NoVirusThanks OSArmor

NoVirusThanks

Here is a new v1.4 (pre-release) test45:
http://downloads.novirusthanks.org/files/osarmor_setup_1.4_test45.exe

*** Please do not share the download link, we will delete it when we release the official v1.4 ***

So far this is what's new compared to the previous pre-release:

+ Improved Block suspicious command-lines
+ Show process username/domain and integrity level on the log file of blocked processes
+ Improved Block execution of syskey.exe\cipher.exe
+ Improved Block execution of .vbs\.vbe\.js\.jse\etc scripts
+ Improved Block execution of .hta scripts
+ Improved Block suspicious processes
+ Improved rules related to blocking UAC-bypass behaviors
+ Fixed some false positives

To install it, first uninstall the previous build, then reboot (not really needed but may help), and install the new build.

@mekelek

Can you share the event of the blocked process? So I can see if I can fix it internally.

About "exclusions are ignored when ...", please post the exclusion rule you are using.
 

codswollip

Date/Time: 3/28/2018 11:38:33 PM
Process: [2892]D:\Program Files (x86)\TeamViewer\tv_x64.exe
Parent: [2628]D:\Program Files (x86)\TeamViewer\TeamViewer_Service.exe
Rule: BlockSuspiciousProcesses
Rule Name: Block execution of suspicious processes
Command Line: "D:\Program Files (x86)\TeamViewer\tv_x64.exe" --action hooks --log D:\Program Files (x86)\TeamViewer\TeamViewer13_Logfile.log
Signer: TeamViewer GmbH
Parent Signer: TeamViewer GmbH
User/Domain: SYSTEM/NT AUTHORITY
Integrity Level: System
 

codswollip

Date/Time: 3/29/2018 9:58:28 AM
Process: [4040]D:\Program Files (x86)\Adguard\Adguard.Tools.exe
Parent: [1520]D:\Program Files (x86)\Adguard\AdguardSvc.exe
Rule: BlockSuspiciousProcesses
Rule Name: Block execution of suspicious processes
Command Line: "D:\Program Files (x86)\Adguard\Adguard.Tools.exe"
Signer: Performix LLC
Parent Signer: Performix LLC
User/Domain: SYSTEM/NT AUTHORITY
Integrity Level: System
 

codswollip

A busy day for suspicious processes...

... and a request... can we get control over how long the pop-up window is present? Often these close before I can get to them.

Date/Time: 3/29/2018 10:00:53 AM
Process: [3056]D:\Program Files\COMODO\COMODO Internet Security\cfpconfg.exe
Parent: [852]D:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
Rule: BlockSuspiciousProcesses
Rule Name: Block execution of suspicious processes
Command Line: "D:\Program Files\COMODO\COMODO Internet Security\cfpconfg.exe" --windowsDefence fw-
Signer: Comodo Security Solutions, Inc.
Parent Signer: Comodo Security Solutions, Inc.
User/Domain: SYSTEM/NT AUTHORITY
Integrity Level: System

Date/Time: 3/29/2018 12:23:22 PM
Process: [9900]D:\Program Files\Syncovery\ExtremeVSS64Helper.exe
Parent: [3240]D:\Program Files\Syncovery\SyncoveryVSS.exe
Rule: BlockSuspiciousProcesses
Rule Name: Block execution of suspicious processes
Command Line: "D:\Program Files\Syncovery\ExtremeVSS64Helper.exe" C:\ "C:\Users\Telos\AppData\Local\Temp\VSSTempFile53728711546.$$$"
Signer: Super Flexible Software Ltd. & Co. KG
Parent Signer: Super Flexible Software Ltd. & Co. KG
User/Domain: SYSTEM/NT AUTHORITY
Integrity Level: System
 

AtlBo

Anyone have a short list of settings to avoid for normal use in 45? I have about 25 rules turned off in v40, and I'm about to go to 45. Thanks again to NVT...
 

NoVirusThanks

Here is a new v1.4 (pre-release) test46:
http://downloads.novirusthanks.org/files/osarmor_setup_1.4_test46.exe

*** Please do not share the download link, we will delete it when we release the official v1.4 ***

So far this is what's new compared to the previous pre-release:

+ Improved Block suspicious processes
+ Improved Block suspicious command-lines
+ Improved Block execution of .hta scripts (2)
+ Fixed some false positives

To install it, first uninstall the previous build, then reboot (not really needed but may help), and install the new build.

@Telos

All FPs are fixed.
 

128BPM

Hi @NoVirusThanks,

A few weeks ago I posted this:

Date/Time: 11/03/2018 05:24:38 p.m.
Process: [4660]C:\Windows\System32\dllhost.exe
Parent: [724]C:\Windows\System32\svchost.exe
Rule: BlockFakeSystemProcesses
Rule Name: Block fake system processes
Command Line: C:\Windows\system32\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E}
Signer:
Parent Signer:


Opcode kindly offered to help me by analyzing the binaries svchost/dllhost and his final verdict was FP.
That FP disappeared in test41, but now I have this:


Date/Time: 30/03/2018 05:33:37 p.m.
Process: [4372]C:\Windows\System32\dllhost.exe
Parent: [760]C:\Windows\System32\svchost.exe
Rule: BlockSuspiciousSvchostBehaviors
Rule Name: Block suspicious Svchost.exe process behaviors
Command Line: C:\Windows\system32\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E}
Signer:
Parent Signer:
User/Domain: SYSTEM/NT AUTHORITY
Integrity Level: System

And

Date/Time: 30/03/2018 05:20:50 p.m.
Process: [3400]C:\Windows\System32\dllhost.exe
Parent: [772]C:\Windows\System32\svchost.exe
Rule: BlockSuspiciousSvchostBehaviors
Rule Name: Block suspicious Svchost.exe process behaviors
Command Line: C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
Signer:
Parent Signer:
User/Domain: PC/PC
Integrity Level: Medium


Thanks
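As an added example (my own code, not OSArmor's or anyone's in this thread), a small parser for the blocked-process record format quoted in these posts, plus a review heuristic that separates records where a signed vendor service launches a helper from its own folder under the same signature (the TeamViewer case) from records with an empty Signer field (the dllhost case). The two sample records are copied from the posts above; the "likely-fp" / "review" labels are my assumption for triage, not an OSArmor verdict.

```python
import ntpath
import re

# Sample input: two block events copied from the posts above (TeamViewer and dllhost).
SAMPLE_LOG = r"""Date/Time: 3/28/2018 11:38:33 PM
Process: [2892]D:\Program Files (x86)\TeamViewer\tv_x64.exe
Parent: [2628]D:\Program Files (x86)\TeamViewer\TeamViewer_Service.exe
Rule: BlockSuspiciousProcesses
Signer: TeamViewer GmbH
Parent Signer: TeamViewer GmbH
User/Domain: SYSTEM/NT AUTHORITY
Integrity Level: System

Date/Time: 30/03/2018 05:20:50 p.m.
Process: [3400]C:\Windows\System32\dllhost.exe
Parent: [772]C:\Windows\System32\svchost.exe
Rule: BlockSuspiciousSvchostBehaviors
Signer:
Parent Signer:
User/Domain: PC/PC
Integrity Level: Medium
"""

PID_PATH = re.compile(r"^\[(\d+)\](.*)$")  # "[2892]D:\...\tv_x64.exe" -> pid, path

def parse_events(text):
    """Split the log into blank-line-separated blocks of 'Key: value' lines."""
    events = []
    for block in re.split(r"\n\s*\n", text.strip()):
        ev = {}
        for line in block.splitlines():
            key, _, value = line.partition(":")  # first colon only; paths keep theirs
            ev[key.strip()] = value.strip()
        for key in ("Process", "Parent"):        # pull the [pid] prefix off both paths
            m = PID_PATH.match(ev.get(key, ""))
            if m:
                ev[key + " PID"], ev[key] = int(m.group(1)), m.group(2)
        events.append(ev)
    return events

def triage(ev):
    """My review heuristic (not an OSArmor rule): 'likely-fp' or 'review'."""
    signer, parent_signer = ev.get("Signer", ""), ev.get("Parent Signer", "")
    proc, parent = ev["Process"].lower(), ev["Parent"].lower()
    if not signer or not parent_signer:
        return "review"  # an empty Signer field (as on dllhost above) always gets a look
    same_dir = ntpath.dirname(proc) == ntpath.dirname(parent)
    if signer == parent_signer and same_dir and "\\program files" in proc:
        return "likely-fp"  # vendor service starting its own signed helper
    return "review"
```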
 

codswollip

Pop-up message truncated...
2018-03-30_21h55_02.png


Should read... Block execution of unsigned processes on Roaming AppData
 

AtlBo

Windows 7 x64. Curious how I should think of this attempted transaction. I did some research, and I have seen this type of activity associated with a vulnerability of the .NET Framework and also straightaway with malware activity.

Date/Time: 3/30/2018 9:04:31 PM
Process: [7124]C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
Parent: [5704]C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
Rule: BlockProcessesExecutedFromCSC
Rule Name: Block processes executed from C Sharp compiler (csc.exe)
Command Line: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\<StandardUSER>\AppData\Local\Temp\RESA5D1.tmp" "c:\Users\<Standard USER>\AppData\Local\Temp\CSCA5D0.tmp"
Signer: Microsoft Corporation
Parent Signer: Microsoft Corporation
User/Domain: <StandardUSER>-/<AdminUSER>
Integrity Level: Medium

Microsoft running Microsoft, so is this normal activity? Seems odd to me for anything Windows to be working with csc.exe, so I have not excluded the transaction at this point. Thanks for any input...

Here is some detailed information on the sequence of the vulnerability breach and some information on a malware that is active in this area of Windows:

.NET Framework zero day Vulnerability (CVE-2017-8759) - Sequretek

SonicWALL Security Center
 

AtlBo

Thanks for the information. The files do not exist, so whatever it was, Windows or otherwise, deleted them I guess. Think I will have more time to look at .tmps in the future and maybe inspect them. OSArmor is great for this (y). Now to get OSArmor on the second machine...

v45 looks great. Surprised there aren't more alerts.
 

NoVirusThanks

Here is a new v1.4 (pre-release) test47:
http://downloads.novirusthanks.org/files/osarmor_setup_1.4_test47.exe

*** Please do not share the download link, we will delete it when we release the official v1.4 ***

So far this is what's new compared to the previous pre-release:

+ Changed "Exit" to "Exit GUI" on main menu of OSArmorDevUI
+ New option: Prevent installutil.exe from loading .DLL files
+ New option: Prevent regsvr32.exe from loading DLLs
+ New option: Prevent odbcconf.exe from using {REGSVR} to load DLLs
+ New option: Prevent pcalua.exe from using -a to run processes
+ New option: Prevent AppVLP.exe from running processes
+ New option: Prevent SyncAppvPublishing.exe from running processes
+ New option: Block execution of SyncAppvPublishing.vbs
+ New option: Prevent rundll32.exe from using Control_RunDLL (shell32.dll)
+ New option: Prevent runscripthelper.exe from using surfacecheck
+ New option: Block PowerShell "-version 2"
+ New option: Block loading of .inf files via advpack.dll,LaunchINFSection
+ Option "Prevent pubprn.vbs from executing inline scripts" is enabled by default
+ Improved Block suspicious command-lines
+ Improved Block execution of .reg scripts
+ Improved Prevent regedit.exe from silently loading .reg scripts
+ Improved Block "WindowStyle Hidden" on command-line (PowerShell)
+ Improved Block "ExecutionPolicy Bypass" on command-line (PowerShell)
+ Improved Prevent wscript.exe from changing script engine
+ Improved Prevent cscript.exe from changing script engine
+ Improved Prevent ieexec.exe from loading remote files
+ Improved Prevent msiexec.exe from loading MSI files masked as PNG files
+ Improved Block execution of .msi installer scripts
+ Improved Prevent AtBroker.exe from using /start switch to run processes
+ Improved Prevent schtasks.exe from creating tasks
+ Improved Prevent regsvcs.exe from loading .DLL files
+ Improved Prevent regasm.exe from loading .DLL files
+ Improved Prevent odbcconf.exe from loading .rsp scripts
+ Minor fixes and optimizations
+ Fixed some false positives

To install it, first uninstall the previous build, then reboot (not really needed but may help), and install the new build.

Here is a screenshot:

osa47.png


Question:

Are you guys having alerts\FPs with the option "Block suspicious processes" (build 47)?

Please let me know in case.

@Telos

Are the alerts related to "Block suspicious processes" gone with build 47?
 

plat1098

I searched here and at Wilders for this: installed over the top a few times with no ill effects. Can one do this routinely or no? By the way, test47 is on page 47 of this thread, what are the odds? So far, no alerts at any time with "block suspicious processes," with any build up to test 47. :)
 

askmark

I searched here and at Wilders for this: installed over the top a few times with no ill effects. Can one do this routinely or no? By the way, test47 is on page 47 of this thread, what are the odds? So far, no alerts at any time with "block suspicious processes," with any build up to test 47. :)
I've installed over the top for every test build since test 25 was released last year with no issues.
 
