NoVirusThanks OSArmor

NoVirusThanks

From NoVirusThanks
Verified
Developer
Well-known
Aug 23, 2012
293
A quick update:

We've officially released NoVirusThanks OSArmor v1.6.2:
Download OSArmor for Windows 7, 8, 10 (32 & 64-bit) | OSArmor

Changelog 14 Nov 2021:

+ Added Block installation of Windows Apps via AppInstaller
+ Fixed UTF-8 encoding when loading TrustedVendors.db
+ Fixed UTF-8 encoding on Exclusions Helper
+ Improved detection of some known bad behaviors
+ Fixed all reported false positives
+ Minor improvements

The new protection option "Block installation of Windows Apps via AppInstaller" can be used to mitigate this:

Here is a screenshot of when "ms-appinstaller:" HREF link is clicked:

test.png


The targets of the attack are (for now) companies, so home users may not need to enable that option.

If you find FPs or issues please let me know.

Thanks guys!
 

NoVirusThanks

From NoVirusThanks
Verified
Developer
Well-known
Aug 23, 2012
293
Another quick update:

We've officially released NoVirusThanks OSArmor v1.6.5:

Changelog:

+ Fixed all reported false positives
+ Added new internal rules to block suspicious behaviors
+ Minor improvements

We've added coverage of more LOLbins, and also of the InstallerFileTakeOver PoC:



Looks like the PoC exploits Microsoft Edge's Elevation Service to elevate the payload as SYSTEM (local privilege escalation).

As always, if you find FPs or issues please let me know.

Thanks!
 

plat

Level 29
Top Poster
Sep 13, 2018
1,793
I already box Edge w/dropped Admin. rights but this will add to the protection and any future exploits (not that they're common to begin with for Home users). Exited UI and installed over top. Until next time....(y)

PS: It seems this new rule is under the Main Protections in orange-colored text so it's easy to find and was already enabled when I searched for it.
 

bjm_

Level 15
Verified
Top Poster
Well-known
May 17, 2015
715
PS: It seems this new rule is under the Main Protections in orange-colored text so it's easy to find and was already enabled when I searched for it.
Um, what new rule did you search?
I think ... + Added new internal rules to block suspicious behaviors are "internal rules".
 

Mops21

Level 36
Verified
Honorary Member
Content Creator
Oct 25, 2014
2,503
Hi all

Here is a pre-release test build of OSArmor Personal 1.6.6



Changelog so far:

+ Fixed all reported false positives
+ On OSArmor UI you can view the last applied protection profile
+ Added button Contact Us on OSArmor UI on main menu Help
+ Small improvements on OSArmor UI design
+ Added Block unsigned processes with high privileges on user space
+ Added Block unsigned processes with system privileges on user space
+ Added new internal rules to block suspicious behaviors
+ Updated NVT License Manager with latest version
+ Minor improvements

Regarding this "On OSArmor UI you can view the last applied protection profile" you will have to re-apply the protection profile so it will be saved in the registry and OSArmor UI can correctly show it, else it will show "Basic Protection (Default)".

The protection option "Block unsigned processes with system privileges" can be useful to mitigate InstallerFileTakeOver PoC (or other similar PoCs) since when it overwrites the target file to gain system privileges the payload is unsigned:

Let me know if you find any issues.

With best Regards
Mops21
 

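An added defender-side audit, written for this thread and not OSArmor's own code, that lists the running processes matching the conditions behind the two v1.6.6 rules above ("Block unsigned processes with system privileges on user space" and "Block processes with hidden file (+H) disk attribute"). It assumes "user space" means any path outside the Windows and Program Files directories; OSArmor's exact definition is not given here.

```powershell
# Added example, not OSArmor's code: flag running processes that are unsigned,
# run as NT AUTHORITY\SYSTEM and live outside the Windows / Program Files
# directories ("user space" is my assumption here), or whose image has the
# hidden (+H) attribute. Run from an elevated PowerShell so SYSTEM processes
# can be inspected; protected processes may still be skipped.

$systemDirs = @($env:SystemRoot, $env:ProgramFiles, ${env:ProgramFiles(x86)}) |
    Where-Object { $_ } | ForEach-Object { $_.TrimEnd('\') + '\' }

function Test-UserSpacePath {
    param([string]$Path)
    foreach ($dir in $systemDirs) {
        if ($Path.StartsWith($dir, [System.StringComparison]::OrdinalIgnoreCase)) { return $false }
    }
    return $true
}

$findings = foreach ($proc in Get-CimInstance Win32_Process) {
    $path = $proc.ExecutablePath
    if (-not $path -or -not (Test-Path -LiteralPath $path)) { continue }

    # Token owner; GetOwner fails for some protected processes, so tolerate $null.
    $owner = Invoke-CimMethod -InputObject $proc -MethodName GetOwner -ErrorAction SilentlyContinue
    $isSystem = $owner -and $owner.User -eq 'SYSTEM' -and $owner.Domain -eq 'NT AUTHORITY'

    # Anything other than a valid Authenticode chain counts as unsigned here
    # (NotSigned, HashMismatch, NotTrusted, UnknownError).
    $sig = Get-AuthenticodeSignature -LiteralPath $path
    $unsigned = $sig.Status -ne 'Valid'

    $attrs = (Get-Item -LiteralPath $path -Force).Attributes
    $hidden = ($attrs -band [System.IO.FileAttributes]::Hidden) -ne 0

    $reasons = @()
    if ($unsigned -and $isSystem -and (Test-UserSpacePath $path)) { $reasons += 'unsigned+SYSTEM+userspace' }
    if ($hidden) { $reasons += 'hidden(+H)' }

    if ($reasons.Count -gt 0) {
        [pscustomobject]@{
            PID       = $proc.ProcessId
            Name      = $proc.Name
            Path      = $path
            Owner     = if ($owner) { "$($owner.Domain)\$($owner.User)" } else { 'n/a' }
            Signature = $sig.Status
            Reasons   = $reasons -join ', '
        }
    }
}

$findings | Format-Table -AutoSize
```

On a clean system the table is normally empty; a hit is a candidate for the exclusions or for closer inspection, not proof of compromise, since legitimate unsigned tools do run as SYSTEM.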

bjm_

Level 15
Verified
Top Poster
Well-known
May 17, 2015
715
Here is a new pre-release OSArmor Personal v1.6.6 (test 3):

https://downloads.osarmor.com/osa_v1.6.6_personal_setup_test3.exe
What's new compared to previous test 1 changelog:

+ Added more signers to Trusted Vendors list
+ Added Block unsigned processes modified less than 15 days ago
+ Added Block processes marked as hidden files
 

Gandalf_The_Grey

Level 84
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Apr 24, 2016
7,420
is this software free?
No, License Type: Shareware
 

bjm_

Level 15
Verified
Top Poster
Well-known
May 17, 2015
715
Version 1.6.6 of OSA released.

Code:
+ Fixed all reported false positives
+ On OSArmor UI you can view the last applied protection profile
+ Added button Contact Us on OSArmor UI on main menu Help
+ Small improvements on OSArmor UI design
+ Added more signers to Trusted Vendors list
+ Added Block unsigned processes with high privileges on user space
+ Added Block unsigned processes with system privileges on user space
+ Added Block unsigned processes modified less than 15 days ago
+ Added Block processes with hidden file (+H) disk attribute
+ Added new internal rules to block suspicious behaviors
+ Updated NVT License Manager with latest version
+ Minor improvements
Change log: Changelog History | OSArmor
Download: Download OSArmor for Windows 7, 8, 10 (32 & 64-bit) | OSArmor

Users that installed the pre-release test 1 and test 3 builds should upgrade to the official release.
 

bjm_

Level 15
Verified
Top Poster
Well-known
May 17, 2015
715
We've released OSArmor v1.6.7:
Here is the changelog:

+ Fixed all reported false positives
+ Removed Block unsigned processes modified less than 15 days ago
+ Improved internal rules to block suspicious behaviors
+ Improved detection of processes signed with a malformed certificate
+ Added Block signers known to bundle installers with adware
+ Improved detection of some known bad behaviors
+ Improved the saving of new protection options during an update
+ Improved installer and uninstaller scripts
+ Minor improvements

The option "Block unsigned processes modified less than 15 days ago" was causing too many FPs, thus we have removed it. Better to use the already present option "Block unsigned processes on user space" if needed.

Another important update is that now, when the product is upgraded, it correctly applies new protection rules based on the protection profile.

Change log: Changelog History | OSArmor
Download: Download OSArmor for Windows 7, 8, 10 (32 & 64-bit) | OSArmor
 

NoVirusThanks

From NoVirusThanks
Verified
Developer
Well-known
Aug 23, 2012
293
Here is a small Xmas gift for everyone:

Use coupon code XMAS2021 for 40% OFF on OSArmor Personal:

Valid until 31 December 2021 for OSArmor Personal version | The discount is permanent and applies to all next renewals.

Happy and warm holidays to everyone :)🧑‍🎄
 

bjm_

Level 15
Verified
Top Poster
Well-known
May 17, 2015
715
What does "Block execution of format.com" do? Does it prevent a drive from being formatted, or what?
NoVirusThanks - Support wrote:
Format.com is a system process used to format a disk, more info:
What is format.com?
Some companies requested to add that rule to block its execution.
Hope that helps.
Best regards,
Andreas
~ admitting the "" was ?
png_13254.png
 

Gandalf_The_Grey

Level 84
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Apr 24, 2016
7,420
Here is a pre-release test build for OSArmor Personal v1.6.8:

This is the changelog so far:
+ Fixed all reported false positives
+ Added more signers to Trusted Vendors list
+ Improved internal rules to block suspicious behaviors
+ Improved detection of malformed/obfuscated command-lines
+ Minor improvements

If you find issues or FPs please let me know.
 

Gandalf_The_Grey

Level 84
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Apr 24, 2016
7,420
Here is a pre-release test 2 for OSArmor Personal v1.6.8:

This is the changelog so far:
+ Fixed all reported false positives
+ Added more signers to Trusted Vendors list
+ Added Block execution of any process related to Python
+ Improved internal rules to block suspicious behaviors
+ Improved detection of malformed/obfuscated command-lines
+ Minor improvements

If you find issues or FPs please let me know.

@plat1098

FPs you have reported should be fixed now.
 

NoVirusThanks

From NoVirusThanks
Verified
Developer
Well-known
Aug 23, 2012
293
Here is a pre-release test 5 for OSArmor Personal v1.6.8:

Code:
https://downloads.osarmor.com/osa_v1.6.8_personal_setup_test5.exe

This is what's new compared to the previous test build:

+ Fixed some false positives on Windows Server 2016
+ Added Block any process related to Jernej Simončič (wget & netcat signed)
+ Added Block execution of wget.exe
+ Include process and parent process file size in blocked-process events
+ Improved monitoring of processes with large file size (e.g. 50+ MB)

If you find issues or FPs please let me know.
 
