Elvis

Very active
Expert
Joined: 21 June 2012
Posts: 2304
Reactions/Likes: 850
Here is a new v1.4 (pre-release) (test33):


*** Please do not share the download link; we will delete it when we release the official v1.4 ***

So far this is what's new compared to the previous pre-release:

+ Block execution of Java
+ Fixed cosmetic GUI issue (Anti-Exploit listbox aligned)
+ Improved detection of suspicious folders
+ Improved detection of suspicious processes
+ Improved detection of suspicious command-lines
+ Improved detection of commands used to download remote files
+ Improved detection of PowerShell encoded commands
+ Improved detection of PowerShell malformed commands
+ Improved detection of PowerShell ExecutionPolicy Bypass
+ Improved detection of PowerShell WindowStyle Hidden
+ Configurator can have only a single instance running
+ Removed "Enable Passive Logging" option from the Configurator
+ Passive Logging can be enabled\disabled via tray icon
+ Block execution of any process related to Sysinternals
+ New method to detect suspicious processes
+ Prevent cmd.exe from executing powershell.exe
+ Categorized options in Advanced tab
+ Fixed some false positives

To install it, first uninstall the previous build, then reboot (not really needed but may help), and install the new build.
 

Elvis

Here is a new v1.4 (pre-release) (test34):


*** Please do not share the download link; we will delete it when we release the official v1.4 ***

So far this is what's new compared to the previous pre-release:

+ Added SoftMaker Office to Anti-Exploit tab
+ Block execution of PsExec.exe from Sysinternals
+ Added Media Player Classic Black Edition to Anti-Exploit tab
+ Improved detection of suspicious processes
+ Updated the Anti-Exploit module
+ Fixed some false positives

To install it, first uninstall the previous build, then reboot (not really needed but may help), and install the new build.
 

Elvis

Here is a new v1.4 (pre-release) (test35):


*** Please do not share the download link; we will delete it when we release the official v1.4 ***

So far this is what's new compared to the previous pre-release:

+ Fixed detection of SoftMaker Office 2012
+ Improved detection of suspicious processes
+ Fixed an issue on Windows 10 32-bit OSs
+ Prevent reg.exe from hijacking OSArmor settings (on Main Protections, enabled by default)
+ Improved "Block processes named like *keygen* or *crack*"
+ Updated some text on Configurator
+ Minor fixes and optimizations
+ Fixed some false positives

To install it, first uninstall the previous build, then reboot (not really needed but may help), and install the new build.
 

OXYGEN THIEF

Very active
Staff Member
Administrator
Joined: 26 May 2010
Posts: 40363
Reactions/Likes: 28518
City: Trololololo
OSArmor betas can safely be installed on a live machine :)
 

Ircus

Very active
Expert
Joined: 26 May 2010
Posts: 14945
Reactions/Likes: 49913
Here is a new v1.4 (pre-release) (test36):


*** Please do not share the download link; we will delete it when we release the official v1.4 ***

So far this is what's new compared to the previous pre-release:

+ Improved detection of suspicious folders
+ Improved detection of suspicious command-lines
+ Block execution of processes on All Users folder
+ Prevent attrib.exe from setting +h or +s attributes
+ Exclude "/a" execution for "Block execution of Shutdown.exe"
+ Renamed "Block execution of PsExec.exe from Sysinternals" to "Block execution of PsTools Suite from Sysinternals"
+ Block execution of PsTools Suite from Sysinternals
+ Renamed "Prevent reg.exe from hijacking OSArmor settings" to "Enable OSArmor self defense (basic)"
+ Enable OSArmor self defense (basic) -> Moved on Settings
+ Improved detection of known fake file extensions
+ User must be in the Administrators Group to change protection (Configurator -> Settings, disabled by default)
+ Block execution of taskkill.exe
+ Minor fixes and optimizations

To install it, first uninstall the previous build, then reboot (not really needed but may help), and install the new build.

The basic self defense now blocks net.exe, net1.exe, taskkill.exe, sc.exe, reg.exe, pskill.exe, etc. from terminating\hijacking OSArmorDevSvc.

It also prevents silent uninstallation via /VERYSILENT and /SILENT (unins000.exe).
 

Ircus

Here is a new v1.4 (pre-release) (test37):


*** Please do not share the download link; we will delete it when we release the official v1.4 ***

So far this is what's new compared to the previous pre-release:

+ Improved detection of suspicious folders
+ Improved detection of suspicious command-lines
+ Improved detection of PowerShell encoded commands
+ Improved OSArmor self defense (basic)
+ Exclude "-a" execution for "Block execution of Shutdown.exe"
+ Improved detection of PsTools from Sysinternals
+ Improved detection of Nirsoft programs
+ Prevent regedit.exe from silently loading .reg scripts
+ Fixed "When uninstalled it disables: Block execution of cmd.exe\powershell.exe"
+ Fixed detection of SoftMaker Office 2012 *** Big thanks to @Andy Ful
+ Block execution of tskill.exe
+ Fixed some false positives

To install it, first uninstall the previous build, then reboot (not really needed but may help), and install the new build.
 

Elvis

Here is a new v1.4 (pre-release) test38:


*** Please do not share the download link; we will delete it when we release the official v1.4 ***

So far this is what's new compared to the previous pre-release:

+ Block execution of cacls\icacls\xcacls.exe
+ Block execution of takeown.exe
+ By default "Block execution of taskkill.exe" is disabled
+ Improved detection of suspicious processes
+ Improved detection of suspicious command-lines
+ Improved detection of Bitcoin miner command-lines
+ Improved detection of PowerShell malformed commands
+ Improved OSArmor self defense (basic)
+ Self-protection (basic) is enabled by default and can't be disabled
+ Prevent wevtutil.exe from cleaning Windows Eventlog
+ Prevent Windows Firewall from being disabled via command-line
+ Fixed some false positives

To install it, first uninstall the previous build, then reboot (not really needed but may help), and install the new build.
 

Ircus

Here is a new v1.4 (pre-release) test39:


*** Please do not share the download link; we will delete it when we release the official v1.4 ***

So far this is what's new compared to the previous pre-release:

+ Prevent Base Filtering Engine (BSE) from being disabled via cmdline
+ Improved detection of suspicious command-lines
+ Improved OSArmor self defense (basic)
+ Fixed some false positives

To install it, first uninstall the previous build, then reboot (not really needed but may help), and install the new build.
 

Elvis

Here is a new v1.4 (pre-release) test40:


*** Please do not share the download link; we will delete it when we release the official v1.4 ***

So far this is what's new compared to the previous pre-release:

+ Joined "Prevent Base Filtering Engine (BSE) from being disabled via cmdline" and "Prevent Windows Firewall from being disabled via command-line" in "Prevent important Windows Services from being disabled"
+ Added Windows Defender, Security Essentials, Windows Update, Security Center to "Prevent important Windows Services from being disabled"
+ Block cmstp.exe from loading .inf files (AppLocker bypass)
+ Improved detection of PowerShell malformed commands
+ Advanced -> Block execution of processes on Public Folder (C:\Users\Public) -> Enabled by default
+ Advanced -> Block execution of processes on All Users folder -> Enabled by default
+ Advanced -> Block execution of .msc scripts outside System folder -> Enabled by default
+ Advanced -> Block reg.exe from hijacking Registry startup entries -> Enabled by default
+ Advanced -> Prevent attrib.exe from setting +h or +s attributes -> Enabled by default
+ Advanced -> Prevent wevtutil.exe from cleaning Windows Eventlog -> Enabled by default
+ Advanced -> Prevent important Windows Services from being disabled -> Enabled by default
+ Advanced -> Block reg.exe from disabling UAC (User Access Control) -> Enabled by default
+ Improved "Prevent important Windows Services from being disabled"
+ Block execution of regini.exe

To install it, first uninstall the previous build, then reboot (not really needed but may help), and install the new build.
 

Elvis

Here is a new v1.4 (pre-release) test41:


*** Please do not share the download link; we will delete it when we release the official v1.4 ***

So far this is what's new compared to the previous pre-release:

+ Improved OSArmor self defense (basic)
+ Improved detection of suspicious processes
+ Improved detection of fake system processes
+ Added Event Log Service on "Prevent important Windows Services from being disabled"
+ Improved Block processes named like *keygen* or *crack*
+ Block execution of sc.exe
+ Block execution of net\net1.exe
+ Block execution of wmic.exe
+ Block execution of netsh.exe
+ Block execution of bitsadmin.exe
+ Block execution of reg.exe
+ Fixed some false positives

To install it, first uninstall the previous build, then reboot (not really needed but may help), and install the new build.
 

Elvis

Here is a new v1.4 (pre-release) test42:


*** Please do not share the download link; we will delete it when we release the official v1.4 ***

So far this is what's new compared to the previous pre-release:

+ Improved detection of PowerShell malformed commands
+ Change Registry value ServicesPipeTimeout to 180000 via setup file
+ Modified the service to fix a rare crash on session change
+ Improved detection of fake system processes
+ Improved Block command-lines that match *\Start Menu\Programs\Startup\*
+ Added BitLocker Service on "Prevent important Windows Services from being disabled"
+ Improved Block unknown processes on Windows folder
+ Improved Block execution of .reg scripts
+ Block execution of xcopy\robocopy.exe
+ Block execution of diskpart.exe
+ Block execution of format.com
+ Block execution of tasklist.exe
+ Block execution of systeminfo.exe
+ Block execution of whoami.exe
+ Fixed some false positives

To install it, first uninstall the previous build, then reboot (not really needed but may help), and install the new build.
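
As an added example (not OSArmor's code or rule set), here is how the detection categories these changelogs keep naming, encoded and hidden PowerShell, ExecutionPolicy bypass, wevtutil clearing the event log, attrib +h/+s, stopping protected services, and reg.exe disabling UAC, can be expressed as a small Python command-line classifier of the kind a defender would run over process-creation logs. The service names, regexes and sample command lines are constructed assumptions, not OSArmor's signatures.

```python
"""Toy command-line classifier modelled on rule categories named in the OSArmor pre-release
changelogs above. Constructed example, not OSArmor's own rules or code."""
import base64
import re

# Constructed Windows service names for the services the changelog says to protect from being disabled.
PROTECTED_SERVICES = {"bfe", "mpssvc", "windefend", "wuauserv", "wscsvc", "eventlog", "bdesvc"}

B64 = r"[A-Za-z0-9+/=]{16,}"
RULES = [  # (name, illustrative regex); -e/-ec/-enc are PowerShell's accepted abbreviations
    ("powershell_encoded", re.compile(r"powershell(?:\.exe)?\b.*\s-(?:e|ec|en|enc|encodedcommand)\s+" + B64, re.I)),
    ("powershell_executionpolicy_bypass", re.compile(r"powershell(?:\.exe)?\b.*\s-(?:ex|ep|executionpolicy)\s+bypass", re.I)),
    ("powershell_windowstyle_hidden", re.compile(r"powershell(?:\.exe)?\b.*\s-w(?:indowstyle)?\s+hidden", re.I)),
    ("wevtutil_clear_eventlog", re.compile(r"\bwevtutil(?:\.exe)?\s+(?:cl|clear-log)\b", re.I)),
    ("attrib_hidden_or_system", re.compile(r"\battrib(?:\.exe)?\b.*\+[hs]\b", re.I)),
    ("reg_disable_uac", re.compile(r"\breg(?:\.exe)?\s+add\b.*\\Policies\\System\b.*\bEnableLUA\b.*\s/d\s+0\b", re.I)),
]
# sc/net stopping or reconfiguring a service; flagged only when the target is a protected service.
SERVICE_STOP = re.compile(r"\b(?:sc(?:\.exe)?\s+(?:stop|config|delete)|net1?(?:\.exe)?\s+stop)\s+\"?([\w-]+)", re.I)

def decode_encoded_command(cmdline):
    """Plaintext of a PowerShell -EncodedCommand argument (base64 of UTF-16LE), or None."""
    m = re.search(r"\s-(?:e|ec|en|enc|encodedcommand)\s+(" + B64 + ")", cmdline, re.I)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None

def classify(cmdline):
    """Names of every rule the command line trips; an empty list means allow."""
    hits = [name for name, rx in RULES if rx.search(cmdline)]
    m = SERVICE_STOP.search(cmdline)
    if m and m.group(1).lower() in PROTECTED_SERVICES:
        hits.append("protected_service_disable")
    return hits

# Constructed sample process command lines (not captured from a real machine).
ENCODED = base64.b64encode("Write-Host hello".encode("utf-16-le")).decode()
SAMPLE_CMDLINES = [
    f"powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -EncodedCommand {ENCODED}",
    "wevtutil.exe cl Security",
    'attrib.exe +h +s "C:\\Users\\Public\\update.exe"',
    "sc.exe stop WinDefend",
    "reg.exe add HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System /v EnableLUA /t REG_DWORD /d 0 /f",
    "powershell.exe -NoProfile -File C:\\Scripts\\backup.ps1",  # benign: expect no hit
    "net stop Spooler",  # benign: Spooler is not a protected service
]
```

Running `classify` over the two benign lines is the false-positive check the posts keep asking testers for; decoding the -EncodedCommand payload lets an analyst see what a flagged launch would actually have run.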
 

Ircus

Here is a new v1.4 (pre-release) test43:


*** Please do not share the download link; we will delete it when we release the official v1.4 ***

So far this is what's new compared to the previous pre-release:

+ Improved detection of system processes
+ Improved detection of suspicious processes
+ Block known UAC-bypass attempts
+ Block new and unknown UAC-bypass attempts (experimental)
+ Block known system processes used for UAC-bypass
+ Block ALL "autoelevate" system processes
+ Merged "Block execution of sdctl.exe\sysprep.exe\etc" with "Block known system processes used for UAC-bypass"
+ Block execution of Logoff.exe
+ Block execution of Vssadmin.exe
+ Block execution of Makecab.exe
+ Block execution of LxRun.exe
+ Block execution of Bash.exe
+ Block execution of Sdbinst.exe
+ Minor fixes and optimizations
+ Fixed some false positives

To install it, first uninstall the previous build, then reboot (not really needed but may help), and install the new build.

With this build 43 there is a new section dedicated to UAC-bypass mitigations:

[attached screenshot: osa43.png]

"Block known UAC-bypass attempts"

This option should not generate FPs (even if I added the orange icon).

It should block known (public) UAC-bypass attempts.

The other 3 options may generate FPs:

"Block new and unknown UAC-bypass attempts (experimental)"

This experimental option should mitigate new and unknown UAC-bypass attempts that exploit system processes to elevate the malware payload. In my tests it performed well with very low FPs (on the work-PC, with just a few programs installed).

"Block known system processes used for UAC-bypass"

This option blocks the execution of known system processes used to bypass UAC, for example slui.exe, sdctl.exe, fodhelper.exe, wusa.exe, mmc.exe, dccw.exe, BitlockerWizardElev.exe, and some more. By preventing their execution we mitigate entirely the UAC bypass attempt, but in exchange we may get a few alerts (FPs) when they are legitimately executed by the OS.

"Block ALL "autoelevate" system processes"

This option blocks ALL autoelevate system processes and may be particularly useful for companies or offices to mitigate new and unknown UAC bypass attempts that exploit "autoelevate" system processes (generally used in targeted attacks against companies). This option may generate alerts (FPs) depending on the PC usage, i.e. if the office PC is used to print\edit documents, read emails, open the web browser, open a few programs and such (doing the same routine every day), you may even get no alerts.

It would be nice if some of you could test these new options (mainly the first two) and share here if you get FPs.
 

Elvis

Here is a new v1.4 (pre-release) test44:


*** Please do not share the download link; we will delete it when we release the official v1.4 ***

So far this is what's new compared to the previous pre-release:

+ Fixed blocking of .cpl applets
+ Block execution of wscript\cscript.exe
+ Improved blocking of vbs\js\vbe\etc scripts
+ Block execution of .cpl applets outside System folder
+ Fixed some false positives

To install it, first uninstall the previous build, then reboot (not really needed but may help), and install the new build.
 

Elvis

Here is a new v1.4 (pre-release) test45:


*** Please do not share the download link; we will delete it when we release the official v1.4 ***

So far this is what's new compared to the previous pre-release:

+ Improved Block suspicious command-lines
+ Show process username/domain and integrity level on the log file of blocked processes
+ Improved Block execution of syskey.exe\cipher.exe
+ Improved Block execution of .vbs\.vbe\.js\.jse\etc scripts
+ Improved Block execution of .hta scripts
+ Improved Block suspicious processes
+ Improved rules related to blocking UAC-bypass behaviors
+ Fixed some false positives

To install it, first uninstall the previous build, then reboot (not really needed but may help), and install the new build.
 

Ircus

Here is a new v1.4 (pre-release) test46:


*** Please do not share the download link; we will delete it when we release the official v1.4 ***

So far this is what's new compared to the previous pre-release:

+ Improved Block suspicious processes
+ Improved Block suspicious command-lines
+ Improved Block execution of .hta scripts (2)
+ Fixed some false positives

To install it, first uninstall the previous build, then reboot (not really needed but may help), and install the new build.
 