NoVirusThanks OSArmor: An Additional Layer of Defense

Discussion in 'other anti-malware software' started by novirusthanks, Dec 17, 2017.

  1. mood

    mood Updates Team

    Joined:
    Oct 27, 2012
    Posts:
    20,803
    Yes, the settings of OS armor are saved into the registry: HKEY_LOCAL_MACHINE\SOFTWARE\NoVirusThanks\OSArmorDev
    Exclusions and Custom Block-Rules are saved into a file (CustomBlock.db / Exclusions.db)
     
  2. Lorina

    Lorina Registered Member

    Joined:
    Mar 13, 2018
    Posts:
    12
    Location:
    EU
    JDownloader's blocking happens in v67, too; it doesn't matter too much, since the program is not too commonly found, but the log says this (it happens when it tries to run Chrome, to access the captcha extension):

    Process: [13020]C:\Windows\System32\rundll32.exe
    Process MD5 Hash: 73C519F050C20580F8A62C849D49215A
    Parent: [19832]E:\Jdownloader\JDownloader2.exe
    Rule: BlockSuspiciousCmdlines
    Rule Name: Block execution of suspicious command-line strings
    Command Line: rundll32.exe url.dll,FileProtocolHandler http://127.0.0.1:24613/openload.co/
    Signer:
    Parent Signer: Appwork GmbH
    System File: True
    Parent System File: False
    Integrity Level: Medium
    Parent Integrity Level: Medium

    *But* I did discover this, which may be more important/common: with Google's Android Studio 3.1, OSArmor has blocked its attempt to update itself to version 3.2, apparently when trying to access Java:

    Process: [12624]C:\.AndroidStudio3.1\system\tmp\patch-update\jre\bin\java.exe
    Process MD5 Hash: B930C6CB6EFD109622886EE2AB3A7A3C
    Parent: [13340]C:\.AndroidStudio3.1\system\restart\restarter.exe
    Rule: BlockProcessesOnSuspiciousFolders
    Rule Name: Block processes located in suspicious folders
    Command Line: C:\AndroidStudio3.1\system\tmp\patch-update\jre\bin\java.exe -Xmx750m -cp C:\.AndroidStudio3.1\system\tmp\patch-update\patch.jar;C:\.AndroidStudio3.1\system\tmp\patch-update\log4j.jar;C:\.AndroidStudio3.1\system\tmp\patch-update\jna.jar;C:\.AndroidStudio3.1\system\tmp\patch-update\jna-platform.jar -Djna.nosys=true -Djna.boot.library.path= -Djna.debug_load=true -Djna.debug_load.jna=true -Djava.io.tmpdir=C:\.AndroidStudio3.1\system\tmp\patch-update -Didea.updater.log=C:\.AndroidStudio3.1\system\log -Dswing.defaultlaf=com.sun.java.swing.plaf.windows.WindowsLookAndFeel com.intellij.updater.Runner install "F:\Android Studio"
    Signer:
    Parent Signer: Google Inc
    System File: False
    Parent System File: False
    Integrity Level: Medium
    Parent Integrity Level: Medium
     
  3. mike83

    mike83 Registered Member

    Joined:
    Mar 9, 2016
    Posts:
    35
    @mood Ok, thank you, that explains already pretty much.

    I wonder if there is any documentation or other information available about the OSA protections that are not self-explanatory. To give just one example, what does the Anti-Exploit "Protect Microsoft Office Word" actually do?

    I'm currently using GFlagsX to set some anti-exploit options on winword.exe via the Windows Image File Execution Options and I'd like to understand if there is e.g. some overlapping between the two, or if the OSA anti-exploit protection is something totally different...
     
  4. mood

    mood Updates Team

    Joined:
    Oct 27, 2012
    Posts:
    20,803
    Regarding the Anti-Exploit function:
    Block Exploit Payloads with OSArmor
    https://www.youtube.com/watch?v=g90-lqBXNKM
     
  5. mike83

    mike83 Registered Member

    Joined:
    Mar 9, 2016
    Posts:
    35
    Thanks for the quick reply, mood!

    Ok, the Anti-Exploit function seems to be actually a parent-based anti-executable with a fixed anti-exe configuration - rather than a traditional exploit mitigation tool. So no overlapping with GFlags...
     
  6. novirusthanks

    novirusthanks Developer

    Joined:
    Nov 5, 2010
    Posts:
    1,028
    Location:
    Italy
    Here is a new v1.4 (pre-release) test68:
    http://downloads.novirusthanks.org/files/osarmor_setup_1.4_test68.exe

    *** Please do not share the download link, we will delete it when we release the official v1.4 ***

    So far this is what's new compared to the previous pre-release:

    + New option to "Use only your own Custom Block rules"
    + Extended process and parent process cmdline to 8192 chars (max for Windows)
    + Block execution of IQY Excel Web Query files (Main Protections, enabled)
    + Block rundll32.exe from using InstallScreenSaver
    + Block msdeploy.exe from using RunCommand
    + Block execution of jjs.exe -scripting (related to Java)
    + Block execution of jsc.exe /out: (related to Java)
    + Updated Help/FAQs file with two new Q&A
    + Fixed all reported false positives

    To install it, first uninstall the previous build, then reboot (not really needed but may help), and install the new build.

    If you find any false positive or issue please let me know.

    Here is a screenshot:

    osa68.png

    //EDIT

    * Will reply to posted questions tomorrow, just wanted to post this update *
     
    Last edited: May 27, 2018
  7. FanJ

    FanJ Updates Team

    Joined:
    Feb 9, 2002
    Posts:
    3,544
    Please fix the smiley in your post.

    Within plain tags it is:
    + Block execution of jsc.exe /out:(related to Java)
     
  8. Dragon1952

    Dragon1952 Registered Member

    Joined:
    Sep 16, 2012
    Posts:
    1,858
    Location:
    Hollow Earth - Telos
    I just uninstalled CCleaner and I got this popup message:

    Date/Time: 5/26/2018 8:55:02 PM
    Process: [9184]C:\Windows\SysWOW64\schtasks.exe
    Parent: [7544]C:\Users\User\AppData\Local\Temp\~nsuA.tmp\Au_.exe
    Rule: BlockSchtasksExe
    Rule Name: Block execution of schtasks.exe
    Command Line: schtasks /delete /tn CCleanerSkipUAC /f
    Signer:
    Parent Signer: Piriform Ltd

    Date/Time: 5/26/2018 8:55:02 PM
    Process: [9012]C:\Windows\SysWOW64\schtasks.exe
    Parent: [7544]C:\Users\User\AppData\Local\Temp\~nsuA.tmp\Au_.exe
    Rule: BlockSchtasksExe
    Rule Name: Block execution of schtasks.exe
    Command Line: schtasks /delete /tn CCleanerClean /f
    Signer:
    Parent Signer: Piriform Ltd

    Date/Time: 5/26/2018 8:55:03 PM
    Process: [7700]C:\Windows\SysWOW64\schtasks.exe
    Parent: [7544]C:\Users\User\AppData\Local\Temp\~nsuA.tmp\Au_.exe
    Rule: BlockSchtasksExe
    Rule Name: Block execution of schtasks.exe
    Command Line: schtasks /delete /tn CCleanerSkipUAC /f
    Signer:
    Parent Signer: Piriform Ltd

    Date/Time: 5/26/2018 8:55:03 PM
    Process: [7004]C:\Windows\SysWOW64\schtasks.exe
    Parent: [7544]C:\Users\User\AppData\Local\Temp\~nsuA.tmp\Au_.exe
    Rule: BlockSchtasksExe
    Rule Name: Block execution of schtasks.exe
    Command Line: schtasks /delete /tn CCleanerClean /f
    Signer:
    Parent Signer: Piriform Ltd
     
  9. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,560
    Latest build running fine here
     
  10. bellgamin

    bellgamin Very Frequent Poster

    Joined:
    Aug 1, 2002
    Posts:
    6,690
    Location:
    Hawaii
    Me, too.
     
  11. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    8,365
    Location:
    U.S.A. (South)
    Same :thumb:

    However each new build requires replacing loon.wav :D
     
  12. bjm_

    bjm_ Registered Member

    Joined:
    May 22, 2009
    Posts:
    3,316
    Location:
    .
    FWIW ~ I have not observed (as reported) incompatibility with WebrootSA since "self-defense (process termination)".
     
  13. aldist

    aldist Registered Member

    Joined:
    Nov 8, 2017
    Posts:
    462
    Location:
    Germany
    4.png
     
  14. guest

    guest Guest

    can't you do it (as a mod)?
     
  15. mood

    mood Updates Team

    Joined:
    Oct 27, 2012
    Posts:
    20,803
    @novirusthanks
    Suggestion: Support for "hiding" of notifications for specific processes
    Some processes might launch processes which will be blocked each time by OS Armor. Or the user might have added rules to the file CustomBlock.db which affect a lot of files.
    This means a notification window will also be displayed each time one of these processes has been blocked.
    In this case unticking "Show a notification window when something is blocked" is not the solution because it will hide all notifications.
    To keep the notifications to a minimum it might help to have a hide-/exclude-feature for notifications.
     
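    The schtasks entries Dragon1952 posted and mood's suggestion above come down to the same triage question: which parent image keeps tripping which rule, and with which command lines. As an added example (not OSArmor's own code; the log sample below is constructed in the notification format quoted in this thread, with made-up PIDs and times), here is a small parser and aggregator for those notification blocks:

```python
import re
from collections import defaultdict

# Constructed sample in the notification format quoted in this thread
# (PIDs, times and paths are made up; "Signer:" is empty as in the posts).
SAMPLE_LOG = """\
Date/Time: 5/26/2018 8:55:02 PM
Process: [9184]C:\\Windows\\SysWOW64\\schtasks.exe
Parent: [7544]C:\\Users\\User\\AppData\\Local\\Temp\\~nsuA.tmp\\Au_.exe
Rule: BlockSchtasksExe
Command Line: schtasks /delete /tn CCleanerSkipUAC /f
Signer:
Parent Signer: Piriform Ltd

Date/Time: 5/26/2018 8:55:03 PM
Process: [9012]C:\\Windows\\SysWOW64\\schtasks.exe
Parent: [7612]C:\\Users\\User\\AppData\\Local\\Temp\\~nsuA.tmp\\Au_.exe
Rule: BlockSchtasksExe
Command Line: schtasks /delete /tn CCleanerClean /f
Signer:
Parent Signer: Piriform Ltd
"""

PID_PATH = re.compile(r"^\[(\d+)\](.+)$")  # e.g. "[7544]C:\...\Au_.exe"

def parse_events(text):
    """One dict per blank-line-separated block. Process/Parent lose their
    [PID] prefix (kept as 'Process PID'/'Parent PID') so the same parent
    image groups together even when the PID changes between blocks."""
    events = []
    for block in re.split(r"\n\s*\n", text.strip()):
        ev = {}
        for line in block.splitlines():
            key, _, val = line.partition(":")  # first colon only: Date/Time has more
            ev[key.strip()] = val.strip()      # "Signer:" becomes ""
        for f in ("Process", "Parent"):
            m = PID_PATH.match(ev.get(f, ""))
            if m:
                ev[f + " PID"], ev[f] = int(m.group(1)), m.group(2)
        events.append(ev)
    return events

def summarize_by_parent(events):
    """Blocks per (parent image, rule) with the distinct command lines seen:
    the view needed to judge a repeated block as a false positive worth an
    exclusion, or as a candidate for a per-process notification mute."""
    out = defaultdict(lambda: {"count": 0, "signer": "", "cmdlines": set()})
    for ev in events:
        e = out[(ev["Parent"], ev["Rule"])]
        e["count"] += 1
        e["signer"] = ev.get("Parent Signer", "")
        e["cmdlines"].add(ev.get("Command Line", ""))
    return dict(out)
```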
  16. aldist

    aldist Registered Member

    Joined:
    Nov 8, 2017
    Posts:
    462
    Location:
    Germany
    @novirusthanks
    Is it possible to add a numbering of questions and answers to Help like Q1, A1, Q2, A2...? This will facilitate the orientation for the user, digits are easy to remember, and it will be easier for the developer to specify changes: ...Deleted Q5, added Q21 and Q22...
     
  17. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    8,365
    Location:
    U.S.A. (South)
    @novirusthanks - Any way to tone down, adjust or turn off the alpha transparency on the Alert Box?

    No biggie by any stretch, but from what I've been able to determine, it does seem to lag a bit.
     
  18. Overkill

    Overkill Registered Member

    Joined:
    Mar 16, 2012
    Posts:
    2,312
    Location:
    USA
    How long until the final version is stable?
     
  19. Sampei Nihira

    Sampei Nihira Registered Member

    Joined:
    Apr 7, 2013
    Posts:
    1,555
    Location:
    Italy
    @novirusthanks

    Date/Time: 28/05/2018 12:00:07
    Process: [2024]C:\Windows\SysWOW64\mshta.exe
    Process MD5 Hash: 7083239CE743FDB68DFC933B7308E80A
    Parent: [972]C:\Users\XXXX\AppData\Local\Temp\HYDC7F7.tmp.1527501585_permissionsCopy\uTorrent.exe
    Rule: BlockHtaScripts
    Rule Name: Block execution of .hta scripts
    Command Line: "C:\WINDOWS\System32\mshta.exe" "C:\Users\XXXX\AppData\Local\Temp\HYD10D8.tmp.1527501603\HTA\uninstall.hta?utorrent" "C:\Users\XXXX\AppData\Local\Temp\HYDC7F7.tmp.1527501585_permissionsCopy\uTorrent.exe" /LOG "C:\Users\XXXX\AppData\Local\Temp\HYD10D8.tmp.1527501603\uninstall.hta.log" /PID "972" /CID "C1B6F17B473FCFF723CBF2219B4061109183B97D" /VERSION "111652166" /BUCKET "9" /SSB "36907469" /COUNTRY "IT" /OS "10.0" /BROWSERS "\"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe\"" /ARCHITECTURE "64" /LANG "it" /USERNAME "XXXX Standard" /SID "S-1-5-21-4021377586-169500733-1175366892-1003" /USERLANG "it" /CLIENT "utorrent"
    Signer:
    Parent Signer:
    User/Domain: XXXX
    System File: True
    Parent System File: False
    Integrity Level: High
    Parent Integrity Level: High
     
  20. TomAZ

    TomAZ Registered Member

    Joined:
    Feb 27, 2010
    Posts:
    1,128
    Location:
    USA
    It sounds like there's quite a bit of overlap between OSA and HMPA. Do you think it's a good idea (or necessary) to use both concurrently -- or is one or the other sufficient?
     
  21. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    7,164
    Location:
    Among the gum trees
    I'm using both latest beta versions of OSA + HMP.A without any conflict on three Win10 x64 machines.
     
  22. guest

    guest Guest

    OSA is post-exploitation, meaning it will block an exploited process from doing further damage (hence the long list of processes in the Advanced tab), whereas HMPA will prevent the said process from being exploited.
     
  23. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    3,678
    Location:
    Under a bushel ...
    Yes, on two machines also.
    Thanks for that explanation.
     
  24. bellgamin

    bellgamin Very Frequent Poster

    Joined:
    Aug 1, 2002
    Posts:
    6,690
    Location:
    Hawaii
    I like loon.wav. I remember a little red-headed girl in 8th grade who sounded just like it when someone goosed her.
     
  25. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    8,365
    Location:
    U.S.A. (South)
    In that case there's no purpose for ya to change it. LoL

    Customizers like EASTER always have to apply their own tunes and some of those can sound like the roof is falling in. But gets the job done nicely :thumb:
     