NoVirusThanks OSArmor

Andy Ful

From Hard_Configurator Tools
Dec 23, 2014
@NoVirusThanks I sent you a WeTransfer link to support for explorer.

%PROCESSSIGNER% exclusions are blocked, see below. I also tried the wildcard [Microsoft *].

Custom
; Block executables from my user folders on C drive
[%PROCESS%: C:\Users\*]

Exclusion
;allow processes signed Microsoft Windows
[%PROCESS%: C:\Users\*] [%PROCESSSIGNER%: Microsoft Corporation]

LOG
Date/Time: 5-1-2018 12:04:39
Process: [2936]C:\Users\Kees\AppData\Local\Temp\procexp.exe
Parent: [2276]C:\Windows\explorer.exe
Rule: CustomBlockRule
Rule Name: Custom process-block rule via CustomBlock.db
Command Line: "C:\Users\Kees\AppData\Local\Temp\procexp.exe"
Signer: Microsoft Corporation
Parent Signer:
The 'C:\Users\*' exclusion is probably applied only to files in 'C:\Users' but not to its subfolders.
Code:
[%PROCESS%: C:\Users\*] [%PROCESSSIGNER%: Microsoft Corporation]
[%PROCESS%: C:\Users\*\*] [%PROCESSSIGNER%: Microsoft Corporation]
[%PROCESS%: C:\Users\*\*\*] [%PROCESSSIGNER%: Microsoft Corporation]
[%PROCESS%: C:\Users\*\*\*\*] [%PROCESSSIGNER%: Microsoft Corporation]
[%PROCESS%: C:\Users\*\*\*\*\*] [%PROCESSSIGNER%: Microsoft Corporation]
[%PROCESS%: C:\Users\*\*\*\*\*\*] [%PROCESSSIGNER%: Microsoft Corporation]
The above should work for files run in the 'C:\Users' root folder and for files in its subfolders of n-th order (n < 6). This is how Disallowed rules work in SRP.
Maybe Andreas can show us a simpler way to do it. In some applications, the double asterisk '**' is used for such exclusions.

NoVirusThanks

From NoVirusThanks
Aug 23, 2012
@Windows_Security

Sorry, the var is %FILESIGNER% and not %PROCESSSIGNER%.

Have tested it now and it works fine.

@Andy Ful

The 'C:\Users\*' exclusion is applied to C:\Users\ and all its subfolders\files.

Wildcard char * means any character and any length.

@ForgottenSeer 58943

Can you try to first uninstall OSA and then install it?

I suspect the issue may come up if OSA is installed over the top or due to some strange Windows 10 behaviors.

Or if the new OSA (.exe files changes) is not whitelisted\excluded in the currently installed security software.

Moreover, probably a reboot would fix it somehow.

@HarborFront

It should work fine with HMPA, ESET, Windows OS, etc.

@Telos

Will fix that FP in the next build.

@Darrin

Yes, will add Pale Moon and other browsers to the list.
shmu26

Jul 3, 2015
@Windows_Security

Sorry, the var is %FILESIGNER% and not %PROCESSSIGNER%.

Have tested it now and it works fine.

@Andy Ful

The 'C:\Users\*' exclusion is applied to C:\Users\ and all its subfolders\files.

Wildcard char * means any character and any length.

@ForgottenSeer 58943

Can you try to first uninstall OSA and then install it?

I suspect the issue may come up if OSA is installed over the top or due to some strange Windows 10 behaviors.

Or if the new OSA (.exe files changes) is not whitelisted\excluded in the currently installed security software.

Moreover, probably a reboot would fix it somehow.

@HarborFront

It should work fine with HMPA, ESET, Windows OS, etc.

@Telos

Will fix that FP in the next build.

@Darrin

Yes, will add Pale Moon and other browsers to the list.
The program actually works pretty well at this point. Why not release a public version with cosigned drivers?
Andy Ful

From Hard_Configurator Tools
Dec 23, 2014
@Windows_Security
...
@Andy Ful

The 'C:\Users\*' exclusion is applied to C:\Users\ and all its subfolders\files.

Wildcard char * means any character and any length.
...
I understand. :)
So, to exclude files only in C:\Users\ (not into subfolders), one could try using the rule with C:\Users\*.*
But, this is an illusion because, in fact, this rule excludes all files (with extension) in C:\Users\ and all its subfolders.
The rule with C:\Users\*.exe excludes all EXE files in C:\Users\ folder and all its subfolders.
But, how to exclude files only in the C:\Users\ folder (not in its subfolders)?
Not a big problem, but maybe worth mentioning.
Edit: Post edited.

NoVirusThanks

From NoVirusThanks
Aug 23, 2012
@shmu26

We're still working on the co-signed driver, hope to have it ready in a few days and then we'll make v1.4 public.

@Andy Ful

Good point, you may use regular expressions, example:

[REGEX:%PROCESS%: ^C\:\\Users\\[a-zA-Z0-9\.\s\,-_\#]*\.exe$]

Another option is to introduce %PROCESSPATH% var and then it would be like:

[%PROCESSPATH%: C:\Users\]

Sunshine-boy

Apr 1, 2017
[%PROCESS%: C:\Users\Sunshine-boy\AppData\Roaming\VOS\Cameyo\PROG\%Program Files%\Cameyo\Packager.exe] [%PARENTPROCESS%: C:\Users\Sunshine-boy\Desktop\Cameyo.exe]
Thanks. I already did the same thing but it doesn't work! Andy Ful gave me the right rule:
Code:
[%PROCESS%: C:\Users\Sunshine-boy\AppData\Roaming\VOS\Cameyo\PROG\*\Cameyo\*] [%PARENTPROCESS%: C:\Users\Sunshine-boy\Desktop\Cameyo.exe]
[%PROCESS%: C:\Users\Sunshine-boy\AppData\Roaming\VOS\Cameyo\PROG\*\Cameyo\*] [%PARENTPROCESS%: C:\Users\Sunshine-boy\AppData\Roaming\VOS\Cameyo\PROG\*\Cameyo\Packager.exe]

nvm it already posted.
Pls, add a GUI for making exceptions. plssssssssssssssssssssssssssssssssssssssssss
Andy Ful

From Hard_Configurator Tools
Dec 23, 2014
@shmu26

We're still working on the co-signed driver, hope to have it ready in a few days and then we'll make v1.4 public.

@Andy Ful

Good point, you may use regular expressions, example:

[REGEX:%PROCESS%: ^C\:\\Users\\[a-zA-Z0-9\.\s\,-_\#]*\.exe$]

Another option is to introduce %PROCESSPATH% var and then it would be like:

[%PROCESSPATH%: C:\Users\]
Thanks for the explanation. I could use REGEX, but most users will love exclusions GUI.;)
Sunshine-boy

Apr 1, 2017
Date/Time: 1/4/2018 10:07:44 PM
Process: [3924]C:\Users\Sunshine-boy\Desktop\Wps office.exe
Parent: [1836]C:\Windows\explorer.exe
Rule: BlockSuspiciousProcesses
Rule Name: Block execution of suspicious processes
Command Line: "C:\Users\Sunshine-boy\Desktop\Wps office.exe"
Signer: Zhuhai Kingsoft Office Software Co.,Ltd
Parent Signer:
I know how to exclude it, but why do you consider Kingsoft malware? It's safe and legitimate :) Do you consider USA-based products (like Vipre) malware too? :D

Andy Ful

From Hard_Configurator Tools
Dec 23, 2014
Date/Time: 1/4/2018 10:07:44 PM
Process: [3924]C:\Users\Sunshine-boy\Desktop\Wps office.exe
Parent: [1836]C:\Windows\explorer.exe
Rule: BlockSuspiciousProcesses
Rule Name: Block execution of suspicious processes
Command Line: "C:\Users\Sunshine-boy\Desktop\Wps office.exe"
Signer: Zhuhai Kingsoft Office Software Co.,Ltd
Parent Signer:
I know how to exclude it, but why do you consider Kingsoft malware? It's safe and legitimate :) Do you consider USA-based products (like Vipre) malware too? :D
OSArmor does not consider Kingsoft software as malware. It is built to block suspicious behaviors, except those from excluded processes. You can exclude all signed Kingsoft applications using %FILESIGNER% rules.:)

ForgottenSeer 58943

OSArmor does not consider Kingsoft software as malware. It is built to block suspicious behaviors, except those from excluded processes. You can exclude all signed Kingsoft applications using %FILESIGNER% rules.:)

I consider Kingsoft malware. I bought a lifetime license for the home. Then discovered some pretty incredible backend telemetry. Worse, it called out and sometimes received data from known malicious domains. Not surprised one bit WPS is triggering OSArmor.
NoVirusThanks

From NoVirusThanks
Aug 23, 2012
Here is a new v1.4 (pre-release) (test13):
http://downloads.novirusthanks.org/files/osarmor_setup_1.4_test13.exe

*** Please do not share the download link, we will delete it when we'll release the official v1.4 ***

So far this is what's new compared to the previous pre-release:

+ Added more applications on the "Anti-Exploit" tab
+ Added a basic GUI app to create exclusions
+ Added %FILESIGNER%, %PROCESSFILEPATH%, %PARENTFILEPATH%, %PARENTSIGNER% variables
+ Minor fixes and optimizations

To install this pre-release test13, first uninstall the old one.

Here is a screenshot of the "Exclusions Helper" GUI:

[screenshot: exclusions-helper.png]


@Sunshine-boy

That is an FP, but I can't reproduce it; it is not blocked on my system.

Please try this new test13 build and if it happens again, can you make a video showing when it is blocked and then the content of the log file?

@Telos

The FP about FDM should be fixed.

Andy Ful

From Hard_Configurator Tools
Dec 23, 2014
I consider Kingsoft malware. I bought a lifetime license for the home. Then discovered some pretty incredible backend telemetry. Worse, it called out and sometimes received data from known malicious domains. Not surprised one bit WPS is triggering OSArmor.
You may be right that Kingsoft software is shady. But anyway, it is triggering OSArmor for reasons other than suspicious telemetry.:)
Yet, maybe it would be a good move to add the trusted vendor list to OSArmor.
Windows_Security

Mar 13, 2016
@NoVirusThanks

Andreas, thanks, the new variables work like a charm. I have two questions.
  1. The medium IL system processes are not protected by UAC from side-by-side attacks (e.g. by poisoned Office documents clicked on as a normal user). Does blocking the start of medium IL processes (explorer, svchost etc.) from user folders provide any real-world protection?
  2. OS_Armor (like many security programs) has trouble with "unsigned" Windows processes like Windows Explorer (explorer.exe) which have catalog signing (C:\Windows\System32\catroot), so I added %parentprocess% to include Windows Update processes as exclusions. Did I include all Windows Update processes (too few or too many)?
Click on the spoiler to see the above two rules
Custom
; Block executables from data partitions F (files) and P (Private) on second harddisk
[%PROCESSFILEPATH%: F:\*]
[%PROCESSFILEPATH%: P:\*]

; Block executables from my user folders on C drive
[%PROCESSFILEPATH%: C:\Users\*]

; Block Medium IL (often attacked) system process launch from user folders
[%PROCESS%: *\explorer.exe] [%PARENTFILEPATH%: C:\Users\*]
[%PROCESS%: *\svchost.exe] [%PARENTFILEPATH%: C:\Users\*]
[%PROCESS%: *\dwm.exe] [%PARENTFILEPATH%: C:\Users\*]
[%PROCESS%: *\schtasks.exe] [%PARENTFILEPATH%: C:\Users\*]


Exclusions
;allow spawning of printer, webbrowser and pdfreader by already installed programs
[%PROCESS%: C:\Windows\splwow64.exe] [%PARENTFILEPATH%: C:\Program Files\*]
[%PROCESS%: C:\Program Files\Chromium\chrome.exe] [%PARENTFILEPATH%: C:\Program Files\*]
[%PROCESS%: C:\Program Files\Utilities\SumatraPDF.exe] [%PARENTFILEPATH%: C:\Program Files\*]

;allow signed processes of windows and system programs to update automatically
[%PROCESSFILEPATH%: C:\Users\*] [%FILESIGNER%: Microsoft Windows]
[%PROCESSFILEPATH%: C:\Users\*] [%FILESIGNER%: Microsoft Corporation]
[%PROCESSFILEPATH%: C:\Users\*] [%FILESIGNER%: Microsoft Dynamic Code Publisher Corporation]
[%PROCESSFILEPATH%: C:\Users\*] [%FILESIGNER%: Microsoft Windows Third Party Application Component]
[%PROCESSFILEPATH%: C:\Users\*] [%FILESIGNER%: Intel(R) Smart Connect software]
[%PROCESSFILEPATH%: C:\Users\*] [%FILESIGNER%: Intel Corporation - Software and Firmware Products]
[%PROCESSFILEPATH%: C:\Users\*] [%FILESIGNER%: Intel Corporation - Intel® Management Engine Firmware]
[%PROCESSFILEPATH%: C:\Users\*] [%FILESIGNER%: Intel Corporation - Software and Firmware Products]
[%PROCESSFILEPATH%: C:\Users\*] [%FILESIGNER%: Broadcom Corporation]
[%PROCESSFILEPATH%: C:\Users\*] [%FILESIGNER%: Realtek Semiconductor Corp]
[%PROCESSFILEPATH%: C:\Users\*] [%FILESIGNER%: NoVirusThanks Company Srl]

;allow Microsoft Windows update and installer parent processes
[%PROCESSFILEPATH%: C:\Users\*] [%PARENTFILEPATH%: C:\Windows\System32\wuauclt.exe]
[%PROCESSFILEPATH%: C:\Users\*] [%PARENTFILEPATH%: C:\Windows\System32\wusa.exe]
[%PROCESSFILEPATH%: C:\Users\*] [%PARENTFILEPATH%: C:\Windows\servicing\TrustedInstaller.exe]
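The rule syntax discussed in this thread (a '*' that crosses folder boundaries, the %FILESIGNER% exclusion, and the block/exclusion set just above) can be dry-run offline before it goes into the product. The following is an added example written for this page; it is not NoVirusThanks' code and not OSArmor's matching engine. It models the semantics stated in the thread under assumptions that are labelled in the code: '*' matches any run of characters including backslashes, matching is case-insensitive, %PROCESSFILEPATH%/%PARENTFILEPATH% carry the same values as %PROCESS%/%PARENTPROCESS%, and a matching exclusion wins over any block rule. The function names (decide, parse_log, compile_rules and the rest), the ALIASES table and the EXPLORER_FROM_USER_FOLDER event are all hypothetical constructions; the procexp.exe event is parsed from the log entry in Andy Ful's first post. Running it shows why the %PROCESSSIGNER% exclusion never fired (a variable the engine does not know never matches, so the block rule wins), gives a regex that answers Andy Ful's question about limiting a rule to C:\Users\ itself, and checks the regex NoVirusThanks posted: inside its character class, '\,-_' is a range from ',' to '_', and that range contains the backslash, so as written the pattern also matches executables in subfolders. The check uses Python's re; the range meaning is standard across regex engines, but confirm against OSArmor's own engine before relying on it.

```python
import re

# Added example, not NoVirusThanks' code: a simplified model of the rule semantics described in
# this thread, to dry-run a rule set against a logged event. Assumptions: '*' matches any run of
# characters including backslashes (so 'C:\Users\*' covers every subfolder); matching is
# case-insensitive; %PROCESSFILEPATH%/%PARENTFILEPATH% carry the same values as
# %PROCESS%/%PARENTPROCESS%; a matching exclusion wins over any block rule.

ALIASES = {"PROCESSFILEPATH": "PROCESS", "PARENTFILEPATH": "PARENTPROCESS"}
REGEX_RULE = re.compile(r"^\[REGEX:%([A-Z]+)%:\s*(.*)\]$")   # [REGEX:%VAR%: <regex>]
COND = re.compile(r"\[%([A-Z]+)%:\s*([^\]]*)\]")             # [%VAR%: <wildcard>]

def wildcard_to_regex(pattern):
    # '*' becomes '.*' (it can cross '\'), everything else is literal, whole-string anchored
    return "^" + ".*".join(re.escape(part) for part in pattern.split("*")) + "$"

def parse_rule(line):
    # One rule line -> list of (variable, compiled regex); every condition must hold
    m = REGEX_RULE.match(line.strip())
    if m:
        return [(m.group(1), re.compile(m.group(2), re.IGNORECASE))]
    return [(var, re.compile(wildcard_to_regex(val.strip()), re.IGNORECASE))
            for var, val in COND.findall(line)]

def compile_rules(lines):
    # Skip ';' comments and blank lines; keep the rule text to report which rule fired
    return [(ln.strip(), parse_rule(ln)) for ln in lines
            if ln.strip() and not ln.lstrip().startswith(";")]

def rule_matches(conds, event):
    # A variable the engine does not know (e.g. %PROCESSSIGNER%) is empty and so never matches
    return bool(conds) and all(rx.fullmatch(event.get(var, "")) for var, rx in conds)

def decide(block_rules, exclusions, event):
    # Returns ('allow' | 'block', text of the rule that decided); exclusions are checked first
    ev = dict(event)
    for alias, real in ALIASES.items():
        ev.setdefault(alias, ev.get(real, ""))
    for text, conds in exclusions:
        if rule_matches(conds, ev):
            return "allow", text
    for text, conds in block_rules:
        if rule_matches(conds, ev):
            return "block", text
    return "allow", None

def parse_log(entry):
    # One log entry in the thread's format -> event dict; '[2936]C:\...' loses its pid prefix
    fields = {}
    for line in entry.strip().splitlines():
        key, _, value = line.partition(":")
        fields[key.strip()] = value.strip()
    strip_pid = lambda s: re.sub(r"^\[\d+\]", "", s)
    return {"PROCESS": strip_pid(fields.get("Process", "")),
            "PARENTPROCESS": strip_pid(fields.get("Parent", "")),
            "FILESIGNER": fields.get("Signer", ""),
            "PARENTSIGNER": fields.get("Parent Signer", "")}

# Rule lines from the thread (two of Windows_Security's block rules and the signer exclusion)
BLOCK_RULES = compile_rules([
    "; Block executables from my user folders on C drive",
    r"[%PROCESSFILEPATH%: C:\Users\*]",
    r"[%PROCESS%: *\explorer.exe] [%PARENTFILEPATH%: C:\Users\*]",
])
EXCLUSIONS = compile_rules([
    r"[%PROCESSFILEPATH%: C:\Users\*] [%FILESIGNER%: Microsoft Corporation]",
])

# The procexp.exe entry from the thread's log, and a constructed event for the explorer.exe rule
PROCEXP_EVENT = parse_log(r"""
Date/Time: 5-1-2018 12:04:39
Process: [2936]C:\Users\Kees\AppData\Local\Temp\procexp.exe
Parent: [2276]C:\Windows\explorer.exe
Signer: Microsoft Corporation
Parent Signer:
""")
EXPLORER_FROM_USER_FOLDER = {"PROCESS": r"C:\Windows\explorer.exe",
                             "PARENTPROCESS": r"C:\Users\Kees\Downloads\unknown.exe",
                             "FILESIGNER": "Microsoft Windows", "PARENTSIGNER": ""}

def top_level_only(path):
    # Andy Ful's question: .exe files directly in C:\Users\ only; [^\\]+ rejects any further '\'
    return re.fullmatch(r"C:\\Users\\[^\\]+\.exe", path, re.IGNORECASE) is not None

def posted_regex_matches(path):
    # The regex quoted in the thread, unchanged. Inside the class, '\,-_' is a RANGE from ','
    # (0x2C) to '_' (0x5F), which contains '\' (0x5C), so subfolder paths match as well.
    return re.match(r"^C\:\\Users\\[a-zA-Z0-9\.\s\,-_\#]*\.exe$", path, re.IGNORECASE) is not None
```

Calling decide(BLOCK_RULES, EXCLUSIONS, PROCEXP_EVENT) returns 'allow' with the signer exclusion as the deciding rule; swapping the exclusion list for one that uses %PROCESSSIGNER% returns 'block', which is the behaviour the first post logged. The explorer.exe event is blocked by the second rule because its parent lives under C:\Users\. A rule that must cover only the top of C:\Users\ needs a class that excludes the backslash, as top_level_only does; the quoted regex does not, so posted_regex_matches('C:\Users\Kees\a.exe') is True.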

Andy Ful

From Hard_Configurator Tools
Dec 23, 2014
...
;allow processes started by Windows update and installer PARENT processes
[%PROCESSFILEPATH%: C:\Users\*] %PARENTPROCESS%: C:\Windows\System32\wuauclt.exe]
[%PROCESSFILEPATH%: C:\Users\*] %PARENTPROCESS%: C:\Windows\System32\wusa.exe]
[%PROCESSFILEPATH%: C:\Users\*] %PARENTPROCESS%: C:\Windows\servicing\TrustedInstaller.exe]
...
@Windows_Security
Very interesting setup.:) (you missed 3 left parentheses).(y)
Windows_Security

Level 24
Mar 13, 2016
@NoVirusThanks
Andreas, what is the reason for using %PROCESSFILEPATH% and %PARENTFILEPATH% instead of %PROCESS% and %PARENTPROCESS% ?

OKAY, I had missed parentfilepath, will update the setup. Also thanks for pointing out the missing [ ] (something goes wrong when I copy-paste). I can imagine that when you use regex it takes less processing time when you make the process regex specific with filepath or vice versa.

codswollip

Jan 29, 2017
@Telos

The FP about FDM should be fixed.
Uninstalled test12... Installed test13... Still see the popup on closing FDM.

Date/Time: 1/5/2018 9:54:58 PM
Process: [3116]C:\WINDOWS\SysWOW64\cscript.exe
Parent: [11032]D:\SyMenu\ProgramFiles\SPSSuite\SyMenuSuite\Free_Download_Manager_sps\App\FreeDownloadManager\fdm.exe
Rule: PreventCscriptChangingScriptEngineE
Rule Name: Prevent cscript.exe from changing script engine via //E:
Command Line: "C:\WINDOWS\System32\cscript.exe" //E:jscript "D:\SyMenu\ProgramFiles\SPSSuite\SyMenuSuite\Free_Download_Manager_sps\App\FreeDownloadManager\\Chrome\chrome.js" check "C:\Users\MyUserName\AppData\Local\Google\Chrome\User Data\\Default\Preferences" "ahmpjcflkgiildlgicmcieglgoilbfdp"
Signer:
Parent Signer: Softdeluxe Ltd.