NoVirusThanks OSArmor

NoVirusThanks

From NoVirusThanks
Verified
Developer
Well-known
Aug 23, 2012
293
@tiktoshi

Can you try one of these new exclusions:

Code:
[%PROCESS%: C:\Windows\System32\wscript.exe] [%PARENTPROCESS%: C:\Windows\explorer.exe] [%PROCESSCMDLINE%: "C:\Windows\System32\WScript.exe" "C:\Windows\SysWOW64\slmgr.vbs"]

Code:
[%PROCESS%: C:\Windows\System32\wscript.exe] [%PARENTPROCESS%: C:\Windows\explorer.exe] [%PROCESSCMDLINE%: "C:\Windows\System32\WScript.exe" "C:\Windows\SysWOW64\slmgr.vbs"?]

Code:
[%PROCESS%: C:\Windows\System32\wscript.exe] [%PARENTPROCESS%: C:\Windows\explorer.exe] [%PROCESSCMDLINE%: "C:\Windows\System32\WScript.exe" "C:\Windows\SysWOW64\slmgr.vbs"*]

Let me know which one works.

Other problems can not retrieve settings

The "Reset to Default" button just unchecks the options that are unchecked by default.

I'll make sure it also checks all the other options.
 

shmu26

Level 85
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Jul 3, 2015
8,153
I only reported that OSArmor can block an application after that application is sandboxed by Sandboxie.
I think that is basically what people want, though. They want their malware to be both sandboxed and blocked. They don't want keyloggers living inside their browser's sandboxed environment, for instance.
 

NoVirusThanks

From NoVirusThanks
Verified
Developer
Well-known
Aug 23, 2012
293
Here is a new v1.4 (pre-release) (test7):
http://downloads.novirusthanks.org/files/osarmor_setup_1.4_test7.exe

*** Please do not share the download link, we will delete it when we release the official v1.4 ***

So far this is what's new compared to the previous pre-release:

+ Block execution of any process related to Radmin (unchecked by default)
+ Scroll the list of protections using the mouse wheel
+ Fixed button to reset protection options to the default values
+ Many improvements in the internal rules
+ Fixed all reported false positives

This pre-release version can be installed over the top of the previous one.

Please let me know if you find new FPs.

@tiktoshi

Other problems can not retrieve settings

It is fixed now (test7).

@l0rdraiden

What are all those internal rules you add?

Rules to identify bad process behaviors.
 

shmu26

Level 85
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Jul 3, 2015
8,153
I got a couple error messages from my logitech mouse (in addition to the appguard license issue that was reported on the other forum)

 
Deleted member 65228

@shmu26 0xC0000142 (NTSTATUS) is STATUS_DLL_INIT_FAILED. Probably interception was done via PsSetLoadImageNotifyRoutine/Ex for process start-up monitoring (once NTDLL.DLL load triggered the callback) and it was blocked, unless PsSetCreateProcessNotifyRoutine/Ex or FltRegisterFilter was used for blocking and specified that specific NTSTATUS error code when the operation was blocked. Disable all security software you have temporarily and slowly re-enable each one, one by one, to identify which specific one is causing the problem, of course assuming it is indeed related to security software on your machine.
 

NoVirusThanks

From NoVirusThanks
Verified
Developer
Well-known
Aug 23, 2012
293
Here is a new v1.4 (pre-release) (test8):
http://downloads.novirusthanks.org/files/osarmor_setup_1.4_test8.exe

*** Please do not share the download link, we will delete it when we release the official v1.4 ***

So far this is what's new compared to the previous pre-release:

+ Fixed an issue on test 7

This pre-release version can be installed over the top of the previous one.

@shmu26

Should work fine now, thanks for reporting the issue.
 

shmu26

Level 85
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Jul 3, 2015
8,153
@shmu26 0xC0000142 (NTSTATUS) is STATUS_DLL_INIT_FAILED. Probably interception was done via PsSetLoadImageNotifyRoutine/Ex for process start-up monitoring (once NTDLL.DLL load triggered the callback) and it was blocked, unless PsSetCreateProcessNotifyRoutine/Ex or FltRegisterFilter was used for blocking and specified that specific NTSTATUS error code when the operation was blocked. Disable all security software you have temporarily and slowly re-enable each one, one by one, to identify which specific one is causing the problem, of course assuming it is indeed related to security software on your machine.
Thanks, but the new OSA build fixed it. This issue arose immediately after installing test 7, and the folks over on the other forum were reporting lots of error messages from it, so it really was a no-brainer that OSA test 7 was the culprit.
 

l0rdraiden

Level 3
Verified
Jul 28, 2017
117
Here is a new v1.4 (pre-release) (test7):
http://downloads.novirusthanks.org/files/osarmor_setup_1.4_test7.exe

*** Please do not share the download link, we will delete it when we release the official v1.4 ***

So far this is what's new compared to the previous pre-release:

+ Block execution of any process related to Radmin (unchecked by default)
+ Scroll the list of protections using the mouse wheel
+ Fixed button to reset protection options to the default values
+ Many improvements in the internal rules
+ Fixed all reported false positives

This pre-release version can be installed over the top of the previous one.

Please let me know if you find new FPs.

@tiktoshi

It is fixed now (test7).

@l0rdraiden

Rules to identify bad process behaviors.

But those are not part of the list we can see.
How are the behaviour blocker detections presented to the users if there is no rule linked to them? Are the popups different?
 

NoVirusThanks

From NoVirusThanks
Verified
Developer
Well-known
Aug 23, 2012
293
But those are not part of the list we can see.

Basic anti-exploit protection
Block execution of suspicious processes
Block processes located in suspicious folders
Block suspicious Svchost.exe process behaviors
Block direct execution of JavaScript and VBscript code
Block command-lines that match shellcode-like patterns
Block execution of suspicious scripts
Block malformed PowerShell commands
And so on...

All these protection options (and many more) use a lot of internal rules.

For example, to identify a malformed PowerShell command we use 50+ internal rules (and we will add more).

All the internal rules that we add ("Added N+ internal rules") are associated with the protection options listed.
 

tiktoshi

Level 5
Verified
Jan 19, 2015
205
Here is a new v1.4 (pre-release) (test7):
http://downloads.novirusthanks.org/files/osarmor_setup_1.4_test7.exe

*** Please do not share the download link, we will delete it when we release the official v1.4 ***

So far this is what's new compared to the previous pre-release:

+ Block execution of any process related to Radmin (unchecked by default)
+ Scroll the list of protections using the mouse wheel
+ Fixed button to reset protection options to the default values
+ Many improvements in the internal rules
+ Fixed all reported false positives

This pre-release version can be installed over the top of the previous one.

Please let me know if you find new FPs.

@tiktoshi

It is fixed now (test7).

@l0rdraiden

Rules to identify bad process behaviors.

+ Fixed button to reset protection options to the default values

Problem solved
 

NoVirusThanks

From NoVirusThanks
Verified
Developer
Well-known
Aug 23, 2012
293
Here is a new v1.4 (pre-release) (test9):
http://downloads.novirusthanks.org/files/osarmor_setup_1.4_test9.exe

*** Please do not share the download link, we will delete it when we release the official v1.4 ***

So far this is what's new compared to the previous pre-release:

+ Fixed blocking of processes executed from mmc.exe
+ Minor fixes and optimizations

This pre-release version can be installed over the top of the previous one.
 

DavidLMO

Level 4
Verified
Dec 25, 2017
158
(maybe) a stupid question: can NVT OSArmor run alongside NVT EXE Radar Pro and MBAE? Thanks!

I have all 3 running on a Win 7 box and also HitmanPro.Alert (beta). After a few initial set up problems (over 2 weeks ago) everything has been stable since. Also running Malwarebytes with things unticked so I use it as a scanner.
 

shmu26

Level 85
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Jul 3, 2015
8,153
Here is a new v1.4 (pre-release) (test9):
http://downloads.novirusthanks.org/files/osarmor_setup_1.4_test9.exe

*** Please do not share the download link, we will delete it when we release the official v1.4 ***

So far this is what's new compared to the previous pre-release:

+ Fixed blocking of processes executed from mmc.exe
+ Minor fixes and optimizations

This pre-release version can be installed over the top of the previous one.

Some of the HP blocks came back:

Date/Time: 1/2/2018 7:04:00 PM
Process: [8476]C:\Windows\SysWOW64\mshta.exe
Parent: [8472]C:\Program Files\HP\HP Officejet Pro 6830\Bin\HP Officejet Pro 6830.exe
Rule: BlockHtaScripts
Rule Name: Block execution of .hta scripts
Command Line: "C:\WINDOWS\SysWOW64\mshta.exe" "C:\Program Files\HP\HP Officejet Pro 6830\Bin\HPSPProgress.hta" -lang_id="1033"
Signer:
Parent Signer: Hewlett Packard

Date/Time: 1/2/2018 7:04:22 PM
Process: [2148]C:\Windows\SysWOW64\mshta.exe
Parent: [8472]C:\Program Files\HP\HP Officejet Pro 6830\Bin\HP Officejet Pro 6830.exe
Rule: BlockHtaScripts
Rule Name: Block execution of .hta scripts
Command Line: "C:\WINDOWS\SysWOW64\mshta.exe" "C:\Program Files\HP\HP Officejet Pro 6830\Bin\HPSolutionsPortal.hta" -data_folder="C:\ProgramData\HP\HP Officejet Pro 6830\HPUDC\HP Officejet Pro 6830 (Network)\"
Signer:
Parent Signer: Hewlett Packard
 
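The block entries shmu26 pasted and the exclusion format the developer posted earlier are two sides of the same false-positive triage loop. The following is an added example, not OSArmor's own code: it parses block-log entries in the format shown above, counts them per rule and parent signer (a signed, known parent repeatedly hitting one rule is the first thing to look at), and renders an exclusion line in the `[%PROCESS%: ...] [%PARENTPROCESS%: ...] [%PROCESSCMDLINE%: ...]` form from the thread. The only assumption is that the log is plain "Key: value" lines with entries separated by a blank line, as pasted.

```python
import re
from collections import Counter

# Sample input: the two BlockHtaScripts entries quoted in the thread, pasted as-is.
SAMPLE_LOG = r"""Date/Time: 1/2/2018 7:04:00 PM
Process: [8476]C:\Windows\SysWOW64\mshta.exe
Parent: [8472]C:\Program Files\HP\HP Officejet Pro 6830\Bin\HP Officejet Pro 6830.exe
Rule: BlockHtaScripts
Rule Name: Block execution of .hta scripts
Command Line: "C:\WINDOWS\SysWOW64\mshta.exe" "C:\Program Files\HP\HP Officejet Pro 6830\Bin\HPSPProgress.hta" -lang_id="1033"
Signer:
Parent Signer: Hewlett Packard

Date/Time: 1/2/2018 7:04:22 PM
Process: [2148]C:\Windows\SysWOW64\mshta.exe
Parent: [8472]C:\Program Files\HP\HP Officejet Pro 6830\Bin\HP Officejet Pro 6830.exe
Rule: BlockHtaScripts
Rule Name: Block execution of .hta scripts
Command Line: "C:\WINDOWS\SysWOW64\mshta.exe" "C:\Program Files\HP\HP Officejet Pro 6830\Bin\HPSolutionsPortal.hta" -data_folder="C:\ProgramData\HP\HP Officejet Pro 6830\HPUDC\HP Officejet Pro 6830 (Network)\"
Signer:
Parent Signer: Hewlett Packard
"""

_PID_PATH = re.compile(r"^\[(\d+)\](.*)$")  # "[8476]C:\Windows\...\mshta.exe"


def parse_block_log(text):
    """Split the log into entries (blank-line separated) of 'Key: value' fields.
    Process/Parent carry a [pid] prefix; it is moved into ProcessPid/ParentPid."""
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):
        entry = {}
        for line in block.splitlines():
            key, _, value = line.partition(":")  # first colon only; paths keep theirs
            entry[key.strip()] = value.strip()
        for field in ("Process", "Parent"):
            m = _PID_PATH.match(entry.get(field, ""))
            if m:
                entry[field + "Pid"], entry[field] = m.group(1), m.group(2)
        entries.append(entry)
    return entries


def exclusion_for(entry):
    """Render an exclusion in the format the developer posted earlier in the thread."""
    return (f"[%PROCESS%: {entry['Process']}] "
            f"[%PARENTPROCESS%: {entry['Parent']}] "
            f"[%PROCESSCMDLINE%: {entry['Command Line']}]")


def summarize(entries):
    """Count blocks per (rule, parent signer) to spot a known signed parent tripping one rule."""
    return dict(Counter((e["Rule"], e["Parent Signer"]) for e in entries))
```

An exclusion built this way pins the exact command line, so it only silences the one .hta launch and not mshta.exe in general; widen it deliberately, not by default.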
