1. Opcode

    Opcode Level 18
    Content Creator

    Aug 17, 2017
    890
    6,300
    Caille
    Windows 10
    OSArmor, MBAE and HMP.A? Yeah, don't do that. OSArmor and MBAE I can't see conflicting with exclusions and not everything enabled for OSArmor, but all three of those? That is asking for trouble!
     
    AtlBo, Syafiq, DeepWeb and 4 others like this.
  2. plat1098

    plat1098 Level 5

    Aug 23, 2017
    227
    1,333
    Brooklyn
    Windows 10
    Microsoft
Just curious, is Malwarebytes Anti-Exploit free? Even if not, what does this offer in addition to Alert? There are always risks of "silent" conflicts, even with exclusions in place. I would not underestimate Alert's capabilities; for example, on here, occasionally it is still squabbling with Sandboxie for control over Firefox plugins and .dll, etc., but is very calm with OSArmor, no problems.

    HitmanPro.ALERT Support and Discussion Thread
     
    AtlBo, Syafiq, Deletedmessiah and 4 others like this.
  3. shmu26

    shmu26 Level 53

    Jul 3, 2015
    4,255
    13,526
    Utopia
    MBAE doesn't add any protection, if you have HMPA. Not that I am recommending either of them, but HMPA is a monster and MBAE is a mouse.
     
    AtlBo, Syafiq, Sunshine-boy and 4 others like this.
  4. DavidLMO

    DavidLMO Level 1

    Dec 25, 2017
    28
    75
    Security
    USA
    Windows 7
    BitDefender
    Fully understand and AGREE. There is a purpose in addition to Beta testing on three of these apps.
     
    AtlBo, Syafiq, Opcode and 1 other person like this.
  5. Opcode

    Opcode Level 18
    Content Creator

    Aug 17, 2017
    890
    6,300
    Caille
    Windows 10
    Malwarebytes Anti-Exploit offers forcing of protection features like Address Space Layout Randomisation (ASLR), Data Execution Prevention (DEP) and can help mitigate exploits for various software. However, Windows 10 now has EMET features built-in and HitmanPro.Alert covers a whole lot more in my opinion.

However, more functionality brings more system slow-down and more potential problems. I don't know about the performance with HitmanPro.Alert on a regular basis, however I do know it breaks an awful lot of software depending on the configuration, and also after updates to various software. I see a lot of break reports... So I'd say it is probably better for a business that updates software/their OS software after check-ups and X amount of time.

Both are good, though; just don't use both at the same time.
     
  6. NoVirusThanks

    NoVirusThanks From NoVirusThanks
    Developer

    Aug 23, 2012
    53
    705
    Italy
    Windows 10
    Here is a new v1.4 (pre-release) (test10):
    http://downloads.novirusthanks.org/files/osarmor_setup_1.4_test10.exe

*** Please do not share the download link, we will delete it when we release the official v1.4 ***

    So far this is what's new compared to the previous pre-release:

    + Block any process executed from javaw.exe (except java.exe)
    + Block any process executed from java.exe
    + Fixed display of GUI and Configurator on multi-monitors
    + Minor fixes and optimizations

    This pre-release version can be installed over the top of the previous one.

    We're now working on the driver to support Secure Boot.

    @shmu26

    Should be fixed in this test10.
     
    AtlBo, Syafiq, harlan4096 and 9 others like this.
  7. Slyguy

    Slyguy Level 21

    Jan 27, 2017
    1,090
    4,371
    Fortinet Engineer
    USA
    Other OS
    The most important fix in this was the ability to use the mouse wheel to scroll through the rules.
     
  8. Darrin

    Darrin Level 1

    Dec 12, 2015
    4
    13
    Spokane Wa.
    @ NoVirusThanks

    Just a FP you should be aware of...

    Date/Time: 1/1/2018 1:05:18 AM
    Process: [10156]C:\ProgramData\Panda Security\Panda Devices Agent\Downloads\94f8cda3e22ca03b64f714f92fb73415\PSExpCampaign.exe
    Parent: [2124]C:\Program Files (x86)\Panda Security\Panda Devices Agent\AgentSvc.exe
    Rule: BlockSuspiciousProcesses
    Rule Name: Block execution of suspicious processes
    Command Line: "C:\ProgramData\Panda Security\Panda Devices Agent\Downloads\94f8cda3e22ca03b64f714f92fb73415\PSExpCampaign.exe"
    Signer: Panda Security S.L
    Parent Signer: Panda Security S.L

    and... Thank You for this Excellent program
     
    AtlBo, Syafiq, NoVirusThanks and 2 others like this.
  9. Darrin

    Darrin Level 1

    Dec 12, 2015
    4
    13
    Spokane Wa.
    Is ERP really necessary when running OSArmor and MBAE Premium and NVT Registry Guard ?
    Thanks Guys
     
    AtlBo, Azure Phoenix and Syafiq like this.
  10. shmu26

    shmu26 Level 53

    Jul 3, 2015
    4,255
    13,526
    Utopia
    It depends whether you feel that you need a default/deny setup or not. None of the programs you mentioned will prompt or block unknown exe files.
     
    AtlBo, simmerskool, Syafiq and 2 others like this.
  11. l0rdraiden

    l0rdraiden Level 1

    Jul 28, 2017
    44
    61
    World
You already offer it for free, which is a lot, but I am just wondering what you think about making the rules open source, so more people can contribute and you could review them before each release.

Does OSArmor have popups when something is detected? I think it would be useful to have additional information about the file, like a direct link to VT or anything else.
     
    AtlBo and Andy Ful like this.
  12. Umbra

    Umbra From Emsisoft
    Developer

    May 16, 2011
    17,163
    29,640
    Community manager
    Vietnam & France
    Windows 10
    Emsisoft
If by that you mean users submitting some rules to be hardcoded, it may be a good idea.
    Note that users can already create rules "a la" Smart Object Blocker.
     
    Azure Phoenix, BryanB and harlan4096 like this.
  13. Windows_Security

    Windows_Security Level 13
    Content Creator Trusted

    Mar 13, 2016
    615
    2,879
    Holland
    Windows 7
    Default-Deny
    #313 Windows_Security, Jan 3, 2018
    Last edited: Jan 3, 2018
Edit the CustomBlock.db and Exclusions.db

See the ObjectBlocker explanation in the attached file (add a few general block rules and exceptions and you basically have the new and improved NVT V4) ;)(y)
     


    AtlBo, Syafiq, TerrakionSmash and 4 others like this.
  14. Windows_Security

    Windows_Security Level 13
    Content Creator Trusted

    Mar 13, 2016
    615
    2,879
    Holland
    Windows 7
    Default-Deny
    #314 Windows_Security, Jan 3, 2018
    Last edited: Jan 3, 2018
    EDIT: IT IS EVEN SIMPLER TO ALLOW ONLY SIGNED PROCESS EXECUTION FROM NORMAL USER FOLDERS

    OPEN CONFIGURATOR: CHECK WHETHER THESE SETTINGS ARE ENABLED
    Block suspicious Explorer.exe process behaviors
    Block processes located in suspicious folders
    Block execution of unsigned processes on Local AppData
    Block execution of unsigned processes on Roaming AppData
    Block execution of unsigned processes on Common AppData

ADD CUSTOM BLOCK-RULES (change Kees to your name)
; Block executables from data partition D (documents) on main drive and Q (quick backup) on second hard disk
    [%PROCESS%: D:\*]
    [%PROCESS%: Q:\*]

    ; Block executables from public folders on C drive
    [%PROCESS%: C:\Users\Public\*]

    ; Block executables from my user folders on C drive
    [%PROCESS%: C:\Users\Kees\Contacts\*]
    [%PROCESS%: C:\Users\Kees\Downloads\*]
    [%PROCESS%: C:\Users\Kees\Desktop\*]
    [%PROCESS%: C:\Users\Kees\Documents\*]
    [%PROCESS%: C:\Users\Kees\Music\*]
    [%PROCESS%: C:\Users\Kees\Videos\*]
    [%PROCESS%: C:\Users\Kees\Saved Games\*]
    [%PROCESS%: C:\Users\Kees\Searches\*]

    ONLY DOWNSIDE IS THAT YOU HAVE TO INSTALL AND UPDATE FROM YOUR TEMP FOLDER

    @NoVirusThanks would it be possible to add a ALLOW SIGNED EXECUTION FROM DESKTOP rule and block execution in other user folders?

--------------------------- Tested with unsigned (AppTimer) and signed (ProcessExplorer), see log below
    NOTE PROCESS EXPLORER (SIGNED) WAS ALLOWED TO EXECUTE FROM TEMP AND OTHER APPDATA LOCATIONS

    Date/Time: 3-1-2018 12:04:41
    Process: [2204]C:\Users\Kees\AppData\Local\Temp\AppTimer.exe
    Parent: [2496]C:\Windows\explorer.exe
    Rule: BlockSuspiciousExplorerBehaviors
    Rule Name: Block suspicious Explorer.exe process behaviors
    Command Line: "C:\Users\Kees\AppData\Local\Temp\AppTimer.exe"
    Signer:
    Parent Signer:

    Date/Time: 3-1-2018 12:04:59
    Process: [768]C:\Users\Kees\AppTimer.exe
    Parent: [2496]C:\Windows\explorer.exe
    Rule: BlockProcessesOnSuspiciousFolders
    Rule Name: Block processes located in suspicious folders
    Command Line: "C:\Users\Kees\AppTimer.exe"
    Signer:
    Parent Signer:

    Date/Time: 3-1-2018 12:05:35
    Process: [824]C:\Users\Kees\Documents\AppTimer.exe
    Parent: [2496]C:\Windows\explorer.exe
    Rule: CustomBlockRule
    Rule Name: Custom process-block rule via CustomBlock.db
    Command Line: "C:\Users\Kees\Documents\AppTimer.exe"
    Signer:
    Parent Signer:

    Date/Time: 3-1-2018 12:06:20
    Process: [3232]C:\Users\Kees\Documents\procexp.exe
    Parent: [2496]C:\Windows\explorer.exe
    Rule: CustomBlockRule
    Rule Name: Custom process-block rule via CustomBlock.db
    Command Line: "C:\Users\Kees\Documents\procexp.exe"
    Signer: Microsoft Corporation
    Parent Signer:

    WITH ABOVE SETTING OS-ARMOR IS NICE FREE REPLACEMENT FOR APPGUARD (DEFAULT MODE, NOT LOCKDOWN).
     
    Av Gurus, AtlBo, simmerskool and 8 others like this.
  15. Andy Ful

    Andy Ful Level 21

    Dec 23, 2014
    1,092
    4,677
    business
    Poland
    Windows 10
    Microsoft
    The rule:
    Thanks for the useful command summary. :)
I noticed that only the variables %PROCESS%, %PARENTPROCESS% and %PROCESSCMDLINE% can be used in OSArmor (Andreas mentioned this in CustomBlock.db). The other variables (from SOB) are probably not supported. So, one cannot block DLL files. :(

    But anyway, the variables %PROCESS%, %PARENTPROCESS% and %PROCESSCMDLINE% are very useful.(y)
     
  16. NoVirusThanks

    NoVirusThanks From NoVirusThanks
    Developer

    Aug 23, 2012
    53
    705
    Italy
    Windows 10
    Just a quick update, new v1.4 (pre-release) (test11):
    http://downloads.novirusthanks.org/files/osarmor_setup_1.4_test11.exe

*** Please do not share the download link, we will delete it when we release the official v1.4 ***

    So far this is what's new compared to the previous pre-release:

    + Added buttons to save\load protection options to\from a file
    + Some improvements on internal rules
    + Fixed all reported false positives

    @Darrin

Thanks for reporting it, should be fixed in this test11.

    I've also fine-tuned some internal rules related to that FP.

    @l0rdraiden

We have no plans for that in OSArmor, but you may use the "Custom Block-Rules" to create customized or specific block-rules.

    It works the same way as SOB but supports only 3 variables.

However, if you have some ideas about new rules, just let me know via PM or by posting here and we'll discuss whether to add them to the OSArmor "Configurator".

    Yes, it shows a popup dialog when something is blocked.

A link to VT would not help much, since many exploits run system processes like cmd.exe, etc.; the VT link would show the file as clean.

    @Windows_Security

    You mean like adding "Block unsigned processes on Desktop folder" on Configurator right?

    We can add it and make it unchecked by default (can create some FPs to regular users).

    @Andy Ful

Yes, OSArmor supports only 3 variables for now, but I can add support for %SIGNER% and %PARENTSIGNER% if needed.

    Then you have all that you need to create very fine-tuned custom process-block rules.
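The Custom Block-Rules syntax shown in Windows_Security's post (#314) and the three supported variables confirmed here (%PROCESS%, %PARENTPROCESS%, %PROCESSCMDLINE%) can be exercised offline with a small simulator. The following Python is an added example, not OSArmor's or NoVirusThanks' own code, and it assumes a matching engine that OSArmor's documentation on this page does not spell out: one `[%VARIABLE%: pattern]` condition per line, `;` comments, `*` as the only wildcard, and case-insensitive comparison as with Windows paths. It replays the four logged events from that post against Kees's rule list plus one constructed `%PARENTPROCESS%` rule, which shows the point made in the log: a custom path rule blocks `procexp.exe` in Documents even though it is signed by Microsoft, because these rules never look at the signer.

```python
"""Added example: simulate OSArmor-style CustomBlock.db process rules.

Assumptions (not documented on the page): one condition per bracketed line,
';' starts a comment, '*' matches any run of characters, matching is
case-insensitive, and only the three variables named in the thread exist.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Optional

# The only variables the thread says OSArmor custom rules support.
SUPPORTED_VARS = ("%PROCESS%", "%PARENTPROCESS%", "%PROCESSCMDLINE%")
RULE_LINE = re.compile(r"^\[(%[A-Z]+%):\s*(.+?)\]$")


@dataclass(frozen=True)
class Rule:
    variable: str
    pattern: str
    regex: re.Pattern


@dataclass(frozen=True)
class ProcessEvent:
    process: str
    parent: str
    cmdline: str
    signer: str = ""  # shown in the report only; custom rules ignore it


def _compile_pattern(pattern: str) -> re.Pattern:
    """Turn a '*'-wildcard pattern into an anchored, case-insensitive regex."""
    parts = [re.escape(p) for p in pattern.split("*")]
    return re.compile("^" + ".*".join(parts) + "$", re.IGNORECASE)


def parse_rules(text: str) -> list[Rule]:
    """Parse CustomBlock.db-style text; reject unknown variables early."""
    rules: list[Rule] = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        m = RULE_LINE.match(line)
        if not m:
            raise ValueError(f"line {lineno}: not a [%VAR%: pattern] rule: {raw!r}")
        var, pattern = m.group(1), m.group(2).strip()
        if var not in SUPPORTED_VARS:
            raise ValueError(f"line {lineno}: unsupported variable {var}")
        rules.append(Rule(var, pattern, _compile_pattern(pattern)))
    return rules


def _lookup(event: ProcessEvent, var: str) -> str:
    return {"%PROCESS%": event.process,
            "%PARENTPROCESS%": event.parent,
            "%PROCESSCMDLINE%": event.cmdline}[var]


def first_match(rules: list[Rule], event: ProcessEvent) -> Optional[Rule]:
    """First rule whose pattern matches the event's variable, else None."""
    for rule in rules:
        if rule.regex.match(_lookup(event, rule.variable)):
            return rule
    return None


def evaluate(rules: list[Rule], events: list[ProcessEvent]) -> list[tuple[str, Optional[str]]]:
    """(process path, matched pattern or None) for each event, in order."""
    out = []
    for event in events:
        hit = first_match(rules, event)
        out.append((event.process, hit.pattern if hit else None))
    return out


# Rules copied from the post above, plus one constructed %PARENTPROCESS% rule
# that mirrors the v1.4 built-in "block any process executed from java.exe".
KEES_RULES = r"""
; Block executables from data partition D (documents) and Q (quick backup)
[%PROCESS%: D:\*]
[%PROCESS%: Q:\*]
; Block executables from public folders on C drive
[%PROCESS%: C:\Users\Public\*]
; Block executables from my user folders on C drive
[%PROCESS%: C:\Users\Kees\Contacts\*]
[%PROCESS%: C:\Users\Kees\Downloads\*]
[%PROCESS%: C:\Users\Kees\Desktop\*]
[%PROCESS%: C:\Users\Kees\Documents\*]
[%PROCESS%: C:\Users\Kees\Music\*]
[%PROCESS%: C:\Users\Kees\Videos\*]
[%PROCESS%: C:\Users\Kees\Saved Games\*]
[%PROCESS%: C:\Users\Kees\Searches\*]
; Constructed for this example, not from the post:
[%PARENTPROCESS%: *\java.exe]
"""

EXPLORER = r"C:\Windows\explorer.exe"
# First four events are taken from the log in the post; the last is constructed.
LOGGED_EVENTS = [
    ProcessEvent(r"C:\Users\Kees\AppData\Local\Temp\AppTimer.exe", EXPLORER,
                 r'"C:\Users\Kees\AppData\Local\Temp\AppTimer.exe"'),
    ProcessEvent(r"C:\Users\Kees\AppTimer.exe", EXPLORER, r'"C:\Users\Kees\AppTimer.exe"'),
    ProcessEvent(r"C:\Users\Kees\Documents\AppTimer.exe", EXPLORER,
                 r'"C:\Users\Kees\Documents\AppTimer.exe"'),
    ProcessEvent(r"C:\Users\Kees\Documents\procexp.exe", EXPLORER,
                 r'"C:\Users\Kees\Documents\procexp.exe"', signer="Microsoft Corporation"),
    ProcessEvent(r"C:\Users\Kees\AppData\Local\Temp\dropped.exe",  # constructed
                 r"C:\Program Files\Java\bin\java.exe",
                 r'"C:\Users\Kees\AppData\Local\Temp\dropped.exe"'),
]

if __name__ == "__main__":
    for path, pattern in evaluate(parse_rules(KEES_RULES), LOGGED_EVENTS):
        print(f"{'BLOCK' if pattern else 'pass '}  {path}  <- {pattern}")
```

The two `None` results (AppTimer.exe in Temp and directly under the profile root) are the events the post's log shows being caught by the built-in rules `BlockSuspiciousExplorerBehaviors` and `BlockProcessesOnSuspiciousFolders`, which the custom list does not cover; the simulator only models CustomBlock.db, so those come back as "pass" here. Feeding the parser a `%SIGNER%` rule raises `ValueError`, matching the statement that only three variables are supported at the moment.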
     
  17. Andy Ful

    Andy Ful Level 21

    Dec 23, 2014
    1,092
    4,677
    business
    Poland
    Windows 10
    Microsoft
Will those variables recognize only files with a faithful digital signature?
     
    AtlBo and Sunshine-boy like this.
  18. l0rdraiden

    l0rdraiden Level 1

    Jul 28, 2017
    44
    61
    World
    #318 l0rdraiden, Jan 3, 2018
    Last edited: Jan 3, 2018
    AtlBo and Prorootect like this.
  19. Opcode

    Opcode Level 18
    Content Creator

    Aug 17, 2017
    890
    6,300
    Caille
    Windows 10
Just use MBRFilter, it's free. Use it alongside NVT OSArmor. The developer signed up here recently to respond to me, not sure if they are still active here, but the developer is smart and experienced and MBRFilter does work quite well (they just need to improve the uninstallation process I think so it's more user-friendly).
     
  20. Windows_Security

    Windows_Security Level 13
    Content Creator Trusted

    Mar 13, 2016
    615
    2,879
    Holland
    Windows 7
    Default-Deny
    #320 Windows_Security, Jan 3, 2018
    Last edited: Jan 3, 2018
As far as I know, it just checks the values of the executable meta-data; Andreas should answer this question. Malware has forged signatures, but still only 5-10 percent of malware is signed with forged signatures, so even a simple check on signature meta-data already reduces the chance of infection substantially. If OSArmor performed a signature validity check, the attack surface would be further reduced to 2-5% of (PC) malware.
     