NoVirusThanks OSArmor

AtlBo

Added the option "Prevent Windows Firewall from being disabled via command-line".

It covers sc.exe, wmic.exe, net.exe, netsh.exe, etc. Example:

Great, thank you. Thought of another one that might be good. Had an issue last night with the connection, so I found a video that explained changing to hard settings for the IP and DNS settings. Followed the advice, but when I checked the IP it had changed to a 169.x.x.x IP on the local network, which was really strange. I never understood what happened, but I got it sorted out by resetting the IP. No issues since. Maybe something to block attempts to change those settings via command line. DNS too for sure...
 

askmark

Followed the advice but when I checked the IP it had changed to a 169.x.x.x IP on the local network which was really strange. I never understood what happened but I got it sorted out by resetting the IP
If your IP changed to 169.254.x.x then it sounds like your PC couldn't get an address from your DHCP server (usually your router performs this role in a home network). Windows has a feature called APIPA (Automatic Private Internet Protocol Addressing), which basically means it will automatically give itself an IP (starting with 169.254) until it can get a proper one from your DHCP server.
See here for more info: https://www.lifewire.com/automatic-private-internet-protocol-addressing-816437
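The APIPA symptom described above is easy to spot mechanically. The following is an added example (not from the thread or from any poster) that parses a constructed `ipconfig /all` excerpt and reports which adapters are sitting on a self-assigned 169.254.x.x address, which is what you would see when the DHCP request went unanswered. The function names (`parse_ipconfig`, `diagnose`) and the adapter details in the sample are assumptions made for the example.

```python
import ipaddress
import re

# Windows self-assigns from this block when no DHCP server answers (APIPA).
APIPA_NET = ipaddress.ip_network("169.254.0.0/16")

# Constructed `ipconfig /all` excerpt (not from the thread): one adapter stuck on a
# self-assigned address, one with a normal DHCP lease.
SAMPLE_IPCONFIG = """\
Ethernet adapter Ethernet:

   Description . . . . . . . . . . . : Example PCIe GbE Controller
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes
   Autoconfiguration IPv4 Address. . : 169.254.10.7(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.0.0
   Default Gateway . . . . . . . . . :

Wireless LAN adapter Wi-Fi:

   Description . . . . . . . . . . . : Example Wireless-AC Adapter
   DHCP Enabled. . . . . . . . . . . : Yes
   IPv4 Address. . . . . . . . . . . : 192.168.1.23(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.1.1
   DHCP Server . . . . . . . . . . . : 192.168.1.1
"""

# "   Key . . . . : value" lines; the dotted padding between key and colon is discarded.
FIELD_RE = re.compile(r"^\s+(\S.*?)\s*[. ]*:\s*(.*)$")


def parse_ipconfig(text):
    """Return {adapter name: {field: value}} from `ipconfig /all` output."""
    adapters, current = {}, None
    for line in text.splitlines():
        # Adapter headers start in column 0 and end with a colon.
        if line and not line[0].isspace() and line.rstrip().endswith(":"):
            current = line.rstrip()[:-1]
            adapters[current] = {}
            continue
        m = FIELD_RE.match(line)
        if m and current is not None:
            adapters[current][m.group(1)] = m.group(2).strip()
    return adapters


def diagnose(adapters):
    """Return {adapter name: verdict}; APIPA means the DHCP exchange never completed."""
    report = {}
    for name, fields in adapters.items():
        raw = fields.get("IPv4 Address") or fields.get("Autoconfiguration IPv4 Address")
        if not raw:
            report[name] = "no IPv4 address"
            continue
        ip = ipaddress.ip_address(re.sub(r"\(.*?\)", "", raw))  # drop "(Preferred)"
        dhcp = fields.get("DHCP Enabled", "").lower() == "yes"
        if ip in APIPA_NET:
            report[name] = "APIPA (169.254/16): DHCP request unanswered" + (
                " although DHCP is enabled" if dhcp else "")
        elif ip.is_private:
            report[name] = "private address" + (" from DHCP" if dhcp else " set manually")
        else:
            report[name] = "public address"
    return report


if __name__ == "__main__":
    for adapter, verdict in diagnose(parse_ipconfig(SAMPLE_IPCONFIG)).items():
        print(f"{adapter}: {verdict}")
```

Feed it the real output of `ipconfig /all` (for example via `subprocess.run(["ipconfig", "/all"], capture_output=True, text=True).stdout`) and any adapter reported as APIPA is the one to check against the router's DHCP service before touching static settings.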
 

AtlBo

If your IP changed to 169.254.x.x then it sounds like your PC couldn't get an address from your DHCP server (usually your router performs this role in a home network).

OK, thanks for this information @askmark. I think what happened was that the "hard setting" IP video showed a way to set IPs that doesn't resolve (intentionally) to set users up for the last part, which was a DNS that was probably not a good one to use. It was in India, so maybe he meant it for Indians, but the primary DNS he chose was in the local range.

I decided to try it, but I didn't change DNS, because that would be dangerous o/c.

Well, I guess I can release the IP. I have it in a local rule on another machine where I blocked it using FortKnox:

169.254.194.40

Not used to this kind of thing making sense. It intimidated me at first, since I noticed it at the command prompt (ipconfig /all) and then with <inbound> alert on the other PC. I feel like I did pick up a little bit of insight into what it would be like to be really hacked by someone who knows how to create silent malware and then come and go as he pleases, etc. Creepy...but I didn't jump to conclusions and acted fairly appropriately I guess considering I am still in the more or less very early stages of learning networking and net protection...
 

NoVirusThanks

Here is a new v1.4 (pre-release) test39:
http://downloads.novirusthanks.org/files/osarmor_setup_1.4_test39.exe

*** Please do not share the download link, we will delete it when we release the official v1.4 ***

So far this is what's new compared to the previous pre-release:

+ Prevent Base Filtering Engine (BFE) from being disabled via cmdline
+ Improved detection of suspicious command-lines
+ Improved OSArmor self defense (basic)
+ Fixed some false positives

To install it, first uninstall the previous build, then reboot (not really needed but may help), and install the new build.

@shmu26

Ok, will try to reproduce the issue tomorrow.

@davisd

Interesting event, it is fixed now.
 

NoVirusThanks

A client has just sent me a log file of OSArmor that blocked a recent "MuddyWater" APT threat on a few workstations:

Code:
Date/Time: 06/03/2018 11:18:59
Process: [5104]C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Parent: [4132]C:\Windows\System32\wmiprvse.exe
Rule: BlockPowerShellEncodedCommands
Rule Name: Block execution of PowerShell encoded commands
Command Line: powershell.exe  -exec Bypass -c iex([System.Text.Encoding]::Unicode.GetString([System.Convert]::FromBase64String((get-content C:\\ProgramData\\WindowsDefender.ini))))
Signer:
Parent Signer:

Here is more information about the recent "MuddyWater" attack:
A Quick Dip into MuddyWater's Recent Activity

//Everyone

I plan to enable a few options in the Advanced tab by default prior to releasing OSA 1.4:

Block specific locations

Block execution of processes on Public Folder
Block execution of processes on All Users Folder

Block scripts execution

Block execution of .msc scripts outside System folder

Other useful block-rules

Block reg.exe from hijacking Registry startup entries
Prevent attrib.exe from setting +h or +s attributes
Prevent regedit.exe from silently loading .reg scripts
Prevent wevtutil.exe from cleaning Windows Eventlog
Prevent important Windows services from being disabled

Attacks mitigation rules

Block reg.exe from importing .reg files
Block reg.exe from disabling UAC
Prevent ieexec.exe from loading remote files
Prevent DLL\Exe execution via Tracer.exe
Prevent msiexec.exe from loading MSI files masked as PNG files
Prevent MacInject.exe from loading DLLs in running processes
Prevent AtBroker.exe from using /start switch to run processes
Block processes executed from AtBroker.exe
Prevent msxsl.exe from loading .xsl scripts
Prevent odbcconf.exe from loading .rsp scripts
Prevent rcsi.exe from executing C# (.csx) scripts
Block processes executed from dnx.exe
Block Bginfo.exe from loading .bgi scripts
Prevent pubprn.vbs from executing inline scripts
Prevent regsvcs.exe from loading .DLL files
Prevent regasm.exe from loading .DLL files
Block processes executed from RuntimeBroker

These rules should not create FPs and should be fine with beginner users too.

What do you think guys?
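To make concrete what rules like the ones listed above actually test, here is an added example (my own code, not OSArmor's and not from anyone in the thread) that implements a handful of them as predicates over the three fields an OSArmor block record carries: process path, parent and command line. The sample events are the three records quoted in this thread plus a few constructed ones; the rule labels reuse the option text from this post and the later test40 changelog, and only BlockPowerShellEncodedCommands and BlockSchtasksExe are identifiers actually shown in the thread's logs. The matching logic is my reading of each option, not OSArmor's implementation.

```python
import re
from pathlib import PureWindowsPath

# Service short names behind the options named in the thread (Windows Firewall,
# Base Filtering Engine, Windows Defender, Windows Update, Security Center).
PROTECTED_SERVICES = ("mpssvc", "bfe", "windefend", "wuauserv", "wscsvc")


def _exe(path):
    """Lower-cased file name of a Windows path."""
    return PureWindowsPath(path).name.lower()


def _args(cmdline):
    """Tokenize a command line, keeping double-quoted strings together, lower-cased."""
    return [(a or b).lower() for a, b in re.findall(r'"([^"]*)"|(\S+)', cmdline)]


def rule_powershell_encoded(ev):
    # -EncodedCommand (powershell.exe also accepts -e / -ec and unique prefixes) or in-line Base64 decoding
    if _exe(ev["process"]) not in ("powershell.exe", "pwsh.exe"):
        return False
    return "frombase64string" in ev["cmdline"].lower() or any(
        a in ("-e", "-ec") or (len(a) > 2 and "-encodedcommand".startswith(a)) for a in _args(ev["cmdline"]))


def rule_public_folder(ev):
    return ev["process"].lower().startswith("c:\\users\\public\\")


def rule_msc_outside_system(ev):
    # mmc.exe opening a console file that does not live under System32
    return _exe(ev["process"]) == "mmc.exe" and any(
        a.endswith(".msc") and not a.startswith("c:\\windows\\system32\\") for a in _args(ev["cmdline"]))


def rule_wevtutil_clear(ev):
    # "wevtutil cl <log>" / "clear-log" wipes an event log
    return _exe(ev["process"]) == "wevtutil.exe" and bool({"cl", "clear-log"} & set(_args(ev["cmdline"])))


def rule_attrib_hidden_system(ev):
    return _exe(ev["process"]) == "attrib.exe" and bool({"+h", "+s"} & set(_args(ev["cmdline"])))


def rule_cmstp_inf(ev):
    return _exe(ev["process"]) == "cmstp.exe" and any(a.endswith(".inf") for a in _args(ev["cmdline"]))


def rule_schtasks(ev):
    # the rule that also caught the Revo uninstaller stub later in the thread
    return _exe(ev["process"]) == "schtasks.exe"


def rule_reg_startup(ev):
    # reg.exe add ... targeting a Run/RunOnce key
    args = _args(ev["cmdline"])
    return _exe(ev["process"]) == "reg.exe" and "add" in args and any(
        re.search(r"\\currentversion\\run(once)?$", a) for a in args)


def rule_reg_uac(ev):
    # reg.exe writing EnableLUA under the Policies\System key
    cl = ev["cmdline"].lower()
    return _exe(ev["process"]) == "reg.exe" and "policies\\system" in cl and "enablelua" in cl


def rule_service_disable(ev):
    # sc.exe / net.exe acting on a protected service, or netsh turning the firewall off
    exe, args = _exe(ev["process"]), _args(ev["cmdline"])
    protected = any(s in args for s in PROTECTED_SERVICES)
    if exe == "sc.exe":
        return protected and bool({"config", "stop", "delete"} & set(args))
    if exe in ("net.exe", "net1.exe"):
        return protected and "stop" in args
    if exe == "netsh.exe":
        return {"advfirewall", "state", "off"} <= set(args)
    return False


RULES = [
    ("BlockPowerShellEncodedCommands", rule_powershell_encoded),
    ("Block execution of processes on Public Folder", rule_public_folder),
    ("Block execution of .msc scripts outside System folder", rule_msc_outside_system),
    ("Prevent wevtutil.exe from cleaning Windows Eventlog", rule_wevtutil_clear),
    ("Prevent attrib.exe from setting +h or +s attributes", rule_attrib_hidden_system),
    ("Block cmstp.exe from loading .inf files", rule_cmstp_inf),
    ("BlockSchtasksExe", rule_schtasks),
    ("Block reg.exe from hijacking Registry startup entries", rule_reg_startup),
    ("Block reg.exe from disabling UAC", rule_reg_uac),
    ("Prevent important Windows Services from being disabled", rule_service_disable),
]


def evaluate(ev):
    """Names of every rule the event trips (OSArmor reports the first hit; this lists them all)."""
    return [name for name, fn in RULES if fn(ev)]


SAMPLES = {  # first three are the records quoted in the thread; the rest are constructed
    "muddywater": {"process": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                   "cmdline": r"powershell.exe  -exec Bypass -c iex([System.Text.Encoding]::Unicode.GetString("
                              r"[System.Convert]::FromBase64String((get-content C:\\ProgramData\\WindowsDefender.ini))))"},
    "chrome_print": {"process": r"C:\Windows\System32\rundll32.exe",
                     "cmdline": r'rundll32 C:\WINDOWS\system32\spool\DRIVERS\x64\3\hpmsn140.DLL,MonitorPrintJobStatus /pjob=2 /pname"NPI6858CD (HP LaserJet 400 M401dne)"'},
    "revo_schtasks": {"process": r"C:\Windows\System32\schtasks.exe",
                      "cmdline": r'"schtasks.exe" /Delete /TN "Revo Uninstaller Pro Hunter Mode" /F'},
    "public_dropper": {"process": r"C:\Users\Public\update.exe", "cmdline": "update.exe"},
    "clear_log": {"process": r"C:\Windows\System32\wevtutil.exe", "cmdline": "wevtutil cl Security"},
    "stop_defender": {"process": r"C:\Windows\System32\sc.exe", "cmdline": "sc config WinDefend start= disabled"},
    "admin_script": {"process": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                     "cmdline": r"powershell.exe -ExecutionPolicy RemoteSigned -File C:\Scripts\backup.ps1"},
}

if __name__ == "__main__":
    for name, ev in SAMPLES.items():
        print(f"{name:15} -> {evaluate(ev) or '(no rule hit)'}")
```

The Chrome print-spooler record matches none of these rules because the rule that blocked it (AntiExploitChrome) keys on the parent process rather than the command line, and the constructed admin script passes untouched: that difference between "what is being run" and "who is running it" is what the FP discussion later in the thread turns on.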
 

ForgottenSeer 58943

A client has just sent me a log file of OSArmor that blocked a recent "MuddyWater" APT threat in a few workstations:
What do you think guys?

What I think is, you have a real contender here. Not only for run-of-the-mill junk malware, but for APT activity as noted above. My home is a good example, it comes under regular assault, several researchers and a couple of companies are using my home as a sort of stealth location to test a variety of technologies and to honeypot threats. So it makes a great location to test OSArmor, and I can tell you of two incidents where OSArmor prevented some advanced malware from activating that had faithfully avoided the AV products and my extensive security infrastructure (that has passed no less than 3 major pentest firm tests).

I suspect your product is already triggering a 'closer' look by specific agencies, so be sure to protect your code with encryption and be careful where you store it. Also I would recommend you shore up the product's self defense capabilities as they'll be looking to find ways to disable or brick it. Finally, I would avoid all transmission of telemetry and logs so you don't bleed out who is using it and providing information to external sources. I could see this being used by a lot of people, especially in this day and age of mass surveillance and TAO.
 

AtlBo

I don't see why NVT should be concerned about agendas with this. I mean devs have already made their claim with OS Armor in the most important senses. Looks to me like NVT can do as they wish with the concept at this point. Also, with the software already on client machines, why would anyone want to get in the way of a good thing? That wouldn't make sense. Plenty of excellent ideas to go around :)...

Questions for @NVT. What about Dismhost.exe and Dism generally? I watched a video on how Dismhost is used to create and actually deploy images. It can also create and grab images, so that's why I ask if it's a security risk on any level. It runs every time Comodo Programs Manager runs, I know that much and I believe it's associated with sfc. Here is the video:


https://www.youtube.com/watch?v=gI6qa-LIOTk
Also, noticed a process called UIODetect.exe when I installed a GitHub app called IP Monitor that can monitor the actual IP for the machine registered with the ISP/globally. It can detect a change. The Windows UIODetect.exe process is called Interactive services detection. Don't know if it could be abused, but in 17 years since starting with XP, I don't recall seeing this before. I think also associated with this same app I installed is mqsvc.exe (message queuing service). Stupid javascript IP app I wanted to take a look at lol and Java gets blamed for all its net activities.

There sure are a lot of tools in Windows with the potential to be used via c-l or PowerShell. Seems like a new one comes along for me more and more often these days.
 

NoVirusThanks

Here is a new v1.4 (pre-release) test40:
http://downloads.novirusthanks.org/files/osarmor_setup_1.4_test40.exe

*** Please do not share the download link, we will delete it when we release the official v1.4 ***

So far this is what's new compared to the previous pre-release:

+ Joined "Prevent Base Filtering Engine (BFE) from being disabled via cmdline" and "Prevent Windows Firewall from being disabled via command-line" in "Prevent important Windows Services from being disabled"
+ Added Windows Defender, Security Essentials, Windows Update, Security Center to "Prevent important Windows Services from being disabled"
+ Block cmstp.exe from loading .inf files (AppLocker bypass)
+ Improved detection of PowerShell malformed commands
+ Advanced -> Block execution of processes on Public Folder (C:\Users\Public) -> Enabled by default
+ Advanced -> Block execution of processes on All Users folder -> Enabled by default
+ Advanced -> Block execution of .msc scripts outside System folder -> Enabled by default
+ Advanced -> Block reg.exe from hijacking Registry startup entries -> Enabled by default
+ Advanced -> Prevent attrib.exe from setting +h or +s attributes -> Enabled by default
+ Advanced -> Prevent wevtutil.exe from cleaning Windows Eventlog -> Enabled by default
+ Advanced -> Prevent important Windows Services from being disabled -> Enabled by default
+ Advanced -> Block reg.exe from disabling UAC (User Access Control) -> Enabled by default
+ Improved "Prevent important Windows Services from being disabled"
+ Block execution of regini.exe

To install it, first uninstall the previous build, then reboot (not really needed but may help), and install the new build.

Let me know if you find any FP with the 8 options enabled by default in Advanced tab.

@AtlBo

Will check Dismhost.exe and Dism.exe soon.
 

erreale

Hey guys, in Advanced tab what do you recommend to activate, in addition to the one already enabled by default?
 

509322

What about runonce.exe, CompatTelRunner.exe, ROUTE.EXE, WMIADAP.exe, ngentask.exe and WaaSMedic.exe. Can they be dangerous?

runonce.exe and route.exe are known to be abused by malc0ders.

CompatTelRunner.exe, WMIADAP.exe, ngentask.exe and WaaSMedic.exe could be abused. I didn't find any documented abuse, but then again I didn't look too hard either. Off the top of my head I don't recall. Of the four I would suspect WMIADAP.exe to be targeted.

Start doing your own research!
 

ForgottenSeer 58943

Got this today trying to print an Amazon Return Label at someone's office.

Date/Time: 3/6/2018 9:38:44 AM
Process: [8216]C:\Windows\System32\rundll32.exe
Parent: [3844]C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
Rule: AntiExploitChrome
Rule Name: (Anti-Exploit) Protect Google Chrome
Command Line: rundll32 C:\WINDOWS\system32\spool\DRIVERS\x64\3\hpmsn140.DLL,MonitorPrintJobStatus /pjob=2 /pname"NPI6858CD (HP LaserJet 400 M401dne)"
Signer:
Parent Signer: Google Inc
 

AtlBo

Below is a block of a legit attempt to delete a task by the Revo Uninstaller uninstall module (I will use portable instead). Excluded, hoping the uninstaller would ask for the opportunity to try again, but it did not. Luckily, I guess the task wasn't in Task Scheduler, because I don't see it there now. I would have just deleted it myself, no problem. However, it did bring to mind another scenario. If the uninstaller had tried to create a scheduled task, or perhaps a .tmp file had done so, then the task would not have been created. If the routine was a one and done, could there be a problem (rare and sounds like a bad idea, I know...)? What if the task points to a delete-on-boot routine or something? O/C an uninstaller removes itself once it is done, and .tmp may not function as .exe after running. Maybe some boot time setting could get messed up in an unlikely scenario, idk.

When you do your fine tuning, might you consider perhaps adding a disclaimer or notification of some kind to indicate when a write from a .tmp file or uninstaller of a legit application to a Windows area was blocked that could produce an undesirable result? This being an uninstall routine...removing Revo itself, don't know how this might be handled. Maybe there are other OS Armor rules that block writes to formal Windows areas that could also cause an episode of some kind.

Personally, I certainly like to know when a scheduled event is being created. I like all the settings :). Anyway, whether the scenario points to any potential risk when blocking uninstall routines and maybe any legit one run routines that delete/modify/add windows files or data too, I cannot say. If they are run from a .tmp, it might only get one chance. Because of the log, maybe the disclaimer after the block would be good enough for scheduled tasks (created by legit or legit .tmp). User can know about the problem from the log at least.

Oh, what about a pause for these (some blocks) rather than a block? Or is that happening already? Then the choice to exclude could be the allow unpause? I mean pause the parent. As I mentioned, I didn't see the task in the task scheduler so I don't know how that is handled now. Seems to me that might be useful for some of the protections though LOL idk...

Date/Time: 3/7/2018 10:32:40 AM
Process: [11780]C:\Windows\System32\schtasks.exe
Parent: [7748]C:\Users\ME USER ACCOUNT :)\AppData\Local\Temp\_iu14D2N.tmp
Rule: BlockSchtasksExe
Rule Name: Block execution of schtasks.exe
Command Line: "schtasks.exe" /Delete /TN "Revo Uninstaller Pro Hunter Mode" /F
Signer:
Parent Signer:

No idea how to accomplish this command line or if I need to do anything. Does it just delete a scheduled task? It's not in Task Scheduler already if that is what this does...
 

ForgottenSeer 58943

Date/Time: 3/7/2018 10:32:40 AM
Process: [11780]C:\Windows\System32\schtasks.exe
Parent: [7748]C:\Users\Transource W764-LTD\AppData\Local\Temp\_iu14D2N.tmp
Rule: BlockSchtasksExe
Rule Name: Block execution of schtasks.exe
Command Line: "schtasks.exe" /Delete /TN "Revo Uninstaller Pro Hunter Mode" /F
Signer:
Parent Signer:

No idea how to accomplish this command line or if I need to do anything. Does it just delete a scheduled task? It's not in Task Scheduler already if that is what this does...

Just open an elevated command prompt and run the command line manually: "schtasks.exe" /Delete /TN "Revo Uninstaller Pro Hunter Mode" /F

All that does is delete a scheduled task, nothing more. Or you can go to Task Scheduler and simply delete the task yourself.
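The three block records quoted in this thread (the MuddyWater PowerShell launch, the Chrome print-driver rundll32 call and the Revo uninstaller's schtasks deletion) are a good test set for the question the last few posts raise: which blocks deserve a closer look and which are exclusion candidates. The following is an added example (my own code, not OSArmor's and not from any poster) that parses OSArmor's key: value log format and scores each record from the context fields, mainly the parent's signer and location. The sample input is the three records as pasted in the thread; the scoring weights and the `parse_records`/`triage` names are assumptions made for the example.

```python
import re
from pathlib import PureWindowsPath

# The three block records quoted in the thread, pasted as they appear in the log.
LOG_TEXT = r"""
Date/Time: 06/03/2018 11:18:59
Process: [5104]C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Parent: [4132]C:\Windows\System32\wmiprvse.exe
Rule: BlockPowerShellEncodedCommands
Rule Name: Block execution of PowerShell encoded commands
Command Line: powershell.exe  -exec Bypass -c iex([System.Text.Encoding]::Unicode.GetString([System.Convert]::FromBase64String((get-content C:\\ProgramData\\WindowsDefender.ini))))
Signer:
Parent Signer:

Date/Time: 3/6/2018 9:38:44 AM
Process: [8216]C:\Windows\System32\rundll32.exe
Parent: [3844]C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
Rule: AntiExploitChrome
Rule Name: (Anti-Exploit) Protect Google Chrome
Command Line: rundll32 C:\WINDOWS\system32\spool\DRIVERS\x64\3\hpmsn140.DLL,MonitorPrintJobStatus /pjob=2 /pname"NPI6858CD (HP LaserJet 400 M401dne)"
Signer:
Parent Signer: Google Inc

Date/Time: 3/7/2018 10:32:40 AM
Process: [11780]C:\Windows\System32\schtasks.exe
Parent: [7748]C:\Users\Transource W764-LTD\AppData\Local\Temp\_iu14D2N.tmp
Rule: BlockSchtasksExe
Rule Name: Block execution of schtasks.exe
Command Line: "schtasks.exe" /Delete /TN "Revo Uninstaller Pro Hunter Mode" /F
Signer:
Parent Signer:
"""

FIELD_RE = re.compile(r"^(Date/Time|Process|Parent|Rule|Rule Name|Command Line|Signer|Parent Signer):\s?(.*)$")
PID_RE = re.compile(r"^\[(\d+)\](.*)$")


def parse_records(text):
    """Split the key: value log into dicts; blank lines separate records, [pid] prefixes are split off."""
    records, cur = [], {}
    for line in text.splitlines():
        m = FIELD_RE.match(line)
        if not m:
            if cur:
                records.append(cur)
                cur = {}
            continue
        key, val = m.group(1), m.group(2).strip()
        pm = PID_RE.match(val) if key in ("Process", "Parent") else None
        if pm:
            cur[key + " PID"], val = int(pm.group(1)), pm.group(2)
        cur[key] = val
    if cur:
        records.append(cur)
    return records


def triage(rec):
    """Score a blocked event for review; the verdict is a starting point, not a replacement for looking."""
    score, reasons = 0, []
    parent = rec.get("Parent", "").lower()
    cmd = rec.get("Command Line", "").lower()
    if rec.get("Parent Signer"):
        score -= 2
        reasons.append("parent is signed by " + rec["Parent Signer"])
    else:
        score += 1
        reasons.append("parent is unsigned")
    if "\\appdata\\local\\temp\\" in parent or parent.endswith(".tmp"):
        score += 2
        reasons.append("parent runs from the user Temp folder (installer stub and dropper alike)")
    if PureWindowsPath(parent).name == "wmiprvse.exe":
        score += 3
        reasons.append("spawned by the WMI provider host, typical of remote or scheduled execution")
    if "frombase64string" in cmd or re.search(r"\s-e(?:c|nc|ncodedcommand)?\b", cmd):
        score += 3
        reasons.append("command line decodes Base64 before running it")
    if re.search(r"\s-exec(?:utionpolicy)?\s+bypass", cmd):
        score += 1
        reasons.append("execution policy bypass")
    if parent.startswith("c:\\program files") and rec.get("Parent Signer"):
        reasons.append("signed vendor binary under Program Files: an exclusion candidate if the action is expected")
    verdict = "investigate" if score >= 4 else "review" if score >= 1 else "likely benign"
    return {"rule": rec.get("Rule"), "score": score, "verdict": verdict, "reasons": reasons}


if __name__ == "__main__":
    for rec in parse_records(LOG_TEXT):
        t = triage(rec)
        print(f"{rec['Date/Time']:22} {t['rule']:32} {t['verdict']:13} " + "; ".join(t["reasons"]))
```

The Revo record lands in "review" rather than "benign" on purpose: an unsigned .tmp stub in the user's Temp folder calling schtasks is exactly what both an Inno Setup uninstaller and a dropper look like, so the log alone cannot settle it, which is why the thread's suggestion of surfacing such blocks to the user (and then verifying the task in Task Scheduler, as the reply above says) is the right follow-up.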
 
