RoboMan

Level 31
Verified
Content Creator
Malware Tester
This is a very basic test. I tested OSArmor as a standalone solution, which should never be the case. It's not meant to replace anything or to be your first-layer defense.

OSArmor reaction to:

1. Scripts and general docs
2. Executable applications


Tested without network monitoring tools, testing only the local symptoms and consequences. This in no way represents your system or an actual scenario. Take it with a grain of salt. I didn't throw thousands of files at it; nevertheless, 20 consecutive files do not represent a real scenario. Results on your systems may vary.

Please feel free to criticize any method used or anything you disliked, but take into account that I'm not planning on releasing more videos or becoming a YouTuber.


 

Slyguy

Level 44
UPLOAD.EE - OSArmor.rules - Download

Two different products for two different needs, totally compatible :)

I think redundant might be a better word.

The reason I say this is pure logic. If you take a stack of malware and test it on OSArmor, some get through, some don't. Then you repeat the test with the same stack of malware, and VS totally protects you; then what possible benefit would OSArmor be adding to the equation if VS totally protected you? I suppose if someone can show a threat that bypasses VS but is caught by OSArmor then there may be some validity to stacking them. Until then, I would simply use the better of the two tools, which I believe is VS. (IMO)
 

imuade

Level 11
Verified
I think redundant might be a better word.

The reason I say this is pure logic. If you take a stack of malware and test it on OSArmor, some get through, some don't. Then you repeat the test with the same stack of malware, and VS totally protects you; then what possible benefit would OSArmor be adding to the equation if VS totally protected you? I suppose if someone can show a threat that bypasses VS but is caught by OSArmor then there may be some validity to stacking them. Until then, I would simply use the better of the two tools, which I believe is VS. (IMO)
I agree, OSA could help only if a user mistakenly allows something when VS pops up an alert.
 

RoboMan

Level 31
Verified
Content Creator
Malware Tester
I think redundant might be a better word.

The reason I say this is pure logic. If you take a stack of malware and test it on OSArmor, some get through, some don't. Then you repeat the test with the same stack of malware, and VS totally protects you; then what possible benefit would OSArmor be adding to the equation if VS totally protected you? I suppose if someone can show a threat that bypasses VS but is caught by OSArmor then there may be some validity to stacking them. Until then, I would simply use the better of the two tools, which I believe is VS. (IMO)
It depends upon the case. To start with, VS will allow by parent process by default, so much malware could abuse this in order to infect you. OSA can intercept such abuse. If this VS option is disabled, then remember VS needs to be turned off every time an installation takes place. In such cases, you cannot be 100% protected, even if you only download known software from reputable sites. I highlight CCleaner's case. There's no way VoodooShield could have intercepted that, since it had to be disabled to install CCleaner. I'm not saying OSA would have blocked it, I'm just mentioning that VoodooShield has limits.

Plus, VS includes no signatures of its own, only VirusTotal, which only works online and compares the executable against VT's AVs, not the instructions the executable includes, so if it's a zero-day and VirusTotal doesn't throw a proper alert, and you choose to install the software, you're fked. OSArmor may detect the use of specific processes by that file in such a case.
 

askmark

Level 12
Verified
It depends upon the case. To start with, VS will allow by parent process by default, so much malware could abuse this in order to infect you. OSA can intercept such abuse. If this VS option is disabled, then remember VS needs to be turned off every time an installation takes place.
This is simply not true. I have "allow by parent process" disabled and have never had to disable VS to install any software. In fact, the only time I disable VS is when I update Windows 10 to the next major release.

Voodooshield is not perfect. No software is, but your comments do it a great disservice in my opinion.
 

Evjl's Rain

Level 45
Verified
Trusted
Content Creator
Malware Hunter
I tested something similar in the past in my VM and got the exact same result.
OSArmor is never good against EXE malware unless we tweak it to block unsigned applications => better.
I know it's unfair to test OSA like this because it's not designed to block EXE malware.

If an EXE malware bypasses our AVs, it's unlikely that OSA will block it.
 

silversurfer

Level 65
Verified
Trusted
Content Creator
Malware Hunter
If an EXE malware bypasses our AVs, it's unlikely that OSA will block it.
I think we need to mention that SysHardener gets the same (poor) results against EXE malware.

To stay on the topic, here are my settings to prevent the execution of unsigned EXE-files:
 

Attachment: OSA.png (screenshot of the settings)
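The rule the post above describes keys on whether an EXE carries a signature. As an added example (not the poster's settings, and not OSArmor's own code), the PowerShell below shows what such a rule actually evaluates: it walks a folder and lists every executable whose Authenticode signature is anything other than Valid, which is the set a "block unsigned EXE" setting would stop. The scanned Downloads folder is an assumed location; `Get-AuthenticodeSignature` and `Get-FileHash` are standard Windows PowerShell cmdlets.

```powershell
# Added example, not OSArmor's or the poster's configuration.
# Lists executables that a "block unsigned EXE" rule would refuse to run,
# i.e. every file whose Authenticode signature is not Valid.
function Get-UnsignedExecutables {
    param(
        [Parameter(Mandatory)] [string]   $Path,
        [string[]] $Extensions = @('*.exe', '*.dll', '*.scr', '*.com')
    )

    Get-ChildItem -Path $Path -Include $Extensions -Recurse -File -ErrorAction SilentlyContinue |
        ForEach-Object {
            $sig = Get-AuthenticodeSignature -FilePath $_.FullName
            [pscustomobject]@{
                Path   = $_.FullName
                # SignatureStatus: Valid, NotSigned, HashMismatch, NotTrusted,
                # UnknownError, NotSupportedFileFormat, Incompatible
                Status = $sig.Status
                Signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
                Sha256 = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
            }
        } |
        # Only Valid passes a block-unsigned rule; NotSigned and HashMismatch
        # (a signed file that was modified afterwards) are both rejected.
        Where-Object { $_.Status -ne 'Valid' }
}

# Assumed location: the current user's Downloads folder.
Get-UnsignedExecutables -Path "$env:USERPROFILE\Downloads" | Format-Table -AutoSize
```

A Valid status only means the file is unchanged since a holder of a code-signing certificate signed it; it says nothing about the file's behaviour. The trojanized CCleaner build mentioned earlier in the thread shipped with a valid vendor signature, so a rule of this kind stops unsigned droppers but not a compromised signed installer, which is the limit the thread is circling around.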

Andy Ful

Level 64
Verified
Trusted
Content Creator
Both VoodooShield and OSA are based on good ideas. One can simply use OSA + Avast (Hardened Mode Aggressive) to get decent protection against true 0-day malware, maybe better in theory than with VoodooShield. But the chance to catch a true 0-day malware is so small that in a real-world scenario there will be no significant difference between the two solutions.
OSA is configurable, but VoodooShield free is not. On the other hand, Avast has its own cons, and VoodooShield can automatically switch to locked mode (default-deny) when a web app (web browser, email client) is running.
So everyone can choose what he/she likes more.
 

illumination

But the chance to catch a true 0-day malware is so small that in a real-world scenario there will be no significant difference between the two solutions.
Best damn sentence I have seen in this forum in the last couple of weeks. Makes one wonder why those who are perceived as professionals here push to pile on loads of security software, inducing extreme paranoia in many, which in the end introduces more bugs and issues into users' systems, thus making the chance of infection even greater. I certainly hope users do see this post and learn something from it.
 