Are the notifications popups with allow/block buttons part of any roadmap? for me is the most important feature, at least for personal use, I understand that at enterprises, won't be that useful but I guess it shouldn't be hard to implement (I hope)
NoVirusThanks OSArmor
- Thread starter Evjl's Rain
- Start date
Are the notifications popups with allow/block buttons part of any roadmap? for me is the most important feature, at least for personal use, I understand that at enterprises, won't be that useful but I guess it shouldn't be hard to implement (I hope)
- Jul 3, 2017
- 626
Regard the Custom protection modes scheduled for v1.5, will this replace the ability to use the program just as it is with no config as in v1.4? In other words, would I be able to just install it, and run it as I am doing in v1.4?
- Jun 7, 2018
- 221
@JB007
Rule: BlockProcessesOnSuspiciousFolders
Rule Name: Block processes located in suspicious folders
I think you believe that OSArmor scans files for threats. But that is not the case. It is not a scanner of any sorts.
Because the desktop is not a suspicious folder, but "C:\Users\Robert\RS\AV\GDATA\ " is. That is governed by:
Rule: BlockProcessesOnSuspiciousFolders
Rule Name: Block processes located in suspicious folders
I think you believe that OSArmor scans files for threats. But that is not the case. It is not a scanner of any sorts.
- May 19, 2016
- 1,580
Thanks @Yellowing@JB007
Because the desktop is not a suspicious folder, but "C:\Users\Robert\RS\AV\GDATA\ " is. That is governed by:
Rule: BlockProcessesOnSuspiciousFolders
Rule Name: Block processes located in suspicious folders
I think you believe that OSArmor scans files for threats. But that is not the case. It is not a scanner of any sorts.
- May 18, 2018
- 50
I have a strange issue, when using OSArmor, and even checking in all options the Lockdown section, it blocks nothing. It appears to run (GUI) fine on machine. Its blocking nothing on hmpalert-test.exe either, after disabling other security soft. It is as if its completely placebo, along with anti-exec from NVT. Can anyone help?
- Jun 7, 2018
- 221
I did the same test. It blocks nothing. It's kind of concerning. (Though I had to allow some of it in ReHIPS and NVT ERP.)
But that's probably why they made it: To make you concerned and buy Hitman Pro.
Does anyone know more about all this? Why is it not blocked? Too many false positives?
- Jun 7, 2018
- 221
Oh, thanks!
No, I didn't. This also answers my question: "Too many false positives?", with yes. Out of this list I only have the WordPad as 32bit application. It doesn't block anything. Yes, I choose WordPad in the HMPAlert tester.
Last edited:
- May 26, 2014
- 1,339
Oh, thanks!
Out of this list I only have the WordPad as 32bit application. It doesn't block anything. Yes, I choose WordPad in the HMPAlert tester.
False positives? Could you elaborate, please?
In my tests OS Armor blocked everything ...
Example (Word 2016):
Just tested OSArmor with HMP.Alert exploit tool.
I used Windows Media Player 12 as the 32bits application. I'm no expert but imagine the result could vary depending on the application you choose.
OSArmor blocked everything, except the following.
- DEP
- ROP - wow64 bypass
- NULL page
- SEHOP
- Heap Spray 3
- Load library
- UrlMon (however this one stated that payload couldn't be downloaded. If there's no payload then I assume there's nothing for OSArmor to block)
I used Windows Media Player 12 as the 32bits application. I'm no expert but imagine the result could vary depending on the application you choose.
OSArmor blocked everything, except the following.
- DEP
- ROP - wow64 bypass
- NULL page
- SEHOP
- Heap Spray 3
- Load library
- UrlMon (however this one stated that payload couldn't be downloaded. If there's no payload then I assume there's nothing for OSArmor to block)
- Jun 7, 2018
- 221
Sure. If they implemented the protections for all programs instead of those listed there, it would probably create many false positives. (I think)
I could only test with WordPad.
From what I can see, OSArmor does indeed works. And there's nothing to be concerned about.
- Jun 7, 2018
- 221
The point was to indicate that OSArmor was indeed working, which it was.
>Payload...
What else is it?
It blocks payload not the actual exploit technique. Which is why it didn't react on the UrlMon test. The payload couldn't be downloaded.
This is not anti-exploit, but anti post-exploitation. OSA doesn't block code Injection or modification of the targeted process; it prevent harm that it will do....
Basic Anti-Exploit
Analyze parent processes and child processes blocking exploit payloads.
What else is it?
imagine a process as a human:
1- the exploit is the zombie virus. You get infected , your DNA is modified.
2- the payload is the infected saliva when it bit you.
3- anti-exploit like HMPA is like a biohazard suit (prevent you to be infected by the virus itself)
4- OSA is a vaccine that prevent the saliva to infect you but it doesn't cure you.
now everybody uses the "anti-exploit" term as marketing gimmicks.
- May 19, 2016
- 1,580
- Jun 7, 2018
- 221
Don't understand what you're trying to say (both with this and the actual anti exploit protections), if the saliva doesn't infect you, what is there to cure?
the saliva infected you when bitten, you just don't suffer the effects.
1- exploitation: a process is owned by the exploit (code injection, etc....), can be prevented by anti-exploits mechanisms (HMPA, MBAE, Windows' ExploitGuard)
2- post-exploitation: the attack (exploit) uses the exploited process to do further actions. (like creating a backdoor and call home, downloading additional malwares, etc...), can be prevented by any anti-exe, SRP, HIPS, Behavior Blocker.
The exploited process is still exploited but can't use other processes to do its malicious tasks.
Similar threads
