NoVirusThanks OSArmor

vtqhtr413

Level 27
Well-known
Aug 17, 2017
1,609
I ran OSA with VoodooShield for a couple of days with no issues but took Andy's advice and stopped using them together. I've just upgraded to Windows 10 and will let it settle in before I add any security apps.

Learning/training, it is all the same thing. Different apps call it by different names
As I recall VS has both.:censored:

both fruit and both anti-executables

I recently heard that technically a banana is a herb :LOL:
 

AtlBo

Level 28
Verified
Top Poster
Content Creator
Well-known
Dec 29, 2014
1,716
I recently got ERP but there is no help info available. How does one determine the Vulnerable files list and whitelisting of command lines? I have followed your item 1-3 and at the moment there are some vulnerable files and command lines there but not put there by me!

With vulnerables, I think this way. If there is anything in Windows that really nags you as potentially dangerous for an attack, you can add it to the list, and you will get an alert every time anything tries to start it. This is very powerful, and you can monitor any part of Windows you like. I used some good lists around for building a list of my own of things to keep an eye on in Windows. I attached a picture of the ones I use from an x64 system (very large picture). Many of the exes had to be added twice due to the 64 bit OS.

I would really like to update this list, but I don't think there has been much energy in improving the lists created for Bouncer a few years ago. BTW, I use basically the same list with Comodo's command-line monitoring. Don't have to add them twice in Comodo thankfully :rolleyes:. Many of them aren't c-l interpreters, so I have no idea what if anything Comodo does with those entries.

With command lines I guess it's a fine line. If you know what spawned it you should be fine to whitelist it. If the command line comes out of the blue unexpectedly or the file that started the episode is strange or in a strange location, I block them. If you want to be effective whitelisting command line, wild-carding is the ever present friend in ERP and something fairly simple to learn...
 

Attachments

  • NVT More Vulnerables All Others.png

AtlBo

Level 28
Verified
Top Poster
Content Creator
Well-known
Dec 29, 2014
1,716
This is so powerful. Thanks @NoVirusThanks Andreas. :notworthy:

One thing I have always been paranoid about is someone singling out a PC of mine. Is there anything special that can be done to block this happening via Remote Desktop or another protocol? I'd love to feel safe to use Remote Desktop.

Watching a meterpreter attack is creepy...seriously...(n)

Running ERP and OSArmor together on the main security soft tester here. Going to stay this way. I have ticked a hoard of settings in OSArmor, so I will try to update how the alerts are. BTW, thanks Andreas for the Passive Logging mode. Very helpful...
 

AtlBo

Level 28
Verified
Top Poster
Content Creator
Well-known
Dec 29, 2014
1,716
Anyone else enjoying the crickets chirping on their system? Turn on all the protections (OK most) and kick back and laugh while you imagine what malware is going to have to do to even get started with OSArmor. Yes, this is where it is already.

Alright you testers, who's going to throw OSArmor to the wolves? Will we get an efficacy test at some point perhaps or maybe a large number of randoms?
 

codswollip

Level 23
Content Creator
Well-known
Jan 29, 2017
1,201
FP updating Syncovery:

Date/Time: 2/17/2018 1:55:21 PM
Process: [39276]C:\WINDOWS\System32\net.exe
Parent: [39228]C:\Users\Telos\AppData\Local\Temp\is-OPLBD.tmp\Syncovery64Setup7.tmp
Rule: BlockDeletionOfShadowCopies
Rule Name: Block system processes from deleting shadow copies
Command Line: "NET.EXE" stop SyncoveryVSSService
Signer:
Parent Signer:
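
AtlBo's rule of thumb from earlier in the thread (whitelist a command line only when you know what spawned it, using wildcards) applied to the alert posted above, as an added example that is not part of any post and is not OSArmor or ERP code. The exception format and the names `EXCEPTIONS`, `parse_alert` and `triage` are assumptions; the wildcards are Python `fnmatch` patterns, not either product's rule syntax.

```python
import fnmatch
import re

# Alert text copied from the post above.
ALERT = r'''Date/Time: 2/17/2018 1:55:21 PM
Process: [39276]C:\WINDOWS\System32\net.exe
Parent: [39228]C:\Users\Telos\AppData\Local\Temp\is-OPLBD.tmp\Syncovery64Setup7.tmp
Rule: BlockDeletionOfShadowCopies
Rule Name: Block system processes from deleting shadow copies
Command Line: "NET.EXE" stop SyncoveryVSSService
Signer:
Parent Signer:
'''

# Hypothetical exception list: (process, parent, command line), lower-case,
# fnmatch wildcards. All three must match, so the parent is always checked.
EXCEPTIONS = [
    (r'c:\windows\system32\net.exe',
     r'c:\users\*\appdata\local\temp\is-*.tmp\syncovery64setup*.tmp',
     r'"net.exe" stop syncoveryvssservice'),
]

def parse_alert(text):
    """Split 'Key: value' lines and pull the [PID] prefix off Process/Parent."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    for key in ("Process", "Parent"):
        m = re.match(r"\[(\d+)\](.*)", fields.get(key, ""))
        if m:
            fields[key + " PID"] = int(m.group(1))
            fields[key] = m.group(2)
    return fields

def triage(alert, exceptions=EXCEPTIONS):
    """Return (verdict, cautions); cautions are reported even when allowed."""
    observed = [alert.get(k, "").lower() for k in ("Process", "Parent", "Command Line")]
    hit = any(all(fnmatch.fnmatchcase(v, p) for v, p in zip(observed, pats))
              for pats in exceptions)
    cautions = []
    if not alert.get("Parent Signer"):
        cautions.append("parent is unsigned")
    if "\\appdata\\local\\temp\\" in observed[1]:
        cautions.append("parent runs from a user-writable temp folder")
    return ("allow" if hit else "block"), cautions

if __name__ == "__main__":
    alert = parse_alert(ALERT)
    print(alert["Rule"], triage(alert))
```

In these patterns `*` also matches `\`, so a wildcard can span more directory levels than it appears to; keeping the command-line field exact is what stops the exception from covering other `net.exe stop` targets.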
 

WinXPert

Level 25
Verified
Honorary Member
Top Poster
Malware Hunter
Well-known
Jan 9, 2013
1,457
Anyone else enjoying the crickets chirping on their system? Turn on all the protections (OK most) and kick back and laugh while you imagine what malware is going to have to do to even get started with OSArmor. Yes, this is where it is already.

Alright you testers, who's going to throw OSArmor to the wolves? Will we get an efficacy test at some point perhaps or maybe a large number of randoms?

Wish I had the computer and the time.
 

ForgottenSeer 58943

Crickets here, just how I like it. No popups, no fp's, just sitting there waiting to do something.

Well the bad news is, my son almost got infected. The good news is, OSArmor was the only thing that prevented it from taking hold.

A bit of background first.. My son is 'reckless' with his system. He's a gamer, he goes to shady sites and he downloads almost anything that is shiny and new without too much regard. To combat issues I put his system on a PHYSICALLY segregated port on my Fortinet with its own VDOM. So whatever he does is totally isolated to his system. I put F-Secure Safe on it, along with Heimdal and OSArmor with HitmanPro on-demand.

Over the weekend I decided to 'check' on his computer. Upon boot (immediately) something tried to execute and was picked up and blocked by OSArmor. Further investigation revealed a Netsupport RAT Variant. The trojan was on his system but unable to properly set itself up to execute or cause damage. F-Secure was quiet. Heimdal was quiet. HitmanPro scan showed no issues. I installed and ran Malwarebytes 2X and it found and removed it. Based on what it found it failed to properly set itself up to run and only was able to leave its primary script trigger and an exe in a hidden directory. So basically, without OSArmor, he'd have been infected.. Even with my massive security, OSArmor was the missing piece of the puzzle that was required to protect him. F-Secure was a total letdown in this respect and Deepguard did nothing. But I suspect products with really strong BB might have nixed it... This is why I believe in layered security.
 

NoVirusThanks

From NoVirusThanks
Verified
Developer
Well-known
Aug 23, 2012
293
Here is a new v1.4 (pre-release) (test35):
http://downloads.novirusthanks.org/files/osarmor_setup_1.4_test35.exe

*** Please do not share the download link, we will delete it when we release the official v1.4 ***

So far this is what's new compared to the previous pre-release:

+ Fixed detection of SoftMaker Office 2012
+ Improved detection of suspicious processes
+ Fixed an issue on Windows 10 32-bit OSs
+ Prevent reg.exe from hijacking OSArmor settings (on Main Protections, enabled by default)
+ Improved "Block processes named like *keygen* or *crack*"
+ Updated some text on Configurator
+ Minor fixes and optimizations
+ Fixed some false positives

To install it, first uninstall the previous build, then reboot (not really needed but may help), and install the new build.

Let me know if you find any FP or issue, we plan to release v1.4 in the next few days if all is well.

@Telos

The FP should be fixed now.

@ForgottenSeer 58943

That's great! Thanks a lot for sharing that.
 

shmu26

Level 85
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Jul 3, 2015
8,153
Well the bad news is, my son almost got infected. The good news is, OSArmor was the only thing that prevented it from taking hold.

A bit of background first.. My son is 'reckless' with his system. He's a gamer, he goes to shady sites and he downloads almost anything that is shiny and new without too much regard. To combat issues I put his system on a PHYSICALLY segregated port on my Fortinet with its own VDOM. So whatever he does is totally isolated to his system. I put F-Secure Safe on it, along with Heimdal and OSArmor with HitmanPro on-demand.

Over the weekend I decided to 'check' on his computer. Upon boot (immediately) something tried to execute and was picked up and blocked by OSArmor. Further investigation revealed a Netsupport RAT Variant. The trojan was on his system but unable to properly set itself up to execute or cause damage. F-Secure was quiet. Heimdal was quiet. HitmanPro scan showed no issues. I installed and ran Malwarebytes 2X and it found and removed it. Based on what it found it failed to properly set itself up to run and only was able to leave its primary script trigger and an exe in a hidden directory. So basically, without OSArmor, he'd have been infected.. Even with my massive security, OSArmor was the missing piece of the puzzle that was required to protect him. F-Secure was a total letdown in this respect and Deepguard did nothing. But I suspect products with really strong BB might have nixed it... This is why I believe in layered security.
It's great to hear a real life story. Thanks!
 

ForgottenSeer 58943

The dev mentioned a while back that it will be freeware, if I remember right.

He shouldn't be afraid to charge for this. People need to be rewarded for their efforts. Privazer averages $60,000.00 a year in donations just from random $5, $10, $20 gifts from people that find it valuable. In all fairness, if you charge or start accepting donations then you will be expected to maintain the product at least somewhat.
 

ForgottenSeer 58943

I think that Andreas will probably find a way to incorporate his brilliant code into an even bigger and better product that will actually make him $$$.

A lot of AV's could integrate this technology and become real contenders. Bullguard and F-Secure come to mind as they both seem lacking in this area (exploit, anti-exe, BB or whatever).
 

Azure

Level 28
Verified
Top Poster
Content Creator
Oct 23, 2014
1,714
Well the bad news is, my son almost got infected. The good news is, OSArmor was the only thing that prevented it from taking hold.

A bit of background first.. My son is 'reckless' with his system. He's a gamer, he goes to shady sites and he downloads almost anything that is shiny and new without too much regard. To combat issues I put his system on a PHYSICALLY segregated port on my Fortinet with its own VDOM. So whatever he does is totally isolated to his system. I put F-Secure Safe on it, along with Heimdal and OSArmor with HitmanPro on-demand.

Over the weekend I decided to 'check' on his computer. Upon boot (immediately) something tried to execute and was picked up and blocked by OSArmor. Further investigation revealed a Netsupport RAT Variant. The trojan was on his system but unable to properly set itself up to execute or cause damage. F-Secure was quiet. Heimdal was quiet. HitmanPro scan showed no issues. I installed and ran Malwarebytes 2X and it found and removed it. Based on what it found it failed to properly set itself up to run and only was able to leave its primary script trigger and an exe in a hidden directory. So basically, without OSArmor, he'd have been infected.. Even with my massive security, OSArmor was the missing piece of the puzzle that was required to protect him. F-Secure was a total letdown in this respect and Deepguard did nothing. But I suspect products with really strong BB might have nixed it... This is why I believe in layered security.
Would you mind if I link this story over at Wilders? I believe it would be nice for people that use this product to hear a real life situation where the product successfully protected a user.
 
