Stopping virii from shutting down AV
cfp999
August 3rd, 2002, 07:03 AM
A couple of months ago I was hit by the "Klez" virus because a family member opened an attachment in Outlook. I had F-Prot 3.12 running, but "Klez" simply shut it down and ruined the executable. Which antivirus programs can handle attempts by virii to shut them down ('cause F-Prot certainly cannot)? I mean, they are not of much use if that can happen. Furthermore, is it possible to use Windows 2000 permissions to protect antivirus applications? Suggestions are welcome.
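On the Windows 2000 permissions question in the post above, an added example (the editor's, not from anyone in the thread): an NTFS ACL that stops a standard user, and therefore any malware running as that user, from overwriting or deleting the scanner's files, the way Klez "ruined the executable". The directory path is an assumption; the tools are the current ones (PowerShell and icacls), the Windows 2000-era equivalent being cacls with /G Users:R.

```powershell
# Added example, not from the thread. Run once from an elevated prompt.
# Assumption: the scanner is installed under this directory.
$avDir = 'C:\Program Files\F-Prot'

# Drop inherited ACEs so the tree gets an explicit ACL, then grant:
#   Administrators / SYSTEM : Full control (the service and updater need it)
#   Users                   : Read & Execute only (no Write, no Delete)
icacls $avDir /inheritance:r
icacls $avDir /grant:r 'BUILTIN\Administrators:(OI)(CI)F' `
                       'NT AUTHORITY\SYSTEM:(OI)(CI)F' `
                       'BUILTIN\Users:(OI)(CI)RX'

# Check: no file under the tree may allow Write/Modify/Delete/Full to a
# broad principal. Anything listed here is a file malware could replace.
function Get-WeakAvAces {
    param([string]$Path)
    Get-ChildItem $Path -Recurse -File | ForEach-Object {
        $file = $_.FullName
        foreach ($ace in (Get-Acl $file).Access) {
            if ($ace.AccessControlType -eq 'Allow' -and
                $ace.IdentityReference -match 'Users|Everyone|Authenticated Users' -and
                $ace.FileSystemRights -match 'Write|Modify|FullControl|Delete') {
                [pscustomobject]@{ File = $file; Principal = $ace.IdentityReference; Rights = $ace.FileSystemRights }
            }
        }
    }
}

$weak = Get-WeakAvAces -Path $avDir
if ($weak) { $weak | Format-Table -AutoSize } else { "No writable ACEs for standard users under $avDir" }
```

Two caveats a practitioner should keep in mind. First, this protects only the files on disk: killing the running scanner needs PROCESS_TERMINATE on the process, not write access to its executable, so the ACL does nothing against the "what runs first, strikes first" problem discussed below. Second, it only helps if the account opening mail is a standard user; malware running as Administrator (the usual setup on a home Windows 2000 box) simply ignores the ACL.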
wizard
August 3rd, 2002, 07:36 AM
Theoretically there is no way to protect AV (or AT software) against attacks from running malware. The principle is simple: what runs first, strikes first.
wizard
DrSeltsam
August 3rd, 2002, 07:40 AM
There is a way ;o). ANTS 3.0 can block process manipulations ;o).
Paul Wilders
August 3rd, 2002, 07:59 AM
Quoting Andreas Haak:
> There is a way ;o). ANTS 3.0 can block process manipulations ;o).
Andreas, correction: there will be a way - as soon as ANTS v3.0 is out of RC1 and ready for use 8)
regards.
paul
cfp999
August 3rd, 2002, 09:08 AM
I think there's an option to password protect processes in AVP as well, but I kind of hate the newer versions so I haven't tried it. What is ANTS 3.0?
Paul Wilders
August 3rd, 2002, 09:37 AM
Hi cfp999,
> I think there's an option to password protect processes in AVP as well
Most good AVs do have this option implemented nowadays. I would not rely on these blindly, though.
> What is ANTS 3.0 ??
Have a look over on the "other anti-trojan software" forum. You'll find the info needed over there.
regards.
paul
cfp999
August 3rd, 2002, 09:56 AM
Thanks!
Paul Wilders
August 3rd, 2002, 09:57 AM
My pleasure ;)
regards.
paul
DrSeltsam
August 3rd, 2002, 10:08 AM
>Andreas, correction: there will be a way - as soon as ANTS v3.0 is out of RC1 and
>ready for use 8)
The current beta is able to block process manipulations, too ;o).
Paul Wilders
August 3rd, 2002, 10:29 AM
> The current beta is able to block process manipulations, too
Good to hear so. Nevertheless, a fully tested RC1, followed by the official release, will prevent "common users" from using an app that's not completely "ironed out" as far as possible bugs and incompatibilities are concerned. There are Betas and RCs for good reasons, don't you agree? ;)
regards.
paul
DrSeltsam
August 3rd, 2002, 10:30 AM
Of course I agree.
Paul Wilders
August 3rd, 2002, 10:33 AM
Quoting Andreas Haak:
> Of course I agree.
Seems we have an understanding; I do agree with your statement above as well ;D ;D
regards.
paul
spy1
August 3rd, 2002, 10:38 AM
;D How many does it take to make a quorum again? Pete
controler
August 3rd, 2002, 10:46 AM
Spy 1 did you get your copy of ANTS 3.0 RC1 yet?
I tried the scan engine and then never saw any more updates to it. All I got is the scan engine, not a full RC1.
When running the update all I get is the same sig file.
spy1
August 3rd, 2002, 10:52 AM
Hey, controler! Nope, not yet! Pete
Technodrome
August 3rd, 2002, 11:36 AM
Sophos AV is almost impossible to shut down from a memory process. Virii (if trying from MP) won't be able to shut it down unless the Sophos directory is completely deleted!
Technodrome
DrSeltsam
August 3rd, 2002, 01:19 PM
Put the thread into debug mode and terminate it - where is the problem? *fg*
root
August 3rd, 2002, 08:08 PM
RegRun is a nice little program that will keep processes from being terminated, or at least warn you if it is. ;)
DrSeltsam
August 4th, 2002, 10:52 AM
Does it prevent the termination, or does it only warn and restart the process?
root
August 4th, 2002, 05:48 PM
Hi Andreas. You know, I really haven't dug into that yet. I have several files that are watched, but have never had any of them messed with.
I do know that with watchdog enabled, whenever certain changes are made to the registry, I get a popup notifying me and asking if I want to keep the change.
RegRun has a forum at Becky's.
DrSeltsam
August 4th, 2002, 06:15 PM
OK - but does it warn if your KAV was kicked out of your memory? ;o) ANTS 3.0 does it - and it doesn't only warn, it PREVENTS it. Only if you say "yes, it's OK if this process is modified/terminated" can it get access ;o).
Gavin - DiamondCS
August 6th, 2002, 03:49 AM
TDS4 products will include process protection
For now, JUST RENAME all your AV products' EXE files and their reg keys and you won't have a problem :)
DrSeltsam
August 6th, 2002, 08:02 AM
No - that's partly wrong. Do you know Next Generation Killer? If not, I will send it to you. It detects the process using class and window names :-). It won't help if you simply "rename" the file.
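The two posts above disagree on whether renaming the AV executable helps. As an added example (the editor's, not code from the thread or from any of the products named in it), this PowerShell function does what the second post describes: it enumerates top-level windows and matches on the window class name, so the image file name never enters into it. The demonstration copies the classic notepad.exe (window class "Notepad" on Windows 10 and earlier; an assumption) under an unrelated name and locates it anyway.

```powershell
# Added example, not from the thread. Locates a process by the class name
# of one of its top-level windows; the executable's file name is irrelevant.
$src = @'
using System;
using System.Runtime.InteropServices;
using System.Text;
public static class WinEnum {
    public delegate bool EnumWindowsProc(IntPtr hWnd, IntPtr lParam);
    [DllImport("user32.dll")]
    public static extern bool EnumWindows(EnumWindowsProc cb, IntPtr lParam);
    [DllImport("user32.dll", CharSet = CharSet.Unicode)]
    public static extern int GetClassName(IntPtr hWnd, StringBuilder sb, int max);
    [DllImport("user32.dll")]
    public static extern uint GetWindowThreadProcessId(IntPtr hWnd, out uint pid);
}
'@
Add-Type -TypeDefinition $src

function Find-ProcessByWindowClass {
    param([Parameter(Mandatory)][string]$ClassName)
    $hits = New-Object 'System.Collections.Generic.List[object]'
    # The callback runs synchronously on this thread inside EnumWindows;
    # GetNewClosure() binds $ClassName and $hits for it.
    $cb = [WinEnum+EnumWindowsProc]({
        param([IntPtr]$hWnd, [IntPtr]$lParam)
        $sb = New-Object System.Text.StringBuilder 256
        [void][WinEnum]::GetClassName($hWnd, $sb, $sb.Capacity)
        if ($sb.ToString() -eq $ClassName) {
            $procId = [uint32]0
            [void][WinEnum]::GetWindowThreadProcessId($hWnd, [ref]$procId)
            $proc = Get-Process -Id $procId -ErrorAction SilentlyContinue
            $hits.Add([pscustomobject]@{ Class = $ClassName; PID = $procId; Image = $proc.Path; hWnd = $hWnd })
        }
        return $true   # keep enumerating
    }.GetNewClosure())
    [void][WinEnum]::EnumWindows($cb, [IntPtr]::Zero)
    return $hits
}

# Demonstration: run notepad under a made-up file name and find it by class.
# Assumption: classic notepad.exe, whose main window class is "Notepad".
$renamed = Join-Path $env:TEMP 'totally_not_notepad.exe'
Copy-Item "$env:WINDIR\System32\notepad.exe" $renamed
$p = Start-Process $renamed -PassThru
Start-Sleep -Seconds 2
Find-ProcessByWindowClass -ClassName 'Notepad' | Format-Table -AutoSize
$p | Stop-Process
Remove-Item $renamed
```

The defender's use of the same function is the reverse check: run it against the class names your own scanner's windows expose (Spy++ or the same GetClassName call will show them) and you see exactly what a process killer sees, rename or no rename. Hiding the file name is obscurity; what actually stops a same-privilege killer is something that refuses the process handle, which is the "process protection" the ANTS and TDS posts in this thread are talking about.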
Copyright ©2002 - 2013, Wilders Security Forums