NoVirusThanks OSArmor
<blockquote data-quote="Andy Ful" data-source="post: 700807" data-attributes="member: 32260"><p>I installed both OSArmor and ReHIPS (Expert mode). Next, I ran the script several times:</p><p>[CODE]Set WshShell = CreateObject("WScript.Shell")</p><p>WshShell.Run("C:\Users\Public\Downloads\payload.exe")</p><p>WScript.Quit[/CODE]</p><p>.</p><p>The payload.exe can be any <strong>not-signed</strong> executable.</p><p>The result on my machine (Windows 10 FCU 64-Bit) was always the same: ReHIPS was triggered first (every time) and OSArmor second. I had to press 'allow' in ReHIPS first to see the OSArmor alert. Sometimes OSArmor was not triggered at all.</p><p>I even installed OSArmor first and ReHIPS second, to be sure that the order of installation does not matter.</p><p>Next, I disabled ReHIPS protection and installed NVTERP 3.1.0.0 with the option 'Do not check if a process is signed (save bandwidth)'. I repeated the test, and now OSArmor and NVTERP blocked execution from the script at the same moment (2 alerts visible).</p><p><strong>So, the ReHIPS block feature works differently from NVT products and can block execution at an earlier stage.</strong></p><p>In the end, I installed Sandboxie (forced to sandbox the payload.exe) and repeated the test. ReHIPS was triggered first, Sandboxie second and OSArmor was never triggered (payload.exe was sandboxed). But OSArmor could miss blocking execution from the script. So, I tested another OSArmor feature: <span style="color: #0059b3">'Block execution of unsigned processes on Local AppData</span>'. I also set Sandboxie to block payload.exe because OSArmor can also block programs in the Sandboxie Sandbox. The result was always the same: Sandboxie blocked execution and there was no alert from OSArmor. When I allowed running payload.exe in the Sandboxie sandbox, OSArmor immediately blocked it, showing the alert.</p><p>So, my conclusion is that on my machine (the leftmost is triggered first):</p><p><strong>SmartScreen > ReHIPS > Sandboxie > <strong>OSArmor</strong></strong></p><p>I did not test other OSArmor features, so I cannot say for sure that the above is true for all OSArmor features.</p><p>.</p><p>Edit</p><p>The post was edited several times because of the complex interactions between Sandboxie and OSArmor. I thought that OSArmor can be triggered first and Sandboxie second, because OSArmor blocked execution of payload.exe in the sandbox so quickly that sandboxing was not visible. I realized that this can be a problem and changed Sandboxie settings to block payload.exe, and then everything was finally clear to me.</p></blockquote><p></p>
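<p>The kind of rule this test exercises (a script host such as wscript.exe launching an unsigned executable from a user-writable folder) can be expressed as detection logic over process-creation records. This is an added example, not part of the original post and not code from OSArmor, ReHIPS, NVTERP or Sandboxie; the record fields (parent, image, signed), the folder list and the sample events are constructed assumptions.</p>

```python
import ntpath

# Script hosts whose child processes are inspected (assumption for this example).
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}


def in_user_writable(image):
    # Normalize first so "..\" segments and forward slashes cannot hide the real location.
    parts = ntpath.normpath(image).lower().split("\\")
    # C:\Users\Public\... is the folder used in the post's test.
    if parts[1:3] == ["users", "public"]:
        return True
    # C:\Users\<name>\AppData\Local\... matches the 'Local AppData' rule named in the post.
    return parts[1:2] == ["users"] and parts[3:5] == ["appdata", "local"]


def evaluate(event):
    # Return an alert string, or None when the record does not match the rule.
    parent = ntpath.basename(event["parent"]).lower()
    if parent not in SCRIPT_HOSTS or event["signed"]:
        return None
    image = ntpath.normpath(event["image"])
    if not in_user_writable(image):
        return None
    return f"unsigned {image} launched by {parent}"


def alerts(events):
    return [a for a in map(evaluate, events) if a is not None]


# Constructed sample records; the field names are hypothetical, not a real log schema.
SAMPLE_EVENTS = [
    {"parent": r"C:\Windows\System32\wscript.exe",
     "image": r"C:\Users\Public\Downloads\payload.exe", "signed": False},
    {"parent": r"C:\Windows\System32\wscript.exe",
     "image": r"C:\Windows\System32\notepad.exe", "signed": True},
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Users\Public\Downloads\payload.exe", "signed": False},
    {"parent": r"C:\Windows\System32\cscript.exe",
     "image": "C:/Users/alice/AppData/Local/Temp/tool.exe", "signed": False},
    # Path that only appears to start in a user-writable folder.
    {"parent": r"C:\Windows\System32\wscript.exe",
     "image": r"C:\Users\Public\..\..\Windows\System32\calc.exe", "signed": False},
]

if __name__ == "__main__":
    for line in alerts(SAMPLE_EVENTS):
        print(line)
```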