NoVirusThanks OSArmor

shmu26

Level 85
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Jul 3, 2015
8,153
I am still seeing blocks from HP printer software:

Date/Time: 12/31/2017 9:02:38 AM
Process: [3608]C:\Windows\SysWOW64\mshta.exe
Parent: [14256]C:\Program Files\HP\HP Officejet Pro 6830\Bin\HP Officejet Pro 6830.exe
Rule: BlockHtaScripts
Rule Name: Block execution of .hta scripts
Command Line: "C:\Windows\SysWOW64\mshta.exe" "C:\Program Files\HP\HP Officejet Pro 6830\Bin\HPSPProgress.hta" -lang_id="1033"
Signer:
Parent Signer: Hewlett Packard

Date/Time: 12/31/2017 9:03:07 AM
Process: [764]C:\Windows\SysWOW64\mshta.exe
Parent: [14256]C:\Program Files\HP\HP Officejet Pro 6830\Bin\HP Officejet Pro 6830.exe
Rule: BlockHtaScripts
Rule Name: Block execution of .hta scripts
Command Line: "C:\Windows\SysWOW64\mshta.exe" "C:\Program Files\HP\HP Officejet Pro 6830\Bin\HPSolutionsPortal.hta" -data_folder="C:\ProgramData\HP\HP Officejet Pro 6830\HPUDC\HP Officejet Pro 6830 (Network)\"
Signer:
Parent Signer: Hewlett Packard
Also these:

Date/Time: 12/31/2017 12:06:10 PM
Process: [12696]C:\Windows\SysWOW64\cmd.exe
Parent: [6472]C:\Windows\SysWOW64\mshta.exe
Rule: BlockProcessesFromMshta
Rule Name: Block any process executed from mshta.exe
Command Line: "C:\Windows\System32\cmd.exe" /C "copy /Y "C:\ProgramData\HP\HP Officejet Pro 6830\HPUDC\HP Officejet Pro 6830 (Network)\UDC_device.json" "C:\ProgramData\HP\HP Officejet Pro 6830\HPUDC\HP Officejet Pro 6830 (Network)\UDC_device_2.json" "
Signer:
Parent Signer:

Date/Time: 12/31/2017 12:06:10 PM
Process: [108]C:\Windows\SysWOW64\cmd.exe
Parent: [6472]C:\Windows\SysWOW64\mshta.exe
Rule: BlockProcessesFromMshta
Rule Name: Block any process executed from mshta.exe
Command Line: "C:\Windows\System32\cmd.exe" /C "del /Q /F "C:\ProgramData\HP\HP Officejet Pro 6830\HPUDC\HP Officejet Pro 6830 (Network)\UDC_device.json""
Signer:
Parent Signer:

tiktoshi

Level 5
Verified
Jan 19, 2015
205
How Exclusions Work


Code:
Date/Time: 12/31/2017 11:30:15 AM
Process: [6304]C:\Windows\System32\cmd.exe
Parent: [1436]C:\Windows\explorer.exe
Rule: BlockCmdScripts
Rule Name: Block execution of .cmd scripts
Command Line: cmd /c ""C:\GPG\b310 usbloader\hh.cmd" "
Signer:
Parent Signer:

bjm_

Level 15
Verified
Top Poster
Well-known
May 17, 2015
705
Edit
The post was edited several times because of the complex interactions between Sandboxie and OSArmor. I thought that OSArmor was triggered first and Sandboxie second, because OSArmor blocked execution of payload.exe in the sandbox so quickly that the sandboxing was not visible. I realized that this could be a problem and changed the Sandboxie settings to block payload.exe, and then everything was finally clear to me.
...are you reporting that OSA communicates in Sandboxie sandboxes?

Deleted member 65228

...are you reporting that OSA communicates in Sandboxie sandboxes?
When Sandboxie "sandboxes" a process, the process is still on the Host environment. Sandboxie doesn't use virtualisation via the hypervisor, which uses processor-embedded technology such as Intel VT-x or AMD SVM. Therefore, the activities made by a program isolated by Sandboxie still pass through the Host environment's Windows Kernel. Due to this, when a program is isolated by Sandboxie, the Host environment receives the process creation notifications, as they still pass through the Windows Kernel of the Host environment. The callbacks are dished out in an order where one callback routine registered by driver X will receive it at a time, as far as I am aware, and thus NoVirusThanks OSArmor still becomes aware of when a program is started up regardless of whether it's going into the Sandboxie container or not.

Sandboxie pretty much starts up a process under a different user account, injects a DLL into it which hooks a huge amount of APIs (user-mode run-time byte patching, to be precise), and relies on kernel-mode callbacks to redirect activities from kernel-mode and not only from user-mode, which makes it a bit more secure than if it relied entirely on user-mode patching for interception and redirection.

NoVirusThanks

From NoVirusThanks
Verified
Developer
Well-known
Aug 23, 2012
293
Here is a new v1.4 (pre-release) (test6):
http://downloads.novirusthanks.org/files/osarmor_setup_1.4_test6.exe

*** Please do not share the download link, we will delete it when we'll release the official v1.4 ***

So far this is what's new compared to the previous pre-release:

+ Prevent PowerShell from using Invoke-Expression via cmdline (unchecked by default)
+ Prevent wscript.exe from changing script engine via //E:
+ Prevent cscript.exe from changing script engine via //E:
+ Fixed all reported false positives
+ Added more than 100 internal rules
+ Minor fixes and optimizations

This pre-release version can be installed over the top of the previous one.

Please let me know if you find new FPs.

@tiktoshi

Try with this exclusion rule:

Code:
[%PROCESS%: C:\Windows\System32\cmd.exe] [%PARENTPROCESS%: C:\Windows\explorer.exe] [%PROCESSCMDLINE%: cmd /c ""C:\GPG\b310 usbloader\hh.cmd" "]

@shmu26

The FPs about the HP printer should be fixed now, please confirm.

@Stas

Great!

shmu26

Level 85
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Jul 3, 2015
8,153
[..] @shmu26

The FPs about the HP printer should be fixed now, please confirm. [..]
Yes, you fixed the FPs from HP printer software. Thanks!

bjm_

Level 15
Verified
Top Poster
Well-known
May 17, 2015
705
[..] and thus NoVirusThanks OSArmor still becomes aware of when a program is started up regardless of whether it's going into the Sandboxie container or not.

Sandboxie pretty much starts up a process under a different user account, injects a DLL into it which hooks a huge amount of APIs (user-mode run-time byte patching, to be precise), and relies on kernel-mode callbacks to redirect activities from kernel-mode and not only from user-mode, which makes it a bit more secure than if it relied entirely on user-mode patching for interception and redirection.
Okay. Since Sandbox Settings has a Full Access template for ERP, I was wondering about OSA communication. Thanks.

CMLew

Level 23
Verified
Well-known
Oct 30, 2015
1,251
Installed OSArmor a while ago.
When I turn on Windscribe Pro, one process is blocked. I tried a few times and the same thing happens.
Details below:

Date/Time: 12/31/2017 11:10:26 PM
Process: [5232]C:\Windows\System32\conhost.exe
Parent: [13124]C:\Windows\System32\wbem\WMIC.exe
Rule: BlockProcessesFromWMIC
Rule Name: Block any process executed from wmic.exe
Command Line: \??\C:\WINDOWS\system32\conhost.exe 0x4
Signer:
Parent Signer:

Any advice?


shmu26

Level 85
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Jul 3, 2015
8,153
Thanks @NoVirusThanks !
I tried the v1.4 and now no more issue.

My previous one was from the main NVT webpage, where I got the installer. I guess it was the stable one but not updated?
The downloads posted here are temporary, experimental builds, leading toward the next version. They do fix a lot of problems, but they have not been tested extensively.

tiktoshi

Level 5
Verified
Jan 19, 2015
205
Thank you so much.
Another request:


How Exclusions Work

Code:
Date/Time: 12/31/2017 7:21:04 PM
Process: [7284]C:\Windows\System32\wscript.exe
Parent: [7644]C:\Windows\explorer.exe
Rule: BlockVbsScripts
Rule Name: Block execution of .vbs scripts
Command Line: "C:\Windows\System32\WScript.exe" "C:\Windows\SysWOW64\slmgr.vbs"

bjm_

Level 15
Verified
Top Poster
Well-known
May 17, 2015
705
No. I only reported that OSArmor can block an application after that application is sandboxed by Sandboxie. That is not the same as communicating with an application.
Ahh! Maybe that helps explain the ERP Full Access template: *\mailslot\NVTInj\*.
Admittedly, I do not fully understand the difference (communicating with an application).

l0rdraiden

Level 3
Verified
Jul 28, 2017
117
[..] + Added more than 100 internal rules [..]
What are all those internal rules you add?

tiktoshi

Level 5
Verified
Jan 19, 2015
205
@tiktoshi

Try with this exclusion rule:

Code:
[%PROCESS%: C:\Windows\System32\wscript.exe] [%PARENTPROCESS%: C:\Windows\explorer.exe] [%PROCESSCMDLINE%: "C:\Windows\System32\WScript.exe" "C:\Windows\SysWOW64\slmgr.vbs" ]

Did not work.
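Added example, not OSArmor's own code and not from anyone in this thread: a small Python helper that parses block-log entries in the format the posts above use, generates an exclusion rule in the `[%PROCESS%: ...] [%PARENTPROCESS%: ...] [%PROCESSCMDLINE%: ...]` form NoVirusThanks posted, and checks a rule against an entry. It assumes a plain string comparison per field (OSArmor's real matching semantics are not documented here), which is enough to show that a rule whose command line differs from the logged one only by a trailing space, as in the wscript.exe rule above, fails an exact compare; that is one thing to check when a rule "did not work".

```python
import re
# Constructed sample in the block-log format OSArmor prints in this thread (two entries from the posts above).
SAMPLE_LOG = r"""
Date/Time: 12/31/2017 11:30:15 AM
Process: [6304]C:\Windows\System32\cmd.exe
Parent: [1436]C:\Windows\explorer.exe
Rule: BlockCmdScripts
Rule Name: Block execution of .cmd scripts
Command Line: cmd /c ""C:\GPG\b310 usbloader\hh.cmd" "
Signer:

Date/Time: 12/31/2017 7:21:04 PM
Process: [7284]C:\Windows\System32\wscript.exe
Parent: [7644]C:\Windows\explorer.exe
Rule: BlockVbsScripts
Rule Name: Block execution of .vbs scripts
Command Line: "C:\Windows\System32\WScript.exe" "C:\Windows\SysWOW64\slmgr.vbs"
"""
# The two exclusion rules exactly as they were posted in the thread.
RULE_CMD = r'[%PROCESS%: C:\Windows\System32\cmd.exe] [%PARENTPROCESS%: C:\Windows\explorer.exe] [%PROCESSCMDLINE%: cmd /c ""C:\GPG\b310 usbloader\hh.cmd" "]'
RULE_WSCRIPT = r'[%PROCESS%: C:\Windows\System32\wscript.exe] [%PARENTPROCESS%: C:\Windows\explorer.exe] [%PROCESSCMDLINE%: "C:\Windows\System32\WScript.exe" "C:\Windows\SysWOW64\slmgr.vbs" ]'
FIELDS = {"PROCESS": "Process", "PARENTPROCESS": "Parent", "PROCESSCMDLINE": "Command Line"}  # rule token -> log field


def parse_entries(text):
    """Split a block log into one dict per entry; the [pid] prefix is dropped from Process/Parent."""
    entries = []
    for chunk in re.split(r"\n\s*\n", text.strip()):
        entry = {}
        for line in chunk.splitlines():
            key, _, value = line.partition(":")  # first colon only: times and paths contain colons too
            value = value.strip()
            if key in ("Process", "Parent"):
                value = re.sub(r"^\[\d+\]", "", value)
            entry[key.strip()] = value
        entries.append(entry)
    return entries


def exclusion_rule(entry):
    """Build a rule in the thread's [%TOKEN%: value] format from one blocked entry."""
    return " ".join(f"[%{tok}%: {entry.get(field, '')}]" for tok, field in FIELDS.items())


def parse_rule(rule):
    """Return {token: value}; a value runs up to the ']' that precedes the next token or the end."""
    return {m.group(1): m.group(2) for m in re.finditer(r"\[%([A-Z]+)%:\s?(.*?)\](?=\s*(?:\[%|$))", rule)}


def rule_matches(rule, entry, exact=True):
    """True when every token in the rule equals the entry's field; exact=False also ignores case and
    surrounding/repeated whitespace (an assumption; OSArmor's real comparison is not documented here)."""
    norm = (lambda s: s) if exact else (lambda s: " ".join(s.split()).lower())
    return all(norm(value) == norm(entry.get(FIELDS.get(tok, ""), "")) for tok, value in parse_rule(rule).items())
```

Running `exclusion_rule` over a block entry reproduces the cmd.exe rule from the thread character for character, while the posted wscript.exe rule only matches its entry under the whitespace-insensitive comparison.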
