NoVirusThanks OSArmor

[71Hemi]

@NoVirusThanks

Are you considering adding your Registry Guard program to this? Also Beginner, Advanced, and Expert profiles? Thanks Again!

 

[71Hemi]

@ NoVirusThanks
Me again... I have just had an issue with installing test 32 and this has happened twice before but I don't remember what versions, I run the installer and all goes well but sometimes I get a greyed out icon in the task bar and protection is disabled, other times I get no icon in the task bar(this time). Both times WinPatrol Scotty doesn't notify me of OsArmor wanting to create an start up entry. This is on Windows 7 Ultimate 64bit. Seems that Registry Guard is blocking something, if I disable Reg Guard protection and rerun the installer then OsArmor behaves correctly at install. Has anybody had this issue?

 

[NoVirusThanks]

@Antimalware18

To test if OSArmor is working correctly, just rename a .exe file to invoice.pdf.exe and try to execute it.

If it is blocked then OSArmor is working fine.

@Darrin

Are you considering adding your Registry Guard program to this?

Probably no, it would make OSArmor much difficult to use.

Seems that Registry Guard is blocking something

Yes, that means Registry Guard is doing its job.

You need to exclude OSArmor in Registry Guard, post the Registry Guard logs here so we can help you create the exclusion rule in case.

 

[Antimalware18]

To test if OSArmor is working correctly, just rename a .exe file to invoice.pdf.exe and try to execute it.

If it is blocked then OSArmor is working fine.

Yep, it was blocked so protection is working fine. Thanks

 

[71Hemi]

@NoVirusThanks
As per request;

Datetime: 2/2/2018 9:47:12 PM
Operation: Write Value
Process: [728]C:\Windows\System32\services.exe
Parent: [596]C:\Windows\System32\wininit.exe
Thread Id: 2820
Key: \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\OSArmorDevSvc
Value: ImagePath
Rule: [%OPR%: WRITE_VALUE] [%EXE%: *] [%KEY%: *\SYSTEM\ControlSet*\Services\*] [%VAL%: ImagePath]

Thank You!

 

[NoVirusThanks]

Here is a new v1.4 (pre-release) (test33):
http://downloads.novirusthanks.org/files/osarmor_setup_1.4_test33.exe

*** Please do not share the download link, we will delete it when we'll release the official v1.4 ***

So far this is what's new compared to the previous pre-release:

+ Block execution of Java
+ Fixed cosmetic GUI issue (Anti-Exploit listbox aligned)
+ Improved detection of suspicious folders
+ Improved detection of suspicious processes
+ Improved detection of suspicious command-lines
+ Improved detection of commands used to download remote files
+ Improved detection of PowerShell encoded commands
+ Improved detection of PowerShell malformed commands
+ Improved detection of PowerShell ExecutionPolicy Bypass
+ Improved detection of PowerShell WindowStyle Hidden
+ Configurator can have only a single instance running
+ Removed "Enable Passive Logging" option from the Configurator
+ Passive Logging can be enabled\disabled via tray icon
+ Block execution of any process related to Sysinternals
+ New method to detect suspicious processes
+ Prevent cmd.exe from executing powershell.exe
+ Categorized options in Advanced tab
+ Fixed some false positives

To install it, first uninstall the previous build, then reboot (not really needed but may help), and install the new build.

We're very near to the official v1.4 release, if you find any FP or issue please share them.

*** Notice ***

Actually the rule "Block any process executed from Sysinternals" is blocking mainly only psexec tools (I'll update the name).

The company that asked for this rule (block psexec.exe from Sysinternals) shared these links:

Psexec flagged as malware by Sophos

The tool itself is no malware, but some malware bundles it and uses it. So ignore the warning.

Analyzing the Fileless, Code-injecting SOREBRECT Ransomware

SOREBRECT’s attack chain involves the abuse of PsExec, a legitimate, Windows command-line utility that lets system administrators execute commands or run executable files on remote systems.

HC7 GOTYA Ransomware Installed via Remote Desktop Services. Spread with PsExec

Currently the attackers are hacking into exposed remote desktop services, and once inside, use PsExec to install the ransomware on other computers in the network.

Would anyone benefit from blocking ALL Sysinternals tools?

Else we can just update and rename the rule to "Block execution of psexec.exe from Sysinternals".

@Darrin

Try to add this exclusion rule in Registry Guard:

[%OPR%: WRITE_VALUE] [%EXE%: *:\Windows\System32\services.exe] [%KEY%: *\SYSTEM\ControlSet*\Services\OSArmorDevSvc] [%VAL%: ImagePath]

 

[Antimalware18]

Latest version working great here

Is a internal updater on the docket? because if not may I suggest one?

 

[Evjl's Rain]

@NoVirusThanks hi, I installed test 33 yesterday and it has been working well but I had 1 issue this morning

1/ When I tried to execute a newly created batch file on my desktop (I created it), I received no alert from OSA and no cmd popup, nothing. I tried to execute the batch several times but I didn't see anything. Then, I checked the OSA's UI, and my batch was blocked by OSA without any notification = silently

Spoiler: log

Date/Time: 2/7/2018 9:09:48 AM
Process: [1668]C:\Windows\System32\cmd.exe
Parent: [5912]C:\Windows\explorer.exe
Rule: BlockSuspiciousScripts
Rule Name: Block execution of suspicious scripts
Command Line: C:\Windows\system32\cmd.exe /c ""C:\Users\evjlsrain\Desktop\New Text Document (2).bat" "
Signer:
Parent Signer: Microsoft Windows

2/ I tried to test it by checking "Block execution of Windows command prompt (cmd.exe)" -> execute the batch -> the OSA's Popup showed -> it worked

 

[shmu26]

@Evjl's Rain, is OSA playing nicely now with Avast, or still issues?

 

[Evjl's Rain]

@Evjl's Rain, is OSA playing nicely now with Avast, or still issues?

I gave up. Avast doesn't work with OSA on my Win 8.1 machine. Perhaps, it woulsld work on windows 10

I will try to install avast 17.8 (latest 17.9, problematic)

 

[Azure]

I gave up. Avast doesn't work with OSA on my Win 8.1 machine. Perhaps, it woulsld work on windows 10

I will try to install avast 17.8 (latest 17.9, problematic)

Did you tried the exclusions here?

 

[Evjl's Rain]

Did you tried the exclusions here?

I did but not successful

 

[shmu26]

I gave up. Avast doesn't work with OSA on my Win 8.1 machine. Perhaps, it woulsld work on windows 10

I will try to install avast 17.8 (latest 17.9, problematic)

I tried the latest build today on Windows 10 x64 RS3 with Avast free and thankfully I did not see any issues. I switched back and forth between user accounts, and the protection continued to work. The system tray icon was there, too.

 

[NoVirusThanks]

Here is a new v1.4 (pre-release) (test34):
http://downloads.novirusthanks.org/files/osarmor_setup_1.4_test34.exe

*** Please do not share the download link, we will delete it when we'll release the official v1.4 ***

So far this is what's new compared to the previous pre-release:

+ Added SoftMaker Office to Anti-Exploit tab
+ Block execution of PsExec.exe from Sysinternals
+ Added Media Player Classic Black Edition to Anti-Exploit tab
+ Improved detection of suspicious processes
+ Updated the Anti-Exploit module
+ Fixed some false positives

To install it, first uninstall the previous build, then reboot (not really needed but may help), and install the new build.

@Evjl's Rain

I could reproduce the issue with the popup, sometimes it is not displayed, will be fixed on the next build.

@Antimalware18

An auto-updater is on the todo list.

 

[plat1098]

A false positive with Controlled folder access (Windows Defender) during installation of test34. Good thing this is close to release, right? In general, OSArmor has been exceptionally problem-free on here!

Spoiler

edited out info in screen snip.

 

[codswollip]

FP updating XYplorer using in program updater...

Date/Time: 2/7/2018 10:34:56 PM
Process: [33252]C:\WINDOWS\explorer.exe
Parent: [30036]C:\Users\Telos\AppData\Local\Temp\XYplorer_18.70.0100_Install.exe
Rule: BlockSuspiciousExplorerBehaviors
Rule Name: Block suspicious Explorer.exe process behaviors
Command Line: "C:\WINDOWS\explorer.exe" "D:\Program Files (x86)\XYplorer\XYplorer.exe"
Signer: Microsoft Windows
Parent Signer:

 

[codswollip]

I just noticed that my most recent alert pop-up has found a home in Alt-Tab. When I select it nothing appears... a ghost window?

 

[71Hemi]

@NoVirusThanks
Well the exclusion rule in Registry Guard didn't work out to well, sorry, I did a fresh install of test 34 and got a desktop icon as always but no icon in task bar till I clicked the desktop icon, then the task bar icon showed up but was grayed out and showed no protection. Hmmm... Not a big deal really as I can just disable Reg Guard to install OsArmor, but it would be nice to not have to... Thank You anyway for your time and help! If you think of anything I can do for you on this just holler.

 

[Overkill]

Do any of you guys mind sharing your settings? there's alot of settings I have no clue what they are and if I should tick them

 

[DavidLMO]

I think a lot of us are in that boat. Note that here I am just blowing off steam.

One general problem - and this has nothing specifically to do with OSA - Many of us run several high powered apps - many of which can be highly configured. E.G. Running any firewall, a virus scanner, anti-exploit, etc. I know my brain sometimes turns to mush when I get down into the innards. This can be particularly problematic when different terminology is used between different apps.

Anyway .... for this app, I believe the developers are working on 3 settings that can be installed - somewhere here or over at Wilders this has been discussed.