OXYGEN THIEF (Very active; Staff member; Administrator; joined 26 May 2010; 35999 posts; 25102 reactions/likes; city: Trololololo)
Here is a new v1.4 (pre-release) (test15):
*** Please do not share the download link; we will delete it when we release the official v1.4 ***

So far this is what's new compared to the previous pre-release:

+ Block execution of .jar scripts (unchecked by default)
+ Block execution of netsh.exe from specific processes (unchecked by default)
+ Block specific processes from self-executing (unchecked by default) *** Experimental ***
+ Exclusions.db and CustomBlock.db are now in UTF-8 format
+ Improved detection of suspicious Explorer behaviors
+ Minor fixes and optimizations

To install this pre-release, first uninstall the old one.
For the final release we are still missing:

* Driver co-signed with MS for Secure Boot
* Some more days of testing to find out if there are other FPs to fix
* Probably enable "Block execution of .vbs scripts" by default
* Fix issues reported by @stas (and others) on XP OS

I recommend that all OSA users change the .db file format to UTF-8:

1) Open Notepad as Admin
2) Click File -> Open and select "C:\Program Files\NoVirusThanks\OSArmorDevSvc\Exclusions.db"
3) Click File -> Save As... and choose UTF-8 under "Encoding:", then click on Save and overwrite the existing file
4) Do the same for CustomBlock.db

@Andy Ful

Yes, with the *filepath vars you can allow all processes located in a folder (not subfolders) like this:

[%PROCESSFILEPATH%: C:\MyPrograms\]

Then all .exe files located in C:\MyPrograms\ (not subfolders) are matched.

@Prorootect

Added Cent Browser, and Opera is already present.

Registry protection is not available.

@DavidLMO

Clarification - this includes "derived from" products? E.G. Palemoon, Waterfox, Cliqz, and so on?
No, "Protect Mozilla Firefox" works only for Firefox and Firefox ESR.

I added support for Palemoon and Waterfox with their respective options.
He's cranking out these updates like a storm, but it's good that he listens to users and adds what they want.
If it keeps going like this, this program will turn into a whole suite.
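Added illustration for the two practical points in the post above (the Notepad "Save As UTF-8" procedure for the .db files, and the [%PROCESSFILEPATH%: folder\] matching that covers a folder but not its subfolders). This is example code written for this page, not OSArmor's own implementation or the developer's code: it reads an Exclusions.db whether it was saved as ANSI or as UTF-8 with the byte-order mark Notepad writes, parses only the %PROCESSFILEPATH% rule form shown in the post (other rule variables are not modelled), and decides whether a process path sits directly in an excluded folder. The sample rules, the folders and the cp1252 fallback code page are assumptions made for the example.

```python
import ntpath
import re
from typing import List

# Constructed sample of an Exclusions.db as Notepad "Save As -> UTF-8" writes it
# on older Windows: a UTF-8 byte-order mark, then one rule per line. The rule
# syntax is the one shown in the post; the folders are made up for the example.
SAMPLE_DB = (
    "\ufeff[%PROCESSFILEPATH%: C:\\MyPrograms\\]\r\n"
    "[%PROCESSFILEPATH%: C:\\Tools\\Sysinternals\\]\r\n"
).encode("utf-8")

RULE_RE = re.compile(r"^\[%PROCESSFILEPATH%:\s*(.+?)\s*\]$", re.IGNORECASE)


def read_db(data: bytes, legacy_encoding: str = "cp1252") -> str:
    """Decode a .db file saved either as UTF-8 (with or without BOM) or as legacy ANSI.

    'utf-8-sig' strips the BOM; without that the first line would begin with
    U+FEFF and the first rule would silently fail to parse. The ANSI code page
    used for the fallback is an assumption (cp1252 here).
    """
    try:
        return data.decode("utf-8-sig")
    except UnicodeDecodeError:
        return data.decode(legacy_encoding)


def parse_rules(text: str) -> List[str]:
    """Return the folder of every [%PROCESSFILEPATH%: ...] rule; other lines are ignored."""
    folders = []
    for line in text.splitlines():
        m = RULE_RE.match(line.strip())
        if m:
            folders.append(m.group(1))
    return folders


def _normalize(folder: str) -> str:
    # normpath drops the trailing backslash and resolves '..', so a path such as
    # C:\MyPrograms\..\Windows\evil.exe cannot be made to look like it is in the folder.
    return ntpath.normpath(folder).lower()


def matches_folder(rule_folder: str, process_path: str) -> bool:
    """True only when the file sits directly in rule_folder (subfolders do not match)."""
    return _normalize(ntpath.dirname(process_path)) == _normalize(rule_folder)


def is_excluded(db_bytes: bytes, process_path: str) -> bool:
    """Apply every folder rule from the .db to one process path."""
    return any(matches_folder(f, process_path) for f in parse_rules(read_db(db_bytes)))


if __name__ == "__main__":
    for p in (r"C:\MyPrograms\app.exe", r"C:\MyPrograms\sub\app.exe",
              r"C:\MyPrograms\..\Windows\evil.exe"):
        print(p, "->", is_excluded(SAMPLE_DB, p))
```

The comparison is case-insensitive because NTFS paths are, and it is done on the normalized parent directory of the process, which is what makes "folder but not subfolders" exact: a file two levels down has a different parent directory and does not match.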
 

Ircus (Very active; Expert; joined 26 May 2010; 13074 posts; 44131 reactions/likes)
Here is a new v1.4 (pre-release) (test16):
*** Please do not share the download link; we will delete it when we release the official v1.4 ***

So far this is what's new compared to the previous pre-release:

+ Block execution of .msc scripts (unchecked by default)
+ Block execution of .bat scripts (unchecked by default)
+ Improved some internal rules related to the options added on test15
+ Updated Configurator and "Exclusions Helper" GUI
+ Minor fixes and optimizations
+ Fixed some false positives

To install this pre-release, first uninstall the old one.
So would you use this cfoc.org list to block all these file types?
The .vb and .ws extensions do not work (are unassigned).

The other important ones, like .pif, .com, .scr, .hta, .jar, .cpl, .cmd, .js, .jse, .wsf, .vbs, .vbe, .ps1 are already covered.

I added .msc and .bat in this test16 build, but be aware that blocking .bat scripts may generate many FPs.

@DavidLMO

Yeah, as @shmu26 said, it is because the uninstaller does not remove the .db files.

If you do not have saved exclusions or custom-block rules, you can uninstall it, remove the folder "C:\Program Files\NoVirusThanks\OSArmorDevSvc\" and install the new build.

@ozone

Does it protect portable versions of apps in anti-exploit tab?
Yes, here is a screenshot with LibreOffice portable (the exploit payload has been blocked):
[Screenshot: LibreOffice Portable, exploit payload blocked by OSArmor]
 

Ircus
Here is a new v1.4 (pre-release) (test17):
*** Please do not share the download link; we will delete it when we release the official v1.4 ***

So far this is what's new compared to the previous pre-release:

+ Block execution of .wsh scripts
+ Block execution of .reg scripts (unchecked by default)
+ Enabled by default "Block execution of .vbs scripts"
+ Improved internal rules
+ Fixed false positives

To install this pre-release, first uninstall the old one.
 

Ircus
Here is a new v1.4 (pre-release) (test18):
*** Please do not share the download link; we will delete it when we release the official v1.4 ***

So far this is what's new compared to the previous pre-release:

+ Fixed "black background" issue on Windows XP
+ Fixed "tray icon not shown" issue on Windows XP
+ Fixed startup issues on Windows XP
+ Improved internal rules
+ Fixed false positives

To install this pre-release, first uninstall the old one.
 

Ircus
Here is a new v1.4 (pre-release) (test22):
*** Please do not share the download link; we will delete it when we release the official v1.4 ***

So far this is what's new compared to the previous pre-release:

+ We now have 150+ protection options in the Configurator GUI
+ Improved support for Windows XP OS (2)
+ Added an exclamation icon to the left of protection options that can create FPs
+ Block execution of .msc scripts outside System folder
+ A lot of internal rules have been improved
+ Fixed all reported false positives

New protection options to mitigate specific attacks and UAC\DeviceGuard\AppLocker\etc bypasses:

+ Prevent winword.exe from loading DLLs with /L switch
+ Prevent DLL\Exe execution via Tracker.exe
+ Prevent ieexec.exe from loading remote files
+ Prevent msiexec.exe from loading MSI files masked as PNG files
+ Block execution of .msi installer scripts (*can create many FPs*)
+ Prevent MavInject32.exe from loading DLLs in running processes
+ Prevent AtBroker.exe from using /start switch to run processes
+ Block processes executed from AtBroker.exe
+ Prevent msxsl.exe from loading .xsl scripts
+ Prevent MSBuild.exe from loading .csproj scripts
+ Prevent odbcconf.exe from loading .rsp scripts
+ Block F# Interactive (fsi.exe) from executing F# scripts
+ And many more, see screenshot:

[Screenshot: Configurator (test22) protection options]

To install this pre-release, first uninstall the old one (important).
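Added example, not OSArmor's implementation and not code from the post: a minimal process-creation rule check in Python that expresses several of the test22 options above as image / parent / command-line patterns and runs them over constructed sample events. The command-line shapes (winword.exe /l <dll>, Tracker.exe /d <file>, ieexec.exe <url>, msiexec /i <url ending in .png>, MavInject32.exe <pid> /INJECTRUNNING <dll>, AtBroker.exe /start <name>, msxsl.exe <xml> <xsl>, MSBuild.exe <csproj>, odbcconf.exe /f <rsp>, fsi.exe <fsx>, and any child of AtBroker.exe) are our reading of how these binaries are abused; the rule names, event fields and sample paths are made up for the example.

```python
import ntpath
import re
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class ProcEvent:
    """One process-creation event (fields and values constructed for the example)."""
    image: str       # full path of the new process
    parent: str      # full path of the parent process
    cmdline: str


@dataclass(frozen=True)
class Rule:
    name: str
    image: Optional[str] = None     # child basename (case-insensitive), if constrained
    parent: Optional[str] = None    # parent basename, if constrained
    cmdline: Optional[str] = None   # regex over the command line, if constrained


def _basename(path: str) -> str:
    return ntpath.basename(path).lower()


# Our reading of the abuse each test22 option names; these are not OSArmor's rules.
RULES = [
    Rule("winword.exe loads a DLL via /L", image="winword.exe", cmdline=r"(^|\s)/l\s+\S+\.dll\b"),
    Rule("Tracker.exe runs a DLL/exe via /d", image="tracker.exe", cmdline=r"(^|\s)/d\s+\S+"),
    Rule("ieexec.exe loads a remote file", image="ieexec.exe", cmdline=r"\b(https?|ftp)://"),
    Rule("msiexec.exe installs an MSI masked as PNG", image="msiexec.exe", cmdline=r"\S+\.png\b"),
    Rule("MavInject32.exe injects a DLL", image="mavinject32.exe", cmdline=r"/injectrunning\b"),
    Rule("AtBroker.exe /start", image="atbroker.exe", cmdline=r"(^|\s)/start\s+\S+"),
    Rule("process spawned by AtBroker.exe", parent="atbroker.exe"),
    Rule("msxsl.exe loads an .xsl script", image="msxsl.exe", cmdline=r"\S+\.xsl\b"),
    Rule("MSBuild.exe loads a .csproj", image="msbuild.exe", cmdline=r"\S+\.csproj\b"),
    Rule("odbcconf.exe loads an .rsp", image="odbcconf.exe", cmdline=r"\S+\.rsp\b"),
    Rule("fsi.exe runs an F# script", image="fsi.exe", cmdline=r"\S+\.fsx\b"),
]


def evaluate(event: ProcEvent, rules: List[Rule] = RULES) -> List[str]:
    """Names of the rules the event trips; every constraint of a rule must hold."""
    hits = []
    for rule in rules:
        if rule.image and _basename(event.image) != rule.image:
            continue
        if rule.parent and _basename(event.parent) != rule.parent:
            continue
        if rule.cmdline and not re.search(rule.cmdline, event.cmdline, re.IGNORECASE):
            continue
        hits.append(rule.name)
    return hits


EXPLORER = r"C:\Windows\explorer.exe"
# Constructed sample events, not real telemetry.
SAMPLE_EVENTS = [
    ProcEvent(r"C:\Program Files\Microsoft Office\Office16\WINWORD.EXE", EXPLORER,
              r'"WINWORD.EXE" /l C:\Users\Public\addin.dll'),
    ProcEvent(r"C:\Program Files\Microsoft Office\Office16\WINWORD.EXE", EXPLORER,
              r'"WINWORD.EXE" /n C:\Users\Public\report.docx'),
    ProcEvent(r"C:\Windows\System32\msiexec.exe", r"C:\Windows\System32\cmd.exe",
              r"msiexec /q /i http://example.invalid/update.png"),
    ProcEvent(r"C:\Windows\System32\cmd.exe", r"C:\Windows\System32\AtBroker.exe", "cmd.exe"),
    ProcEvent(r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe", EXPLORER,
              r"MSBuild.exe C:\Users\Public\build.csproj"),
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(evaluate(ev) or ["(no rule)"], "<-", ev.cmdline)
```

Two caveats a practitioner would check before relying on rules of this shape: matching on the image basename is defeated by copying the binary under another name, so a real engine also has to tie the rule to the file's signature or original file name (a later post in this thread mentions that OSArmor validates process signatures as part of its checks), and extension-based patterns such as the .png one must be case-insensitive, which is why re.IGNORECASE is applied to every command-line regex.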
 

Ircus
Here is a new v1.4 (pre-release) (test23):
*** Please do not share the download link; we will delete it when we release the official v1.4 ***

So far this is what's new compared to the previous pre-release:

+ Now calc.exe is blocked via the Anti-Exploit module
+ Block execution of unsigned processes on Temp Folder (unchecked by default)
+ Block execution of unsigned processes on Windows Temp (unchecked by default)
+ Minor fixes and optimizations

To install this pre-release, first uninstall the old one.

Here is a new video where I tested OSArmor (test23) with HitmanPro.Alert Exploit Test Tool:
 

al (Forum Marshal; Staff member; Administrator; joined 22 July 2012; 10015 posts; 10657 reactions/likes; city: Somewhere over the rainbow.)
Here is a new v1.4 (pre-release) (test24):
*** Please do not share the download link; we will delete it when we release the official v1.4 ***

So far this is what's new compared to the previous pre-release:

+ Block reg.exe from hijacking Registry startup entries
+ Block execution of unsigned processes on Desktop folder
+ Block execution of processes on Documents folder
+ Moved Block ExecutionPolicy Bypass and WindowStyle Hidden to Advanced tab
+ Added PhantomPDF on Anti-Exploit tab
+ Added many new internal rules
+ Improved handling of false positives
+ Added new tab "Settings" on Configurator
+ New option: Enable Passive Logging (do not block the process, just log the event)
+ New option: Show a notification window when something is blocked
+ New option: Automatically close the notification window
+ You can more easily exclude events via the "Exclude" button
+ The "Exclude" button opens the "Exclusions Helper" GUI with pre-filled fields
+ You can open the logs folder via the "Open Logs" button
+ You can set the notification dialog to not auto-close and keep it open
+ You can manually close the notification dialog via the "X" button on top-right
+ Minor fixes and optimizations
 

Ircus
Here is a new v1.4 (pre-release) (test25):
*** Please do not share the download link; we will delete it when we release the official v1.4 ***

So far this is what's new compared to the previous pre-release:

+ On Configurator -> Settings -> Enable internal rules for allowing safe behaviors (checked)
** The above option was requested by a company so they can disable it and use only their exclusions **
** We highly recommend to any user to keep the above option always checked **
+ On Configurator -> Settings -> Set notification window always on top (checked)
+ On Configurator -> Advanced -> Block reg.exe from disabling UAC (unchecked)
+ On Configurator -> Advanced -> Block execution of processes on Public Folder (unchecked)
+ On Configurator -> Advanced -> Block processes executed from RuntimeBroker (unchecked)
+ On Configurator -> Advanced -> Block execution of SubInACL.exe (unchecked)
+ On Configurator -> Advanced -> Block execution of Shutdown.exe (unchecked)
+ On Configurator -> Advanced -> Block execution of At.exe (unchecked)
+ Added new internal rules to block suspicious processes
+ Many fixes and improvements

Here are two new videos:

@Evjl's Rain

We improved a few things on test 25 and it should use less CPU when checking a process.

But please note that sometimes (i.e. when processes are executed) it may use from 1% to at most 10% of CPU for about 1 second.

That is because it makes some internal checks to validate the process signature, etc.

As long as the CPU goes back to 0% there are no issues (nothing to worry about).

However, we may further improve this in the next version by implementing a caching system.

@l0rdraiden

Not yet; we just need to get the driver co-signed by MS, and then v1.4 should mostly be ready for release.

@AtlBo

Adding firewall is not in the plan, but we may add DLL and Registry protection (from SOB and Registry Guard technology).

However, what would then be hard is keeping things simple, so we'll need to discuss that.

@Telos

It is done on purpose: since we release frequent builds, a user may forget to back up the .db files or settings.

It's possible your exclusions from past releases are no longer required, but you wouldn't see that.
Yes, we already incorporated some whitelist rules internally, i.e. Sandboxie now doesn't require you to exclude the cmd.exe command line to delete the Sandbox folder.

@Lockdown

I would personally categorize OSArmor as a hybrid, both BB-like and SRP-like, with toggleable protection options and the possibility to create custom block\exclusion rules. On a few options we use BB-like rules, i.e. on "Block suspicious processes" or "Block suspicious Explorer.exe behaviors" (based on multiple checks + process activity\behavior analysis), and in other rules we use SRP-like rules, i.e. "Block execution of AT.exe" (do just that action: restrict At.exe from being executed). We could have made it without options and ready-to-use using only internal rules, but we wanted to offer the user the possibility to choose what to enable\disable (this was also a request by a few users and businesses).

//Everyone

We noticed an issue when switching from Admin->LUA->Admin:

- Power on the PC and select the Admin account (OSArmor icon is present)
- Switch to a LUA user (OSArmor icon is present)
- Switch back to Admin user (OSArmor icon is not present)

We'll fix this on the next build.
 

Elvis (Very active; Expert; joined 21 June 2012; 2304 posts; 850 reactions/likes)
Here is a new v1.4 (pre-release) (test26):
*** Please do not share the download link; we will delete it when we release the official v1.4 ***

So far this is what's new compared to the previous pre-release:

+ On Configurator -> Advanced -> Block unknown processes on Windows folder (unchecked)
+ Minor fixes and optimizations

To install it, first uninstall the previous build, then reboot (not really needed but may help), and install test 26.
 

Ircus
Here is a new v1.4 (pre-release) (test27):
*** Please do not share the download link; we will delete it when we release the official v1.4 ***

So far this is what's new compared to the previous pre-release:

+ Improved support for Fast User Switching and Logouts
+ Many internal improvements
+ Integrated a smart caching mechanism
+ Prevent flooding of the notification dialog
+ Fixed opening of the Configurator in certain situations
+ Fixed some false positives
+ Block execution of unsigned processes on Downloads folder
+ Added Tor Browser, Comodo Dragon and MSPub on Anti-Exploit tab
+ Block execution of Sysprep.exe (UAC Bypass)
+ The alert icon on Configurator is red for some options

To install it, first uninstall the previous build, then reboot (not really needed but may help), and install test 27

Thanks to the new caching mechanism, CPU usage should be lower now when executing many processes. All issues related to "timeout 30000 on the service", "Configurator doesn't show up", "when switching users icon is not present", etc. should also be fixed.
 

Ircus
Here is a new v1.4 (pre-release) test28:
*** Please do not share the download link; we will delete it when we release the official v1.4 ***

So far this is what's new compared to the previous pre-release:

+ Fixed false positives

To install it, first uninstall the previous build, then reboot (not really needed but may help), and install test 28
 

Elvis
Here is a new v1.4 (pre-release) (test29):
*** Please do not share the download link; we will delete it when we release the official v1.4 ***

So far this is what's new compared to the previous pre-release:

+ Categorized options in Anti-Exploit tab and sorted them alphabetically (per category)
+ When on Passive Logging, the text on the notification window is "Passive Logging Enabled"
+ On Configurator -> Settings -> Passive Logging changed the text to "You will still receive notification dialogs while in Passive Logging."
+ Added Thunderbird on Anti-Exploit tab
+ Removed "Process Path" and "Parent Process Path" from Exclusions Helper GUI
+ Option to disable protection temporarily, for 10 minutes, 30 minutes, 1 hour
+ Option to not display alerts when an application is in full-screen mode
+ Improved "Block execution of .vbs scripts"
+ Improved "Block execution of .js scripts"
+ Tray icon becomes red when Passive Logging is enabled
+ Option to play beep sound when notification is displayed
+ Fixed a false positive with "Block processes executed from javaw.exe"
+ Improved detection of PowerShell encoded commands
+ Improved detection of PowerShell malformed commands
+ Improved detection of suspicious processes
+ Block processes executed from USB
+ Block processes executed from RAM Disk
+ Block processes executed from Network Drive
+ Block processes executed from CD-ROM
+ Block execution of Internet Explorer
+ Block execution of Microsoft Edge
+ OSArmor 64-bit now supports Secure Boot
+ Fixed some false positives

To install it, first uninstall the previous build, then reboot (not really needed but may help), and install test 29.
 

Elvis
Here is a new v1.4 (pre-release) (test30):
*** Please do not share the download link; we will delete it when we release the official v1.4 ***

So far this is what's new compared to the previous pre-release:

+ Both 32-bit and 64-bit drivers are now co-signed by Microsoft
+ Removed option "Set notification window always on top" (it is done by default now)
+ Fixed CPU spikes when the notification dialog disappears
+ Fixed "can't open menu in OSArmorDevUI because it loses focus"

To install it, first uninstall the previous build, then reboot (not really needed but may help), and install the new build.

Secure Boot should be now fully supported in both 32 & 64-bit W10 OS.
 

Elvis
Here is a new v1.4 (pre-release) (test31):
*** Please do not share the download link; we will delete it when we release the official v1.4 ***

So far this is what's new compared to the previous pre-release:

+ Block processes executed from Shared Folder
+ Improved detection of malformed PowerShell commands
+ Improved detection of suspicious processes
+ Improved detection of suspicious scripts
+ Hint text for red icon (on Configurator) is changed to "Can create many false positives"
+ Block ShellExecute\Start-Process in PowerShell cmdline
+ Fixed false positive on "Block processes located in suspicious folders" related to SUA users
+ Prevent schtasks.exe from creating tasks

To install it, first uninstall the previous build, then reboot (not really needed but may help), and install the new build.
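Added example, not part of the posts and not OSArmor's code: a Python analyser for powershell.exe command lines that covers the PowerShell-related options mentioned across the builds above, namely ExecutionPolicy Bypass and WindowStyle Hidden (test24), encoded and malformed commands (test29 and test31), and Start-Process / ShellExecute in the command line (test31). It resolves the parameter abbreviations powershell.exe accepts (any unambiguous prefix plus the documented short forms such as -e, -ec, -ep, -w), decodes -EncodedCommand as base64 of UTF-16LE, and treats a value that does not decode as "malformed", which is our interpretation of that term. The finding names, the parameter list and all sample command lines are constructed for this example.

```python
import base64
import re
from typing import Dict, List, Optional

# Parameters of powershell.exe that matter here. powershell.exe accepts any
# unambiguous prefix of a parameter name; the list is assumed sufficient for the example.
KNOWN_PARAMS = ["EncodedCommand", "ExecutionPolicy", "WindowStyle", "NoProfile",
                "NonInteractive", "NoLogo", "NoExit", "Command", "File"]
# Documented short forms that are not unique prefixes (e.g. "-e" could also be a
# prefix of ExecutionPolicy, but powershell.exe treats it as EncodedCommand).
ALIASES = {"e": "EncodedCommand", "ec": "EncodedCommand", "ep": "ExecutionPolicy",
           "ex": "ExecutionPolicy", "w": "WindowStyle", "nop": "NoProfile",
           "noni": "NonInteractive", "c": "Command"}
SUSPICIOUS_SCRIPT = re.compile(r"start-process|shellexecute", re.IGNORECASE)


def canonical_param(token: str) -> Optional[str]:
    """Map '-enc', '/EP', '-WindowS', ... to the full parameter name, or None."""
    if not token.startswith(("-", "/")) or len(token) < 2:
        return None
    name = token[1:].lower()
    if name in ALIASES:
        return ALIASES[name]
    hits = [p for p in KNOWN_PARAMS if p.lower().startswith(name)]
    return hits[0] if len(hits) == 1 else None


def tokenize(cmdline: str) -> List[str]:
    """Split on whitespace, keeping double-quoted strings together (quotes stripped)."""
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmdline)]


def decode_encoded(value: str) -> Optional[str]:
    """-EncodedCommand carries base64 of a UTF-16LE string; None if it does not decode."""
    try:
        return base64.b64decode(value, validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):   # bad base64 or padding, odd byte count
        return None


def encode_for_powershell(script: str) -> str:
    """Build an -EncodedCommand value the way an attacker (or an admin) would."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def analyze(cmdline: str) -> Dict[str, object]:
    """Return the findings for one powershell.exe command line and the script text seen."""
    tokens = tokenize(cmdline)
    findings: List[str] = []
    script = ""
    i = 1                                     # tokens[0] is the image path
    while i < len(tokens):
        param = canonical_param(tokens[i])
        value = tokens[i + 1] if i + 1 < len(tokens) else ""
        if param == "EncodedCommand":
            findings.append("encoded_command")
            decoded = decode_encoded(value)
            if decoded is None:
                findings.append("malformed_encoded_command")
            else:
                script += decoded + "\n"
            i += 2
        elif param == "ExecutionPolicy":
            if value.lower() == "bypass":
                findings.append("executionpolicy_bypass")
            i += 2
        elif param == "WindowStyle":
            if value.lower() == "hidden":
                findings.append("windowstyle_hidden")
            i += 2
        elif param == "Command":              # -Command consumes the rest of the line
            script += " ".join(tokens[i + 1:]) + "\n"
            break
        else:
            i += 1
    if SUSPICIOUS_SCRIPT.search(script):
        findings.append("start_process_or_shellexecute")
    return {"findings": findings, "script": script.strip()}


# Constructed sample command lines (not real telemetry).
SAMPLES = [
    "powershell.exe -nop -w hidden -ep bypass -enc "
    + encode_for_powershell("Start-Process calc.exe"),
    'powershell.exe -w hidden -c "Start-Process notepad.exe"',
    "powershell.exe -e aGVsbG8",                        # base64 with bad padding
    r"powershell.exe -NoProfile -File C:\scripts\backup.ps1",
]

if __name__ == "__main__":
    for line in SAMPLES:
        print(analyze(line)["findings"], "<-", line[:60])
```

The point of resolving prefixes rather than matching the literal string "-EncodedCommand" is that a blocker which only looks for the long form misses -enc, -ec and -e, which is the usual reason "improved detection of encoded commands" shows up in changelogs; decoding the payload is also what allows Start-Process to be caught when it is hidden inside the base64 rather than written in clear on the command line.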
 

Ircus
Here is a new v1.4 (pre-release) (test32):
*** Please do not share the download link; we will delete it when we release the official v1.4 ***

So far this is what's new compared to the previous pre-release:

+ Fixed an issue on Windows XP
+ Fixed all reported false positives

To install it, first uninstall the previous build, then reboot (not really needed but may help), and install the new build.

This new build should fix an issue on 32-bit OSes.
 