NoVirusThanks OSArmor

Cameyo FP:
Process: [4072]C:\Users\Sunshine-boy\AppData\Roaming\VOS\Cameyo\PROG\%Program Files%\Cameyo\Packager.exe
Parent: [1304]C:\Users\Sunshine-boy\Desktop\Cameyo.exe
Rule: BlockUnsignedProcessesAppDataRoaming
Rule Name: Block execution of unsigned processes on Roaming AppData
Command Line: "C:\Users\Sunshine-boy\AppData\Roaming\VOS\Cameyo\PROG\%Program Files%\Cameyo\Packager.exe"
Signer:
Parent Signer:
 
@Sunshine-boy, why don't YOU win the lottery, and buy him a free plane ticket?
He he, when I was young I made a list of all the things I wanted to see in life. From the Middle East I have only visited Petra; I still want to visit the historical sites of the Pharaohs, Mesopotamia and Persia, so Iran is on my to-do list. I will definitely visit Iran within the next 5 years or so.
 
Persia could definitely be cool. I want to go to Hamadan.
 
It is working well on the default settings.


Date/Time: 1/4/2018 10:38:40 AM
Process: [7824]C:\Users\tik\AppData\Local\TempServer.exe
Parent: [6744]C:\Users\tik\Desktop\Test\Test.exe
Rule: BlockProcessesOnSuspiciousFolders
Rule Name: Block processes located in suspicious folders
Command Line: "C:\Users\tik\AppData\Local\TempServer.exe"
Signer:
Parent Signer:

Date/Time: 1/4/2018 10:45:21 AM
Process: [7844]C:\Users\tik\AppData\Roaming\Counter Strike.exe
Parent: [4972]C:\Users\tik\Desktop\Counter Strike\Counter Strike.exe
Rule: BlockProcessesOnSuspiciousFolders
Rule Name: Block processes located in suspicious folders
Command Line: "C:\Users\tik\AppData\Roaming\Counter Strike.exe"
Signer:
Parent Signer:
 
When you go to Iran, pass by Spain, and you can teach me too. :)
 
You can brick your system when using it in the wrong way. I don't want to do that remotely. The chances of an average user running into fileless malware are about as high as my chances of winning the lottery. So when I win the lottery, I will fly over and teach you how to write the rules face to face.

Really? My techs have pulled a LOT of fileless malware off systems in the last few months. I actually think it's becoming much more common than ransomware.
 
I think that maybe those were not home user systems!?
 
Wondering about running OSArmor and Exe Radar Pro at same time. I have been installing a lot of new apps on a new (to me) Win 7 box. I have only received a couple of warnings/popups from OSA but lots from ERP (to be expected). Is this just due to the different nature of the products? Or does ERP do something that allows OSA to ignore?

So far I have not received any false positives with OSA which I run only with the defaults.

Again - thanks for a great product.
 
OSA does not produce very many blocks. If you don't do anything unusual on your computer, it will be as silent as a mouse.
Yes, it is compatible with ERP.
ERP does not make OSA any quieter than it is, each program does its own thing, without interfering.
 
Here is a new v1.4 (pre-release) (test12):
http://downloads.novirusthanks.org/files/osarmor_setup_1.4_test12.exe

*** Please do not share the download link; we will delete it when we release the official v1.4 ***

So far this is what's new compared to the previous pre-release:

+ Improved the "anti-exploit" module used to block payloads
+ You can now check/uncheck the apps monitored with the "anti-exploit" module
+ Created 3 tabs for grouping of rules
+ Added %PROCESSSIGNER% and %PARENTSIGNER% vars for exclusions and custom-block rules
+ Minor fixes and optimizations

This pre-release version can be installed over the top of the previous one.

New video of OSArmor tested against 30 doc/xls/swf/pdf exploits:
Block Exploit Payloads with OSArmor

Here are the two new tabs on the Configurator:

osarmor-configurator.png


@Sunshine-boy

That FP is generated by "Block execution of unsigned processes on Roaming AppData" and we may not fix it internally on OSArmor.

You can add an exclusion rule like this to fix it:

Code:
[%PROCESS%: C:\Users\Sunshine-boy\AppData\Roaming\VOS\Cameyo\PROG\%Program Files%\Cameyo\Packager.exe] [%PARENTPROCESS%: C:\Users\Sunshine-boy\Desktop\Cameyo.exe]

Alternatively you can allow all processes from Cameyo.exe:

Code:
[%PARENTPROCESS%: C:\Users\Sunshine-boy\Desktop\Cameyo.exe]

@Windows_Security

I've added 2 new vars %PROCESSSIGNER% and %PARENTSIGNER% for exclusions and custom-block rules.

Let me know if they work fine if you'll test them.

Note that OSArmor does not recognize Microsoft Windows (catalogue) signatures.

Strange, can you send me your C:\Windows\explorer.exe file via PM?
 
I got this block when closing a portable version of Free Download Manager launched under SyMenu...

Date/Time: 1/4/2018 8:43:48 PM
Process: [2528]C:\WINDOWS\SysWOW64\cscript.exe
Parent: [3288]D:\SyMenu\ProgramFiles\SPSSuite\SyMenuSuite\Free_Download_Manager_sps\App\FreeDownloadManager\fdm.exe
Rule: PreventCscriptChangingScriptEngineE
Rule Name: Prevent cscript.exe from changing script engine via //E:
Command Line: "C:\WINDOWS\System32\cscript.exe" //E:jscript "D:\SyMenu\ProgramFiles\SPSSuite\SyMenuSuite\Free_Download_Manager_sps\App\FreeDownloadManager\\Chrome\chrome.js" check "C:\Users\MyUserName\AppData\Local\Google\Chrome\User Data\\Default\Preferences" "ahmpjcflkgiildlgicmcieglgoilbfdp"
Signer:
Parent Signer: Softdeluxe Ltd.

Maybe it was trying to install a chrome extension? Not sure what is going on here.
 
It's the expected behavior.
ERP is a HIPS and will create a popup for any new unknown process.
OSArmor is more like a behavior blocker: it has a kind of blacklist of "suspicious actions" and blocks them.
 
On 64-bit Windows the Cameyo application runs in a more complex way, and the process packager64.exe is blocked. This process is invoked twice, the first time by cameyo.exe and the second time by packager.exe, so when using parent processes, two exclusions are required. The second thing is that OSArmor seems to be confused by %Program Files% (it is not an environment variable) used in Cameyo paths, so I had to replace it with the wildcard. Wildcards were also used for packager.exe and packager64.exe (in the %PROCESS% sections) to minimize the number of exclusions. The exclusions work when cameyo.exe is started from the Desktop; they should work for both 32-bit and 64-bit Windows:
Code:
[%PROCESS%: C:\Users\User_Name\AppData\Roaming\VOS\Cameyo\PROG\*\Cameyo\*] [%PARENTPROCESS%: C:\Users\User_Name\Desktop\Cameyo.exe]
[%PROCESS%: C:\Users\User_Name\AppData\Roaming\VOS\Cameyo\PROG\*\Cameyo\*] [%PARENTPROCESS%: C:\Users\User_Name\AppData\Roaming\VOS\Cameyo\PROG\*\Cameyo\Packager.exe]
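To make the matching logic behind exclusions like these concrete, here is an added Python model (not OSArmor's own code; the thread does not document its real matching semantics) that parses lines in the [%VAR%: value] syntax and evaluates them against constructed events shaped like the log entries above. It assumes every condition in a line must match, that `*` is a wildcard, and that paths compare case-insensitively.

```python
import fnmatch
import re

# Constructed events modelled on the log blocks in this thread (not real captures).
EVENTS = [
    {"process": r"C:\Users\User_Name\AppData\Roaming\VOS\Cameyo\PROG\%Program Files%\Cameyo\Packager.exe",
     "parent": r"C:\Users\User_Name\Desktop\Cameyo.exe", "signer": ""},
    {"process": r"C:\Users\User_Name\AppData\Roaming\VOS\Cameyo\PROG\%Program Files%\Cameyo\Packager64.exe",
     "parent": r"C:\Users\User_Name\AppData\Roaming\VOS\Cameyo\PROG\%Program Files%\Cameyo\Packager.exe",
     "signer": ""},
    # Look-alike binary outside the Cameyo folder: must NOT be excluded by the rules below.
    {"process": r"C:\Users\User_Name\AppData\Roaming\Other\Packager.exe",
     "parent": r"C:\Users\User_Name\Desktop\Cameyo.exe", "signer": ""},
]

# The two exclusion lines from the post above (User_Name is a placeholder).
RULES = [
    r"[%PROCESS%: C:\Users\User_Name\AppData\Roaming\VOS\Cameyo\PROG\*\Cameyo\*] [%PARENTPROCESS%: C:\Users\User_Name\Desktop\Cameyo.exe]",
    r"[%PROCESS%: C:\Users\User_Name\AppData\Roaming\VOS\Cameyo\PROG\*\Cameyo\*] [%PARENTPROCESS%: C:\Users\User_Name\AppData\Roaming\VOS\Cameyo\PROG\*\Cameyo\Packager.exe]",
]

# Variables named in the thread, mapped to event fields.
KEYS = {"%PROCESS%": "process", "%PARENTPROCESS%": "parent", "%PROCESSSIGNER%": "signer"}
COND_RE = re.compile(r"\[(%[A-Z]+%):\s*([^\]]*)\]")


def parse_rule(text):
    """Return {field: pattern} for every [%VAR%: value] group on one exclusion line."""
    conds = {}
    for var, value in COND_RE.findall(text):
        if var not in KEYS:
            raise ValueError(f"unknown variable {var}")
        conds[KEYS[var]] = value.strip()
    return conds


def matches(conds, event):
    """Assumed semantics: all conditions must hold; '*' is a wildcard (it also spans
    path separators, which is why '*' covers the literal '%Program Files%' component);
    comparison is case-insensitive, as Windows paths are."""
    return all(fnmatch.fnmatchcase(event[field].lower(), pat.lower())
               for field, pat in conds.items())


def is_excluded(event, rules=RULES):
    """True if any exclusion line matches the event (i.e. the block would be suppressed)."""
    return any(matches(parse_rule(rule), event) for rule in rules)


if __name__ == "__main__":
    for ev in EVENTS:
        print("excluded" if is_excluded(ev) else "BLOCKED ", ev["process"])
```

Running it shows why two lines are needed: Packager64.exe started by Packager.exe is only matched by the second rule, while the look-alike path outside the Cameyo folder stays blocked.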
@NoVirusThanks I sent you a WeTransfer link to support for explorer.

%PROCESSSIGNER% exclusions are still blocked, see below. I also tried the wildcard [Microsoft *].

Custom
; Block executables from my user folders on C drive
[%PROCESS%: C:\Users\*]

Exclusion
;allow processes signed Microsoft Windows
[%PROCESS%: C:\Users\*] [%PROCESSSIGNER%: Microsoft Corporation]

LOG
Date/Time: 5-1-2018 12:04:39
Process: [2936]C:\Users\Kees\AppData\Local\Temp\procexp.exe
Parent: [2276]C:\Windows\explorer.exe
Rule: CustomBlockRule
Rule Name: Custom process-block rule via CustomBlock.db
Command Line: "C:\Users\Kees\AppData\Local\Temp\procexp.exe"
Signer: Microsoft Corporation
Parent Signer:
 