NoVirusThanks OSArmor: An Additional Layer of Defense

Discussion in 'other anti-malware software' started by novirusthanks, Dec 17, 2017.

  1. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    6,764
    Location:
    U.S.A.
    Per the tenforums.com article on the same: https://www.tenforums.com/tutorials...-block-suspicious-behaviors-windows-10-a.html
    Before doing this, I would scroll down in this registry key area and see if the actual mitigations are stored there. If they are not, I believe enabling this option will do nothing.

    Also after performing the reg. hack, make sure you change the key's ownership back to what it was originally. I assume that was System.

I also suspect these 1809 mitigations could possibly work on 1803 if the mitigations were added manually via PowerShell and the EnableASRConsumers DWORD reg key value was added. Anyone game for doing so?
     
  2. Hiltihome

    Hiltihome Registered Member

    Joined:
    Jul 5, 2013
    Posts:
    742
    Location:
    Baden Germany
    This reg.hack does nothing on my 1809 enterprise machine. There is no switch in the UI.
I have the mitigations set by PowerShell, and confirmed that they work.
     
  3. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    6,764
    Location:
    U.S.A.
    That makes sense since it appears this reg. switch only applies to Win 10 Home.

Also another possibility is the reg. switch will cause, upon reboot, the mitigations to be added to the registry via the WDEG PowerShell interface. Now that would be interesting; especially if the switch did the same on 1803.
     
  4. Hiltihome

    Hiltihome Registered Member

    Joined:
    Jul 5, 2013
    Posts:
    742
    Location:
    Baden Germany
    I will find out ̶t̶̶o̶̶m̶̶o̶̶r̶̶r̶̶o̶̶w̶, when I have access to WIN 10-home.

    edit: asap
     
    Last edited: Oct 11, 2018
  5. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    7,771
    Location:
    U.S.A. (South)
Thanks for the reference link to TenForums. Been extremely useful Forums for 8.1 too. :cool:
     
  6. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    6,764
    Location:
    U.S.A.
  7. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    7,771
    Location:
    U.S.A. (South)
    IF, and I mean this literally, IF after making modifications to that registry setting since it involves specialty Permissions, and some of my own experience on file permissions with Windows 10 has caused issues before. Just don't panic if it gets whacked. Use Tweaking.com's Windows Repair and it will ACCURATELY-SAFELY reset & restore them back again to prevent further weirdness. Just a precaution that might prove helpful to experimenters.
     
  8. shmu26

    shmu26 Registered Member

    Joined:
    Jul 9, 2015
    Posts:
    973
    Anyways, these features sometimes change before they reach the release version, so when it comes out, WYSIWYG.
     
  9. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    6,764
    Location:
    U.S.A.
    I believe the ASR rules shown in your screen shot are those that you manually created via Powershell or possibly created when WD is running in realtime mode.

I use a third party AV and have not created any manual ASR rules. No rules exist in my registry in that area for 1803 ver.
     
  10. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    6,764
    Location:
    U.S.A.
    Ok. That answers the question in that the ASR consumer rules are loaded by default and use of them controlled by the EnableASRConsumers reg. setting.
     
  11. shmu26

    shmu26 Registered Member

    Joined:
    Jul 9, 2015
    Posts:
    973
    Thanks for the reports!
     
  12. Sampei Nihira

    Sampei Nihira Registered Member

    Joined:
    Apr 7, 2013
    Posts:
    1,335
    Location:
    Italy
  13. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    6,764
    Location:
    U.S.A.
  14. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    7,771
    Location:
    U.S.A. (South)
    Awesome. Thanks for fishing these out for us.
     
  15. shmu26

    shmu26 Registered Member

    Joined:
    Jul 9, 2015
    Posts:
    973
    I have WD with active realtime scanning enabled, on 1809 pro, but I don't have the option in the Security Center GUI. You know how MS is with new features that they promise. Sometimes they make good on promises, but...
     
  16. shmu26

    shmu26 Registered Member

    Joined:
    Jul 9, 2015
    Posts:
    973
    Screenshot 2018-10-11 19.37.44.png
    It works
     
  17. shmu26

    shmu26 Registered Member

    Joined:
    Jul 9, 2015
    Posts:
    973
    Scroll down so you can see the lower right of the screenshot, you will see the pop-up.
    It might be hard to see on this screenshot, but Appguard is disabled. The pop-up is clearly from Windows, not from a 3rd party app.
     
    Last edited: Oct 11, 2018
  18. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    6,764
    Location:
    U.S.A.
    I think I have an idea on what is going on in 1809 in regards to these new ASR mitigations.

In the link I posted previously, the OP commented that these ASR mitigations worked on 1803 Pro despite MS statements that only so on the Enterprise vers. Appears to me MS intentionally left out the Security Center GUI enable/disable option on the non-Home 1809 vers. since they can be controlled via Group Policy.

    Now for the really big question. Will these new ASR mitigations work if one is using a third party AV? My gut is telling me that is so if one enables the EnableASRConsumers reg. setting hack. Obviously, there will be no WD alert if one is triggered but the action will be recorded in the Security-Mitigations event log.
     
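As an added example (not from any post in this thread), a PowerShell check for the two questions raised above: which ASR rules are actually configured on the machine, and whether any rule has fired. It assumes Windows 10 with the Defender PowerShell module present and an elevated session; ASR rule hits are written as events 1121 (block) and 1122 (audit) to the Defender operational log.

```powershell
# Added example, not from the thread. Lists configured ASR rules and their
# action, then pulls the most recent ASR hits from the Defender operational log.
# Requires an elevated PowerShell session on Windows 10 with Defender installed.

$actionNames = @{ 0 = 'Disabled'; 1 = 'Block'; 2 = 'Audit' }

$pref = Get-MpPreference
if ($pref.AttackSurfaceReductionRules_Ids) {
    # Ids and Actions are parallel arrays: rule GUID at index i maps to action at index i.
    for ($i = 0; $i -lt $pref.AttackSurfaceReductionRules_Ids.Count; $i++) {
        $id     = $pref.AttackSurfaceReductionRules_Ids[$i]
        $code   = [int]$pref.AttackSurfaceReductionRules_Actions[$i]
        $action = if ($actionNames.ContainsKey($code)) { $actionNames[$code] } else { "Unknown($code)" }
        '{0}  {1}' -f $id, $action
    }
} else {
    'No ASR rules configured via Add-MpPreference/Set-MpPreference or Group Policy.'
}

# Event 1121 = an ASR rule blocked an action, 1122 = audit-mode hit.
# These land in the Defender operational log, so check here even when a
# third party AV is installed and no Defender toast appears.
Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-Windows Defender/Operational'
    Id      = 1121, 1122
} -MaxEvents 20 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id,
        @{ Name = 'Detail'; Expression = { $_.Message -replace '\s+', ' ' } } |
    Format-Table -AutoSize -Wrap
```

If the first section prints rules but the second returns nothing, the rules are loaded but have not triggered (or Defender is not the active real-time engine), which is the distinction the posts above are trying to pin down.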
  19. Hiltihome

    Hiltihome Registered Member

    Joined:
    Jul 5, 2013
    Posts:
    742
    Location:
    Baden Germany
    You can also configure and test rules with a Microsoft tool:

    Windows Defender Exploit Guard evaluation package:
    http://download.microsoft.com/download/8/9/3/89365A76-6586-40CB-964A-6FBD0DAA0A6D/Windows Defender Exploit Guard evaluation package.zip?ocid=cx-dlc-evaluatewdeg
     
  20. lucidstorm

    lucidstorm Registered Member

    Joined:
    Aug 12, 2018
    Posts:
    30
    Location:
    Poland
When installing Kaspersky Cloud Free I got this warning:
    Process: [6580]C:\Windows\System32\regsvr32.exe
    Process MD5 Hash: 59BCE9F07985F8A4204F4D6554CFF708
    Parent: [6036]C:\Windows\SysWOW64\regsvr32.exe
    Rule: PreventRegsvr32LoadingDLLs
    Rule Name: Prevent regsvr32.exe from loading .DLLs
    Command Line: /s "C:\ProgramData\Kaspersky Lab\AVP19.0.0\Bases\klsihk64.dll"
    Signer:
    Parent Signer:
    User/Domain: SYSTEM/NT AUTHORITY
    System File: True
    Parent System File: True
    Integrity Level: System
    Parent Integrity Level: System

Wondering if it's ok.
     
  21. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    6,764
    Location:
    U.S.A.
    This article excerpt is for 1803 and confirms that ASR mitigations require WD to be set to realtime mode; i.e. it is the primary AV. I see no reason why this would change in 1809:
    https://argonsys.com/learn-microsof...tack-surface-against-next-generation-malware/

    In 1809, you might be able to use ASR if your third party AV does not use the Win 10 ELAM driver to load its kernel process as PPL - antivirus. In this case, WD will automatically set itself to the primary AV realtime solution.
     
  22. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    6,764
    Location:
    U.S.A.
    The download from here is: http://download.microsoft.com/download/8/9/3/89365A76-6586-40CB-964A-6FBD0DAA0A6D/Windows Defender Exploit Guard evaluation package.zip?ocid=cx-dlc-evaluatewdeg ; both the x(86) and x(64) .exe's are Microsoft signed.
     
    Last edited by a moderator: Oct 12, 2018 at 5:35 PM
  23. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    6,764
    Location:
    U.S.A.
    Yikes! The below screen shot is self-explanatory. Install the Microsoft Testing Root Certificate in the Win root trusted CA store and you won't get any more chaining errors.

Assumed is that root CA store certificate is only installed, and manually so, in development environments.

    MS_Cert_Error.png
     
    Last edited: Oct 12, 2018 at 4:36 PM
  24. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    6,100
    Location:
    Among the gum trees
    I thought this thread was about OSA.
     
  25. Circuit

    Circuit Registered Member

    Joined:
    Oct 7, 2014
    Posts:
    692
    Location:
    Land o fruits and nuts, and more crime.
    Move to another thread, quit clogging up OSA!
    There is enough to read through.
     