Attacking Anti-Virus Software

Interesting Article

 

Epitome of this article:

"...end users have been putting so much faith in antivirus solutions,
and have ignored the fact that antivirus software itself can be compromized."

As a Member of this Forum writes:
"There is no Security; only degrees of Insecurity" (or something like that )

If Hackers want..., they -certainly- can...

 

this is scary, because i never had issue with my anti-virus but today it disabled for the first time itself and i got a popup there it showed me that something was wrong..
Right now i use Avira.

 

..that is my subline

I never ignored it I watched how they did it.

That is not scary it is logical, these assembler junkies can interfere and communicate with each little piece of cpu code that is the reason why they can misuse avs for their own purpose and even redirect and use as proxy.
Kind of direct injected/written/redirected process memory (mainly in memory modifications likely even in cpu code)

 

so i am in danger here or what?
what should i do to found if anyone is trying to disable my anti-virus?

 

well make sure you have an av with self protection and check there website everyso often to make sure there isnt a known remote or local exploit that needs to be plugged by an update.

 

I prefer to start my attack with a baseball bat.

 

...and with some minor change it could also be as following:

"...end users have been putting so much faith in HIPS solutions,
and have ignored the fact that HIPS software itself can be compromized."

/C.

 

Not to forget divers phrase:

 

I like this one

 

Does anyone know if NOD32 2.7 and 3.0 have self protection for program termination?
What about Avira? Does it have self protection?

 

The only test I have found regarding anti-virus self protection is here:

http://www.anti-malware-test.com/?q=taxonomy/term/16

The results are from 9/12/2007 however. I do no know how often the test will be conducted.

 

I wonder how much would avast! score with release version 4.8 which has a dedicated self-defense system...

 

No objection. Everything can be compromised.
I no longer trust the AV/AS scanners for being my primary protection.
On the other hand, I have no BLIND trust in HIPS, too.
That's why our last resort of defense has been the Instant System Recovery software
and after it the Backup (Imaging) software.

Only naive Funboys or Shills claim that their 'X' AV/AS scanner, or HIPS or Sandbox
or ISR or Backup or whatever offers bullet-proof protection.
-The first ones are ignorant enough to believe it.
-The second ones simply want to promote their products.

Some times, Hackers laugh so much here...

 

Very true and a very good post.

 

only protection is EM shielded computer with self sustained powersource w/o access to internet lol
sry for being offtopic but that's only what come to my mind

 

Yes, but the truth is bad for sales and marketing. Acronis is really my defense; if any of the "protectors" fail, you simply go back a day before the **** hit the fan. Real simple-real basic. I am not sure it matters which AV or HIPS you use. Just restore an image and you are back to a working system. No stress.

 

I certainly am no expert and I wouldn't even dare to claim that my AV/AS/Backup offers bulletproof protection, but I do think that the level of protection also depends on your needs and computer habits.

 

Just a simple question...., could we try to have a discussion without abusively trying to categorize and personalize the subject in terms of fanboys/funboys and shills? It's not necessary to make the underlying technical points, but it sure starts the discussion on a downward spiral. How about we all aim a little higher in the discourse?

Blue

 

I only trust ShadowProtect and then FDISR (Frozen) in that order.
Both restore my computer in a fresh installed, malware-free and unused state.
If FDISR fails and it will in the future, SP will do the job + my Zero Tool, if necessary.

Once I turn ON my internet connection, I consider my system partition already as possibly infected, because I don't trust any of my security softwares to keep my computer clean. That's why I replace my system partition with a clean one during each reboot in order to remove the daily mistakes of all my security softwares. I only need my security software to stop the execution of malware during two reboots, because my boot-to-restore only removes malware during reboot and that is too late.
FDISR is also constantly online and can't be trusted either and that's why I need ShadowProtect (+ Zero Tool) to get my FDISR back as it was. Until now FDISR isn't compromised, but that will happen one day.
That's why I have a double recovery set : clean and daily.

I don't use any security software based on blacklists or partly based on blacklists, only evergreens like Anti-Executable, DefenseWall HIPS, Sandboxie, ...

Personally, I consider scanners as a sissy way to fight against malware. You don't win the malware war by running AFTER the bad guys and collecting their droppings. You have to run faster than them.

 

Sissy way or not, unfortunately it's the only way for 70-80% of computer users to fight the battle. Most people don't understand how other, more advanced, appz work I'm afraid.

Then again, not everyone needs all kinds of appz to protect themselves on the web. It also depends on what YOU do when you're online.
Go looking for trouble and you're bound to find it. Or doesn't this make sense?

@ErikAlbert: Is ShadowProtect a StorageCraft product? Can it be compared to Acronis TI?

 

Yes, ShadowProtect is also an Image Backup software (Desktop and Server version).
http://www.storagecraft.com/products/ShadowProtectDesktop/

 

After reading the witepaper, this question comes in mind for me "Is it correct to asume that using a security product for protecting your "data" isn't enough anymore. And a end user wood be better off with a wider range of products.

 

Dear Blue,

There is NO way to have an -Objective- discussion with the fanboys/funboys and shills.
Everytime, I say that I used/tested product 'X', but I did't like it because of the
a), b), c) reasons, the fanboys/funboys and shills of product 'X' came and attacked on me.
For example, in a previous thread, I wrote some things about several AS products
I had used/tested. Then, some members moved/wrote against me. Who were they?
After reading some previous posts of them, I clearly found that they were
-Constantly- promoting a specific AS product.

-Being a user who tests a lot of security products is one thing.
-Being a naive/ignorant/blind/stupid fanboy/fun(ny)boy of a security product is another thing.
-Being a shill, who came here to promote specific products and attack on
the ones who dislike his products and have valid reasons to do so, is a PURE HYPOCRISY.

Some last points:
-We all saw what happened with av-comparatives and F-Prot.
-We all saw the recent story with the last Matousec test, Comodo and Online Armor.
Final Result: The average user doesn't know what to believe anymore.

Like I said before: Sometimes, Hackers laugh so much here.

 

Hi,

the funny thing is, most of the people I know are not so called security experts,
they are just ordinary users, they surf, share, skype or whatever.

They run their desktops and labtops with a free av and the windows firewall
(but only because the FW is active by default...).

They sit in front of their computers for ten years or longer,
but they don't ever use chkdsk, defrag, backup or such things.
Nor do they even know what a HIPS, imaging tool or sandbox is good for.

Most of them run their system for years without problems,
which I know for sure, because if there is a problem, I'll be the first to be told.

Sometimes I ask myself, what would they all think about all these bombastic lines from first-rated experts?
Maybe "Outlandish! What a waste of time!"

Cheers