NoVirusThanks OSArmor: An Additional Layer of Defense

Discussion in 'other anti-malware software' started by novirusthanks, Dec 17, 2017.

  1. Buddel

    Buddel Registered Member

    Joined:
    Apr 28, 2015
    Posts:
    1,577
    No, he did not go on vacation. He released a new version of WinUpdateStop only yesterday: https://www.winupdatestop.com/
     
  2. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,398
    Location:
    U.S.A.
    Not yet. As best as I can determine, the current installed OSArmorDevDrv and osadevprotect drivers are the same as the original ver. 1.5.6 ones. Ditto for the prior version ones Win 10 is showing.

    Also interesting is I haven't detected any OSA dial-out activity from OSArmorDevSvc.exe or NVTHelperProcess.exe since the 3/9 incident. This is odd since they usually manifest after a system restart of which I have performed multiples of since that date.
     
  3. jmonge

    jmonge Registered Member

    Joined:
    Mar 20, 2008
    Posts:
    13,744
    Location:
    Canada
    Maybe he is fixing stuff under the hood;)
     
  4. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,398
    Location:
    U.S.A.
    I removed the Intel Microcode update, KB4589212, and can 100% confirm that OSA self-protection DevSvc drivers were removed and reinstalled as part of the Win Update processing. Ditto when KB4589212 reinstalled itself. Also these were the only drivers that this activity occurred for.

    All this is a bit disconcerting to me that a Win 10 Update could and would do such activity.
     
  5. novirusthanks

    novirusthanks Developer

    Joined:
    Nov 5, 2010
    Posts:
    1,125
    Location:
    Italy
    @itman

    The kernel-mode driver of OSArmor is auto-extracted in \drivers\ folder from OSArmorDevSvc everytime the service is started.

    This is done so that the driver file is not "abused" and also because OSArmor service will contain the latest driver in case it is updated.

    So the last modified/created file datetime of OSA driver may change everytime the service is started (e.g when PC is restarted).

    If you check the digital signature you will see on the Timestamp tab that is has been digitally signed on October 2018 -> this is the real date of when the driver was signed/created.

    About this event you reported:

    It looks strange yes, but it is a false positive - we noticed that behavior in other systems too and seems to be safe.

    It will be fixed on the next OSArmor version.

    About the issues you have about OSArmorDevSvc not starting are strange, I was not able to reproduce here but will take a deeper look on the next days.

    Only another user (@wat0114) has reported similar issues (OSArmorDevSvc not starting sometimes when the PC is restarted).

    About outbound connections of OSArmorDevSvc.exe or NVTHelperProcess.exe:

    Did you block them with your firewall?

    OSArmorDevSvc.exe may establish outbound connections with our servers if you have the option "Auto-update program" checked.

    NVTHelperProcess.exe may establish outbound connections with VeriSign servers to verify digital signatures.

    I highly recommend to allow them to connect on TCP port 443 (HTTPS) and 53 (DNS resolutions).

    Else if a malware is digitally signed with a revoked cert then it may not be blocked correctly.
     
  6. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,398
    Location:
    U.S.A.
    Never have observed this previously. Again, only time this occurred was as a result of the Win Update noted.

    Also, OSArmorDevDrv.sys was not the only driver modified. So was osadevprotect.sys, OSA self-protection, which is a device driver. Since this would load in the initial boot phase, it wouldn't be modified by its service startup as I see it.

    -EDIT- I just reinstalled OSA and am now seeing the update behavior described. Possible a previous OSA install on-top hosed something in this regard.
    I was more concerned about winlogon.exe starting from mspaint.exe. The only process I know of that should be starting winlogon.exe is smss.exe:
    https://nasbench.medium.com/windows-system-processes-an-overview-for-blue-teams-42fa7a617920
    Yes, I do monitor them with a firewall rule.

    Prior to this noted Win Update KB4589212, OSArmorDevSvc.exe would periodically try to dial-out in spite of OSA auto updating being disabled. Ditto for NVTHelperProcess.exe although I have not enabled any settings in the new Trusted Publisher feature. This network activity usually manifested as system startup time or as a result of a system restart. Since the KB4589212 update - 5 days, none of the above outbound network activity has been observed. This is perfectly fine with me and is how OSA should work in my opinion. I just find it odd that the ceasing of OSA network activity syncs with the update date/time changes of OSA self-protection and OSArmorDevDrv drivers.

    Here's a screenshot of OSA outbound network activity prior to it ceasing at approx. 6 PM on 3/9:

    OSA_Outbound.png
     
    Last edited: Mar 15, 2021
  7. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    14,592
    Location:
    The Netherlands
    Can you perhaps take a look at these posts? Seems like all of the NVT tools including OSA have got DPI scaling issues. I can fix these issues by changing certain settings related to DPI scaling in Win 10, but users shouldn't have to do this if the app is designed in the right way.

    https://www.wilderssecurity.com/thr...layer-of-defense.398859/page-141#post-2992271
    https://www.wilderssecurity.com/thr...layer-of-defense.398859/page-143#post-2993160
     
  8. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    9,008
    Location:
    Among the gum trees
    Actually, I reported it one or two times too. I haven't noticed it happening lately, but I don't have the tray icon pinned and don't go looking at it every Windows session, so it could of happened more often and I just didn't notice.
     
  9. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    3,313
    Location:
    Canada
    @novirusthanks

    I just upgraded to Windows 10 v20H2 last Friday. It's still early of course, but no startup problems yet with OSArmorDevSvc.exe. Maybe the upgrade will make the difference? Hopefully.
     
  10. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,398
    Location:
    U.S.A.
    I would advise keeping that icon pinned to the desktop toolbar. It's exclusion at system startup time is a visual clue that OSArmorDevSvc.exe hasn't started. In other words, OSA is not protecting you.
     
  11. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    9,008
    Location:
    Among the gum trees
    Done! Thanks.
     
  12. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    4,391
    Location:
    Under a bushel ...
    It has happened to me, but only once that I recall.
     
  13. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    3,313
    Location:
    Canada
    With me it's been very random and not too often. I've gone as long as a week without startup issues, then I'd get three failures in four days.
     
  14. Antarctica

    Antarctica Registered Member

    Joined:
    Feb 25, 2003
    Posts:
    1,975
    Location:
    Canada
    On my side I have OSArmor installed on two computers and I never experienced any problems so far. Just keep my fingers crossed...
     
  15. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,398
    Location:
    U.S.A.
    In regards to OSArmorDevSvc.exe not running at system startup time; i.e. OSA missing desktop toolbar icon, this is the first security product I have used that does not alert that something is wrong with its real-time protection. Considering the product is being sold to commercial installations, this really needs to be addressed by @novirusthanks . OSA should be throwing an alert similar to that given for a blocked process which really can't be missed. I would imagine such alerting could be handled by its self-protection service/driver.
     
  16. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    3,313
    Location:
    Canada
    I agree. Not to come off as threatening, but if it's still happening at the end of my first year subscription, I won't be renewing it. I just can't accept a security program that randomly fails to startup automatically.

    Only speculating here, but I've been wondering if it's being caused by enabling one or more of the specific protections outside the loaded defaults, and it's not logging the failed OSArmorDevSvc startup because I have checked logs immediately after it's happened and there's nothing in there. On what I guess is an unrelated issue, twice before I had login issues where I had only a dark screen with a mouse pointer forcing me to reboot to recover - no alerts from OSArmor - but at least in this case the issue was logged, and in them I found that winlogon.exe required parent process WmiPrvSE.exe to launch it. I needed to manually create an exclusion to rectify this issue.
     
  17. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    9,008
    Location:
    Among the gum trees
    OK, for the first time since OSA has been pinned I see it has not started after a system restart.
     
  18. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    3,313
    Location:
    Canada
    @novirusthanks

    I'm convinced OSArmor needs a "Learning mode". Even just enabling: "Block any process executed from wmiprvse.exe" will break logins, as I alluded to in post 3591, not just cause FP's. Would it be possible to add this kind of feature in a future build?

    krusty,

    are you using the default protections, or have you enabled additional ones as well?
     
  19. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,398
    Location:
    U.S.A.
    I have such an "ask" Eset HIPS rule and it has never been triggered.

    It is not normal to have processes spawned from wmiprvse.exe. By default in Win 10, no user based WMI command or consumer scripts exist. Existence of such scripts could indicate a malware presence.
     
  20. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,398
    Location:
    U.S.A.
    My opinion is the problem with the OSA desktop toolbar icon is shown in the below screen shot. If you select "Exit GUI," it terminates the OSArmorDevSvc.exe via stopping its associated service. That is, OSA is no longer running.

    OSA_Icon.png

    This option also implies that OSA operation is tied to the initialization of this icon which really should not be the case.
     
  21. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    9,008
    Location:
    Among the gum trees
    The OSA tray icon didn't show up on the same machine with a cold start this morning (Fast Startup disabled).
    I'm using Medium Protection Profile with a handful of extra ones added. Block Remote Access, Block IE and Block Cortana.
    Yeah, that is not good.
     
  22. Dragon1952

    Dragon1952 Registered Member

    Joined:
    Sep 16, 2012
    Posts:
    2,284
    Location:
    Hollow Earth - Telos
    I don't see any protection profiles that i can choose from.
     
  23. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    9,008
    Location:
    Among the gum trees
    Open Configurator and right click anywhere in the Protections section.
     
  24. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,398
    Location:
    U.S.A.
    It is a bit strange how this is hidden.

    Assuming you have ver. 1.5.6 installed, open OSA Configurator. Right mouse click on "Main Protections" per the below screen shot:

    Eset_Protections.png
     
  25. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    3,313
    Location:
    Canada
    Well it's definitely not malware, and here is the exclusion I needed to add:

    Code:
    [%PROCESS%: Process: C:\Windows\System32\winlogon.exe] [%PROCESSCMDLINE%: C:\Windows\System32\winlogon.exe] [%SIGNER%: <NULL>] [%PARENTPROCESS%: C:\Windows\System32\wbem\WmiPrvSE.exe] [%PARENTSIGNER%: Microsoft Windows Publisher]
    EDIT

    a "dark screen of death" after logging out then trying to login again was what triggered the requirement to add that exclusion.

    Okay thanks. Then not really an over-aggressive Protections setup you're using, making it even more disconcerting that you are getting occasional failed OSArmorDevSvc startup failures.
     
    Last edited: Mar 18, 2021
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.