NoVirusThanks OSArmor

Homepage
http://www.novirusthanks.org/products/osarmor/
Bundled with PUP
None

plat1098

Guest
Just curious, is it Malwarebytes Anti-Exploit Free? Even if not, what does this offer in addition to Alert? There are always risks of "silent" conflicts, even with exclusions in place. I would not underestimate Alert's capabilities; for example, on here, occasionally it is still squabbling with Sandboxie for control over Firefox plugins and .dll files, etc., but it is very calm with OSArmor, no problems.

HitmanPro.ALERT Support and Discussion Thread
 

Opcode

Level 28
Content Creator
Joined
Aug 17, 2017
Messages
1,733
Malwarebytes Anti-Exploit offers forcing of protection features like Address Space Layout Randomisation (ASLR), Data Execution Prevention (DEP) and can help mitigate exploits for various software. However, Windows 10 now has EMET features built-in and HitmanPro.Alert covers a whole lot more in my opinion.

However, more functionality brings more system slow-down and more potential problems. I don't know about the performance with HitmanPro.Alert on a regular basis; however, I do know it breaks an awful lot of software depending on the configuration, and also after updates to various software. I see a lot of break reports... So I'd say it is probably better for a business that updates software/their OS after check-ups and X amount of time.

Both are good, though; just don't use both at the same time.
 

NoVirusThanks

From NoVirusThanks
Developer
Joined
Aug 23, 2012
Messages
167
OS
Windows 10
Here is a new v1.4 (pre-release) (test10):
http://downloads.novirusthanks.org/files/osarmor_setup_1.4_test10.exe

*** Please do not share the download link, we will delete it when we release the official v1.4 ***

So far this is what's new compared to the previous pre-release:

+ Block any process executed from javaw.exe (except java.exe)
+ Block any process executed from java.exe
+ Fixed display of GUI and Configurator on multi-monitors
+ Minor fixes and optimizations

This pre-release version can be installed over the top of the previous one.

We're now working on the driver to support Secure Boot.

@shmu26

Some of the HP blocks came back
Should be fixed in this test10.
 

Slyguy

Level 32
Joined
Jan 27, 2017
Messages
2,102
OS
Other OS
The most important fix in this was the ability to use the mouse wheel to scroll through the rules.
 
Joined
Dec 12, 2015
Messages
17
@ NoVirusThanks

Just a FP you should be aware of...

Date/Time: 1/1/2018 1:05:18 AM
Process: [10156]C:\ProgramData\Panda Security\Panda Devices Agent\Downloads\94f8cda3e22ca03b64f714f92fb73415\PSExpCampaign.exe
Parent: [2124]C:\Program Files (x86)\Panda Security\Panda Devices Agent\AgentSvc.exe
Rule: BlockSuspiciousProcesses
Rule Name: Block execution of suspicious processes
Command Line: "C:\ProgramData\Panda Security\Panda Devices Agent\Downloads\94f8cda3e22ca03b64f714f92fb73415\PSExpCampaign.exe"
Signer: Panda Security S.L
Parent Signer: Panda Security S.L

and... Thank You for this Excellent program
 
Joined
Jul 28, 2017
Messages
65
You already offer it for free, which is a lot, but I am just wondering what you think about making the rules open source, so more people can contribute and you could review them before each release.

Does OSArmor have popups when something is detected? I think it would be useful to have additional information about the file, like a direct link to VT or anything else.
 

Umbra

Level 61
Content Creator
Trusted
Joined
May 16, 2011
Messages
17,790
OS
Windows 10
Antivirus
Default-Deny
what do you think about making the rules open source, so more people can contribute and you could review them before each release.
If by that you mean users submitting some rules to be hardcoded, it may be a good idea.
Note that users can already create rules "a la" Smart Object Blocker.
 

Windows_Security

Level 16
Content Creator
Trusted
Joined
Mar 13, 2016
Messages
762
OS
Windows 7
EDIT: IT IS EVEN SIMPLER TO ALLOW ONLY SIGNED PROCESS EXECUTION FROM NORMAL USER FOLDERS

OPEN CONFIGURATOR: CHECK WHETHER THESE SETTINGS ARE ENABLED
Block suspicious Explorer.exe process behaviors
Block processes located in suspicious folders
Block execution of unsigned processes on Local AppData
Block execution of unsigned processes on Roaming AppData
Block execution of unsigned processes on Common AppData

ADD CUSTOM BLOCK-RULES (change Kees to your name)
; Block executables from data partition D (documents) on main drive and Q (quick backup) on second hard disk
[%PROCESS%: D:\*]
[%PROCESS%: Q:\*]

; Block executables from public folders on C drive
[%PROCESS%: C:\Users\Public\*]

; Block executables from my user folders on C drive
[%PROCESS%: C:\Users\Kees\Contacts\*]
[%PROCESS%: C:\Users\Kees\Downloads\*]
[%PROCESS%: C:\Users\Kees\Desktop\*]
[%PROCESS%: C:\Users\Kees\Documents\*]
[%PROCESS%: C:\Users\Kees\Music\*]
[%PROCESS%: C:\Users\Kees\Videos\*]
[%PROCESS%: C:\Users\Kees\Saved Games\*]
[%PROCESS%: C:\Users\Kees\Searches\*]

ONLY DOWNSIDE IS THAT YOU HAVE TO INSTALL AND UPDATE FROM YOUR TEMP FOLDER

@NoVirusThanks would it be possible to add an ALLOW SIGNED EXECUTION FROM DESKTOP rule and block execution in other user folders?

--------------------------- Tested with unsigned (AppTimer) and signed (ProcessExplorer); see log below
NOTE: PROCESS EXPLORER (SIGNED) WAS ALLOWED TO EXECUTE FROM TEMP AND OTHER APPDATA LOCATIONS

Date/Time: 3-1-2018 12:04:41
Process: [2204]C:\Users\Kees\AppData\Local\Temp\AppTimer.exe
Parent: [2496]C:\Windows\explorer.exe
Rule: BlockSuspiciousExplorerBehaviors
Rule Name: Block suspicious Explorer.exe process behaviors
Command Line: "C:\Users\Kees\AppData\Local\Temp\AppTimer.exe"
Signer:
Parent Signer:

Date/Time: 3-1-2018 12:04:59
Process: [768]C:\Users\Kees\AppTimer.exe
Parent: [2496]C:\Windows\explorer.exe
Rule: BlockProcessesOnSuspiciousFolders
Rule Name: Block processes located in suspicious folders
Command Line: "C:\Users\Kees\AppTimer.exe"
Signer:
Parent Signer:

Date/Time: 3-1-2018 12:05:35
Process: [824]C:\Users\Kees\Documents\AppTimer.exe
Parent: [2496]C:\Windows\explorer.exe
Rule: CustomBlockRule
Rule Name: Custom process-block rule via CustomBlock.db
Command Line: "C:\Users\Kees\Documents\AppTimer.exe"
Signer:
Parent Signer:

Date/Time: 3-1-2018 12:06:20
Process: [3232]C:\Users\Kees\Documents\procexp.exe
Parent: [2496]C:\Windows\explorer.exe
Rule: CustomBlockRule
Rule Name: Custom process-block rule via CustomBlock.db
Command Line: "C:\Users\Kees\Documents\procexp.exe"
Signer: Microsoft Corporation
Parent Signer:

WITH THE ABOVE SETTINGS OS-ARMOR IS A NICE FREE REPLACEMENT FOR APPGUARD (DEFAULT MODE, NOT LOCKDOWN).
 
Last edited:
Joined
Dec 23, 2014
Messages
1,534
OS
Windows 10
Antivirus
Microsoft
The rule:
Edit the CustomBlock.db and Exclusions.db

See ObjectBlocker explanation of attached file (add a few general block rules and exceptions and you basically have the new and improved NVT V4) ;)(y)
Thanks for the useful command summary. :)
I noticed that only the variables %PROCESS%, %PARENTPROCESS% and %PROCESSCMDLINE% can be used for OSArmor (Andreas mentioned this in CustomBlock.db). The other variables (from SOB) are probably not supported. So, one cannot block DLL files. :(

But anyway, the variables %PROCESS%, %PARENTPROCESS% and %PROCESSCMDLINE% are very useful. (y)
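As an added illustration of the CustomBlock.db rule style shown in Windows_Security's post above and of the three-variable limit Andy Ful notes, here is a small Python matcher. It is example code written for this thread, not OSArmor's own parser or anything from NoVirusThanks. It reads rules in the "[%VARIABLE%: pattern]" form from the post, evaluates them against events modelled on the log entries above, and rejects any variable other than %PROCESS%, %PARENTPROCESS% and %PROCESSCMDLINE%. The glob meaning of "*", case-insensitive path comparison, first-match-wins ordering, and the extra %PARENTPROCESS% rule are assumptions made for the example, not documented OSArmor behaviour. Because no signer variable exists, the signed procexp.exe in Documents is matched exactly like the unsigned AppTimer.exe, which is what the posted log shows.

```python
import fnmatch
import re
from typing import Dict, List, Optional

# Constructed rule text in the style of the CustomBlock.db lines posted in the
# thread ('[%VARIABLE%: pattern]' entries, ';' comments). The %PARENTPROCESS%
# line is added here to show the second variable; it is not from the post.
CUSTOM_BLOCK_RULES = r"""
; Block executables from data partition D and quick-backup partition Q
[%PROCESS%: D:\*]
[%PROCESS%: Q:\*]

; Block executables from public folders on C drive
[%PROCESS%: C:\Users\Public\*]

; Block executables from my user folders on C drive
[%PROCESS%: C:\Users\Kees\Downloads\*]
[%PROCESS%: C:\Users\Kees\Desktop\*]
[%PROCESS%: C:\Users\Kees\Documents\*]

; Constructed example of the parent-process variable: block anything spawned by javaw.exe
[%PARENTPROCESS%: *\javaw.exe]
"""

# Only these three variables are usable in CustomBlock.db according to the thread;
# there is no signer variable, so code-signing status cannot be expressed in a rule.
SUPPORTED_VARIABLES = ("%PROCESS%", "%PARENTPROCESS%", "%PROCESSCMDLINE%")
RULE_RE = re.compile(r"^\[(%[A-Z]+%):\s*(.+)\]$")


class Rule:
    def __init__(self, variable: str, pattern: str) -> None:
        self.variable = variable
        self.pattern = pattern

    def matches(self, event: Dict[str, str]) -> bool:
        # Assumption: '*' is a glob wildcard and Windows paths compare case-insensitively.
        value = event.get(self.variable, "")
        return fnmatch.fnmatchcase(value.lower(), self.pattern.lower())


def parse_rules(text: str) -> List[Rule]:
    """Parse CustomBlock.db-style text; reject variables the thread says are unsupported."""
    rules: List[Rule] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue  # blank line or comment
        m = RULE_RE.match(line)
        if m is None:
            raise ValueError(f"unrecognised rule line: {line!r}")
        variable, pattern = m.group(1), m.group(2).strip()
        if variable not in SUPPORTED_VARIABLES:
            raise ValueError(f"{variable} is not one of {SUPPORTED_VARIABLES}")
        rules.append(Rule(variable, pattern))
    return rules


def first_match(event: Dict[str, str], rules: List[Rule]) -> Optional[str]:
    """Return the pattern of the first matching rule, or None (first match wins: assumption)."""
    for rule in rules:
        if rule.matches(event):
            return rule.pattern
    return None


def audit(events: List[Dict[str, str]], rules: List[Rule]) -> Dict[str, Optional[str]]:
    """Map each event's process path to the custom rule that would block it, if any."""
    return {e["%PROCESS%"]: first_match(e, rules) for e in events}


# Constructed events modelled on the log entries in the thread (paths and signers as
# logged there); the javaw.exe-spawned event is invented for the parent-process rule.
EVENTS = [
    {"%PROCESS%": r"C:\Users\Kees\AppData\Local\Temp\AppTimer.exe",
     "%PARENTPROCESS%": r"C:\Windows\explorer.exe",
     "%PROCESSCMDLINE%": r'"C:\Users\Kees\AppData\Local\Temp\AppTimer.exe"',
     "Signer": ""},
    {"%PROCESS%": r"C:\Users\Kees\Documents\AppTimer.exe",
     "%PARENTPROCESS%": r"C:\Windows\explorer.exe",
     "%PROCESSCMDLINE%": r'"C:\Users\Kees\Documents\AppTimer.exe"',
     "Signer": ""},
    {"%PROCESS%": r"C:\Users\Kees\Documents\procexp.exe",
     "%PARENTPROCESS%": r"C:\Windows\explorer.exe",
     "%PROCESSCMDLINE%": r'"C:\Users\Kees\Documents\procexp.exe"',
     "Signer": "Microsoft Corporation"},
    {"%PROCESS%": r"C:\Program Files\Example\helper.exe",
     "%PARENTPROCESS%": r"C:\Program Files\Java\jre\bin\javaw.exe",
     "%PROCESSCMDLINE%": r'"C:\Program Files\Example\helper.exe"',
     "Signer": ""},
]

if __name__ == "__main__":
    for process, pattern in audit(EVENTS, parse_rules(CUSTOM_BLOCK_RULES)).items():
        print(f"{process}: {'blocked by ' + pattern if pattern else 'no custom rule'}")
```

Running it shows the Temp-folder AppTimer.exe hitting no custom rule (in the posted log that one was caught by the built-in Explorer rule instead), both Documents executables hitting the Documents rule regardless of signer, and the javaw.exe child hitting the parent-process rule. A rule line using %SIGNER% raises ValueError, mirroring the limitation Andy Ful describes.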
 

NoVirusThanks

From NoVirusThanks
Developer
Joined
Aug 23, 2012
Messages
167
OS
Windows 10
Just a quick update, new v1.4 (pre-release) (test11):
http://downloads.novirusthanks.org/files/osarmor_setup_1.4_test11.exe

*** Please do not share the download link, we will delete it when we release the official v1.4 ***

So far this is what's new compared to the previous pre-release:

+ Added buttons to save\load protection options to\from a file
+ Some improvements on internal rules
+ Fixed all reported false positives

@Darrin

Thanks for reporting it, should be fixed in this test 11.

I've also fine-tuned some internal rules related to that FP.

@l0rdraiden

what do you think about making the rules open source
We have no plans for that for OSArmor, but you may use the "Custom Block-Rules" to create customized or specific block-rules.

It works the same way as SOB but supports only 3 variables.

However, if you have some ideas about new rules, just let me know via PM or by posting here and we'll discuss whether to add them to the OSArmor "Configurator".

Does OSArmor have popups when something is detected?
Yes, it shows a popup dialog when something is blocked.

I think it would be useful to have additional information about the file, like a direct link to VT or anything else
A link to VT would not help much, since many exploits run system processes like cmd.exe, etc.; the VT link would show the file as clean.

@Windows_Security

would it be possible to add an ALLOW SIGNED EXECUTION FROM DESKTOP rule and block execution in other user folders?
You mean like adding "Block unsigned processes on Desktop folder" in the Configurator, right?

We can add it and make it unchecked by default (can create some FPs to regular users).

@Andy Ful

Yes, OSArmor supports only 3 variables for now, but I can add support for %SIGNER% and %PARENTSIGNER% if needed.

Then you have all that you need to create very fine-tuned custom process-block rules.
 

Opcode

Level 28
Content Creator
Joined
Aug 17, 2017
Messages
1,733
Would it be viable to offer MBR protection?
Just use MBRFilter, it's free. Use it alongside NVT OSArmor. The developer signed up here recently to respond to me; not sure if they are still active here, but the developer is smart and experienced and MBRFilter does work quite well (they just need to improve the uninstallation process, I think, so it's more user-friendly).
 
