Can Terminate Nod32 Antivirus On Win XP Sp3

Hi,

Just wanted to let u guys know Nod32 can be terminated on Win XP SP3 , with all updates as of today.

Assuming the user is running an admin account, which almost everyone is in XP.

Not sure if it works as limited user but that doesnt really matter...unless the person is using Vista, in which case UAC probably annoyed them so much they turned it off anyway.

Here is how I did it (its not all that complicated really)

Nod32 apparently doesn't protect the registry, I just changed the Start Value of all services to 4 (disabled) in HKLM\System\CurrentControlSet\Services\ This could be done via a registry file I believe, which a virus could put on the machine and run. After a reboot, the drivers and systems are no longer running, all you have to do is a simple TerminateProcess on the gui process and you're golden.

Let me know what u think about this

 

Everything can be terminated, especially under the admin account, no matter how good the protection is. I'm sure we could do the same (or find another way to accomplish it) with other AV products.

 

It would be quite strange were it any different.
Long story short: DON'T let your users work as admins.

 

So you think everyone is a business employee? I dont think you are taking this seriously enough

You realize I hope, that millions of people are running XP as an ADMIN user so that they can actually use their computer to the fullest extent. I am talking about home users here. NOT just business.

With Vista, maybe not, but tons of people are still at risk in XP. and will remain so, that is why its a serious problem that needs to be fixed.

Even with Vista most Home users are going to be annoyed by UAC due to its excessive levels of warnings and turn it off, which will leave them at risk as well.

Regardless, there are always exploits to escalate priviledges and such, that the malware could use.

So this should be fixed- doesn't matter the fact that it only affects admins, admins make up a large and important number of users.

Think about it- what if the admin of a business got infected? I don't know too many admins who dont run as admin user... Oops. there goes the business. Wouldn't be too hard for a new malware to slip in, given that Nod32 only caught 57% of new malware (see http://www.av-comparatives.org ~~snipped direct link per av-comparatives.org linking policy - just look for the specific test results by its description~~) for a test May 2008 of proactive malware detection.

And lastly; you're saying that just because "everything can be terminated", you shouldn't make an effort to try and secure it more...that is counter productive, and a defeatist attitude. You are representing a security company, your job is to make things more secure. Yes, its true that nothing is foolproof, but you can work towards that goal, or at least be willing to.

Just my 2 cents, sorry if this sounded hostile, wasn't intending to, just trying to point out the importance, as I see it, of this issue.

Joe

 

I log in as an admin account and I can terminate every process on my machine. This is what an admin account is designed for....total control.

I have personally used a wide variety of security products over the years and I have never come across one that I couldn't kill off running as administrator. Some processes may tell you they don't want to close, but you can still kill them.

This is why it is highly recommended not to let anyone run as administrator. Not saying everyone deserves a limited account, but there is a lot of middle ground in that subject.

 

I think those defending NOD are missing the point. Yes, of course you can terminate processes in an Admin account which is exactly why most other Anti-Virus solutions implemented self-protection features.

What if an unknown virus used a new exploit to elevate up to Admin and then easily shut down NOD before the database could be updated?

Have you actually tried terminating Norton or Kaspersky processes? Even Process Explorer would not kill them. They also protect changes to the registry.

Yes there are probably ways around it but that is no reason not to lock the door is it?

 

Hmmmm....

What the OP has posted here is really scary. I mean really.

I didn't know this could be done.

I'm running Win XP PRO with SP-3 on a laptop with ESET NOD32 3.0.667 along with ZoneAlarm Anti-Spyware 7.0.473 (ZAAS) and I tested what he wrote and, YES, NOD32 can easily be disabled running as an Administrator on Win XP Pro.

However, I tried the same trick with the vsmon process of ZAAS (the main driver of this firewall) and I couldn't terminate it even using Sysinternals' Process Explorer.

ESET : Hello, what's going on ?

Carlos

 

If you reach that level of unknown threat infecting your machine , your antivirus will be the smallest concern . If the antivirus misses a malware , no matter if the AV will be active or not , the threat will be there actively doing its job - destroy , spy , steal information , etc...

It is much more important to first catch the threat and eliminate it before it has tried to do anything . It doesn't matter if the threat cannot destroy the AV but can destroy the OS or steal my data .

Yes , they can defende their processes from simple tools you can use . However , in order to achieve this , do you know what other changes to the OS have been made ? No ?

 

the main point here is that 99.9percent of home users will run as admin accounts on xp mainly because some programs wont run on limited user accounts and also because when they get there pc there will be just one account which is set as admin and they will just add more accounts with admin rights. its the reality of it.
how many people here use xp with an admin account all the time?
limited user accounts on windows xp at home are a pain in the ass.
if you set windows live messenger in xp to run with limited rights you cannot play the msn games.

with vista you can live with a limited user account because all programs work fine like that all you need to do is type in your password and click on yes for legitimate uac prompts. or you could use the fake admin account which still has uac prompts but doesn't ask for your password for uac prompts.

 

No amount of antivirus/antispyware software or other security measures can or will fully protect those anyway.

You can't fix the unfixable.

Excessive levels? Don't be ridiculous. Learn to use the OS properly.

Such a worker should be fired on sight for negligance and incompetence, just for not observing the most basic of security principles.

 

I simply don't understand people who defends bad things in security software.

Every vendor try to implement stronger self defense but ESET think different...ESET guys and lovers do you know what's happen to Quark because they've been ignorant and self-sufficient?...At the end they implemented long time wished features but too late...most people switched to InDesign...cheers

 

Yes, I agree with you guys, I really don't know why you are DEFENDING your product instead of FIXING IT...

To quote the arguments you used, and point out why they are invalid;

Unknown threats are ALWAYS Out there. Changing a file just by a bit results in a completely new signature, rendering a traditional antivirus almost useless. Malware is changing so fast that it is nearly impossible to keep up with. Example being the Rustock.C trojan, which existed in the wild for an entire YEAR before ANYONE was able to even detect it, and then it took them a heck of a time trying to fix it..

The point is, if the malware gets on the machine Which it will (did you not look at my detection of proactive malware by Antivirus?) ... it WONT be doing its job if the antivirus can BLOCK IT. and the antivirus can only block it....if it is running....duh!

Its NOT unfixable. Its very easy to fix, just implement device drivers, restrict access to the registry, and implement some low level protection.

That is a bad attitude to have, very defeatist. Your attitude is, sure I can make it better, but it wont make a difference even if i do...well guess what, it will, and you should care, because this affects a lot of people. and we CAN fix this issue , its not THAT hard.

Umm...I don't know what you are talking about...every single time you open even a single FOLDER, it asks you TWICE to confirm this action, which is completely annoying...every time you do anything practically you get 2 prompts...of course its exessive, of course i am not ridiculous, of course i can use the OS properly.

Regardless of "security principles", a 0-day exploit can cripple your machine..or a stealth rootkit could exist on it for a year (rustock.c for example) you wouldn't even know...

If you put even half the energy that you do into defending your ideas into ACTUALLY defending the product, us end users would be more secure.

Joe

 

If the antivirus blocks it, it doesn't have to fear that the malware is going to disable it, anyway.

What ever method you come up with, there will be a way for undetected + privileged malware to kill it.
Please, feel free to come up with a description for a solution that you think would work, and I'll "circumvent" it promptly.

The solution is to teach the people not to do their day-to-day work with unneeded system privileges.

Don't be ridiculous.

 

What if the antivirus don't block it but after next update can detect and remove the threat? In this scenario it's good that antivirus isn't disabled. Btw...are you trying to say that weak self-defense is more suitable for security software than strong self-defense?...that's nonsense!

 

I am not ridiculous

I will explain:

But the antivirus won't block it, as I have already stated. 35% detection rates of unknown malware, that leaves a lot to be desired. Meaning 75% gets through. 75% of all malware can easily disable the admin's antivirus. not such a good thing. should be fixed.

Thats my point; security is a cat and mouse game, and the AV company had better work hard to keep up with the bad guys...which means constant updating of protection every time a way is devised to get around it. Constant updates. and the willingness to change one's product when a flaw is found, which I have found.

Okay, you have got a valid point, kind of. However, People who run the show, the business, the company, the network, whatever, will need the power over the other users, they will still need full rights; and they are vulnerable.

Exactly.

 

Something you also have to keep in mind, is even if the Active scanning module in NOD32 doesn't scan within the archive and detect the malware, if the file is ever accessed or executed, the file is immediately checked by NOD32 and it will be stopped then and there.

Having a really bad virus in an archive file just sitting on your computer isn't going to hurt anything. Malware won't do anything until it is executed, and that is when the heuristics of NOD32 can shine through.

I have a folder full of virus source code sitting in front of me right now, all potential threats. NOD32 leaves them alone because it isn't doing anything, but if I renamed one of them a .vbs instead of a .txt and activated it, NOD would jump all over it.

 

I know that...btw this questioning is from other thread...but anyway...I simply don't like the scenario that I can download archive (not password protected) with viruses from internet (protocol other than http) with every module of NOD32 set to active...and even send this archive via email without detection.

 

As far as i know blocking access to registry and files, process termination is a HIPS behaviour, NOD is not a HIPS !!!, and personnaly i think that hooking SSDT like all HIPS does is a bad idéa, it always cause instability to the system, and because of that i have choosen to use NOD, lite and without all that crapy hooks, and like 'wrathchild' said at ESET they think different, and if you want a HIPS combined with an AV choose KAV for expmple that hook every entry in the SSDT (kilf.sys), in that way you will have 10000 popup, and a BSODs !!!!

I hope that ESET will never implemente such things in thier beautiful product....

 

Then your machine has already been owned, and the damage is done.

That, and the fact that once the malware has full privileges on the machine the game is already over, is enough reason not to go that way.

 

So what?...I should buy new machine or what?
What's your "point"?

 

compromized is compromized is compromized!
Don't you wash your clothes too or just buy new ones?

 

I don't know why I bother asking, but can we just let this thread die?

No matter what software you are talking about,

Admin rights = inherent risks
Physical access to computer = compromisable