Stopping virii from shutting down AV

Discussion in 'other anti-virus software' started by cfp999, Aug 3, 2002.

Thread Status:
Not open for further replies.
  1. cfp999

    cfp999 Registered Member

    Joined:
    Jul 12, 2002
    Posts:
    36
    A couple of months ago I was hit by the "Klez" virus because a family member opened an attachment in Outlook. I had F-Prot 3.12 running, but "Klez" simply shut it down, and ruined the executable. Which antivirus programs can handle attempts by virii to shut them down ('cause F-Prot certainly cannot)? I mean, they are not of much use if that can happen. Furthermore, is it possible to use Windows 2000 permissions to protect antivirus applications? Suggestions are welcome.
     
  2. wizard

    wizard Registered Member

    Joined:
    Feb 9, 2002
    Posts:
    818
    Location:
    Europe - Germany - Duesseldorf
    Theoretically there is no way to protect AV (or AT software) against attacks from running malware. The principle is simple: what runs first, strikes first.

    wizard
     
  3. DrSeltsam

    DrSeltsam Guest

    There is a way ;o). ANTS 3.0 can block process manipulations ;o).
     
  4. Paul Wilders

    Paul Wilders Administrator

    Joined:
    Jul 1, 2001
    Posts:
    12,472
    Location:
    The Netherlands
    Andreas, correction: there will be a way - as soon as ANTS v3.0 is out of RC1 and ready for use :cool:

    regards.

    paul
     
  5. cfp999

    cfp999 Registered Member

    Joined:
    Jul 12, 2002
    Posts:
    36
    I think there's an option to password protect processes in AVP as well but I kind of hate the newer versions so I haven't tried it. What is ANTS 3.0 ??
     
  6. Paul Wilders

    Paul Wilders Administrator

    Joined:
    Jul 1, 2001
    Posts:
    12,472
    Location:
    The Netherlands
    Hi cfp999,

    Most good AVs do have this option implemented nowadays. I would not rely on these blindly, though.

    Have a look over on the "other anti-trojan software" forum. You'll find the info needed over there.

    regards.

    paul
     
  7. cfp999

    cfp999 Registered Member

    Joined:
    Jul 12, 2002
    Posts:
    36
    Thanks!
     
  8. Paul Wilders

    Paul Wilders Administrator

    Joined:
    Jul 1, 2001
    Posts:
    12,472
    Location:
    The Netherlands
    My pleasure ;)

    regards.

    paul
     
  9. DrSeltsam

    DrSeltsam Guest

    >Andreas, correction: there will be a way - as soon as ANTS v3.0 is out of RC1 and
    >ready for use :cool:

    The current beta is able to block process manipulations, too ;o).
     
  10. Paul Wilders

    Paul Wilders Administrator

    Joined:
    Jul 1, 2001
    Posts:
    12,472
    Location:
    The Netherlands
    Good to hear so. Nevertheless, a fully tested RC1, followed by the official release, will prevent "common users" from using an app that's not completely "ironed out" as far as possible bugs and incompatibilities are concerned. There are Betas and RCs for good reasons, don't you agree? ;)

    regards.

    paul
     
  11. DrSeltsam

    DrSeltsam Guest

    Of course I agree.
     
  12. Paul Wilders

    Paul Wilders Administrator

    Joined:
    Jul 1, 2001
    Posts:
    12,472
    Location:
    The Netherlands
    Seems we have an understanding; I do agree with your statement above as well :D :D

    regards.

    paul
     
  13. spy1

    spy1 Registered Member

    Joined:
    Dec 29, 2002
    Posts:
    3,139
    Location:
    Clover, SC
    :D How many does it take to make a quorum again? Pete
     
  14. controler

    controler Guest

    Spy1, did you get your copy of ANTS 3.0 RC1 yet?
    I tried the scan engine and then never saw any more updates to it. All I got is the scan engine, not a full RC1.
    When running the update all I get is the same sig file.
     
  15. spy1

    spy1 Registered Member

    Joined:
    Dec 29, 2002
    Posts:
    3,139
    Location:
    Clover, SC
    Hey, controler! Nope, not yet! Pete
     
  16. Technodrome

    Technodrome Security Expert

    Joined:
    Feb 13, 2002
    Posts:
    2,140
    Location:
    New York
    Sophos AV is almost impossible to shut down from a memory process. Virii (if trying from MP) won't be able to shut it down unless the Sophos directory is completely deleted!


    Technodrome
     
  17. DrSeltsam

    DrSeltsam Guest

    put the thread into debug mode and terminate it - where is the problem? *fg*
     
  18. root

    root Registered Member

    Joined:
    Feb 19, 2002
    Posts:
    1,723
    Location:
    Missouri, USA
    RegRun is a nice little program that will keep processes from being terminated, or at least warn you if it is. ;)
     
  19. DrSeltsam

    DrSeltsam Guest

    does it prevent the termination or does it only warn and restart the process?
     
  20. root

    root Registered Member

    Joined:
    Feb 19, 2002
    Posts:
    1,723
    Location:
    Missouri, USA
    Hi Andreas. You know, I really haven't dug into that yet. I have several files that are watched, but have never had any of them messed with.
    I do know that with watchdog enabled, whenever certain changes are made to the registry, I get a popup notifying me and asking if I want to keep the change.
    Regrun has a forum at Beckys.
     
  21. DrSeltsam

    DrSeltsam Guest

    OK - but does it warn you if your KAV was kicked out of your memory? ;o) ANTS 3.0 does it - and it doesn't only warn, it PREVENTS it. Only if you say "yes, it's OK if this process will be modified/terminated" can you get access ;o).
     
  22. Gavin - DiamondCS

    Gavin - DiamondCS Former DCS Moderator

    Joined:
    Feb 10, 2002
    Posts:
    2,080
    Location:
    Perth, Western Australia
    TDS4 products will include process protection.

    For now, JUST RENAME all your AV products' EXE files and their reg keys and you won't have a problem :)
     
  23. DrSeltsam

    DrSeltsam Guest

    No - that's partly wrong. Do you know Next Generation Killer? If not, I will send it to you. It detects the process using class and window names :). It won't help if you simply "rename" the file.
     