NoVirusThanks OSArmor

plat

Level 29
Top Poster
Sep 13, 2018
1,793
Here is the first blog from OSArmor. It is a good one! Always a helpful reminder not to click away at every little thing. Thanks, a nice (and very short) read. (y)


Mostly all fake installers we have found were in .ZIP, .RAR, .EXE or .MSI file extensions.

Of course, it seems crucial to have a content blocker also or the browser configured accordingly.
 

Gandalf_The_Grey

Level 84
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Apr 24, 2016
7,415
Here is a pre-release test 7 version of OSArmor PERSONAL v1.8.2:

Here is what's new compared to previous build:

+ Improved Password-protect power options with Windows Admin Credentials

You can install over-the-top, reboot is not needed.

Let me know if you find issues or FPs.
 

Victor M

Level 13
Verified
Top Poster
Well-known
Oct 3, 2022
646
@NoVirusThanks

I have a problem. OSArmor refuses the password to disable protection or access configurator when I am joined to a domain. I have done image restores and tried both account based password as well as plain password. In both cases it refuses to acknowledge the password. I will try test7 and see how it goes. I am still on test6.

EDIT: Just tried out test7. Thanks for the fixes. Now domain accounts work. I can disable protection. However I cannot open configurator from domain standard account. Is that deliberate?
 
Last edited:
G

Guilhermesene

@NoVirusThanks

I have a question about the product: I use Total Commander as the operating system's file manager, however, when I use OSarmor (activating the list of trusted suppliers), even with this option active, I can run any executable through TCMD normally. that is from an off-list vendor. The question is, does OSarmor (trusted vendor list) only work if you are using Windows Explorer?
 

NoVirusThanks

From NoVirusThanks
Verified
Developer
Well-known
Aug 23, 2012
293
We've released OSArmor v1.8.2:

Here is the changelog:

[13-Jan-2023] v1.8.2.0

+ Added option to manually check for updates
+ Added new internal rules to block suspicious behaviors
+ Added more signers to Trusted Vendors list
+ Improved support for high-DPI
+ Do not ask for password when Enable Protection is clicked
+ Added option Allow known safe third-party processes behaviors
+ Added option Do not monitor non critical programs
+ Improved Block execution of Group Policy Editor
+ Improved Password-protect power options with Windows Admin Credentials
+ Fixed all reported false positives
+ Updated NVT License Manager with latest version
+ Renamed Extreme Protection profile in Maximum Protection
+ Updated Help/FAQs file
+ Minor improvements

If you have automatic updates enabled then OSArmor should auto-update in the next hours.

Else you can install it "over-the-top" of the installed version, reboot is not needed.

* If you used test builds you should manually update to this final version (install over-the-top is fine).

If you find false positives or issues please let me know.

A few information:

We added this new option "Allow known safe third-party processes behaviors" so users/companies have the option, if required, to disable the internal rules to allow known and safe third-party software behaviors (can be used to create personalized exclusion rules only for the third party software you have installed).

We also added this new option "Do not monitor non critical programs" (may be renamed in future) so users can choose to monitor any program (such as third-party file managers, etc) instead of monitoring only critical programs.

The above two options (enabled by default, at the moment) will help in reducing false positives, especially the first one.

The option "Enable internal rules to allow safe behaviors" now handles only system-related known and safe processes behaviors (highly recommended to have it enabled).

@Victor M

This new version fixed the issue you reported, mainly to make it work:

1) Create two new users in the AD server, e.g Dev-SUA and Dev-Admin

2) On the W10 PC go on Account -> Access work or school -> click on Connect

3) Click on the link "Join this device to a local Active Directory domain"

4) Enter the domain and then enter the username and password for the user that will be SUA (e.g Dev-SUA)

5) Select the account type as Standard User Account

6) Then restart the PC.

Repeat steps from 2 to 6 but for Administrator account (basically, enter username Dev-Admin and set it as Administrator)

Then on OSArmor enable the option "Password-protect power options with Windows Admin Credentials"

From the SUA account, when you are prompted to enter the credentials to unlock OSArmor window/right-click menu/etc, select the username (Administrator account) e.g DOMAIN\Dev-Admin and enter its password.

That will work fine (tested here on a Windows Server 2022 and a Windows 10 and Windows 11 VM).

It is important that you connect both SUA and Admin accounts because OSArmor option "Password-protect power options with Windows Admin Credentials" requires that you enter credentials for an Administrator account (and in this case it must be connected to the AD domain).

@Guilhermesene @Zero Knowledge

We're running some tests with multi-year subscription in these days (2 years plan), if all goes well we should add them very soon.

We're also discussing about discounts for multi-products purchased in a bundle (e.g OSArmor + SysHardener).

Will update here as soon as I can share more details.

@Guilhermesene

The behavior you described is correct for OSArmor <= 1.8.1, now with the final release of OSArmor v1.8.2 we introduced this new option:

"Do not monitor non critical programs" -> If you uncheck it, all programs (also non critical like Total Commander and any other third-party file manager) will be monitored.

At the moment it is enabled by default.
 
Last edited:

NoVirusThanks

From NoVirusThanks
Verified
Developer
Well-known
Aug 23, 2012
293
Here is a pre-release test 2 version of OSArmor PERSONAL v1.8.3:

Code:
https://downloads.osarmor.com/osa-personal-1-8-3-test2.exe

What's new so far:

+ Added more signers to Trusted Vendors list
+ Added popup menu option "Copy to Clipboard" on Protections List
+ Added Process Integrity and Parent Process Integrity on Exclusions Helper
+ Added new internal rules to block suspicious behaviors
+ Improved installer and uninstaller scripts
+ Fixed all reported false positives
+ Minor improvements

You can install over-the-top, reboot is not needed.

Let me know if you find issues or FPs.
 

Andrezj

Level 6
Verified
Well-known
Nov 21, 2022
248
@NoVirusThanks

currently osarmor has only 3 options for user to respond to alert:
allow always
block always
ignore always

need option to allow and block once
provides more flexibility for advanced, knowledgeable user to control and manage processes on their system

ps - i know advanced, knowledgeable user can write custom rules in osarmor to permit execution by parent, (for process execution monitoring by disallowed parent) but most users will not do that
 
Last edited:

NoVirusThanks

From NoVirusThanks
Verified
Developer
Well-known
Aug 23, 2012
293
@wat0114

Here is a screenshot (mainly added these two fields to be matched in Exclusions Helper GUI):

exclusions-new.png


@Andrezj

OSArmor by default blocks the process behavior and shows the alert to the user after it has been already blocked.

If we add an "Allow Once" option it would allow the event once but only on the next time the process behavior is detected.

We may discuss about add an option like "Exclude for N minutes" probably, like a temporary exclusion that is not written to Exclusions.db file.

The quick way to handle this scenario at the moment is to like disable protection when installing a safe and trusted application and re-enable protection once done (just an example).

Or can be enabled the option "Passive Logging" so all process blocked events are only logged and not blocked.
 

wat0114

Level 13
Verified
Top Poster
Well-known
Apr 5, 2021
621
@wat0114

Here is a screenshot (mainly added these two fields to be matched in Exclusions Helper GUI):
Oh wow, so it is for Mandatory Integrity Control. I just took a look, which I should have done earlier 😬 at Add/Manage exclusions and saw this:

%PROCESSINTEGRITY%,
%PROCESSINTEGRITY% & %PARENTINTEGRITY% can be the following: Untrusted, Low, Medium, Medium Plus, High, System, Protected, Unknown

EDIT

This Parent/Process Integrity option works as I thought it would. Very nice :) As a test I changed the Process Integrity of C:\WINDOWS\system32\eventvwr.msc" /s from Medium to High, with Parent Process C:\Windows\System32\mmc.exe kept at Medium and OSA blocked the attempt to launch event viewer (y) I even tried High/High on both Parent/Process respectively with successful block.
 
Last edited:

Gandalf_The_Grey

Level 84
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Apr 24, 2016
7,415
OSArmor v1.8.3 released:
Download OSArmor for Windows 7, 8, 10, 11 (32 & 64-bit) | OSArmor

Here is the changelog:

+ Added more signers to Trusted Vendors list
+ Added popup menu option "Copy to Clipboard" on Protections tab
+ Added Process Integrity and Parent Process Integrity on Exclusions Helper
+ Added new internal rules to block suspicious behaviors
+ Improved installer and uninstaller scripts
+ Added Block execution of Winget (Windows Package Manager)
+ Updated FAQs (Help.txt) with new questions and answers
+ Fixed all reported false positives
+ Minor improvements

If you have automatic updates enabled then OSArmor should auto-update in the next hours.

Else you can install it "over-the-top" of the installed version, reboot is not needed.

* If you used test builds you should manually update to this final version (install over-the-top is fine).

If you find false positives or issues please let me know.
 

NoVirusThanks

From NoVirusThanks
Verified
Developer
Well-known
Aug 23, 2012
293
Here is a pre-release test 1 version of OSArmor PERSONAL v1.8.4:

Code:
https://downloads.osarmor.com/osarmor-personal-1-8-4-test1.exe

What's new so far:

+ Added more signers to Trusted Vendors list
+ Added option Show a notification when product has been updated
+ Added new internal rules to block suspicious behaviors
+ Fixed all reported false positives
+ Minor improvements

You can install over-the-top, reboot is not needed.

Let me know if you find issues or FPs.

@LDogg

We've not discussed about it yet, but it is not in the current roadmap.
 

NoVirusThanks

From NoVirusThanks
Verified
Developer
Well-known
Aug 23, 2012
293
We've released OSArmor v1.8.4:

Here is the changelog:

[15-Feb-2023] v1.8.4.0

+ Added more signers to Trusted Vendors list
+ Added option Show a notification when product has been updated
+ Added new internal rules to block suspicious behaviors
+ Fixed all reported false positives
+ Minor improvements

If you have automatic updates enabled then OSArmor should auto-update in the next hours.

Else you can install it "over-the-top" of the installed version, reboot is not needed.

* If you used test builds you should manually update to this final version (install over-the-top is fine).

If you find false positives or issues please let me know.
 

Mark484

Level 1
Mar 8, 2023
27
Hello. I have a question about version 1.4.3.
Is it possible in version 1.4.3 to prohibit unsigned programs from direct access to the disk?
If so, how to do it (what rule should I write for this)?
Direct access to the disk is usually needed by encryption programs and programs for low-level disk formatting.
 
  • Like
Reactions: Sorrento

Thales

Level 15
Verified
Top Poster
Well-known
Nov 26, 2017
732
Hello. I have a question about version 1.4.3.
Is it possible in version 1.4.3 to prohibit unsigned programs from direct access to the disk?
If so, how to do it (what rule should I write for this)?
Direct access to the disk is usually needed by encryption programs and programs for low-level disk formatting.
I have no idea if this works but...

Here are the steps to create a rule to restrict disk access for unsigned programs in OSArmor:
  1. Open OSArmor and click on the "Rules" tab.
  2. Click on the "Add" button to create a new rule.
  3. In the "Add Rule" window, select "Disk Access" as the rule type.
  4. Under the "Process" section, select "Unsigned" from the drop-down menu.
  5. Under the "File/Folder" section, select the drive or folder that you want to restrict access to.
  6. Under the "Action" section, select "Block" or "Log" depending on how you want OSArmor to respond when an unsigned program tries to access the disk.
  7. Click on the "Save" button to create the new rule.
By creating this rule, OSArmor will restrict disk access for any program that is not digitally signed, including programs that require low-level disk formatting or encryption. However, keep in mind that this could potentially cause issues with certain programs, so it is important to test thoroughly before implementing this rule.
 

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

User Menu

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top