Bug? ekrn.exe can be terminated by users!

Discussion in 'ESET Smart Security' started by rahx, Nov 13, 2007.

Thread Status:
Not open for further replies.
  1. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,456
    The self-protection will certainly be improved in the future. Some of you have referred to products that do not allow renaming their executables. Though this is actually quite strong protection, we assume it intervenes in the system in a manner that may cause serious problems.
     
  2. bluesprite

    bluesprite Registered Member

    Joined:
    Apr 11, 2007
    Posts:
    71

    Your assumption is unsupported by evidence. I believe that malware disabling security may cause way more serious problems. I hope that you will make implementing an adequate self-protection a priority, because obviously it's a serious issue to many users. :)



    Too bad this didn't draw sufficient attention back then.
     
  3. _Rupert_

    _Rupert_ Registered Member

    Joined:
    Jan 3, 2006
    Posts:
    61
    Location:
    United Kingdom
    Thank you for posting Marcos.

    I've actually reverted back to NOD 2.7 due to other problems with 3.0, but it seems that 2.7 can also be easily terminated, using the same method by renaming nod32krn.exe. Something that I assumed NOD would have resisted in the years I've been using V2 :(
     
  4. soulstace

    soulstace Registered Member

    Joined:
    Nov 14, 2007
    Posts:
    5
    ZoneAlarm seemed to have decent protection, i.e. try to terminate vsmon: Access Denied. ZA actually protects its own startup registry keys as well.

    This is what I meant by anti-rootkit technology. You hook operating system functions and prevent termination.

    ProcessGuard can help prevent shut down of ekrn. At least on Windows XP.
     
  5. demonio

    demonio Registered Member

    Joined:
    Oct 21, 2007
    Posts:
    48
  6. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,456
  7. demonio

    demonio Registered Member

    Joined:
    Oct 21, 2007
    Posts:
    48
    I have already sent new Bagle-infected files (Win32/Bagle.KT (3), Win32/Bagle.KU (2)), but before you upgrade signatures, Ekrn.exe is killed :'(
     
  8. crummock

    crummock Registered Member

    Joined:
    Aug 19, 2004
    Posts:
    198
    This seems to prove the point that a modern security suite should have first-rate self-defense built in. After all, once the suite is shut down, you are open to whatever is coming your way.

    I know that with sensible browsing habits etc. most malware can be avoided but security software like ESS is supposed to guard against the mistakes we make.

    I've been a NOD32 supporter for years, but this lack of self-defense in a product designed for 2008 does concern me.

    It should be pretty much impossible to shut down your security suite except in safe mode these days.
     
  9. rahx

    rahx Registered Member

    Joined:
    Nov 13, 2007
    Posts:
    22

    Actually I think I know the guy who posted that one. He told me that post was closed for some reason and that's why I posted mine.

    Plus, that was in October, ESS/EAV was still in beta back then and now it still persists in the official release.
     
  10. SteveBlanchard

    SteveBlanchard Registered Member

    Joined:
    Nov 4, 2007
    Posts:
    312
    Location:
    ENGLAND
    You've probably answered my question: should I go to 3.0?
    But if 3.0 has the same kernel renaming error, then TBH I'll be going elsewhere, or, like Rupert, use 2.7 and an external firewall.
     
  11. Palombaro

    Palombaro Registered Member

    Joined:
    May 13, 2005
    Posts:
    77
    Location:
    UK
    Does anybody know of any developments on this bug? Have ESET acknowledged it as a problem?
     
  12. ASpace

    ASpace Guest

    This isn't a bug, which is very important to note. This is by design, and there are no known threats that exploit it. Moreover, each and every threat that tries to kill ESET's protection is detected by ESET Smart Security and ESET NOD32 Antivirus.
     
  13. Palombaro

    Palombaro Registered Member

    Joined:
    May 13, 2005
    Posts:
    77
    Location:
    UK
    Ok, thanks for the info. Is your view generally accepted?
     
  14. ASpace

    ASpace Guest

    I don't know, but who cares?
     
  15. Zkal

    Zkal Registered Member

    Joined:
    May 20, 2007
    Posts:
    5
    Just FYI, if you have installed ESS to Program Files in Vista, you cannot rename or delete ekrn.exe without elevation. Just tried with both CMD and Explorer. CMD gives "access is denied" and Explorer gives me the possibility to elevate. Of course, this only applies to the Program Files folder located on the same logical partition as your Vista. If you install anywhere else, you will have to manually restrict access to that location so that you won't be able to rename or delete ekrn.exe.
     
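Zkal's observation above, that the Program Files ACL is what blocks an unelevated rename and that a custom install location needs the same restriction applied by hand, can be checked rather than assumed. The following PowerShell script is an added example, not code from this thread or from ESET: it resolves the binary behind a Windows service and lists every access control entry that grants a non-administrative principal the right to rename, delete or overwrite that executable or its parent folder. The service name `ekrn` is an assumption taken from the ekrn.exe process discussed here (pass `-ServiceName` to override it), and the trusted-principal list is the standard set that holds write rights under Program Files.

```powershell
<#
  Added example, not part of the thread or of ESET's own tooling.
  Audits whether non-administrative principals hold rights that would let them
  rename, delete or overwrite a security product's service binary.
  'ekrn' as the service name is an assumption based on the ekrn.exe process
  named in the thread; pass -ServiceName to override it.
#>
param(
    [string]$ServiceName = 'ekrn'
)

Set-StrictMode -Version Latest

# Rights on the file itself that allow replacing or removing it.
$fileTamper = [System.Security.AccessControl.FileSystemRights]'Delete, WriteData, AppendData, WriteAttributes, ChangePermissions, TakeOwnership'
# Rename and delete of a file are also governed by the parent directory's ACL.
$dirTamper  = $fileTamper -bor [System.Security.AccessControl.FileSystemRights]::DeleteSubdirectoriesAndFiles

# Principals that legitimately hold write rights under Program Files.
$trustedPrincipals = @(
    'NT AUTHORITY\SYSTEM',
    'BUILTIN\Administrators',
    'NT SERVICE\TrustedInstaller',
    'CREATOR OWNER'
)

function Get-ServiceBinaryPath {
    param([string]$Name)
    $svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='$Name'"
    if (-not $svc) { throw "Service '$Name' not found" }
    # PathName may be quoted and may carry arguments; keep the executable only.
    $path = $svc.PathName.Trim()
    if ($path.StartsWith('"')) {
        return $path.Substring(1, $path.IndexOf('"', 1) - 1)
    }
    return ($path -split ' ')[0]
}

function Get-TamperCapableAces {
    param(
        [string]$Path,
        [System.Security.AccessControl.FileSystemRights]$Rights
    )
    $acl = Get-Acl -LiteralPath $Path
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne [System.Security.AccessControl.AccessControlType]::Allow) { continue }
        if ($trustedPrincipals -contains $ace.IdentityReference.Value) { continue }
        # Generic rights can appear as raw integers, so compare the integer mask.
        if (([int]$ace.FileSystemRights -band [int]$Rights) -ne 0) {
            [pscustomobject]@{
                Path      = $Path
                Identity  = $ace.IdentityReference.Value
                Rights    = $ace.FileSystemRights
                Inherited = $ace.IsInherited
            }
        }
    }
}

$exe = Get-ServiceBinaryPath -Name $ServiceName
$dir = Split-Path -Path $exe -Parent

# Check the binary and the directory that holds its name.
$findings = @(Get-TamperCapableAces -Path $exe -Rights $fileTamper) +
            @(Get-TamperCapableAces -Path $dir -Rights $dirTamper)

if ($findings.Count -eq 0) {
    Write-Output "OK: only trusted principals can rename, delete or overwrite $exe"
} else {
    Write-Output "WARNING: the following ACEs allow tampering with the service binary:"
    $findings | Format-Table -AutoSize
}
```

Reading ACLs under Program Files does not require elevation, so the script can be run as a standard user to see exactly what that user could do to the binary. When the product lives outside Program Files, the listed identities are the ones whose write, delete and ownership rights would have to be removed from that folder to match the default protection Zkal describes.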
  16. stueycaster

    stueycaster Registered Member

    Joined:
    Apr 22, 2005
    Posts:
    293
    Location:
    Indianapolis
    I'm so glad you people are on top of this. I've been so wrapped up in my own little problem that I didn't pay attention to this at all.

    It seems like one shouldn't be able to kill the process no matter what doesn't it? The only way of killing it should be to uninstall it.

    Good job guys. :thumb:
     
  17. Palombaro

    Palombaro Registered Member

    Joined:
    May 13, 2005
    Posts:
    77
    Location:
    UK
    Probably anybody who is thinking about installing ESS is the rather obvious answer
     
  18. ASpace

    ASpace Guest


    Who cares about my opinion, my view... ;)


    You talk about this like it is something widespread. Have any of you ever had a problem with this? I don't think so :)
     
  19. stueycaster

    stueycaster Registered Member

    Joined:
    Apr 22, 2005
    Posts:
    293
    Location:
    Indianapolis
    It's just a little scary (in some people's minds really scary) to think that your security software could stop working without you being aware. The administrator being a newbie, your children playing around or malware written to purposefully do this could conceivably shut it down.

    A lot of us (myself included) probably don't know as much about computers as you do. You have to allow us to feel the way that we can't help but feel.
     
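stueycaster's concern above is that the security software could stop and nobody would notice. One way to make such a stop visible after the fact, given here as an added example that is not code from this thread or from ESET, is to query the System event log for Service Control Manager records about the product's service: Event IDs 7031 and 7034 are written when a service terminates unexpectedly, and 7036 on every state change. The script keeps only records whose text names the service's display name, then reports the service's current state as well, so a stop that has already rolled out of the log is still caught. The service name `ekrn` is again an assumption taken from the process name in this thread, and the message-text match assumes an English-language Windows.

```powershell
<#
  Added example, not part of the thread or of ESET's own tooling.
  Lists Service Control Manager events showing that a security product's
  service stopped or terminated, and reports its current state.
  'ekrn' as the service name is an assumption; pass -ServiceName to override.
  Message text matching assumes English Windows event strings.
#>
param(
    [string]$ServiceName = 'ekrn',
    [int]$Hours = 24
)

Set-StrictMode -Version Latest

# SCM writes the service's display name into its event text, so resolve it first.
$svc = Get-Service -Name $ServiceName -ErrorAction Stop
$display = $svc.DisplayName

$filter = @{
    LogName      = 'System'
    ProviderName = 'Service Control Manager'
    Id           = 7031, 7034, 7036   # 7031/7034: terminated unexpectedly; 7036: state change
    StartTime    = (Get-Date).AddHours(-$Hours)
}

function Get-ServiceEventDescription {
    param($Event)
    switch ($Event.Id) {
        7031 { 'terminated unexpectedly (recovery action configured)' }
        7034 { 'terminated unexpectedly' }
        7036 {
            # 7036 is also logged for normal starts; keep only the stop transitions.
            if ($Event.Message -match 'entered the stopped state') { 'entered the stopped state' } else { $null }
        }
    }
}

# Get-WinEvent throws when no record matches, hence SilentlyContinue.
$events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -like "*$display*" }

$reported = 0
foreach ($e in $events) {
    $what = Get-ServiceEventDescription -Event $e
    if ($what) {
        '{0:u}  {1}  {2}' -f $e.TimeCreated, $display, $what
        $reported++
    }
}
if ($reported -eq 0) {
    Write-Output "No stop or termination events for '$display' in the last $Hours hour(s)."
}

# Current state, so a silent stop is caught even if the log has rolled over.
$svc = Get-Service -Name $ServiceName
if ($svc.Status -ne 'Running') {
    Write-Warning "$display is currently $($svc.Status)"
}
```

A binary that has been renamed does not remove the service registration, so `Get-Service` still resolves the name and reports it as stopped; that final check is what turns the silent failure into an explicit warning. Scheduling the script or feeding the same event filter into a log collector gives the awareness the post asks for without relying on the product's own self-protection.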
  20. OMEGA_RAZER

    OMEGA_RAZER Registered Member

    Joined:
    Apr 11, 2007
    Posts:
    94
    Location:
    24.24.2.2147
    I thought about installing it and still installed it ;)
     
  21. stueycaster

    stueycaster Registered Member

    Joined:
    Apr 22, 2005
    Posts:
    293
    Location:
    Indianapolis
    I think it should be protected from anything that anybody might do to it short of uninstalling but I'm really not very concerned. I'm sure it will be taken care of. Like Hitech said, anything that might try to kill it will probably be blocked from getting in anyway. I'm going to continue using ESS without worry.
     
  22. bluesprite

    bluesprite Registered Member

    Joined:
    Apr 11, 2007
    Posts:
    71
    ESS doesn't block a BAT file containing the commands to disable ESS, however unlikely it is that you'd ever encounter such a file on the internet or in an email. Just pointing out that it doesn't take an executable virus to disable it.
     
  23. nodHead

    nodHead Registered Member

    Joined:
    Sep 23, 2007
    Posts:
    85
    Customers care. Actually. :cautious:

    ~Off topic comment removed. - Ron~ ESET has only just flagged this as something to be looked into in the future.

    :ouch:
     
    Last edited by a moderator: Nov 18, 2007
  24. stueycaster

    stueycaster Registered Member

    Joined:
    Apr 22, 2005
    Posts:
    293
    Location:
    Indianapolis
    Ok. I stand corrected. I'm sure they'll fix it.
     
  25. crummock

    crummock Registered Member

    Joined:
    Aug 19, 2004
    Posts:
    198
    Hi,

    I think ESET have fixed this issue and not told us.

    I had reason to want to stop ESS completely today but found I could not rename ekrn.exe and it reported that file was in use and could not be altered.

    This seems to be a significant improvement.

    Unless I'm wrong then.... well done ESET.
     