Online Armor General Discussion

Discussion in 'other anti-malware software' started by Cutting_Edgetech, Nov 18, 2014.

  1. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    4,950
    Location:
    USA
    This thread is for discussing anything directly related to Online Armor. There have been many things I have wanted to discuss about Online Armor the last few months, but there really hasn't been a good thread to post in about Online Armor since the release of Emsisoft Internet Security. I've been using Online Armor since about 2003. I know how effective Online Armor is, and I believe many members here at Wilders don't know how powerful OA HIPS really is. It has blocked all the ransomware that I'm aware of. If you find a variant that can bypass OA then please let me know. Hopefully Online Armor development will start up again soon. I look forward to discussing Online Armor.
     
    Last edited: Nov 18, 2014
  2. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    4,950
    Location:
    USA
    I just tested Online Armor against the latest HMPA exploit test tool, and it passed all of the applicable tests on my machine. I used Firefox as the exploitable application. I had a little trouble at first getting Online Armor to allow the test tool to select Firefox.exe before starting the actual test. I had to tick allow, and remember action, to allow the test tool to select Firefox.exe. I was then able to change it from allow back to ask after that. Unless I am somehow misunderstanding this test, Online Armor passed all the tests I could conduct on this machine. Calculator.exe was never able to launch. Online Armor prompted me for all of them, and did not allow the test tool to do anything that I'm aware of.

    Stats: Windows 7 x64 Ultimate.
    Hardware: Intel(R) Core(TM) i7 3.2 GHz CPU, 8GB Dual-Channel DDR3, ATI AMD Radeon HD 6900 Series (ATI), and Velociraptor 10,000 rpm Western Digital HD.

    Run Windows Calculator: pass
    Stack Pivot: pass
    Stack Exec: pass
    DEP: pass
    ROP WinExec(): pass
    ROP VirtualProtect(): pass
    ROP NtProtectVirtualMemory(): pass
    ROP System() in msvcrt: pass
    ROP VirtualProtect() via call gadget: pass
    ROP WinExec() via anti-detour: pass
    Null Page: pass
    SEHOP: pass
    HEAP Spray 1: pass
    HEAP Spray 2: pass
    HEAP Spray 3: pass
    HEAP Spray 4: pass
    Anti-VM VMware: (no VM on this machine) OA alerted anyway
    Anti-VM Virtual PC: (no VM on this machine) OA alerted anyway
    Load Library: pass
    URL Mon: pass
    URL Mon 2: pass
    URL Mon 3: pass
    Run IAT Exploit: pass
    Lockdown 1: pass
    Lockdown 2: pass
    Webcam test: (no webcam on this machine: did not test)
    Keyboard Logger: pass

    Edit: results have been edited. Take a look at post #13. Also note that the test results were inconsistent when using a different version of the test tool. Online Armor caused some versions of the test tool to crash as soon as I attempted to run the exploit.
     
    Last edited: Nov 19, 2014
  3. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    17,042
    I have to think about this one. When I tested against real malware, EIS, Appguard, and ERP if blocking the malware from running stopped it. But the point was even if the malware was allowed to run, HMPA stopped the exploit. I think the only reason OA passed was because you didn't let the "malware run". So I think the real test for me would be allowing the malware to run and then seeing if OA could block the exploit. My hunch is no. I may test tomorrow.

    Pete
     
  4. KeyPer4Life

    KeyPer4Life Registered Member

    Joined:
    Dec 18, 2013
    Posts:
    974
    Have tested Online Armor in the past with the old Comodo leak test (CLT.exe). It scored 340/340.
    Also did well IIRC on Anti-Keylogger Tester (AKLT.exe). Another old test was done with the GRC firewall leakage tester, which OA passed.
     
  5. Solarlynx

    Solarlynx Registered Member

    Joined:
    Jun 25, 2011
    Posts:
    1,913
    Thank you for sharing your testing results. I'm glad that one of my favs is still OK.
     
  6. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    8,026
    Location:
    The Netherlands
    Isn't it true that all HIPS with anti-exe capabilities will pass this test? To clarify, OA is not blocking the "memory corruption" techniques, it's blocking the result of it, and that is launching calc.exe.
     
  7. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    17,042
    From the testing I tried, you are absolutely correct. To really test it, all the blocks that were done should have been allows. I'd bet OA would have then failed. I say tried, because as I tested OA revealed its inconsistencies. I'd run the test, get a pop up, disallow, remember decision and run safer, click allow, and OA would block.

    Pete

    I was able to retest and it was very clear. It was simply the anti executable functions that were preventing execution. Given the purpose of those tests was to test memory techniques, I would totally agree, OA didn't pass that test.
     
    Last edited: Nov 18, 2014
  8. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    8,026
    Location:
    The Netherlands
    Yes exactly, EXE Radar should also pass all the tests where running calc.exe is the objective (when it's not white-listed), even though it's not designed to stop memory corruption techniques, just like OA.
     
  9. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    4,950
    Location:
    USA
    I will test again. I don't think that is what I was seeing at all. The way I tested was I allowed the HMPA test tool to run by clicking allow to all of OA's prompts. After allowing the test tool to run I then selected Firefox.exe from within the test tool as the application to be exploited. This was a little difficult to do because no matter how many times I clicked allow, OA continued to prompt me for an action, so I had to go ahead and choose remember action in order for the test tool to successfully select Firefox.exe as the application to exploit. After the test tool was able to successfully select Firefox.exe as the application to exploit, I changed the allow and remember action back to ask the user. I then ran each of the exploit tests. I received a prompt immediately for each one. I got the prompt as soon as I clicked the button on the test tool. The prompt was immediate.
     
  10. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    4,950
    Location:
    USA
    I found a pdf manual for the test tools. I will read through it before I test again.
     
  11. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    8,026
    Location:
    The Netherlands
    The point is that OA will not alert about stuff like ROP/Heap Spray, you will probably only see some alert about calc.exe wanting to launch.
     
  12. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    4,950
    Location:
    USA
    I will be posting exactly what OA blocks with each test, but I think you will be correct. I just checked a few of them. OA blocked the test tool from launching calc.exe on a few I just checked, and OA blocked the test tool from launching cmd.exe on another one I just checked. I will post exactly what OA is doing for each one. It seems Online Armor is blocking the end result instead of the actual exploit. I'm not sure that will be the case for all of them since OA does restrict access to the physical memory. I will test AppGuard also when I get a chance. I started to last night, but when I got done with Online Armor I was not sure I understood the test right, as I mentioned in my initial post.

    Btw.. the test kit I just used must be an older version because it does not give the option to choose an application to exploit like the one I used to test with. I will see if there is any difference between the two different tests.
     
  13. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    4,950
    Location:
    USA
    I had to use two different versions of the test tool to pull this test off. The newest test tool kept crashing each time I attempted to execute each of the tests, for most of them. Online Armor caused the test tool to crash before receiving any prompt upon executing many of the tests. Does that count as a pass? lol. Luckily most of the tests functioned ok with the older tool, and I was able to use the tests from the newer test tool that the older test tool did not contain. Confusing huh.. I don't know what to think about most of the tests crashing before they could do anything with the newest version of the test tool. The test exploit was never able to do anything since the tool crashed immediately. You could technically say OA blocked the attack, but I used the older tool for those to get more accurate results. I misunderstood the newest version of the test tool when previously posting the test results. I previously thought the exploited application which the user chose was supposed to somehow be used to launch calc.exe. I chose Firefox.exe, and when I went back to try the test again with Firefox, OA was just blocking the test tool from launching Firefox.exe. That must be all the exploit does, because I disabled all my security software and executed each of the attacks. The only thing the test tool did was launch Firefox.exe, and it did not use Firefox.exe to launch the calculator.

    Run Windows Calculator: test tool was able to launch calc.exe when allowing it to launch, so the test should function as intended.
    Stack Pivot: prompt was given when tool attempted to access calc.exe. I chose block, and calculator was unable to launch. Also killed test tool.
    Stack Exec: prompt was given when tool attempted to access calc.exe. I chose block, and calculator was unable to launch. Also killed test tool.
    DEP: prompt was given when tool attempted to access calc.exe. I chose block, and calculator was unable to launch. Also killed test tool.
    ROP WinExec(): prompt was given when tool attempted to access calc.exe. I chose block, and calculator was unable to launch. Also killed test tool.
    ROP VirtualProtect(): prompt was given when tool attempted to access calc.exe. I chose block, and calculator was unable to launch. Also killed test tool.
    ROP NtProtectVirtualMemory(): prompt was given when tool attempted to access calc.exe. I chose block, and calculator was unable to launch. Also killed test tool.
    ROP System() in msvcrt: prompted that the test tool was attempting to access cmd.exe from the SysWOW64 folder. I chose block. The test tool was killed.
    ROP VirtualProtect() via call gadget: prompt was given when tool attempted to access calc.exe. I chose block, and calculator was unable to launch. Also killed test tool process.
    ROP WinExec() via anti-detour: prompt was given when tool attempted to access calc.exe. I chose block, and calculator was unable to launch. Also killed test tool.
    Null Page: Null Page exploit/test failed.
    SEHOP: prompt was given when tool attempted to access calc.exe. I chose block, and calculator was unable to launch. Also killed test tool.
    HEAP Spray 1: prompt was given when tool attempted to access calc.exe. I chose block, and calculator was unable to launch. Also killed test tool.
    HEAP Spray 2: prompt was given when tool attempted to access calc.exe. I chose block, and calculator was unable to launch. Also killed test tool.
    HEAP Spray 3: prompt was given when tool attempted to access calc.exe. I chose block, and calculator was unable to launch. Also killed test tool.
    HEAP Spray 4: prompt was given when tool attempted to access calc.exe. I chose block, and calculator was unable to launch. Also killed test tool.
    Anti-VM VMware: (no VM on this machine) prompt was given when tool attempted to access calc.exe. I chose block, and calculator was unable to launch. Also killed test tool.
    Anti-VM Virtual PC: (no VM on this machine) prompt was given when tool attempted to access calc.exe. I chose block, and calculator was unable to launch. Also killed test tool.
    Load Library: Test tool was killed as soon as the test was executed. No prompts, and nothing was launched.
    URL Mon: OA prompted that the test tool requested internet access. I chose block. I then received a prompt that stated unable to download test payload.
    URL Mon 2: OA prompted that the test tool was requesting internet access. I chose block. I then got a second prompt that the test tool was attempting to access rundll32.exe. I chose block, and the test tool was killed. Nothing was able to launch.
    URL Mon 3: OA prompted that the test tool was attempting internet access. I chose block. I then received a second prompt that the test tool was attempting to launch calc.exe. I chose block, and the test tool was killed. Nothing was able to launch.
    Run IAT Exploit: prompt was given when tool attempted to access calc.exe. I chose block, and calculator was unable to launch. Also killed test tool.
    Lockdown 1: prompt was given that calc.exe was attempting to execute from a temp folder. I chose block, and the calculator was unable to launch. I received several more of the same prompt, and chose remember action.
    Lockdown 2: prompt was given that calc.exe was attempting to execute from a temp folder. I chose block, and the calculator was unable to launch.
    Webcam test: (no webcam on this machine: did not test)
    Keyboard Logger: OA prompted that a keylogger was attempting to execute. I chose block. No text was captured in the box. The box was empty.

    In summary of the test: it appears Online Armor does not block the exploits themselves, but blocks their intended actions. The test tool was killed before it could do anything with some of the tests, like the load library test. At least I don't think it did anything. I never got any feedback that anything happened from the test tool before it was killed. The keylogger test was passed by OA. In general OA fails to block the actual exploits, as the test is intended to test the ability of an application to block the exploit at its earliest stage. The ability for most exploits to do any damage should be severely handicapped though, since OA will not allow the exploit to manipulate the system. I'm not speaking of kernel exploits of course. I tested another product against all the exploits from the test tool, and it seemed to fail miserably since it did not even prevent the end result of the exploit. Calc.exe was successfully able to launch, and the other aspects of the test were failed also. I can't post about it here, and I'm not sure I tested the application correctly, so I will hold off on posting about the results for now. I think possibly I did not test the application correctly. I should get in touch with the developer before testing it again.

    Edit 11/19/14 @ 08:15: The test results were inconsistent depending on which version of the test tool was used. Online Armor caused some versions of the test tool to crash as soon as I attempted to run the exploit. None of the test tools were able to use an exploit to launch another application, or use another system process such as cmd.exe, rundll32.exe, etc. That being said, the exploits themselves were not blocked. They were only prevented from doing any harm.
     
    Last edited: Nov 19, 2014
  14. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    8,026
    Location:
    The Netherlands
    Can you tell us the name of the app that failed, and can you also tell if you tested OA against the "process hollowing" method?
     
  15. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    4,950
    Location:
    USA
    I think it's best I don't mention the app until I know for sure how to test it. No, I did not test for the process hollowing method. I did not have that option on the test.
     
  16. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    4,950
    Location:
    USA
  17. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    17,042
    There really is nothing in the thread that says they may stop. You talk about promoting OA, but posting they may stop is effective anti-promotion.
     
  18. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    17,042
    Just looked again. He states no decision has been made so it isn't worth speculating.
     
  19. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    4,950
    Location:
    USA
    His post was edited since I read it last night. I was going to post about it last night. I will pm you what it said.
     
    Last edited: Jan 15, 2015
  20. Noob

    Noob Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    6,468
    It's been a couple of months since I last used OA due to some problems I had with my system. Time to reinstall it.
     
  21. Solarlynx

    Solarlynx Registered Member

    Joined:
    Jun 25, 2011
    Posts:
    1,913
    Thank you for your tests.
    What version of OA do you test, freemium (in Standard Mode) or paid (then in Advanced Mode)?
     
  22. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    4,950
    Location:
    USA
    You're welcome! I used OA premium 7.0.0.1866. I was operating in Advanced Mode. I always operate in Advanced Mode.
     
  23. Solarlynx

    Solarlynx Registered Member

    Joined:
    Jun 25, 2011
    Posts:
    1,913
    Thank you!

    Any news if they are going to develop OA? Or just ...
     
  24. siketa

    siketa Registered Member

    Joined:
    Oct 25, 2012
    Posts:
    2,695
    Location:
    Zagreb, Croatia
    No news.
     
  25. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    4,950
    Location:
    USA
    No, the post was edited in the Emsisoft forum thread. It originally stated something like sales of Online Armor were being evaluated to see if continued development was warranted. Then it said an announcement would be made soon whether it be positive, or negative. That's paraphrasing what I can remember of it. It's no longer there. It wasn't an official announcement by Emsisoft. It was made by someone that works for Emsisoft responding to someone's question about Online Armor's future. I guess we will have to wait, and see.
     