NoVirusThanks OSArmor

Mr.X

Aug 2, 2014
I think that Andreas will probably find a way to incorporate his brilliant code into an even bigger and better product that will actually make him $$$.
I think he actually sells tailored solutions based on his great freeware to big businesses/enterprises, and there, my friends, is the real money.
We just help him alpha/beta/stable test, all of us. No big deal, it is great for us to contribute, right? :censored::LOL:
 

plat1098

With test35, as per the developer, I enabled some of OSArmor's self-protection rules (4).

--Prevent reg.exe from importing .reg files (Advanced tab/Attacks Mitigation Rules)
--Prevent reg.exe from hijacking OSArmor Settings (Main Protections)***
--Block execution of .reg scripts (Advanced/Block Scripts Execution)
--Block reg.exe from hijacking registry startup entries (Advanced/Other Useful Block-Rules)

source: NoVirusThanks OSArmor: An Additional Layer of Defense

I feel better now. :cool:

Edit: this setting moved to under Settings tab in test36
 

NoVirusThanks

From NoVirusThanks
Developer
Aug 23, 2012
Here is a new v1.4 (pre-release) (test36):
http://downloads.novirusthanks.org/files/osarmor_setup_1.4_test36.exe

*** Please do not share the download link, we will delete it when we release the official v1.4 ***

So far this is what's new compared to the previous pre-release:

+ Improved detection of suspicious folders
+ Improved detection of suspicious command-lines
+ Block execution of processes on All Users folder
+ Prevent attrib.exe from setting +h or +s attributes
+ Exclude "/a" execution for "Block execution of Shutdown.exe"
+ Renamed "Block execution of PsExec.exe from Sysinternals" to "Block execution of PsTools Suite from Sysinternals"
+ Block execution of PsTools Suite from Sysinternals
+ Renamed "Prevent reg.exe from hijacking OSArmor settings" to "Enable OSArmor self defense (basic)"
+ Enable OSArmor self defense (basic) -> Moved to Settings
+ Improved detection of known fake file extensions
+ User must be in the Administrators Group to change protection (Configurator -> Settings, disabled by default)
+ Block execution of taskkill.exe
+ Minor fixes and optimizations

To install it, first uninstall the previous build, then reboot (not really needed but may help), and install the new build.

The basic self defense now blocks net.exe, net1.exe, taskkill.exe, sc.exe, reg.exe, pskill.exe, etc. from terminating/hijacking OSArmorDevSvc.

It also prevents silent uninstallation via /VERYSILENT and /SILENT (unins000.exe).

We'll add better self defense via kernel-mode driver in the next version.

@ForgottenSeer 58943

A lot of AV's could integrate this technology and become real contenders.

We definitely welcome such possibilities.

@silversurfer

Is that error appearing for the first time with test 35 or was it present also in older builds?

@Azure Phoenix

Would you mind if I link this story over at Wilders? I believe it would be nice for people that use this product to hear a real life situation where the product successfully protected a user.

That would be awesome!

Question:

For users who reported the "30000 timeout" issue with the service:

Is the new build 35 or 36 working fine now?

Let me know if you find any error message on the Event Viewer related to OSArmorDevSvc.
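To make the block rules quoted in this thread (reg.exe importing .reg files, attrib.exe setting +h/+s, taskkill.exe, Shutdown.exe except /a, PsTools, silent uninstall via unins000.exe, the All Users folder, and the basic self defense of OSArmorDevSvc) concrete, here is an added example of a small rule engine that evaluates such command-line rules over constructed process-creation events. It is not OSArmor's code and does not reflect how OSArmor implements its rules; the rule names follow the thread, while the matching logic, the PsTools file list, the install path and every sample event are assumptions constructed for the example.

```python
"""Added example (not OSArmor's own code): a small rule engine that emulates
OSArmor-style command-line block rules over constructed process-creation
events. Rule names follow the thread; the matching logic, the PsTools list
and every sample event are constructed here."""
import re
import shlex
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple


@dataclass(frozen=True)
class ProcessEvent:
    image: str      # full path of the executable being started
    cmdline: str    # command line as a process-creation log would record it


@dataclass(frozen=True)
class Verdict:
    blocked: bool
    rule: Optional[str] = None


def image_name(path: str) -> str:
    """Lower-cased basename of a Windows path (accepts \\ or /)."""
    return re.split(r"[\\/]", path)[-1].lower()


def split_args(cmdline: str) -> List[str]:
    """Tokenise a Windows command line: quotes stripped, backslashes kept."""
    try:
        tokens = shlex.split(cmdline, posix=False)
    except ValueError:              # unbalanced quotes: fall back to whitespace split
        tokens = cmdline.split()
    return [t.strip('"').lower() for t in tokens]


# Representative Sysinternals PsTools binaries (constructed list, not from the thread).
PSTOOLS = {"psexec.exe", "pskill.exe", "pslist.exe", "psservice.exe",
           "psshutdown.exe", "pssuspend.exe", "psloggedon.exe"}

# Tools the developer says the basic self defense stops from touching the service.
SERVICE_TAMPER_TOOLS = {"net.exe", "net1.exe", "taskkill.exe", "sc.exe",
                        "reg.exe", "pskill.exe"}
PROTECTED_SERVICE = "osarmordevsvc"

# Each rule is (name, predicate over (image basename, lower-cased path, args)).
Rule = Tuple[str, Callable[[str, str, List[str]], bool]]
RULES: List[Rule] = [
    ("Enable OSArmor self defense (basic)",
     lambda name, path, args: name in SERVICE_TAMPER_TOOLS
     and PROTECTED_SERVICE in " ".join(args)),
    ("Prevent reg.exe from importing .reg files",
     lambda name, path, args: name == "reg.exe" and "import" in args
     and any(a.endswith(".reg") for a in args)),
    ("Prevent attrib.exe from setting +h or +s attributes",
     lambda name, path, args: name == "attrib.exe"
     and any(a in ("+h", "+s") for a in args)),
    ("Block execution of taskkill.exe",
     lambda name, path, args: name == "taskkill.exe"),
    ("Block execution of Shutdown.exe (except /a)",
     lambda name, path, args: name == "shutdown.exe" and "/a" not in args),
    ("Block execution of PsTools Suite from Sysinternals",
     lambda name, path, args: name in PSTOOLS),
    ("Block silent uninstall of OSArmor",
     lambda name, path, args: name == "unins000.exe"
     and bool({"/verysilent", "/silent"} & set(args))),
    ("Block execution of processes on All Users folder",
     lambda name, path, args: "\\all users\\" in path),
]


def evaluate(event: ProcessEvent) -> Verdict:
    """Return the first rule that blocks the event, in the order listed above."""
    name = image_name(event.image)
    path = event.image.lower()
    args = split_args(event.cmdline)[1:]     # drop argv[0]
    for rule_name, predicate in RULES:
        if predicate(name, path, args):
            return Verdict(True, rule_name)
    return Verdict(False)


# Constructed sample events (paths and file names are made up for the example).
SAMPLE_EVENTS = [
    ProcessEvent(r"C:\Windows\System32\reg.exe",
                 r'reg.exe import "C:\Users\Public\persist.reg"'),
    ProcessEvent(r"C:\Windows\System32\attrib.exe",
                 r"attrib.exe +s +h C:\Users\Public\loader"),
    ProcessEvent(r"C:\Windows\System32\sc.exe", "sc.exe stop OSArmorDevSvc"),
    ProcessEvent(r"C:\Windows\System32\shutdown.exe", "shutdown.exe /a"),
    ProcessEvent(r"C:\Windows\System32\shutdown.exe", "shutdown.exe /r /t 0"),
    ProcessEvent(r"C:\Users\All Users\updater.exe",
                 r'"C:\Users\All Users\updater.exe" /background'),
    ProcessEvent(r"C:\Program Files\OSArmor\unins000.exe",
                 r'"C:\Program Files\OSArmor\unins000.exe" /VERYSILENT'),
    ProcessEvent(r"C:\Windows\System32\notepad.exe", "notepad.exe readme.txt"),
]


def run(events: List[ProcessEvent] = SAMPLE_EVENTS) -> List[Tuple[str, Optional[str]]]:
    """Pair each command line with the rule that blocked it (None = allowed)."""
    return [(e.cmdline, evaluate(e).rule) for e in events]


if __name__ == "__main__":
    for cmdline, rule in run():
        print(f"{'BLOCK' if rule else 'ALLOW':5}  {cmdline}  ->  {rule or '-'}")
```

Rules are evaluated first-match, so `sc.exe stop OSArmorDevSvc` is attributed to the self-defense rule rather than anything more generic, and `shutdown.exe /a` (abort) is allowed while `shutdown.exe /r /t 0` is blocked, mirroring the "/a" exclusion in the changelog. A production engine would normally record every matching rule, not only the first, so that tuning one rule does not hide hits on another.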
 

silversurfer

Aug 17, 2014
@silversurfer
Is that error appearing for the first time with test 35 or was it present also in older builds?
It happened for the first time with build 35; older builds always worked perfectly!

[Attachment: error.png]
 

AMD1

Aug 21, 2012
Not sure if it's an issue with OSArmor, which I recently installed, or EXE Radar Pro, but when my PC logs off after a period of inactivity, normally I would click the screen, which would bring up the password login. However, I have had a couple of instances when I click the screen and nothing happens (just a black screen), and therefore I have to press the on/off button on the main PC unit to turn it off and then on again. I have also had instances where KTS fails to update in the background when I am not logged on.

Any help appreciated.

Andy
 

shmu26

Jul 3, 2015
Not sure if it's an issue with OSArmor, which I recently installed, or EXE Radar Pro, but when my PC logs off after a period of inactivity, normally I would click the screen, which would bring up the password login. However, I have had a couple of instances when I click the screen and nothing happens (just a black screen), and therefore I have to press the on/off button on the main PC unit to turn it off and then on again. I have also had instances where KTS fails to update in the background when I am not logged on.

Any help appreciated.

Andy
That black screen is because of ERP. I know it well. Try putting it in training mode, and do a few restarts and sign in and out of your various user accounts. Sometimes, one restart isn't enough to whitelist everything in the boot sequence.
 

AtlBo

Dec 29, 2014
Confirmed. Worst case->safe mode->msconfig.msc->startups->disable NVTOSArmor.

Think one of the OSArmor settings shut down a boot recently on a PC here. In the system tray, only a few things loaded and it was the last one to load. Didn't get the alert, but after rebooting I got an alert and I am not having any issues.
 

509322

That black screen is because of ERP. I know it well. Try putting it in training mode, and do a few restarts and sign in and out of your various user accounts. Sometimes, one restart isn't enough to whitelist everything in the boot sequence.

Study and learn what has been whitelisted otherwise you are just playing with security softs.

99.998 % of people on the security forums are just playing with security softs.

Security begins with knowledge and a state of mind.
 

ForgottenSeer 58943

Well the bad news is, my son almost got infected. The good news is, OSArmor was the only thing that prevented it from taking hold.

A bit of background first. My son is 'reckless' with his system. He's a gamer, he goes to shady sites and he downloads almost anything that is shiny and new without too much regard. To combat issues I put his system on a PHYSICALLY segregated port on my Fortinet with its own VDOM. So whatever he does is totally isolated to his system. I put F-Secure Safe on it, along with Heimdal and OSArmor with HitmanPro on-demand.

Over the weekend I decided to 'check' on his computer. Upon boot (immediately) something tried to execute and was picked up and blocked by OSArmor. Further investigation revealed a NetSupport RAT variant. The trojan was on his system but unable to properly set itself up to execute or cause damage. F-Secure was quiet. Heimdal was quiet. A HitmanPro scan showed no issues. I installed and ran Malwarebytes 2X and it found and removed it. Based on what it found, it failed to properly set itself up to run and was only able to leave its primary script trigger and an exe in a hidden directory. So basically, without OSArmor, he'd have been infected. Even with my massive security, OSArmor was the missing piece of the puzzle that was required to protect him. F-Secure was a total letdown in this respect and DeepGuard did nothing. But I suspect products with really strong BB might have nixed it... This is why I believe in layered security.

I did some experimentation after this 'event' in the lab at work. After testing with this particular threat I switched my son to GData, which actually would have protected him, and dropped F-Secure off of his box. Maybe a bit reactionary, but keep in mind his box is isolated to a physical port and VDOM, so I don't babysit it, and don't feel I NEED to babysit it.

I have a major network rebuild this weekend with some new technologies being dropped in. Including - get this - live, on-the-fly VirusTotal evaluation of files as they are downloaded from the internet to any device on the network. That should be interesting.
 

509322

I did some experimentation after this 'event' in the lab at work. After testing with this particular threat I switched my son to GData, which actually would have protected him, and dropped F-Secure off of his box. Maybe a bit reactionary, but keep in mind his box is isolated to a physical port and VDOM, so I don't babysit it, and don't feel I NEED to babysit it.

I have a major network rebuild this weekend with some new technologies being dropped in. Including - get this - live, on-the-fly VirusTotal evaluation of files as they are downloaded from the internet to any device on the network. That should be interesting.

I thought no one in the house was using Windows any longer? Didn't you transition everyone to Chromebooks?
 

Azure

Oct 23, 2014
I thought no one in the house was using Windows any longer? Didn't you transition everyone to Chromebooks?
I believe @ForgottenSeer 58943 said he still had some gaming PC that had Windows. And since his son is a gamer based on his previous post, then I'm going to assume that was the computer his son used.
 

ForgottenSeer 58943

I believe @ForgottenSeer 58943 said he still had some gaming PC that had Windows. And since his son is a gamer based on his previous post, then I'm going to assume that was the computer his son used.

This is correct and I noted it already, he has one of 4 gaming systems. Technically only 3 now since my daughter rarely turns on her 8 Core, 1070GTX desktop as she prefers mobile/chromebook games over PC games anyway. :unsure:

I've done significant hardening of my internal network by simply removing Windows from the equation to the maximum extent I can. Of course, it's still the Windows machines getting attacked the most aggressively. Right now my environment is significantly Debian, Android 7/8, Chromebook and Raspbian based. All four of which are fairly sturdy against attack/compromise out of the box, but they also enjoy other hardening tweaks. Beyond those, just 3 'active' Windows gaming PCs.

Further hardening will take place this weekend. My wireless controller will be moved to a Debian Micro-PC. My camera server will be migrated to Debian (Sighthound). I am creating a zone-based system of network security at home. Red/Green/Blue zones for higher-level isolation. Right now those Windows boxes are all segregated physically, rather than by VLAN tags, so they aren't talking to ANYTHING on my network except the local DNS server, via restricted protocol and port only, with inspection of that traffic.

Work in progress this weekend.
 

In2an3_PpG

Nov 15, 2016
This is correct and I noted it already, he has one of 4 gaming systems. Technically only 3 now since my daughter rarely turns on her 8 Core, 1070GTX desktop as she prefers mobile/chromebook games over PC games anyway. :unsure:

I've done significant hardening of my internal network by simply removing Windows from the equation to the maximum extent I can. Of course, it's still the Windows machines getting attacked the most aggressively. Right now my environment is significantly Debian, Android 7/8, Chromebook and Raspbian based. All four of which are fairly sturdy against attack/compromise out of the box, but they also enjoy other hardening tweaks. Beyond those, just 3 'active' Windows gaming PCs.

Further hardening will take place this weekend. My wireless controller will be moved to a Debian Micro-PC. My camera server will be migrated to Debian (Sighthound). I am creating a zone-based system of network security at home. Red/Green/Blue zones for higher-level isolation. Right now those Windows boxes are all segregated physically, rather than by VLAN tags, so they aren't talking to ANYTHING on my network except the local DNS server, via restricted protocol and port only, with inspection of that traffic.

Work in progress this weekend.

Please share in your configuration thread. I am very interested to know what you have going on. Always intrigued to learn more.
 

Deletedmessiah

Jan 16, 2017
This is correct and I noted it already, he has one of 4 gaming systems. Technically only 3 now since my daughter rarely turns on her 8 Core, 1070GTX desktop as she prefers mobile/chromebook games over PC games anyway. :unsure:

I've done significant hardening of my internal network by simply removing Windows from the equation to the maximum extent I can. Of course, it's still the Windows machines getting attacked the most aggressively. Right now my environment is significantly Debian, Android 7/8, Chromebook and Raspbian based. All four of which are fairly sturdy against attack/compromise out of the box, but they also enjoy other hardening tweaks. Beyond those, just 3 'active' Windows gaming PCs.

Further hardening will take place this weekend. My wireless controller will be moved to a Debian Micro-PC. My camera server will be migrated to Debian (Sighthound). I am creating a zone-based system of network security at home. Red/Green/Blue zones for higher-level isolation. Right now those Windows boxes are all segregated physically, rather than by VLAN tags, so they aren't talking to ANYTHING on my network except the local DNS server, via restricted protocol and port only, with inspection of that traffic.

Work in progress this weekend.
One thing I want to ask, you mentioned before that Chromebooks are surprisingly well behaved when it comes to privacy and data collection after you turn off all the spying settings available on the system. How good is Android OS in this regard after you turn off all its available spying settings on the phone? Is it worse or as bad as Windows 10?
 

Av Gurus

Sep 22, 2014
I have a major network rebuild this weekend with some new technologies being dropped in. Including - get this - live, on-the-fly VirusTotal evaluation of files as they are downloaded from the internet to any device on the network. That should be interesting.

I'm interested in this (red) setting. How did you do it?
 

ForgottenSeer 58943

One thing I want to ask, you mentioned before that Chromebooks are surprisingly well behaved when it comes to privacy and data collection after you turn off all the spying settings available on the system. How good is Android OS in this regard after you turn off all its available spying settings on the phone? Is it worse or as bad as Windows 10?

Android seems to vary depending on vendor, builds and other factors. It also depends on the 'apps' installed to a huge extent. Is a VANILLA Android OS more private than Windows 10? I think so based on our tests; Windows 10 is an absolute privacy catastrophe IMO. However, once you start installing apps on Android and enabling permissions and such, Android can become a mess as well. Chromebooks are immeasurably less 'chatty' compared to Windows 10 as long as you select NOT to help Google with the OS and disable a few things in the browser.

For Android, IMO the trick is to limit yourself to the very minimum of 'needed' applications. Restrict permissions of apps. Disable unneeded background processes. Then you aren't too bad. If you want to take it even further, disable core apps like Google Maps and install third-party ones with reduced permissions to 'spread' your risk out a bit more from one firm controlling everything. You can install a no-root firewall and control things even more, disable background data use, etc. Maybe install a microphone-blocking application and an ad-blocking app and you should be good. It all depends on what level you want to take it to and how much you care about all of it, I guess.
 

DavidLMO

Dec 25, 2017
One thing I want to ask, you mentioned before that Chromebooks are surprisingly well behaved when it comes to privacy and data collection after you turn off all the spying settings available on the system.

Note that my living room PC is a Chromebook - used for a couple of years and quite pleased. (Posting from my Win 7/64 box.)

@ForgottenSeer 58943 - two questions:

1 - Are you not the person who was going to go with a bunch of Chromebooks? How happy are you with them?
2 - Can you summarize the spying settings? I want to be sure I have my bases covered.

For those unfamiliar with Chromebooks, the OS is under continuing development and the built-in Chrome-based browser is thus also changing periodically, which does make it a bit difficult to keep up with.
 

Deletedmessiah

Jan 16, 2017
Android seems to vary depending on vendor, builds and other factors. It also depends on the 'apps' installed to a huge extent. Is a VANILLA Android OS more private than Windows 10? I think so based on our tests; Windows 10 is an absolute privacy catastrophe IMO. However, once you start installing apps on Android and enabling permissions and such, Android can become a mess as well. Chromebooks are immeasurably less 'chatty' compared to Windows 10 as long as you select NOT to help Google with the OS and disable a few things in the browser.

For Android, IMO the trick is to limit yourself to the very minimum of 'needed' applications. Restrict permissions of apps. Disable unneeded background processes. Then you aren't too bad. If you want to take it even further, disable core apps like Google Maps and install third-party ones with reduced permissions to 'spread' your risk out a bit more from one firm controlling everything. You can install a no-root firewall and control things even more, disable background data use, etc. Maybe install a microphone-blocking application and an ad-blocking app and you should be good. It all depends on what level you want to take it to and how much you care about all of it, I guess.
Thanks for sharing the info. (y)
 
