AVs that are vulnerable to being Disabled

Discussion in 'other anti-virus software' started by richrf, Oct 17, 2004.

Thread Status:
Not open for further replies.
  1. Firecat

    Firecat Registered Member

    Joined:
    Jan 2, 2005
    Posts:
    8,251
    Location:
    The land of no identity :D
    Actually on my eScan I tried to kill the AVPM monitor process once but it warned me saying 'Warning! Suspicious program tries to kill avpm.exe' or something like that.
     
  2. Paranoid2000

    Paranoid2000 Registered Member

    Joined:
    May 2, 2004
    Posts:
    2,839
    Location:
    North West, United Kingdom
    When I trialled eScan, I found avpm to be resistant to anything APT could throw at it but the "suspicious program" warning came when closing the eScan process.

    The (slight) downside is if only avpm is left running, you do not receive prompts about virus-infected files, access just gets blocked with the KAV "pig squeal" sound (so if browsing a folder, you do not find out which file triggered it).
     
  3. Notok

    Notok Registered Member

    Joined:
    May 28, 2004
    Posts:
    2,969
    Location:
    Portland, OR (USA)
    Of course Prevx will protect against this. PG and Prevx go quite well together in this regard :)
     
  4. Ashak011

    Ashak011 Guest

I didn't disable the AV myself, I got a McAfee Activeshield pop up saying that there was a virus on the pc and when I looked at the sys tray, the M icon had turned from red to blue and it had been disabled. This made me suspicious that the virus had something to do with it as I am quite sure I hadn't manually disabled it. Having said that, the pc is running normally, and I have had the AV disable itself before, although it's very rare and hasn't happened for a long time. I am now wondering whether McAfee is enough protection as a stand alone AV, or maybe I need ProcessGuard as well?
     
  5. cluessnobbie

    cluessnobbie Guest

    Well other processes could terminate the security program if it could beat the captcha system in PG no?
     
  6. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    There is a finite possibility, but it would be a hit-and-miss affair, not worth the effort of a Trojan writer except as a concept attack. Nobody has done it as yet as far as I am aware. :) Especially when you consider PG's comparatively small user base.


    Pilli
     
  7. Randy_Bell

    Randy_Bell Registered Member

    Joined:
    May 24, 2002
    Posts:
    3,004
    Location:
    Santa Clara, CA
    NOT SO with NAV 2005, it is **VERY** hardened, I have not succeeded in terminating **ANY** processes associated with either NAV or the Worm Blocking {NIS} component; in fact **ALL SYMANTEC PROCESSES** are very hardened, I challenge anyone to get a working copy of NAV 2005 and terminate any of its processes. This was obviously a priority with Symantec in the design of their new release of the product. ;)
     
  8. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    Thanks Randy, Do you know whether Norton survives all of DCS's Advanced Process Termination techniques?

    Pilli :)
     
  9. Randy_Bell

    Randy_Bell Registered Member

    Joined:
    May 24, 2002
    Posts:
    3,004
    Location:
    Santa Clara, CA
    I haven't tested that, maybe if you can give me a link, I can test it on my box. I'll go out on a limb and suggest NAV 2005 will pass but I could be wrong. :D It seems very hardened to me, I tried using the "Taskman Plus" {a version of taskman by DiamondCS with elevated privileges} to terminate Symantec processes and they are so far stone-cold resistant to termination. ;)
     
  10. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
  11. Randy_Bell

    Randy_Bell Registered Member

    Joined:
    May 24, 2002
    Posts:
    3,004
    Location:
    Santa Clara, CA
    Thanks for the link! I'm not sure but I think it PASSED. I tested against CCAPP.exe which is the email and Auto-Protect service {the RTM or realtime monitor, the most important component}. I tried all nine of the KILL techniques and none of them said they had succeeded. However, one of them managed to "hide" the window and it disappeared from the System Tray; however when I ran "services.msc" I found that the Auto-Protect Service was still alive and well {still running} so I assume that means failure to terminate, since my system is still protected. Anyone else is welcome to try and verify or refute this, since I'm not sure I understand all the techniques or know what I'm doing .. hehe .. thanks again. :D
     
  12. Randy_Bell

    Randy_Bell Registered Member

    Joined:
    May 24, 2002
    Posts:
    3,004
    Location:
    Santa Clara, CA
    Here is a pic from APT of the running processes which shows most of the Symantec processes -- CCAPP, the one I tested, is highlighted in blue.
     
  13. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    Looking good Randy. Can the GUI parts be closed down by something other than a human using APT? Not important to me, though it could have security implications I believe.

    Thanks for the screenshots. Pilli.
     
  14. Randy_Bell

    Randy_Bell Registered Member

    Joined:
    May 24, 2002
    Posts:
    3,004
    Location:
    Santa Clara, CA
    You're welcome, thanks again for the link. I have tested all the other processes with Taskman Plus and they won't terminate, but something {one of the tests} in APT did manage to cause the Tray icon to disappear even though it failed to terminate the Auto-Protect Service. So I'm not sure what that implies. I had to reboot to get my Tray icon back; but I think so long as the Auto-Protect Service is still running in Windows XP, my system is protected {well, as much as the Viral Signatures and capabilities of NAV will protect; not as good as KAV but still decent protection}. Thanks again .. ;)
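The check Randy describes above (tray icon gone, but the Auto-Protect service still running in services.msc) is worth scripting so that it is not done by eye. The following PowerShell script is an added example by the editor, not code from the thread or from Symantec or DiamondCS: it records which protection processes and which service are running, makes a plain user-mode termination attempt (the same thing Task Manager does, not the kernel-level techniques in APT), and then re-checks the service rather than trusting the GUI. The process names `ccApp`/`navapsvc` and the service name `navapsvc` are assumptions used as defaults; substitute the names your product actually uses.

```powershell
# Added example (editor's own, not from the thread). Verifies AV protection after a
# kill attempt by checking the service state, not the tray icon.
# The default process/service names are ASSUMPTIONS for NAV 2005; pass your own.
param(
    [string[]]$ProcessNames = @('ccApp', 'navapsvc'),   # assumed NAV 2005 process names
    [string]$ServiceName    = 'navapsvc'                 # assumed Auto-Protect service name
)

function Get-ProtectionState {
    param([string[]]$ProcessNames, [string]$ServiceName)
    # Collect whichever of the named processes are currently alive.
    $procs = foreach ($n in $ProcessNames) {
        Get-Process -Name $n -ErrorAction SilentlyContinue
    }
    $svc = Get-Service -Name $ServiceName -ErrorAction SilentlyContinue
    [pscustomobject]@{
        RunningProcesses = @($procs | Select-Object -ExpandProperty ProcessName -Unique)
        ServiceStatus    = $(if ($svc) { $svc.Status.ToString() } else { 'NotFound' })
        # "Protected" here means only that the real-time service is in the Running state.
        Protected        = ($null -ne $svc -and $svc.Status -eq 'Running')
    }
}

$before = Get-ProtectionState -ProcessNames $ProcessNames -ServiceName $ServiceName
"Before: service=$($before.ServiceStatus) processes=$($before.RunningProcesses -join ',')"

# Plain user-mode kill attempt (TerminateProcess via Stop-Process). On a hardened AV this
# should fail with an access-denied style error; a missing process just reports not found.
foreach ($n in $ProcessNames) {
    try {
        Stop-Process -Name $n -Force -ErrorAction Stop
        "Stop-Process $n : returned without error"
    } catch {
        "Stop-Process $n : $($_.Exception.Message)"
    }
}

# Give a watchdog (if the product has one) time to respawn anything that was killed.
Start-Sleep -Seconds 2

$after = Get-ProtectionState -ProcessNames $ProcessNames -ServiceName $ServiceName
"After : service=$($after.ServiceStatus) processes=$($after.RunningProcesses -join ',')"

if ($after.Protected) {
    "Result: Auto-Protect service still running. A missing tray icon alone does not mean protection is off."
} elseif ($before.Protected) {
    "Result: service stopped after an ordinary kill. Protection was NOT resistant to termination."
} else {
    "Result: service was not running before the test, so nothing can be concluded."
}
```

Run it from an ordinary (non-elevated) prompt first, since that is the privilege level most malware of the period ran at; then repeat elevated. The "Before" and "After" service states are the evidence to compare; the GUI process list is secondary, because, as the posts above show, the tray process can vanish while the service keeps scanning.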
     
  15. Acadia

    Acadia Registered Member

    Joined:
    Sep 8, 2002
    Posts:
    4,332
    Location:
    US
    Thank you, Randy, you've given me even more peace of mind than I already had with Norton2005.

    Acadia
     