NoVirusThanks OSArmor

Discussion in 'NoVirusThanks' started by Evjl's Rain, Dec 17, 2017.

  1. Andy Ful

    Andy Ful Level 22

    Dec 23, 2014
    1,107
    4,737
    business
    Poland
    Windows 10
    Microsoft
    I can fully agree with that.:)(y)
    I was rather thinking about how an inexperienced user was going to find out why he/she should install EAM, where he/she could find the installer, etc.
    In the real world, an inexperienced user asks his/her friend (or relative) to find/install/configure an AV, and even then has a problem when something is blocked/quarantined/alerted.
    I am not sure if it is possible to create a 'setup & forget' BB, but it will be much fun helping to make one.:)
     
    AtlBo, Sunshine-boy and Opcode like this.
  2. Opcode

    Opcode Level 18
    Content Creator

    Aug 17, 2017
    891
    6,322
    Caille
    Windows 10
    I think that a set and forget with this software may have the potential to be the best one ever made for that purpose simply because of how it works, but I don't think a vendor like COMODO can do that with their HIPS or another vendor because they tend to use a variety of techniques and different ideas and it just won't work for it IMO... But this app may very well fit the job for it. I just don't know how the word will be spread to those inexperienced users and get them to use it :/

    Maybe a less FP config by default, but while still strong protection? For example, the bcdedit setting can be enabled indefinitely for set and forget because no inexperienced user will be touching that. But the AppData stuff can conflict with a normal installer.

    Hmmmmm... it's tricky :(
     
    AtlBo, simmerskool, DavidLMO and 2 others like this.
  3. Andy Ful

    Andy Ful Level 22

    Dec 23, 2014
    1,107
    4,737
    business
    Poland
    Windows 10
    Microsoft
    I said that it will be much fun.:)
     
  4. shmu26

    shmu26 Level 53

    Jul 3, 2015
    4,273
    13,595
    Utopia
    If it works well, then every geek will install it on all the PCs of his family and friends. (If it's not so good, then on the PCs of his enemies...)
     
    AtlBo, BryanB, simmerskool and 2 others like this.
  5. Opcode

    Opcode Level 18
    Content Creator

    Aug 17, 2017
    891
    6,322
    Caille
    Windows 10
    #345 Opcode, Jan 3, 2018
    Last edited: Jan 3, 2018
    Big difference between a geek and a security geek though

    An average geek probably uses the term "virus" instead of "malware" unless appropriate to do so. Likely doesn't know the real difference, and probably believes that malware in the wild can make your PC grow wings and fly off into a desert

    BBC can claim that installing Norton or McAfee will make your PC talk to you and grow a moustache and that you should download XXXXXX but people will likely still ignore it and just upgrade their McAfee trial which came with their new Intel laptop or purchase the Norton license from a shop
     
    AtlBo, shmu26 and Andy Ful like this.
  6. Windows_Security

    Windows_Security Level 13
    Content Creator Trusted

    Mar 13, 2016
    615
    2,884
    Holland
    Windows 7
    Default-Deny
    #346 Windows_Security, Jan 3, 2018
    Last edited: Jan 3, 2018
    @NoVirusThanks Andreas, don't lose yourself in more rules and options; expand your audience and find as many false positives as you can.

    Just read Everett M. Rogers' Diffusion of Innovations. Read the WIKI page a little further, down to the bottom, and realize that in 1962 a professor of rural sociology already mentioned people, social systems and communication channels as key actors for the adoption of innovation (did I hear someone say social media?).

    Keep the six key characteristics in mind when developing options and features for software:
    1. Relative advantage
    2. Compatibility with existing systems
    3. Complexity in use
    4. Trial-ability
    5. Observed effects (how easy are these to communicate? The famous elevator pitch is based on this)
    6. Sustainability or reinvention purpose (use it for different goals over a longer period of time, e.g. use it to block new malware).
    It is still the playbook to follow when going to market with IT innovations, so I challenge you to stay focused: when you need more than three lines of text to explain the purpose of OS Armor, your ship has set sail without paying passengers aboard.
     
  7. Andy Ful

    Andy Ful Level 22

    Dec 23, 2014
    1,107
    4,737
    business
    Poland
    Windows 10
    Microsoft
    Two features to kill false positives:
    1. Automatic learning/whitelisting on install.
    2. Adopting reputation cloud for suspicious files.
    I have a good experience with SmartScreen Application Reputation (Windows 8+) for application installers. It has fewer false positives than Virus Total. So on Windows 8+, it is sufficient to check if the EXE file has the appropriate 'Mark Of The Web' and, if so, then all rules for that file could be skipped. Such a solution is totally safe on Windows 10, where one can block the option of bypassing the SmartScreen prompt.
    The above could also be effective when forcing SmartScreen for any suspicious EXE files. But then there would be more false positives, because normally the EXE files embedded in installers are not checked by SmartScreen, so they will hardly get a good reputation. This can be improved by skipping OSArmor rules for files whose parent installer was checked by SmartScreen.
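
    As an added example (not code from the thread, from Andy Ful, or from NoVirusThanks), here is how the 'Mark Of The Web' referred to above can be read and turned into the skip decision described in the post. On NTFS the mark is the Zone.Identifier alternate data stream that browsers attach to a download; a ZoneId of 3 (Internet) or 4 (Restricted) is what SmartScreen reacts to on first run. The function names, the sample stream contents and the smartscreen_enforced flag are assumptions of this example, not OSArmor settings.

```python
"""Mark-of-the-Web (MOTW) check for a downloaded EXE: constructed example, not
OSArmor code. The mark lives in the file's Zone.Identifier alternate data stream."""
import sys
from typing import Optional

# Windows Attachment Manager zone ids as written into Zone.Identifier.
ZONE_LOCAL, ZONE_INTRANET, ZONE_TRUSTED, ZONE_INTERNET, ZONE_RESTRICTED = 0, 1, 2, 3, 4


def parse_zone_identifier(stream_text: str) -> Optional[int]:
    """Return ZoneId from a Zone.Identifier stream (an INI '[ZoneTransfer]' section),
    or None when the stream is empty or carries no usable ZoneId."""
    in_section = False
    for raw in stream_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            in_section = line.lower() == "[zonetransfer]"
            continue
        if in_section and "=" in line:
            key, _, value = line.partition("=")
            if key.strip().lower() == "zoneid":
                try:
                    return int(value.strip())
                except ValueError:
                    return None
    return None


def read_zone_identifier(path: str) -> Optional[str]:
    """Read the ADS on Windows/NTFS by opening 'file:Zone.Identifier'. Returns None
    when the stream is absent (e.g. an archiver that drops it) or when not on Windows."""
    if not sys.platform.startswith("win"):
        return None
    try:
        with open(path + ":Zone.Identifier", "r", encoding="utf-8", errors="replace") as f:
            return f.read()
    except OSError:
        return None


def has_mark_of_the_web(zone_id: Optional[int]) -> bool:
    """Only the Internet and Restricted zones count as 'came from outside'."""
    return zone_id is not None and zone_id >= ZONE_INTERNET


def should_skip_rules(zone_id: Optional[int], smartscreen_enforced: bool) -> bool:
    """The policy from the post: skip the behaviour rules for an EXE only when it
    carries the mark AND SmartScreen cannot be bypassed on this system (assumed flag)."""
    return smartscreen_enforced and has_mark_of_the_web(zone_id)


# Constructed stream contents, in the layout a browser writes for a download.
SAMPLE_STREAM = ("[ZoneTransfer]\r\nZoneId=3\r\n"
                 "ReferrerUrl=https://example.invalid/\r\n"
                 "HostUrl=https://example.invalid/setup.exe\r\n")


def classify_file(path: str, smartscreen_enforced: bool) -> str:
    """End-to-end check on a real path (Windows only); 'apply-rules' is the safe default."""
    zone = parse_zone_identifier(read_zone_identifier(path) or "")
    return "skip-rules" if should_skip_rules(zone, smartscreen_enforced) else "apply-rules"


if __name__ == "__main__":
    print(parse_zone_identifier(SAMPLE_STREAM))  # 3
    print(classify_file(sys.argv[1] if len(sys.argv) > 1 else "setup.exe", True))
```

    Note the asymmetry: presence of the mark tells you SmartScreen has had a look at the file, but absence tells you nothing, since an archiver that does not propagate the stream, a copy to a FAT volume, or an EXE dropped by an installer (the case mentioned in the post) all produce a file with no Zone.Identifier. That is why the fall-through answer is "apply-rules" and why the decision is gated on SmartScreen being enforced.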
     
  8. Windows_Security

    Windows_Security Level 13
    Content Creator Trusted

    Mar 13, 2016
    615
    2,884
    Holland
    Windows 7
    Default-Deny
    #348 Windows_Security, Jan 3, 2018
    Last edited: Jan 3, 2018
    Example of how a wannabe cook (me (n)) thinks he can beat a star chef (Andreas (y)) in a MasterChef cook-off

    I disabled the configuration rule "Basic anti-exploit protection (parent->child process)" because only Office is mentioned and I want to include Chrome also, and the rule "Prevent Adobe Acrobat from running MS Office applications" because I use the SumatraPDF reader and don't want my PDF reader to start any process.

    So I created some custom block rules . . .
    ; Block rich content processing programs starting other programs
    [%PROCESS%: *] [%PARENTPROCESS%: *\SumatraPDF.exe]
    [%PROCESS%: *] [%PARENTPROCESS%: *\WMPlayer.exe]
    [%PROCESS%: *] [%PARENTPROCESS%: *\winword.exe]
    [%PROCESS%: *] [%PARENTPROCESS%: *\excel.exe]
    [%PROCESS%: *] [%PARENTPROCESS%: *\powerpnt.exe]
    [%PROCESS%: *] [%PARENTPROCESS%: *\outlook.exe]
    [%PROCESS%: *] [%PARENTPROCESS%: *\chrome.exe]

    . . . and some custom Exclusion rules
    ; Allow spawning of printer, web browser and PDF reader
    [%PROCESS%: C:\Windows\splwow64.exe] [%PARENTPROCESS%: C:\Program Files\*]
    [%PROCESS%: C:\Program Files\Chromium\chrome.exe] [%PARENTPROCESS%: C:\Program Files\*]
    [%PROCESS%: C:\Program Files\Utilities\SumatraPDF.exe] [%PARENTPROCESS%: C:\Program Files\*]

    Andreas: what is the intended audience? When you made rules optional and facilitated custom block rules, you crossed the line from average users to enthusiasts and maybe power user level IMO. But are these the people you are developing OSArmor for?
     
    AtlBo, Telos, silversurfer and 5 others like this.
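
    To show what the custom rules in the post above actually do when a process starts, here is an added example evaluator (not OSArmor code and not Windows_Security's code) that parses rule lines in the same [%PROCESS%: ...] [%PARENTPROCESS%: ...] syntax and log entries in the same "Process: [pid]path" layout as the thread uses. It uses a subset of the post's block and exclusion rules. The following are assumptions of this example, not documented OSArmor behaviour: a matching exclusion overrides any block rule, '*' is a wildcard, paths compare case-insensitively, and the three log entries (including their Signer values) are constructed.

```python
"""Evaluate OSArmor-style custom block/exclusion rules against process-start
events. Constructed example: the rule syntax and log layout are copied from the
thread; exclusion-over-block precedence and wildcard semantics are assumptions."""
import fnmatch
import re
from typing import Dict, List, Optional, Tuple

FIELD_RE = re.compile(r"\[%(\w+)%:\s*([^\]]*)\]")  # one "[%NAME%: pattern]" field
PID_RE = re.compile(r"^\[(\d+)\]")                  # "[2204]C:\..." pid prefix in logs

Rule = Tuple[str, Dict[str, str]]  # (original rule line, {FIELD: pattern})
Event = Dict[str, str]
EVENT_KEY_FOR_FIELD = {"PROCESS": "PROCESS", "PARENTPROCESS": "PARENT"}


def parse_rules(text: str) -> List[Rule]:
    """Rule lines to (line, fields); lines starting with ';' are comments."""
    rules: List[Rule] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        fields = {n.upper(): p.strip() for n, p in FIELD_RE.findall(line)}
        if fields:
            rules.append((line, fields))
    return rules


def parse_event(block: str) -> Event:
    """Parse one log entry: 'Key: value' lines, pid split off from path values."""
    event: Event = {}
    for raw in block.strip().splitlines():
        key, sep, value = raw.strip().partition(":")
        if not sep:
            continue
        value = value.strip()
        pid = PID_RE.match(value)
        if pid:
            event[key.upper() + " PID"] = pid.group(1)
            value = value[pid.end():]
        event[key.upper()] = value
    return event


def rule_matches(fields: Dict[str, str], event: Event) -> bool:
    """Every field pattern must match its event value (case-insensitive wildcard)."""
    for field, pattern in fields.items():
        value = event.get(EVENT_KEY_FOR_FIELD.get(field, field), "")
        if not fnmatch.fnmatchcase(value.lower(), pattern.lower()):
            return False
    return True


def evaluate(event: Event, block_rules: List[Rule],
             exclusions: List[Rule]) -> Tuple[str, Optional[str]]:
    """Assumed precedence: first matching exclusion wins, then first matching block."""
    for line, fields in exclusions:
        if rule_matches(fields, event):
            return "allow", line
    for line, fields in block_rules:
        if rule_matches(fields, event):
            return "block", line
    return "allow", None


BLOCK_RULES = r"""
; Block rich content processing programs starting other programs (subset of the post)
[%PROCESS%: *] [%PARENTPROCESS%: *\SumatraPDF.exe]
[%PROCESS%: *] [%PARENTPROCESS%: *\winword.exe]
[%PROCESS%: *] [%PARENTPROCESS%: *\chrome.exe]
"""
EXCLUSION_RULES = r"""
; Allow spawning of printer and web browser (subset of the post)
[%PROCESS%: C:\Windows\splwow64.exe] [%PARENTPROCESS%: C:\Program Files\*]
[%PROCESS%: C:\Program Files\Chromium\chrome.exe] [%PARENTPROCESS%: C:\Program Files\*]
"""
# Constructed log entries in the thread's layout; Signer values are made up.
EVENTS = [
    # 1) PDF reader spawning PowerShell: hits the SumatraPDF block rule.
    r"""Process: [5120]C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Parent: [3316]C:\Program Files\Utilities\SumatraPDF.exe
Signer: Microsoft Windows
Parent Signer:""",
    # 2) Chrome spawning a Chrome child: block rule matches, exclusion overrides it.
    r"""Process: [6004]C:\Program Files\Chromium\chrome.exe
Parent: [5988]C:\Program Files\Chromium\chrome.exe
Signer:
Parent Signer:""",
    # 3) Explorer launching Notepad: no custom rule applies.
    r"""Process: [7112]C:\Windows\System32\notepad.exe
Parent: [2496]C:\Windows\explorer.exe
Signer: Microsoft Windows
Parent Signer: Microsoft Windows""",
]


def decide_all() -> List[str]:
    blocks, excls = parse_rules(BLOCK_RULES), parse_rules(EXCLUSION_RULES)
    return [evaluate(parse_event(e), blocks, excls)[0] for e in EVENTS]


if __name__ == "__main__":
    for e, d in zip(EVENTS, decide_all()):
        print(d, "<-", parse_event(e)["PROCESS"])
```

    Running it gives block, allow, allow for the three entries. The second one is the interesting case from the post: without the exclusion, the "[%PROCESS%: *] [%PARENTPROCESS%: *\chrome.exe]" rule would block Chrome's own child processes, which is exactly why the exclusion list pins the browser's full path under C:\Program Files.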
  9. Opcode

    Opcode Level 18
    Content Creator

    Aug 17, 2017
    891
    6,322
    Caille
    Windows 10
    The engines on VirusTotal aren't always identical to the ones implemented into consumer products, and SmartScreen reputation will be accurate because of how many users there are on Windows. I don't think they can be compared because they are two completely different services entirely :)
     
  10. Andy Ful

    Andy Ful Level 22

    Dec 23, 2014
    1,107
    4,737
    business
    Poland
    Windows 10
    Microsoft
    I know.:)
    But, anyway, Virus Total is used sometimes as a kind of reputation feature. For example, if fewer than six engines mark the file as not good, then the file is treated as good.(y)
     
  11. NoVirusThanks

    NoVirusThanks From NoVirusThanks
    Developer

    Aug 23, 2012
    55
    738
    Italy
    Windows 10
    #351 NoVirusThanks, Jan 3, 2018
    Last edited: Jan 3, 2018
    Great suggestions and feedback, guys, much appreciated :)

    Have just uploaded another video about OSArmor in action:
    Block MS Office CVE-2017-11882 Exploit Payload with OSArmor

    @Windows_Security

    "Basic anti-exploit protection (parent->child process)" monitors MS Office apps, Chrome, Firefox, IE, Opera, Adobe PDF, Windows Media Player, and some other apps. In future versions we'll add single options like "Monitor MS Office Word", "Monitor MS Office Excel", "Monitor SumatraPDF", etc. Btw, yeah, using custom rules (like yours) you can control almost any application's behavior :)

    Mainly inexperienced users (pre-checked options), but at the same time also experts and average\curious users (enable\disable options, custom block-rules). The plan is to keep it very simple and minimal, with no prompt dialogs, and write very fine-tuned and smart internal rules lowering the common FPs near to 0.

    With just a few options enabled, the regular user already has good protection (i.e. basic anti-exploit, USB protection, bcdedit\pif\com block, double file extensions, block suspicious scripts, etc.) that will protect against popular ways used by malware to get deployed on the system (malspam, docs\pdf, exploit payloads, USB autorun, js\vbs scripts, etc.) with low FPs. We can find the right balance between good protection (with default settings) and low FPs.

    @l0rdraiden

    We would like to avoid an allow\block dialog; users may find it annoying (but it may be very useful for advanced users). We'll try to fix all common FPs and fine-tune the internal rules and see how it performs. So far, OSArmor was released one week ago and with v1.4 test11 we fixed\fine-tuned a lot of FPs already (thanks to all users that tested the program). We will discuss the possibility to automate exclusions (i.e. with a single button), a sort of internal learning mode, and a GUI to create exclusions (thanks everyone for the great suggestions and comments!).
     
    AtlBo, BryanB, silversurfer and 5 others like this.
  12. Andy Ful

    Andy Ful Level 22

    Dec 23, 2014
    1,107
    4,737
    business
    Poland
    Windows 10
    Microsoft
    It would be good to test OSArmor against malicious documents, scripts, scriptlets, JAR files, etc., with disabled AV protection. This would show its potential weak points.
     
    AtlBo, BryanB, simmerskool and 5 others like this.
  13. tiktoshi

    tiktoshi Level 4
    AV Tester

    Jan 19, 2015
    163
    1,189
    hi, pls add buttons for exclusions and block, and enable\disable USB devices, in the next beta version
     
    AtlBo, BryanB, shmu26 and 1 other person like this.
  14. shmu26

    shmu26 Level 53

    Jul 3, 2015
    4,273
    13,595
    Utopia
    In fact, I tested this a few days ago, on Chrome.
    I uploaded powershell.exe to google drive, sent myself a link, downloaded it in Chrome, and clicked to run it. Blocked, due to parent-child process.
    NV, Thanks!
     
  15. Sunshine-boy

    Sunshine-boy Level 22

    Apr 1, 2017
    1,177
    5,203
    IRAN
    Windows 10
    ESET
    But AppGuard has memory protection. When will you teach me how to create rules for MemProtect? Whennnnn????:D
     
    AtlBo, BryanB and bribon77 like this.
  16. Windows_Security

    Windows_Security Level 13
    Content Creator Trusted

    Mar 13, 2016
    615
    2,884
    Holland
    Windows 7
    Default-Deny
    #356 Windows_Security, Jan 4, 2018
    Last edited: Jan 4, 2018
    Well, when you target inexperienced, enthusiast and power users, I will be happily using the %PROCESSSIGNER% option to make OSArmor a better whitelisting application than AppLocker. Any idea when you will make this available in CUSTOM and EXCEPTION rules?

    Note that OSArmor does not recognize Microsoft Windows (catalogue) signatures, see log example:

    Date/Time: 3-1-2018 12:04:41
    Process: [2204]C:\Users\Kees\AppData\Local\Temp\AppTimer.exe
    Parent: [2496]C:\Windows\explorer.exe
    Rule: BlockSuspiciousExplorerBehaviors
    Rule Name: Block suspicious Explorer.exe process behaviors
    Command Line: "C:\Users\Kees\AppData\Local\Temp\AppTimer.exe"
    Signer:
    Parent Signer

    (AppTimer is unsigned, Windows Explorer is signed.)
     
    BryanB and Sunshine-boy like this.
  17. Windows_Security

    Windows_Security Level 13
    Content Creator Trusted

    Mar 13, 2016
    615
    2,884
    Holland
    Windows 7
    Default-Deny
    You can brick your system when using it in the wrong way. Don't want to do that remotely. The chances of an average user running into fileless malware are as likely as me winning the lottery. So when I win the lottery, I will fly over and teach you how to write the rules face to face.
     
    simmerskool, BryanB, DavidLMO and 3 others like this.
  18. Sunshine-boy

    Sunshine-boy Level 22

    Apr 1, 2017
    1,177
    5,203
    IRAN
    Windows 10
    ESET
    Hahaha, thanks for the answer.
     
    AtlBo, BryanB, bribon77 and 1 other person like this.
  19. shmu26

    shmu26 Level 53

    Jul 3, 2015
    4,273
    13,595
    Utopia
    @Sunshine-boy, why don't YOU win the lottery, and buy him a free plane ticket?
     
    AtlBo, simmerskool and Sunshine-boy like this.
  20. Sunshine-boy

    Sunshine-boy Level 22

    Apr 1, 2017
    1,177
    5,203
    IRAN
    Windows 10
    ESET
    Cameyo FP:
    Process: [4072]C:\Users\Sunshine-boy\AppData\Roaming\VOS\Cameyo\PROG\%Program Files%\Cameyo\Packager.exe
    Parent: [1304]C:\Users\Sunshine-boy\Desktop\Cameyo.exe
    Rule: BlockUnsignedProcessesAppDataRoaming
    Rule Name: Block execution of unsigned processes on Roaming AppData
    Command Line: "C:\Users\Sunshine-boy\AppData\Roaming\VOS\Cameyo\PROG\%Program Files%\Cameyo\Packager.exe"
    Signer:
    Parent Signer:
     
    AtlBo and Andy Ful like this.