App Review NoVirusThanks OSArmor vs Ransomware

It is advised to take all reviews with a grain of salt. In extreme cases some reviews use dramatization for entertainment purposes.
Andy Ful

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,513
I have already commented Juan Diaz video's:
https://malwaretips.com/threads/wisevector-stopx-vs-ransomware.95058/#post-835181
But, this one requires some additional notes because OSArmor is not an AV. It is not designed to detect the PE malware (like EXE, DLL etc.), but can harden the system in many ways to avoid suspicious files/actions.
  1. It is easy to compile the signed malware which could bypass OSArmor if one knows how the system is hardened. Similarly, it is easy to go out of the labyrinth if one knows the right way. But, most widespread malware in the wild will be blocked, anyway.
  2. Most EXE malware in the wild is not delivered as a direct download. Usually, they are delivered by using scripts (directly or embedded in spam, documents, etc.), ZIP archives, or LOLBins. This delivery method is blocked well by OSArmor, which can be seen on the video.
For example, the delivery method of Ordinypt Wiper malware from the post:
Security Alert - Fake résumé emails attempt to spread Ordinypt Wiper to German recipients,
uses ZIP archive (spam attachment) with the malicious EXE file (Lebenslauf.pdf.exe) that pretends to be a PDF document. This also will be blocked by OSArmor.

If the author wanted to show that OSArmor can be bypassed, then this is nothing new.
If the author wanted to show how effective is OSArmor, then he failed as I commented in the post about his test on WiseVector.
If the author wanted to show how OSArmor works by using some malware examples, then the video is probably OK.
 
Last edited:
  • Like
  • +Reputation
  • Thanks
Reactions: Mercenary, Zartarra, enaph and 23 others
Andy Ful

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,513
Syafiq said:
Conclusion: Don't use security software at all, because it will fail anyway
Click to expand...

ebocious said:
I don't know how you arrived at that conclusion, and especially the bit about no security software at all. What I got out of it was don't rely on NVT OSA to be your complete security apparatus.
Click to expand...
@ebocious,
I think that his conclusion was a justified irony.;)
 
  • Like
  • HaHa
Reactions: plat, shmu26, simmerskool and 9 others
9

93803123

Andy Ful said:
I have already commented Juan Diaz video's:
https://malwaretips.com/threads/wisevector-stopx-vs-ransomware.95058/#post-835181
But, this one requires some additional notes because OSArmor is not an AV. It is not designed to detect the PE malware (like EXE, DLL etc.), but can harden the system in many ways to avoid suspicious files/actions.
  1. It is easy to compile the signed malware which could bypass OSArmor if one knows how the system is hardened. Similarly, it is easy to go out of the labyrinth if one knows the right way. But, most widespread malware in the wild will be blocked, anyway.
  2. Most EXE malware in the wild is not delivered as a direct download. Usually, they are delivered by using scripts (directly or embedded in spam, documents, etc.), ZIP archives, or LOLBins. This delivery method is blocked well by OSArmor, which can be seen on the video.
For example, the delivery method of Ordinypt Wiper malware from the post:
Security Alert - Fake résumé emails attempt to spread Ordinypt Wiper to German recipients,
uses ZIP archive (spam attachment) with the malicious EXE file (Lebenslauf.pdf.exe) that pretends to be a PDF document. This also will be blocked by OSArmor.

If the author wanted to show that OSArmor can be bypassed, then this is nothing new.
If the author wanted to show how effective is OSArmor, then he failed as I commented in the post about his test on WiseVector.
If the author wanted to show how OSArmor works by using some malware examples, then the video is probably OK.
Click to expand...

That person uses malware grabbed off of Hybrid-Analysis and other online malware repos. They aren't making custom, targeting malware.
 
  • Like
Reactions: [correlate], Venustus, roger_m and 2 others
Andy Ful

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,513
zhuzhangspankspank said:
That person uses malware grabbed off of Hybrid-Analysis and other online malware repos. They aren't making custom, targeting malware.
Click to expand...
ErzCrz said:
Wow, impressive results. Certainly something worth considering as an addition if I move away from Comodo at any point. I'll have look into it.
Click to expand...

The samples in the test are not random samples, but specially selected samples. The last sample had to be digitally signed to bypass OSArmor. The guy knows how OSArmor works and selected the last sample to bypass OSArmor. Generally, such a test alone is worthless for showing the efficiency of tested security.

It would be more interesting if the malware in the test could bypass one of the OSArmor features.
 
Last edited:
  • Like
  • +Reputation
Reactions: [correlate], stefanos, Venustus and 10 others
9

93803123

Andy Ful said:
The samples in the test are not random samples, but specially selected samples. The last sample had to be digitally signed to bypass OSArmor. The guy knows how OSArmor works and selected the last sample to bypass OSArmor.
Click to expand...

I did not say they are using random samples. They are getting the samples from the usual online sources. They aren't making their own malware.

Of course one would make a video of a sample that knowingly bypasses the protections. The whole point of the video is to show what can happen. Otherwise, there is no point in making the bypass video.
 
  • Like
Reactions: [correlate], AtlBo, harlan4096 and 2 others
Andy Ful

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,513
zhuzhangspankspank said:
I did not say they are using random samples. They are getting the samples from the usual online sources. They aren't making their own malware.
Click to expand...
Yes, I know. I also did not say that the author uses custom made malware. Anyway, selecting samples to bypass something has the same effect as preparing the custom malware to bypass something.

zhuzhangspankspank said:
Of course one would make a video of a sample that knowingly bypasses the protections. The whole point of the video is to show what can happen. Otherwise, there is no point in making the bypass video.
Click to expand...
That is also my opinion. The video uses selected samples to show how OSArmor can block malware, and that it is not 100% efficient. It cannot show anything interesting about the effectiveness of tested software. I do not think that the author's intention was showing this.
 
Last edited:
  • Like
Reactions: [correlate], Venustus, roger_m and 9 others
9

93803123

Andy Ful said:
Yes, I know. I also did not say that the author uses custom made malware. Anyway, selecting samples to bypass something has the same effect as preparing the custom malware to bypass something.


That is also my opinion. The video uses selected samples to show how OSArmor can block malware, and that it is not 100% efficient. It cannot show anything interesting about the effectiveness of tested software. I do not think that the author's intention was showing this.
Click to expand...

People don't care about "1000 random sample selected and tested, result 100% protection." When it comes down to it, they only care about bypass video and failed protections. That is what the video author feeds. That demand. This person's videos are just as legitimate as anyone else's.

Most people measure security by the number of failures, and not the number of successes. So to them, they don't care if there is a single fail in 1000. To them, a single fail is significant. A fail is a fail, no matter the context or statistics. That's just how the average human mind works and the industry cannot do anything about this psychology. It is what it is.
 
Last edited by a moderator:
  • Like
Reactions: [correlate], Venustus, AtlBo and 9 others

Similar threads

Shadowra
    • Like
    • +Reputation
    • Thanks
App Review NoVirusThanks OSArmor 2024
Replies
18
Views
2,499
Video Reviews - Security and Privacy
vonvon
vonvon
NB InfoTech
    • Like
App Review Want to try? | Comodo Antivirus Test & Review | Comodo Internet Security vs Ransomware | 2024
Replies
4
Views
406
Video Reviews - Security and Privacy
bazang
bazang
L
    • Like
App Review Windows Defender Controlled Folders bypassed by ransomware
Replies
1
Views
365
Video Reviews - Security and Privacy
oldschool
oldschool

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

Quick Navigation

Forum Rules Warning System Welcome Guide Two-factor Authentication

User Menu

Login

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top