NoVirusThanks OSArmor: An Additional Layer of Defense

Discussion in 'other anti-malware software' started by novirusthanks, Dec 17, 2017.

  1. Compu KTed

    Compu KTed Registered Member

    Joined:
    Dec 18, 2013
    Posts:
    1,411
    InstalledDriversList (Nirsoft) lists all device
    drivers that are currently installed on your Windows system.

    You are correct. Both OSA drivers are listed, are Kernel drivers
    and boot startup type.

    What's confusing is I thought ServiWin utility (another Nirsoft program)
    works similar in that it displays the list of "INSTALLED" drivers and services
    on your system. Like you, I don't see OSA system drivers listed.
     
  2. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    4,064
    Location:
    Canada
    My record has ended at eighteen straight days. This morning OSArmorDevSvc failed to start :(

    Now I wonder if it has anything to do with installing kb5000842 last night :thumbd:
     
  3. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,592
    Location:
    U.S.A.
    Actually, I also installed that Win Update yesterday prior to my power failure incident and subsequent OSA non-startup upon next cold boot. Of note is I did not have any issues w/OSA startup after system startup immediately after installation of this Win Update.
     
  4. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,592
    Location:
    U.S.A.
    Assumed this utility works like Autoruns and DriverQuery in that it will only show drivers formally installed by the OS.
     
  5. Compu KTed

    Compu KTed Registered Member

    Joined:
    Dec 18, 2013
    Posts:
    1,411
    The KB5000842 Windows 10 cumulative update is considered optional, and it will not be
    deployed automatically given that it is a preview update.

    Windows 10 is getting OEMDRIVERS, a folder for third-party drivers.

    Windows hacker Albacore has discovered a hidden feature in the Windows 10 21H2
    preview build 21343 that creates a dedicated folder for third-party drivers.

    This folder is located under C:\Windows\OEMDRIVERS rather than the C:\Windows\System32
    folder where the current DriverStore is located.

    OSArmor installs its 2 system drivers currently in the System32 driver folder.

    osadevprotect.sys
    OSArmorDevDrv.sys
     
  6. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    4,064
    Location:
    Canada
    I guess the "Success Counter" has started for me again; two successful startups since the failed one this morning.
     
  7. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,546
    Location:
    The Netherlands
    Yes but shouldn't it work in a different way? Let's say I trial OSA for one week, then I decide to uninstall and reinstall it a week later. This should mean I still have about 24 days to test OSA.
     
  8. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,592
    Location:
    U.S.A.
    The "clock ticking" on all licenses, trial or otherwise, starts the minute the software is installed/activated. In fact for many, it starts when the software is purchased.

    Whether the software is installed or not has no bearing on license duration. You should know this.
     
    Last edited: Apr 4, 2021
  9. plat

    plat Registered Member

    Joined:
    Dec 19, 2018
    Posts:
    2,233
    Location:
    Brooklyn, NY
    This rule here:
    [attachment: osasyrest.PNG]
    I was pleased to find it b/c lately something on here keeps enabling System Restore after I've repeatedly disabled it. :cautious: Does anyone have experience with this rule--does it successfully prevent a Restore Point from being created? Hopefully, it doesn't generate a notification every time or does it?

    NoVirusThanks: can one generate one's own WAV now or is this still not possible?
     
  10. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,592
    Location:
    U.S.A.
    I assume all this rule does is prevent the GUI screen from being displayed. Can't see how it would affect any System Restore setting:

    [attachment: SR.png]
     
  11. plat

    plat Registered Member

    Joined:
    Dec 19, 2018
    Posts:
    2,233
    Location:
    Brooklyn, NY
    OK, well here's the deal, I think. It doesn't prevent the actual creation of a restore point (bummer), it blocks this specific exe when you click this tab that enables you to use a prev. restore point. Shoot, I was hoping it would block the entire process. OK, mystery solved. :'(

    [attachment: osarestore.png]
     
  12. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,546
    Location:
    The Netherlands
    I guess I haven't trialed software that much lately. But I still think it's weird. If I have a month to trial software I should be able to do so the full let's say 31 days no matter if I uninstall and reinstall in this period. You would think that license managers are smart enough.
     
  13. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,592
    Location:
    U.S.A.
    I am fairly confident I know the reason for these intermittent OSA startup failures. In reference to this incident: https://www.wilderssecurity.com/thr...layer-of-defense.398859/page-147#post-2998145 , I checked my Win Event logs and shown was an unscheduled, i.e. dirty, Win 10 shutdown that same evening. The next morning when I booted the PC for the first time, OSA did not start. This finding also parallels previous OSA startup issues.

    For me, this explains the intermittent nature of this issue and why it is so hard to diagnose. I also believe the real culprit is how OSA is loading its drivers. @novirusthanks I advise you do some reverse code engineering on Process Explorer code which also loads a kernel mode driver "on the fly" at process startup time if not previously loaded and does so properly. It will also do the same for its .sys driver file if it doesn't previously exist in the C:\Windows\System32\drivers directory.

    -EDIT- Discussion on how PE loads its driver on the fly is here: https://community.osr.com/discussio...monitor-loads-it-driver-withou-registry-entry
     
    Last edited: Apr 6, 2021
  14. novirusthanks

    novirusthanks Developer

    Joined:
    Nov 5, 2010
    Posts:
    1,359
    Location:
    Italy
  15. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,592
    Location:
    U.S.A.
    So far, so good.

    Powered down PC via power button to create unscheduled shutdown and OSA started up w/o issue. Next test is to pull power plug when PC is in standby mode to simulate power failure while in that power down state.
     
  16. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    4,064
    Location:
    Canada
  17. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,592
    Location:
    U.S.A.
    I completed my test of ver. 1.5.7 pre-release with both good and strange results.

    The Win 10 tests were:

    1. PC powered down in stand-by mode.
    2. PC powered down in shutdown mode.

    Note: Win 10 fast startup enabled on this device.

    In both the above cases, OSA started up at desktop initialization w/o issue.

    The strange result is in both the above cases, it really appeared that fast startup was being employed. Yes, the BIOS splash screen appeared indicating a system restart. However, the time to desktop initialization was a couple secs. at most. Also in the case of startup after test no. 1, my network adapter settings were not reset and showed a DHCP lease time at first system startup this morning. Also OSA .sys file modification times were not changed. I have never seen this type of behavior before. A power loss in either of the two test cases always resulted in a full system restart occurring, which is Win 10 default behavior. It really appears to me these recent OSA changes are somehow saving system memory data used in resume from stand-by or fast startup processing and restoring that data.
     
  18. plat

    plat Registered Member

    Joined:
    Dec 19, 2018
    Posts:
    2,233
    Location:
    Brooklyn, NY
    Great, yes I just now re-instated my custom WAV, renamed it to "loon" and it works fine. :thumb:
     
  19. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,592
    Location:
    U.S.A.
    Major problem with pre-release ver. 1.5.7

    Last night I had an unexpected Win 10 shutdown. No clue why since this was a normal system shutdown via System Settings like option. This morning at first cold boot, my system hung at logon display screen. Background was muted but no password window appeared. However, it appears Win 10 did startup based on audio I received indicating Eset had a sig. update. -EDIT- Confirmed system start occurred after further review of Win system Event log. Further when I went to restart the system via muted screen option, I received a popup alert that some system activity might be lost.

    All the above confirms my suspicion that OSA is saving system state data to get around this OSA startup issue. That is a no-no in my book. It's back to ver. 1.5.6 for me. Also @novirusthanks please abandon this approach taken in the pre-release ver. or I will be forced to stop using this product.
     
    Last edited: Apr 10, 2021
  20. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    4,064
    Location:
    Canada
    Nothing showing in OSArmor or ESET logs @itman ?

    No problems for me yet, knock on wood, and I've noticed OSArmor icon is the first to display in the Taskbar Notification area.
     
    Last edited: Apr 10, 2021
  21. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,592
    Location:
    U.S.A.
    As usual, only the unscheduled shutdown from the previous evening.

    What I definitely didn't like was that Windows started without entering my admin password. If I ever see anything remotely like this again, it's forever bye-bye to OSA. I am pretty much at this point now. I don't need "security" software that doesn't adhere to Windows basic security principles such as loading kernel drivers in the proper fashion.
     
  22. imdb

    imdb Registered Member

    Joined:
    Nov 2, 2011
    Posts:
    4,208
    terrible. :eek: how could that be possible?
     
  23. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,592
    Location:
    U.S.A.
    There is also another possible culprit to this OSA startup issue after unscheduled system shutdown. I noticed that OSA monitors shutdown.exe. What I am starting to suspect is that this rule may be interfering with OS shutdown activities under certain unknown conditions. If the OS initiated shutdown fails, it just performs a forced shutdown. Note that at system shutdown time, it usually takes a while for the system to power down. During this time, the desktop is no longer visible and I assume OSA might also not be able to write to its block log file and the like.
     
  24. plat

    plat Registered Member

    Joined:
    Dec 19, 2018
    Posts:
    2,233
    Location:
    Brooklyn, NY
    Well, this is still a test build so hopefully your issue, itman, continues to be studied (I'm guessing). Is it to where you would want to go back to the previous build b/c you didn't describe this problem at that time?

    Don't have shutdown or startup issues but then again, I run a batch file to automatically terminate all processes when shutdown is initiated. That would include OSArmor. Shutdown then takes maybe 2-3 seconds.
     
  25. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,592
    Location:
    U.S.A.
    The OSA "saga" continues.

    Last night after the previous ver. 1.5.6 install on top of the 1.5.7 pre-release version during the day, my PC would not power down at shutdown for the night time.

    One thing I forgot to mention about the 1.5.6 on top re-installation. I was prompted by OSA to restart my system; something I have never seen in previous OSA installations; clean or on top. Did so and system rebooted w/o issue. More on this later.

    When my system wouldn't power down at shutdown time, I restarted the system via the tower case button reserved for this purpose versus doing a tower case power button shutdown. The case restart button in effect is a "hard" shutdown/restart mimicking a cold boot. System rebooted w/o issue and interestingly, OSA started w/o issue. Note this was also an unscheduled shutdown per Win Event log confirmation. A short time later, successfully did a Win shutdown w/o issue.

    This morning I did some further analysis and on a hunch, checked out the OSA .sys driver files in the Win driver directory. Creation date and time corresponded to the above system restart activity; an expected finding. Of most interest is when I checked for prior versions, there were none. This was not the case in the past when I had versions going back to my original OSA installation in Jan.

    Putting everything together, I really don't expect further OSA startup issues. I believe the issue is OSA was/is not properly replacing its .sys driver files upon on-top installation and/or at system restart time.
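The checks the posters above perform by hand (listing the OSA kernel drivers as the OS registers them, looking at the .sys files in the System32 drivers directory and their timestamps, and reading the Windows Event log for a dirty shutdown before a boot on which the service failed) can be gathered in one pass. The script below is an added example for this thread, not code from NoVirusThanks or from any poster. It takes only the two driver file names from the thread (osadevprotect.sys and OSArmorDevDrv.sys) and matches registrations by file name rather than assuming service names; the Event IDs used (41 Kernel-Power and 6008 for an unclean shutdown, 7000/7001/7026 from Service Control Manager for start failures) are standard Windows IDs. Run it from an elevated PowerShell prompt.

```powershell
# Added example (not from the thread or the OSArmor project): collect the
# evidence discussed in the posts above for a single boot.
# Assumption: driver file names are taken from the thread; service names are
# discovered by matching the registered PathName, not hard-coded.

$driverFiles = @('osadevprotect.sys', 'OSArmorDevDrv.sys')
$driverDir   = Join-Path $env:SystemRoot 'System32\drivers'
$lastBoot    = (Get-CimInstance Win32_OperatingSystem).LastBootUpTime

# 1. Kernel driver registrations as the Service Control Manager sees them.
#    This is the same source Autoruns, DriverQuery and InstalledDriversList read;
#    a driver loaded "on the fly" without a registration will not appear here.
Write-Host "== Registered kernel drivers matching $($driverFiles -join ', ') =="
Get-CimInstance Win32_SystemDriver |
    Where-Object { $_.PathName -and ($driverFiles -contains (Split-Path $_.PathName -Leaf)) } |
    Select-Object Name, State, StartMode, PathName |
    Format-Table -AutoSize

# 2. On-disk driver files: timestamps relative to the last boot (post 25 checks
#    whether an on-top install actually replaced the files) and signature status.
Write-Host "== Driver files in $driverDir (last boot: $lastBoot) =="
$fileReport = foreach ($f in $driverFiles) {
    $path = Join-Path $driverDir $f
    if (Test-Path $path) {
        $item = Get-Item $path
        [pscustomobject]@{
            File           = $f
            CreationTime   = $item.CreationTime
            LastWriteTime  = $item.LastWriteTime
            WrittenAfterBoot = ($item.LastWriteTime -gt $lastBoot)
            Signature      = (Get-AuthenticodeSignature $path).Status
        }
    } else {
        Write-Warning "$f not found in $driverDir"
    }
}
$fileReport | Format-Table -AutoSize

# 3. Was the previous shutdown clean? Event 41 (Kernel-Power) and 6008 (EventLog)
#    are written when Windows did not shut down properly.
Write-Host "== Unexpected shutdowns in the last 7 days =="
Get-WinEvent -FilterHashtable @{
        LogName   = 'System'
        Id        = 41, 6008
        StartTime = (Get-Date).AddDays(-7)
    } -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, ProviderName |
    Format-Table -AutoSize

# 4. Service/driver start failures since this boot, narrowed to OSArmor names.
Write-Host "== Service Control Manager start failures since last boot =="
Get-WinEvent -FilterHashtable @{
        LogName      = 'System'
        ProviderName = 'Service Control Manager'
        Id           = 7000, 7001, 7026
        StartTime    = $lastBoot
    } -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match 'OSArmor|osadev' } |
    Select-Object TimeCreated, Id, Message |
    Format-List
```

Reading the output together answers the questions raised in the thread: a driver present in section 2 but absent from section 1 is loaded outside the normal SCM registration, a dirty-shutdown event in section 3 immediately preceding a 7000/7001/7026 entry in section 4 supports the correlation itman describes, and a WrittenAfterBoot value of False after an on-top reinstall indicates the .sys file was not replaced.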
     