NoVirusThanks OSArmor

Windows_Security

Level 24
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Mar 13, 2016
1,298
Will those variables recognize only files with a faithful digital signature?

As far as I know, it just checks the values of the executable meta-data; Andreas should answer this question. Malware can have forged signatures, but still only 5-10 percent of malware is signed with forged signatures, so even a simple check on signature meta already reduces the chance of infection substantially. When OSArmor performs a signature validity check, the attack surface is further reduced to 2-5% of the (PC) malware.
 

NoVirusThanks

From NoVirusThanks
Verified
Developer
Well-known
Aug 23, 2012
292
Uploaded another video on YouTube (4 mins):
Prevent Emotet Infection by Blocking Office Maldoc Payload with OSArmor

@Andy Ful @Windows_Security

OSArmor also checks if the signature is valid.

@l0rdraiden

The program already has many powerful and smart rules, I believe we'll add just a few more on the next versions.

Here is a screenshot of OSArmor popup:

osarmor-notify.png
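To make the distinction in the two posts above concrete (signature metadata present versus a signature that actually verifies), here is an added example that is not OSArmor's code: a PowerShell function built on Get-AuthenticodeSignature that reports the claimed signer separately from the verification status. The Temp-folder scan at the end is an assumed place to look, chosen because installers and maldoc payloads both tend to unpack there.

```powershell
# Added example, not OSArmor's own code: separate "carries signature metadata"
# from "signature verifies", which is the distinction discussed in the thread.
function Get-SignatureVerdict {
    param([Parameter(Mandatory)][string]$Path)

    $sig = Get-AuthenticodeSignature -LiteralPath $Path

    # A certificate object is present whenever the file carries Authenticode
    # metadata, even when that metadata does not verify (tampered file,
    # untrusted or revoked chain). Only Status 'Valid' means it checks out.
    $claimedSigner = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '(none)' }

    $verdict = switch ($sig.Status) {
        'Valid'     { 'signed-and-valid' }
        'NotSigned' { 'unsigned' }
        default     { 'signed-but-invalid' }   # HashMismatch, NotTrusted, UnknownError, ...
    }

    [pscustomobject]@{
        Path          = $Path
        ClaimedSigner = $claimedSigner   # what the metadata says, verified or not
        Status        = $sig.Status      # what the OS trust check says
        Verdict       = $verdict
    }
}

# Usage (assumed scope): classify every executable under the user's Temp folder.
Get-ChildItem -LiteralPath $env:TEMP -Recurse -Include *.exe, *.dll -ErrorAction SilentlyContinue |
    ForEach-Object { Get-SignatureVerdict -Path $_.FullName } |
    Sort-Object Verdict | Format-Table -AutoSize
```

A file that shows a ClaimedSigner but a Verdict of signed-but-invalid is exactly the case a metadata-only check would wave through and a validity check would not.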
 

l0rdraiden

Level 3
Verified
Jul 28, 2017
108
I see, so the popups are not the standard HIPS popups like ERP, allow/block/(Sandbox); the detections are blocked by default.
The problem I see with this: for example, you are installing complex software, let's say Autocad, and during the installation something legit is blocked automatically; you will need to add it to the white-list manually and reinstall the software, which is an inconvenience for many.
Do you plan to release standard popups with allow/block options, and information about what is suspicious (file, location, process, script code, ...) and why (rule/s triggered)?
Something like this:
https://malwaretips.com/attachments/spyshelter-firewall-anti-exe-png.71658/
http://www.tystechtalk.com/wp-content/uploads/2015/10/WarningScreen.png

BTW I have read here (Whitelist Applications, Allow & Block Processes with EXE Radar Pro | NoVirusThanks) that you are about to release ERP v4; what new features will it have? Will OSArmor be merged with ERP?
 

Deleted member 65228

So I have to remember and do a manual operation every time I want to install a new software? yes, very operative.
It's a lock-down sort of utility. It hardens your security configuration by blocking specific activity on the OS environment and you can lower/harden the configuration to your own needs. As long as there is a button to temporarily disable then there isn't an issue IMO just one click & one click after.

Wasn't this added recently? I am not sure as I don't have it installed right now but if not it probably will be.

Traditional AV might be easier to use in terms of expectations for FPs, but this utility covers a lot that a traditional AV doesn't either, so it goes both ways.
 

shmu26

Level 85
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Jul 3, 2015
8,150
So I have to remember and do a manual operation every time I want to install a new software? yes, very operative.
You won't get a block with most software. If you are installing security software, then yes, temporarily disable it. Remember, only geeks install security software a lot.
 

shmu26

Level 85
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Jul 3, 2015
8,150
The whole object here is for inexperienced users to have a set and forget setup. More options only defeat that purpose
Good point.

Me and other users sure hope they will add a GUI for making exceptions. This is a different point, I am just mentioning it here for no good reason.
 

l0rdraiden

Level 3
Verified
Jul 28, 2017
108
The whole object here is for inexperienced users to have a set and forget setup. More options only defeat that purpose
The object of the product is set by the product owner.
Inexperienced users that cannot properly handle FPs...

That is a contradiction: "set and forget", "inexperienced users", and a BB that may easily produce FPs without a proper workaround or an easy way to whitelist.
 

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,040
The whole object here is for inexperienced users to have a set and forget setup. More options only defeat that purpose
OSArmor can be a set-and-forget setup in default settings. But it can also be used to restrict the system more tightly when using prompt-type alerts (user settings). Inexperienced users will not use the prompt-type option.
 

Windows_Security

Level 24
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Mar 13, 2016
1,298
People should not intend to use this program as a HIPS with block-ask-allow functionality. There is a lot of knowledge put into the block rules. Remember one configuration option could well be sixty block rules. This makes the action-response nontransparent for all people not knowing what the internal rules are. Without cause-effect knowledge every response to a pop-up is an educated guess.

The brilliance of OSArmor is that you get Andreas's knowledge to harden your system. When you start to experiment with your own rules and enabling optional rules, there are two cooks working on the same meal. One is a chef with a Michelin star (Andreas) and the others (most members on this forum including me) are wannabe amateur cooks dreaming of a master chef title. You know what they say about too many cooks (spoiling the broth). So I agree with Peter.

The whole object here is for inexperienced users to have a set and forget setup. More options only defeat that purpose
 

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,040
I am afraid that in its present form OSArmor is not only for inexperienced users. We have 24 options unticked by default (there will be more for sure), plus <Manage Exclusions> and <Custom Block-Rules> buttons. So in fact, OSArmor is rather for MalwareTips members than for inexperienced users. Maybe after creating the final version of OSArmor, it would be possible to create OSArmor_Lite, as a one-click setup-and-forget program. Creating a functional BB program for inexperienced users is much harder than for more experienced ones. :)
 

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,040
Well an inexperienced user isn't going to be looking for a BB anyway. If they are, they aren't "inexperienced". A true inexperienced user probably won't even know what BB stands for let alone what a Behavior Blocker really is and how it works
Yes, we should differentiate between looking/installing a security program and using a 'setup & forget' one.
OSArmor_Lite could be used by an inexperienced user, probably after finding/installing it by the more experienced one.
I think that inexperienced user would have the same problem with EAM.
Edit.
Anyway, EAM has a big advantage of using a reputation cloud.
 

Deleted member 65228

I think that inexperienced user would have the same problem with EAM.
Well it's completely different and I'd say it's actually adapted like a proper BB. I consider NVT OSArmor a BB but a different type because it works differently.

NVT OSArmor is more like a HIPS using OS abuses to block malware. For example, monitoring behaviors for Temp folders, bcdedit usage, etc. Whereas the Emsisoft BB is more automatic resolving and has checks in place to help it determine good from bad, as well as a monitoring scope for behavior which is more used in genuine malicious software (e.g. attacking of the MBR, file encryption, etc.).

NVT OSArmor FPs can be lowered with a custom configuration, but it is currently completely unknown how accurate NVT OSArmor's detection is, like a HIPS which just monitors and alerts/blocks based on configuration. Unlike the Emsisoft BB, which won't necessarily block, has a cloud network which is damn huge so it does not monitor known and reputable software, has built-in characteristic checks, etc.

Both of them work completely differently but at the same time both of them are great. I'm a big fan of this application but I really cannot see a true average inexperienced user using it. It just won't work well.

Emsisoft dropped Mamutu because they had hardly any users, not enough to cover costs. EAM is popular with inexperienced users as well because it isn't just a BB, it's a full AM suite, which makes it appropriate. People can install and forget and be protected by real-time protection, web protection, and zero-day dynamic protection which is tuned for auto-resolving more and designed to be less intrusive now (thanks to their cloud and other factors). If you take the Emsisoft BB without the cloud network integration and the built-in checks to decide on decisions/monitoring, and make it standalone, only geeks will use it.

People can say that inexperienced users rely on anti-executables like VoodooShield, NVT ERP, etc. But it really is hard for me to believe, because I have never even heard any inexperienced user, or any person who is not on this or at most one or two other forums, even refer to such software. Not those specifically, but those types of software in general.

This is why AV software isn't dead yet, despite it not always being the best with up-to-date techniques. It explains why vendors like Panda are still selling and making a mint, or why Avira did fine with sales with mainly signatures for so long. Why Bitdefender still makes a mint from their SDK.... Etc.... Because despite all these great free apps from NVT and other developers, an inexperienced user won't even know of them, let alone what they are or how they work.

Comodo make most of their money from their other services like certificates for SSL and kernel-mode software signing; they even made their auto-sandbox free with the Firewall. Inexperienced average users won't install that and answer alerts or learn how to use the sandbox... They will go straight to Avast Free, probably upgrade after seeing the ads about improved security on the UI (Avast marketing), or purchase Norton/McAfee which came with their PC as a trial. They don't bother making it premium only because they know it won't do that much for income and they already make enough income from other higher-priority services.

It's been like this since the start and I doubt it'll change anytime soon, because people who need to learn don't find the time to do so or have no interest in doing so. And you find awesome software like OSArmor by learning and wanting to learn, and using software like this really will strengthen your OS and keep you safer, but it isn't everyone's cup of tea. Certainly not an average user who wants to be click happy, but still wants to be protected (which can't happen, and it'll be a hit-and-miss scenario each time they are click happy).

Look at HitmanPro.Alert. How many average inexperienced users do you think are using it, and are using Wilders to submit logs with details like a call stack? They won't understand any of it. Sophos bought out SurfRight and added the tech to their endpoint protection, knowing that businesses tend to delay updates or don't even bother until checks are made to prevent breakages, and do have admins to manage it. The rest of the constant user base are mostly forum users who already know a lot, or at least think they do, and are willing to communicate online about bugs. A true inexperienced home user? Yeah, they won't even know they can send the reports on a forum like this.
 
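The monitoring style this post attributes to OSArmor (an Office app spawning a script host, execution from Temp folders, bcdedit usage) and the false-positive/whitelist problem raised earlier in the thread, as an added example that is not OSArmor's own rule set: a toy rule evaluator over constructed process-creation events, with an exclusion list standing in for a manual whitelist. All rule names, paths and sample events are constructed for illustration.

```powershell
# Added example (not OSArmor's rules): evaluate constructed process events against
# three behaviour rules of the kind the thread describes, honouring an exclusion list.
$Rules = @(
    @{ Name = 'Office app spawned script host'
       Test = { param($e) ($e.Parent -match '\\(WINWORD|EXCEL|POWERPNT)\.EXE$') -and
                          ($e.Image -match '\\(powershell|cmd|wscript|cscript|mshta)\.exe$') } },
    @{ Name = 'Execution from Temp folder'
       Test = { param($e) $e.Image -match '\\(AppData\\Local\\Temp|Windows\\Temp)\\' } },
    @{ Name = 'bcdedit usage'
       Test = { param($e) $e.Image -match '\\bcdedit\.exe$' } }
)

function Test-ProcessEvent {
    param(
        [Parameter(Mandatory)] $Event,
        [string[]] $Exclusions = @()   # full image paths the user has whitelisted
    )
    # Exclusions win first, which is the "add it to the white-list" step from the thread.
    if ($Exclusions -contains $Event.Image) {
        return [pscustomobject]@{ Image = $Event.Image; Verdict = 'Allow'; Reason = 'excluded' }
    }
    $hits = foreach ($r in $Rules) { if (& $r.Test $Event) { $r.Name } }
    [pscustomobject]@{
        Image   = $Event.Image
        Verdict = if ($hits) { 'Block' } else { 'Allow' }   # block by default, as the thread notes
        Reason  = if ($hits) { $hits -join '; ' } else { 'no rule matched' }
    }
}

# Constructed sample events (not real telemetry); the second one is the benign
# installer-unpacked-to-Temp case that produces the false positive discussed above.
$Samples = @(
    [pscustomobject]@{ Parent = 'C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE'
                       Image  = 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' },
    [pscustomobject]@{ Parent = 'C:\Users\demo\Downloads\AutodeskSetup.exe'
                       Image  = 'C:\Users\demo\AppData\Local\Temp\AutodeskSetup\Setup.exe' },
    [pscustomobject]@{ Parent = 'C:\Windows\System32\cmd.exe'
                       Image  = 'C:\Windows\System32\bcdedit.exe' },
    [pscustomobject]@{ Parent = 'C:\Windows\explorer.exe'
                       Image  = 'C:\Windows\System32\notepad.exe' }
)

$Samples | ForEach-Object { Test-ProcessEvent $_ } | Format-Table -AutoSize
# Same events after the user whitelists the installer, as they would after a false positive:
$Samples | ForEach-Object { Test-ProcessEvent $_ -Exclusions 'C:\Users\demo\AppData\Local\Temp\AutodeskSetup\Setup.exe' } |
    Format-Table -AutoSize
```

The first table shows three blocks and one allow; the second shows the installer flipping to Allow with reason "excluded" while the other two rule hits still block.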
