#1
I was playing with some tools and I was able to delete antivirus products, antimalware products, firewalls. I'm not going to say how I killed them in public before I'm sure that this is a vulnerability. I managed to disable the product to a non-working condition, but before that, it's a very simple way. Anyway, I just wanted to be sure that the problem exists and I'm not infected with some virus that makes the product less powerful. So how do products protect themselves?? Note: it's a very simple way, no invention in it. I don't want to say it out loud for obvious reasons. AV employees, PM me to tell you how I managed to do it.
__________________
Spyshelter Premuim + MBAM Pro +Avast Free + Hardend FireFox + Secunia Update Checker "Uncommon sense will increase your privacy; common sense will just make you common." "The Worst Thing in the World is To look and not be able to Help " Last edited by Ranget : April 15th, 2012 at 11:31 AM.
#2
Timely topic!
The very reason why, as part of my security makeup, I take a page straight from malware makers' own devious designs themselves and field hidden drivers that BLOCK loading their wares by virtue of their own rootkits & securely nested in an alternate data stream. Only my AV knows for sure.
__________________
★AX 64 Time Machine★
★Shadow Defender★
Maxthon 4 | X Iron 17.0 | Chromium 19.0 | Pale Moon 20.1
¶Microsoft Windows 8 64bit (UEFI/GPT) Secure Boot¶
¶Linux Mint 14 MATE¶
#3
But it's a simple way using a free tool.
Tried more than one; I managed to disable the software, including MBAM.
#4
Quote:
#5
I don't know if the program I used has a driver installed.
It's a very simple program, not used to delete malware.
#6
Before we go further in any sort of discussion, we need to know the name of the tool. If it's widely available and not some specialized code created for the sole purpose of terminating AVs, it's not forbidden to state which tool it is.
#7
Well, MBAM's process can be terminated by using any process manager,
even the normal Task Manager. As for Comodo, I was able to delete the config password using Regedit (admin) in Normal Mode while Comodo was running.
#8
Tried UltraVirusKiller (UVK).
Killed everything, deleted everything, and I was able to terminate most of the programs.
#9
If a program loads a driver, i.e. has admin rights, it can do almost everything in terms of killing.
There is no solution in terms of Windows architecture. You need to do anything to avoid this situation: autosandbox the malware, reduce its rights, detect it first. It's simply a fact that, of course, we do not want to recognize, and we ask the antivirus companies for a miracle...
__________________
avast! team member
#10
As mentioned already, if something is allowed to execute and that something is with bad intent, then what it can do is only limited by the ability of whoever created it.
__________________
once we only had ideals, today they are the only things we are missing Microsoft MVP, 2006 - 2013/14
#11
Quote:
If you can get an exploit to run that and direct it against the AV executable, you probably could just right-click quit the prog remotely. So unless you use some other protection like a password, exploits of this sort could take place in theory. Your AV should protect itself to some degree. You should get an access denied pop-up when trying to kill your engine. Also, pushing UAC to max could help. And curious, does it actually kill the engine or just the UI? Killing MSE is hard, even cutting it by startup.
#12
Quote:
#13
That's why social engineering is very powerful. Without any need for an exploit, by blindly trusting an application, which could be obfuscated malware for e.g., and allowing the latter's driver/s to load, it can just unhook those AV/AM protections very easily. AV/AM won't even notice it.
For that reason, kernel driver loading should be at the top of the list to take due notice of when executing an application.
__________________
-http://www.veteranstoday.com/author/henderson/ -http://www.veteranstoday.com/2013/03/04/the-911-illusion-patsies-beneficiaries/ Last edited by trismegistos : April 15th, 2012 at 11:55 PM.
#14
Quote:
Is MSE really hard to kill? That is sort of contrary to what was being discussed in another thread a week ago, over concerns that Rob Koch (MCC at MS Answers forum) stated that MSE basically doesn't believe in self-protection other than LUA and file permissions.
__________________
~ STV0726 OS: Windows 7|SRP|SUA|UAC|EFS|EMET|Firewall|Backup Resident: Webroot SecureAnywhere 2013|Sandboxie On-Demand: MBAM|SAS|HMP|Comodo CE|Secunia PSI Browser: Firefox|Web of Trust|Adblock Plus|NoScript Hardware/Other: Linksys Router|Norton ConnectSafe DNS
#15
Quote:
HIPSs too ?
__________________
We are such stuff As dreams are made on.
#16
Quote:
Sure, unless there's some other prevention outside of that. But in the end, it's a hitter's game. There is nothing that would perfectly defend against such a hypothetical attack, considering one could never guarantee stability of all critical system parts and the AV etc. etc. The good news: if you have come this far, your AV proactively failed already, and shutting it down probably would make the attack apparent. Poor man's IDS.
#17
Quote:
Was just suggesting that "killing" what seem to be major parts of the service actually doesn't always affect the actual engine. MSE doesn't reveal its main engine to a lot of common "startup" tools (CCleaner for one). And access should be denied and require UAC to access the process if on max. Gear like Hitman/MBAM OD is killed without any policy denial, and that's also why MBAM has Chameleon tech instead. So IMO, MSE does a pretty good job in not sticking its head out towards malware, and assumes any real swing at it will be successful for the previous reasons above. If you're hacked, you're hacked anyhow, and killing stuff makes the intrusion obvious. I agree with Koch.
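A defender-side counterpart to the points raised in #7, #13 and #17 above (a security product's process terminated from Task Manager, a kernel driver being loaded, and "access denied" on the engine process): an added example, not from this thread or any product mentioned in it, that flags Sysmon-style driver-load (Event ID 6) and process-access (Event ID 10) records. The product image names, the user-writable path list and the sample records are assumptions constructed for the example; the access-right bits are the documented Win32 values.

```python
# Added example (not from the thread): flag Sysmon-style records for the two
# moments discussed above, a kernel driver load (Event ID 6) and a process
# opening a security product with terminate/write rights (Event ID 10).
# Image names and records below are constructed, not real telemetry.
PROTECTED = {"mbamservice.exe", "avastsvc.exe", "cmdagent.exe"}  # hypothetical
PROCESS_TERMINATE = 0x0001  # Win32 access-right bits seen in GrantedAccess
PROCESS_VM_WRITE = 0x0020
SUSPECT_DIRS = ("\\users\\", "\\temp\\", "\\programdata\\")  # user-writable

def check_driver_load(ev):
    """Event ID 6: unsigned driver, or one loaded from a user-writable path."""
    image = ev["ImageLoaded"]
    if ev.get("Signed", "false").lower() != "true":
        return f"unsigned driver loaded: {image}"
    if any(d in image.lower() for d in SUSPECT_DIRS):
        return f"driver loaded from user-writable path: {image}"
    return None

def check_process_access(ev):
    """Event ID 10: a protected process opened with terminate or VM-write rights."""
    target = ev["TargetImage"].rsplit("\\", 1)[-1].lower()
    if target not in PROTECTED:
        return None
    mask = int(ev["GrantedAccess"], 16)  # Sysmon logs the mask as hex text
    if mask & (PROCESS_TERMINATE | PROCESS_VM_WRITE):
        return f"{ev['SourceImage']} opened {target} with access 0x{mask:X}"
    return None

def scan(events):
    """Dispatch each record to its check and collect the findings in order."""
    checks = {6: check_driver_load, 10: check_process_access}
    findings = []
    for ev in events:
        check = checks.get(ev["EventID"])
        result = check(ev) if check else None
        if result:
            findings.append(result)
    return findings

SAMPLE_EVENTS = [  # constructed records
    {"EventID": 6, "ImageLoaded": "C:\\Windows\\System32\\drivers\\avfilter.sys", "Signed": "true"},
    {"EventID": 6, "ImageLoaded": "C:\\Users\\bob\\AppData\\Local\\Temp\\kill.sys", "Signed": "true"},
    {"EventID": 10, "SourceImage": "C:\\Windows\\System32\\taskmgr.exe",
     "TargetImage": "C:\\Program Files\\Malwarebytes\\mbamservice.exe", "GrantedAccess": "0x1"},
    {"EventID": 10, "SourceImage": "C:\\Windows\\explorer.exe",  # query-only access
     "TargetImage": "C:\\Program Files\\Malwarebytes\\mbamservice.exe", "GrantedAccess": "0x1000"},
]
```

Running `scan(SAMPLE_EVENTS)` yields two findings: the driver loaded from the user's Temp directory and the Task Manager handle with PROCESS_TERMINATE on the protected process; the query-only handle is not reported.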
#18
Quote:
If the bad guy gets you to install his software, it's not your computer anymore, or something like that. LOL
__________________
Do not feed the trolls!
#19
Quote:
While this can be done it's not a real world scenario. History buffs will remember that in WW1 there was something called the Maginot Line which was defeated by the enemy just walking around it. Basically that's what you're doing by using UVK to kill the resident security apps. What actually happens is malware comes up against the active protection of AV/AM and most of it is neutralized (at least by the better products). The malware that successfully penetrate the system are either unrecognized (inadequate signatures/heuristics), circumvent the protection (rootkit) or are given permission to execute by the user (clicking "yes" to UAC and security app prompts). The fact that self-protection isn't perfect doesn't invalidate it IMHO. It is desirable to harden the apps as much as possible. There is always going to be a contest between malware creators and app writers.
#20
Quote:
The HIPS like Comodo / even MD won't tell you that the process is tampering with its files; it will tell you the process is running or trying to do something, but will fail to notice that it is deleting the program file. But what interests me is that some malware won't be deleted in Normal mode; you need to run in Safe Mode with the security tool to delete it, or even to run a live disk. Why won't security products use this technique?? Why won't the security product use, for example, an MBR rootkit technique? I said above that I managed to delete the CIS config password without the need to boot in safe mode, using just the Registry editor.
Quote:
I agree 100%, but don't forget that modern-day malware won't ask for your permission to run; it will use some kind of UAC bypass or browser exploit. It can even manipulate the AV; most users won't even know that the machine is infected. I think if a malware was able to run, even your antivirus is not trusted anymore. I think for malware to bypass a firewall it needs to inject its code into a legit process such as a download manager or the antivirus itself, so your antivirus will be the Trojan that's delivering stuff to the hacker. So for that, I think antiviruses should be more powerful in protecting themselves.
Quote:
But it can manipulate it. BTW, I now understand why expert users like EPx0f, xylitol, ...etc won't use AV.
#21
Quote:
Ok, let me understand: you tried and you were able to delete the CIS file in Programs, also if it is listed in Defense+ < Computer Security Policy < Protected folders and files, as it effectively is?
#22
Yes, using Revo Uninstaller
"without the official uninstaller of Comodo, of course"
#23
Ok, but it sounds strange to me. I can't reproduce the trial now; hope someone here could. Did you try with Defense+ < Computer Security Policy < Defense+ Rules set to either Ask or Block?
#24
Yup yup.
Also SpyShelter Free got killed.
#25
Quote:
That would be WW11