NoVirusThanks OSArmor: An Additional Layer of Defense

As long as MB does not slow down your system, then good.

 

No impact.

Back to my question please. I do not install software I do not need. "Keep it Simple, Stupid" is my philosophy.

Again, do not want to go OT.

Thanks,
Robert

 

I would get rid of Malwarebytes (not needed) and add OSArmor (a good, solid additional layer of security).

 

That's ok. Will install. Now to understand the advance options to achieve maximum protection. Got to read this thread in depth. Here we go again.

I like the GUI and icon in Systray too. Simple elegance. No fancy stuff...just the facts.

Whoa, startup is instant. Only 15 MB for both services. Efficient.

Thanks,
Robert

 

Same here, no issues so far.

 

Done! Finished reading this thread..took all morning. Now to input MY rules in Exclusions and Blocked.

v1.4.2 working fine on Win 10 Pro x64 1809.

Good info as always since Help/FAQs is basic,
Robert

 

A trivial issue is an occasional unexpected resizing of the main window (it becomes smaller). It reverts to its correct dimensions after a restart.

OSArmor version 1.4.1 seems to have lost the tendency of version 1.4 to cause Windows 7 (x64) to hang when running on very low pwered hardware. I am at last enjoying its benefits with a AMD Sempron 3000+ SINGLE CORE 1.8GHz 64bit processor.

 

Is MP3's allowed as Dev said he would implement or still only WAV? No sound plays when the Notification window is displayed with latest version. Foolishly deleted the default sound before testing.

Have it checked to Play custom sound.

Thanks,
Robert

 

What is "block suspicious SVCHOST process behaviors" ? I am mainly interested in protecting svchost, because Windows Defender's exploit protection cannot cover it - it requires 'Do not allow child processes' turned off. Because it calls other DLL's to perform each service's specific tasks.

Does OSArmor detect if a service dll has been attacked and launches another non-Windows process?

 

OSA and any other anti-exe (except NVT SOB) don't monitor dlls, however they can block LOLbins triggered by the said dll.

 

Hi guest,

I set Windows Defender exploit protection to protect SVCHOST.exe, which launches other DLL's. So the parent process is protected and all threads under it are protected right?

OK I just found out what LOLbins are.

 

Found a github list of LOLbins. Can the developer of OSArmor build on this and detect+block them ? https://github.com/LOLBAS-Project/LOLBAS/tree/master/yml

 

OSA cover a good part of the most abused ones (check advanced settings)
Then you can manually add more via the Custom Block option.

 

On my Windows 10 machine it looks like this:

Hope this helps. By the way, please note that I have another OSA-related sys file (OSArmorDevDrv.sys). Hm...

 

Hi @stapp ,

Here's mine.

 

If the service has been deleted after the uninstallation and the driver is not in use anymore you should be able to safely delete the file osadevprotect.sys.
Perhaps the developer can optimize the uninstallation routine, so that both drivers will be deleted.
(Btw. I also see the driver osadevprotect.sys after an uninstallation)

The drivers of OS Armor are embedded into the service (OSArmorDevSvc.exe) and this service is extracting them with each start to the C:\Windows\System32\drivers directory.
So it is ensured that you have correct and current drivers.
Win10x64 - OS Armor 1.4.2test4:
osadevprotect.sys = (Digital Signatures: 19 + 20. April 2018)
OSArmorDevDrv.sys = (Digital Signatures: 07 + 11. October 2018)

 

Mine was created 10. June with signatures from 19. April. Modified yesterday

 

Now, after a reimage, NVT OS's sound works (loom.wav), when the Notification appears.

Robert

P.S. guest, you and mood, test everything...just like Lockdown and mirimir does.

 

Thanks everyone for the wishes! Happy new year 2019 =)

Here is a new v1.4.2 (pre-release) test5:
https://downloads.novirusthanks.org/files/osarmor_setup_v1.4.2_beta_build5.exe

*** Please do not share the download link, we will delete it when we'll release the official v1.4.2 ***

So far this is what's new compared to the previous pre-release:

+ New rule: Prevent msiexec.exe from executing unsigned .tmp files (useful to mitigate "msi-to-exe" behaviors)
+ Improved uninstaller scripts (both .sys files are now removed)
+ Improved internal rules to block suspicious process activities
+ Improved internal rules to block suspicious command-lines
+ Minor improvements

To install it, first uninstall the previous build, then reboot (not really needed but may help), and install the new build.

Let me know if you find any issue or FPs with this new beta build.

@Roberteyewhy

OSA can play only WAV alerts sounds (MP3s are not supported).

Great, I think it was not working because the Windows audio service was not running.

Will see if we can start it once OSA is installed.

@stapp

The driver file osadevprotect.sys handles the self-defense of OSA.

I updated the uninstaller to fully remove both .sys files when OSA is uninstalled.

Thanks for reporting this.

 

Thanks for the MP3 response. Just going to use default. It works.

Robert

 

Lol it's kinda hilarious that the dev forgot to make the uninstaller remove (both) .sys files, how can you forget something that basic. Anyway, I use revo uninstaller and it deleted both of them, it's just a no-brainer to use a complete uninstaller like revo instead of uninstalling normally through control panel @stapp