NoVirusThanks OSArmor

Deleted member 65228

@Syafiq If you do not update to the latest versions then all you will end up doing is missing out on bug/vulnerability patches, protection enhancements and new user-experience features.

You don't have to update immediately after an update is released, but keeping track of progress and the change-log history of updates will be in your best interest.
 

AtlBo

Level 28
Verified
Top Poster
Content Creator
Well-known
Dec 29, 2014
1,716
Digging a little bit deeper about NVT OSArmor. The video showing UAC protections on Windows 7 caused me to be curious if UAC and other areas of Windows that OSA protects should be classified as "unpatched" vulnerabilities. I would love to hear any input on this, not that I am looking for a reason to complain about MS. Attempting to classify OSA I think...:rolleyes: Having a hard time knowing how to classify the scope of the protections and also gauging a best configuration for the program.

I "think" OSArmor really could block many potential vulnerabilities too that aren't even known. Not sure about this however...
 
Deleted member 65228

I "think" OSArmor really could block many potential vulnerabilities too that aren't even known. Not sure about this however...
Due to how the product is designed, its main capability stems from post-exploitation payload blocking IMO. Either way the product is useful and great, I like it a lot.

If your browser gets hit with a file-less RCE exploit from the web, NVT OSArmor is not going to be able to stop it. However, the post-exploitation payload might cause additional process creation instead of continuing code execution on the host environment via the browser process for the rest of the operation -> NVT OSArmor monitoring scope is now in action.

Bear in mind, things like registry operations would indirectly cause reg.exe to spawn, and NVT OSArmor monitors this as well (for example). So even without directly spawning another process, an operation performed by the payload could cause it... and thus lead to being blocked by NVT OSArmor.

Even if the payload is not stopped immediately, better late than never... = less damage in the end.

Don't expect it to behave like other "Anti-Exploit" products; it doesn't patch memory to intercept code execution flow nor scan memory for in-memory signatures... or things like call stack checking. It simply doesn't work like that. However, because of how it works, it'll be very light and won't manipulate 3rd party software, plus it is still useful. And it should be compatible when combined with other AE. That way you can use one AE to cover those areas, and NVT OSArmor to focus on different things, and lock down the configuration a bit more to help cut off the legs of an attacker's payload.

Think of it like an Anti-Executable except it isn't an Anti-Executable but will automatically block process creation depending on the configuration. If the configuration has an enabled rule about bcdedit.exe, the command line will be checked when it is spawned (before the main thread of bcdedit.exe is resumed so it doesn't start any operation yet) and depending on that command line matching the rule in the configuration -> block process creation (as an example).
 

AtlBo

Level 28
Verified
Top Poster
Content Creator
Well-known
Dec 29, 2014
1,716
Think of it like an Anti-Executable except it isn't an Anti-Executable but will automatically block process creation depending on the configuration. If the configuration has an enabled rule about bcdedit.exe, the command line will be checked when it is spawned (before the main thread of bcdedit.exe is resumed so it doesn't start any operation yet) and depending on that command line matching the rule in the configuration -> block process creation (as an example).

Thanks @Opcode. Helps tremendously.

I tend to classify protections based on the scope of their coverage as in this covers script activity or this handles memory issues etc. or just consider X + Y + Z protections all covered when it comes to Comodo Firewall etc. Just trying to cover Umbra's layers. Well, OSArmor seems to cross so many barriers it's crazy. Normally, I would think of UAC bypasses as something MS would automatically patch, which adds to the puzzle for me. Anyway, OSArmor appears to cover so many potential vulnerabilities like these that it's hard for me to classify the program, because I guess I would expect MS to have fixed many of the issues that OSA protects against. Talking about W7 here, and I guess most of them are fixed in W10. Still, I would have expected MS to have fixed them in W7 too since it is still officially supported until 2020.

Could be I am off base about how to classify things like UAC bypasses, or it could be MS has patched most of the holes and others like MMC abuse and so on. I don't know much about MS patches that's for sure. Clearly not much was ever done in W7 about protection against wayward script activity.

If you have an opportunity, I would like to know if it's fair to say that memory exploitation is in its first stages always the result of malware abuse of a vulnerability in a program (i.e. browser etc.). Also, is exploitation always in the form of memory abuse? Thx for the helpful comments.
 

NoVirusThanks

From NoVirusThanks
Verified
Developer
Well-known
Aug 23, 2012
293
Here is a new v1.4 (pre-release) test62:
http://downloads.novirusthanks.org/files/osarmor_setup_1.4_test62.exe

*** Please do not share the download link, we will delete it when we release the official v1.4 ***

So far this is what's new compared to the previous pre-release:

+ Improved Block suspicious command-lines
+ Minor fixes and optimizations
+ Fixed some false positives

To install it, first uninstall the previous build, then reboot (not really needed but may help), and install the new build.

If you find any false positive or issue please let me know.

* The option "Block suspicious command-lines" contains an experimental rule, if you notice a FP let me know *

@l0rdraiden

The FP should be fixed now, thank you for sharing it.

@Opcode

Very useful and informative comments!
 

Syafiq

Level 11
Verified
Top Poster
Well-known
May 8, 2017
536
Date/Time: 05/05/2018 20:12:58
Process: [5988]C:\Windows\System32\rundll32.exe
Process MD5 Hash: 731A783A36A8E69A6434D19D98B12A09
Parent: [3832]C:\Windows\explorer.exe
Rule: BlockCPLApplets
Rule Name: Block execution of .cpl applets outside System folder
Command Line: "C:\Windows\system32\rundll32.exe" shell32.dll,Control_RunDLL PowerCfg.cpl @0,/editplan:381b4222-f694-41f0-9685-ff5bb260df2e
Signer:
Parent Signer: Microsoft Windows
User/Domain: Syafiq/DESKTOP-FFK9MV6
System File: True
Parent System File: True
Integrity Level: Medium
Parent Integrity Level: Medium
@NoVirusThanks
I have enabled the "block execution of cpl applets outside the system folder" option, but when I was opening the advanced power options in the control panel, it displayed an alert. Should I disable that option or exclude it?
 
ForgottenSeer 58943

NVT, I would recommend dropping all XP support.

Those 2 fools running XP over at Wilders and complaining about OSArmor not working properly aren't worth a single second of your development time. They are running systems from 2002 that should be thrown out. They probably take 30 minutes to load Chrome up.

A machine that is 900 times better can be purchased for $99 refurbished at Microcenter. It's time they be told the truth.. LET IT DIE BRO. Do yourself a favor, declare OSArmor as not supporting XP.
 
ForgottenSeer 58943

I don't even know how someone can seriously use Windows XP and even try to act like they know what they're doing with security... It's disgusting.

Forget NVT OSArmor if you're on Windows XP, you need to hire the Pentagon LOL

It drives me insane to see any developer waste 2 seconds on XP. Even worse, XP people seem to bring it up and talk like they are doing something edgy and unique, like Techno-Hipsters that drive around in 1987 Caprice Classics with Man Buns. When in reality they are only making themselves look foolish. One of the guys over there is complaining OSArmor adds latency to his PENTIUM 4 system..

You know what you tell that guy? If he insists on using a Pentium 4, then put a lightweight Linux distro on that box and go away.
 

mekelek

Level 28
Verified
Well-known
Feb 24, 2017
1,661
NVT, I would recommend dropping all XP support.

Those 2 fools running XP over at Wilders and complaining about OSArmor not working properly aren't worth a single second of your development time. They are running systems from 2002 that should be thrown out. They probably take 30 minutes to load Chrome up.

A machine that is 900 times better can be purchased for $99 refurbished at Microcenter. It's time they be told the truth.. LET IT DIE BRO. Do yourself a favor, declare OSArmor as not supporting XP.
They are so blinded that they flat out ignored my comment about hoping the uninstall was done on their system and not OSArmor.
I absolutely agree, wasted time and resources on fixing stuff for Windows f. XP
 

NoVirusThanks

From NoVirusThanks
Verified
Developer
Well-known
Aug 23, 2012
293
Here is a new v1.4 (pre-release) test63:
http://downloads.novirusthanks.org/files/osarmor_setup_1.4_test63.exe

*** Please do not share the download link, we will delete it when we release the official v1.4 ***

So far this is what's new compared to the previous pre-release:

+ Improved OSArmor self defense (basic)
+ Improved Block suspicious command-lines
+ Fixed some false positives

To install it, first uninstall the previous build, then reboot (not really needed but may help), and install the new build.

If you find any false positive or issue please let me know.

@Syafiq

The FP should be fixed now, thanks for sharing it.

Should I disable that option or exclude it?

You should always try to exclude the blocked event (if it is a false positive) instead of completely disabling the entire protection option.

@ForgottenSeer 58943

Yeah, we'll discuss whether to continue XP support ASAP.
 
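The two technical points made above, Opcode's description of how a spawned process's command line is checked against an enabled rule before the process gets to run (the bcdedit.exe example), and NoVirusThanks' advice to exclude the single blocked event rather than disable the whole protection option, can be shown with a small rule engine run over events in the layout of Syafiq's posted log block. This is an added example, not OSArmor's code: the rule logic, the `BlockBcdeditSet` rule id, the two extra events and the exact-command-line exclusion mechanism are constructed for illustration; only `BlockCPLApplets` and the PowerCfg.cpl event come from the thread.

```python
# Added example (not NoVirusThanks' code): a toy rule engine that matches a
# spawned process's command line against rules and honours per-event exclusions.
import re
from dataclasses import dataclass
from typing import Callable, Dict, Iterable, List, Optional

SYSTEM32 = "c:\\windows\\system32\\"
_PROC_RE = re.compile(r"\[(\d+)\](.*)")  # OSArmor logs processes as "[pid]path"

def tokenize(command_line: str) -> List[str]:
    """Split a Windows command line, keeping quoted arguments together."""
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', command_line)]

@dataclass
class Event:
    image: str
    parent_image: str
    command_line: str

def parse_event(block: str) -> Event:
    """Parse one 'Key: Value' event block in the layout OSArmor's log uses."""
    fields: Dict[str, str] = {}
    for line in block.strip().splitlines():
        key, _, value = line.partition(":")
        fields[key.strip()] = value.strip()
    image = _PROC_RE.fullmatch(fields["Process"]).group(2)
    parent = _PROC_RE.fullmatch(fields["Parent"]).group(2)
    return Event(image, parent, fields.get("Command Line", ""))

def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()

def cpl_outside_system_folder(ev: Event) -> bool:
    """Constructed approximation of 'Block execution of .cpl applets outside System folder'."""
    if _basename(ev.image) != "rundll32.exe":
        return False
    for tok in tokenize(ev.command_line):
        if tok.lower().endswith(".cpl"):
            # A bare name such as PowerCfg.cpl is not provably inside System32,
            # which is what makes the logged event above trip this rule.
            return not tok.lower().startswith(SYSTEM32)
    return False

def bcdedit_set(ev: Event) -> bool:
    """Constructed rule for Opcode's example: bcdedit.exe spawned with /set."""
    return _basename(ev.image) == "bcdedit.exe" and "/set" in [
        t.lower() for t in tokenize(ev.command_line)]

@dataclass
class Rule:
    rule_id: str
    matches: Callable[[Event], bool]
    enabled: bool = True

@dataclass
class Verdict:
    action: str                   # "allow" or "block"
    rule_id: Optional[str] = None
    excluded: bool = False        # a rule matched but the event is excluded

class Engine:
    # The product decides at process creation, before the new process's main
    # thread runs; here the same decision is replayed over logged events.
    def __init__(self, rules: List[Rule], exclusions: Iterable[str] = ()):
        self.rules = rules
        self.exclusions = {c.lower() for c in exclusions}

    def evaluate(self, ev: Event) -> Verdict:
        for rule in self.rules:
            if rule.enabled and rule.matches(ev):
                if ev.command_line.lower() in self.exclusions:
                    return Verdict("allow", rule.rule_id, excluded=True)
                return Verdict("block", rule.rule_id)
        return Verdict("allow")

# Syafiq's logged event (reduced to the fields the engine reads) plus two
# constructed events.
POWERCFG = """\
Process: [5988]C:\\Windows\\System32\\rundll32.exe
Parent: [3832]C:\\Windows\\explorer.exe
Command Line: "C:\\Windows\\system32\\rundll32.exe" shell32.dll,Control_RunDLL PowerCfg.cpl @0,/editplan:381b4222-f694-41f0-9685-ff5bb260df2e
"""
OTHER_CPL = """\
Process: [6100]C:\\Windows\\System32\\rundll32.exe
Parent: [3832]C:\\Windows\\explorer.exe
Command Line: "C:\\Windows\\system32\\rundll32.exe" shell32.dll,Control_RunDLL C:\\Users\\Public\\sample.cpl
"""
BCDEDIT = """\
Process: [6200]C:\\Windows\\System32\\bcdedit.exe
Parent: [5000]C:\\Windows\\System32\\cmd.exe
Command Line: bcdedit.exe /set {current} nx AlwaysOn
"""
RULES = [Rule("BlockCPLApplets", cpl_outside_system_folder),
         Rule("BlockBcdeditSet", bcdedit_set)]  # second rule id is constructed

def run_demo() -> Dict[str, str]:
    """Return 'config/event' -> action for three ways of handling the FP."""
    events = {"powercfg": parse_event(POWERCFG), "other_cpl": parse_event(OTHER_CPL),
              "bcdedit": parse_event(BCDEDIT)}
    configs = {
        "plain": Engine(RULES),
        # Exclude only the false-positive command line: the rule keeps working.
        "excluded": Engine(RULES, [events["powercfg"].command_line]),
        # Disable the whole option: the FP is gone, and so is the protection.
        "disabled": Engine([Rule(r.rule_id, r.matches, r.rule_id != "BlockCPLApplets")
                            for r in RULES]),
    }
    return {f"{c}/{e}": eng.evaluate(ev).action
            for c, eng in configs.items() for e, ev in events.items()}
```

Calling `run_demo()` shows the difference the advice makes: with the rule left on and only the PowerCfg.cpl command line excluded, the power-options applet is allowed while the other `.cpl` outside System32 is still blocked; disabling `BlockCPLApplets` silences the false positive but allows both. The exclusion here is an exact, case-insensitive command-line match, a constructed choice that is enough for an event whose arguments do not change.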

Carphedon

Level 1
Mar 2, 2018
11
I am using Perfect Privacy VPN and I have trouble getting the VPN manager to work with OSA (v1.4 (pre-release) test63) without disabling some crucial settings. The VPN manager makes an OpenVPN connection and then executes various scripts to force all programs through the VPN, prevent IP leaks, set DNS etc. Because the IP you get assigned changes most of the time, I cannot exclude these command lines.

I have attached the log file.
 

Attachments

  • VPN Manager Log.txt
    4 KB · Views: 499

NoVirusThanks

From NoVirusThanks
Verified
Developer
Well-known
Aug 23, 2012
293
Here is a new v1.4 (pre-release) test64:
http://downloads.novirusthanks.org/files/osarmor_setup_1.4_test64.exe

*** Please do not share the download link, we will delete it when we release the official v1.4 ***

So far this is what's new compared to the previous pre-release:

+ Improved Block suspicious processes
+ Improved Block execution of PowerShell malformed commands
+ Disabled by default "Block reg.exe from hijacking Registry startup entries"
+ Minor fixes and optimizations
+ Fixed some false positives

To install it, first uninstall the previous build, then reboot (not really needed but may help), and install the new build.

If you find any false positive or issue please let me know.

@Carphedon

Should be fixed now.
 
