OSArmor: When Antivirus Isn’t Enough and You Still Want Control
Traditional AVs look for known threats. EDRs generate logs for security teams to sift through. But what if you just want to block shady behavior — like cmd.exe launching from a Word doc — without paying for a full-blown enterprise suite? That’s where OSArmor fits in.
It’s a lightweight behavioral blocker for Windows that focuses on preventing exploitation paths, not reacting after compromise. No cloud engine. No telemetry. No background noise. Just a tight set of rules, designed to say “no” when something obviously wrong tries to happen.
What It Watches For
| Trigger Type | What It Tries to Stop |
| --- | --- |
| LOLBins and scripting abuse | PowerShell, wscript, rundll32 launched in unsafe contexts |
| Office macro exploits | Blocks suspicious actions from Word/Excel-based payloads |
| Process injection attempts | Detects memory tampering and remote thread creation |
| Unusual parent-child chains | Flags uncommon process origins (e.g. PDF reader launching cmd) |
| Executables in temp folders | Stops payloads dropped in %TEMP% or %APPDATA% |
| Signed malware techniques | Flags abuse of signed-but-malicious binaries |
| Suspicious auto-starts | Monitors registry keys and scheduled tasks |
| Custom rules support | Admins can write their own JSON-based block rules |
Where It Belongs
OSArmor shines in environments like:
– Admin workstations with elevated privileges
– Jump boxes and bastion hosts exposed to external input
– IT-managed desktops where users have too much freedom
– SMB setups that can’t afford full EDR stacks
– Malware analysis VMs where controlled restrictions are helpful
It’s not meant for full network visibility — it lives on endpoints and acts fast when patterns go wrong.
Installation and Configuration
It runs on Windows 7 through 11 and is provided as a standalone installer by NoVirusThanks. Once installed, it runs as a system service with a companion tray UI for log review and quick toggles.
Rules can be edited as plaintext JSON, and profiles can be switched based on use case (e.g., strict mode for jump hosts, relaxed for dev environments). No driver installation required. Logs are stored locally.
Configuration is portable: it can be backed up, audited, or deployed via GPO.
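As an added illustration (not OSArmor's own code or rule format), the following shows the kind of parent-child and path-based evaluation behind the "unusual parent-child chains" and "executables in temp folders" rows above, driven by a small JSON rule set like the custom rules just mentioned. The rule schema, rule ids and process-creation events are constructed for the example; first matching rule wins, so an explicit allow placed first acts as the kind of tuning exception a noisy dev machine needs.

```python
"""Evaluate simplified behaviour-block rules against process-creation events.
Added illustration only: the rule schema is hypothetical, not OSArmor's own."""
import fnmatch
import json

# Constructed rule set; first matching rule wins, so explicit allows go first.
RULES_JSON = """
[
  {"id": "allow-build-agent", "parent": ["msbuild.exe"],
   "child": ["powershell.exe"], "action": "allow"},
  {"id": "office-spawns-shell", "parent": ["winword.exe", "excel.exe"],
   "child": ["cmd.exe", "powershell.exe", "wscript.exe"], "action": "block"},
  {"id": "pdf-reader-spawns-shell", "parent": ["acrord32.exe"],
   "child": ["cmd.exe", "powershell.exe"], "action": "block"},
  {"id": "exec-from-temp", "parent": ["*"], "child": ["*"],
   "child_path": ["*/temp/*", "*/appdata/roaming/*"], "action": "block"}
]
"""

CMD = r"C:\Windows\System32\cmd.exe"
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
EVENTS = [  # constructed (parent image, new image) pairs, Sysmon-style
    (r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE", CMD),
    (r"C:\Windows\explorer.exe", CMD),
    (r"C:\Windows\explorer.exe", r"C:\Users\alice\AppData\Local\Temp\update.exe"),
    (r"C:\Program Files\Adobe\Acrobat Reader\AcroRd32.exe", PS),
    (r"C:\Program Files\dotnet\MSBuild.exe", PS),
]

def _norm(path):  # lower-case, forward slashes: patterns ignore case/separators
    return path.lower().replace("\\", "/")

def _matches(value, patterns):
    return any(fnmatch.fnmatchcase(value, p.lower()) for p in patterns)

def evaluate(parent_image, image, rules):
    """Return (verdict, rule_id); verdict is 'block' or 'allow'."""
    parent = _norm(parent_image).rsplit("/", 1)[-1]
    child_path = _norm(image)
    child = child_path.rsplit("/", 1)[-1]
    for rule in rules:
        if not (_matches(parent, rule["parent"]) and _matches(child, rule["child"])):
            continue
        if "child_path" in rule and not _matches(child_path, rule["child_path"]):
            continue
        return rule["action"], rule["id"]  # first match wins
    return "allow", None  # default allow: only listed behaviours are denied

def run(events=EVENTS, rules_json=RULES_JSON):
    return [evaluate(p, c, json.loads(rules_json)) for p, c in events]
```

Running `run()` blocks the Word-to-cmd, PDF-reader-to-PowerShell and %TEMP% launches, allows the ordinary explorer.exe-to-cmd event, and lets the build agent through via the explicit allow rule.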
What It Gets Right
– Extremely low footprint — barely uses CPU/RAM
– Doesn’t rely on internet connection or signature updates
– Blocks many real-world threats before they start
– Transparent logging — see exactly what was blocked and why
– Easy to test and tune — false positives are manageable
– Can work alongside AV, EDR, or nothing at all
Known Limitations
– Not a full HIPS — no kernel-level hooks or integrity checking
– Rule-based — attackers with novel techniques may bypass
– Requires tuning in noisy environments (e.g. dev machines)
– UI is minimal — not built for centralized logging or fleet-wide control
– Some advanced features require the paid version (but the free version is solid)
Final Notes
OSArmor doesn’t try to replace antivirus — it hardens what’s already there. It’s not flashy, but it stops a surprising number of tricks that make it past AV. If you’re running critical systems on Windows and want to cut down on living-off-the-land exploitation and scripting nonsense, it’s worth deploying — quietly, in the background, doing its job.