App Review NoVirusThanks OSArmor vs Ransomware

It is advised to take all reviews with a grain of salt. In extreme cases some reviews use dramatization for entertainment purposes.
AtlBo

AtlBo

Level 28
Verified
Top Poster
Content Creator
Well-known
Dec 29, 2014
1,716
OSArmor on all systems here. I have a question though. So if this malware was signed, that's one protection the malware can bypass. However, how did it get past the rest? I mean, does anyone know the specific mechanism of this malware. I haven't ever used the Custom Block-Rules dialog, but maybe this could be useful for preventing this kind of attack?
 
  • Like
Reactions: Anker_by, plat, stefanos and 7 others
Andy Ful

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,513
AtlBo said:
OSArmor on all systems here. I have a question though. So if this malware was signed, that's one protection the malware can bypass. However, how did it get past the rest? I mean, does anyone know the specific mechanism of this malware. I haven't ever used the Custom Block-Rules dialog, but maybe this could be useful for preventing this kind of attack?
Click to expand...
OSArmor is not intended to block signed EXE files. It can block them when they are run from suspicious locations. It can also block some LOLBins, etc.
  1. The first sample was JS script and wscript.exe (scripting interpreter) was blocked.
  2. The second was HTA scriptlet and mshta.exe sponsor was blocked.
  3. The third was CMD script and cmd.exe sponsor was blocked.
  4. The fourth was weaponized document with a macro that tried to run VBE script - this one was blocked by anti-exploit feature for MS Word.
  5. The fifth was unsigned EXE and this one was blocked directly by Desktop protection from unsigned executables.
  6. The last was signed EXE - allowed by design to run from the Desktop.
Technically, the last sample did not bypass OSArmor, because signed EXE files are allowed by design to run from Desktop.
 
Last edited:
  • Like
  • +Reputation
Reactions: Moonhorse, plat, AtlBo and 10 others
shmu26

shmu26

Level 85
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Jul 3, 2015
8,153
Andy Ful said:
signed EXE files are allowed by design to run from Desktop
Click to expand...
OSA lets you make custom block rules, if you want, but it's easier to just use a program that is specifically designed for that, such as NVT EXE Radar Pro or Hard_Configurator.

I wonder why people don't seem to use NVT ERP very much anymore? A few years ago, it was all the rage on the security forums.
 
  • Like
Reactions: plat, AtlBo, Venustus and 4 others
F

ForgottenSeer 58943

Andy Ful said:
Technically, the last sample did not bypass OSArmor, because signed EXE files are allowed by design to run from Desktop.
Click to expand...

and we know why it allowed this. If it did not, it would block a lot of application usage on a system if it didn't. The tester didn't show any bypass of OSArmor, he showed something most things would allow to run. VoodooShield would likely have prevented this by virtue of the EXE being low reputation attempting to execute though, in all fairness.
 
  • Like
Reactions: roger_m, AtlBo, Handsome Recluse and 4 others
AtlBo

AtlBo

Level 28
Verified
Top Poster
Content Creator
Well-known
Dec 29, 2014
1,716
Andy Ful said:
Technically, the last sample did not bypass OSArmor, because signed EXE files are allowed by design to run from Desktop.
Click to expand...

OK, so that IS the mechanism for this malware. Don't know why, but I thought that it must surely need more than the signature to change files. Now it seems obvious to me that this is a blank check for a process without a super strong HIPs element like Comodo (and then customized honestly). Yes, for evaluation of NVT OSArmore, citing reference to this video would incite unfair criticism of the application, I agree. Information is hidden from the viewer...

Thanks for the explanation...
 
  • Like
Reactions: Andy Ful, ebocious, roger_m and 2 others
P

plat

Level 29
Top Poster
Sep 13, 2018
1,793
shmu26 said:
I wonder why people don't seem to use NVT ERP very much anymore?
Click to expand...

Can only speak for me but once 1809 then 1903 installed, there was a persistently small but noticeable delay in boot and shutdown. I couldn't get rid of it. Once I notice these things, the days of the software on my system are numbered. Switched to gpedit.msc (which is used for other Windows policies besides security-related) plus OSArmor with many rules enabled beyond defaults. I also disabled some things in Turn Windows Features On and Off, like SMB1 and Internet Explorer.
 
  • Like
Reactions: shmu26 and oldschool

Similar threads

Shadowra
    • Like
    • +Reputation
    • Thanks
App Review NoVirusThanks OSArmor 2024
Replies
18
Views
2,499
Video Reviews - Security and Privacy
vonvon
vonvon
NB InfoTech
    • Like
App Review Want to try? | Comodo Antivirus Test & Review | Comodo Internet Security vs Ransomware | 2024
Replies
4
Views
406
Video Reviews - Security and Privacy
bazang
bazang
L
    • Like
App Review Windows Defender Controlled Folders bypassed by ransomware
Replies
1
Views
365
Video Reviews - Security and Privacy
oldschool
oldschool

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

Quick Navigation

Forum Rules Warning System Welcome Guide Two-factor Authentication

User Menu

Login

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top