NoVirusThanks OSArmor: An Additional Layer of Defense

Discussion in 'other anti-malware software' started by novirusthanks, Dec 17, 2017.

  1. Gandalf_The_Grey

    Gandalf_The_Grey Registered Member

    Joined:
    Jan 31, 2012
    Posts:
    893
    Location:
    The Netherlands
    @novirusthanks Thanks for fixing the FPs.
    Unfortunately I can't confirm because the Epson software updater almost never gets an update...
    If it does I will let you know.
     
  2. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    9,278
    Location:
    Among the gum trees
    Another probable FP:
    Code:
    Date/Time: 9/05/2018 8:46:49 AM
    Process: [6064]C:\Windows\System32\fodhelper.exe
    Process MD5 Hash: 1D1F9E564472A9698F1BE3F9FEB9864B
    Parent: [996]C:\Windows\System32\svchost.exe
    Rule: BlockSuspiciousProcesses
    Rule Name: Block execution of suspicious processes
    Command Line: C:\WINDOWS\System32\FodHelper.exe -Embedding
    Signer:
    Parent Signer: Microsoft Windows Publisher
    User/Domain: SYSTEM/NT AUTHORITY
    System File: True
    Parent System File: True
    Integrity Level: System
    Parent Integrity Level: System
    Win10 x64 1803
    OSA Test 63
    Thanks.
     
  3. Sampei Nihira

    Sampei Nihira Registered Member

    Joined:
    Apr 7, 2013
    Posts:
    2,223
    Location:
    Italy
    I fixed the OSA error with Windows XP.
    Details sent to the Developer.

    I will not write any information in this thread, because of the aversion of some users towards those who still use XP.

    I can only say that it is not an OSA kernel driver incompatibility.

    This error, for me, may also occur in other OSes.
    Now I know how to act to solve it.
     
    Last edited: May 9, 2018
  4. imuade

    imuade Registered Member

    Joined:
    Aug 4, 2016
    Posts:
    751
    Location:
    Italy
    I agree with you, this thread is about OSArmor, not about XP lovers vs. XP haters :thumb:
     
  5. Tomin2009

    Tomin2009 Registered Member

    Joined:
    Sep 13, 2012
    Posts:
    94
    @novirusthanks

    With May update installed, it appears again.

    Date/Time: 2018/5/10 7:19:57
    Process: [7820]C:\Program Files (x86)\Microsoft Office\root\Office16\ONENOTEM.EXE
    Process MD5 Hash: E3850484B5CDFF097EC67F263AD9CBFE
    Parent: [6476]C:\Windows\explorer.exe
    Rule: BlockSuspiciousCmdlines
    Rule Name: Block execution of suspicious command-line strings
    Command Line: "C:\Program Files (x86)\Microsoft Office\root\Office16\ONENOTEM.EXE" sr
    Signer: Microsoft Corporation
    Parent Signer: Microsoft Windows
    User/Domain: ***********
    System File: False
    Parent System File: True
    Integrity Level: Medium
    Parent Integrity Level: Medium
     
  6. ronald739

    ronald739 Registered Member

    Joined:
    Nov 9, 2011
    Posts:
    123
    Location:
    Australia
    Getting the same as @Krusty

    https://www.wilderssecurity.com/thr...-layer-of-defense.398859/page-70#post-2755698

    I only noticed looking through OSA logs today as my son was on the PC yesterday.

    Win10X64 1803

    Code:
    Date/Time: 9/05/2018 3:21:19 PM
    Process: [11684]C:\Windows\System32\fodhelper.exe
    Process MD5 Hash: 1D1F9E564472A9698F1BE3F9FEB9864B
    Parent: [956]C:\Windows\System32\svchost.exe
    Rule: BlockSuspiciousProcesses
    Rule Name: Block execution of suspicious processes
    Command Line: C:\WINDOWS\System32\FodHelper.exe -Embedding
    Signer:
    Parent Signer: Microsoft Windows Publisher
    User/Domain: SYSTEM/NT AUTHORITY
    System File: True
    Parent System File: True
    Integrity Level: System
    Parent Integrity Level: System
    
    Date/Time: 9/05/2018 3:20:48 PM
    Process: [10164]C:\Windows\System32\fodhelper.exe
    Process MD5 Hash: 1D1F9E564472A9698F1BE3F9FEB9864B
    Parent: [956]C:\Windows\System32\svchost.exe
    Rule: BlockSuspiciousProcesses
    Rule Name: Block execution of suspicious processes
    Command Line: C:\WINDOWS\System32\FodHelper.exe -Embedding
    Signer:
    Parent Signer: Microsoft Windows Publisher
    User/Domain: SYSTEM/NT AUTHORITY
    System File: True
    Parent System File: True
    Integrity Level: System
    Parent Integrity Level: System
    
    Date/Time: 9/05/2018 10:34:58 AM
    Process: [11748]C:\Windows\System32\fodhelper.exe
    Process MD5 Hash: 1D1F9E564472A9698F1BE3F9FEB9864B
    Parent: [916]C:\Windows\System32\svchost.exe
    Rule: BlockSuspiciousProcesses
    Rule Name: Block execution of suspicious processes
    Command Line: C:\WINDOWS\System32\FodHelper.exe -Embedding
    Signer:
    Parent Signer: Microsoft Windows Publisher
    User/Domain: SYSTEM/NT AUTHORITY
    System File: True
    Parent System File: True
    Integrity Level: System
    Parent Integrity Level: System
    
     
  7. novirusthanks

    novirusthanks Developer

    Joined:
    Nov 5, 2010
    Posts:
    1,133
    Location:
    Italy
    Here is a new v1.4 (pre-release) test64:
    http://downloads.novirusthanks.org/files/osarmor_setup_1.4_test64.exe

    *** Please do not share the download link, we will delete it when we release the official v1.4 ***

    So far this is what's new compared to the previous pre-release:

    + Improved Block suspicious processes
    + Improved Block execution of PowerShell malformed commands
    + Disabled by default "Block reg.exe from hijacking Registry startup entries" *only on clean/new installations*
    + Minor fixes and optimizations
    + Fixed some false positives

    To install it, first uninstall the previous build, then reboot (not really needed but may help), and install the new build.

    If you find any false positive or issue please let me know.

    @Tomin2009 @Krusty @ronald739

    Those FPs should be fixed now, please confirm if possible.

    @Sampei Nihira

    Please keep sharing your information =)

    Thanks for reporting the details via PM.
     
    Last edited: May 11, 2018
  8. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    9,278
    Location:
    Among the gum trees
    This is still enabled on my machine, even after clicking "Reset to Default".
     
  9. bjm_

    bjm_ Registered Member

    Joined:
    May 22, 2009
    Posts:
    4,065
    Location:
    .
    +1 2820.png
     
  10. novirusthanks

    novirusthanks Developer

    Joined:
    Nov 5, 2010
    Posts:
    1,133
    Location:
    Italy
    @Krusty @bjm_

    It is disabled only on clean installations of OSA. *Added a reference to this in my previous post*

    In the next build I will make sure it is disabled after clicking the "Restore to Default" button.
     
  11. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    9,278
    Location:
    Among the gum trees
    OK. I thought uninstalling with REVO Uninstaller would give me a clean install.
     
  12. bjm_

    bjm_ Registered Member

    Joined:
    May 22, 2009
    Posts:
    4,065
    Location:
    .
    Date/Time: 5/11/2018 7:40:10 PM
    Process: [2296]C:\Windows\System32\notepad.exe
    Process MD5 Hash: F60A9D3A9461F68DE0FCCEBB0C6CB31A
    Parent: [956]C:\Windows\System32\OpenWith.exe
    Rule: EnableOSArmorSelfDefense
    Rule Name: Enable OSArmor self defense (basic)
    Command Line: "C:\WINDOWS\system32\NOTEPAD.EXE" C:\Program Files\NoVirusThanks\OSArmorDevSvc\Exclusions.db
    Signer:
    Parent Signer: Microsoft Windows
    User/Domain: bjms/BJM-PCW10
    System File: True
    Parent System File: True
    Integrity Level: Medium
    Parent Integrity Level: Medium
     
  13. Tomin2009

    Tomin2009 Registered Member

    Joined:
    Sep 13, 2012
    Posts:
    94
  14. mood

    mood Updates Team

    Joined:
    Oct 27, 2012
    Posts:
    41,722
    Two more:
    Code:
    Date/Time: 12.05.2018 15:00:14
    Process: [3664]C:\Program Files\EmEditor\EmEditor.exe
    Process MD5 Hash: 6F6685952D2ABF39FC6199A0569F1F69
    Parent: [9924]C:\Windows\System32\OpenWith.exe
    Rule: EnableOSArmorSelfDefense
    Rule Name: Enable OSArmor self defense (basic)
    Command Line: "C:\Program Files\EmEditor\EmEditor.exe" "C:\Program Files\NoVirusThanks\OSArmorDevSvc\Exclusions.db"
    Signer: Emurasoft, Inc.
    Parent Signer: Microsoft Windows
    User/Domain: XXXX/XXXX
    System File: False
    Parent System File: True
    Integrity Level: Medium
    Parent Integrity Level: Medium
    
    Date/Time: 12.05.2018 15:01:14
    Process: [8580]C:\Program Files\Notepad3\Notepad3.exe
    Process MD5 Hash: 46FF154A525D15C2331BF62CB7790CB0
    Parent: [11076]C:\Windows\System32\OpenWith.exe
    Rule: EnableOSArmorSelfDefense
    Rule Name: Enable OSArmor self defense (basic)
    Command Line: "C:\Program Files\Notepad3\Notepad3.exe" C:\Program Files\NoVirusThanks\OSArmorDevSvc\Exclusions.db
    Signer:
    Parent Signer: Microsoft Windows
    User/Domain: XXXX/XXXX
    System File: False
    Parent System File: True
    Integrity Level: Medium
    Parent Integrity Level: Medium
    
     
  15. novirusthanks

    novirusthanks Developer

    Joined:
    Nov 5, 2010
    Posts:
    1,133
    Location:
    Italy
    Here is a new v1.4 (pre-release) test65:
    http://downloads.novirusthanks.org/files/osarmor_setup_1.4_test65.exe

    *** Please do not share the download link, we will delete it when we release the official v1.4 ***

    So far this is what's new compared to the previous pre-release:

    + Block rundll32.exe from using RegisterOCX
    + Improved Block suspicious command-lines (50+ new internal rules)
    + Improved Block loading of .inf files via InstallHinfSection\LaunchINFSection\etc
    + Fixed "Restore to Default" and disabling of "Block reg.exe from hijacking Registry startup entries"
    + Fixed some false positives

    To install it, first uninstall the previous build, then reboot (not really needed but may help), and install the new build.

    If you find any false positive or issue please let me know.

    @mood @bjm_

    FPs should be fixed now.
     
  16. TomAZ

    TomAZ Registered Member

    Joined:
    Feb 27, 2010
    Posts:
    1,131
    Location:
    USA
    When uninstalling OSA prior to installing a newer release, is there any way to save your current Exclusions -- or do you have to start over from scratch with each new install?
     
  17. shmu26

    shmu26 Registered Member

    Joined:
    Jul 9, 2015
    Posts:
    1,484
    Your exclusions, as well as your custom block list, are stored in separate files that are not deleted when you run the uninstaller.
    They are always there and will be used whenever you decide to reinstall.
    But if you run a third-party uninstaller, it might search and destroy those files, so just use the standard uninstaller.
     
  18. TomAZ

    TomAZ Registered Member

    Joined:
    Feb 27, 2010
    Posts:
    1,131
    Location:
    USA
    Good to know -- thank you!
     
  19. ronald739

    ronald739 Registered Member

    Joined:
    Nov 9, 2011
    Posts:
    123
    Location:
    Australia
    @novirusthanks

    https://www.wilderssecurity.com/thr...-layer-of-defense.398859/page-70#post-2755979

    It has not appeared in any of the logs on this system again as of posting, on the same version of OSA as in the previous post.

    ====

    On a different System (WIN10X64 1709) with test 63 & 64 OSA using Portable Apps

    Code:
    Date/Time: 12/05/2018 7:07:55 PM
    Process: [10892]C:\Windows\SysWOW64\wbem\WMIC.exe
    Process MD5 Hash: 2CB843EBCA0BCD8095F0A78D8F3CA117
    Parent: [12212]D:\PortableApps\CommonFiles\Java\bin\javaw.exe
    Rule: AntiExploitJava
    Rule Name: (Anti-Exploit) Protect Java
    Command Line: C:\Windows\System32\Wbem\wmic.exe /NAMESPACE:\\root\SecurityCenter2 path AntiSpywareProduct get displayName,pathToSignedProductExe,pathToSignedProductExe,pathToSignedReportingExe,productState /format:value
    Signer:
    Parent Signer: Oracle America, Inc.
    User/Domain: ronal/DESKTOP-UFCJ72P
    System File: True
    Parent System File: False
    Integrity Level: Medium
    Parent Integrity Level: Medium
    
    Date/Time: 12/05/2018 7:07:55 PM
    Process: [9256]C:\Windows\SysWOW64\wbem\WMIC.exe
    Process MD5 Hash: 2CB843EBCA0BCD8095F0A78D8F3CA117
    Parent: [12212]D:\PortableApps\CommonFiles\Java\bin\javaw.exe
    Rule: AntiExploitJava
    Rule Name: (Anti-Exploit) Protect Java
    Command Line: C:\Windows\System32\Wbem\wmic.exe /NAMESPACE:\\root\SecurityCenter2 path FirewallProduct get displayName,pathToSignedProductExe,pathToSignedProductExe,pathToSignedReportingExe,productState /format:value
    Signer:
    Parent Signer: Oracle America, Inc.
    User/Domain: ronal/DESKTOP-UFCJ72P
    System File: True
    Parent System File: False
    Integrity Level: Medium
    Parent Integrity Level: Medium
    
    Date/Time: 12/05/2018 7:07:55 PM
    Process: [6360]C:\Windows\SysWOW64\cmd.exe
    Process MD5 Hash: 8FAFBE3C23E2BE4D6A3C063118B9A4F2
    Parent: [12212]D:\PortableApps\CommonFiles\Java\bin\javaw.exe
    Rule: AntiExploitJava
    Rule Name: (Anti-Exploit) Protect Java
    Command Line: cmd /c chcp
    Signer:
    Parent Signer: Oracle America, Inc.
    User/Domain: ronal/DESKTOP-UFCJ72P
    System File: True
    Parent System File: False
    Integrity Level: Medium
    Parent Integrity Level: Medium
    
    Date/Time: 12/05/2018 7:07:55 PM
    Process: [5204]C:\Windows\SysWOW64\wbem\WMIC.exe
    Process MD5 Hash: 2CB843EBCA0BCD8095F0A78D8F3CA117
    Parent: [12212]D:\PortableApps\CommonFiles\Java\bin\javaw.exe
    Rule: AntiExploitJava
    Rule Name: (Anti-Exploit) Protect Java
    Command Line: C:\Windows\System32\Wbem\wmic.exe /NAMESPACE:\\root\SecurityCenter2 path AntiVirusProduct get displayName,pathToSignedProductExe,pathToSignedReportingExe,productState /format:value
    Signer:
    Parent Signer: Oracle America, Inc.
    User/Domain: ronal/DESKTOP-UFCJ72P
    System File: True
    Parent System File: False
    Integrity Level: Medium
    Parent Integrity Level: Medium
    
    Date/Time: 12/05/2018 7:07:46 PM
    Process: [11248]C:\Windows\SysWOW64\reg.exe
    Process MD5 Hash: EDE11E768487C6FEFC1287E5CB653662
    Parent: [12212]D:\PortableApps\CommonFiles\Java\bin\javaw.exe
    Rule: AntiExploitJava
    Rule Name: (Anti-Exploit) Protect Java
    Command Line: reg query "HKEY_CURRENT_USER\Control Panel\Desktop" /v "ForegroundLockTimeout"
    Signer:
    Parent Signer: Oracle America, Inc.
    User/Domain: ronal/DESKTOP-UFCJ72P
    System File: True
    Parent System File: False
    Integrity Level: Medium
    Parent Integrity Level: Medium
    
    Date/Time: 12/05/2018 7:07:43 PM
    Process: [9228]C:\Windows\SysWOW64\reg.exe
    Process MD5 Hash: EDE11E768487C6FEFC1287E5CB653662
    Parent: [12212]D:\PortableApps\CommonFiles\Java\bin\javaw.exe
    Rule: AntiExploitJava
    Rule Name: (Anti-Exploit) Protect Java
    Command Line: reg query "HKEY_CURRENT_USER\Control Panel\Desktop" /v "ForegroundLockTimeout"
    Signer:
    Parent Signer: Oracle America, Inc.
    User/Domain: ronal/DESKTOP-UFCJ72P
    System File: True
    Parent System File: False
    Integrity Level: Medium
    Parent Integrity Level: Medium
    
    Date/Time: 12/05/2018 7:07:43 PM
    Process: [12116]C:\Windows\SysWOW64\reg.exe
    Process MD5 Hash: EDE11E768487C6FEFC1287E5CB653662
    Parent: [12212]D:\PortableApps\CommonFiles\Java\bin\javaw.exe
    Rule: AntiExploitJava
    Rule Name: (Anti-Exploit) Protect Java
    Command Line: reg query "HKEY_CURRENT_USER\Control Panel\Desktop" /v "ForegroundLockTimeout"
    Signer:
    Parent Signer: Oracle America, Inc.
    User/Domain: ronal/DESKTOP-UFCJ72P
    System File: True
    Parent System File: False
    Integrity Level: Medium
    Parent Integrity Level: Medium
    
    Date/Time: 12/05/2018 6:40:11 PM
    Process: [1368]C:\Windows\SysWOW64\icacls.exe
    Process MD5 Hash: 327272D9C05C23D28DEA9BF94E4B9093
    Parent: [5256]D:\PortableApps\CommonFiles\Java\bin\javaw.exe
    Rule: AntiExploitJava
    Rule Name: (Anti-Exploit) Protect Java
    Command Line: C:\Windows\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant "everyone":(OI)(CI)M
    Signer:
    Parent Signer: Oracle America, Inc.
    User/Domain: ronal/DESKTOP-UFCJ72P
    System File: True
    Parent System File: False
    Integrity Level: Medium
    Parent Integrity Level: Medium
     
    Date/Time: 12/05/2018 6:40:18 PM
    Process: [6648]C:\Windows\SysWOW64\reg.exe
    Process MD5 Hash: EDE11E768487C6FEFC1287E5CB653662
    Parent: [5256]D:\PortableApps\CommonFiles\Java\bin\javaw.exe
    Rule: AntiExploitJava
    Rule Name: (Anti-Exploit) Protect Java
    Command Line: reg query "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings"
    Signer:
    Parent Signer: Oracle America, Inc.
    User/Domain: ronal/DESKTOP-UFCJ72P
    System File: True
    Parent System File: False
    Integrity Level: Medium
    Parent Integrity Level: Medium
     
    Date/Time: 12/05/2018 6:40:18 PM
    Process: [9880]C:\Windows\SysWOW64\reg.exe
    Process MD5 Hash: EDE11E768487C6FEFC1287E5CB653662
    Parent: [5256]D:\PortableApps\CommonFiles\Java\bin\javaw.exe
    Rule: AntiExploitJava
    Rule Name: (Anti-Exploit) Protect Java
    Command Line: reg query "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings"
    Signer:
    Parent Signer: Oracle America, Inc.
    User/Domain: ronal/DESKTOP-UFCJ72P
    System File: True
    Parent System File: False
    Integrity Level: Medium
    Parent Integrity Level: Medium
     
    Date/Time: 12/05/2018 6:40:20 PM
    Process: [5052]C:\Windows\SysWOW64\reg.exe
    Process MD5 Hash: EDE11E768487C6FEFC1287E5CB653662
    Parent: [5256]D:\PortableApps\CommonFiles\Java\bin\javaw.exe
    Rule: AntiExploitJava
    Rule Name: (Anti-Exploit) Protect Java
    Command Line: reg query "HKEY_CURRENT_USER\Control Panel\Desktop" /v "ForegroundLockTimeout"
    Signer:
    Parent Signer: Oracle America, Inc.
    User/Domain: ronal/DESKTOP-UFCJ72P
    System File: True
    Parent System File: False
    Integrity Level: Medium
    Parent Integrity Level: Medium
     
    Date/Time: 12/05/2018 6:41:12 PM
    Process: [6316]C:\Windows\SysWOW64\reg.exe
    Process MD5 Hash: EDE11E768487C6FEFC1287E5CB653662
    Parent: [5256]D:\PortableApps\CommonFiles\Java\bin\javaw.exe
    Rule: AntiExploitJava
    Rule Name: (Anti-Exploit) Protect Java
    Command Line: reg query "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings"
    Signer:
    Parent Signer: Oracle America, Inc.
    User/Domain: ronal/DESKTOP-UFCJ72P
    System File: True
    Parent System File: False
    Integrity Level: Medium
    Parent Integrity Level: Medium
     
    Date/Time: 12/05/2018 6:43:22 PM
    Process: [11124]C:\Windows\SysWOW64\reg.exe
    Process MD5 Hash: EDE11E768487C6FEFC1287E5CB653662
    Parent: [12828]D:\PortableApps\CommonFiles\Java\bin\javaw.exe
    Rule: AntiExploitJava
    Rule Name: (Anti-Exploit) Protect Java
    Command Line: reg query "HKEY_CURRENT_USER\Control Panel\Desktop" /v "ForegroundLockTimeout"
    Signer:
    Parent Signer: Oracle America, Inc.
    User/Domain: ronal/DESKTOP-UFCJ72P
    System File: True
    Parent System File: False
    Integrity Level: Medium
    Parent Integrity Level: Medium
     
    Date/Time: 12/05/2018 6:46:20 PM
    Process: [2240]C:\Windows\SysWOW64\reg.exe
    Process MD5 Hash: EDE11E768487C6FEFC1287E5CB653662
    Parent: [2256]D:\PortableApps\CommonFiles\Java\bin\javaw.exe
    Rule: AntiExploitJava
    Rule Name: (Anti-Exploit) Protect Java
    Command Line: reg query "HKEY_CURRENT_USER\Control Panel\Desktop" /v "ForegroundLockTimeout"
    Signer:
    Parent Signer: Oracle America, Inc.
    User/Domain: ronal/DESKTOP-UFCJ72P
    System File: True
    Parent System File: False
    Integrity Level: Medium
    Parent Integrity Level: Medium
     
    Date/Time: 12/05/2018 6:46:20 PM
    Process: [2168]C:\Windows\SysWOW64\reg.exe
    Process MD5 Hash: EDE11E768487C6FEFC1287E5CB653662
    Parent: [2256]D:\PortableApps\CommonFiles\Java\bin\javaw.exe
    Rule: AntiExploitJava
    Rule Name: (Anti-Exploit) Protect Java
    Command Line: reg query "HKEY_CURRENT_USER\Control Panel\Desktop" /v "ForegroundLockTimeout"
    Signer:
    Parent Signer: Oracle America, Inc.
    User/Domain: ronal/DESKTOP-UFCJ72P
    System File: True
    Parent System File: False
    Integrity Level: Medium
    Parent Integrity Level: Medium
     
    Date/Time: 12/05/2018 6:46:22 PM
    Process: [2244]C:\Windows\SysWOW64\reg.exe
    Process MD5 Hash: EDE11E768487C6FEFC1287E5CB653662
    Parent: [2256]D:\PortableApps\CommonFiles\Java\bin\javaw.exe
    Rule: AntiExploitJava
    Rule Name: (Anti-Exploit) Protect Java
    Command Line: reg query "HKEY_CURRENT_USER\Control Panel\Desktop" /v "ForegroundLockTimeout"
    Signer:
    Parent Signer: Oracle America, Inc.
    User/Domain: ronal/DESKTOP-UFCJ72P
    System File: True
    Parent System File: False
    Integrity Level: Medium
    Parent Integrity Level: Medium
     
    Date/Time: 12/05/2018 6:46:27 PM
    Process: [4332]C:\Windows\SysWOW64\wbem\WMIC.exe
    Process MD5 Hash: 2CB843EBCA0BCD8095F0A78D8F3CA117
    Parent: [2256]D:\PortableApps\CommonFiles\Java\bin\javaw.exe
    Rule: AntiExploitJava
    Rule Name: (Anti-Exploit) Protect Java
    Command Line: C:\Windows\System32\Wbem\wmic.exe /NAMESPACE:\\root\SecurityCenter2 path AntiVirusProduct get displayName,pathToSignedProductExe,pathToSignedReportingExe,productState /format:value
    Signer:
    Parent Signer: Oracle America, Inc.
    User/Domain: ronal/DESKTOP-UFCJ72P
    System File: True
    Parent System File: False
    Integrity Level: Medium
    Parent Integrity Level: Medium
     
    Date/Time: 12/05/2018 6:46:27 PM
    Process: [8240]C:\Windows\SysWOW64\cmd.exe
    Process MD5 Hash: 8FAFBE3C23E2BE4D6A3C063118B9A4F2
    Parent: [2256]D:\PortableApps\CommonFiles\Java\bin\javaw.exe
    Rule: AntiExploitJava
    Rule Name: (Anti-Exploit) Protect Java
    Command Line: cmd /c chcp
    Signer:
    Parent Signer: Oracle America, Inc.
    User/Domain: ronal/DESKTOP-UFCJ72P
    System File: True
    Parent System File: False
    Integrity Level: Medium
    Parent Integrity Level: Medium
     
    Date/Time: 12/05/2018 6:46:27 PM
    Process: [6092]C:\Windows\SysWOW64\wbem\WMIC.exe
    Process MD5 Hash: 2CB843EBCA0BCD8095F0A78D8F3CA117
    Parent: [2256]D:\PortableApps\CommonFiles\Java\bin\javaw.exe
    Rule: AntiExploitJava
    Rule Name: (Anti-Exploit) Protect Java
    Command Line: C:\Windows\System32\Wbem\wmic.exe /NAMESPACE:\\root\SecurityCenter2 path FirewallProduct get displayName,pathToSignedProductExe,pathToSignedProductExe,pathToSignedReportingExe,productState /format:value
    Signer:
    Parent Signer: Oracle America, Inc.
    User/Domain: ronal/DESKTOP-UFCJ72P
    System File: True
    Parent System File: False
    Integrity Level: Medium
    Parent Integrity Level: Medium
     
    Date/Time: 12/05/2018 6:46:28 PM
    Process: [968]C:\Windows\SysWOW64\wbem\WMIC.exe
    Process MD5 Hash: 2CB843EBCA0BCD8095F0A78D8F3CA117
    Parent: [2256]D:\PortableApps\CommonFiles\Java\bin\javaw.exe
    Rule: AntiExploitJava
    Rule Name: (Anti-Exploit) Protect Java
    Command Line: C:\Windows\System32\Wbem\wmic.exe /NAMESPACE:\\root\SecurityCenter2 path AntiSpywareProduct get displayName,pathToSignedProductExe,pathToSignedProductExe,pathToSignedReportingExe,productState /format:value
    Signer:
    Parent Signer: Oracle America, Inc.
    User/Domain: ronal/DESKTOP-UFCJ72P
    System File: True
    Parent System File: False
    Integrity Level: Medium
    Parent Integrity Level: Medium
     
    Date/Time: 12/05/2018 6:48:06 PM
    Process: [9792]C:\Windows\SysWOW64\reg.exe
    Process MD5 Hash: EDE11E768487C6FEFC1287E5CB653662
    Parent: [9000]D:\PortableApps\CommonFiles\Java\bin\javaw.exe
    Rule: AntiExploitJava
    Rule Name: (Anti-Exploit) Protect Java
    Command Line: reg query "HKEY_CURRENT_USER\Control Panel\Desktop" /v "ForegroundLockTimeout"
    Signer:
    Parent Signer: Oracle America, Inc.
    User/Domain: ronal/DESKTOP-UFCJ72P
    System File: True
    Parent System File: False
    Integrity Level: Medium
    Parent Integrity Level: Medium
     
    Date/Time: 12/05/2018 6:48:06 PM
    Process: [436]C:\Windows\SysWOW64\reg.exe
    Process MD5 Hash: EDE11E768487C6FEFC1287E5CB653662
    Parent: [9000]D:\PortableApps\CommonFiles\Java\bin\javaw.exe
    Rule: AntiExploitJava
    Rule Name: (Anti-Exploit) Protect Java
    Command Line: reg query "HKEY_CURRENT_USER\Control Panel\Desktop" /v "ForegroundLockTimeout"
    Signer:
    Parent Signer: Oracle America, Inc.
    User/Domain: ronal/DESKTOP-UFCJ72P
    System File: True
    Parent System File: False
    Integrity Level: Medium
    Parent Integrity Level: Medium
     
    Date/Time: 12/05/2018 6:48:08 PM
    Process: [5616]C:\Windows\SysWOW64\reg.exe
    Process MD5 Hash: EDE11E768487C6FEFC1287E5CB653662
    Parent: [9000]D:\PortableApps\CommonFiles\Java\bin\javaw.exe
    Rule: AntiExploitJava
    Rule Name: (Anti-Exploit) Protect Java
    Command Line: reg query "HKEY_CURRENT_USER\Control Panel\Desktop" /v "ForegroundLockTimeout"
    Signer:
    Parent Signer: Oracle America, Inc.
    User/Domain: ronal/DESKTOP-UFCJ72P
    System File: True
    Parent System File: False
    Integrity Level: Medium
    Parent Integrity Level: Medium
     
    Date/Time: 12/05/2018 6:48:13 PM
    Process: [12088]C:\Windows\SysWOW64\wbem\WMIC.exe
    Process MD5 Hash: 2CB843EBCA0BCD8095F0A78D8F3CA117
    Parent: [9000]D:\PortableApps\CommonFiles\Java\bin\javaw.exe
    Rule: AntiExploitJava
    Rule Name: (Anti-Exploit) Protect Java
    Command Line: C:\Windows\System32\Wbem\wmic.exe /NAMESPACE:\\root\SecurityCenter2 path AntiVirusProduct get displayName,pathToSignedProductExe,pathToSignedReportingExe,productState /format:value
    Signer:
    Parent Signer: Oracle America, Inc.
    User/Domain: ronal/DESKTOP-UFCJ72P
    System File: True
    Parent System File: False
    Integrity Level: Medium
    Parent Integrity Level: Medium
     
    Date/Time: 12/05/2018 6:48:13 PM
    Process: [11748]C:\Windows\SysWOW64\cmd.exe
    Process MD5 Hash: 8FAFBE3C23E2BE4D6A3C063118B9A4F2
    Parent: [9000]D:\PortableApps\CommonFiles\Java\bin\javaw.exe
    Rule: AntiExploitJava
    Rule Name: (Anti-Exploit) Protect Java
    Command Line: cmd /c chcp
    Signer:
    Parent Signer: Oracle America, Inc.
    User/Domain: ronal/DESKTOP-UFCJ72P
    System File: True
    Parent System File: False
    Integrity Level: Medium
    Parent Integrity Level: Medium
     
    Date/Time: 12/05/2018 6:48:13 PM
    Process: [6812]C:\Windows\SysWOW64\wbem\WMIC.exe
    Process MD5 Hash: 2CB843EBCA0BCD8095F0A78D8F3CA117
    Parent: [9000]D:\PortableApps\CommonFiles\Java\bin\javaw.exe
    Rule: AntiExploitJava
    Rule Name: (Anti-Exploit) Protect Java
    Command Line: C:\Windows\System32\Wbem\wmic.exe /NAMESPACE:\\root\SecurityCenter2 path FirewallProduct get displayName,pathToSignedProductExe,pathToSignedProductExe,pathToSignedReportingExe,productState /format:value
    Signer:
    Parent Signer: Oracle America, Inc.
    User/Domain: ronal/DESKTOP-UFCJ72P
    System File: True
    Parent System File: False
    Integrity Level: Medium
    Parent Integrity Level: Medium
     
    Date/Time: 12/05/2018 6:48:13 PM
    Process: [10564]C:\Windows\SysWOW64\wbem\WMIC.exe
    Process MD5 Hash: 2CB843EBCA0BCD8095F0A78D8F3CA117
    Parent: [9000]D:\PortableApps\CommonFiles\Java\bin\javaw.exe
    Rule: AntiExploitJava
    Rule Name: (Anti-Exploit) Protect Java
    Command Line: C:\Windows\System32\Wbem\wmic.exe /NAMESPACE:\\root\SecurityCenter2 path AntiSpywareProduct get displayName,pathToSignedProductExe,pathToSignedProductExe,pathToSignedReportingExe,productState /format:value
    Signer:
    Parent Signer: Oracle America, Inc.
    User/Domain: ronal/DESKTOP-UFCJ72P
    System File: True
    Parent System File: False
    Integrity Level: Medium
    Parent Integrity Level: Medium
     

    Will try again tomorrow on both systems, as you're quite quick with different test versions.

    Regards.
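As an added example (not code from this thread or from NoVirusThanks), the helper below parses OSArmor block records in the "Date/Time: ... Parent Integrity Level:" format posted above and groups repeated blocks by (rule, process, parent) so a reviewer can triage false-positive candidates once instead of per launch. The sample records are constructed from the reports in this thread; the MD5 values are placeholders, not indicators.

```python
import re
from collections import Counter
from typing import Dict, List

# Field labels exactly as OSArmor prints them, one field per line.
FIELDS = {"Date/Time", "Process", "Process MD5 Hash", "Parent", "Rule", "Rule Name",
          "Command Line", "Signer", "Parent Signer", "User/Domain", "System File",
          "Parent System File", "Integrity Level", "Parent Integrity Level"}
_PID_PATH = re.compile(r"^\[(\d+)\](.*)$")   # "[6064]C:\Windows\..." -> pid, path
MICROSOFT_SIGNERS = {"Microsoft Windows", "Microsoft Windows Publisher",
                     "Microsoft Corporation"}

# Constructed sample modelled on the reports above (hashes are placeholders, not IoCs).
FODHELPER = """Date/Time: 9/05/2018 3:21:19 PM
Process: [11684]C:\\Windows\\System32\\fodhelper.exe
Process MD5 Hash: 00000000000000000000000000000000
Parent: [956]C:\\Windows\\System32\\svchost.exe
Rule: BlockSuspiciousProcesses
Rule Name: Block execution of suspicious processes
Command Line: C:\\WINDOWS\\System32\\FodHelper.exe -Embedding
Signer:
Parent Signer: Microsoft Windows Publisher
User/Domain: SYSTEM/NT AUTHORITY
System File: True
Parent System File: True
Integrity Level: System
Parent Integrity Level: System
"""
EDITOR = """Date/Time: 12.05.2018 15:00:14
Process: [3664]C:\\Program Files\\EmEditor\\EmEditor.exe
Process MD5 Hash: 11111111111111111111111111111111
Parent: [9924]C:\\Windows\\System32\\OpenWith.exe
Rule: EnableOSArmorSelfDefense
Rule Name: Enable OSArmor self defense (basic)
Command Line: "C:\\Program Files\\EmEditor\\EmEditor.exe" "C:\\Program Files\\NoVirusThanks\\OSArmorDevSvc\\Exclusions.db"
Signer: Emurasoft, Inc.
Parent Signer: Microsoft Windows
User/Domain: XXXX/XXXX
System File: False
Parent System File: True
Integrity Level: Medium
Parent Integrity Level: Medium
"""
# Forum chatter plus a second fodhelper launch with another PID, as in the posts above.
SAMPLE_LOG = ("Code:\n" + FODHELPER + "\n" + FODHELPER.replace("[11684]", "[10164]")
              + "\nWin10X64 1803\n" + EDITOR)


def parse_records(text: str) -> List[Dict[str, str]]:
    """One dict per record; a record starts at each 'Date/Time:' line. Lines that are
    not an OSArmor field (forum text such as 'Code:' or 'Win10X64 1803') are skipped."""
    records: List[Dict[str, str]] = []
    current: Dict[str, str] = {}
    for raw in text.splitlines():
        key, sep, value = raw.strip().partition(":")
        if not sep or key not in FIELDS:
            continue
        if key == "Date/Time":
            current = {}
            records.append(current)
        value = value.strip()
        if key in ("Process", "Parent"):
            match = _PID_PATH.match(value)
            if match:                      # keep the pid separately, path without it
                current[key + " PID"], value = match.groups()
        current[key] = value
    return records


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def summarise(records: List[Dict[str, str]]) -> Counter:
    """Count blocks per (rule, process, parent): each distinct block signature is
    reviewed once, with its frequency, instead of one alert per launch."""
    return Counter((r.get("Rule", ""), basename(r.get("Process", "")),
                    basename(r.get("Parent", ""))) for r in records)


def fp_hints(r: Dict[str, str]) -> List[str]:
    """Reasons a block deserves review as a possible false positive. Hints for a
    human, not a verdict: a signed Microsoft parent does not make the child safe."""
    hints = []
    signed_chain = (r.get("System File") == "True" and r.get("Parent System File") == "True"
                    and r.get("Parent Signer") in MICROSOFT_SIGNERS)
    if (signed_chain and r.get("Integrity Level") == "System"
            and basename(r.get("Parent", "")) == "svchost.exe"
            and r.get("Command Line", "").endswith("-Embedding")):
        hints.append("system-signed COM activation (-Embedding) launched by svchost")
    if (r.get("Rule") == "EnableOSArmorSelfDefense"
            and basename(r.get("Parent", "")) == "openwith.exe"
            and "Exclusions.db" in r.get("Command Line", "")):
        hints.append("editor opened via OpenWith on OSArmor's own Exclusions.db")
    return hints
```

Exclude only after checking the blocked binary's path, signature and parent against what the machine is expected to run; the hints narrow the review, they do not replace it.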
     
  20. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    9,777
    Location:
    U.S.A. (South)
    Is the Blocked Alert Box dialog configurable? Not that it's of any issue because it's not and fine as is, however I assume it's hard coded for x amount of seconds and was curious just what the time delay is roughly set at for its display after it's activated.
     
  21. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    9,278
    Location:
    Among the gum trees
    I have mine set to "Automatically close the notification window" unchecked so that I can see if there have been any blocks while away from my machines.
     
  22. bjm_

    bjm_ Registered Member

    Joined:
    May 22, 2009
    Posts:
    4,065
    Location:
    .
    NoVirusThanks OSArmor Quick help\FAQs:
     
    Last edited: May 14, 2018
  23. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    9,777
    Location:
    U.S.A. (South)
    Oh yes, I also did the same, however things are well configured and so I allow it to auto-close the notification alert window now AND ESPECIALLY since the Master of this superb program has added AUDIO ALERTS, which improves recognition whenever something is acted on as a requirement (per rules) and blocked.

    Not even suggesting or hinting at an added manual config that you could set, but just curious about the time element involved, since on my machine it varies from being a little quick to fade to invisible to showing in plenty of time to react to it and/or set an exclusion.....

    ...which there again is a non-issue since we have a manual exclusion rules DB feature. :thumb:
     
  24. bellgamin

    bellgamin Very Frequent Poster

    Joined:
    Aug 1, 2002
    Posts:
    7,379
    Location:
    Hawaii
    Please keep on with posting your reports in detail, including those pertaining to XP. I operate several teaching websites that draw hits & mail from many areas throughout the world. There are lots of people who are still using old windows systems plus 56K or dsl for their internet.. OSA can be a godsend to those with older computers.

    I recently did cost-cutting studies at 3 rural clinics in CONUS. All 3 were county hospitals with pitifully inadequate budgets. All 3 had XP systems throughout... with 15, 17, & 7 workstations respectively. They had no interest in using their limited funding to upgrade a functional computer system. They were mainly concerned with finding ways to cut operating costs so they could spend more of their $$ on replacing older medical equipment.

    So I am very happy that NVT is continuing XP support, despite the many headaches of doing so.
     
  25. Sampei Nihira

    Sampei Nihira Registered Member

    Joined:
    Apr 7, 2013
    Posts:
    2,223
    Location:
    Italy
    :thumb:
    I will continue the reports.
    In a PM, details of how not to run into the error.
     