NOD32 can be disabled via the registry

NOD32 GUI can be disabled via the registry

Hi,

What I initially reported in this thread for v5 still happens with v6 and happens with NOD32 and ESS both:
https://www.wilderssecurity.com/showthread.php?t=308495

Basically, as an administrator you can navigate to

and just delete the key. When rebooting NOD32 won't run.

Now, you might say that's normal since I am logged in as administrator and I should have control over my registry. However, if you make yourself a .reg file containing this:

in an effort to add the entry back, NOD32 self-defense will prevent the operation. With self-defense disabled the .reg file is added back without error.

This leads me to think that NOD32 has some features to prevent modifying its autorun entry, which makes sense, however it does not prevent its deletion which wrong in my opinion.
I also find it strange that deleting the registry key can be easily done, but not adding the key back (what harm can come from adding it back when it is not present?... seems like the logic is inverted here).

 

I'm unable to delete that value (Win7 x64). Does anybody else have the same issue? At any rate, egui is not a critical process, it's just the gui and the ekrn process responsible for scanning files is still running.

 

hmmmm.... that's odd, I failed to mention it above, but I am on Win7x64 as well and I can delete the value and I do have Self-Defense enabled. I am logged in as administrator (as a regular user I am unable to delete it).
I have UAC disabled too if that makes a difference.

Thanks for your input about egui, I understand that I am still protected as long as the ekrn service is running. I just found it strange to be able to delete the registry entry, but not adding it back (even as administrator!).

 

yes i can delete it here as well. but as said it seems eset is still running just the gui does not open any more. same win7 x64 running WITHOUT uac turned on (slider all the way down) and my account is the admin account.

 

very good thread
eset have to make self-defense more strong

 

even if this is deleted it seems i am still protected just the gui does not open. i tried to infect the machine and eset still pops up blocking the files just cant open the gui. but i agree they should not allow this key to be deleted

 

Yeah, in my opinion it should not be possible to delete it, at least with Self-Defense enabled, and I think it should allow adding the registry key instead. Seems like it is doing the opposite of what would be logical.

Try it yourself, backup the registry key before deleting it, and try to add it back by executing the .reg file you just backed up, it won't let you add it back, even as administrator.

Not being able to add it back messes up my automated batch files that I use for automatic install of all software when I reformat my PC (my script deletes all autorun entries for all software then add only those I want). The workaround I found is to re-add the autorun registry key to HKCU instead of HKLM.

 

Hello,

egui.exe is only the interface, not the protection.

The interface can be absent and protection active.

 

falsehood, wrong.

 

Windows Registry Editor Version 5.00/ Windows XP MODE

HIPS support module: 1065 (20130117)
rule
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\*

 

very odd that eset blocks this for some and not for others?? it did allow it to be deleted here. im going to start with a totally fresh copy of windows and see what happens.

 

Just remember that you must reboot your computer after installation before self-defense can be enabled.

 

I've clarified the thread title to say that it is the GUI which can be disabled and not the whole scanning engine.
Still, I hope it's going to be fixed someday... I still have no explanation why I can remove the run entry from the registry (even though it appears that not everybody is able to do so) but I cannot write to the registry to add the run entry back so the egui would run.