Bug? ekrn.exe can be terminated by users!

Discussion in 'ESET Smart Security' started by rahx, Nov 13, 2007.

Thread Status:
Not open for further replies.
  1. OMEGA_RAZER

    OMEGA_RAZER Registered Member

    Joined:
    Apr 11, 2007
    Posts:
    94
    Location:
    24.24.2.2147
    It's never impossible to terminate the self-defence of a program. The best self-defence of ANY program I have ever seen or come across so far was Deep-Freeze. What it did was track everything the user did in their session and undo any changes on the next startup. The owner would set up the environment as they wanted it to be used and then install the program, and at first inspection the computer was fully open, but you could fully and completely delete every file and folder on your system drive or any other drive not marked as protected and it would all be back at next startup. A friend of mine managed to get my old high school's install file (with embedded password) and then installed it on my PC when I went to get my dinner, and it took me almost two weeks of constant fiddling to remove it without formatting (which they also say it protects against but didn't wanna test it out ;)). Anyone else here ever seen or used Deep-Freeze?
     
  2. bluesprite

    bluesprite Registered Member

    Joined:
    Apr 11, 2007
    Posts:
    71
    I agree that there may be a way to disable any defence, but two lines in the command prompt? Please... I'm trying BitDefender 2008 right now. The real-time protection service can't be stopped, the process can't be terminated and the corresponding file can't be renamed - you get Access Denied in any of those (Admin account in XP). I'd like to see that (or better) in ESS, then I'll live with the knowledge that there might be a way to disable the self-defence somehow, as long as it's not as simple as it currently is. I suppose you'll agree with that. :)

    What you say about Deep Freeze sounds similar to GoBack, if I understand correctly. But that requires a large hidden partition to keep the backups, doesn't it?
     
  3. solcroft

    solcroft Registered Member

    Joined:
    Jun 1, 2006
    Posts:
    1,639
    It's so incredibly easy to trivialize, isn't it?

    Just for the record, I can disable Kaspersky with one. At least before v7 MP1.
     
  4. OMEGA_RAZER

    OMEGA_RAZER Registered Member

    Joined:
    Apr 11, 2007
    Posts:
    94
    Location:
    24.24.2.2147
    I know Deep Freeze doesn't need an extra partition, not sure about GoBack cause I've never experimented with it... just DF cause I had to :p but how I managed was to disable the service for a second (or less, it was a whole thing of luck timing) and switched the settings file with a different one that I made on a different computer and it totally killed the program... it stopped running and didn't start up again and I couldn't even start it manually anymore :S if ESET could find out how to do that I definitely don't think there'd be any problems... just not sure how they'd be able to as I don't know how either of the apps is coded :p
     
  5. rahx

    rahx Registered Member

    Joined:
    Nov 13, 2007
    Posts:
    22
    If you are talking about changing systime, then yah, I completely agree. And that's why I'm not using KIS any more.

    Personally, I'd like to see some basic self-defense. At least do not allow ekrn.exe to be renamed (or any file in the ESS folder, for that matter) while it is running. Is that too much to ask for?
     
  6. ugly

    ugly Registered Member

    Joined:
    Mar 21, 2005
    Posts:
    276
    Location:
    Romania
    Self-protection test.
     
  7. SteveBlanchard

    SteveBlanchard Registered Member

    Joined:
    Nov 4, 2007
    Posts:
    312
    Location:
    ENGLAND
    No, it does not restart automatically. ekm.exe was off for about 45 minutes before I fixed the other AVS, the only way to restart ekm.exe is to go into All Programs; ESS and click on the launch program icon, or reboot.
    This may just be my PC but as we have seen ESS tends to have varying degrees of instability whether XP or Vista, old PC or new PC.
     
  8. bluesprite

    bluesprite Registered Member

    Joined:
    Apr 11, 2007
    Posts:
    71

    Well, it is supposed to restart automatically. If it didn't, it means the service hung and couldn't restart; you can check your Event Viewer for confirmation. But this just goes to show that even the basic self-defence failed in your case.

    The other way to restart ekrn.exe is from the Services administrative console.

    @solcroft - that's just a reason not to use either program, not to justify the shortcomings of ESS.
     
  9. _Rupert_

    _Rupert_ Registered Member

    Joined:
    Jan 3, 2006
    Posts:
    61
    Location:
    United Kingdom
    Was hoping Marcos may have posted in here by now :/

    Hopefully it'll be something that's pretty high on ESET's to-fix list..
     
  10. SteveBlanchard

    SteveBlanchard Registered Member

    Joined:
    Nov 4, 2007
    Posts:
    312
    Location:
    ENGLAND
    Doubt it, they haven't responded to my support request.
     
  11. crummock

    crummock Registered Member

    Joined:
    Aug 19, 2004
    Posts:
    198
    I had a support reply saying that an admin can do what they like and nothing ESET can do to stop that.

    Not sure he got the point :)
     
  12. SteveBlanchard

    SteveBlanchard Registered Member

    Joined:
    Nov 4, 2007
    Posts:
    312
    Location:
    ENGLAND
    Thing is it is not just admin, my son's limited user account is very restricted, but I managed to kill ESS in task manager.

    I cannot see why such a brilliant piece of AV software with near 100% AV signature is screwed by some lapse programming/cost cutting etc. I mean you are paying near £44 for a product with one big hole in the back door. There is plenty of other AV software available that does as good a job.

    Even if the back door cannot be closed, then what guarantee have we got that once we notice we have been remotely terminated by a Trojan and finally got ESS back on line that ESS can clean the infected computer?
     
  13. Palombaro

    Palombaro Registered Member

    Joined:
    May 13, 2005
    Posts:
    77
    Location:
    UK
    ESET's silence on this matter is deafening. What I would like to hear from them - as a non-technical customer of theirs - are answers to the following questions:
    1) Is the issue discussed in this thread a genuine problem? If not why not?
    2) If it is a problem when can we expect a remedy?
     
    Last edited: Nov 14, 2007
  14. ASpace

    ASpace Guest

    Are you sure?!?

    This is not possible here on XP, on both Administrator and Limited accounts. By this I mean one cannot terminate the ESET kernel because it will reload in a moment.
     
  15. _Rupert_

    _Rupert_ Registered Member

    Joined:
    Jan 3, 2006
    Posts:
    61
    Location:
    United Kingdom
    If ESET haven't replied to this by the end of the week, I'm ditching NOD.. which would be a great shame. I've been using it for 5 years and recommended no end of people.

    Just tell us you're aware of the issue and are working to fix it (i.e. prevent ekrn.exe from being renamed at the very least!).
     
  16. SteveBlanchard

    SteveBlanchard Registered Member

    Joined:
    Nov 4, 2007
    Posts:
    312
    Location:
    ENGLAND
    Quite certain, logged onto his account and into Task Manager etc.

    This seems to be a general problem for ESS users, that User A gets a result different to User B, User C only gets User A result if he uses XP and not Vista.

    And as I said earlier, when I put the other AV on with ESS running, I killed ekm for at least 45 minutes whilst the other AVS settled down, it did not start again. Now this morning was a M$ update whether that had any change on the system I don't know. Unfortunately I cannot replicate the process as ESS is having a rest whilst I try KIS 7.0
     
  17. soulstace

    soulstace Registered Member

    Joined:
    Nov 14, 2007
    Posts:
    5
    Only allow the SYSTEM account to have permissions on ekrn.exe (remove all other permissions, including Administrator).

    Now users and/or malware should not be able to rename it as easily.

    I still think it would be a good idea to prevent ekrn from being terminated at all however. Think antivirus with anti-rootkit technology.
     
    Last edited: Nov 14, 2007
  18. SweX

    SweX Registered Member

    Joined:
    Apr 21, 2007
    Posts:
    6,429
    Why doesn't ESET comment on this?

    I can say that I bought ESS 3 days ago, and if I had known about this then,
    I wouldn't have bought ESS.
    But I HOPE that ESET will put out a fix for this, included in the automatic updates or a new build update.

    SweX
     
  19. nodyforever

    nodyforever Registered Member

    Joined:
    Oct 30, 2007
    Posts:
    549
    Location:
    PT / Lisbon
    Maintain the calm on Eset it will give us an answer shortly:)
     
  20. OMEGA_RAZER

    OMEGA_RAZER Registered Member

    Joined:
    Apr 11, 2007
    Posts:
    94
    Location:
    24.24.2.2147
    A little harsh, don't you think?
     
  21. SteveBlanchard

    SteveBlanchard Registered Member

    Joined:
    Nov 4, 2007
    Posts:
    312
    Location:
    ENGLAND
    Fixed
    Thanks to Jozef Manduch, ESS Tech Support in Slovakia

    Right click on my computer – manage – services – find Eset Kernel Service – double click on it – Check if it is set to „Automatic“.


    Now going to scan everything and see if any of the viruses KIS 7 found are still on the PC
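
Added example (not part of any post and not ESET's code): a read-only PowerShell audit of the two settings raised in posts 17 and 21, the service's startup type and who besides SYSTEM can modify or rename the service binary. It assumes the service is registered under the display name quoted in post 21; the set of rights it flags is a choice made for this example.

```powershell
# Added example: read-only audit; it changes nothing on the system.
# Assumption: the service uses the display name quoted in post 21.
$displayName = 'Eset Kernel Service'

$svc = Get-CimInstance -ClassName Win32_Service |
    Where-Object { $_.DisplayName -eq $displayName }
if (-not $svc) { throw "No service with display name '$displayName' found." }

# Post 21: the service only comes back after a reboot if it starts automatically.
if ($svc.StartMode -ne 'Auto') {
    Write-Warning "$($svc.Name) start mode is '$($svc.StartMode)', expected 'Auto'."
}
# Recovery actions the Service Control Manager applies when the process dies.
sc.exe qfailure $svc.Name

# PathName may be quoted and may carry arguments; keep only the executable path.
$exe = $svc.PathName -replace '^"?(.+?\.exe)"?.*$', '$1'
$dir = Split-Path -Path $exe -Parent

# Post 17: list every principal other than SYSTEM (S-1-5-18) that can write,
# delete or re-permission the binary. Renaming a file needs Delete on the file
# or DeleteSubdirectoriesAndFiles on its folder, so both are checked.
$sidType = [System.Security.Principal.SecurityIdentifier]
$checks = @(
    @{ Path = $exe
       Rights = [System.Security.AccessControl.FileSystemRights]'Write, Delete, ChangePermissions, TakeOwnership' },
    @{ Path = $dir
       Rights = [System.Security.AccessControl.FileSystemRights]'DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership' }
)
$findings = foreach ($c in $checks) {
    $acl = Get-Acl -LiteralPath $c.Path
    foreach ($ace in $acl.GetAccessRules($true, $true, $sidType)) {
        if ($ace.AccessControlType -eq 'Allow' -and
            $ace.IdentityReference.Value -ne 'S-1-5-18' -and
            ($ace.FileSystemRights -band $c.Rights)) {
            [pscustomobject]@{
                Path      = $c.Path
                Sid       = $ace.IdentityReference.Value
                Rights    = $ace.FileSystemRights
                Inherited = $ace.IsInherited
            }
        }
    }
}
$findings | Format-Table -AutoSize -Wrap
```

Each row in the output is an allow entry that would let an account other than SYSTEM rename, replace or re-permission the file, which is the condition this thread is about.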
     
  22. crummock

    crummock Registered Member

    Joined:
    Aug 19, 2004
    Posts:
    198
    That fixes your issue where ESS didn't restart but it does not address the issue that this thread is about, which is that the ekrn.exe can be renamed while ESS is running and thus prevent it restarting.
     
  23. _Rupert_

    _Rupert_ Registered Member

    Joined:
    Jan 3, 2006
    Posts:
    61
    Location:
    United Kingdom
    Harsh? Not at all.

    I'm not asking for the problem to be fixed within any time period, just simply for ESET to at least acknowledge it.
    The fact remains, that a problem like this should not be present in a final release of security software!
     
  24. crummock

    crummock Registered Member

    Joined:
    Aug 19, 2004
    Posts:
    198
    ... and that is precisely what is wrong with the way ESET treat their customers. We are often reminded that Wilders is the Official ESET support forum yet an issue which is seen by many to be quite serious has now been on here for two days with not one comment from an ESET employee.

    Even if it was only an acknowledgement of the issue and a comment that they would come back with a detailed response by a given reasonable date.
     
  25. jackm

    jackm Registered Member

    Joined:
    Nov 8, 2006
    Posts:
    22
    You're three weeks late.

    https://www.wilderssecurity.com/showthread.php?p=1101050#post1101050
     