NoVirusThanks OSArmor

Gandalf_The_Grey

Level 84
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Apr 24, 2016
7,421
Just released OSArmor v1.5.8:

+ Added more signers to Trusted Vendors list
+ Added new internal rules to block suspicious behaviors
+ Fixed all reported false positives
+ Minor improvements

Download:
Download OSArmor for Windows 7, 8, 10 (32 & 64-bit) | OSArmor
 

Gandalf_The_Grey

Level 84
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Apr 24, 2016
7,421
Here is a pre-release version of OSArmor Personal 1.5.9:

This is what's new so far:

+ Added more signers to Trusted Vendors list
+ Added new internal rules to block suspicious behaviors
+ Improved method to show icon in the system tray
+ Added "Enable paranoid process behavioral detection rules"
+ Fixed all reported false positives
+ Minor improvements

We added many new internal rules to block suspicious process behaviors, we improved/optimized current internal rules, and we introduced a new protection option "Enable paranoid process behavioral detection rules" in the "Lockdown & Experimental" rules. This option is designed mainly for companies/businesses/offices, for home users it may generate some FPs. Would be good if you guys can test (enable) this option to see if you get FPs, and how frequently in case.

Let me know if you find any issue with this new test build.

The FP related to AdGuard installation will not be fixed because there are not enough parameters to make a generalized exclusion. Would be awesome if AdGuard installation process would call directly schtasks.exe so that we can get as parent process AdGuard process and not cmd.exe.
 

NoVirusThanks

From NoVirusThanks
Verified
Developer
Well-known
Aug 23, 2012
293
The OSA 1.5.9 test 1 build has issues with Edge, fixed in this new build test 2:

Code:
https://downloads.osarmor.com/osarmor_personal_1.5.9_test2.exe

Let me know if you find issues guys :)

@SFox

We've not yet discussed about it so can't say much at the moment.

@shmu26

Some videos where I test OSArmor can be found here:

 

NoVirusThanks

From NoVirusThanks
Verified
Developer
Well-known
Aug 23, 2012
293
New build test 3 here:

https://downloads.osarmor.com/osarmor_personal_1.5.9_test3.exe

Added new protection option "Prevent unsigned processes in user space from starting system processes" on "Lockdown & Experimental" section, improved internal rules, added new internal rules to block suspicious process behaviors.

Let me know if you find issues or FPs.

Thanks guys :)
 

Gandalf_The_Grey

Level 84
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Apr 24, 2016
7,421
  • Thanks
  • Like
Reactions: JB007 and oldschool

Gandalf_The_Grey

Level 84
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Apr 24, 2016
7,421
New build test 5 can be downloaded here:


@plat1098 @bjm_

The problem related to the message dialog that is displayed also if you don't click the "Save" button in the Configurator is fixed now.

The user still needs to type a custom file name when exporting its settings.

About the loon.wav file, nothing was changed and I can't reproduce the issue here.

I remember you sent me time ago your custom WAV file and here it worked fine (it played when something got blocked).

Will try to dig more but seems a very strange behavior.
 

Gandalf_The_Grey

Level 84
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Apr 24, 2016
7,421
We've released OSArmor v1.5.9:
Prevent Malware & Ransomware Infections on Windows PC | OSArmor

This is the changelog:

[06-Aug-2021] v1.5.9.0

+ Added more signers to Trusted Vendors list
+ Added new internal rules to block suspicious behaviors
+ Added Prevent unsigned processes in user space from starting system processes
+ Improved support for Windows 11 OS
+ Improved method to show icon in the system tray
+ Fixed display of message dialog when settings are exported
+ Fixed all reported false positives
+ Minor improvements

If you find issues or FPs please let me know.

* You can install over-the-top of a previous version (reboot is not needed).
* If you have auto-update option enabled you should get the update automatically.

Thanks guys!
 

NoVirusThanks

From NoVirusThanks
Verified
Developer
Well-known
Aug 23, 2012
293
Just uploaded a new video testing the .RTF "version" of CVE-2021-40444 triggered via "Preview pane":

Testing OSArmor with "Preview Pane" .RTF CVE-2021-40444



In this video we test OSArmor with recent CVE-2021-40444 (MS Office Exploit) RTF "version" that is automatically executed via Windows "Preview pane" option used to preview the file content. As you can see, OSArmor blocked the exploit infection chain and prevented the execution of the payload (calc), thus keeping the system safe.

At the end of the video, we disable OSArmor protection to show you what would have happened: once we click one time on the .rtf document, Windows generates the preview of the file content (spawning an hidden window of Microsoft Word) and the exploit payload (calc) is automatically and silently executed in the system.
 

Gandalf_The_Grey

Level 84
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Apr 24, 2016
7,421
Here is a pre-release test build of OSArmor Personal 1.6.0:


Changelog so far:

+ Added more signers to Trusted Vendors list
+ Added new internal rules to block suspicious behaviors
+ Fixed all reported false positives
+ Minor improvements
Let me know if you find any issues guys =)

Thanks!
 

Gandalf_The_Grey

Level 84
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Apr 24, 2016
7,421
We've released OSArmor v1.6:
Prevent Malware & Ransomware Infections on Windows PC | OSArmor

This is the changelog:

[14-Sep-2021] v1.6.0.0

+ Improved installer scripts
+ Added more signers to Trusted Vendors list
+ Added option Merge with Default List on Trusted Vendors tab
+ Added option Merge TrustedVendors.db with updated list when product is upgraded
+ Improved option Block signers not present in Trusted Vendors
+ Added new internal rules to block suspicious behaviors
+ Fixed all reported false positives
+ Minor improvements
If you find issues or FPs please let me know.

* You may need to add Novirusthanks Company S.R.L. in the list of Trusted Vendors before updating.
* You can install over-the-top of a previous version (reboot is not needed).
* If you have auto-update option enabled you should get the update automatically.

Here you can find a new short video:

Testing OSArmor with "Hidusi" CVE-2021-40444


Just testing OSA with the CVE-2021-40444 "in-the-wild" sample that was hosted in the "hidusi" malicious website.

 

Gandalf_The_Grey

Level 84
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Apr 24, 2016
7,421
Since GlobalSign has changed our company name in the code sign cert, there is this issue with auto-update from v1.5.9 to v1.6. We're going to get this solved with GlobalSign, should take some days. Once done, we'll will release v1.6.1 that will re-allow auto-update from v1.5.9. Sorry guys, the issue doesn't depend on us, anyway should be fixed within days. A quick workaround is as done by @Buddel, download OSA v1.6 from its official website and install over-the-top of v1.5.9.
 

Gandalf_The_Grey

Level 84
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Apr 24, 2016
7,421
Here is a pre-release test build of OSArmor Personal 1.6.1:


Changelog so far:
+ Added more signers to Trusted Vendors list
+ Updated OpenSSL DLLs (libeay32.dll and ssleay32.dll)
+ Added support for TLSv1.2 on download functions
+ Added new internal rules to block suspicious behaviors
+ Enabled by default "Automatically download and install product updates"
+ Updated NVT License Manager with latest version
+ Application is no longer signed with SHA1 code signing certificate
+ Fixed all reported false positives
+ Minor improvements
We will no longer sign our apps with SHA1 code signing certificate.

If you use an old version of Windows OS, we recommend to read the following pages:
https://www.sevenforums.com/news/42...gning-support-update-windows-7-sept-10-a.html
SHA2 and Windows

Let me know if you find any issues.

Thanks guys!
 

Gandalf_The_Grey

Level 84
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Apr 24, 2016
7,421
Some interesting remarks about PrivaZer and OSA on Wilders:
Running PrivaZer 4.0.34 results in a constant barrage of pop ups. Hopefully they can be whitelisted internally without having to whitelist each alert. Otherwise I shall consider uninstalling OSA as I find it becoming far to annoying of late anyway.

If and or when PrivaZer finishes on my laptop I shall attached the log just from today.
Woops! I uninstalled OSA including logs. I guess either someone else will have to upload the logs after running PrivaZer, or @novirusthanks might have to run it himself.
I tried PrivaZer and I got the following notifications from OSA with Extreme Protection profile set:
Date/Time: 11/12/2021 2:24:04 AM
Process: [5248]C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Process MD5 Hash: 0689841A69F138E76C7639C15C77B527
Parent: [6412]C:\Windows\System32\cmd.exe
Rule: BlockPowerShellExecution
Rule Name: Block execution of Windows PowerShell
Command Line: powershell "wevtutil el | foreach { wevtutil cl $_ }"
Signer: <NULL>
Parent Signer: <NULL>
System File: True
Parent System File: True
Integrity Level: High
Parent Integrity Level: High
The above command uses powershell.exe and wevtutil to clean Windows events logs. However, also ransomware use this technique to remove their traces:

"In the Clop ransomware sample that was used in the Software AG case, there is something that if remember right, wasn't before: it uses wevtutil.exe to clear event logs..."


"To remove its(or its component’s) execution traces from the infected system, KillDisk uses the Windows event utility (wevtutil)"
https://www.mcafee.com/blogs/other-...zing-killdisk-ransomware-part-1-whitelisting/

"The adversary used PsExec to invoke the "wevtutil.exe" utility. This utility cleared the contents of local security event logs on systems."
WastedLocker Goes "Big-Game Hunting" in 2020

Would be better in my personal opinion if PrivaZer could use Windows APIs to do the job:
Windows Event Log Functions - Win32 apps
Event Logging Functions - Win32 apps
Date/Time: 11/12/2021 2:23:47 AM
Process: [4300]C:\Windows\System32\cacls.exe
Process MD5 Hash: AF3BC8CFE8C9AFE83781356CA9DD32AC
Parent: [7128]C:\Windows\System32\cmd.exe
Rule: BlockCaclsIcaclsExecution
Rule Name: Block execution of cacls\icacls\xcacls.exe
Command Line: cacls "C:\System Volume Information\Chkdsk" /E /G Dev:F
Signer: <NULL>
Parent Signer: <NULL>
System File: True
Parent System File: True
Integrity Level: High
Parent Integrity Level: High
The above command uses system process cacls.exe to gain access to "System Volume Information", but unfortunately this technique is also used by malware.

cacls.exe and xcacls.exe are other system processes commonly abused by malware and ransomware.
Date/Time: 11/12/2021 2:23:24 AM
Process: [796]C:\Windows\SysWOW64\taskkill.exe
Process MD5 Hash: A5189BE7FF73B8D69F20B7CC031F9990
Parent: [1440]C:\Windows\SysWOW64\cmd.exe
Rule: BlockTaskkillExecution
Rule Name: Block execution of taskkill.exe
Command Line: C:\Windows\\System32\TASKKILL.exe /F /IM SCserver.exe
Signer: <NULL>
Parent Signer: <NULL>
System File: True
Parent System File: True
Integrity Level: High
Parent Integrity Level: High
The above command uses system process taskkill.exe to kill/terminate scserver.exe process. Malware also use taskkill.exe to kill Antivirus processes and other processes like MSSQL server, etc.

The same can be done via Windows APIs, that would be better in my personal opinion since taskkill.exe is yet another system process abused by malware.

From my personal point of view, the execution of system processes should be drastically limited (if possible of course) since malware and ransowmare are known to abuse them heavily (see certutil.exe, powershell.exe, etc). Many companies tend to block/restrict the execution of many system processes to block infection chains of malware/ransomware/exploits. This is unfortunate, because yes we have system processes that can help do amazing things and automate things easily via command-line, but at the same time this is true also for malware, ransomware, etc.

A possible workaround for PrivaZer (and any other program) would be to directly execute the specific system processes so we know PrivaZer.exe is the parent process, example:

Instead of using cmd.exe -> taskkill.exe, it could be like PrivaZer.exe -> taskkill.exe, same is for cmd.exe -> cacls.exe that can be PrivaZer.exe -> cacls.exe

Regarding wevtutil.exe, it can be done in the same way with PrivaZer.exe as parent process and that covers all system events logs sections:

PrivaZer.exe -> wevtutil.exe clear-log application
PrivaZer.exe -> wevtutil.exe clear-log security
PrivaZer.exe -> wevtutil.exe clear-log setup
PrivaZer.exe -> wevtutil.exe clear-log system

In the above cases we can better write safe whitelist/exclusion rules by matching parent process PrivaZer.exe and parent signer Goversoft LLC.

@The_PrivaZer_Team can you have a look at this?
A possible workaround for PrivaZer (and any other program) would be to directly execute the specific system processes so we know PrivaZer.exe is the parent process, example:

Instead of using cmd.exe -> taskkill.exe, it could be like PrivaZer.exe -> taskkill.exe, same is for cmd.exe -> cacls.exe that can be PrivaZer.exe -> cacls.exe

Regarding wevtutil.exe, it can be done in the same way with PrivaZer.exe as parent process and that covers all system events logs sections:

PrivaZer.exe -> wevtutil.exe clear-log application
PrivaZer.exe -> wevtutil.exe clear-log security
PrivaZer.exe -> wevtutil.exe clear-log setup
PrivaZer.exe -> wevtutil.exe clear-log system

In the above cases we can better write safe whitelist/exclusion rules by matching parent process PrivaZer.exe and parent signer Goversoft LLC.
 

Gandalf_The_Grey

Level 84
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Apr 24, 2016
7,421
Hi NVT,

Oh, I see. I only had OSA Medium Protection enabled but your post explains the issue pretty well that even I get the gist. I'm one of the slower members of class.
:(
:(

As this is way above my pay grade, if it's OK with you I will invite @The_PrivaZer_Team to visit this thread, and your post, with hopes that a suitable alternative method can be found.

I sincerely appreciate your time investigating this issue.
:thumb:
(y)

Thank you!
 

Gandalf_The_Grey

Level 84
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Apr 24, 2016
7,421

plat

Level 29
Top Poster
Sep 13, 2018
1,793
A new non-test build has been released. v.1.6.1


Main changes explained in the link. Exited out of test build, then installed over the top. So far, so good. (y)
 

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

User Menu

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top