NoVirusThanks OSArmor

DavidLMO

Level 4
Dec 25, 2017
160
Even the settings that block all unsigned processes in appdata could probably be enabled by most users, but only if the user is ready to disable OSA when installing and updating programs. Otherwise, he will be very frustrated.

This IS a very important thing that Joe/Jane will encounter. I was installing an app (Zoek) and forgot to turn OSA off. (I was only running OSA as a security app at the time to ensure other SecApps were not interfering.)

OSA (running on default settings) blocked the app, but that caused some Windows errors and a loop that took me a bit to figure out. Average Joe/Jane would be quite frustrated and likely blame it on OSA.

I am sure that some of the default rules will cause such problems with other progs - particularly when installing.

In this case the program was Zoek (a useful tool for advanced users, but dangerous in the hands of newbies).

Here are the first two Log entries:

Date/Time: 1/9/2018 12:49:41 AM
Process: [11396]C:\Windows\SysWOW64\mshta.exe
Parent: [1896]C:\Windows\SysWOW64\c-m-d.exe
Rule: BlockHtaScripts
Rule Name: Block execution of .hta scripts
Command Line: "C:\Windows\SysWOW64\mshta.exe" "C:\Users\David\AppData\Local\Temp\zoek.hta"
Signer:
Parent Signer:

Date/Time: 1/9/2018 12:49:43 AM
Process: [364]C:\Windows\SysWOW64\reg.exe
Parent: [1896]C:\Windows\SysWOW64\c-m-d.exe
Rule: BlockSuspiciousCmdlines
Rule Name: Block execution of suspicious command-line strings
Command Line: reg.exe add "HKEY_CLASSES_ROOT\.hta" /f
Signer:
Parent Signer:
 

shmu26

Level 85
Verified
Helper
Top poster
Content Creator
Well-known
Jul 3, 2015
8,131
Yeah, I see what you mean. It is very unusual for mshta to be used by a program installer, but c-m-d.exe should not be blocked for the average user. If it is, there will be problems right and left.
 

NoVirusThanks

From NoVirusThanks
Verified
Developer
Well-known
Aug 23, 2012
221
Here is a new v1.4 (pre-release) (test22):
http://downloads.novirusthanks.org/files/osarmor_setup_1.4_test22.exe

*** Please do not share the download link, we will delete it when we release the official v1.4 ***

So far this is what's new compared to the previous pre-release:

+ We now have 150+ protection options in the Configurator GUI
+ Improved support for Windows XP OS (2)
+ Added an exclamation icon to the left of protection options that can create FPs
+ Block execution of .msc scripts outside System folder
+ A lot of internal rules have been improved
+ Fixed all reported false positives

New protection options to mitigate specific attacks and UAC\DeviceGuard\AppLocker\etc bypasses:

+ Prevent winword.exe from loading DLLs with /L switch
+ Prevent DLL\Exe execution via Tracker.exe
+ Prevent ieexec.exe from loading remote files
+ Prevent msiexec.exe from loading MSI files masked as PNG files
+ Block execution of .msi installer scripts (*can create many FPs*)
+ Prevent MavInject32.exe from loading DLLs in running processes
+ Prevent AtBroker.exe from using /start switch to run processes
+ Block processes executed from AtBroker.exe
+ Prevent msxsl.exe from loading .xsl scripts
+ Prevent MSBuild.exe from loading .csproj scripts
+ Prevent odbcconf.exe from loading .rsp scripts
+ Block F# Interactive (fsi.exe) from executing F# scripts
+ And many more, see screenshot:

osa-22.png


Yes, we are very paranoid :)

To install this pre-release, first uninstall the old one (important).

@Evjl's Rain

Will have to check OSA with Fast Boot enabled, should do that tomorrow.

I was researching Fast Boot issues and found this, may be of interest:

Windows 8/8.1 or 10 and Fast Start feature | Norton Community
The Pros and Cons of Windows 10’s “Fast Startup” Mode
Windows 10 Fast Startup could be detrimental to your computer
Recommending Users Turn Off Fast Start | Norton Community
 

Chimaira

Level 4
Verified
Well-known
Jan 5, 2018
180
I know it's paranoia but seeing all those things I can block makes me happy. Every release is joy. :)
 

Chimaira

Level 4
Verified
Well-known
Jan 5, 2018
180
The Configurator won't open on this release for me. I've uninstalled the previous version and removed all traces and installed the new version.
 

Slyguy

Level 44
Jan 27, 2017
3,329
I'm becoming worried with each new release. I feel it could be blocking too much and causing too many headaches. With earlier versions I could put it on my son's computer and not have any issues. As subsequent versions were installed it's become more of an issue with a good many conflicts involved with it. It was blocking Smite, Smite's Anti-Cheat Engine and some bootleg Runescape servers, possibly other things so I simply had to remove it as I don't have time to tweak it.

Maybe I am in the minority but as its complexity has risen, so have issues and it's become much more than a small fire and forget app to supplement security. :unsure:

Also, I'm astounded anyone is running Windows XP in 2018.. Especially since XP (and hardware running XP) will likely never receive any fixes for Meltdown and Spectre. XP is viewed as incredibly dangerous to run in the modern age. Just my opinion, but why?
 

NoVirusThanks

From NoVirusThanks
Verified
Developer
Well-known
Aug 23, 2012
221
I updated the test22 setup file, please re-download it and install the new one:
http://downloads.novirusthanks.org/files/osarmor_setup_1.4_test22.exe

File: osarmor_setup_1.4_test22.exe
File size: 6,52 MB (6.839.448 bytes)
MD5 checksum: F3F0F66CBCA78EBD01252A6D797312B9
SHA1 checksum: 9A1B71DEC2E1944E516C7312FB4B40829815D3D2
SHA256 checksum: 81A94C5B33D4D1FFCD30531F25456E9D1B49AAE608A7A048291AC88FEAE55351

* Make sure these options are not enabled by default (issue on the previous test22 setup):
* Block execution of Windows Command Prompt (c-m-d.exe)
* Block execution of Windows PowerShell

@Chimaira

Try to uninstall it, reboot and install the new test22.

@Slyguy

In the next version, v1.5, we'll make it very simple: it will allow the user to select one of 3 protection options:

Basic Protection (good for any beginner user)
Medium Protection (good for experienced users)
Extreme Protection (good for very experienced users)

Now that we have completed most protection options, we just need to present them more simply to the user.
 

Chimaira

Level 4
Verified
Well-known
Jan 5, 2018
180
Uninstalled, rebooted, installed the updated version. Still the same issue. :(
 

Chimaira

Level 4
Verified
Well-known
Jan 5, 2018
180
Alright. I will be away from the site for several hours, if you need any information from me let me know and I will provide it later on today.
 

NoVirusThanks

From NoVirusThanks
Verified
Developer
Well-known
Aug 23, 2012
221
Here is a new v1.4 (pre-release) (test23):
http://downloads.novirusthanks.org/files/osarmor_setup_1.4_test23.exe

*** Please do not share the download link, we will delete it when we'll release the official v1.4 ***

So far this is what's new compared to the previous pre-release:

+ Now calc.exe is blocked via the Anti-Exploit module
+ Block execution of unsigned processes on Temp Folder (unchecked by default)
+ Block execution of unsigned processes on Windows Temp (unchecked by default)
+ Minor fixes and optimizations

To install this pre-release, first uninstall the old one.

Here is a new video where I tested OSArmor (test23) with HitmanPro.Alert Exploit Test Tool:

 

Andy Ful

Level 79
Verified
Helper
Top poster
Developer
Well-known
Dec 23, 2014
6,812
Yep, fully agree with you, but give Andreas some time. Maybe in the future @NoVirusThanks will add a slider and automate this for the average PC user (with loose, medium, strict and paranoid as options on the slider). For the time being this is a safe set of options.

@Andy Ful would you please have a look and double check the options I have enabled (but more important deselected). The idea is to allow scripts and shell (don't disable them), but block them from acting suspiciously (e.g. add them to exploit protection and block spawning of processes by them).
Sadly, I cannot check the options because the options in the different OSArmor versions have different ordering numbers.
From my previous tests it follows that VBS scripts cannot run EXE files from disk, when the below options are checked:
  1. Block any process executed from wscript.exe
  2. Block any process executed from cscript.exe
  3. Block any process executed from mmc.exe
  4. Block any process executed from wmiprvse.exe
This should also block running EXE files via JS and WSF scripts.
 
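An added example (not OSArmor's code, and not posted by anyone in the thread): a small Python parser for the log format DavidLMO quoted, with a rule check that reproduces the two blocks seen in those entries and the parent-process options Andy Ful lists. The third log entry (tool.exe launched by wscript.exe) and the rule ids are constructed for illustration.

```python
import re
from typing import Dict, List, Optional
# Constructed sample in the OSArmor log format quoted above (Signer lines omitted);
# the third entry is invented to exercise the wscript.exe parent rule.
SAMPLE_LOG = r"""Date/Time: 1/9/2018 12:49:41 AM
Process: [11396]C:\Windows\SysWOW64\mshta.exe
Parent: [1896]C:\Windows\SysWOW64\c-m-d.exe
Command Line: "C:\Windows\SysWOW64\mshta.exe" "C:\Users\David\AppData\Local\Temp\zoek.hta"

Date/Time: 1/9/2018 12:49:43 AM
Process: [364]C:\Windows\SysWOW64\reg.exe
Parent: [1896]C:\Windows\SysWOW64\c-m-d.exe
Command Line: reg.exe add "HKEY_CLASSES_ROOT\.hta" /f

Date/Time: 1/9/2018 12:50:02 AM
Process: [2200]C:\Users\David\AppData\Local\Temp\tool.exe
Parent: [2100]C:\Windows\System32\wscript.exe
Command Line: "C:\Users\David\AppData\Local\Temp\tool.exe"
"""
# Script/automation hosts whose child processes Andy Ful's four options block.
BLOCKED_PARENTS = {"wscript.exe", "cscript.exe", "mmc.exe", "wmiprvse.exe"}
# Narrow form of entry 2's suspicious command line: reg.exe rewriting a file-type key under HKCR.
HKCR_ASSOC_RE = re.compile(r'\breg(?:\.exe)?\s+add\s+"?HKEY_CLASSES_ROOT\\\.', re.I)

def parse_entries(text: str) -> List[Dict[str, str]]:
    """Split blank-line-separated entries into {field: value} dicts."""
    entries = []
    for chunk in re.split(r"\n\s*\n", text.strip()):
        fields = {}
        for line in chunk.splitlines():
            key, _, value = line.partition(":")  # first colon only, so "C:" stays in the path
            fields[key.strip()] = value.strip()
        entries.append(fields)
    return entries

def basename(pid_path: str) -> str:
    """'[1896]C:\\Windows\\SysWOW64\\c-m-d.exe' -> 'c-m-d.exe' (PID prefix and directory dropped)."""
    return re.sub(r"^\[\d+\]", "", pid_path).rsplit("\\", 1)[-1].lower()

def match_rule(entry: Dict[str, str]) -> Optional[str]:
    """Return the id of the first rule the entry would trip, or None if it would be allowed."""
    proc, parent = basename(entry.get("Process", "")), basename(entry.get("Parent", ""))
    cmd = entry.get("Command Line", "")
    if proc == "mshta.exe" and ".hta" in cmd.lower():
        return "BlockHtaScripts"
    if HKCR_ASSOC_RE.search(cmd):
        return "BlockSuspiciousCmdlines"
    if parent in BLOCKED_PARENTS:
        return "BlockAnyProcessFrom_" + parent
    return None
```

Running `[match_rule(e) for e in parse_entries(SAMPLE_LOG)]` shows why an installer that drives mshta.exe and reg.exe from a command prompt trips the default rules, and how a parent-based rule catches the script-host case without blocking the script host itself.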

NormanF

Level 2
Verified
Jan 11, 2018
51
It blocks some useful .vbs scripts like the one that clears and resets Windows systray icons.