NoVirusThanks OSArmor

Gandalf_The_Grey

We've released OSArmor v1.7.7:

Here is the changelog:

[23-Jul-2022] v1.7.7.0

+ Merged some user-selectable protection options
+ Improved internal rules to block suspicious behaviors
+ Removed Block execution of popular web browsers
+ Improved detection of invalid signatures on signed processes
+ Minor improvements
If you have automatic updates enabled then OSArmor should auto-update in the next few hours.

Otherwise you can install it "over-the-top" of the installed version; a reboot is not needed.

If you find false positives or issues please let me know.

NoVirusThanks

From NoVirusThanks
@Back3

There is no official documentation on the differences between the 4 protection profiles, however here is some information:

Basic Protection (Default): we tried to balance false positives and protection; it blocks almost all malware delivery methods (e.g. it protects MS Office apps, it blocks scripts like JS/JSE/VBE/VBS/HTA/etc., it blocks encoded/malformed PowerShell commands, and much more). It provides great protection for home users by blocking malware delivery methods and by blocking the malware delivery during the first stages, and has very low false positives.

Then from Medium Protection to Extreme Protection we gradually enable specific protection options that may also gradually generate more false positives.

The Extreme Protection is the best protection you can get from OSArmor and enables almost all protection options. It is mostly used by companies/businesses and it greatly restricts the use of commonly abused system processes like powershell/cmd/regsvr32/rundll32/schtasks/etc.

Depending on how you use the PC, you can also try Extreme Protection at home: if you use the PC for common tasks such as browsing websites, opening/editing/creating documents, printing documents, playing games, watching videos, listening to music and similar, then you should be fine.

Generally, Extreme Protection requires that:

[1] all the applications you use are digitally signed
[2] the vendors that signed these applications are present in Trusted Vendors (you can add them if they are missing)
[3] these applications do not execute unsigned processes in user space
[4] neither these applications nor you execute commonly abused system processes (powershell/cmd/regsvr32/etc.)
[5] you do not install/uninstall new applications frequently

A useful tip when trying one of the other protection profiles is to also enable Passive Logging (right-click on the OSArmor tray icon) for one week. This way, when something gets blocked, OSArmor will only log the event to the .log file without blocking the process. This is useful because during these 7 days you can see what has been blocked and why by checking the .log file. Then you can write custom exclusion rules for the blocked processes, and after the one week of testing you can disable Passive Logging.

Recently we uploaded this video where we tested OSArmor with recent malware samples:



You can see that we used Basic Protection profile with the following 4 additional protection options enabled:

Block signers not present in Trusted Vendors
Block processes signed with an expired certificate
Block unsigned processes on user space
Block execution of unsigned MSI installers (this one is enabled by default on the Basic Protection profile from OSArmor v1.7.7)

And OSArmor blocked all malware payloads.

Hope that helps.
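As an added example (not OSArmor's own tooling, and not part of the post above): a PowerShell audit of the signatures of every running executable, which is the preparation points [1] to [3] call for before switching to Extreme Protection. The `$TrustedVendors` list is a placeholder you fill in with the signer names you would add under Trusted Vendors; the four findings mirror the Digital Code Signature options discussed in this thread (unsigned, invalid signature, expired certificate, signer not in Trusted Vendors).

```powershell
# Added example, not OSArmor's own code: list the code-signing state of every
# running executable so the Trusted Vendors list can be completed, and unsigned
# or expired binaries found, before enabling Extreme Protection.
# $TrustedVendors is a placeholder; replace it with the vendors you trust.
$TrustedVendors = @('Microsoft Windows', 'Microsoft Corporation')
$now = Get-Date

# Unique executable paths of running processes. Path is empty for protected
# system processes we are not allowed to query; those are skipped.
$paths = Get-Process -ErrorAction SilentlyContinue |
    Where-Object { $_.Path } |
    Select-Object -ExpandProperty Path -Unique

$report = foreach ($p in $paths) {
    $sig  = Get-AuthenticodeSignature -FilePath $p -ErrorAction SilentlyContinue
    $cert = $sig.SignerCertificate

    # Simple name (CN) of the signer: this is the vendor name as shown in the UI.
    $signer = if ($cert) {
        $cert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName, $false)
    } else { $null }

    # Rough equivalents of the Digital Code Signature options, most severe first.
    $finding = switch ($true) {
        { $null -eq $sig -or $sig.Status -eq 'NotSigned' } { 'Unsigned'; break }
        { $sig.Status -ne 'Valid' }                        { "Invalid signature ($($sig.Status))"; break }
        { $cert.NotAfter -lt $now }                        { 'Signed with an expired certificate'; break }
        { $TrustedVendors -notcontains $signer }           { 'Signer not in Trusted Vendors'; break }
        default                                            { 'OK' }
    }

    [pscustomobject]@{
        Path    = $p
        Signer  = $signer
        Status  = if ($sig) { $sig.Status } else { 'Unknown' }
        Finding = $finding
    }
}

# Everything that is not OK is a process Extreme Protection would likely block,
# or one whose vendor still has to be added to Trusted Vendors.
$report | Where-Object { $_.Finding -ne 'OK' } | Sort-Object Finding, Path | Format-Table -AutoSize
```

Run it from an elevated PowerShell session so that service executables are included. A binary signed with a certificate that has since expired, but carrying a trusted timestamp, still verifies as Valid; the expiry is therefore reported as its own finding, since that is exactly the case the "Block processes signed with an expired certificate" option targets. Note also that the icacls log line later in this thread shows a `<NULL>` signer for a Windows binary: Windows system files are frequently catalog-signed rather than carrying an embedded signature, so an unsigned result for a file under C:\Windows is not by itself evidence of tampering.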

Back3

I've been using OSArmor for a week. For the first 3 days, I used the Basic Protection. No issues. I'm now trying OSA with Medium Protection. I had an issue with many portable apps that are in my Documents folder. At first, I tried to solve that issue by managing exclusions. It was easier to simply uncheck a protection option.
Three of your additional protection options were already checked: I had checked everything in Digital Code Signature. I have added "Block unsigned processes on user space". So far, so good.

I have another question. If I export my protection settings, reinstall OSA, are my exclusions included in the backup I want to restore?

NoVirusThanks

From NoVirusThanks
Here is a pre-release test 1 version of OSArmor PERSONAL v1.7.8:

Code:
https://downloads.osarmor.com/osarmor-personal-1-7-8-setup-test1.exe

You can install it "over-the-top" of the installed version; a reboot is not needed.

Let me know if you find issues or FPs.

This is the changelog so far:

+ Improved Block any process executed from web browsers
+ Added new internal rules to block suspicious behaviors
+ Added Block execution of Windows Terminal
+ Added Do not cache similar notifications
+ Minor improvements

The new Windows Terminal app can be abused to proxy the execution of other processes:



It may soon be used by Qakbot or in maldocs, so if you don't use it you may want to block it with the new OSA option.

@Back3

The export option only exports settings and protections (it is an INI file).

If you install OSA "over-the-top" of an already installed OSA version then the exclusions and custom rules are never overwritten.

If you uninstall OSA, it will ask you whether you also want to delete all .db files and the log files (if you choose No, they will not be deleted).

A good recommendation when you export settings/protection would be to also manually back up the Exclusions.db and CustomBlock.db files.

So in any case you can restore your OSA setup completely.

@Shadowra

Sure you can do that :)

A few things to take into consideration:

- You may want to use OSA 1.7.8 and enable the new option "Do not cache similar notifications" on Configurator -> Settings

This option will not cache the notification windows, so you will always get an alert even when the same event is blocked again after 1 second; otherwise they are cached for a few seconds to avoid sending too many similar notifications to the user (the event is always blocked and logged to the .log file).

- You may want to test the Extreme Protection and/or the Basic Protection with the 4 additional options enabled, since you will also test the execution of .exe files directly.

- Processes/scripts blocked by OSA are not deleted, so if you scan the system with an AV at the end of the test it will find the malware remnants on the disk and simply remove them.

They are innocuous, since they failed to execute on the system because they were blocked by OSA.

NoVirusThanks

From NoVirusThanks
@Back3 @Harputlu

Here is a 30% OFF coupon code for this summer:

SUMMER2022

The discount also applies to future renewals and is valid for a total of 25 orders (hurry up 😄).

Have a great weekend everyone!

@Shadowra

Maybe you can test both Basic Protection profile and Extreme Protection profile?

May be useful for users to see differences.

Back3

I have a question about those tests: if OSA is an additional layer of defence which can block threats not detected by my antivirus, should the test be done with an antivirus like Microsoft Defender? If MD blocks 80% of the threats and OSA the other 20%, wow, that's good. But if they block the same 80%, then OSA is not very useful! If OSA is tested alone and blocks 100% of the threats, I know it's good. But if it blocks less than 100%, it becomes difficult to make a judgment about OSA as an additional layer of defence.

What I really want to know: can OSA block the threats that my antivirus misses?

Back3

Did a manual upgrade to F-Secure 18.4. Had to make an exclusion in OSArmor.

C:\Windows\SysWOW64\icacls.exe] [%PROCESSCMDLINE%: "C:\WINDOWS\SysWOW64\icacls.exe" "C:\ProgramData\F-Secure\NS\default\latebound\*" /reset /t /c] [%SIGNER%: <NULL>] [%PARENTPROCESS%: C:\Windows\SysWOW64\msiexec.exe] [%PARENTSIGNER%: <NULL>]
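The Passive Logging tip earlier in the thread (run it for a week, then review the .log file and write exclusion rules) produces many lines like the icacls entry above. As an added example (not OSArmor's own tooling): a PowerShell triage script that parses such lines and groups repeated events so exclusion candidates stand out from one-offs. It assumes each blocked event is a single line of bracketed `[%FIELD%: value]` pairs, using only the field names visible in the fragment above plus an assumed leading `%PROCESS%` field for the blocked executable; the log lines embedded in it are constructed sample data, not a real OSArmor log.

```powershell
# Added example, not OSArmor's own code: summarise Passive Logging output.
# Assumption: one blocked event per line, as "[%FIELD%: value] [%FIELD%: value] ...".
# The lines below are constructed sample data modelled on the icacls fragment
# reported in this thread; the %PROCESS% field name is an assumption.
$sampleLog = @'
[%PROCESS%: C:\Windows\SysWOW64\icacls.exe] [%PROCESSCMDLINE%: "C:\WINDOWS\SysWOW64\icacls.exe" "C:\ProgramData\F-Secure\NS\default\latebound\*" /reset /t /c] [%SIGNER%: <NULL>] [%PARENTPROCESS%: C:\Windows\SysWOW64\msiexec.exe] [%PARENTSIGNER%: <NULL>]
[%PROCESS%: C:\Windows\SysWOW64\icacls.exe] [%PROCESSCMDLINE%: "C:\WINDOWS\SysWOW64\icacls.exe" "C:\ProgramData\F-Secure\NS\default\latebound\*" /reset /t /c] [%SIGNER%: <NULL>] [%PARENTPROCESS%: C:\Windows\SysWOW64\msiexec.exe] [%PARENTSIGNER%: <NULL>]
[%PROCESS%: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe] [%PROCESSCMDLINE%: powershell.exe -nop -w hidden -enc SQBFAFgA] [%SIGNER%: Microsoft Windows] [%PARENTPROCESS%: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE] [%PARENTSIGNER%: Microsoft Corporation]
[%PROCESS%: C:\Users\Dev\Documents\Tools\portable.exe] [%PROCESSCMDLINE%: "C:\Users\Dev\Documents\Tools\portable.exe"] [%SIGNER%: <NULL>] [%PARENTPROCESS%: C:\Windows\explorer.exe] [%PARENTSIGNER%: Microsoft Windows]
'@

function ConvertFrom-OsaBlockLine {
    # Turn one "[%KEY%: value] [%KEY%: value] ..." line into an object.
    # The lookahead ends a value only at the next "[%" or at end of line, so a
    # "]" inside a quoted command line does not cut the value short.
    param([string]$Line)
    $fields = @{}
    foreach ($m in [regex]::Matches($Line, '\[%(?<k>\w+)%:\s*(?<v>.*?)\](?=\s*\[%|\s*$)')) {
        $fields[$m.Groups['k'].Value] = $m.Groups['v'].Value
    }
    if ($fields.Count -eq 0) { return }
    [pscustomobject]@{
        Process      = $fields['PROCESS']
        CmdLine      = $fields['PROCESSCMDLINE']
        Signer       = $fields['SIGNER']
        Parent       = $fields['PARENTPROCESS']
        ParentSigner = $fields['PARENTSIGNER']
    }
}

# To use on a real log, replace $sampleLog with: Get-Content -Raw 'C:\path\to\OSArmor.log'
$events = $sampleLog -split "`r?`n" |
    Where-Object { $_.Trim() } |
    ForEach-Object { ConvertFrom-OsaBlockLine $_ }

# Group on process/parent/signer: the same triple seen repeatedly over the week
# is usually an installer or updater (an exclusion candidate), while a one-off
# child of an Office app or browser, or an encoded PowerShell command, is what
# the profiles exist to stop and should not be excluded without a closer look.
$events |
    Group-Object Process, Parent, Signer |
    ForEach-Object {
        $e = $_.Group[0]
        if ($e.Parent -match 'WINWORD|EXCEL|POWERPNT|OUTLOOK|chrome|msedge|firefox') { $note = 'review: spawned by Office/browser' }
        elseif ($e.CmdLine -match '-e(c|nc|ncodedcommand)?\s') { $note = 'review: encoded PowerShell' }
        elseif ($e.Signer -eq '<NULL>' -and $e.ParentSigner -eq '<NULL>') { $note = 'unsigned child of unsigned parent' }
        else { $note = '' }
        [pscustomobject]@{
            Count        = $_.Count
            Process      = $e.Process
            Signer       = $e.Signer
            Parent       = $e.Parent
            ParentSigner = $e.ParentSigner
            Note         = $note
        }
    } |
    Sort-Object Count -Descending |
    Format-Table -AutoSize -Wrap
```

On the sample data the icacls-from-msiexec pair collapses into one row with a count of 2 (the kind of installer activity the F-Secure exclusion above covers), while the PowerShell spawned by WINWORD.EXE and the unsigned portable tool each appear once with a review note. Exclusion rule syntax is not documented in this thread, so the script stops at producing the candidate list; write the rules from the Process and Parent columns in the OSArmor Configurator.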

NoVirusThanks

From NoVirusThanks
Here is a pre-release test 6 version of OSArmor PERSONAL v1.7.8:

Code:
https://downloads.osarmor.com/osarmor-personal-1-7-8-setup-test6.exe

You can install it "over-the-top" of the installed version; a reboot is not needed.

Let me know if you find issues or FPs.

This is the changelog so far:

+ Improved Block any process executed from web browsers
+ Added new internal rules to block suspicious behaviors
+ Added Block execution of Windows Terminal
+ Added Block processes executed from Microsoft Virtual DVD-ROM
+ Added Do not cache similar notifications
+ Added Automatically delete ANY file on Startup folder of ANY user
+ Added Protect original Registry Startup folder locations
+ Fixed all reported false positives
+ Minor improvements

Some details:

- The option "Block processes executed from Microsoft Virtual DVD-ROM":

Will block any process started from an ISO/IMG mounted as a virtual drive; it is auto-enabled on Extreme Protection.



- The option "Automatically delete ANY file on Startup folder of ANY user"

Will automatically delete any file located in the StartUp folder of ANY user, e.g:

Code:
C:\Users\Username\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup

* This is a sort of "system hardening" rule and doesn't involve blocking of processes.

- The option "Protect original Registry Startup folder locations"

Will protect Registry locations of StartUp folder, e.g:

Code:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\Startup

* This is a sort of "system hardening" rule and doesn't involve blocking of processes.

With the above two additional protection options we wanted to provide a simple way to protect the Windows StartUp folder. So for example, if a maldoc or an application drops a file in the user's StartUp folder, it is automatically deleted. We wanted to specifically provide these options to keep the StartUp folder "clean" and empty.

@Back3

Thank you for reporting the FP, it is fixed now.

Mops21

Here is a pre-release test 8 version of OSArmor PERSONAL v1.7.8:

Wilders Security Forum Post Link


Only added logging to file of Startup folder rules:

Date/Time: 09/08/2022 12:55:46
StartUp Folder File Deleted: C:\Users\Dev\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Malware.lnk
Rule: AutoDeleteFilesOnStartupFolder
Rule Name: Automatically delete ANY file on Startup folder of ANY user

Date/Time: 09/08/2022 12:54:46
StartUp Folder Registry Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
StartUp Folder Registry Value: Startup
StartUp Folder Registry Data Modified: %TEMP%\09402901\
StartUp Folder Registry Data Restored: %USERPROFILE%\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup
Rule: ProtectStartupFolderRegistryData
Rule Name: Protect original Registry Startup folder locations

@bjm_

The two options are not auto-enabled on Extreme protection.

They need to be enabled manually.

@moredhelfinland

We have users that use OSA on Enterprise LTSC and reported no issues so far.

OSA uses a kernel-mode driver to monitor process executions, and OSArmorDevSvc is a Windows service.

OSA doesn't monitor registry keys or such, it monitors and blocks suspicious processes.

For malware to be able to edit the registry or perform other tasks it needs to be executed on the system; if the process is blocked or the infection chain is stopped, then the system is not altered.

That is the point of OSA: prevent malware/ransomware infection by blocking malware delivery methods and suspicious processes.

With Extreme protection you can "lockdown" the system (it blocks unsigned processes and processes signed by unknown vendors).

Here is OSA in action with recent malware samples and file types (LNK/ISO/IMG/etc):


@itman

OSA protects from suspicious processes started from LNK shortcuts; here is the chapter where we test malicious LNK files:


Also, most malware will drop a malicious .lnk file to this directory.
A malware could drop any file there, such as vbs/js/vbe/wsf/hta/exe/scr/pif/com/bat/lnk/url/etc.

Better to delete any file type, since if a file is dropped here it is done with the objective of executing the file when the PC starts.

OSA already blocks malware delivery methods so the Startup folder is not an issue (if the process/infection chain is stopped no file will be dropped there).

Additionally, OSA starts before Windows runs the files in the Startup folder, so again no issues here:

But we wanted to add options to keep the Startup folder empty (we don't allow for exclusions there).

With best Regards
Mops21
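The two Startup folder rules quoted above act on two persistence points: files in any user's Startup folder, and the `User Shell Folders\Startup` registry value, which the log excerpt shows being redirected to `%TEMP%\09402901\` and restored to the Windows default. As an added example (not OSArmor's own code, and not part of the quoted post): a PowerShell audit that lists both, so you can check the same locations by hand, for instance before enabling the rules or on a machine without OSA. It also covers the all-users Startup folder and its `Common Startup` value under HKLM, which the thread does not mention; their defaults are the standard Windows ones.

```powershell
# Added example, not OSArmor's own code: audit the Startup folder persistence
# points covered by the v1.7.8 options. Reports (1) every file in any user's
# Startup folder and in the all-users Startup folder, and (2) any Startup
# folder location in the registry that no longer points at the Windows default.
# Run from an elevated prompt to see other users' loaded hives under HKEY_USERS.

$defaultUserStartup   = '%USERPROFILE%\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup'
$defaultCommonStartup = '%ProgramData%\Microsoft\Windows\Start Menu\Programs\Startup'
$usfSubKey = 'SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders'

function Get-RawRegValue {
    # Read REG_EXPAND_SZ data without expanding %VARS%, so a redirect to
    # %TEMP%\... is reported as written rather than already resolved
    # (Get-ItemProperty would expand it and hide the difference).
    param([string]$KeyPath, [string]$ValueName)
    $key = Get-Item -Path $KeyPath -ErrorAction SilentlyContinue
    if ($null -eq $key) { return $null }
    $key.GetValue($ValueName, $null, [Microsoft.Win32.RegistryValueOptions]::DoNotExpandEnvironmentNames)
}

# (1) Files dropped into Startup folders. Anything here runs at logon.
$startupDirs = @(Get-ChildItem -Path 'C:\Users' -Directory -ErrorAction SilentlyContinue |
    ForEach-Object { Join-Path $_.FullName 'AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup' })
$startupDirs += Join-Path $env:ProgramData 'Microsoft\Windows\Start Menu\Programs\Startup'

foreach ($dir in $startupDirs) {
    if (-not (Test-Path -LiteralPath $dir)) { continue }
    Get-ChildItem -LiteralPath $dir -File -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.Name -ne 'desktop.ini' } |
        ForEach-Object { "[STARTUP FILE] $($_.FullName)" }
}

# (2) Registry redirection of the per-user Startup folder: current user plus
# every loaded user hive under HKEY_USERS (SIDs of the form S-1-5-21-...).
$userKeys = @("HKCU:\$usfSubKey")
$userKeys += Get-ChildItem -Path 'Registry::HKEY_USERS' -ErrorAction SilentlyContinue |
    Where-Object { $_.PSChildName -match '^S-1-5-21-\d+-\d+-\d+-\d+$' } |
    ForEach-Object { "Registry::HKEY_USERS\$($_.PSChildName)\$usfSubKey" }

foreach ($k in $userKeys) {
    $data = Get-RawRegValue -KeyPath $k -ValueName 'Startup'
    if ($null -ne $data -and $data -ne $defaultUserStartup) {
        "[REDIRECTED] $k\Startup = '$data' (expected '$defaultUserStartup')"
    }
}

# All-users Startup folder location (not covered by the thread; default shown above).
$common = Get-RawRegValue -KeyPath "HKLM:\$usfSubKey" -ValueName 'Common Startup'
if ($null -ne $common -and $common -ne $defaultCommonStartup) {
    "[REDIRECTED] HKLM:\$usfSubKey\Common Startup = '$common' (expected '$defaultCommonStartup')"
}
```

The string comparisons are case-insensitive (PowerShell's default for `-ne`), and a missing value is skipped rather than reported, since a fresh profile may not have written it yet. A redirected value is worth treating as seriously as a dropped file: with the folder moved to a writable temp directory, whatever is placed there runs at logon without ever touching the real Startup folder, which is why OSArmor's rule restores the original data rather than only deleting files.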
 


plat

I haven't installed the latest test build yet but I would imagine it's likely the same. A very small and obscure anomaly and not sure it's important but if one is a perfectionist, then OK.




Very briefly, if an app that's allowed to run in the background via Settings is also pinned to taskbar and OSA is set to block it, the interface will launch incompletely, then disappear and take the taskbar icon with it. Doesn't happen if the app is disabled from running in the background (the icon stays pinned). I used Windows Security as an example.

I will delete this video in a few days as it's just for demo in this context. I like that OSA is now able to block apps that are enabled to run in the background.

Edit: just checked the video, it's buffering endlessly on this page but plays fine on the YouTube site. If it's buffering for you, just click the title and view it on YouTube. :mad:

Re-edit: Tried with the Microsoft Store app, no problems with running in the background vs. disabled from running in the b/g.

NoVirusThanks

From NoVirusThanks
@plat

Thank you for reporting that.

I took a look at the video and made some tests; it looks like it is normal behavior when you block some Windows Apps (it doesn't happen with all of them).

Noticed that it may happen when you block MS Edge, Windows Security UI, Cortana (partially), and a few others.
 