NoVirusThanks OSArmor: An Additional Layer of Defense

Discussion in 'other anti-malware software' started by novirusthanks, Dec 17, 2017.

  1. novirusthanks

    novirusthanks Developer

    Joined:
    Nov 5, 2010
    Posts:
    1,125
    Location:
    Italy
    @Sampei Nihira

    A quick workaround (waiting that MBAE's uninstaller is signed) would be to add this exclusion rule on OSA's Exclusions.db file:

    Code:
    [%PARENTSIGNER%: Malwarebytes Corporation] [%PROCESS%: C:\WINDOWS\Temp\*]
    
     
  2. aldist

    aldist Registered Member

    Joined:
    Nov 8, 2017
    Posts:
    866
    Location:
    Lunar module
    Carried out additional tests and found out. Start PH as user -> UAC -> restart PH as Admin = does not kill OSA processes.
    Start PH as Admin = killing OSA processes.
    But on "test59" the first variant (with UAC) killed the OSA processes!
     
    Last edited: Apr 21, 2018
  3. loungehake

    loungehake Registered Member

    Joined:
    Mar 9, 2015
    Posts:
    174
    Location:
    Wigan
That post is a great little insight into the composing of exclusions. I guess it's like learning a language as a small child. I have contrived a different workaround, which is by editing the exclusion text created by OSArmor and with use of wildcards, e.g. as below:-
    [%PROCESS%: C:\WINDOWS\Temp\is-o_O??.tmp\mbae-setup-*.tmp] [%PARENTPROCESS%: C:\WINDOWS\Temp\mbae-setup-*.exe] [%PARENTSIGNER%: Malwarebytes Corporation]

N.B. I did not intend the (not very) smiley face to appear in my copy of the exclusion rule. I deliberately used 5 question marks but WildersSecurity has overruled me.

    The exclusion rule also works a treat BTW. All roads lead to Rome?
     
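The two exclusion rules above (the developer's parent-signer rule and loungehake's wildcard rule) share one bracketed `[%FIELD%: pattern]` format. The following is an added example, not OSArmor's own code, that parses lines in that format and evaluates them against a process event; it assumes `*` matches any run of characters, `?` exactly one, comparison is case-insensitive (Windows paths), and that every field named in a rule must match. The second rule is written with the five question marks the post says were intended.

```python
import re

# Constructed from the two rules posted in the thread (five '?' as the poster intended).
RULES = [
    "[%PARENTSIGNER%: Malwarebytes Corporation] [%PROCESS%: C:\\WINDOWS\\Temp\\*]",
    "[%PROCESS%: C:\\WINDOWS\\Temp\\is-?????.tmp\\mbae-setup-*.tmp] "
    "[%PARENTPROCESS%: C:\\WINDOWS\\Temp\\mbae-setup-*.exe] "
    "[%PARENTSIGNER%: Malwarebytes Corporation]",
]

# One '[%NAME%: value]' clause; values are paths or signer names and never contain ']'.
FIELD_RE = re.compile(r"\[%(\w+)%:\s*([^\]]*)\]")


def parse_rule(line):
    """Turn one exclusion line into a {FIELD: pattern} dict."""
    return {name: value.strip() for name, value in FIELD_RE.findall(line)}


def glob_to_regex(pattern):
    """'*' = any run of characters, '?' = exactly one; everything else is literal.
    Case-insensitive matching is an assumption about OSA's semantics."""
    out = ""
    for ch in pattern:
        if ch == "*":
            out += ".*"
        elif ch == "?":
            out += "."
        else:
            out += re.escape(ch)
    return re.compile("^" + out + "$", re.IGNORECASE)


def rule_matches(rule, event):
    """All fields present in the rule must match the event; fields the rule
    does not mention are unconstrained. An event lacking a required field fails,
    so an unsigned parent never satisfies a %PARENTSIGNER% clause."""
    return all(
        field in event and glob_to_regex(pat).match(event[field]) is not None
        for field, pat in rule.items()
    )


def excluded(event, rules=RULES):
    """True if any configured exclusion rule covers this event."""
    return any(rule_matches(parse_rule(line), event) for line in rules)
```

The point worth checking when tuning exclusions is the last case in the test: a rule with no `%PARENTSIGNER%` clause would also exclude an unsigned process in the same path, which is why the developer's rule pairs the path wildcard with the signer.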
  4. Sampei Nihira

    Sampei Nihira Registered Member

    Joined:
    Apr 7, 2013
    Posts:
    2,131
    Location:
    Italy
    Test60 malfunctions on windows XP.
    Sent private message with details to the developer.


    The uninstallation of the test60 and the replacement with the test59 does not allow the elimination of the error.

    Now I have deleted the sys driver.
     
    Last edited: Apr 21, 2018
  5. aldist

    aldist Registered Member

    Joined:
    Nov 8, 2017
    Posts:
    866
    Location:
    Lunar module
    First uninstall, then try searching in the registry for the keywords novirusthanks, osarmor and remove all detected registry branches. Then install 59.
     
  6. Sampei Nihira

    Sampei Nihira Registered Member

    Joined:
    Apr 7, 2013
    Posts:
    2,131
    Location:
    Italy
    Too many keys with custom settings.
    With XP some settings can be found in the registry.
     
  7. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
Note that MBAE may never be signed as it is a beta and probably will never be signed. It is not intended for release, but once it's ready it is incorporated into MBAM.
     
  8. loungehake

    loungehake Registered Member

    Joined:
    Mar 9, 2015
    Posts:
    174
    Location:
    Wigan
    Not even a hint of a problem with my two XP SP3 systems. The behaviour is very good and has been improving with each new version.
     
  9. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    9,728
    Location:
    U.S.A. (South)
    Another attempt to suspend both OSA GUI + Service.

     
  10. novirusthanks

    novirusthanks Developer

    Joined:
    Nov 5, 2010
    Posts:
    1,125
    Location:
    Italy
    Just uploaded a new video:

    Testing OSArmor with UACME on Windows 10 SCU 1803 64-bit
    https://www.youtube.com/watch?v=6ypNDRSfZm0


    @Sampei Nihira

    Thanks for the PM, we'll take a look at it tomorrow.
     
  11. FanJ

    FanJ Updates Team

    Joined:
    Feb 9, 2002
    Posts:
    3,929
    Hi loungehake,
    Use the plain tags. See test thread for you: https://www.wilderssecurity.com/threads/for-loungehake.403012/
PS: I'm not commenting on the rule you posted, but only about how to avoid the smiley.
     
  12. loungehake

    loungehake Registered Member

    Joined:
    Mar 9, 2015
    Posts:
    174
    Location:
    Wigan
  13. Sampei Nihira

    Sampei Nihira Registered Member

    Joined:
    Apr 7, 2013
    Posts:
    2,131
    Location:
    Italy
    :(:thumb:

    Do you recommend enabling the rule?
     
  14. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    9,728
    Location:
    U.S.A. (South)
  15. askmark

    askmark Registered Member

    Joined:
    Jul 7, 2016
    Posts:
    392
    Location:
    united kingdom
    @novirusthanks
    Would it be possible to record in the log file those events/actions which have been allowed by an exclusion rule?
     
  16. aldist

    aldist Registered Member

    Joined:
    Nov 8, 2017
    Posts:
    866
    Location:
    Lunar module
    If protection is triggered while viewing the logfile, new events do not enter the logfile, even after the update or re-opening of the logfile. Please confirm or deny.
     
  17. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    9,728
    Location:
    U.S.A. (South)
    Tested this. Thanks.

On this machine a new event doesn't post to the logfile while it is open and being viewed (triggered protection); however, after closing it and upon reopening, the new event indeed is logged. Likely because it's in use from the user viewing it at the time of triggered protection.

    If that helps.
     
    Last edited: Apr 27, 2018
  18. mood

    mood Updates Team

    Joined:
    Oct 27, 2012
    Posts:
    40,390
The text editor must "re-read" the file to show recently added events.
     
  19. aldist

    aldist Registered Member

    Joined:
    Nov 8, 2017
    Posts:
    866
    Location:
    Lunar module
    Of course, I understand this, but...
    Perhaps I was inattentive and hurried to conclusions.
Thanks!
     
  20. novirusthanks

    novirusthanks Developer

    Joined:
    Nov 5, 2010
    Posts:
    1,125
    Location:
    Italy
    Here is a new v1.4 (pre-release) test61:
    http://downloads.novirusthanks.org/files/osarmor_setup_1.4_test61.exe

    *** Please do not share the download link, we will delete it when we'll release the official v1.4 ***

    So far this is what's new compared to the previous pre-release:

    + Fixed a typo in the Help\FAQs file
    + Fixed detection of parent processes in particular situations
    + Improved Block suspicious command-lines
    + Improved Block suspicious processes
    + Minor fixes and optimizations
    + Fixed some false positives

    To install it, first uninstall the previous build, then reboot (not really needed but may help), and install the new build.

    If you find any false positive or issue please let me know.

    Can be done, but in next version (1.5)

Yes, you can enable it. I noticed no FPs so far here.
     
  21. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    9,728
    Location:
    U.S.A. (South)
    Almost missed this. Thanks as always Andreas.

    Your ERP is an absolute dream to fine tune runnings in PC and setting them to their desired & proper order where they are of most use.

    OSA is equally as fine tuned a defensive measure as can be. Multitasking both OSA/ERP in Win 10/8.1 and that's some doing :geek:
     
  22. digmor crusher

    digmor crusher Registered Member

    Joined:
    Jul 6, 2012
    Posts:
    929
    Location:
    Canada
Just an FYI Andreas. The last 5 or 6 times I've updated I never did a restart and there were no issues. This time after an install and no restart I couldn't enable protection, had to uninstall and restart to turn the protection on. Funny thing is that the last 5 or 6 times every time I updated Emsisoft would throw up an alert; the first time I tried updating to the latest version tonight Emsisoft was silent, second time after a restart it popped up an alert again. I'm thinking just a wonky update and no big deal.
     
  23. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    4,391
    Location:
    Under a bushel ...
    Maybe digmor, I also have EAM and it alerted as usual ... no issues with protection after update (previous uninstalled first and like you, no restart).
     
  24. shmu26

    shmu26 Registered Member

    Joined:
    Jul 9, 2015
    Posts:
    1,482
    Suggestion: A generic set of anti-exploit rules that the user can apply to additional programs that are not already on the list. If it breaks the app, the user can disable one or more of the rules. So it will be the responsibility of the user, not of the dev, to make it work.

    My pet peeve is programs running from appdata that display a desktop version of a webpage. There are apps like this for Gmail, Slack, and much more. The whole idea seems so insecure, and some of these apps were made by people who seem to know almost nothing about security.

    It would be nice to slap some protection on apps like this.
     
  25. Sampei Nihira

    Sampei Nihira Registered Member

    Joined:
    Apr 7, 2013
    Posts:
    2,131
    Location:
    Italy
    Again the error I have already described on Windows XP.
    Uninstalled.
     