@NoVirusThanks i'm always amazed how good your timing is to release very valuable projects just when people needs them while "killing" the concurrence at same time 
NoVirusThanks OSArmor
- Thread starter Evjl's Rain
- Start date
@NoVirusThanks i'm always amazed how good your timing is to release very valuable projects just when people needs them while "killing" the concurrence at same time
@NoVirusThanks
What @Umbra is really saying is your freeware releases coincidentally kill others' projects and softs. Such is life.
Last edited by a moderator:
- Jan 17, 2014
- 503
Bump to my own question.
Any way someone could write a harmless test file to test the program?
- Jul 3, 2015
- 8,153
Well said.
Thanks!Very interesting comments, questions, opinions and feedbacks guys
Just as information, here are some more details and characteristics about OSArmor:
1) It doesn't use code injection, API hooking, etc (as @Opcode said) and due to this, it should be compatible with mostly any other security software.
2) It is based on "Process Permit" technology (an anti-exe\application whitelisting "skeleton" framework) that uses a powerful and stable kernel-driver:
Skeleton Framework for Application Whitelisting Software | NoVirusThanks
It is the same "skeleton" used for EXE Radar Pro v3 and v4, and supports XP to 10 (32 and 64-bit), FUS, LUA, etc.
3) It is aimed at adding an additional layer of protection, independently from the security software installed (it can help mitigate and block many different kind of threats).
4) A single rule, i.e "Block suspicious command-line strings" has 100+ smart internal rules that block not just one threat, but many known and unknown ones.
5) We believe that there may always be something that OSArmor can block or mitigate that the installed security software (free or paid) may not catch.
6) It can block not-needed system programs or functionalities that are commonly hijacked\exploited by malware (mitigating a malware attack).
7) It can block common ways used by malware to infect the PC, i.e via malicious documents (DOC, XLS, etc), exploit payloads, fileless attacks, VBS or JS scripts, USB autorun.inf, and so on.
8) As of now, it uses more than 500 internal smart rules that can mitigate and block malware attacks.
Yes we agree with this, OSArmor is built for any user, we started OSArmor with not-experienced users as targets in mind.
We are doing our best to handle all important and common FPs internally (the objective is to have 0 common FPs)
All reported FPs will be fixed in the next days.
Last edited by a moderator:
- Dec 29, 2014
- 1,716
Brainstorming some this AM. @NoVirusThanks (Andreas), have you considered making this a companion of your updated NTV ERP? What I am considering is the possiblity of using the OSArmor component and its rules to wipe out the need for discovery of "clean" Windows system protected processes in ERP. This would mean that ERP users wouldn't need to simply allow all Windows processes. They could without the extra effort use a customized version of Windows processes that should be allowed by default. For sure some of them should be imo monitored by command-line usage, i.e. runonce. There is more, too, as all the rules of OSArmor could be incorporated for monitoring types of files and the others too.
I am beginning to develop a desire to come up with a list of common Windows based command lines/wildcard command lines for ERP, so that settings and rules can be transferred onto a new PC easily with NVT ERP running. After going over the list of Windows allowed that were added in the first hour or so I used NVT ERP on this PC, I noticed some of these processes that I would prefer to allow via the command line option, so I removed them from the allowed list. These made it into the list while I was running ERP with "Allow Microsoft Windows system protected processes" checked (I believe that is the default on installation?).
IDK and o/c you know these products far better than I. However, I could see both these apps in one without any overlap, using a single GUI. I am envisioning side by side dialogs, one for applications (ERP) and one for the OS (OSArmor).
Maybe you could even come up with a nice way in NVT OSArmor of monitoring Runonce and other startups without the risk that the Windows process might be unknowingly auto allowed by a user as with NVT ERP. This is sort of a well trained HIPS module that is smart enough imo to be thought of as behavior blocker. Another good thing to monitor would be running tasks. If a task wants to start, using OSArmor alert, user can block the task once or for each attempt (maybe even disable the task LOL, although I think I am seeing possible UAC development challenges for standard user account users). There is always monitoring of changes to drivers too and I suppose others.
I am beginning to develop a desire to come up with a list of common Windows based command lines/wildcard command lines for ERP, so that settings and rules can be transferred onto a new PC easily with NVT ERP running. After going over the list of Windows allowed that were added in the first hour or so I used NVT ERP on this PC, I noticed some of these processes that I would prefer to allow via the command line option, so I removed them from the allowed list. These made it into the list while I was running ERP with "Allow Microsoft Windows system protected processes" checked (I believe that is the default on installation?).
IDK and o/c you know these products far better than I. However, I could see both these apps in one without any overlap, using a single GUI. I am envisioning side by side dialogs, one for applications (ERP) and one for the OS (OSArmor).
Maybe you could even come up with a nice way in NVT OSArmor of monitoring Runonce and other startups without the risk that the Windows process might be unknowingly auto allowed by a user as with NVT ERP. This is sort of a well trained HIPS module that is smart enough imo to be thought of as behavior blocker. Another good thing to monitor would be running tasks. If a task wants to start, using OSArmor alert, user can block the task once or for each attempt (maybe even disable the task LOL, although I think I am seeing possible UAC development challenges for standard user account users
). There is always monitoring of changes to drivers too and I suppose others.I hasten to want OSA turned into 'something more'.
It is what it is, and it's good at what it is good at.. Like the old days with QwikFix and Geek Superhero, they never tried to be anything more than they were. Sure they were eventually bought out and integrated with other products or went legacy. But while they were around they did what they did very well. All the while people like MalwareBytes were trying to morph what they had with 1.75 into something more with each revision after revision missing the point of what they had.
Just my opinion on that.
It is what it is, and it's good at what it is good at.. Like the old days with QwikFix and Geek Superhero, they never tried to be anything more than they were. Sure they were eventually bought out and integrated with other products or went legacy. But while they were around they did what they did very well. All the while people like MalwareBytes were trying to morph what they had with 1.75 into something more with each revision after revision missing the point of what they had.
Just my opinion on that.
ERP should stay just an anti-exe, many softs try to be more than what they should be and failed at it by introducing more complexity and bugs.
- Jan 17, 2014
- 503
I would like to see OS Armor tweaked and have rules added to where it could be considered a full fledged Behavior Blocker (for free)
The only reason I use Voodooshield is because there are no free ones left.
I prefer a AV+BB combo over a AV+Anti-exe combo honestly.
The only reason I use Voodooshield is because there are no free ones left.
I prefer a AV+BB combo over a AV+Anti-exe combo honestly.
100% agreement from me there. I think a BB type product would be much more valuable. There are plenty of good working anti-exe's out there.
- Aug 2, 2014
- 368
- Jan 17, 2014
- 503
Voodooshield
NVT Exe Radar pro
Comodo Firewall (If configured correctly can be used as a anti-exe, can be dangerous though)
come to mind
NoVirusThanks EXE Pro Radar, VoodooShield, AppGuard, Faronics Anti-Executable.
Appguard is SRP like Applocker, not anti-exe. AG doesn't prompt like the others, it just blocks or not.
ERP can simulate SRP tough, one reason i like it.
- Oct 30, 2015
- 1,251
Couldn't agree more.
till date I'm still using ERP and it's works wonders in Lockdown.
Try to Keep it simple.
- Jul 3, 2015
- 8,153
ReHIPS can be used as an anti-exe, if you just delete the rules for the isolated programs. And what's more, the limitations of the demo version will not apply. I tried it, it works great.
- Mar 13, 2016
- 1,298
Avast and AVG are free and they both contain a behavioral blocker. In 2009 AVG bought Primary Response SafeConnect of Sana Security. At that time there were three stand alone behavioral blockers (Mamutu of EAM, ThreatFire of PC Tools now Symantec and PRSC of AVG now Avast).
Last edited:
- Mar 13, 2016
- 1,298
Guys Andreas has bigger plans than ERP. Process Permit ( Experimental Security Tools, PoCs, Skeletons | NoVirusThanks ) is directed to the corporate (B2B) market. In Layman terms: process permit has the engine of NVT ERP with the rules syntax of NVT ObjectBlcker. NVT OS Armor is the stand alone version to test the basic ruleset for Process Permit. OS Armor provides corporate buyers a tested set of Process Permit rules to start with.
Andreas won't get rich from the few security enthousiasts enjoying the benefits of NVT Exe Radar Pro, the Process Permit framework might be strong contender in the corporate EDR market (Endpoint intrusion detection and response). OS Armor builds his basic set of secure block rules. The optional rules probably will log but won't blog. With a central monitor an organisation could react to intrusion by deploying very granular rules to mitigate intrusions or attacks.
I think it is a smart move and wish him the best for 2018 . When Andreas manages to acquire a few corporate customers for Process Permit, security forum members can enjoy the further refinement and development of silent rules for OS Armor.
Andreas won't get rich from the few security enthousiasts enjoying the benefits of NVT Exe Radar Pro, the Process Permit framework might be strong contender in the corporate EDR market (Endpoint intrusion detection and response). OS Armor builds his basic set of secure block rules. The optional rules probably will log but won't blog. With a central monitor an organisation could react to intrusion by deploying very granular rules to mitigate intrusions or attacks.
I think it is a smart move and wish him the best for 2018 . When Andreas manages to acquire a few corporate customers for Process Permit, security forum members can enjoy the further refinement and development of silent rules for OS Armor.
Last edited:
- Jul 3, 2015
- 8,153
Dan from VoodooShield tested out OSA, he has good words to say about it, and he tried to produce FPs. This is what he came up with:
So far, the only FP's I have seen are:
Date/Time: 12/27/2017 1:44:53 PM
Process: [1924]C:\Program Files (x86)\Notepad++\notepad++.exe
Parent: [1772]C:\Windows\explorer.exe
Rule: BlockSuspiciousCmdlines
Rule Name: Block execution of suspicious command-line strings
Command Line: "C:\Program Files (x86)\Notepad++\notepad++.exe" "C:\Users\UserName\Desktop\New Text Document.bat"
Signer: Notepad++
Parent Signer: Microsoft Windows
Date/Time: 12/27/2017 1:44:59 PM
Process: [5696]C:\Windows\System32\notepad.exe
Parent: [1772]C:\Windows\explorer.exe
Rule: BlockSuspiciousCmdlines
Rule Name: Block execution of suspicious command-line strings
Command Line: "C:\Windows\System32\NOTEPAD.EXE" C:\Users\UserName\Desktop\New Text Document.bat
Signer:
Parent Signer: Microsoft Windows
Edit: BTW, the above FP's were a result of me right clicking on the file and choosing Edit / Edit with Notepad ++
So far, the only FP's I have seen are:
Date/Time: 12/27/2017 1:44:53 PM
Process: [1924]C:\Program Files (x86)\Notepad++\notepad++.exe
Parent: [1772]C:\Windows\explorer.exe
Rule: BlockSuspiciousCmdlines
Rule Name: Block execution of suspicious command-line strings
Command Line: "C:\Program Files (x86)\Notepad++\notepad++.exe" "C:\Users\UserName\Desktop\New Text Document.bat"
Signer: Notepad++
Parent Signer: Microsoft Windows
Date/Time: 12/27/2017 1:44:59 PM
Process: [5696]C:\Windows\System32\notepad.exe
Parent: [1772]C:\Windows\explorer.exe
Rule: BlockSuspiciousCmdlines
Rule Name: Block execution of suspicious command-line strings
Command Line: "C:\Windows\System32\NOTEPAD.EXE" C:\Users\UserName\Desktop\New Text Document.bat
Signer:
Parent Signer: Microsoft Windows
Edit: BTW, the above FP's were a result of me right clicking on the file and choosing Edit / Edit with Notepad ++
- Aug 2, 2014
- 368
Amusingly and honestly, I thought you were going to mention a bunch of "not well known" anti-exes other than those you mentioned. I already know those, in fact, I'm beta-testing Andreas' ERP lol
Hey, AppGuard doesn't count here, it's a SRP software.
So we are left with NVTERP, VS and Faronics AE. I don't see plenty of anti-exes here.
Similar threads
