NoVirusThanks OSArmor

AtlBo

Level 28
Verified
Top Poster
Content Creator
Well-known
Dec 29, 2014
1,711
That is it, process execution interception which is handled system-wide via a kernel-mode device driver. Nothing more, nothing less.

Maybe it could be thought of this way. OSArmor is a hand crafted set of VERY good policies, all together in one application that is basically 100% hands off with regards to controls. Apps that behave and aren't full of sketchy code don't get flagged. Install OSArmor underneath what you already use and enjoy the confidence of knowing that an attacker is really going to have to work for his money LOL. Perfect name for the app...add armor plating to your existing security setup...
 

cruelsister

Level 42
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Apr 13, 2013
3,151
Evjl- I tried Chrome portable with OSA build 27 at default and it worked fine. I must assume that you have enabled some optional settings that block process spawning.

Stas- There is no discernible difference between the build I used in the video and the current 27 build. And regarding signed malware- any Blackhat worth her salt (like Ophelia) has a throwaway certificate that can be used to sign malware. Although crap like this would be blocked by any decent AV, it would easily bypass any Rule in place.

OpCode- Really superb post. It's important for folk to understand that OSA is Rule Based and not some sort of a BB. It is a very elegant way of stopping scriptors in their tracks (i.e. JScript, PowerShell, VB) no matter what the ACTUAL payload is (ransomware, Bankers, etc), but it will not stop other malware that works by arcane mechanisms UNLESS a plethora of Rules are put in place that may make the system unusable for day-to-day purposes (Evjl's issue with Chrome Portable).

NVT- you have a lovely and elegant security product. Please, please do not overthink it in reaction to posts.
 

Evjl's Rain

Level 47
Thread author
Verified
Honorary Member
Top Poster
Content Creator
Malware Hunter
Apr 18, 2016
3,684
Evjl- I tried Chrome portable with OSA build 27 at default and it worked fine. I must assume that you have enabled some optional settings that block process spawning.
Hi CS, NVT said it was fixed in test 27 and I can confirm the FP was totally fixed. It happened only with test 26.
 

NoVirusThanks

From NoVirusThanks
Verified
Developer
Well-known
Aug 23, 2012
292
@Evjl's Rain

I've uploaded two video tutorials to exclude OSArmor on Avast and ESET HIPS:

How to Exclude OSArmor on Avast Antivirus

How to Exclude OSArmor on ESET HIPS

NOTE:

In my case OSArmor worked fine even without excluding it, but since users have asked for these guides, I've made them.

@l0rdraiden

I have not personally tested it on Windows Server 2016 yet, but it should work fine.

@cruelsister

NVT- you have a lovely and elegant security product. Please, please do not overthink it in reaction to posts.

Yes, I agree with you.
 

Evjl's Rain

Level 47
Thread author
Verified
Honorary Member
Top Poster
Content Creator
Malware Hunter
Apr 18, 2016
3,684
Hi, I made some exclusions exactly like what you demonstrated in the video and I also excluded C:\Windows\System32\drivers\OSArmorDevDrv.sys
However, it still doesn't work. I noticed that after a few hours of browsing after a reboot, OSA randomly worked magically but didn't work earlier.
Did you try it on Windows 8 and 10? I think it worked on your tested VM on W7 but maybe not on W8+.
 
D

Deleted member 65228

I noticed after a few hours of browsing after a reboot, OSA randomly worked magically
Sorry for interrupting but I wanted to quickly ask, do you know if the NoVirusThanks OSArmor service was active when it wasn't working? The reason I ask is because maybe it didn't activate for whatever reason until after reboot. It automatically starts up because of a registry modification for the Services location, so on the reboot you did, Windows would have automatically started up the service for the kernel-mode device driver (and the user-mode service).

If it stops working again in the same way as earlier, I recommend grabbing Process Hacker and doing the following steps.
1. Open Process Hacker (with Administrator)
2. Navigate to the Services tab
3. Search for the file-name of the NVT -> if nothing shows up then filter and check the list to see if you can locate NVT OSArmor services (I don't have it installed to check the name ATM)
4. Check if the service/s are actually active or if they have been stopped

If you cannot find the services at all then that would also be the cause of a problem (services not registered -> deleted or bug in creation).

Just food for thought which could help diagnose the issue if it can't be replicated but happens again in the future :)
 

Evjl's Rain

Level 47
Thread author
Verified
Honorary Member
Top Poster
Content Creator
Malware Hunter
Apr 18, 2016
3,684
Sorry for interrupting but I wanted to quickly ask, do you know if the NoVirusThanks OSArmor service was active when it wasn't working? The reason I ask is because maybe it didn't activate for whatever reason until after reboot. It automatically starts up because of a registry modification for the Services location, so on the reboot you did, Windows would have automatically started up the service for the kernel-mode device driver (and the user-mode service).

If it stops working again in the same way as earlier, I recommend grabbing Process Hacker and doing the following steps.
1. Open Process Hacker (with Administrator)
2. Navigate to the Services tab
3. Search for the file-name of the NVT -> if nothing shows up then filter and check the list to see if you can locate NVT OSArmor services (I don't have it installed to check the name ATM)
4. Check if the service/s are actually active or if they have been stopped

If you cannot find the services at all then that would also be the cause of a problem (services not registered -> deleted or bug in creation).

Just food for thought which could help diagnose the issue if it can't be replicated but happens again in the future :)
Yes, I'm 100% sure everything is running.
I also tried to exit both OSA processes and restarted them manually several times + uninstalled -> re-installed. Nothing has worked until this moment. The laptop has been running for ~36 minutes.
By the way, I don't see anything in Event Viewer either.
 

shmu26

Level 85
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Jul 3, 2015
8,153
Yes, I'm 100% sure everything is running.
I also tried to exit both OSA processes and restarted them manually several times + uninstalled -> re-installed. Nothing has worked until this moment. The laptop has been running for ~36 minutes.
By the way, I don't see anything in Event Viewer either.
If @NoVirusThanks can't reproduce the issue, maybe he can do a remote debugging session with you, or something like that, because I too can confirm the issue with Avast and OSA on Windows 10 (although I must admit that I have not yet tried build 27)
 
D

Deleted member 65228

Heads up if you forcefully restart the OSArmor processes it could break, I still remember VoodooShield... Easily broken and then it would require a full re-installation. You could try re-installing it for that matter though, I guess it wouldn't hurt to see if it changes anything for your situation.

I have another thing for you to test if you're up for it but be careful because I am not sure about compatibility with your environment and I'd hate for a BSOD to occur (since the next one relies on a product which does some hefty undocumented things).

1. PC Hunter Download / Download PC Hunter - MajorGeeks
2. Run it as Administrator
3. Navigate to the Kernel tab
4. See if the NVT OSArmor device driver (*.sys) is in the list and post a screenshot of the results where it is displayed if it is

Hopefully it will be shown as having registered a "CreateProcess" callback, which represents PsSetCreateProcessNotifyRoutine/Ex/2 kernel-mode callback. If it isn't displayed then this indicates that the callback routine isn't being registered for whatever reason and this would be why the process monitoring is failing, so if you want to help narrow down the cause a bit more then this is the next step :)
 
D

Deleted member 65228

I also tried to exit both OSA processes and restarted them manually several times + uninstalled -> re-installed. Nothing has worked until this moment. The laptop has been running for ~36 minutes
What about the service for the driver?

There should be two services, one for the kernel-mode driver and one for the user-mode service. The user-mode service should point to a SYSTEM process (session 0) but there should also be another service for the kernel-mode driver.

So if there is only one service active for NVT OSArmor then the issue is the driver isn't loaded.

Has the driver been co-signed by Microsoft yet? If it hasn't and you have Secure Boot enabled, this could be the cause.
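As an added example (not code from the thread or from NoVirusThanks), here is a PowerShell check that covers both diagnostic steps above in one pass: it lists the registered OSArmor services, tells the kernel-driver service apart from the user-mode one, confirms the driver file quoted earlier in the thread is on disk and how it is signed, reports the Secure Boot state, and pulls Service Control Manager and Code Integrity events since the last boot. The name pattern and the driver path are assumptions; run it from an elevated PowerShell.

```powershell
# Added diagnostic script, not from the thread or from NoVirusThanks.
# Assumptions: the OSArmor service/display names contain "OSArmor" or
# "NoVirusThanks", and the driver lives at the path quoted in the thread.
$pattern    = 'OSArmor|NoVirusThanks'
$driverPath = 'C:\Windows\System32\drivers\OSArmorDevDrv.sys'

# Win32_Service lists user-mode services, Win32_SystemDriver lists kernel drivers.
$svcs = (@(Get-CimInstance Win32_Service) + @(Get-CimInstance Win32_SystemDriver)) |
    Where-Object { $_.Name -match $pattern -or $_.DisplayName -match $pattern -or $_.PathName -match $pattern }

if (-not $svcs) {
    Write-Warning 'No OSArmor services are registered (never created, or removed)'
}
$svcs | Select-Object Name, ServiceType, State, StartMode, PathName | Format-Table -AutoSize

# Expect two entries: ServiceType 'Kernel Driver' plus an 'Own Process' user-mode service.
$driverSvc = @($svcs | Where-Object { $_.ServiceType -eq 'Kernel Driver' })
if ($driverSvc.Count -eq 0) {
    Write-Warning 'Only a user-mode service is registered: the kernel driver service is missing'
} elseif ($driverSvc[0].State -ne 'Running') {
    Write-Warning ("Driver service '{0}' is {1}, not Running" -f $driverSvc[0].Name, $driverSvc[0].State)
}

# Driver file on disk, and how it is signed (Status and SignerCertificate
# describe the primary Authenticode signature on the file).
if (Test-Path $driverPath) {
    $sig = Get-AuthenticodeSignature -FilePath $driverPath
    '{0}: {1}, signer {2}' -f $driverPath, $sig.Status, $sig.SignerCertificate.Subject
} else {
    Write-Warning "$driverPath is not on disk"
}

# Secure Boot state; Confirm-SecureBootUEFI throws on legacy BIOS machines.
try   { "Secure Boot enabled: $(Confirm-SecureBootUEFI)" }
catch { 'Secure Boot: not a UEFI system' }

# Load failures since the last boot: SCM 7000 (service failed to start) and 7026
# (boot/system-start drivers that did not load), plus the Code Integrity log.
$boot = (Get-CimInstance Win32_OperatingSystem).LastBootUpTime
Get-WinEvent -FilterHashtable @{ LogName = 'System'; ProviderName = 'Service Control Manager'; Id = 7000, 7026; StartTime = $boot } -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match $pattern } |
    Select-Object TimeCreated, Id, Message | Format-List
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-CodeIntegrity/Operational'; StartTime = $boot } -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match $pattern } |
    Select-Object TimeCreated, Id, Message | Format-List
```

If only one service shows up, or the driver service is registered but not Running, the event queries at the end are where the reason for the failed load is most likely to be recorded.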
 
D

Deleted member 65228

Not co-signed yet, but if that was the problem, then our dear friend's PC would not boot at all. Been there, done it.
Not always. Sometimes the driver just won't be allowed to load.

See here: OSR's ntdev List: Issue with Driver signing Windows 10 - OP of the post had an EV certificate from Symantec but he did not have it co-signed by MS so some of the customers couldn't have the product properly installed as the driver was being refused by Windows

Edit:
Fixed link
 

Evjl's Rain

Level 47
Thread author
Verified
Honorary Member
Top Poster
Content Creator
Malware Hunter
Apr 18, 2016
3,684
Heads up if you forcefully restart the OSArmor processes it could break, I still remember VoodooShield... Easily broken and then it would require a full re-installation. You could try re-installing it for that matter though, I guess it wouldn't hurt to see if it changes anything for your situation.

I have another thing for you to test if you're up for it but be careful because I am not sure about compatibility with your environment and I'd hate for a BSOD to occur (since the next one relies on a product which does some hefty undocumented things).

1. PC Hunter Download / Download PC Hunter - MajorGeeks
2. Run it as Administrator
3. Navigate to the Kernel tab
4. See if the NVT OSArmor device driver (*.sys) is in the list and post a screenshot of the results where it is displayed if it is

Hopefully it will be shown as having registered a "CreateProcess" callback, which represents PsSetCreateProcessNotifyRoutine/Ex/2 kernel-mode callback. If it isn't displayed then this indicates that the callback routine isn't being registered for whatever reason and this would be why the process monitoring is failing, so if you want to help narrow down the cause a bit more then this is the next step :)

The first time I ran PCHunter, it was blocked by Avast's self-defense module. This was the first time I have ever seen this message -> I had to disable self-defense to proceed. The driver was present.

What about the service for the driver?

There should be two services, one for the kernel-mode driver and one for the user-mode service. The user-mode service should point to a SYSTEM process ( session 0 ) but there should also be another service for the kernel-mode driver.

So if there is only one service active for NVT OSArmor then the issue is the driver isn't loaded.

Has the driver been co-signed by Microsoft yet? If it hasn't and you have Secure Boot enabled, this could be the cause.
I'm clueless about the services for the driver. There is only 1.
Yes, it's not signed by Microsoft but I had no problem with any other AV. It was working perfectly with KIS and on the same day, I saw shmu26's message -> I installed Avast and confirmed it wasn't working, so it's definitely Avast's fault.
 
D

Deleted member 65228

The first time I ran PCHunter, it was blocked by Avast's self-defense module. This was the first time I have ever seen this message -> I had to disable self-defense to proceed.
They do it for the Process Hacker driver as well.

Avast should block the kprocesshacker.sys driver if it's enabled.

They've done this since the end of 2015 or early-to-mid 2016.
 

NoVirusThanks

From NoVirusThanks
Verified
Developer
Well-known
Aug 23, 2012
292
Here is a new v1.4 (pre-release) test28:
http://downloads.novirusthanks.org/files/osarmor_setup_1.4_test28.exe

*** Please do not share the download link, we will delete it when we release the official v1.4 ***

So far this is what's new compared to the previous pre-release:

+ Fixed false positives

To install it, first uninstall the previous build, then reboot (not really needed but may help), and install test 28.

@Evjl's Rain

Tomorrow will try Avast + OSA on W10 VM.
 

shmu26

Level 85
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Jul 3, 2015
8,153
Here is a new v1.4 (pre-release) test28:
http://downloads.novirusthanks.org/files/osarmor_setup_1.4_test28.exe

*** Please do not share the download link, we will delete it when we release the official v1.4 ***

So far this is what's new compared to the previous pre-release:

+ Fixed false positives

To install it, first uninstall the previous build, then reboot (not really needed but may help), and install test 28.

@Evjl's Rain

Tomorrow will try Avast + OSA on W10 VM.
The link to test 28 is not working for me for some reason.
 