NoVirusThanks OSArmor

shmu26

Level 85
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Jul 3, 2015
8,150
@NoVirusThanks

OS_Armor (and other NVT products as well probably) still does not recognize CATALAG signatures. Therefor most Windows executables look unsigned to OS_Armor, but yhey are signed by catalog. See for info : Catalog Files and Digital Signatures

Any progress .. . ...?

ADVICE TO USERS WITH NO IMAGE BACKUP/RECOVERY IN PLACE: DON'T USE SETTINGS OF OS_ARMOR WHICH RELATE TO PROGRAM SIGNING UNTIL THIS ISSUE IS SOLVED.
Have you seen critical files without embedded signatures, that run from user space?
Almost all of the program signing rules in OSA apply to user space, AFAIK.
 

Windows_Security

Level 24
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Mar 13, 2016
1,298
WHY USE OS_ARMOR?

Malware writers only use a limited number of hacking techniques (when we exclude user errors like phishing and social engineering). They always try to gain access to Windows build in shells to acquire higher priveledges, drop code, survice re-boot and connect/redirect internet traffic to a controlled server.

Some say it is impossible to fight exploits, because exploits are based on progam errors of which the vendors did not know their software had them. But with the improvemenst in Memory hardening, code control and (C++) compilers Windows 10 is a tough cookie to beat. Windows 10 with all Windows Defender features enabled is pretty hard to break in.

Luckily (for malware writers) Microsoft thought of a way to nullify all these security improvements by providing (new or enhanced) command and script interpretators in Windows itself. When old dynamic code platforms were abondanned (Active-X, HTML application, NTVDM) new ones are quickly introduced (dotNet, Powershell, Windows Management Instrumentation) to give hackers access to your PC.

Malware tend to use what is already there (from exploit-kits to windows build-in shells), so OS-Armor blocking access to command shells and script interpretors and filtering command lines on known exploit tricks reduces the chances of being victim of malware using an exploit to near zero. The beauty of OS_Armor is that it does not try to prevent exploits, but limits gaining access to Windows build-in shell after an exploit is applied.

That is why I recommend using OS_Armor in default settings
 
Last edited:

Windows_Security

Level 24
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Mar 13, 2016
1,298
Have you seen critical files without embedded signatures, that run from user space?
Almost all of the program signing rules in OSA apply to user space, AFAIK.

Yes, with updates (BSOD on Windows 7) that is why advice not using them to avoid problems. The default rules are good to go (see previous post).
 
Last edited:

Windows_Security

Level 24
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Mar 13, 2016
1,298
So no protection is better? Hmmmmm.....

Is that what you read in the post? IMO I am telling that OS_Armor does not recognise catalog signed executables, so it is better to leave OS-Armor at default settings, because it could treat siged executables in user folders as unsigned and block them.
 

NoVirusThanks

From NoVirusThanks
Verified
Developer
Well-known
Aug 23, 2012
292
Here is a new v1.4 (pre-release) test60:
http://downloads.novirusthanks.org/files/osarmor_setup_1.4_test60.exe

*** Please do not share the download link, we will delete it when we'll release the official v1.4 ***

So far this is what's new compared to the previous pre-release:

+ Improved Block suspicious processes
+ Improved Block suspicious command-line strings
+ Improved Block processes located in suspicious folders
+ Added self-protection against process termination via kernel-mode driver
+ Kernel-mode drivers for self-protection are co-signed by Microsoft
+ Only Task Manager can terminate OSArmorDevSvc.exe and OSArmorDevUI.exe
+ Save and restore window size of Configurator GUI
+ Instead of playing the beep sound it now plays a WAV sound when something is blocked
+ Events are now saved as topmost on the log file
+ Minor fixes and optimizations
+ Fixed some false positives

To install it, first uninstall the previous build, then reboot (not really needed but may help), and install the new build.

If you find any false positive or issue please let me know.

@128BPM

Please try this new build, it should fix that FP.

@Windows_Security

Do you still have the log file with the blocked events during the Windows 7 updates?

The internal whitelisting rules should take care of them.
 

ZeroDay

Level 30
Verified
Top Poster
Well-known
Aug 17, 2013
1,905
Here is a new v1.4 (pre-release) test60:
http://downloads.novirusthanks.org/files/osarmor_setup_1.4_test60.exe

*** Please do not share the download link, we will delete it when we'll release the official v1.4 ***

So far this is what's new compared to the previous pre-release:

+ Improved Block suspicious processes
+ Improved Block suspicious command-line strings
+ Improved Block processes located in suspicious folders
+ Added self-protection against process termination via kernel-mode driver
+ Kernel-mode drivers for self-protection are co-signed by Microsoft
+ Only Task Manager can terminate OSArmorDevSvc.exe and OSArmorDevUI.exe
+ Save and restore window size of Configurator GUI
+ Instead of playing the beep sound it now plays a WAV sound when something is blocked
+ Events are now saved as topmost on the log file
+ Minor fixes and optimizations
+ Fixed some false positives

To install it, first uninstall the previous build, then reboot (not really needed but may help), and install the new build.

If you find any false positive or issue please let me know.

@128BPM

Please try this new build, it should fix that FP.

@Windows_Security

Do you still have the log file with the blocked events during the Windows 7 updates?

The internal whitelisting rules should take care of them.
I haven't commented until now, but thank you for all your hard work with OSA it really is appreciated.
 
D

Deleted member 65228

I haven't commented until now, but thank you for all your hard work with OSA it really is appreciated.
He works hard to produce quality software for people (most of which are free or he will give free licenses to those ones which aren't on occasions allegedly) and has very ethical business practices (regular updates for patching any reported bugs and improvement of protection, lack of want for data collection/telemetry, etc.).

The guy actually wants to help keep people protected, there's real passion and motivation for it. His focus isn't 100% on money, it's primarily on keeping people safe from cyber-attacks and that makes ALL the difference.
 

ZeroDay

Level 30
Verified
Top Poster
Well-known
Aug 17, 2013
1,905
He works hard to produce quality software for people (most of which are free or he will give free licenses to those ones which aren't on occasions allegedly) and has very ethical business practices (regular updates for patching any reported bugs and improvement of protection, lack of want for data collection/telemetry, etc.).

The guy actually wants to help keep people protected, there's real passion and motivation for it. His focus isn't 100% on money, it's primarily on keeping people safe from cyber-attacks and that makes ALL the difference.
indeed. Very rare qualities these days.
 

erreale

Level 9
Verified
Content Creator
Malware Hunter
Well-known
Oct 22, 2016
409
He works hard to produce quality software for people (most of which are free or he will give free licenses to those ones which aren't on occasions allegedly) and has very ethical business practices (regular updates for patching any reported bugs and improvement of protection, lack of want for data collection/telemetry, etc.).

The guy actually wants to help keep people protected, there's real passion and motivation for it. His focus isn't 100% on money, it's primarily on keeping people safe from cyber-attacks and that makes ALL the difference.


Honestly, I would buy OSArmor without thinking twice if it does not remain free. It's a brilliant software! The work of the developer is exemplary and deserves no doubt to be reimbursed in some way.
 

NoVirusThanks

From NoVirusThanks
Verified
Developer
Well-known
Aug 23, 2012
292
Thanks for all the feedbacks guys! Really much appreciated, they fuel our motivation and passion!

Have just uploaded two new videos:

Testing OSArmor with UACME on Windows 7 64-bit



In this video we test OSArmor v1.4 b60 with UACME (2.8.7) on Windows 7 64-bit. All attempts to elevate payload.exe got blocked by OSArmor with the rule "Block known and possible UAC-bypass attempts". UACME number 35 got blocked with the rule "Block suspicious process elevation attempts".

Testing OSArmor with UACME on Windows 10 SCU 1803 64-bit



In this video we test OSArmor v1.4 b60 with UACME (2.8.7) on Windows 10 SCU 1803 64-bit. All (unpatched) attempts to elevate payload.exe got blocked by OSArmor with the rule "Block known and possible UAC-bypass attempts". UACME number 35 got blocked with the rule "Block suspicious process elevation attempts".

@Windows_Security

Ok, I'll take a look at that issue (catalog sigs) asap.
 

NoVirusThanks

From NoVirusThanks
Verified
Developer
Well-known
Aug 23, 2012
292
Here is a new v1.4 (pre-release) test61:
http://downloads.novirusthanks.org/files/osarmor_setup_1.4_test61.exe

*** Please do not share the download link, we will delete it when we'll release the official v1.4 ***

So far this is what's new compared to the previous pre-release:

+ Fixed a typo in the Help\FAQs file
+ Fixed detection of parent processes in particular situations
+ Improved Block suspicious command-lines
+ Improved Block suspicious processes
+ Minor fixes and optimizations
+ Fixed some false positives

To install it, first uninstall the previous build, then reboot (not really needed but may help), and install the new build.

If you find any false positive or issue please let me know.
 

MeltdownEnemy

Level 7
Verified
Well-known
Jan 25, 2018
300
Here is a new v1.4 (pre-release) test54:
http://downloads.novirusthanks.org/files/osarmor_setup_1.4_test54.exe

*** Please do not share the download link, we will delete it when we'll release the official v1.4 ***

So far this is what's new compared to the previous pre-release:

+ Improved Block suspicious command-lines
+ Improved Block suspicious processes
+ Improved Block suspicious Svchost.exe process behaviors
+ Block execution of unsigned processes on user space
+ Block unsigned processes to run with high or system privileges
+ Block processes executed from netsh.exe
+ Block possible UAC bypass attempts [method 1]
+ Block possible UAC bypass attempts [method 2] (disabled at the moment, need to complete this)
+ Block execution of ftp\tftp\telnet.exe
+ Block suspicious process elevation attempts
+ Block InfDefaultInstall.exe if executed by unknown processes
+ Some rules have been moved to their appropriate section
+ Added text-link to reset statistics on Main GUI
+ Configurator GUI can be maximized and is resizeable
+ Added a dark-gray frame on the notification window
+ Removed Block ALL autoelevate system processes
+ Removed Block known system files used for UAC-bypass
+ Show parent process integrity level on log file
+ Show process md5 hash on log file
+ Minor fixes and optimizations
+ Fixed some false positives

To install it, first uninstall the previous build, then reboot (not really needed but may help), and install the new build.

If you find any false positive or issue please let me know (official release will be postponed of some days).

Here is a screenshot:

View attachment 185763

@128BPM

Should be fixed now.

@MeltdownEnemy

Done.


Unbelievable!, i can see the new changes. Thank you so much my friend. count with me for all future beta's. awesome list views!
 

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

User Menu

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top