NoVirusThanks OSArmor

shmu26

Level 85
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Jul 3, 2015
8,150
I am still seeing blocks from HP printer software:

Date/Time: 12/31/2017 9:02:38 AM
Process: [3608]C:\Windows\SysWOW64\mshta.exe
Parent: [14256]C:\Program Files\HP\HP Officejet Pro 6830\Bin\HP Officejet Pro 6830.exe
Rule: BlockHtaScripts
Rule Name: Block execution of .hta scripts
Command Line: "C:\Windows\SysWOW64\mshta.exe" "C:\Program Files\HP\HP Officejet Pro 6830\Bin\HPSPProgress.hta" -lang_id="1033"
Signer:
Parent Signer: Hewlett Packard

Date/Time: 12/31/2017 9:03:07 AM
Process: [764]C:\Windows\SysWOW64\mshta.exe
Parent: [14256]C:\Program Files\HP\HP Officejet Pro 6830\Bin\HP Officejet Pro 6830.exe
Rule: BlockHtaScripts
Rule Name: Block execution of .hta scripts
Command Line: "C:\Windows\SysWOW64\mshta.exe" "C:\Program Files\HP\HP Officejet Pro 6830\Bin\HPSolutionsPortal.hta" -data_folder="C:\ProgramData\HP\HP Officejet Pro 6830\HPUDC\HP Officejet Pro 6830 (Network)\"
Signer:
Parent Signer: Hewlett Packard
Also these:

Date/Time: 12/31/2017 12:06:10 PM
Process: [12696]C:\Windows\SysWOW64\cmd.exe
Parent: [6472]C:\Windows\SysWOW64\mshta.exe
Rule: BlockProcessesFromMshta
Rule Name: Block any process executed from mshta.exe
Command Line: "C:\Windows\System32\cmd.exe" /C "copy /Y "C:\ProgramData\HP\HP Officejet Pro 6830\HPUDC\HP Officejet Pro 6830 (Network)\UDC_device.json" "C:\ProgramData\HP\HP Officejet Pro 6830\HPUDC\HP Officejet Pro 6830 (Network)\UDC_device_2.json" "
Signer:
Parent Signer:

Date/Time: 12/31/2017 12:06:10 PM
Process: [108]C:\Windows\SysWOW64\cmd.exe
Parent: [6472]C:\Windows\SysWOW64\mshta.exe
Rule: BlockProcessesFromMshta
Rule Name: Block any process executed from mshta.exe
Command Line: "C:\Windows\System32\cmd.exe" /C "del /Q /F "C:\ProgramData\HP\HP Officejet Pro 6830\HPUDC\HP Officejet Pro 6830 (Network)\UDC_device.json""
Signer:
Parent Signer:
 
  • Like
Reactions: AtlBo and Andy Ful

tiktoshi

Level 5
Verified
Jan 19, 2015
205
How Exclusions Work


Code:
Date/Time: 12/31/2017 11:30:15 AM
Process: [6304]C:\Windows\System32\cmd.exe
Parent: [1436]C:\Windows\explorer.exe
Rule: BlockCmdScripts
Rule Name: Block execution of .cmd scripts
Command Line: cmd /c ""C:\GPG\b310 usbloader\hh.cmd" "
Signer:
Parent Signer:
 
  • Like
Reactions: AtlBo

bjm_

Level 14
Verified
Top Poster
Well-known
May 17, 2015
667
Edit
The post was several times edited, because of the complex interactions between Sandboxie and OSArmor. I thought that OSArmor can be triggered first and Sandboxie second, because OSArmor blocked execution of payload.exe in the sandbox so quickly, that sandboxing were not visible. I realized that this can be a problem and changed Sandboxie settings to block payload.exe and then everything was finally clear to me.
...are you reporting that OSA communicates in Sandboxie sandboxes?
 
  • Like
Reactions: Andy Ful and AtlBo
D

Deleted member 65228

...are you reporting that OSA communicates in Sandboxie sandboxes?
When Sandboxie "sandboxes" a process, the process is still on the Host environment. Sandboxie doesn't use virtualisation via the hyper-visor which uses processor-embedded technology such as Intel VT-x or AMD SVM. Therefore, the activities made by a program isolated by Sandboxie still passes through the Host environment's Windows Kernel. Due to this, when a program is isolated by Sandboxie, the Host environment receives the process creation notifications as it still passes through the Windows Kernel of the Host environment. The callbacks are dished out in an order where one callback routine registered by driver X will receive it at a time as far as I am aware, and thus NoVirusThanks OSArmor still becomes aware of when a program is started up regardless of whether it's going into the Sandboxie container or not.

Sandboxie pretty much start up a process under a different user account, inject a DLL into it which hooks a huge amount of APIs (user-mode run-time byte patching to be precise) and relies on kernel-mode callbacks to redirect activities from kernel-mode and not only from user-mode, which makes it a bit more secure than if it relied entirely on user-mode patching for interception and redirection.
 

NoVirusThanks

From NoVirusThanks
Verified
Developer
Well-known
Aug 23, 2012
292
Here is a new v1.4 (pre-release) (test6):
http://downloads.novirusthanks.org/files/osarmor_setup_1.4_test6.exe

*** Please do not share the download link, we will delete it when we'll release the official v1.4 ***

So far this is what's new compared to the previous pre-release:

+ Prevent PowerShell from using Invoke-Expression via cmdline (unchecked by default)
+ Prevent wscript.exe from changing script engine via //E:
+ Prevent cscript.exe from changing script engine via //E:
+ Fixed all reported false positives
+ Added more than 100 internal rules
+ Minor fixes and optimizations

This pre-release version can be installed over the top of the previous one.

Please let me know if you find new FPs.

@tiktoshi

Try with this exlusion rule:

Code:
[%PROCESS%: C:\Windows\System32\cmd.exe] [%PARENTPROCESS%: C:\Windows\explorer.exe] [%PROCESSCMDLINE%: cmd /c ""C:\GPG\b310 usbloader\hh.cmd" "]

@shmu26

The FPs about the HP printer should be fixed now, please confirm.

@Stas

Great!
 
Last edited:

shmu26

Level 85
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Jul 3, 2015
8,150
Here is a new v1.4 (pre-release) (test6):
http://downloads.novirusthanks.org/files/osarmor_setup_1.4_test6.exe

*** Please do not share the download link, we will delete it when we'll release the official v1.4 ***

So far this is what's new compared to the previous pre-release:

+ Prevent PowerShell from using Invoke-Expression via cmdline (unchecked by default)
+ Prevent wscript.exe from changing script engine via //E:
+ Prevent cscript.exe from changing script engine via //E:
+ Fixed all reported false positives
+ Added more than 100 internal rules
+ Minor fixes and optimizations

This pre-release version can be installed over the top of the previous one.

Please let me know if you find new FPs.

@tiktoshi

Try with this exlusion rule:

Code:
[%PROCESS%: C:\Windows\System32\cmd.exe] [%PARENTPROCESS%: C:\Windows\explorer.exe] [%PROCESSCMDLINE%: cmd /c ""C:\GPG\b310 usbloader\hh.cmd" "]

@shmu26

The FPs about the HP printer should be fixed now, please confirm.

@Stas

Great!
Yes, you fixed the FPs from HP printer software. Thanks!
 

bjm_

Level 14
Verified
Top Poster
Well-known
May 17, 2015
667
[..] and thus NoVirusThanks OSArmor still becomes aware of when a program is started up regardless of whether it's going into the Sandboxie container or not.

Sandboxie pretty much start up a process under a different user account, inject a DLL into it which hooks a huge amount of APIs (user-mode run-time byte patching to be precise) and relies on kernel-mode callbacks to redirect activities from kernel-mode and not only from user-mode, which makes it a bit more secure than if it relied entirely on user-mode patching for interception and redirection.
Okay, since Sandbox Settings has Full Access template for ERP. I was wondering regarding OSA communication. Thanks
 
Last edited:
  • Like
Reactions: AtlBo

CMLew

Level 23
Verified
Well-known
Oct 30, 2015
1,251
Installed OSArmor awhile ago.
When turn on Windscibe Pro, one process blocked. Tried a few times and it happens the same.
Details below:-

Date/Time: 12/31/2017 11:10:26 PM
Process: [5232]C:\Windows\System32\conhost.exe
Parent: [13124]C:\Windows\System32\wbem\WMIC.exe
Rule: BlockProcessesFromWMIC
Rule Name: Block any process executed from wmic.exe
Command Line: \??\C:\WINDOWS\system32\conhost.exe 0x4
Signer:
Parent Signer:

Any advice?
 

CMLew

Level 23
Verified
Well-known
Oct 30, 2015
1,251

shmu26

Level 85
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Jul 3, 2015
8,150
Thanks @NoVirusThanks !
I tried the v1.4 and now no more issue.

My previous one was from the main NVT webpage where I got the installer from. I guess it was the stable one but not updated?
The downloads posted here are temporary, experimental builds, leading toward the next version.. They do fix a lot of problems but they have not been tested extensively.
 

tiktoshi

Level 5
Verified
Jan 19, 2015
205
Thank you so much
another request


How Exclusions Work

Code:
Date/Time: 12/31/2017 7:21:04 PM
Process: [7284]C:\Windows\System32\wscript.exe
Parent: [7644]C:\Windows\explorer.exe
Rule: BlockVbsScripts
Rule Name: Block execution of .vbs scripts
Command Line: "C:\Windows\System32\WScript.exe" "C:\Windows\SysWOW64\slmgr.vbs"
 

bjm_

Level 14
Verified
Top Poster
Well-known
May 17, 2015
667
No. I only reported that OSArmor can block an application after that application is sandboxed by Sandboxie. That is not the same as communicating with an application.
Ahh!...maybe that helps explain ERP Full Access template.... *\mailslot\NVTInj\*.
Admitting, I do not fully understand (communicating with an application) the difference.
 
Last edited:
  • Like
Reactions: shmu26

l0rdraiden

Level 3
Verified
Jul 28, 2017
108
Here is a new v1.4 (pre-release) (test6):
http://downloads.novirusthanks.org/files/osarmor_setup_1.4_test6.exe

*** Please do not share the download link, we will delete it when we'll release the official v1.4 ***

So far this is what's new compared to the previous pre-release:

+ Prevent PowerShell from using Invoke-Expression via cmdline (unchecked by default)
+ Prevent wscript.exe from changing script engine via //E:
+ Prevent cscript.exe from changing script engine via //E:
+ Fixed all reported false positives
+ Added more than 100 internal rules
+ Minor fixes and optimizations

This pre-release version can be installed over the top of the previous one.

Please let me know if you find new FPs.

@tiktoshi

Try with this exlusion rule:

Code:
[%PROCESS%: C:\Windows\System32\cmd.exe] [%PARENTPROCESS%: C:\Windows\explorer.exe] [%PROCESSCMDLINE%: cmd /c ""C:\GPG\b310 usbloader\hh.cmd" "]

@shmu26

The FPs about the HP printer should be fixed now, please confirm.

@Stas

Great!
What are all those internal rules you add?
 

tiktoshi

Level 5
Verified
Jan 19, 2015
205
@tiktoshi

Try with this exclusion rule:

Code:
[%PROCESS%: C:\Windows\System32\wscript.exe] [%PARENTPROCESS%: C:\Windows\explorer.exe] [%PROCESSCMDLINE%: "C:\Windows\System32\WScript.exe" "C:\Windows\SysWOW64\slmgr.vbs" ]

Did not work

2017-12-31_19-53-54.jpg
 

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

User Menu

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top