NoVirusThanks OSArmor

shmu26

Level 85
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Jul 3, 2015
8,153
Anyway .... for this app, I believe the developers are working on 3 settings that can be installed - somewhere here or over at Wilders this has been discussed.
Right. I made that feature request, for 3 pre-set levels of protection. The dev said he will do it. I hope it will be implemented soon.
 

shmu26

Level 85
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Jul 3, 2015
8,153
The settings you should use depends a lot on what other security software you have. For instance, if you already have a SRP solution, you don't need to duplicate it by blocking unsigned processes from appdata.
If you already have ERP 3 beta, you don't need to duplicate it by blocking the very same vulnerable processes in OSA. Etc.

If you don't have any other advanced security softs, and you are the adventurous type, then do like @l0rdraiden suggested: enable all protections, and see what kind of prompts you get. Maybe you won't get very many, and you can just make a few exceptions. If it gets to be too much, just disable the setting that is driving you crazy.
 

vtqhtr413

Level 27
Verified
Top Poster
Well-known
Aug 17, 2017
1,609
The settings you should use depends a lot on what other security software you have. For instance, if you already have a SRP solution, you don't need to duplicate it by blocking unsigned processes from appdata.
If you already have ERP 3 beta, you don't need to duplicate it by blocking the very same vulnerable processes in OSA. Etc.

What would you shmu26 say would be a logical combo with OSA. I'm running it along side VoodooShield, No issues so far, light as a feather but is this combo redundant.
 
Last edited by a moderator:
  • Like
Reactions: AtlBo and shmu26

shmu26

Level 85
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Jul 3, 2015
8,153
What would you shmu26 say would be a logical combo with OSA. I'm running it along side VoodooShield, No issues so far, light as a feather but is this combo redundant.
OSA+VS is a good question, and I don't know a good answer.
It depends to a certain extent on what voodooshield settings you are using, and to a greater extent on what is hardcoded into voodooshield, and I don't think the dev has publically revealed his secret recipe.
Maybe @Andy Ful has some insight on this.

Some people use OSA with Appguard, or with NVT ERP. They do this not because OSA is stronger, but because it is an alternative to doing an advanced configuration of Appguard or NVT ERP. In other words, OSA does the thinking for you.

But the best use of OSA is simply to complement your AV.

I would not use OSA with ReHIPS, I think that would be really redundant. ReHIPS does everything already.
 

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,604
OSA+VS is a good question, and I don't know a good answer.
It depends to a certain extent on what voodooshield settings you are using, and to a greater extent on what is hardcoded into voodooshield, and I don't think the dev has publically revealed his secret recipe.
Maybe @Andy Ful has some insight on this.
...
I think, that using OSArmor and VoodooShield in combo is mostly redundant. Yet, as I tested today, OSArmor has stronger Anti-Exploit protection. I can bypass VoodooShield (Always ON mode), and this bypass is actually stopped by OSArmor. I will send the details to Dan.
 
D

Deleted member 65228

I can bypass VoodooShield (Always ON mode), and this bypass is actually stopped by OSArmor.
Make the binary appear closer to a genuine one from genuine, well-known software, as opposed to malware. Fatten up the Import Address Table (IAT), fatten up the strings, fatten up the PE details, add an icon and mess a bit more with the resource data, and that would probably be sufficient.

Afterwards, change any of the Proof-Of-Concept "malicious" code to using dynamic imports and string obfuscation (hard-coded - no packing otherwise it'll ruin the above changes and make the entropy high). However, even with the string obfuscation for the real parts, the extensive dummy code with the non-obfuscated strings will even it out.

The Ai score with VoodooAi should be so low that it'll be seen as "safe"/"clean"/"trusted" (whatever it's labelled in VoodooShield) and Auto-Pilot mode won't mind it, and thus won't display any alerts.

You can literally go around with a fake chrome.exe binary, as long as it looks legit and the characteristics mislead it into believing it's closer to the real Google Chrome's chrome.exe, it'll not be warned about with the Auto-Pilot mode (no digital signature necessary). You may also need to pump the binary a bit.

VoodooAi still flags a lot of malicious software though, it works because it takes into account characteristics like entropy level and thus a lot of packed program's will be in the firing line for being flagged. Since a lot of malware (especially ransomware) is packed.
 

DavidLMO

Level 4
Verified
Dec 25, 2017
158
I do not have some of these apps, so I cannot answer these questions. The following is regardless of Firewalls - I run Windows Firewall with Windows Firewall Control.

Anyway, I am running:

NVT OSArmor and NVT Exe Radar Pro. (Yes - I realize that there is some redundancy there - I am testing. Turn one on (other off) and do some things for testing. Turn it off and turn the other on. Turn both on or off. Do some things testing and check results.)

Question. With one or both these, is there a benefit to using HitManPro.Alert or Malwarebytes Anti-Exploit? My hunch is no.

For AV I use either Avast or Bitdefender (not both at same time.) Have also been testing Comodo Cloud Antivirus.
 

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,604
Make the binary appear closer to a genuine one from genuine, well-known software, as opposed to malware. Fatten up the Import Address Table (IAT), fatten up the strings, fatten up the PE details, add an icon and mess a bit more with the resource data, and that would probably be sufficient.

Afterwards, change any of the Proof-Of-Concept "malicious" code to using dynamic imports and string obfuscation (hard-coded - no packing otherwise it'll ruin the above changes and make the entropy high). However, even with the string obfuscation for the real parts, the extensive dummy code with the non-obfuscated strings will even it out.

The Ai score with VoodooAi should be so low that it'll be seen as "safe"/"clean"/"trusted" (whatever it's labelled in VoodooShield) and Auto-Pilot mode won't mind it, and thus won't display any alerts.

You can literally go around with a fake chrome.exe binary, as long as it looks legit and the characteristics mislead it into believing it's closer to the real Google Chrome's chrome.exe, it'll not be warned about with the Auto-Pilot mode (no digital signature necessary). You may also need to pump the binary a bit.

VoodooAi still flags a lot of malicious software though, it works because it takes into account characteristics like entropy level and thus a lot of packed program's will be in the firing line for being flagged. Since a lot of malware (especially ransomware) is packed.
The bypass is related to the bug in VoodooShield, and is very simple. It will be surely corrected by Dan.
In my tests, I use known techniques applied by malware in the wild (nothing especially complicated). :)
 

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,604
I think, that using OSArmor and VoodooShield in combo is mostly redundant. Yet, as I tested today, OSArmor has stronger Anti-Exploit protection. I can bypass VoodooShield (Always ON mode), and this bypass is actually stopped by OSArmor. I will send the details to Dan.
Please, do not treat my post as a software comparison. OSArmor and VoodooShield are too different to be truly compared. Furthermore, OSArmor is a new software and should be carefully tested. VoodooShield is more mature and well tested against malware in the wild.
 
D

Deleted member 65228

VoodooShield is more mature and well tested against malware in the wild.
Actually OSArmor and VoodooShield more or less work the same in terms of accomplishing the core functionality to do what they need to do. They use a kernel-mode callback and send the data back to the user-mode service which returns the response. The main difference is the purpose both are intended for, one being meant as an anti-executable and the other doing buffer comparisons for the command line details to decide to block/allow - and given VoodooShield has other things like "Ai" scanning then it'll have it's stuff for all that as well of course.

NVT EXE Radar is quite mature as well and relies on the same underlying technology for process interception.

OSArmor is stable, but depending on the configuration it might not be convenient.

It's true OSArmor is less tested against malware but if you meant in general then I don't agree because OSArmor is pretty much using EXE Radar technology which is well-tested.
 

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,604
Actually OSArmor and VoodooShield more or less work the same in terms of accomplishing the core functionality to do what they need to do. They use a kernel-mode callback and send the data back to the user-mode service which returns the response. The main difference is the purpose both are intended for, one being meant as an anti-executable and the other doing buffer comparisons for the command line details to decide to block/allow - and given VoodooShield has other things like "Ai" scanning then it'll have it's stuff for all that as well of course.

NVT EXE Radar is quite mature as well and relies on the same underlying technology for process interception.

OSArmor is stable, but depending on the configuration it might not be convenient.

It's true OSArmor is less tested against malware but if you meant in general then I don't agree because OSArmor is pretty much using EXE Radar technology which is well-tested.
The technology that is lying under OSArmor is very general and well tested. But, our concern here is the set of rules that will be usable, user-friendly and efficient. That should be tested for sure. OSArmor Anti-Exploit has many default-deny rules especially for Office documents, so it is stronger (in that area) than VoodooShield free in AutoPilot mode, that partially depends on AI and multi-engine blacklist. Anyway, VoodooShield is very strong in Always On mode. From the user side, both programs behave very differently. But in the real world scenario when in combo with antivirus, their anti-malware efficiency may be similar.(y)
 

shmu26

Level 85
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Jul 3, 2015
8,153
Make the binary appear closer to a genuine one from genuine, well-known software, as opposed to malware. Fatten up the Import Address Table (IAT), fatten up the strings, fatten up the PE details, add an icon and mess a bit more with the resource data, and that would probably be sufficient.

Afterwards, change any of the Proof-Of-Concept "malicious" code to using dynamic imports and string obfuscation (hard-coded - no packing otherwise it'll ruin the above changes and make the entropy high). However, even with the string obfuscation for the real parts, the extensive dummy code with the non-obfuscated strings will even it out.

The Ai score with VoodooAi should be so low that it'll be seen as "safe"/"clean"/"trusted" (whatever it's labelled in VoodooShield) and Auto-Pilot mode won't mind it, and thus won't display any alerts.

You can literally go around with a fake chrome.exe binary, as long as it looks legit and the characteristics mislead it into believing it's closer to the real Google Chrome's chrome.exe, it'll not be warned about with the Auto-Pilot mode (no digital signature necessary). You may also need to pump the binary a bit.

VoodooAi still flags a lot of malicious software though, it works because it takes into account characteristics like entropy level and thus a lot of packed program's will be in the firing line for being flagged. Since a lot of malware (especially ransomware) is packed.
Yes, it has been demonstrated that you can build a binary that will get past Voodoo Ai. But there are reasons for this:
1 your custom binary has zero detections on virus total
2 your custom binary does not have typical malware characteristics
3 it only gets past VS when it is on autopilot, and the dev readily admits that autopilot is less secure. He does not recommend autopilot.
So it doesn't prove that voodooshield is ineffective.
 

shmu26

Level 85
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Jul 3, 2015
8,153
I do not have some of these apps, so I cannot answer these questions. The following is regardless of Firewalls - I run Windows Firewall with Windows Firewall Control.

Anyway, I am running:

NVT OSArmor and NVT Exe Radar Pro. (Yes - I realize that there is some redundancy there - I am testing. Turn one on (other off) and do some things for testing. Turn it off and turn the other on. Turn both on or off. Do some things testing and check results.)

Question. With one or both these, is there a benefit to using HitManPro.Alert or Malwarebytes Anti-Exploit? My hunch is no.

For AV I use either Avast or Bitdefender (not both at same time.) Have also been testing Comodo Cloud Antivirus.
HMPA does a lot of things that NVT products do not do. MBAE also does things that NVT products do not do, although MBAE is not as powerful as HMPA.
This question was recently discussed over here: NoVirusThanks OSArmor: An Additional Layer of Defense
A little bit later in that same thread, the subject was explained further.
 

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,604
...
So it doesn't prove that voodooshield is ineffective.
@shmu, I do not think that @Opcode had in mind showing the ineffectiveness of VoodooShield.:)
He probably wanted to say that any security can be bypassed and showed the way how to create the 0-day malware that possibly could bypass many security applications. In fact, some malware samples are created in this way, but most malicious files are the repetitions of existent malware + minor changes + code obfuscation.
Any AI works as follows: If something has four legs as a dog, barks as a dog and bites as a dog, then with 90% it should be a dog. So, it is sufficient to create something that is very similar to have the 0-day dog.:)
 
Last edited:

tonibalas

Level 40
Verified
Honorary Member
Top Poster
Well-known
Sep 26, 2014
2,973
I have been watching this thread from the beggining and OSA is a great software.
I have a question. Is there an ETA?
I don't want to use a beta version even though at the moment seems to be very stable.
I think it will work very good alongside EAV.
 

Chimaira

Level 4
Verified
Well-known
Jan 5, 2018
163
I have been watching this thread from the beggining and OSA is a great software.
I have a question. Is there an ETA?
I don't want to use a beta version even though at the moment seems to be very stable.
I think it will work very good alongside EAV.

Developer stated there should only be a couple more test releases before the official is released.
 

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

User Menu

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top