NoVirusThanks OSArmor

l0rdraiden

Level 3
Verified
Jul 28, 2017
117
We've released the official OSArmor v1.4 (final) version:

* Make sure to first uninstall v1.3 and then install the new version




You can download it from our website:
Prevent Malware and Ransomware with OSArmor | NoVirusThanks

We'll start to work on v1.5 from middle of July * See below for important features in the todo list *




Thanks everyone for the help, suggestions and testing!

If you find any FP or issue please share them here.

Are the notifications popups with allow/block buttons part of any roadmap? for me is the most important feature, at least for personal use, I understand that at enterprises, won't be that useful but I guess it shouldn't be hard to implement (I hope)
 
  • Like
Reactions: vtqhtr413 and JB007

SearchLight

Level 13
Verified
Top Poster
Well-known
Jul 3, 2017
626
We've released the official OSArmor v1.4 (final) version:

* Make sure to first uninstall v1.3 and then install the new version




You can download it from our website:
Prevent Malware and Ransomware with OSArmor | NoVirusThanks

We'll start to work on v1.5 from middle of July * See below for important features in the todo list *




Thanks everyone for the help, suggestions and testing!

If you find any FP or issue please share them here.

Regard the Custom protection modes scheduled for v1.5, will this replace the ability to use the program just as it is with no config as in v1.4? In other words, would I be able to just install it, and run it as I am doing in v1.4?
 

Yellowing

Level 5
Verified
Jun 7, 2018
221
@JB007
I do not understand why OSA did not react when the exe is on the desktop ?
Because the desktop is not a suspicious folder, but "C:\Users\Robert\RS\AV\GDATA\ " is. That is governed by:
Rule: BlockProcessesOnSuspiciousFolders
Rule Name: Block processes located in suspicious folders


I think you believe that OSArmor scans files for threats. But that is not the case. It is not a scanner of any sorts. :geek:
 

JB007

Level 26
Verified
Top Poster
Well-known
May 19, 2016
1,581
@JB007
Because the desktop is not a suspicious folder, but "C:\Users\Robert\RS\AV\GDATA\ " is. That is governed by:
Rule: BlockProcessesOnSuspiciousFolders
Rule Name: Block processes located in suspicious folders


I think you believe that OSArmor scans files for threats. But that is not the case. It is not a scanner of any sorts. :geek:
Thanks @Yellowing :)
 

Michyon

Level 2
Verified
May 18, 2018
50
I have a strange issue, when using OSArmor, and even checking in all options the Lockdown section, it blocks nothing. It appears to run (GUI) fine on machine. Its blocking nothing on hmpalert-test.exe either, after disabling other security soft. It is as if its completely placebo, along with anti-exec from NVT. Can anyone help?
 
  • Like
Reactions: oldschool and JB007

Yellowing

Level 5
Verified
Jun 7, 2018
221
I have a strange issue, when using OSArmor, and even checking in all options the Lockdown section, it blocks nothing. It appears to run (GUI) fine on machine. Its blocking nothing on hmpalert-test.exe either, after disabling other security soft. It is as if its completely placebo, along with anti-exec from NVT. Can anyone help?
I did the same test. It blocks nothing. It's kind of concerning. (Though I had to allow some of it in ReHIPS and NVT ERP.)
But that's probably why they made it: To make you concerned and buy Hitman Pro.

Does anyone know more about all this? Why is it not blocked? Too many false positives?
 

Nightwalker

Level 24
Verified
Honorary Member
Top Poster
Content Creator
Well-known
May 26, 2014
1,339
Oh, thanks! :D No, I didn't. :oops: This also answers my question: "Too many false positives?", with yes. :LOL:

Out of this list I only have the WordPad as 32bit application. It doesn't block anything. Yes, I choose WordPad in the HMPAlert tester.

False positives? Could you elaborate, please?

In my tests OS Armor blocked everything ...


Example (Word 2016):

word.JPG
 

Azure

Level 28
Verified
Top Poster
Content Creator
Oct 23, 2014
1,714
Just tested OSArmor with HMP.Alert exploit tool.

I used Windows Media Player 12 as the 32bits application. I'm no expert but imagine the result could vary depending on the application you choose.

OSArmor blocked everything, except the following.

- DEP
- ROP - wow64 bypass
- NULL page
- SEHOP
- Heap Spray 3
- Load library

- UrlMon (however this one stated that payload couldn't be downloaded. If there's no payload then I assume there's nothing for OSArmor to block)
 

Azure

Level 28
Verified
Top Poster
Content Creator
Oct 23, 2014
1,714
of course , OSA isn't an anti-exploit.
The point was to indicate that OSArmor was indeed working, which it was.

...
What else is it? :)
>Payload

It blocks payload not the actual exploit technique. Which is why it didn't react on the UrlMon test. The payload couldn't be downloaded.
 
D

Deleted member 178

...
Basic Anti-Exploit
Analyze parent processes and child processes blocking exploit payloads.
What else is it? :)
This is not anti-exploit, but anti post-exploitation. OSA doesn't block code Injection or modification of the targeted process; it prevent harm that it will do.

imagine a process as a human:
1- the exploit is the zombie virus. You get infected , your DNA is modified.
2- the payload is the infected saliva when it bit you.
3- anti-exploit like HMPA is like a biohazard suit (prevent you to be infected by the virus itself)
4- OSA is a vaccine that prevent the saliva to infect you but it doesn't cure you.

now everybody uses the "anti-exploit" term as marketing gimmicks.
 

JB007

Level 26
Verified
Top Poster
Well-known
May 19, 2016
1,581
This is not anti-exploit, but anti post-exploitation. OSA doesn't block code Injection or modification of the targeted process; it prevent harm that it will do.

imagine a process as a human:
1- the exploit is the zombie virus. You get infected , your DNA is modified.
2- the payload is the infected saliva when it bit you.
3- anti-exploit like HMPA is like a biohazard suit (prevent you to be infected by the virus itself)
4- OSA is a vaccine that prevent the saliva to infect you but it doesn't cure you.

now everybody uses the "anti-exploit" term as marketing gimmicks.
Bonjour Umbra;)
Thanks+++, your explanations are very helpful for beginers like me(y)
 
D

Deleted member 178

Don't understand what you're trying to say (both with this and the actual anti exploit protections), if the saliva doesn't infect you, what is there to cure?
the saliva infected you when bitten, you just don't suffer the effects.

1- exploitation: a process is owned by the exploit (code injection, etc....), can be prevented by anti-exploits mechanisms (HMPA, MBAE, Windows' ExploitGuard)
2- post-exploitation: the attack (exploit) uses the exploited process to do further actions. (like creating a backdoor and call home, downloading additional malwares, etc...), can be prevented by any anti-exe, SRP, HIPS, Behavior Blocker.
The exploited process is still exploited but can't use other processes to do its malicious tasks.
 

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

User Menu

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top