Forums
New posts
Search forums
News
Security News
Technology News
Giveaways
Giveaways, Promotions and Contests
Discounts & Deals
Reviews
Users Reviews
Video Reviews
Support
Windows Malware Removal Help & Support
Inactive Support Threads
Mac Malware Removal Help & Support
Mobile Malware Removal Help & Support
Blog
Log in
Register
What's new
Search
Search titles only
By:
Search titles only
By:
Reply to thread
Menu
Install the app
Install
JavaScript is disabled. For a better experience, please enable JavaScript in your browser before proceeding.
You are using an out of date browser. It may not display this or other websites correctly.
You should upgrade or use an
alternative browser
.
Forums
Software
Security Apps
Other security for Windows, Mac, Linux
NoVirusThanks OSArmor
Message
<blockquote data-quote="NoVirusThanks" data-source="post: 709555" data-attributes="member: 68429"><p>Here is a new v1.4 (pre-release) (test33):</p><p><a href="http://downloads.novirusthanks.org/files/osarmor_setup_1.4_test33.exe" target="_blank">http://downloads.novirusthanks.org/files/osarmor_setup_1.4_test33.exe</a></p><p></p><p>*** Please do not share the download link, we will delete it when we'll release the official v1.4 ***</p><p></p><p>So far this is what's new compared to the previous pre-release:</p><p></p><p>+ Block execution of Java</p><p>+ Fixed cosmetic GUI issue (Anti-Exploit listbox aligned)</p><p>+ Improved detection of suspicious folders</p><p>+ Improved detection of suspicious processes</p><p>+ Improved detection of suspicious command-lines</p><p>+ Improved detection of commands used to download remote files</p><p>+ Improved detection of PowerShell encoded commands</p><p>+ Improved detection of PowerShell malformed commands</p><p>+ Improved detection of PowerShell ExecutionPolicy Bypass</p><p>+ Improved detection of PowerShell WindowStyle Hidden</p><p>+ Configurator can have only a single instance running</p><p>+ Removed "Enable Passive Logging" option from the Configurator</p><p>+ Passive Logging can be enabled\disabled via tray icon</p><p>+ Block execution of any process related to Sysinternals</p><p>+ New method to detect suspicious processes</p><p>+ Prevent cmd.exe from executing powershell.exe</p><p>+ Categorized options in Advanced tab</p><p>+ Fixed some false positives</p><p></p><p>To install it, first uninstall the previous build, then reboot (not really needed but may help), and install the new build.</p><p></p><p>We're very near to the official v1.4 release, if you find any FP or issue please share them.</p><p></p><p>*** Notice ***</p><p></p><p>Actually the rule "Block any process executed from Sysinternals" is blocking mainly only psexec tools (I'll update the name).</p><p></p><p>The company that asked for this rule (block psexec.exe from Sysinternals) shared these links:</p><p></p><p><a href="https://forum.sysinternals.com/psexec-flagged-as-malware-by-sophos_topic28252.html" target="_blank">Psexec flagged as malware by Sophos</a></p><p></p><p></p><p></p><p><a href="https://blog.trendmicro.com/trendlabs-security-intelligence/analyzing-fileless-code-injecting-sorebrect-ransomware/" target="_blank">Analyzing the Fileless, Code-injecting SOREBRECT Ransomware</a></p><p></p><p></p><p></p><p><a href="https://www.bleepingcomputer.com/news/security/hc7-gotya-ransomware-installed-via-remote-desktop-services-spread-with-psexec/" target="_blank">HC7 GOTYA Ransomware Installed via Remote Desktop Services. Spread with PsExec</a></p><p></p><p></p><p></p><p>Would anyone benefit from blocking ALL Sysinternals tools?</p><p></p><p>Else we can just update and rename the rule to "Block execution of psexec.exe from Sysinternals".</p><p></p><p>[USER=46633]@Darrin[/USER] </p><p></p><p>Try to add this exclusion rule in Registry Guard:</p><p></p><p>[code]</p><p>[%OPR%: WRITE_VALUE] [%EXE%: *:\Windows\System32\services.exe] [%KEY%: *\SYSTEM\ControlSet*\Services\OSArmorDevSvc] [%VAL%: ImagePath]</p><p>[/code]</p></blockquote><p></p>
[QUOTE="NoVirusThanks, post: 709555, member: 68429"] Here is a new v1.4 (pre-release) (test33): [URL]http://downloads.novirusthanks.org/files/osarmor_setup_1.4_test33.exe[/URL] *** Please do not share the download link, we will delete it when we'll release the official v1.4 *** So far this is what's new compared to the previous pre-release: + Block execution of Java + Fixed cosmetic GUI issue (Anti-Exploit listbox aligned) + Improved detection of suspicious folders + Improved detection of suspicious processes + Improved detection of suspicious command-lines + Improved detection of commands used to download remote files + Improved detection of PowerShell encoded commands + Improved detection of PowerShell malformed commands + Improved detection of PowerShell ExecutionPolicy Bypass + Improved detection of PowerShell WindowStyle Hidden + Configurator can have only a single instance running + Removed "Enable Passive Logging" option from the Configurator + Passive Logging can be enabled\disabled via tray icon + Block execution of any process related to Sysinternals + New method to detect suspicious processes + Prevent cmd.exe from executing powershell.exe + Categorized options in Advanced tab + Fixed some false positives To install it, first uninstall the previous build, then reboot (not really needed but may help), and install the new build. We're very near to the official v1.4 release, if you find any FP or issue please share them. *** Notice *** Actually the rule "Block any process executed from Sysinternals" is blocking mainly only psexec tools (I'll update the name). The company that asked for this rule (block psexec.exe from Sysinternals) shared these links: [URL='https://forum.sysinternals.com/psexec-flagged-as-malware-by-sophos_topic28252.html']Psexec flagged as malware by Sophos[/URL] [URL='https://blog.trendmicro.com/trendlabs-security-intelligence/analyzing-fileless-code-injecting-sorebrect-ransomware/']Analyzing the Fileless, Code-injecting SOREBRECT Ransomware[/URL] [URL='https://www.bleepingcomputer.com/news/security/hc7-gotya-ransomware-installed-via-remote-desktop-services-spread-with-psexec/']HC7 GOTYA Ransomware Installed via Remote Desktop Services. Spread with PsExec[/URL] Would anyone benefit from blocking ALL Sysinternals tools? Else we can just update and rename the rule to "Block execution of psexec.exe from Sysinternals". [USER=46633]@Darrin[/USER] Try to add this exclusion rule in Registry Guard: [code] [%OPR%: WRITE_VALUE] [%EXE%: *:\Windows\System32\services.exe] [%KEY%: *\SYSTEM\ControlSet*\Services\OSArmorDevSvc] [%VAL%: ImagePath] [/code] [/QUOTE]
Insert quotes…
Verification
Post reply
Top
