NoVirusThanks OSArmor: An Additional Layer of Defense

Discussion in 'other anti-malware software' started by novirusthanks, Dec 17, 2017.

  1. askmark

    askmark Registered Member

    Joined:
    Jul 7, 2016
    Posts:
    392
    Location:
    united kingdom
    Does it require a reboot after install to activate the self-protection? I've just installed over the top of test 59 and can kill the OSArmorDevSvc.exe process using Process Hacker.
     
  2. stackz

    stackz Registered Member

    Joined:
    Dec 27, 2007
    Posts:
    645
    Location:
    Sydney Australia
    Of course you can. With Process Hacker's kernel mode driver and the methods it uses, you can kill anything.
     
    Last edited: Apr 21, 2018
  3. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    9,744
    Location:
    U.S.A. (South)
    Process Explorer termination attempt :thumb:

    Newcomers and seasoned experts can pick up some fairly decent notify tones from this safe site (Creative Commons license) to add to OSA's new audio alert feature.

    Simply replace loon.wav in OSA folder and you're good to go.

    https://notificationsounds.com/
     
    Last edited: Apr 21, 2018
  4. imuade

    imuade Registered Member

    Joined:
    Aug 4, 2016
    Posts:
    751
    Location:
    Italy
    I confirm, Process Hacker (portable version) can kill OSArmorDevSvc.exe (tested v1.4 test60 after rebooting).
     
  5. imuade

    imuade Registered Member

    Joined:
    Aug 4, 2016
    Posts:
    751
    Location:
    Italy
    @novirusthanks
    What about setting up a password and asking for it upon any termination attempt (no matter where it comes from)?
     
  6. mekelek

    mekelek Registered Member

    Joined:
    May 5, 2017
    Posts:
    518
    Location:
    Hungary
  7. aldist

    aldist Registered Member

    Joined:
    Nov 8, 2017
    Posts:
    866
    Location:
    Lunar module
    Installing over the top is a bad method, still. The correct method is uninstall -> reboot -> install. After this, Process Hacker is powerless; it cannot kill the processes OSArmorDevSvc.exe and OSArmorDevUI.exe (tested "60" on Win10 x64). All settings and rules will be saved.
    Maybe you can now reboot the PC.
     
  8. imuade

    imuade Registered Member

    Joined:
    Aug 4, 2016
    Posts:
    751
    Location:
    Italy
    Not happening here (Win 10 64-bit too).
    I have just tried to uninstall OSA, clean everything, reboot, install OSA v1.4 test60, reboot.
    Process Hacker portable can still kill OSArmorDevSvc.exe.
     
  9. askmark

    askmark Registered Member

    Joined:
    Jul 7, 2016
    Posts:
    392
    Location:
    united kingdom
    Are you using the new Process Hacker v3 or the original v2? I'm using v3 and it can be killed easily.
     
  10. imuade

    imuade Registered Member

    Joined:
    Aug 4, 2016
    Posts:
    751
    Location:
    Italy
    v2.39.124
     
  11. askmark

    askmark Registered Member

    Joined:
    Jul 7, 2016
    Posts:
    392
    Location:
    united kingdom
    So it doesn't matter which version then. I wonder why other people are not able to kill OSArmorDevSvc?
     
  12. aldist

    aldist Registered Member

    Joined:
    Nov 8, 2017
    Posts:
    866
    Location:
    Lunar module
    I use PH v3.0.402. In test59 the processes were killed.
    Is it possible to block in OSA the addition of new autorun entries?
     
  13. imuade

    imuade Registered Member

    Joined:
    Aug 4, 2016
    Posts:
    751
    Location:
    Italy
    Maybe because they don't run Process Hacker as Administrator?
    I do, and it can kill OSArmorDevSvc.exe, but if I run PH without administrative rights, I get a prompt instead, asking for elevation in order to complete the task.
     
  14. aldist

    aldist Registered Member

    Joined:
    Nov 8, 2017
    Posts:
    866
    Location:
    Lunar module
    In either case, when you try to kill the process, PH is restarted as Admin.
     
  15. imuade

    imuade Registered Member

    Joined:
    Aug 4, 2016
    Posts:
    751
    Location:
    Italy
    No, you get a prompt asking for that.
    If you click "yes", PH will restart with administrative rights and will kill the process.
    If you click "no", PH will just cancel the task.
     
  16. aldist

    aldist Registered Member

    Joined:
    Nov 8, 2017
    Posts:
    866
    Location:
    Lunar module
    That's right, after the UAC request, PH will restart as Admin. So I have PH as Admin, and the OSA processes are not killed.
     
  17. imuade

    imuade Registered Member

    Joined:
    Aug 4, 2016
    Posts:
    751
    Location:
    Italy
    Then I'm really puzzled :confused::confused::confused:
    Still thinking this may be good:
     
  18. askmark

    askmark Registered Member

    Joined:
    Jul 7, 2016
    Posts:
    392
    Location:
    united kingdom
    Are you starting PH as admin directly from a shortcut, or only responding to the UAC prompt to become admin when attempting to kill the process?
    If it's the latter, then I've found the action will fail on the first attempt after elevation, but if you try killing the process again it will be successful.

    Update:
    Just tested on PH 2.39 and it fails directly after UAC, but succeeds on the second attempt.
     
  19. mood

    mood Updates Team

    Joined:
    Oct 27, 2012
    Posts:
    40,599
    If Process Hacker is properly configured and makes use of the kernel-mode driver, it can easily terminate OS Armor. This is expected:
    Process Hacker 3.x (nightly build), running with normal privileges (Integrity: Medium):
    Code:
    13:12:17 21.04.2018: Process terminated: OSArmorDevSvc.exe (3540); exit status 0x1
    13:12:17 21.04.2018: Service stopped: OSArmorDevSvc (NoVirusThanks OSArmorDevSvc)
    
     
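    The two log lines above are the kind of evidence a defender would want to alert on: a security service's process terminated, followed in the same second by its service being reported stopped. As an added example (not code from the thread, Process Hacker, or NoVirusThanks), here is a small Python parser that reads Process Hacker-style log lines, keeps only "Process terminated" and "Service stopped" events, and raises an alert when a watched image is killed, upgrading it to "confirmed" when the matching service stop lands within a few seconds. The image-to-service mapping, the five-second window, and the extra sample lines beyond the two posted ones are constructed assumptions for the demonstration.

```python
import re
from datetime import datetime, timedelta

# Assumption: which protected image corresponds to which Windows service.
# The two names come from the log lines posted above.
WATCHED = {"OSArmorDevSvc.exe": "OSArmorDevSvc"}

# Constructed sample: the two posted lines plus unrelated, made-up events
# in the same format, so the filtering is visible.
SAMPLE_LOG = """\
13:12:15 21.04.2018: Process terminated: notepad.exe (4120); exit status 0x0
13:12:17 21.04.2018: Process terminated: OSArmorDevSvc.exe (3540); exit status 0x1
13:12:17 21.04.2018: Service stopped: OSArmorDevSvc (NoVirusThanks OSArmorDevSvc)
13:12:40 21.04.2018: Service stopped: Spooler (Print Spooler)
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2} \d{2}\.\d{2}\.\d{4}): "
    r"(?P<event>Process terminated|Service stopped): (?P<rest>.*)$"
)
PROC_RE = re.compile(
    r"^(?P<image>\S+) \((?P<pid>\d+)\); exit status (?P<status>0x[0-9A-Fa-f]+)$"
)
SVC_RE = re.compile(r"^(?P<name>\S+) \((?P<display>.*)\)$")


def parse_line(line):
    """Return an event dict for a terminate/stop line, or None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%H:%M:%S %d.%m.%Y")
    if m["event"] == "Process terminated":
        p = PROC_RE.match(m["rest"])
        if not p:
            return None
        return {"ts": ts, "kind": "proc", "image": p["image"],
                "pid": int(p["pid"]), "status": int(p["status"], 16)}
    s = SVC_RE.match(m["rest"])
    if not s:
        return None
    return {"ts": ts, "kind": "svc", "name": s["name"], "display": s["display"]}


def find_tamper_events(log_text, watched=WATCHED, window=timedelta(seconds=5)):
    """Alert on every termination of a watched image.

    severity is 'confirmed' when the mapped service is reported stopped within
    `window` of the kill, otherwise 'suspect'. 'forced' records a non-zero
    exit status, as in the posted line (0x1).
    """
    events = [e for e in (parse_line(l) for l in log_text.splitlines()) if e]
    alerts = []
    for e in events:
        if e["kind"] != "proc" or e["image"] not in watched:
            continue
        svc = watched[e["image"]]
        stopped = any(s["kind"] == "svc" and s["name"] == svc
                      and abs(s["ts"] - e["ts"]) <= window for s in events)
        alerts.append({"ts": e["ts"], "image": e["image"], "pid": e["pid"],
                       "forced": e["status"] != 0,
                       "severity": "confirmed" if stopped else "suspect"})
    return alerts


if __name__ == "__main__":
    for alert in find_tamper_events(SAMPLE_LOG):
        print(alert)
```

    Run it against a saved Process Hacker log pane export; the notepad.exe and Spooler lines are ignored because they are not in the watch list, and the OSArmorDevSvc kill is reported once, as a confirmed, forced termination.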
  20. imuade

    imuade Registered Member

    Joined:
    Aug 4, 2016
    Posts:
    751
    Location:
    Italy
    @novirusthanks
    This will be a great additional shield :)
     
  21. novirusthanks

    novirusthanks Developer

    Joined:
    Nov 5, 2010
    Posts:
    1,125
    Location:
    Italy
    Process Hacker can terminate OSArmor processes because it uses a kernel-mode driver.

    The main focus of OSArmor's self-protection against process termination is that non-elevated malware cannot terminate it via PowerShell, cmd, taskkill, and other command-line tools. Once malware has Admin privileges or has loaded a kernel-mode driver, it can do almost anything on the system. OSArmor is more focused on preventing malware from being executed on the system.

    Just uploaded a new video (~10 minutes):

    Testing OSArmor with UACME on Windows 7 64-bit
    https://www.youtube.com/watch?v=avkK06MxuUU

    Should upload a new video on Windows 10 1709 64-bit next week.
     
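    The developer's statement of scope above is testable: the claim is that command-line kill attempts from a non-elevated context are stopped. As an added example (not code from the thread or from NoVirusThanks), here is a Python harness that issues the three kinds of attempts named (taskkill, sc stop, PowerShell Stop-Process), checks with tasklist whether the target process survived, and summarises the result. The process and service names come from the posted log line; the exact command lines, and the standard English messages matched in classify(), are assumptions about the tools rather than anything the page states.

```python
import platform
import re
import subprocess

# Names from the thread's log line; adjust if the build you test uses others.
TARGET_IMAGE = "OSArmorDevSvc.exe"
TARGET_SERVICE = "OSArmorDevSvc"

# Assumed command lines for the non-elevated kill attempts the developer describes.
KILL_COMMANDS = {
    "taskkill": ["taskkill", "/F", "/IM", TARGET_IMAGE],
    "sc": ["sc", "stop", TARGET_SERVICE],
    "powershell": ["powershell", "-NoProfile", "-Command",
                   f"Stop-Process -Name '{TARGET_IMAGE[:-4]}' -Force"],
}


def classify(output: str) -> str:
    """Map a tool's printed text to BLOCKED / KILLED / NOT_RUNNING / UNKNOWN.

    Patterns are the standard English messages of taskkill, sc and Stop-Process
    (an assumption; localized Windows builds print different text).
    """
    text = output.lower()
    if "access is denied" in text or re.search(r"failed 5\b", text):   # ERROR_ACCESS_DENIED
        return "BLOCKED"
    if "has been terminated" in text or "stop_pending" in text:
        return "KILLED"
    if "not found" in text or "failed 1060" in text or "cannot find a process" in text:
        return "NOT_RUNNING"
    return "UNKNOWN"     # e.g. Stop-Process prints nothing on success


def resolve(running_before: bool, running_after: bool) -> str:
    """The liveness check is the ground truth; tool output only explains why."""
    if not running_before:
        return "NOT_RUNNING"
    return "BLOCKED" if running_after else "KILLED"


def summarize(results: dict) -> str:
    """results maps tool name -> verdict from resolve()."""
    killed = sorted(t for t, v in results.items() if v == "KILLED")
    if killed:
        return "self-protection bypassed by: " + ", ".join(killed)
    if results and all(v == "NOT_RUNNING" for v in results.values()):
        return "target not running; nothing tested"
    return "self-protection held"


def is_running(image: str) -> bool:
    out = subprocess.run(["tasklist", "/FI", f"IMAGENAME eq {image}", "/NH"],
                         capture_output=True, text=True).stdout
    return image.lower() in out.lower()


def main():
    if platform.system() != "Windows":
        raise SystemExit("run this on the Windows host where OSArmor is installed")
    import ctypes
    if ctypes.windll.shell32.IsUserAnAdmin():
        print("WARNING: running elevated; the developer's claim covers non-elevated tools")
    results = {}
    for tool, cmd in KILL_COMMANDS.items():
        before = is_running(TARGET_IMAGE)
        proc = subprocess.run(cmd, capture_output=True, text=True)
        after = is_running(TARGET_IMAGE)
        results[tool] = resolve(before, after)
        reason = classify(proc.stdout + proc.stderr)
        print(f"{tool:10} {results[tool]:12} ({reason}, rc={proc.returncode})")
    print(summarize(results))


if __name__ == "__main__":
    main()
```

    Run it twice from the same host, once from a standard-user prompt and once from an elevated one, to see the boundary the developer draws: the first run exercises the self-protection that is in scope, the second shows what an attacker who already holds Admin can do. The verdict is taken from the before/after tasklist check rather than from the tool's text, because a successful Stop-Process prints nothing.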
  22. askmark

    askmark Registered Member

    Joined:
    Jul 7, 2016
    Posts:
    392
    Location:
    united kingdom
    So you are able to kill the service without elevation?

    What do you mean by "properly configured"? I've not done any configuration.
     
  23. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    9,744
    Location:
    U.S.A. (South)
    OSA is running smooth as silk here and functioning perfectly to expectations.

    Coupled in tandem with ERP 4 (pre-release), it is exceedingly formidable :thumb:
     
  24. mood

    mood Updates Team

    Joined:
    Oct 27, 2012
    Posts:
    40,599
    If it is an issue that other users with normal privileges are able to terminate it, the configuration of Process Hacker must be modified (disabling the kernel-mode driver or other specific changes can be done, ...).
    Then users with normal privileges cannot simply terminate the OS Armor service.
    Yes, Process Hacker is running with normal user rights; I can see information about all processes and can theoretically terminate all of them (it is using the kernel-mode driver to achieve this).
     
  25. Rainwalker

    Rainwalker Registered Member

    Joined:
    May 18, 2003
    Posts:
    2,603
    Location:
    USA
    Hello mekelek....I thought this might be the case and hesitated to post. Thanks.
     