NoVirusThanks OSArmor

NoVirusThanks

From NoVirusThanks
Verified
Developer
Well-known
Aug 23, 2012
292
Here is a pre-release test 10 version of OSArmor PERSONAL v1.7.8:

Code:
https://downloads.osarmor.com/osarmor-personal-1-7-8-setup-test10.exe

Now when new signers are found while scanning for Trusted Vendors, the Configurator will show a new window showing which are the new signers added:

Immagine.png
 

Back3

Level 14
Verified
Top Poster
Apr 14, 2019
654
When I tried to open Softmaker Free Office, TextMaker help section, it was blocked by OSA. I had to make an exclusion. I have 1.78 test 10


Parent: [11208]C:\Program Files (x86)\SoftMaker FreeOffice 2021\TextMaker.exe
Parent Process Size: 24,3 MB (25 478 696 bytes)
Rule: AntiExploitProtectOfficeApplications
 
Last edited:

LittleDude

Level 2
Verified
Jun 17, 2014
60
When I tried to open Softmaker Free Office, TextMaker help section, it was blocked by OSA. I had to make an exclusion. I have 1.78 test 10


Parent: [11208]C:\Program Files (x86)\SoftMaker FreeOffice 2021\TextMaker.exe
Parent Process Size: 24,3 MB (25 478 696 bytes)
Rule: AntiExploitProtectOfficeApplications
Same for 1.77 and 1.78 test 10
 
  • Like
Reactions: Sorrento and Back3

Gandalf_The_Grey

Level 76
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Apr 24, 2016
6,505
Here is a pre-release test 14 version of OSArmor PERSONAL v1.7.8:

You can install it "over-the-top" of the installed version, reboot is not needed.

Let me know if you find issues or FPs.

Here is what's new compared to previous test build:

+ Improved management of rules on Protections tab
+ Improved support for high-DPI
+ Fixed all reported false positives
+ Fixed search of rules when mouse cursor is moved below the searchbar
+ Minor improvements

Here is a screenshot of the new Protections tab:
osa.png
 

Gandalf_The_Grey

Level 76
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Apr 24, 2016
6,505
Here is a pre-release test 16 version of OSArmor PERSONAL v1.7.8:
You can install it "over-the-top" of the installed version, reboot is not needed.

Let me know if you find issues or FPs.

Here is what's new compared to previous test build:

+ Font Segoe UI is now used on all UI elements
+ Show a notification if protection is disabled for more than 10 minutes
+ Fixed all reported false positives
+ Minor improvements

Here is a screenshot of the "protection disabled" notification:
reminder.png
The notification works only for the Protection -> Disable Protection, not for Disable Temporarily.

The notification will not auto-close, you can close it with the X button on top-right or by clicking the button "Enable Protection".
 

Back3

Level 14
Verified
Top Poster
Apr 14, 2019
654
I have OSA on my PC set at medium protection. In the last 2 weeks, I got 18 alerts.
5 for unsigned process. Ex Hibit Uninstaller, LibreWolf.
1 for .msc scripts outside system folder.
1 for expired certificate.
1 for invalid certificate.
2 to prevent important system modifications: false positives for F-Secure that were corrected
3 for blocked signers not present in Trusted Vendors: Q-Dir.
1 to protect office applications with anti-exploit module: SoftMaker FreeOffice.
4 to block execution of suspicious command-lines strings: SoftMaker FreeOffice

My take:I have checked everything in the Digital Code Signature: 7 alerts; 5 alerts For Softmaker which is in the Trusted vendors list ??
I think I'll go back to basic protection. I did that!
 
Last edited:

Gandalf_The_Grey

Level 76
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Apr 24, 2016
6,505
I have OSA on my PC set at medium protection. In the last 2 weeks, I got 18 alerts.
5 for unsigned process. Ex Hibit Uninstaller, LibreWolf.
1 for .msc scripts outside system folder.
1 for expired certificate.
1 for invalid certificate.
2 to prevent important system modifications: false positives for F-Secure that were corrected
3 for blocked signers not present in Trusted Vendors: Q-Dir.
1 to protect office applications with anti-exploit module: SoftMaker FreeOffice.
4 to block execution of suspicious command-lines strings: SoftMaker FreeOffice

My take:I have checked everything in the Digital Code Signature: 7 alerts; 5 alerts For Softmaker which is in the Trusted vendors list ??
I think I'll go back to basic protection. I did that!
Maybe you can use basic with with the following 4 additional protection options enabled:

Block signers not present in Trusted Vendors
Block processes signed with an expired certificate
Block unsigned processes on user space
Block execution of unsigned MSI installers ---> This is enabled by default on Basic Protection profile from OSArmor v1.7.7

Like in the video by @NoVirusThanks posted here:
 

NoVirusThanks

From NoVirusThanks
Verified
Developer
Well-known
Aug 23, 2012
292
We've released OSArmor v1.7.8:

Here is the changelog:

[16-Aug-2022] v1.7.8.0

+ Improved Block any process executed from web browsers
+ Added new internal rules to block suspicious behaviors
+ Added Block execution of Windows Terminal
+ Added Block processes executed from Microsoft Virtual DVD-ROM
+ Added Do not cache similar notifications
+ Added Automatically delete ANY file on Startup folder of ANY user
+ Added Protect original Registry Startup folder locations
+ Improved management of rules on Protections tab
+ Show which new Trusted Vendors have been added
+ Improved support for high-DPI
+ Font Segoe UI is now used on all UI elements
+ Show a notification if protection is disabled for more than 10 minutes
+ Merged some user-selectable protection options
+ Fixed all reported false positives
+ Minor improvements

If you have automatic updates enabled then OSArmor should auto-update in the next hours.

Else you can install it "over-the-top" of the installed version, reboot is not needed.

If you find false positives or issues please let me know.

@Back3

Regarding these alerts:

5 for unsigned process. Ex Hibit Uninstaller, LibreWolf.
3 for blocked signers not present in Trusted Vendors: Q-Dir.
1 for expired certificate.
1 for invalid certificate.

Based on the options you enabled, you should make sure to use only apps that are digitally signed.

And you may need to add new signers to the Trusted Vendors list if you use apps signed by a signer/vendor that is not present in the list.

Regarding the expired or invalid certificate, these issues should be addressed by the application developer.

The other reported FPs have all been fixed on the latest version 1.7.8 (final release).

Thank you a lot for reporting them.
 

Gandalf_The_Grey

Level 76
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Apr 24, 2016
6,505
Here is a pre-release test 1 version of OSArmor PERSONAL v1.7.9:
You can install it "over-the-top" of the installed version, reboot is not needed.

Let me know if you find issues or FPs.

Here is the changelog so far:

+ Added option to disable the notification when protection is disabled
+ Improved auto-resize of GUI windows on small screen resolutions
+ Improved display of notifications on bottom-right area
+ Various improvements on notification windows
+ Fixed all reported false positives
+ Minor improvements
 

NoVirusThanks

From NoVirusThanks
Verified
Developer
Well-known
Aug 23, 2012
292
We've released OSArmor v1.7.9:

Here is the changelog:

[18-Aug-2022] v1.7.9.0

+ Added option to disable the notification when protection is disabled
+ Improved auto-resize of GUI windows on small screen resolutions
+ Improved display of notifications on bottom-right area
+ Various improvements on notification windows
+ Fixed all reported false positives
+ Minor improvements

If you have automatic updates enabled then OSArmor should auto-update in the next hours.

Else you can install it "over-the-top" of the installed version, reboot is not needed.

* If you used test builds you should manually update to this final version (install over-the-top is fine).

If you find false positives or issues please let me know.
 

NoVirusThanks

From NoVirusThanks
Verified
Developer
Well-known
Aug 23, 2012
292
@Back3

I tried to install Peazip 8.80 with Basic Protection enabled and no alerts here.

But since it is unsigned (both the setup file and the .tmp setup file) with Extreme Protection I got these alerts:

Code:
Date/Time: 8/21/2022 4:47:57 AM
Process: [7172]C:\Users\Dev\AppData\Local\Temp\is-68BA3.tmp\peazip-8.8.0.WIN64(1).tmp
Process Size: 1.15 MB (1,209,856 bytes)
Process MD5 Hash: 889C8EF91AC310544D1539AC3CDC0F07
Parent: [6524]C:\Users\Dev\Desktop\peazip-8.8.0.WIN64(1).exe
Parent Process Size: 9.15 MB (9,591,996 bytes)
Rule: BlockUnsignedProcessesAppDataLocal
Rule Name: Block execution of unsigned processes on Local AppData
Command Line: "C:\Users\Dev\AppData\Local\Temp\is-68BA3.tmp\peazip-8.8.0.WIN64(1).tmp" /SL5="$7031A,9122534,151552,C:\Users\Dev\Desktop\peazip-8.8.0.WIN64(1).exe" /SPAWNWND=$702F0 /NOTIFYWND=$702D2
Signer: <NULL>
Parent Signer: <NULL>
User/Domain: XXX/XXX
System File: False
Parent System File: False
Integrity Level: High
Parent Integrity Level: High

Date/Time: 8/21/2022 4:47:53 AM
Process: [7680]C:\Users\Dev\Desktop\peazip-8.8.0.WIN64(1).exe
Process Size: 9.15 MB (9,591,996 bytes)
Process MD5 Hash: BDECB3A0F57D652BE39014FEF26B875E
Parent: [4412]C:\Windows\explorer.exe
Parent Process Size: 4.8 MB (5,028,992 bytes)
Rule: BlockUnsignedProcessesOnDesktop
Rule Name: Block execution of unsigned processes on Desktop folder
Command Line: "C:\Users\Dev\Desktop\peazip-8.8.0.WIN64(1).exe"
Signer: <NULL>
Parent Signer: Microsoft Windows
User/Domain: XXX/XXX
System File: False
Parent System File: True
Integrity Level: Medium
Parent Integrity Level: Medium

//Edit

I see you have the option to block unsigned processes on user space enabled (checked the PM).

Unfortunately we can't do much about these alerts because Peazip is unsigned (both the .exe setup file and the .tmp setup file).

In these cases you may need to disable OSA temporarily (you can use right click on tray icon -> Protection -> Disable Temporarily -> 10 Minutes) before installing the unsigned application or you may find alternatives that are signed.
 

Gandalf_The_Grey

Level 76
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Apr 24, 2016
6,505
Here is a pre-release test 1 version of OSArmor PERSONAL v1.8.0:
https://downloads.osarmor.com/osa-1-8-0-personal-setup-test1.exe
You can install it "over-the-top" of the installed version, reboot is not needed.

Let me know if you find issues or FPs.

Here is what's new:

+ Improved display of notifications on bottom-right area
+ Fixed all reported false positives
+ Minor improvements
//Everyone

There is one issue that is related to the "Reminder: Protection Disabled" notification window that unfortunately I can't reproduce:

#4379 and #4335 and #4358

If possible, it would be very useful if you can try this:

1) Install this new build v1.8.0 test 1
2) Then disable OSArmor protection via right-click on tray icon -> Protection -> Disable Protection
3) Now wait around 10/12 minutes (do not open applications in full-screen mode meanwhile)
4) And then you should get the "Protection Disabled" notification on the bottom-right area

If you get the notification on the top-left area (that is wrong) please let me know, and then check if this file exists:

C:\Users\<USER>\AppData\Local\Temp\OSArmorDevUI_Debug.log

If it is present, please send it to me via email.

Thank you everyone!
 

Gandalf_The_Grey

Level 76
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Apr 24, 2016
6,505
Here is a pre-release test 2 version of OSArmor PERSONAL v1.8.0:
You can install it "over-the-top" of the installed version, reboot is not needed.

I've mainly changed one parameter related to how the notification dialog is displayed on bottom right.

If possible, it would be very useful if you can try this again:

1) Install this new build v1.8.0 test 2
2) Then disable OSArmor protection via right-click on tray icon -> Protection -> Disable Protection
3) Now wait around 10/12 minutes (do not open applications in full-screen mode meanwhile)
4) And then you should get the "Protection Disabled" notification on the bottom-right area

If you get the notification on the top-left area (that is wrong) please let me know.

I'm particularly interested in @Buddel @plat1098 and @bjm_ results since you could reproduce the issue.
 

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

User Menu

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top