NoVirusThanks OSArmor

AtlBo

I don't run VoodooShield to turn off the icon, but OSA doesn't create many alerts. However, it seems to me like they are the kind a user would want to know about without having to dig around. I REALLY like the concept for OSArmor. afk could mean missing an alert of a key malware component that could then potentially run another way, etc. When I come back there is no alert, so I would have to open the interface to check if there have been alerts and then find the log, etc. This way, from the shield I could create an exclusion easily.

If it only appeared on first block in a session, the badge could also be set to disappear if the user sets a rule and/or allows the pending block(s) to remain in place, etc. or badge could even just be disabled entirely like is possible with VS...

DavidLMO

I have trained OSA now thru 37 versions and get very, very few pop-ups. When I do - I go Hmmmm and investigate what I want to do. Very quiet.
ERP on the other hand - not so much. But IMHO ERP is directed at a much more knowledgeable user. Whereas even noobies can pretty much run OSA out of the box without being an Infosec specialist. Again - just my opinion.

@AtlBo - If I understand you correctly, good recommendations. "afk" ???

I do not have VS.

ForgottenSeer 58943

@Electr0n

Please use the v1.4 (pre-release) test 37:
http://downloads.novirusthanks.org/files/osarmor_setup_1.4_test37.exe

@WinXPert

Yes it is on the todo list.

Fortnite False Positive.

Date/Time: 2/28/2018 7:56:09 PM
Process: [9112]D:\Program Files\Epic Games\Fortnite\Fortnite\FortniteGame\Binaries\Win64\FortniteClient-Win64-Shipping_BE.exe
Parent: [5584]D:\Program Files (x86)\Epic Games\Launcher\Portal\Binaries\Win64\EpicGamesLauncher.exe
Rule: BlockSuspiciousProcesses
Rule Name: Block execution of suspicious processes
Command Line: "D:/Program Files/Epic Games/Fortnite/Fortnite/FortniteGame/Binaries/Win64/FortniteClient-Win64-Shipping_BE.exe" -AUTH_LOGIN=unused -AUTH_PASSWORD=4d773614ba56445ba2dd5d6db0c49c34 -AUTH_TYPE=exchangecode -epicapp=Fortnite -epicenv=Prod -EpicPortal
Signer: Epic Games Inc.
Parent Signer: Epic Games Inc.

ForgottenSeer 58943

False Positives:

Previously mentioned Fortnite. Also, for grins I tested it on some test machines at work and found it doesn't work well at all with Connectwise, Labtech products.

Date/Time: 3/1/2018 9:34:41 AM
Process: [8860]C:\Windows\System32\cmd.exe
Parent: [1700]C:\Windows\LTSvc\LTSVC.exe
Rule: BlockPowerShellMalformedCommands
Rule Name: Block execution of PowerShell malformed commands
Command Line: "cmd.exe" /C "powershell.exe "Get-ItemProperty HKLM:\software\microsoft\windows\currentversion\uninstall\* | select-object displayname | format-table -autosize" | find /i "vss writer" | find /i "sql server""
Signer:
Parent Signer: ConnectWise, Inc.

Date/Time: 3/1/2018 9:34:56 AM
Process: [3980]C:\Windows\System32\cmd.exe
Parent: [1700]C:\Windows\LTSvc\LTSVC.exe
Rule: BlockPowerShellMalformedCommands
Rule Name: Block execution of PowerShell malformed commands
Command Line: "cmd.exe" /C "powershell.exe "Get-ItemProperty HKLM:\software\microsoft\windows\currentversion\uninstall\* | select-object displayname" | find /i "Citrix" | find /i "Virtual Delivery Agent""
Signer:
Parent Signer: ConnectWise, Inc.

Date/Time: 3/1/2018 10:34:41 AM
Process: [2084]C:\Windows\System32\cmd.exe
Parent: [1700]C:\Windows\LTSvc\LTSVC.exe
Rule: BlockPowerShellMalformedCommands
Rule Name: Block execution of PowerShell malformed commands
Command Line: "cmd.exe" /C "powershell.exe "Get-ItemProperty HKLM:\software\microsoft\windows\currentversion\uninstall\* | select-object displayname | format-table -autosize" | find /i "vss writer" | find /i "sql server""
Signer:
Parent Signer: ConnectWise, Inc.

Date/Time: 3/1/2018 10:34:56 AM
Process: [8304]C:\Windows\System32\cmd.exe
Parent: [1700]C:\Windows\LTSvc\LTSVC.exe
Rule: BlockPowerShellMalformedCommands
Rule Name: Block execution of PowerShell malformed commands
Command Line: "cmd.exe" /C "powershell.exe "Get-ItemProperty HKLM:\software\microsoft\windows\currentversion\uninstall\* | select-object displayname" | find /i "Citrix" | find /i "Virtual Delivery Agent""
Signer:
Parent Signer: ConnectWise, Inc.

Date/Time: 3/1/2018 11:34:42 AM
Process: [7584]C:\Windows\System32\cmd.exe
Parent: [1700]C:\Windows\LTSvc\LTSVC.exe
Rule: BlockPowerShellMalformedCommands
Rule Name: Block execution of PowerShell malformed commands
Command Line: "cmd.exe" /C "powershell.exe "Get-ItemProperty HKLM:\software\microsoft\windows\currentversion\uninstall\* | select-object displayname | format-table -autosize" | find /i "vss writer" | find /i "sql server""
Signer:
Parent Signer: ConnectWise, Inc.

Date/Time: 3/1/2018 11:34:57 AM
Process: [4680]C:\Windows\System32\cmd.exe
Parent: [1700]C:\Windows\LTSvc\LTSVC.exe
Rule: BlockPowerShellMalformedCommands
Rule Name: Block execution of PowerShell malformed commands
Command Line: "cmd.exe" /C "powershell.exe "Get-ItemProperty HKLM:\software\microsoft\windows\currentversion\uninstall\* | select-object displayname" | find /i "Citrix" | find /i "Virtual Delivery Agent""
Signer:
Parent Signer: ConnectWise, Inc.

Date/Time: 3/1/2018 12:34:44 PM
Process: [7788]C:\Windows\System32\cmd.exe
Parent: [1700]C:\Windows\LTSvc\LTSVC.exe
Rule: BlockPowerShellMalformedCommands
Rule Name: Block execution of PowerShell malformed commands
Command Line: "cmd.exe" /C "powershell.exe "Get-ItemProperty HKLM:\software\microsoft\windows\currentversion\uninstall\* | select-object displayname | format-table -autosize" | find /i "vss writer" | find /i "sql server""
Signer:
Parent Signer: ConnectWise, Inc.

Date/Time: 3/1/2018 12:34:59 PM
Process: [9152]C:\Windows\System32\cmd.exe
Parent: [1700]C:\Windows\LTSvc\LTSVC.exe
Rule: BlockPowerShellMalformedCommands
Rule Name: Block execution of PowerShell malformed commands
Command Line: "cmd.exe" /C "powershell.exe "Get-ItemProperty HKLM:\software\microsoft\windows\currentversion\uninstall\* | select-object displayname" | find /i "Citrix" | find /i "Virtual Delivery Agent""
Signer:
Parent Signer: ConnectWise, Inc.

Date/Time: 3/1/2018 1:34:44 PM
Process: [10260]C:\Windows\System32\cmd.exe
Parent: [1700]C:\Windows\LTSvc\LTSVC.exe
Rule: BlockPowerShellMalformedCommands
Rule Name: Block execution of PowerShell malformed commands
Command Line: "cmd.exe" /C "powershell.exe "Get-ItemProperty HKLM:\software\microsoft\windows\currentversion\uninstall\* | select-object displayname | format-table -autosize" | find /i "vss writer" | find /i "sql server""
Signer:
Parent Signer: ConnectWise, Inc.

Date/Time: 3/1/2018 1:34:59 PM
Process: [8824]C:\Windows\System32\cmd.exe
Parent: [1700]C:\Windows\LTSvc\LTSVC.exe
Rule: BlockPowerShellMalformedCommands
Rule Name: Block execution of PowerShell malformed commands
Command Line: "cmd.exe" /C "powershell.exe "Get-ItemProperty HKLM:\software\microsoft\windows\currentversion\uninstall\* | select-object displayname" | find /i "Citrix" | find /i "Virtual Delivery Agent""
Signer:
Parent Signer: ConnectWise, Inc.
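The eight ConnectWise entries above are the same two inventory checks recurring on the hour from the same signed parent, which is exactly the shape a defender wants surfaced before deciding on an exclusion. The following is an added Python example, not OSArmor's code or anything from NoVirusThanks: it parses blocks in the log layout the reports in this thread use (the field names are the real ones; the PIDs, timestamps and the third, unsigned entry in the sample are constructed) and groups repeats by rule, parent path, parent signer and normalised command line. Only recurring blocks with a signed parent are returned as exclusion candidates; an unsigned parent never qualifies, however often it repeats.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample in the OSArmor log layout posted in this thread. Field names are the
# real ones; PIDs and timestamps are made up. Entries 1-2 mirror the recurring ConnectWise
# (LabTech) check reported above, entry 3 is a constructed unsigned parent in a temp folder.
SAMPLE_LOG = r'''
Date/Time: 3/1/2018 9:34:56 AM
Process: [3980]C:\Windows\System32\cmd.exe
Parent: [1700]C:\Windows\LTSvc\LTSVC.exe
Rule: BlockPowerShellMalformedCommands
Rule Name: Block execution of PowerShell malformed commands
Command Line: "cmd.exe" /C "powershell.exe "Get-ItemProperty HKLM:\software\microsoft\windows\currentversion\uninstall\* | select-object displayname" | find /i "Citrix" | find /i "Virtual Delivery Agent""
Signer:
Parent Signer: ConnectWise, Inc.

Date/Time: 3/1/2018 10:34:56 AM
Process: [8304]C:\Windows\System32\cmd.exe
Parent: [1700]C:\Windows\LTSvc\LTSVC.exe
Rule: BlockPowerShellMalformedCommands
Rule Name: Block execution of PowerShell malformed commands
Command Line: "cmd.exe"  /C "powershell.exe "Get-ItemProperty HKLM:\software\microsoft\windows\currentversion\uninstall\* | select-object displayname" | find /i "Citrix" | find /i "Virtual Delivery Agent""
Signer:
Parent Signer: ConnectWise, Inc.

Date/Time: 3/1/2018 10:40:02 AM
Process: [5120]C:\Windows\System32\cmd.exe
Parent: [6001]C:\Users\USER\AppData\Local\Temp\updater.exe
Rule: BlockPowerShellMalformedCommands
Rule Name: Block execution of PowerShell malformed commands
Command Line: "cmd.exe" /C "powershell.exe -nop -w hidden -File C:\Users\USER\AppData\Local\Temp\run.ps1"
Signer:
Parent Signer:
'''

PID_RE = re.compile(r"^\[(\d+)\](.*)$")


@dataclass(frozen=True)
class Event:
    when: str
    process: str
    parent: str
    rule: str
    cmdline: str
    signer: str
    parent_signer: str


def _split_pid(field):
    """'[1700]C:\\x.exe' -> 'C:\\x.exe'; the PID changes every run and must not feed a grouping key."""
    m = PID_RE.match(field)
    return m.group(2) if m else field


def parse_events(text):
    """Parse blank-line separated OSArmor log blocks into Event records."""
    events = []
    for block in re.split(r"\n\s*\n", text.strip()):
        rec = {}
        for line in block.splitlines():
            key, sep, value = line.partition(":")  # split at the first colon only
            if sep:
                rec[key.strip()] = value.strip()
        if "Rule" not in rec or "Command Line" not in rec:
            continue  # not a complete OSArmor block
        events.append(Event(
            when=rec.get("Date/Time", ""),
            process=_split_pid(rec.get("Process", "")),
            parent=_split_pid(rec.get("Parent", "")),
            rule=rec["Rule"],
            cmdline=rec["Command Line"],
            signer=rec.get("Signer", ""),
            parent_signer=rec.get("Parent Signer", ""),
        ))
    return events


def normalize_cmdline(cmdline):
    """Case-fold and collapse whitespace so repeated runs of the same command group together."""
    return " ".join(cmdline.split()).lower()


def group_blocks(events):
    """Count identical (rule, parent path, parent signer, normalised command line) tuples."""
    return Counter((e.rule, e.parent, e.parent_signer, normalize_cmdline(e.cmdline)) for e in events)


def exclusion_candidates(events, min_count=2):
    """Recurring blocks whose parent carries a signer are the ones worth reviewing for an
    exclusion; an unsigned parent (empty signer) never qualifies, however often it recurs."""
    return [key for key, n in group_blocks(events).items() if n >= min_count and key[2]]


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    for rule, parent, signer, cmd in exclusion_candidates(evs):
        print(f"{rule}: parent={parent} signer={signer!r}\n  {cmd}")
```

Run it over a saved OSArmor log and the output is the short list an operator actually has to read; everything else stays a block.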
shmu26

There is an issue with MS Office exploit protection, it doesn't work right with OneDrive on Windows 10 RS3.
Because in this version of Win10, the OneDrive files are not downloaded by default, only placeholders are downloaded on the local system.
So if you click on a Word doc placeholder, to open it, first OneDrive has to download it, and that doesn't work with OSA exploit protection. Word just hangs and eventually you get an error message.

ForgottenSeer 58943

False Positive with the software controller for Unifi/Ubiquiti APs.

Date/Time: 3/1/2018 11:50:27 PM
Process: [11204]C:\Users\SV1\Ubiquiti UniFi\bin\mongod.exe
Parent: [5820]C:\Program Files\Java\jre1.8.0_162\bin\java.exe
Rule: BlockProcessesOnSuspiciousFolders
Rule Name: Block processes located in suspicious folders
Command Line: bin\mongod --dbpath "C:\Users\SV1\Ubiquiti UniFi\data\db" --port 27117 --logappend --logpath "C:\Users\SV1\Ubiquiti UniFi\logs\mongod.log" --nohttpinterface --bind_ip 127.0.0.1
Signer:
Parent Signer: Oracle America, Inc.

Carphedon

Hi there,

First of all thank you for your hard work, awesome software!

I want to report the following problem/bug (v1.4 (pre-release) test 37).

If I run InSpectre from GRC (GRC | InSpectre) OSA tries to block the suspicious process (BlockProcessesOnSuspiciousFolders), it shows a popup and creates a log, but the process still runs fine. Is it supposed to work like that? The process should not be able to run and work like it is supposed to, right?

Log:

Date/Time: 2-3-2018 20:55:21
Process: [3512]C:\Users\USER\AppData\Local\inspect64.exe
Parent: [5112]C:\Users\USER\Downloads\InSpectre.exe
Rule: BlockProcessesOnSuspiciousFolders
Rule Name: Block processes located in suspicious folders
Command Line: C:\Users\USER\AppData\Local\inspect64.exe
Signer:
Parent Signer: Gibson Research Corporation

simmerskool

Speaking of VS.. I installed the latest version to test and it broke almost everything on my test machine and false positives rang out everywhere. That was after whitelisting and enhanced whitelisting and in autopilot mode! I downloaded the good ole' 3.59, and immediately when it executed forced an upgrade to the latest one which was causing all of the issues. Uninstalled, back to OSArmor.

Anyway, the first thing myself, and probably most people that used VS do is to turn off that always on top icon, right?

Curious, I run VS 4.18 on win7x64 and it is rock solid, no false positives. But then I'm not running OSA, yet. Maybe there's some unresolved conflict between the 2.

shmu26

Anyway, the first thing myself, and probably most people that used VS do is to turn off that always on top icon, right?
Yes, I think that is probably the least favorite feature of VS, and many users disable it right away.
But the dev is of the opinion that it is very useful for the average Joe user. In addition to increasing awareness of the protection level, you can also drag an exe file onto the icon, and VS will scan it for you.

NoVirusThanks

From NoVirusThanks
Developer
Here is a new v1.4 (pre-release) (test38):
http://downloads.novirusthanks.org/files/osarmor_setup_1.4_test38.exe

*** Please do not share the download link, we will delete it when we release the official v1.4 ***

So far this is what's new compared to the previous pre-release:

+ Block execution of cacls\icacls\xcacls.exe
+ Block execution of takeown.exe
+ By default "Block execution of taskkill.exe" is disabled
+ Improved detection of suspicious processes
+ Improved detection of suspicious command-lines
+ Improved detection of Bitcoin miner command-lines
+ Improved detection of PowerShell malformed commands
+ Improved OSArmor self defense (basic)
+ Self-protection (basic) is enabled by default and can't be disabled
+ Prevent wevtutil.exe from cleaning Windows Eventlog
+ Prevent Windows Firewall from being disabled via command-line
+ Fixed some false positives

To install it, first uninstall the previous build, then reboot (not really needed but may help), and install the new build.

@ForgottenSeer 58943

FPs should be fixed, thanks for reporting them.

@shmu26

There is an issue with MS Office exploit protection, it doesn't work right with OneDrive on Windows 10 RS3.

Can you post the log of the blocked event?

@Carphedon

I have fixed the FP.

The process should not be able to run and work like it is supposed to right?

I'm sure it matched some internal whitelist rules.

@AtlBo

Added the option "Prevent Windows Firewall from being disabled via command-line".

It covers sc.exe, wmic.exe, net.exe, netsh.exe, etc. Example:

Code:
Date/Time: 05/03/2018 15:55:24
Process: [2680]C:\Windows\System32\netsh.exe
Parent: [4272]C:\Windows\System32\cmd.exe
Rule: PreventWindowsFirewallFromBeingDisabledViaCmdline
Rule Name: Prevent Windows Firewall from being disabled via command-line
Command Line: netsh  advfirewall set allprofiles state off
Signer:
Parent Signer:

Date/Time: 05/03/2018 15:58:24
Process: [3148]C:\Windows\System32\sc.exe
Parent: [1964]C:\Windows\System32\cmd.exe
Rule: PreventWindowsFirewallFromBeingDisabledViaCmdline
Rule Name: Prevent Windows Firewall from being disabled via command-line
Command Line: sc  stop MpsSvc
Signer:
Parent Signer:
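The developer says the new rule covers sc.exe, wmic.exe, net.exe and netsh.exe and shows two of the blocked command lines. OSArmor's own matching logic is not published, so the following is an added Python example of what such a rule has to recognise, not the product's code: a small pattern set over a whitespace-normalised, lower-cased command line, covering the four binaries the developer lists acting on the firewall service MpsSvc, plus benign controls (show, query, state on) that must not fire. The patterns and the benign samples are this example's own; the two positive samples are the command lines from the log above.

```python
import re

# Each entry: (label, regex applied to a whitespace-normalised, lower-cased command line).
# Patterns are this example's own, not OSArmor's; they are meant for reviewing logs.
PATTERNS = [
    # netsh advfirewall set <allprofiles|domainprofile|privateprofile|publicprofile> state off
    ("netsh-advfirewall-state-off",
     re.compile(r"\bnetsh(?:\.exe)?\b.*\badvfirewall\s+set\s+\w+profiles?\s+state\s+off\b")),
    # legacy context: netsh firewall set opmode disable
    ("netsh-firewall-opmode-disable",
     re.compile(r"\bnetsh(?:\.exe)?\b.*\bfirewall\s+set\s+opmode\b.*\bdisable\b")),
    # sc stop MpsSvc / sc config MpsSvc start= disabled
    ("sc-stop-mpssvc", re.compile(r"\bsc(?:\.exe)?\s+stop\s+mpssvc\b")),
    ("sc-config-mpssvc-disabled",
     re.compile(r"\bsc(?:\.exe)?\s+config\s+mpssvc\b.*\bstart=\s*disabled\b")),
    # net stop MpsSvc (net.exe or net1.exe)
    ("net-stop-mpssvc", re.compile(r"\bnet1?(?:\.exe)?\s+stop\s+mpssvc\b")),
    # wmic service where name="MpsSvc" call StopService / ChangeStartMode
    ("wmic-service-mpssvc",
     re.compile(r"\bwmic(?:\.exe)?\b.*\bservice\s+where\b.*\bmpssvc\b.*\bcall\s+(?:stopservice|changestartmode)\b")),
]


def normalize(cmdline):
    """Collapse runs of whitespace (the logged lines above contain double spaces) and case-fold."""
    return " ".join(cmdline.split()).lower()


def firewall_disable_match(cmdline):
    """Return the label of the first matching pattern, or None when the command line is not
    one of the known firewall-disabling invocations (read-only show/query calls return None)."""
    norm = normalize(cmdline)
    for label, rx in PATTERNS:
        if rx.search(norm):
            return label
    return None


def review(cmdlines):
    """Map every command line to its verdict; run it over the 'Command Line:' values of a log."""
    return {c: firewall_disable_match(c) for c in cmdlines}


# The two command lines from the developer's log above, plus constructed benign controls.
SAMPLES = [
    "netsh  advfirewall set allprofiles state off",
    "sc  stop MpsSvc",
    "netsh advfirewall show allprofiles",
    "sc query MpsSvc",
    "netsh advfirewall set allprofiles state on",
]

if __name__ == "__main__":
    for cmd, verdict in review(SAMPLES).items():
        print(f"{verdict or 'ok':32} {cmd}")
```

Because matching runs on the normalised line, the full-path form (`C:\Windows\System32\netsh.exe advfirewall ...`) and the bare form are treated alike; the `\b` anchors keep `netsh advfirewall show` and `sc query` from matching.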

Deleted Member 3a5v73x

Intel® Driver & Support Assistant

v1.4 (pre-release) (test38)

Date/Time: 3/5/2018 7:21:06 PM
Process: [6736]C:\Windows\System32\cmd.exe
Parent: [1488]C:\Windows\System32\wscript.exe
Rule: AntiExploitWindowsScriptHost
Rule Name: (Anti-Exploit) Protect Windows Script Host
Command Line: "C:\WINDOWS\system32\cmd.exe" /c "C:\Program Files\Intel\SUR\QUEENCREEK\x64\task.bat"
Signer:
Parent Signer:

shmu26

Intel® Driver & Support Assistant

v1.4 (pre-release) (test38)

Date/Time: 3/5/2018 7:21:06 PM
Process: [6736]C:\Windows\System32\cmd.exe
Parent: [1488]C:\Windows\System32\wscript.exe
Rule: AntiExploitWindowsScriptHost
Rule Name: (Anti-Exploit) Protect Windows Script Host
Command Line: "C:\WINDOWS\system32\cmd.exe" /c "C:\Program Files\Intel\SUR\QUEENCREEK\x64\task.bat"
Signer:
Parent Signer:
Hey, that's an interesting log. I don't often see legit programs using wscript.