NoVirusThanks OSArmor

Windows_Security

Level 24
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Mar 13, 2016
1,298
OS Armor is a strong layer of defense. Andreas is constantly adding recognition strings to commands used to bypass PC defenses (antivirus solutions).

Most fileless malware and ransomware use remote access and build-in shells like Windows Management Instrumentation, powershell and dotNet which can't be turned of like old command shells as wscript and cmd.

The changes of running into these type of malware is not that big when you apply safe HEX and have decent security in place. But the price (free) and low performance impact make OS Armor something to consider for any setup.

Now with latest option to allow only signed processes in user space, one only needs to add addtional partitions/drives to your custom block rules, it is as easy as this, where X is the drive letter: [%PROCESSFILEPATH%: X:\*]

So when you split your harddisk into C for programs and D for files it would look like: [%PROCESSFILEPATH%: D:\*]

Great job Andreas @NoVirusThanks thanks (y)
 

codswollip

Level 23
Content Creator
Well-known
Jan 29, 2017
1,201
Now with latest option to allow only signed processes in user space, one only needs to add addtional partitions/drives to your custom block rules, it is as easy as this, where X is the drive letter: [%PROCESSFILEPATH%: X:\*]

So when you split your harddisk into C for programs and D for files it would look like: [%PROCESSFILEPATH%: D:\*]
I want to block writing to "G" partition by all except Signer: Microsoft.

So I entered a block... simply....
[%PROCESSFILEPATH%: G:\*]

and ran a program that normally writes to "G" and there was no interception. What am I doing wrong?
 

NoVirusThanks

From NoVirusThanks
Verified
Developer
Well-known
Aug 23, 2012
292
Here is a new v1.4 (pre-release) test57:
http://downloads.novirusthanks.org/files/osarmor_setup_1.4_test57.exe

*** Please do not share the download link, we will delete it when we'll release the official v1.4 ***

So far this is what's new compared to the previous pre-release:

+ Improved Block download of remote URLs via command-lines
+ Block unsigned processes outside system partition (e.g. C:\)
+ Block ALL processes outside system partition (e.g. C:\)
+ Fixed some false positives

To install it, first uninstall the previous build, then reboot (not really needed but may help), and install the new build.

If you find any false positive or issue please let me know.

With the new rules you can now block any (or only unsigned) processes executed outside system partition (e.g. C:\).

So a process executed, e.g., from F:\ or G:\ will be blocked, see this screenshot:

osa3.png


@128BPM

That FP shoud be fixed now, please confirm.

@Windows_Security

1. Is starting other programs covered by the anti-exploit option of Word?

Yes.

2. Do you have made allow exceptions for print spool and touch keyboard?

Yes.

I am asking because for wscript.exe you have:

The option to block any process from wscript.exe was specifically asked by a company and to be separate from the anti-exploit tab.

So when you split your harddisk into C for programs and D for files it would look like: [%PROCESSFILEPATH%: D:\*]

You may find these new options useful:

+ Block unsigned processes outside system partition (e.g. C:\)
+ Block ALL processes outside system partition (e.g. C:\)

:)

@Telos

With the block-rule:

[%PROCESSFILEPATH%: G:\*]

OSA would block any process located on G:\

It doesn't block a process from writing to that path (OSA doesn't monitor writing of files).

To exclude Microsoft-signed processes just add this to Exclusion rules:

[%PROCESSFILEPATH%: G:\*] [%FILESIGNER%: Microsoft Windows]
[%PROCESSFILEPATH%: G:\*] [%FILESIGNER%: Microsoft Corporation]
 

Windows_Security

Level 24
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Mar 13, 2016
1,298
You may find these new options useful:

+ Block unsigned processes outside system partition (e.g. C:\)
+ Block ALL processes outside system partition (e.g. C:\)

:)

Andreas,

Does the rule BLOCK ALL PROCESSES OUTSIDE also includes USB and RAM disk (other options)?

I would prefer it to apply the rule "block all" on harddisks only, so user has granular control on others (USB, CD Rom, Ram etc) with other options.
 
  • Like
Reactions: Garzaman and AtlBo
D

Deleted member 178

Andreas,

Does the rule BLOCK ALL PROCESSES OUTSIDE also includes USB and RAM disk (other options)?

I would prefer it to apply the rule "block all" on harddisks only, so user has granular control on others (USB, CD Rom, Ram etc) with other options.
You can just make exclusions then, it is what i do.
 
  • Like
Reactions: Garzaman

128BPM

Level 2
Verified
Feb 21, 2018
90
@NoVirusThanks


When entering in option "change calendar settings", the previous FP (Block execution of suspicious command-line strings) was corrected. But now this appears:


Date/Time: 12/04/2018 08:18:38 p.m.
Process: [3208]C:\Windows\System32\control.exe
Process MD5 Hash: FD3F34830C39F4B554106ADA19924F4E
Parent: [3132]C:\Windows\System32\rundll32.exe
Rule: BlockSuspiciousProcessesFromRundll32
Rule Name: Block suspicious processes executed from Rundll32
Command Line: "C:\Windows\System32\control.exe" "C:\Windows\system32\intl.cpl",,/p:"date"
Signer:
Parent Signer:
User/Domain: PC/PC
Integrity Level: Medium
Parent Integrity Level: Medium
 

codswollip

Level 23
Content Creator
Well-known
Jan 29, 2017
1,201
Tried to reboot to Safe Mode (Shift-Restart) and got this...

Date/Time: 4/13/2018 1:35:37 PM
Process: [8608]C:\WINDOWS\System32\shutdown.exe
Process MD5 Hash: 0AA80010E37F8F8546CDD6D725D79A28
Parent: [3088]C:\WINDOWS\explorer.exe
Rule: BlockShutdownExeExecution
Rule Name: Block execution of shutdown.exe
Command Line: shutdown.exe /r /o /t 0
Signer:
Parent Signer: Microsoft Windows
User/Domain: Telos/Domain
Integrity Level: Medium
Parent Integrity Level: Medium


Still I was able to Restart without the Shift-key ... so I'm a bit perlexed.

That all said, I must have scanned the rules list 3 times before I could locate this one. I'm guessing it would be too much to ask for a rule search feature.
 
Last edited:
  • Like
Reactions: Andy Ful and AtlBo

NoVirusThanks

From NoVirusThanks
Verified
Developer
Well-known
Aug 23, 2012
292
Here is a new v1.4 (pre-release) test58:
http://downloads.novirusthanks.org/files/osarmor_setup_1.4_test58.exe

*** Please do not share the download link, we will delete it when we'll release the official v1.4 ***

So far this is what's new compared to the previous pre-release:

+ Show System File: True\False on log file
+ Show Parent System File: True\False on log file
+ Improved detection of parent processes
+ Improved detection of UAC-bypass attempts
+ Fixed some false positives

To install it, first uninstall the previous build, then reboot (not really needed but may help), and install the new build.

If you find any false positive or issue please let me know.
 

NoVirusThanks

From NoVirusThanks
Verified
Developer
Well-known
Aug 23, 2012
292
Here is a new v1.4 (pre-release) test59:
http://downloads.novirusthanks.org/files/osarmor_setup_1.4_test59.exe

*** Please do not share the download link, we will delete it when we'll release the official v1.4 ***

So far this is what's new compared to the previous pre-release:

+ Added "Windows Live Mail" on Anti-Exploit tab
+ Added "PotPlayer" on Anti-Exploit tab
+ Added an Help\FAQs file (tray-icon -> Help\FAQs, Main menu -> Help -> Help\FAQs, GUI "?" top-right border icon)
+ Renamed Block system processes from cleaning Windows Eventlog
+ Minor fixes and optimizations

To install it, first uninstall the previous build, then reboot (not really needed but may help), and install the new build.

If you find any false positive or issue please let me know.
 

128BPM

Level 2
Verified
Feb 21, 2018
90
@NoVirusThanks


In System Properties/Hardware/Device Installation Settings. I have this log:


Date/Time: 17/04/2018 03:15:45 p.m.
Process: [1188]C:\Windows\System32\rundll32.exe
Process MD5 Hash: C36BB659F08F046B139C8D1B980BF1AC
Parent: [4756]C:\Windows\System32\SystemPropertiesComputerName.exe
Rule: BlockKnownUACBypassAttempts
Rule Name: Block known and possible UAC-bypass attempts
Command Line: "C:\Windows\System32\rundll32.exe" newdev.dll,DeviceInternetSettingUi 3
Signer:
Parent Signer:
User/Domain: PC/PC
System File: True
Parent System File: False
Integrity Level: High
Parent Integrity Level: High
 

Windows_Security

Level 24
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Mar 13, 2016
1,298
@NoVirusThanks

OS_Armor (and other NVT products as well probably) still does not recognize CATALOG signatures. Therefor most Windows executables look unsigned to OS_Armor, see for info : Catalog Files and Digital Signatures

Any progress .. . ...?

ADVICE TO USERS WITH NO IMAGE BACKUP/RECOVERY IN PLACE: DON'T USE SETTINGS OF OS_ARMOR WHICH RELATE TO PROGRAM SIGNING UNTIL THIS ISSUE IS SOLVED.
 
Last edited:

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

User Menu

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top