Stopping virii from shutting down AV

A couple of months ago I was hit by the "Klez" virus because a family member opened an attachement in Outlook. I had F-Prot 3.12 running, but "Klez" simply shut it down, and ruined the executable. Which antivirus programs can handle attempts by virii to shut them down ('cause F-Prot certainly cannot)? I mean, they are not to much use if that can happen. Furthermore, is it possible to use Windows 2000 permissions to protect Antivirus applications? Suggestions are welcome.

 

Theorectically there is no way to protect AV (or AT software) against attacks from running malware. The princip is simple: what runs first, strikes first.

wizard

 

There is a way ;o). ANTS 3.0 can block process manipulations ;o).

 

I think there's an option to password protect processes in AVP as well but I kind of hate the newer versions so I haven't tried it. What is ANTS 3.0 ??

 

Thanks!

 

>Andreas, correction: there will be a way - as soon as ANTS v3.0 is out of RC1 and
>ready for use

The current beta is able to block process manipulations, too ;o).

 

of cause i agree.

 

How many does it take to make a quorum again? Pete

 

Spy 1 did you get your copy of ANTS 3.0 RC1 yet?
I tried the scan engine and then never saw anymore updates to it. All I got it the scan engine , not a full RC1.
When running the update all I get is the same Sig file.

 

Hey, controler! Nope, not yet! Pete

 

Sophos AV is almost impossible to shut down from memory process. Virii (if trying from MP)won't be able to shut it down unless sophos directory is completely deleted!


Technodrome

 

put the thread into debug mode and terminate it - where is the problem? *fg*

 

RegRun is a nice little program that will keep processes from being terminated, or at least warn you if it is.

 

does it prevent the termination or does it only warn and restart the process?

 

Hi Andreas. You know, I really haven't dug into that yet. I have several files that are watched, but have never had any of them messed with.
I do know that with watchdog enabled, whenever certain changes are made to the registry, I get a popup notifying me and asking if I want to keep the change.
Regrun has a forum at Beckys.

 

ok - but warns it if your kav was kicked out of your memory? ;o) ANTS 3.0 does it - and it doesn't only warn, it PREVENTS it. Only if you say, yes, its ok if this process will be modified/terminated you can get access ;o).

 

TDS4 products will include process protection

For now, JUST RENAME all your AV products' EXE files and their reg keys and you wont have a problem

 

No - thats partly wrong. Do you know Next Generation Killer? If not i will send you. It detects the process using class and window names . It won't help if you simply "rename" the file.