OroStat — Rootkit-Resistant Exam Monitoring

Catch the exam-centre cheating that hides from the operating system — by watching beneath it.

A below-OS network monitoring appliance for examination centres. When an insider hides a remote-desktop session with a kernel rootkit, every tool that trusts the operating system goes blind. OroStat watches from a layer the rootkit cannot reach — so hidden remote sessions stay visible at the network.

Computer-based exams assume the candidate is working alone at the terminal. A class of insider cheating breaks that assumption: an exam-centre employee conceals a remote-desktop session on the exam machine, an accomplice elsewhere watches the screen, and answers are relayed back in real time. Because the concealment lives in the host operating system, anything that asks the OS what is running gets the answer the attacker wants — process scans, connection checks, host firewalls and local recording all come back clean. OroStat removes that blind spot by relocating monitoring below the host OS entirely: a minimal, read-only virtual machine sits between the physical network card and the host and inspects every packet before the host — and the rootkit confined to it — can touch it. The host runs normally and the exam is unchanged; the difference is invisible to the candidate and to the rootkit. It is open at the core, so the examination bodies and regulators who have to trust it can audit exactly what runs, with a commercial dashboard for organisations operating many centres at once.

What you get
  • Hidden remote-desktop cheating becomes visible even when the host OS is compromised
  • A rootkit-resistant integrity layer at a fraction of hardware-tap cost
  • Fast, scriptable rollout across hundreds of centres by non-experts
  • Auditable, open-core detection that examination bodies and regulators can verify

What We Build

The capabilities behind this solution

Each engagement is assembled from these building blocks, scoped to your platform, your risk, and your regulatory context.

Below-OS Network Visibility

A minimal VM captures all traffic at the network layer, before it reaches the host. A rootkit confined to the host operating system has no way to see, intercept, or conceal what the VM observes.

Remote-Session Detection

Flags known remote-access protocols during an active exam window, and applies heuristics — session timing, sustained connections, and the lopsided traffic shape of a screen streamed out while only keystrokes return — to catch custom or encrypted tools.

Exam-Window Awareness

Detection sensitivity follows the exam schedule: remote access is flagged immediately during a test, while legitimate maintenance outside exam hours is logged without raising noise.
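
A minimal sketch of how the remote-session heuristics and exam-window awareness described above could be combined. This is an added example, not OroStat's own code: the flow-record fields, the thresholds and the sample flows are assumptions constructed for illustration, and `bytes_out` means bytes leaving the exam machine.

```python
from datetime import datetime, timedelta

# Assumed values, not OroStat's: default service ports and illustrative thresholds.
REMOTE_PORTS = {3389: "RDP", 5900: "VNC"}
MIN_SUSTAINED = timedelta(minutes=5)   # "sustained connection"
MIN_OUT_BYTES = 5_000_000              # ignore small uploads
MIN_OUT_IN_RATIO = 20.0                # screen streamed out, only keystrokes back

def t(hhmm):
    return datetime.strptime("2024-01-15 " + hhmm, "%Y-%m-%d %H:%M")

def in_window(flow, windows):
    """True if the flow overlaps any scheduled exam window."""
    return any(flow["start"] < end and flow["end"] > start for start, end in windows)

def reasons(flow):
    """Return the heuristics this flow record trips."""
    hits = []
    if flow["port"] in REMOTE_PORTS:
        hits.append("known-protocol:" + REMOTE_PORTS[flow["port"]])
    sustained = flow["end"] - flow["start"] >= MIN_SUSTAINED
    ratio = flow["bytes_out"] / max(flow["bytes_in"], 1)
    if sustained and flow["bytes_out"] >= MIN_OUT_BYTES and ratio >= MIN_OUT_IN_RATIO:
        hits.append("sustained-lopsided-stream")
    return hits

def classify(flow, windows):
    """ALERT inside an exam window, LOG outside it, OK when nothing trips."""
    hits = reasons(flow)
    if not hits:
        return "OK", hits
    return ("ALERT" if in_window(flow, windows) else "LOG"), hits

# Constructed sample data: one exam window and four flow records.
EXAM_WINDOWS = [(t("09:00"), t("12:00"))]
FLOWS = [
    {"name": "exam-traffic", "start": t("09:05"), "end": t("11:55"), "port": 443, "bytes_out": 2_000_000, "bytes_in": 40_000_000},
    {"name": "rdp-in-exam", "start": t("09:30"), "end": t("10:30"), "port": 3389, "bytes_out": 80_000_000, "bytes_in": 1_000_000},
    {"name": "custom-tls-stream", "start": t("09:10"), "end": t("11:50"), "port": 443, "bytes_out": 300_000_000, "bytes_in": 2_000_000},
    {"name": "maintenance-vnc", "start": t("18:00"), "end": t("18:20"), "port": 5900, "bytes_out": 30_000_000, "bytes_in": 500_000},
]

def run():
    return {f["name"]: classify(f, EXAM_WINDOWS) for f in FLOWS}

if __name__ == "__main__":
    for name, (verdict, hits) in run().items():
        print(name, verdict, hits)
```

The encrypted stream on port 443 is caught by traffic shape alone, while the evening VNC session trips the same heuristics but is only logged because it falls outside the exam window.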

Tamper-Resistant by Design

The appliance is a tiny, read-only static image with no package manager and no unnecessary services — almost nothing to inject into or modify, and unwritable from the host even if it tries.

Fail-Open Continuity

If the VM ever stops, host connectivity falls back to the physical card so the examination is never interrupted — and the central dashboard flags that centre for inspection immediately.

Multi-Centre Dashboard

Real-time visibility across every connected centre: live VM status, active sessions, an alert feed, and searchable, exportable session logs for incident handling and reporting.

How We Deliver

A scoped, low-risk path to production

No big-bang cutovers. We move in deliberate phases, with rollback-safe checkpoints and clear ownership at every step.

  1. Map the centre network, define exam windows, and set alert policy
  2. Deploy the VM appliance per machine in minutes — no networking expertise on site
  3. Baseline normal traffic, then run in exam mode with real-time alerting
  4. Operate the central dashboard for monitoring, incident response, and reporting

Technology & Standards

What we typically work with

  • Below-OS VM appliance
  • Packet capture
  • OVA image
  • Network bridge / NAT
  • Heuristic detection
  • Central dashboard
  • GPL v2 core

Final tooling is selected during discovery to fit your existing estate, compliance posture, and team.

FAQ

Common questions

How is this different from endpoint security or a lockdown browser?

Those run on the same machine as the rootkit and rely on what the operating system reports — so a kernel-level rootkit can hide from them. OroStat monitors from below the OS, at the network layer, where that concealment does not apply.

Does it slow down or change the exam experience?

No. The host machine keeps normal internet access and the exam software behaves identically. Monitoring happens in a separate VM the candidate never interacts with.

What does it not catch?

OroStat detects network-based cheating. It is not designed to catch earpieces, hidden phones, memorised answers, or collusion that never touches the network. It is one layer of an integrity programme, alongside identity verification, physical security, and delivery tools like OroLink.

Why is the core open source?

Putting a monitoring tool on an exam machine raises a fair question about what it collects. An auditable, open-source core lets examination bodies, researchers, and regulators verify exactly what runs — a claim you can check beats one you are asked to believe.
