NoVirusThanks OSArmor

shmu26

Level 85
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Jul 3, 2015
8,153
Anyway .... for this app, I believe the developers are working on 3 settings that can be installed - somewhere here or over at Wilders this has been discussed.
Right. I made that feature request, for 3 pre-set levels of protection. The dev said he will do it. I hope it will be implemented soon.
 

shmu26

Level 85
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Jul 3, 2015
8,153
The settings you should use depend a lot on what other security software you have. For instance, if you already have a SRP solution, you don't need to duplicate it by blocking unsigned processes from appdata.
If you already have ERP 3 beta, you don't need to duplicate it by blocking the very same vulnerable processes in OSA. Etc.

If you don't have any other advanced security softs, and you are the adventurous type, then do like @l0rdraiden suggested: enable all protections, and see what kind of prompts you get. Maybe you won't get very many, and you can just make a few exceptions. If it gets to be too much, just disable the setting that is driving you crazy.
 

vtqhtr413

Level 26
Verified
Top Poster
Well-known
Aug 17, 2017
1,513
The settings you should use depend a lot on what other security software you have. For instance, if you already have a SRP solution, you don't need to duplicate it by blocking unsigned processes from appdata.
If you already have ERP 3 beta, you don't need to duplicate it by blocking the very same vulnerable processes in OSA. Etc.

What would you, shmu26, say would be a logical combo with OSA? I'm running it alongside VoodooShield. No issues so far, light as a feather, but is this combo redundant?
 

shmu26

Level 85
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Jul 3, 2015
8,153
What would you, shmu26, say would be a logical combo with OSA? I'm running it alongside VoodooShield. No issues so far, light as a feather, but is this combo redundant?
OSA+VS is a good question, and I don't know a good answer.
It depends to a certain extent on what voodooshield settings you are using, and to a greater extent on what is hardcoded into voodooshield, and I don't think the dev has publicly revealed his secret recipe.
Maybe @Andy Ful has some insight on this.

Some people use OSA with Appguard, or with NVT ERP. They do this not because OSA is stronger, but because it is an alternative to doing an advanced configuration of Appguard or NVT ERP. In other words, OSA does the thinking for you.

But the best use of OSA is simply to complement your AV.

I would not use OSA with ReHIPS, I think that would be really redundant. ReHIPS does everything already.
 

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,190
OSA+VS is a good question, and I don't know a good answer.
It depends to a certain extent on what voodooshield settings you are using, and to a greater extent on what is hardcoded into voodooshield, and I don't think the dev has publicly revealed his secret recipe.
Maybe @Andy Ful has some insight on this.
...
I think that using OSArmor and VoodooShield in combo is mostly redundant. Yet, as I tested today, OSArmor has stronger Anti-Exploit protection. I can bypass VoodooShield (Always ON mode), and this bypass is actually stopped by OSArmor. I will send the details to Dan.
 

Deleted member 65228

I can bypass VoodooShield (Always ON mode), and this bypass is actually stopped by OSArmor.
Make the binary appear closer to a genuine one from genuine, well-known software, as opposed to malware. Fatten up the Import Address Table (IAT), fatten up the strings, fatten up the PE details, add an icon and mess a bit more with the resource data, and that would probably be sufficient.

Afterwards, change any of the Proof-Of-Concept "malicious" code to using dynamic imports and string obfuscation (hard-coded - no packing otherwise it'll ruin the above changes and make the entropy high). However, even with the string obfuscation for the real parts, the extensive dummy code with the non-obfuscated strings will even it out.

The Ai score with VoodooAi should be so low that it'll be seen as "safe"/"clean"/"trusted" (whatever it's labelled in VoodooShield) and Auto-Pilot mode won't mind it, and thus won't display any alerts.

You can literally go around with a fake chrome.exe binary, as long as it looks legit and the characteristics mislead it into believing it's closer to the real Google Chrome's chrome.exe, it'll not be warned about with the Auto-Pilot mode (no digital signature necessary). You may also need to pump the binary a bit.

VoodooAi still flags a lot of malicious software though. It works because it takes into account characteristics like entropy level, and thus a lot of packed programs will be in the firing line for being flagged, since a lot of malware (especially ransomware) is packed.
 

DavidLMO

Level 4
Verified
Dec 25, 2017
158
I do not have some of these apps, so I cannot answer these questions. The following is regardless of Firewalls - I run Windows Firewall with Windows Firewall Control.

Anyway, I am running:

NVT OSArmor and NVT Exe Radar Pro. (Yes - I realize that there is some redundancy there - I am testing. Turn one on (the other off) and do some things for testing. Turn it off and turn the other on. Turn both on or off. Do some testing and check results.)

Question. With one or both these, is there a benefit to using HitManPro.Alert or Malwarebytes Anti-Exploit? My hunch is no.

For AV I use either Avast or Bitdefender (not both at same time.) Have also been testing Comodo Cloud Antivirus.
 

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,190
Make the binary appear closer to a genuine one from genuine, well-known software, as opposed to malware. Fatten up the Import Address Table (IAT), fatten up the strings, fatten up the PE details, add an icon and mess a bit more with the resource data, and that would probably be sufficient.

Afterwards, change any of the Proof-Of-Concept "malicious" code to using dynamic imports and string obfuscation (hard-coded - no packing otherwise it'll ruin the above changes and make the entropy high). However, even with the string obfuscation for the real parts, the extensive dummy code with the non-obfuscated strings will even it out.

The Ai score with VoodooAi should be so low that it'll be seen as "safe"/"clean"/"trusted" (whatever it's labelled in VoodooShield) and Auto-Pilot mode won't mind it, and thus won't display any alerts.

You can literally go around with a fake chrome.exe binary, as long as it looks legit and the characteristics mislead it into believing it's closer to the real Google Chrome's chrome.exe, it'll not be warned about with the Auto-Pilot mode (no digital signature necessary). You may also need to pump the binary a bit.

VoodooAi still flags a lot of malicious software though. It works because it takes into account characteristics like entropy level, and thus a lot of packed programs will be in the firing line for being flagged, since a lot of malware (especially ransomware) is packed.
The bypass is related to the bug in VoodooShield, and is very simple. It will be surely corrected by Dan.
In my tests, I use known techniques applied by malware in the wild (nothing especially complicated). :)
 

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,190
I think that using OSArmor and VoodooShield in combo is mostly redundant. Yet, as I tested today, OSArmor has stronger Anti-Exploit protection. I can bypass VoodooShield (Always ON mode), and this bypass is actually stopped by OSArmor. I will send the details to Dan.
Please, do not treat my post as a software comparison. OSArmor and VoodooShield are too different to be truly compared. Furthermore, OSArmor is new software and should be carefully tested. VoodooShield is more mature and well tested against malware in the wild.
 

Deleted member 65228

VoodooShield is more mature and well tested against malware in the wild.
Actually OSArmor and VoodooShield more or less work the same in terms of accomplishing the core functionality to do what they need to do. They use a kernel-mode callback and send the data back to the user-mode service, which returns the response. The main difference is the purpose both are intended for, one being meant as an anti-executable and the other doing buffer comparisons for the command line details to decide to block/allow - and given VoodooShield has other things like "Ai" scanning, then it'll have its stuff for all that as well of course.

NVT EXE Radar is quite mature as well and relies on the same underlying technology for process interception.

OSArmor is stable, but depending on the configuration it might not be convenient.

It's true OSArmor is less tested against malware but if you meant in general then I don't agree because OSArmor is pretty much using EXE Radar technology which is well-tested.
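To illustrate the user-mode decision step described above, here is an added toy policy evaluator (example code written for this thread, not OSArmor's, VoodooShield's or NVT's own code). It applies three rules of the kind discussed in the thread, blocking unsigned executables from AppData, Office applications spawning script hosts, and PowerShell encoded commands, to constructed process-creation events; the rule names, sample paths and the signature flag are assumptions.

```python
# Toy user-mode policy for process-creation events (illustration only; not any
# product's real rule engine). Real products get these events from a kernel-mode
# callback; here the events are constructed sample data.
from dataclasses import dataclass
import re

@dataclass
class ProcEvent:
    parent: str    # image path of the creating process
    image: str     # image path of the new process
    cmdline: str   # full command line of the new process
    signed: bool   # assumed: whether the image carries a valid Authenticode signature

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}
SCRIPT_HOSTS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe"}

def basename(path: str) -> str:
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()

def evaluate(ev: ProcEvent):
    """Return the name of the first rule that denies the event, or None to allow."""
    img, parent = basename(ev.image), basename(ev.parent)
    # Rule 1: unsigned executables launched from a user-profile AppData folder.
    if not ev.signed and re.search(r"\\appdata\\", ev.image, re.IGNORECASE):
        return "block-unsigned-appdata"
    # Rule 2: default-deny for documents: Office apps must not spawn script hosts.
    if parent in OFFICE_APPS and img in SCRIPT_HOSTS:
        return "block-office-spawns-script-host"
    # Rule 3: command-line pattern check (the 'buffer comparison' the post mentions).
    if img == "powershell.exe" and re.search(r"-enc(odedcommand)?\b", ev.cmdline, re.I):
        return "block-powershell-encoded-command"
    return None

def audit(events):
    """Map each event to (image basename, verdict) for logging or review."""
    return [(basename(ev.image), evaluate(ev) or "allow") for ev in events]

# Constructed sample events (hypothetical paths and command lines).
SAMPLE_EVENTS = [
    ProcEvent(r"C:\Program Files\Microsoft Office\winword.exe",
              r"C:\Windows\System32\cmd.exe", "cmd.exe /c whoami", True),
    ProcEvent(r"C:\Windows\explorer.exe",
              r"C:\Users\alice\AppData\Local\Temp\setup.exe", "setup.exe", False),
    ProcEvent(r"C:\Windows\explorer.exe",
              r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "powershell.exe -enc SQBFAFgA", True),
    ProcEvent(r"C:\Windows\explorer.exe",
              r"C:\Users\alice\AppData\Local\Vendor\update.exe", "update.exe", True),
]

if __name__ == "__main__":
    for name, verdict in audit(SAMPLE_EVENTS):
        print(f"{name:16} {verdict}")
```

The last sample shows the flip side of rule 1: a signed updater under AppData is allowed, which is exactly the gap a separate SRP or anti-executable layer would cover.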
 

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,190
Actually OSArmor and VoodooShield more or less work the same in terms of accomplishing the core functionality to do what they need to do. They use a kernel-mode callback and send the data back to the user-mode service, which returns the response. The main difference is the purpose both are intended for, one being meant as an anti-executable and the other doing buffer comparisons for the command line details to decide to block/allow - and given VoodooShield has other things like "Ai" scanning, then it'll have its stuff for all that as well of course.

NVT EXE Radar is quite mature as well and relies on the same underlying technology for process interception.

OSArmor is stable, but depending on the configuration it might not be convenient.

It's true OSArmor is less tested against malware but if you meant in general then I don't agree because OSArmor is pretty much using EXE Radar technology which is well-tested.
The technology that lies under OSArmor is very general and well tested. But our concern here is the set of rules that will be usable, user-friendly and efficient. That should be tested for sure. OSArmor Anti-Exploit has many default-deny rules, especially for Office documents, so it is stronger (in that area) than VoodooShield free in AutoPilot mode, which partially depends on AI and a multi-engine blacklist. Anyway, VoodooShield is very strong in Always On mode. From the user side, both programs behave very differently. But in the real world scenario, when in combo with antivirus, their anti-malware efficiency may be similar.
 

shmu26

Level 85
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Jul 3, 2015
8,153
Make the binary appear closer to a genuine one from genuine, well-known software, as opposed to malware. Fatten up the Import Address Table (IAT), fatten up the strings, fatten up the PE details, add an icon and mess a bit more with the resource data, and that would probably be sufficient.

Afterwards, change any of the Proof-Of-Concept "malicious" code to using dynamic imports and string obfuscation (hard-coded - no packing otherwise it'll ruin the above changes and make the entropy high). However, even with the string obfuscation for the real parts, the extensive dummy code with the non-obfuscated strings will even it out.

The Ai score with VoodooAi should be so low that it'll be seen as "safe"/"clean"/"trusted" (whatever it's labelled in VoodooShield) and Auto-Pilot mode won't mind it, and thus won't display any alerts.

You can literally go around with a fake chrome.exe binary, as long as it looks legit and the characteristics mislead it into believing it's closer to the real Google Chrome's chrome.exe, it'll not be warned about with the Auto-Pilot mode (no digital signature necessary). You may also need to pump the binary a bit.

VoodooAi still flags a lot of malicious software though. It works because it takes into account characteristics like entropy level, and thus a lot of packed programs will be in the firing line for being flagged, since a lot of malware (especially ransomware) is packed.
Yes, it has been demonstrated that you can build a binary that will get past Voodoo Ai. But there are reasons for this:
1. Your custom binary has zero detections on VirusTotal.
2. Your custom binary does not have typical malware characteristics.
3. It only gets past VS when it is on autopilot, and the dev readily admits that autopilot is less secure. He does not recommend autopilot.
So it doesn't prove that voodooshield is ineffective.
 

shmu26

Level 85
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Jul 3, 2015
8,153
I do not have some of these apps, so I cannot answer these questions. The following is regardless of Firewalls - I run Windows Firewall with Windows Firewall Control.

Anyway, I am running:

NVT OSArmor and NVT Exe Radar Pro. (Yes - I realize that there is some redundancy there - I am testing. Turn one on (the other off) and do some things for testing. Turn it off and turn the other on. Turn both on or off. Do some testing and check results.)

Question. With one or both these, is there a benefit to using HitManPro.Alert or Malwarebytes Anti-Exploit? My hunch is no.

For AV I use either Avast or Bitdefender (not both at same time.) Have also been testing Comodo Cloud Antivirus.
HMPA does a lot of things that NVT products do not do. MBAE also does things that NVT products do not do, although MBAE is not as powerful as HMPA.
This question was recently discussed over here: NoVirusThanks OSArmor: An Additional Layer of Defense
A little bit later in that same thread, the subject was explained further.
 

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,190
...
So it doesn't prove that voodooshield is ineffective.
@shmu, I do not think that @Opcode had in mind showing the ineffectiveness of VoodooShield.:)
He probably wanted to say that any security can be bypassed, and showed how to create the 0-day malware that possibly could bypass many security applications. In fact, some malware samples are created in this way, but most malicious files are repetitions of existing malware + minor changes + code obfuscation.
Any AI works as follows: if something has four legs like a dog, barks like a dog and bites like a dog, then with 90% probability it should be a dog. So, it is sufficient to create something that is very similar to have the 0-day dog.:)
 

tonibalas

Level 40
Verified
Honorary Member
Top Poster
Well-known
Sep 26, 2014
2,973
I have been watching this thread from the beginning and OSA is a great software.
I have a question. Is there an ETA?
I don't want to use a beta version even though at the moment it seems to be very stable.
I think it will work very well alongside EAV.
 

Chimaira

Level 4
Verified
Well-known
Jan 5, 2018
163
I have been watching this thread from the beginning and OSA is a great software.
I have a question. Is there an ETA?
I don't want to use a beta version even though at the moment it seems to be very stable.
I think it will work very well alongside EAV.

Developer stated there should only be a couple more test releases before the official is released.
 
