NoVirusThanks OSArmor: An Additional Layer of Defense

Discussion in 'other anti-malware software' started by novirusthanks, Dec 17, 2017.

  1. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    10,392
    Location:
    Among the gum trees
    Thank you, @novirusthanks . :)
     
  2. Tarnak

    Tarnak Registered Member

    Joined:
    Feb 5, 2007
    Posts:
    5,404
    Just got this a short time ago:

    Date/Time: 11/2/2023 4:19:32 AM
    Process: [25380]C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
    Process Size: 2.45 MB (2,569,688 bytes)
    Process MD5 Hash: CC2A6C4D0A1DCEF67EB64AEB8806B537
    Parent: [7136]C:\Windows\System32\sdiagnhost.exe
    Parent Process Size: 39.5 KB (40,448 bytes)
    Rule: AntiExploitProtectSpecificSystemProcesses
    Rule Name: Protect specific system processes with anti-exploit module
    Command Line: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Krisone\AppData\Local\Temp\gonwzynr.cmdline"
    Signer: Microsoft Corporation
    Parent Signer: <NULL>
    User/Domain: Krisone/LAPTOP-GSOXXXX
    System File: True
    Parent System File: True
    Integrity Level: Medium
    Parent Integrity Level: Medium

    Date/Time: 11/2/2023 4:19:30 AM
    Process: [2968]C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
    Process Size: 2.45 MB (2,569,688 bytes)
    Process MD5 Hash: CC2A6C4D0A1DCEF67EB64AEB8806B537
    Parent: [7136]C:\Windows\System32\sdiagnhost.exe
    Parent Process Size: 39.5 KB (40,448 bytes)
    Rule: AntiExploitProtectSpecificSystemProcesses
    Rule Name: Protect specific system processes with anti-exploit module
    Command Line: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Krisone\AppData\Local\Temp\wuy2isxv.cmdline"
    Signer: Microsoft Corporation
    Parent Signer: <NULL>
    User/Domain: Krisone/LAPTOP-GSOOXXXX
    System File: True
    Parent System File: True
    Integrity Level: Medium
    Parent Integrity Level: Medium

    Date/Time: 11/2/2023 4:19:13 AM
    Process: [15356]C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
    Process Size: 2.45 MB (2,569,688 bytes)
    Process MD5 Hash: CC2A6C4D0A1DCEF67EB64AEB8806B537
    Parent: [7136]C:\Windows\System32\sdiagnhost.exe
    Parent Process Size: 39.5 KB (40,448 bytes)
    Rule: AntiExploitProtectSpecificSystemProcesses
    Rule Name: Protect specific system processes with anti-exploit module
    Command Line: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Krisone\AppData\Local\Temp\vxhl5upo.cmdline"
    Signer: Microsoft Corporation
    Parent Signer: <NULL>
    User/Domain: Krisone/LAPTOP-GSOOXXXX
    System File: True
    Parent System File: True
    Integrity Level: Medium
    Parent Integrity Level: Medium

    Date/Time: 11/2/2023 4:19:11 AM
    Process: [21400]C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
    Process Size: 2.45 MB (2,569,688 bytes)
    Process MD5 Hash: CC2A6C4D0A1DCEF67EB64AEB8806B537
    Parent: [7136]C:\Windows\System32\sdiagnhost.exe
    Parent Process Size: 39.5 KB (40,448 bytes)
    Rule: AntiExploitProtectSpecificSystemProcesses
    Rule Name: Protect specific system processes with anti-exploit module
    Command Line: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Krisone\AppData\Local\Temp\m3sqq13t.cmdline"
    Signer: Microsoft Corporation
    Parent Signer: <NULL>
    User/Domain: Krisone/LAPTOP-GSOOXXXX
    System File: True
    Parent System File: True
    Integrity Level: Medium
    Parent Integrity Level: Medium

    Date/Time: 11/2/2023 4:19:09 AM
    Process: [11328]C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
    Process Size: 2.45 MB (2,569,688 bytes)
    Process MD5 Hash: CC2A6C4D0A1DCEF67EB64AEB8806B537
    Parent: [7136]C:\Windows\System32\sdiagnhost.exe
    Parent Process Size: 39.5 KB (40,448 bytes)
    Rule: AntiExploitProtectSpecificSystemProcesses
    Rule Name: Protect specific system processes with anti-exploit module
    Command Line: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Krisone\AppData\Local\Temp\qq01nz35.cmdline"
    Signer: Microsoft Corporation
    Parent Signer: <NULL>
    User/Domain: Krisone/LAPTOP-GSOOXXXX
    System File: True
    Parent System File: True
    Integrity Level: Medium
    Parent Integrity Level: Medium
     
  3. novirusthanks

    novirusthanks Developer

    Joined:
    Nov 5, 2010
    Posts:
    1,363
    Location:
    Italy
    We have released OSArmor v1.8.8:
    https://www.osarmor.com/download/

    Here is the changelog:

    If you have automatic updates enabled then OSArmor should auto-update in the next few hours.

    Else you can install it "over-the-top" of the installed version; a reboot is not needed.

    If you find false positives or issues please let me know.

    @Tarnak

    Thanks for reporting them.
     
  4. Tarnak

    Tarnak Registered Member

    Joined:
    Feb 5, 2007
    Posts:
    5,404
    You're welcome. :thumb: BTW, I couldn't wait for the auto-update to come through, so I downloaded from the link and installed. The new v1.8.8.0 is running and no problems.
     
  5. Buddel

    Buddel Registered Member

    Joined:
    Apr 28, 2015
    Posts:
    2,003
    Thanks very much for the update. Got it via internal updater a couple of minutes ago. :thumb:
     
  6. busy

    busy Registered Member

    Joined:
    Apr 10, 2006
    Posts:
    479
    I got this warning while Macrium Reflect was building WinPE. (With the Automatically unlock BitLocker Volumes setting selected)

    Code:
    Process: [pid]C:\Windows\System32\manage-bde.exe
    Process Size: 222 KB (227.328 bytes)
    Process MD5 Hash: 84021D418863A3E530D2E3F65F5D154C
    Parent: [pid]C:\Program Files\Macrium\Reflect\RMBuilder.exe
    Parent Process Size: 35,16 MB (36.867.568 bytes)
    Rule: BlockSuspiciousCmdlines
    Rule Name: Block execution of suspicious command-line strings
    Command Line: manage-bde -protectors -add \\?\Volume{GUID}\ -RecoveryKey C:\ProgramData\Macrium\Reflect\\BitLocker\\\
    Signer: <NULL>
    Parent Signer: PARAMOUNT SOFTWARE UK LIMITED
    User/Domain: user/DOMAIN
    System File: True
    Parent System File: False
    Integrity Level: High
    Parent Integrity Level: High
     
  7. novirusthanks

    novirusthanks Developer

    Joined:
    Nov 5, 2010
    Posts:
    1,363
    Location:
    Italy
    @busy

    Thanks for sharing it, will be fixed on the next test build.

    Meanwhile you can use this exclusion rule:

    Code:
    [%PROCESS%: C:\Windows\System32\manage-bde.exe] [%PARENTPROCESS%: C:\Program Files\Macrium\Reflect\RMBuilder.exe] [%PARENTSIGNER%: PARAMOUNT SOFTWARE UK LIMITED] [%PROCESSCMDLINE%: manage-bde -protectors -add \\?\Volume*\ -RecoveryKey C:\ProgramData\Macrium\Reflect\*]
    
    @Buddel

    Have not added the feature to open the .db files with the default app used to open them (instead of using the built-in Notepad as is done now) because some users may not have configured a default app for that purpose.

    Will probably discuss whether an option like "Use Notepad++ to open OSArmor .db files" can be added; will keep you updated in case it is added.
     
  8. Buddel

    Buddel Registered Member

    Joined:
    Apr 28, 2015
    Posts:
    2,003
    Adding an option like the one you mentioned above would be great, but I still think users should be able to use their default apps for opening .db files. Anyway, looking forward to hearing from you. :)
     
  9. novirusthanks

    novirusthanks Developer

    Joined:
    Nov 5, 2010
    Posts:
    1,363
    Location:
    Italy
    New version v1.8.9 should have a new more modern UI, here is a preview:

    light.png


    And dark theme (that can be selected also if you are not using Windows Dark mode):

    dark.png

    A test build should be ready in a few days.
     
  10. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    10,392
    Location:
    Among the gum trees
    It looks good.

    One suggestion: Can we get the Test Build number somewhere on the GUI?

    Thanks.
     
  11. Antarctica

    Antarctica Registered Member

    Joined:
    Feb 25, 2003
    Posts:
    2,217
    Location:
    Canada
    Looks very good Andrea. Looking forward to testing it. :)
     
  12. novirusthanks

    novirusthanks Developer

    Joined:
    Nov 5, 2010
    Posts:
    1,363
    Location:
    Italy
    Here is a pre-release test 1 version of OSArmor PERSONAL v1.8.9:

    Code:
    https://downloads.osarmor.com/osa-1-8-9-personal-test1.exe
    
    + Fixed all reported false positives
    + Updated main UI with a more modern style
    + Minor improvements

    If you find issues or FPs please let me know.

    Here is a screenshot of the new UI (light and dark):

    light.png

    Alert dialog (light and dark):

    alert-light.png

    To change the UI settings click on the top-right gear icon:

    light-ui-settings.png

    Let me know your thoughts :)

    @Krusty

    Will add it on the changelog on the next build.

    @busy

    Alert about Macrium Reflect is fixed now.
     
  13. Tarnak

    Tarnak Registered Member

    Joined:
    Feb 5, 2007
    Posts:
    5,404
    Just installed... Looks good...:thumb:

    OSArmor_Test 1_v1.8.9.0_01.JPG
     
  14. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    10,392
    Location:
    Among the gum trees
    Installed and running fine here so far.
    Nice! Thank you. :thumb:
     
  15. Baldrick

    Baldrick Registered Member

    Joined:
    May 11, 2002
    Posts:
    2,690
    Location:
    South Wales, UK
    Have just installed the preview and the new UI is a real improvement... congratulations, nice one. Now testing. :thumb:
     
  16. Antarctica

    Antarctica Registered Member

    Joined:
    Feb 25, 2003
    Posts:
    2,217
    Location:
    Canada
    Just installed and running fine so far. Nice job :)
     
  17. n8chavez

    n8chavez Registered Member

    Joined:
    Jul 19, 2003
    Posts:
    3,626
    Location:
    Location Unknown
    I would have preferred an actual black theme, one that matches the popup notification, as opposed to the blue-ish gray one. Other than that, it seems to be running fine. No issues to report yet.
     
  18. novirusthanks

    novirusthanks Developer

    Joined:
    Nov 5, 2010
    Posts:
    1,363
    Location:
    Italy
    Thanks for the feedback everyone!

    Here is a pre-release test 2 version of OSArmor PERSONAL v1.8.9:

    Code:
    https://downloads.osarmor.com/osa-1-8-9-personal-test2.exe
    
    Some small fixes to the UI and other minor improvements.

    If you find issues or FPs please let me know.
     
  19. Dragon1952

    Dragon1952 Registered Member

    Joined:
    Sep 16, 2012
    Posts:
    2,494
    Location:
    Hollow Earth - Telos
    Date/Time: 11/9/2023 11:03:19 PM
    Process: [22076]C:\Windows\SysWOW64\cmd.exe
    Process Size: 231 KB (236,544 bytes)
    Process MD5 Hash: 55A23673E8B0BC408FA13FC1E01652EB
    Parent: [21304]C:\Windows\SysWOW64\cmd.exe
    Parent Process Size: 231 KB (236,544 bytes)
    Rule: BlockCmdExeExecution
    Rule Name: Block execution of Windows Command Prompt (cmd.exe)
    Command Line: C:\Windows\system32\cmd.exe /S /D /c" echo "C:\Program Files (x86)\Google\GoogleUpdater\120.0.6077.0" "
    Signer: <NULL>
    Parent Signer: <NULL>
    User/Domain: SYSTEM/NT AUTHORITY
    System File: True
    Parent System File: True
    Integrity Level: System
    Parent Integrity Level: System
     
  20. busy

    busy Registered Member

    Joined:
    Apr 10, 2006
    Posts:
    479
  21. novirusthanks

    novirusthanks Developer

    Joined:
    Nov 5, 2010
    Posts:
    1,363
    Location:
    Italy
    Here is a pre-release test 3 version of OSArmor PERSONAL v1.8.9:

    Code:
    https://downloads.osarmor.com/osa-1-8-9-personal-test3.exe
    
    Some small fixes to the UI and other minor improvements.

    If you find issues or FPs please let me know.

    @Dragon1952 @busy

    Fixed, thanks for reporting.
     
  22. busy

    busy Registered Member

    Joined:
    Apr 10, 2006
    Posts:
    479
    It would be nice if the passive logging functionality could be set per protection/rule. This would make it possible to test new protections/rules for a long time without disabling other protections/rules.

    [%PROCESSFILEPATH%: C:\ExamplePath\*] [%PASSIVE%: True] [%RULENAME%: Block processes executed from C:\ExamplePath]
     
  23. novirusthanks

    novirusthanks Developer

    Joined:
    Nov 5, 2010
    Posts:
    1,363
    Location:
    Italy
    Here is a pre-release test 4 version of OSArmor PERSONAL v1.8.9:

    Code:
    https://downloads.osarmor.com/osa-1-8-9-personal-test4.exe
    
    + Added new variable [%PASSIVELOGGING%: True] on Custom Block rules
    + Save "Passive Logging: True/False" on log files

    If you find issues or FPs please let me know.

    @busy

    Let me know if it works as expected.

    Tried this test custom block rule:

    Code:
    [%PROCESS%: *\notepad++.exe] [%PASSIVELOGGING%: True] [%RULENAME%: Block Notepad++ (Passive Logging)]
    
    And it logged the event without blocking the process (see "Passive Logging: True"):

    Code:
    Date/Time: 11/11/2023 12:55:51 AM
    Process: [1756]C:\Program Files\Notepad++\notepad++.exe
    Process Size: 6.8 MB (7,128,408 bytes)
    Process MD5 Hash: FE341DC1732B4BA290E1C37766DD36DC
    Parent: [884]C:\Windows\explorer.exe
    Parent Process Size: 3.08 MB (3,229,696 bytes)
    Rule: CustomBlockRule
    Rule Name: Block Notepad++ (Passive Logging)
    Command Line: "C:\Program Files\Notepad++\notepad++.exe"
    Signer: Notepad++
    Parent Signer: <NULL>
    User/Domain: User/Domain
    System File: False
    Parent System File: True
    Integrity Level: Medium
    Parent Integrity Level: Medium
    Passive Logging: True
    
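    As an added illustration (not OSArmor's own code) of how the rule strings posted in this thread are evaluated, the evaluator below parses the `[%VAR%: value]` syntax and applies it to trimmed copies of two alerts from above: the Macrium manage-bde exclusion rule from post #7 and the Notepad++ passive-logging block rule from post #23. The matching semantics are assumptions: every clause must match its log field, `*` is the only wildcard, comparison is case-insensitive, and `[%PASSIVELOGGING%: True]` turns a block into a log-only event.

```python
import re
# Added example, not OSArmor's own code. Assumed semantics: each "[%VAR%: value]" clause
# must match its alert field, "*" is the only wildcard, matching is case-insensitive
# (Windows paths), and [%PASSIVELOGGING%: True] makes a matching block rule log only.
CLAUSE_RE = re.compile(r"\[%(\w+)%:\s*(.*?)\]")
# Rule variables mapped to the field names used in OSArmor alert/log entries (assumed).
FIELD_FOR = {"PROCESS": "Process", "PROCESSFILEPATH": "Process",
             "PARENTPROCESS": "Parent", "PARENTSIGNER": "Parent Signer",
             "SIGNER": "Signer", "PROCESSCMDLINE": "Command Line"}

def parse_rule(rule):
    return {var.upper(): val for var, val in CLAUSE_RE.findall(rule)}

def parse_event(text):
    """Parse a 'Key: value' alert block; drops the [pid] prefix from process paths."""
    ev = {}
    for line in text.strip().splitlines():
        key, _, val = line.partition(":")
        ev[key.strip()] = re.sub(r"^\[[^\]]*\]", "", val.strip())
    return ev

def glob_match(pattern, value):
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, value, re.IGNORECASE) is not None

def rule_matches(rule, ev):
    conds = {v: p for v, p in rule.items() if v in FIELD_FOR}  # RULENAME etc. are not conditions
    return bool(conds) and all(
        glob_match(p, ev.get(FIELD_FOR[v], "")) for v, p in conds.items())

def decide(rule_text, ev, exclusion=False):
    """'no-match', else 'excluded' (exclusion rule), 'log-only' (passive) or 'block'."""
    rule = parse_rule(rule_text)
    if not rule_matches(rule, ev):
        return "no-match"
    if exclusion:
        return "excluded"
    return "log-only" if rule.get("PASSIVELOGGING", "").lower() == "true" else "block"

# Rules and (trimmed) alerts copied from the posts above.
MACRIUM_EXCLUSION = r"[%PROCESS%: C:\Windows\System32\manage-bde.exe] [%PARENTPROCESS%: C:\Program Files\Macrium\Reflect\RMBuilder.exe] [%PARENTSIGNER%: PARAMOUNT SOFTWARE UK LIMITED] [%PROCESSCMDLINE%: manage-bde -protectors -add \\?\Volume*\ -RecoveryKey C:\ProgramData\Macrium\Reflect\*]"
PASSIVE_RULE = r"[%PROCESS%: *\notepad++.exe] [%PASSIVELOGGING%: True] [%RULENAME%: Block Notepad++ (Passive Logging)]"
MACRIUM_EVENT = parse_event(r"""
Process: [pid]C:\Windows\System32\manage-bde.exe
Parent: [pid]C:\Program Files\Macrium\Reflect\RMBuilder.exe
Command Line: manage-bde -protectors -add \\?\Volume{GUID}\ -RecoveryKey C:\ProgramData\Macrium\Reflect\\BitLocker\\\
Parent Signer: PARAMOUNT SOFTWARE UK LIMITED
""")
NOTEPAD_EVENT = parse_event(r"Process: [1756]C:\Program Files\Notepad++\notepad++.exe")
```

    Running `decide(PASSIVE_RULE, NOTEPAD_EVENT)` gives `log-only`, matching the "Passive Logging: True" entry above, while the same rule without the passive variable would return `block`.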
     
  24. n8chavez

    n8chavez Registered Member

    Joined:
    Jul 19, 2003
    Posts:
    3,626
    Location:
    Location Unknown
    Can you add an "Always ignore" function? Currently, there is an ignore function in the blocked popup. But that block keeps repeating every time. I understand why, and it's working as intended, but it would be nice to not see that popup every time. An always ignore function would allow for this.
     
  25. busy

    busy Registered Member

    Joined:
    Apr 10, 2006
    Posts:
    479