NoVirusThanks OSArmor

NoVirusThanks - and protect CENT, Slimjet, Firefox ESR 52..., Firefox Nightly (basilisk), New Moon... all versions, please?
And K-Meleon?
Maybe you have already protected all these browsers? ...so sorry

And software: UltraSurf, PowerTool, PCHunter, AdwCleaner, Ultra Adware Killer, CrowdInspect, NetStalker, Wise Disk Cleaner, CCleaner, Malwarebytes Anti-Malware, SpyDllRemover, MCShield... regedt32 yes yes
 
Also, could you please teach us how to manually add custom block rules for browsers which are not on the list?
I tried [%PARENTPROCESS%: C:\Program Files\Slimjet\slimjet.exe]
but it broke the browser.
 
It is a web browser protector (a kind of smart HIPS) that works independently of the browser.
It protects as follows:
  1. Against keyloggers and screenloggers
  2. Web browser files and extensions
  3. Personal data (passwords, credit card numbers, bookmarks, and browsing history)
  4. Against Man-in-the-Middle attacks
  5. Web browser configuration
  6. Yandex modules (protection against being closed or removed by malware)
It is hard to say how good it is; no test is available. How this will work with OSArmor is an open question.
 
Maybe you are using an extension that blocks third-party domains? Yandex Translate (translate.yandex.net) needs to load on every web page, or you can't translate that website.
Or maybe an internet problem? I got this problem too, but it was related to an extension that blocks Java or third-party domains.

with OSArmor is an open question.
Works well!
 

Uninstalled OSArmor in my play image and installed Yandex beta to play with this beta for a while. As far as I can test OSArmor v1.4, it is ready for final; congrats to Andreas (@NoVirusThanks). OSArmor really works well.

RE: Yandex - disappointing results against keyloggers and memory-based intrusions; other protections seem to work reasonably well.
(THIS IS AN OSARMOR THREAD, SO I WON'T RESPOND TO YANDEX ANYMORE)
 
Possibly related to my previous post... SyMenu has an app-updating capability. When I ran this today the update was blocked...

Date/Time: 1/6/2018 11:04:03 AM
Process: [1228]D:\SyMenu\7z.exe
Parent: [5572]D:\SyMenu\SyMenu.exe
Rule: BlockSuspiciousProcesses
Rule Name: Block execution of suspicious processes
Command Line: "D:\SyMenu\7z.exe" x "C:\Users\MyUserName\AppData\Local\Temp\Ocenaudio_sps.paf.exe" -y -o"C:\Users\MyUserName\AppData\Local\Temp\Ocenaudio_sps" -x!$*
Signer:
Parent Signer:
 
Here is a new v1.4 (pre-release) (test14):
http://downloads.novirusthanks.org/files/osarmor_setup_1.4_test14.exe

*** Please do not share the download link, we will delete it when we'll release the official v1.4 ***

So far this is what's new compared to the previous pre-release:

+ Block execution of C Sharp compiler (csc.exe) (unchecked by default)
+ Block execution of Visual Basic compiler (vbc.exe) (unchecked by default)
+ Block suspicious processes executed from Rundll32 (unchecked by default)
+ On the "Exclusions Helper" GUI, do not add the exclusion rule if it is already present
+ Added LibreOffice and Kingsoft WPS Office on "Anti-Exploit" tab
+ Block processes executed from C Sharp compiler (csc.exe) (unchecked by default)
+ Block processes executed from Visual Basic compiler (vbc.exe) (unchecked by default)
+ Fixed some false positives

To install this pre-release, first uninstall the old one.

Here is a new video of OSArmor protecting Kingsoft WPS Office:

Block WPS Office Exploit Payloads with OSArmor


@Windows_Security

Your custom rules look good and solid =)

I think you included all the needed MS Windows update parent processes, but that will need to be verified of course.

About the rules for "Block Medium IL (often attacked) system process launch from user folders": they are good; you may get a few FPs with some installers/uninstallers, e.g. the SlimJet browser (simple to fix via exclusions or by disabling the protection anyway).

You should include these two MS-related trusted signers in the exclusions:

Microsoft Update
Microsoft Windows Publisher

@Andy Ful

I added the *FILEPATH vars to match the exact file path; however, we can discuss whether they are useful and, if needed, leave only the PROCESS/PARENTPROCESS vars.

@Telos

Both reported FPs should be fixed now (test14), please confirm.

@DavidLMO

Will discuss removing the "Protect" word in the "Anti-Exploit" tab checkboxes.

@Prorootect

There is no need to protect (via the Anti-Exploit module) other security software and similar.

We want to only protect web browsers, pdf readers, office suites, and similar apps.

All Firefox versions should be supported by "Protect Mozilla Firefox", but will have to check.

K-Meleon is not digitally signed and I prefer to support only digitally signed apps.

Added SlimJet on test14 build.

@Evjl's Rain

The "Anti-Exploit" module uses different types of rules and additional checks compared to "Custom Block-Rules".

If you want to use "Custom Block-Rules" to block child processes of SlimJet, you can do it like this:

Code:
[%PARENTPROCESS%: C:\Program Files\Slimjet\slimjet.exe]

Then in Exclusions, make sure to allow it to run other programs in the Program Files folder (just an example):

Code:
[%PARENTPROCESS%: C:\Program Files\Slimjet\slimjet.exe] [%PROCESS%: C:\Program Files\*]
[%PARENTPROCESS%: C:\Program Files\Slimjet\slimjet.exe] [%PROCESS%: C:\Program Files (x86)\*]

There may be other FPs that need to be addressed, but they can be handled via Exclusions :)

I will probably make some tutorials soon.

@Stas

Added MPC, KMPlayer, GOMPlayer, LibreOffice, WPS Office, PDF-XChange Editor, and others.
 
...
@Andy Ful

I added the *FILEPATH vars to match the exact file path; however, we can discuss whether they are useful and, if needed, leave only the PROCESS/PARENTPROCESS vars.
...
If the rules:
[%PROCESSFILEPATH%: C:\Users\]
[%PROCESSFILEPATH%: C:\Users\*]
[%PARENTFILEPATH%: C:\Users\*.exe]
mean that the rules apply only to files in the C:\Users folder, but not to files in its subfolders, then I vote for keeping them.

Edit:
Of course, those rules are not especially useful for the C:\Users folder, but they can be useful when one wants to add/exclude several programs from a folder but not from its subfolders.
 
NoVirusThanks, thank you!
You wrote: "There is no need to protect (via the Anti-Exploit module) other security software and similar."

- When I had a virus (a few years ago), this virus interfered badly with PowerTool, Radix, SpyDllRemover, Gmer... it would be nice to protect such software... and browser extensions/add-ons.
PowerTool has "simple self-protection", but it is rather very simple, because the virus still interfered.

And what do you think about protecting the CENT browser? Also Iron, SeaMonkey, Opera?
...and the Registry?
 
Very pleased that I can save my rules now. I only have six enabled in Advanced Settings, but these will be the baseline for the future. Now I don't have to mess with Windows Defender for the same or similar protections either (e.g. block execution of .vbs scripts).
 
I know I've made a post about this before, and I've read about all the new releases, but are the drivers signed now? I thought I might have missed something, and I thought it was coming this week :unsure:
 
You didn't miss anything. The dev says it will take him a few more days.
 
I get a slow boot on my XP again; OSArmor conflicts with Privatefirewall, and there are no errors in the log folder. The Qihoo 360 startup timer shows a 3m53s boot with OSArmor and Privatefirewall, but when I disable the Privatefirewall startup process and service, boot time is 17 sec; it is the same boot time if I disable OSArmor startup and enable Privatefirewall startup.
(attachment: Boot.JPG)
 
Here is a new v1.4 (pre-release) (test15):
http://downloads.novirusthanks.org/files/osarmor_setup_1.4_test15.exe

*** Please do not share the download link, we will delete it when we'll release the official v1.4 ***

So far this is what's new compared to the previous pre-release:

+ Block execution of .jar scripts (unchecked by default)
+ Block execution of netsh.exe from specific processes (unchecked by default)
+ Block specific processes from self-executing (unchecked by default) *** Experimental ***
+ Exclusions.db and CustomBlock.db are now in UTF-8 format
+ Improved detection of suspicious Explorer behaviors
+ Minor fixes and optimizations

To install this pre-release, first uninstall the old one.

For the final release we are still missing:

* Driver co-signed with MS for Secure Boot
* Some more days of testing to find out if there are other FPs to fix
* Probably enable "Block execution of .vbs scripts" by default
* Fix issues reported by @Stas (and others) on XP OS

I recommend all OSA users change the .db file format to UTF-8:

1) Open Notepad as Admin
2) Click File -> Open and select "C:\Program Files\NoVirusThanks\OSArmorDevSvc\Exclusions.db"
3) Click File -> Save As..., choose UTF-8 under "Encoding:", then click Save and overwrite the existing file
4) Do the same for CustomBlock.db

@Andy Ful

Yes, with the *FILEPATH vars you can allow all processes located in a folder (not its subfolders), like this:

[%PROCESSFILEPATH%: C:\MyPrograms\]

Then all .exe files located in C:\MyPrograms\ (not its subfolders) are matched.

@Prorootect

Added Cent Browser, and Opera is already present.

Registry protection is not available.

@DavidLMO

Clarification - this includes "derived from" products? E.G. Palemoon, Waterfox, Cliqz, and so on?

No, "Protect Mozilla Firefox" works only for Firefox and Firefox ESR.

I added support for Palemoon and Waterfox with their respective options.
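The following toy evaluator is an added example, not OSArmor's own code; it models the custom block-rule and exclusion syntax discussed in this thread (the SlimJet rule and its two Program Files exclusions, and the folder-only %PROCESSFILEPATH% behaviour). The matching semantics are assumptions drawn from the posts: "*" is a wildcard, paths compare case-insensitively, the *FILEPATH vars match files directly in the named folder but not in subfolders, and an exclusion that matches an event wins over a block rule. The real matcher may differ in details. The constructed events show why a bare [%PARENTPROCESS%: ...slimjet.exe] rule breaks the browser (a Chromium-based browser launches copies of itself as child processes, and the rule blocks those too) and how the exclusions restore it while still blocking, say, a PowerShell child.

```python
"""
Toy evaluator for OSArmor-style custom block-rules and exclusions.

Added example, not OSArmor's code. Semantics below are assumptions taken
from the thread: '*' is a wildcard, paths compare case-insensitively,
%PROCESSFILEPATH% / %PARENTFILEPATH% match files that sit directly in the
named folder (not in subfolders), and a matching exclusion wins over a
matching block rule.
"""
import fnmatch
import ntpath
import re
from dataclasses import dataclass

# Constructed rule sets in the [%VAR%: value] syntax shown in the thread.
# CustomBlock.db: block every child of SlimJet, and any .exe directly in C:\Users\
CUSTOM_BLOCK_DB = r"""
[%PARENTPROCESS%: C:\Program Files\Slimjet\slimjet.exe]
[%PROCESSFILEPATH%: C:\Users\]
"""
# Exclusions.db: the two exclusions suggested for SlimJet in the thread
EXCLUSIONS_DB = r"""
[%PARENTPROCESS%: C:\Program Files\Slimjet\slimjet.exe] [%PROCESS%: C:\Program Files\*]
[%PARENTPROCESS%: C:\Program Files\Slimjet\slimjet.exe] [%PROCESS%: C:\Program Files (x86)\*]
"""

COND_RE = re.compile(r"\[%(\w+)%:\s*([^\]]*?)\s*\]")


@dataclass
class Event:
    process: str   # full path of the process being started
    parent: str    # full path of its parent process


def parse_rules(db_text):
    """One rule per line; a rule is a list of (VAR, value) conditions that must all hold."""
    rules = []
    for line in db_text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            conds = COND_RE.findall(line)
            if conds:
                rules.append(conds)
    return rules


def _same(path, pattern):
    # Case-insensitive Windows path comparison with '*' wildcards (assumption).
    return fnmatch.fnmatchcase(ntpath.normcase(path), ntpath.normcase(pattern))


def _cond_matches(var, value, ev):
    var = var.upper()
    if var == "PROCESS":
        return _same(ev.process, value)
    if var == "PARENTPROCESS":
        return _same(ev.parent, value)
    if var in ("PROCESSFILEPATH", "PARENTFILEPATH"):
        target = ev.process if var == "PROCESSFILEPATH" else ev.parent
        # Folder-only match: the file's directory must equal the rule's folder.
        # "C:\X\" means every file in C:\X; "C:\X\*.exe" narrows the file name.
        rule_dir, name_pat = ntpath.split(value)
        ev_dir, ev_name = ntpath.split(target)
        return _same(ev_dir, rule_dir) and _same(ev_name, name_pat or "*")
    raise ValueError("unsupported variable: %%%s%%" % var)


def _rule_matches(rule, ev):
    return all(_cond_matches(var, value, ev) for var, value in rule)


def decide(ev, block_rules, exclusions):
    """'allow' if no block rule matches, 'excluded' if an exclusion rescues it, else 'block'."""
    if not any(_rule_matches(r, ev) for r in block_rules):
        return "allow"
    if any(_rule_matches(r, ev) for r in exclusions):
        return "excluded"
    return "block"


SLIMJET = r"C:\Program Files\Slimjet\slimjet.exe"
# Constructed events. A Chromium-based browser launches copies of itself
# (renderer/GPU processes), which is why a bare parent-process rule breaks it.
EVENTS = {
    "renderer":   Event(SLIMJET, SLIMJET),
    "powershell": Event(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", SLIMJET),
    "temp_drop":  Event(r"C:\Users\bob\AppData\Local\Temp\dropper.exe", r"C:\Windows\explorer.exe"),
    "users_root": Event(r"C:\Users\dropper.exe", r"C:\Windows\explorer.exe"),
}


def run_demo(with_exclusions=True):
    """Evaluate every constructed event; returns {name: verdict}."""
    blocks = parse_rules(CUSTOM_BLOCK_DB)
    excls = parse_rules(EXCLUSIONS_DB) if with_exclusions else []
    return {name: decide(ev, blocks, excls) for name, ev in EVENTS.items()}


if __name__ == "__main__":
    for label, on in (("block rule only", False), ("with exclusions", True)):
        print(label, run_demo(on))
```

Note that an exclusion is exactly as broad as its wildcard: with [%PROCESS%: C:\Program Files\*] any executable anywhere under Program Files that the browser spawns is allowed, so the exclusion is only as safe as the write permissions on that tree. The folder-only *FILEPATH vars let you scope a rule to one directory without that spill-over into subfolders.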