NoVirusThanks OSArmor

[Evjl's Rain]

Spoiler: Screenshots

Monitor and block suspicious processes behaviors to prevent infections by malware, ransomware, and other threats. This security application analyzes parent processes and prevents, for example, MS Word from running cmd.exe or powershell.exe, it prevents ransomware from deleting shadow copies of files via vssadmin.exe, it blocks processes with double file extensions (i.e invoice.pdf.exe), it blocks USB-spreading malware, and much more. It monitors commonly exploited processes (such as MS Office, Java, Web Browsers, Adobe PDF, Flash, etc) and blocks suspicious child processes, blocking the exploit payloads and thus preventing the malware infection.

This program is compatible with other security software and adds an additional layer of defense to prevent malware and ransomware infections. So far, we have added more than 30 smart policies to block malicious processes behaviors and improve your system security. You don't have to configure anything, just install it and forget about it. If needed, you can enable or disable the policies via the "Configurator" application, that needs Admin privileges.


An Additional Layer of Defense
This smart security application focuses on preventing a malware infection by applying smart and intelligent rules that block bad processes behaviors. This tool can block threats not detected by your installed security solution. Add to your system an additional layer of defense to prevent infections by malware and ransomware!
You don't have to configure anything, just install it and forget about it. We have already added more than 30 smart policies to improve your system security with this security application.

Basic Anti-Exploit
Analyze parent processes and child processes blocking exploit payloads.

Protect MS Office Apps
Prevent WINWORD.EXE or EXCEL.EXE from executing malicious processes.

Monitor Applications
Monitor Adobe PDF Reader, MS Office, OpenOffice, Web Browsers, etc.

Block USB Malware
Prevent execution of processes started via autorun.inf from USB devices.

Block Command-Lines
Block processes with command-line strings commonly related to malware.

Protect Shadow Copies
Block system processes (vssadmin.exe, etc) from deleting shadow copies of files.

Block File Download
Block specific command-lines related to download of remote files.

Block .COM & .PIF
Block execution of processes with .COM or .PIF obsolete file extensions.

Filter System Processes
Block wscript.exe, mshta.exe, etc if they match our rules of bad behaviors.

Block Bcedit.exe
Prevent important and critical system modifications from Bcedit.exe

Block Schtasks.exe
Block the execution of schtasks.exe (commonly used by malware).

Block Bitsadmin.exe
Prevent Bitsadmin.exe from downloading (/download) remote files.

PowerShell Rules
Block execution of encoded or malformed commands via PowerShell.

Svchost & Explorer
Block suspicious behaviors related to Svchost.exe and Explorer.exe.

Block RegisterXLL()
Prevent calling of Application.Excel RegisterXLL() via command-line.

Block Remote Scripts
Prevent Regsvr32.exe or Mshta.exe from loading remote scripts.

Very Lightweight
The software application uses only a few MBs of memory, you will not even notice it.

Free to Use
This software is completely free to use for anyone, at home and at work.


For Windows XP, Vista, 7, 8, 10 (32\64-bit)

*** Doesn't support Secure Boot for now ***

Download & more info here:
Prevent Malware and Ransomware Infections with OSArmor | NoVirusThanks

 

[enaph]

Another tool from NVT which will be abandoned after a short period of active development.

 

[Peter2150]

Another tool from NVT which will be abandoned after a short period of active development.

And the basis of this claim is....

 

[Rengar]

Another tool from NVT which will be abandoned after a short period of active development.

Why are you saying that? lol

 

[HarborFront]

So is this OSArmor the same as NVT ERP or a subset of NVT ERP? With NVT ERP do I still need the OSArmor? Or do I need both for better protection?

Thanks

 

[bribon77]

I have seen it in wilder and I have installed it in Shadow. I have deactivated all my protection and Executed some malwares .. but I have not perceived any alert ... it will be possible to prove this application?? .. it looks good as everything that this developer does. Thank you.

 

[Evjl's Rain]

I have seen it in wilder and I have installed it in Shadow. I have deactivated all my protection and Executed some malwares .. but I have not perceived any alert ... it will be possible to prove this application .. it looks good as everything that this developer does. Thank you.

I don't think this app is designed for regular malwares with .exe extension but for scriptors and several malwares which fit the criteria in the checkboxes (for example double extension malware)

the only I can see it missing is prevention against java malwares, which many AV vendors are not really good at. However I can understand the reason why

it's working properly as it just blocked my google chrome portable installer from portableapps due to its double extension .paf.exe

 

[shmu26]

The drivers are not yet co-signed, so you might have to disable secure boot to install it on Windows 10. If you ignore the warning and install it anyway, your system will become unbootable until you disable secure boot.

If your Windows 10 is from an upgrade instead of a clean install, you probably will not have this limitation.
The dev says he already applied to get sigs for the drivers, and will update the installation file accordingly.

 

[enaph]

And the basis of this claim is....

Why are you saying that? lol

It's just my biased opinion.
Just look at the website and see how many tools are there.
Now tell me how many of them are receiving regular updates/fixes?
Don't get me wrong - I love NVT soft (I even bought ERP license) but it would be better if Andreas could focus on up to 3 main tools instead of creating another tool which will be forgotten after a period of time.
Anyway I am going to try OSA

 

[Peter2150]

There a bunch and most are relatively simple and don't need updates.

 

[Prorootect]

Ah, I have a big desire for this new tool, developers are trusted!

- It would be my first downloaded software since time immemorial...
Thank you Evjl's Rain !https://malwaretips.com/members/evjls-rain.51905/

 

[AtlBo]

Yes, looking forward to running this to see where NVT has gone with this tool. It's interesting to me that the dev here has chosen to make the application free for offices. Honestly, I feel like he should reserve the free for the office decision to make at a later date personally. He has given away so much good software over the years. This is how I feel.

I wonder how this would compare on Windows 7 to the work @Andy Ful is doing with his policy based application (primarily powerful for W10 users?). I guess his is more machine policy control rather actual establishment of policy, as this seems it actually is for Windows 7. Going to be interesting to see how it works on Windows 7 for sure. A little bit strange to see an app with such simple settings. Makes me nervous for some reason.

Any other malware testing done, please pass on your findings! Thanks to @bribon77 for his initial tests.

 

[NoVirusThanks]

NVT here

Thank you for posting OSArmor here.

You may want to watch this video that demonstrate how OSArmor can block the payload of a DOC (MSWord) and SWF (Flash) exploit:


OSArmor is like a behavioral blocker with pre-built rules that block suspicious processes (in short).
It works by preventing a malware or ransomware infection in real-world scenario.

You should test it with real-world scenarios:
- Opening a malicious .DOC\.PDF.\XLS.\etc. file used to exploit MSWord\MSExcel\PDF Reader\etc to drop\download and execute a payload (malware\ransomware\etc) in the system
- Visiting a malicious website that exploits a vulnerability (Java\Flash Player\PDF\etc) to download and execute a payload in the system
- And so on. Simply clicking on a .exe file or a .vbs file would not trigger any alert.

OSArmor can also block fileless malware that execute JS or VBS code, i.e Poweliks:
Poweliks click-fraud malware goes fileless in attempt to prevent removal

This tool can really improve the security of the system and requires zero configuration.

If you have questions just ask, I'll reply here

 

[NoVirusThanks]

@shmu26

ERP gives you full control on every single application that is installed\executed in the system and is more for advanced users.

OSArmor is for beginner users (but also for experts) with pre-built rules that requires 0 configuration and adds an additional (solid) layer of defense.

 

[Sunshine-boy]

Worth it for free! even some paid Avs cant do what this free tool can do! right?it is smth like dr.web katana!

 

[shmu26]

NVT here

Thank you for posting OSArmor here.

You may want to watch this video that demonstrate how OSArmor can block the payload of a DOC (MSWord) and SWF (Flash) exploit:


OSArmor is like a behavioral blocker with pre-built rules that block suspicious processes (in short).
It works by preventing a malware or ransomware infection in real-world scenario.

You should test it with real-world scenarios:
- Opening a malicious .DOC\.PDF.\XLS.\etc. file used to exploit MSWord\MSExcel\PDF Reader\etc to drop\download and execute a payload (malware\ransomware\etc) in the system
- Visiting a malicious website that exploits a vulnerability (Java\Flash Player\PDF\etc) to download and execute a payload in the system
- And so on. Simply clicking on a .exe file or a .vbs file would not trigger any alert.

OSArmor can also block fileless malware that execute JS or VBS code, i.e Poweliks:
Poweliks click-fraud malware goes fileless in attempt to prevent removal

This tool can really improve the security of the system and requires zero configuration.

If you have questions just ask, I'll reply here

Thanks for explanations. Is this product designed to work side by side with the new ERP, or will the new ERP still have command line parsing?

 

[NoVirusThanks]

ERP gives you full control on every single application that is installed\executed in the system and is more for advanced users.

OSArmor is for beginner users (but also for experts) with pre-built rules that requires 0 configuration and adds an additional (solid) layer of defense.

 

[Deleted member 65228]

The Bcdedit.exe protection doesn't work by preventing the activity itself, it appears that it works by filtering for command line. I attempted to spawn Dbgview.exe with the fake arguments (which would have been appropriate for Bcdedit.exe) and it still got flagged, despite the target not being Bcdedit.exe. So I wouldn't count your chickens.

Date/Time: 12/17/2017 8:59:41 PM
Process: [1556]C:\Users\PCNAME\Desktop\Dbgview.exe
Parent: [3724]C:\Windows\System32\cmd.exe
Rule: BlockModificationsViaBcedit
Rule Name: Prevent important system modifications via Bcedit.exe
Command Line: dbgview.exe  -set loadoptions DDISABLE_INTEGRITY_CHECKS
Signer: Microsoft Corporation

Strangely, it doesn't flag for TESTSIGNING being enabled. You can use that instead of DDISABLE_INTEGRITY_CHECKS and it won't be flagged?

However, there's no self-protection. You need to have administrator rights to use the original Bcdedit.exe, and you can break the service for this product with Administrator rights too... Same for editing the config for it in the Registry! So that feature isn't that reliable.

Still useful and decent though - can be very handy for additional protection & I like how the User Interface is simple to use. All the settings are right there in front of you with hardly any effort at all, ease-of-use. Which is a good thing , After all it is a free product which is really nice and kind of them. The alerts UI looks nice too but would be good to have details put on there

 

[bribon77]

Thank you for being here in MT, We are many who like your Programs.

 

[NoVirusThanks]

@Opcode

We'll add self-protection (for the service only) in the next release, and we'll also add support for blocking "bcdedit.exe -set TESTSIGNING OFF" within the rule "Prevent important system modifications via Bcedit.exe", thanks for reporting it