PE 2.1 and KAV 2006

Discussion in 'Port Explorer' started by Defenestration, Oct 28, 2005.

Thread Status:
Not open for further replies.
  1. Defenestration
    Offline

    Defenestration Registered Member

    I am currently using the KAV 2006 pre-beta has a Web Scanner in it. PE does not show either of the avp.exe (ie. KAV) processes while browsing the web, and also doesn't show the avp.exe processes when updating the definitions.

    Something is surely wrong ?
  2. Gavin - DiamondCS
    Offline

    Gavin - DiamondCS Former DCS Moderator

    Hi,

    This KAV beta seems to present some issues, you should ask them to test it, the same results will be there in the free version or we can send them a key.

    The "web anti virus" seems to be firewall and script checker together. This means that most of what it does won't produce sockets anyway.. as far as I can see so far.

    The update sockets ARE shown, however they will show as SYSTEM (but with the correct PID). We will resolve this as soon as possible, the PE DLL is definitely getting them correctly, since if you look at logs or the log window it shows avp.exe:pID which matches the PID shown in the main window.
  3. Defenestration
    Offline

    Defenestration Registered Member

    Thanks for taking the time to respond Gavin.

    What issues are you referring to ?
  4. Gavin - DiamondCS
    Offline

    Gavin - DiamondCS Former DCS Moderator

    There is some socket (must be a KAV proxy socket) which keeps re-opening or appears to do so. It could be ok though, I believe its related to something else:

    PE couldn't get the name of the avp.exe, but we've since found that this was only when self protection enabled (hides its own driver and prevents getting a handle to the EXE file). Without access to it, PE can't get the full filename or icon. This is not a huge problem though :)
  5. Gavin - DiamondCS
    Offline

    Gavin - DiamondCS Former DCS Moderator

    Looks to be causing a crash in PG as well, with driver verifier enabled PG's driver now tries to access an invalid handle and BSOD. Uninstall KAV and it doesn't happen so definitely the cause.

    They need to be very careful with "self protection"..
  6. Defenestration
    Offline

    Defenestration Registered Member

    Is this a problem with PG or KAV ?

    Should I report this to Kaspersky staff (pointing them to this thread) and give them your e-mail address since you will be able to answer their questions in more detail than myself ?

    BTW, I am not getting any BSOD in PG 3.2 when starting as AUTOMATIC instead of SYSTEM. I also never got a BSOD in PG 3.15 when starting as AUTOMATIC, so sometrhing appears to have changed between 3.15 and 3.2 beta.
  7. Gavin - DiamondCS
    Offline

    Gavin - DiamondCS Former DCS Moderator

    PG 3.200 should be the same stability under the same setting - AUTOMATIC. This is what 3.150 was released as. With SYSTEM startup, 3.150 will fail under some setups. So in that case, its not that something has changed there.

    The problem with PG and KAV is not a problem per se. KAV hides an object in kernel mode to secure itself, PG also has some self protection mechanisms. There is only a problem when verifying the drivers because the driver verifier is very picky about invalid handles to kernel objects. No surprise there. In a normal system without the verifier running, the attempt to access this handle simply fails.. no errors of course. It just means KAV are putting self protection in the right place I guess.. :)
Thread Status:
Not open for further replies.