NoVirusThanks OSArmor

Chimaira

Level 4
Verified
Well-known
Jan 5, 2018
163
I've already reported this to @NoVirusThanks but wanted to inform everybody here. I was having an issue starting with the test22 release with the Configurator GUI not opening up; it turned out to be a conflict on my end. I was running VoodooShield 4.15, and the second I shut it down the GUI popped up.

So just a fair warning to others that you could experience conflicts running OSArmor with Voodoo. I've uninstalled VoodooShield, I'm not giving up my OSArmor. :)
 

NormanF

Level 8
Verified
Jan 11, 2018
355
I've already reported this to @NoVirusThanks but wanted to inform everybody here. I was having an issue starting with the test22 release with the Configurator GUI not opening up; it turned out to be a conflict on my end. I was running VoodooShield 4.15, and the second I shut it down the GUI popped up.

So just a fair warning to others that you could experience conflicts running OSArmor with Voodoo. I've uninstalled VoodooShield, I'm not giving up my OSArmor. :)


If you need an AE, NVT's ERP will run with no conflict alongside OSArmor.
 

shmu26

Level 85
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Jul 3, 2015
8,153
I enabled some of the advanced options (can't remember exactly which ones), and at reboot, werfault recorded an error from Macrium Reflect UI. (I only knew about it because SpyShelter Firewall politely asked me if Macrium Reflect UI is allowed to execute werfault.exe.)
OSA did not show any block. The number of blocked processes remained zero. I assume that is because the event took place before OSA GUI finished loading?
 

Windows_Security

Level 24
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Mar 13, 2016
1,298
shmu26 wrote:
"cmd.exe should not be blocked for the average user. If it is, there will be problems right and left."

But this is used by ransomware, so .cmd is an important file extension to block.

I think Windows 10 itself uses PowerShell, but third-party installers often use CMD instead of PowerShell, so in future there will be fewer problems by disabling cmd.
 

509322

@shmu26

Windows uses cmd.exe to update Windows; Average Joe is clueless about what anything is doing. An advanced user can get away with disabling cmd.exe, but it will be more convenient simply to disable .bat and .cmd in User Space and have cmd.exe run with limited privileges.

@Windows_Security

In the vast majority of cases Windows 10 still uses cmd.exe; PowerShell is only used heavily in certain commercial/enterprise environments by IT admins and not by Windows itself. I have no idea why Microsoft chose to replace cmd with PowerShell in the WIN + X menu, because cmd.exe is still the go-to choice for the vast majority of home users. Average Joe is just a spectator in all of this.

PowerShell should be disabled by home users if they do not need it.
 

shmu26

Level 85
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Jul 3, 2015
8,153
I think Windows 10 itself uses PowerShell, but third-party installers often use CMD instead of PowerShell, so in future there will be fewer problems by disabling cmd.
The only time Windows 10 uses PowerShell is every once in a while, when it is installing and/or updating Windows Store apps, AFAIK.
But cmd.exe is used by a variety of programs, and not just when they are installing. Also during regular use.
I am speaking of the present time. I agree that Microsoft might use PowerShell more in the future.
 

Chimaira

Level 4
Verified
Well-known
Jan 5, 2018
163
The only time Windows 10 uses PowerShell is every once in a while, when it is installing and/or updating Windows Store apps, AFAIK.
But cmd.exe is used by a variety of programs, and not just when they are installing. Also during regular use.
I am speaking of the present time. I agree that Microsoft might use PowerShell more in the future.

This is what I figured. I blocked PowerShell in OSArmor and left cmd.exe unblocked.
 

Deleted member 178

I enabled some of the advanced options (can't remember exactly which ones), and at reboot, werfault recorded an error from Macrium Reflect UI. (I only knew about it because SpyShelter Firewall politely asked me if Macrium Reflect UI is allowed to execute werfault.exe.)
OSA did not show any block. The number of blocked processes remained zero. I assume that is because the event took place before OSA GUI finished loading?
It is about the MS altitude mechanism: since OSA's drivers are more recent than SpS's, SpS acts before OSA, and OSA has nothing to block.
 

tiktoshi

Level 5
Verified
Jan 19, 2015
205
Block file as soon as you change the name xxxxxxxx

[Attachment: 2018-01-12_12-25-07.jpg]

[Attachment: 2018-01-12_12-25-44.jpg]
 

Deleted member 65228

Block file as soon as you change the name xxxxxxxx
In all fairness, a file name like xxxxxxxx.exe is pretty damn suspicious; if you execute that when that was the default file name, without ensuring it is truly genuine and safe, then that is 100% begging for an infection. Scrap that, the original file name before the change is suspicious as well, in my opinion.

I like how NVT OSArmor blocked it after the file name change. (y)
 

shmu26

Level 85
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Jul 3, 2015
8,153
It is about the MS altitude mechanism: since OSA's drivers are more recent than SpS's, SpS acts before OSA, and OSA has nothing to block.
I was trying to say that Reflect UI was blocked from doing
I was trying to say something different, sorry I was not clear. I was saying that OSA advanced settings made something go wrong with Macrium Reflect, and I only knew that it went wrong because SpyShelter Firewall's application execution control told me about werfault.
 

Evjl's Rain

Level 47
Thread author
Verified
Honorary Member
Top Poster
Content Creator
Malware Hunter
Apr 18, 2016
3,684
Is it possible that we can view the details of the pre-defined rules? With a button, such as a "?"
For example, I'm using Foxit PhantomPDF, but according to the UI, OSA only supports anti-exploit for Foxit Reader, if I'm not mistaken.

I want to see how you make a rule for a specific program so we can copy and modify it to suit other similar programs.

I created a custom block rule for foxit phantomPDF
[%PARENTPROCESS%: C:\Program Files (x86)\Foxit Software\Foxit PhantomPDF\FoxitPhantomPDF.exe]

but this blocked Foxit PhantomPDF's access to splwow64.exe, so I made 2 exclusion rules
[%PROCESS%: C:\Program Files (x86)\Foxit Software\Foxit PhantomPDF\*] [%PARENTPROCESS%: C:\Program Files (x86)\Foxit Software\Foxit PhantomPDF\FoxitPhantomPDF.exe]
[%PROCESS%: C:\Windows\splwow64.exe] [%PARENTPROCESS%: C:\Program Files (x86)\Foxit Software\Foxit PhantomPDF\FoxitPhantomPDF.exe]
 
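The interplay in the post above is the classic over-blocking problem: a block rule keyed only on the parent process catches every child of FoxitPhantomPDF.exe, including the legitimate print-spooler helper splwow64.exe, and two narrower exclusion rules carve the legitimate children back out. The following Python evaluator is an added illustration of that logic; it is not OSArmor's code and not from the thread. The field names %PROCESS% and %PARENTPROCESS% and the three rule strings are the ones posted above; the matching semantics (case-insensitive comparison, `*` as a wildcard that may span directory separators, exclusions checked before block rules), the sample process events and the FoxitPhantomPDFUpdater.exe file name are assumptions constructed for the example.

```python
"""Toy evaluator for parent/child process block rules with exclusions.

Added example, not OSArmor's code. It models the two rule shapes posted in
the thread:
    [%PARENTPROCESS%: <path>]
    [%PROCESS%: <path>] [%PARENTPROCESS%: <path>]
Matching semantics (case-insensitive comparison, '*' wildcard, exclusions
checked before block rules) are assumptions made for this illustration.
"""
import fnmatch
import re
from dataclasses import dataclass

# Captures each "[%FIELD%: value]" pair; only the two fields seen in the thread.
FIELD_RE = re.compile(r"\[%(PROCESS|PARENTPROCESS)%:\s*([^\]]+)\]")


@dataclass(frozen=True)
class ProcessEvent:
    """A process-start event: the image being launched and the image that launched it."""
    process: str
    parent: str


def parse_rule(text: str) -> dict:
    """Turn rule text into {'process': pattern, 'parentprocess': pattern}; fields are optional."""
    fields = {name.lower(): value.strip() for name, value in FIELD_RE.findall(text)}
    if not fields:
        raise ValueError(f"unparseable rule: {text!r}")
    return fields


def _path_matches(pattern: str, path: str) -> bool:
    """Case-insensitive glob match; '*' may span directory separators."""
    return fnmatch.fnmatchcase(path.lower(), pattern.lower())


def rule_matches(rule: dict, event: ProcessEvent) -> bool:
    """A rule matches only when every field it specifies matches the event."""
    actual = {"process": event.process, "parentprocess": event.parent}
    return all(_path_matches(pat, actual[field]) for field, pat in rule.items())


def decide(event: ProcessEvent, block_rules: list, exclusion_rules: list) -> tuple:
    """Return ('allow'|'block', matching rule or None). Exclusions win over blocks."""
    for rule in exclusion_rules:
        if rule_matches(rule, event):
            return "allow", rule
    for rule in block_rules:
        if rule_matches(rule, event):
            return "block", rule
    return "allow", None


# The rules exactly as posted in the thread.
FOXIT = r"C:\Program Files (x86)\Foxit Software\Foxit PhantomPDF\FoxitPhantomPDF.exe"
BLOCK_RULES = [parse_rule(f"[%PARENTPROCESS%: {FOXIT}]")]
EXCLUSION_RULES = [
    parse_rule(rf"[%PROCESS%: C:\Program Files (x86)\Foxit Software\Foxit PhantomPDF\*] [%PARENTPROCESS%: {FOXIT}]"),
    parse_rule(rf"[%PROCESS%: C:\Windows\splwow64.exe] [%PARENTPROCESS%: {FOXIT}]"),
]

# Constructed sample events (not captured from a real system).
SAMPLE_EVENTS = [
    # Print-spooler helper launched by the PDF application.
    ProcessEvent(r"C:\Windows\splwow64.exe", FOXIT),
    # Hypothetical vendor helper living in the vendor's own directory.
    ProcessEvent(r"C:\Program Files (x86)\Foxit Software\Foxit PhantomPDF\FoxitPhantomPDFUpdater.exe", FOXIT),
    # A shell spawned by the PDF application: the case the block rule exists for.
    ProcessEvent(r"C:\Windows\System32\cmd.exe", FOXIT),
    # A shell the user launched from Explorer; no rule applies.
    ProcessEvent(r"C:\Windows\System32\cmd.exe", r"C:\Windows\explorer.exe"),
]


def evaluate_all(events=SAMPLE_EVENTS, exclusions=EXCLUSION_RULES) -> list:
    """Verdict per event; pass exclusions=[] to see the over-blocking the exclusions fix."""
    return [decide(e, BLOCK_RULES, exclusions)[0] for e in events]


if __name__ == "__main__":
    for event, verdict in zip(SAMPLE_EVENTS, evaluate_all()):
        print(f"{verdict:5}  {event.process}  (parent: {event.parent})")
```

Running `evaluate_all(exclusions=[])` reproduces the symptom described in the post: with only the parent-process block rule in place, splwow64.exe and the vendor's own helper are blocked along with the shell. With the two exclusions added, only the cmd.exe child of the PDF application is blocked, while a cmd.exe launched from Explorer is untouched because no rule names that parent.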

NoVirusThanks

From NoVirusThanks
Verified
Developer
Well-known
Aug 23, 2012
292
Here is a small preview of the new notification dialog:

[Attachment: osarmor-new.png]


- You can exclude events more easily via the "Exclude" button
- The "Exclude" button opens the "Exclusions Helper" GUI with pre-filled fields
- You can open the logs folder via the "Open Logs" button
- You can set the notification dialog to not auto-close and keep it open
- You can manually close the notification dialog via the "X" button on top-right

Will upload the new build tomorrow.

@Evjl's Rain

The Anti-Exploit module uses different rules and additional checks and can't be recreated with custom block-rules.

What we can do in future versions may be to allow users to add new apps inside the Anti-Exploit tab.

I will add PhantomPDF to the Anti-Exploit tab in the next test build (y)
 
