NoVirusThanks OSArmor

Chimaira

Chimaira

Level 4
Verified
Well-known
Jan 5, 2018
163
I've already reported this to @NoVirusThanks but wanted to inform everybody here. I was having an issue starting with test22 release with the Configurator GUI not opening up, turned out to be a conflict on my end. I was running VooodooShield 4.15, the second I shut it down the GUI popped up.

So just a fair warning to others that you could experience conflicts running OSArmor with Voodoo. I've uninstalled VoodooShield, I'm not giving up my OSArmor. :)
 
  • Like
Reactions: Rebsat, Sunshine-boy, Andy Ful and 4 others
N

NormanF

Level 9
Verified
Jan 11, 2018
404
Chimaira said:
I've already reported this to @NoVirusThanks but wanted to inform everybody here. I was having an issue starting with test22 release with the Configurator GUI not opening up, turned out to be a conflict on my end. I was running VooodooShield 4.15, the second I shut it down the GUI popped up.

So just a fair warning to others that you could experience conflicts running OSArmor with Voodoo. I've uninstalled VoodooShield, I'm not giving up my OSArmor. :)
Click to expand...


If you need an AE, NVT's ERP will run with no conflict alongside OSArmor.
 
  • Like
Reactions: plat1098, Prorootect, Sunshine-boy and 2 others
shmu26

shmu26

Level 85
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Jul 3, 2015
8,153
I enabled some of the advanced options (can't remember exactly which ones), and at reboot, werfault recorded an error from Macrium Reflect UI. (I only knew about it because SpyShelter Firewall politely asked me if Macrium Reflect UI is allowed to execute werfault.exe.)
OSA did not show any block. The number of blocked processes remained zero. I assume that is because the event took place before OSA GUI finished loading?
 
  • Like
Reactions: Sunshine-boy and Andy Ful
Windows_Security

Windows_Security

Level 24
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Mar 13, 2016
1,298
Prorootect said:
shmu26 wrote:
"cmd.exe should not be blocked for the average user. If it is, there will be problems right and left."

But this is used by ransomware, so .cmd is an important file extension to block.
Click to expand...

I think Windows10 itself uses Powershell, but third-party installers often use CMD in stead of Powershell, so in future there will be less problems by disabling cmd.
 
  • Like
Reactions: Sunshine-boy, Prorootect, Andy Ful and 1 other person
5

509322

@shmu26

Windows uses cmd.exe to update Windows; Average Joe is clueless about what anything is doing. An advanced user can get away with disabling cmd.exe, but it will be more convenient simply to disable .bat and .cmd in User Space and have cmd.exe run with limited privileges.

@Windows_Security

In the vast majority of cases Windows 10 still uses cmd.exe; PowerShell is only used heavily in certain commercial\enterprise environments by IT admins and not by Windows itself. I have no idea why Microsoft chose to replace cmd with PowerShell in the WIN + X menu because cmd.exe is still the go-to choice for the vast majority of home users. Average Joe is just a spectator in all of this.

PowerShell should be disabled by home users if they do not need it.
 
  • Like
Reactions: paulderdash, simmerskool, Sunshine-boy and 4 others
shmu26

shmu26

Level 85
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Jul 3, 2015
8,153
Windows_Security said:
I think Windows10 itself uses Powershell, but third-party installers often use CMD in stead of Powershell, so in future there will be less problems by disabling cmd.
Click to expand...
The only time windows 10 uses powershell is every once in a while, when it is installing and/or updating windows store apps, AFAIK.
But cmd.exe is used by a variety of programs, and not just when they are installing. Also during regular use.
I am speaking of the present time. I agree that Microsoft might use powershell more in the future.
 
  • Like
Reactions: Azure, Sunshine-boy, Prorootect and 1 other person
Chimaira

Chimaira

Level 4
Verified
Well-known
Jan 5, 2018
163
shmu26 said:
The only time windows 10 uses powershell is every once in a while, when it is installing and/or updating windows store apps, AFAIK.
But cmd.exe is used by a variety of programs, and not just when they are installing. Also during regular use.
I am speaking of the present time. I agree that Microsoft might use powershell more in the future.
Click to expand...

This is what I figured, I blocked powershell in OSArmor and left cmd.exe unblocked.
 
  • Like
Reactions: Prorootect and shmu26
D

Deleted member 178

shmu26 said:
I enabled some of the advanced options (can't remember exactly which ones), and at reboot, werfault recorded an error from Macrium Reflect UI. (I only knew about it because SpyShelter Firewall politely asked me if Macrium Reflect UI is allowed to execute werfault.exe.)
OSA did not show any block. The number of blocked processes remained zero. I assume that is because the event took place before OSA GUI finished loading?
Click to expand...
it is about MS Altitude mechanism, since OSA drivers are more recent than SpS; so SpS act before OSA, and OSA has nothing to block.
 
  • Like
Reactions: Solarlynx and Andy Ful
T

tiktoshi

Level 5
Verified
Jan 19, 2015
205
Block file as soon as you change the name xxxxxxxx

2018-01-12_12-25-07.jpg



..............................................................................


2018-01-12_12-25-44.jpg
 
  • Like
Reactions: Prorootect, Andy Ful and Deleted member 65228
D

Deleted member 65228

tiktoshi said:
Block file as soon as you change the name xxxxxxxx
Click to expand...
In all fairness, a file-name like xxxxxxxx.exe is pretty damn suspicious - if you execute that when that was the default file-name without ensuring it is truly genuine and safe then that is 100% begging for an infection. Scrap that, the original file-name before the change is suspicious as well in my opinion.

I like how NVT OSArmor blocked it after the file-name change. (y)
 
  • Like
Reactions: plat1098, simmerskool, upnorth and 4 others
shmu26

shmu26

Level 85
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Jul 3, 2015
8,153
Umbra said:
it is about MS Altitude mechanism, since OSA drivers are more recent than SpS; so SpS act before OSA, and OSA has nothing to block.
Click to expand...
I was trying to say that Reflect UI was blocked from doing
Umbra said:
it is about MS Altitude mechanism, since OSA drivers are more recent than SpS; so SpS act before OSA, and OSA has nothing to block.
Click to expand...
I was trying to say something different, sorry I was not clear. I was saying that OSA advanced settings made something go wrong with Macrium Reflect, and I only knew that it went wrong because SpyShelter Firewall's application execution control told me about werfault.
 
  • Like
Reactions: simmerskool
E

Evjl's Rain

Level 47
Thread author
Verified
Honorary Member
Top Poster
Content Creator
Malware Hunter
Apr 18, 2016
3,684
Is it possible that we can view the detail of the pre-defined rules? With a button, such as a "?"
for example, I'm using foxit phantomPDF but according to the UI, OSA only support anti-exploit of Foxit reader, if I'm not mistaken

I want to see how you make a rule for a specific program so we can copy and modify it to suit other similar programs

I created a custom block rule for foxit phantomPDF
[%PARENTPROCESS%: C:\Program Files (x86)\Foxit Software\Foxit PhantomPDF\FoxitPhantomPDF.exe]
Click to expand...

but this blocked the access of foxit phantom to splwow64.exe so I made 2 exclusion rules
[%PROCESS%: C:\Program Files (x86)\Foxit Software\Foxit PhantomPDF\*] [%PARENTPROCESS%: C:\Program Files (x86)\Foxit Software\Foxit PhantomPDF\FoxitPhantomPDF.exe]
[%PROCESS%: C:\Windows\splwow64.exe] [%PARENTPROCESS%: C:\Program Files (x86)\Foxit Software\Foxit PhantomPDF\FoxitPhantomPDF.exe]
Click to expand...
 
Last edited:
  • Like
Reactions: darko999, harlan4096, simmerskool and 2 others
NoVirusThanks

NoVirusThanks

From NoVirusThanks
Verified
Developer
Well-known
Aug 23, 2012
293
Here is a small preview of the new notification dialog:

osarmor-new.png


- You can exclude more easily the events via the "Exclude" button
- The "Exclude" button opens the "Exclusions Helper" GUI with pre-filled fields
- You can open the logs folder via the "Open Logs" button
- You can set the notification dialog to not auto-close and keep it open
- You can manually close the notification dialog via the "X" button on top-right

Will upload the new build tomorrow.

@Evjl's Rain

The Anti-Exploit module uses different rules and additional checks and can't be recreated with custom block-rules.

What we can do in future versions may be to allow user to add new apps inside Anti-Exploit tab.

I will add PhantomPDF to Anti-Exploit tab on the next test build (y)
 
  • Like
Reactions: tonibalas, silversurfer, Deletedmessiah and 8 others

Similar threads

way hodge
    • Like
    • HaHa
    • Wow
Advice Request TTB Internet Security [ Worst Antivirus Program for Mobile & Desktop ]
Replies
8
Views
681
Other security for Windows, Mac, Linux
cartaphilus
cartaphilus
Brownie2019
    • Like
New Update Avast One Basic It’s free
Replies
1
Views
364
Avast
Bot
Bot
D
    • Like
    • +Reputation
    • Love
For additional security/privacy: "MajorPrivacy" (upgraded from "PrivateWin10")
Replies
23
Views
1,843
System utilities
Digmor Crusher
Digmor Crusher

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

Quick Navigation

Forum Rules Warning System Welcome Guide Two-factor Authentication

User Menu

Login

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top