Bakken Hood

OA blocked OAwatch.dll, or so it claims


I can't make sense out of this one. Out of some quixotic sense of honor, I'm moderating a bankrupt, spammer-infested web forum that hardly anyone goes to anymore. I have an unproven suspicion that this forum gave me a bug last year that forced me to reformat, so now I'm only visiting it using Chrome with plugins disabled. Still, when doing my spam check earlier today, I got a popup from OA urging me to block OAwatch.dll and identifying Chrome as the parent program or something to that effect (OA apparently doesn't log these details, so I can't check). Figuring that OA knows how to keep track of its own processes, I assumed it was an impostor and blocked it. Now, though, I look at the "Programs" section in OA and it claims to be blocking one of its own components. At least, the file is in the OA program folder and EAM's scanner doesn't think it's harmful. Am I crippling my firewall by stopping OAwatch, or am I rightfully subduing something dangerous?


The digital signature seems ok, though I'm not nearly savvy enough to know how to spot a fake one. I do remember that when I got the prompt, it didn't show a digital signature in green, like it does for googleupdate.exe and whatnot, although it did identify it as an Emsisoft product. It looked like a well-done fake at the time. It doesn't look like I'm alone in this. Via my right mouse button, Windows seems to think the signature is valid, but I don't trust anything that guy says.


I can't make sense out of this one. Out of some quixotic sense of honor, I'm moderating a bankrupt, spammer-infested web forum that hardly anyone goes to anymore. I have an unproven suspicion that this forum gave me a bug last year that forced me to reformat, so now I'm only visiting it using Chrome with plugins disabled. Still, when doing my spam check earlier today, I got a popup from OA urging me to block OAwatch.dll and identifying Chrome as the parent program or something to that effect (OA apparently doesn't log these details, so I can't check). Figuring that OA knows how to keep track of its own processes, I assumed it was an impostor and blocked it. Now, though, I look at the "Programs" section in OA and it claims to be blocking one of its own components. At least, the file is in the OA program folder and EAM's scanner doesn't think it's harmful. Am I crippling my firewall by stopping OAwatch, or am I rightfully subduing something dangerous?

This is strange.

After a few months of being installed, and never having done it before, on the 11th (2 days after you), I also had OA block OAwatch.dll.

However, I understand this forum has a problem with "thread hijacking" and I don't want to muddy the waters. With that in mind, can I ask you to report back on a couple of things to confirm whether we are having exactly the same problem, or just similar? (If they're not identical I think it is forum policy that I start a new thread, but it might still be worth us keeping an eye on each other's threads.)

If you look at your History section, does the entry say "OAwatch.dll" or "OAwatch.dl"? Also, is there anything in the lower, "information" pane (such as file location), or is it completely blank? Finally, if you find OAwatch.dll in the "Programs" section, is its status "Allowed" or "Blocked"?

Thank you and good luck in finding some answers.


Hey, it's good to hear from someone else with the same experience. I wouldn't call it a thread hijack.

Good eye; my History only has one "l" in oawatch.dl, but after I clicked "block" (with "create rule" checked) when the prompt came up, oawatch.dll (located in the OA program folder) turned up in the Programs tab with a rule to block it automatically. Not wanting to cripple my firewall, I changed "block" to "ask" in the rule, but it hasn't raised its head again.

What I really find disturbing about all this is that the OASIS database knows that OA has been blocking the file, and I'd think by now Emsisoft would have 1) identified a bug in its software that caused OA to stymie its own components, or 2) realized that there's a hack out there that specifically targets OA users. I'm assuming it's either a minor software bug or a hack, but Emsi doesn't seem to have addressed it.


Hey, it's good to hear from someone else with the same experience. I wouldn't call it a thread hijack.

Good eye; my History only has one "l" in oawatch.dl, but after I clicked "block" (with "create rule" checked) when the prompt came up, oawatch.dll (located in the OA program folder) turned up in the Programs tab with a rule to block it automatically. Not wanting to cripple my firewall, I changed "block" to "ask" in the rule, but it hasn't raised its head again.

It seems that we are having a very similar experience, the difference being that I am not given the option to answer (that may be related to different settings, or the fact that you are using v5, while I am using v4.5).

Oddly enough, when checking my History for this reply, I notice that it has done the same thing again today. "Program Guard: OAwatch.dl" and under Action it says "Blocked". The information pane is empty. It seems to have happened at startup. If I check my Programs list, there are 2 entries for OAwatch.dll (no OAwatch.dl), both with the same MD5. One is set to "Allowed", the other is set to "Ask" and both have a "First Detected" time identical to the "Blocked" History entry for today.

What I really find disturbing about all this is that the OASIS database knows that OA has been blocking the file, and I'd think by now Emsisoft would have 1) identified a bug in its software that caused OA to stymie its own components, or 2) realized that there's a hack out there that specifically targets OA users. I'm assuming it's either a minor software bug or a hack, but Emsi doesn't seem to have addressed it.

I agree.

I was assuming that it was merely a bug, but now that you mention it, it is odd that this same bug would run through v4.5 and on into v5 without anybody (user, beta tester or developer) noticing it, and then having never occurred in the previous few months that it was installed on this machine (I don't know how long on yours), that it would happen to occur on two completely unrelated machines within two days of each other.

I don't use OASIS, but I've just followed your link. I notice it says that 11% blocked the file and 5% allowed it, but what about the other 84%? Also, when I searched for oawatch and oawatch.dll, your file didn't turn up, but there were two other files of the same name (but different file sizes) that were detected as malware.
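The two checks raised in this thread (is the signature on OAwatch.dll really valid and from the expected publisher, and do the duplicate entries share one hash) can be run directly from PowerShell. This is an added example, not part of any post or of Online Armor itself; the search root and the expected signer substring are assumptions to adjust for your installation.

```powershell
# Added example. $SearchRoot and $ExpectedSigner are assumptions, not values from the thread.
param(
    [string]$SearchRoot     = $env:ProgramFiles,  # use ${env:ProgramFiles(x86)} for a 32-bit install
    [string]$NamePattern    = 'OAwatch.dl*',      # matches both "OAwatch.dll" and the "OAwatch.dl" seen in History
    [string]$ExpectedSigner = 'Emsisoft'          # substring expected in the certificate subject
)

# Find every copy on disk, not only the one in the product folder.
$copies = Get-ChildItem -Path $SearchRoot -Filter $NamePattern -Recurse -File -ErrorAction SilentlyContinue

$report = foreach ($file in $copies) {
    $sig     = Get-AuthenticodeSignature -FilePath $file.FullName
    $subject = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }

    [pscustomobject]@{
        Path            = $file.FullName
        Size            = $file.Length
        MD5             = (Get-FileHash -Path $file.FullName -Algorithm MD5).Hash     # comparable with the MD5 shown in the Programs list
        SHA256          = (Get-FileHash -Path $file.FullName -Algorithm SHA256).Hash
        SignatureStatus = $sig.Status            # Valid, NotSigned, HashMismatch, NotTrusted, ...
        Signer          = $subject
        # A file is only treated as genuine if the signature verifies AND the signer is the expected publisher.
        SignerMatches   = ($sig.Status -eq 'Valid') -and ($subject -like "*$ExpectedSigner*")
    }
}

$report | Format-List

# Same-named files with different hashes deserve a closer look.
$distinct = @($report | Group-Object -Property SHA256)
if ($distinct.Count -gt 1) {
    Write-Warning "Found $($distinct.Count) different files matching $NamePattern under $SearchRoot"
}

# List any copy that is unsigned, tampered with, or signed by someone else.
$report | Where-Object { -not $_.SignerMatches } |
    Select-Object Path, SignatureStatus, Signer
```

A status of `HashMismatch` means the file was changed after signing, and `NotSigned` on a file that claims to be a vendor component is the case to investigate first.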


This is strange.

I totally agree qwerty! Especially after so long without a peep... and the double entry "block" and "ask". Happened while using Iron (a form of Chromium). Using older version 5.0.0.1097. I deleted the "block" and left "ask" to see what will happen.

Seems like a bug - nothing to lose any sleep over ;)


I totally agree qwerty! Especially after so long without a peep... and the double entry "block" and "ask". Happened while using Iron (a form of Chromium). Using older version 5.0.0.1097. I deleted the "block" and left "ask" to see what will happen.

Seems like a bug - nothing to lose any sleep over ;)

Hello,

Are you aware that OA v6.0 has been released already?:)

If not - please see the changelog:

http://changeblog.emsisoft.com/2012/10/03/emsisoft-online-armor-6-0-0-1736-released/

