Wilders Security Forums  

#26
April 22nd, 2012, 11:16 PM
trismegistos
Frequent Poster
Join Date: Jan 2009
Posts: 363
Re: How do Security Products protect them self

Quote:
Originally Posted by Ranget
I agree 100%, but don't forget that modern-day malware won't ask for your
permission to run. It will use some kind of UAC bypass or browser exploit;
it can even manipulate the AV.
Most users won't even know that the machine is infected.
I think if a malware was able to run, even your antivirus is not trusted anymore.
I think that to bypass the firewall, malware needs to inject its code into a legit process
such as a download manager or the antivirus itself.

So your antivirus will be the Trojan delivering stuff to the hacker,
so for that I think antiviruses should be more powerful at protecting themselves.


Mostly it won't kill the AV for that reason,
but it can manipulate it.


BTW, I now understand why expert users like EPx0f, xylitol, etc. won't use AV.
That would be your common drive-by malware pushed by exploits. I agree that AVs would mostly be bypassed if they don't have the signature for that malware and it escaped heuristic detection. But as for HIPS/SRP/AE/AppLocker, our guru Rmus has elucidated that these droppers are executables, so they won't execute under those. HIPS/AE/AppLocker can also prevent DLL loading and therefore stop most DLL injections. HIPS in addition can also be configured to prompt for any driver loading. As I said earlier, once kernel drivers are loaded, which is what rootkits do, it's definitely game over. It can just unhook the AV; the AV will still be up and running and won't even notice the unhooking, but it's definitely useless after that. But generally, malware does code injection into trusted processes to evade detection from AVs. I am not yet aware of malware trojanising the AV, but it's quite possible. But if your firewall can catch any outbound connection and can untrust the AV, a user can have such suspicion.

The big problem for the anti-execution security layer is social engineering. The hacker can just obfuscate his malware into something a victim would likely execute or click. [HIPS can probably catch suspicious behaviours like DLL injections, driver loading, keystroke logging, etc.] The hacker can also use an exploit to do the job. For example, the Duqu malware was pushed by a zero-day kernel exploit after opening a seemingly innocuous Word document. They said all security layers are bypassable by any kernel exploit, but Faronics claimed they can still prevent the main DLL of that malware from executing, which I doubt.
__________________
-http://www.veteranstoday.com/author/henderson/
-http://www.veteranstoday.com/2013/03/04/the-911-illusion-patsies-beneficiaries/

Last edited by trismegistos : April 22nd, 2012 at 11:54 PM.
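The post above rests on AppLocker (or SRP/HIPS) actually refusing to run dropped executables and to load dropped DLLs. The PowerShell below is an added example, not code from any poster, from Microsoft or from Dr.Web: it builds a minimal AppLocker policy that enforces both the EXE and the DLL rule collections (the DLL collection is what the wizard leaves unconfigured), dry-runs it, applies it, and pulls the block events. The policy file location and the rule GUIDs are constructed assumptions.

```powershell
# Added example (not from any poster): enforce AppLocker for EXE and DLL.
# Anything outside %WINDIR% and %PROGRAMFILES% is denied for everyone, so a
# dropper unpacked into %TEMP% or a DLL dropped next to a document does not
# run or load. Run elevated. Rule Ids are constructed GUIDs.
# Trial it with EnforcementMode="AuditOnly" first: per-user apps (installed
# under the profile) will be denied by this policy unless you add rules.
$policyXml = @'
<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="Enabled">
    <FilePathRule Id="11111111-1111-4111-8111-111111111111" Name="EXE: Windows" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%WINDIR%\*" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="11111111-1111-4111-8111-111111111112" Name="EXE: Program Files" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%PROGRAMFILES%\*" /></Conditions>
    </FilePathRule>
  </RuleCollection>
  <RuleCollection Type="Dll" EnforcementMode="Enabled">
    <FilePathRule Id="11111111-1111-4111-8111-111111111113" Name="DLL: Windows" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%WINDIR%\*" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="11111111-1111-4111-8111-111111111114" Name="DLL: Program Files" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%PROGRAMFILES%\*" /></Conditions>
    </FilePathRule>
  </RuleCollection>
</AppLockerPolicy>
'@

# Assumed location for the policy file.
$policyPath = Join-Path $env:TEMP 'applocker-exe-dll.xml'
$policyXml | Set-Content -Path $policyPath -Encoding Unicode

# Dry run: reports Allowed/Denied per file without changing anything.
# Add the path of any file you want evaluated; an EXE sitting in the user's
# profile or %TEMP% comes back Denied under this policy.
Test-AppLockerPolicy -XmlPolicy $policyPath -User Everyone `
    -Path "$env:SystemRoot\System32\notepad.exe"

# AppLocker is only enforced while the Application Identity service runs.
Set-Service -Name AppIDSvc -StartupType Automatic
Start-Service -Name AppIDSvc
Set-AppLockerPolicy -XmlPolicy $policyPath

# Event ID 8004 in this log records each blocked EXE launch or DLL load,
# which is the signal that a dropper or an injection was stopped.
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-AppLocker/EXE and DLL'; Id = 8004 } `
    -MaxEvents 20 -ErrorAction SilentlyContinue | Select-Object TimeCreated, Message
```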
#27
April 23rd, 2012, 08:13 AM
Amit
Massive Poster
Join Date: May 2011
Location: Parallel Universe
Posts: 4,631
Re: How do Security Products protect them self

Interesting thread/topic... just to input some info on how Dr.Web protects itself:

Dr.Web is immune to any attempts by malicious programs to disrupt its operation. Dr.Web SelfPROtect is the unique anti-virus component that maintains the anti-virus’ security.

* Dr.Web SelfPROtect is implemented as a driver that operates on the lowest system level. The driver can’t be stopped or unloaded without a system reboot.
* Dr.Web SelfPROtect restricts access to a network, files and folders, certain branches of the Windows Registry and removable data-storage devices on the system driver level and protects the software from anti-antiviruses aiming to disrupt the operation of Dr.Web.
* Some anti-viruses modify the Windows kernel through intercepting interrupts, changing vector tables or using other undocumented features. This may have a negative impact on the stability of a system and pave new ways for malicious programs to get into a system. At the same time, Dr.Web SelfPROtect maintains security of the anti-virus and doesn’t interfere with routines of the Windows kernel.
* New! Automatic restoring of anti-virus modules
__________________
✓The first principle is that you must not fool yourself, and you are the easiest person to fool.
✓Science is the belief in the ignorance of experts.
✓I don't know anything, but I do know that everything is interesting if you go into it deeply enough.


-------Richard P. Feynman---------
#28
April 30th, 2012, 03:15 PM
Ranget
Frequent Poster
Join Date: Mar 2011
Location: Not Really Sure :/
Posts: 832
Re: How do Security Products protect them self

Wouldn't hurt to try Dr.Web protection.
I will report back later.

BTW, extremely helpful post, trismegistos.
__________________
SpyShelter Premium + MBAM Pro + Avast Free + Hardened Firefox + Secunia Update Checker
"Uncommon sense will increase your privacy; common sense will just make you common."
"The Worst Thing in the World is To look and not be able to Help "
#29
May 1st, 2012, 08:10 AM
DX2
Regular Poster
Join Date: Aug 2010
Location: Stockton, California
Posts: 189
Re: How do Security Products protect them self

I know WSA is password protected to stop services or uninstall.
Copyright ©2002 - 2013, Wilders Security Forums