NoVirusThanks OSArmor: An Additional Layer of Defense

Discussion in 'other anti-malware software' started by novirusthanks, Dec 17, 2017.

  1. novirusthanks

    novirusthanks Developer

    Joined:
    Nov 5, 2010
    Posts:
    1,361
    Location:
    Italy
    @busy

    Great, thanks for confirming.

    @n8chavez

    If you click the "Ignore" button on the alert window then you should not get other alerts about that process.

    What is the process being blocked?

    You can check ignored notifications from the Configurator on Settings -> Notifications:

    manage-ignored-notifications.png
     
  2. novirusthanks

    novirusthanks Developer

    Joined:
    Nov 5, 2010
    Posts:
    1,361
    Location:
    Italy
    Here is a pre-release test 5 version of OSArmor PERSONAL v1.8.9:

    Code:
    https://downloads.osarmor.com/osa-1-8-9-personal-test5.exe
    
    + Improved internal rules to detect suspicious behaviors
    + Some internal improvements.

    If you find issues or FPs please let me know.
     
  3. Antarctica

    Antarctica Registered Member

    Joined:
    Feb 25, 2003
    Posts:
    2,195
    Location:
    Canada
    Installed this morning without any problem, as usual :) Will test it and report if I find anything...
     
  4. novirusthanks

    novirusthanks Developer

    Joined:
    Nov 5, 2010
    Posts:
    1,361
    Location:
    Italy
    We have released OSArmor v1.8.9:
    https://www.osarmor.com/download/

    Here is the changelog:

    If you have automatic updates enabled then OSArmor should auto-update in the next hours.

    Else you can install it "over-the-top" of the installed version, reboot is not needed.

    If you used test builds you need to install this final release "over-the-top".

    If you find false positives or issues please let me know.
     
  5. Antarctica

    Antarctica Registered Member

    Joined:
    Feb 25, 2003
    Posts:
    2,195
    Location:
    Canada
    Thank you Andrea, I like the new look very much :thumb:
     
  6. Buddel

    Buddel Registered Member

    Joined:
    Apr 28, 2015
    Posts:
    1,988
    Thank you very much for the new version. I also like the new look very much. Now I'm waiting for the next SysHardener update. :D
     
  7. Buddel

    Buddel Registered Member

    Joined:
    Apr 28, 2015
    Posts:
    1,988
    OSA currently shows two blocked processes on the main UI. How do I reset the counter to zero?
     
  8. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    10,331
    Location:
    Among the gum trees
    Sadly, my old nemesis has returned. Tried checking for updates from within MailWasher .187 (a work-around build for an issue they are having) and I got this:

    Date/Time: 14/11/2023 9:04:25 AM
    Process: [12192]C:\Users\David\AppData\Roaming\Firetrust\MailWasher\updater.exe
    Process Size: 1.1 MB (1,156,608 bytes)
    Process MD5 Hash: 09F26574ED73CA2DEA47B81D3D57E04F
    Parent: [9932]C:\Program Files (x86)\Firetrust\MailWasher\MailWasher.exe
    Parent Process Size: 6.93 MB (7,270,400 bytes)
    Rule: BlockUnsignedProcessesAppDataRoaming
    Rule Name: Block execution of unsigned processes on Roaming AppData
    Command Line: "C:\Users\David\AppData\Roaming\Firetrust\MailWasher\updater.exe" /checknow
    Signer: <NULL>
    Parent Signer: <NULL>
    User/Domain: David/DAVID-HP
    System File: False
    Parent System File: False
    Integrity Level: Medium
    Parent Integrity Level: Medium
    Passive Logging: False

    The previous exclusions are still in place, so I'm running out of ideas.
     
  9. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    10,331
    Location:
    Among the gum trees
    And now with their new release:

    Date/Time: 14/11/2023 9:26:47 AM
    Process: [11020]C:\Users\David\AppData\Roaming\Firetrust\MailWasher\updater.exe
    Process Size: 1.1 MB (1,156,608 bytes)
    Process MD5 Hash: 09F26574ED73CA2DEA47B81D3D57E04F
    Parent: [4260]C:\Program Files (x86)\Firetrust\MailWasher\MailWasher.exe
    Parent Process Size: 6.93 MB (7,270,400 bytes)
    Rule: BlockUnsignedProcessesAppDataRoaming
    Rule Name: Block execution of unsigned processes on Roaming AppData
    Command Line: "C:\Users\David\AppData\Roaming\Firetrust\MailWasher\updater.exe" /checknow
    Signer: <NULL>
    Parent Signer: <NULL>
    User/Domain: David/DAVID-HP
    System File: False
    Parent System File: False
    Integrity Level: High
    Parent Integrity Level: High
    Passive Logging: False
     
  10. Buddel

    Buddel Registered Member

    Joined:
    Apr 28, 2015
    Posts:
    1,988
    @Krusty
    What happens if you add [%PROCESS%: C:\Users\David\AppData\Roaming\Firetrust\MailWasher\updater.exe] to exclusions?
     
  11. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    10,331
    Location:
    Among the gum trees
    I'm going to have to uninstall MW as there is a new updater.exe that is digitally signed. I tried uninstalling before but chose to keep my data and the new install did not overwrite the old updater.exe.

    Just running an MR backup first as I have run into some weirdness the last few days with MailWasher.
     
  12. Dragon1952

    Dragon1952 Registered Member

    Joined:
    Sep 16, 2012
    Posts:
    2,490
    Location:
    Hollow Earth - Telos
    Date/Time: 11/13/2023 5:41:27 PM
    Process: [9200]C:\Windows\SysWOW64\cmd.exe
    Process Size: 231 KB (236,544 bytes)
    Process MD5 Hash: 55A23673E8B0BC408FA13FC1E01652EB
    Parent: [11240]C:\Windows\SysWOW64\cmd.exe
    Parent Process Size: 231 KB (236,544 bytes)
    Rule: BlockCmdExeExecution
    Rule Name: Block execution of Windows Command Prompt (cmd.exe)
    Command Line: C:\Windows\system32\cmd.exe /S /D /c" echo "C:\Program Files (x86)\Google\GoogleUpdater\121.0.6102.0" "
    Signer: <NULL>
    Parent Signer: <NULL>
    User/Domain: SYSTEM/NT AUTHORITY
    System File: True
    Parent System File: True
    Integrity Level: System
    Parent Integrity Level: System
    Passive Logging: False
     
  13. novirusthanks

    novirusthanks Developer

    Joined:
    Nov 5, 2010
    Posts:
    1,361
    Location:
    Italy
    @Antarctica @Buddel

    Thanks for the feedback!

    Will add a link to reset the counter in the next build.

    @Dragon1952

    That FP was fixed in a previous test build and also on final v1.8.9

    Can you confirm you got that alert in the latest released v1.8.9?

    Thank you.
     
  14. Dragon1952

    Dragon1952 Registered Member

    Joined:
    Sep 16, 2012
    Posts:
    2,490
    Location:
    Hollow Earth - Telos
    When I got the alert I looked at the GUI and I was on 1.8.9. We will see if it happens again.
     
  15. Buddel

    Buddel Registered Member

    Joined:
    Apr 28, 2015
    Posts:
    1,988
    Thank you, Andreas.:thumb:
     
  16. busy

    busy Registered Member

    Joined:
    Apr 10, 2006
    Posts:
    452
    @novirusthanks

    I got this warning while ProtonVPN (3.2.6->3.2.7) was updating.

    ProtonVPN_v3.2.7.tmp (unins000.exe) has a valid signature. [MD5: D428D8807DF4B267B601AA1AE751F045]

    ProtonVPN_v3.2.7.exe has a valid signature. [MD5: BBAC0227B9EB01BCD8BC43F2F8B674BB]

    Code:
    Date/Time: 14.11.2023 12:12:12
    Process: [pid]C:\Windows\Temp\is-TU5S5.tmp\ProtonVPN_v3.2.7.tmp
    Process Size: 3,28 MB (3.435.864 bytes)
    Process MD5 Hash: D428D8807DF4B267B601AA1AE751F045
    Parent: [pid]C:\ProgramData\ProtonVPN\Updates\ProtonVPN_v3.2.7.exe
    Parent Process Size: 76,75 MB (80.475.920 bytes)
    Rule: BlockProcessesSignedWithInvalidCert
    Rule Name: Block processes signed with an invalid certificate
    Command Line: "C:\Windows\TEMP\is-TU5S5.tmp\ProtonVPN_v3.2.7.tmp" /SL5="$25000E7,89482657,2089537,C:\ProgramData\ProtonVPN\Updates\ProtonVPN_v3.2.7.exe" /VERYSILENT /SUPPRESSMSGBOXES
    Signer: <NULL>
    Parent Signer: <NULL>
    User/Domain: SYSTEM/NT AUTHORITY
    System File: False
    Parent System File: False
    Integrity Level: System
    Parent Integrity Level: System
    Passive Logging: False
     
  17. novirusthanks

    novirusthanks Developer

    Joined:
    Nov 5, 2010
    Posts:
    1,361
    Location:
    Italy
    @busy

    Interesting, I ran some tests:

    1) I downloaded ProtonVPN v3.2.7 from their website (MD5 BBAC0227B9EB01BCD8BC43F2F8B674BB) and disconnected the Inet

    2) I checked the file with signtool.exe and also via File Properties -> Digital Signature but it showed an error:

    file-properties.png

    code-sign-test.png

    uac-prompt.png

    3) I enabled Inet again and then I checked the file again with File Properties -> Digital Signature:

    after-inet.png

    code-sign-tool-2.png

    PS: Point 3 still showed a cert error on another W10 VM.

    Will run some additional tests and will update here asap.

    //EDIT:

    Added some more screenshots.
     
    Last edited: Nov 14, 2023
  18. n8chavez

    n8chavez Registered Member

    Joined:
    Jul 19, 2003
    Posts:
    3,536
    Location:
    Location Unknown
    I've been having problems getting Winget and sonarr to work without prompting me all the time. The below doesn't seem to work for sonarr exclusions because I still get prompted repeatedly; why, I don't know:

    [%PROCESS%: C:\ProgramData\Sonarr\bin\ffprobe.exe] [%PROCESSCMDLINE%: "C:\ProgramData\Sonarr\bin\ffprobe.exe" *] [%SIGNER%: <NULL>] [%PARENTPROCESS%: C:\ProgramData\Sonarr\bin\Sonarr.Console.exe] [%PARENTSIGNER%: <NULL>] [%PROCESSINTEGRITY%: System] [%PARENTINTEGRITY%: System]

    Same with winget and the below command line, where wildcards seem to have no value. That's odd because with winget everything is supposed to be signed.

    [%PROCESS%: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.21.2771.0_x64__8wekyb3d8bbwe\winget.exe] [%PROCESSCMDLINE%: "C:\Users\n8chavez\AppData\Local\Microsoft\WindowsApps\winget.exe" upgrade *] [%SIGNER%: <NULL>] [%PARENTPROCESS%: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe] [%PARENTSIGNER%: <NULL>] [%PROCESSINTEGRITY%: High] [%PARENTINTEGRITY%: High]

    I wish OSA had the ability to select a log entry and make an exclusion from it. That would prevent the user from having to be looking at their screen during the few seconds that the alert is present. Of course, doing that would require a rewrite of the logging system.
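As an added example (not OSArmor's own code, and not from any poster in this thread): a small Python script that parses alert blocks in the format pasted above and tests an exclusion line against them, reporting which token fails instead of only yes/no. The mapping from `%TOKEN%` names to alert lines, the case-insensitive comparison and the meaning of `*` as a wildcard are assumptions about how OSArmor evaluates exclusions; the MailWasher alert is copied from Krusty's post above, and the winget alert is constructed so that one token deliberately differs.

```python
import fnmatch
import re

# Assumed mapping from exclusion tokens to the lines of an alert block.
# The thread shows both formats side by side but does not document the mapping.
TOKEN_FIELDS = {
    "PROCESS": "Process",
    "PROCESSCMDLINE": "Command Line",
    "SIGNER": "Signer",
    "PARENTPROCESS": "Parent",
    "PARENTSIGNER": "Parent Signer",
    "PROCESSINTEGRITY": "Integrity Level",
    "PARENTINTEGRITY": "Parent Integrity Level",
}

PID_PREFIX = re.compile(r"^\[\d+\]")          # "[12192]C:\..." -> "C:\..."
TOKEN_RE = re.compile(r"\[%([A-Z]+)%:\s*([^\]]*)\]")


def parse_alert(text):
    """Turn a 'Key: Value' alert block into a dict; strips the [pid] prefix."""
    fields = {}
    for line in text.strip().splitlines():
        key, sep, value = line.partition(":")
        if not sep:
            continue
        key, value = key.strip(), value.strip()
        if key in ("Process", "Parent"):
            value = PID_PREFIX.sub("", value)
        fields[key] = value
    return fields


def parse_exclusion(rule):
    """Split '[%TOKEN%: value] [%TOKEN%: value]' into {TOKEN: pattern}."""
    return {name: value.strip() for name, value in TOKEN_RE.findall(rule)}


def token_matches(pattern, actual):
    """Assumption: comparison is case-insensitive and '*' matches any run of text."""
    return fnmatch.fnmatchcase(actual.lower(), pattern.lower())


def mismatches(alert, rule):
    """Return {TOKEN: (pattern, actual)} for every token that does not match.
    An empty dict means the exclusion would cover this alert."""
    failed = {}
    for token, pattern in parse_exclusion(rule).items():
        actual = alert.get(TOKEN_FIELDS.get(token, ""), "")
        if not token_matches(pattern, actual):
            failed[token] = (pattern, actual)
    return failed


def is_excluded(alert, rule):
    return not mismatches(alert, rule)


# Alert copied from Krusty's post in this thread (trimmed to the lines the tokens use).
ALERT_MAILWASHER = r"""
Date/Time: 14/11/2023 9:04:25 AM
Process: [12192]C:\Users\David\AppData\Roaming\Firetrust\MailWasher\updater.exe
Parent: [9932]C:\Program Files (x86)\Firetrust\MailWasher\MailWasher.exe
Rule: BlockUnsignedProcessesAppDataRoaming
Command Line: "C:\Users\David\AppData\Roaming\Firetrust\MailWasher\updater.exe" /checknow
Signer: <NULL>
Parent Signer: <NULL>
Integrity Level: Medium
Parent Integrity Level: Medium
"""
RULE_MAILWASHER = r"[%PROCESS%: C:\Users\David\AppData\Roaming\Firetrust\MailWasher\updater.exe]"

# Constructed alert: same tokens as the winget exclusion above, except that the
# Process path is the per-user alias rather than the WindowsApps package path.
ALERT_WINGET = r"""
Process: [4444]C:\Users\n8chavez\AppData\Local\Microsoft\WindowsApps\winget.exe
Parent: [2222]C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command Line: "C:\Users\n8chavez\AppData\Local\Microsoft\WindowsApps\winget.exe" upgrade --all
Signer: <NULL>
Parent Signer: <NULL>
Integrity Level: High
Parent Integrity Level: High
"""
RULE_WINGET = (
    r"[%PROCESS%: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.21.2771.0_x64__8wekyb3d8bbwe\winget.exe] "
    r'[%PROCESSCMDLINE%: "C:\Users\n8chavez\AppData\Local\Microsoft\WindowsApps\winget.exe" upgrade *] '
    r"[%SIGNER%: <NULL>] [%PARENTPROCESS%: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe] "
    r"[%PARENTSIGNER%: <NULL>] [%PROCESSINTEGRITY%: High] [%PARENTINTEGRITY%: High]"
)

if __name__ == "__main__":
    for name, alert, rule in (("MailWasher", ALERT_MAILWASHER, RULE_MAILWASHER),
                              ("winget", ALERT_WINGET, RULE_WINGET)):
        failed = mismatches(parse_alert(alert), rule)
        print(name, "excluded" if not failed else "NOT excluded")
        for token, (pattern, actual) in failed.items():
            print(f"  %{token}% expected {pattern!r} but alert shows {actual!r}")
```

Paste a blocked event's log block and the exclusion you wrote for it into the two constants and the script names the token whose actual value differs from the pattern. Every token in the exclusion must match for it to apply, so a single field that the alert reports differently (a path, a signer, an integrity level) is enough to keep the prompts coming.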
     
  19. novirusthanks

    novirusthanks Developer

    Joined:
    Nov 5, 2010
    Posts:
    1,361
    Location:
    Italy
    @n8chavez

    Can you share the log files of the blocked events?

    That is doable, we'll discuss something to better view last blocked events and exclude them with right-click -> Exclude.
     
  20. Tarnak

    Tarnak Registered Member

    Joined:
    Feb 5, 2007
    Posts:
    5,358
    @novirusthanks Unlike @busy, I got notification of an update for Proton VPN. However, I didn't get any warning by OSA. I just clicked on Restart > Continue.

    The update went without a hitch.

    ProtonVPN_auto update offered_01.JPG
     
  21. busy

    busy Registered Member

    Joined:
    Apr 10, 2006
    Posts:
    452
    @Tarnak
    Have you enabled the "Block processes signed with an invalid certificate" setting?
     
  22. Tarnak

    Tarnak Registered Member

    Joined:
    Feb 5, 2007
    Posts:
    5,358
    Apparently, yes.

    ProtonVPN_auto update offered_02.JPG
     
  23. busy

    busy Registered Member

    Joined:
    Apr 10, 2006
    Posts:
    452
    Interesting

    @novirusthanks

    On host machine: (Windows 10 Pro 22H2)
    ProtonVPN_v3.2.7.exe file opens from the C: drive root without warning.
    ProtonVPN_v3.2.7.exe file gives a warning when run under Program Files and Windows\Temp.
    ProtonVPN_v3.2.7.exe file opens without warning when run from other disks.

    On VM machine: (Windows 10 Pro 22H2) [Only OSArmor installed]
    ProtonVPN_v3.2.7.exe file gives a warning when run from any location.

    On VM machine: (Windows 11 Pro 22H2) [Only OSArmor installed]
    ProtonVPN_v3.2.7.exe file opens without warning when run from any location.

    Previous versions of ProtonVPN open without warning on all systems.

    On New (Reset+Cloud download) VM machine: (Windows 10 Pro 22H2) [Only OSArmor installed]
    ProtonVPN_v3.2.7.exe file gives a warning when run from any location.
     
  24. Tarnak

    Tarnak Registered Member

    Joined:
    Feb 5, 2007
    Posts:
    5,358
    Just updated my other laptop with Proton VPN. No problem there, too. However, I don't use/run VM's. I guess that was the difference.

    Proton VPN+new update_01.JPG

    Proton VPN+new update_01_01.JPG
     
    Last edited: Nov 15, 2023
  25. Tarnak

    Tarnak Registered Member

    Joined:
    Feb 5, 2007
    Posts:
    5,358
    See, easy-peasy...

    Proton VPN+new update_01_01_01.JPG
     