NoVirusThanks OSArmor: An Additional Layer of Defense

Discussion in 'other anti-malware software' started by novirusthanks, Dec 17, 2017.

  1. Sampei Nihira

    Sampei Nihira Registered Member

    Joined:
    Apr 7, 2013
    Posts:
    3,367
    Location:
    Italy
    ;):thumb:
     
  2. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    4,644
    Location:
    Under a bushel ...
    Just installed v1.3. Very neat.

    Will one be able to bypass a block? For example, I get attached blocks when opening RansomOff GUI (at least I think that's what is causing this :cautious:) ... it would be nice to allow them (rather than disable cscript in Configurator).

    Notification window appearance is very brief though ...

    Or would that defeat OSA philosophy?
     


  3. guest

    guest Guest

    You can use exceptions for this (in the coming version)
    Maybe something like this:
    Code:
    [%PROCESS%: C:\Windows\System32\conhost.exe] [%PARENT%: C:\WINDOWS\SysWOW64\cscript.exe] [%CMDLINE%: *C:\WINDOWS\system32\conhost.exe 0x4*]
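The exclusion line suggested in the post above, evaluated against sample events. This is an added example, not OSArmor's own code and not part of the original post. It assumes that every bracketed field must match, that `*` is the only wildcard, and that comparison is case-insensitive; the sample events are constructed.

```python
import re

# Rule line exactly as posted above (proposed syntax for the coming version).
RULE = (r"[%PROCESS%: C:\Windows\System32\conhost.exe] "
        r"[%PARENT%: C:\WINDOWS\SysWOW64\cscript.exe] "
        r"[%CMDLINE%: *C:\WINDOWS\system32\conhost.exe 0x4*]")

# One "[%NAME%: value]" field; the lookahead lets a value contain "]".
FIELD = re.compile(r"\[%(\w+)%:\s*(.*?)\](?=\s*\[%|\s*$)")

def parse_rule(line):
    """Split a rule line into {variable: pattern}; reject stray text."""
    fields = dict(FIELD.findall(line))
    if not fields or FIELD.sub("", line).strip():
        raise ValueError("malformed rule: %r" % line)
    return fields

def wildcard_match(pattern, value):
    """Assumed semantics: '*' matches any run of characters, case-insensitive."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, value, re.IGNORECASE | re.DOTALL) is not None

def is_excluded(rule, event):
    """An event is excluded only if every field named in the rule matches."""
    return all(wildcard_match(pat, event.get(var, ""))
               for var, pat in rule.items())

# Constructed sample events (not taken from a real OSArmor log).
BLOCKED_EVENT = {
    "PROCESS": r"C:\WINDOWS\system32\conhost.exe",
    "PARENT": r"C:\WINDOWS\SysWOW64\cscript.exe",
    "CMDLINE": r"\??\C:\WINDOWS\system32\conhost.exe 0x4",
}
OTHER_PARENT = dict(BLOCKED_EVENT, PARENT=r"C:\Windows\System32\wscript.exe")

# A rule that names only the process excludes it under any parent.
LOOSE_RULE = parse_rule(r"[%PROCESS%: C:\Windows\System32\conhost.exe]")

if __name__ == "__main__":
    rule = parse_rule(RULE)
    print("posted rule, cscript parent:", is_excluded(rule, BLOCKED_EVENT))
    print("posted rule, other parent:  ", is_excluded(rule, OTHER_PARENT))
    print("loose rule, other parent:   ", is_excluded(LOOSE_RULE, OTHER_PARENT))
```

Pinning the parent and command line, as the posted rule does, keeps the exclusion limited to the one blocked launch instead of every start of conhost.exe.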
     
  4. Buddel

    Buddel Registered Member

    Joined:
    Apr 28, 2015
    Posts:
    1,951
    Feature suggestion: Display prompts for XX seconds
    It would be great if there were an option for choosing the display time for prompts. It is currently a bit short. Thank you.
     
  5. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    4,644
    Location:
    Under a bushel ...
    Thanks @mood. Yeah, that would be great.

    I see scheduled Acronis image was also blocked overnight (see attached).
    +1. Maybe also with display till closed manually ...
     


    Last edited: Dec 24, 2017
  6. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    10,241
    Location:
    Among the gum trees
  7. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,126
    Location:
    U.S.A. (South)
    I concur. That will be helpful. Good suggestion.
     
  8. novirusthanks

    novirusthanks Developer

    Joined:
    Nov 5, 2010
    Posts:
    1,359
    Location:
    Italy
    Here is a pre-release (not final) of OSArmor v1.4:
    http://downloads.novirusthanks.org/files/osarmor_setup_1.4_test.exe

    *** Please do not share the download link, we will delete it when we release the official v1.4 ***

    This is the changelog so far (will be updated in the next days):

    + The program is now installed on Program Files
    + Added support for exclusions via Exclusions.db file
    + Added support for custom block-rules via CustomBlock.db file
    + Added option "Disable Protection" on tray icon menu
    + Added option "Manage Exclusions" on main GUI and on tray icon menu
    + Added option "Custom Block-Rules" on main GUI and on tray icon menu
    + Fixed "Open Configurator" on Windows XP
    + Fixed display of tray icon on Windows XP
    + Fixed all reported false positives
    + Improved internal rules

    Feedback is welcome :)

    @Krusty

    I'll do my best to fix all reported FPs internally on the program.

    For now Exclusions works using variables and is manual, we may however add a button "Add to Exclusions" that will create the rules for you automatically.

    @Sampei Nihira

    Please let me know if the XP issues are gone for you.

    @Buddel

    Sure, have added to the todo list.
     
  9. Buddel

    Buddel Registered Member

    Joined:
    Apr 28, 2015
    Posts:
    1,951
    Thank you.:thumb:
     
  10. liba

    liba Registered Member

    Joined:
    Jan 21, 2016
    Posts:
    344
    Please add an auto-scroll function to the OSArmor Configurator menu.
     
  11. plat1098

    plat1098 Guest

    This is kind of interesting, maybe I need to change my network configuration. Gives you a little peek into some of the stuff going on in the background without your knowing.

    osalog.PNG
     
  12. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    I have to agree. The manual rule creation is just way too complex. There are other programs that make the rules much simpler and people complain about them.
     
  13. guest

    guest Guest

    I assume it will create a rule for the previously blocked process automatically.
    Will it also be possible for the user to exclude files (or folders) in an easy way (without the need to write complicated rules)?
     
  14. Sampei Nihira

    Sampei Nihira Registered Member

    Joined:
    Apr 7, 2013
    Posts:
    3,367
    Location:
    Italy
    Hi.

    OK for the problems below:

    • Fixed "Open Configurator" on Windows XP
    • Fixed display of tray icon on Windows XP
    ________________________________________________________________________

    Failure to open:

    • Added option "Manage Exclusions" on main GUI and on tray icon menu
    • Added option "Custom Block-Rules" on main GUI and on tray icon menu

    Little visibility for the option below:

    • Added option "Disable Protection" on tray icon menu

    _____________________________________________________________________

    Why does OSArmor block "CCleaner.pdf.exe" and not "CCleaner.exe.pdf"?


    http://sendvid.com/36g01r2t

    TH.

     
    Last edited: Dec 24, 2017
  15. loungehake

    loungehake Registered Member

    Joined:
    Mar 9, 2015
    Posts:
    201
    Location:
    Wigan
    OSArmor appears to be complementary to MBAE. The two together should greatly strengthen defences.

    I want OSArmor to be able to retain settings (version 1.2 cannot) and I want to be able to set exceptions. I cannot presently use OSArmor on Windows XP because I make heavy use of StripMyRights.exe (which I have renamed DropMyRights.exe). OSArmor identifies this as 'suspicious' which I cannot override.
     
  16. Sampei Nihira

    Sampei Nihira Registered Member

    Joined:
    Apr 7, 2013
    Posts:
    3,367
    Location:
    Italy
    Do you change with PSExec:

    Example:

    To run Internet Explorer with limited-user privileges use this command:

    psexec -l -d "c:\program files\internet explorer\iexplore.exe".;)
     
  17. trott3r

    trott3r Registered Member

    Joined:
    Jan 21, 2010
    Posts:
    1,283
    Location:
    UK
    A request:

    Under statistics it goes back to zero on reboot.
    It would be good to have this session's blocked processes and a historical total in the home screen.
     
  18. trott3r

    trott3r Registered Member

    Joined:
    Jan 21, 2010
    Posts:
    1,283
    Location:
    UK
    "Date/Time: 24/12/2017 00:38:22
    Process: [7020]C:\WINDOWS\system32\Wilders Security Screen Saver v2.scr
    Parent: [860]C:\WINDOWS\system32\winlogon.exe
    Rule: RunScrOnlyOnWindowsFolder
    Rule Name: Run Windows Screensavers (.scr) only on Windows folder
    Command Line: C:\WINDOWS\system32\WILDER~1.SCR /s
    Signer:
    Parent Signer:"

    Is the screensaver in the wrong directory?
    It looks like the windows directory to me.
     
  19. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    10,241
    Location:
    Among the gum trees
    OK. Thanks.
     
  20. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,694
    Location:
    USA
    Upgraded to 1.4 on Windows 10 x 64.
     
  21. novirusthanks

    novirusthanks Developer

    Joined:
    Nov 5, 2010
    Posts:
    1,359
    Location:
    Italy
    @plat1098

    Looks like it is related to the SMB file sharing option, more info here:
    https://www.reddit.com/r/Windows10/comments/7azvqs/i_tracked_down_a_powershell_script/

    @mood @Peter2150

    We may add a button in the notification dialog (the alert when a process is blocked) with like "Exclude this block" or something similar.

    We need to better think about this. The focus is to fix all FPs (except specific ones) internally, so the regular user doesn't have to exclude too many events.

    @Sampei Nihira

    Will fix that "Manage Exclusions" and "Custom Block-Rules" and will maybe change the color of the tray icon in gray when the protection is disabled.

    Because from v1.3 it blocks only known (pre-defined list) double file extensions.

    Malware often tries to hide the .exe extension, which is why it uses file.pdf.exe and not the inverse.

    However, we can add support to detect also the inverse double file extension.

    @loungehake

    The v1.4 (pre-release) should fix those issues.

    @trott3r

    We'll discuss it.

    It should work fine on v1.4 (pre-release).

    @paulderdash

    We'll discuss it.

    @Cutting_Edgetech

    Great, let me know if you find any issues.

    Btw, Merry Christmas everyone =)
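A detection sketch for the double-extension check discussed in the post above, covering both the file.pdf.exe order and the inverse order the developer says could be added. This is an added example, not OSArmor's code and not part of the original post; the two extension lists are assumptions for illustration, not the program's pre-defined list, and the sample paths are constructed.

```python
import ntpath

# Assumed lists for illustration only (not OSArmor's pre-defined list).
DECOY_EXTS = {"pdf", "doc", "docx", "xls", "xlsx", "jpg", "png", "txt"}
EXEC_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd", "js", "vbs"}

def classify(path):
    """Return which double-extension order a file name uses, or None.

    'decoy-then-executable'  e.g. name.pdf.exe (runs as a program)
    'executable-then-decoy'  e.g. name.exe.pdf (the inverse order)
    """
    # Win32 path normalisation drops trailing dots and spaces, so remove
    # them before looking at the extensions.
    name = ntpath.basename(path).rstrip(" .").lower()
    parts = name.split(".")
    if len(parts) < 3:          # need a base name plus two extensions
        return None
    # Padding spaces between the two extensions do not change the verdict.
    inner, outer = parts[-2].strip(), parts[-1].strip()
    if inner in DECOY_EXTS and outer in EXEC_EXTS:
        return "decoy-then-executable"
    if inner in EXEC_EXTS and outer in DECOY_EXTS:
        return "executable-then-decoy"
    return None

def scan(paths):
    """Map each flagged path to its classification; clean paths are omitted."""
    return {p: c for p in paths if (c := classify(p)) is not None}

# Constructed sample paths, including the two names asked about in the thread.
SAMPLES = [
    r"C:\Users\test\Desktop\CCleaner.pdf.exe",
    r"C:\Users\test\Desktop\CCleaner.exe.pdf",
    r"C:\Users\test\Desktop\CCleaner.exe",
    r"C:\Users\test\Documents\report.v2.pdf",
    r"C:\Users\test\Downloads\invoice.pdf      .exe . ",
]

if __name__ == "__main__":
    for path, verdict in scan(SAMPLES).items():
        print(f"{verdict:24} {path}")
```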
     
  22. Buddel

    Buddel Registered Member

    Joined:
    Apr 28, 2015
    Posts:
    1,951
    I agree. The manual creation of rules is too complex for most users. Would be great if there was an easier way to create individual block rules and exclusions. Apart from that, I do like OSArmor. Well done!
     
  23. guest

    guest Guest

    we can see the remnants of Smart Object Blocker here :p

    btw, @novirusthanks how is SoB development?
     
  24. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    4,644
    Location:
    Under a bushel ...
    :thumb:
     
    Last edited: Dec 25, 2017
  25. hayc59

    hayc59 Updates Team

    Joined:
    Feb 9, 2002
    Posts:
    2,841
    Location:
    KEEP USA GREAT
    Fixed here as well, Windows XP Pro.
     