AVs that are vulnerable to being Disabled

Hi all,

My copy of Nortons Systemsworks is coming up for renewal. I am considering McAfee and KAV but also others if they are compatible with my system setup.

My current concern is that I believe that NAV is vulnerable to being disabled by certain exploits. This may have already happened lots of weird stuff was happening on my system before it crashed and I was unable to re-boot. (Prior scans with McAfee and KAV could not find anything but I think something was definitely there).

Anyway, is it possible for exploits to disable NAV. Are there reasonable ways to prevent this? If not, are there better AV solutions that are less susceptible to this problem. I would appreciate any advice. Thanks.

Rich

 

Not being an expert, I'll tell you what I know. Most people that I help with thier computer had Norton disabled - one was by the agobot worm. This could have been prevented by a firewall not allowing the attacker to re-infect the computer.

One method to help avoiding this is to have your AV password protected. KAV and NOD32 are a couple that have password protection. McAfee dosen't have password protection but seems a lot less vulnerable to this exploit.

 

Technically there is no limits on killing the AV process. Its not that hard to do it at all. Its harder to protect such processes. Even Process Guard can be bypassed.

Password protection is just to keep users from changing the settings.
Worm doesn't bother with passwords. It simply kills the process or erases some important entry that is required for AV to work correctly.

 

Nod32 has a secure password and start up procedure, also very fast scanning.
It is a very good AV with excellent detection rates [consistent VB100% award]
There is a free 30-day trial available here if u want to try it:
http://www.nod32.com/download/trial.htm

 

Doesn't the worm need to attack a *specific* antivirus program? If so, does this mean that -- for the moment at least -- I might be better off if I used a more obscure but competent AV, such as VirusBuster or Rising, perhaps?

Also, DrWeb's SpiderGuard used to be on the list of running applications that I accessed by doing ctl-alt-del. Since DrWeb updated to version 4.32a, I notice that SpiderGuard is no longer on that list, even though SpiderGuard is running. Can anyone explain what, if any, significance this change might indicate?

 

Interesting RejZoR, Is that an assumption or do you have evidence to support it? Is this a new method or one that has been discussed here before?

There were two possible methods that Process Guard could be bypassed both difficult to accomplish, these are concepts and no where near release to the wild.
They have been closed in the latest version of Process Guard which is due for release very soon.

If you were talking about Close Meassage Handling issues these have also been addressed.

Hope this clarifies these possible issues. Pilli

To answer the original question, yes all security programs can be bypassed though some are much more difficult than others,

There is no such thing as 100% security but we can get pretty close by protecting important processes, progranms etc with tools such as Process Guard.

If I was allowed just one security application it would be Process Guard

Cheers.

 

I wont go into details,but usually worms wont even bother with Process Guard.
The post was not written to show PG ineffective (if maybe sounded that way). Worms usually target common antiviruses like Norton and McAfee. Terminating process/shutting down services isn't a big deal and its usually harder to protect them then to terminate them.
Unless they make something that would protect such processes on a global system basis (protected by OS itself). But even this could be bypassed as many other "unbreakable" things in the world.

 

Hi again, No worm will stop a process protected by Process Guard or be able to inject into the processe's physical memory space. Even a script to close the process using normal exits or quits will not work with Close message handling enabled.

If you want to try this out there many other methods used to close processes, try this tool on your security programmes:
http://www.diamondcs.com.au/index.php?page=apt
Then try it with Process Guard enabled.

Pilli.

 

I managed to delete the service but its still protecting the test process,which means that is protecting it on a driver level...

 

Process Guard works at the kernel level, once it is installed and providing that the system is clean, nothing can get below it.

So once a process is added to the Process Guard's protection list it is VERY secure especially when the four general options are enabled.

Regarding the question of this thread, yes all security processes are vulnerable to closure or supension rendering them useless, this includes most firewalls and AV / ATs etc.
Process Guard can protect these processes to a very high degree. Hackers and Crackers can find much easier nuts to crack
Good security relies on a layered defence, process Guard is a very strong layer.

 

Someone would have to pick on PG (examine it in detail),but i doubt its worth the effort since its not used widely.

 

This has already been done. The SIG^2 G-TEC team from Singapore analysed Process Guard in depth and found just one vulnerability (which actually applies to virtually all other driver-based security software - in other words, it's not a problem specific to Process Guard). Information can be found here:
http://www.security.org.sg/vuln/procguard.html
We've actually developed a fix for this which is already implemented in Process Guard v3 (already available to all registered users), and not only does it prevent Process Guard from being attacked using this vulnerability but Process Guard now also lets you protect other vulnerable processes from this attack. It is currently the only program that I know of that allows you to protect processes from this attack.

Best regards,
Wayne

 

HI, thank you to the guys from DimondCS for their posts on this topic, extremely interesting.

Is there a site that has more info on this topic, [i.e. research on vulnerable AV's, security apps?]?
It would be good to know how safe our particular security software is.
Thanks.

 

I tried Diamond CS's APT test on all my security software. While the tests did shut down NOD32's GUI, they could not shut down nod32krn.exe which is NOD32's on access scanner. The APT did, however, shut down my BOClean, Giant Antispyware and Win Patrol on the 1st try. It took a couple of tries to shut down LooknStop. So, most security softwware does not seem to be as robust as NOD32 when it comes to being shutdown by exploits.

 

Just in regards to APT, we'll be releasing a new build of that which offers a few more termination methods, and also introduces some crash techniques -- if you can fatally crash a security application it's as good as terminated, so the next release of APT allows you to test for these attacks, and Process Guard v3 already protects against them.

Enjoy the rest of the weekend folks.
Best regards,
Wayne

 

This is how the vulnerability referrenced by Wayne now fails against Process Guard .

Regards,
Jade.

 

Hi everyone,

Thanks for all of the in-depth information. I pretty much understand what everyone is saying and the vulnerabilities that currently exist and how PG attempts to protect against these vulnerabilities.

Since PG 3.0 is still in beta, it is difficult to assess whether it will be appropriate for my system. There are compatibility issues that I have to test out. So with the PG decision still on hold, can anyone say that one AV product is less susceptible to disabling than another. It appears that NAV is very susceptible (without PG), are others better? I noticed a message concerning NOD32. Anyone have any experiences with KAV, Trend Micro, and McCaffee. Any of the others?

Thanks for all of the help and any additional info that you can provide.

Rich

 

When I tried KAV, the background scanner (avp32) seemed to resist everything APT could throw at it - this was a mixed blessing though because I wanted to shut the damn thing down given the impact it was having on my system performance!

To be honest, if an AV scanner does not find malware on your system before it gets executed, it has failed and cannot help further so its resistance to termination becomes a moot point. More general security programs not relying on malware signatures (firewalls, process and registry monitors, etc) are your best hope at this stage.

 

Droll. Informative. Startling. Excellent!

 

Interestingly enough I took some time to test KAV 5, kavscv.exe and it could not be killed by anything that I tried against it, though I am no expert. The KAV 5 service appears to use a kernel level driver that guards very well ATM.
I believe latest version of Zone Alarm also has such a protection, IMHO this is a move in the right direction security wise.

 

Hi Rich,

I Have McAfee VS 8 on my pc and while browsing the web was told that Activeshield had detected a virus. When I looked the the system tray my McAfee VirusScan had been disabled! Ran a scan which found nothing, did an online scan with Bitdefender which found two trojans allegedly but couldn't disinfect them. When I re-booted, McAfee was still disabled which i found strange, having enabled it, now seems fine. My pc is running fine as before, but I find it all a bit disturbing.

 

Well,terminating AV is one thing,but deleting its components is another.
And you can't avoid that. If you delete critical components you can disable pretty much anything.

 

You mean that if an anti-virus programme is disabled it's still protecting against attack?

 

If an antivirus program is disabled in any way, its not protecting you anymore. Processguard is capable of preventing your security software from being terminated by spyware and other types of malicious software, but Processguard CANNOT prevent security software from being terminated by the computer user himself/herself.

Only the computer user can terminate the security programs, other processes or software cannot terminate the security programs.

 

yes but that still does not stop the virus/worm/trojan from deleting files not in use that will effect the scanner or delete registry entries that may effect the way the scanner runs.

So unless the scanner catches the virus to begin with you are not going to be having a good time. And in my shop norton is shutdown allot. Not all the time but allot of the time.