NoVirusThanks OSArmor: An Additional Layer of Defense

Discussion in 'other anti-malware software' started by novirusthanks, Dec 17, 2017.

  1. Compu KTed

    Compu KTed Registered Member

    Joined:
    Dec 18, 2013
    Posts:
    1,411
    @itman

    Have you checked your Event Viewer for any errors or warnings?

    You may see a service that failed to start with Windows, but it was likely started
    on a subsequent attempt.

    NOTE: You may see some errors and warnings in Event Viewer, even if your computer
    is working fine.

    Also I noticed when uninstalling NVT OSArmor not all registry entries are removed.
    Older versions like 1.4.3 according to OSA dev have to be uninstalled before
    installing the newer 1.5+ versions. After that you can install automatically
    over-the-top of existing 1.5x versions or do everything manually.
     
    Last edited: Mar 23, 2021
  2. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,592
    Location:
    U.S.A.
    Yes. It was the first area I checked - zip entries in this regard. Also if there was something inherently wrong with the OSArmorDevSvc service itself, you would not be able to start the service manually after Win desktop initialization completes.

    My best guess at this point is that whatever the error is in this service's Automatic startup at boot time that causes it to fail, it is not occurring after Windows fully initializes. Proof being, as demonstrated, the service starts w/o issue under Automatic - Delayed criteria. And again, I strongly suspect WOW64 use is the culprit.
    The first version of OSA I installed was 1.5+. In other words, the paid version.
     
  3. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,592
    Location:
    U.S.A.
    Here's something someone else having issues with OSArmorDevSvc service startup at system restart time can try. As I previously noted, my posted fix is working for me.

    Below is a screen of Eset's kernel service recovery options. Duplicate these for the OSArmorDevSvc service. Of note is the setting I highlighted. This means that the service will continually try to start itself until it succeeds in doing so. Note: This might interfere with intentionally pausing/stopping OSA from running.

    Eset_Service.png
     
  4. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    4,064
    Location:
    Canada
    Hi Andreas,

    correct, still no OSA startup issues for eleven straight days now after upgrading to v20H2, and it was not a clean install, but rather an upgrade from a Microsoft update. Thank you again for your help!
     
  5. Compu KTed

    Compu KTed Registered Member

    Joined:
    Dec 18, 2013
    Posts:
    1,411
    @novirusthanks

    The OSArmor EULA states,

    This software uses the following components:
    MD5 Hash Algorithm - Copyright © 1990-1992 RSA Data Security, Inc.

    NOTE: This Algorithm is insecure and no longer considered safe. Why use it?

    SHA Hash Algorithm - Copyright © National Security Agency (NSA)

    NOTE: What version of "SHA" are you using?
     
  6. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,592
    Location:
    U.S.A.
    All OSA .exe's are both SHA1 and SHA256 signed.

    You can't use SHA-1 anymore on anything SSL/TLS based on Win 7, 8, 10.
     
  7. Compu KTed

    Compu KTed Registered Member

    Joined:
    Dec 18, 2013
    Posts:
    1,411
    Yes, correct, because of weaknesses in the SHA-1 hashing algorithm and to align
    with industry standards. Windows Update discontinued/deprecated its SHA-1 based endpoints.

    Collisions are where different files can actually end up with the same hash, as with
    MD5 and SHA-1.

    Did you use Explorer in Windows to verify the signature and check certificate?

    Is there no “Digital Signatures” tab in the properties of a file when using W10,
    or does the "Digital Signatures" tab only appear if the signature is in the file itself?
     
  8. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,592
    Location:
    U.S.A.
    Yes.
    The Digital Signatures tab exists. Opening it shows the digital signatures. Note: Only OSA .exe's and drivers are signed; .dlls are not.

    OSA_Sigs.png
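    An added example for the signature questions above (not NVT's code and not from any poster in this thread): a PowerShell report over a folder of executables, DLLs and drivers that shows, per file, whether the Authenticode signature verifies, whether it is embedded in the file (which is what makes Explorer's "Digital Signatures" tab appear) or comes only from a catalog, who signed it, and whether the signer's certificate is itself still SHA-1 signed. The install path is a placeholder assumption; point it at the directory you want to audit.

    ```powershell
    # Added example, not OSArmor's or NVT's code.
    # ASSUMPTION: placeholder install path; change to the folder under review.
    $target = 'C:\Program Files\OSArmor'

    function Get-SignatureReport {
        param([Parameter(Mandatory)][string]$Path)

        Get-ChildItem -Path $Path -Recurse -File -Include *.exe, *.dll, *.sys |
            ForEach-Object {
                $sig  = Get-AuthenticodeSignature -FilePath $_.FullName
                $cert = $sig.SignerCertificate
                [pscustomobject]@{
                    File          = $_.Name
                    Extension     = $_.Extension
                    # Valid, NotSigned, HashMismatch, NotTrusted, UnknownError, ...
                    Status        = $sig.Status
                    # Authenticode = signature embedded in the PE (Explorer shows the
                    # "Digital Signatures" tab); Catalog = verified only through a
                    # .cat file (no tab in Explorer); None = not signed at all.
                    SignatureType = $sig.SignatureType
                    Signer        = if ($cert) { $cert.Subject } else { '' }
                    # Algorithm the CA used to sign the signer's certificate. This is
                    # not the file digest, but it does flag SHA-1 signed certificates.
                    CertSigAlg    = if ($cert) { $cert.SignatureAlgorithm.FriendlyName } else { '' }
                    Timestamped   = [bool]$sig.TimeStamperCertificate
                }
            }
    }

    $report = Get-SignatureReport -Path $target
    $report | Format-Table -AutoSize

    # The two findings a reviewer actually acts on: files that do not verify
    # (unsigned DLLs would show up here) and certificates still signed with SHA-1.
    $report | Where-Object { $_.Status -ne 'Valid' } |
        ForEach-Object { Write-Warning ("Not validly signed: {0} ({1})" -f $_.File, $_.Status) }
    $report | Where-Object { $_.CertSigAlg -match 'sha1' } |
        ForEach-Object { Write-Warning ("SHA-1 certificate signature: {0}" -f $_.File) }
    ```

    Get-AuthenticodeSignature verifies the file's primary signature only; it does not tell you whether a file carries both a SHA-1 and a SHA-256 signature as described above. To see every signature on a dual-signed binary, run `signtool verify /v /all` from the Windows SDK against the file.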
     
  9. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,592
    Location:
    U.S.A.
    Infosec has a great article on how to load a hidden kernel mode driver here: https://resources.infosecinstitute.com/topic/loading-the-windows-kernel-driver/ . One thing the author did not like is the following:
    Note that OSA is not loading its drivers this way, i.e. using the OSR Driver utility via SCM, but rather programmatically as noted later in the article:
    This also leaves a trail in the registry:
    All this leads me to believe that the OSArmorDevSvc service startup failure at system startup time is due to OSArmorDevDrv.sys driver loading failure. It also might be a "timing" issue caused by recreation of OSArmorDevDrv.sys. Something along the lines of the AV having the created file locked while performing scanning activities.

    Try to exclude OSArmorDevDrv.sys in System32\Drivers directory from AV real-time scanning and see if that resolves the issue.
     
  10. Compu KTed

    Compu KTed Registered Member

    Joined:
    Dec 18, 2013
    Posts:
    1,411

    If the Start DWORD is set to anything other than 2 (Automatic), then the
    DelayedAutoStart value is ignored, even if it’s set to 1.

    The DelayedAutostart value data of 1 means the service is set to delayed start.
    If the value is missing or is set to 0, then it’s not set to delayed start.

    NOTE: Arbitrarily changing the service startup types can cause problems to the system.
    It’s advisable to leave the services configuration in the Windows default setting in
    most cases.
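    An added example for the Start / DelayedAutoStart rules just described (not NVT's code and not from any poster in this thread): a PowerShell function that reads the raw values from a service's registry key, derives the effective startup type by exactly that rule, reports whether DelayedAutoStart is present at all (an explicit 0 versus a missing value), and cross-checks the result against what WMI reports for the same service. The service name used in the call is the one discussed in the thread; any service name works.

    ```powershell
    # Added example, not NVT's code. Read-only: it changes no service settings.
    function Get-ServiceStartConfig {
        param([Parameter(Mandatory)][string]$Name)

        $key = "HKLM:\SYSTEM\CurrentControlSet\Services\$Name"
        if (-not (Test-Path $key)) { throw "No Services key for '$Name'" }
        $props = Get-ItemProperty -Path $key

        $start   = $props.Start             # 0 Boot, 1 System, 2 Automatic, 3 Manual, 4 Disabled
        $delayed = $props.DelayedAutoStart  # $null when the value does not exist

        # DelayedAutoStart only matters when Start is 2 (Automatic):
        # 1 means delayed start, 0 or a missing value means plain Automatic.
        $effective = switch ($start) {
            0 { 'Boot' }
            1 { 'System' }
            2 { if ($delayed -eq 1) { 'Automatic (Delayed Start)' } else { 'Automatic' } }
            3 { 'Manual' }
            4 { 'Disabled' }
            default { "Unknown ($start)" }
        }

        # WMI's own view of the same flags, for cross-checking against the registry.
        $wmi = Get-CimInstance -ClassName Win32_Service -Filter "Name='$Name'"

        [pscustomobject]@{
            Service             = $Name
            Start               = $start
            DelayedAutoStart    = $delayed
            DelayedValuePresent = ($null -ne $delayed)   # explicit 0 vs. missing
            Effective           = $effective
            WmiStartMode        = $wmi.StartMode
            WmiDelayedAutoStart = $wmi.DelayedAutoStart
            ImagePath           = $props.ImagePath
        }
    }

    Get-ServiceStartConfig -Name 'OSArmorDevSvc' | Format-List
    ```

    Run it once before and once after changing a startup type in services.msc to see exactly which registry values the console writes; that is the cheapest way to confirm whether an explicit DelayedAutoStart of 0 is left behind, as discussed in this thread.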
     
  11. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,592
    Location:
    U.S.A.
    All the above was previously noted by me in this thread: https://www.wilderssecurity.com/thr...layer-of-defense.398859/page-145#post-2996611

    All I can state is after setting OSArmorDevSvc service to Automatic - Delayed, then resetting it back to Automatic while retaining DelayedAutostart value data of 0 has solved all my OSArmorDevSvc service startup issues after system restart time. Yes, documentation exists that states that DelayedAutostart with a value data of 0 is the same as not having the value at all in the registry key.

    Appears to me I have found an undocumented feature of DelayedAutostart value data of 0. That is, if present, it is in some way affecting service startup processing. It is also entirely possible that creating this parameter must be done exactly as described above. Just adding it stand-alone to the OSArmorDevSvc service startup reg. key might not have the same effect.
     
    Last edited: Mar 26, 2021
  12. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,592
    Location:
    U.S.A.
    @novirusthanks here's something to check out.

    I am using this filter driver described below as a workaround to the existing Windows chkdsk bug:
    https://www.bleepingcomputer.com/ne...corruption-bug-gets-unofficial-temporary-fix/

    If you are creating your driver files using such access, this could be the source of OSArmorDevSvc service startup failures at system startup time.
     
  13. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,546
    Location:
    The Netherlands
    OK thanks, I hope you can fix this. And there is also something wrong with the NVT License Manager. I only used OSA for about 3 days, but when I reinstalled OSA a few weeks later, it said that my trial period had ended.
     
  14. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,592
    Location:
    U.S.A.
    I ran one last test. This one was what happens when I remove the DelayedAutostart parameter from the OSArmorDevSvc service?

    After removing the parameter, I rebooted. Win 10 froze at the initial Win 10 black screen with Windows logo. No twirling dots, etc. Complete system freeze. Oh no ..... No worry, which I will get to later. Powered down PC via case power button. Restarted PC via power button and Win 10 booted fine and OSA also started up w/o issue.

    So what is happening here? Only thing present in Win Event logs was that the shutdown after removal of DelayedAutostart parameter was dirty. Assumed upon system restart, chkdsk -f attempted to run and i30Flt driver described above blocked it resulting in the boot halting.

    Now a few details I didn't disclose previously. After the automatic - delayed startup of OSArmorDevSvc service and resultant creation of the DelayedAutostart parameter, I used Process Explorer to check out OSArmorDevSvc.exe process. I could access Stack and Module data w/o issue. Such is not the case presently. A clear indication that OSA self-protection driver was not functioning properly when the drivers were loaded via automatic - delayed startup and thereafter when startup type was changed back to automatic. So I guess we have found an OSA self-protection bypass.

    In any case, all the above gyrations have fixed OSA startup issue after system restart. I have my fingers crossed that this will hold true in the future.
     
    Last edited: Mar 28, 2021
  15. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    4,064
    Location:
    Canada
    In my case all I did was update to 20H2 two weeks ago using the Update Assistant and I've had no OSArmorDevSvc startup issues since. I've made no other changes at all.
     
  16. JNicoll23

    JNicoll23 Registered Member

    Joined:
    Oct 24, 2009
    Posts:
    48
    Location:
    Scotland
    That's probably intentional. The trial period is likely to be a number of days since you /first/ installed the product, to avoid scoundrels from abusing trial periods to get much longer overall periods of use (eg by being 'creative' about uninstalling and reinstalling a product).
     
  17. Compu KTed

    Compu KTed Registered Member

    Joined:
    Dec 18, 2013
    Posts:
    1,411
    Here's what I've read about ESET.

    ESET HIPS Advanced setup:
    Deep Behavioral Inspection - Exclusions — You can exclude processes from analysis.
    To ensure that all processes are scanned for possible threats, we recommend
    only creating exclusions when absolutely necessary.

    With Antivirus/HIPS & including Windows/Microsoft Defender was anyone having
    to exclude any .exe's and system driver(s) on earlier versions of OSA 1.4x?

    NVT Activator.exe (v.1.5x)
    NVT LicenseManager.exe (v.1.5x)
    NVT HelperProcess.exe (v.1.5x)
    OSArmorDevCfg.exe
    OSArmorDevUI.exe
    OSArmorDevSvc.exe
    OSArmorExcHlp.exe

    NVT OSA System drivers:
    osadevprotect.sys
    OSArmorDevDrv.sys

    Why does OSArmorDevDrv.sys mode driver load so late and where's that in relation
    to osadevprotect.sys? (mode order #)

    NOTE: Assuming OSA protection driver would load before dev driver.
     
  18. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,592
    Location:
    U.S.A.
    Refer to the below screen shot. OSA self-protection driver loads after OSArmorDevDrv.sys. This makes sense since OSArmorDevSvc.exe is loading both drivers.

    OSA_Drivers.png

    An amusing side note is NVT's Driver utility doesn't consider its drivers as hidden. However, it is the only driver utility I have used that shows their existence.

    NirSoft's Driver utility doesn't show OSA drivers:

    Nirsoft_Drivers.png

    Win's DriverQuery utility doesn't show OSA drivers:

    DriverQuery_Drivers.png
     
    Last edited: Mar 29, 2021
  19. Compu KTed

    Compu KTed Registered Member

    Joined:
    Dec 18, 2013
    Posts:
    1,411
    Thanks itman.
     
  20. Compu KTed

    Compu KTed Registered Member

    Joined:
    Dec 18, 2013
    Posts:
    1,411
    When installing OSArmor looks like OSArmorDevDrv.sys driver is installed BEFORE
    osadevprotect.sys driver.

    DriverView (Nirsoft) utility displays the list of all device drivers currently loaded
    on your system.
    OSArmorDevDrv.sys is the only driver listed in DriverView.

    At boot of Windows though, shouldn't osadevprotect driver also load?
    Actually I think it's listed at boot load IIRC.

    Also OSArmorDevDrv.sys is running on Windows kernel, but
    what about the osadevprotect driver?

    Autoruns (Sysinternals) utility also does not list OSA drivers.

    Wonder why some of these tools/utilities are not listing OSA drivers?

    NOTE: Both OSA system drivers are listed in SigCheck utility.
     
  21. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,592
    Location:
    U.S.A.
    No. Both show on my build. It is interesting this utility shows the OSA drivers, but the other NirSoft utility does not. -EDIT- This utility shows "installed" drivers; not loaded drivers. Therefore, no discrepancy between the two utilities.

    Also file modification times are identical. As such, which one loads first doesn't really matter:

    OSA_Drivers.png

    They are both kernel drivers. See above screen shot.
     
    Last edited: Mar 30, 2021
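    An added example for the "why do some tools not list the OSA drivers" discussion above (not NVT's, NirSoft's or any poster's code): a PowerShell check that enumerates every kernel-mode and file-system driver registered under the Services key and marks which of them the OS also reports through Win32_SystemDriver, the same data driverquery shows. A driver that has a Services key but is absent from that list is one the Service Control Manager does not know about (for example a key written directly and a driver loaded programmatically, the trail the linked article describes) or one something is filtering from the view; either way it deserves a look. The two driver names at the end are the ones from this thread.

    ```powershell
    # Added example, not NVT's or NirSoft's code. Read-only.
    function Get-DriverVisibility {
        # Type 1 = SERVICE_KERNEL_DRIVER, 2 = SERVICE_FILE_SYSTEM_DRIVER
        $registered = Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Services' |
            ForEach-Object { Get-ItemProperty -Path $_.PSPath } |
            Where-Object { $_.Type -in @(1, 2) }

        # Drivers the SCM reports (running or stopped); driverquery uses the same source.
        $reported = @{}
        Get-CimInstance -ClassName Win32_SystemDriver |
            ForEach-Object { $reported[$_.Name.ToLower()] = $_ }

        foreach ($svc in $registered) {
            $name = $svc.PSChildName
            $seen = $reported[$name.ToLower()]
            [pscustomobject]@{
                Name       = $name
                Type       = if ($svc.Type -eq 1) { 'Kernel' } else { 'FileSystem' }
                Start      = $svc.Start            # 0 Boot, 1 System, 2 Auto, 3 Manual, 4 Disabled
                ImagePath  = $svc.ImagePath
                ReportedBy = if ($seen) { 'Win32_SystemDriver' } else { '' }
                State      = if ($seen) { $seen.State } else { 'not reported' }
            }
        }
    }

    $all = Get-DriverVisibility

    # Registered drivers the OS does not report at all: the interesting set.
    $all | Where-Object { -not $_.ReportedBy } |
        Format-Table Name, Type, Start, ImagePath -AutoSize

    # The two drivers discussed in this thread (names taken from the posts above).
    $all | Where-Object { $_.Name -match 'osadevprotect|OSArmorDevDrv' } | Format-List
    ```

    The comparison is only as good as its two sources: a driver that is loaded without any Services key at all will show in neither, so on a box where that is the concern, a kernel-side view (a debugger's module list or a driver-enumeration tool that reads it) is the next step.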
  22. Compu KTed

    Compu KTed Registered Member

    Joined:
    Dec 18, 2013
    Posts:
    1,411
    @itman

    We're talking 2 different NirSoft utilities: DriverView and InstalledDriversList.
     
  23. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,592
    Location:
    U.S.A.
    OK ........ See below screen shot. Both OSA drivers present on my build. Appears "Index" column denotes load order. It syncs with what was shown on NVT's Driver utility.

    OSA_DriverView.png
     
  24. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,592
    Location:
    U.S.A.
    I believe Autoruns only shows drivers actually installed on the OS. Note that OSA drivers don't have .ini and .cat files associated with them.
     
  25. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,592
    Location:
    U.S.A.
    Well, it happened again. OSA not running at system startup. However, this instance was a bit different. I had a power failure while the PC was in standby mode. Of course, this resulted in a full system startup occurring at PC power-up time. Also, to dispel any ambiguity here that the OSA service is stopped, I tried to access it via its desktop icon, which resulted in the following per screen shot:

    OSA_Stopped.png

    My complaint about this product is that this popup should be automatically displayed when this status occurs. This means that NVT needs to monitor for this status via another process that is running. This means via its license manager process, which, interestingly, never fails to start.
     
    Last edited: Mar 30, 2021