NoVirusThanks

From NoVirusThanks
Verified
Developer
@tiktoshi

Can you try one of these new exclusions:

Code:
[%PROCESS%: C:\Windows\System32\wscript.exe] [%PARENTPROCESS%: C:\Windows\explorer.exe] [%PROCESSCMDLINE%: "C:\Windows\System32\WScript.exe" "C:\Windows\SysWOW64\slmgr.vbs"]
Code:
[%PROCESS%: C:\Windows\System32\wscript.exe] [%PARENTPROCESS%: C:\Windows\explorer.exe] [%PROCESSCMDLINE%: "C:\Windows\System32\WScript.exe" "C:\Windows\SysWOW64\slmgr.vbs"?]
Code:
[%PROCESS%: C:\Windows\System32\wscript.exe] [%PARENTPROCESS%: C:\Windows\explorer.exe] [%PROCESSCMDLINE%: "C:\Windows\System32\WScript.exe" "C:\Windows\SysWOW64\slmgr.vbs"*]
Let me know which one works.

Other problems can not retrieve settings
The "Reset to Default" button just unchecks the options that are unchecked by default.

I'll make sure it also checks all the other options.
 

shmu26

Level 85
Verified
Trusted
Content Creator
I only reported that OSArmor can block an application after that application is sandboxed by Sandboxie.
I think that is basically what people want, though. They want their malware to be both sandboxed and blocked. They don't want keyloggers living inside their browser's sandboxed environment, for instance.
 

NoVirusThanks

From NoVirusThanks
Verified
Developer
Here is a new v1.4 (pre-release) (test7):
http://downloads.novirusthanks.org/files/osarmor_setup_1.4_test7.exe

*** Please do not share the download link, we will delete it when we release the official v1.4 ***

So far this is what's new compared to the previous pre-release:

+ Block execution of any process related to Radmin (unchecked by default)
+ Scroll the list of protections using the mouse wheel
+ Fixed button to reset protection options to the default values
+ Many improvements in the internal rules
+ Fixed all reported false positives

This pre-release version can be installed over the top of the previous one.

Please let me know if you find new FPs.

@tiktoshi

Other problems can not retrieve settings
It is fixed now (test7).

@l0rdraiden

What are all those internal rules you add?
Rules to identify bad process behaviors.
 

Deleted member 65228

@shmu26 0xC0000142 (NTSTATUS) is STATUS_DLL_INIT_FAILED. Probably interception was done via PsSetLoadImageNotifyRoutine/Ex for process start-up monitoring (once the NTDLL.DLL load triggered the callback) and it was blocked, unless PsSetCreateProcessNotifyRoutine/Ex or FltRegisterFilter was used for blocking and specified that specific NTSTATUS error code when the operation was blocked. Temporarily disable all the security software you have and slowly re-enable each one, one by one, to identify which specific one is causing the problem, of course assuming it is indeed related to security software on your machine.
 

NoVirusThanks

From NoVirusThanks
Verified
Developer
Here is a new v1.4 (pre-release) (test8):
http://downloads.novirusthanks.org/files/osarmor_setup_1.4_test8.exe

*** Please do not share the download link, we will delete it when we release the official v1.4 ***

So far this is what's new compared to the previous pre-release:

+ Fixed an issue on test 7

This pre-release version can be installed over the top of the previous one.

@shmu26

Should work fine now, thanks for reporting the issue.
 

shmu26

Level 85
Verified
Trusted
Content Creator
@shmu26 0xC0000142 (NTSTATUS) is STATUS_DLL_INIT_FAILED. Probably interception was done via PsSetLoadImageNotifyRoutine/Ex for process start-up monitoring (once the NTDLL.DLL load triggered the callback) and it was blocked, unless PsSetCreateProcessNotifyRoutine/Ex or FltRegisterFilter was used for blocking and specified that specific NTSTATUS error code when the operation was blocked. Temporarily disable all the security software you have and slowly re-enable each one, one by one, to identify which specific one is causing the problem, of course assuming it is indeed related to security software on your machine.
Thanks, but the new OSA build fixed it. This issue arose immediately after installing test 7, and the folks over on the other forum were reporting lots of error messages from it, so it really was a no-brainer that OSA test 7 was the culprit.
 

l0rdraiden

Level 2
Here is a new v1.4 (pre-release) (test7):
http://downloads.novirusthanks.org/files/osarmor_setup_1.4_test7.exe

*** Please do not share the download link, we will delete it when we release the official v1.4 ***

So far this is what's new compared to the previous pre-release:

+ Block execution of any process related to Radmin (unchecked by default)
+ Scroll the list of protections using the mouse wheel
+ Fixed button to reset protection options to the default values
+ Many improvements in the internal rules
+ Fixed all reported false positives

This pre-release version can be installed over the top of the previous one.

Please let me know if you find new FPs.

@tiktoshi

It is fixed now (test7).

@l0rdraiden

Rules to identify bad process behaviors.
But those are not part of the list we can see.
How are the behaviour blocker detections presented to the users if there is no rule linked to them? Are the popups different?
 

NoVirusThanks

From NoVirusThanks
Verified
Developer
But those are not part of the list we can see.
Basic anti-exploit protection
Block execution of suspicious processes
Block processes located in suspicious folders
Block suspicious Svchost.exe process behaviors
Block direct execution of JavaScript and VBscript code
Block command-lines that match shellcode-like patterns
Block execution of suspicious scripts
Block malformed PowerShell commands
And so on...

All these protection options (and many more) use a lot of internal rules.

For example, to identify a malformed PowerShell command we use 50+ internal rules (and we will add more).

All the internal rules that we add ("Added N+ internal rules") are associated with the protection options listed.
 

tiktoshi

Level 4
Here is a new v1.4 (pre-release) (test7):
http://downloads.novirusthanks.org/files/osarmor_setup_1.4_test7.exe

*** Please do not share the download link, we will delete it when we release the official v1.4 ***

So far this is what's new compared to the previous pre-release:

+ Block execution of any process related to Radmin (unchecked by default)
+ Scroll the list of protections using the mouse wheel
+ Fixed button to reset protection options to the default values
+ Many improvements in the internal rules
+ Fixed all reported false positives

This pre-release version can be installed over the top of the previous one.

Please let me know if you find new FPs.

@tiktoshi

It is fixed now (test7).

@l0rdraiden

Rules to identify bad process behaviors.

+ Fixed button to reset protection options to the default values

Problem solved
 

NoVirusThanks

From NoVirusThanks
Verified
Developer
Here is a new v1.4 (pre-release) (test9):
http://downloads.novirusthanks.org/files/osarmor_setup_1.4_test9.exe

*** Please do not share the download link, we will delete it when we release the official v1.4 ***

So far this is what's new compared to the previous pre-release:

+ Fixed blocking of processes executed from mmc.exe
+ Minor fixes and optimizations

This pre-release version can be installed over the top of the previous one.
 

DavidLMO

Level 4
( maybe ) a stupid question : can nvt os armor run alongside nvt exe radar pro and mbae? Thanks!
I have all 3 running on a Windows 7 box and also HitmanPro.Alert (beta). After a few initial setup problems (over 2 weeks ago) everything has been stable since. Also running Malwarebytes with things unticked, so I use it as a scanner.
 

shmu26

Level 85
Verified
Trusted
Content Creator
Here is a new v1.4 (pre-release) (test9):
http://downloads.novirusthanks.org/files/osarmor_setup_1.4_test9.exe

*** Please do not share the download link, we will delete it when we release the official v1.4 ***

So far this is what's new compared to the previous pre-release:

+ Fixed blocking of processes executed from mmc.exe
+ Minor fixes and optimizations

This pre-release version can be installed over the top of the previous one.
Some of the HP blocks came back:

Date/Time: 1/2/2018 7:04:00 PM
Process: [8476]C:\Windows\SysWOW64\mshta.exe
Parent: [8472]C:\Program Files\HP\HP Officejet Pro 6830\Bin\HP Officejet Pro 6830.exe
Rule: BlockHtaScripts
Rule Name: Block execution of .hta scripts
Command Line: "C:\WINDOWS\SysWOW64\mshta.exe" "C:\Program Files\HP\HP Officejet Pro 6830\Bin\HPSPProgress.hta" -lang_id="1033"
Signer:
Parent Signer: Hewlett Packard

Date/Time: 1/2/2018 7:04:22 PM
Process: [2148]C:\Windows\SysWOW64\mshta.exe
Parent: [8472]C:\Program Files\HP\HP Officejet Pro 6830\Bin\HP Officejet Pro 6830.exe
Rule: BlockHtaScripts
Rule Name: Block execution of .hta scripts
Command Line: "C:\WINDOWS\SysWOW64\mshta.exe" "C:\Program Files\HP\HP Officejet Pro 6830\Bin\HPSolutionsPortal.hta" -data_folder="C:\ProgramData\HP\HP Officejet Pro 6830\HPUDC\HP Officejet Pro 6830 (Network)\"
Signer:
Parent Signer: Hewlett Packard
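
As an added example, not part of this thread and not OSArmor's own code, the Python below models the exclusion-rule syntax from the wscript.exe/slmgr.vbs post earlier in the thread and checks candidate exclusions against block-log entries in the format quoted above (the HP mshta.exe block). The wildcard semantics (case-insensitive comparison, `*` any run of characters, `?` exactly one), the `/dli` switch in the constructed wscript event and the HP exclusion itself are assumptions, not stated in the thread.

```python
import re
# Added example, not OSArmor's own code: a matcher for the exclusion-rule
# syntax and the block-log format quoted in this thread. Assumed, not stated
# on the page: case-insensitive comparison, '*' = any run of chars, '?' = one.
FIELD_TO_LOG_KEY = {"PROCESS": "Process", "PARENTPROCESS": "Parent",
                    "PROCESSCMDLINE": "Command Line"}

def parse_exclusion(rule):
    """'[%PROCESS%: x] [%PARENTPROCESS%: y] ...' -> {'PROCESS': 'x', ...}"""
    return {name: val.strip()
            for name, val in re.findall(r"\[%(\w+)%:\s*([^\]]*)\]", rule)}

def parse_log_entry(text):
    """Parse one 'Key: Value' block-log entry, dropping the [pid] prefix."""
    return {k.strip(): re.sub(r"^\[\d+\]", "", v.strip())
            for k, _, v in (l.partition(":") for l in text.strip().splitlines())}

def glob_match(pattern, value):
    regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(regex, value, re.IGNORECASE | re.DOTALL) is not None

def exclusion_matches(rule, entry):
    """True only if every field named in the rule matches the log entry."""
    fields = parse_exclusion(rule)
    return bool(fields) and all(glob_match(p, entry.get(FIELD_TO_LOG_KEY.get(k, k), ""))
                                for k, p in fields.items())

# The three candidate exclusions from the thread: exact, trailing '?', trailing '*'.
SLMGR_PREFIX = (r'[%PROCESS%: C:\Windows\System32\wscript.exe] '
                r'[%PARENTPROCESS%: C:\Windows\explorer.exe] '
                r'[%PROCESSCMDLINE%: "C:\Windows\System32\WScript.exe" '
                r'"C:\Windows\SysWOW64\slmgr.vbs"')
SLMGR_RULES = {s: SLMGR_PREFIX + s + "]" for s in ("", "?", "*")}
# Constructed event: the same launch with a trailing switch (/dli is assumed).
WSCRIPT_ENTRY = {"Process": r"C:\Windows\System32\wscript.exe",
                 "Parent": r"C:\Windows\explorer.exe", "Command Line":
                 r'"C:\Windows\System32\WScript.exe" "C:\Windows\SysWOW64\slmgr.vbs" /dli'}

def matching_slmgr_rules(entry=WSCRIPT_ENTRY):
    return [s for s, r in SLMGR_RULES.items() if exclusion_matches(r, entry)]

# The HP mshta.exe block quoted above, with a tight exclusion (that parent, Bin\*.hta only).
HP_ENTRY = parse_log_entry(r"""Process: [8476]C:\Windows\SysWOW64\mshta.exe
Parent: [8472]C:\Program Files\HP\HP Officejet Pro 6830\Bin\HP Officejet Pro 6830.exe
Command Line: "C:\WINDOWS\SysWOW64\mshta.exe" "C:\Program Files\HP\HP Officejet Pro 6830\Bin\HPSPProgress.hta" -lang_id="1033"
""")
HP_RULE = (r'[%PROCESS%: C:\Windows\SysWOW64\mshta.exe] '
           r'[%PARENTPROCESS%: C:\Program Files\HP\HP Officejet Pro 6830\Bin\HP Officejet Pro 6830.exe] '
           r'[%PROCESSCMDLINE%: "C:\WINDOWS\SysWOW64\mshta.exe" '
           r'"C:\Program Files\HP\HP Officejet Pro 6830\Bin\*.hta"*]')
```

Only the `*` variant survives an extra command-line switch, which is why the exact and `?` forms tend to stop matching after a product update; the HP rule stays narrow by pinning the parent binary rather than allowing mshta.exe globally.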
 