OSArmor is not intended to block signed EXE files. It can block them when they are run from suspicious locations. It can also block some LOLBins, etc.

OSArmor on all systems here. I have a question though. So if this malware was signed, that's one protection the malware can bypass. However, how did it get past the rest? I mean, does anyone know the specific mechanism of this malware? I haven't ever used the Custom Block-Rules dialog, but maybe this could be useful for preventing this kind of attack?
OSA lets you make custom block rules, if you want, but it's easier to just use a program that is specifically designed for that, such as NVT EXE Radar Pro or Hard_Configurator.

Signed EXE files are allowed by design to run from Desktop, and we know why it allowed this. If it did not, it would block a lot of application usage on a system. The tester didn't show any bypass of OSArmor; he showed something most things would allow to run. VoodooShield would likely have prevented this by virtue of the EXE being low reputation attempting to execute though, in all fairness.

Technically, the last sample did not bypass OSArmor, because signed EXE files are allowed by design to run from Desktop.
OK, so that IS the mechanism for this malware. Don't know why, but I thought that it must surely need more than the signature to change files. Now it seems obvious to me that this is a blank check for a process without a super strong HIPS element like Comodo (and then customized, honestly). Yes, for evaluation of NVT OSArmor, citing reference to this video would incite unfair criticism of the application, I agree. Information is hidden from the viewer...

Technically, the last sample did not bypass OSArmor, because signed EXE files are allowed by design to run from Desktop.
Can only speak for me, but once 1809 then 1903 installed, there was a persistently small but noticeable delay in boot and shutdown. I couldn't get rid of it. Once I notice these things, the days of the software on my system are numbered. Switched to gpedit.msc (which is used for other Windows policies besides security-related ones) plus OSArmor with many rules enabled beyond defaults. I also disabled some things in Turn Windows Features On and Off, like SMB1 and Internet Explorer.

I wonder why people don't seem to use NVT ERP very much anymore?