NoVirusThanks OSArmor

NoVirusThanks

From NoVirusThanks
Verified
Developer
Well-known
Aug 23, 2012
292
@tiktoshi

Can you try one of these new exclusions:

Code:
[%PROCESS%: C:\Windows\System32\wscript.exe] [%PARENTPROCESS%: C:\Windows\explorer.exe] [%PROCESSCMDLINE%: "C:\Windows\System32\WScript.exe" "C:\Windows\SysWOW64\slmgr.vbs"]

Code:
[%PROCESS%: C:\Windows\System32\wscript.exe] [%PARENTPROCESS%: C:\Windows\explorer.exe] [%PROCESSCMDLINE%: "C:\Windows\System32\WScript.exe" "C:\Windows\SysWOW64\slmgr.vbs"?]

Code:
[%PROCESS%: C:\Windows\System32\wscript.exe] [%PARENTPROCESS%: C:\Windows\explorer.exe] [%PROCESSCMDLINE%: "C:\Windows\System32\WScript.exe" "C:\Windows\SysWOW64\slmgr.vbs"*]

Let me know which one work.

Other problems can not retrieve settings

The "Reset to Default" button just unchecks the options that are unchecked by default.

I'll make sure it also checks all the other options.
 

shmu26

Level 85
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Jul 3, 2015
8,150
I only reported that OSArmor can block an application after that application is sandboxed by Sandboxie. .
I think that is basically what people want, though. They want their malware to be both sandboxed and blocked. They don't want keyloggers living inside their browser's sandboxed environment, for instance.
 

NoVirusThanks

From NoVirusThanks
Verified
Developer
Well-known
Aug 23, 2012
292
Here is a new v1.4 (pre-release) (test7):
http://downloads.novirusthanks.org/files/osarmor_setup_1.4_test7.exe

*** Please do not share the download link, we will delete it when we'll release the official v1.4 ***

So far this is what's new compared to the previous pre-release:

+ Block execution of any process related to Radmin (unchecked by default)
+ Scroll the list of protections using the mouse wheel
+ Fixed button to reset protection options to the default values
+ Many improvements in the internal rules
+ Fixed all reported false positives

This pre-release version can be installed over the top of the previous one.

Please let me know if you find new FPs.

@tiktoshi

Other problems can not retrieve settings

It is fixed now (test7).

@l0rdraiden

What are all those internal rules you add?

Rules to identify bad process behaviors.
 

shmu26

Level 85
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Jul 3, 2015
8,150
I got a couple error messages from my logitech mouse (in addition to the appguard license issue that was reported on the other forum)

Capture.PNG
Capture2.PNG
 
D

Deleted member 65228

@shmu26 0xC0000142 (NTSTATUS) is STATUS_DLL_INIT_FAILED. Probably interception was done via PsSetLoadImageNotifyRoutine/Ex for process start-up monitoring (once NTDLL.DLL load triggered the callback) and it was blocked, unless PsSetCreateProcessNotifyRoutine/Ex or FltRegisterFilter was used for blocking and specified that specific NTSTATUS error code when the operation was blocked. Disable all security software you have temporary and slowly re-enable each one one-by-one to identify which specific one is causing the problem, of course assuming it is indeed related to security software on your machine.
 

NoVirusThanks

From NoVirusThanks
Verified
Developer
Well-known
Aug 23, 2012
292
Here is a new v1.4 (pre-release) (test8 ):
http://downloads.novirusthanks.org/files/osarmor_setup_1.4_test8.exe

*** Please do not share the download link, we will delete it when we'll release the official v1.4 ***

So far this is what's new compared to the previous pre-release:

+ Fixed an issue on test 7

This pre-release version can be installed over the top of the previous one.

@shmu26

Should work fine now, thanks for reporting the issue.
 

shmu26

Level 85
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Jul 3, 2015
8,150
@shmu26 0xC0000142 (NTSTATUS) is STATUS_DLL_INIT_FAILED. Probably interception was done via PsSetLoadImageNotifyRoutine/Ex for process start-up monitoring (once NTDLL.DLL load triggered the callback) and it was blocked, unless PsSetCreateProcessNotifyRoutine/Ex or FltRegisterFilter was used for blocking and specified that specific NTSTATUS error code when the operation was blocked. Disable all security software you have temporary and slowly re-enable each one one-by-one to identify which specific one is causing the problem, of course assuming it is indeed related to security software on your machine.
Thanks, but the new OSA build fixed it. This issue arose immediately after installing test 7, and the folks over on the other forum were reporting lots of error messages from it, so it really was a no-brainer that OSA test 7 was the culprit.
 

l0rdraiden

Level 3
Verified
Jul 28, 2017
108
Here is a new v1.4 (pre-release) (test7):
http://downloads.novirusthanks.org/files/osarmor_setup_1.4_test7.exe

*** Please do not share the download link, we will delete it when we'll release the official v1.4 ***

So far this is what's new compared to the previous pre-release:

+ Block execution of any process related to Radmin (unchecked by default)
+ Scroll the list of protections using the mouse wheel
+ Fixed button to reset protection options to the default values
+ Many improvements in the internal rules
+ Fixed all reported false positives

This pre-release version can be installed over the top of the previous one.

Please let me know if you find new FPs.

@tiktoshi



It is fixed now (test7).

@l0rdraiden



Rules to identify bad process behaviors.
But those are not part of the list we can see.0
How the behaviour blocker detections are presented to they users If there is no rule linked to them? Are the popups different?
 
Last edited:
  • Like
Reactions: AtlBo

NoVirusThanks

From NoVirusThanks
Verified
Developer
Well-known
Aug 23, 2012
292
But those are not part of the list we can see.

Basic anti-exploit protection
Block execution of suspicious processes
Block processes located in suspicious folders
Block suspicious Svchost.exe process behaviors
Block direct execution of JavaScript and VBscript code
Block command-lines that match shellcode-like patterns
Block execution of suspicious scripts
Block malformed PowerShell commands
And so on...

All these protection options (and many more) use a lot of internal rules.

For example, to identify a malformed PowerShell command we use 50+ internal rules (and we will add more).

All the internal rules that we add ("Added N+ internal rules") are associated with the protection options listed.
 
Last edited:

tiktoshi

Level 5
Verified
Jan 19, 2015
205
Here is a new v1.4 (pre-release) (test7):
http://downloads.novirusthanks.org/files/osarmor_setup_1.4_test7.exe

*** Please do not share the download link, we will delete it when we'll release the official v1.4 ***

So far this is what's new compared to the previous pre-release:

+ Block execution of any process related to Radmin (unchecked by default)
+ Scroll the list of protections using the mouse wheel
+ Fixed button to reset protection options to the default values
+ Many improvements in the internal rules
+ Fixed all reported false positives

This pre-release version can be installed over the top of the previous one.

Please let me know if you find new FPs.

@tiktoshi



It is fixed now (test7).

@l0rdraiden



Rules to identify bad process behaviors.


+ Fixed button to reset protection options to the default values

Problem solved
 

NoVirusThanks

From NoVirusThanks
Verified
Developer
Well-known
Aug 23, 2012
292
Here is a new v1.4 (pre-release) (test9 ):
http://downloads.novirusthanks.org/files/osarmor_setup_1.4_test9.exe

*** Please do not share the download link, we will delete it when we'll release the official v1.4 ***

So far this is what's new compared to the previous pre-release:

+ Fixed blocking of processes executed from mmc.exe
+ Minor fixes and optimizations

This pre-release version can be installed over the top of the previous one.
 

DavidLMO

Level 4
Verified
Dec 25, 2017
158
( maybe ) a stupid question : can nvt os armor run alongside nvt exe radar pro and mbae? Thanks!

I have all 3 running on Win 7 box and also Hitmanpro.alert (beta). After a few initial set up problems (over 2 weeks ago) everything has been stable since. Also running Malwarebytes with thinks unticked so I use it as a scanner.
 
  • Like
Reactions: AtlBo and FrFc1908

shmu26

Level 85
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Jul 3, 2015
8,150
Here is a new v1.4 (pre-release) (test9 ):
http://downloads.novirusthanks.org/files/osarmor_setup_1.4_test9.exe

*** Please do not share the download link, we will delete it when we'll release the official v1.4 ***

So far this is what's new compared to the previous pre-release:

+ Fixed blocking of processes executed from mmc.exe
+ Minor fixes and optimizations

This pre-release version can be installed over the top of the previous one.
Some of the HP blocks came back:

Date/Time: 1/2/2018 7:04:00 PM
Process: [8476]C:\Windows\SysWOW64\mshta.exe
Parent: [8472]C:\Program Files\HP\HP Officejet Pro 6830\Bin\HP Officejet Pro 6830.exe
Rule: BlockHtaScripts
Rule Name: Block execution of .hta scripts
Command Line: "C:\WINDOWS\SysWOW64\mshta.exe" "C:\Program Files\HP\HP Officejet Pro 6830\Bin\HPSPProgress.hta" -lang_id="1033"
Signer:
Parent Signer: Hewlett Packard

Date/Time: 1/2/2018 7:04:22 PM
Process: [2148]C:\Windows\SysWOW64\mshta.exe
Parent: [8472]C:\Program Files\HP\HP Officejet Pro 6830\Bin\HP Officejet Pro 6830.exe
Rule: BlockHtaScripts
Rule Name: Block execution of .hta scripts
Command Line: "C:\WINDOWS\SysWOW64\mshta.exe" "C:\Program Files\HP\HP Officejet Pro 6830\Bin\HPSolutionsPortal.hta" -data_folder="C:\ProgramData\HP\HP Officejet Pro 6830\HPUDC\HP Officejet Pro 6830 (Network)\"
Signer:
Parent Signer: Hewlett Packard
 

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

User Menu

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top