Discussion in 'other anti-malware software' started by novirusthanks, Dec 17, 2017.
As long as MB does not slow down your system, then good.
Back to my question please. I do not install software I do not need. "Keep it Simple, Stupid" is my philosophy.
Again, do not want to go OT.
I would get rid of Malwarebytes (not needed) and add OSArmor (a good, solid additional layer of security).
That's ok. Will install. Now to understand the advance options to achieve maximum protection. Got to read this thread in depth. Here we go again.
I like the GUI and icon in Systray too. Simple elegance. No fancy stuff...just the facts.
Whoa, startup is instant. Only 15 MB for both services. Efficient.
No problems so far using v1.4.2
Same here, no issues so far.
Done! Finished reading this thread... took all morning. Now to input MY rules in Exclusions and Blocked.
v1.4.2 working fine on Win 10 Pro x64 1809.
Good info as always, since Help/FAQs is basic.
A trivial issue is an occasional unexpected resizing of the main window (it becomes smaller). It reverts to its correct dimensions after a restart.
OSArmor version 1.4.1 seems to have lost the tendency of version 1.4 to cause Windows 7 (x64) to hang when running on very low powered hardware. I am at last enjoying its benefits with an AMD Sempron 3000+ SINGLE CORE 1.8GHz 64bit processor.
Are MP3s allowed, as Dev said he would implement, or still only WAV? No sound plays when the Notification window is displayed with the latest version. Foolishly deleted the default sound before testing.
Have it checked to Play custom sound.
What is "block suspicious SVCHOST process behaviors"? I am mainly interested in protecting svchost, because Windows Defender's exploit protection cannot cover it - it requires 'Do not allow child processes' turned off, because it calls other DLLs to perform each service's specific tasks.
Does OSArmor detect if a service dll has been attacked and launches another non-Windows process?
OSA and any other anti-exe (except NVT SOB) don't monitor dlls, however they can block LOLbins triggered by the said dll.
I set Windows Defender exploit protection to protect SVCHOST.exe, which launches other DLLs. So the parent process is protected and all threads under it are protected, right?
OK I just found out what LOLbins are.
Found a github list of LOLbins. Can the developer of OSArmor build on this and detect+block them ? https://github.com/LOLBAS-Project/LOLBAS/tree/master/yml
OSA covers a good part of the most abused ones (check advanced settings).
Then you can manually add more via the Custom Block option.
I am on Win 10 and wonder if an OSA user would do me a favour.
I am troubleshooting something, and as part of the troubleshooting I uninstalled OSA latest build 1.4.2. test 4 and then restarted machine twice.
However I still have osadevprotect.sys left in C:\Windows\System32\Drivers. The date on it is 22nd April 2018.
I believe the latest one has a date of 22nd June.
At one time I used to just install new builds over the top and then started uninstalling the old one first. I am wondering if this sys file was not uninstalled because of that. Could someone check that sys file for me on their machine ?
On my Windows 10 machine it looks like this:
Hope this helps. By the way, please note that I have another OSA-related sys file (OSArmorDevDrv.sys). Hm...
Hi @stapp,
Thanks for the replies.
It seems odd we have different dates. On another Win 10 machine my date for that file shows 22nd June.
The other OSA file is because you have OSA installed. I have uninstalled it but still have that one file left.
If the service has been deleted after the uninstallation and the driver is not in use anymore you should be able to safely delete the file osadevprotect.sys.
Perhaps the developer can optimize the uninstallation routine, so that both drivers will be deleted.
(Btw. I also see the driver osadevprotect.sys after an uninstallation)
The drivers of OS Armor are embedded into the service (OSArmorDevSvc.exe) and this service is extracting them with each start to the C:\Windows\System32\drivers directory.
So it is ensured that you have correct and current drivers.
Win10x64 - OS Armor 1.4.2test4:
osadevprotect.sys = (Digital Signatures: 19 + 20. April 2018)
OSArmorDevDrv.sys = (Digital Signatures: 07 + 11. October 2018)
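The leftover-driver question above, turned into a check a user can run after uninstalling. This is an added example, not OSArmor's own code: the two .sys file names and the OSArmorDevSvc service name come from this thread, while the use of Win32_SystemDriver to find a driver entry that still references the file is my assumption about how the drivers are registered.

```powershell
# Added example (not OSArmor's code): audit for leftover OSArmor kernel drivers after an uninstall.
# File names and the OSArmorDevSvc service name are taken from the thread; the assumption that a
# driver service's PathName contains the .sys file name is mine and may not hold for every install.
$driverDir    = Join-Path $env:SystemRoot 'System32\drivers'
$driverFiles  = @('osadevprotect.sys', 'OSArmorDevDrv.sys')
$serviceNames = @('OSArmorDevSvc')   # user-mode service that extracts the drivers (per the thread)

foreach ($name in $driverFiles) {
    $path = Join-Path $driverDir $name
    if (-not (Test-Path $path)) {
        Write-Output "$name : not present (clean)"
        continue
    }
    $item = Get-Item $path
    # A genuine leftover should still carry a valid Authenticode signature; anything else deserves a closer look.
    $sig = Get-AuthenticodeSignature -FilePath $path
    $line = '{0} : present, modified {1:yyyy-MM-dd}, signature {2} ({3})' -f $name, $item.LastWriteTime, $sig.Status, $sig.SignerCertificate.Subject
    Write-Output $line
    # If a driver service still references the file it may be loaded, so do not delete it yet.
    $refs = Get-CimInstance Win32_SystemDriver | Where-Object { $_.PathName -like "*$name*" }
    if ($refs) {
        foreach ($r in $refs) {
            Write-Output ("   referenced by driver service '{0}' (state: {1})" -f $r.Name, $r.State)
        }
    } else {
        Write-Output '   no driver service references it; safe to remove once OSA is fully uninstalled'
    }
}

# The user-mode service should be gone after a proper uninstall.
foreach ($svc in $serviceNames) {
    $s = Get-Service -Name $svc -ErrorAction SilentlyContinue
    if ($s) { Write-Output "service $svc still registered (status: $($s.Status))" }
    else    { Write-Output "service $svc : not registered (clean)" }
}
```

Run it from an elevated PowerShell prompt, since reading the drivers directory and the signature of a kernel driver can require administrator rights.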
Mine was created 10. June with signatures from 19. April. Modified yesterday.
Now, after a reimage, NVT OS's sound works (loom.wav), when the Notification appears.
P.S. Umbra, you and mood, test everything... just like Lockdown and mirimir do.
Thanks everyone for the wishes! Happy new year 2019 =)
Here is a new v1.4.2 (pre-release) test5:
*** Please do not share the download link, we will delete it when we'll release the official v1.4.2 ***
So far this is what's new compared to the previous pre-release:
+ New rule: Prevent msiexec.exe from executing unsigned .tmp files (useful to mitigate "msi-to-exe" behaviors)
+ Improved uninstaller scripts (both .sys files are now removed)
+ Improved internal rules to block suspicious process activities
+ Improved internal rules to block suspicious command-lines
+ Minor improvements
To install it, first uninstall the previous build, then reboot (not really needed but may help), and install the new build.
Let me know if you find any issue or FPs with this new beta build.
OSA can play only WAV alerts sounds (MP3s are not supported).
Great, I think it was not working because the Windows audio service was not running.
Will see if we can start it once OSA is installed.
The driver file osadevprotect.sys handles the self-defense of OSA.
I updated the uninstaller to fully remove both .sys files when OSA is uninstalled.
Thanks for reporting this.
Thanks for the MP3 response. Just going to use default. It works.
Lol it's kinda hilarious that the dev forgot to make the uninstaller remove (both) .sys files, how can you forget something that basic. Anyway, I use revo uninstaller and it deleted both of them, it's just a no-brainer to use a complete uninstaller like revo instead of uninstalling normally through control panel @stapp
Each to their own. I don't use Revo.
Some software (especially security-type software) doesn't take kindly to 3rd party uninstallers being used on it. Plus the dev would never know about issues like this if no one told him because no one had used the software's own uninstaller.