NoVirusThanks OSArmor: An Additional Layer of Defense

Discussion in 'other anti-malware software' started by novirusthanks, Dec 17, 2017.

  1. novirusthanks

    novirusthanks Developer

    Joined:
    Nov 5, 2010
    Posts:
    1,150
    Location:
    Italy
    //Everyone

    OSA may not work correctly in Windows 10 1809; we'll provide more details ASAP.

    A temporary workaround is to not upgrade until next build of OSA is released (in a few days).


    @shmu26

    Yes, will run some tests and probably add it.

    @lucidstorm

    Yes, I think what changes is the random folder name in Temp where the setup exe file is placed, for example:

    C:\Users\<user>\AppData\Local\Temp\is-RANDOM.tmp\winzip_setup_1.1.1.tmp

    If you still have those logs, please send them to me via PM so I can take a look at them.
     
  2. guest

    guest Guest

    I don't have issues yet on 1809.
     
  3. Sampei Nihira

    Sampei Nihira Registered Member

    Joined:
    Apr 7, 2013
    Posts:
    2,316
    Location:
    Italy
    @novirusthanks

    Hi Andreas.
    I tested the exclusion rule without the parent process, for the "problematic software" specified in MP, in W.10 Home 1809 (Standard Account).
    It is OK.
    TH.
     
  4. Sampei Nihira

    Sampei Nihira Registered Member

    Joined:
    Apr 7, 2013
    Posts:
    2,316
    Location:
    Italy
    It seems so, but it does not. ;)
     
  5. Willpower

    Willpower Registered Member

    Joined:
    Jan 3, 2014
    Posts:
    30
    Location:
    Sunny Okanagan, BC Canada
    No apparent issues with 1809 here.
     
  6. Sampei Nihira

    Sampei Nihira Registered Member

    Joined:
    Apr 7, 2013
    Posts:
    2,316
    Location:
    Italy
    In Italy there is a proverb that reads:

    "Appearances are deceiving".

    ;)

    _____________________________

    To All.

    Follow the developer's advice.:thumb:
     
  7. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,654
    Location:
    USA
  8. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,411
    Location:
    U.S.A.
    I suspect that unless you use Windows Defender as your AV, this is a feature you will regret implementing.

    Of note, WDEG only blocks and logs activity. So you will have to constantly refer to your Windows Event logs (the Security-Mitigations log) to find out what is going on. I believe, however, that if WD is your real-time AV, this new feature will interface with WD's GUI and display an alert notification. You will have to check this out for yourself.
     
  9. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,654
    Location:
    USA
    I was only subtly suggesting the possibility that Microsoft's devs surf the web looking at other security softs for ideas.

    Whether Microsoft's new security feature is their own innovation or someone else's, I have no idea. Many security softs use similar techniques, so it's hard to say, but NVT was the first in my memory to use process control to the extent it has been used. This goes back to NVT integrating their vulnerable process feature.

    I'm still not saying Microsoft stole their idea from NVT, but it just makes you wonder sometimes about the possibility when two products are so similar (feature/product in this case).
     
  10. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,411
    Location:
    U.S.A.
    If MS's intent was to copy OSArmor mitigations, they certainly did a piss-poor job of it. Here are the additional WDEG ASR mitigations: https://docs.microsoft.com/en-us/wi...-guard/attack-surface-reduction-exploit-guard
     
  11. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    9,815
    Location:
    U.S.A. (South)
    :argh:
    Further, let's hope they're not in the business of leeching on already outstanding third-party creations that were initially started anyway to fill in the void Windows has always had a bad reputation of leaving wide open. They should be grateful the third-party focus is on their MS platform at all.
     
  12. XenMan

    XenMan Registered Member

    Joined:
    May 8, 2018
    Posts:
    130
    Location:
    Australia
    I think we have had this discussion somewhere else: it would be easy for MS to lock down Windows, as they have the basics there already with Task Manager, an anti-exe, and Windows Firewall as something that actually works.

    There is almost a conspiracy in play…
     
  13. guest

    guest Guest

    MS didn't wait for NVT to implement default-deny; Windows AppLocker has existed for years on Enterprise versions.
     
  14. shmu26

    shmu26 Registered Member

    Joined:
    Jul 9, 2015
    Posts:
    1,531
    I can't find "Block Suspicious Behavior" in Win 10 pro 1809. Is it supposed to be there, or not?
     
  15. aldist

    aldist Registered Member

    Joined:
    Nov 8, 2017
    Posts:
    895
    Location:
    Lunar module
    Something like that; it is definitely there: howtogeek.com/359767/what-is-the-new-“block-suspicious-behaviors”-feature-in-windows-10/
     
  16. shmu26

    shmu26 Registered Member

    Joined:
    Jul 9, 2015
    Posts:
    1,531
    Yeah, it is definitely there in a screenshot of an Insider build from a few months ago. But I don't see it in 1809 release version. If it is there, and I am blind -- which would not be a big surprise -- could someone please tell me where it is?
     
  17. Willpower

    Willpower Registered Member

    Joined:
    Jan 3, 2014
    Posts:
    30
    Location:
    Sunny Okanagan, BC Canada

    So is there an issue or not?
    I certainly haven't noticed, but the suggestion here is that there could be.
    So?
     
  18. waking

    waking Registered Member

    Joined:
    Jan 25, 2016
    Posts:
    87
    AFAIK it started with Windows 10 build 17704.
     
  19. waking

    waking Registered Member

    Joined:
    Jan 25, 2016
    Posts:
    87
  20. shmu26

    shmu26 Registered Member

    Joined:
    Jul 9, 2015
    Posts:
    1,531
    This feature did not actually make it into the release version of 1809, but I think it will be added fairly soon, after MS gets some more telemetry-powered feedback from guinea pigs like me who have enabled the ASR rules by means of PowerShell.
    IMHO, the ASR rules are:
    1 Very powerful.
    2 Very different from OSArmor.
     
  21. shmu26

    shmu26 Registered Member

    Joined:
    Jul 9, 2015
    Posts:
    1,531
    It works for me in 1809 pro. Interesting.
     
  22. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,411
    Location:
    U.S.A.
    By use of a PowerShell command, or is the option available via the 1809 Pro Security Center GUI?
     
  23. shmu26

    shmu26 Registered Member

    Joined:
    Jul 9, 2015
    Posts:
    1,531
    There is no Windows GUI for it yet. I do it by PowerShell.
     
  24. shmu26

    shmu26 Registered Member

    Joined:
    Jul 9, 2015
    Posts:
    1,531
    Very interesting. The article says that the registry key is protected, so you need special software to hack it. Not sure I really want to do that...
     
  25. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,411
    Location:
    U.S.A.
    Per the tenforums.com article on the same: https://www.tenforums.com/tutorials...-block-suspicious-behaviors-windows-10-a.html
    Before doing this, I would scroll down in this registry key area and see if the actual mitigations are stored there. If they are not, I believe enabling this option will do nothing.

    Also after performing the reg. hack, make sure you change the key's ownership back to what it was originally. I assume that was System.

    I also suspect these 1809 mitigations could possibly work on 1803 if the mitigations were added manually via PowerShell and the EnableASRConsumers DWORD registry value was added. Anyone game for doing so?
     
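    As an added example (not code from NVT, Microsoft, or any poster in this thread), here is the PowerShell route that shmu26 and itman refer to above: enabling a subset of the WDEG ASR rules through the Defender cmdlets, reading the effective configuration back, and then checking the raw registry store and the event logs read-only, without taking ownership of any key. The rule GUIDs are Microsoft's documented ASR rule IDs; the registry paths, the EnableASRConsumers location, and the Security-Mitigations log names are assumptions, so confirm them on your build before relying on the output. It must be run from an elevated PowerShell on a Windows 10 machine where Windows Defender is the active AV.

```powershell
# Added example, not NVT's or Microsoft's code. Elevated PowerShell, Defender AV active.
# Rule GUIDs: Microsoft's published ASR rule IDs. Registry paths and log names: assumptions.

# Subset of the ASR rules, mapped to their documented IDs (assumption: names as documented in 1809).
$AsrRules = [ordered]@{
    'Block executable content from email client and webmail'                  = 'BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550'
    'Block all Office applications from creating child processes'              = 'D4F940AB-401B-4EFC-AADC-AD5F3C50688A'
    'Block Office applications from creating executable content'               = '3B576869-A4EC-4529-8536-B80A7769E899'
    'Block Office applications from injecting code into other processes'       = '75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84'
    'Block JavaScript or VBScript from launching downloaded executable content' = 'D3E037E1-3EB8-44C8-A917-57927947596D'
    'Block execution of potentially obfuscated scripts'                        = '5BEB7EFE-FD9A-4556-801D-275E5FFC04CC'
    'Block Win32 API calls from Office macros'                                 = '92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B'
    'Block credential stealing from LSASS'                                     = '9E6C4E1F-7D60-472F-BA1A-A39EF669E4B2'
}

# Action codes accepted by Set-/Add-MpPreference: 0 = Disabled, 1 = Block, 2 = Audit (log only).
$Audit = 2; $Block = 1

function Set-AsrRules([int]$Action) {
    # One action per rule ID; the two arrays are matched by position.
    $ids = @($AsrRules.Values)
    Add-MpPreference -AttackSurfaceReductionRules_Ids $ids `
                     -AttackSurfaceReductionRules_Actions (@($Action) * $ids.Count)
}

function Show-AsrRules {
    # What the engine believes is configured, decoded to names.
    $pref = Get-MpPreference
    for ($i = 0; $i -lt $pref.AttackSurfaceReductionRules_Ids.Count; $i++) {
        $id   = $pref.AttackSurfaceReductionRules_Ids[$i]
        $mode = switch ($pref.AttackSurfaceReductionRules_Actions[$i]) { 0 {'Disabled'} 1 {'Block'} 2 {'Audit'} default {'?'} }
        $name = ($AsrRules.GetEnumerator() | Where-Object { $_.Value -ieq $id } | Select-Object -First 1).Key
        '{0,-8} {1}  {2}' -f $mode, $id, $name
    }
}

function Show-AsrRegistry {
    # Read-only look at where the rules are stored (assumed paths): the local store and the
    # Policies store written by GPO/Intune. No ownership change, no writes.
    $asrKey = 'HKLM:\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR'
    foreach ($p in @("$asrKey\Rules",
                     'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules')) {
        if (Test-Path $p) {
            "[$p]  owner: " + (Get-Acl $p).Owner
            (Get-Item $p).Property | ForEach-Object { '  {0} = {1}' -f $_, (Get-ItemPropertyValue $p $_) }
        } else { "[$p]  (absent)" }
    }
    # The consumer-GUI switch itman mentions; assumed to live directly under the ASR key.
    $v = Get-ItemProperty -Path $asrKey -Name EnableASRConsumers -ErrorAction SilentlyContinue
    'EnableASRConsumers = ' + $(if ($v) { $v.EnableASRConsumers } else { '(not set)' })
}

function Show-MitigationEvents([int]$Max = 50) {
    # ASR: 1121 = blocked, 1122 = audited. Exploit Protection writes to the Security-Mitigations logs.
    Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Windows Defender/Operational'; Id = 1121, 1122 } `
                 -MaxEvents $Max -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, Message
    foreach ($log in 'Microsoft-Windows-Security-Mitigations/KernelMode', 'Microsoft-Windows-Security-Mitigations/UserMode') {
        Get-WinEvent -LogName $log -MaxEvents $Max -ErrorAction SilentlyContinue |
            Select-Object TimeCreated, Id, Message
    }
}

# Start in audit mode so the "problematic software" shows up as 1122 events instead of breaking.
Set-AsrRules -Action $Audit
Show-AsrRules
Show-AsrRegistry
Show-MitigationEvents
# Once the audit events look clean for your software set, promote the same rules:
#   Set-AsrRules -Action $Block
```

    Audit first, then block: because ASR only logs and blocks, as itman notes, the 1122 audit events are the only signal you get before a rule starts breaking an application, and the exclusion path for false positives is Add-MpPreference -AttackSurfaceReductionOnlyExclusions rather than editing the registry by hand. If Show-AsrRegistry reports the key as absent or empty after Set-AsrRules, the engine is not storing the rules there and flipping EnableASRConsumers would have nothing to expose.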