NoVirusThanks OSArmor

[codswollip]

@Telos

Are the alerts related to "Block suspicious processes" gone with build 47?

These disappeared for me with build 46. I'll keep an eye on 47. The majority of alerts I'm getting now are of my own making... such as "unsigned processes on Local AppData".

Installing 47 next...

EDIT1: This got me thinking... maybe I should drop back to the default settings as maybe settings such as "unsigned processes on Local AppData" are keeping the "Block suspicious processes" alerts from happening.

 

[codswollip]

I upgraded Calibre launching the downloaded installer from the Firefox Downloads dropdown... I'm pretty sure the popup said "block suspicious processes"... but when I opened the log the trigger read "(Anti-Exploit) Protect Mozilla Firefox". FWIW, here's the log:

Date/Time: 4/2/2018 5:16:31 PM
Process: [5244]C:\WINDOWS\System32\msiexec.exe
Parent: [6656]D:\Program Files\Mozilla Firefox\firefox.exe
Rule: AntiExploitFirefox
Rule Name: (Anti-Exploit) Protect Mozilla Firefox
Command Line: "C:\WINDOWS\System32\msiexec.exe" /i "F:\Downloads\calibre-64bit-3.20.0.msi"
Signer:
Parent Signer: Mozilla Corporation
User/Domain: Telos/Domain
Integrity Level: Medium

 

[bjm_]

@Telos > FWIW ~ I tried to reproduce in Firefox sandbox (calibre-64bit-3.20.0.msi" download from filehorse).
Date/Time: 4/2/2018 7:07:36 PM
Process: [7256]C:\Windows\System32\msiexec.exe
Parent: [7220]C:\Program Files\Mozilla Firefox\firefox.exe
Rule: AntiExploitFirefox
Rule Name: (Anti-Exploit) Protect Mozilla Firefox
Command Line: "C:\WINDOWS\System32\msiexec.exe" /i "C:\Users\bjms\Desktop\calibre-64bit-3.20.0.msi"
Signer:
Parent Signer: Mozilla Corporation
User/Domain: ANONYMOUS LOGON/NT AUTHORITY
Integrity Level: Untrusted
(test47 all rules checked)

 

[codswollip]

I mentioned this small thing some time ago... After alerting with a pop-up, the alert pop-up remains present in the "Alt-Tab". Window. Here's a screen grab and the only things present are Firefox and the alert pop-up from a few hours ago. Selecting the alert pop-up doesn't do anything and just returns me to ny Desktop. Only a reboot seems to clear its presence from the "Alt-Tab" window.

If you look really hard, you'll also notice that the alert was "Suspicious Process Blocked" even though this was a "(Anti-Exploit) Protect Mozilla Firefox" alert.

 

[Chimaira]

I mentioned this small thing some time ago... After alerting with a pop-up, the alert pop-up remains present in the "Alt-Tab". Window. Here's a screen grab and the only things present are Firefox and the alert pop-up from a few hours ago. Selecting the alert pop-up doesn't do anything and just returns me to ny Desktop. Only a reboot seems to clear its presence from the "Alt-Tab" window.

View attachment 184634

If you look really hard, you'll also notice that the alert was "Suspicious Process Blocked" even though this was a "(Anti-Exploit) Protect Mozilla Firefox" alert.

This happens to me too but clicking the X button on the Alt-Tab window always clears it for me and it goes away.

 

[codswollip]

This happens to me too but clicking the X button on the Alt-Tab window always clears it for me and it goes away.

I'm on Win 8.1 and I have no "x" on Alt-Tab. Still... that shouldn't be the solution. The "ghost" window should not appear in Alt-Tab.

 

[Chimaira]

I'm on Win 8.1 and I have no "x" on Alt-Tab. Still... that shouldn't be the solution. The "ghost" window should not appear in Alt-Tab.

I agree, it needs to be fixed.

 

[Stas]

FPs with Internet Download Manager

Date/Time: 4/04/2018 10:32:24 PM
Process: [4028]C:\Windows\System32\regsvr32.exe
Parent: [3556]C:\Windows\SysWOW64\regsvr32.exe
Rule: PreventRegsvr32LoadingDLLs
Rule Name: Prevent regsvr32.exe from loading .DLLs
Command Line: /s "C:\Program Files (x86)\Internet Download Manager\IDMShellExt64.dll"
Signer:
Parent Signer:
User/Domain: xxx/xxx
Integrity Level: High

Date/Time: 4/04/2018 10:32:24 PM
Process: [2448]C:\Windows\System32\regsvr32.exe
Parent: [3672]C:\Windows\SysWOW64\regsvr32.exe
Rule: PreventRegsvr32LoadingDLLs
Rule Name: Prevent regsvr32.exe from loading .DLLs
Command Line: /s "C:\Program Files (x86)\Internet Download Manager\IDMGetAll64.dll"
Signer:
Parent Signer:
User/Domain: xxx/xxx
Integrity Level: High

Date/Time: 4/04/2018 10:32:24 PM
Process: [3340]C:\Windows\System32\regsvr32.exe
Parent: [3416]C:\Windows\SysWOW64\regsvr32.exe
Rule: PreventRegsvr32LoadingDLLs
Rule Name: Prevent regsvr32.exe from loading .DLLs
Command Line: /s "C:\Program Files (x86)\Internet Download Manager\downlWithIDM64.dll"
Signer:
Parent Signer:
User/Domain: xxx/xxx
Integrity Level: High

Date/Time: 4/04/2018 10:32:24 PM
Process: [2192]C:\Windows\System32\regsvr32.exe
Parent: [3984]C:\Windows\SysWOW64\regsvr32.exe
Rule: PreventRegsvr32LoadingDLLs
Rule Name: Prevent regsvr32.exe from loading .DLLs
Command Line: /s "C:\Program Files (x86)\Internet Download Manager\IDMIECC64.dll"
Signer:
Parent Signer:
User/Domain: xxx/xxx
Integrity Level: High

 

[ForgottenSeer 58943]

FPs with Internet Download Manager

Date/Time: 4/04/2018 10:32:24 PM
Process: [4028]C:\Windows\System32\regsvr32.exe
Parent: [3556]C:\Windows\SysWOW64\regsvr32.exe
Rule: PreventRegsvr32LoadingDLLs
Rule Name: Prevent regsvr32.exe from loading .DLLs
Command Line: /s "C:\Program Files (x86)\Internet Download Manager\IDMShellExt64.dll"
Signer:
Parent Signer:
User/Domain: xxx/xxx
Integrity Level: High

Date/Time: 4/04/2018 10:32:24 PM
Process: [2448]C:\Windows\System32\regsvr32.exe
Parent: [3672]C:\Windows\SysWOW64\regsvr32.exe
Rule: PreventRegsvr32LoadingDLLs
Rule Name: Prevent regsvr32.exe from loading .DLLs
Command Line: /s "C:\Program Files (x86)\Internet Download Manager\IDMGetAll64.dll"
Signer:
Parent Signer:
User/Domain: xxx/xxx
Integrity Level: High

Date/Time: 4/04/2018 10:32:24 PM
Process: [3340]C:\Windows\System32\regsvr32.exe
Parent: [3416]C:\Windows\SysWOW64\regsvr32.exe
Rule: PreventRegsvr32LoadingDLLs
Rule Name: Prevent regsvr32.exe from loading .DLLs
Command Line: /s "C:\Program Files (x86)\Internet Download Manager\downlWithIDM64.dll"
Signer:
Parent Signer:
User/Domain: xxx/xxx
Integrity Level: High

Date/Time: 4/04/2018 10:32:24 PM
Process: [2192]C:\Windows\System32\regsvr32.exe
Parent: [3984]C:\Windows\SysWOW64\regsvr32.exe
Rule: PreventRegsvr32LoadingDLLs
Rule Name: Prevent regsvr32.exe from loading .DLLs
Command Line: /s "C:\Program Files (x86)\Internet Download Manager\IDMIECC64.dll"
Signer:
Parent Signer:
User/Domain: xxx/xxx
Integrity Level: High

You are probably 1 out of 10 in the entire world still using a download speedup tool in 2018. Back when segmented downloads and acceleration weren't part of browsers I could see.. But now?

 

[128BPM]

Question:

Are you guys having alerts\FPs with the option "Block suspicious processes" (build 47)?

Unfortunately I still have these messages in 47

Date/Time: 30/03/2018 05:33:37 p.m.
Process: [4372]C:\Windows\System32\dllhost.exe
Parent: [760]C:\Windows\System32\svchost.exe
Rule: BlockSuspiciousSvchostBehaviors
Rule Name: Block suspicious Svchost.exe process behaviors
Command Line: C:\Windows\system32\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E}
Signer:
Parent Signer:
User/Domain: SYSTEM/NT AUTHORITY
Integrity Level: System

Date/Time: 30/03/2018 05:20:50 p.m.
Process: [3400]C:\Windows\System32\dllhost.exe
Parent: [772]C:\Windows\System32\svchost.exe
Rule: BlockSuspiciousSvchostBehaviors
Rule Name: Block suspicious Svchost.exe process behaviors
Command Line: C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
Signer:
Parent Signer:
User/Domain: PC/PC
Integrity Level: Medium

 

[NoVirusThanks]

Here is a new v1.4 (pre-release) test48:
http://downloads.novirusthanks.org/files/osarmor_setup_1.4_test48.exe

*** Please do not share the download link, we will delete it when we'll release the official v1.4 ***

So far this is what's new compared to the previous pre-release:

+ Fixed a typo on Exclusions.db and CustomBlock.db
+ New option: Block "ExecutionPolicy Unrestricted" on command-line (PowerShell)
+ Improved Prevent regsvr32.exe from loading .sct files
+ Improved Prevent rundll32.exe from using Control_RunDLL (shell32.dll)
+ Improved Block loading of .inf files via advpack.dll,LaunchINFSection
+ Improved Block "ExecutionPolicy Bypass" on command-line (PowerShell)
+ Improved Block suspicious command-lines
+ Improved Block suspicious Svchost.exe process behaviors
+ Minor fixes and optimizations
+ Fixed some false positives

To install it, first uninstall the previous build, then reboot (not really needed but may help), and install the new build.

@128BPM @Stas @bjm_ @Telos

FPs should be fixed now.

 

[Sunshine-boy]

Just found an old but interesting topic:
Not all anti-virus firms are of interest to the NSA and GCHQ
NoVirusThanks keep up the good work you are important to NSA.

 

[Digmor Crusher]

test 48 running well here alongside EAM.

 

[Stas]

You are probably 1 out of 10 in the entire world still using a download speedup tool in 2018. Back when segmented downloads and acceleration weren't part of browsers I could see.. But now?

Download Managers are used by many ppl some use for resume support & acceleration some for grabbing audio & video from sites like youtube, browser will need additional add-ons to do that, I prefer IDM.

 

[Deleted member 178]

some for grabbing audio & video from sites like youtube, browser will need additional add-ons to do that, I prefer IDM.

IDM is the best to do it, i tried all others , they suxx. i miss my license ^^

 

[Deletedmessiah]

IDM is the best to do it, i tried all others , they suxx. i miss my license ^^

Try XDM. Not as good as IDM of course but the best free one imo.

 

[Stas]

On test48 can't open explorer test47 was working

Date/Time: 5/04/2018 10:32:42 PM
Process: [3924]C:\Windows\explorer.exe
Parent: [804]C:\Windows\System32\svchost.exe
Rule: BlockSuspiciousSvchostBehaviors
Rule Name: Block suspicious Svchost.exe process behaviors
Command Line: C:\Windows\explorer.exe /factory,{ceff45ee-c862-41de-aee2-a022c81eda92} -Embedding
Signer:
Parent Signer:
User/Domain: xxx/xxx
Integrity Level: High

 

[128BPM]

@NoVirusThanks

Thanks, the previous FPs have been fixed but now I have this:

Date/Time: 04/04/2018 11:39:55 a.m.
Process: [3704]C:\Windows\System32\dllhost.exe
Parent: [764]C:\Windows\System32\svchost.exe
Rule: BlockUnknownProcessesOnWindowsFolder
Rule Name: Block unknown processes on Windows folder
Command Line: C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
Signer:
Parent Signer:
User/Domain: PC/PC
Integrity Level: Medium

Date/Time: 04/04/2018 11:55:39 a.m.
Process: [2340]C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
Parent: [2652]C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
Rule: BlockProcessesExecutedFromCSC
Rule Name: Block processes executed from C Sharp compiler (csc.exe)
Command Line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\PC\AppData\Local\Temp\RES3C2F.tmp" "c:\Users\PC\AppData\Local\Temp\CSC3C2E.tmp"
Signer: Microsoft Corporation
Parent Signer: Microsoft Corporation
User/Domain: PC/PC
Integrity Level: Medium

Date/Time: 04/04/2018 11:50:20 a.m.
Process: [3944]C:\Windows\System32\control.exe
Parent: [1596]C:\Windows\explorer.exe
Rule: BlockSuspiciousCmdlines
Rule Name: Block execution of suspicious command-line strings
Command Line: "C:\Windows\System32\control.exe" "C:\Windows\system32\timedate.cpl",
Signer:
Parent Signer:
User/Domain: PC/PC
Integrity Level: Medium

 

[L0ckJaw]

Nice ! i wait for the final release

 

[AtlBo]

Date/Time: 04/04/2018 11:55:39 a.m.
Process: [2340]C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
Parent: [2652]C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
Rule: BlockProcessesExecutedFromCSC
Rule Name: Block processes executed from C Sharp compiler (csc.exe)
Command Line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\PC\AppData\Local\Temp\RES3C2F.tmp" "c:\Users\PC\AppData\Local\Temp\CSC3C2E.tmp"
Signer: Microsoft Corporation
Parent Signer: Microsoft Corporation
User/Domain: PC/PC
Integrity Level: Medium

@128BPM, do you have the Intel Rapid Storage running on your system? It caused this same issue on two computers here by starting this process chain->starts csc.exe->starts cvtres.exe, leading to the .tmp drop.

Just a note for NVT, I mentioned I think before that this has been noted as a way to pass malware. The dirty work in this case (Intel Rapid Storage) happens out of the range of parent monitoring to the preceding process of the transaction parent. I guess it could happen with malware if it were started, but I don't know if this is an issue or not. However, it does make for a dilemma, since the command line is very generic and whitelisting would basically mean allowing anything to use this means for dropping and starting a .tmp.

BTW, tracked this down using the NVT ERP log