NoVirusThanks OSArmor: An Additional Layer of Defense

Discussion in 'other anti-malware software' started by novirusthanks, Dec 17, 2017.

  1. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    10,536
    Location:
    Among the gum trees
    I am seriously getting sick of this. Almost every other time I start Windows I'm getting this now. How to stop it, @novirusthanks ?
     
  2. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    10,536
    Location:
    Among the gum trees
    No, now it is EVERY BLOODY time I start my PC. OSA has become the malware now.
     
  3. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    10,536
    Location:
    Among the gum trees
    Seriously, at this point, unless this can be resolved ASAP, I will uninstall all NVT programs and disable auto-renewals.
     
  4. Serphis

    Serphis Registered Member

    Joined:
    Nov 24, 2018
    Posts:
    147
    Location:
    Italy
    Hello, I don't know how active OSArmor's developers are in this forum, but as almost 10 days have passed since your post of July 31st, you could contact them at support@osarmor.com, if you haven't already done so.
     
    Last edited: Aug 9, 2025
  5. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    10,536
    Location:
    Among the gum trees
    Thanks. Yes, I have reached out by email.

    Cheers.
     
  6. novirusthanks

    novirusthanks Developer

    Joined:
    Nov 5, 2010
    Posts:
    1,368
    Location:
    Italy
  7. bjm_

    bjm_ Registered Member

    Joined:
    May 22, 2009
    Posts:
    4,567
    Location:
    .
    Last edited: Aug 9, 2025
  8. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    10,536
    Location:
    Among the gum trees
    Hi Andreas,

    I just got this from my old friend, MailWasher free:

    Parent Process Size: 7.03 MB (7,367,440 bytes)
    Rule: BlockUnsignedProcessesAppDataRoaming
    Rule Name: Block execution of unsigned processes on Roaming AppData
    Command Line: "C:\Users\David\AppData\Roaming\Firetrust\MailWasher\updater.exe" /checknow
    Signer: <NULL>
    Parent Signer: Firetrust Limited
    User/Domain: David/DAVID-HP
    System File: False
    Parent System File: False
    Integrity Level: Medium
    Parent Integrity Level: Medium
    Passive Logging: False


    Date/Time: 2025-08-10 12:52:17
    Date/Time UTC: 2025-08-10 02:52:17
    Action: Process Blocked
    OSArmor Version: 2.0.5.0
    Process: [14644]C:\Users\David\AppData\Roaming\Firetrust\MailWasher\updater.exe
    Process Size: 1.1 MB (1,156,608 bytes)
    Process MD5 Hash: 09F26574ED73CA2DEA47B81D3D57E04F
    Parent: [12692]C:\Program Files (x86)\Firetrust\MailWasher\MailWasher.exe
    Parent Process Size: 7.03 MB (7,367,440 bytes)
    Rule: BlockUnsignedProcessesAppDataRoaming
    Rule Name: Block execution of unsigned processes on Roaming AppData
    Command Line: "C:\Users\David\AppData\Roaming\Firetrust\MailWasher\updater.exe" /justcheck
    Signer: <NULL>
    Parent Signer: Firetrust Limited
    User/Domain: David/DAVID-HP
    System File: False
    Parent System File: False
    Integrity Level: Medium
    Parent Integrity Level: Medium
    Passive Logging: False

    Oh, that's right. I uninstalled / reinstalled OSA trying to solve my other recent bug, so lost my exclusion. D'oh!
     
  9. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    10,536
    Location:
    Among the gum trees
    Hi Andreas,

    I think I need new exclusions for MailWasher.

    Thanks,
    Dave
     
  10. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    10,536
    Location:
    Among the gum trees
    MailWasher logs from today.
     


  11. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    10,536
    Location:
    Among the gum trees
    Previous exclusions no longer work. Excluding from block does not work.
     
  12. Dragon1952

    Dragon1952 Registered Member

    Joined:
    Sep 16, 2012
    Posts:
    2,519
    Location:
    Hollow Earth - Telos
    Date/Time: 2025-09-10 14:31:35
    Date/Time UTC: 2025-09-10 18:31:35
    Action: Process Blocked
    OSArmor Version: 2.0.5.0
    Process: [17960]C:\Windows\System32\eventvwr.exe
    Process Size: 104 KB (106,496 bytes)
    Process MD5 Hash: 2C1A1C0094DF8DF7C3E7FF4E580FD270
    Parent: [9520]C:\Windows\System32\mmc.exe
    Parent Process Size: 1.8 MB (1,892,352 bytes)
    Rule: AntiExploitProtectSpecificSystemProcesses
    Rule Name: Protect specific system processes with anti-exploit module
    Command Line: "C:\Windows\System32\eventvwr.exe" /v:"C:\Users\xxxxx\AppData\Local\Temp\devmgr.xml"
    Signer: <NULL>
    Parent Signer: <NULL>
    User/Domain: xxxxx/xxxxx
    System File: True
    Parent System File: True
    Integrity Level: High
    Parent Integrity Level: High
    Passive Logging: False
     
  13. Buddel

    Buddel Registered Member

    Joined:
    Apr 28, 2015
    Posts:
    2,082
    Probably related to Windows "Hot Patch":

    Date/Time: 2025-09-30 19:43:21
    Date/Time UTC: 2025-09-30 17:43:21
    Action: Process Blocked
    OSArmor Version: 2.0.5.0
    Process: [2200]C:\Windows\System32\cmd.exe
    Process Size: 336 KB (344.064 bytes)
    Process MD5 Hash: 4C70711F79B6ADBCA108E4CD012AEAAC
    Parent: [6404]C:\Windows\System32\cmd.exe
    Parent Process Size: 336 KB (344.064 bytes)
    Rule: BlockCmdExeExecution
    Rule Name: Block execution of cmd.exe
    Command Line: C:\WINDOWS\system32\cmd.exe /c reg query "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\HotPatch" /s | findstr /r /c:"HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\HotPatch*"
    Signer: <NULL>
    Parent Signer: <NULL>
    User/Domain: SYSTEM/NT-AUTORITÄT
    System File: True
    Parent System File: True
    Integrity Level: System
    Parent Integrity Level: System
    Passive Logging: False


    Date/Time: 2025-09-30 19:43:21
    Date/Time UTC: 2025-09-30 17:43:21
    Action: Process Blocked
    OSArmor Version: 2.0.5.0
    Process: [6764]C:\Windows\System32\reg.exe
    Process Size: 108 KB (110.592 bytes)
    Process MD5 Hash: F6E3559DDDDCCC843A12CFD50178C554
    Parent: [6404]C:\Windows\System32\cmd.exe
    Parent Process Size: 336 KB (344.064 bytes)
    Rule: BlockRegExecution
    Rule Name: Block execution of reg.exe
    Command Line: reg query "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\HotPatch"
    Signer: <NULL>
    Parent Signer: <NULL>
    User/Domain: SYSTEM/NT-AUTORITÄT
    System File: True
    Parent System File: True
    Integrity Level: System
    Parent Integrity Level: System
    Passive Logging: False
     
    Last edited: Sep 30, 2025 at 4:00 PM
  14. Tarnak

    Tarnak Registered Member

    Joined:
    Feb 5, 2007
    Posts:
    5,574
    Date/Time UTC: 2025-09-30 10:18:11
    Action: Process Blocked
    OSArmor Version: 2.0.5.0
    Process: [22548]C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Process Size: 445 KB (455,680 bytes)
    Process MD5 Hash: 2E5A8590CF6848968FC23DE3FA1E25F1
    Parent: [24192]C:\Windows\System32\cmd.exe
    Parent Process Size: 283 KB (289,792 bytes)
    Rule: PreventCmdFromExecutingPowerShell
    Rule Name: Prevent cmd.exe from executing powershell.exe
    Command Line: powershell -command "Get-AppxPackage"
    Signer: <NULL>
    Parent Signer: <NULL>
    User/Domain: KrisTwo/DESKTOP-XXXXXXX
    System File: True
    Parent System File: True
    Integrity Level: High
    Parent Integrity Level: High
    Passive Logging: False
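
For reviewing block reports like the ones pasted in this thread before deciding on exclusions, the entries can be parsed and bucketed as below. This is an added example, not part of the thread and not NoVirusThanks code; the function names and the triage buckets are assumptions made here, and the sample is constructed from the posted entries.

```python
import re
from collections import Counter

# Constructed sample, abridged from the posted logs; the first block is a truncated paste.
SAMPLE = r"""
Parent Process Size: 7.03 MB (7,367,440 bytes)
Rule: BlockUnsignedProcessesAppDataRoaming

Action: Process Blocked
Process: [14644]C:\Users\David\AppData\Roaming\Firetrust\MailWasher\updater.exe
Process Size: 1.1 MB (1,156,608 bytes)
Rule: BlockUnsignedProcessesAppDataRoaming
Signer: <NULL>
Parent Signer: Firetrust Limited

Action: Process Blocked
Process: [6764]C:\Windows\System32\reg.exe
Process Size: 108 KB (110.592 bytes)
Rule: BlockRegExecution
System File: True
Parent System File: True
"""

def parse_entries(text):
    """Parse blank-line-separated 'Key: value' blocks; drop truncated fragments."""
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):
        f = dict(l.strip().split(": ", 1) for l in block.splitlines() if ": " in l)
        if not {"Action", "Process", "Rule"} <= f.keys():
            continue  # pasted fragment without its header lines
        pid, path = re.match(r"\[(\d+)\](.+)", f["Process"]).groups()
        size = re.search(r"\(([\d.,]+) bytes\)", f.get("Process Size", ""))
        # Thousands separator depends on locale: "1,156,608" and "110.592" both occur.
        f.update(pid=int(pid), path=path,
                 size=int(re.sub(r"[.,]", "", size.group(1))) if size else None)
        entries.append(f)
    return entries

def triage(e):
    """Review bucket (a heuristic assumed here, not an OSArmor feature)."""
    if e.get("System File") == e.get("Parent System File") == "True":
        return "system-binary-chain"  # still check the command line
    if e.get("Signer") == "<NULL>" and e.get("Parent Signer", "<NULL>") != "<NULL>":
        return "unsigned-child-of-signed-parent"
    return "manual-review"

def summarize(text):
    return Counter((e["Rule"], triage(e)) for e in parse_entries(text))
```

`summarize()` gives a count per rule and bucket, which shows at a glance which rules account for most of the blocks.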
     