- Apr 13, 2013
- 3,151
- Content source
- https://youtu.be/JchYFmWQ7Wk
There will be a little downtime as OSA "thinks", but I thought it important to give the full flavour so the video is not clipped for time (but I hope you enjoy it anyway).
An OSArmor Overview
- Thread starter cruelsister
- Start date
It is advised to take all reviews with a grain of salt. In extreme cases some reviews use dramatization for entertainment purposes.
Here is a prime example of where relying upon "context" - or more specifically, not covering 100% of possible permutations of "context" - results in a fail. If you want to make your protection dependent upon whitelisting\blacklisting command lines for the sake of usability, you're going to fail at some point. Why? Because it is virtually impossible to mitigate all potential permutations, and it doesn't matter how good your AI\ML backend is. Not that OSArmor employs AI\ML. It doesn't. How does Microsoft and other security vendors tackle this fact? They block globally. It's in the Microsoft internal security best practices playbook as well as its stated position in Microsoft learn as well as elsewhere. The Big M has the right concept with SAC, but it will very unfortunately bungle that entire endeavor as the Big M is so apt to do. It's probably a foregone conclusion that SAC will turn out to be another futile enterprise.
Testing malware against solution X, Y, or Z - and then being disappointed when any or all of them fail - is... I don't know - naiveté,? You must always assume breach. It's says something, that given the vast amounts of money lost every year to the malc0ders, society - especially the typical citizen - is completely unprepared to handle digital life securely. Knowing that they have to install an AV is not nearly enough. Expecting any vendor to protect you 100% of the time under 100% of the circumstances is completely unrealistic. But lots of people expect just that... "How did my credit card get hacked, I have AV installed on my home PC?" said the angry and devastated lady to Target.
Heed the @cruelsister 's admonition...
Testing malware against solution X, Y, or Z - and then being disappointed when any or all of them fail - is... I don't know - naiveté,? You must always assume breach. It's says something, that given the vast amounts of money lost every year to the malc0ders, society - especially the typical citizen - is completely unprepared to handle digital life securely. Knowing that they have to install an AV is not nearly enough. Expecting any vendor to protect you 100% of the time under 100% of the circumstances is completely unrealistic. But lots of people expect just that... "How did my credit card get hacked, I have AV installed on my home PC?" said the angry and devastated lady to Target.
Heed the @cruelsister 's admonition...
Last edited by a moderator:
- Aug 22, 2013
- 831
The average typical ones should use a mac or ipad, i am not saying its foolproof but nearly there. Windows is for geeks.
Moving from Windows only secures them so far. They should use either Chromebook (much more affordable) or Apple (finance their lives away) or Linux (if they can handle it). Then again, it is online behaviors that dictate security far more than anything else. They should also be taught to set up an online-only checking account that is disconnected from all their other accounts and sits at a low balance; money is transferred in only as-needed for vendor payment. Next to hardening or locking-down their credit accounts. Far more effective than "best AV."
I moved my parents from a windows environment to Chromebook and Ubuntu with Windows skin. It's been 7 years and no infection.
- Aug 23, 2012
- 292
@cruelsister
Thanks for the test, always much appreciated!
Regarding the outcome, here are some information that may be useful:
- OSArmor in Basic protection is focused on preventing malware infection by blocking common malware delivery methods (that are installed via maldocs, scripts, cpl, lnk, iso/img -> exe/msi/bat, unsigned msi, *crack*, etc)
- OSArmor in Medium/Advanced protection improves the protection by enabling additional options to mitigate more threats.
- OSArmor in Extreme protection is the best you get, and this includes blocking of any unsigned exe and exe signed by unknown vendors (not present in Trusted Vendors). The efficacy of this mode can be seen in the video at minute 2:08 by @Shadowra where it blocked all exe malware samples:
Video - NoVirusThanks OSArmor - Demonstration Tests
Now about the test, the main question is how the Petya ransomware or the other exe ransomware arrived on Desktop or other user space folder?
On a real-world scenario ransomware is delivered mainly via maldocs, scripts, cpl, iso/img, lnk, zip -> lnk, etc and not as exe file type (.exe attachments are blocked in emails/messages/chats/etc), so the final exe or dll payload has to successfully pass a few or many chains/stages (e.g in the case of maldocs) and here is where OSArmor kicks in -> it blocks the execution of the payload and/or the infection chain making sure the final payload exe/dll is not executed/loaded and the system is safe.
OSArmor can be configured in many ways since it has some options available, considering that exe/msi signed malware have as target mostly companies (once they are detected the certificate is revoked so it doesn't work good for users), the Basic protection + Microsoft Defender or another AV/AM is fine for regular PC users.
When the user is presented directly with a exe malware/ransomware it commonly happens with cracked software or fake software downloaded from "dubious" websites.
For this case where the user performs "risky operations" or in a company where are needed strong restrictions, then these two rules should be enabled:
"Block signers not present in Trusted Vendors"
"Block unsigned processes on user space"
If you make the test with these two options it would have blocked all exe samples, example here:
Hope these information can be useful
Thanks for the test, always much appreciated!
Regarding the outcome, here are some information that may be useful:
- OSArmor in Basic protection is focused on preventing malware infection by blocking common malware delivery methods (that are installed via maldocs, scripts, cpl, lnk, iso/img -> exe/msi/bat, unsigned msi, *crack*, etc)
- OSArmor in Medium/Advanced protection improves the protection by enabling additional options to mitigate more threats.
- OSArmor in Extreme protection is the best you get, and this includes blocking of any unsigned exe and exe signed by unknown vendors (not present in Trusted Vendors). The efficacy of this mode can be seen in the video at minute 2:08 by @Shadowra where it blocked all exe malware samples:
Video - NoVirusThanks OSArmor - Demonstration Tests
Now about the test, the main question is how the Petya ransomware or the other exe ransomware arrived on Desktop or other user space folder?
On a real-world scenario ransomware is delivered mainly via maldocs, scripts, cpl, iso/img, lnk, zip -> lnk, etc and not as exe file type (.exe attachments are blocked in emails/messages/chats/etc), so the final exe or dll payload has to successfully pass a few or many chains/stages (e.g in the case of maldocs) and here is where OSArmor kicks in -> it blocks the execution of the payload and/or the infection chain making sure the final payload exe/dll is not executed/loaded and the system is safe.
OSArmor can be configured in many ways since it has some options available, considering that exe/msi signed malware have as target mostly companies (once they are detected the certificate is revoked so it doesn't work good for users), the Basic protection + Microsoft Defender or another AV/AM is fine for regular PC users.
When the user is presented directly with a exe malware/ransomware it commonly happens with cracked software or fake software downloaded from "dubious" websites.
For this case where the user performs "risky operations" or in a company where are needed strong restrictions, then these two rules should be enabled:
"Block signers not present in Trusted Vendors"
"Block unsigned processes on user space"
If you make the test with these two options it would have blocked all exe samples, example here:
Hope these information can be useful
Last edited:
- Apr 13, 2013
- 3,151
Andreas- Thank you for a thoughtful response! I agree with agree what you state, but I should clarify a few things- First- I decided to use the Advanced setting as I took an informal poll on Wilders and that was the consensus opinion of what was being used by OSA fans
Second- The executable files could have come from just about anywhere and moved into the user space; this would include a torrent or an email link for a download from my cat's website (wouldn't suggest anyone go there! And I thought it important to make sure that a SmartScreen alert was included for just that eventuality). There are indeed many ways this could be done. but almost all would indeed involve user issue or unawareness. Although you kindly did not do this, but many when confronted with a security application failure due to malware infection will place the blame squarely on the user. This is for me really unjustifiable and reminds me of the joke about the patient seeing a Physician for an issue:
Patient "Doctor- my arm hurts when I do this!"
Physician- "Well, don't do that"
Much better would be a proper diagnosis and remediation of the issue.
Third- Personally I feel that increasing the protection to the Extreme and/or putting the additional controls in place to be too draconian for me. It restricts freedom while increasing potential FP's. Caser in point would be the SeaMonkey browser which is legitimate, been around for years but never ever has been signed. Extra work would be needed to verify its legitimacy upon an alert which the user may or may not do.
Finally- I like OSA. It did a nice job on a number of things that I didn't have time to add (as the song wasn't that long) like preventing dropped dll's from RATs from becoming active even if successfully deposited. As you have pointed out it would indeed be a compliment to a Primary AM application which actually was also the theme of the video.
m
Second- The executable files could have come from just about anywhere and moved into the user space; this would include a torrent or an email link for a download from my cat's website (wouldn't suggest anyone go there! And I thought it important to make sure that a SmartScreen alert was included for just that eventuality). There are indeed many ways this could be done. but almost all would indeed involve user issue or unawareness. Although you kindly did not do this, but many when confronted with a security application failure due to malware infection will place the blame squarely on the user. This is for me really unjustifiable and reminds me of the joke about the patient seeing a Physician for an issue:
Patient "Doctor- my arm hurts when I do this!"
Physician- "Well, don't do that"
Much better would be a proper diagnosis and remediation of the issue.
Third- Personally I feel that increasing the protection to the Extreme and/or putting the additional controls in place to be too draconian for me. It restricts freedom while increasing potential FP's. Caser in point would be the SeaMonkey browser which is legitimate, been around for years but never ever has been signed. Extra work would be needed to verify its legitimacy upon an alert which the user may or may not do.
Finally- I like OSA. It did a nice job on a number of things that I didn't have time to add (as the song wasn't that long) like preventing dropped dll's from RATs from becoming active even if successfully deposited. As you have pointed out it would indeed be a compliment to a Primary AM application which actually was also the theme of the video.
m
Well said. In the end it doesn't matter where a file comes from (yeah I know of mark of the web and their usage as a compartment) it just does. One does not immunize the system to fight just the bacteria/viruses that arrive through an oral cavity. Because if we did then the same infection could suddenly arrive through a paper cut.
I understand how OA is based on System Security Rules so you are limited by windows rule system whilst walking the right rope between too many alerts vs not enough alerts.
Let me just say that after few of those alerts I personally would have pressed ok.
- Aug 23, 2012
- 292
@cruelsister
Totally fine and my information was meant only as additional potentially useful details.
Yeah that is a problem if an user uses Extreme protection, with this mode only signed applications should be used if possible (unsigned but trusted apps should be excluded).
On the Basic protection the detection of malicious exes directly downloaded/executed from the user should be helped by the primary AV/AM, while with the two additional rules checked and/or in Extreme profile then OSA can handle them (an AV/AM should be always present).
We continuously improve OSA and videos like this can only help the product, so thanks again for the video!
Totally fine and my information was meant only as additional potentially useful details.
Yeah that is a problem if an user uses Extreme protection, with this mode only signed applications should be used if possible (unsigned but trusted apps should be excluded).
On the Basic protection the detection of malicious exes directly downloaded/executed from the user should be helped by the primary AV/AM, while with the two additional rules checked and/or in Extreme profile then OSA can handle them (an AV/AM should be always present).
We continuously improve OSA and videos like this can only help the product, so thanks again for the video!
A mac mini is $600. Add a $200 monitor, and whatever keyboard and mouse you want, and you have a capable desktop you can use for a decade. Let's cut the hyperbole here.
Hell, you can get a macbook air for $800 and use that for 8-10 years too. What windows laptop will last that long, even the more expensive ones?
- Aug 17, 2017
- 1,508
It seems to me that he recommended Apple, only with the cavate that it is expensive, or you can purchase a Chromebook for far less but yes, as you rightly imply, you get what you pay for.
That's a very North America or European-centric view of money\prices. $600 is a few months' salary for some people.
In my mind as I typed was a pimped-out MacBook Pro M2, but even the Mac Mini is out of reach for enough people.
I did not search for statistics, but a good guess is that people keep a system for about 5 years. But hey, there are people on this forum using 10+ year old Windows laptops still running XP. Not many, but there are some.
I'm starting to see why people prefer to buy macs and iphones. Why bother with the stress of the windows/android ecosystem. Sure, there is mac/ios malware but you're talking about million dollar exploits to do that compromise and public exploits are found out pretty quick. Security has improved all round though on windows/android/mac/ios so that is good news compared to 15 years ago.
What stress? In my experience, if you keep Windows updated and don't open random files, it's very hard to get infected. I've been using Android devices for 12 years and have never been infected.
OK man, whatever you say.
And all I'm saying is, compared to a new Windows computer, it's NOT that expensive, especially one that's comparatively specced.
- Dec 7, 2021
- 402
I agree what stress?? Used every version of Windows from 3 & had no infections I'm ware of, my other half has a Mac & we both have iPhones but no issues with Windows.
Whoever infected Roger_m's Android, you are doing a good job! He doesn't know about it! Keep at it! /sarcasm
Last edited:
- Jan 16, 2017
- 1,469
And how do you know? Are you saying every Android phone will be infected at some point?
No, it was a joke. The best infection is the one you don't know about.
Similar threads
