NoVirusThanks OSArmor

codswollip

XYplorer updater still an issue:

Date/Time: 3/7/2018 7:20:52 PM
Process: [96]C:\WINDOWS\explorer.exe
Parent: [7796]C:\Users\Telos\AppData\Local\Temp\XYplorer_18.80.0000_Install.exe
Rule: BlockSuspiciousExplorerBehaviors
Rule Name: Block suspicious Explorer.exe process behaviors
Command Line: "C:\WINDOWS\explorer.exe" "D:\Program Files (x86)\XYplorer\XYplorer.exe"
Signer: Microsoft Windows
Parent Signer:
 

shmu26

Installed test40 at default settings on win10 x64 RS3. (The only custom setting I made is to block cmd.)
Glad to say that I did not see the issue I reported before, about Word being unable to open docs that were "placeholders" in OneDrive.

But I am still having issues that OSA starts up disabled, and I can't enable it. This happens in the following situation:
1. I log into user account 1. Then I "lock", i.e., I don't actually sign out, I just go to the lock screen.
2. I log into user account 2. Then I "lock" that user, and return to user account 1.
3. At this point, I am logged into two user accounts simultaneously.
4. User account 1 shows OSA as disabled. Protection is not active.

Another minor point: If cmd.exe is blocked (advanced settings), and OneDrive has an issue with signing in, it runs a process that gets blocked by OSA.
Log says:
Date/Time: 3/8/2018 9:58:14 AM
Process: [10920]C:\Windows\System32\cmd.exe
Parent: [3112]C:\Windows\explorer.exe
Rule: BlockCmdExeExecution
Rule Name: Block execution of Windows Command Prompt (cmd.exe)
Command Line: "C:\Windows\System32\cmd.exe" /q /c rmdir /s /q "C:\Users\Simcha\AppData\Local\Microsoft\OneDrive\17.005.0107.0008"
Signer:
Parent Signer: Microsoft Windows

And this is the allow rule I made for it:
[%PROCESS%: C:\Windows\System32\cmd.exe] [%PROCESSCMDLINE%: "C:\Windows\System32\cmd.exe" /q /c rmdir /s /q "C:\Users\*\AppData\Local\Microsoft\OneDrive\*\amd64"] [%PARENTPROCESS%: C:\Windows\explorer.exe] [%PARENTSIGNER%: Microsoft Windows]

Just thought I would mention it, even though it's my own fault for blocking cmd.
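As an added illustration (not code from the thread or from OSArmor itself), here is a small Python matcher that checks an allow rule in the format posted above against a logged event, and also builds the tightest exact-match rule from an event. The field-name mapping, the parser and the glob-style, case-insensitive matching are assumptions about how OSArmor evaluates rules, not its documented behaviour.

```python
import fnmatch
import re

# Constructed sample: the OSArmor log block quoted in the post above.
ONEDRIVE_EVENT = r"""Date/Time: 3/8/2018 9:58:14 AM
Process: [10920]C:\Windows\System32\cmd.exe
Parent: [3112]C:\Windows\explorer.exe
Rule: BlockCmdExeExecution
Rule Name: Block execution of Windows Command Prompt (cmd.exe)
Command Line: "C:\Windows\System32\cmd.exe" /q /c rmdir /s /q "C:\Users\Simcha\AppData\Local\Microsoft\OneDrive\17.005.0107.0008"
Signer:
Parent Signer: Microsoft Windows"""

# The allow rule posted in the thread, verbatim.
ALLOW_RULE = r'[%PROCESS%: C:\Windows\System32\cmd.exe] [%PROCESSCMDLINE%: "C:\Windows\System32\cmd.exe" /q /c rmdir /s /q "C:\Users\*\AppData\Local\Microsoft\OneDrive\*\amd64"] [%PARENTPROCESS%: C:\Windows\explorer.exe] [%PARENTSIGNER%: Microsoft Windows]'

# Assumed mapping from rule variables to log fields (hypothetical, not OSArmor's documented names).
FIELD_MAP = {"PROCESS": "Process", "PROCESSCMDLINE": "Command Line",
             "PARENTPROCESS": "Parent", "SIGNER": "Signer", "PARENTSIGNER": "Parent Signer"}

def parse_event(block):
    """Turn a 'Key: value' log block into a dict; the [pid] prefix is stripped from paths."""
    event = {}
    for line in block.strip().splitlines():
        key, _, value = line.partition(":")
        event[key.strip()] = re.sub(r"^\[\d+\]", "", value.strip())
    return event

def parse_rule(rule):
    """Return the (variable, pattern) pairs of a '[%VAR%: pattern] ...' rule."""
    return re.findall(r"\[%(\w+)%:\s*(.*?)\]", rule)

def rule_matches(rule, event):
    """Every field in the rule must match its event value (assumed: glob '*', case-insensitive).
    An unknown variable fails closed so a typo never turns into a blanket allow."""
    for var, pattern in parse_rule(rule):
        field = FIELD_MAP.get(var)
        if field is None:
            return False
        if not fnmatch.fnmatchcase(event.get(field, "").lower(), pattern.lower()):
            return False
    return True

def rule_from_event(event):
    """Build the tightest allow rule for one event: exact process, command line, parent and signers."""
    parts = [f"[%{var}%: {event.get(field, '')}]" for var, field in FIELD_MAP.items() if event.get(field)]
    return " ".join(parts)

if __name__ == "__main__":
    ev = parse_event(ONEDRIVE_EVENT)
    # The posted rule ends in \amd64, while the logged command line ends in the version folder.
    print("posted rule matches logged event:", rule_matches(ALLOW_RULE, ev))
    print("exact rule for this event:", rule_from_event(ev))
```

Run stand-alone it shows that the posted wildcard rule would not cover the exact command line in the log above (the pattern requires a trailing `\amd64`), which is the kind of mismatch worth checking before trusting an exception.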
 

shmu26

Followup on above-reported "OSA starts up disabled": I shut down, and then powered up. OSA did not start.
I did a restart, and this time OSA started, and it was enabled, but it forgot my settings.
 

shmu26

Question about suspicious svchost and explorer.exe behavior: is this related to process hollowing? If not, what is it related to?
 

ForgottenSeer 58943

The application is not very functional.

It's very functional. I've tested it on many systems and I am now testing it in an enterprise environment. But you must tread carefully: enabling the wrong features can have a significant negative impact on your system. For example, in a corporate environment you can't be blocking ALL scripts since, as many of you know, AD environments often use logon scripts to handle backend functions.

Tread carefully; it's not only functional, but a VERY powerful adjunct to an antivirus product.
 

shmu26

It's very functional. I've tested it on many systems and I am now testing it in an enterprise environment. But you must tread carefully: enabling the wrong features can have a significant negative impact on your system. For example, in a corporate environment you can't be blocking ALL scripts since, as many of you know, AD environments often use logon scripts to handle backend functions.

Tread carefully; it's not only functional, but a VERY powerful adjunct to an antivirus product.
For a home user, what do you think are the wrong mitigations to enable?
At first I thought blocking cmd.exe would be a mistake, but then I saw that the exceptions rule builder is convenient and reliable; it accepts wildcards, and it basically saves the day.
 

ForgottenSeer 58943

For a home user, what do you think are the wrong mitigations to enable?
At first I thought blocking cmd.exe would be a mistake, but then I saw that the exceptions rule builder is convenient and reliable; it accepts wildcards, and it basically saves the day.

It depends on the environment. But you are correct in that wildcards are usable and VERY handy. I simply wildcard a full directory tree where I don't want specific things blocked. For example, if you don't want it impacting your games, *.* your Steam apps folder and be done with it. To be honest, I'm more worried about it protecting my user folder tree and Windows system folders than anything.
 

ForgottenSeer 58943

@NoVirusThanks I can already smell the stable version of this great product coming along pretty soon, so I just wanted to remind you to please make a sharper difference in the icon colors, so we can easily see the difference between enabled and disabled.

Off should be red, not white.

Also, when you double click it to bring up the interface it should assume a front stance focus on the desktop. Now it opens behind all other windows.
 

shmu26

Hello everyone,

I wondered if OSA can detect kernel drivers dropped to disk?
I think the question is more about how those drivers would be downloaded, and how they would be registered or loaded. OSA has mitigations for that.
 

codswollip

I'm just fishing here... but is there anything new in test40 that might be affecting Task Scheduler? My daily Macrium images are failing to run (Macrium error 0x01) and there are no helpful logs in Macrium Reflect, OSA or Event Viewer. I've uninstalled both OSA and ERP to see if there is a relationship (this is the only system change I've made recently).

If Task Scheduler continues to execute imaging, I'll reinstall ERP and, assuming no change in imaging execution, OSA. My eyes are on OSA right now (no problems with test38; I missed test39).

As an aside... When I reboot after setting OSA to inactive, it always reverts to "alert" on boot.
 

ForgottenSeer 58943

I'm just fishing here... but is there anything new in test40 that might be affecting Task Scheduler? My daily Macrium images are failing to run (Macrium error 0x01) and there are no helpful logs in Macrium Reflect, OSA or Event Viewer.

You aren't fishing... I've seen this happen with a different program with OSA installed, but no logs. No alerts. Nothing. I suspect something on the backend was blocking it, but it wasn't triggering the alert. I wish I had more data; I do not right now.
 

AtlBo

Question about suspicious svchost and explorer.exe behavior: is this related to process hollowing? If not, what is it related to?

@shmu26...is this a general question or maybe pointed at a previous comment perhaps? Curious if you have noticed this on your PC or while using OSArmor...
 

vtqhtr413

I'm just fishing here... but is there anything new in test40 that might be affecting Task Scheduler? My daily Macrium images are failing to run (Macrium error 0x01) and there are no helpful logs in Macrium Reflect, OSA or Event Viewer. I've uninstalled both OSA and ERP to see if there is a relationship (this is the only system change I've made recently).
This is happening to me also. I've just recently started using Macrium, so I assumed it was me, although it looked to be set correctly. I'm on Windows 10 Home x64 at default settings and running VoodooShield alongside, that's it?
Edit: I have never installed OSA or ERP since I installed Windows 10 about a week ago.

shmu26

@shmu26...is this a general question or maybe pointed at a previous comment perhaps? Curious if you have noticed this on your PC or while using OSArmor...
It is just a general question that arose in my mind while pondering the various settings that OSA has to offer, with no connection to any actual events on my computer.
 