NoVirusThanks OSArmor: An Additional Layer of Defense

Discussion in 'other anti-malware software' started by novirusthanks, Dec 17, 2017.

  1. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    10,574
    Location:
    Among the gum trees
I am seriously getting sick of this. Almost every other time I start Windows I'm getting this now. How to stop it, @novirusthanks?
     
  2. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    10,574
    Location:
    Among the gum trees
No, now it is EVERY BLOODY time I start my PC. OSA has become the malware now.
     
  3. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    10,574
    Location:
    Among the gum trees
    Seriously, at this point, unless this can be resolved ASAP, I will uninstall all NVT programs and disable auto-renewals.
     
  4. Serphis

    Serphis Registered Member

    Joined:
    Nov 24, 2018
    Posts:
    160
    Location:
    Italy
Hello, I don't know how active OSArmor's developers are in this forum, but as almost 10 days have passed since your post of July 31st, you could contact them at support@osarmor.com, if you haven't already done so.
     
    Last edited: Aug 9, 2025
  5. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    10,574
    Location:
    Among the gum trees
    Thanks. Yes, I have reached out by email.

    Cheers.
     
  6. novirusthanks

    novirusthanks Developer

    Joined:
    Nov 5, 2010
    Posts:
    1,368
    Location:
    Italy
  7. bjm_

    bjm_ Registered Member

    Joined:
    May 22, 2009
    Posts:
    4,580
    Location:
    .
    Last edited: Aug 9, 2025
  8. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    10,574
    Location:
    Among the gum trees
    Hi Andreas,

    I just got this from my old friend, MailWasher free:

    Parent Process Size: 7.03 MB (7,367,440 bytes)
    Rule: BlockUnsignedProcessesAppDataRoaming
    Rule Name: Block execution of unsigned processes on Roaming AppData
    Command Line: "C:\Users\David\AppData\Roaming\Firetrust\MailWasher\updater.exe" /checknow
    Signer: <NULL>
    Parent Signer: Firetrust Limited
    User/Domain: David/DAVID-HP
    System File: False
    Parent System File: False
    Integrity Level: Medium
    Parent Integrity Level: Medium
    Passive Logging: False


    Date/Time: 2025-08-10 12:52:17
    Date/Time UTC: 2025-08-10 02:52:17
    Action: Process Blocked
    OSArmor Version: 2.0.5.0
    Process: [14644]C:\Users\David\AppData\Roaming\Firetrust\MailWasher\updater.exe
    Process Size: 1.1 MB (1,156,608 bytes)
    Process MD5 Hash: 09F26574ED73CA2DEA47B81D3D57E04F
    Parent: [12692]C:\Program Files (x86)\Firetrust\MailWasher\MailWasher.exe
    Parent Process Size: 7.03 MB (7,367,440 bytes)
    Rule: BlockUnsignedProcessesAppDataRoaming
    Rule Name: Block execution of unsigned processes on Roaming AppData
    Command Line: "C:\Users\David\AppData\Roaming\Firetrust\MailWasher\updater.exe" /justcheck
    Signer: <NULL>
    Parent Signer: Firetrust Limited
    User/Domain: David/DAVID-HP
    System File: False
    Parent System File: False
    Integrity Level: Medium
    Parent Integrity Level: Medium
    Passive Logging: False

Oh, that's right. I uninstalled / reinstalled OSA trying to solve my other recent bug, so I lost my exclusion. D'oh!
     
  9. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    10,574
    Location:
    Among the gum trees
    Hi Andreas,

    I think I need new exclusions for MailWasher.

    Thanks,
    Dave
     
  10. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    10,574
    Location:
    Among the gum trees
MailWasher logs from today.
     

    Attached Files:

  11. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    10,574
    Location:
    Among the gum trees
    Previous exclusions no longer work. Excluding from block does not work.
     
  12. Dragon1952

    Dragon1952 Registered Member

    Joined:
    Sep 16, 2012
    Posts:
    2,526
    Location:
    Hollow Earth - Telos
    Date/Time: 2025-09-10 14:31:35
    Date/Time UTC: 2025-09-10 18:31:35
    Action: Process Blocked
    OSArmor Version: 2.0.5.0
    Process: [17960]C:\Windows\System32\eventvwr.exe
    Process Size: 104 KB (106,496 bytes)
    Process MD5 Hash: 2C1A1C0094DF8DF7C3E7FF4E580FD270
    Parent: [9520]C:\Windows\System32\mmc.exe
    Parent Process Size: 1.8 MB (1,892,352 bytes)
    Rule: AntiExploitProtectSpecificSystemProcesses
    Rule Name: Protect specific system processes with anti-exploit module
    Command Line: "C:\Windows\System32\eventvwr.exe" /v:"C:\Users\xxxxx\AppData\Local\Temp\devmgr.xml"
    Signer: <NULL>
    Parent Signer: <NULL>
    User/Domain: xxxxx/xxxxx
    System File: True
    Parent System File: True
    Integrity Level: High
    Parent Integrity Level: High
    Passive Logging: False
     
  13. Buddel

    Buddel Registered Member

    Joined:
    Apr 28, 2015
    Posts:
    2,089
    Probably related to Windows "Hot Patch":

    Date/Time: 2025-09-30 19:43:21
    Date/Time UTC: 2025-09-30 17:43:21
    Action: Process Blocked
    OSArmor Version: 2.0.5.0
    Process: [2200]C:\Windows\System32\cmd.exe
    Process Size: 336 KB (344.064 bytes)
    Process MD5 Hash: 4C70711F79B6ADBCA108E4CD012AEAAC
    Parent: [6404]C:\Windows\System32\cmd.exe
    Parent Process Size: 336 KB (344.064 bytes)
    Rule: BlockCmdExeExecution
    Rule Name: Block execution of cmd.exe
    Command Line: C:\WINDOWS\system32\cmd.exe /c reg query "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\HotPatch" /s | findstr /r /c:"HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\HotPatch*"
    Signer: <NULL>
    Parent Signer: <NULL>
    User/Domain: SYSTEM/NT-AUTORITÄT
    System File: True
    Parent System File: True
    Integrity Level: System
    Parent Integrity Level: System
    Passive Logging: False


    Date/Time: 2025-09-30 19:43:21
    Date/Time UTC: 2025-09-30 17:43:21
    Action: Process Blocked
    OSArmor Version: 2.0.5.0
    Process: [6764]C:\Windows\System32\reg.exe
    Process Size: 108 KB (110.592 bytes)
    Process MD5 Hash: F6E3559DDDDCCC843A12CFD50178C554
    Parent: [6404]C:\Windows\System32\cmd.exe
    Parent Process Size: 336 KB (344.064 bytes)
    Rule: BlockRegExecution
    Rule Name: Block execution of reg.exe
    Command Line: reg query "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\HotPatch"
    Signer: <NULL>
    Parent Signer: <NULL>
    User/Domain: SYSTEM/NT-AUTORITÄT
    System File: True
    Parent System File: True
    Integrity Level: System
    Parent Integrity Level: System
    Passive Logging: False
     
    Last edited: Sep 30, 2025
  14. Tarnak

    Tarnak Registered Member

    Joined:
    Feb 5, 2007
    Posts:
    5,599
    Date/Time UTC: 2025-09-30 10:18:11
    Action: Process Blocked
    OSArmor Version: 2.0.5.0
    Process: [22548]C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Process Size: 445 KB (455,680 bytes)
    Process MD5 Hash: 2E5A8590CF6848968FC23DE3FA1E25F1
    Parent: [24192]C:\Windows\System32\cmd.exe
    Parent Process Size: 283 KB (289,792 bytes)
    Rule: PreventCmdFromExecutingPowerShell
    Rule Name: Prevent cmd.exe from executing powershell.exe
    Command Line: powershell -command "Get-AppxPackage"
    Signer: <NULL>
    Parent Signer: <NULL>
    User/Domain: KrisTwo/DESKTOP-XXXXXXX
    System File: True
    Parent System File: True
    Integrity Level: High
    Parent Integrity Level: High
    Passive Logging: False
     
  15. Buddel

    Buddel Registered Member

    Joined:
    Apr 28, 2015
    Posts:
    2,089
    Date/Time: 2025-10-01 19:52:42
    Date/Time UTC: 2025-10-01 17:52:42
    Action: Process Blocked
    OSArmor Version: 2.0.5.0
    Process: [11036]C:\Windows\System32\reg.exe
    Process Size: 108 KB (110.592 bytes)
    Process MD5 Hash: F6E3559DDDDCCC843A12CFD50178C554
    Parent: [6268]C:\Windows\System32\cmd.exe
    Parent Process Size: 336 KB (344.064 bytes)
    Rule: BlockRegExecution
    Rule Name: Block execution of reg.exe
    Command Line: reg query "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\HotPatch" /s
    Signer: <NULL>
    Parent Signer: <NULL>
    User/Domain: SYSTEM/NT-AUTORITÄT
    System File: True
    Parent System File: True
    Integrity Level: System
    Parent Integrity Level: System
    Passive Logging: False


    Date/Time: 2025-10-01 19:52:42
    Date/Time UTC: 2025-10-01 17:52:42
    Action: Process Blocked
    OSArmor Version: 2.0.5.0
    Process: [5888]C:\Windows\System32\reg.exe
    Process Size: 108 KB (110.592 bytes)
    Process MD5 Hash: F6E3559DDDDCCC843A12CFD50178C554
    Parent: [7680]C:\Windows\System32\cmd.exe
    Parent Process Size: 336 KB (344.064 bytes)
    Rule: BlockRegExecution
    Rule Name: Block execution of reg.exe
    Command Line: reg query "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\HotPatch"
    Signer: <NULL>
    Parent Signer: <NULL>
    User/Domain: SYSTEM/NT-AUTORITÄT
    System File: True
    Parent System File: True
    Integrity Level: System
    Parent Integrity Level: System
    Passive Logging: False
     
  16. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    10,574
    Location:
    Among the gum trees
    Date/Time: 2025-10-03 16:20:35
    Date/Time UTC: 2025-10-03 06:20:35
    Action: Process Blocked
    OSArmor Version: 2.0.5.0
    Process: [68]C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    Process Size: 425.5 KB (435,712 bytes)
    Process MD5 Hash: 6BB54B2D7A3D63578559239A79700EA3
    Parent: [16104]C:\Users\David\AppData\Local\Temp\2d20c907e1aef7dca6db4aed69664c90\updater.exe
    Parent Process Size: 2.04 MB (2,141,320 bytes)
    Rule: BlockSuspiciousUncommonPowerShellCommands
    Rule Name: Block suspicious and uncommon PowerShell commands
    Command Line: powershell.exe -NonInteractive -NoLogo -ExecutionPolicy Unrestricted -WindowStyle Hidden -Command "$host.UI.RawUI.BufferSize = new-object System.Management.Automation.Host.Size(1024,50);" "&""C:\Users\David\AppData\Local\Temp\ps1568E.ps1""" 2> "C:\Users\David\AppData\Local\Temp\ps1568F.txt"
    Signer: <NULL>
    Parent Signer: Patch My PC, LLC
    User/Domain: David/DAVID-HP
    System File: True
    Parent System File: False
    Integrity Level: High
    Parent Integrity Level: High
    Passive Logging: False
     
  17. Dragon1952

    Dragon1952 Registered Member

    Joined:
    Sep 16, 2012
    Posts:
    2,526
    Location:
    Hollow Earth - Telos
This happened when I was installing a CCleaner update.
    Date/Time: 2025-10-06 10:13:02
    Date/Time UTC: 2025-10-06 14:13:02
    Action: Process Blocked
    OSArmor Version: 2.0.5.0
    Process: [7260]C:\Windows\SysWOW64\schtasks.exe
    Process Size: 225.5 KB (230,912 bytes)
    Process MD5 Hash: C84145B4B8473CF2740779AE9908E0A9
    Parent: [9460]C:\Windows\SysWOW64\cmd.exe
    Parent Process Size: 279.5 KB (286,208 bytes)
    Rule: BlockSchtasksExe
    Rule Name: Block execution of schtasks.exe
    Command Line: C:\Windows\system32\schtasks /query /fo list
    Signer: <NULL>
    Parent Signer: <NULL>
    User/Domain:
    System File: True
    Parent System File: True
    Integrity Level: High
    Parent Integrity Level: High
    Passive Logging: False
     
  18. moredhelfinland

    moredhelfinland Registered Member

    Joined:
    Mar 31, 2009
    Posts:
    445
    Location:
    Finland
OSArmor is one of the best I've used, still using it. Only enable "suspicious" and the DLL sideloading feature. Combine it with Fort Firewall's ability to add some lolbins to kill child processes so they don't connect outside (or not kill). And Fort Firewall does not use Windows' own crappy firewall.
    But... you have to add to Fort Firewall, for example, when I was testing some malware samples, explorer.exe, even control.exe (control panel) and "openwith.exe" want to connect outside...
    Just change a bit or two of Lockbit 5.0 and your system is prolly encrypted.
    Sophos is the best; however, the Sophos HOME version lags a lot behind the newest HMPA alert component, which is sad, very sad.
     
  19. Tarnak

    Tarnak Registered Member

    Joined:
    Feb 5, 2007
    Posts:
    5,599
    https://www.wilderssecurity.com/thr...layer-of-defense.398859/page-205#post-3250883

    Again:

    Date/Time: 2025-10-14 23:32:12
    Date/Time UTC: 2025-10-14 13:32:12
    Action: Process Blocked
    OSArmor Version: 2.0.5.0
    Process: [22672]C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Process Size: 445 KB (455,680 bytes)
    Process MD5 Hash: 2E5A8590CF6848968FC23DE3FA1E25F1
    Parent: [26696]C:\Windows\System32\cmd.exe
    Parent Process Size: 283 KB (289,792 bytes)
    Rule: PreventCmdFromExecutingPowerShell
    Rule Name: Prevent cmd.exe from executing powershell.exe
    Command Line: powershell -command "Get-AppxPackage"
    Signer: <NULL>
    Parent Signer: <NULL>
    User/Domain: KrisTwo/DESKTOP-XXXXXXX
    System File: True
    Parent System File: True
    Integrity Level: High
    Parent Integrity Level: High
    Passive Logging: False
     
  20. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    10,574
    Location:
    Among the gum trees
    Today:

    Date/Time: 2025-10-17 12:54:02
    Date/Time UTC: 2025-10-17 01:54:02
    Action: Process Blocked
    OSArmor Version: 2.0.5.0
    Process: [12788]C:\Program Files\VideoLAN\VLC\vlc.exe
    Process Size: 969.38 KB (992,648 bytes)
    Process MD5 Hash: F9538485432D3EC640F89096BA2D4D00
    Parent: [8764]C:\Windows\explorer.exe
    Parent Process Size: 5.81 MB (6,089,584 bytes)
    Rule: BlockSuspiciousCmdlines
    Rule Name: Block execution of suspicious command-line strings
    Command Line: "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file cdda:///E:\
    Signer: VideoLAN
    Parent Signer: Microsoft Windows
    User/Domain: David/DAVID-HP
    System File: False
    Parent System File: True
    Integrity Level: Medium
    Parent Integrity Level: Medium
    Passive Logging: False
     
  21. Dragon1952

    Dragon1952 Registered Member

    Joined:
    Sep 16, 2012
    Posts:
    2,526
    Location:
    Hollow Earth - Telos
    Date/Time: 2025-10-23 18:29:30
    Date/Time UTC: 2025-10-23 22:29:30
    Action: Process Blocked
    OSArmor Version: 2.0.5.0
    Process: [18928]C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    Process Size: 413.5 KB (423,424 bytes)
    Process MD5 Hash: 0CB6529404FAEF431547CFF590744553
    Parent: [20924]C:\Windows\Temp\{1398D84C-02D9-4E7D-9C0E-7F464C07DFBD}\Setup.exe
    Parent Process Size: 944.89 KB (967,568 bytes)
    Rule: BlockSuspiciousUncommonPowerShellCommands
    Rule Name: Block suspicious and uncommon PowerShell commands
    Command Line: powershell.exe -noprofile -executionpolicy bypass -Command "Get-ChildItem -Recurse *.* | Unblock-File"
    Signer: <NULL>
    Parent Signer: Realtek Semiconductor Corp.
    User/Domain: SYSTEM/NT AUTHORITY
    System File: True
    Parent System File: False
    Integrity Level: System
    Parent Integrity Level: System
    Passive Logging: False
     
  22. Tarnak

    Tarnak Registered Member

    Joined:
    Feb 5, 2007
    Posts:
    5,599
    Date/Time: 2025-10-25 19:57:38
    Date/Time UTC: 2025-10-25 09:57:38
    Action: Process Blocked
    OSArmor Version: 2.0.5.0
    Process: [672]C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Process Size: 445 KB (455,680 bytes)
    Process MD5 Hash: 2E5A8590CF6848968FC23DE3FA1E25F1
    Parent: [8272]C:\Windows\System32\cmd.exe
    Parent Process Size: 283 KB (289,792 bytes)
    Rule: PreventCmdFromExecutingPowerShell
    Rule Name: Prevent cmd.exe from executing powershell.exe
    Command Line: powershell -command "Get-AppxPackage"
    Signer: <NULL>
    Parent Signer: <NULL>
    User/Domain: KrisTwo/DESKTOP-XXXXXXX
    System File: True
    Parent System File: True
    Integrity Level: High
    Parent Integrity Level: High
    Passive Logging: False

    Date/Time: 2025-10-25 19:49:57
    Date/Time UTC: 2025-10-25 09:49:57
    Action: Process Blocked
    OSArmor Version: 2.0.5.0
    Process: [1580]C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Process Size: 445 KB (455,680 bytes)
    Process MD5 Hash: 2E5A8590CF6848968FC23DE3FA1E25F1
    Parent: [6884]C:\Windows\System32\cmd.exe
    Parent Process Size: 283 KB (289,792 bytes)
    Rule: PreventCmdFromExecutingPowerShell
    Rule Name: Prevent cmd.exe from executing powershell.exe
    Command Line: powershell -command "Get-AppxPackage"
    Signer: <NULL>
    Parent Signer: <NULL>
    User/Domain: KrisTwo/DESKTOP-XXXXXXX
    System File: True
    Parent System File: True
    Integrity Level: High
    Parent Integrity Level: High
    Passive Logging: False

    Date/Time: 2025-10-25 13:03:36
    Date/Time UTC: 2025-10-25 03:03:36
    Action: Process Blocked
    OSArmor Version: 2.0.5.0
    Process: [12664]C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Process Size: 445 KB (455,680 bytes)
    Process MD5 Hash: 2E5A8590CF6848968FC23DE3FA1E25F1
    Parent: [16764]C:\Windows\System32\cmd.exe
    Parent Process Size: 283 KB (289,792 bytes)
    Rule: PreventCmdFromExecutingPowerShell
    Rule Name: Prevent cmd.exe from executing powershell.exe
    Command Line: powershell -command "Get-AppxPackage"
    Signer: <NULL>
    Parent Signer: <NULL>
    User/Domain: KrisTwo/DESKTOP-XXXXXXX
    System File: True
    Parent System File: True
    Integrity Level: High
    Parent Integrity Level: High
    Passive Logging: False

    Date/Time: 2025-10-25 05:13:32
    Date/Time UTC: 2025-10-24 19:13:32
    Action: Process Blocked
    OSArmor Version: 2.0.5.0
    Process: [19184]C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Process Size: 445 KB (455,680 bytes)
    Process MD5 Hash: 2E5A8590CF6848968FC23DE3FA1E25F1
    Parent: [19076]C:\Windows\System32\cmd.exe
    Parent Process Size: 283 KB (289,792 bytes)
    Rule: PreventCmdFromExecutingPowerShell
    Rule Name: Prevent cmd.exe from executing powershell.exe
    Command Line: powershell -command "Get-AppxPackage"
    Signer: <NULL>
    Parent Signer: <NULL>
    User/Domain: KrisTwo/DESKTOP-XXXXXXX
    System File: True
    Parent System File: True
    Integrity Level: High
    Parent Integrity Level: High
    Passive Logging: False

    Date/Time: 2025-10-25 04:28:35
    Date/Time UTC: 2025-10-24 18:28:35
    Action: Process Blocked
    OSArmor Version: 2.0.5.0
    Process: [17128]C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Process Size: 445 KB (455,680 bytes)
    Process MD5 Hash: 2E5A8590CF6848968FC23DE3FA1E25F1
    Parent: [17432]C:\Windows\System32\cmd.exe
    Parent Process Size: 283 KB (289,792 bytes)
    Rule: PreventCmdFromExecutingPowerShell
    Rule Name: Prevent cmd.exe from executing powershell.exe
    Command Line: powershell -command "Get-AppxPackage"
    Signer: <NULL>
    Parent Signer: <NULL>
    User/Domain: KrisTwo/DESKTOP-XXXXXXX
    System File: True
    Parent System File: True
    Integrity Level: High
    Parent Integrity Level: High
    Passive Logging: False
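Most of the reports in this thread are block events that turn out to be a vendor updater or installer that simply needs an exclusion, while the same rules would also fire on something that deserves a closer look. The script below is an added example for triaging such dumps; it is not OSArmor's own code or anything the developer ships. It parses the key/value report format members paste here and sorts each record into a bucket. The scoring weights, the list of user-writable directories and the list of PowerShell switches are this example's assumptions; the first two sample records are trimmed copies of reports posted above (MailWasher's updater and the Realtek Setup.exe), the third is constructed with a fictional parent path and a placeholder payload.

```python
"""Triage helper for OSArmor 'Process Blocked' reports. Added example for
this thread, not OSArmor's own code: it parses the key/value format that
members paste here and buckets each record so a lost exclusion (a signed
updater spawning its unsigned helper) can be told apart from an event
worth a closer look. Weights, directory and switch lists are assumptions."""
import re
from typing import Dict, List, Tuple

# Sample dump: records 1 and 2 are trimmed copies of reports posted in this
# thread; record 3 is constructed (fictional parent path, placeholder payload).
SAMPLE_LOG = r"""
Date/Time UTC: 2025-08-10 02:52:17
Action: Process Blocked
Process: [14644]C:\Users\David\AppData\Roaming\Firetrust\MailWasher\updater.exe
Parent: [12692]C:\Program Files (x86)\Firetrust\MailWasher\MailWasher.exe
Rule: BlockUnsignedProcessesAppDataRoaming
Command Line: "C:\Users\David\AppData\Roaming\Firetrust\MailWasher\updater.exe" /justcheck
Signer: <NULL>
Parent Signer: Firetrust Limited

Date/Time UTC: 2025-10-23 22:29:30
Action: Process Blocked
Process: [18928]C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Parent: [20924]C:\Windows\Temp\{1398D84C-02D9-4E7D-9C0E-7F464C07DFBD}\Setup.exe
Rule: BlockSuspiciousUncommonPowerShellCommands
Command Line: powershell.exe -noprofile -executionpolicy bypass -Command "Get-ChildItem -Recurse *.* | Unblock-File"
Signer: <NULL>
Parent Signer: Realtek Semiconductor Corp.

Date/Time UTC: 2025-10-30 08:00:00
Action: Process Blocked
Process: [4242]C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Parent: [4141]C:\Users\Example\AppData\Local\Temp\invoice_viewer.exe
Rule: BlockSuspiciousUncommonPowerShellCommands
Command Line: powershell.exe -NoProfile -WindowStyle Hidden -EncodedCommand <base64-placeholder>
Signer: <NULL>
Parent Signer: <NULL>
"""

_PID_PREFIX = re.compile(r"^\[(\d+)\](.*)$")
# Locations a standard user can write to (assumed list, lower-case fragments).
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\users\\public\\", "\\programdata\\")
# PowerShell switches that are common in droppers and rare in admin scripts.
PS_SWITCHES = ("-windowstyle hidden", "-executionpolicy bypass",
               "-executionpolicy unrestricted", "-noprofile", "-encodedcommand")


def parse_records(text: str) -> List[Dict[str, str]]:
    """Split a dump into blank-line separated records, each a key -> value
    dict; the '[pid]' prefix on Process/Parent goes to ProcessPid/ParentPid."""
    records: List[Dict[str, str]] = []
    current: Dict[str, str] = {}
    for raw in text.splitlines() + [""]:
        line = raw.strip()
        if not line:
            if current:
                records.append(current)
                current = {}
            continue
        key, sep, value = line.partition(": ")
        if not sep:
            if not line.endswith(":"):
                continue                      # not a report field, skip it
            key, value = line[:-1], ""        # field present but left empty
        if key in ("Process", "Parent"):
            m = _PID_PREFIX.match(value)
            if m:
                current[key + "Pid"], value = m.group(1), m.group(2)
        current[key] = value
    return records


def is_signed(signer: str) -> bool:
    return bool(signer) and signer != "<NULL>"


def in_user_writable(path: str) -> bool:
    return any(fragment in path.lower() for fragment in USER_WRITABLE)


def triage(rec: Dict[str, str]) -> Dict[str, object]:
    """Score 3+ = investigate, 1-2 = verify (probably an updater needing an exclusion), else likely benign."""
    proc, parent = rec.get("Process", ""), rec.get("Parent", "")
    cmd, parent_signer = rec.get("Command Line", "").lower(), rec.get("Parent Signer", "")
    findings: List[Tuple[int, str]] = []
    if not is_signed(rec.get("Signer", "")) and in_user_writable(proc):
        findings.append((2, "unsigned binary in a user-writable directory"))
    if not is_signed(parent_signer) and in_user_writable(parent):
        findings.append((2, "unsigned parent in a user-writable directory"))
    if proc.lower().endswith("powershell.exe"):
        hits = [s for s in PS_SWITCHES if s in cmd]
        if hits:
            findings.append((len(hits), "powershell with " + ", ".join(hits)))
    if is_signed(parent_signer) and parent_signer != "Microsoft Windows":
        findings.append((-1, "parent signed by " + parent_signer + " (updater/installer?)"))
    score = sum(points for points, _ in findings)
    bucket = "investigate" if score >= 3 else "verify" if score >= 1 else "likely-benign"
    return {"bucket": bucket, "score": score, "rule": rec.get("Rule", ""),
            "reasons": [why for _, why in findings]}


if __name__ == "__main__":
    for rec in parse_records(SAMPLE_LOG):
        t = triage(rec)
        print(t["bucket"], t["score"], t["rule"], "; ".join(t["reasons"]))
```

Run on the three samples, the MailWasher and Realtek records land in "verify" (an unsigned helper or PowerShell switches, but with a signed vendor parent), while the constructed record, an unsigned parent in Temp launching hidden, encoded PowerShell, lands in "investigate". Paste a whole thread's worth of reports into SAMPLE_LOG to see which rules only ever fire on updaters on a given machine.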
     