NoVirusThanks OSArmor

Gandalf_The_Grey

Level 84
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Apr 24, 2016
7,417
Have installed OSA 1.80 test 8: no problem here. The notification issue seems to be fixed.

Yes, it seems that the only fix in test 8 is for the notification issue

The announcement on Wilders:

Here is a pre-release test 8 version of OSArmor PERSONAL v1.8.0:
You can install it "over-the-top" of the installed version, reboot is not needed.

Let me know if you find issues or FPs.

After many tests I was finally able to reproduce the top left notification window.

With this new build the issue should be fixed.

If possible, @Buddel @plat1098 and @bjm_ try to run some occasional tests on these days.

Thanks to all users that tested the previous builds.

@Buddel

Seems that the .log file is not saved in the Temp folder because nothing "strange" is detected in the screen dimensions, no need anymore to look for it.

This information was very useful:

So far, the notification was NOT displayed correctly after disabling OSA for the first time after booting my machine. Second, third, fourth attempts could not reproduce this issue.

According also to the other users that reproduced the issue, and same for me today, it happened only the first time I tried to disable OSA protection, all the next attempts correctly showed the notification on bottom right.

@bellgamin

That is a good idea and we thought about it some time ago, but according to users needs and preferences, we decided to keep the option to disable the protection without a time limit.
 

Back3

Level 14
Verified
Top Poster
Apr 14, 2019
674
Have installed OSA 1.80 test 10: no problem here.
Still using basic protection. Added Block unsigned process on user space (Lockdown) and Block processes signed with an expired certificate (Digital Code Signature). Very few alerts.

Before the installation of OSA, I did not know I had so many unsigned , invalid or not trusted programs on my PC: Hibit Uninstaller, SSD Booster,Email Stripper,Firewall App Blocker,Librewolf,Q-Dir, Peazip and Burnaware Free.
 
Last edited:

Gandalf_The_Grey

Level 84
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Apr 24, 2016
7,417
Changelog from test 10 at Wilders:
Here is a pre-release test 10 version of OSArmor PERSONAL v1.8.0:
You can install it "over-the-top" of the installed version, reboot is not needed.

Let me know if you find issues or FPs.

Here is what's new compared to the previous test build:

+ Added new internal rules to block suspicious behaviors
+ Renamed Manage Exclusions into Add / Manage Exclusions
+ The WAV file is not anymore overwritten during installation
+ Show protection status on tray icon hint message

@plat1098

Is there any way to preserve the custom WAV file instead of automatically replacing it with the default "loon" one every time a new build is installed?

Sure, now it is not overwritten during installation, so your custom loon.wav file will not be overwritten with the default one.

It will be deleted only during uninstallation.
 

NoVirusThanks

From NoVirusThanks
Verified
Developer
Well-known
Aug 23, 2012
293
We've released OSArmor v1.8.0:

Here is the changelog:

[30-Aug-2022] v1.8.0.0

+ Improved display of notifications on bottom-right
+ Added new internal rules to block suspicious behaviors
+ Added Block processes with uncommon chars (e.g ;#!@%[]) on file path
+ Renamed Manage Exclusions into Add / Manage Exclusions
+ The WAV file is not anymore overwritten during installation
+ Show protection status on tray icon hint message
+ Improved matching of Exclusions and Custom Block rules
+ Added more signers to Trusted Vendors list
+ Important improvement in how internal rules are matched
+ Fixed all reported false positives
+ Minor improvements

If you have automatic updates enabled then OSArmor should auto-update in the next hours.

Else you can install it "over-the-top" of the installed version, reboot is not needed.

* If you used test builds you should manually update to this final version (install over-the-top is fine).

If you find false positives or issues please let me know.

If you want to enable the new option:

"Block processes with uncommon chars (e.g ;#!@%[]) on file path"

You need to do it from the Configurator manually.
 

Back3

Level 14
Verified
Top Poster
Apr 14, 2019
674
Did a manual update to Macrium Reflect 8.0.6979. Had to make an exclusion. False Positive?

[%PROCESS%: C:\Users\rene3\AppData\Local\Temp\_ir_vp2_temp_0\vpatch.exe] [%PROCESSCMDLINE%: "__IRAFN:C:\Users\rene3\AppData\Local\Temp\reflectPatch.exe"] [%SIGNER%: <NULL>] [%PARENTPROCESS%: C:\Users\rene3\AppData\Local\Temp\reflectPatch.exe] [%PARENTSIGNER%: PARAMOUNT SOFTWARE UK LIMITED]
 

blackice

Level 39
Verified
Top Poster
Well-known
Apr 1, 2019
2,868
Got an interesting block today with just Microsoft Edge open sitting idle for a few minutes. I have basic medium protection turned on with no tweaks. Not sure what to make of it.

Date/Time: 9/9/2022 9:59:53 AM
Process: [14564]C:\Windows\Microsoft.NET\Framework64\v3.5\AddInUtil.exe
Process Size: 40.9 KB (41,880 bytes)
Process MD5 Hash: 169271A10EBCD60D97EE87DE7522012E
Parent: [22668]C:\Windows\System32\msiexec.exe
Parent Process Size: 176 KB (180,224 bytes)
Rule: BlockAddInUtilExecution
Rule Name: Block execution of addinutil.exe
Command Line: "c:\WINDOWS\Microsoft.NET\Framework64\v3.5\addinutil.exe" -AddInRoot:"c:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\AppInfoDocument\." -Rebuild
Signer: Microsoft Corporation
Parent Signer: <NULL>
User/Domain: SYSTEM/NT AUTHORITY
System File: True
Parent System File: True
Integrity Level: System
Parent Integrity Level: System
 

wat0114

Level 13
Verified
Top Poster
Well-known
Apr 5, 2021
621
Did a manual update to Macrium Reflect 8.0.6979. Had to make an exclusion. False Positive?

Yes I would say FP's. I've created three similar but slightly different Exclusions for MR Free update routines:

Code:
[%PROCESS%: C:\Users\*\AppData\Local\Temp\*temp*\vpatch.exe] [%PROCESSCMDLINE%: "*:C:\Users\*\AppData\Local\Temp\reflectPatch.exe"] [%SIGNER%: <NULL>] [%PARENTPROCESS%: C:\Users\*\AppData\Local\Temp\reflectPatch.exe] [%PARENTSIGNER%: PARAMOUNT SOFTWARE UK LIMITED]

[%PROCESS%: C:\Users\*\AppData\Local\Temp\*temp*\map.exe] [%PROCESSCMDLINE%: C:\Users\*\AppData\Local\Temp\*temp*\map.exe] [%SIGNER%: Paramount Software UK Ltd] [%PARENTPROCESS%: C:\Users\*\AppData\Local\Temp\*temp*\vpatch.exe] [%PARENTSIGNER%: <NULL>]

[%PROCESS%: C:\Users\*\AppData\Local\Temp\*temp*\BcdCheck.exe] [%PROCESSCMDLINE%: C:\Users\*\AppData\Local\Temp\*temp*\BcdCheck.exe] [%SIGNER%: Paramount Software UK Ltd] [%PARENTPROCESS%: C:\Users\*\AppData\Local\Temp\*temp*\vpatch.exe] [%PARENTSIGNER%: <NULL>]
 

blackice

Level 39
Verified
Top Poster
Well-known
Apr 1, 2019
2,868
Got an interesting block today with just Microsoft Edge open sitting idle for a few minutes. I have basic medium protection turned on with no tweaks. Not sure what to make of it.

Date/Time: 9/9/2022 9:59:53 AM
Process: [14564]C:\Windows\Microsoft.NET\Framework64\v3.5\AddInUtil.exe
Process Size: 40.9 KB (41,880 bytes)
Process MD5 Hash: 169271A10EBCD60D97EE87DE7522012E
Parent: [22668]C:\Windows\System32\msiexec.exe
Parent Process Size: 176 KB (180,224 bytes)
Rule: BlockAddInUtilExecution
Rule Name: Block execution of addinutil.exe
Command Line: "c:\WINDOWS\Microsoft.NET\Framework64\v3.5\addinutil.exe" -AddInRoot:"c:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\AppInfoDocument\." -Rebuild
Signer: Microsoft Corporation
Parent Signer: <NULL>
User/Domain: SYSTEM/NT AUTHORITY
System File: True
Parent System File: True
Integrity Level: System
Parent Integrity Level: System
@NoVirusThanks to follow up there was actually another block when this was attempted. It looks like .NET was trying to update. But I am not sure this was legitimate.
Date/Time: 9/9/2022 9:59:53 AM
Process: [16192]C:\Windows\Microsoft.NET\Framework64\v3.5\AddInUtil.exe
Process Size: 40.9 KB (41,880 bytes)
Process MD5 Hash: 169271A10EBCD60D97EE87DE7522012E
Parent: [22668]C:\Windows\System32\msiexec.exe
Parent Process Size: 176 KB (180,224 bytes)
Rule: BlockAddInUtilExecution
Rule Name: Block execution of addinutil.exe
Command Line: "c:\WINDOWS\Microsoft.NET\Framework64\v3.5\addinutil.exe" -PipelineRoot:"c:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\Pipeline.v10.0\." -Rebuild
Signer: Microsoft Corporation
Parent Signer: <NULL>
User/Domain: SYSTEM/NT AUTHORITY
System File: True
Parent System File: True
Integrity Level: System
Parent Integrity Level: System
 

NoVirusThanks

From NoVirusThanks
Verified
Developer
Well-known
Aug 23, 2012
293
Here is a pre-release test 1 version of OSArmor PERSONAL v1.8.1:

Code:
https://downloads.osarmor.com/osa-personal-1-8-1-setup-test1.exe

Here is what's new so far:

+ Added more signers to Trusted Vendors list
+ Added new internal rules to block suspicious behaviors
+ Added Protect other popular applications with anti-exploit module
+ Added Block execution of .msp scripts <--- Disabled in all profiles
+ Added Block execution of .msu scripts <--- Disabled in all profiles
+ Added Block execution of .msrcincident scripts
+ Added Block execution of .mhtml\mht scripts
+ Added Block execution of .nfo scripts
+ Added Block execution of .chm scripts
+ Added Block execution of .hlp scripts
+ Fixed all reported false positives
+ Minor improvements

** The new protection options need to be enabled manually from the Configurator
** Blocking of .msp and .msu scripts may create issues with Windows updates (alerts level is set to "High" and they are disabled in all profiles)

You can install it "over-the-top" of the installed version, reboot is not needed.

Let me know if you find issues or FPs.

@blackice @wat0114 @Back3

Thanks for reporting the FPs, they are all fixed in this new build.

Regarding Macrium Reflect FP, I contacted Macrium asking them to sign also vpatch.exe
 

Gandalf_The_Grey

Level 84
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Apr 24, 2016
7,417
G

Guilhermesene

@Gandalf_The_Grey Do you use this application? I was in the trial period and I like it a lot, mainly because of the vendor list that blocks programs that are not on my list. I was combining it with SysHardener, but I don't know which is better: Kaspersky in default deny mode or the two apps mentioned
 
  • +Reputation
Reactions: Gandalf_The_Grey

Gandalf_The_Grey

Level 84
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Apr 24, 2016
7,417
@Gandalf_The_Grey Do you use this application? I was in the trial period and I like it a lot, mainly because of the vendor list that blocks programs that are not on my list. I was combining it with SysHardener, but I don't know which is better: Kaspersky in default deny mode or the two apps mentioned
No, I don't use it anymore since it became a paid application.
It never blocked something (bad) on my system, so I probably don't need it.

Liked it when it was free, same as SysHardner, then went to Andy's tools (ConfigureDefender and Simple Windows Hardening) and now I'm using Dan's tools (DefenderUI and VoodooShield).
Since you are already paying for Kaspersky I would go with its default deny mode.

Like all this hardening, but not sure if it is worth paying for when you also use a full AV suite, like Kaspersky.
 
G

Guilhermesene

No, I don't use it anymore since it became a paid application.
It never blocked something (bad) on my system, so I probably don't need it.

Liked it when it was free, same as SysHardner, then went to Andy's tools (ConfigureDefender and Simple Windows Hardening) and now I'm using Dan's tools (DefenderUI and VoodooShield).
Since you are already paying for Kaspersky I would go with its default deny mode.

Like all this hardening, but not sure if it is worth paying for when you also use a full AV suite, like Kaspersky.
Thanks for the tips noble master @Gandalf_The_Grey 🙂👏🏻
 

Gandalf_The_Grey

Level 84
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Apr 24, 2016
7,417
You said that free OSArmor never blocked something bad on your system. I know it's OT but did VoodooShield block bad stuff?
No, you are absolutely right, probably I just need an AV.
I currently use DefenderUI Pro (= DefenderUI + VS lite in one tool), but sometimes I miss the editable whitelist and user log of the full VS and go back to DefenderUI and VS.
 
G

Guilhermesene

When the system is upgraded, for example as now to version 22H2, does OSarmor still work normally? Taking advantage of the question, I would also like to know for the SysHardener 🙂 thanks to whoever answers me
 

Back3

Level 14
Verified
Top Poster
Apr 14, 2019
674
Tried to update Garmin Express to version 7.14 version 1.8.1 test 4

Date/Time: 2022-09-21 03:15:30
Process: [5288]C:\ProgramData\Package Cache\988E476F9C725092B008E9A8E6A0437E07C02427\LegacyApplicationsUninstaller.exe
Process Size: 187 KB (191 488 bytes)
Process MD5 Hash: B3890A7ED9C5D538B7901B7C9AAB0658
Parent: [2816]C:\Users\*****\AppData\Local\Temp\{3E410583-B76A-4006-8001-E8B04DBE9D6F}\.be\GarminExpressInstaller.exe
Parent Process Size: 1,03 MB (1 081 928 bytes)
Rule: BlockUnsignedProcsOnUserSpace
Rule Name: Block unsigned processes on user space
Command Line: "C:\ProgramData\Package Cache\988E476F9C725092B008E9A8E6A0437E07C02427\LegacyApplicationsUninstaller.exe" /q
Signer: <NULL>
Parent Signer: Garmin International, Inc.
User/Domain: *****/DESKTOP-RVRBA7M
System File: False
Parent System File: False
Integrity Level: High
Parent Integrity Level: High
 

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

User Menu

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top