NoVirusThanks OSArmor

The options you should leave unchecked depend on your specific security config. It is a question of what other security apps you are running, and how you have configured them.
You can tick all of the options, if you want, but then you might have stupid overkill.
 
Clearly I'm not Umbra, but for me all non-colored options are checked active.

I am a novice user of NVT OSA. Applying default rules and trying to learn.

I want a balance between safety and comfort, but I will learn little by little. At the moment I am impressed and grateful to @NoVirusThanks for the different (and great) software he is making (y)
 
@NoVirusThanks

More FPs after installing updates on Windows Server 2016. The problem is that DismHost probably tries to execute after the block under a different process, so the manual whitelist after the alert is useless.


  • [%PROCESS%: C:\Windows\Temp\F5FBA037-9593-4675-BCED-C26C7C05B870\DismHost.exe] [%PROCESSCMDLINE%: C:\Windows\TEMP\F5FBA037-9593-4675-BCED-C26C7C05B870\dismhost.exe {A5DA863C-DB44-4683-A77B-FE00167ED919}] [%FILESIGNER%: Microsoft Corporation] [%PARENTPROCESS%: C:\Windows\System32\wbem\WmiPrvSE.exe]
  • [%PROCESS%: C:\Windows\Temp\F2FA2996-6B04-4B9C-AA7D-DF43F2CEBD83\DismHost.exe] [%PROCESSCMDLINE%: C:\Windows\TEMP\F2FA2996-6B04-4B9C-AA7D-DF43F2CEBD83\dismhost.exe {48BF688B-C04B-42F3-8578-0AB249F07E7E}] [%FILESIGNER%: Microsoft Corporation] [%PARENTPROCESS%: C:\Windows\System32\wbem\WmiPrvSE.exe]
  • [%PROCESS%: C:\Windows\Temp\30B925C1-3E4C-48AB-9575-516DA1CD3800\DismHost.exe] [%PROCESSCMDLINE%: C:\Windows\TEMP\30B925C1-3E4C-48AB-9575-516DA1CD3800\dismhost.exe {16D0CE06-8F82-44F8-BE3D-20E05A5BE215}] [%FILESIGNER%: Microsoft Corporation] [%PARENTPROCESS%: C:\Windows\System32\wbem\WmiPrvSE.exe]
  • [%PROCESS%: C:\Windows\Temp\B4D503C8-46CC-4A06-A131-EE5CBC5A041F\DismHost.exe] [%PROCESSCMDLINE%: C:\Windows\TEMP\B4D503C8-46CC-4A06-A131-EE5CBC5A041F\dismhost.exe {6CE46AC6-6F97-4CA2-B66C-91DE70838AC5}] [%FILESIGNER%: Microsoft Corporation] [%PARENTPROCESS%: C:\Windows\System32\wbem\WmiPrvSE.exe]






LOG

Date/Time: 01/05/2018 9:12:13
Process: [5768]C:\Windows\Temp\B4D503C8-46CC-4A06-A131-EE5CBC5A041F\DismHost.exe
Process MD5 Hash: 418299F70B35752CB048ED773C59002E
Parent: [5104]C:\Windows\System32\wbem\WmiPrvSE.exe
Rule: AntiExploitWMIProviderHost
Rule Name: (Anti-Exploit) Protect WMI Provider Host
Command Line: C:\Windows\TEMP\B4D503C8-46CC-4A06-A131-EE5CBC5A041F\dismhost.exe {6CE46AC6-6F97-4CA2-B66C-91DE70838AC5}
Signer: Microsoft Corporation
Parent Signer:
User/Domain: SYSTEM/NT AUTHORITY
System File: False
Parent System File: True
Integrity Level: System
Parent Integrity Level: System


Date/Time: 01/05/2018 9:11:07
Process: [5328]C:\Windows\Temp\30B925C1-3E4C-48AB-9575-516DA1CD3800\DismHost.exe
Process MD5 Hash: 418299F70B35752CB048ED773C59002E
Parent: [5104]C:\Windows\System32\wbem\WmiPrvSE.exe
Rule: AntiExploitWMIProviderHost
Rule Name: (Anti-Exploit) Protect WMI Provider Host
Command Line: C:\Windows\TEMP\30B925C1-3E4C-48AB-9575-516DA1CD3800\dismhost.exe {16D0CE06-8F82-44F8-BE3D-20E05A5BE215}
Signer: Microsoft Corporation
Parent Signer:
User/Domain: SYSTEM/NT AUTHORITY
System File: False
Parent System File: True
Integrity Level: System
Parent Integrity Level: System


Date/Time: 01/05/2018 9:10:01
Process: [5944]C:\Windows\Temp\6F145D6E-B1DD-4E47-A7D5-92FCB44156A0\DismHost.exe
Process MD5 Hash: 418299F70B35752CB048ED773C59002E
Parent: [5104]C:\Windows\System32\wbem\WmiPrvSE.exe
Rule: AntiExploitWMIProviderHost
Rule Name: (Anti-Exploit) Protect WMI Provider Host
Command Line: C:\Windows\TEMP\6F145D6E-B1DD-4E47-A7D5-92FCB44156A0\dismhost.exe {4FE3045D-920E-4744-AC04-5C249525BDC7}
Signer: Microsoft Corporation
Parent Signer:
User/Domain: SYSTEM/NT AUTHORITY
System File: False
Parent System File: True
Integrity Level: System
Parent Integrity Level: System


Date/Time: 01/05/2018 9:08:56
Process: [4996]C:\Windows\Temp\D193A37C-C65A-464C-9F42-71B0F41A19E0\DismHost.exe
Process MD5 Hash: 418299F70B35752CB048ED773C59002E
Parent: [5104]C:\Windows\System32\wbem\WmiPrvSE.exe
Rule: AntiExploitWMIProviderHost
Rule Name: (Anti-Exploit) Protect WMI Provider Host
Command Line: C:\Windows\TEMP\D193A37C-C65A-464C-9F42-71B0F41A19E0\dismhost.exe {3F73A32F-2DFC-47B7-BEAA-CCECC5B980F5}
Signer: Microsoft Corporation
Parent Signer:
User/Domain: SYSTEM/NT AUTHORITY
System File: False
Parent System File: True
Integrity Level: System
Parent Integrity Level: System
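
A triage sketch for the log above, added here as an example and not part of the original post or of OSArmor: it groups block entries by rule, hash, signer and parent after replacing the GUID directory with a placeholder, which shows why an exclusion on one exact path does not cover the next run. Field names follow the log in the post; the third sample entry and the `<GUID>` placeholder are constructed for illustration.

```python
import re
from collections import defaultdict

# Entries 1-2 are copied from the post's log (fields trimmed); entry 3 is constructed.
SAMPLE = r"""
Process: [5768]C:\Windows\Temp\B4D503C8-46CC-4A06-A131-EE5CBC5A041F\DismHost.exe
Process MD5 Hash: 418299F70B35752CB048ED773C59002E
Parent: [5104]C:\Windows\System32\wbem\WmiPrvSE.exe
Rule: AntiExploitWMIProviderHost
Signer: Microsoft Corporation

Process: [5328]C:\Windows\Temp\30B925C1-3E4C-48AB-9575-516DA1CD3800\DismHost.exe
Process MD5 Hash: 418299F70B35752CB048ED773C59002E
Parent: [5104]C:\Windows\System32\wbem\WmiPrvSE.exe
Rule: AntiExploitWMIProviderHost
Signer: Microsoft Corporation

Process: [4100]C:\Tools\example.exe
Process MD5 Hash: 00000000000000000000000000000000
Parent: [5104]C:\Windows\System32\wbem\WmiPrvSE.exe
Rule: AntiExploitWMIProviderHost
Signer:
"""

GUID = re.compile(r"[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}", re.I)
PID = re.compile(r"^\[\d+\]")  # leading "[1234]" process id in Process/Parent fields

def parse_entries(text):
    """One dict per blank-line-separated log entry, keyed by field name."""
    entries = []
    for chunk in re.split(r"\n\s*\n", text.strip()):
        pairs = (line.split(":", 1) for line in chunk.splitlines() if ":" in line)
        entries.append({k.strip(): v.strip() for k, v in pairs})
    return entries

def rotating_groups(entries):
    """Same rule, hash, signer and parent blocked under more than one GUID-named path."""
    groups = defaultdict(set)
    for e in entries:
        path = PID.sub("", e["Process"])
        key = (e["Rule"], GUID.sub("<GUID>", path.lower()), e["Process MD5 Hash"],
               e["Signer"], PID.sub("", e["Parent"]).lower())
        groups[key].add(path)
    return {k: sorted(v) for k, v in groups.items() if len(v) > 1}

if __name__ == "__main__":
    for key, paths in rotating_groups(parse_entries(SAMPLE)).items():
        print(key, "->", len(paths), "distinct paths")
```

A group with several paths but a single hash, signer and parent is the case reported here: the binary is the same, only its temporary directory changes between runs.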
 
Are OSA and MBAE, installed together, redundant/Would OSA replace MBAE in a security setup?
NoVirusThanks OSArmor will not replace Malwarebytes Anti-Exploit and vice-versa.

Malwarebytes Anti-Exploit supports enforcing Bottom-Up ASLR, DEP and a few other mitigations. Furthermore, it performs Remote Code Execution (RCE) into monitored applications and uses this as an advantage to locally intervene with the behavior of the application to assist it in identifying and preventing exploitation attacks. Bear in mind, it also has specific mitigations for some things and also supports protection with targets like Java.

NoVirusThanks OSArmor does not do the things Malwarebytes Anti-Exploit does, in the same way that Malwarebytes Anti-Exploit does not do what NoVirusThanks OSArmor does. In fact, they both work entirely differently and I would not even estimate that a conflict would be 30% probable.

If you already have Malwarebytes Anti-Exploit, fear not, NoVirusThanks OSArmor will NOT be useless (and vice-versa). If they work well when combined on your environment, and as long as they provide your requirements, then it should be really good.

NoVirusThanks OSArmor is actually extremely light and non-intrusive from my experience, and as long as you set it up in the way that is right for you, it can be incredibly helpful. It might not work the same way that other vendors approach their exploit mitigation techniques, but it doesn't mean that the product is lesser than another.

If you're looking for something lightweight, reliable and non-intrusive, then NVT OSArmor is the solution. Since it doesn't work like a majority of other Anti-Exploit components (e.g. it will not touch the memory of another running application nor the Windows Kernel aside from documented and Microsoft-approved techniques), it won't degrade performance of an application's general operations through interception, nor will it break other applications through external manipulation (e.g. cause them to crash due to a bug in memory modification).
 
I saw this asked a couple times but never answered (or I just missed the answer).
Are OSA and MBAE, installed together, redundant/Would OSA replace MBAE in a security setup?
The short answer is they are doing different things, so they don't replace one another.
 
@NoVirusThanks, I have a few questions regarding NVT OS Armor (non-beta, version 1.3). Why, when I disabled NVT OS Armor by exiting it to install something, is it still active? It is blocking the command lines and I need to end the NVT OS Armor service to totally disable it. Is this normal? :unsure:
Open Windows Services (services.msc) and stop NoVirusThanks OSArmorDevSvc.
 
@NoVirusThanks, I have a few questions regarding NVT OS Armor (non-beta, version 1.3). Why, when I disabled NVT OS Armor by exiting it to install something, is it still active? It is blocking the command lines and I need to end the NVT OS Armor service to totally disable it. Is this normal? :unsure:
"Exiting" is not disabling protection, it is only disabling the GUI.
 
I think OSA 1.3 didn't have the options for disabling protection. Should I update to the 1.4 beta?
Definitely you should update. Take the latest build. It is best for most users, I see you are on Windows 10, no reason I can think of not to use the latest version.