
Custom Block Rules

With OSArmor you can write custom block rules to block specific process behaviors.
By using simple variables such as %PROCESS% you can match many process fields, including the process path, parent
process, command line, signer, MD5 hash, process integrity level, and much more.
This lets you build precise rules to block new malicious processes (LOLBins, etc.)
or any process you don't want to allow on your system.

; Block processes located in C:\Example\* and subfolders
[%PROCESS%: C:\Example\*]

; Block processes located in C:\Example\ but not in subfolders
[%PROCESSFILEPATH%: C:\Example\]

; Block processes named test.exe and also test123.exe
[%PROCESSFILENAME%: test*.exe]

; Only log the event without blocking the process (passive logging)
[%PROCESSFILENAME%: test*.exe] [%PASSIVELOGGING%: True]

; Block execution of unsigned MSI installers
[%MSISIGNER%: <NULL>]

; Block execution of MSI installers located in Desktop folder
[%MSIFILE%: C:\Users\*\Desktop\*.msi]

; Block abc123.exe and assign a name to the rule
[%PROCESSFILENAME%: abc123.exe] [%RULENAME%: Block process abc123.exe]

; Block command-lines that contain */testing*
[%PROCESSCMDLINE%: */testing*]

; Block unsigned processes executed with System privilege (Windows services)
[%SIGNER%: <NULL>] [%PROCESSINTEGRITY%: System]

; Block processes that request Admin (High) privilege located in Desktop folder
[%PROCESS%: C:\Users\*\Desktop\*] [%PROCESSINTEGRITY%: High]

; Block unsigned processes that require Admin (High) privilege
[%SIGNER%: <NULL>] [%PROCESSINTEGRITY%: High]

; Prevent cmd.exe (parent process) from executing notepad.exe (child process)
[%PARENTPROCESS%: *\cmd.exe] [%PROCESS%: *\notepad.exe]

; Block unsigned processes executed from Desktop folder
[%PROCESS%: C:\Users\*\Desktop\*] [%SIGNER%: <NULL>]

; Block processes using regular expressions (PCRE) -> abc123.exe
[REGEX:%PROCESSFILENAME%: ^abc[0-9]*\.exe]

; Block processes located in C:\Test\* executed by user John
[%PROCESS%: C:\Test\*] [%USER%: John]

; Block processes that match a MD5 hash
[%PROCESSMD5HASH%: 16E6C0412562419ADB462CA9018262F1]

; Block processes signed by Company Name LLC
[%SIGNER%: Company Name LLC]

Variables you can use in a rule, with example values:

%RULENAME%         : Assign a name to your rule
%PROCESS%          : C:\WINDOWS\system32\notepad.exe
%PROCESSMD5HASH%   : 16E6C0412562419ADB462CA9018262F1
%PROCESSFILENAME%  : notepad.exe
%PROCESSFILEPATH%  : C:\WINDOWS\system32\
%PROCESSCMDLINE%   : "C:\WINDOWS\system32\notepad.exe" /testing
%SIGNER%           : <NULL>
%SYSTEMFILE%       : True
%PROCESSINTEGRITY% : Medium
%USER%             : John
%DOMAIN%           : DESKTOP-ROH2DAZ
%PARENTPROCESS%    : C:\Windows\explorer.exe
%PARENTMD5HASH%    : 23E6C0412562419ADB462CA9018262F2
%PARENTFILENAME%   : explorer.exe
%PARENTFILEPATH%   : C:\Windows\
%PARENTSIGNER%     : Microsoft Windows
%PARENTSYSTEMFILE% : True
%PARENTINTEGRITY%  : Medium
%MSIFILE%          : C:\Users\Admin\Desktop\winzip25-installer.msi
%MSISIGNER%        : Corel Corporation
%PASSIVELOGGING%   : True

You can use the variable %RULENAME% to assign a name to your rule.
It will be displayed in the notification window when the process is blocked and will be present in
the event written to the Windows Event Viewer. This is useful to know which
custom block rule blocked the process.

%PROCESSINTEGRITY% and %PARENTINTEGRITY% can be one of the following:
Untrusted, Low, Medium, Medium Plus, High, System, Protected, Unknown.

%SYSTEMFILE% and %PARENTSYSTEMFILE% (BOOL type) can be False or True.

To match an unsigned process or parent process just use <NULL>, for example [%SIGNER%: <NULL>]
or [%PARENTSIGNER%: <NULL>].

%PASSIVELOGGING% can be used to only log the event without blocking the process:
[%PROCESS%: *\something.exe] [%PASSIVELOGGING%: True]
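To make the rule syntax above concrete, here is a small evaluator for it (an added example, not OSArmor's own code). It assumes semantics the documentation does not spell out: matching is case-insensitive, `*` is the only wildcard, `<NULL>` matches an empty or absent field, and the first rule whose clauses all match wins; the rules and process event it runs on are constructed.

```python
import re

# Added example, not OSArmor's code: a small evaluator for the rule syntax
# above. Assumed semantics (not stated in the docs): case-insensitive matching,
# '*' as the only wildcard, <NULL> = empty field, first matching rule wins.
CLAUSE = re.compile(r"\[(REGEX:)?%([A-Z]+)%:\s*(.*?)\](?=\s*\[|\s*$)")
MODIFIERS = {"RULENAME", "PASSIVELOGGING"}  # clauses that are not match fields

def parse_rule(line):
    """-> ([(field, is_regex, pattern), ...], {modifier: value})"""
    conds, mods = [], {}
    for is_regex, field, pattern in CLAUSE.findall(line):
        if field in MODIFIERS:
            mods[field] = pattern
        else:
            conds.append((field, bool(is_regex), pattern))
    return conds, mods

def matches(value, is_regex, pattern):
    """Test one event field against a glob (*) or PCRE-style pattern."""
    if pattern == "<NULL>":
        return not value                     # unsigned / absent field
    if value is None:
        return False
    if is_regex:
        return re.search(pattern, value, re.IGNORECASE) is not None
    glob = "".join(".*" if c == "*" else re.escape(c) for c in pattern)
    return re.fullmatch(glob, value, re.IGNORECASE) is not None

def evaluate(rules, event):
    """First rule whose clauses all match -> {'rule','name','action'}, else None."""
    for line in rules:
        if not line.strip() or line.lstrip().startswith(";"):
            continue                         # skip blank lines and ; comments
        conds, mods = parse_rule(line)
        if conds and all(matches(event.get(f), r, p) for f, r, p in conds):
            # %PASSIVELOGGING%: True only logs the event instead of blocking
            passive = mods.get("PASSIVELOGGING", "").lower() == "true"
            return {"rule": line, "name": mods.get("RULENAME", ""),
                    "action": "log" if passive else "block"}
    return None

# Constructed sample rules and process event (not real telemetry).
RULES = [
    r"[%PARENTPROCESS%: *\cmd.exe] [%PROCESS%: *\notepad.exe] [%RULENAME%: cmd->notepad]",
    r"[%SIGNER%: <NULL>] [%PROCESSINTEGRITY%: High]",
    r"[REGEX:%PROCESSFILENAME%: ^abc[0-9]*\.exe]",
    r"[%PROCESSFILENAME%: test*.exe] [%PASSIVELOGGING%: True]",
]
EVENT_NOTEPAD = {"PROCESS": r"C:\Windows\System32\notepad.exe", "PROCESSFILENAME": "notepad.exe",
                 "PARENTPROCESS": r"C:\Windows\System32\cmd.exe", "PROCESSINTEGRITY": "Medium"}
```

Calling `evaluate(RULES, EVENT_NOTEPAD)` returns the first rule with action `block` and name `cmd->notepad`; an unsigned process at High integrity hits the second rule, and a `test*.exe` process is only logged.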
