NoVirusThanks OSArmor

[Deleted member 178]

Hi do armor and radar do the same thing

both monitors executable,
1- OSA use a kind of hybrid "behavioral/SRP" approach.
2- ERP is strict anti-exe, what isn't whitelisted generates prompts/blocks.

or can both be used together?THks

yes

 

[Andytay70]

both monitors executable,
1- OSA use a kind of hybrid "behavioral/SRP" approach.
2- ERP is strict anti-exe, what isn't whitelisted generates prompts/blocks.


yes

Hi @Umbra do you use OSA on default settings or have you tweaked it?

 

[Deleted member 178]

Hi @Umbra do you use OSA on default settings or have you tweaked it?

Umbra using default-settings? ummmmm...not going to happen ever ever ^^

More seriously, custom setiings, basically i left only 2-3 advanced options unticked.

 

[codswollip]

Care to share which are ticked and which are not ticked?

Clearly I'm not Umbra, but for me all non-colored options are checked active.

 

[shmu26]

The options you should leave unchecked depend on your specific security config. It is a question of what other security apps you are running, and how you have configured them.
You can tick all of the options, if you want, but then you might have stupid overkill.

 

[Garzaman]

Clearly I'm not Umbra, but for me all non-colored options are checked active.

I am a novice user of NVT OSA. Applying default rules and trying to learn.

I want a balance between safety and comfort, but I will learn little by little. At the moment I am impressed and grateful to @NoVirusThanks for the different software (and great) he is making

 

[l0rdraiden]

@NoVirusThanks

More FP's after installing updates on windows server 2016, the problem is that the probably dimhost tries to execute after the block under a different process so the manual whitelist after the alert is useless

• [%PROCESS%: C:\Windows\Temp\F5FBA037-9593-4675-BCED-C26C7C05B870\DismHost.exe] [%PROCESSCMDLINE%: C:\Windows\TEMP\F5FBA037-9593-4675-BCED-C26C7C05B870\dismhost.exe {A5DA863C-DB44-4683-A77B-FE00167ED919}] [%FILESIGNER%: Microsoft Corporation] [%PARENTPROCESS%: C:\Windows\System32\wbem\WmiPrvSE.exe]
• [%PROCESS%: C:\Windows\Temp\F2FA2996-6B04-4B9C-AA7D-DF43F2CEBD83\DismHost.exe] [%PROCESSCMDLINE%: C:\Windows\TEMP\F2FA2996-6B04-4B9C-AA7D-DF43F2CEBD83\dismhost.exe {48BF688B-C04B-42F3-8578-0AB249F07E7E}] [%FILESIGNER%: Microsoft Corporation] [%PARENTPROCESS%: C:\Windows\System32\wbem\WmiPrvSE.exe]
• [%PROCESS%: C:\Windows\Temp\30B925C1-3E4C-48AB-9575-516DA1CD3800\DismHost.exe] [%PROCESSCMDLINE%: C:\Windows\TEMP\30B925C1-3E4C-48AB-9575-516DA1CD3800\dismhost.exe {16D0CE06-8F82-44F8-BE3D-20E05A5BE215}] [%FILESIGNER%: Microsoft Corporation] [%PARENTPROCESS%: C:\Windows\System32\wbem\WmiPrvSE.exe]
• [%PROCESS%: C:\Windows\Temp\B4D503C8-46CC-4A06-A131-EE5CBC5A041F\DismHost.exe] [%PROCESSCMDLINE%: C:\Windows\TEMP\B4D503C8-46CC-4A06-A131-EE5CBC5A041F\dismhost.exe {6CE46AC6-6F97-4CA2-B66C-91DE70838AC5}] [%FILESIGNER%: Microsoft Corporation] [%PARENTPROCESS%: C:\Windows\System32\wbem\WmiPrvSE.exe]

LOG

Date/Time: 01/05/2018 9:12:13
Process: [5768]C:\Windows\Temp\B4D503C8-46CC-4A06-A131-EE5CBC5A041F\DismHost.exe
Process MD5 Hash: 418299F70B35752CB048ED773C59002E
Parent: [5104]C:\Windows\System32\wbem\WmiPrvSE.exe
Rule: AntiExploitWMIProviderHost
Rule Name: (Anti-Exploit) Protect WMI Provider Host
Command Line: C:\Windows\TEMP\B4D503C8-46CC-4A06-A131-EE5CBC5A041F\dismhost.exe {6CE46AC6-6F97-4CA2-B66C-91DE70838AC5}
Signer: Microsoft Corporation
Parent Signer:
User/Domain: SYSTEM/NT AUTHORITY
System File: False
Parent System File: True
Integrity Level: System
Parent Integrity Level: System


Date/Time: 01/05/2018 9:11:07
Process: [5328]C:\Windows\Temp\30B925C1-3E4C-48AB-9575-516DA1CD3800\DismHost.exe
Process MD5 Hash: 418299F70B35752CB048ED773C59002E
Parent: [5104]C:\Windows\System32\wbem\WmiPrvSE.exe
Rule: AntiExploitWMIProviderHost
Rule Name: (Anti-Exploit) Protect WMI Provider Host
Command Line: C:\Windows\TEMP\30B925C1-3E4C-48AB-9575-516DA1CD3800\dismhost.exe {16D0CE06-8F82-44F8-BE3D-20E05A5BE215}
Signer: Microsoft Corporation
Parent Signer:
User/Domain: SYSTEM/NT AUTHORITY
System File: False
Parent System File: True
Integrity Level: System
Parent Integrity Level: System


Date/Time: 01/05/2018 9:10:01
Process: [5944]C:\Windows\Temp\6F145D6E-B1DD-4E47-A7D5-92FCB44156A0\DismHost.exe
Process MD5 Hash: 418299F70B35752CB048ED773C59002E
Parent: [5104]C:\Windows\System32\wbem\WmiPrvSE.exe
Rule: AntiExploitWMIProviderHost
Rule Name: (Anti-Exploit) Protect WMI Provider Host
Command Line: C:\Windows\TEMP\6F145D6E-B1DD-4E47-A7D5-92FCB44156A0\dismhost.exe {4FE3045D-920E-4744-AC04-5C249525BDC7}
Signer: Microsoft Corporation
Parent Signer:
User/Domain: SYSTEM/NT AUTHORITY
System File: False
Parent System File: True
Integrity Level: System
Parent Integrity Level: System


Date/Time: 01/05/2018 9:08:56
Process: [4996]C:\Windows\Temp\D193A37C-C65A-464C-9F42-71B0F41A19E0\DismHost.exe
Process MD5 Hash: 418299F70B35752CB048ED773C59002E
Parent: [5104]C:\Windows\System32\wbem\WmiPrvSE.exe
Rule: AntiExploitWMIProviderHost
Rule Name: (Anti-Exploit) Protect WMI Provider Host
Command Line: C:\Windows\TEMP\D193A37C-C65A-464C-9F42-71B0F41A19E0\dismhost.exe {3F73A32F-2DFC-47B7-BEAA-CCECC5B980F5}
Signer: Microsoft Corporation
Parent Signer:
User/Domain: SYSTEM/NT AUTHORITY
System File: False
Parent System File: True
Integrity Level: System
Parent Integrity Level: System

 

[Deleted member 178]

Care to share which are ticked and which are not ticked?

all are ticked except
- Edge
- schtasks.exe
- Taskkill.exe
- bitsadmin.exe
- regasm.exe

 

[Flak]

I saw this asked a couple times but never answered (or I just missed the answer).
Are OSA and MBAE, installed together, redundant/Would OSA replace MBAE in a security setup?

 

[Deleted member 65228]

Are OSA and MBAE, installed together, redundant/Would OSA replace MBAE in a security setup?

NoVirusThanks OSArmor will not replace Malwarebytes Anti-Exploit and vice-versa.

Malwarebytes Anti-Exploit supports enforcing Bottom-Up ASLR, DEP and a few other mitigation's. Furthermore, it performs Remote Code Execution (RCE) into monitored applications and uses this as an advantage to locally intervene with the behavior of the application to assist it in identifying and preventing exploitation attacks. Bear in mind, it also has specific mitigation's for some things and also supports protection with targets like Java.

NoVirusThanks OSArmor does not do the things Malwarebytes Anti-Exploit does, in the same way that Malwarebytes Anti-Exploit does not do what NoVirusThanks OSArmor does. In fact, they both work entirely differently and I would not even estimate that a conflict would be 30% probable.

If you already have Malwarebytes Anti-Exploit, fear not, NoVirusThanks OSArmor will NOT be useless (and vice-versa). If they work well when combined on your environment, and as long as they provide your requirements, then it should be really good.

NoVirusThanks OSArmor is actually extremely light and non-intrusive from my experience and as long as you set it up which is right for you, it can be incredibly helpful. It might not work the same way that other vendors approach their exploit mitigation techniques, but it doesn't mean that the product is lesser than another.

If you're looking for something lightweight, reliable and non-intrusive, then NVT OSArmor is the solution. Since it doesn't work like a majority of other Anti-Exploit components (e.g. it will not touch the memory of another running application nor the Windows Kernel aside from documented and Microsoft-approved techniques), it won't degrade performance of an applications general operations through interception and it'll neither break other applications through external manipulation (e.g. cause them to crash due to a bug in memory modification).

 

[shmu26]

I saw this asked a couple times but never answered (or I just missed the answer).
Are OSA and MBAE, installed together, redundant/Would OSA replace MBAE in a security setup?

The short answer is they are doing different things, so they don't replace one another.

 

[Deleted member 178]

The short answer is they are doing different things, so they don't replace one another.

yes

 

[Syafiq]

@NoVirusThanks , I have a few question regarding NVT OS Armor(Non Beta, version 1.3). Why when I disabled NVT OS Armor to Install something by exiting it, it is still active... It is blocking the command lines and I need to end the NVT OS Armor's service to totally disable it. Does this normal?

 

[codswollip]

@NoVirusThanks , I have a few question regarding NVT OS Armor(Non Beta, version 1.3). Why when I disabled NVT OS Armor to Install something by exiting it, it is still active... It is blocking the command lines and I need to end the NVT OS Armor's service to totally disable it. Does this normal?

Open Window's Services (services.msc) and stop NoVirusThanks OSArmorDevSvc.

 

[ForgottenSeer 58943]

I like OSArmor in default mode. It's incredibly protective out of the box leaving it default and will cause less issues.

 

[shmu26]

@NoVirusThanks , I have a few question regarding NVT OS Armor(Non Beta, version 1.3). Why when I disabled NVT OS Armor to Install something by exiting it, it is still active... It is blocking the command lines and I need to end the NVT OS Armor's service to totally disable it. Does this normal?

"Exiting" is not disabling protection, is it only disabling GUI.

 

[Syafiq]

@shmu26 Thanks for the answer Then, How I can disable it?

 

[Carphedon]

@shmu26 Thanks for the answer Then, How I can disable it?

Protection -> Disable Protection ...

 

[Syafiq]

I think the OSA 1.3 didn't have the options for disabling protection, should i update to the 1.4 beta ?

 

[shmu26]

I think the OSA 1.3 didn't have the options for disabling protection, should i update to the 1.4 beta ?

Definitely you should update. Take the latest build. It is best for most users, I see you are on Windows 10, no reason I can think of not to use the latest version.