NoVirusThanks OSArmor

[AtlBo]

I don't run VoodooShield to turn off the icon, but OSA doesn't create many alerts. However, it seems to me like they are the kind a user would want to know about without having to dig around. I REALLY like the concept for OSArmor. afk could mean missing an alert of a key malware component that could then potentiall run another way, etc. When I come back no alert so I would have to open the interface to check if there have been alerts and then find the log, etc. This way, from the shield I could create an exclusion easily.

If it only appeared on first block in a session, the badge could also be set to disappear if the user sets a rule and/or allows the pending block(s) to remain in place, etc. or badge could even just be disabled entirely like is possible with VS...

 

[DavidLMO]

I have trained OSA now thru 37 versions and get very, very few pop-ups. When I do - I go Hmmmm and investigate what I want to do. Very quiet.
ERP on the other hand - not so much. But IMHO ERP is directed at a much more knowledgeable user. Where as even noobies can pretty much run OSA out of the box without being an Infosec specialist. Again - just my opinion.

@AtlBo - If I understand you correctly, good recomendations. "afk" ???

I do not have VS.

 

[AtlBo]

"afk" ???

Away from keyboard...apologies

 

[WinXPert]

@NoVirusThanks what about adding password protection?

 

[NoVirusThanks]

@Electr0n

Please use the v1.4 (pre-release) test 37:
http://downloads.novirusthanks.org/files/osarmor_setup_1.4_test37.exe

@WinXPert

Yes it is on the todo list.

 

[ForgottenSeer 58943]

@Electr0n

Please use the v1.4 (pre-release) test 37:
http://downloads.novirusthanks.org/files/osarmor_setup_1.4_test37.exe

@WinXPert

Yes it is on the todo list.

Fortinite False Positive.

Date/Time: 2/28/2018 7:56:09 PM
Process: [9112]D:\Program Files\Epic Games\Fortnite\Fortnite\FortniteGame\Binaries\Win64\FortniteClient-Win64-Shipping_BE.exe
Parent: [5584]D:\Program Files (x86)\Epic Games\Launcher\Portal\Binaries\Win64\EpicGamesLauncher.exe
Rule: BlockSuspiciousProcesses
Rule Name: Block execution of suspicious processes
Command Line: "D:/Program Files/Epic Games/Fortnite/Fortnite/FortniteGame/Binaries/Win64/FortniteClient-Win64-Shipping_BE.exe" -AUTH_LOGIN=unused -AUTH_PASSWORD=4d773614ba56445ba2dd5d6db0c49c34 -AUTH_TYPE=exchangecode -epicapp=Fortnite -epicenv=Prod -EpicPortal
Signer: Epic Games Inc.
Parent Signer: Epic Games Inc.

 

[Electr0n]

@Electr0n

Please use the v1.4 (pre-release) test 37:
http://downloads.novirusthanks.org/files/osarmor_setup_1.4_test37.exe

Thank you, this test 37 version has the option to add manual exclusions, and that's working like a charm.

 

[Electr0n]

Why are you using v1.3 the latest is v1.4_test37 it has more features including exclusion in the prompts

I initially had downloaded it from the official website, now I got the latest version from novirusthanks. Thanks for the headsup though

 

[ForgottenSeer 58943]

False Positives;

Previously mentioned Fortnite. Also, for grins I tested it on some test machines at work and found it doesn't work well at all with Connectwise, Labtech products.

Date/Time: 3/1/2018 9:34:41 AM
Process: [8860]C:\Windows\System32\cmd.exe
Parent: [1700]C:\Windows\LTSvc\LTSVC.exe
Rule: BlockPowerShellMalformedCommands
Rule Name: Block execution of PowerShell malformed commands
Command Line: "cmd.exe" /C "powershell.exe "Get-ItemProperty HKLM:\software\microsoft\windows\currentversion\uninstall\* | select-object displayname | format-table -autosize" | find /i "vss writer" | find /i "sql server""
Signer:
Parent Signer: ConnectWise, Inc.

Date/Time: 3/1/2018 9:34:56 AM
Process: [3980]C:\Windows\System32\cmd.exe
Parent: [1700]C:\Windows\LTSvc\LTSVC.exe
Rule: BlockPowerShellMalformedCommands
Rule Name: Block execution of PowerShell malformed commands
Command Line: "cmd.exe" /C "powershell.exe "Get-ItemProperty HKLM:\software\microsoft\windows\currentversion\uninstall\* | select-object displayname" | find /i "Citrix" | find /i "Virtual Delivery Agent""
Signer:
Parent Signer: ConnectWise, Inc.

Date/Time: 3/1/2018 10:34:41 AM
Process: [2084]C:\Windows\System32\cmd.exe
Parent: [1700]C:\Windows\LTSvc\LTSVC.exe
Rule: BlockPowerShellMalformedCommands
Rule Name: Block execution of PowerShell malformed commands
Command Line: "cmd.exe" /C "powershell.exe "Get-ItemProperty HKLM:\software\microsoft\windows\currentversion\uninstall\* | select-object displayname | format-table -autosize" | find /i "vss writer" | find /i "sql server""
Signer:
Parent Signer: ConnectWise, Inc.

Date/Time: 3/1/2018 10:34:56 AM
Process: [8304]C:\Windows\System32\cmd.exe
Parent: [1700]C:\Windows\LTSvc\LTSVC.exe
Rule: BlockPowerShellMalformedCommands
Rule Name: Block execution of PowerShell malformed commands
Command Line: "cmd.exe" /C "powershell.exe "Get-ItemProperty HKLM:\software\microsoft\windows\currentversion\uninstall\* | select-object displayname" | find /i "Citrix" | find /i "Virtual Delivery Agent""
Signer:
Parent Signer: ConnectWise, Inc.

Date/Time: 3/1/2018 11:34:42 AM
Process: [7584]C:\Windows\System32\cmd.exe
Parent: [1700]C:\Windows\LTSvc\LTSVC.exe
Rule: BlockPowerShellMalformedCommands
Rule Name: Block execution of PowerShell malformed commands
Command Line: "cmd.exe" /C "powershell.exe "Get-ItemProperty HKLM:\software\microsoft\windows\currentversion\uninstall\* | select-object displayname | format-table -autosize" | find /i "vss writer" | find /i "sql server""
Signer:
Parent Signer: ConnectWise, Inc.

Date/Time: 3/1/2018 11:34:57 AM
Process: [4680]C:\Windows\System32\cmd.exe
Parent: [1700]C:\Windows\LTSvc\LTSVC.exe
Rule: BlockPowerShellMalformedCommands
Rule Name: Block execution of PowerShell malformed commands
Command Line: "cmd.exe" /C "powershell.exe "Get-ItemProperty HKLM:\software\microsoft\windows\currentversion\uninstall\* | select-object displayname" | find /i "Citrix" | find /i "Virtual Delivery Agent""
Signer:
Parent Signer: ConnectWise, Inc.

Date/Time: 3/1/2018 12:34:44 PM
Process: [7788]C:\Windows\System32\cmd.exe
Parent: [1700]C:\Windows\LTSvc\LTSVC.exe
Rule: BlockPowerShellMalformedCommands
Rule Name: Block execution of PowerShell malformed commands
Command Line: "cmd.exe" /C "powershell.exe "Get-ItemProperty HKLM:\software\microsoft\windows\currentversion\uninstall\* | select-object displayname | format-table -autosize" | find /i "vss writer" | find /i "sql server""
Signer:
Parent Signer: ConnectWise, Inc.

Date/Time: 3/1/2018 12:34:59 PM
Process: [9152]C:\Windows\System32\cmd.exe
Parent: [1700]C:\Windows\LTSvc\LTSVC.exe
Rule: BlockPowerShellMalformedCommands
Rule Name: Block execution of PowerShell malformed commands
Command Line: "cmd.exe" /C "powershell.exe "Get-ItemProperty HKLM:\software\microsoft\windows\currentversion\uninstall\* | select-object displayname" | find /i "Citrix" | find /i "Virtual Delivery Agent""
Signer:
Parent Signer: ConnectWise, Inc.

Date/Time: 3/1/2018 1:34:44 PM
Process: [10260]C:\Windows\System32\cmd.exe
Parent: [1700]C:\Windows\LTSvc\LTSVC.exe
Rule: BlockPowerShellMalformedCommands
Rule Name: Block execution of PowerShell malformed commands
Command Line: "cmd.exe" /C "powershell.exe "Get-ItemProperty HKLM:\software\microsoft\windows\currentversion\uninstall\* | select-object displayname | format-table -autosize" | find /i "vss writer" | find /i "sql server""
Signer:
Parent Signer: ConnectWise, Inc.

Date/Time: 3/1/2018 1:34:59 PM
Process: [8824]C:\Windows\System32\cmd.exe
Parent: [1700]C:\Windows\LTSvc\LTSVC.exe
Rule: BlockPowerShellMalformedCommands
Rule Name: Block execution of PowerShell malformed commands
Command Line: "cmd.exe" /C "powershell.exe "Get-ItemProperty HKLM:\software\microsoft\windows\currentversion\uninstall\* | select-object displayname" | find /i "Citrix" | find /i "Virtual Delivery Agent""
Signer:
Parent Signer: ConnectWise, Inc.

 

[shmu26]

There is an issue with MS Office exploit protection, it doesn't work right with OneDrive on Windows 10 RS3.
Because in this version of Win10, the OneDrive files are not downloaded by default, only placeholders are downloaded on the local system.
So if you click on a Word doc placeholder, to open it, first OneDrive has to download it, and that doesn't work with OSA exploit protection. Word just hangs and eventually you get an error message.

 

[ForgottenSeer 58943]

False Positive with the software controller for Unifi/Ubiquiti AP's.


Date/Time: 3/1/2018 11:50:27 PM
Process: [11204]C:\Users\SV1\Ubiquiti UniFi\bin\mongod.exe
Parent: [5820]C:\Program Files\Java\jre1.8.0_162\bin\java.exe
Rule: BlockProcessesOnSuspiciousFolders
Rule Name: Block processes located in suspicious folders
Command Line: bin\mongod --dbpath "C:\Users\SV1\Ubiquiti UniFi\data\db" --port 27117 --logappend --logpath "C:\Users\SV1\Ubiquiti UniFi\logs\mongod.log" --nohttpinterface --bind_ip 127.0.0.1
Signer:
Parent Signer: Oracle America, Inc.

 

[l0rdraiden]

@Electr0n

Please use the v1.4 (pre-release) test 37:
http://downloads.novirusthanks.org/files/osarmor_setup_1.4_test37.exe

@WinXPert

Yes it is on the todo list.

How far are we from a version with pop-ups (optional)?

 

[Carphedon]

Hi there,

First of all thank you for your hard work, awesome software!

I want to report the following problem/bug (v1.4 (pre-release) test 37).

If i run inspectre from GRC (GRC | InSpectre ) OSA tries to block the suspicious process (BlockProcessesOnSuspiciousFolders), it shows a popup and creates a log but the process still runs fine, is it supposed to work like that? The process should not be able to run and work like it is supposed to right?

Log:

Date/Time: 2-3-2018 20:55:21
Process: [3512]C:\Users\USER\AppData\Local\inspect64.exe
Parent: [5112]C:\Users\USER\Downloads\InSpectre.exe
Rule: BlockProcessesOnSuspiciousFolders
Rule Name: Block processes located in suspicious folders
Command Line: C:\Users\USER\AppData\Local\inspect64.exe
Signer:
Parent Signer: Gibson Research Corporation

 

[AtlBo]

Is there any chance that OSArmor could contain an alert about an application trying to turn off the Windows firewall? Would be kind of nice to be able to specify installed processes to protect in this way too.

 

[simmerskool]

Speaking of VS.. I installed the latest version to test and it broke almost everything on my test machine and false positives rang out everywhere. That was after whitelisting and enhanced whitelisting and in autopilot mode! I downloaded the good ole' 3.59, and immediately when it executed forced an upgrade to the latest one which was causing all of the issues. Uninstalled, back to OSArmor.

Anyway, the first thing myself, and probably most people that used VS do is to turn off that always on top icon, right?

curious, I run VS 4.18 on win7x64 and rock solid, no false positives. But then I'm not running OSA, yet. Maybe there's some unresolved conflict between the 2.

 

[shmu26]

Anyway, the first thing myself, and probably most people that used VS do is to turn off that always on top icon, right?

Yes, I think that is probably the least favorite feature of VS, and many users disable it right away.
But the dev is of the opinion that it is very useful for the average Joe user. In addition to increasing awareness of the protection level, you can also drag an exe file onto the icon, and VS will scan it for you.

 

[NoVirusThanks]

Here is a new v1.4 (pre-release) (test38):
http://downloads.novirusthanks.org/files/osarmor_setup_1.4_test38.exe

*** Please do not share the download link, we will delete it when we'll release the official v1.4 ***

So far this is what's new compared to the previous pre-release:

+ Block execution of cacls\icacls\xcacls.exe
+ Block execution of takeown.exe
+ By default "Block execution of taskkill.exe" is disabled
+ Improved detection of suspicious processes
+ Improved detection of suspicious command-lines
+ Improved detection of Bitcoin miner command-lines
+ Improved detection of PowerShell malformed commands
+ Improved OSArmor self defense (basic)
+ Self-protection (basic) is enabled by default and can't be disabled
+ Prevent wevtutil.exe from cleaning Windows Eventlog
+ Prevent Windows Firewall from being disabled via command-line
+ Fixed some false positives

To install it, first uninstall the previous build, then reboot (not really needed but may help), and install the new build.

@ForgottenSeer 58943

FPs should be fixed, thanks for reporting them.

@shmu26

There is an issue with MS Office exploit protection, it doesn't work right with OneDrive on Windows 10 RS3.

Can you post the log of the blocked event?

@Carphedon

I have fixed the FP.

The process should not be able to run and work like it is supposed to right?

I'm sure it matched some internal whitelist rules.

@AtlBo

Added the option "Prevent Windows Firewall from being disabled via command-line".

It covers sc.exe, wmic.exe, net.exe, netsh.exe, etc. Example:

Date/Time: 05/03/2018 15:55:24
Process: [2680]C:\Windows\System32\netsh.exe
Parent: [4272]C:\Windows\System32\cmd.exe
Rule: PreventWindowsFirewallFromBeingDisabledViaCmdline
Rule Name: Prevent Windows Firewall from being disabled via command-line
Command Line: netsh  advfirewall set allprofiles state off
Signer:
Parent Signer:

Date/Time: 05/03/2018 15:58:24
Process: [3148]C:\Windows\System32\sc.exe
Parent: [1964]C:\Windows\System32\cmd.exe
Rule: PreventWindowsFirewallFromBeingDisabledViaCmdline
Rule Name: Prevent Windows Firewall from being disabled via command-line
Command Line: sc  stop MpsSvc
Signer:
Parent Signer:

 

[shmu26]

@shmu26

Can you post the log of the blocked event?

I did not see a OSA block event, I only saw Word fail to open the doc.

 

[Deleted Member 3a5v73x]

Intel® Driver & Support Assistant

v1.4 (pre-release) (test38)

Date/Time: 3/5/2018 7:21:06 PM
Process: [6736]C:\Windows\System32\cmd.exe
Parent: [1488]C:\Windows\System32\wscript.exe
Rule: AntiExploitWindowsScriptHost
Rule Name: (Anti-Exploit) Protect Windows Script Host
Command Line: "C:\WINDOWS\system32\cmd.exe" /c "C:\Program Files\Intel\SUR\QUEENCREEK\x64\task.bat"
Signer:
Parent Signer:

 

[shmu26]

Intel® Driver & Support Assistant

v1.4 (pre-release) (test38)

Date/Time: 3/5/2018 7:21:06 PM
Process: [6736]C:\Windows\System32\cmd.exe
Parent: [1488]C:\Windows\System32\wscript.exe
Rule: AntiExploitWindowsScriptHost
Rule Name: (Anti-Exploit) Protect Windows Script Host
Command Line: "C:\WINDOWS\system32\cmd.exe" /c "C:\Program Files\Intel\SUR\QUEENCREEK\x64\task.bat"
Signer:
Parent Signer:

Hey, that's an interesting log. I don't often see legit programs using wscript.