An OSArmor Overview
NoVirusThanks wrote (post 1007762):

@cruelsister

Thanks for the test, always much appreciated!

Regarding the outcome, here is some information that may be useful:

- OSArmor in Basic protection is focused on preventing malware infection by blocking common malware delivery methods (that are installed via maldocs, scripts, cpl, lnk, iso/img -> exe/msi/bat, unsigned msi, *crack*, etc.)

- OSArmor in Medium/Advanced protection improves the protection by enabling additional options to mitigate more threats.

- OSArmor in Extreme protection is the best you get, and this includes blocking of any unsigned exe and exe signed by unknown vendors (not present in Trusted Vendors). The efficacy of this mode can be seen in the video at minute 2:08 by @Shadowra where it blocked all exe malware samples:
Video - NoVirusThanks OSArmor - Demonstration Tests: https://malwaretips.com/threads/novirusthanks-osarmor-demonstration-tests.115056/

Now about the test, the main question is how the Petya ransomware or the other exe ransomware arrived on the Desktop or another user space folder?

In a real-world scenario ransomware is delivered mainly via maldocs, scripts, cpl, iso/img, lnk, zip -> lnk, etc. and not as an exe file type (.exe attachments are blocked in emails/messages/chats/etc.), so the final exe or dll payload has to successfully pass a few or many chains/stages (e.g. in the case of maldocs), and here is where OSArmor kicks in -> it blocks the execution of the payload and/or the infection chain, making sure the final payload exe/dll is not executed/loaded and the system is safe.

OSArmor can be configured in many ways since it has some options available. Considering that signed exe/msi malware mostly targets companies (once they are detected the certificate is revoked, so it doesn't work well for users), the Basic protection + Microsoft Defender or another AV/AM is fine for regular PC users.

When the user is presented directly with an exe malware/ransomware, it commonly happens with cracked software or fake software downloaded from "dubious" websites.

For this case, where the user performs "risky operations", or in a company where strong restrictions are needed, these two rules should be enabled:

"Block signers not present in Trusted Vendors"
"Block unsigned processes on user space"

If you made the test with these two options it would have blocked all exe samples, example here:

YouTube: https://www.youtube.com/watch?v=kdtHxUqDNMc&t=382

Hope this information can be useful :)
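As an added, report-only illustration of the two rules named in the post above (this is not OSArmor's code and does not reproduce how OSArmor implements them), the following PowerShell script lists running processes whose image lives in a user-writable folder and is either unsigned (or fails signature verification) or signed by a vendor outside an allow list. The allow list, the set of folders treated as "user space", and the way the signer's organisation is read from the certificate subject are assumptions made for this example; OSArmor's own definitions may differ.

```powershell
# Added example, not OSArmor code: an audit (report-only) approximation of the rules
# "Block unsigned processes on user space" and "Block signers not present in Trusted Vendors".
# Run in an elevated Windows PowerShell or PowerShell 7 session on Windows for the fullest process list.

# Assumption: vendor names allowed to run from user space (constructed list; edit for your estate).
$TrustedVendors = @(
    'Microsoft Corporation',
    'Microsoft Windows',
    'Google LLC',
    'Mozilla Corporation'
)

# Assumption: "user space" means these user-writable roots.
$UserSpaceRoots = @($env:USERPROFILE, $env:LOCALAPPDATA, $env:APPDATA, $env:TEMP, $env:PUBLIC) |
    Where-Object { $_ } |
    ForEach-Object { $_.TrimEnd('\') }

function Test-InUserSpace {
    param([string]$Path)
    foreach ($root in $UserSpaceRoots) {
        if ($Path.StartsWith("$root\", [System.StringComparison]::OrdinalIgnoreCase)) { return $true }
    }
    return $false
}

function Get-SignerOrganization {
    # Returns the O= (organisation) component of a valid Authenticode signer, or $null when the
    # file is unsigned or the signature does not verify (any status other than Valid).
    param([System.Management.Automation.Signature]$Signature)
    if ($Signature.Status -ne 'Valid' -or -not $Signature.SignerCertificate) { return $null }
    $subject = $Signature.SignerCertificate.Subject
    if ($subject -match '(?:^|,\s*)O=("[^"]*"|[^,]*)') { return $Matches[1].Trim('"') }
    return $subject   # no O= component: fall back to the full subject so it is visible in the report
}

function Get-UserSpaceSigningFindings {
    foreach ($proc in Get-Process) {
        $path = $null
        try { $path = $proc.Path } catch { }      # protected/system processes may deny access
        if (-not $path -or -not (Test-InUserSpace $path)) { continue }

        $sig    = Get-AuthenticodeSignature -FilePath $path
        $signer = Get-SignerOrganization $sig

        $verdict = $null
        if (-not $signer) {
            # "Block unsigned processes on user space" would apply; SigStatus tells unsigned from invalid
            $verdict = 'unsigned-or-invalid-signature'
        } elseif ($TrustedVendors -notcontains $signer) {
            # "Block signers not present in Trusted Vendors" would apply
            $verdict = 'signer-not-in-trusted-vendors'
        }
        if (-not $verdict) { continue }            # signed by an allowed vendor: nothing to report

        [pscustomobject]@{
            PID       = $proc.Id
            Process   = $proc.ProcessName
            Path      = $path
            SigStatus = $sig.Status
            Signer    = $signer
            Verdict   = $verdict
        }
    }
}

Get-UserSpaceSigningFindings | Sort-Object Verdict, Process | Format-Table -AutoSize
```

The script only reports; it does not terminate or block anything. Running it on a machine before enabling the two rules shows which legitimate software launched from user-writable folders would be affected, which is the usual reason such rules are left off in the Basic profile and turned on only where the post's "risky operations" or company-restriction cases apply.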