NoVirusThanks OSArmor
Quote from NoVirusThanks (post 719558):

Here is a new v1.4 (pre-release) test43:
http://downloads.novirusthanks.org/files/osarmor_setup_1.4_test43.exe

*** Please do not share the download link, we will delete it when we release the official v1.4 ***

So far this is what's new compared to the previous pre-release:

+ Improved detection of system processes
+ Improved detection of suspicious processes
+ Block known UAC-bypass attempts
+ Block new and unknown UAC-bypass attempts (experimental)
+ Block known system processes used for UAC-bypass
+ Block ALL "autoelevate" system processes
+ Merged "Block execution of sdctl.exe\sysprep.exe\etc" with "Block known system processes used for UAC-bypass"
+ Block execution of Logoff.exe
+ Block execution of Vssadmin.exe
+ Block execution of Makecab.exe
+ Block execution of LxRun.exe
+ Block execution of Bash.exe
+ Block execution of Sdbinst.exe
+ Minor fixes and optimizations
+ Fixed some false positives

To install it, first uninstall the previous build, then reboot (not really needed but may help), and install the new build.

Since the issue "protection disabled at startup" seems fixed, we may officially release OSA v1.4 with the next build.

With this build 43 there is a new section dedicated to UAC-bypass mitigations:

[Attachment 182672: screenshot of the new UAC-bypass mitigations section]

"Block known UAC-bypass attempts"

This option should not generate FPs (even if I added the orange icon).

It should block known (public) UAC-bypass attempts.

The other 3 options may generate FPs:

"Block new and unknown UAC-bypass attempts (experimental)"

This experimental option should mitigate new and unknown UAC-bypass attempts that exploit system processes to elevate the malware payload. In my tests it performed well with very low FPs (on the work PC, with just a few programs installed).

"Block known system processes used for UAC-bypass"

This option blocks the execution of known system processes used to bypass UAC, for example slui.exe, sdctl.exe, fodhelper.exe, wusa.exe, mmc.exe, dccw.exe, BitlockerWizardElev.exe, and some more. By preventing their execution we entirely mitigate the UAC bypass attempt, but in exchange we may get a few alerts (FPs) when they are legitimately executed by the OS.

"Block ALL "autoelevate" system processes"

This option blocks ALL autoelevate system processes and may be particularly useful for companies or offices to mitigate new and unknown UAC bypass attempts that exploit "autoelevate" system processes (generally used in targeted attacks against companies). This option may generate alerts (FPs) depending on the PC usage, i.e. if the office PC is used to print/edit documents, read emails, open the web browser, open a few programs and such (doing the same routine every day), you may even get no alerts.

It would be nice if some of you could test these new options (mainly the first two) and share here if you get FPs.

Please also include the blocked event so I can fix it, if needed.

@shmu26

I will check it and see.
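The "Block ALL autoelevate system processes" option described in the post will alert on whichever System32 binaries carry an autoElevate manifest, so an admin who wants to predict the FP surface before enabling it can inventory those binaries first. The script below is an added example, not OSArmor's code; it assumes each executable's embedded manifest is stored as plain ASCII/UTF-8 text in the PE resource section (which is how Windows stores RT_MANIFEST), so a byte-level regex search over the file is enough to spot `<autoElevate>true</autoElevate>`.

```powershell
# Added example (not OSArmor's code): inventory the autoelevate executables in
# System32 that "Block ALL autoelevate system processes" would cover, and check
# which of the binaries named in the post are among them.
# Assumption: the manifest is embedded as ASCII/UTF-8 text, so a regex over the
# raw bytes finds the autoElevate and requestedExecutionLevel elements.
$sys32        = Join-Path $env:SystemRoot 'System32'
$autoPattern  = '<autoElevate>\s*true\s*</autoElevate>'
$levelPattern = 'level\s*=\s*"(requireAdministrator|highestAvailable|asInvoker)"'

$inventory = foreach ($exe in Get-ChildItem -Path $sys32 -Filter '*.exe' -File -ErrorAction SilentlyContinue) {
    try {
        $bytes = [System.IO.File]::ReadAllBytes($exe.FullName)
    } catch {
        continue   # locked or unreadable file; skip it rather than abort the scan
    }
    # ASCII decoding keeps the manifest text intact; non-ASCII bytes become '?'
    $text = [System.Text.Encoding]::ASCII.GetString($bytes)
    if ($text -match $autoPattern) {
        $level = if ($text -match $levelPattern) { $Matches[1] } else { 'unknown' }
        [pscustomobject]@{
            Name      = $exe.Name
            Level     = $level
            Signature = (Get-AuthenticodeSignature -FilePath $exe.FullName).Status
        }
    }
}

# Full list of autoelevate binaries: every one of these is a potential FP source
# when the "Block ALL" option is on, so compare it against what the PC actually runs.
$inventory | Sort-Object Name | Format-Table -AutoSize

# Binaries the post names explicitly under "Block known system processes used for UAC-bypass".
$namedInPost = 'slui.exe', 'fodhelper.exe', 'wusa.exe', 'mmc.exe', 'dccw.exe', 'BitlockerWizardElev.exe'
$covered = $inventory | Where-Object { $namedInPost -contains $_.Name }
"`nNamed in the post and carrying an autoElevate manifest on this machine:"
$covered | Select-Object Name, Level | Format-Table -AutoSize
```

Run it from an elevated or non-elevated shell alike; it only reads files. Pair the output with the blocked events OSArmor logs to see which autoelevate launches are routine on that PC and which are worth an alert.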