NoVirusThanks OSArmor

shmu26

Level 85
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Jul 3, 2015
8,153
I think this combination is a recipe for disaster. Especially with HMPA which already can cause issues on a clean system.
+1
When a person piles up security softs like that, he might actually be weakening his protection, rather than strengthening it. "Too many cooks spoil the soup."
 

plat1098

Just curious, is it Malwarebytes Anti-exploit free? Even if not, what does this offer in addition to Alert? There are always risks of "silent" conflicts, even with exclusions in place. I would not underestimate Alert's capabilities; for example, on here, occasionally it is still squabbling with Sandboxie for control over Firefox plugins and .dll, etc but is very calm with OSArmor, no problems.

HitmanPro.ALERT Support and Discussion Thread
 

Deleted member 65228

Malwarebytes Anti-Exploit offers forcing of protection features like Address Space Layout Randomisation (ASLR), Data Execution Prevention (DEP) and can help mitigate exploits for various software. However, Windows 10 now has EMET features built-in and HitmanPro.Alert covers a whole lot more in my opinion.

However, more functionality brings more system slow-down and more potential problems. I don't know about the performance of HitmanPro.Alert on a regular basis, but I do know it breaks an awful lot of software depending on the configuration, and also after updates to various software. I see a lot of break reports... So I'd say it is probably better for a business that updates software/its OS software after check-ups and X amount of time.

Both are good, though; don't use both at the same time.
 

NoVirusThanks

From NoVirusThanks
Verified
Developer
Well-known
Aug 23, 2012
293
Here is a new v1.4 (pre-release) (test10):
http://downloads.novirusthanks.org/files/osarmor_setup_1.4_test10.exe

*** Please do not share the download link, we will delete it when we release the official v1.4 ***

So far this is what's new compared to the previous pre-release:

+ Block any process executed from javaw.exe (except java.exe)
+ Block any process executed from java.exe
+ Fixed display of GUI and Configurator on multi-monitors
+ Minor fixes and optimizations

This pre-release version can be installed over the top of the previous one.

We're now working on the driver to support Secure Boot.

@shmu26

Some of the HP blocks came back

Should be fixed in this test10.
 

ForgottenSeer 58943

Here is a new v1.4 (pre-release) (test10):
http://downloads.novirusthanks.org/files/osarmor_setup_1.4_test10.exe

*** Please do not share the download link, we will delete it when we release the official v1.4 ***

So far this is what's new compared to the previous pre-release:

+ Block any process executed from javaw.exe (except java.exe)
+ Block any process executed from java.exe
+ Fixed display of GUI and Configurator on multi-monitors
+ Minor fixes and optimizations

This pre-release version can be installed over the top of the previous one.

We're now working on the driver to support Secure Boot.

@shmu26



Should be fixed in this test10.

The most important fix in this was the ability to use the mouse wheel to scroll through the rules.
 

71Hemi

Level 2
Verified
Dec 12, 2015
82
@NoVirusThanks

Just a FP you should be aware of...

Date/Time: 1/1/2018 1:05:18 AM
Process: [10156]C:\ProgramData\Panda Security\Panda Devices Agent\Downloads\94f8cda3e22ca03b64f714f92fb73415\PSExpCampaign.exe
Parent: [2124]C:\Program Files (x86)\Panda Security\Panda Devices Agent\AgentSvc.exe
Rule: BlockSuspiciousProcesses
Rule Name: Block execution of suspicious processes
Command Line: "C:\ProgramData\Panda Security\Panda Devices Agent\Downloads\94f8cda3e22ca03b64f714f92fb73415\PSExpCampaign.exe"
Signer: Panda Security S.L
Parent Signer: Panda Security S.L

and... Thank You for this Excellent program
 

l0rdraiden

Level 3
Verified
Jul 28, 2017
117
Here is a new v1.4 (pre-release) (test10):
http://downloads.novirusthanks.org/files/osarmor_setup_1.4_test10.exe

*** Please do not share the download link, we will delete it when we release the official v1.4 ***

So far this is what's new compared to the previous pre-release:

+ Block any process executed from javaw.exe (except java.exe)
+ Block any process executed from java.exe
+ Fixed display of GUI and Configurator on multi-monitors
+ Minor fixes and optimizations

This pre-release version can be installed over the top of the previous one.

We're now working on the driver to support Secure Boot.

@shmu26



Should be fixed in this test10.

You already offer it for free, which is a lot, but I am just wondering what you think about making the rules open source, so more people can contribute and you could review them before each release.

Does OSArmor have popups when something is detected? I think it would be useful to have additional information about the file, like a direct link to VT or anything else.
 

Windows_Security

Level 24
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Mar 13, 2016
1,298
Edit the CustomBlock.db and Exclusions.db

See the ObjectBlocker explanation in the attached file (add a few general block rules and exceptions and you basically have the new and improved NVT V4) ;)(y)
 

Attachments

  • Variables.txt
    8.7 KB · Views: 496
Last edited:

Windows_Security

Level 24
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Mar 13, 2016
1,298
EDIT: IT IS EVEN SIMPLER TO ALLOW ONLY SIGNED PROCESS EXECUTION FROM NORMAL USER FOLDERS

OPEN CONFIGURATOR: CHECK WHETHER THESE SETTINGS ARE ENABLED
Block suspicious Explorer.exe process behaviors
Block processes located in suspicious folders
Block execution of unsigned processes on Local AppData
Block execution of unsigned processes on Roaming AppData
Block execution of unsigned processes on Common AppData

ADD CUSTOM BLOCK-RULES (change Kees to your name)
; Block executables from data partition D (documents) on main drive and Q (quick backup) on second hard disk
[%PROCESS%: D:\*]
[%PROCESS%: Q:\*]

; Block executables from public folders on C drive
[%PROCESS%: C:\Users\Public\*]

; Block executables from my user folders on C drive
[%PROCESS%: C:\Users\Kees\Contacts\*]
[%PROCESS%: C:\Users\Kees\Downloads\*]
[%PROCESS%: C:\Users\Kees\Desktop\*]
[%PROCESS%: C:\Users\Kees\Documents\*]
[%PROCESS%: C:\Users\Kees\Music\*]
[%PROCESS%: C:\Users\Kees\Videos\*]
[%PROCESS%: C:\Users\Kees\Saved Games\*]
[%PROCESS%: C:\Users\Kees\Searches\*]

ONLY DOWNSIDE IS THAT YOU HAVE TO INSTALL AND UPDATE FROM YOUR TEMP FOLDER

@NoVirusThanks would it be possible to add an ALLOW SIGNED EXECUTION FROM DESKTOP rule and block execution in other user folders?

--------------------------- Tested with unsigned (AppTimer) and signed (ProcessExplorer); see log below
NOTE PROCESS EXPLORER (SIGNED) WAS ALLOWED TO EXECUTE FROM TEMP AND OTHER APPDATA LOCATIONS

Date/Time: 3-1-2018 12:04:41
Process: [2204]C:\Users\Kees\AppData\Local\Temp\AppTimer.exe
Parent: [2496]C:\Windows\explorer.exe
Rule: BlockSuspiciousExplorerBehaviors
Rule Name: Block suspicious Explorer.exe process behaviors
Command Line: "C:\Users\Kees\AppData\Local\Temp\AppTimer.exe"
Signer:
Parent Signer:

Date/Time: 3-1-2018 12:04:59
Process: [768]C:\Users\Kees\AppTimer.exe
Parent: [2496]C:\Windows\explorer.exe
Rule: BlockProcessesOnSuspiciousFolders
Rule Name: Block processes located in suspicious folders
Command Line: "C:\Users\Kees\AppTimer.exe"
Signer:
Parent Signer:

Date/Time: 3-1-2018 12:05:35
Process: [824]C:\Users\Kees\Documents\AppTimer.exe
Parent: [2496]C:\Windows\explorer.exe
Rule: CustomBlockRule
Rule Name: Custom process-block rule via CustomBlock.db
Command Line: "C:\Users\Kees\Documents\AppTimer.exe"
Signer:
Parent Signer:

Date/Time: 3-1-2018 12:06:20
Process: [3232]C:\Users\Kees\Documents\procexp.exe
Parent: [2496]C:\Windows\explorer.exe
Rule: CustomBlockRule
Rule Name: Custom process-block rule via CustomBlock.db
Command Line: "C:\Users\Kees\Documents\procexp.exe"
Signer: Microsoft Corporation
Parent Signer:

WITH THE ABOVE SETTINGS OS-ARMOR IS A NICE FREE REPLACEMENT FOR APPGUARD (DEFAULT MODE, NOT LOCKDOWN).
 
Last edited:
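To make the CustomBlock.db rules and the log entries above concrete, here is an added Python model of how such rules are evaluated. It is not OSArmor's code and not from NoVirusThanks or the poster: it parses rules in the `[%VARIABLE%: pattern]` form, accepts only the three variables the thread says OSArmor supports (%PROCESS%, %PARENTPROCESS%, %PROCESSCMDLINE%), and runs them against two entries copied from the post's log. The matching semantics are assumptions, since the thread does not state how OSArmor matches internally: a case-insensitive glob where `*` matches any text, first matching rule wins, and Exclusions.db entries (assumed to use the same syntax) are checked first and override blocks.

```python
import fnmatch
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional

# The thread states that only these three variables work in CustomBlock.db.
SUPPORTED_VARS = ("%PROCESS%", "%PARENTPROCESS%", "%PROCESSCMDLINE%")
RULE_RE = re.compile(r"^\[(%[A-Z]+%)\s*:\s*(.+?)\s*\]$")  # [%VAR%: pattern]
PID_RE = re.compile(r"^\[\d+\]")  # log entries prefix paths with [pid]

@dataclass
class Rule:
    variable: str
    pattern: str

def parse_rules(text: str) -> List[Rule]:
    """Parse CustomBlock.db text: ';' lines are comments, blank lines ignored."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        m = RULE_RE.match(line)
        if not m:
            raise ValueError(f"unparseable rule line: {raw!r}")
        if m.group(1) not in SUPPORTED_VARS:
            raise ValueError(f"{m.group(1)} is not one of {SUPPORTED_VARS}")
        rules.append(Rule(m.group(1), m.group(2)))
    return rules

def parse_event(block: str) -> Dict[str, str]:
    """Parse one OSArmor log entry ('Key: value' per line) into a dict."""
    event = {}
    for line in block.strip().splitlines():
        key, _, value = line.partition(":")
        event[key.strip()] = value.strip()
    return event

def rule_matches(rule: Rule, event: Dict[str, str]) -> bool:
    """Assumed semantics: case-insensitive glob where '*' matches any text."""
    fields = {
        "%PROCESS%": PID_RE.sub("", event.get("Process", "")),
        "%PARENTPROCESS%": PID_RE.sub("", event.get("Parent", "")),
        "%PROCESSCMDLINE%": event.get("Command Line", ""),
    }
    return fnmatch.fnmatchcase(fields[rule.variable].lower(), rule.pattern.lower())

def first_match(rules: Iterable[Rule], event: Dict[str, str],
                exclusions: Iterable[Rule] = ()) -> Optional[Rule]:
    """Block rule that fires, or None; exclusions (assumed same syntax) win."""
    if any(rule_matches(ex, event) for ex in exclusions):
        return None
    return next((r for r in rules if rule_matches(r, event)), None)

# Rules copied from the post above (user name 'Kees' as in the post).
CUSTOM_BLOCK_DB = r"""
; Block executables from data partition D (documents) and Q (quick backup)
[%PROCESS%: D:\*]
[%PROCESS%: Q:\*]
; Block executables from public folders on C drive
[%PROCESS%: C:\Users\Public\*]
; Block executables from my user folders on C drive
[%PROCESS%: C:\Users\Kees\Contacts\*]
[%PROCESS%: C:\Users\Kees\Downloads\*]
[%PROCESS%: C:\Users\Kees\Desktop\*]
[%PROCESS%: C:\Users\Kees\Documents\*]
[%PROCESS%: C:\Users\Kees\Music\*]
[%PROCESS%: C:\Users\Kees\Videos\*]
[%PROCESS%: C:\Users\Kees\Saved Games\*]
[%PROCESS%: C:\Users\Kees\Searches\*]
"""

# Two entries copied from the post's log: one the custom rules do not cover
# (Temp; a built-in rule blocked it) and one signed binary that they do.
SAMPLE_LOG = r"""
Date/Time: 3-1-2018 12:04:41
Process: [2204]C:\Users\Kees\AppData\Local\Temp\AppTimer.exe
Parent: [2496]C:\Windows\explorer.exe
Command Line: "C:\Users\Kees\AppData\Local\Temp\AppTimer.exe"
Signer:

Date/Time: 3-1-2018 12:06:20
Process: [3232]C:\Users\Kees\Documents\procexp.exe
Parent: [2496]C:\Windows\explorer.exe
Command Line: "C:\Users\Kees\Documents\procexp.exe"
Signer: Microsoft Corporation
"""

def evaluate(rules_text: str = CUSTOM_BLOCK_DB, log_text: str = SAMPLE_LOG,
             exclusions_text: str = "") -> List[Optional[str]]:
    """Per log entry, the pattern of the custom rule that fires, or None."""
    rules, exclusions = parse_rules(rules_text), parse_rules(exclusions_text)
    hits = []
    for block in re.split(r"\n\s*\n", log_text.strip()):
        hit = first_match(rules, parse_event(block), exclusions)
        hits.append(hit.pattern if hit else None)
    return hits
```

Running `evaluate()` gives `[None, 'C:\\Users\\Kees\\Documents\\*']`: the Temp entry is untouched by the custom rules (the post's log shows a built-in rule catching it), while the Microsoft-signed procexp.exe in Documents is blocked purely on its path, which is exactly why the post asks for a signer-aware "allow signed from Desktop" option. With only path and command-line variables a rule cannot distinguish signed from unsigned, so the only relief is an exclusion for the specific binary, as in `evaluate(exclusions_text=r"[%PROCESS%: C:\Users\Kees\Documents\procexp.exe]")`.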

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,510
The rule:
Edit the CustomBlock.db and Exclusions.db

See the ObjectBlocker explanation in the attached file (add a few general block rules and exceptions and you basically have the new and improved NVT V4) ;)(y)
Thanks for the useful command summary. :)
I noticed that only the variables %PROCESS%, %PARENTPROCESS% and %PROCESSCMDLINE% can be used for OSArmor (Andreas mentioned this in CustomBlock.db). The other variables (from SOB) are probably not supported. So one cannot block DLL files. :(

But anyway, the variables %PROCESS%, %PARENTPROCESS% and %PROCESSCMDLINE% are very useful.(y)
 

NoVirusThanks

From NoVirusThanks
Verified
Developer
Well-known
Aug 23, 2012
293
Just a quick update, new v1.4 (pre-release) (test11):
http://downloads.novirusthanks.org/files/osarmor_setup_1.4_test11.exe

*** Please do not share the download link, we will delete it when we release the official v1.4 ***

So far this is what's new compared to the previous pre-release:

+ Added buttons to save\load protection options to\from a file
+ Some improvements on internal rules
+ Fixed all reported false positives

@Darrin

Thanks for reporting it, should be fixed in this test 11.

I've also fine-tuned some internal rules related to that FP.

@l0rdraiden

what do you think about making the rules open source

We have no plan for that for OSArmor, but you may use the "Custom Block-Rules" to create customized or specific block-rules.

It works the same way as SOB but supports only 3 variables.

However, if you have some ideas about new rules, just let me know via PM or by posting there and we'll discuss whether to add them to the OSArmor "Configurator".

Does Osarmor have popups when something is detected?

Yes, it shows a popup dialog when something is blocked.

I think it would be useful to have additional information of the file, like a direct link to VT or anything else

A link to VT would not help much, since many exploits run system processes like cmd.exe, etc., and the VT link would show the file as clean.

@Windows_Security

would it be possible to add an ALLOW SIGNED EXECUTION FROM DESKTOP rule and block execution in other user folders?

You mean like adding "Block unsigned processes on Desktop folder" to the Configurator, right?

We can add it and make it unchecked by default (it can create some FPs for regular users).

@Andy Ful

Yes, OSArmor supports only 3 variables for now, but I can add support for %SIGNER% and %PARENTSIGNER% if needed.

Then you have all that you need to create very fine-tuned custom process-block rules.
 

Deleted member 65228

Would it be viable to offer MBR protection?
Just use MBRFilter; it's free. Use it alongside NVT OSArmor. The developer signed up here recently to respond to me, not sure if they are still active here, but the developer is smart and experienced and MBRFilter does work quite well (they just need to improve the uninstallation process, I think, so it's more user-friendly).
 
