Can "kav's" proactive module be so stupid?
faenil
September 25th, 2007, 11:13 AM
I noticed it can be easily put off just by changing the date back to 1986...
Can an AV be so stupid? I can't believe it... Any malware can bypass it, you just need to bind it with an exe which sets the date back to 1986...
unbelievable
bigc73542
September 25th, 2007, 11:25 AM
which proactive module??
faenil
September 25th, 2007, 11:31 AM
kav's
solcroft
September 25th, 2007, 11:34 AM
{QUOTE-> I noticed it can be easily put off just by changing the date back to 1986...
Can an AV be so stupid? I can't believe it... Any malware can bypass it, you just need to bind it with an exe which sets the date back to 1986...
unbelievable <-QUOTE}
Unbelievable as it is, ALL VERSIONS OF KAV are COMPLETELY DISABLED and rendered 100% HELPLESS by this stupid trick. Not just the Proactive Defense Module (PDM), but the resident scanner as well.
I've raised this issue before here on Wilders, and apparently after being reposted on the Kaspersky fan forums, Eugene Kaspersky's personal opinion is that this "isn't a big problem". I wonder if he knows that this is the #1 method that commercially-manufactured malware use to defeat KAV in China, where it holds a considerable percentage of the market share. In fact, the very reason that EQSecure, ProSecurity and Micropoint (made-in-China HIPS/behavior blocker programs) added the feature to detect and block changes to system time is because of the wide proliferation of this type of malware. Change the system time = invalid license file = COMPLETELY DISABLED KAV.
faenil
September 25th, 2007, 11:36 AM
lol...omg....not a big problem...lol...
solcroft
September 25th, 2007, 11:52 AM
The KAV analysts must be aware of the extent of this problem. The number of such malware they receive every day has to tell them something (if not, they completely deserve to be fired). As it is, Kaspersky has yet to do anything about this problem, opting to rely solely on their unbelievably insane (fast) response times to bottle up this issue.
I must admit, I'm kind of puzzled as to what they're thinking.
Thug21
September 25th, 2007, 09:44 PM
I haven't seen this first hand (never used KAV) but that is just plain freaky!
I wonder if any other security programs have that problem.
LUSHER
September 26th, 2007, 09:24 AM
{QUOTE->
I must admit, I'm kind of puzzled as to what they're thinking. <-QUOTE}
Pretty obvious to me what they are thinking...
scirious
September 26th, 2007, 09:54 AM
{QUOTE-> Pretty obvious to me what they are thinking... <-QUOTE}
And what, in your view, are they thinking?
lodore
September 26th, 2007, 03:33 PM
I posted this on the Kaspersky fan forum a few months ago.
I think it is due to be changed in KAV/KIS 8.0, if you look at the KIS/KAV 8.0 beta section on the KAV forums.
lodore
LUSHER
September 27th, 2007, 10:00 AM
{QUOTE-> and to you what are they thinking? <-QUOTE}
Hint 1 : Protecting their users is secondary to making money.
Hint 2 : Now think about what this date change effect is meant to do....
GES/POR
September 27th, 2007, 10:24 AM
{QUOTE-> Hint 1 : Protecting their users is secondary to making money. <-QUOTE}
It is a serious business, not a charity org; of course money should be their main objective, through securing their customers, but I guess they could sell out to Comodo and go into the fashion industry. Darn shame of their hard work and high education, but change can be refreshing.
steve1955
September 27th, 2007, 12:51 PM
Any AV that issues you with a licence for a set time (1yr, 2yr, whatever) and allows you to backdate your PC at the end of its "term" should auto-disable if you try and do this (in my opinion), otherwise you could extend any licence, even a trial one, indefinitely.
scirious
September 27th, 2007, 01:02 PM
However, this makes it really simple for malware writers to bypass the security if it isn't detected at the time of the infection, which leaves the AV useless since it won't even update to detect it later.
steve1955
September 27th, 2007, 01:16 PM
Not really, because any malware would have to get past KAV and alter your system clock: if it was "that simple", why hasn't it been done already?
solcroft
September 27th, 2007, 01:36 PM
{QUOTE-> Not really, because any malware would have to get past KAV and alter your system clock: if it was "that simple", why hasn't it been done already? <-QUOTE}
LMAO, and what makes you think it hasn't.
steve1955
September 27th, 2007, 01:52 PM
I think it would be all over the forums if it had! I doubt this "vulnerability" has gone unnoticed until now, and have you tried killing KAV on a system without admin privileges, and can you adjust the system clock without admin privileges? I don't know, never tried it.
solcroft
September 27th, 2007, 01:55 PM
{QUOTE-> I think it would be all over the forums if it had! I doubt this "vulnerability" has gone unnoticed until now, and have you tried killing KAV on a system without admin privileges, and can you adjust the system clock without admin privileges? I don't know, never tried it. <-QUOTE}
So why don't you try it and see for yourself, instead of claiming it can't be true because it "isn't all over the forums"?
lodore
September 27th, 2007, 02:00 PM
When I posted in the Kaspersky fan club forum, someone said KAV has been bypassed before because of the clock.
lodore
C.S.J
September 27th, 2007, 02:04 PM
Wow, I really didn't know Kaspersky did this.
In fact, if Kaspersky completely shuts down just by doing this, what is the point of Kaspersky?
steve1955
September 27th, 2007, 02:11 PM
Do you not think that if one of the best regarded AV products was so simple to bypass, and it had been successfully done, it would be in every AV forum on the net, especially here with NOD users gloating over it?
If you have proof that this has been done, please post proof instead of claiming that this is a "simple way to bypass KAV", or perhaps try writing some code or a batch file to execute that alters the system time; after all, you claim it is simple/easy (a batch file wouldn't do to infect other PCs, as it is a bit too difficult to disguise and they are written in such a way as to be easily understood).
As for altering my system clock without admin privileges: I'm not really bothered if you can or cannot do it, it's not me that feels this is a big problem with KAV. I bet most concerns are due to the fact that once somebody has tried this to extend their licence you cannot get KAV working again without a new key, so they are probably a bit pissed off that it works the way it does.
solcroft
September 27th, 2007, 02:22 PM
{QUOTE-> Wow, I really didn't know Kaspersky did this.
In fact, if Kaspersky completely shuts down just by doing this, what is the point of Kaspersky? <-QUOTE}
The "point" of Kaspersky is that if KAV has a signature for that malware, it can still kill said malware before it executes and modifies the system time.
However, the amount of zero-day malware in China that bypass and disable KAV is staggering. Most are tweaked specifically to evade KAV and Rising, two of the biggest players in the Chinese antivirus market. KAV's PDM is supposed to shore up its signature scanner, but what happens in reality is that malware bypasses KAV's signature scanner, executes, resets the date to 1986, and then gets to work unimpeded by the PDM because the PDM just killed itself.
So to sum up, you'd still need malicious code that KAV cannot detect so it can reset the system date. However, bypassing any single AV is a trivial matter, and KAV is not an exception. In fact, as previously mentioned, it gets targeted all the more in China due to its market share. The number of anti-KAV zero-day variants that pop up on an hourly basis is nothing short of amazing, when you first see it.
@steve, I don't need to demonstrate what groups of hackers have been demonstrating IN BULK all this while. There's even a simple method to experiment it for yourself, if you're really interested in the truth, but if you prefer to just stick your fingers in your ears and go "lalala", so be it, I have no obligation to convince you.
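The chain solcroft describes (the dropper runs, rolls the clock back to 1986, the protection silently stops) leaves one trace a defender can watch for: a system time change whose new value lies far in the past. The Python below is an added example and not code from any poster or from Kaspersky; it runs that check over constructed records loosely modelled on the Windows Security event "The system time was changed" (event ID 4616 on Vista and later), with simplified field names and made-up process paths, and separates large rollbacks from the small corrections a time-sync service makes.

```python
from datetime import datetime, timedelta

# Constructed sample records, loosely modelled on Windows Security event 4616
# ("The system time was changed"). Field names are simplified for this example
# and the process paths are made up; nothing here comes from a real host.
SAMPLE_EVENTS = [
    # Routine correction by the time service: a one-second nudge.
    {"event_id": 4616, "process": r"C:\WINDOWS\system32\svchost.exe",
     "previous_time": "2007-09-27T13:36:02Z", "new_time": "2007-09-27T13:36:03Z"},
    # Unrelated event type; the detector must ignore it.
    {"event_id": 4624, "process": r"C:\WINDOWS\system32\winlogon.exe"},
    # The pattern discussed in the thread: a dropper rolls the clock back to 1986.
    {"event_id": 4616,
     "process": r"C:\Documents and Settings\user\Local Settings\Temp\bundle.exe",
     "previous_time": "2007-09-27T13:40:11Z", "new_time": "1986-01-01T00:00:00Z"},
    # Later the clock is set back to the present (by the user or the malware):
    # a forward jump, which by itself would look like a harmless correction.
    {"event_id": 4616, "process": r"C:\WINDOWS\explorer.exe",
     "previous_time": "1986-01-01T00:05:00Z", "new_time": "2007-09-27T13:45:20Z"},
]

# Adjustments up to this size are treated as ordinary clock drift correction.
MAX_BENIGN_DRIFT = timedelta(minutes=5)

# A rollback of at least this much has no plausible drift explanation.
MIN_SUSPICIOUS_ROLLBACK = timedelta(days=1)


def parse_ts(value):
    """Parse the ISO-8601 UTC timestamps used in the constructed records."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def classify_time_change(event):
    """Return a verdict dict for a time-change event, or None for other events."""
    if event.get("event_id") != 4616:
        return None
    delta = parse_ts(event["new_time"]) - parse_ts(event["previous_time"])
    if abs(delta) <= MAX_BENIGN_DRIFT:
        verdict = "benign_drift"
    elif delta < timedelta(0):
        verdict = "rollback"
    else:
        verdict = "forward_jump"
    return {
        "verdict": verdict,
        "delta_seconds": int(delta.total_seconds()),
        "process": event["process"],
        "new_time": event["new_time"],
    }


def is_large_rollback(result):
    """True when a classified event moves the clock back by MIN_SUSPICIOUS_ROLLBACK or more."""
    return (result["verdict"] == "rollback"
            and -result["delta_seconds"] >= MIN_SUSPICIOUS_ROLLBACK.total_seconds())


def find_rollbacks(events):
    """Collect the time changes that match the licence/AV-defeat pattern."""
    findings = []
    for event in events:
        result = classify_time_change(event)
        if result is not None and is_large_rollback(result):
            findings.append(result)
    return findings


def find_rollback_then_restore(events):
    """Pair each large rollback with the next forward jump, i.e. the clock being
    put back to the present once the rollback has done its work."""
    pairs = []
    pending = None
    for event in events:
        result = classify_time_change(event)
        if result is None:
            continue
        if is_large_rollback(result):
            pending = result
        elif result["verdict"] == "forward_jump" and pending is not None:
            pairs.append((pending, result))
            pending = None
    return pairs


if __name__ == "__main__":
    for finding in find_rollbacks(SAMPLE_EVENTS):
        print("clock rollback by", finding["process"], "to", finding["new_time"])
    print(len(find_rollback_then_restore(SAMPLE_EVENTS)), "rollback/restore pair(s)")
```

On a real host the records would come from the Security log, which only contains them if auditing of system time changes is enabled; the rollback-then-restore pair is worth alerting on separately because each half, seen alone, can pass as a routine adjustment.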
lodore
September 27th, 2007, 02:27 PM
Why do you think this is so stupid?
By turning the clock back you could fool the license to make your license last longer.
Am I right in saying only an administrator can change the date anyway?
I believe this question has been asked at Wilders before as well.
I have found my thread in the Kaspersky Lab fan forum.
link (http://forum.kasperskyclub.com/index.php?showtopic=1006&hl=)
Read the response from Eugene himself.
lodore
steve1955
September 27th, 2007, 02:43 PM
{QUOTE-> @steve, I don't need to demonstrate what groups of hackers have been demonstrating IN BULK all this while. There's even a simple method to experiment it for yourself, if you're really interested in the truth, but if you prefer to just stick your fingers in your ears and go "lalala", so be it, I have no obligation to convince you. <-QUOTE}
No you haven't, and you haven't.
Strange my friend out in China has never warned me off this!
solcroft
September 27th, 2007, 02:48 PM
{QUOTE-> No you haven't, and you haven't.
Strange my friend out in China has never warned me off this! <-QUOTE}
Again, in case you were incapable of understanding the first two times, there's an exceedingly simple and convenient method to verify this for yourself.
If, for whatever insecurities you have you're not willing to try that, then I'm afraid your skepticism is quite meaningless.
steve1955
September 27th, 2007, 02:58 PM
{QUOTE-> Again, in case you were incapable of understanding the first two times, there's an exceedingly simple and convenient method to verify this for yourself.
If, for whatever insecurities you have you're not willing to try that, then I'm afraid your skepticism is quite meaningless. <-QUOTE}
I know altering my system clock will disable KAV, is that what you mean to verify (don't need to!)? Have you bothered checking Lodore's link and the reply from a certain Mr Kaspersky?? I think he probably knows more about malware than me, and there is even a faint possibility he may know even more than you!
solcroft
September 27th, 2007, 03:03 PM
{QUOTE-> I know altering my system clock will disable KAV, is that what you mean to verify (don't need to!)? Have you bothered checking Lodore's link and the reply from a certain Mr Kaspersky?? I think he probably knows more about malware than me, and there is even a faint possibility he may know even more than you! <-QUOTE}
Agreed. Doesn't mean he's right this time, though.
faenil
September 27th, 2007, 03:47 PM
{QUOTE-> Agreed. Doesn't mean he's right this time, though. <-QUOTE}
Sage words...
Hey man, you have to think also WHY he said this... A friend of mine is a hacker, and he's known among hackers...
Guess what, he uses a date change to bypass KAV's PDM ;D
steve1955
September 27th, 2007, 05:39 PM
{QUOTE-> Sage words...
Hey man, you have to think also WHY he said this... A friend of mine is a hacker, and he's known among hackers...
Guess what, he uses a date change to bypass KAV's PDM ;D <-QUOTE}
Would love to see the code that your "friend" uses to bypass KAV in this way!
As mentioned earlier, it wouldn't just disable the PDM.
C.S.J
September 27th, 2007, 05:59 PM
Either way, for such a good antivirus, with self-protection too, I wouldn't dare use this when this error is there.
trjam
September 27th, 2007, 06:27 PM
{QUOTE-> Either way, for such a good antivirus, with self-protection too, I wouldn't dare use this when this error is there. <-QUOTE}
I second Chris in this. I would love nothing better than to buy Kaspersky, once and for all. But the Chkdsk issues along with it, and Sandboxie with Vista not getting along, are the only things. Sorry, Kas, Sandboxie doesn't like you trying to load those drivers every time you open your web browser. It really kills me. This is one company that has the potential to rocket to the top. But their dishonesty is what is killing them. Just admit to the issue, state when it will be corrected, and it is just good old human nature who will forgive you, and go on with you.
scirious
September 27th, 2007, 06:33 PM
{QUOTE-> Do you not think that if one of the best regarded AV products was so simple to bypass, and it had been successfully done, it would be in every AV forum on the net, especially here with NOD users gloating over it?
If you have proof that this has been done, please post proof instead of claiming that this is a "simple way to bypass KAV", or perhaps try writing some code or a batch file to execute that alters the system time; after all, you claim it is simple/easy (a batch file wouldn't do to infect other PCs, as it is a bit too difficult to disguise and they are written in such a way as to be easily understood).
As for altering my system clock without admin privileges: I'm not really bothered if you can or cannot do it, it's not me that feels this is a big problem with KAV. I bet most concerns are due to the fact that once somebody has tried this to extend their licence you cannot get KAV working again without a new key, so they are probably a bit pissed off that it works the way it does. <-QUOTE}
I don't know if trying to extend your license disables the key, but if you have a current key and go back in time, it disables KAV. However, returning the system time to the present re-enables KAV.
solcroft
September 27th, 2007, 08:55 PM
{QUOTE-> Would love to see the code that your "friend" uses to bypass KAV in this way!
As mentioned earlier, it wouldn't just disable the PDM. <-QUOTE}
Yeah, like you'd be able to understand it. ::)
Nope, it wouldn't just disable the PDM, the realtime scanner would go kaput as well. So just include downloader or dropper functionality in the code, and that malware could invite a gang of its buddies that would ALSO go undetected, even if KAV does have the signatures to detect them. ;)
steve1955
September 28th, 2007, 10:06 AM
{QUOTE-> Yeah, like you'd be able to understand it. ::)
Nope, it wouldn't just disable the PDM, the realtime scanner would go kaput as well. So just include downloader or dropper functionality in the code, and that malware could invite a gang of its buddies that would ALSO go undetected, even if KAV does have the signatures to detect them. ;) <-QUOTE}
Don't equate your computer knowledge with everybody else's; send me the code, and let's see if I understand it!
Your friend is probably of the same ilk as one of mine: says he could beat Ali and Tyson when Ali and Tyson were at their prime. He's a dreamer as well!
Put in language I hope you understand: I don't believe you have a "hacker friend" who bypasses KAV in this way!
Bubba
September 28th, 2007, 01:24 PM
We ask that this thread return to the discussion contained in the title, please. All the other off-topic comments / general chit-chat is best handled via PM.
Thanks,
Bubba
solcroft
September 28th, 2007, 02:47 PM
~snipped off topic comments....Bubba~
In any case, it does seem that LUSHER is right, at least partially. Kaspersky intends to protect their profits first before their customers, and as long as people don't notice this system date flaw and raise any public outcry, they seem to be perfectly content to lie low about it, seeing as how it's been there for quite some time and several versions now.
Dogbiscuit
September 28th, 2007, 06:52 PM
If you're running from a limited user account, how could malware change the system clock? If that were true, it would be a vulnerability in XP as well.
If you install malware through your admin account, any software is potentially susceptible.
solcroft
September 28th, 2007, 07:17 PM
{QUOTE-> If you install malware through your admin account, any software is susceptible. <-QUOTE}
As far as I'm aware of, KAV is the only AV that gets disabled this way.
scirious
September 28th, 2007, 07:44 PM
Well, much software has its weaknesses. Just for an example, with NOD32 V2 you just need to delete its DLLs. So it will also be gone.
solcroft
September 28th, 2007, 07:52 PM
{QUOTE-> Well, much software has its weaknesses. Just for an example, with NOD32 V2 you just need to delete its DLLs. So it will also be gone. <-QUOTE}
Not when they're loaded in memory and locked by the OS, sorry.
steve1955
September 28th, 2007, 08:15 PM
If it's done on boot, before they are loaded into memory??
solcroft
September 28th, 2007, 08:36 PM
Yes, that's another good method to kill KAV. ;)
the Tester
September 28th, 2007, 09:15 PM
{QUOTE->
by turning the clock back you could fool the license to make your license last longer. <-QUOTE}
Therein lies Kaspersky's motivation.
steve1955
September 29th, 2007, 04:36 AM
{QUOTE-> Yes, that's another good method to kill KAV. ;) <-QUOTE}
Judging by the blinkers you're wearing, I can only assume you're very anti-KAV and very pro-NOD: that's your view and you're welcome to it.
Of the two, the hardest to kill is KAV (a lot harder!), sorry to upset your delusions! It seems anybody that doesn't agree with your ideas is wrong, so best I leave it there! (I don't like being "wrong all the time".)
solcroft
September 29th, 2007, 05:05 AM
{QUOTE-> Judging by the blinkers you're wearing, I can only assume you're very anti-KAV and very pro-NOD: that's your view and you're welcome to it.
Of the two, the hardest to kill is KAV (a lot harder!), sorry to upset your delusions! It seems anybody that doesn't agree with your ideas is wrong, so best I leave it there! (I don't like being "wrong all the time".) <-QUOTE}
I'm sorry that the mere stating of simple, easily verifiable facts can actually instill the notion of this against that in your mind. Of course, you're always welcome to provide evidence that the issues raised in this thread are wrong.
steve1955
September 29th, 2007, 05:11 AM
{QUOTE-> I'm sorry that the mere stating of simple, easily verifiable facts can actually instill the notion of this against that in your mind. Of course, you're always welcome to provide evidence that the issues raised in this thread are wrong. <-QUOTE}
There is evidence in another thread on this forum, but no doubt that will be wrong as well; buy some smaller blinkers!
http://www.wilderssecurity.com/showthread.php?t=186002
solcroft
September 29th, 2007, 05:54 AM
{QUOTE-> There is evidence in another thread on this forum, but no doubt that will be wrong as well; buy some smaller blinkers!
http://www.wilderssecurity.com/showthread.php?t=186002 <-QUOTE}
I see nothing in that thread that contradicts the issues raised in this one in any way.
Sjoeii
September 29th, 2007, 05:58 AM
{QUOTE-> I second Chris in this. I would love nothing better than to buy Kaspersky, once and for all. But the Chkdsk issues along with it, and Sandboxie with Vista not getting along, are the only things. Sorry, Kas, Sandboxie doesn't like you trying to load those drivers every time you open your web browser. It really kills me. This is one company that has the potential to rocket to the top. But their dishonesty is what is killing them. Just admit to the issue, state when it will be corrected, and it is just good old human nature who will forgive you, and go on with you. <-QUOTE}
In a short time you will get your chance to use Kaspersky without these known issues ;)
steve1955
September 29th, 2007, 06:32 AM
{QUOTE-> I see nothing in that thread that contradicts the issues raised in this one in any way. <-QUOTE}
Obviously wearing a blindfold, not blinkers (my mistake!): you actually brought up NOD not being easy to kill, then adjusted my reply to suit your blinkered view of the world!
NOD is a good AV but has its weaknesses; at the moment KAV is a better AV (IN MY OPINION!) with far fewer weaknesses, accept it! That position may change when Eset releases the next version, but at the moment that is the state of play. I'm not saying NOD is a bad AV (I like it and have used it in the past; I replaced it with KAV on all machines since KAV now runs very light), and when some issues about it, mainly re self-protection, have been addressed I might start using it again. I use the product which best suits what it is designed for and don't dogmatically stick with a product (making excuses for its failings along the way!) if I feel something else is better.
solcroft
September 29th, 2007, 07:51 AM
{QUOTE-> Obviously wearing a blindfold, not blinkers (my mistake!): you actually brought up NOD not being easy to kill, then adjusted my reply to suit your blinkered view of the world!
~snip pointless rant~ <-QUOTE}
Again, despite your pointless rhetoric, I would like to point out the simple fact that the thread you specified does nothing to prove that KAV isn't killed by something as simple as a system time change.
I really don't understand why you're arguing yourself blue in the face and indignantly defending Kaspersky when that very simple fact is there for everyone to see (except for the people who deliberately choose to not see it). For all of KAV's much-touted self-protection, just modify the system date, and KAV dies. Is that really such a complicated concept for you?
{QUOTE-> I use the product which best suits what it is designed for and don't dogmatically stick with a product (making excuses for its failings along the way!) if I feel something else is better. <-QUOTE}
;)
{QUOTE-> In a short time you will get your chance to use Kaspersky without these known issues ;) <-QUOTE}
Unlike some of its more "dedicated" fans, it's good to see that Kaspersky knows how and when to acknowledge problems, and that it's moving to fix them. :thumb:
19monty64
September 29th, 2007, 08:39 AM
I think the thread alludes to the fact that KAV protects itself better than most of its competition, if I read it correctly...
C.S.J
September 29th, 2007, 08:45 AM
{QUOTE-> I think the thread alludes to the fact that KAV protects itself better than most of its competition, if I read it correctly... <-QUOTE}
Means nothing if the date can be changed, though :wacko:
I'm not a Kaspersky user, but it annoys me that this could be done. If I used Kaspersky, I would be constantly wanting some answers regarding this issue.
solcroft
September 29th, 2007, 08:47 AM
{QUOTE-> Means nothing if the date can be changed, though :wacko: <-QUOTE}
It's less of a self-protection issue, it's just that KAV commits hara-kiri all by itself when the system date is changed with no further intervention on the malware's part.
steve1955
September 29th, 2007, 09:41 AM
{QUOTE-> It's less of a self-protection issue, it's just that KAV commits hara-kiri all by itself when the system date is changed with no further intervention on the malware's part. <-QUOTE}
OK, I give in: KAV's crap and there's loads of malware about that changes your system time/date to disable it. Be back in a bit when I've uninstalled it from the PCs; can I have your learned recommendation as to what I should install??
JerryM
September 29th, 2007, 10:41 AM
"can I have your learned recommendation as to what i should install??"
I'd also like to learn what should be installed. But I have not removed KIS7, and will wait to see what should be substituted.
Thanks,
Jerry
BlueZannetti
September 29th, 2007, 11:44 AM
{QUOTE-> I'd also like to learn what should be installed. But I have not removed KIS7, and will wait to see what should be substituted. <-QUOTE}
It's probably been said thousands of times here, but that call is really dependent on you and how you use your computer. If we strip away the preliminaries and assume that you've already determined having an installed AV is appropriate, think about the issues that are important:
Do you avail yourself of the vendor support system or rely on forums like Wilders and fellow users? If it's the latter, give live vendor support a relatively low weighting.
Do you plan on covering more than one computer and is total cost of ownership a significant factor? If total cost is an issue, look at free options, products such as F-Prot which have good home licensing terms, vendors who provide steep multi-machine/multi-year discounts or competitive upgrades, have boxed versions in retailers that are often available at steep discount through liquidators at year end, and so on.
Are you using an AV in conjunction with other approaches (HIPS, virtualization, image restoration, etc.)? It may be quite suitable to reduce the emphasis on detection levels (within reason, of course).
The fundamental requirement for someone who uses their machine for banking, p2p, and surfing crack sites is fundamentally different from that of a casual user who likes to get news from CNN and other commercial news organizations. If your usage style is the latter, you may actually need only sparse coverage, while the former will require a more hardened system.
What type of information is retained on the machine? Is it confidential and/or difficult to readily replicate? In other words, look at the worst downside potential and how easily you could recover from that type of event.
And so on. There are many ways to look at the question, but it ends with putting potential approaches and (possibly) products on the table for assessment/trialing; it doesn't start there.
Blue
steve1955
September 29th, 2007, 11:47 AM
{QUOTE-> OK, I give in: KAV's crap and there's loads of malware about that changes your system time/date to disable it. Be back in a bit when I've uninstalled it from the PCs; can I have your learned recommendation as to what I should install?? <-QUOTE}
Was meant as a joke, lads and lasses!
19monty64
September 29th, 2007, 11:53 AM
{QUOTE-> It's less of a self-protection issue, it's just that KAV commits hara-kiri all by itself when the system date is changed with no further intervention on the malware's part. <-QUOTE}
Maybe I'm missing something, but if you use LUA, the system date can't be rolled back. And if you run under admin, using HIPS or such would prevent the rollback. (Hell, I don't even let Windows synchronize the time.) It's no different than the "exit mode" provided to users. Should KAV prevent its users from that option too??? I don't use KAV, but I also don't expect my AV to guard my calendar. I just don't see the issue, other than "bashing"...
solcroft
September 29th, 2007, 12:12 PM
{QUOTE-> Maybe I'm missing something, but if you use LUA, the system date can't be rolled back. And if you run under admin, using HIPS or such would prevent the rollback. (Hell, I don't even let Windows synchronize the time.) It's no different than the "exit mode" provided to users. Should KAV prevent its users from that option too??? I don't use KAV, but I also don't expect my AV to guard my calendar. I just don't see the issue, other than "bashing"... <-QUOTE}
In any layered setup, the antivirus is often the least-impact factor in security. If you know how to shore up your system sufficiently, you can do away with an antivirus entirely, as I've done for the last six months. If you're going to throw an AV into such a setup, HIPS and all, then yes, Kaspersky's flaws aren't an issue, but only because the whole Kaspersky program itself is no longer an issue.
As for "bashing", I believe it's just stating a simple fact. One which some people who claim to not make excuses for the failings of their pet product seem to have taken quite some time to grasp. No, there's no reason for your AV to guard your calendar, just like there should be no reason for your AV to refuse to work just because the calendar changed.
EDIT: When you say you use your HIPS to guard your system time, I'll assume you're using EQSecure or ProSecurity. Now take a moment to remember which country those programs came from, and why do you think they included such a function.
19monty64
September 29th, 2007, 01:08 PM
{QUOTE-> When you say you use your HIPS to guard your system time, <-QUOTE} No, I said... {QUOTE-> if you use LUA, the system date can't be rolled back. And if you run under admin., using HIPS or such, would prevent the rollback. <-QUOTE} meaning that guarding the system time isn't to be given a 2nd thought... {QUOTE-> I'll assume you're using EQSecure or ProSecurity. Now take a moment to remember which country those programs came from, and why do you think they included such a function. <-QUOTE} There's wa-a-a-a-ay too many cracks available to worry about "rolling back the odometer", but what exactly does coming from China have to do with this???
steve1955
September 29th, 2007, 01:16 PM
{QUOTE-> No, I said... meaning that guarding the system time isn't to be given a 2nd thought... There's wa-a-a-a-ay too many cracks available to worry about "rolling back the odometer", but what exactly does coming from China have to do with this??? <-QUOTE}
Hi
He seems to forget that most forms of malware become global very quickly, due to something called the internet, I believe (well, I think it's called that, but I could be wrong!).
solcroft
September 29th, 2007, 01:24 PM
{QUOTE-> meaning that guarding the system time isn't to be given a 2nd thought... <-QUOTE}
True. There are also special utilities created specifically to lock the system time. This is that big of a problem in China, where KAV holds a sizable portion of the market share and gets targeted on a daily basis.
A lot of vulnerabilities in other software are also covered under LUA, like nicM's kernel unhooking test for HIPS programs demonstrated. However, that doesn't mean they aren't a problem and don't need to be fixed.
{QUOTE-> There's wa-a-a-a-ay too many cracks available to worry about "rolling back the odometer", but what exactly does coming from China have to do with this??? <-QUOTE}
Because that's where this "change the date to kill KAV" trick is the most rampant. It's a quick and easy way to kill one of the leading AV software in the market. EQSecure, ProSecurity and Micropoint added the feature to block date changes due to how common this function is in malware, and companies like Qihoo released tools to lock the system time as well, all because too many malware were targeting one of the top heavyweights in the Chinese AV scene in terms of market share.
19monty64
September 29th, 2007, 02:05 PM
{QUOTE-> True. There are also special utilities created specifically to lock the system time. This is that big of a problem in China, where KAV holds a sizable portion of the market share and gets targeted on a daily basis. <-QUOTE}
So KAV has a critical vulnerability that needs to be patched, so everyone is doing that for KAV and giving it away for free???
But really, all AV's have their weaknesses... http://www.wilderssecurity.com/showthread.php?t=186002 ...so are you criticizing KAV's weaknesses, or AV's in general???
MalwareDie
September 29th, 2007, 02:13 PM
{QUOTE-> Actually it's you that has (or hasn't, depends on your point of view!).
Can I ask you something personal: how old are you? Because you seem to argue your points the same way as my 14yr old daughter when she's hormonal!
You write things, then seem to forget what you have written when things are disputed, and/or bend any reply to suit how you feel. This thread is useless and should be closed.
<-QUOTE}
The chances of this thread being open much longer are very low. Flaming and off-topic posts don't do this thread any good.
solcroft
September 29th, 2007, 02:19 PM
{QUOTE-> So KAV has a critical vulnerability that needs to be patched, so everyone is doing that for KAV and giving it away for free???
But really, all AV's have their weaknesses... http://www.wilderssecurity.com/showthread.php?t=186002 ...so are you criticizing KAV's weaknesses, or AV's in general??? <-QUOTE}
I suppose an analogy would be third-party companies writing programs to patch up a disclosed and widely-attacked Windows flaw because Microsoft has yet to release a patch. In the case of EQSecure/PS/MP, it's not exactly solely a patch, it's probably product innovation as well, because this type of attack was annoying even for people who don't use KAV.
All AVs have weaknesses, but in this case Kaspersky has let a widely-publicized and easily-exploited flaw, with staggering amounts of ITW attacks released to date, to go unfixed for too long. Even the automatic virus creation kits include the option to change the system date. There would be no reason for malware to include this functionality at all, were it not for KAV and its market share.
19monty64
September 29th, 2007, 02:43 PM
{QUOTE-> I suppose an analogy would be third-party companies writing programs to patch up a disclosed and widely-attacked Windows flaw because Microsoft has yet to release a patch. In the case of EQSecure/PS/MP, it's not exactly solely a patch, it's probably product innovation as well, because this type of attack was annoying even for people who don't use KAV. <-QUOTE}
So obviously it's not just a KAV problem...
{QUOTE-> All AVs have weaknesses, but in this case Kaspersky has let a widely-publicized and easily-exploited flaw, with staggering amounts of ITW attacks released to date, go unfixed for too long. Even the automatic virus creation kits include the option to change the system date. There would be no reason for malware to include this functionality at all, were it not for KAV and its market share. <-QUOTE}
So with all these free solutions, why bother changing? They are protecting their interests (against piracy), while other companies benefit (from product innovation).
Bubba
September 29th, 2007, 04:28 PM
{QUOTE-> The chances of this thread being open much longer are very low. <-QUOTE}They're "low" but there is a chance. We can attempt to not let it sink any lower :-\
{QUOTE-> Flaming and off topic posts don't do this thread any good. <-QUOTE}It never does any thread any good. However, by removing some of the posts We hope the focus can return to the thread title, and those that wish to have a tit for tat will take their childish attitude in this thread to another venue other than our threads.
Latitude was given in hopes that it would die out and if it continues the only choice is to bring it to a close.
Regards,
Bubba
scirious
September 29th, 2007, 06:03 PM
{QUOTE-> Not when they're loaded in memory and locked by the OS, sorry. <-QUOTE}
Not really. You can delete almost everything, including its updates and engine files, leaving it useless on next boot. Also, if some tools can unlock locked files, malware also can.
solcroft
September 29th, 2007, 06:39 PM
{QUOTE-> So obviously it's not just a KAV problem... <-QUOTE}
I'm sorry, but how did that get implied?
The only reason such attacks exist is because of KAV. For KAV users, their AV gets shut down. But even if one doesn't use KAV, it's still annoying to have the system date reset to 01-01-2000, especially if I'm a user of a HIPS program, which are judged on their ability to control every aspect of process activity and should be able to block everything a malware tries to do.
{QUOTE-> So with all these free solutions, why bother changing? They are protecting their interests (against piracy), while other companies benefit (from product innovation). <-QUOTE}
You're effectively saying a company doesn't need to patch their software because it should be the user's job to figure out how to mitigate vulnerabilities by themselves. Er... hello?
{QUOTE-> Not really. You can delete almost everything, including it's updates and engine files, leading it useless next boot. Also, if some tools can unlock locked files malwares also can. <-QUOTE}
True. But then, this is (a) not product-specific, as it applies to every other product, and there is little individual software vendors can do to remedy this, and (b) nowhere near how widely-exploited the Kaspersky date bug is.
Again, the problem isn't that Kaspersky can be circumvented. It's that it can be easily done, has been easily done, and continues to be easily done on a wide scale. Kaspersky obviously knows about this, yet chooses to stay silent for I'm not sure how long, since I only learned of this problem during November last year. And besides, while some may claim that this date bug is Kaspersky's effort to combat piracy, part of KAV's market share in China is, indeed, due to its tolerance towards pirated copies of its software.
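The post above argues that a HIPS should catch a process resetting the system clock. Windows itself records every clock change as Security event 4616 ("The system time was changed"; the XP-era equivalent is event 520) once auditing of security state changes is on, so the same thing can be caught after the fact from the log. The following is an added example, not code from the thread or from any vendor: it assumes the 4616 events have been exported as dicts carrying the event's EventData fields (PreviousTime, NewTime, ProcessName) with the times as ISO-8601 UTC strings, and the sample events, the 5-minute threshold and the allow-listed process are constructed assumptions to adjust per environment.

```python
"""Detect system-clock rollbacks from Windows Security log events.

Added example, not code from the thread or from any vendor. Assumes
Security event 4616 ("The system time was changed") has been exported
with its EventData fields as dicts, PreviousTime/NewTime as ISO-8601
UTC strings and ProcessName as the full path of the caller.
"""
from datetime import datetime, timedelta

# Assumption: a backward jump bigger than this is not drift correction.
MAX_BACKWARD = timedelta(minutes=5)

# Processes expected to adjust the clock legitimately. Assumption: the
# Windows Time service runs inside svchost.exe; extend for other NTP clients.
ALLOWED_PROCESSES = {r"c:\windows\system32\svchost.exe"}


def rollback_amount(ev):
    """How far backwards the clock was moved; zero or negative means it
    was moved forwards (or not at all)."""
    prev = datetime.fromisoformat(ev["PreviousTime"])
    new = datetime.fromisoformat(ev["NewTime"])
    return prev - new


def is_suspicious_rollback(ev, max_backward=MAX_BACKWARD, allowed=ALLOWED_PROCESSES):
    """True when a 4616 event records a large backward jump made by a
    process that is not on the allow list."""
    if ev.get("EventID") != 4616:
        return False
    if rollback_amount(ev) <= max_backward:
        return False
    return ev.get("ProcessName", "").lower() not in allowed


def find_rollbacks(events, **kw):
    """Filter a sequence of exported events down to suspicious rollbacks."""
    return [ev for ev in events if is_suspicious_rollback(ev, **kw)]


# Constructed sample events (not real log data).
SAMPLE_EVENTS = [
    # w32time nudging the clock back three seconds: benign
    {"EventID": 4616, "ProcessName": r"C:\Windows\System32\svchost.exe",
     "PreviousTime": "2007-09-29T14:19:03+00:00",
     "NewTime":      "2007-09-29T14:19:00+00:00"},
    # an installer setting the clock to 1986: the trick the thread describes
    {"EventID": 4616, "ProcessName": r"C:\Users\test\Downloads\setup.exe",
     "PreviousTime": "2007-09-29T14:20:00+00:00",
     "NewTime":      "1986-01-01T00:00:00+00:00"},
    # clock moved forward by an hour: not a rollback
    {"EventID": 4616, "ProcessName": r"C:\Windows\System32\rundll32.exe",
     "PreviousTime": "2007-09-29T14:21:00+00:00",
     "NewTime":      "2007-09-29T15:21:00+00:00"},
    # unrelated event id is ignored
    {"EventID": 4624, "ProcessName": r"C:\Windows\System32\winlogon.exe"},
]

if __name__ == "__main__":
    for ev in find_rollbacks(SAMPLE_EVENTS):
        print(f"clock rolled back {rollback_amount(ev)} by {ev['ProcessName']}")
```

Two caveats. Changing the clock needs SeSystemtimePrivilege, which Administrators hold by default, so on a machine where the user runs as Administrator (the norm on XP) any program they launch can call SetSystemTime and this audit trail, or a HIPS prompt, is the only thing standing in the way. And a log-based check is reactive: by the time the 4616 event is written the licence check in the post has already failed, so the event is evidence for incident response, not a substitute for the vendor fixing the licence logic.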
scirious
September 29th, 2007, 07:19 PM
{QUOTE->
True. But then, this is (a) not product-specific, as it applies to every other product, and there is little individual software vendors can do to remedy this, and (b) nowhere near how widely-exploited the Kaspersky date bug is.
Again, the problem isn't that Kaspersky can be circumvented. It's that it can be easily done, has been easily done, and continues to be easily done on a wide scale. Kaspersky obviously knows about this, yet chooses to stay silent for I'm not sure how long, since I only learned of this problem during November last year. And besides, while some may claim that this date bug is Kaspersky's effort to combat piracy, part of KAV's market share in China is, indeed, due to its tolerance towards pirated copies of its software.
<-QUOTE}
I can't really argue about how much it is exploited, but the easiness is the same. And it doesn't apply to every program. With self-protection enabled, KAV files can't be deleted. Neither can NAV's or BitDefender 2008's (don't know about previous versions). And ESS seems to be able to protect itself this way too. But it won't be developed for NOD v2.
solcroft
September 29th, 2007, 07:36 PM
{QUOTE-> I can't really argue about how much it is exploited, but the easiness is the same. And it doesn't apply to every program. With self-protection enabled, KAV files can't be deleted. Neither can NAV's or BitDefender 2008's (don't know about previous versions). And ESS seems to be able to protect itself this way too. But it won't be developed for NOD v2. <-QUOTE}
Do they watch the PendingFileRenameOperations and/or BootExecute registry keys so their files don't get wiped out upon reboot? You mentioned this method of bypassing protection yourself. Again, also like you mentioned, programs that bypass the normal Windows API have no problems deleting such locked files. I'd be surprised if IceSword didn't work on them.
Just for the record, ESS still gets wiped out by three lines of code in a batch file. Its "self-protection" is really non-existent, it's just that its service is set to automatically restart every time ekrn.exe gets terminated. I have never used BD and haven't touched Symantec for years, so I can't comment about them. But my point remains - Kaspersky has ignored a widely-attacked exploit for a hell of a lot longer than necessary. Claiming that all software has weaknesses is not a good defense in this case, and according to Sjoeii it seems that Kaspersky is finally acknowledging this issue.
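The two registry values the post asks about are easy to audit. PendingFileRenameOperations (under HKLM\SYSTEM\CurrentControlSet\Control\Session Manager) is a REG_MULTI_SZ written by MoveFileEx with MOVEFILE_DELAY_UNTIL_REBOOT: consecutive pairs of strings, source then destination, where an empty destination means "delete at next boot" and a leading "!" on the destination means replace an existing file. BootExecute, in the same key, is a REG_MULTI_SZ of native programs that smss.exe runs before any service (including an AV engine) has started; its default is "autocheck autochk *". Both run outside the window in which a product's self-protection driver is loaded, which is why a HIPS that watches these values catches reboot-time deletion that file locking alone does not. The following is an added example, not code from the thread or from any vendor: the protected directories, the queued entries and the extra BootExecute entry are constructed assumptions, and the live-read helper only works on Windows.

```python
"""Audit the reboot-time delete/rename queue and BootExecute for entries
that target a security product.

Added example, not from the thread or any vendor. The protected directory
list and all sample registry data below are constructed assumptions.
"""

SESSION_MANAGER = r"SYSTEM\CurrentControlSet\Control\Session Manager"
DEFAULT_BOOTEXECUTE = {"autocheck autochk *"}

# Assumption: install paths of the products to protect; adjust per machine.
PROTECTED_DIRS = (
    r"c:\program files\kaspersky lab",
    r"c:\program files\eset",
)


def _normalize(path):
    """Strip the '!' (replace-existing) and '\\??\\' (NT path) markers that
    MoveFileEx writes, and lower-case for comparison."""
    p = path.strip()
    if p.startswith("!"):
        p = p[1:]
    if p.startswith("\\??\\"):
        p = p[4:]
    return p.lower()


def parse_pending_renames(multi_sz):
    """Return (source, destination) pairs; destination '' means delete.
    A trailing unpaired string (seen on some systems) is ignored."""
    ops = []
    for i in range(0, len(multi_sz) - 1, 2):
        src, dst = multi_sz[i], multi_sz[i + 1]
        ops.append((_normalize(src), _normalize(dst) if dst else ""))
    return ops


def flag_pending_renames(multi_sz, protected=PROTECTED_DIRS):
    """List queued operations whose source lives under a protected dir."""
    flagged = []
    for src, dst in parse_pending_renames(multi_sz):
        if src.startswith(protected):
            action = "delete" if dst == "" else "rename to " + dst
            flagged.append((src, action))
    return flagged


def flag_bootexecute(multi_sz, known=DEFAULT_BOOTEXECUTE):
    """List BootExecute entries other than the stock autochk line."""
    known_lc = {k.lower() for k in known}
    return [e.strip() for e in multi_sz
            if e.strip() and e.strip().lower() not in known_lc]


def read_live():
    """Windows only: read both values from the registry and flag them."""
    import winreg
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, SESSION_MANAGER) as key:
        try:
            pending, _ = winreg.QueryValueEx(key, "PendingFileRenameOperations")
        except FileNotFoundError:
            pending = []          # value is absent when nothing is queued
        boot, _ = winreg.QueryValueEx(key, "BootExecute")
    return flag_pending_renames(pending), flag_bootexecute(boot)


# Constructed sample values (not captured from a real system).
SAMPLE_PENDING = [
    # an installer replacing its own file: benign
    r"\??\C:\Windows\Temp\patch.tmp", r"!\??\C:\Program Files\SomeApp\app.exe",
    # the AV's main executable queued for deletion at next boot
    r"\??\C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe", "",
    # the ESS service binary moved out of the way instead of deleted
    r"\??\C:\Program Files\ESET\ESET Smart Security\ekrn.exe",
    r"\??\C:\Windows\Temp\ekrn.old",
]
SAMPLE_BOOTEXECUTE = ["autocheck autochk *", "nativewiper"]

if __name__ == "__main__":
    for src, action in flag_pending_renames(SAMPLE_PENDING):
        print(f"queued: {action}: {src}")
    for entry in flag_bootexecute(SAMPLE_BOOTEXECUTE):
        print(f"unexpected BootExecute entry: {entry}")
```

Run read_live() from an elevated prompt to check a real machine; the offline functions take the same list-of-strings shape that winreg returns for a REG_MULTI_SZ, so the constructed data exercises exactly the parsing that a live read would. Clearing a malicious entry from PendingFileRenameOperations before the reboot is enough to cancel the queued deletion, but an attacker who could write that value could equally write it again, so the check is a detection, not a fix.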
steve1955
September 30th, 2007, 10:50 AM
{QUOTE-> Do they watch the PendingFileRenameOperations and/or BootExecute registry keys so their files don't get wiped out upon reboot? You mentioned this method of bypassing protection yourself. Again, also like you mentioned, programs that bypass the normal Windows API have no problems deleting such locked files. I'd be surprised if IceSword didn't work on them.
Just for the record, ESS still gets wiped out by three lines of code in a batch file. Its "self-protection" is really non-existent, it's just that its service is set to automatically restart every time ekrn.exe gets terminated. I have never used BD and haven't touched Symantec for years, so I can't comment about them. But my point remains - Kaspersky has ignored a widely-attacked exploit for a hell of a lot longer than necessary. Claiming that all software has weaknesses is not a good defense in this case, and according to Sjoeii it seems that Kaspersky is finally acknowledging this issue. <-QUOTE}
Who is daft enough to allow a batch file to run without knowing what it contains? These things are OK in theory or when you're experimenting on your own PC, but to get a batch file to run on a remote PC with no user input??
solcroft
September 30th, 2007, 01:41 PM
{QUOTE-> Who is daft enough to allow a batch file to run without knowing what it contains? These things are OK in theory or when you're experimenting on your own PC, but to get a batch file to run on a remote PC with no user input?? <-QUOTE}
Trojans and other malware that use exploits typically run without user input, but of course you probably didn't know that. ;)
It doesn't have to be a batch file. An exe that contains instructions to delete the ekrn service will do the same trick, it's just that a batch file is the easiest method to do it and can be written by virtually anyone with minimal programming knowledge.
BlueZannetti
September 30th, 2007, 07:28 PM
This thread is done. Too many off-topic excursions and personal comments.
Later.
Blue