shmu26

Level 85
Verified
Trusted
Content Creator
I am still seeing blocks from HP printer software:

Date/Time: 12/31/2017 9:02:38 AM
Process: [3608]C:\Windows\SysWOW64\mshta.exe
Parent: [14256]C:\Program Files\HP\HP Officejet Pro 6830\Bin\HP Officejet Pro 6830.exe
Rule: BlockHtaScripts
Rule Name: Block execution of .hta scripts
Command Line: "C:\Windows\SysWOW64\mshta.exe" "C:\Program Files\HP\HP Officejet Pro 6830\Bin\HPSPProgress.hta" -lang_id="1033"
Signer:
Parent Signer: Hewlett Packard

Date/Time: 12/31/2017 9:03:07 AM
Process: [764]C:\Windows\SysWOW64\mshta.exe
Parent: [14256]C:\Program Files\HP\HP Officejet Pro 6830\Bin\HP Officejet Pro 6830.exe
Rule: BlockHtaScripts
Rule Name: Block execution of .hta scripts
Command Line: "C:\Windows\SysWOW64\mshta.exe" "C:\Program Files\HP\HP Officejet Pro 6830\Bin\HPSolutionsPortal.hta" -data_folder="C:\ProgramData\HP\HP Officejet Pro 6830\HPUDC\HP Officejet Pro 6830 (Network)\"
Signer:
Parent Signer: Hewlett Packard
Also these:

Date/Time: 12/31/2017 12:06:10 PM
Process: [12696]C:\Windows\SysWOW64\cmd.exe
Parent: [6472]C:\Windows\SysWOW64\mshta.exe
Rule: BlockProcessesFromMshta
Rule Name: Block any process executed from mshta.exe
Command Line: "C:\Windows\System32\cmd.exe" /C "copy /Y "C:\ProgramData\HP\HP Officejet Pro 6830\HPUDC\HP Officejet Pro 6830 (Network)\UDC_device.json" "C:\ProgramData\HP\HP Officejet Pro 6830\HPUDC\HP Officejet Pro 6830 (Network)\UDC_device_2.json" "
Signer:
Parent Signer:

Date/Time: 12/31/2017 12:06:10 PM
Process: [108]C:\Windows\SysWOW64\cmd.exe
Parent: [6472]C:\Windows\SysWOW64\mshta.exe
Rule: BlockProcessesFromMshta
Rule Name: Block any process executed from mshta.exe
Command Line: "C:\Windows\System32\cmd.exe" /C "del /Q /F "C:\ProgramData\HP\HP Officejet Pro 6830\HPUDC\HP Officejet Pro 6830 (Network)\UDC_device.json""
Signer:
Parent Signer:
 

tiktoshi

Level 4
How Exclusions Work


Code:
Date/Time: 12/31/2017 11:30:15 AM
Process: [6304]C:\Windows\System32\cmd.exe
Parent: [1436]C:\Windows\explorer.exe
Rule: BlockCmdScripts
Rule Name: Block execution of .cmd scripts
Command Line: cmd /c ""C:\GPG\b310 usbloader\hh.cmd" "
Signer:
Parent Signer:
 

bjm_

Level 7
Verified
Edit
The post was edited several times because of the complex interactions between Sandboxie and OSArmor. I thought that OSArmor could be triggered first and Sandboxie second, because OSArmor blocked execution of payload.exe in the sandbox so quickly that the sandboxing was not visible. I realized that this could be a problem and changed the Sandboxie settings to block payload.exe, and then everything was finally clear to me.
...are you reporting that OSA communicates in Sandboxie sandboxes?
 
D

Deleted member 65228

...are you reporting that OSA communicates in Sandboxie sandboxes?
When Sandboxie "sandboxes" a process, the process is still on the Host environment. Sandboxie doesn't use virtualisation via the hypervisor, which uses processor-embedded technology such as Intel VT-x or AMD SVM. Therefore, the activities made by a program isolated by Sandboxie still pass through the Host environment's Windows Kernel. Due to this, when a program is isolated by Sandboxie, the Host environment receives the process creation notifications, as they still pass through the Windows Kernel of the Host environment. The callbacks are dished out in an order where one callback routine registered by driver X will receive it at a time, as far as I am aware, and thus NoVirusThanks OSArmor still becomes aware of when a program is started up regardless of whether it's going into the Sandboxie container or not.

Sandboxie pretty much starts up a process under a different user account, injects a DLL into it which hooks a huge number of APIs (user-mode run-time byte patching, to be precise) and relies on kernel-mode callbacks to redirect activities from kernel mode and not only from user mode, which makes it a bit more secure than if it relied entirely on user-mode patching for interception and redirection.
 

NoVirusThanks

From NoVirusThanks
Verified
Developer
Here is a new v1.4 (pre-release) (test6):
http://downloads.novirusthanks.org/files/osarmor_setup_1.4_test6.exe

*** Please do not share the download link, we will delete it when we'll release the official v1.4 ***

So far this is what's new compared to the previous pre-release:

+ Prevent PowerShell from using Invoke-Expression via cmdline (unchecked by default)
+ Prevent wscript.exe from changing script engine via //E:
+ Prevent cscript.exe from changing script engine via //E:
+ Fixed all reported false positives
+ Added more than 100 internal rules
+ Minor fixes and optimizations

This pre-release version can be installed over the top of the previous one.

Please let me know if you find new FPs.

@tiktoshi

Try with this exclusion rule:

Code:
[%PROCESS%: C:\Windows\System32\cmd.exe] [%PARENTPROCESS%: C:\Windows\explorer.exe] [%PROCESSCMDLINE%: cmd /c ""C:\GPG\b310 usbloader\hh.cmd" "]
@shmu26

The FPs about the HP printer should be fixed now, please confirm.

@Stas

Great!
 
Last edited:

shmu26

Level 85
Verified
Trusted
Content Creator
Here is a new v1.4 (pre-release) (test6):
[..]
Yes, you fixed the FPs from HP printer software. Thanks!
 

bjm_

Level 7
Verified
[..] and thus NoVirusThanks OSArmor still becomes aware of when a program is started up regardless of whether it's going into the Sandboxie container or not.

Sandboxie pretty much starts up a process under a different user account, injects a DLL into it which hooks a huge number of APIs (user-mode run-time byte patching, to be precise) and relies on kernel-mode callbacks to redirect activities from kernel mode and not only from user mode, which makes it a bit more secure than if it relied entirely on user-mode patching for interception and redirection.
Okay, since Sandbox Settings has a Full Access template for ERP, I was wondering about OSA communication. Thanks.
 
Last edited:

CMLew

Level 23
Verified
Installed OSArmor awhile ago.
When I turn on Windscribe Pro, one process is blocked. I tried a few times and the same thing happens.
Details below:

Date/Time: 12/31/2017 11:10:26 PM
Process: [5232]C:\Windows\System32\conhost.exe
Parent: [13124]C:\Windows\System32\wbem\WMIC.exe
Rule: BlockProcessesFromWMIC
Rule Name: Block any process executed from wmic.exe
Command Line: \??\C:\WINDOWS\system32\conhost.exe 0x4
Signer:
Parent Signer:

Any advice?
 

CMLew

Level 23
Verified

shmu26

Level 85
Verified
Trusted
Content Creator
Thanks @NoVirusThanks !
I tried the v1.4 and now no more issue.

My previous one was from the main NVT web page, where I got the installer. I guess it was the stable one, but not updated?
The downloads posted here are temporary, experimental builds, leading toward the next version. They do fix a lot of problems, but they have not been tested extensively.
 

tiktoshi

Level 4
Thank you so much.
Another request:


How Exclusions Work

Code:
Date/Time: 12/31/2017 7:21:04 PM
Process: [7284]C:\Windows\System32\wscript.exe
Parent: [7644]C:\Windows\explorer.exe
Rule: BlockVbsScripts
Rule Name: Block execution of .vbs scripts
Command Line: "C:\Windows\System32\WScript.exe" "C:\Windows\SysWOW64\slmgr.vbs"
 
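A worked example of the exclusion format NoVirusThanks gave for the hh.cmd block, applied to the block reports posted in this thread (shmu26's HP entries are of the same shape; tiktoshi's hh.cmd and slmgr.vbs entries and CMLew's conhost.exe entry are used as sample input). This is an added Python example, not OSArmor's own code and not something posted in the thread: the report layout and the [%PROCESS%: ...] [%PARENTPROCESS%: ...] [%PROCESSCMDLINE%: ...] rule format are copied from the posts above, while the matching semantics (each listed field compared whole, case-insensitively, without wildcards) are an assumption made here, and the sample reports are reconstructed from the thread.

```python
"""Parse OSArmor block reports and build/test exclusion rules (added example).

The report layout and the [%PROCESS%: ...] [%PARENTPROCESS%: ...]
[%PROCESSCMDLINE%: ...] exclusion format come from the thread. That OSArmor
compares the listed fields whole and case-insensitively is an ASSUMPTION.
"""
import re
from dataclasses import dataclass

LINE_RE = re.compile(r"^(?P<key>[A-Za-z/ ]+?):\s?(?P<value>.*)$")
PID_RE = re.compile(r"^\[(?P<pid>\d+)\](?P<path>.*)$")          # "[6304]C:\..."
RULE_RE = re.compile(r"\[(%[A-Z]+%):\s(.*?)\](?=\s*\[|\s*$)")    # one [%TAG%: value]
FIELDS = {"%PROCESS%": "process", "%PARENTPROCESS%": "parent",
          "%PROCESSCMDLINE%": "cmdline"}
KEYS = {"Date/Time": "timestamp", "Process": "process", "Parent": "parent",
        "Rule": "rule", "Rule Name": "rule_name", "Command Line": "cmdline",
        "Signer": "signer", "Parent Signer": "parent_signer"}

# The exclusion exactly as posted by NoVirusThanks for tiktoshi's hh.cmd block.
NVT_HH_CMD_RULE = r'[%PROCESS%: C:\Windows\System32\cmd.exe] [%PARENTPROCESS%: C:\Windows\explorer.exe] [%PROCESSCMDLINE%: cmd /c ""C:\GPG\b310 usbloader\hh.cmd" "]'

# Constructed sample input, reconstructed from the reports quoted in the thread.
SAMPLE_REPORTS = r"""
Date/Time: 12/31/2017 11:30:15 AM
Process: [6304]C:\Windows\System32\cmd.exe
Parent: [1436]C:\Windows\explorer.exe
Rule: BlockCmdScripts
Rule Name: Block execution of .cmd scripts
Command Line: cmd /c ""C:\GPG\b310 usbloader\hh.cmd" "
Signer:
Parent Signer:

Date/Time: 12/31/2017 7:21:04 PM
Process: [7284]C:\Windows\System32\wscript.exe
Parent: [7644]C:\Windows\explorer.exe
Rule: BlockVbsScripts
Rule Name: Block execution of .vbs scripts
Command Line: "C:\Windows\System32\WScript.exe" "C:\Windows\SysWOW64\slmgr.vbs"

Date/Time: 12/31/2017 11:10:26 PM
Process: [5232]C:\Windows\System32\conhost.exe
Parent: [13124]C:\Windows\System32\wbem\WMIC.exe
Rule: BlockProcessesFromWMIC
Rule Name: Block any process executed from wmic.exe
Command Line: \??\C:\WINDOWS\system32\conhost.exe 0x4
Signer:
Parent Signer:
"""


@dataclass(frozen=True)
class BlockEvent:
    timestamp: str = ""
    process: str = ""        # image path with the "[pid]" prefix removed
    parent: str = ""
    rule: str = ""
    rule_name: str = ""
    cmdline: str = ""
    signer: str = ""
    parent_signer: str = ""


def parse_reports(text):
    """Split pasted reports on blank lines; unknown lines (forum chatter) are skipped."""
    events, fields = [], {}
    for line in text.splitlines() + [""]:
        if not line.strip():
            if fields:
                events.append(BlockEvent(**fields))
                fields = {}
            continue
        m = LINE_RE.match(line.rstrip("\r"))
        if not m or m.group("key") not in KEYS:
            continue
        attr, value = KEYS[m.group("key")], m.group("value")
        if attr in ("process", "parent"):
            pid = PID_RE.match(value)
            value = pid.group("path") if pid else value
        fields[attr] = value
    return events


def build_exclusion(event):
    """Emit an exclusion in the format NoVirusThanks posted, as narrow as the report."""
    return (f"[%PROCESS%: {event.process}] [%PARENTPROCESS%: {event.parent}] "
            f"[%PROCESSCMDLINE%: {event.cmdline}]")


def parse_exclusion(rule):
    return {FIELDS[tag]: val for tag, val in RULE_RE.findall(rule) if tag in FIELDS}


def is_excluded(event, rule):
    """ASSUMPTION: every field named in the rule must equal the event's, ignoring case."""
    wanted = parse_exclusion(rule)
    return bool(wanted) and all(getattr(event, a).lower() == v.lower()
                                for a, v in wanted.items())


def unexcluded(events, rules):
    """Reports that would still be blocked after applying the given exclusions."""
    return [e for e in events if not any(is_excluded(e, r) for r in rules)]


if __name__ == "__main__":
    evs = parse_reports(SAMPLE_REPORTS)
    rules = [NVT_HH_CMD_RULE, build_exclusion(evs[1])]   # add one for slmgr.vbs
    for e in unexcluded(evs, rules):
        print(f"still blocked by {e.rule}: {e.parent} -> {e.cmdline}")
```

Note how narrow a generated exclusion is: it carries the full command line, so renaming hh.cmd or pointing it at another script stops the exclusion from matching, which is the point of excluding one exact cmd.exe-under-explorer.exe invocation rather than cmd.exe itself. With only the two rules above, CMLew's conhost.exe-under-WMIC.exe report stays blocked until its own exclusion (or a fix in a later build) covers it.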

bjm_

Level 7
Verified
No. I only reported that OSArmor can block an application after that application is sandboxed by Sandboxie. That is not the same as communicating with an application.
Ahh!... maybe that helps explain the ERP Full Access template.... *\mailslot\NVTInj\*.
Admittedly, I do not fully understand the difference (communicating with an application).
 
Last edited:

l0rdraiden

Level 2
Here is a new v1.4 (pre-release) (test6):
[..]
What are all those internal rules you added?
 