NoVirusThanks OSArmor

[Deleted member 65228]

But a set and forget in case an average inexperienced user was interested would still be good and probably useful to even experienced users*

Just the chances of it actually being actively used by inexperienced users is so low. Not because the app is bad, it really isn't, this app is great. But because of how inexperienced users are, not wanting to learn/understand/not having the time to do so even if they wanted,among many other factors

 

[Andy Ful]

Well it's completely different and I'd say it's actually adapted like a proper BB. I consider NVT OSArmor a BB but a different type because it works differently.

NVT OSArmor is more like a HIPS using OS abuses to block malware. For example, monitoring behaviors for Temp folders, bcdedit usage, etc. Whereas the Emsisoft BB is more automatic resolving and has checks in place to help it determine good from bad, as well as a monitoring scope for behavior which is more used in genuine malicious software (e.g. attacking of the MBR, file encryption, etc.).

NVT OSArmor FPs can be lowered with a custom configuration but NVT OSArmor is currently completely unknown in its mind to how accurate the detection is, like a HIPS which just monitors and alerts/blocks based on configuration. Unlike the Emsisoft BB which won't necessarily block, has a cloud network which is damn huge to not monitor known and reputable software, built-in characteristic checks, etc.

Both of them work completely differently but at the same time both of them are great. I'm a big fan of this application but I really cannot see a true average inexperienced user using it. It just won't work well.

Emsisoft dropped Mamutu because they had hardly any users, not enough to cover costings. EAM is popular with inexperienced as well because it isn't just a BB, it's a full AM suite which makes it appropriate. People can install and forget and be protected by real-time protection, web protection, and zero-day dynamic protection which is tuned for auto-resolving more and designed to be less intrusive now (thanks to their cloud and other factors). If you take the Emsisoft BB without the cloud network integration, built-in checks to decide on decisions/monitoring and make it standalone, only geeks will use it.

I can fully agree with that.
I was rather thinking about how inexperienced user was going to find out why he/she should install EAM, where he/she could find the installer, etc.
In the real world, an inexperienced user asks his/her friend (or relative) to find/install/configure an AV, and even then has a problem when something is blocked/quarantined/alerted.
I am not sure if it is possible to create 'setup & forget' BB, but It will be much fun helping to make one.

 

[Deleted member 65228]

I think that a set and forget with this software may have the potential to be the best one ever made for that purpose simply because of how it works, but I don't think a vendor like COMODO can do that with their HIPS or another vendor because they tend to use a variety of techniques and different ideas and it just won't work for it IMO... But this app may very well fit the job for it. I just don't know how the word will be spread to those inexperienced users and get them to use it :/

Maybe a less FP config by default, but while still strong protection? For example, the bcdedit setting can be enabled indefinitely for set and forget because no inexperienced user will be touching that. But the AppData stuff can conflict with a normal installer.

Hmmmmm... its tricky

 

[Andy Ful]

I think that a set and forget with this software may have the potential to be the best one ever made for that purpose simply because of how it works, but I don't think a vendor like COMODO can do that with their HIPS or another vendor because they tend to use a variety of techniques and different ideas and it just won't work for it IMO... But this app may very well fit the job for it. I just don't know how the word will be spread to those inexperienced users and get them to use it :/

Maybe a less FP config by default, but while still strong protection? For example, the bcdedit setting can be enabled indefinitely for set and forget because no inexperienced user will be touching that. But the AppData stuff can conflict with a normal installer.

Hmmmmm... its tricky

I said that it will be much fun.

 

[shmu26]

But a set and forget in case an average inexperienced user was interested would still be good and probably useful to even experienced users*

Just the chances of it actually being actively used by inexperienced users is so low. Not because the app is bad, it really isn't, this app is great. But because of how inexperienced users are, not wanting to learn/understand/not having the time to do so even if they wanted,among many other factors

If it works good, then every geek will install it on all the PCs of his family and friends. (If it's not so good, then on the PCs of his enemies...)

 

[Deleted member 65228]

If it works good, then every geek will install in on all the PCs of his family and friends. (If it's not so good, then on the PCs of his enemies...)

Big difference between a geek and a security geek though

An average geek probably uses the term "virus" instead of "malware" unless appropriate to do so. Likely doesn't know the real difference, and probably believes that malware in the wild can make your PC grow wings and fly off into a desert

BBC can claim that installing Norton or McAfee will make your PC talk to you and grow a moustache and that you should download XXXXXX but people will likely still ignore it and just upgrade their McAfee trial which came with their new Intel laptop or purchase the Norton license from a shop

 

[Windows_Security]

@NoVirusThanks Andreas don't lose yourself in more rules and options, expand your audience and find as much false positives as you can.

Just read Everet M. Roger's diffusion of innovation. Read the WIKI page a little further, down to the bottom and realize that in 1962 a professor in rural sociology already mentioned people, social systems and communication channels as key actors for adoption of innovation (did I hear someone say social media?).

Keep the six key characteristics in mind when developing options and features for software:

1. Relative advantage
2. Compatibility with existing systems
3. Complexity in use
4. Trial-ability
5. Observed effects (how easy are these to communicate, the fameous elevator pitch is based on this)
6. Sustainability or reinvention purpose (use it for different goals over a longer period of time, e.g. use it to block new malware),

It is still the playbook to follow when going to market with IT innovations, so I challenge you stay focused: when you need more than three lines text to explain the purpose of OS Armor your ship has set sail without paying passengers aboard.

 

[Andy Ful]

Two features to kill false positives:
1. Automatic learning/whitelisting on install.
2. Adopting reputation cloud for suspicious files.
I have a good experience with SmartScreen Application Reputation (Windows 8+) for application installers. It has less false positives than Virus Total. So on Windows 8+, it is sufficient to check if the EXE file, has the appropriate 'Mark Of The Web' and if so, then all rules for that file could be skipped. Such solution is totally safe on Windows 10, where one can block the option of bypassing SmartScreen prompt.
The above could be also effective when forcing SmartScreen for any suspicious EXE files. But then, there would be more false positives, because normally, the EXE files embedded in installers are not checked by SmartScreen, so they hardly will get a good reputation. This can be improved by skipping OSArmor rules for files that have the parent installer checked by Smartscreen.

 

[Windows_Security]

Example of how wannabee cook (me ) thinks he can beat a star chef (Andreas ) in a masterchef cook-off

I disabled configuration rule "Basic anti-exploit protection (parent->child process) because only office is mentioned and I want to include chrome also and the rule "Prevent Adobe Acrobat from running MS office applications" because I use SumatraPDF reader and don't want to my PDF reader to start any process.

So I created some custom block rules . . .
; Block rich content processing programs starting other programs
[%PROCESS%: *] [%PARENTPROCESS%: *\SumatraPDF.exe]
[%PROCESS%: *] [%PARENTPROCESS%: *\WMPlayer.exe]
[%PROCESS%: *] [%PARENTPROCESS%: *\winword.exe]
[%PROCESS%: *] [%PARENTPROCESS%: *\excel.exe]
[%PROCESS%: *] [%PARENTPROCESS%: *\powerpnt.exe]
[%PROCESS%: *] [%PARENTPROCESS%: *\outlook.exe]
[%PROCESS%: *] [%PARENTPROCESS%: *\chrome.exe]

. . . and some custom Exclusion rules
; Allow spawning of printer, webbrowser and pdfreader
[%PROCESS%: C:\Windows\splwow64.exe] [%PARENTPROCESS%: C:\Program Files\*]
[%PROCESS%: C:\Program Files\Chromium\chrome.exe] [%PARENTPROCESS%: C:\Program Files\*]
[%PROCESS%: C:\Program Files\Utilities\SumatraPDF.exe] [%PARENTPROCESS%: C:\Program Files\*]

Andreas: what is the intended audience? When you made rules optional and facilitated for custom block rules, you crossed the line from average users to enthousiasts and maybe power user level IMO. But are this the people you are developing OSArmor for?

 

[Deleted member 65228]

It has less false positives than Virus Total

The engines on VirusTotal aren't always identical to the ones implemented into consumer products, and SmartScreen reputation will be accurate because of how many users there are on Windows. I don't think they can be compared because they are two completely different services entirely

 

[Andy Ful]

The engines on VirusTotal aren't always identical to the ones implemented into consumer products, and SmartScreen reputation will be accurate because of how many users there are on Windows. I don't think they can be compared because they are two completely different services entirely

I know.
But, anyway Virus Total is used sometimes as a kind of reputation feature. For example, if less than six engines mark the file as not good than the file is treated as good.

 

[NoVirusThanks]

Great suggestions and feedbacks guys, much appreciated

Have just uploaded another video about OSArmor in action:
Block MS Office CVE-2017-11-882 Exploit Payload with OSArmor

@Windows_Security

"Basic anti-exploit protection (parent->child process)" monitors MS Office Apps, Chrome, Firefox, IE, Opera, Adobe PDF, Windows Media Player, and some other apps. In future versions we'll add single options like "Monitor MS Office Word", "Monitor MS Office Excel", "Monitor SumatraPDF", etc. Btw, yeah using custom rules (like yours) you can control mostly any application behavior

what is the intended audience?

Mainly inexperienced users (pre-checked options), but at the same time also experts and average\curious users (enable\disable options, custom block-rules). The plan is to keep it very simple and minimal, with no prompt dialogs, and write very fine-tuned and smart internal rules lowering the common FPs near to 0.

With just a few options enabled, the regular user has already a good protection (i.e basic anti-exploit, USB protection, bcdedit\pif\com block, double file extensions, block suspicious scripts, etc), that will protect popular ways used by malware to be deployed in the system (malspam, docs\pdf, exploit payloads, USB autorun, js\vbs scripts, etc) with low FPs. We can find the right balance between good protection (with default settings) and low FPs.

@l0rdraiden

We would like to avoid an allow\block dialog, users may find it annoying (but may be very useful for advanced users). We'll try to fix all common FPs and fine-tune the internal rules and see how it performs. So far, OSArmor was released one week ago and with v1.4 test11 we fixed\fine-tuned a lot of FPs already (thanks to all users that tested the program). We will discuss about the possibility to automate exclusions (i.e with a single button), a sort of internal learning mode and about a GUI to create exclusions (thanks everyone for the great suggestions and comments!).

 

[Andy Ful]

It would be good to test OSArmor against malicious documents, scripts, scriptlets, JAR files, etc. , with disabled AV protection. This would show its potential weak points.

 

[tiktoshi]

hi pls add button exclusions and block and enable\disable usb devices next ver beta

 

[shmu26]

"Basic anti-exploit protection (parent->child process)" monitors MS Office Apps, Chrome, Firefox, IE, Opera, Adobe PDF, Windows Media Player, and some other apps.

In fact, I tested this a few days ago, on Chrome.
I uploaded powershell.exe to google drive, sent myself a link, downloaded it in Chrome, and clicked to run it. Blocked, due to parent-child process.
NV, Thanks!

 

[Sunshine-boy]

WITH ABOVE SETTING OS-ARMOR IS NICE FREE REPLACEMENT FOR APPGUARD

But Appguard has memory protection.when will you learn me how to create rules for MemProtect? whennnnn????

 

[Windows_Security]

Mainly inexperienced users (pre-checked options), but at the same time also experts and average\curious users (enable\disable options, custom block-rules). The plan is to keep it very simple and minimal, with no prompt dialogs, and write very fine-tuned and smart internal rules lowering the common FPs near to 0.

Well when you target inexperienced, enthousiast and power users, I will be happily using the %PROCESSSIGNER% option to make OSArmor a better than AppLocker whitelisting application. Any idea when you make this available in CUSTOM and EXCEPTION rules?

Note that OSArmor does not recognize Microsoft Windows (catologue) signatures, see log example:

Date/Time: 3-1-2018 12:04:41
Process: [2204]C:\Users\Kees\AppData\Local\Temp\AppTimer.exe
Parent: [2496]C:\Windows\explorer.exe
Rule: BlockSuspiciousExplorerBehaviors
Rule Name: Block suspicious Explorer.exe process behaviors
Command Line: "C:\Users\Kees\AppData\Local\Temp\AppTimer.exe"
Signer:
Parent Signer

(AppTimer is unsigned, Windows Explorer is signed):

 

[Windows_Security]

But Appguard has memory protection.when will you learn me how to create rules for MemProtect? whennnnn????

you can brick your system when using it in the wrong way. Don;t want to do that remotely. Chances for average user of running into fileless malware is as likely as me winning the lottery. So when I win the lottery, I will fly over and teach you how to write the rules face to face.

 

[Sunshine-boy]

Hahaha, thnx for the answer.

 

[shmu26]

Hahaha, thnx for the answer.

@Sunshine-boy, why don't YOU win the lottery, and buy him a free plane ticket?