NoVirusThanks OSArmor: An Additional Layer of Defense

Discussion in 'other anti-malware software' started by novirusthanks, Dec 17, 2017.

  1. Djigi

    Djigi Registered Member

    Joined:
    Aug 13, 2012
    Posts:
    554
    Location:
    Croatia
    ...first, you have to select all....
     
  2. Sampei Nihira

    Sampei Nihira Registered Member

    Joined:
    Apr 7, 2013
    Posts:
    3,365
    Location:
    Italy

    One bug

    It is possible to Open Logs Folder from SUA Account without a UAC/password:

     
    Last edited: May 20, 2018
  3. Dragon1952

    Dragon1952 Registered Member

    Joined:
    Sep 16, 2012
    Posts:
    2,470
    Location:
    Hollow Earth - Telos
    I have V1.3 and don't see any reset to default.
     
  4. guest

    guest Guest

    The button "Reset to Default" is not available in the stable version 1.3.
    But you can uninstall OS Armor and after this try to remove the appropriate registry key: "HKEY_LOCAL_MACHINE\SOFTWARE\NoVirusThanks\OSArmorDev"
    Now, after installing the stable version, you should have default settings.
     
  5. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Do you image your system? That would do what you want.
     
  6. shmu26

    shmu26 Registered Member

    Joined:
    Jul 9, 2015
    Posts:
    1,550
    OSA doesn't make any changes to your system settings, AFAIK. I don't see why it should back them up, since it doesn't touch them in the first place. It is different from SysHardener, which does make significant changes to system settings.
     
  7. novirusthanks

    novirusthanks Developer

    Joined:
    Nov 5, 2010
    Posts:
    1,359
    Location:
    Italy
    Here is a new v1.4 (pre-release) test67:
    http://downloads.novirusthanks.org/files/osarmor_setup_1.4_test67.exe

    *** Please do not share the download link, we will delete it when we'll release the official v1.4 ***

    So far this is what's new compared to the previous pre-release:

    + Fixed some false positives

    To install it, first uninstall the previous build, then reboot (not really needed but may help), and install the new build.

    If you find any false positive or issue please let me know.

    @Sampei Nihira

    The "Open Logs Folder" should be fine without a UAC prompt; it just opens the logs folder to check what has been blocked.

    The LUA user would be able to just see what has been blocked checking the .log files, but can't do anything more than that.

    If needed, we can add a UAC prompt on it, we can discuss it :)

    @mike83

    I think you meant to ask that question about SysHardener?

    http://www.novirusthanks.org/products/syshardener/

    Link to the thread on this forum:

    https://www.wilderssecurity.com/threads/syshardener-harden-windows-settings.401092/page-7
     
  8. Sampei Nihira

    Sampei Nihira Registered Member

    Joined:
    Apr 7, 2013
    Posts:
    3,365
    Location:
    Italy
    You can send the logs by email.
    Probably share the logs.
    Bluetooth........
     
  9. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,126
    Location:
    U.S.A. (South)
    Running this OSA in combo with ERP 4 latest pre-release. Especially of interest to me on Windows 10 with all the shifting that the latest 1803 does under the hood. My 8.1 is pretty tame but Windows 10 is chalked with plenty of feelers and IMO unnecessary interactions although it's completely understood in one respect, and via networking in/outs (besides spying) they seem to try to give it a self healing correcting capability previous version didn't have. Which should cut down on having to do a snap restore every so often to get back to normal operating functions.

    This OSA and ERP 4 is proving it's like putting a N52 grade neodymium magnet into your system.

    Many thanks over again to everyone who raise suggestions and throw up bug reports they find.
     
  10. TomAZ

    TomAZ Registered Member

    Joined:
    Feb 27, 2010
    Posts:
    1,131
    Location:
    USA
    For some strange reason, I'm having trouble with OSA Test 67 on my Win 7 Pro system. It won't allow me to Enable Protection (Disabled only).

    I've installed, rebooted, reinstalled several times, but always with the same result. Interestingly enough, 67 seems to be running fine on my XP machine.

    By the way, Test 66 runs okay on my Win 7 machine, so not sure what would have caused this in Test 67.
     
  11. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,126
    Location:
    U.S.A. (South)
    NVT will no doubt issue a remedy but try to start the Service under services manually and see if it starts and stays Enable Protection or not.

    I ran into something similar many test versions ago but NVT team applied/updated with a modification that corrected it.
     
  12. Lorina

    Lorina Registered Member

    Joined:
    Mar 13, 2018
    Posts:
    13
    Location:
    EU
  13. Lorina

    Lorina Registered Member

    Joined:
    Mar 13, 2018
    Posts:
    13
    Location:
    EU
    Oh, there's 67 now, I haven't checked if that blocking also takes place in it.
     
  14. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,126
    Location:
    U.S.A. (South)
    @Lorina- Any improvement with 67 you care to share?

    @mood and/or @novirusthanks. Lost track. There is a shorter format using wildcards to Manage Exclusions manually too? Can someone show an example? For instance this is one formatted by using the built-in OSArmor exclusions prompt...........

    Curious if there is a way to reduce my list. This is no priority or expectation wish, just want to be sure I'm not missing an alternative method to shorten the exclusions DB log.
     
  15. bellgamin

    bellgamin Registered Member

    Joined:
    Aug 1, 2002
    Posts:
    8,102
    Location:
    Hawaii
    67 is fine on my Win7 64.
     
  16. shmu26

    shmu26 Registered Member

    Joined:
    Jul 9, 2015
    Posts:
    1,550
    Well, it all depends how much ink you want to save.
    In the first line, you could just write *\Belvedere.exe in place of the whole path
    You could omit PROCESSCMDLINE altogether
    You could shorten the path in PARENTPROCESS to this: *\explorer.exe

    So it will come out like this:
    [%PROCESS%: *\Belvedere.exe]
    [%PARENTPROCESS%: *\explorer.exe]
    [%PARENTSIGNER%: Microsoft Windows]

    This is just a suggestion...
     
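    As an added illustration (not code from this thread, from OSArmor, or from NoVirusThanks), the small Python script below parses the bracketed [%KEY%: value] rule lines quoted in the post above and evaluates a full-path rule and the shortened wildcard rule against a few constructed process-start events. The matching semantics are assumptions for the example only (case-insensitive, "*" as a glob wildcard, every key in a rule must match); the Belvedere paths, the "Downloads" look-alike and the "editor.exe" event are constructed, not real log data. The point it makes is a defender's one: the wildcard form also excludes a same-named binary started from any other folder, so shortening a rule widens what the exclusion covers.

```python
import fnmatch
import re

# Hypothetical parser/evaluator for the bracketed [%KEY%: value] exclusion
# rule lines quoted in the thread. The matching semantics are ASSUMED for
# illustration: case-insensitive, '*' as a glob wildcard, and every key in
# a rule must match for the rule to apply. They are not OSArmor's documented
# behaviour.
RULE_LINE = re.compile(r"^\[%(?P<key>[A-Z]+)%:\s*(?P<value>.*)\]$")


def parse_rule(text):
    """Parse a block of [%KEY%: value] lines into {KEY: pattern}."""
    rule = {}
    for line in text.strip().splitlines():
        line = line.strip()
        if not line:
            continue
        m = RULE_LINE.match(line)
        if m is None:
            # A missing bracket or stray character makes the whole rule unusable
            raise ValueError(f"malformed rule line: {line!r}")
        rule[m.group("key")] = m.group("value")
    return rule


def rule_matches(rule, event):
    """True only when every field named in the rule matches the event (assumed AND semantics)."""
    for key, pattern in rule.items():
        actual = event.get(key, "")
        if not fnmatch.fnmatchcase(actual.lower(), pattern.lower()):
            return False
    return True


# Full-path rule (constructed to resemble what the exclusions prompt writes)
FULL_RULE = r"""
[%PROCESS%: C:\Program Files\Belvedere\Belvedere.exe]
[%PROCESSCMDLINE%: "C:\Program Files\Belvedere\Belvedere.exe"]
[%PARENTPROCESS%: C:\Windows\explorer.exe]
[%PARENTSIGNER%: Microsoft Windows]
"""

# Shortened wildcard rule, as suggested in the post above
SHORT_RULE = r"""
[%PROCESS%: *\Belvedere.exe]
[%PARENTPROCESS%: *\explorer.exe]
[%PARENTSIGNER%: Microsoft Windows]
"""

# Constructed sample process-start events (not real log data)
EVENTS = {
    "belvedere-from-program-files": {
        "PROCESS": r"C:\Program Files\Belvedere\Belvedere.exe",
        "PROCESSCMDLINE": r'"C:\Program Files\Belvedere\Belvedere.exe"',
        "PARENTPROCESS": r"C:\Windows\explorer.exe",
        "PARENTSIGNER": "Microsoft Windows",
    },
    "same-name-from-downloads": {
        "PROCESS": r"C:\Users\Public\Downloads\Belvedere.exe",
        "PROCESSCMDLINE": r'"C:\Users\Public\Downloads\Belvedere.exe"',
        "PARENTPROCESS": r"C:\Windows\explorer.exe",
        "PARENTSIGNER": "Microsoft Windows",
    },
    "unrelated-tool": {
        "PROCESS": r"C:\Tools\editor.exe",
        "PROCESSCMDLINE": r'"C:\Tools\editor.exe"',
        "PARENTPROCESS": r"C:\Windows\explorer.exe",
        "PARENTSIGNER": "Microsoft Windows",
    },
}


def excluded_events(rule_text, events=EVENTS):
    """Names of the sample events a rule would exclude from inspection."""
    rule = parse_rule(rule_text)
    return [name for name, ev in events.items() if rule_matches(rule, ev)]


if __name__ == "__main__":
    print("full-path rule excludes:", excluded_events(FULL_RULE))
    print("wildcard rule excludes: ", excluded_events(SHORT_RULE))
```

    Running it shows the full-path rule excluding only the Belvedere copy under Program Files, while the wildcard rule also excludes the same-named file in the Downloads folder; the parser also rejects a line with a missing closing bracket, which is the kind of "tiny but critical error" worth checking before blaming the rule format.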
  17. mike83

    mike83 Registered Member

    Joined:
    Mar 9, 2016
    Posts:
    35
    @novirusthanks Well, I was and am interested in the answer for this regarding SysHardener, too. However my question here was indeed about OSA.

    I guess your kind hint implies that most likely I'm ignorant here, but I did not find OSA documentation about e.g. the process mitigations, so I was thinking that they might have been implemented by using the program-specific GFlags image file execution options within the Windows registry.

    But now I guess that I must be wrong and that OSA implements all its protections only in realtime using kernel drivers and its own INI file, right?
     
  18. Sampei Nihira

    Sampei Nihira Registered Member

    Joined:
    Apr 7, 2013
    Posts:
    3,365
    Location:
    Italy
    Attention to the Exclusion Rules.
    If the rule is badly written, it is possible that a Service shutdown also occurs.
    I have experienced this scenario.
     
  19. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,126
    Location:
    U.S.A. (South)
    I was hoping someone would chime in to say something like that @shmu26

    Appreciate that example "and" the opportunity to save some ink with it. I'll try that and post back only if something goes amok, as @Sampei Nihira drew attention to.
     
  20. Circuit

    Circuit Registered Member

    Joined:
    Oct 7, 2014
    Posts:
    939
    Location:
    Land o fruits and nuts, and more crime.
    Running good on 7x64.

    Would be nice to have a setting that would check all but, the yellow and red flags.
     
  21. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,126
    Location:
    U.S.A. (South)
    Sure enough. The service didn't shut down, but all the RULES went straight out the window using that shortened format.

    Anything everything launched at will possibly because the [%PARENTPROCESS%: *\explorer.exe] is too loose when consigned to a single app in the Exclusions Rules

    It must needs be Full Path to folder/file to ensure continuity for Exclusions Rules?

    Perhaps @novirusthanks can stipulate another format/variable.


    Of note, this is absolutely a non-issue and unnecessary, was just curious if that prospect (wildcard for exclusion rules shortening) might be open within that section or not.
     
    Last edited: May 23, 2018
  22. Circuit

    Circuit Registered Member

    Joined:
    Oct 7, 2014
    Posts:
    939
    Location:
    Land o fruits and nuts, and more crime.
    Please include SMplayer (anti exploits).
     
  23. shmu26

    shmu26 Registered Member

    Joined:
    Jul 9, 2015
    Posts:
    1,550
    Sorry for leading you astray. I am not sure what went wrong. Maybe @novirusthanks or someone else can provide some insight?
    It would probably help if you would paste the rule you wrote. It might have a tiny but critical error somewhere, like a missing bracket or something.
     
  24. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,126
    Location:
    U.S.A. (South)
    You didn't lead astray; it gave something useful to try out and work on adding/subtracting to maybe do a shorter list.

    I'll continue to tinker around and see what sticks and what doesn't. This isn't a priority by any stretch, just an experiment.
     
  25. shmu26

    shmu26 Registered Member

    Joined:
    Jul 9, 2015
    Posts:
    1,550
    If I remember right, the dev said that OSA settings are saved straight in the registry, not in an INI file.
    But nevertheless, these settings do not make changes to the system. If OSA active protection is disabled, even temporarily, the settings are disabled.
     