NoVirusThanks OSArmor

Gandalf_The_Grey

Level 76
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Apr 24, 2016
6,644
New pre-release (not yet final) of OSA released: v1.5.3 Personal.
// Everyone

Here is a pre-release (not yet final) of OSA v1.5.3 Personal:
https://downloads.osarmor.com/personal_1.5.3_test1.exe

Basically, this is what has changed:

+ Improved management of protections rules in OSArmor Configurator
+ Added option to export/import protections rules, settings, all
+ Use exported .ini files with "Automatically update OSArmor settings from a URL"
+ Improved method to auto-update OSArmor settings from a URL
+ Added option to reset protections rules, settings, all
+ Added option to select protections profile
+ Added option to easily search protections rules
+ Added option to check/uncheck all protections rules
+ Added option to select protections rules group via a drop-down box
+ Updated NVT License Manager with latest version
+ Do not recreate Desktop icon after product has been upgraded
+ Fixed session ID issue involving Remote Desktop Protocol (RDP)
+ Added Block any process executed from web browsers
+ Added Block processes located on C:\Windows\Microsoft.NET\Framework\*
+ Added Block execution of Resource File To COFF (cvtres.exe)
+ Fixed all reported false positives
+ Minor improvements
Additionally, we joined some rules together: all the LOLBins rules, anti-exploit rules, and other anti-system modifications rules have been merged...
Beware that it's pre-release and there could be some problems!
See the posts on Wilders after this announcement.
 

Gandalf_The_Grey

New pre-release version:
Just a quick update, here is a pre-release test2 (not yet final) of OSA v1.5.3 Personal:
https://downloads.osarmor.com/personal_1.5.3_test2.exe

It is important that you install this new build over-the-top and that you have an active Internet connection.

Mainly fixed all reported issues and FPs, plus small improvements (such as, auto-update will only update if latest OSA version is higher than current version, etc).

So now there is no need to "disable auto-update to new version".
 

Ink

Administrator
Verified
Staff Member
Well-known
Jan 8, 2011
22,361
If you have other suggestions or issues please let me know.
Will there be a free tier with limitations?

EXAMPLE (NOT OFFICIAL).
1610366196035.png

(Image has been manipulated)
 

Gandalf_The_Grey

We've released OSArmor v1.5.3, here is the changelog:

[14-Jan-2020] v1.5.3.0

+ Improved management of protections rules in OSArmor Configurator
+ Added option to export/import protections rules, settings, all
+ Use exported .ini files with "Automatically update OSArmor settings from a URL"
+ Improved method to auto-update OSArmor settings from a URL
+ Added option to reset protections rules, settings, all
+ Added option to select protections profile (right-click on Configurator->Protections tab)
+ Added option to easily search protections rules
+ Added option to check/uncheck all protections rules
+ Added option to select protections rules group via a drop-down box
+ Previously exported settings (OSArmor.rules) will not work on this version
+ Updated NVT License Manager with latest version
+ Do not recreate Desktop icon after product has been upgraded
+ Fixed session ID issue involving Remote Desktop Protocol (RDP)
+ Added Block any process executed from web browsers
+ Added Block execution of popular web browsers
+ Added Block processes located on C:\Windows\Microsoft.NET\Framework\*
+ Added Block execution of Resource File To COFF (cvtres.exe)
+ Merged many protections rules into single category-specific rules
+ Protections rules on Configurator have been reduced (merged) from 300 to 185
+ Improved automatic product update procedure
+ By default the setup creates a Desktop icon for all users on new installations
+ The desktop icon is not re-created in case it has been previously removed
+ Added /NODESKTOPICON parameter to use with setup.exe command-line
+ Various improvements in the installer script
+ Added new internal rules to block suspicious behaviors
+ Fixed all reported false positives
+ Minor improvements

IMPORTANT:

* An active Internet connection is required when installing this version
* This version will automatically apply basic protections rules after it is installed
* You may need to enable your custom protections rules (checkboxes) again on Configurator
* Now it is easier to manage protections rules via Configurator
 

Gandalf_The_Grey

Just a quick update, released OSArmor v1.5.4.0:
Download OSArmor for Windows 7, 8, 10 (32 & 64-bit) | OSArmor

[18-Jan-2020] v1.5.4.0

+ Added new internal rules to block suspicious behaviors
+ Fixed all reported false positives
+ Minor improvements

Blocks, for example, finger.exe (a new LOLBin), and much more.
 

Gandalf_The_Grey

Here is a pre-release (not final) version of OSArmor v1.5.5:
https://downloads.osarmor.com/osa-1.5.5-test1.exe

The changelog so far is this:

+ Improved handling of licensing errors
+ The service is not terminated in case of licensing errors
+ Improved analysis of digitally signed processes
+ Improved detection of revoked certificates (network check)
+ Added Block processes signed with a revoked certificate
+ Added Block processes signed with a invalid certificate
+ Added Block processes signed with a expired certificate
+ Import a custom .ini settings file via setup.exe /IMPORTSETTINGS=
+ Added new internal rules to block suspicious behaviors
+ Fixed all reported false positives
+ Minor improvements

We're working on adding Trusted Vendors.

If you find issues or false positives please let me know.
 

Gandalf_The_Grey

Here is a new pre-release (not final) version of OSArmor Personal 1.5.5 test2:
https://downloads.osarmor.com/osa-1.5.5-test2.exe

We've completed Trusted Vendors, here are a few screenshots:
osa-new1.png
You can see a new option "Block signers not present in Trusted Vendors".

This option should help in blocking unknown vendors, and thus also malware signed by unknown vendors with a not-yet-revoked certificate, that generally targets companies or employees. By default the file TrustedVendors.db contains a list of 200 popular and well-known vendors. If you are extremely paranoid you can empty the file; then, in Configurator -> Trusted Vendors, there is a button "Scan System" that you can use to scan your system for signers, which will be auto-added to Trusted Vendors.

Will make a video later where I'll test various signed malware with these new protection rules.
 

Gandalf_The_Grey

Here is a new video where I test new OSArmor protection features with a few signed malware samples:


As you can see, thanks to the rule "Block signers not present in Trusted Vendors" the recent malware samples signed with a valid certificate are blocked.

Personally I find this feature definitely useful since you can control what are your Trusted Vendors and block the rest.

Stealing a certificate is not that easy anymore (thanks to USB tokens / eSafeNet, etc) so should be very rare nowadays and hopefully in future even harder.

Blocking revoked and invalid certificates are also very useful options to block threats, as can be seen in the video.

We'll add a button "Reset Trusted Vendors" to the defaults to restore original vendors list.

 

Gandalf_The_Grey

Here is a new pre-release (not final) version of OSArmor Personal 1.5.5 test3:
https://downloads.osarmor.com/osa-1.5.5-test3.exe

Mainly added button to reset Trusted Vendors to default, fixed a small issue when an unsigned process was blocked due to "Block signers not present in Trusted Vendors", you can now exclude events blocked with the "Block signers not present in Trusted Vendors" rule, fixed typos in Configurator, other small improvements.
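
The signer rules discussed in the 1.5.5 posts above (revoked, invalid and expired certificates, plus "Block signers not present in Trusted Vendors"), modelled as an added example that is not NoVirusThanks code and not part of the original posts. The list format, rule order, state names and all vendor names and paths are assumptions made for illustration; certificate states are passed in rather than verified.

```python
from dataclasses import dataclass
from typing import Iterable, Optional, Set

# Certificate states are supplied by the caller in this sketch; real values
# would come from the platform's Authenticode verification.
VALID, REVOKED, INVALID, EXPIRED = "valid", "revoked", "invalid", "expired"

@dataclass(frozen=True)
class SignedFile:
    path: str
    signer: Optional[str]       # None: file carries no signature
    cert_state: Optional[str]   # None when unsigned

def normalize(signer: str) -> str:
    """Fold case and collapse whitespace so trivial variants compare equal."""
    return " ".join(signer.split()).casefold()

def load_trusted(text: str) -> Set[str]:
    """Assumed list format (not the product's): one signer per line, '#' comments."""
    names = (line.split("#", 1)[0].strip() for line in text.splitlines())
    return {normalize(n) for n in names if n}

def evaluate(f: SignedFile, trusted: Set[str]) -> str:
    """Return 'allow' or the name of the first signer rule that blocks the file."""
    if f.signer is None:
        # Signer rules do not apply to unsigned files (assumed intent of the
        # test3 fix mentioned above); other rules have to cover them.
        return "allow"
    for state in (REVOKED, INVALID, EXPIRED):
        if f.cert_state == state:
            return f"block:{state}-certificate"
    if normalize(f.signer) not in trusted:
        return "block:signer-not-trusted"
    return "allow"

def scan_system(files: Iterable[SignedFile], trusted: Set[str]) -> Set[str]:
    """Model of a 'Scan System' pass: learn signers only from valid signatures."""
    found = {normalize(f.signer) for f in files
             if f.signer is not None and f.cert_state == VALID}
    return trusted | found

# Constructed sample data; vendor names and paths are made up.
TRUSTED = load_trusted("Example Software Ltd\n# comment\nContoso  Tools Inc\n")
SAMPLES = [
    SignedFile(r"C:\Apps\editor.exe", "example software ltd", VALID),
    SignedFile(r"C:\Temp\invoice.exe", "Unknown Widgets LLC", VALID),
    SignedFile(r"C:\Temp\old.exe", "Example Software Ltd", REVOKED),
    SignedFile(r"C:\Tools\script-host.exe", None, None),
]
```

`scan_system` adds every validly signed signer it sees, so a list built by scanning is only as clean as the system it was scanned on.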
 

NoVirusThanks

From NoVirusThanks
Verified
Developer
Well-known
Aug 23, 2012
292
We've released a new version of OSArmor v1.5.5:
Download OSArmor for Windows 7, 8, 10 (32 & 64-bit) | OSArmor

Final changelog:

[02-Feb-2021] v1.5.5.0

+ Improved handling of licensing errors
+ The service is not terminated in case of licensing errors
+ Improved analysis of digitally signed processes
+ Improved detection of revoked certificates (network check)
+ Added tab "Trusted Vendors" in Configurator
+ Added button to scan system for vendors (signers)
+ Added button to open TrustedVendors.db file
+ Added button to reset Trusted Vendors to default list
+ Added Block signers not present in Trusted Vendors
+ Added Block processes signed with a revoked certificate
+ Added Block processes signed with an invalid certificate
+ Added Block processes signed with an expired certificate
+ Import a custom .ini settings file via setup.exe /IMPORTSETTINGS=
+ Added new internal rules to block suspicious behaviors
+ Improved installer and uninstaller scripts
+ Fixed all reported false positives
+ Minor improvements

User notice:

* You can install over-the-top
* If you installed test builds you should update to this final version
 

blackice

Level 39
Verified
Top Poster
Well-known
Apr 1, 2019
2,822
After the latest update I can't open the GUI. When I try it just takes me to the license manager. The OSA icon is also no longer in the system tray.
 

blackice

@blackice

What is the message in the textarea of the license manager?
It just has the license key with the button to deactivate.

I ended up deactivating it through the web portal and then uninstalling, rebooting and reinstalling and reactivating and still when I click the GUI shortcut it opens the license manager. I was hoping reinstalling would work, but it seems to be persisting.

I did change out my processor, but I had already deactivated and reactivated for that when it alerted me to noticing the change. It still blocks things, but the alerts don’t show and still no system tray icon.
 

Gandalf_The_Grey

We've released a new version of OSArmor v1.5.6:
Download OSArmor for Windows 7, 8, 10 (32 & 64-bit) | OSArmor

Changelog:
+ Added more signers to Trusted Vendors list
+ Added new internal rules to block suspicious behaviors
+ Alert window is auto-closed when button Exclude is clicked
+ Fixed removal of a registry value related to licensing
+ Fixed DPI-scaling issue on Configurator
+ Fixed all reported false positives
+ Minor improvements

User notice:
* You can install over-the-top
 

SomeRandomCat

Level 3
Well-known
Dec 23, 2020
124
Been playing around with OSArmor. Interesting software. Gotta say I'm not a fan of the need to manually enter data for exclusions, it would be nice if I could just right-click on some sort of blocked process log and create excepts with a couple clicks. I wouldn't think that would be hard to implement, and don't see a benefit in copy/pasting line by line.
 
