NoVirusThanks OSArmor

shmu26

Level 85
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Jul 3, 2015
8,153
Here is a new v1.4 (pre-release) (test27):
http://downloads.novirusthanks.org/files/osarmor_setup_1.4_test27.exe

*** Please do not share the download link, we will delete it when we release the official v1.4 ***

So far this is what's new compared to the previous pre-release:

+ Improved support for Fast User Switching and Logouts
+ Many internal improvements
+ Integrated a smart caching mechanism
+ Prevent flooding of the notification dialog
+ Fixed opening of the Configurator in certain situations
+ Fixed some false positives
+ Block execution of unsigned processes on Downloads folder
+ Added Tor Browser, Comodo Dragon and MSPub on Anti-Exploit tab
+ Block execution of Sysprep.exe (UAC Bypass)
+ The alert icon on Configurator is red for some options

To install it, first uninstall the previous build, then reboot (not really needed but may help), and install test 27

Thanks to the new caching mechanism, CPU usage should be lower now when executing many processes. All issues related to "timeout 30000 on the service", "Configurator doesn't show up", "when switching users icon is not present", etc should also be fixed.

@Evjl's Rain

FP is fixed now.
I can confirm that the issues with switching back and forth between user accounts seem to be fixed.
I haven't seen any issues with test27-28 (but I also haven't tried it with Avast)
 

shmu26

Does the latest version still require the user to turn off Secure Boot, or is it that the use of OSA requires Secure Boot to be turned off?

Thanks
In theory, OSA is compatible with secure boot. But in practice, the dev didn't update the driver yet. So the latest version is still incompatible with secure boot on certain systems.
 

NoVirusThanks

From NoVirusThanks
Verified
Developer
Well-known
Aug 23, 2012
292
Here is a new v1.4 (pre-release) (test29):
http://downloads.novirusthanks.org/files/osarmor_setup_1.4_test29.exe

*** Please do not share the download link, we will delete it when we release the official v1.4 ***

So far this is what's new compared to the previous pre-release:

+ Categorized options in Anti-Exploit tab and sorted them alphabetically (per category)
+ When on Passive Logging, the text on the notification window is "Passive Logging Enabled"
+ On Configurator -> Settings -> Passive Logging changed the text to "You will still receive notification dialogs while in Passive Logging."
+ Added Thunderbird on Anti-Exploit tab
+ Removed "Process Path" and "Parent Process Path" from Exclusions Helper GUI
+ Option to disable protection temporarily, for 10 minutes, 30 minutes, 1 hour
+ Option to not display alerts when an application is in full-screen mode
+ Improved "Block execution of .vbs scripts"
+ Improved "Block execution of .js scripts"
+ Tray icon becomes red when Passive Logging is enabled
+ Option to play beep sound when notification is displayed
+ Fixed a false positive with "Block processes executed from javaw.exe"
+ Improved detection of PowerShell encoded commands
+ Improved detection of PowerShell malformed commands
+ Improved detection of suspicious processes
+ Block processes executed from USB
+ Block processes executed from RAM Disk
+ Block processes executed from Network Drive
+ Block processes executed from CD-ROM
+ Block execution of Internet Explorer
+ Block execution of Microsoft Edge
+ OSArmor 64-bit now supports Secure Boot
+ Fixed some false positives

To install it, first uninstall the previous build, then reboot (not really needed but may help), and install test 29.

We are waiting for the 32-bit driver to be co-signed (should not take much).

@Sunshine-boy

Here you go :D

@HarborFront

This new build 29 supports Secure Boot (only the 64-bit version for now).

@Evjl's Rain

I'll test OSArmor with Avast on W10 VM asap.

I would recommend you to do this to test build 29:

Uninstall the previous OSArmor version, reboot, delete the folder C:\Program Files\NoVirusThanks\OSArmorDevSvc\ and then install the new build 29.

Let me know if that works.
 
ForgottenSeer 58943

This no longer works with FortiClient. Specifically, if FortiClient has exploit protection enabled you can't do simple stuff, like launch Chrome. If you disable exploit protection in FortiClient for Chrome, it launches again. I suspect this is the case for the majority of applications protected by FortiClient exploit guard.
 

Sunshine-boy

Level 28
Verified
Top Poster
Well-known
Apr 1, 2017
1,760
Thanks for the new version and your work. Can you pls add a rule like this: Block DLL loading from removable drives
 

NoVirusThanks

Here is a new v1.4 (pre-release) (test30):
http://downloads.novirusthanks.org/files/osarmor_setup_1.4_test30.exe

*** Please do not share the download link, we will delete it when we release the official v1.4 ***

So far this is what's new compared to the previous pre-release:

+ Both 32-bit and 64-bit drivers are now co-signed by Microsoft
+ Removed option "Set notification window always on top" (it is done by default now)
+ Fixed CPU spikes when the notification dialog disappears
+ Fixed "can't open menu in OSArmorDevUI because it loses focus"

To install it, first uninstall the previous build, then reboot (not really needed but may help), and install the new build.

Secure Boot should be now fully supported in both 32 & 64-bit W10 OS.

@Evjl's Rain

I loaded a clean VM with W10 X64 Pro 1709 with Secure Boot enabled.

Then I installed Avast (default settings) and rebooted.

Then I installed OSA build 30 and so far it worked fine, I didn't add exclusions to Avast.

I tested also a few reboots, here is a screenshot:

Avast on W10 and OSArmor.png


@l0rdraiden

I tested OSArmor with Windows Server 2016 and seems to work fine:

Windows Server 2016 and OSArmor.png
 

Evjl's Rain

Level 47
Thread author
Verified
Honorary Member
Top Poster
Content Creator
Malware Hunter
Apr 18, 2016
3,684
@Evjl's Rain

I loaded a clean VM with W10 X64 Pro 1709 with Secure Boot enabled.

Then I installed Avast (default settings) and rebooted.

Then I installed OSA build 30 and so far it worked fine, I didn't add exclusions to Avast.

I tested also a few reboots, here is a screenshot:
I don't know why but it still doesn't work for me :(
I'm on Windows 8.1, not sure if there is any more conflict between Avast, OSA and another app

I may have to consider dropping Avast for another AV
 

NoVirusThanks

Here is a new v1.4 (pre-release) (test31):
http://downloads.novirusthanks.org/files/osarmor_setup_1.4_test31.exe

*** Please do not share the download link, we will delete it when we release the official v1.4 ***

So far this is what's new compared to the previous pre-release:

+ Block processes executed from Shared Folder
+ Improved detection of malformed PowerShell commands
+ Improved detection of suspicious processes
+ Improved detection of suspicious scripts
+ Hint text for red icon (on Configurator) is changed to "Can create many false positives"
+ Block ShellExecute\Start-Process in PowerShell cmdline
+ Fixed false positive on "Block processes located in suspicious folders" related to SUA users
+ Prevent schtasks.exe from creating tasks

To install it, first uninstall the previous build, then reboot (not really needed but may help), and install the new build.
 

tuneraider

New Member
Feb 2, 2018
1
Has anyone had problems with a USB DAC? I tried test 29 & 30 but no sound comes from my DAC. It worked the last time I tried it before I installed NVT/OS ARMOUR. After uninstalling, the DAC still doesn't work. Computer soundcard works. Win 10 Home 64. Vers. 1709 Build 16299.192
Thanks
 

Antimalware18

Level 10
Verified
Well-known
Jan 17, 2014
489
Finally got it on my system (test 31)

I can say, so far so good. No false positives yet, and no system slowdown.

I haven't really selected anything from the "Advanced" tab yet except for "Unsigned processes from roaming appdata and local". Will this make me highly likely to have false positives?
 

NoVirusThanks

Here is a new v1.4 (pre-release) (test32):
http://downloads.novirusthanks.org/files/osarmor_setup_1.4_test32.exe

*** Please do not share the download link, we will delete it when we release the official v1.4 ***

So far this is what's new compared to the previous pre-release:

+ Fixed an issue on Windows XP
+ Fixed all reported false positives

To install it, first uninstall the previous build, then reboot (not really needed but may help), and install the new build.

This new build should fix an issue on 32-bit OSes.

@Antimalware18

I can say, so far so good. No false positives yet, and no system slowdown.

That's good :)

"Unsigned processes from roaming appdata and local" will this make me highly likely to have false positives?

If you don't have many programs that run on \Temp\ folder their unsigned installers\uninstallers\updaters, you should not get any.

@tuneraider

If OSA didn't block anything, the issue may not be related to OSA.
 

Antimalware18

Are there any tools to test OSArmor with besides SpyShelter and CLT? I tried both of those and it didn't block either of them.
Not sure if my installation is broken or, most likely, the mechanisms are just different. Any safe test tools to try this out?
 