NoVirusThanks OSArmor: An Additional Layer of Defense

Discussion in 'other anti-malware software' started by novirusthanks, Dec 17, 2017.

  1. novirusthanks

    novirusthanks Developer

    Joined:
    Nov 5, 2010
    Posts:
    1,028
    Location:
    Italy
    Correct, a complete uninstall + clean install of the new version is required if you're using v1.3

    If you are using v1.4 build 70 (or near that number) you can install v1.4 (final) over it without issues.
     
  2. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    7,375
    Location:
    Among the gum trees
    Great! Thanks @novirusthanks . Nice work too! :thumb:
     
  3. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    8,467
    Location:
    U.S.A. (South)
    Really awesome. Thanks Andreas and congratulations!
     
  4. Azure Phoenix

    Azure Phoenix Registered Member

    Joined:
    Nov 22, 2014
    Posts:
    1,087
    @novirusthanks Can confirm the issue I reported is fixed. Thanks.
     
  5. jimb949

    jimb949 Registered Member

    Joined:
    Jul 6, 2017
    Posts:
    129
    Location:
    LA
    When I installed OSA 1.4 final why did Windows smart screen and avast try to block it?
     
  6. shmu26

    shmu26 Registered Member

    Joined:
    Jul 9, 2015
    Posts:
    1,413
    Because it is so new. Smart screen will block files like that.
     
  7. mike83

    mike83 Registered Member

    Joined:
    Mar 9, 2016
    Posts:
    35
I'm using SUAs; on some workstations there are more than one standard user account. In addition I have created a special Visitor account that does not belong to Users group, but instead only to Guests group.

    The Visitor is allowed to use a web browser etc, but access e.g. to all data disks is limited with an ACL denying Guests access.

    Additionally I have limited access to all security software (depending on the software either access to the software folder altogether - or access to the user interface only) from the Visitor account, unless the security software already had such limitation built-in.

    I just installed OSA 1.4 and noticed that the Tray component was started on the visitor account, too; and it was possible to change the protection level.

    So, I denied Guests access to whole OSA directory. That caused major problems: After logging in, for example Windows 10 Start Menu refused to open at all any longer. My next step was to deny access to OSArmorDevUI.exe only, but to my surprise the Tray application still started and was fully operational even with the Visitor account.

    I wonder if there is a way to effectively deny access to OSA user interface from user accounts belonging to the Guests group, but still have the protection on?

    I know that it is possible to limit setting the protection level to Admin accounts only in the configuration. However, when I checked that option, then the protection setting part of the Tray menu was totally grayed out when logged in with a normal SUA. So there was no practical way to make any changes to the protection...
     
  8. jimb949

    jimb949 Registered Member

    Joined:
    Jul 6, 2017
    Posts:
    129
    Location:
    LA
    I excluded a program from being blocked but when I tried to install that program again it still got blocked. Why doesn't it remember this exclusion?
     
  9. mood

    mood Updates Team

    Joined:
    Oct 27, 2012
    Posts:
    23,766
    Of course the protection level cannot be changed if "User must be in the Administrators Group to change protection" is ticked and OSArmorDevUI.exe is running with non administrator rights :cautious:
    You need to open the Configurator, untick the option and now you are able to change the protection level.
    Perhaps the command-line is changing each time (or some other part of the exclusion) and the exclusion isn't working anymore.
    If this is the case (have a look at the log-files) you need to use wildcards or change it to a less specific rule.
     
  10. jimb949

    jimb949 Registered Member

    Joined:
    Jul 6, 2017
    Posts:
    129
    Location:
    LA
    I don't know how to play around with this. When 1.5 comes out I'm going to set the pre-defined protection mode to Basic.
     
  11. loungehake

    loungehake Registered Member

    Joined:
    Mar 9, 2015
    Posts:
    156
    Location:
    Wigan
    Thank you Andreas for OSA 1.4 final release. All advanced options are enabled and it works beautifully with my Windows XP SP3 system. The exclusions are a delight to create. That so many protections are present must mean that some impressive implementations of complex decision trees or somesuch are in use for OSA to be so light on what is an old AMD Athlon XP 3000+ powered system.
     
  12. Azure Phoenix

    Azure Phoenix Registered Member

    Joined:
    Nov 22, 2014
    Posts:
    1,087
    Did you see the log file like @mood suggested?
     
  13. loungehake

    loungehake Registered Member

    Joined:
    Mar 9, 2015
    Posts:
    156
    Location:
    Wigan
    This is a performance thing. I have decided to include the processes for Panda Dome Free 18.05 and Agnitum Outpost Firewall Pro 9.3 in Exclusions.db. These are self-defending software so what is the need for OS Armor to monitor them?

This extract from Exclusions.db shows the relevant entries:

    [%PROCESS%: C:\Program Files\Agnitum\Outpost Firewall Pro\acs.exe] [%PARENTPROCESS%: C:\WINDOWS\system32\services.exe]
    [%PROCESS%: C:\Program Files\Agnitum\Outpost Firewall Pro\op_mon.exe] [%PARENTPROCESS%: C:\WINDOWS\explorer.exe]
    [%PROCESS%: C:\Program Files\Panda Security\Panda Security Protection\PSANHost.exe] [%PARENTPROCESS%: C:\WINDOWS\system32\services.exe]
    [%PROCESS%: C:\Program Files\Panda Security\Panda Security Protection\PSUAMain.exe] [%PARENTPROCESS%: C:\WINDOWS\explorer.exe]
    [%PROCESS%: C:\Program Files\Panda Security\Panda Security Protection\PSUAService.exe] [%PARENTPROCESS%: C:\WINDOWS\system32\services.exe]

    I detect a little more liveliness in the old system's performance (wishful thinking?).
     
  14. SouthPark

    SouthPark Registered Member

    Joined:
    Jun 13, 2012
    Posts:
    413
    Location:
    USA
On the advice of forum member mekelek, I just installed OSA 1.4 final to supplement my WSA on a low-spec laptop. I've been impressed with how light it is and how easy it was to set up.

    I tested it with the HMP exploit testing tool, and it blocked exploits against Chromium (because the process was "chrome.exe") as well as VLC Portable. (Firefox 52 and 60 did not react to any of the simulated exploits with or without OSA.)

    I was surprised to find that the current VLC 3.0.3 was vulnerable to several different exploits which OSA blocked. I would like to request that SMPlayer also be added to the list of protected software.

    Thank you to NoVirusThanks for this excellent tool!
     
  15. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    7,375
    Location:
    Among the gum trees
    In HitmanPro.Alert there is a link to open Event Viewer to see blocked events and when I clicked that link I got this:
    Code:
    Date/Time: 24/06/2018 9:03:55 AM
    Process: [8808]C:\Windows\System32\mmc.exe
    Process MD5 Hash: BA80301974CC8C4FB9F3F9DDB5905C30
    Parent: [4716]C:\Windows\SysWOW64\mmc.exe
    Rule: AntiExploitMicrosoftManagementConsole
    Rule Name: (Anti-Exploit) Protect Microsoft Management Console
    Command Line: "C:\WINDOWS\system32\eventvwr.msc" "C:\WINDOWS\system32\eventvwr.msc" /v:"C:\ProgramData\Microsoft\Event Viewer\Views\hmpalert.xml"
    Signer:
    Parent Signer:
    User/Domain: David/DAVID-HP
    System File: True
    Parent System File: True
    Integrity Level: High
    Parent Integrity Level: High
    
    I have now made an exclusion.
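As an added illustration of why an exclusion can silently stop matching (the point mood raised above about the parent or other fields differing), here is a small matcher, not part of OSArmor or the original posts, that parses rules in the bracketed `[%PROCESS%: ...] [%PARENTPROCESS%: ...]` layout from the Exclusions.db extract and checks them against a block event in the `Key: value` layout of the log extract. The `*` wildcard semantics (glob-style) and the sample rules and events are assumptions constructed for the example.

```python
import fnmatch
import re

# Constructed rules in the bracketed field layout shown in the thread.
# The "*" wildcard (glob-style matching) is an assumption for this example.
EXCLUSIONS = r"""
[%PROCESS%: C:\Program Files\Agnitum\Outpost Firewall Pro\acs.exe] [%PARENTPROCESS%: C:\WINDOWS\system32\services.exe]
[%PROCESS%: C:\Program Files\Panda Security\*\PSUAMain.exe] [%PARENTPROCESS%: C:\WINDOWS\explorer.exe]
"""

# Constructed block event in the "Key: value" layout of the thread's log extract.
EVENT = r"""
Process: [8808]C:\Windows\System32\mmc.exe
Parent: [4716]C:\Windows\SysWOW64\mmc.exe
Rule: AntiExploitMicrosoftManagementConsole
"""

FIELD_RE = re.compile(r"\[%([A-Z]+)%:\s*([^\]]*)\]")
PID_RE = re.compile(r"^\[\d+\]")          # leading "[pid]" before a process path

def parse_rules(text):
    """Each non-empty line becomes a dict of field name -> pattern."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if line:
            rules.append({k: v.strip() for k, v in FIELD_RE.findall(line)})
    return rules

def parse_event(text):
    """Parse 'Key: value' lines and strip the '[pid]' prefix from paths."""
    event = {}
    for line in text.splitlines():
        if ":" in line:
            key, value = line.split(":", 1)
            event[key.strip()] = PID_RE.sub("", value.strip())
    return event

def matches(rule, event):
    """A rule matches only if every field it specifies matches (case-insensitive)."""
    mapping = {"PROCESS": "Process", "PARENTPROCESS": "Parent"}
    for field, pattern in rule.items():
        value = event.get(mapping.get(field, field), "")
        if not fnmatch.fnmatch(value.lower(), pattern.lower()):
            return False
    return True

def is_excluded(rules_text, event_text):
    """True if any rule matches the event; a single differing field breaks the match."""
    event = parse_event(event_text)
    return any(matches(rule, event) for rule in parse_rules(rules_text))
```

Running `is_excluded` over the mmc.exe event returns False, and the same process path with a different parent (services.exe instead of explorer.exe) also fails to match, which is exactly the symptom of an exclusion that "isn't working anymore".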
     
  16. coastie_sk

    coastie_sk Registered Member

    Joined:
    Jun 24, 2018
    Posts:
    1
    Location:
    Baton Rouge, LA
    New user here, so please pardon my ignorance and naïveté. Having read through the OSArmor help file I noticed the recommendation of excluding OSArmorDevSvc.exe, OSArmorDevUI.exe, OSArmorDevCfg.exe and OSArmorExcHlp.exe in the HIPS settings.

    As I'd done something similar with Malwarebytes exes in MSE I would like to accomplish this also in OS Armor. What I don't know is where to find the file/folder that those HIPS settings reside. My setup is Windows 7 Home premium, 64 bit.
     
  17. aldist

    aldist Registered Member

    Joined:
    Nov 8, 2017
    Posts:
    484
    Location:
    Lunar module
Windows 7, 8.1, 10 by default do not have the HIPS options. HIPS (Host-based Intrusion Prevention System) is available in third-party products, such as Firewall or Security Suite (Outpost, Comodo etc).
     
  18. Tyrizian

    Tyrizian Registered Member

    Joined:
    Apr 26, 2012
    Posts:
    2,823
I've been away for quite some time now, so I'm out of the loop on what's going on here on the forums. But my question is, is NoVirusThanks OSArmor an EXE Radar Pro replacement, or something completely different?
     
  19. mood

    mood Updates Team

    Joined:
    Oct 27, 2012
    Posts:
    23,766
    Short answer: No :)

You can install programs and OS Armor won't give a single alert (depends on the ticked options) whereas you highly likely received alerts by ERP.
    On the other side OS Armor detects "suspicious behavior" which goes unnoticed by ERP.
     
  20. bellgamin

    bellgamin Very Frequent Poster

    Joined:
    Aug 1, 2002
    Posts:
    6,777
    Location:
    Hawaii
I like ERP but it is a rather useless pain in the gluteus when I do an install. Its many pop-ups during an install can bust an install at times. And all those pop-ups are saying is, "Hey, this is new stuff!" I only want ERP to tell me if an install starts that was NOT instituted by me.

    OSA, on the other hand, if it pops up during an install (& it often does) I pay VERY close attention.
     
  21. loungehake

    loungehake Registered Member

    Joined:
    Mar 9, 2015
    Posts:
    156
    Location:
    Wigan
    I had reported that the Windows 7 issue had abated. Alas it has not. I surmise that the driver has some flaw which creates a timing problem on slower computers. OSArmor works great with Windows XP with quick and slow processors and with Windows 7 with quicker processors dating back 8 years or less.

    When running OSArmor on Windows 7 with slow processors, the software works well until the machine suddenly briefly becomes very slow and then completely unresponsive, the display screen freezing and then sometimes becoming pale and blank. With a very slow processor (e.g. AMD Sempron 3000 single core x64) the issue occurs sooner than later but with, say an Intel Pentium 4 3.2GHz dual core, the system can run for more than a day before the issue raises its head. It's not a problem for me as long as I can install OSArmor final release on friend and family PCs with confidence. So far I have not been disappointed.

    Obviously I would be pleased to read that the source of the problem has been identified and corrected but so many happy users is a reassuring sign.


I'll shut up now. Just a thought that the difference in processor speed making the difference between a problem occurring or not indicates a hidden flaw. I guess that almost all testers/users will be using up to date hardware so will not have noticed that there is a problem.
     
    Last edited: Jun 27, 2018
  22. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    8,467
    Location:
    U.S.A. (South)
    ERP is pure RAW metal-finely and intelligently granular of course.

    Simple solution, just DISABLE it while doing the install. Very simple and routine and is as easily available as flipping a switch.

    Hope that helps. Regards.
     
  23. bellgamin

    bellgamin Very Frequent Poster

    Joined:
    Aug 1, 2002
    Posts:
    6,777
    Location:
    Hawaii
    Yeah, that has been my practice for a long while. I wrote what I wrote to illustrate that ERP does not replace OSA nor does OSA replace ERP. I was merely expounding upon Mood's post 1895, in response to tyrizian.
     
  24. shmu26

    shmu26 Registered Member

    Joined:
    Jul 9, 2015
    Posts:
    1,413
    You don't have to wait. On the settings tab, all the way at the very bottom, there is a button to restore the default settings. That is the "basic" mode.

    Alternatively, you can turn OSA off when you install a program that you trust.
     
  25. jimb949

    jimb949 Registered Member

    Joined:
    Jul 6, 2017
    Posts:
    129
    Location:
    LA
    When I installed OSA I didn't touch the settings so that would mean it's set to basic mode right?
     