NoVirusThanks OSArmor

[Gandalf_The_Grey]

Have installed OSA 1.80 test 8: no problem here. The notification issue seems to be fixed.

https://downloads.osarmor.com/osa-1-8-0-personal-setup-test8.exe

Yes, it seems that the only fix in test 8 is for the notification issue

The announcement on Wilders:

Here is a pre-release test 8 version of OSArmor PERSONAL v1.8.0:

https://downloads.osarmor.com/osa-1-8-0-personal-setup-test8.exe

You can install it "over-the-top" of the installed version, reboot is not needed.

Let me know if you find issues or FPs.

After many tests I was finally able to reproduce the top left notification window.

With this new build the issue should be fixed.

If possible, @Buddel @plat1098 and @bjm_ try to run some occasional tests on these days.

Thanks to all users that tested the previous builds.

@Buddel

Seems that the .log file is not saved in the Temp folder because nothing "strange" is detected in the screen dimensions, no need anymore to look for it.

This information was very useful:

So far, the notification was NOT displayed correctly after disabling OSA for the first time after booting my machine. Second, third, fourth attempts could not reproduce this issue.

According also to the other users that reproduced the issue, and same for me today, it happened only the first time I tried to disable OSA protection, all the next attempts correctly showed the notification on bottom right.

@bellgamin

That is a good idea and we thought about it some time ago, but according to users needs and preferences, we decided to keep the option to disable the protection without a time limit.

NoVirusThanks OSArmor: An Additional Layer of Defense

Because I have long believed that the option to Disable Permanently should, itself, be deleted. This is a short-sighted view, to say the least. I need...

www.wilderssecurity.com

 

[Back3]

Have installed OSA 1.80 test 10: no problem here.
Still using basic protection. Added Block unsigned process on user space (Lockdown) and Block processes signed with an expired certificate (Digital Code Signature). Very few alerts.

https://downloads.osarmor.com/osa-1-8-0-personal-setup-test10.exe

Before the installation of OSA, I did not know I had so many unsigned , invalid or not trusted programs on my PC: Hibit Uninstaller, SSD Booster,Email Stripper,Firewall App Blocker,Librewolf,Q-Dir, Peazip and Burnaware Free.

 

[Gandalf_The_Grey]

Changelog from test 10 at Wilders:
Here is a pre-release test 10 version of OSArmor PERSONAL v1.8.0:

https://downloads.osarmor.com/osa-1-8-0-personal-setup-test10.exe

You can install it "over-the-top" of the installed version, reboot is not needed.

Let me know if you find issues or FPs.

Here is what's new compared to the previous test build:

+ Added new internal rules to block suspicious behaviors
+ Renamed Manage Exclusions into Add / Manage Exclusions
+ The WAV file is not anymore overwritten during installation
+ Show protection status on tray icon hint message

@plat1098

Is there any way to preserve the custom WAV file instead of automatically replacing it with the default "loon" one every time a new build is installed?

Sure, now it is not overwritten during installation, so your custom loon.wav file will not be overwritten with the default one.

It will be deleted only during uninstallation.

NoVirusThanks OSArmor: An Additional Layer of Defense

Because I have long believed that the option to Disable Permanently should, itself, be deleted. This is a short-sighted view, to say the least. I need...

www.wilderssecurity.com

 

[NoVirusThanks]

We've released OSArmor v1.8.0:

Download OSArmor for Windows 7, 8, 10, 11 (32 & 64-bit) | OSArmor

Download the setup file for OSArmor Personal, Business and Enterprise version for Windows 7, 8, 10, 11 (32 & 64-bit). All executable files are digitally signed and free from adware.

www.osarmor.com

Here is the changelog:

[30-Aug-2022] v1.8.0.0

+ Improved display of notifications on bottom-right
+ Added new internal rules to block suspicious behaviors
+ Added Block processes with uncommon chars (e.g ;#!@%[]) on file path
+ Renamed Manage Exclusions into Add / Manage Exclusions
+ The WAV file is not anymore overwritten during installation
+ Show protection status on tray icon hint message
+ Improved matching of Exclusions and Custom Block rules
+ Added more signers to Trusted Vendors list
+ Important improvement in how internal rules are matched
+ Fixed all reported false positives
+ Minor improvements

If you have automatic updates enabled then OSArmor should auto-update in the next hours.

Else you can install it "over-the-top" of the installed version, reboot is not needed.

* If you used test builds you should manually update to this final version (install over-the-top is fine).

If you find false positives or issues please let me know.

If you want to enable the new option:

"Block processes with uncommon chars (e.g ;#!@%[]) on file path"

You need to do it from the Configurator manually.

 

[Back3]

Got it and have enabled the new option: "Block processes with uncommon chars (e.g ;#!@%[]) on file path"
Thanks

 

[Sorrento]

Probably best software I've bought for some time

 

[Back3]

Did a manual update to Macrium Reflect 8.0.6979. Had to make an exclusion. False Positive?

[%PROCESS%: C:\Users\rene3\AppData\Local\Temp\_ir_vp2_temp_0\vpatch.exe] [%PROCESSCMDLINE%: "__IRAFN:C:\Users\rene3\AppData\Local\Temp\reflectPatch.exe"] [%SIGNER%: <NULL>] [%PARENTPROCESS%: C:\Users\rene3\AppData\Local\Temp\reflectPatch.exe] [%PARENTSIGNER%: PARAMOUNT SOFTWARE UK LIMITED]

 

[blackice]

Got an interesting block today with just Microsoft Edge open sitting idle for a few minutes. I have basic medium protection turned on with no tweaks. Not sure what to make of it.

Spoiler: Log

Date/Time: 9/9/2022 9:59:53 AM
Process: [14564]C:\Windows\Microsoft.NET\Framework64\v3.5\AddInUtil.exe
Process Size: 40.9 KB (41,880 bytes)
Process MD5 Hash: 169271A10EBCD60D97EE87DE7522012E
Parent: [22668]C:\Windows\System32\msiexec.exe
Parent Process Size: 176 KB (180,224 bytes)
Rule: BlockAddInUtilExecution
Rule Name: Block execution of addinutil.exe
Command Line: "c:\WINDOWS\Microsoft.NET\Framework64\v3.5\addinutil.exe" -AddInRoot:"c:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\AppInfoDocument\." -Rebuild
Signer: Microsoft Corporation
Parent Signer: <NULL>
User/Domain: SYSTEM/NT AUTHORITY
System File: True
Parent System File: True
Integrity Level: System
Parent Integrity Level: System

 

[wat0114]

Did a manual update to Macrium Reflect 8.0.6979. Had to make an exclusion. False Positive?

Yes I would say FP's. I've created three similar but slightly different Exclusions for MR Free update routines:

[%PROCESS%: C:\Users\*\AppData\Local\Temp\*temp*\vpatch.exe] [%PROCESSCMDLINE%: "*:C:\Users\*\AppData\Local\Temp\reflectPatch.exe"] [%SIGNER%: <NULL>] [%PARENTPROCESS%: C:\Users\*\AppData\Local\Temp\reflectPatch.exe] [%PARENTSIGNER%: PARAMOUNT SOFTWARE UK LIMITED]

[%PROCESS%: C:\Users\*\AppData\Local\Temp\*temp*\map.exe] [%PROCESSCMDLINE%: C:\Users\*\AppData\Local\Temp\*temp*\map.exe] [%SIGNER%: Paramount Software UK Ltd] [%PARENTPROCESS%: C:\Users\*\AppData\Local\Temp\*temp*\vpatch.exe] [%PARENTSIGNER%: <NULL>]

[%PROCESS%: C:\Users\*\AppData\Local\Temp\*temp*\BcdCheck.exe] [%PROCESSCMDLINE%: C:\Users\*\AppData\Local\Temp\*temp*\BcdCheck.exe] [%SIGNER%: Paramount Software UK Ltd] [%PARENTPROCESS%: C:\Users\*\AppData\Local\Temp\*temp*\vpatch.exe] [%PARENTSIGNER%: <NULL>]

 

[blackice]

Got an interesting block today with just Microsoft Edge open sitting idle for a few minutes. I have basic medium protection turned on with no tweaks. Not sure what to make of it.

Spoiler: Log

Date/Time: 9/9/2022 9:59:53 AM
Process: [14564]C:\Windows\Microsoft.NET\Framework64\v3.5\AddInUtil.exe
Process Size: 40.9 KB (41,880 bytes)
Process MD5 Hash: 169271A10EBCD60D97EE87DE7522012E
Parent: [22668]C:\Windows\System32\msiexec.exe
Parent Process Size: 176 KB (180,224 bytes)
Rule: BlockAddInUtilExecution
Rule Name: Block execution of addinutil.exe
Command Line: "c:\WINDOWS\Microsoft.NET\Framework64\v3.5\addinutil.exe" -AddInRoot:"c:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\AppInfoDocument\." -Rebuild
Signer: Microsoft Corporation
Parent Signer: <NULL>
User/Domain: SYSTEM/NT AUTHORITY
System File: True
Parent System File: True
Integrity Level: System
Parent Integrity Level: System

@NoVirusThanks to follow up there was actually another block when this was attempted. It looks like .NET was trying to update. But I am not sure this was legitimate.

Spoiler: Other Block

Date/Time: 9/9/2022 9:59:53 AM
Process: [16192]C:\Windows\Microsoft.NET\Framework64\v3.5\AddInUtil.exe
Process Size: 40.9 KB (41,880 bytes)
Process MD5 Hash: 169271A10EBCD60D97EE87DE7522012E
Parent: [22668]C:\Windows\System32\msiexec.exe
Parent Process Size: 176 KB (180,224 bytes)
Rule: BlockAddInUtilExecution
Rule Name: Block execution of addinutil.exe
Command Line: "c:\WINDOWS\Microsoft.NET\Framework64\v3.5\addinutil.exe" -PipelineRoot:"c:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\Pipeline.v10.0\." -Rebuild
Signer: Microsoft Corporation
Parent Signer: <NULL>
User/Domain: SYSTEM/NT AUTHORITY
System File: True
Parent System File: True
Integrity Level: System
Parent Integrity Level: System

 

[NoVirusThanks]

Here is a pre-release test 1 version of OSArmor PERSONAL v1.8.1:

https://downloads.osarmor.com/osa-personal-1-8-1-setup-test1.exe

Here is what's new so far:

+ Added more signers to Trusted Vendors list
+ Added new internal rules to block suspicious behaviors
+ Added Protect other popular applications with anti-exploit module
+ Added Block execution of .msp scripts <--- Disabled in all profiles
+ Added Block execution of .msu scripts <--- Disabled in all profiles
+ Added Block execution of .msrcincident scripts
+ Added Block execution of .mhtml\mht scripts
+ Added Block execution of .nfo scripts
+ Added Block execution of .chm scripts
+ Added Block execution of .hlp scripts
+ Fixed all reported false positives
+ Minor improvements

** The new protection options need to be enabled manually from the Configurator
** Blocking of .msp and .msu scripts may create issues with Windows updates (alerts level is set to "High" and they are disabled in all profiles)

You can install it "over-the-top" of the installed version, reboot is not needed.

Let me know if you find issues or FPs.

@blackice @wat0114 @Back3

Thanks for reporting the FPs, they are all fixed in this new build.

Regarding Macrium Reflect FP, I contacted Macrium asking them to sign also vpatch.exe

 

[wat0114]

Thank you for the test release @NoVirusThanks

 

[Gandalf_The_Grey]

Here is a pre-release test 4 version of OSArmor PERSONAL v1.8.1:

https://downloads.osarmor.com/osa-personal-1-8-1-setup-test4.exe

Here is what's new compared to previous test build:
+ Added more signers to Trusted Vendors list
+ Added new internal rules to block suspicious behaviors
+ Fixed all reported false positives

You can install it "over-the-top" of the installed version, reboot is not needed.

Let me know if you find issues or FPs.

 

[Guilhermesene]

@Gandalf_The_Grey Do you use this application? I was in the trial period and I like it a lot, mainly because of the vendor list that blocks programs that are not on my list. I was combining it with SysHardener, but I don't know which is better: Kaspersky in default deny mode or the two apps mentioned

 

[Gandalf_The_Grey]

@Gandalf_The_Grey Do you use this application? I was in the trial period and I like it a lot, mainly because of the vendor list that blocks programs that are not on my list. I was combining it with SysHardener, but I don't know which is better: Kaspersky in default deny mode or the two apps mentioned

No, I don't use it anymore since it became a paid application.
It never blocked something (bad) on my system, so I probably don't need it.

Liked it when it was free, same as SysHardner, then went to Andy's tools (ConfigureDefender and Simple Windows Hardening) and now I'm using Dan's tools (DefenderUI and VoodooShield).
Since you are already paying for Kaspersky I would go with its default deny mode.

Like all this hardening, but not sure if it is worth paying for when you also use a full AV suite, like Kaspersky.

 

[Guilhermesene]

No, I don't use it anymore since it became a paid application.
It never blocked something (bad) on my system, so I probably don't need it.

Liked it when it was free, same as SysHardner, then went to Andy's tools (ConfigureDefender and Simple Windows Hardening) and now I'm using Dan's tools (DefenderUI and VoodooShield).
Since you are already paying for Kaspersky I would go with its default deny mode.

Like all this hardening, but not sure if it is worth paying for when you also use a full AV suite, like Kaspersky.

Thanks for the tips noble master @Gandalf_The_Grey

 

[Jan Willy]

now I'm using Dan's tools (DefenderUI and VoodooShield).

You said that free OSArmor never blocked something bad on your system. I know it's OT but did VoodooShield block bad stuff?

 

[Gandalf_The_Grey]

You said that free OSArmor never blocked something bad on your system. I know it's OT but did VoodooShield block bad stuff?

No, you are absolutely right, probably I just need an AV.
I currently use DefenderUI Pro (= DefenderUI + VS lite in one tool), but sometimes I miss the editable whitelist and user log of the full VS and go back to DefenderUI and VS.

 

[Guilhermesene]

When the system is upgraded, for example as now to version 22H2, does OSarmor still work normally? Taking advantage of the question, I would also like to know for the SysHardener thanks to whoever answers me

 

[Back3]

Tried to update Garmin Express to version 7.14 version 1.8.1 test 4

Date/Time: 2022-09-21 03:15:30
Process: [5288]C:\ProgramData\Package Cache\988E476F9C725092B008E9A8E6A0437E07C02427\LegacyApplicationsUninstaller.exe
Process Size: 187 KB (191 488 bytes)
Process MD5 Hash: B3890A7ED9C5D538B7901B7C9AAB0658
Parent: [2816]C:\Users\*****\AppData\Local\Temp\{3E410583-B76A-4006-8001-E8B04DBE9D6F}\.be\GarminExpressInstaller.exe
Parent Process Size: 1,03 MB (1 081 928 bytes)
Rule: BlockUnsignedProcsOnUserSpace
Rule Name: Block unsigned processes on user space
Command Line: "C:\ProgramData\Package Cache\988E476F9C725092B008E9A8E6A0437E07C02427\LegacyApplicationsUninstaller.exe" /q
Signer: <NULL>
Parent Signer: Garmin International, Inc.
User/Domain: *****/DESKTOP-RVRBA7M
System File: False
Parent System File: False
Integrity Level: High
Parent Integrity Level: High