This post was last edited by qftest on 2019-1-12 10:25.
ERP v4 is having a difficult birth: it has reached test30 and a release build still hasn't shipped. Some forum members asked me whether I could recommend similar software to stop rogue programs being installed silently, scripts being abused silently in the background, and system programs being used to do harm. The requirements: good compatibility + free + simple to operate + light and smooth + easy exclusions + ...
My answer at the time: how about OSArmor?
Monitor and block suspicious processes behaviors to prevent infections by malware, ransomware, and other threats. This security application analyzes parent processes and prevents, for example, MS Word from running cmd.exe or powershell.exe, it prevents ransomware from deleting shadow copies of files via vssadmin.exe, it blocks processes with double file extensions (i.e. invoice.pdf.exe), it blocks USB-spreading malware, and much more. It monitors commonly exploited processes (such as MS Office, Java, Web Browsers, Adobe PDF, Flash, etc) and blocks suspicious child processes, blocking the exploit payloads and thus preventing the malware infection.
———— NoVirusThanks
OSArmor (OSA from here on) adds an extra layer of protection to the system. It is a free, rule-based security helper, and unlike its sibling product ERP it ships with 500+ built-in rules to block malicious program behaviour and harden the system. Ordinary users hardly need to touch the default settings; as the author puts it, "You don't have to configure anything, just install it and forget about it." If you know your system environment very well, you can also tick the advanced rules or even add custom rules for stronger protection.
The OSA installer is 8 MB, and the main process plus the UI take only about forty-odd MB of RAM. Compatibility is good: it can run alongside most AVs such as EMSI/BD/NS/KIS/ESET, and in practice it also coexists happily with helpers like SSP/HMPA/SBIE. Even so, the OP habitually recommends excluding them from each other:
You should make sure that OSArmorDevSvc.exe, OSArmorDevUI.exe, OSArmorDevCfg.exe and OSArmorExcHlp.exe are allowed/excluded in the HIPS settings.
All OSArmor .EXE files are located in C:\Program Files\NoVirusThanks\OSArmorDevSvc\
(SHA256:B958CF6672436ABEB02BFD45B6E27091F7F285E77EF88FAC60DABDBD03DEBBC9)
Official download: https://www.novirusthanks.org/products/osarmor/
More discussion here:
https://www.wilderssecurity.com/ ... -of-defense.398859/
https://malwaretips.com/threads/novirusthanks-osarmor.78195/
Right-click "open configurator" in the main window or on the tray icon to enter the OSA settings.
1. Main Protections
With default settings enabled you gain a good additional layer of defense, it blocks VBS/JS/VBE/WSF scripts, MS Word/Excel/PowerPoint/etc exploit payloads, COM/PIF processes, and much more.
This way you drastically reduce the possibility of getting infected by ransomware, malware, trojans, etc spread via emails, scripts, maldocs, .pdf.exe, etc.
All of these are enabled by default; no changes needed, just keep the defaults.
2. Anti-Exploit
With the "Anti-Exploit" module, OSArmor protects a process by monitoring the child processes using smart internal rules, thus blocking the exploit payload.
All of these are enabled by default; no changes needed, just keep the defaults.
3. Advanced
By enabling some or most of the Advanced options (recommended only to experts) you can increase the protection layer.
For compatibility reasons only a handful of advanced rules are enabled by default; unless you know exactly what you are doing, keep the defaults.
4. Settings
The screenshot shows a few changes from the default settings.
Also, since the OP dislikes OSA's built-in alert sound, I swapped it for another one; you can replace it by overwriting C:\Program Files\NoVirusThanks\OSArmorDevSvc\loon.wav
5. Exclude (whitelist)
Whitelisting in OSA is simple: when something triggers an OSA rule during normal use and the alert pops up in the lower right corner, and you have confirmed it is a false positive, click the Exclude button to open the details view, then click Add to Exclusions.
OSA really does live up to "install it and forget it"; it is well suited to ordinary users who want an extra free layer of protection. Recommended!
Word is that v1.5 is in development and will bring auto-update; looking forward to it~
On real-world testing, the OSA author has this to say:
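To make the parent/child behaviour described in the NoVirusThanks blurb at the top of the post and the "Add to Exclusions" step concrete, here is a small rule engine written for this post. It is not OSArmor's code and does not reproduce its rules; the event format, rule names, process lists and sample events are all constructed for illustration. It implements three of the behaviours the blurb names (an exploited host such as MS Word launching cmd.exe or powershell.exe, vssadmin.exe deleting shadow copies, double file extensions) and a parent-to-child exclusion list that plays the role of the whitelist.

```python
import re
from dataclasses import dataclass
from typing import Callable, List, Optional, Set, Tuple


@dataclass
class ProcessEvent:
    """One process-creation event (constructed format, not OSArmor's)."""
    parent: str   # image path of the parent process
    image: str    # image path of the new child process
    cmdline: str  # command line of the child


@dataclass
class Rule:
    name: str
    matches: Callable[[ProcessEvent], bool]


def basename(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


# Hosts that commonly carry exploit payloads (document viewers, browsers, plugins).
EXPLOITED_HOSTS = {"winword.exe", "excel.exe", "powerpnt.exe", "acrord32.exe",
                   "iexplore.exe", "firefox.exe", "chrome.exe", "java.exe"}
# Interpreters and system tools such a host has no legitimate reason to spawn.
SUSPICIOUS_CHILDREN = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe",
                       "mshta.exe", "rundll32.exe", "regsvr32.exe"}
# A document-looking name followed by an executable extension, e.g. invoice.pdf.exe.
DOUBLE_EXT = re.compile(r"\.(pdf|docx?|xlsx?|jpe?g|png|txt)\.(exe|scr|com|pif)$", re.I)

RULES: List[Rule] = [
    Rule("exploited_host_spawns_interpreter",
         lambda e: basename(e.parent) in EXPLOITED_HOSTS
         and basename(e.image) in SUSPICIOUS_CHILDREN),
    Rule("vssadmin_shadow_copy_deletion",
         lambda e: basename(e.image) == "vssadmin.exe"
         and re.search(r"\bdelete\s+shadows\b", e.cmdline, re.I) is not None),
    Rule("double_file_extension",
         lambda e: DOUBLE_EXT.search(basename(e.image)) is not None),
]


class ProcessMonitor:
    """Evaluates events against the rules, honouring a parent/child exclusion list."""

    def __init__(self, rules: List[Rule] = RULES) -> None:
        self.rules = list(rules)
        self.exclusions: Set[Tuple[str, str]] = set()

    def add_exclusion(self, parent: str, image: str) -> None:
        # Mirrors the "Add to Exclusions" step: whitelist one parent -> child pair.
        self.exclusions.add((basename(parent), basename(image)))

    def evaluate(self, event: ProcessEvent) -> Optional[str]:
        """Return the name of the first matching rule, or None if the event is allowed."""
        if (basename(event.parent), basename(event.image)) in self.exclusions:
            return None
        for rule in self.rules:
            if rule.matches(event):
                return rule.name
        return None


# Constructed sample events; paths and command lines are illustrative only.
SAMPLE_EVENTS = [
    ProcessEvent(r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
                 r"C:\Windows\System32\cmd.exe", "cmd.exe /c echo macro"),
    ProcessEvent(r"C:\Windows\explorer.exe", r"C:\Windows\System32\vssadmin.exe",
                 "vssadmin.exe delete shadows /all"),
    ProcessEvent(r"C:\Windows\explorer.exe",
                 r"C:\Users\alice\Downloads\invoice.pdf.exe", "invoice.pdf.exe"),
    ProcessEvent(r"C:\Windows\explorer.exe", r"C:\Windows\System32\notepad.exe",
                 "notepad.exe report.txt"),
    # An in-house Excel reporting macro that legitimately runs a script host.
    ProcessEvent(r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
                 r"C:\Windows\System32\cscript.exe", "cscript.exe report.vbs"),
]


def run_demo() -> dict:
    """Evaluate the samples after whitelisting the known-good Excel -> cscript pair."""
    monitor = ProcessMonitor()
    monitor.add_exclusion("excel.exe", "cscript.exe")
    return {basename(e.image): monitor.evaluate(e) for e in SAMPLE_EVENTS}


if __name__ == "__main__":
    for image, verdict in run_demo().items():
        print(f"{image:18} -> {verdict or 'allowed'}")
```

Note that the exclusion is keyed on the parent/child pair rather than on the child alone: whitelisting Excel running cscript.exe for the reporting macro does not also whitelist Word running cscript.exe, which is the same narrowness you want when clicking Add to Exclusions on a real alert.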
This program does not block the ransomware when it is executed manually by double clicking the .exe file, it prevents the infection by a ransomware by blocking the payload of the exploit used to deliver the ransomware.
It works by preventing a malware or ransomware infection in a real-world scenario.
You should test it with real-world scenarios:
- Opening a malicious .DOC\.PDF\.XLS\etc. file used to exploit MSWord\MSExcel\PDF Reader\etc to drop\download and execute a payload (malware\ransomware\etc) in the system
- Visiting a malicious website that exploits a vulnerability (Java\Flash Player\PDF\etc) to download and execute a payload in the system
- And so on. Simply clicking on a .exe file or a .vbs file would not trigger any alert.
So if double-clicking a sample does not trigger an OSA block, don't jump to the conclusion that OSA has failed!
The OP originally wanted to finish this post with some real-world tests, but ran out of time; interested readers can watch the OSA author's test videos instead: https://www.youtube.com/user/novirusthanks/videos