NoVirusThanks OSArmor

shmu26

shmu26

Level 85
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Jul 3, 2015
8,153
Lockdown said:
NVT's freewares are what beginners should study. They're a perfect starting point to familiarize themselves with some of Windows' weaknesses and how to patch them.

Andreas' utilities cover all the general concepts that most anyone can wrap their head around.

There's no excuse. They're free. All it takes is effort.

The problem is that Average Joe super-beginners does not know such awesome places as MT exist where he\she can gain knowledge that just might save their bank account from being pillaged by a banking Trojan simply by using a freeware like NVT OSA.
Click to expand...
Well said.

NoVirusThanks said:
Very interesting comments, questions, opinions and feedbacks guys :)

Just as information, here are some more details and characteristics about OSArmor:

1) It doesn't use code injection, API hooking, etc (as @Opcode said) and due to this, it should be compatible with mostly any other security software.

2) It is based on "Process Permit" technology (an anti-exe\application whitelisting "skeleton" framework) that uses a powerful and stable kernel-driver:
Skeleton Framework for Application Whitelisting Software | NoVirusThanks

It is the same "skeleton" used for EXE Radar Pro v3 and v4, and supports XP to 10 (32 and 64-bit), FUS, LUA, etc.

3) It is aimed at adding an additional layer of protection, independently from the security software installed (it can help mitigate and block many different kind of threats).

4) A single rule, i.e "Block suspicious command-line strings" has 100+ smart internal rules that block not just one threat, but many known and unknown ones.

5) We believe that there may always be something that OSArmor can block or mitigate that the installed security software (free or paid) may not catch.

6) It can block not-needed system programs or functionalities that are commonly hijacked\exploited by malware (mitigating a malware attack).

7) It can block common ways used by malware to infect the PC, i.e via malicious documents (DOC, XLS, etc), exploit payloads, fileless attacks, VBS or JS scripts, USB autorun.inf, and so on.

8) As of now, it uses more than 500 internal smart rules that can mitigate and block malware attacks.



Yes we agree with this, OSArmor is built for any user, we started OSArmor with not-experienced users as targets in mind.

We are doing our best to handle all important and common FPs internally (the objective is to have 0 common FPs) :)

All reported FPs will be fixed in the next days.
Click to expand...
Thanks!:)
 
Last edited by a moderator:
  • Like
Reactions: vtqhtr413, Deleted Member 3a5v73x, AtlBo and 1 other person
AtlBo

AtlBo

Level 28
Verified
Top Poster
Content Creator
Well-known
Dec 29, 2014
1,711
Brainstorming some this AM. @NoVirusThanks (Andreas), have you considered making this a companion of your updated NTV ERP? What I am considering is the possiblity of using the OSArmor component and its rules to wipe out the need for discovery of "clean" Windows system protected processes in ERP. This would mean that ERP users wouldn't need to simply allow all Windows processes. They could without the extra effort use a customized version of Windows processes that should be allowed by default. For sure some of them should be imo monitored by command-line usage, i.e. runonce. There is more, too, as all the rules of OSArmor could be incorporated for monitoring types of files and the others too.

I am beginning to develop a desire to come up with a list of common Windows based command lines/wildcard command lines for ERP, so that settings and rules can be transferred onto a new PC easily with NVT ERP running. After going over the list of Windows allowed that were added in the first hour or so I used NVT ERP on this PC, I noticed some of these processes that I would prefer to allow via the command line option, so I removed them from the allowed list. These made it into the list while I was running ERP with "Allow Microsoft Windows system protected processes" checked (I believe that is the default on installation?).

IDK and o/c you know these products far better than I. However, I could see both these apps in one without any overlap, using a single GUI. I am envisioning side by side dialogs, one for applications (ERP) and one for the OS (OSArmor).

Maybe you could even come up with a nice way in NVT OSArmor of monitoring Runonce and other startups without the risk that the Windows process might be unknowingly auto allowed by a user as with NVT ERP. This is sort of a well trained HIPS module that is smart enough imo to be thought of as behavior blocker. Another good thing to monitor would be running tasks. If a task wants to start, using OSArmor alert, user can block the task once or for each attempt (maybe even disable the task LOL, although I think I am seeing possible UAC development challenges for standard user account users :rolleyes:). There is always monitoring of changes to drivers too and I suppose others.
 
  • Like
Reactions: Andytay70, tonibalas, Cats-4_Owners-2 and 6 others
F

ForgottenSeer 58943

I hasten to want OSA turned into 'something more'.

It is what it is, and it's good at what it is good at.. Like the old days with QwikFix and Geek Superhero, they never tried to be anything more than they were. Sure they were eventually bought out and integrated with other products or went legacy. But while they were around they did what they did very well. All the while people like MalwareBytes were trying to morph what they had with 1.75 into something more with each revision after revision missing the point of what they had.

Just my opinion on that.
 
  • Like
Reactions: Cats-4_Owners-2, Sunshine-boy, Deleted Member 3a5v73x and 2 others
F

ForgottenSeer 58943

Antimalware18 said:
I would like to see OS Armor tweaked and have rules added to where it could be considered a full fledged Behavior Blocker (for free)
The only reason I use Voodooshield is because there are no free ones left.

I prefer a AV+BB combo over a AV+Anti-exe combo honestly.
Click to expand...

100% agreement from me there. I think a BB type product would be much more valuable. There are plenty of good working anti-exe's out there.
 
  • Like
Reactions: Cats-4_Owners-2, vtqhtr413, Deleted Member 3a5v73x and 1 other person
CMLew

CMLew

Level 23
Verified
Well-known
Oct 30, 2015
1,251
Umbra said:
ERP should stay just an anti-exe, many softs try to be more than what they should be and failed at it by introducing more complexity and bugs.
Click to expand...

Couldn't agree more.
till date I'm still using ERP and it's works wonders in Lockdown.

Try to Keep it simple.
 
  • Like
Reactions: Cats-4_Owners-2
Windows_Security

Windows_Security

Level 24
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Mar 13, 2016
1,298
Antimalware18 said:
I would like to see OS Armor tweaked and have rules added to where it could be considered a full fledged Behavior Blocker (for free)
The only reason I use Voodooshield is because there are no free ones left.

I prefer a AV+BB combo over a AV+Anti-exe combo honestly.
Click to expand...

Avast and AVG are free and they both contain a behavioral blocker. In 2009 AVG bought Primary Response SafeConnect of Sana Security. At that time there were three stand alone behavioral blockers (Mamutu of EAM, ThreatFire of PC Tools now Symantec and PRSC of AVG now Avast).
 
Last edited:
  • Like
Reactions: Cats-4_Owners-2, ZeroDay, AtlBo and 3 others
Windows_Security

Windows_Security

Level 24
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Mar 13, 2016
1,298
Guys Andreas has bigger plans than ERP. Process Permit ( Experimental Security Tools, PoCs, Skeletons | NoVirusThanks ) is directed to the corporate (B2B) market. In Layman terms: process permit has the engine of NVT ERP with the rules syntax of NVT ObjectBlcker. NVT OS Armor is the stand alone version to test the basic ruleset for Process Permit. OS Armor provides corporate buyers a tested set of Process Permit rules to start with.

Andreas won't get rich from the few security enthousiasts enjoying the benefits of NVT Exe Radar Pro, the Process Permit framework might be strong contender in the corporate EDR market (Endpoint intrusion detection and response). OS Armor builds his basic set of secure block rules. The optional rules probably will log but won't blog. With a central monitor an organisation could react to intrusion by deploying very granular rules to mitigate intrusions or attacks.

I think it is a smart move and wish him the best for 2018 . When Andreas manages to acquire a few corporate customers for Process Permit, security forum members can enjoy the further refinement and development of silent rules for OS Armor. :)
 
Last edited:
  • Like
Reactions: Cats-4_Owners-2, ZeroDay, Deleted Member 3a5v73x and 4 others
shmu26

shmu26

Level 85
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Jul 3, 2015
8,153
Dan from VoodooShield tested out OSA, he has good words to say about it, and he tried to produce FPs. This is what he came up with:

So far, the only FP's I have seen are:

Date/Time: 12/27/2017 1:44:53 PM
Process: [1924]C:\Program Files (x86)\Notepad++\notepad++.exe
Parent: [1772]C:\Windows\explorer.exe
Rule: BlockSuspiciousCmdlines
Rule Name: Block execution of suspicious command-line strings
Command Line: "C:\Program Files (x86)\Notepad++\notepad++.exe" "C:\Users\UserName\Desktop\New Text Document.bat"
Signer: Notepad++
Parent Signer: Microsoft Windows

Date/Time: 12/27/2017 1:44:59 PM
Process: [5696]C:\Windows\System32\notepad.exe
Parent: [1772]C:\Windows\explorer.exe
Rule: BlockSuspiciousCmdlines
Rule Name: Block execution of suspicious command-line strings
Command Line: "C:\Windows\System32\NOTEPAD.EXE" C:\Users\UserName\Desktop\New Text Document.bat
Signer:
Parent Signer: Microsoft Windows

Edit: BTW, the above FP's were a result of me right clicking on the file and choosing Edit / Edit with Notepad ++
 
  • Like
Reactions: tonibalas, Cats-4_Owners-2, ZeroDay and 9 others
Mr.X

Mr.X

Level 8
Verified
Well-known
Aug 2, 2014
368
ForgottenSeer 58943 said:
100% agreement from me there. I think a BB type product would be much more valuable. There are plenty of good working anti-exe's out there.
Click to expand...
ForgottenSeer 58943 said:
NoVirusThanks EXE Pro Radar, VoodooShield, AppGuard, Faronics Anti-Executable.
Click to expand...
Amusingly and honestly, I thought you were going to mention a bunch of "not well known" anti-exes other than those you mentioned. I already know those, in fact, I'm beta-testing Andreas' ERP lol

Hey, AppGuard doesn't count here, it's a SRP software.

So we are left with NVTERP, VS and Faronics AE. I don't see plenty of anti-exes here.:)
 
  • Like
Reactions: HarborFront, Cats-4_Owners-2, Deleted Member 3a5v73x and 1 other person

Similar threads

Brownie2019
    • Like
On Sale! Avast Premium Security 2024 [10-D, 2-YR] 29.99 €
Replies
0
Views
141
Discounts and Deals
Brownie2019
Brownie2019
Brownie2019
    • Like
On Sale! Avast Premium Security 2024 [10-D, 1-YR] 19.99 €
Replies
0
Views
230
Discounts and Deals
Brownie2019
Brownie2019
Shadowra
    • +Reputation
    • Like
Malware News StopCrypt: Most widely distributed ransomware evolves to evade detection
Replies
3
Views
1,014
Security News
Victor M
Victor M

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

Quick Navigation

Forum Rules Warning System Welcome Guide Two-factor Authentication

User Menu

Login

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top