NoVirusThanks OSArmor

NoVirusThanks

From NoVirusThanks
Verified
Developer
Well-known
Aug 23, 2012
293
Here is a new v1.4 (pre-release) test51:
http://downloads.novirusthanks.org/files/osarmor_setup_1.4_test51.exe

*** Please do not share the download link, we will delete it when we'll release the official v1.4 ***

So far this is what's new compared to the previous pre-release:

+ Improved detection of WannaCry ransomware

To install it, first uninstall the previous build, then reboot (not really needed but may help), and install the new build.

If you find any false positive please let me know.

Just a quick update.
 

NoVirusThanks

From NoVirusThanks
Verified
Developer
Well-known
Aug 23, 2012
293
Another quick update (sorry :D)

Here is a new v1.4 (pre-release) test52:
http://downloads.novirusthanks.org/files/osarmor_setup_1.4_test52.exe

*** Please do not share the download link, we will delete it when we'll release the official v1.4 ***

So far this is what's new compared to the previous pre-release:

+ Block execution of nslookup.exe
+ Block processes executed from regasm.exe
+ Block netsh.exe "import" and "exec" commands
+ Improved Block suspicious command-lines
+ Improved Block suspicious processes
+ Minor fixes and optimizations

To install it, first uninstall the previous build, then reboot (not really needed but may help), and install the new build.

We're planning to release v1.4 on 10 April (Tuesday), let me know if you find any FPs.
 

mekelek

Level 28
Verified
Well-known
Feb 24, 2017
1,661
Another quick update (sorry :D)

Here is a new v1.4 (pre-release) test52:
http://downloads.novirusthanks.org/files/osarmor_setup_1.4_test52.exe

*** Please do not share the download link, we will delete it when we'll release the official v1.4 ***

So far this is what's new compared to the previous pre-release:

+ Block execution of nslookup.exe
+ Block processes executed from regasm.exe
+ Block netsh.exe "import" and "exec" commands
+ Improved Block suspicious command-lines
+ Improved Block suspicious processes
+ Minor fixes and optimizations

To install it, first uninstall the previous build, then reboot (not really needed but may help), and install the new build.

We're planning to release v1.4 on 10 April (Tuesday), let me know if you find any FPs.
you shouldn't be sorry about rapid development. :p
 

128BPM

Level 2
Verified
Feb 21, 2018
90
We're planning to release v1.4 on 10 April (Tuesday), let me know if you find any FPs.

@NoVirusThanks

On the taskbar clock when I try to change date and time settings, this still appears:

Date/Time: 07/04/2018 05:04:56 p.m.
Process: [1488]C:\Windows\System32\control.exe
Parent: [1592]C:\Windows\explorer.exe
Rule: BlockSuspiciousCmdlines
Rule Name: Block execution of suspicious command-line strings
Command Line: "C:\Windows\System32\control.exe" "C:\Windows\system32\timedate.cpl",
Signer:
Parent Signer:
User/Domain: PC/PC
Integrity Level: Medium


With build 52

Thanks.
 

MeltdownEnemy

Level 7
Verified
Well-known
Jan 25, 2018
300
NVTOA it does a excelent work on my windows 7. thank you for free software product. I just ask you please enlarge the configurator box to be expandable so that don't depend on the scrollbar and the mouse wheel inside that little configurator box, because it is very uncomfortable to work a huge list in a small box .. This program does not is for small screen of smarthpone, most of us have screens with 1920x1080 and upper.
 
Last edited:

Gandalf_The_Grey

Level 84
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Apr 24, 2016
7,415
I think it's not really a FP: when using @Andy Ful 's Configure Defender the powershell commands gets blocked:
Code:
Date/Time: 7-4-2018 18:35:53
Process: [2796]C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Parent: [8012]D:\Downloads\Software\ConfigureDefender_1.0.0.1\ConfigureDefender_x64.exe
Rule: BlockPowerShellMalformedCommands
Rule Name: Block execution of PowerShell malformed commands
Command Line: c:\Windows\System32\WindowsPowerShell\v1.0\PowerShell -NonInteractive -WindowStyle hidden $Preferences=Get-MpPreference;$path='HKLM:\SOFTWARE\Policies\Microsoft\Windows\safer_Hard_Configurator\Defender\TEMP'; New-ItemProperty -Path $path -Name 'PreferencesTest' -Value $Preferences.DisableRealtimeMonitoring -PropertyType String -Force | Out-Null; function SetRegistryKey ([string]$name){$svalue=$Preferences.$name;New-ItemProperty -Path $path -Name $name -Value $svalue -PropertyType DWORD -Force | Out-Null}; SetRegistryKey('EnableNetworkProtection'); SetRegistryKey( 'EnableControlledFolderAccess');SetRegistryKey('DisableRealtimeMonitoring'); SetRegistryKey('DisableBehaviorMonitoring'); SetRegistryKey('DisableBlockAtFirstSeen'); SetRegistryKey('MAPSReporting');SetRegistryKey('SubmitSamplesConsent');SetRegistryKey('DisableIOAVProtection'); SetRegistryKey('DisableScriptScanning'); SetRegistryKey('PUAProtection'); SetRegistryKey('ScanAvgCPULoadFactor');
Signer:
Parent Signer:
User/Domain:
Integrity Level: High
Made an exclusion:
Code:
[%PROCESS%: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe] [%PROCESSCMDLINE%: c:\Windows\System32\WindowsPowerShell\v1.0\PowerShell -NonInteractive -WindowStyle hidden $Preferences=Get-MpPreference;$path='HKLM:\SOFTWARE\Policies\Microsoft\Windows\safer_Hard_Configurator\Defender\TEMP'; New-ItemProperty -Path $path -Name 'PreferencesTest' -Value $Preferences.DisableRealtimeMonitoring -PropertyType String -Force | Out-Null; function SetRegistryKey ([string]$name){$svalue=$Preferences.$name;New-ItemProperty -Path $path -Name $name -Value $svalue -PropertyType DWORD -Force | Out-Null}; SetRegistryKey('EnableNetworkProtection'); SetRegistryKey( 'EnableControlledFolderAccess');SetRegistryKey('DisableRealtimeMonitoring'); SetRegistryKey('DisableBehaviorMonitoring'); SetRegistryKey('DisableBlockAtFirstSeen'); SetRegistryKey('MAPSReporting');SetRegistryKey('SubmitSamplesConsent');SetRegistryKey('DisableIOAVProtection'); SetRegistryKey('DisableScriptScanning'); SetRegistryKey('PUAProtection'); SetRegistryKey('ScanAvgCPULoadFactor');] [%PARENTPROCESS%: D:\Downloads\Software\ConfigureDefender_1.0.0.1\ConfigureDefender_x64.exe]
And all is working fine (y)
 

NoVirusThanks

From NoVirusThanks
Verified
Developer
Well-known
Aug 23, 2012
293
Here is a new v1.4 (pre-release) test54:
http://downloads.novirusthanks.org/files/osarmor_setup_1.4_test54.exe

*** Please do not share the download link, we will delete it when we'll release the official v1.4 ***

So far this is what's new compared to the previous pre-release:

+ Improved Block suspicious command-lines
+ Improved Block suspicious processes
+ Improved Block suspicious Svchost.exe process behaviors
+ Block execution of unsigned processes on user space
+ Block unsigned processes to run with high or system privileges
+ Block processes executed from netsh.exe
+ Block possible UAC bypass attempts [method 1]
+ Block possible UAC bypass attempts [method 2] (disabled at the moment, need to complete this)
+ Block execution of ftp\tftp\telnet.exe
+ Block suspicious process elevation attempts
+ Block InfDefaultInstall.exe if executed by unknown processes
+ Some rules have been moved to their appropriate section
+ Added text-link to reset statistics on Main GUI
+ Configurator GUI can be maximized and is resizeable
+ Added a dark-gray frame on the notification window
+ Removed Block ALL autoelevate system processes
+ Removed Block known system files used for UAC-bypass
+ Show parent process integrity level on log file
+ Show process md5 hash on log file
+ Minor fixes and optimizations
+ Fixed some false positives

To install it, first uninstall the previous build, then reboot (not really needed but may help), and install the new build.

If you find any false positive or issue please let me know (official release will be postponed of some days).

Here is a screenshot:

new-osa-54.png


@128BPM

Should be fixed now.

@MeltdownEnemy

Done.
 

128BPM

Level 2
Verified
Feb 21, 2018
90
@NoVirusThanks


Thanks, previous FPs were fixed, but:

Date/Time: 10/04/2018 12:43:19 p.m.
Process: [2764]C:\Windows\System32\control.exe
Process MD5 Hash: FD3F34830C39F4B554106ADA19924F4E
Parent: [1632]C:\Windows\explorer.exe
Rule: BlockUnknownProcessesOnWindowsFolder
Rule Name: Block unknown processes on Windows folder
Command Line: "C:\Windows\System32\control.exe" "C:\Windows\system32\timedate.cpl",
Signer:
Parent Signer:
User/Domain: PC/PC
Integrity Level: Medium
Parent Integrity Level: Medium


Date/Time: 10/04/2018 04:54:27 p.m.
Process: [456]C:\Windows\System32\SndVol.exe
Process MD5 Hash: C3489639EC8E181044F6C6BFD3D01AC9
Parent: [1512]C:\Windows\explorer.exe
Rule: BlockUnknownProcessesOnWindowsFolder
Rule Name: Block unknown processes on Windows folder
Command Line: SndVol.exe -f 49546462 26531
Signer:
Parent Signer:
User/Domain: PC/PC
Integrity Level: Medium
Parent Integrity Level: Medium


Date/Time: 10/04/2018 04:54:46 p.m.
Process: [4460]C:\Windows\SysWOW64\dllhost.exe
Process MD5 Hash: A63DC5C2EA944E6657203E0C8EDEAF61
Parent: [768]C:\Windows\System32\svchost.exe
Rule: BlockUnknownProcessesOnWindowsFolder
Rule Name: Block unknown processes on Windows folder
Command Line: C:\Windows\SysWOW64\DllHost.exe /Processid:{06622D85-6856-4460-8DE1-A81921B41C4B}
Signer:
Parent Signer:
User/Domain: PC/PC
Integrity Level: Medium
Parent Integrity Level: System
 
  • Like
Reactions: AtlBo

NoVirusThanks

From NoVirusThanks
Verified
Developer
Well-known
Aug 23, 2012
293
Here is a new v1.4 (pre-release) test55:
http://downloads.novirusthanks.org/files/osarmor_setup_1.4_test55.exe

*** Please do not share the download link, we will delete it when we'll release the official v1.4 ***

So far this is what's new compared to the previous pre-release:

+ Fixed Block suspicious processes
+ Block "tricks" used to run UAC-bypass system processes
+ Block unsigned processes to run with high privileges
+ Block unsigned processes to run with system privileges
+ Renamed and improved UAC-bypass mitigation rules
+ Renamed Block execution of unsigned processes on Common AppData (\ProgramData\)
+ Readded Block execution of ALL "autoelevate" system processes
+ Fixed some false positives

To install it, first uninstall the previous build, then reboot (not really needed but may help), and install the new build.

If you find any false positive or issue please let me know.

Here is a screenshot of the new rules:

osanew1.png


@128BPM

Should be fixed now.
 

128BPM

Level 2
Verified
Feb 21, 2018
90
@NoVirusThanks


Previous FPs are fixed, now:


Date/Time: 10/04/2018 07:50:36 p.m.
Process: [3376]C:\Windows\System32\rundll32.exe
Process MD5 Hash: C36BB659F08F046B139C8D1B980BF1AC
Parent: [2568]C:\Windows\System32\control.exe
Rule: PreventRundll32Control_RunDLL
Rule Name: Prevent rundll32.exe from using Control_RunDLL (shell32.dll)
Command Line: "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL "C:\Windows\system32\timedate.cpl",
Signer:
Parent Signer:
User/Domain: PC/PC
Integrity Level: Medium
Parent Integrity Level: Medium



Date/Time: 10/04/2018 08:07:11 p.m.
Process: [5100]C:\Windows\System32\mmc.exe
Process MD5 Hash: 007665F8DE4B18F82CEC63313F8ADCD2
Parent: [1548]C:\Windows\explorer.exe
Rule: BlockMSCScripts
Rule Name: Block execution of .msc scripts
Command Line: "C:\Windows\system32\mmc.exe" C:\Windows\system32\devmgmt.msc
Signer:
Parent Signer:
User/Domain: PC/PC
Integrity Level: High
Parent Integrity Level: Medium



Date/Time: 10/04/2018 08:08:18 p.m.
Process: [4620]C:\Windows\System32\DeviceDisplayObjectProvider.exe
Process MD5 Hash: 7E2EB3A4AE11190EF4C8A9B9A9123234
Parent: [764]C:\Windows\System32\svchost.exe
Rule: BlockSuspiciousSvchostBehaviors
Rule Name: Block suspicious Svchost.exe process behaviors
Command Line: C:\Windows\system32\DeviceDisplayObjectProvider.exe -Embedding
Signer:
Parent Signer:
User/Domain: PC/PC
Integrity Level: Medium
Parent Integrity Level: System


Note: Could you add an option to reset the log?

Thanks.
 
Last edited:

Carphedon

Level 1
Mar 2, 2018
11
I have a feature suggestion. It would be nice to have an option to block (unauthorized) access to camera and microphone. Most of the time these devices are not in use by regular programs and applications should not have access without the user knowing about it. This could prevent spying on user through webcam and microphone.

Keep up the good work, awesome software.
 

Carphedon

Level 1
Mar 2, 2018
11
... I'm sure this is well-intentioned, but I'm not a supporter of feature "bloat" which strays from OSA's core of threat protection.

I am also not a supporter of feature bloat but i think this would be a nice addition. I disagree that this strays away from osa core as this is about protecting camera and microphone threat.
 
  • Like
Reactions: AtlBo

NoVirusThanks

From NoVirusThanks
Verified
Developer
Well-known
Aug 23, 2012
293
Here is a new v1.4 (pre-release) test56:
http://downloads.novirusthanks.org/files/osarmor_setup_1.4_test56.exe

*** Please do not share the download link, we will delete it when we'll release the official v1.4 ***

So far this is what's new compared to the previous pre-release:

+ Improved showing of main GUI via tray icon -> Show/Hide Window
+ Improved Block suspicious Svchost.exe process behaviors
+ Fixed some false positives

To install it, first uninstall the previous build, then reboot (not really needed but may help), and install the new build.

If you find any false positive or issue please let me know.

@Carphedon

Will discuss about it, in case we can create a specific program for that.

@128BPM

Fixed all FPs, except:

Date/Time: 10/04/2018 08:07:11 p.m.
Process: [5100]C:\Windows\System32\mmc.exe
Process MD5 Hash: 007665F8DE4B18F82CEC63313F8ADCD2
Parent: [1548]C:\Windows\explorer.exe
Rule: BlockMSCScripts
Rule Name: Block execution of .msc scripts
Command Line: "C:\Windows\system32\mmc.exe" C:\Windows\system32\devmgmt.msc
Signer:
Parent Signer:
User/Domain: PC/PC
Integrity Level: High
Parent Integrity Level: Medium

That is normal behavior, you may uncheck:

Block execution of .msc scripts

And instead check this:

Block execution of .msc scripts outside System folder

Note: Could you add an option to reset the log?

Sure, added in the todo list.
 

128BPM

Level 2
Verified
Feb 21, 2018
90
@NoVirusThanks

The FPs were fixed, for now I think that only this one remains:


Date/Time: 11/04/2018 04:54:30 p.m.
Process: [1980]C:\Windows\System32\control.exe
Process MD5 Hash: FD3F34830C39F4B554106ADA19924F4E
Parent: [2800]C:\Windows\System32\rundll32.exe
Rule: BlockSuspiciousCmdlines
Rule Name: Block execution of suspicious command-line strings
Command Line: "C:\Windows\System32\control.exe" "C:\Windows\system32\intl.cpl",,/p:"date"
Signer:
Parent Signer:
User/Domain: PC/PC
Integrity Level: Medium
Parent Integrity Level: Medium


This appears in the option "change calendar settings"
If I find more, I'll let you know.

Thanks.
 

Windows_Security

Level 24
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Mar 13, 2016
1,298
Uploaded a new video, used OSArmor 1.4 (pre-release) build 56 with default settings:




Andreas,

I used to add a rules that that Word as a parent process was not allowed to start other programs (except print spool and touch screen keyboard processes). I see that the video blocks launching word processes from user space. Two questions:

1. Is starting other programs covered by the anti-exploit option of Word?
2. Do you have made allow exceptions for print spool and touch keyboard?


I am asking because for wscript.exe you have:
- "Block any process executed from wscript" (in Main Protections) AND
- "Protect Windows Script" (Microsoft processes secrion of Anti-Exploit)

So I thought Exploit protection only blocks execution from user space.

Thx

Regards Kees
 
Last edited:

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

User Menu

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top