NoVirusThanks OSArmor

shmu26

Level 85
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Jul 3, 2015
8,150
I think this combination is a recipe for disaster. Especially with HMPA which already can cause issues on a clean system.
+1
When a person piles up security softs like that, he might actually be weakening his protection, rather than strengthening it. "Too many cooks spoil the soup."
 
P

plat1098

Just curious, is it Malwarebytes Anti-exploit free? Even if not, what does this offer in addition to Alert? There are always risks of "silent" conflicts, even with exclusions in place. I would not underestimate Alert's capabilities; for example, on here, occasionally it is still squabbling with Sandboxie for control over Firefox plugins and .dll, etc but is very calm with OSArmor, no problems.

HitmanPro.ALERT Support and Discussion Thread
 
D

Deleted member 65228

Malwarebytes Anti-Exploit offers forcing of protection features like Address Space Layout Randomisation (ASLR), Data Execution Prevention (DEP) and can help mitigate exploits for various software. However, Windows 10 now has EMET features built-in and HitmanPro.Alert covers a whole lot more in my opinion.

However, with more functionality provides more system slow-down and more potential problems. I don't know about the performance with HitmanPro.Alert on a regular basis, however I do know it breaks an awful lot of software depending on the configuration, and also after updates to various software. I see a lot of break reports... So I'd say it is probably better for a business who update software/their OS software after check-ups and X amount of time.

Both are good though; don't use both at the same time though.
 

NoVirusThanks

From NoVirusThanks
Verified
Developer
Well-known
Aug 23, 2012
292
Here is a new v1.4 (pre-release) (test10):
http://downloads.novirusthanks.org/files/osarmor_setup_1.4_test10.exe

*** Please do not share the download link, we will delete it when we'll release the official v1.4 ***

So far this is what's new compared to the previous pre-release:

+ Block any process executed from javaw.exe (except java.exe)
+ Block any process executed from java.exe
+ Fixed display of GUI and Configurator on multi-monitors
+ Minor fixes and optimizations

This pre-release version can be installed over the top of the previous one.

We're now working on the driver to support Secure Boot.

@shmu26

Some of the HP blocks came back

Should be fixed in this test10.
 
F

ForgottenSeer 58943

Here is a new v1.4 (pre-release) (test10):
http://downloads.novirusthanks.org/files/osarmor_setup_1.4_test10.exe

*** Please do not share the download link, we will delete it when we'll release the official v1.4 ***

So far this is what's new compared to the previous pre-release:

+ Block any process executed from javaw.exe (except java.exe)
+ Block any process executed from java.exe
+ Fixed display of GUI and Configurator on multi-monitors
+ Minor fixes and optimizations

This pre-release version can be installed over the top of the previous one.

We're now working on the driver to support Secure Boot.

@shmu26



Should be fixed in this test10.

The most important fix in this was the ability to use the mouse wheel to scroll through the rules.
 

71Hemi

Level 2
Verified
Dec 12, 2015
82
@ NoVirusThanks

Just a FP you should be aware of...

Date/Time: 1/1/2018 1:05:18 AM
Process: [10156]C:\ProgramData\Panda Security\Panda Devices Agent\Downloads\94f8cda3e22ca03b64f714f92fb73415\PSExpCampaign.exe
Parent: [2124]C:\Program Files (x86)\Panda Security\Panda Devices Agent\AgentSvc.exe
Rule: BlockSuspiciousProcesses
Rule Name: Block execution of suspicious processes
Command Line: "C:\ProgramData\Panda Security\Panda Devices Agent\Downloads\94f8cda3e22ca03b64f714f92fb73415\PSExpCampaign.exe"
Signer: Panda Security S.L
Parent Signer: Panda Security S.L

and... Thank You for this Excellent program
 

l0rdraiden

Level 3
Verified
Jul 28, 2017
108
Here is a new v1.4 (pre-release) (test10):
http://downloads.novirusthanks.org/files/osarmor_setup_1.4_test10.exe

*** Please do not share the download link, we will delete it when we'll release the official v1.4 ***

So far this is what's new compared to the previous pre-release:

+ Block any process executed from javaw.exe (except java.exe)
+ Block any process executed from java.exe
+ Fixed display of GUI and Configurator on multi-monitors
+ Minor fixes and optimizations

This pre-release version can be installed over the top of the previous one.

We're now working on the driver to support Secure Boot.

@shmu26



Should be fixed in this test10.
You already offer it for free that is a lot but I am just wondering what do you think about making the rules open source, so more people can contribute and you could review them before each release.

Does Osarmor have popups when something is detected? I think it would be useful to have additional information of the file, like a direct link to VT or anything else
 
  • Like
Reactions: AtlBo and Andy Ful

Windows_Security

Level 24
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Mar 13, 2016
1,298
Edit the the CustomBlock.db and Exclusions.db

See ObjectBlcoker explanation of attached file (add a few general block rules and exceptions and you basically have the new and improvend NVT V4) ;)(y)
 

Attachments

  • Variables.txt
    8.7 KB · Views: 461
Last edited:

Windows_Security

Level 24
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Mar 13, 2016
1,298
EDIT: IT IS EVEN SIMPLER TO ALLOW ONLY SIGNED PROCESS EXECUTION FROM NORMAL USER FOLDERS

OPEN CONFIGURATOR: CHECK WHETHER THESE SETTINGS ARE ENABLED
Block suspicious Explorer.exe process behaviors
Block processes located in suspicious folders
Block execution of unsigned processes on Local AppData
Block execution of unsigned processes on Roaming AppData
Block execution of unsigned processes on Common AppData

ADD A CUSTOM BLOCK-RULES (change Kees to your name)
; Block executables from data partition D (documents) on main drive and and Q (quick backup) on second harddisk
[%PROCESS%: D:\*]
[%PROCESS%: Q:\*]

; Block executables from public folders on C drive
[%PROCESS%: C:\Users\Public\*]

; Block executables from my user folders on C drive
[%PROCESS%: C:\Users\Kees\Contacts\*]
[%PROCESS%: C:\Users\Kees\Downloads\*]
[%PROCESS%: C:\Users\Kees\Desktop\*]
[%PROCESS%: C:\Users\Kees\Documents\*]
[%PROCESS%: C:\Users\Kees\Music\*]
[%PROCESS%: C:\Users\Kees\Videos\*]
[%PROCESS%: C:\Users\Kees\Saved Games\*]
[%PROCESS%: C:\Users\Kees\Searches\*]

ONLY DOWNSIDE IS THAT YOU HAVE TO INSTALL AND UPDATE FROM YOUR TEMP FOLDER

@NoVirusThanks would it be possible to add a ALLOW SIGNED EXECUTION FROM DESKTOP rule and block execution in other user folders?

--------------------------- Tested with unsigned (AppTimer) and signed (ProcessExplorer) see log below
NOTE PROCESS EXPLORER (SIGNED) WAS ALLOWED TO EXECUTE FROM TEMP AND OTHER APPDATA LOCATIONS

Date/Time: 3-1-2018 12:04:41
Process: [2204]C:\Users\Kees\AppData\Local\Temp\AppTimer.exe
Parent: [2496]C:\Windows\explorer.exe
Rule: BlockSuspiciousExplorerBehaviors
Rule Name: Block suspicious Explorer.exe process behaviors
Command Line: "C:\Users\Kees\AppData\Local\Temp\AppTimer.exe"
Signer:
Parent Signer:

Date/Time: 3-1-2018 12:04:59
Process: [768]C:\Users\Kees\AppTimer.exe
Parent: [2496]C:\Windows\explorer.exe
Rule: BlockProcessesOnSuspiciousFolders
Rule Name: Block processes located in suspicious folders
Command Line: "C:\Users\Kees\AppTimer.exe"
Signer:
Parent Signer:

Date/Time: 3-1-2018 12:05:35
Process: [824]C:\Users\Kees\Documents\AppTimer.exe
Parent: [2496]C:\Windows\explorer.exe
Rule: CustomBlockRule
Rule Name: Custom process-block rule via CustomBlock.db
Command Line: "C:\Users\Kees\Documents\AppTimer.exe"
Signer:
Parent Signer:

Date/Time: 3-1-2018 12:06:20
Process: [3232]C:\Users\Kees\Documents\procexp.exe
Parent: [2496]C:\Windows\explorer.exe
Rule: CustomBlockRule
Rule Name: Custom process-block rule via CustomBlock.db
Command Line: "C:\Users\Kees\Documents\procexp.exe"
Signer: Microsoft Corporation
Parent Signer:

WITH ABOVE SETTING OS-ARMOR IS NICE FREE REPLACEMENT FOR APPGUARD (DEFAULT MODE, NOT LOCKDOWN).
 
Last edited:

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,040
The rule:
Edit the the CustomBlock.db and Exclusions.db

See ObjectBlcoker explanation of attached file (add a few general block rules and exceptions and you basically have the new and improvend NVT V4) ;)(y)
Thanks for the useful command summary. :)
I noticed that only variables: %PROCESS%, %PARENTPROCESS% and %PROCESSCMDLINE% can be used for OSArmor (Andreas mentioned this in CustomBlock.db). The other variables (from SOB) are probably not supported. So, one cannot block DLL files.:(

But anyway, the variables %PROCESS%, %PARENTPROCESS% and %PROCESSCMDLINE% are very useful.(y)
 

NoVirusThanks

From NoVirusThanks
Verified
Developer
Well-known
Aug 23, 2012
292
Just a quick update, new v1.4 (pre-release) (test11):
http://downloads.novirusthanks.org/files/osarmor_setup_1.4_test11.exe

*** Please do not share the download link, we will delete it when we'll release the official v1.4 ***

So far this is what's new compared to the previous pre-release:

+ Added buttons to save\load protection options to\from a file
+ Some improvements on internal rules
+ Fixed all reported false positives

@Darrin

Thanks for reporting it, should be fixed in this test 11.

I've also fine-tuned some internal rules related to that FP.

@l0rdraiden

what do you think about making the rules open source

We have not plan for that about OSArmor, but you may use the "Custom Block-Rules" to create customized or specific block-rules.

It works the same way as SOB but supports only 3 variables.

However, if you have some ideas about new rules, just let me know via PM or posting there and we'll discuss if add them to OSArmor "Configurator".

Does Osarmor have popups when something is detected?

Yes, it shows a popup dialog when something is blocked.

I think it would be useful to have additional information of the file, like a direct link to VT or anything else

A link to VT would not help much, since many exploits run system processes like cmd.exe, etc, the VT link would show the file as clean.

@Windows_Security

would it be possible to add a ALLOW SIGNED EXECUTION FROM DESKTOP rule and block execution in other user folders?

You mean like adding "Block unsigned processes on Desktop folder" on Configurator right?

We can add it and make it unchecked by default (can create some FPs to regular users).

@Andy Ful

Yes, OSArmor supports only 3 variables for now, but I can add support for %SIGNER% and %PARENTSIGNER% in case.

Then you have all that you need to create very fine-tuned custom process-block rules.
 
D

Deleted member 65228

Would be viable to offer MBR protection?
Just use MBRFilter, it's free. Use it alongside NVT OSArmor. The developer signed up here recently to respond to me, not sure if they are still active here but the developer is smart and experienced and MBRFilter does work quite well (they just need to improve the uninstallation process I think so its more user friendly).
 

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

User Menu

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top