How do Security Products protect themselves

Discussion in 'other anti-malware software' started by Ranget, Apr 15, 2012.

Thread Status:
Not open for further replies.
  1. Ranget (Registered Member)

    I was playing with some tools

    and I was able to delete
    Antivirus Product
    Antimalware Product
    Firewalls

    I'm not going to say how I killed them in public
    before I'm sure that this is a vulnerability.

    I managed to disable the product to a non-working condition :ouch:
    but before it's a very simple way

    Anyway, just wanted to be sure that the problem exists and I'm not infected
    with some virus that makes the product less powerful.


    So how do products protect themselves??
    Note: it's a very simple way, no invention in it.
    I don't want to say it out loud for obvious reasons.

    AV employees, PM me to tell you how I managed to do it.
    Last edited: Apr 15, 2012
  2. EASTER (Registered Member)

    Timely topic!

    The very reason why, as part of my security makeup, I take a page straight from malware makers' own devious designs themselves and field hidden drivers that BLOCK loading their wares by virtue of their own rootkits & securely nested in an alternate data stream. Only my AV knows for sure. ;)
  3. Ranget (Registered Member)

    But it's a simple way using a free tool,
    tried more than one.

    I managed to disable the software, including MBAM o_O
  4. 3x0gR13N (Registered Member)

    Let me guess, you used an anti-rootkit tool to disable security programs...
  5. Ranget (Registered Member)

    I don't know if the program I used has a driver installed;
    it's a very simple program, not used to delete malware.
  6. 3x0gR13N (Registered Member)

    Before we go further in any sort of discussion, we need to know the name of the tool. If it's widely available and not some specialized code created for the sole purpose of terminating AVs, it's not forbidden to state which tool it is.
  7. Ranget (Registered Member)

    Well, the MBAM process can be terminated by using any process manager,
    even the normal Task Manager o_O

    As for Comodo, I was able to delete the config password using Regedit (admin) in Normal Mode while Comodo was running o_O
  8. Ranget (Registered Member)

    Tried UltraVirusKiller (UVK).

    Killed everything, deleted everything, and I was able to terminate most of the
    programs.
  9. Technical (Registered Member)

    If a program loads a driver, i.e. has admin rights, it can do almost everything in terms of killing.
    There is no solution in terms of Windows architecture.
    You need to do everything to avoid this situation: autosandbox the malware, reduce its rights, detect it first.

    It's simply a fact that, of course, we do not want to recognize, and we ask the antivirus companies for a miracle...
  10. Cudni (Global Moderator)

    As mentioned already, if something is allowed to execute and that something is with bad intent, then what it can do is only limited by the ability of whoever created it.
  11. Sordid (Registered Member)

    If you can get an exploit to run that and direct it against the AV executable, you probably could just right-click quit the prog remotely ;)

    So unless you use some other protection like a password, exploits of this sort could take place in theory. Your AV should protect itself to some degree. You should get an access denied pop-up when trying to kill your engine. Also pushing UAC to max could help.

    & curious, does it actually kill the engine or just the UI? Killing MSE is hard, even cutting it by startup.
  12. Technical (Registered Member)

    IF the driver is already loaded, a password or further UAC will be too late...
  13. trismegistos (Registered Member)

    That's why social engineering is very powerful. Without any need for an exploit, by blindly trusting an application, which could be an obfuscated malware for example, and allowing the latter's driver/s to load, it can just unhook those AV/AM protections very easily. AV/AM won't even notice it.

    For that reason, kernel driver loading should be on the top of the list to take due notice of when executing an application.
    Last edited: Apr 15, 2012
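The point about watching kernel driver loads lends itself to a quick audit. The following is an added PowerShell example, not code posted by anyone in this thread: it lists the kernel drivers currently running and reports those whose image is missing from disk, unsigned, carries a broken signature, or is signed by a publisher outside an assumed-trusted list. The function name `Get-SuspiciousKernelDriver` and the default `$TrustedPublishers` list are assumptions; it needs an elevated Windows PowerShell 5.1+ session.

```powershell
# Added example, not from the thread: audit the kernel drivers currently running and
# report any that deserve a second look. Anything running in the kernel can disable
# user-mode protections, so a driver that is unsigned, has a broken signature, is missing
# from disk, or comes from an unexpected publisher is the first thing to check when a
# security product suddenly stops working.
# Assumes Windows PowerShell 5.1+ in an elevated session. The trusted-publisher list is an
# assumption; extend it with the vendors actually installed on the machine.

function Get-SuspiciousKernelDriver {
    [CmdletBinding()]
    param(
        # Signer common names treated as expected; every other running driver is reported.
        [string[]] $TrustedPublishers = @('Microsoft Windows', 'Microsoft Corporation')
    )

    $root = $env:SystemRoot
    Get-CimInstance -ClassName Win32_SystemDriver -Filter "State = 'Running'" | ForEach-Object {
        # PathName appears in several forms: \SystemRoot\..., \??\C:\..., System32\..., "C:\...".
        $path = ($_.PathName -replace '"', '') -replace '^\\\?\?\\', ''
        $path = $path -replace '^\\SystemRoot', $root
        $path = $path -replace '^system32\\', "$root\System32\"

        if (-not $path -or -not (Test-Path -LiteralPath $path)) {
            # A running driver whose image cannot be located: report it and move on.
            return [pscustomobject]@{ Name = $_.Name; Path = $path; Status = 'ImageMissing'; Publisher = '' }
        }

        # Get-AuthenticodeSignature also resolves catalog-signed images on Windows 8 and later.
        $sig = Get-AuthenticodeSignature -LiteralPath $path
        $publisher = ''
        if ($sig.SignerCertificate) {
            $publisher = $sig.SignerCertificate.GetNameInfo('SimpleName', $false)
        }

        # A valid signature from a trusted publisher is the normal case; emit nothing for it.
        if ($sig.Status -eq 'Valid' -and $TrustedPublishers -contains $publisher) { return }

        [pscustomobject]@{
            Name      = $_.Name
            Path      = $path
            Status    = $sig.Status.ToString()
            Publisher = $publisher
        }
    }
}

# Usage: every row printed here should be explainable before the machine is trusted again.
Get-SuspiciousKernelDriver | Sort-Object Status, Name | Format-Table -AutoSize
```

Run it once on a known-clean system and keep the output; a new row after installing or running an untrusted program is the driver load the post above says to take notice of.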
  14. STV0726 (Registered Member)

    Is MSE really hard to kill? That is sort of contrary to what was being discussed in another thread a week ago, over concerns that Rob Koch (MCC at MS Answers forum) stated that MSE basically doesn't believe in self-protection other than LUA and file permissions.
  15. blacknight (Registered Member)

    HIPSs too?
  16. Sordid (Registered Member)

    Sure, unless there's some other prevention outside of that. But in the end, it's a hitter's game. There is nothing that would perfectly defend against such a hypothetical attack, considering one could never guarantee the stability of all critical system parts and the AV etc etc.

    The good news: if you have come this far, your AV proactively failed already, and shutting it down probably would make the attack apparent. Poor man's IDS. :doubt:
  17. Sordid (Registered Member)

    Was just suggesting that "killing" what seem to be major parts of the service actually doesn't always affect the actual engine. MSE doesn't reveal its main engine to a lot of common "startup" tools (CCleaner for one). And access should be denied and require UAC to access the process if on max. Gear like Hitman/Mbam OD is killed without any policy denial, and that is also why Mbam has Chameleon tech instead.

    So IMO, MSE does a pretty good job in not sticking its head out towards malware and assumes any real swing at it will be successful for the previous reasons above. If you're hacked, you're hacked anyhow, and killing stuff makes the intrusion obvious. I agree with Koch :argh:
  18. kupo (Registered Member)

    It's one of the rules in computer security, right? :D If the bad guy gets you to install his software, it's not your computer anymore, or something like that. LOL
  19. Victek (Registered Member)

    While this can be done, it's not a real-world scenario. History buffs will remember that in WW1 there was something called the Maginot Line, which was defeated by the enemy just walking around it. Basically that's what you're doing by using UVK to kill the resident security apps. What actually happens is malware comes up against the active protection of AV/AM and most of it is neutralized (at least by the better products). The malware that successfully penetrates the system is either unrecognized (inadequate signatures/heuristics), circumvents the protection (rootkit) or is given permission to execute by the user (clicking "yes" to UAC and security app prompts).

    The fact that self-protection isn't perfect doesn't invalidate it, IMHO. It is desirable to harden the apps as much as possible. There is always going to be a contest between malware creators and app writers.
  20. Ranget (Registered Member)

    Yes, HIPS too. They alert you to the running process if it runs;
    the HIPS like Comodo / even MD won't tell you that the process is tampering
    with its files. It will tell you the process is running or trying to do something,

    but will fail to notice that it is deleting the program file.

    But what interests me is that some malware won't be deleted in Normal Mode;
    you need to run in Safe Mode with the security tool to delete it,
    or even to run a live disk.

    Why won't security products use this technique??
    Why won't the security product use, for example, the MBR rootkit technique o_O

    I said above that I managed to delete the CIS config password without the need
    to boot in Safe Mode, using just the Registry Editor.

    I agree 100%, but don't forget that modern-day malware won't ask for your
    permission to run. It will use some kind of UAC bypass or browser exploit;
    it can even manipulate the AV.
    Most users won't even know that the machine is infected.
    I think if malware was able to run, even your antivirus is not trusted anymore.
    I think for malware to bypass a firewall it needs to inject its code in a legit process
    such as a download manager or an antivirus itself,

    so your antivirus will be the Trojan that is delivering stuff to the hacker.
    So for that reason I think antiviruses should be more powerful at protecting themselves.

    Mostly it won't kill the AV for that reason,
    but it can manipulate it o_O


    BTW, I now understand why expert users like EPx0f, xylitol, ....etc won't use an AV.
  21. blacknight (Registered Member)

    Ok, let me understand: you tried and you were able to delete the CIS file in Programs even if it is listed in Defense+ < Computer Security Policy < Protected Files and Folders, as it effectively is?
  22. Ranget (Registered Member)

    Yes, using Revo Uninstaller
    "without the official uninstaller of Comodo, of course"
  23. blacknight (Registered Member)

    Ok, but it sounds strange to me. I can't reproduce the trial now; hope someone here could. Did you try with Defense+ < Computer Security Policy < Defense+ Rules set to either Ask or Block?
  24. Ranget (Registered Member)

    Yup, yup.

    Also SpyShelter Free got killed.
  25. ellison64 (Registered Member)

    That would be WWII :eek: