NoVirusThanks OSArmor

shmu26

Level 85
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Jul 3, 2015
8,153
@NoVirusThanks

OS_Armor (and other NVT products as well, probably) still does not recognize CATALOG signatures. Therefore most Windows executables look unsigned to OS_Armor, but they are signed by catalog. See for info: Catalog Files and Digital Signatures

Any progress...?

ADVICE TO USERS WITH NO IMAGE BACKUP/RECOVERY IN PLACE: DON'T USE SETTINGS OF OS_ARMOR WHICH RELATE TO PROGRAM SIGNING UNTIL THIS ISSUE IS SOLVED.
Have you seen critical files without embedded signatures, that run from user space?
Almost all of the program signing rules in OSA apply to user space, AFAIK.
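A check a user can run before enabling the signing-related rules, added here as an example and not part of the thread or of OSArmor: PowerShell's Get-AuthenticodeSignature reports SignatureType as Authenticode (embedded), Catalog or None, so it shows how many binaries in a folder carry only a catalog signature and would look unsigned to a tool that reads embedded signatures only. The default folder list and the per-folder cap are assumptions; catalog lookup through this cmdlet needs Windows 8 or later.

```powershell
# Added example (not OSArmor code): inventory how executables in a folder are
# signed, separating embedded (Authenticode) from catalog-only signatures.
# The default folders and the per-folder cap are assumptions for illustration.
param(
    [string[]]$Paths = @("$env:SystemRoot\System32", "$env:LOCALAPPDATA"),
    [int]$MaxPerFolder = 300
)

function Get-SignatureInventory {
    param([string[]]$Paths, [int]$MaxPerFolder)

    foreach ($folder in $Paths) {
        # Select-Object -First stops the enumeration early so System32 does not take minutes
        $files = Get-ChildItem -LiteralPath $folder -Filter *.exe -File -Recurse -ErrorAction SilentlyContinue | Select-Object -First $MaxPerFolder
        foreach ($file in $files) {
            # On Windows 8 and later this cmdlet also consults the security catalogs
            # (.cat files), which is where most OS binaries carry their signature.
            $sig = Get-AuthenticodeSignature -LiteralPath $file.FullName
            [pscustomobject]@{
                Path          = $file.FullName
                Status        = $sig.Status          # Valid, NotSigned, HashMismatch, ...
                SignatureType = $sig.SignatureType   # Authenticode (embedded), Catalog, or None
                Signer        = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
            }
        }
    }
}

$inventory = Get-SignatureInventory -Paths $Paths -MaxPerFolder $MaxPerFolder

# Summary: how many files are embedded-signed, catalog-signed, or unsigned.
$inventory | Group-Object SignatureType | Select-Object Name, Count | Format-Table -AutoSize

# These are the files a tool that only reads embedded signatures would treat as unsigned.
$inventory | Where-Object { $_.SignatureType -eq 'Catalog' -and $_.Status -eq 'Valid' } |
    Select-Object Path, Signer | Format-Table -AutoSize
```

Running it against System32 and a user-profile folder side by side shows the point of the post: the OS folder is dominated by Catalog entries, while third-party programs in the profile are mostly Authenticode or None.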
 

Windows_Security

Level 24
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Mar 13, 2016
1,298
WHY USE OS_ARMOR?

Malware writers only use a limited number of hacking techniques (when we exclude user errors like phishing and social engineering). They always try to gain access to Windows built-in shells to acquire higher privileges, drop code, survive re-boot and connect/redirect internet traffic to a controlled server.

Some say it is impossible to fight exploits, because exploits are based on program errors which the vendors did not know their software had. But with the improvements in memory hardening, code control and (C++) compilers, Windows 10 is a tough cookie to beat. Windows 10 with all Windows Defender features enabled is pretty hard to break into.

Luckily (for malware writers) Microsoft thought of a way to nullify all these security improvements by providing (new or enhanced) command and script interpreters in Windows itself. When old dynamic code platforms were abandoned (ActiveX, HTML Application, NTVDM), new ones were quickly introduced (dotNet, PowerShell, Windows Management Instrumentation) to give hackers access to your PC.

Malware tends to use what is already there (from exploit kits to Windows built-in shells), so OS-Armor blocking access to command shells and script interpreters and filtering command lines on known exploit tricks reduces the chances of being a victim of malware using an exploit to near zero. The beauty of OS_Armor is that it does not try to prevent exploits, but limits gaining access to Windows built-in shells after an exploit is applied.

That is why I recommend using OS_Armor in default settings.
 
Last edited:
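To make the idea concrete, here is an added example (not OSArmor's own rule set or code) of the two controls the post describes: a parent/child check that flags shells and script interpreters launched by document handlers, and a command-line filter for a few widely documented patterns. It runs over a handful of constructed process-creation events so it works offline; the interpreter list, the parent list, the regexes and the event shape are all assumptions, and the 4688 converter assumes command-line auditing is enabled and that the ParentProcessName field is present (Windows 10 and later).

```powershell
# Added example (not OSArmor's rules): a parent/child and command-line filter in
# the spirit of "block built-in shells after an exploit" and "filter command lines".
# Lists, patterns and the sample events below are constructed for illustration.

$Interpreters  = @('powershell.exe', 'cmd.exe', 'wscript.exe', 'cscript.exe', 'mshta.exe')
$DocumentHosts = @('winword.exe', 'excel.exe', 'powerpnt.exe', 'outlook.exe', 'acrord32.exe')

# Each pattern is a defensive indicator, not an exhaustive rule set.
$CommandLinePatterns = @(
    @{ Name = 'encoded command'; Regex = '(?i)\s-(e|enc|encodedcommand)\s+[A-Za-z0-9+/=]{20,}' }
    @{ Name = 'hidden window';   Regex = '(?i)\s-w(indowstyle)?\s+hidden' }
    @{ Name = 'download cradle'; Regex = '(?i)downloadstring|downloadfile|invoke-webrequest|net\.webclient' }
)

function Test-ProcessEvent {
    # Returns one result object per event: Verdict (Allow/Block) plus the reasons.
    param([Parameter(Mandatory)][pscustomobject]$ProcessEvent)

    $reasons = New-Object System.Collections.Generic.List[string]
    $image  = $ProcessEvent.Image.ToLowerInvariant()
    $parent = $ProcessEvent.Parent.ToLowerInvariant()

    # Rule 1: a shell or interpreter started by a document handler.
    if ($Interpreters -contains $image -and $DocumentHosts -contains $parent) {
        $reasons.Add("interpreter $image spawned by document handler $parent")
    }
    # Rule 2: command-line patterns, only checked on interpreters.
    if ($Interpreters -contains $image) {
        foreach ($p in $CommandLinePatterns) {
            if ($ProcessEvent.CommandLine -match $p.Regex) { $reasons.Add("command line: $($p.Name)") }
        }
    }
    [pscustomobject]@{
        Parent  = $ProcessEvent.Parent
        Image   = $ProcessEvent.Image
        Verdict = if ($reasons.Count -gt 0) { 'Block' } else { 'Allow' }
        Reasons = $reasons -join '; '
    }
}

# Convert a live Security 4688 record into the shape above (assumes command-line
# auditing is enabled; ParentProcessName is present on Windows 10 and later).
function ConvertFrom-Event4688 {
    param([Parameter(Mandatory)]$Record)
    $xml  = [xml]$Record.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    [pscustomobject]@{
        Parent      = Split-Path -Leaf $data['ParentProcessName']
        Image       = Split-Path -Leaf $data['NewProcessName']
        CommandLine = [string]$data['CommandLine']
    }
}

# Constructed sample events (not real telemetry); the base64 blob is a placeholder.
$SampleEvents = @(
    [pscustomobject]@{ Parent = 'WINWORD.EXE';  Image = 'powershell.exe'; CommandLine = 'powershell.exe -w hidden -enc QUFBQUFBQUFBQUFBQUFBQUFBQUFB' }
    [pscustomobject]@{ Parent = 'explorer.exe'; Image = 'cmd.exe';        CommandLine = 'cmd.exe /c dir C:\Users' }
    [pscustomobject]@{ Parent = 'EXCEL.EXE';    Image = 'mshta.exe';      CommandLine = 'mshta.exe C:\Users\Public\sample.hta' }
    [pscustomobject]@{ Parent = 'services.exe'; Image = 'svchost.exe';    CommandLine = 'svchost.exe -k netsvcs' }
)

$SampleEvents | ForEach-Object { Test-ProcessEvent -ProcessEvent $_ } | Format-Table -AutoSize

# Live use (requires the "Process Creation" audit policy and command-line logging):
# Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4688} -MaxEvents 200 |
#     ForEach-Object { Test-ProcessEvent -ProcessEvent (ConvertFrom-Event4688 $_) } |
#     Where-Object Verdict -eq 'Block'
```

On the sample events the first and third are marked Block (document handler launching an interpreter, and in the first case a hidden, encoded PowerShell command line as well), while the explorer-launched cmd.exe and the service host are allowed. The same shape applies to Sysmon event 1 with a different field mapping.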

Windows_Security

Level 24
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Mar 13, 2016
1,298
Have you seen critical files without embedded signatures, that run from user space?
Almost all of the program signing rules in OSA apply to user space, AFAIK.

Yes, with updates (BSOD on Windows 7); that is why I advise not using them, to avoid problems. The default rules are good to go (see previous post).
 
Last edited:

Windows_Security

Level 24
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Mar 13, 2016
1,298
So no protection is better? Hmmmmm.....

Is that what you read in the post? IMO I am saying that OS_Armor does not recognise catalog-signed executables, so it is better to leave OS-Armor at default settings, because it could treat signed executables in user folders as unsigned and block them.
 

NoVirusThanks

From NoVirusThanks
Verified
Developer
Well-known
Aug 23, 2012
293
Here is a new v1.4 (pre-release) test60:
http://downloads.novirusthanks.org/files/osarmor_setup_1.4_test60.exe

*** Please do not share the download link, we will delete it when we release the official v1.4 ***

So far this is what's new compared to the previous pre-release:

+ Improved Block suspicious processes
+ Improved Block suspicious command-line strings
+ Improved Block processes located in suspicious folders
+ Added self-protection against process termination via kernel-mode driver
+ Kernel-mode drivers for self-protection are co-signed by Microsoft
+ Only Task Manager can terminate OSArmorDevSvc.exe and OSArmorDevUI.exe
+ Save and restore window size of Configurator GUI
+ Instead of playing the beep sound it now plays a WAV sound when something is blocked
+ Events are now saved as topmost on the log file
+ Minor fixes and optimizations
+ Fixed some false positives

To install it, first uninstall the previous build, then reboot (not really needed but may help), and install the new build.

If you find any false positive or issue please let me know.

@128BPM

Please try this new build, it should fix that FP.

@Windows_Security

Do you still have the log file with the blocked events during the Windows 7 updates?

The internal whitelisting rules should take care of them.
 

ZeroDay

Level 30
Verified
Top Poster
Well-known
Aug 17, 2013
1,905
Here is a new v1.4 (pre-release) test60:
http://downloads.novirusthanks.org/files/osarmor_setup_1.4_test60.exe

*** Please do not share the download link, we will delete it when we release the official v1.4 ***

So far this is what's new compared to the previous pre-release:

+ Improved Block suspicious processes
+ Improved Block suspicious command-line strings
+ Improved Block processes located in suspicious folders
+ Added self-protection against process termination via kernel-mode driver
+ Kernel-mode drivers for self-protection are co-signed by Microsoft
+ Only Task Manager can terminate OSArmorDevSvc.exe and OSArmorDevUI.exe
+ Save and restore window size of Configurator GUI
+ Instead of playing the beep sound it now plays a WAV sound when something is blocked
+ Events are now saved as topmost on the log file
+ Minor fixes and optimizations
+ Fixed some false positives

To install it, first uninstall the previous build, then reboot (not really needed but may help), and install the new build.

If you find any false positive or issue please let me know.

@128BPM

Please try this new build, it should fix that FP.

@Windows_Security

Do you still have the log file with the blocked events during the Windows 7 updates?

The internal whitelisting rules should take care of them.
I haven't commented until now, but thank you for all your hard work with OSA; it really is appreciated.
 
D

Deleted member 65228

I haven't commented until now, but thank you for all your hard work with OSA; it really is appreciated.
He works hard to produce quality software for people (most of which are free or he will give free licenses to those ones which aren't on occasions allegedly) and has very ethical business practices (regular updates for patching any reported bugs and improvement of protection, lack of want for data collection/telemetry, etc.).

The guy actually wants to help keep people protected, there's real passion and motivation for it. His focus isn't 100% on money, it's primarily on keeping people safe from cyber-attacks and that makes ALL the difference.
 

ZeroDay

Level 30
Verified
Top Poster
Well-known
Aug 17, 2013
1,905
He works hard to produce quality software for people (most of which are free or he will give free licenses to those ones which aren't on occasions allegedly) and has very ethical business practices (regular updates for patching any reported bugs and improvement of protection, lack of want for data collection/telemetry, etc.).

The guy actually wants to help keep people protected, there's real passion and motivation for it. His focus isn't 100% on money, it's primarily on keeping people safe from cyber-attacks and that makes ALL the difference.
Indeed. Very rare qualities these days.
 

erreale

Level 9
Verified
Content Creator
Malware Hunter
Well-known
Oct 22, 2016
409
He works hard to produce quality software for people (most of which are free or he will give free licenses to those ones which aren't on occasions allegedly) and has very ethical business practices (regular updates for patching any reported bugs and improvement of protection, lack of want for data collection/telemetry, etc.).

The guy actually wants to help keep people protected, there's real passion and motivation for it. His focus isn't 100% on money, it's primarily on keeping people safe from cyber-attacks and that makes ALL the difference.


Honestly, I would buy OSArmor without thinking twice if it did not remain free. It's brilliant software! The work of the developer is exemplary and no doubt deserves to be reimbursed in some way.
 

NoVirusThanks

From NoVirusThanks
Verified
Developer
Well-known
Aug 23, 2012
293
Thanks for all the feedback, guys! Really much appreciated; it fuels our motivation and passion!

Have just uploaded two new videos:

Testing OSArmor with UACME on Windows 7 64-bit



In this video we test OSArmor v1.4 b60 with UACME (2.8.7) on Windows 7 64-bit. All attempts to elevate payload.exe got blocked by OSArmor with the rule "Block known and possible UAC-bypass attempts". UACME number 35 got blocked with the rule "Block suspicious process elevation attempts".

Testing OSArmor with UACME on Windows 10 SCU 1803 64-bit



In this video we test OSArmor v1.4 b60 with UACME (2.8.7) on Windows 10 SCU 1803 64-bit. All (unpatched) attempts to elevate payload.exe got blocked by OSArmor with the rule "Block known and possible UAC-bypass attempts". UACME number 35 got blocked with the rule "Block suspicious process elevation attempts".

@Windows_Security

Ok, I'll take a look at that issue (catalog sigs) asap.
 

NoVirusThanks

From NoVirusThanks
Verified
Developer
Well-known
Aug 23, 2012
293
Here is a new v1.4 (pre-release) test61:
http://downloads.novirusthanks.org/files/osarmor_setup_1.4_test61.exe

*** Please do not share the download link, we will delete it when we release the official v1.4 ***

So far this is what's new compared to the previous pre-release:

+ Fixed a typo in the Help\FAQs file
+ Fixed detection of parent processes in particular situations
+ Improved Block suspicious command-lines
+ Improved Block suspicious processes
+ Minor fixes and optimizations
+ Fixed some false positives

To install it, first uninstall the previous build, then reboot (not really needed but may help), and install the new build.

If you find any false positive or issue please let me know.
 

MeltdownEnemy

Level 7
Verified
Well-known
Jan 25, 2018
300
Here is a new v1.4 (pre-release) test54:
http://downloads.novirusthanks.org/files/osarmor_setup_1.4_test54.exe

*** Please do not share the download link, we will delete it when we release the official v1.4 ***

So far this is what's new compared to the previous pre-release:

+ Improved Block suspicious command-lines
+ Improved Block suspicious processes
+ Improved Block suspicious Svchost.exe process behaviors
+ Block execution of unsigned processes on user space
+ Block unsigned processes to run with high or system privileges
+ Block processes executed from netsh.exe
+ Block possible UAC bypass attempts [method 1]
+ Block possible UAC bypass attempts [method 2] (disabled at the moment, need to complete this)
+ Block execution of ftp\tftp\telnet.exe
+ Block suspicious process elevation attempts
+ Block InfDefaultInstall.exe if executed by unknown processes
+ Some rules have been moved to their appropriate section
+ Added text-link to reset statistics on Main GUI
+ Configurator GUI can be maximized and is resizeable
+ Added a dark-gray frame on the notification window
+ Removed Block ALL autoelevate system processes
+ Removed Block known system files used for UAC-bypass
+ Show parent process integrity level on log file
+ Show process md5 hash on log file
+ Minor fixes and optimizations
+ Fixed some false positives

To install it, first uninstall the previous build, then reboot (not really needed but may help), and install the new build.

If you find any false positive or issue please let me know (official release will be postponed by some days).

Here is a screenshot:

View attachment 185763

@128BPM

Should be fixed now.

@MeltdownEnemy

Done.


Unbelievable! I can see the new changes. Thank you so much my friend. Count me in for all future betas. Awesome list views!
 
