NoVirusThanks OSArmor

Homepage
http://www.novirusthanks.org/products/osarmor/
Bundled with PUP
None

Windows_Security

Level 18
Content Creator
Verified
Joined
Mar 13, 2016
Messages
893
OS
Windows 7
OS Armor is a strong layer of defense. Andreas is constantly adding recognition strings to commands used to bypass PC defenses (antivirus solutions).

Most fileless malware and ransomware use remote access and built-in shells like Windows Management Instrumentation, PowerShell and dotNet, which can't be turned off like old command shells such as wscript and cmd.

The chances of running into this type of malware are not that big when you apply safe HEX and have decent security in place. But the price (free) and low performance impact make OS Armor something to consider for any setup.

Now with the latest option to allow only signed processes in user space, one only needs to add additional partitions/drives to your custom block rules. It is as easy as this, where X is the drive letter: [%PROCESSFILEPATH%: X:\*]

So when you split your hard disk into C for programs and D for files it would look like: [%PROCESSFILEPATH%: D:\*]

Great job Andreas @NoVirusThanks thanks (y)
 

Telos

Level 12
Verified
Joined
Jan 29, 2017
Messages
574
Now with the latest option to allow only signed processes in user space, one only needs to add additional partitions/drives to your custom block rules. It is as easy as this, where X is the drive letter: [%PROCESSFILEPATH%: X:\*]

So when you split your hard disk into C for programs and D for files it would look like: [%PROCESSFILEPATH%: D:\*]
I want to block writing to "G" partition by all except Signer: Microsoft.

So I entered a block... simply....
[%PROCESSFILEPATH%: G:\*]

and ran a program that normally writes to "G" and there was no interception. What am I doing wrong?
 

NoVirusThanks

From NoVirusThanks
Developer
Verified
Joined
Aug 23, 2012
Messages
177
OS
Windows 10
Here is a new v1.4 (pre-release) test57:
http://downloads.novirusthanks.org/files/osarmor_setup_1.4_test57.exe

*** Please do not share the download link, we will delete it when we release the official v1.4 ***

So far this is what's new compared to the previous pre-release:

+ Improved Block download of remote URLs via command-lines
+ Block unsigned processes outside system partition (e.g. C:\)
+ Block ALL processes outside system partition (e.g. C:\)
+ Fixed some false positives

To install it, first uninstall the previous build, then reboot (not really needed but may help), and install the new build.

If you find any false positive or issue please let me know.

With the new rules you can now block any (or only unsigned) processes executed outside system partition (e.g. C:\).

So a process executed, e.g., from F:\ or G:\ will be blocked, see this screenshot:

[screenshot: osa3.png]


@128BPM

That FP should be fixed now, please confirm.

@Windows_Security

1. Is starting other programs covered by the anti-exploit option of Word?
Yes.

2. Have you made allow exceptions for print spool and touch keyboard?
Yes.

I am asking because for wscript.exe you have:
The option to block any process from wscript.exe was specifically asked by a company and to be separate from the anti-exploit tab.

So when you split your hard disk into C for programs and D for files it would look like: [%PROCESSFILEPATH%: D:\*]
You may find these new options useful:

+ Block unsigned processes outside system partition (e.g. C:\)
+ Block ALL processes outside system partition (e.g. C:\)

:)

@Telos

With the block-rule:

[%PROCESSFILEPATH%: G:\*]

OSA would block any process located on G:\

It doesn't block a process from writing to that path (OSA doesn't monitor writing of files).

To exclude Microsoft-signed processes just add this to Exclusion rules:

[%PROCESSFILEPATH%: G:\*] [%FILESIGNER%: Microsoft Windows]
[%PROCESSFILEPATH%: G:\*] [%FILESIGNER%: Microsoft Corporation]
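To see how the G:\* block rule and the two signer exclusions interact, here is an added example (not OSArmor's own code) that parses rule lines in this syntax and evaluates them against constructed process events; the precedence of exclusions over block rules, the glob treatment of `*`, the event field names and the sample paths are assumptions.

```python
import fnmatch
import re
# Added example (not OSArmor's own engine): evaluates rule lines written as
#   [%PROCESSFILEPATH%: G:\*] [%FILESIGNER%: Microsoft Windows]
# Each [%KEY%: value] pair is one condition; a rule matches only when every
# condition matches; a matching exclusion outranks a matching block rule.
COND_RE = re.compile(r"\[%(\w+)%:\s*([^\]]*)\]")

def parse_rule(line):
    """Turn one rule line into {KEY: pattern}; reject lines with no condition."""
    conds = COND_RE.findall(line)
    if not conds:
        raise ValueError(f"no [%KEY%: value] condition in rule: {line!r}")
    return {key.upper(): value.strip() for key, value in conds}

def cond_matches(key, pattern, event):
    actual = event.get(key, "")
    if key == "PROCESSFILEPATH":  # Windows paths: case-insensitive, '*' is a glob
        return fnmatch.fnmatchcase(actual.lower(), pattern.lower())
    return actual.lower() == pattern.lower()  # signer: exact, case-insensitive

def rule_matches(rule, event):
    return all(cond_matches(k, v, event) for k, v in rule.items())

def decide(event, block_rules, exclusions):
    """Return 'block', 'allow' or 'not monitored' for one event."""
    # Only process execution is evaluated: a [%PROCESSFILEPATH%: G:\*] block
    # rule never stops a program on C:\ from writing files into G:\
    if event.get("kind") != "process_start":
        return "not monitored"
    if any(rule_matches(r, event) for r in exclusions):
        return "allow"
    return "block" if any(rule_matches(r, event) for r in block_rules) else "allow"

# Rules exactly as written in the thread
BLOCK = [parse_rule(r"[%PROCESSFILEPATH%: G:\*]")]
EXCLUDE = [parse_rule(r"[%PROCESSFILEPATH%: G:\*] [%FILESIGNER%: Microsoft Windows]"),
           parse_rule(r"[%PROCESSFILEPATH%: G:\*] [%FILESIGNER%: Microsoft Corporation]")]

# Constructed sample events; paths and signers are made up for illustration
EVENTS = {
    "unsigned_on_g": {"kind": "process_start", "PROCESSFILEPATH": r"G:\Tools\app.exe", "FILESIGNER": ""},
    "ms_signed_on_g": {"kind": "process_start", "PROCESSFILEPATH": r"g:\portable\notepad.exe", "FILESIGNER": "Microsoft Windows"},
    "unsigned_on_c": {"kind": "process_start", "PROCESSFILEPATH": r"C:\Program Files\app\app.exe", "FILESIGNER": ""},
    "write_to_g": {"kind": "file_write", "PROCESSFILEPATH": r"C:\Program Files\app\app.exe", "target": r"G:\data\out.txt"},
}

def run_all():
    """Verdict per sample event, e.g. {'unsigned_on_g': 'block', ...}."""
    return {name: decide(ev, BLOCK, EXCLUDE) for name, ev in EVENTS.items()}
```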
 

Windows_Security

Level 18
Content Creator
Verified
Joined
Mar 13, 2016
Messages
893
OS
Windows 7
You may find these new options useful:

+ Block unsigned processes outside system partition (e.g. C:\)
+ Block ALL processes outside system partition (e.g. C:\)

:)
Andreas,

Does the rule BLOCK ALL PROCESSES OUTSIDE also include USB and RAM disk (other options)?

I would prefer it to apply the rule "block all" on hard disks only, so the user has granular control on others (USB, CD-ROM, RAM etc.) with other options.
 

Umbra

Level 85
Content Creator
Verified
Joined
May 16, 2011
Messages
18,422
OS
Windows 10
Antivirus
Default-Deny
Andreas,

Does the rule BLOCK ALL PROCESSES OUTSIDE also include USB and RAM disk (other options)?

I would prefer it to apply the rule "block all" on hard disks only, so the user has granular control on others (USB, CD-ROM, RAM etc.) with other options.
You can just make exclusions then, it is what I do.
 
Joined
Feb 21, 2018
Messages
69
@NoVirusThanks


When entering the option "change calendar settings", the previous FP (Block execution of suspicious command-line strings) was corrected. But now this appears:


Date/Time: 12/04/2018 08:18:38 p.m.
Process: [3208]C:\Windows\System32\control.exe
Process MD5 Hash: FD3F34830C39F4B554106ADA19924F4E
Parent: [3132]C:\Windows\System32\rundll32.exe
Rule: BlockSuspiciousProcessesFromRundll32
Rule Name: Block suspicious processes executed from Rundll32
Command Line: "C:\Windows\System32\control.exe" "C:\Windows\system32\intl.cpl",,/p:"date"
Signer:
Parent Signer:
User/Domain: PC/PC
Integrity Level: Medium
Parent Integrity Level: Medium
 

Telos

Level 12
Verified
Joined
Jan 29, 2017
Messages
574
Tried to reboot to Safe Mode (Shift-Restart) and got this...

Date/Time: 4/13/2018 1:35:37 PM
Process: [8608]C:\WINDOWS\System32\shutdown.exe
Process MD5 Hash: 0AA80010E37F8F8546CDD6D725D79A28
Parent: [3088]C:\WINDOWS\explorer.exe
Rule: BlockShutdownExeExecution
Rule Name: Block execution of shutdown.exe
Command Line: shutdown.exe /r /o /t 0
Signer:
Parent Signer: Microsoft Windows
User/Domain: Telos/Domain
Integrity Level: Medium
Parent Integrity Level: Medium


Still I was able to Restart without the Shift key ... so I'm a bit perplexed.

That all said, I must have scanned the rules list 3 times before I could locate this one. I'm guessing it would be too much to ask for a rule search feature.
 

NoVirusThanks

From NoVirusThanks
Developer
Verified
Joined
Aug 23, 2012
Messages
177
OS
Windows 10
Here is a new v1.4 (pre-release) test58:
http://downloads.novirusthanks.org/files/osarmor_setup_1.4_test58.exe

*** Please do not share the download link, we will delete it when we release the official v1.4 ***

So far this is what's new compared to the previous pre-release:

+ Show System File: True\False on log file
+ Show Parent System File: True\False on log file
+ Improved detection of parent processes
+ Improved detection of UAC-bypass attempts
+ Fixed some false positives

To install it, first uninstall the previous build, then reboot (not really needed but may help), and install the new build.

If you find any false positive or issue please let me know.
 

NoVirusThanks

From NoVirusThanks
Developer
Verified
Joined
Aug 23, 2012
Messages
177
OS
Windows 10
Here is a new v1.4 (pre-release) test59:
http://downloads.novirusthanks.org/files/osarmor_setup_1.4_test59.exe

*** Please do not share the download link, we will delete it when we release the official v1.4 ***

So far this is what's new compared to the previous pre-release:

+ Added "Windows Live Mail" on Anti-Exploit tab
+ Added "PotPlayer" on Anti-Exploit tab
+ Added a Help\FAQs file (tray-icon -> Help\FAQs, Main menu -> Help -> Help\FAQs, GUI "?" top-right border icon)
+ Renamed Block system processes from cleaning Windows Eventlog
+ Minor fixes and optimizations

To install it, first uninstall the previous build, then reboot (not really needed but may help), and install the new build.

If you find any false positive or issue please let me know.
 
Joined
Feb 21, 2018
Messages
69
@NoVirusThanks


In System Properties/Hardware/Device Installation Settings, I have this log:


Date/Time: 17/04/2018 03:15:45 p.m.
Process: [1188]C:\Windows\System32\rundll32.exe
Process MD5 Hash: C36BB659F08F046B139C8D1B980BF1AC
Parent: [4756]C:\Windows\System32\SystemPropertiesComputerName.exe
Rule: BlockKnownUACBypassAttempts
Rule Name: Block known and possible UAC-bypass attempts
Command Line: "C:\Windows\System32\rundll32.exe" newdev.dll,DeviceInternetSettingUi 3
Signer:
Parent Signer:
User/Domain: PC/PC
System File: True
Parent System File: False
Integrity Level: High
Parent Integrity Level: High
 
