NoVirusThanks OSArmor

codswollip

Level 23
Content Creator
Well-known
Jan 29, 2017
1,201
XYplorer updater still an issue:

Date/Time: 3/7/2018 7:20:52 PM
Process: [96]C:\WINDOWS\explorer.exe
Parent: [7796]C:\Users\Telos\AppData\Local\Temp\XYplorer_18.80.0000_Install.exe
Rule: BlockSuspiciousExplorerBehaviors
Rule Name: Block suspicious Explorer.exe process behaviors
Command Line: "C:\WINDOWS\explorer.exe" "D:\Program Files (x86)\XYplorer\XYplorer.exe"
Signer: Microsoft Windows
Parent Signer:
 

shmu26

Level 85
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Jul 3, 2015
8,153
Installed test40 at default settings on win10 x64 RS3. (The only custom setting I made is to block cmd.)
Glad to say that I did not see the issue I reported before, about Word being unable to open docs that were "placeholders" in OneDrive.

But I am still having issues that OSA starts up disabled, and I can't enable it. This happens in the following situation:
1 I log into user account 1. Then I "lock", i.e., I don't actually sign out, I just go to lock screen
2 I log into user account 2. Then I "lock" that user, and return to user account 1
3 at this point, I am logged into two user accounts simultaneously.
4 user account 1 shows OSA as disabled. Protection is not active.

Another minor point: If cmd.exe is blocked (advanced settings), and OneDrive has an issue with signing in, it runs a process that gets blocked by OSA.
log says:
Date/Time: 3/8/2018 9:58:14 AM
Process: [10920]C:\Windows\System32\cmd.exe
Parent: [3112]C:\Windows\explorer.exe
Rule: BlockCmdExeExecution
Rule Name: Block execution of Windows Command Prompt (cmd.exe)
Command Line: "C:\Windows\System32\cmd.exe" /q /c rmdir /s /q "C:\Users\Simcha\AppData\Local\Microsoft\OneDrive\17.005.0107.0008"
Signer:
Parent Signer: Microsoft Windows

And this is the allow rule I made for it:
[%PROCESS%: C:\Windows\System32\cmd.exe] [%PROCESSCMDLINE%: "C:\Windows\System32\cmd.exe" /q /c rmdir /s /q "C:\Users\*\AppData\Local\Microsoft\OneDrive\*\amd64"] [%PARENTPROCESS%: C:\Windows\explorer.exe] [%PARENTSIGNER%: Microsoft Windows]

Just thought I would mention it, even though it's my own fault for blocking cmd.
 

shmu26

Level 85
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Jul 3, 2015
8,153
Followup on above-reported "OSA starts up disabled": I shut down, and then powered up. OSA did not start.
I did a restart, and this time OSA started, and it was enabled, but it forgot my settings.
 
  • Like
Reactions: AtlBo

shmu26

Level 85
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Jul 3, 2015
8,153
Question about suspicious svchost and explorer.exe behavior: is this related to process hollowing? If not, what is it related to?
 
F

ForgottenSeer 58943

The application is not very functional.

It's very functional. I've tested it on many systems and I am now testing it in an enterprise environment. But you must tread carefully, enabling the wrong features can have a significant negative impact on your system. For example in a corporate environment you can't be blocking ALL scripts, since many of you know, AD environments often use logon scripts to handle backend functions.

Tread carefully, it's not only functional, but VERY powerful adjunct to an antivirus product.
 

shmu26

Level 85
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Jul 3, 2015
8,153
It's very functional. I've tested it on many systems and I am now testing it in an enterprise environment. But you must tread carefully, enabling the wrong features can have a significant negative impact on your system. For example in a corporate environment you can't be blocking ALL scripts, since many of you know, AD environments often use logon scripts to handle backend functions.

Tread carefully, it's not only functional, but VERY powerful adjunct to an antivirus product.
For a home user, what do you think are the wrong mitigations to enable?
At first I thought blocking cmd.exe would be a mistake, but then I saw that the exceptions rule builder is convenient and reliable, it accepts wildcards, it basically saves the day.
 
F

ForgottenSeer 58943

For a home user, what do you think are the wrong mitigations to enable?
At first I thought blocking cmd.exe would be a mistake, but then I saw that the exceptions rule builder is convenient and reliable, it accepts wildcards, it basically saves the day.

It depends on the environment. But you are correct in that wildcards are usable and VERY handy. I simply wildcard a full directory tree where I don't want specific things blocked. For example if you don't want it impacting your games, *.* your steam apps folder and be done with it. To be honest, I'm more worried about it protecting my user folder tree and windows system folders more than anything.
 
F

ForgottenSeer 58943

@NoVirusThanks I can already smell the stable version of this great product coming along pretty soon, so I just wanted to remind you to please make a sharper difference in the icon colors, so we can easily see the difference between enabled and disabled.

Off should be red, not white.

Also, when you double click it to bring up the interface it should assume a front stance focus on the desktop. Now it opens behind all other windows.
 

shmu26

Level 85
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Jul 3, 2015
8,153
Hello everyone,

I wondered if OSA can detect kernel drivers dropped to disk?
I think the question is more about how those drivers would be downloaded, and how they would be registered or loaded. OSA has mitigations for that.
 
  • Like
Reactions: AtlBo

codswollip

Level 23
Content Creator
Well-known
Jan 29, 2017
1,201
I'm just fishing here... but is there anything new in test40 that might be affecting Task Scheduler? My daily Macrium images are failing to run (Macrium error 0x01) and there are no helpful logs in Macrium Reflect, OSA or Event Viewer. I've uninstalled both OSA and ERP to see if there is a relationship (this is the only system change I've made recently).

If Task Scheduler continues to execute imaging I'll reinstall ERP and assuming no change in imaging execution, OSA. My eyes are on OSA right now (no problems with test38; I missed test39).

As an aside... When I reboot after setting OSA to inactive, it always reverts to "alert" on boot.
 
F

ForgottenSeer 58943

I'm just fishing here... but is there anything new in test40 that might be affecting Task Scheduler? My daily Macrium images are failing to run (Macrium error 0x01) and there are no helpful logs in Macrium Reflect, OSA or Event Viewer.

You aren't fishing.. I've seen this happen with a different program with OSA installed but no logs. No alerts. Nothing. I suspect something on the backend was blocking it but it wasn't triggering the alert. I wish I had more data, I do not right now.
 

AtlBo

Level 28
Verified
Top Poster
Content Creator
Well-known
Dec 29, 2014
1,716
Question about suspicious svchost and explorer.exe behavior: is this related to process hollowing? If not, what is it related to?

@shmu26...is this a general question or maybe pointed at a previous comment perhaps? Curious if you have noticed this on your PC or while using OSArmor...
 

vtqhtr413

Level 27
Verified
Top Poster
Well-known
Aug 17, 2017
1,609
I'm just fishing here... but is there anything new in test40 that might be affecting Task Scheduler? My daily Macrium images are failing to run (Macrium error 0x01) and there are no helpful logs in Macrium Reflect, OSA or Event Viewer. I've uninstalled both OSA and ERP to see if there is a relationship (this is the only system change I've made recently).
This is happening to me also, I've just recently started using Macrium so I assumed it was me, although it looked to be set correctly. I'm on Window 10 home x64 at default settings and running VoodooShield alongside, that's it?
Edit, I have never installed OSA or ERP since I installed Windows 10 about a week ago.
 
Last edited:

shmu26

Level 85
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Jul 3, 2015
8,153
@shmu26...is this a general question or maybe pointed at a previous comment perhaps? Curious if you have noticed this on your PC or while using OSArmor...
It is just a general question that arose in my mind while pondering the various settings that OSA has to offer, with no connection to any actual events on my computer.
 
  • Like
Reactions: AtlBo

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

User Menu

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top