NoVirusThanks OSArmor

[Andy Ful]

PowerShell scripts blocked when executing, cannot be also edited via powershell_ise.exe or notepad.exe - both execution and edition is blocked by NVTOSA 1.1. But, VBS scripts blocked when executing, can be edited by notepad.exe.
Tested PowerShell script:

$mpX = New-Object System.Net.WebClient; $mpX.Headers['User-Agent'] = 'ff-user'; $mpX.DownloadFile('http://downloads.novirusthanks.org/files/osarmor_setup.exe', $env:USERPROFILE + '\Downloads\osarmor_setup.exe'); (New-Object -com Shell.Application).ShellExecute($env:USERPROFILE + '\Downloads\osarmor_setup.exe',"")

Tested VBS script:

Set WshShell = CreateObject("WScript.Shell")[/COLOR][/LEFT]
[COLOR=rgb(29, 33, 41)]
[LEFT]WshShell.Run("c:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -noprofile -command (New-Object System.Net.WebClient).DownloadFile('https://kcsoftwares.com/files/sumo_lite.exe',$env:USERPROFILE + '\Downloads\sumo_lite.exe')")
WScript.Sleep(10000)
path = WshShell.ExpandEnvironmentStrings("%userprofile%\\Downloads\\sumo_lite.exe")
WshShell.Run(path)
WScript.Quit

​

 

[Deletedmessiah]

Secure boot is a feature in the firmware/BIOS, that is where you turn it on or off.
Windows 10, in the later versions, has an additional restriction related to secure boot, it will not allow Windows to start if drivers are not co-signed. That is the issue with OSA. As far as I know, Windows 8.1 does not have this restriction.
If you try to install something, and the drivers are problematic, Windows will warn you right away. So it's a no-brainer. If you get the Windows warning, just cancel the installation, until you disable secure boot.

Thanks man!

 

[shmu26]

blocks of valid processes:

Date/Time: 12/19/2017 1:15:46 PM
Process: [10032]C:\Windows\System32\rundll32.exe
Parent: [9972]C:\Windows\SysWOW64\rundll32.exe
Rule: BlockExpPayload
Rule Name: Basic anti-exploit protection (parent->child process)
Command Line: C:\Windows\system32\rundll32.exe "C:\Program Files (x86)\Babylon\Babylon-Pro\Utils\BabylonDocTranslation64PI.dll",AdminAction64 3 0
Signer:
Parent Signer:

Date/Time: 12/19/2017 1:15:46 PM
Process: [10048]C:\Windows\System32\rundll32.exe
Parent: [10020]C:\Windows\SysWOW64\rundll32.exe
Rule: BlockExpPayload
Rule Name: Basic anti-exploit protection (parent->child process)
Command Line: C:\Windows\system32\rundll32.exe "C:\Program Files (x86)\Babylon\Babylon-Pro\Utils\BabylonOffice64PI.dll",AdminAction64 3 0
Signer:
Parent Signer:

 

[shmu26]

Here are some more blocked processes, this time from my HP officejet printer

Date/Time: 12/19/2017 3:29:15 PM
Process: [6260]C:\Windows\System32\rundll32.exe
Parent: [5472]C:\Windows\System32\rundll32.exe
Rule: BlockExpPayload
Rule Name: Basic anti-exploit protection (parent->child process)
Command Line: RunDLL32.exe C:\Windows\system32\spool\DRIVERS\x64\3\hpinksts7212.dll,RunDLLEntry FRIENDLYNAME=HP Officejet Pro 6830 (Network);JOBID=2;DOCNAME=Microsoft Word - Document1;MONITORNAME=WSD Port Monitor;CALLSTATE=PRIMARY;
Signer:
Parent Signer:
Date/Time: 12/19/2017 3:29:31 PM
Process: [2036]C:\Windows\System32\rundll32.exe
Parent: [4760]C:\Windows\System32\rundll32.exe
Rule: BlockExpPayload
Rule Name: Basic anti-exploit protection (parent->child process)
Command Line: RunDLL32.exe C:\Windows\system32\spool\DRIVERS\x64\3\hpinksts7212.dll,RunDLLEntry FRIENDLYNAME=HP Officejet Pro 6830 (Network);JOBID=2;MONITORNAME=WSD Port Monitor;CALLSTATE=APPINFO;APPNAME=Microsoft_Word;TOTALPAGES=1;PAGESPRINTED=0;
Signer:
Parent Signer:
Date/Time: 12/19/2017 3:30:33 PM
Process: [4600]C:\Windows\System32\rundll32.exe
Parent: [8920]C:\Program Files\Microsoft Office\Office16\WINWORD.EXE
Rule: BlockExpPayload
Rule Name: Basic anti-exploit protection (parent->child process)
Command Line: RunDLL32.exe C:\Windows\system32\spool\DRIVERS\x64\3\HPOJ6830FaxPCSendRenderPlugin.dll,RunDLLEntry Fax - HP Officejet Pro 6830 (Network)
Microsoft Word - Document1
TH4AR6D1JD:NW
InkJet
Parent Signer: Microsoft Corporation

 

[Andy Ful]

blocks of valid processes:

Date/Time: 12/19/2017 1:15:46 PM
Process: [10032]C:\Windows\System32\rundll32.exe
Parent: [9972]C:\Windows\SysWOW64\rundll32.exe
Rule: BlockExpPayload
Rule Name: Basic anti-exploit protection (parent->child process)
Command Line: C:\Windows\system32\rundll32.exe "C:\Program Files (x86)\Babylon\Babylon-Pro\Utils\BabylonDocTranslation64PI.dll",AdminAction64 3 0
Signer:
Parent Signer:

Date/Time: 12/19/2017 1:15:46 PM
Process: [10048]C:\Windows\System32\rundll32.exe
Parent: [10020]C:\Windows\SysWOW64\rundll32.exe
Rule: BlockExpPayload
Rule Name: Basic anti-exploit protection (parent->child process)
Command Line: C:\Windows\system32\rundll32.exe "C:\Program Files (x86)\Babylon\Babylon-Pro\Utils\BabylonOffice64PI.dll",AdminAction64 3 0
Signer:
Parent Signer:

The Babylon search toolbar (bundled with Babylon) was identified as a browser hijacker some years ago. How is the Babylon status today?

 

[Deleted member 65228]

The Babylon search toolbar (bundled with Babylon) was identified as a browser hijacker some years ago. How is the Babylon status today?

How to remove the Babylon toolbar, home page and search engine | Firefox Help

Probably isn't very reputable nowadays either. I wouldn't trust them after their past history. Babylon made around 50+ million on average because of those tool-bars AFAIK.

 

[shmu26]

The Babylon search toolbar (bundled with Babylon) was identified as a browser hijacker some years ago. How is the Babylon status today?

I have Babylon translator installed as a desktop app, and I use it regularly in my work (I have subscriptions to premium dictionaries). Babylon integrates into the browser, but does not redirect searches or exhibit any unwanted behavior.

 

[shmu26]

How to remove the Babylon toolbar, home page and search engine | Firefox Help

Probably isn't very reputable nowadays either. I wouldn't trust them after their past history. Babylon made around 50+ million on average because of those tool-bars AFAIK.

I have been using it on a daily basis for years, and never saw unwanted behavior. It is an essential work tool for me.

EDIT: Just to make it clear, I am speaking of Babylon translator the desktop application. I don't use the toolbar. It is not a part of the Babylon translator. Maybe it was, ten years ago. Don't remember.

 

[Andy Ful]

I have Babylon translator installed as a desktop app, and I use it regularly in my work (I have subscriptions to premium dictionaries). Babylon integrates into the browser, but does not redirect searches or exhibit any unwanted behavior.

The problem is probably with the free version (not Pro).
Anyway, it will be hard to whitelist all popular software that can use rundll32.exe .

 

[shmu26]

The problem is probably with the free version (not Pro).
Anyway, it will be hard to whitelist all popular software that can use rundll32.exe .

1 The free version is essentially the same, except for ads to buy the pro version.
2 You are absolutely right, impossible to whitelist all the rundll32.exe. When Andreas adds an option to allow exceptions, that will solve the problem.

 

[Deleted member 65228]

Just to make it clear, I am speaking of Babylon translator the desktop application. I don't use the toolbar.

Ah, I was thinking of the Babylon tool-bar yes. I'm not sure about their translator software, but I'll take your word for it considering you use it daily.

 

[Andy Ful]

1 The free version is essentially the same, except for ads to buy the pro version.
2 You are absolutely right, impossible to whitelist all the rundll32.exe. When Andreas adds an option to allow exceptions, that will solve the problem.

I installed Babylon free - it is a desktop application that integrates with Microsoft Office and web browsers. It tries installing the addon into Firefox (without informing). In Firefox v57.0.2 the installation fails because the addon is incompatible. Also when installing Babylon, the NVTOSA 1.1 blocks regsvr32.exe :
Date/Time: 19.12.2017 16:43:25
Process: [4952]C:\Windows\System32\regsvr32.exe
Parent: [3336]C:\Windows\SysWOW64\regsvr32.exe
Rule: BlockExpPayload
Rule Name: Basic anti-exploit protection (parent->child process)
Command Line: /s "C:\Program Files (x86)\Babylon\Babylon-Pro\Utils\BabylonOffice64PI.dll"
Signer:
Parent Signer:
.
Edit
Babylon used NPAPI plugin to install the toolbar, and it could not be uninstalled in the standard way.
Edge, Chrome, and Firefox do not accept NPAPI plugins anymore.
Babylon was not alone in aggressive advertising bundled with the free versions, the same was with WhiteSmoke.

 

[shmu26]

I installed Babylon free - it is a desktop application that integrates with Microsoft Office and web browsers. It tries installing the addon into Firefox (without informing). In Firefox v57.0.2 the installation fails because the addon is incompatible. Also when installing Babylon, the NVTOSA 1.1 blocks regsvr32.exe :
Date/Time: 19.12.2017 16:43:25
Process: [4952]C:\Windows\System32\regsvr32.exe
Parent: [3336]C:\Windows\SysWOW64\regsvr32.exe
Rule: BlockExpPayload
Rule Name: Basic anti-exploit protection (parent->child process)
Command Line: /s "C:\Program Files (x86)\Babylon\Babylon-Pro\Utils\BabylonOffice64PI.dll"
Signer:
Parent Signer:
.
Edit
Babylon used NPAPI plugin to install the toolbar, and it could not be uninstalled in the standard way.
Edge, Chrome, and Firefox do not accept NPAPI plugins anymore.
Babylon was not alone in aggressive advertising bundled with the free versions, the same was with WhiteSmoke.

Yes, aggressive advertising is definitely correct, and even an understatement. And the aggressive installation of browser plugins is a real pain. I can't stand it.

 

[NoVirusThanks]

I've released a new version v1.2:
Prevent Malware and Ransomware with OSArmor | NoVirusThanks

[19-Dec-2017] v1.2.0.0

+ Block processes named like *keygen* or *crack* (unchecked by default)
+ Block execution of schtasks.exe is now unchecked by default
+ Prevent Regsvr32.exe from using /i: powershell
+ Fixed some false positives

@plat1098 @harlan4096 @shmu26 @Andy Ful

All reported FPs about rundll32, regsvr32, Clover should be fixed now.

I've uploaded a new short video about a malicious .DOC file received two days ago via email spam:
Hancitor (Chanitor) .DOC Exploit Payload Blocked by OSArmor

 

[shmu26]

I've released a new version v1.2:
Prevent Malware and Ransomware with OSArmor | NoVirusThanks

[19-Dec-2017] v1.2.0.0

+ Block processes named like *keygen* or *crack* (unchecked by default)
+ Block execution of schtasks.exe is now unchecked by default
+ Prevent Regsvr32.exe from using /i: powershell
+ Fixed some false positives

@plat1098 @harlan4096 @shmu26 @Andy Ful

All reported FPs about rundll32, regsvr32, Clover should be fixed now.

I've uploaded a new short video about a malicious .DOC file received two days ago via email spam:
Hancitor (Chanitor) .DOC Exploit Payload Blocked by OSArmor

Thanks!

 

[Glashouse]

Thanks Andreas,

it would also be great if we would have a option to pause / temp. disable OS Amor to do installations for example...

 

[AtlBo]

I've released a new version v1.2:
Prevent Malware and Ransomware with OSArmor | NoVirusThanks

[19-Dec-2017] v1.2.0.0

+ Block processes named like *keygen* or *crack* (unchecked by default)
+ Block execution of schtasks.exe is now unchecked by default
+ Prevent Regsvr32.exe from using /i: powershell
+ Fixed some false positives

Andreas, with specialty protections like these, have you considered attempting to represent protections by set of classifications? Would it help to be able to see them in a schematic of some kind maybe too? Might make settings interesting if, for example, you had a section of settings for which exclusions could be created and then another set of unique single protection settings that could themselves be classified somehow, like by area of protection (i.e registry, etc.). I know your project is early in development, so maybe this kind of thinking is too early . For me, representing complex scenarios with some symmetry has helped me in the past or seeing something represented that way etc.

This really is beginning to remind me of a standalone BB. Most of them don't have very many control options, however. Don't recall of hand who first mentioned this, but I think that was a clever observation.

Thanks for all your work through the years by the way. Wish the best for you with this 100% as I am sure everyone here does...

 

[harlan4096]

@NoVirusThanks: I can confirm FP with Clover is fixed in version 1.2.0.0, thanks!

 

[Prorootect]

NoVirusThanks - Thank You! - it's my first software download in ages! so you see I have big confidency on you...
I've downloaded latest v1.2.
One little problem I see: to memorise notched (by me) blocks in Configurator, start OSArmorDevCfg.exe file from the C:\OSArmorDevSvc folder, if not it's not memorised from OSArmor UI...
- What do you advise to notch from those unnotched, please?

 

[harlan4096]

@NoVirusThanks: version 1.2.0.0 (default settings), new block with KTS2019beta 19.0.0.798, but I guess that probably will get the same in stable versions KAV/KIS/KTS 2017, 2018:

Date/Time: 20/12/2017 8:12:07
Process: [2092]C:\Windows\System32\cmd.exe
Parent: [2208]C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
Rule: BlockExpPayload
Rule Name: Basic anti-exploit protection (parent->child process)
Command Line: C:\WINDOWS\system32\cmd.exe /d /c "C:\Program Files (x86)\Kaspersky Lab\Kaspersky Total Security Technical Preview 19.0.0\plugins-setup.exe" chrome-extension://amkpcclbbgegoafihnpgomddadjhcadd/ --parent-window=0 < \\.\pipe\chrome.nativeMessaging.in.87ba7fe2bfed235 > \\.\pipe\chrome.nativeMessaging.out.87ba7fe2bfed235
Signer:
Parent Signer: Google Inc