NoVirusThanks OSArmor: An Additional Layer of Defense

Discussion in 'other anti-malware software' started by novirusthanks, Dec 17, 2017.

  1. Wolfram

    Wolfram Registered Member

    Joined:
    Jan 28, 2019
    Posts:
    31
    Location:
    Romania

    + 2 !
     
  2. Circuit

    Circuit Registered Member

    Joined:
    Oct 7, 2014
    Posts:
    778
    Location:
    Land o fruits and nuts, and more crime.
    EAM never detected anything, same with Kaspersky. Really just a waste of money.
    Go with Appguard, and OSA and maybe EXE Raderpro all that is needed @ least for Win7
    Again, no alerts from firewall.
     
  3. Umbra

    Umbra Registered Member

    Joined:
    Feb 10, 2011
    Posts:
    5,356
    Location:
    Europe then Asia
    i +1 this ;)

    If one can handle a default-deny soft properly, one won't need any real-time scanner. And if one really worry about suspicious file one may download and need, one should compare the checksum or check in Virus Total or some other rep services.
     
  4. novirusthanks

    novirusthanks Developer

    Joined:
    Nov 5, 2010
    Posts:
    1,025
    Location:
    Italy
    @Overkill @Krusty @bellgamin

    Yes, we're aware of that issue, fixing the scrollbars to move the content too while scrolling using mouse left button isn't that easy due to some limitations in the UI component we're using, but we'll see what we can do soon. It works fine only by using the mouse wheels to scroll.

    @bjm_

    Thanks for reporting that FP and for including all the details, it will be fixed on the next build.

    @Wolfram

    Sorry for the delay in the answer, will try to reply all of them now:

    OSA needs to verify the signature of digitally signed processes, hence why sometimes you see that connections.

    Of course it does not do that in any way, nor any of our other programs.

    You are free to do any tests about it.

    Not yet, for now you should uninstall the old version reboot and install the new version (recommended and most safe way to update any security program).

    However, it works fine also if you install over the top of an already installed version of OSA overwriting existing files (all is done automatically by the installer setup).

    I need to recommend the first way because it is the standard procedure.

    It is already on the todo list.

    They are just the kernel-mode drivers of OSA and are digitally signed by both SHA1 and SHA256 code sign.

    I don't know Script Sentry, but maybe it has somehow set a priority over OSA to monitor .js files?

    It may be due to Windows XP, if it is in a virtual machine, what other apps are installed, and other aspects.

    In all higher Windows versions (Vista+) it uses just a few MBs.

    We do our best to make sure OSA uses low resources.

    Because many of our other programs do the same and also to promote a little the social channels.

    Not every user clicks on Help -> About window.
     
  5. Roberteyewhy

    Roberteyewhy Registered Member

    Joined:
    Mar 4, 2007
    Posts:
    449
    Location:
    US
    Thanks.

    Robert
     
  6. drhu22

    drhu22 Registered Member

    Joined:
    Aug 21, 2010
    Posts:
    377
    A request
    Could you add network related mitigations as a subcategory in configurator?

    thanks
     
  7. Wolfram

    Wolfram Registered Member

    Joined:
    Jan 28, 2019
    Posts:
    31
    Location:
    Romania

    I agree with you, Circuit. EEK rarely finds something "dangerous". I had it installed for years, on one of my systems. And I confirm that - fortunately! - it never detected anything suspicious. But this does not prove it is ineffective.

    Instead, KVRT, from time to time, has found some Potentially Unwanted Programs. Most of them assimilated to the category "False positives".

    And yes, you are perfectly right about AppGuard. It provides complete protection.

    If I am not wrong, OSArmor is about to become a free substitute for AppGuard; and, in its specific way, for EXE Radar Pro.
     
  8. shmu26

    shmu26 Registered Member

    Joined:
    Jul 9, 2015
    Posts:
    1,195
    OSA has an advantage over Appguard in that you just need to tick boxes in order to configure it, whereas with Appguard you need to sweat a little. But OSA is not capable of replacing Appguard, and this is for several reasons. I will mention what I think are the 2 most important:
    1 OSA is not designed to be a default/deny solution, whereas AG is. (This reason also explains why OSA doesn't replace EXE Radar Pro.)
    2 OSA cannot guard apps as well as AG can, because AG applies to them also memory protection and privacy protection and write protection.
     
  9. Umbra

    Umbra Registered Member

    Joined:
    Feb 10, 2011
    Posts:
    5,356
    Location:
    Europe then Asia
    1- No, AppGuard doesn't provide complete protection:
    - it can't differentiate malicious processes from legit one, it just allow or block based on the policy. User skills then play an important role.
    - it can't block pure exploits (it is not an anti-exploits like HMPA or MBAE), however it does prevent post-exploitation if configured properly by someone who knows how it works.
    - by default, it won't block malicious processes initiated from system-space (if the user was unaware and unfortunately let it in), however the policy can be set to prevent such issue.
    2- see below


    I will add precision so people will not get the wrong picture:

    About point 1, OSA if tweaked via Custom Blocks can become a solid default-deny solution. However you won't get prompts, just blocks notifications. Reason why i said it can be a "Limited Hybrid/pseudo-SRP"

    About point 2; AppGuard Solo (not Enterprise version) has:
    - Memory Guard, which deny Guarded Apps to read/modify other processes or access specified folders.
    - only Lsass.exe is MemoryProtected, means no processes can read/modify it. This was implemented after the EternalBlue/DoublePulsar event, where the said exploit abused the process to create a backdoor at System level, then a reverse shell.
     
    Last edited: Feb 6, 2019
  10. Floyd 57

    Floyd 57 Registered Member

    Joined:
    Mar 17, 2017
    Posts:
    467
    Location:
    Europe
    How does that work, can you explain?
     
  11. Wolfram

    Wolfram Registered Member

    Joined:
    Jan 28, 2019
    Posts:
    31
    Location:
    Romania
    Warning: it is an unusually long post!


    I feel honored to receive a response from the developer of OSArmor. And not every answer, but one to object, concise, calm, written by a competent and patient man.

    I affirm from the outset that I do not question your good faith. Nor do I contest the capabilities of OSArmor. This program is very useful. It is, somehow, the long awaited complete solution for protecting Windows. It does exactly what we expect to do. I do not doubt it will be improved with every new version. With, or without "guiding" from the community.

    I know that Windows XP is antique. But I have installed it on one of my older PCs.

    Windows XP - a "Swiss cheese" like OS - is missing at least 4 years worth of progress in operating system security, in an era where the armies of hackers have evolved from kids in basements, to industrial-scale organized crime and State-sponsored professionals. The main reason why Windows XP it's way easier to attack than any other OS, is the fact that those who still use it do not bother to strengthen it and make it secure. Although in Windows XP Pro they have the appropriate administrative tools.

    For those interested in hardening their ancient OS, I recommend a book titled "Guide to Securing Microsoft Windows XP Systems for IT Professionals: A NIST Security Configuration Checklist. Recommendations of the National Institute of Standards and Technology":
    https://www.govinfo.gov/content/pkg/GOVPUB-C13-6b6d5f8b0a1c9c1300998d658f44f48a/pdf/GOVPUB-C13-6b6d5f8b0a1c9c1300998d658f44f48a.pdf


    Next year I will replace Windows XP with another Operating System. One belonging to the open source category. I may choose ReactOS - even if it's an early development stage. "6,000,000 downloads in 100 countries. And tons of references.":
    https://reactos.org/
    https://en.wikipedia.org/wiki/ReactOS

    Till then, I will continue to use Windos XP Pro SP3.

    I installed on my system a Firewall called FortKnox Personal. According to its developers, among other features, FK has the following ones:

    - Protection from inbound and outbound attacks;
    - Traffic and packet logging;
    - Statefull packet inspection;
    - Integrated Intrusion Prevention System;
    - All system connections overview;
    - Advanced rules for experienced users;
    - Anti-spoofing technologies;
    - Site Control System with ability to block individual websites.

    FortKnox is based on Sygate Firewall Pro.

    Protecting the system with a properly configured Firewall is fundamental to ensuring its security. A good Firewall can save your system, from contamination, even if you do not use any security solution.


    After this ample preamble I will go to the findings.


    Yesterday I decided to allow OSArmorDevSvc.exe to connect to the Internet. But only for an hour.
    Where it connected, I will reveal to you, a little later, in the lines below.


    You told us that "OSA needs to verify the signature of digitally signed processes, hence why sometimes you see that connections."


    My question is: why? Why does OSArmor behaves similarly to a Cloud Antivirus? <-

    As you perhaps know, there are Malware species who have perfectly valid Digital Signatures.

    "Researchers from Masaryk University in the Czech Republic and Maryland Cybersecurity Center (MCC) monitored suspicious organizations and identified four that sold Microsoft Authenticode certificates to anonymous buyers. The same research team also collected a trove of Windows-targeted malware carrying valid digital signatures."
    https://www.infosecurity-magazine.com/news/windows-malware-carries-valid/

    "The Rise of Super-Stealthy Digitally Signed Malware—Thanks to the Dark Web"
    https://thehackernews.com/2017/11/malware-digital-certificate.html

    "Stuxnet famously used legitimate digital certificates to sign its malware. A research paper from last year found that the practice is much more common than previously thought."
    https://www.schneier.com/blog/archives/2018/02/signed_malware.html


    I thought that OSArmor only needs to monitor & analyze the comportment of the programs.
    I thought that OSArmor operates as a kind of part of Group Policy Editor, already implemented in Windows.

    -> Can't you add a "local database" in OSArmor? It would be too large? Can't you use DigiCert, for example?

    -> If OSArmor is not allowed to connect to the Internet, if it is not able to verify the Digital Signatures, it won't function properly?

    -> At least, when OSArmor connects to the Internet, it uses (or not) a secured / encrypted connection?

    From what I know, under Windows you can check [manually] the Digital Signature of any program, via File Explorer. Why OSArmor can not put Explorer to work for it? <-

    I noticed, on my system, that OSArmorDevSvc.exe is reacting immediately after I open one of my installed programs. It asks me to allow it Internet access. I suppose it wants to check the validity of the Digital Signatures of the program just launched. The question is: how many times it has to do this, for the same program, "by design"? How often "a new check" has to take place? <-

    Most of the installed programs have already went through several "filters" before being allowed to install. They were, more or less, "checked" by the Operating System. Why OSArmor acts redundantly? Why is it not interrogating the Operating System? Why does it have to do its own checking? Is, OSArmor, a PUP, or a Rogue programs detector? <-



    In the followings I will present you a few portions of my Firewall's Traffic Log.

    1. OSArmor service requests Internet access:
    https://imx.to/i/1yizxj

    2. I allowed OSArmor to connect to the Internet:
    https://imx.to/i/1yizys

    3. OSArmor connects to the Internet between 22:30:38 and 22:30:52, A first "burst" of connections, lasting 14 seconds:
    https://imx.to/i/1yj02p

    4. The first notable destination (here is here...):
    https://imx.to/i/1yj02x

    -> I would like to know, please, WHY OSArmor has "to report" its presence, on a certain user's PC, to an IP address called CHINA Telecom Corporation? (CHINA NET-LAX-IDC-2014)

    According to ARIN, we are talking here about a network which is a part of chinatelecom.com.cn !
    Are we supposed to ask "more details" from Liu Zhuo, Wang Zhiyu, or Zheng Wei Zhao?!?!

    5. First destination - detailed record:
    https://imx.to/i/1yj030

    -> Is there any connection between those "kernel-mode drivers - digitally signed by both SHA1 and SHA256 code sign[ers]", and China Net?
    -> Why OSArmor is so eager to connect there? It can not function as it should, without connecting, from the start, to an obscure "Mailbox" belonging to China Telecom Corporation? It has to be "registered" there? Windows Media Player is notorious for doing the same kind of thing, with the difference it connects to Microsoft Networks.

    6. The second destination is Akamai - which might be considered "necessary", or, in the best case, "neutral". Many legitimate programs connect to Akamai.
    https://imx.to/i/1yj031

    7. The third connection was established:
    https://imx.to/i/1yj032

    Now let's see where OSArmor supposedly searches for the validity of the Digital Signatures.

    8. Third connection identified:
    https://imx.to/i/1yj033

    As you can see, it is EDGECAST NET. It is located, as the previous destination, in the same [American] state, Virginia.
    Is is only a simple coincidence that the CIAs headquarters is in that province?

    9. Third connection identified - more details:
    https://imx.to/i/1yj036

    10. Subsequent Internet traffic recorded by FortKnox:
    https://imx.to/i/1yj039

    11. New connection occur right after I started PaleMoon web browser:
    https://imx.to/i/1yj03a

    12. Identification of the IP made by ARIN:
    https://imx.to/i/1yj03b

    It is the same IP address as above.

    13. OSArmor is very ''talkative'':
    https://imx.to/i/1yj03e



    Each time I launch a program, OSArmor makes "checks", online. The frequency with which it connects to the Internet is not predictable. But, at least, now we know where it connects. But we do not know exactly WHY. (And if we know, today, can we be absolutely sure, tomorrow?)

    From an unknown reason, to my disappointment, the Packet Log of my Firewall has not recorded the data exchanged by OSArmor, with its hosts, during its "travel over the ocean".

    I decided not to deepen the investigation. I will not install, on my system, a program like WireShark. I will not make network protocol analysis.

    Therefore, I have no reason, no viable proof, to claim that NVT is spying on their customers. I will let others, more qualified, to do "forensic research".

    I noticed that most of the "hobbyists" do not really care if OSArmor connects to the Internet. OSArmorDevSvc.exe connects to China Net. Yes. And so what?! Nobody seems to be bothered by this. 99% of the "security" programs connect to the Internet. It is a commonplace. In our days, everything security-related happens "in the cloud". We all live in houses with glass walls. There is no more Privacy. People have become careless in this regard.

    However, when you know that a country like China has the reputation it has, please try to avoid using pieces of code Made in China, if you want to keep your customers. Or, at least, ask your Chinese partner to translate in English its lines of code. Someone who does not speak Chinese might worry when he sees Chinese ideograms. Not to mention China Telecom... You should spare your clients' sensibilities. You should clearly specify, in the EULA, where, and why OSArmor has to connect; i.e., for what purpose.

    In any case, those who have good Firewalls can block any communication attempts of OSArmor.

    My main concern is: will OSArmor function as it should, WITHOUT connecting, "from time to time", to the Internet? <-


    Unless otherwise proven, I do not question the good intentions of NVT. You must not look a gift horse in the... Firewall's Traffic log...

    I consider that we have a mutual understanding between gentlemen. If you gave your word that OSArmor does not do "espionage", for me it is enough.



    In your spare time, if I do not ask you too much, please formulate short answers to the questions - marked with red - that I have addressed you.

    Thank you. And continue to improve your software. People will be grateful to you.


    P. S.: if you decide to keep the hyperlinks displayed on OSArmor's main window, then you should remove them from Help -> About window. And, maybe, replace them with links to [trusted] file-servers which pay you per download, where the users can find the latest installers of OSArmor. You deserve a financial reward for your work.
     
    Last edited by a moderator: Feb 12, 2019
  12. Umbra

    Umbra Registered Member

    Joined:
    Feb 10, 2011
    Posts:
    5,356
    Location:
    Europe then Asia
    AppGuard function with a simple concept, by default:

    - Processes started from System-Space (Both Program Files and Windows folders) are assumed clean and allowed to execute.
    - Processes started from User-Space are considered malicious and their execution automatically blocked.
    (note that AG has a slider to set the level of protection and a tray icon menu to allow temporarily user-space execution)

    From here, the policy can be adjusted so some processes located in System-Space can be set as User-Space and then their execution blocked, usually the various "known-to-be-abused" LOLbins.
    Note that some known vulnerable programs/processes usually located in System-Space (Office, browsers, powershell.exe, cmd.exe, rundll32.exe, etc...) are Guarded by default to allow some security without preventing the OS to perform properly.

    It is why the user must set his policy properly and be careful not to install suspicious/malicious programs in System-Space, hence a good knowledge of programs and their behavior is required.
     
    Last edited: Feb 6, 2019
  13. shmu26

    shmu26 Registered Member

    Joined:
    Jul 9, 2015
    Posts:
    1,195
    True. You can do that, and it works (after you write a lot of manual rules). And in fact, I have done it in the past. But OSA is not designed to be used that way, so it's not trying to put other default/deny solutions to rest.
     
  14. Umbra

    Umbra Registered Member

    Joined:
    Feb 10, 2011
    Posts:
    5,356
    Location:
    Europe then Asia
    indeed.
     
  15. Wolfram

    Wolfram Registered Member

    Joined:
    Jan 28, 2019
    Posts:
    31
    Location:
    Romania


    You are perfectly right, Umbra, when you say that "User skills play an important role."

    In what concerns the degree of protection provided by AppGuard, I made my claim based on:

    1. My own tests - on the Solo version -, on a Windows XP Pro system.
    2. The statements made by Blue Planet-works Company - the developer of AppGuard.

    Well set, AppGuard is invincible. Indeed, you have to know very well what you do with such a "tool" installed on your system.

    Its proper configuration requires a vast documentation process. I even used the suggestions you made on the appropriate forums. :)
    I would say that your are the supreme authority when it comes to AppGuard.



    No matter to what challenges I subjected this program, no matter what Malware samples I tried on AppGuard, I never managed to kneel it.

    I quote from this web-page:
    https://www.appguard.us/

    - "Our technology does not rely on detection and response, it instead prevents."
    - "AppGuard prevents all non-policy conforming processes at the kernel level."
    - "AppGuard’s patented technology prevents viruses, fileless malware, botnets, polymorphic malware, weaponized documents, targeted attacks, in-memory attacks, ransomware, phishing, watering-holes, drive-by-downloads, and other undetectable advanced threats."
    - "AppGuard stops attacks at the initial stages and beyond, without requiring detection of the attack, (...)"
    - "AppGuard’s patented technology is the only security product in the marketplace that is currently undefeated by any kind of malware." [I can confirm this, n.n.]
    - "No Update Ever Needed", "No CPU Degradation", "No User Interaction Required", "Artificial Intelligence"
    - “AppGuard should be on every Windows system in the world.” Robert Bigman -Former Chief Information Security Officer, Central Intelligence Agency (CIA)
    - "Prominent industry analysts have recognized AppGuard as a leading next generation solution for endpoint protection. AppGuard won the Government Security News (GSN) Homeland Security Award for 2014, 2015 and 2016, for Best Anti-Malware Platform, as well as the 2016 American Security Today (AST) Platinum Award for Best Cyber Anti-Malware Solution. In addition to those awards, the US Army recognized the effectiveness of AppGuard by granting it a Certificate of Net Worthiness in 2017."

    Are, the above statements, just a summary of the good intentions of AppGuard's Marketing department?

    From my point of view, AppGuard is a complete Security Solution. But, as you said, you must know very well how to configure it, far beyond its default settings. And that's not within the reach of everyone.

    As long as I do not have proofs that AppGuard "is not enough" and has failed in a certain, specific case, I will not shake the trust of the potential users in its capabilities. You might have such proofs. But I do not have them. I made my affirmation based only on my [limited] experience with AppGuard - running on a Windows XP Pro system. AppGuard simply stopped every malefic program with which it faced. It was the only "security" program installed on my test machine.-
     
  16. stapp

    stapp Global Moderator

    Joined:
    Jan 12, 2006
    Posts:
    11,436
    Location:
    UK
    The title of this thread is

    NoVirusThanks OSArmor: An Additional Layer of Defense

    Not AppGuard.. please stay on topic or posts may have to be removed.
     
  17. novirusthanks

    novirusthanks Developer

    Joined:
    Nov 5, 2010
    Posts:
    1,025
    Location:
    Italy
    @Wolfram

    OSA already uses internal rules, it doesn't use remote rules.

    In case you block it, OSA will be unable to verify if a signed program has a valid or revoked certificate.

    OSA just uses Windows APIs to verify the signatures.

    I don't know what is happening on your PC, but let me explain how it works:

    1) A signed executable is going to be executed
    2) OSA intercepts it before it is executed
    3) It checks if it is signed, and it may verify the certificate (i.e if it is revoked or not valid) if certain criterias are met
    4) To do this, we use Windows APIs that do the work of checking the certificate with remote trusted servers (we don't select where it connects to)

    OSA doesn't connect to Internet to send data outside, it just uses Windows APIs to verify the signatures of digitally signed processes.

    No, all our kernel-mode drivers are developed by us and we don't use third party components.

    @drhu22

    We'll discuss about it.
     
  18. Umbra

    Umbra Registered Member

    Joined:
    Feb 10, 2011
    Posts:
    5,356
    Location:
    Europe then Asia
    @Wolfram Your PC is owned, Chinese spies got you :argh: :p
     
    Last edited: Feb 6, 2019
  19. Nitty Kutchie

    Nitty Kutchie Registered Member

    Joined:
    Apr 10, 2015
    Posts:
    132
    I personally don't think that an outdated OS should be the stage to judge anything on when a person or persons are looking to produce evidence of misconduct or compromisation.
    I personally don't fine anything about this situation funny due to the fact that if you start wrong you will end wrong, any program that a person wants to test to give creditable or accurate information about should be at least ran on a up to date OS which will then cause others to take them seriously, so that when they finally put it on anything outdated they will at least have an idea when something doesn't look right.
     
  20. Umbra

    Umbra Registered Member

    Joined:
    Feb 10, 2011
    Posts:
    5,356
    Location:
    Europe then Asia
    +1
     
  21. shmu26

    shmu26 Registered Member

    Joined:
    Jul 9, 2015
    Posts:
    1,195
    Thanks to everyone who initiated and participated in the above discussion, especially @novirusthanks , because it sure was interesting and informative!
     
  22. stapp

    stapp Global Moderator

    Joined:
    Jan 12, 2006
    Posts:
    11,436
    Location:
    UK
    Off topic posts discussing merits and explanations of other softwares removed... and will continue to get removed.
     
  23. Wolfram

    Wolfram Registered Member

    Joined:
    Jan 28, 2019
    Posts:
    31
    Location:
    Romania
    @Wolfram Your PC is owned, Chinese spies got you :argh: :p


    I like jokes. Umbra's joke is a good one. But, a joke, or not, Umbra might be right. It is not completely excluded that my Windows XP system to have been penetrated by an undetected program written by Chinese hackers. After I installed OSArmor - which hinders their activity -, that unknown Chinese program decided to use OSArmor itself, in order to connect to the Internet...

    OSArmor, being now "possessed", has transformed into a "talking [gift] horse"...

    From my point of view, OSArmor behaves "strange" (to put it euphemistically).


    NVT told us that "In case you block it [to access the Internet], OSA will be unable to verify if a signed program has a valid or revoked certificate."

    But it is still unclear to me if "no Internet access allowed" will incapacitate OSArmor up to the point of making it useless.

    => Perhaps the author of OSArmor will come back with new clarifications. <=

    If the Digital Signatures checking is absolutely necessary, then OSArmor should let Windows Explorer to connect to the Internet.
    Most people have much more trust in Explorer.exe, than in OSArmorDevSvc.exe.

    There should also be a version of OSArmor for systems without Internet access. (air-gapped systems)
     
  24. Umbra

    Umbra Registered Member

    Joined:
    Feb 10, 2011
    Posts:
    5,356
    Location:
    Europe then Asia
    @Wolfram if i were if you state of mind, i would worry more about Windows unnecessary connections than OSA ones...
    Personally i "trust" (relatively) OSA more than Windows...
     
  25. gery

    gery Registered Member

    Joined:
    Mar 8, 2008
    Posts:
    2,045
    i uninstalled it and will not need it anymore . will stay with emsisoft
     
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.