NoVirusThanks OSArmor: An Additional Layer of Defense

Discussion in 'other anti-malware software' started by novirusthanks, Dec 17, 2017.

  1. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    10,481
    Location:
    Among the gum trees
    I got this while updating Malwarebytes:

    Date/Time: 2025-04-18 06:33:31
    Date/Time UTC: 2025-04-17 20:33:31
    Action: Process Blocked
    OSArmor Version: 2.0.3.0
    Process: [12540]C:\ProgramData\Malwarebytes\MBAMService\ctlrupdate\MBUpdateDlg.exe
    Process Size: 384.55 KB (393,784 bytes)
    Process MD5 Hash: 05C4054BB9249EF9ED229A0095428A4D
    Parent: [12344]C:\ProgramData\Malwarebytes\MBAMService\ctlrupdate\mbupdatr.exe
    Parent Process Size: 5.87 MB (6,151,184 bytes)
    Rule: BlockParticularProcessesPreventDLLSideload
    Rule Name: Block particular processes to prevent DLL sideload
    Command Line: "C:\ProgramData\Malwarebytes\MBAMService\ctlrupdate\MBUpdateDlg.exe"
    Signer: Malwarebytes Inc.
    Parent Signer: Malwarebytes Inc
    User/Domain: David/DAVID-HP
    System File: False
    Parent System File: False
    Integrity Level: Medium
    Parent Integrity Level: System
    Passive Logging: False
     
  2. Dragon1952

    Dragon1952 Registered Member

    Joined:
    Sep 16, 2012
    Posts:
    2,512
    Location:
    Hollow Earth - Telos
    Date/Time: 2025-04-21 19:02:08
    Date/Time UTC: 2025-04-21 23:02:08
    Action: Process Blocked
    OSArmor Version: 2.0.3.0
    Process: [3648]C:\Program Files\Windows Sidebar\sidebar.exe
    Process Size: 1.38 MB (1,448,448 bytes)
    Process MD5 Hash: 133385D0B4C452D8F1ACB9068419831B
    Parent: [2056]C:\Windows\System32\svchost.exe
    Parent Process Size: 86.09 KB (88,152 bytes)
    Rule: BlockSystemProcessesOnUserSpace
    Rule Name: Block system processes on user space
    Command Line: "C:\Program Files\Windows Sidebar\sidebar.exe" /autorun2
    Signer: <NULL>
    Parent Signer: Microsoft Windows Publisher
    User/Domain:
    System File: False
    Parent System File: True
    Integrity Level: Medium
    Parent Integrity Level: System
    Passive Logging: False
     
  3. Dragon1952

    Dragon1952 Registered Member

    Joined:
    Sep 16, 2012
    Posts:
    2,512
    Location:
    Hollow Earth - Telos
    Date/Time: 2025-04-25 10:50:42
    Date/Time UTC: 2025-04-25 14:50:42
    Action: Process Blocked
    OSArmor Version: 2.0.3.0
    Process: [22496]C:\Windows\System32\pnputil.exe
    Process Size: 264 KB (270,336 bytes)
    Process MD5 Hash: BE160F9384270BE15C08835011586C9D
    Parent: [22060]C:\Windows\System32\rundll32.exe
    Parent Process Size: 88 KB (90,112 bytes)
    Rule: BlockInfLoadingViaLaunchINFSection
    Rule Name: Block loading of .inf files via InstallHinfSection\LaunchINFSection\etc
    Command Line: "pnputil.exe" /add-driver "C:\Program Files\Dell\DTP\IGCLIPFDrivers\igcl_IPF_provider_sw.inf" /install
    Signer: <NULL>
    Parent Signer: <NULL>
    User/Domain: SYSTEM/NT AUTHORITY
    System File: True
    Parent System File: True
    Integrity Level: System
    Parent Integrity Level: System
    Passive Logging: False
     
  4. Dragon1952

    Dragon1952 Registered Member

    Joined:
    Sep 16, 2012
    Posts:
    2,512
    Location:
    Hollow Earth - Telos
    Date/Time: 2025-04-25 11:44:50
    Date/Time UTC: 2025-04-25 15:44:50
    Action: Process Blocked
    OSArmor Version: 2.0.3.0
    Process: [8472]C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
    Process Size: 41.01 KB (41,992 bytes)
    Process MD5 Hash: 44B91F024D116BDAD06F236C8EEDCB42
    Parent: [14472]C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
    Parent Process Size: 2.06 MB (2,154,992 bytes)
    Rule: BlockProcessesExecutedFromCSC
    Rule Name: Block processes executed from C Sharp compiler (csc.exe)
    Command Line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Windows\SystemTemp\RES2E78.tmp" "c:\Windows\SystemTemp\zpv1go2x\CSC1A803AEE67C64F53BA2E9B931A16787D.TMP"
    Signer: Microsoft Corporation
    Parent Signer: Microsoft Corporation
    User/Domain: SYSTEM/NT AUTHORITY
    System File: True
    Parent System File: True
    Integrity Level: System
    Parent Integrity Level: System
    Passive Logging: False
     
  5. Dragon1952

    Dragon1952 Registered Member

    Joined:
    Sep 16, 2012
    Posts:
    2,512
    Location:
    Hollow Earth - Telos
    Date/Time: 2025-04-25 11:44:12
    Date/Time UTC: 2025-04-25 15:44:12
    Action: Process Blocked
    OSArmor Version: 2.0.3.0
    Process: [9752]C:\Windows\SysWOW64\reg.exe
    Process Size: 63 KB (64,512 bytes)
    Process MD5 Hash: 5463489622EB68D6407C5760360E4C15
    Parent: [12300]C:\Windows\Temp\{D27FF6D3-1776-442F-B1E4-24FBE6878328}\_isC4C8.exe
    Parent Process Size: 329.27 MB (345,260,992 bytes)
    Rule: BlockLOLBinsAndOtherSophisticatedAttacks
    Rule Name: Block LOLBins and other sophisticated attacks
    Command Line: "C:\Windows\system32\reg.exe" import C:\Windows\TEMP\delloptimizer.reg /reg:64
    Signer: <NULL>
    Parent Signer: Dell Technologies Inc.
    User/Domain: SYSTEM/NT AUTHORITY
    System File: True
    Parent System File: False
    Integrity Level: System
    Parent Integrity Level: System
    Passive Logging: False
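    The block records posted above (and the later ones in this thread) all share one key/value layout, and the useful triage questions are the same each time: is the blocked binary signed, is its parent signed or a Windows system file, and was the parent launched from a temp directory. The following is an added example, not OSArmor code and not from any poster here: it parses that record format and applies a few triage heuristics of its own. The flag names, the verdict labels and the list of "staging" directories are this example's assumptions; the embedded sample input is trimmed from the records posted above.

```python
"""Parse and triage OSArmor 'Process Blocked' records (added example)."""
import re

# "Process: [12540]C:\path\to\file.exe" -> pid and path
_PID_PATH = re.compile(r"^\[(\d+)\](.*)$")

# Assumption: directories a non-admin process can usually write to. A parent
# launched from one of these gets a second look even when it is signed.
_STAGING_DIRS = ("\\windows\\temp\\", "\\appdata\\local\\temp\\")

# Constructed sample input: two records trimmed from the posts above.
SAMPLE_LOG = r"""
Action: Process Blocked
Process: [12540]C:\ProgramData\Malwarebytes\MBAMService\ctlrupdate\MBUpdateDlg.exe
Parent: [12344]C:\ProgramData\Malwarebytes\MBAMService\ctlrupdate\mbupdatr.exe
Rule: BlockParticularProcessesPreventDLLSideload
Command Line: "C:\ProgramData\Malwarebytes\MBAMService\ctlrupdate\MBUpdateDlg.exe"
Signer: Malwarebytes Inc.
Parent Signer: Malwarebytes Inc
System File: False
Parent System File: False

Action: Process Blocked
Process: [9752]C:\Windows\SysWOW64\reg.exe
Parent: [12300]C:\Windows\Temp\{D27FF6D3-1776-442F-B1E4-24FBE6878328}\_isC4C8.exe
Rule: BlockLOLBinsAndOtherSophisticatedAttacks
Command Line: "C:\Windows\system32\reg.exe" import C:\Windows\TEMP\delloptimizer.reg /reg:64
Signer: <NULL>
Parent Signer: Dell Technologies Inc.
User/Domain: SYSTEM/NT AUTHORITY
System File: True
Parent System File: False
"""


def parse_records(text):
    """Split a log dump into dicts; records are separated by blank lines."""
    records, current = [], {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            if current:
                records.append(current)
                current = {}
            continue
        key, sep, value = line.partition(":")  # first colon only; paths keep theirs
        if sep:
            current[key.strip()] = value.strip()
    if current:
        records.append(current)
    return records


def split_pid_path(field):
    """'[12540]C:\\x.exe' -> (12540, 'C:\\x.exe'); PID 0 if no bracket prefix."""
    m = _PID_PATH.match(field or "")
    return (int(m.group(1)), m.group(2)) if m else (0, field or "")


def _signed(signer):
    return bool(signer) and signer != "<NULL>"


def _norm_vendor(s):
    # "Malwarebytes Inc." and "Malwarebytes Inc" should compare equal
    s = re.sub(r"[^a-z0-9]", "", s.lower())
    return s[:-3] if s.endswith("inc") else s


def triage(rec):
    """Return (verdict, flags) for one record.

    The records above show 'Signer: <NULL>' for reg.exe, pnputil.exe and
    cmd.exe even though they are Microsoft binaries, so 'System File: True'
    is used as the trust signal for those instead of an embedded signature.
    """
    flags = []
    _, parent = split_pid_path(rec.get("Parent", ""))
    sys_file = rec.get("System File") == "True"
    parent_sys = rec.get("Parent System File") == "True"
    signer, parent_signer = rec.get("Signer", ""), rec.get("Parent Signer", "")

    if not _signed(signer) and not sys_file:
        flags.append("unsigned_process")
    if not _signed(parent_signer) and not parent_sys:
        flags.append("unsigned_parent")
    if any(d in parent.lower() for d in _STAGING_DIRS):
        flags.append("parent_in_temp")
    if rec.get("Rule") == "BlockLOLBinsAndOtherSophisticatedAttacks":
        flags.append("lolbin_rule")
    if _signed(signer) and _signed(parent_signer) and \
            _norm_vendor(signer) == _norm_vendor(parent_signer):
        flags.append("same_vendor_chain")
    if sys_file and parent_sys:
        flags.append("system_chain")

    if {"unsigned_process", "unsigned_parent", "parent_in_temp"} & set(flags):
        return "review", flags
    if "same_vendor_chain" in flags or "system_chain" in flags:
        return "likely_false_positive", flags
    return "review", flags


def report(text):
    """List of (blocked path, verdict, flags) for every record in the dump."""
    return [(split_pid_path(r.get("Process", ""))[1],) + triage(r)
            for r in parse_records(text)]


if __name__ == "__main__":
    for path, verdict, flags in report(SAMPLE_LOG):
        print(f"{verdict:22} {path}  {', '.join(flags)}")
```

    The verdict is only a sorting aid: the Malwarebytes record comes out as a same-vendor chain and is the kind of thing to report to the developer as a false positive, while the reg.exe import launched by an installer extracted to C:\Windows\Temp is kept for review even though the parent is signed, because the signer alone says nothing about whether the registry file it imports is expected.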
     
  6. novirusthanks

    novirusthanks Developer

    Joined:
    Nov 5, 2010
    Posts:
    1,366
    Location:
    Italy
    We have released OSArmor v2.0.4:
    https://www.osarmor.com/download/

    Here is the changelog:

    If you have automatic updates enabled then OSArmor should auto-update within the next few hours.

    Else you can install it "over-the-top" of the installed version, reboot is not needed.

    If you find false positives or issues please let me know.
     
  7. Tarnak

    Tarnak Registered Member

    Joined:
    Feb 5, 2007
    Posts:
    5,446
    I haven't a clue what this means.

    [Attachment: OSArmor_block process_01.JPG]
     
  8. SirShane

    SirShane Developer

    Joined:
    Jan 2, 2011
    Posts:
    51
    Location:
    Oregon
    SirCleaner loads the DLLs and OCX files inside the folder with it; that's how it can be portable. Since the loading of those files was blocked, that is why you see the side-by-side error, as the manifest file in the program tells Windows to use those files. Never seen an antivirus block that before. It's a false positive, but still odd they would block that to begin with.

    I wrote SirCleaner, are you able to submit it to them as a false positive? Then they can test it and then whitelist it.
     
    Last edited: May 14, 2025
  9. bjm_

    bjm_ Registered Member

    Joined:
    May 22, 2009
    Posts:
    4,540
    Location:
    .
  10. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    10,481
    Location:
    Among the gum trees
    @bjm_ , I've been seeing that for a while now off and on. Thinking about it, I haven't seen that lately, maybe since the latest version was released.

    A system restart always works for me.
     
  11. Buddel

    Buddel Registered Member

    Joined:
    Apr 28, 2015
    Posts:
    2,034
    This error message looks familiar. I saw it a couple of weeks ago, but only once so far. And yes, a system restart worked for me, too.
     
  12. Serphis

    Serphis Registered Member

    Joined:
    Nov 24, 2018
    Posts:
    91
    Location:
    Italy
    Hello,
    I also got that message some time ago. If I remember correctly I started the service without rebooting the PC:

    - Go to Start, Run.
    - Type services.msc in the Run command.
    - Right-click on NoVirusThanks OSArmorDevSvc
    - Select Start (or Restart if needed)

    [Attachment: OSArmor services.png]
     
  13. novirusthanks

    novirusthanks Developer

    Joined:
    Nov 5, 2010
    Posts:
    1,366
    Location:
    Italy
    @Tarnak @SirShane

    Are the DLLs and OCX files digitally signed?

    That protection option is suggested to businesses and may create false positives on a home PC, e.g. with portable apps.

    Anyway I will take a look at it to see if it can be fixed internally for that app.

    @bjm_ @Krusty @Buddel @Serphis

    Thanks for reporting that, I will take a look at it and should be fixed within the next release.

    And yes as Serphis wrote, a reboot is not needed, just restart NoVirusThanks OSArmorDevSvc via Services app.
     
  14. Dragon1952

    Dragon1952 Registered Member

    Joined:
    Sep 16, 2012
    Posts:
    2,512
    Location:
    Hollow Earth - Telos
    Date/Time: 2025-05-19 13:00:06
    Date/Time UTC: 2025-05-19 17:00:06
    Action: Process Blocked
    OSArmor Version: 2.0.4.0
    Process: [21820]C:\Windows\System32\reg.exe
    Process Size: 108 KB (110,592 bytes)
    Process MD5 Hash: 47FC2471604EB7D760938BF31456B12D
    Parent: [14016]C:\Windows\System32\cmd.exe
    Parent Process Size: 368 KB (376,832 bytes)
    Rule: BlockRegExecution
    Rule Name: Block execution of reg.exe
    Command Line: reg query HKLM\HARDWARE\DESCRIPTION\System\CentralProcessor\0 /v "Update Revision"
    Signer: <NULL>
    Parent Signer: <NULL>
    User/Domain: SYSTEM/NT AUTHORITY
    System File: True
    Parent System File: True
    Integrity Level: System
    Parent Integrity Level: System
    Passive Logging: False
     
  15. Dragon1952

    Dragon1952 Registered Member

    Joined:
    Sep 16, 2012
    Posts:
    2,512
    Location:
    Hollow Earth - Telos
    Date/Time: 2025-05-21 11:34:31
    Date/Time UTC: 2025-05-21 15:34:31
    Action: Process Blocked
    OSArmor Version: 2.0.4.0
    Process: [11964]C:\Windows\System32\pnputil.exe
    Process Size: 264 KB (270,336 bytes)
    Process MD5 Hash: 41C2F41EC5EA5A3BD56BC54EEF1BEBDF
    Parent: [14440]C:\ProgramData\Package Cache\45E13F008FBD360E87B38EA4347C3045CAD1EBDD\PnPInstaller.exe
    Parent Process Size: 39.04 KB (39,976 bytes)
    Rule: BlockInfLoadingViaLaunchINFSection
    Rule Name: Block loading of .inf files via InstallHinfSection\LaunchINFSection\etc
    Command Line: "C:\Windows\system32\pnputil.exe" /add-driver "Components\WiFiDriver\Netwtw6e.INF" /install
    Signer: <NULL>
    Parent Signer: Intel Corporation
    User/Domain: SYSTEM/NT AUTHORITY
    System File: True
    Parent System File: False
    Integrity Level: System
    Parent Integrity Level: System
    Passive Logging: False
     
  16. SirShane

    SirShane Developer

    Joined:
    Jan 2, 2011
    Posts:
    51
    Location:
    Oregon
    Some of them are not, as they aren't made by me, but I can sign them if that would help.
     
    Last edited: May 22, 2025
  17. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    10,481
    Location:
    Among the gum trees
    I just had the same message and manually starting the service did save me from having to restart the PC.

    Thanks.
     