NoVirusThanks OSArmor


Deleted member 178

Please add Splash player as well, thanks.
OSArmor has a conflict with ESET HIPS in interactive mode. I couldn't set my rules; also, Windows and the ESET HIPS GUI both froze.
Everything went back to normal when I removed OSArmor.
Why do you want to use OSA while you use ESET HIPS? It is redundant and worthless.
ESET HIPS monitors more stuff and will surely react before OSA...
OSA is made for people with HIPS/BB-less systems.
 

l0rdraiden

Level 3
Verified
Jul 28, 2017
108
Here is a small preview of the new notification dialog:


- You can exclude more easily the events via the "Exclude" button
- The "Exclude" button opens the "Exclusions Helper" GUI with pre-filled fields
- You can open the logs folder via the "Open Logs" button
- You can set the notification dialog to not auto-close and keep it open
- You can manually close the notification dialog via the "X" button on top-right

Will upload the new build tomorrow.

@Evjl's Rain

The Anti-Exploit module uses different rules and additional checks and can't be recreated with custom block-rules.

What we can do in future versions may be to allow user to add new apps inside Anti-Exploit tab.

I will add PhantomPDF to Anti-Exploit tab on the next test build (y)

In the popup I miss the information about the rule that triggered it, at least; but if you could replicate this information, it would be perfect.

When you exclude it via the popup, has it already been blocked? I mean, OSArmor has already blocked the event, breaking whatever was happening in case of a FP. If that is the case, I would prefer a pop-up system like a normal HIPS, where you can avoid breaking things.
 

Sunshine-boy

Level 28
Verified
Top Poster
Well-known
Apr 1, 2017
1,760
But ESET HIPS doesn't block things that OSArmor can block, like methods of bypassing UAC, or blocking unsigned stuff in AppData or the Windows temp folder; it also blocks fake system processes and more... ESET HIPS can't do what OSArmor can.
P.S. I fixed it.


Time;Application;Operation;Target;Action;Rule;Additional information
14/01/2018 14:38:05;C:\Program Files\NoVirusThanks\OSArmorDevSvc\OSArmorDevSvc.exe;Get access to another application;C:\Program Files\ESET\ESET Security\egui.exe;some access blocked;Self-Defense: Protect ekrn and egui processes;Terminate/suspend another application,Modify state of another application,Get access to another application

This is the problem! NoVirusThanks, can you please teach OSArmor not to bother ESET processes? I fixed the problem and they are working well, but you need to make some changes in your code :D

If someone wants to make it work: put HIPS in automatic mode, then allow everything (file, application and registry operations) for these 2 files: OSArmorDevCfg and OSArmorDevSvc, and turn interactive mode on again! Otherwise, it will conflict with ESET HIPS.
 
Last edited:
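Added example, not ESET's or OSArmor's own code: a small triage script for a semicolon-separated ESET HIPS log export like the line posted above. It parses the Time;Application;Operation;Target;Action;Rule;Additional information columns, counts blocked self-defense events per (application, target) pair, and lists the application paths that the post says must be allowed in ESET HIPS. The first record is the posted line; the other two records, and the path of OSArmorDevCfg.exe, are constructed for the demonstration.

```python
"""Triage an ESET HIPS log export for self-defense conflicts with OSArmor.

Added example, not ESET or OSArmor code. Column layout follows the log line
posted in the thread; the first data line is that line, the other two lines
(and the OSArmorDevCfg.exe path) are constructed."""
import csv
import io
import ntpath
from collections import Counter

HIPS_LOG = r"""Time;Application;Operation;Target;Action;Rule;Additional information
14/01/2018 14:38:05;C:\Program Files\NoVirusThanks\OSArmorDevSvc\OSArmorDevSvc.exe;Get access to another application;C:\Program Files\ESET\ESET Security\egui.exe;some access blocked;Self-Defense: Protect ekrn and egui processes;Terminate/suspend another application,Modify state of another application,Get access to another application
14/01/2018 14:38:07;C:\Program Files\NoVirusThanks\OSArmorDevSvc\OSArmorDevCfg.exe;Get access to another application;C:\Program Files\ESET\ESET Security\ekrn.exe;some access blocked;Self-Defense: Protect ekrn and egui processes;Get access to another application
14/01/2018 14:40:12;C:\Windows\explorer.exe;Start new application;C:\Program Files\7-Zip\7zFM.exe;allowed;Default rule;
"""


def parse_hips_log(text):
    """Return one dict per record, keyed by the header names. The delimiter is
    ';' so the comma-separated 'Additional information' field stays intact."""
    return list(csv.DictReader(io.StringIO(text), delimiter=";"))


def _is_blocked_self_defense(rec):
    return "self-defense" in rec["Rule"].lower() and "blocked" in rec["Action"].lower()


def self_defense_conflicts(records, vendor_hint="novirusthanks"):
    """Count blocked self-defense events as {(app_basename, target_basename): n}
    for applications whose path contains vendor_hint (case-insensitive)."""
    hits = Counter()
    for rec in records:
        app = ntpath.normcase(rec["Application"])
        if _is_blocked_self_defense(rec) and vendor_hint in app:
            target = ntpath.basename(ntpath.normcase(rec["Target"]))
            hits[(ntpath.basename(app), target)] += 1
    return hits


def suggested_exclusions(records):
    """Distinct application paths that collided with ESET self-defense, i.e.
    the binaries to allow in ESET HIPS before re-enabling interactive mode."""
    return sorted({rec["Application"] for rec in records if _is_blocked_self_defense(rec)})


if __name__ == "__main__":
    recs = parse_hips_log(HIPS_LOG)
    for pair, n in self_defense_conflicts(recs).items():
        print(f"{n}x {pair[0]} -> {pair[1]}")
    print("allow in ESET HIPS:", *suggested_exclusions(recs), sep="\n  ")
```

Run it against a real export (ESET can export the HIPS log to a text file) by replacing HIPS_LOG with the file contents; if the export uses a different delimiter, adjust the `delimiter` argument.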

shmu26

Level 85
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Jul 3, 2015
8,153
Just curious... Does OSA offer protection beyond what ERP provides?
OSA has a lot of rules that you won't find in ERP 3 at default settings. A user could add a lot of rules to ERP manually, if he is knowledgeable enough, but then he would be recreating what OSA already does.
I can't comment on ERP 4, because I haven't seen the more recent builds.
 

NoVirusThanks

From NoVirusThanks
Verified
Developer
Well-known
Aug 23, 2012
292
Here is a new v1.4 (pre-release) (test24):
http://downloads.novirusthanks.org/files/osarmor_setup_1.4_test24.exe

*** Please do not share the download link, we will delete it when we'll release the official v1.4 ***

So far this is what's new compared to the previous pre-release:

+ Block reg.exe from hijacking Registry startup entries
+ Block execution of unsigned processes on Desktop folder
+ Block execution of processes on Documents folder
+ Moved Block ExecutionPolicy Bypass and WindowStyle Hidden to Advanced tab
+ Added PhantomPDF on Anti-Exploit tab
+ Added many new internal rules
+ Improved handling of false positives
+ Added new tab "Settings" on Configurator
+ New option: Enable Passive Logging (do not block the process, just log the event)
+ New option: Show a notification window when something is blocked
+ New option: Automatically close the notification window
+ You can exclude more easily the events via the "Exclude" button
+ The "Exclude" button opens the "Exclusions Helper" GUI with pre-filled fields
+ You can open the logs folder via the "Open Logs" button
+ You can set the notification dialog to not auto-close and keep it open
+ You can manually close the notification dialog via the "X" button on top-right
+ Minor fixes and optimizations



@l0rdraiden

Added the label with the protection option triggered (on the notification window).

When you exclude it via popup, it has been already blocked?

Yes, we'll discuss the possibility of adding an ask dialog (as an option).

@Sunshine-boy

I've updated OSArmor to exclude ESET; hope this will fix it.

But I still think you may need to exclude OSArmor in ESET HIPS.
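The changelog above lists the kind of process-hardening options OSArmor enforces, and a later post in this thread notes that the Office-to-script-interpreter block only applies once the user enables that setting. The following is an added example, not OSArmor's own code (the product's rules and additional checks are internal): a toy rule engine that evaluates constructed process-creation events against rules named after the changelog options, honours per-rule user toggles and a passive-logging mode, applies an exclusion list like the one fed by the Exclude button, and reports which protection option triggered, as the new notification window does. The event fields, regexes, user-profile path, the Office rule being off by default, and all sample events are assumptions made for this demonstration.

```python
"""Toy rule engine in the style of OSArmor's process-hardening options.

Added example, not OSArmor's own code: the product's rules and extra checks
are internal. Rule names echo options from the v1.4 test24 changelog; the
event fields, regexes, profile path and sample events are constructed."""
import ntpath
import re
from dataclasses import dataclass

# User-toggleable protection options (constructed defaults). The Office rule
# starts off because the thread says it applies only once the user enables it
# (assumption here); "passive_logging" mirrors the "log, do not block" option.
DEFAULT_SETTINGS = {
    "Block ExecutionPolicy Bypass / WindowStyle Hidden": True,
    "Block reg.exe from hijacking Registry startup entries": True,
    "Block execution of unsigned processes on Desktop folder": True,
    "Block execution of processes on Documents folder": True,
    "Block Office apps from launching script interpreters": False,
    "passive_logging": False,
}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "cscript.exe", "wscript.exe"}
OFFICE_APPS = {"winword.exe", "excel.exe"}
# -ep / -ExecutionPolicy Bypass and -w / -WindowStyle Hidden (prefix abbreviations allowed)
PS_BYPASS = re.compile(r"-e(?:p|x\w*)\s+bypass|-w\w*\s+hidden", re.I)
# reg.exe add ...\CurrentVersion\Run or \RunOnce
REG_RUN_ADD = re.compile(r"\badd\b.*\\currentversion\\run(?:once)?\b", re.I)


@dataclass
class Event:
    image: str            # full path of the process being created
    cmdline: str          # its command line
    parent: str           # full path of the parent process
    signed: bool          # valid Authenticode signature on image (assumed verified elsewhere)
    profile: str = r"C:\Users\alice"   # constructed user profile folder


def _name(path):
    return ntpath.basename(ntpath.normcase(path))


def _under(path, folder):
    """Case-insensitive 'path lives inside folder' test with Windows path rules."""
    return ntpath.normcase(path).startswith(ntpath.normcase(folder).rstrip("\\") + "\\")


def rule_ps_bypass(e):
    return _name(e.image) in {"powershell.exe", "pwsh.exe"} and bool(PS_BYPASS.search(e.cmdline))

def rule_reg_startup(e):
    return _name(e.image) == "reg.exe" and bool(REG_RUN_ADD.search(e.cmdline))

def rule_unsigned_desktop(e):
    return not e.signed and _under(e.image, ntpath.join(e.profile, "Desktop"))

def rule_documents(e):
    return _under(e.image, ntpath.join(e.profile, "Documents"))

def rule_office_child(e):
    return _name(e.parent) in OFFICE_APPS and _name(e.image) in SCRIPT_HOSTS

RULES = [
    ("Block ExecutionPolicy Bypass / WindowStyle Hidden", rule_ps_bypass),
    ("Block reg.exe from hijacking Registry startup entries", rule_reg_startup),
    ("Block execution of unsigned processes on Desktop folder", rule_unsigned_desktop),
    ("Block execution of processes on Documents folder", rule_documents),
    ("Block Office apps from launching script interpreters", rule_office_child),
]


def evaluate(event, settings=None, exclusions=()):
    """Return (action, rule_name): 'allowed', 'blocked', or 'logged' when passive
    logging is on. exclusions are image paths excluded via the Exclude button."""
    s = {**DEFAULT_SETTINGS, **(settings or {})}
    if ntpath.normcase(event.image) in {ntpath.normcase(p) for p in exclusions}:
        return ("allowed", None)
    for name, check in RULES:                     # first enabled matching rule wins
        if s.get(name) and check(event):
            return ("logged" if s["passive_logging"] else "blocked", name)
    return ("allowed", None)


# Constructed process-creation events.
SAMPLE_EVENTS = [
    Event(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
          r"powershell.exe -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Users\alice\AppData\Local\Temp\u.ps1",
          r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE", True),
    Event(r"C:\Windows\System32\reg.exe",
          r'reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v Updater /t REG_SZ /d "C:\Users\alice\AppData\Roaming\upd.exe"',
          r"C:\Windows\System32\cmd.exe", True),
    Event(r"C:\Users\alice\Desktop\invoice.exe", "invoice.exe", r"C:\Windows\explorer.exe", False),
    Event(r"C:\Users\alice\Desktop\putty.exe", "putty.exe", r"C:\Windows\explorer.exe", True),
    Event(r"C:\Users\alice\Documents\tool.exe", "tool.exe", r"C:\Windows\explorer.exe", True),
]


def run_samples(settings=None, exclusions=()):
    return [evaluate(e, settings, exclusions) for e in SAMPLE_EVENTS]


if __name__ == "__main__":
    for e, (action, rule) in zip(SAMPLE_EVENTS, run_samples()):
        print(f"{action:8} {e.image}  {rule or ''}")
```

Note how the first sample event matches two rules (PowerShell switches and Office parent): the rule order decides which option name appears in the notification, which is why a label naming the triggering rule matters when the same event is covered by several settings.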
 

509322

A user could add a lot of rules to ERP manually, if he is knowledgeable enough, but then he would be recreating what OSA already does.

@NoVirusThanks can confirm this, but you cannot recreate OSA with ERP rules; OSA and ERP are two different products internally. Andreas is using software restriction policy (an internal set of rules) and a simplified GUI for the user in OSA. ERP uses a pre-defined set of default rules along with a rules wizard where the user can craft their own execution rules. In a nutshell, ERP rules are based upon trusted publisher, location within file system, command line, user settings, etc. OSA rules are generic, user setting dependent.

ERP and OSA are complementary products. You cannot recreate one product in the other.
 
Last edited by a moderator:

dinosaur07

Level 12
Verified
Top Poster
Well-known
Aug 5, 2012
572
I just installed this software and I must say I like it. One has to be very careful with the customized settings, what we tick and untick there. Good solution and software they have. Thanks,
 

509322

I thought ESET is more of HIPS and OSA is more of a BB? So having both complementing each other should be OK, no?

Who said OSArmor is a Behavior Blocker? It's right in the name - "OSArmor" is to harden the Operating System via SRP\hardening rules. I guess it is in the way the product was initially written up. If I block regsvr.exe from loading .dlls and similar rules I suppose you can call it behavior blocking, but strictly speaking it isn't technically correct.

OSArmor prevents bad process behaviors through rule enforcement! It is not a behavior blocker in the sense of a fine-tuned HIPS!
 
Last edited by a moderator:

HarborFront

Level 71
Verified
Top Poster
Content Creator
Oct 9, 2016
6,034
Who said OSArmor is a Behavior Blocker? It's right in the name - "OSArmor" is to harden the Operating System via SRP\hardening rules. I guess it is in the way the product was initially written up. If I block regsvr.exe from loading .dlls and similar rules I suppose you can call it behavior blocking, but strictly speaking it isn't technically correct.
The developer should be able to state one of the below. The options are:

1) a 100% BB
2) a 100% HIPS
3) more of BB and less of HIPS
4) more of HIPS and less of BB
5) none of the above. Please state what is it
 

509322

He already stated it's 'like a BB'

Once again "like a BB" is not the same as "a BB." It is a subtle difference that you guys will carry across the line.

OSArmor enforces rules that prevent processes from performing unwanted and dangerous actions - among other things.

The difference is this:

The Emsisoft behavior blocker will prevent a weaponized Microsoft Word document from launching PowerShell.exe, cmd.exe, cscript.exe, wscript.exe (and others) in real time whereas OSArmor will not unless the user has enabled that particular setting. OSArmor is not a real-time behavior blocker, but it will achieve most of the same behavior blocker results (deny access to most of the processes) in the case of Microsoft WINWORD.exe and EXCEL.exe IF the user has enabled the setting in OSArmor.
 

509322

Totally agree.

OSA is closer to an SRP than a BB

@NoVirusThanks used the terminology behavioral monitoring in his initial introduction and write up. People on this forum are misinterpreting what he said and taking that to mean OSArmor is a real-time behavior blocker. Well, the rules are enforced once you enable the rules. It's a case of semantics.

OSArmor = enforces rules to harden your OS (operating system) against unwanted and dangerous process behaviors - among other things.
 
Last edited by a moderator:
