NoVirusThanks OSArmor

@Andy Ful

Feel free to send me the bypasses via PM, thank you :)

@Xtwillight

Great! Emsisoft, Bitdefender and F-Secure have fixed the FP.

I already contacted GData and Cyren.

@Evjl's Rain

OSArmor already guards java.exe and javaw.exe, but we can add the option to "Block any process executed from java.exe and javaw.exe" (unchecked by default).

About teamviewer processes, yes we can add them too.

@Aktiffiso

OSArmor should work fine with other security software.

If you need a free lifetime license for ERPv3 just PM me, I'll send it via PM ;)

//Everyone

Here are two more videos that demonstrate OSArmor in action:

Block MS Word (DOC) Exploit Payload with OSArmor

* In the above case the DOC exploit payload executed (and blocked) is svchost.exe

Block MS Excel Exploit Payload with OSArmor
 
I have this report. It blocked the official TeamViewer package from running. TV created temp files. Besides unchecking the rule, is there any way to run it? :(
EDIT: TeamViewer portable works => I will switch to TV portable permanently
Code:
Date/Time: 12/18/2017 3:55:15 PM
Process: [7948]C:\Users\evjlsrain\AppData\Local\Temp\TeamViewer\TeamViewer_.exe
Parent: [624]D:\TeamViewer_Setup.exe
Rule: BlockSuspiciousProcesses
Rule Name: Block execution of suspicious processes
Command Line: "C:\Users\EVJLSR~1\AppData\Local\Temp\TeamViewer\TeamViewer_.exe"
Signer: TeamViewer GmbH
Parent Signer: TeamViewer GmbH
 
This program can be used together with Hard_Configurator.
Yes. They overlap in many things, but also have some unique features.
As for OSArmor it needs whitelisting some processes:
  • C:\Windows\system32\rundll32.exe C:\Windows\system32\inetcpl.cpl,ClearMyTracksByProcess Flags:8388616 WinX:0 WinY:0 IEFrame:0000000000000000
  • "C:\Program Files\WindowsApps\Microsoft.WindowsStore_11711.1001.5.0_x64__8wekyb3d8bbwe\WinStore.App.exe" -ServerName:App.AppXc75wvwned5vhz4xyxxecvgdjhdkgsdza.mca
and probably some others ran by rundll32.exe or svchost.exe
 
I thought that exiting OSArmor would stop the protection. But that is not true for some actions. Here is the log entry from when I tried opening the PowerShell script for editing in Notepad from Total Commander:
Date/Time: 18.12.2017 23:14:13
Process: [5868]C:\Windows\notepad.exe
Parent: [6240]C:\Program Files\totalcmd\TOTALCMD64.EXE
Rule: BlockDownloadOfURLsCmdline
Rule Name: Block download of remote URLs via command-line
Command Line: C:\Windows\notepad.exe C:\Users\Admin\Downloads\temp\RunRemote_System.Net.WebClient_Shell.Application.ps1
Signer:
Parent Signer: Ghisler Software GmbH
Also, the .vbs script is blocked (a harmless trojan downloader that downloads and runs sumo_lite.exe):
Date/Time: 18.12.2017 23:33:10
Process: [9288]C:\Users\Admin\Downloads\sumo_lite.exe
Parent: [5556]C:\Windows\System32\wscript.exe
Rule: BlockProcessesFromWscript
Rule Name: Block any process executed from wscript.exe
Command Line: "C:\Users\Admin\Downloads\sumo_lite.exe"
Signer: KC Softwares
Parent Signer:
It seems that some features are still active.
 
Yes. They overlap in many things, but also have some unique features.
As for OSArmor it needs whitelisting some processes:
  • C:\Windows\system32\rundll32.exe C:\Windows\system32\inetcpl.cpl,ClearMyTracksByProcess Flags:8388616 WinX:0 WinY:0 IEFrame:0000000000000000
  • "C:\Program Files\WindowsApps\Microsoft.WindowsStore_11711.1001.5.0_x64__8wekyb3d8bbwe\WinStore.App.exe" -ServerName:App.AppXc75wvwned5vhz4xyxxecvgdjhdkgsdza.mca
and probably some others ran by rundll32.exe or svchost.exe
That is the question... Can there be conflicts or not?
I'm interested because I'm using Hard_Configurator.
 
I've released a new version v1.1:
Prevent Malware and Ransomware with OSArmor | NoVirusThanks

This is the changelog:

[18-Dec-2017] v1.1.0.0

+ Block any process executed from java.exe and javaw.exe (unchecked by default)
+ Block any process executed from mmc.exe (unchecked by default)
+ Block any process executed from wmiprvse.exe (unchecked by default)
+ Block any process executed from mstsc.exe (Remote Desktop) (unchecked by default)
+ Block unknown processes executed from TeamViewer (unchecked by default)
+ Block execution of any process related to TeamViewer (unchecked by default)
+ Block execution of .wsf scripts
+ Improved detection of suspicious processes
+ Improved detection of suspicious svchost.exe behaviors
+ Fixed hiding of the GUI window on PC reboot
+ Fixed some false positives

To update just uninstall the old version and install the new one.

No reboot needed.

@Andy Ful

Thanks for posting the content of the log file, it helps me understand why it was blocked.

I'll fix those FPs in the next build. If you find new ones, just post them here.

If you close the OSArmor UI the protection is still active via the service, soon we'll add the option to disable the protection.

Actually the only way to avoid a FP is to disable the rule that caused it, via the Configurator.

@Evjl's Rain

The FP with TeamViewer should be fixed now.

Try to see if these two options work as you expected:

+ Block unknown processes executed from TeamViewer (unchecked by default)
+ Block execution of any process related to TeamViewer (unchecked by default) -> Some malware uses TeamViewer hence why I added it

@Glashouse

We'll add an option to exclude some events.

@Aktiffiso

You can help test OSArmor by installing it and using your PC normally.
It would be very useful for me to know if it blocks some legit processes (false positives), so I can fix them.
Please post the content of the event that is blocked (taken from the log file).
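Since several posts in this thread paste OSArmor log events in the same "Key: value" layout, here is a small parser and triage helper (added example, not OSArmor's own code) that turns such events into records, splits the "[PID]path" fields, treats an empty field such as "Parent Signer:" as missing, and groups blocked events by rule so FPs can be reviewed in bulk. The sample log below is constructed from the format quoted in the thread, and the "both process and parent signed" flag is a constructed heuristic for picking whitelisting candidates, not OSArmor's logic.

```python
import re
from collections import defaultdict

# Constructed sample: two events in the layout OSArmor's log file uses (from this thread).
SAMPLE_LOG = r"""Date/Time: 12/18/2017 3:55:15 PM
Process: [7948]C:\Users\user\AppData\Local\Temp\TeamViewer\TeamViewer_.exe
Parent: [624]D:\TeamViewer_Setup.exe
Rule: BlockSuspiciousProcesses
Rule Name: Block execution of suspicious processes
Command Line: "C:\Users\USER~1\AppData\Local\Temp\TeamViewer\TeamViewer_.exe"
Signer: TeamViewer GmbH
Parent Signer: TeamViewer GmbH

Date/Time: 18.12.2017 23:33:10
Process: [9288]C:\Users\Admin\Downloads\sumo_lite.exe
Parent: [5556]C:\Windows\System32\wscript.exe
Rule: BlockProcessesFromWscript
Rule Name: Block any process executed from wscript.exe
Command Line: "C:\Users\Admin\Downloads\sumo_lite.exe"
Signer: KC Softwares
Parent Signer:
"""

PID_PATH = re.compile(r"^\[(\d+)\](.*)$")  # "[7948]C:\path\to.exe"


def parse_events(text):
    """Split the log into blank-line separated events (assumed) and parse each
    'Key: value' line; an empty value (e.g. 'Parent Signer:') becomes None."""
    events = []
    for block in re.split(r"\n\s*\n", text.strip()):
        ev = {}
        for line in block.splitlines():
            key, _, value = line.partition(":")  # first colon only; paths keep theirs
            ev[key.strip()] = value.strip() or None
        for field in ("Process", "Parent"):
            m = PID_PATH.match(ev.get(field) or "")
            if m:  # separate the PID from the image path
                ev[field + " PID"] = int(m.group(1))
                ev[field] = m.group(2)
        events.append(ev)
    return events


def triage(events):
    """Group events by rule id; flag a signed process with a signed parent as a
    whitelisting candidate (constructed heuristic, reviewer still decides)."""
    by_rule = defaultdict(list)
    for ev in events:
        signed_chain = bool(ev.get("Signer")) and bool(ev.get("Parent Signer"))
        by_rule[ev["Rule"]].append({
            "process": ev["Process"].rsplit("\\", 1)[-1],
            "parent": ev["Parent"].rsplit("\\", 1)[-1],
            "signer": ev.get("Signer"),
            "parent_signer": ev.get("Parent Signer"),
            "whitelist_candidate": signed_chain,
        })
    return dict(by_rule)
```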
 
@NoVirusThanks: please consider to whitelist Stardock/ObjectDock. The message from OSA appears at startup and no obvious issues with the dock afterward. Thank you. :)

 
Do I have to deactivate Secure Boot in the BIOS before installing it?
If you are on Windows 10, latest version, you need to turn off Secure Boot, unless your Win10 is an old version or is an upgrade from an earlier version of Windows, in which case you don't need to. The way to know for sure is to try installing OSA and see if you get a warning from Windows about unsigned drivers. If you get the warning, cancel the installation, disable Secure Boot, and then install.
 
If you are on Windows 10, latest version, you need to turn off Secure Boot, unless your Win10 is an old version or is an upgrade from an earlier version of Windows, in which case you don't need to. The way to know for sure is to try installing OSA and see if you get a warning from Windows about unsigned drivers. If you get the warning, cancel the installation, disable Secure Boot, and then install.
There's no Secure Boot on Windows 8.1, right?
 
There's no Secure Boot on Windows 8.1, right?
Secure Boot is a feature in the firmware/BIOS; that is where you turn it on or off.
Windows 10, in the later versions, has an additional restriction related to Secure Boot: it will not allow Windows to start if drivers are not co-signed. That is the issue with OSA. As far as I know, Windows 8.1 does not have this restriction.
If you try to install something and the drivers are problematic, Windows will warn you right away. So it's a no-brainer. If you get the Windows warning, just cancel the installation until you disable Secure Boot.
 
Overhead of NVT OSArmor on an Intel G3240 Pentium with a Samsung 850 SSD is just under half a second on my low-spec 3.5-year-old Pentium dual core (running at 3.1 GHz), so on most systems it should be less than 0.2 secs (which is barely noticeable).

C:\Program Files\Google\Chrome\Application\chrome.exe - 5 (first cold start from disk, second to fifth cached from memory)
0.9974
0.5693
0.5170
0.5664
0.5312

C:\Program Files\Google\Chrome\Application\chrome.exe - 5 executions with NVT OSArmor (cached delay indicates CPU overhead)
1.0564
1.1627
1.0454
0.9800
0.8386
 
@NoVirusThanks:
NVTOSA 1.1 (Default Settings): blocking Clover (Chrome tabbed style file browser):
Date/Time: 19/12/2017 8:17:03
Process: [2032]D:\Program Files (x86)\Clover\Clover.exe
Parent: [6100]C:\Windows\explorer.exe
Rule: BlockSuspiciousProcesses
Rule Name: Block execution of suspicious processes
Command Line: "D:\Program Files (x86)\Clover\clover.exe"
Signer: Shanghai Oriental Webcasting Co. Ltd.
Parent Signer: Microsoft Windows
 
That is the question... Can there be conflicts or not?
I'm interested because I'm using Hard_Configurator.
It is too early to use OSArmor on the real system (I test it with Shadow Defender). It is in the testing phase. No conflicts so far with Hard_Configurator.