Self-protection of NOD32

As it is known,NOD32 V3 is weak in self-protection.

The self-protection method of NOD32 used is that the service of NOD32 whose name is "eset service" re-generate its' process at once by function provided by Windows OS after it is terminated.

I think it is not safe enough because this can be easily exploited by virus to stop or even destroy NOD32.

Look at some other AV products such as Norton or Kapersky, they both have great self-protection ability. Their process cannot be terminated by windows task manager or other third-part tools while their program files are well protected too.

Today threats are evolving very fast, more and more virus beomes aggressive and designed to destroy the anti-virus software in order to perform their action.

Does ESET intend to improve self-protection of NOD32 in nearly future? Or ESET has its’ own opinion about this issues?

 

Actually it has no self protection. Just set ESET Service to Disabled and then kill the ekrn.exe process. No virus needed, a batch file can do that...

 

Anything with admin rights can do this. Please , try your bat file in Vista with UAC enabled - it won't pass.

ESET's service cannot be killed (if someone manually stops the service that is another story). Since 3.0.621 ekrn.exe cannot be renamed , too.

 

Self-protection is pointless and might cause more problems than solutions. IMO, the only acceptable self-protection is:
- Prevent the service from being modified/disabled.
- Prevent autostart keys from being modified/disabled.
- Prevent AV files from being modified/disabled.
- Password-protect the GUI to protect against window messages.
The rest of the self-protection must be handled by Windows. If you're running a LUA, your AV is well protected.

 

Can't comment on Kaspersky but i've seen many a Norton installation damaged by virus, kids meddling or even had to kill it myself because it slows a PC down so much.....

 

IMO,self-protection can protect the AV product against the virus which are not detected by AV product with signature up to data.

I agree with the acceptable self-protection you said,but it seems NOD32 do not have all the aforementioned acceptable self-protection.

 

I have a question all the while.

Is there any possibility that some virus kill nod32 by disable its service?

 

I, for example tryed to disable NOD 3.0 service from administrative tools and failed, better said I didn't have option available for stoping service. As for malware I am not sure. Maybe someone with better knowledge can explain?

 

In both v2 and v3 there is no right click Stop option , but you can choose the service to "Disabled" . After that you can stop it from the Task Manager .

However , again , this requires Administrator rights (and knowledge to be done by a person).

 

thanks for your tips,HiTech_boy!

You mean a virus cannot perform this operation?