App Review OSArmor vs malware - RoboMan

It is advised to take all reviews with a grain of salt. In extreme cases some reviews use dramatization for entertainment purposes.

RoboMan

Level 34
Thread author
Verified
Top Poster
Content Creator
Well-known
Jun 24, 2016
2,399
This is a very basic test. I tested OSArmor as a standalone solution, which should never be the case. It's not meant to replace anything or be your first layer defense.

OSArmor reaction to:

1. Scripts and general docs
2. Executable applications


Tested without network monitoring tools and testing only the local symptoms and consequences. This no way represents your system or an actual scenario. Take with a grain of salt. I didn't throw thousands of files, nevertheless 20 consecutive files do not represent a real scenario. Results on your systems may vary.

Please feel free to criticize any method used or thing you disliked, but take into account I'm not planning on releasing more videos or being a youtuber.


 

RoboMan

Level 34
Thread author
Verified
Top Poster
Content Creator
Well-known
Jun 24, 2016
2,399
F

ForgottenSeer 58943

UPLOAD.EE - OSArmor.rules - Download

Two different products for two different needs, totally compatible :)

I think redundant might be a better word.

The reason I say this is pure logic. If you take a stack of malware and test it on OSArmor. Some get through, some don't. Then you repeat the test with the same stack of malware, and VS totally protects you then what possible benefit would OSArmor be adding to the equation if VS totally protected you? I suppose if someone can show a threat that bypasses VS but is caught by OSArmor then there may be some validity to stacking them. Until then, I would simply use the better of the two tools - which I believe is VS. (IMO)
 

imuade

Level 12
Verified
Top Poster
Well-known
Jul 29, 2018
566
I think redundant might be a better word.

The reason I say this is pure logic. If you take a stack of malware and test it on OSArmor. Some get through, some don't. Then you repeat the test with the same stack of malware, and VS totally protects you then what possible benefit would OSArmor be adding to the equation if VS totally protected you? I suppose if someone can show a threat that bypasses VS but is caught by OSArmor then there may be some validity to stacking them. Until then, I would simply use the better of the two tools - which I believe is VS. (IMO)
I agree, OSA could help only if a user mistakenly allows somethink when VS popups an alert
 

RoboMan

Level 34
Thread author
Verified
Top Poster
Content Creator
Well-known
Jun 24, 2016
2,399
I think redundant might be a better word.

The reason I say this is pure logic. If you take a stack of malware and test it on OSArmor. Some get through, some don't. Then you repeat the test with the same stack of malware, and VS totally protects you then what possible benefit would OSArmor be adding to the equation if VS totally protected you? I suppose if someone can show a threat that bypasses VS but is caught by OSArmor then there may be some validity to stacking them. Until then, I would simply use the better of the two tools - which I believe is VS. (IMO)
It depends upon the case. To start with, VS will allow by parent process by default. So, many malware could abuse this in order to infect you. OSA can intercept such abuse. If this VS option is disabled, then remember VS needs to be turned off every time an installation takes place. In such cases, you cannot be 100% protected, even if you only download known software from reputable sites. I highlight CCleaner's case. There's no way VoodooShield could have intercepted that since it had to be disabled to install CCleaner. I'm not saying OSA would have blocked it, i'm just mentioning VoodooShield has limits.

Plus, VS includes no own signatures, only VirusTotal, which only work online and compare the executable with VT av's, still not the intructions the executable includes, so if it's a zero day and VirusTotal doesn't throw a proper alert, and you choose to install the software, you're fked. OSArmor may detect the use of specific processes by that file given the case.
 

askmark

Level 12
Verified
Top Poster
Well-known
Aug 31, 2016
578
It depends upon the case. To start with, VS will allow by parent process by default. So, many malware could abuse this in order to infect you. OSA can intercept such abuse. If this VS option is disabled, then remember VS needs to be turned off every time an installation takes place.
This is simply not true. I have allow by parent process disabled and have never had to disable VS to install any software. In fact the only time I disable VS is when I update Windows 10 to the next major release.

Voodooshield is not perfect. No software is, but your comments do it a great disservice in my opinion.
 

Evjl's Rain

Level 47
Verified
Honorary Member
Top Poster
Content Creator
Malware Hunter
Apr 18, 2016
3,684
I tested something similar in the past in my VM and got the exact same result
OSArmor is never good against exe malwares unless we tweak it to block unsigned applications => better
I know it's unfair to test OSA like this because it's not designed to block exe malwares

if an exe malware bypass our AVs, it's unlikely for OSA to block it
 

silversurfer

Level 85
Verified
Honorary Member
Top Poster
Content Creator
Malware Hunter
Well-known
Aug 17, 2014
10,057
if an exe malware bypass our AVs, it's unlikely for OSA to block it
I think we need to mention, SysHardner gets the same (poor) results against EXE-malware

To stay on the topic, here are my settings to prevent the execution of unsigned EXE-files:
 

Attachments

  • OSA.png
    OSA.png
    20.5 KB · Views: 495

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,040
Both VoodooShield and OSA are based on the good ideas. One can simply use OSA + Avast (Hardened Mode Aggressive) to get the decent protection for the true 0-day malware, maybe better in theory, than with VoodooShield. But, the chance to catch a true 0-day malware is so small, that in the real world scenario it will not be the significant difference between both solutions.
OSA is configurable, but VoodooShield free is not. On the other side, Avast has its own cons and VoodooShield can automatically switch to locked mode (default-deny) when the web app (web browser, email client) is running.
So, every one can choose what he/she likes more.
 
I

illumination

But, the chance to catch a true 0-day malware is so small, that in the real world scenario it will not be the significant difference between both solutions.
Best damn sentence i have seen in this forum in the last couple weeks. Makes one wonder why those that are perceive as professionals here, push to pile loads of security software inducing extreme paranoia with many, which in the end, introduce more bugs and issues to the users systems, thus making the chance of infection even greater. I certainly hope users do see this post and learn something from it.
 

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

User Menu

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top