AVs that are vulnerable to being Disabled

Discussion in 'other anti-virus software' started by richrf, Oct 17, 2004.

Thread Status:
Not open for further replies.
  1. richrf

    richrf Registered Member

    Joined:
    Dec 11, 2003
    Posts:
    1,907
    Hi all,

    My copy of Norton SystemWorks is coming up for renewal. I am considering McAfee and KAV, but also others if they are compatible with my system setup.

    My current concern is that I believe that NAV is vulnerable to being disabled by certain exploits. This may have already happened: lots of weird stuff was happening on my system before it crashed and I was unable to re-boot. (Prior scans with McAfee and KAV could not find anything, but I think something was definitely there.)

    Anyway, is it possible for exploits to disable NAV? Are there reasonable ways to prevent this? If not, are there better AV solutions that are less susceptible to this problem? I would appreciate any advice. Thanks.

    Rich
     
  2. Ailric

    Ailric Guest

    Not being an expert, I'll tell you what I know. Most people that I help with their computer had Norton disabled - one was by the agobot worm. This could have been prevented by a firewall not allowing the attacker to re-infect the computer.

    One method to help avoid this is to have your AV password-protected. KAV and NOD32 are a couple that have password protection. McAfee doesn't have password protection but seems a lot less vulnerable to this exploit.
     
  3. RejZoR

    RejZoR Registered Member

    Joined:
    May 31, 2004
    Posts:
    6,426
    Technically there are no limits on killing the AV process. It's not that hard to do at all. It's harder to protect such processes. Even Process Guard can be bypassed.

    Password protection is just to keep users from changing the settings.
    A worm doesn't bother with passwords. It simply kills the process or erases some important entry that is required for the AV to work correctly.
     
  4. Sweetie(*)(*)

    Sweetie(*)(*) Registered Member

    Joined:
    Aug 10, 2004
    Posts:
    419
    Location:
    Venus
    Nod32 has a secure password and start-up procedure, also very fast scanning.
    It is a very good AV with excellent detection rates [consistent VB100% award].
    There is a free 30-day trial available here if you want to try it:
    http://www.nod32.com/download/trial.htm
     
  5. bellgamin

    bellgamin Very Frequent Poster

    Joined:
    Aug 1, 2002
    Posts:
    5,648
    Location:
    Hawaii
    Doesn't the worm need to attack a *specific* antivirus program? If so, does this mean that -- for the moment at least -- I might be better off if I used a more obscure but competent AV, such as VirusBuster or Rising, perhaps?

    Also, DrWeb's SpiderGuard used to be on the list of running applications that I accessed by doing ctl-alt-del. Since DrWeb updated to version 4.32a, I notice that SpiderGuard is no longer on that list, even though SpiderGuard is running. Can anyone explain what, if any, significance this change might indicate?
     
  6. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    Interesting RejZoR, Is that an assumption or do you have evidence to support it? Is this a new method or one that has been discussed here before?

    There were two possible methods by which Process Guard could be bypassed, both difficult to accomplish; these are concepts and nowhere near release to the wild.
    They have been closed in the latest version of Process Guard, which is due for release very soon.

    If you were talking about Close Message Handling issues, these have also been addressed.

    Hope this clarifies these possible issues. Pilli

    To answer the original question, yes, all security programs can be bypassed, though some are much more difficult than others.

    There is no such thing as 100% security, but we can get pretty close by protecting important processes, programs etc. with tools such as Process Guard.

    If I was allowed just one security application it would be Process Guard :D

    Cheers.
     
  7. RejZoR

    RejZoR Registered Member

    Joined:
    May 31, 2004
    Posts:
    6,426
    I won't go into details, but usually worms won't even bother with Process Guard.
    The post was not written to show PG ineffective (if maybe it sounded that way). Worms usually target common antiviruses like Norton and McAfee. Terminating processes/shutting down services isn't a big deal, and it's usually harder to protect them than to terminate them.
    Unless they make something that would protect such processes on a global system basis (protected by the OS itself). But even this could be bypassed, as many other "unbreakable" things in the world.
     
  8. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    Hi again. No worm will stop a process protected by Process Guard or be able to inject into the process's physical memory space. Even a script to close the process using normal exits or quits will not work with Close message handling enabled.

    If you want to try this out, there are many other methods used to close processes; try this tool on your security programmes:
    http://www.diamondcs.com.au/index.php?page=apt
    Then try it with Process Guard enabled. ;)

    Pilli.
     
  9. RejZoR

    RejZoR Registered Member

    Joined:
    May 31, 2004
    Posts:
    6,426
    I managed to delete the service, but it's still protecting the test process, which means that it is protecting it on a driver level...
     
  10. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    Process Guard works at the kernel level; once it is installed, and providing that the system is clean, nothing can get below it. :)

    So once a process is added to the Process Guard's protection list it is VERY secure especially when the four general options are enabled.

    Regarding the question of this thread, yes, all security processes are vulnerable to closure or suspension rendering them useless; this includes most firewalls and AV / ATs etc.
    Process Guard can protect these processes to a very high degree. Hackers and Crackers can find much easier nuts to crack :)
    Good security relies on a layered defence; Process Guard is a very strong layer.
     
  11. RejZoR

    RejZoR Registered Member

    Joined:
    May 31, 2004
    Posts:
    6,426
    Someone would have to pick on PG (examine it in detail), but I doubt it's worth the effort since it's not used widely.
     
  12. Wayne - DiamondCS

    Wayne - DiamondCS Security Expert

    Joined:
    Jul 19, 2002
    Posts:
    1,533
    Location:
    Perth, Oz
    This has already been done. The SIG^2 G-TEC team from Singapore analysed Process Guard in depth and found just one vulnerability (which actually applies to virtually all other driver-based security software - in other words, it's not a problem specific to Process Guard). Information can be found here:
    http://www.security.org.sg/vuln/procguard.html
    We've actually developed a fix for this which is already implemented in Process Guard v3 (already available to all registered users), and not only does it prevent Process Guard from being attacked using this vulnerability but Process Guard now also lets you protect other vulnerable processes from this attack. It is currently the only program that I know of that allows you to protect processes from this attack.

    Best regards,
    Wayne
     
  13. Sweetie(*)(*)

    Sweetie(*)(*) Registered Member

    Joined:
    Aug 10, 2004
    Posts:
    419
    Location:
    Venus
    Hi, thank you to the guys from DiamondCS for their posts on this topic, extremely interesting.

    Is there a site that has more info on this topic [i.e. research on vulnerable AVs, security apps]?
    It would be good to know how safe our particular security software is.
    Thanks.
     
  14. profhsg

    profhsg Registered Member

    Joined:
    May 18, 2004
    Posts:
    145
    I tried DiamondCS's APT test on all my security software. While the tests did shut down NOD32's GUI, they could not shut down nod32krn.exe, which is NOD32's on-access scanner. The APT did, however, shut down my BOClean, Giant Antispyware and WinPatrol on the 1st try. It took a couple of tries to shut down LooknStop. So, most security software does not seem to be as robust as NOD32 when it comes to being shut down by exploits.
     
    Last edited: Oct 17, 2004
  15. Wayne - DiamondCS

    Wayne - DiamondCS Security Expert

    Joined:
    Jul 19, 2002
    Posts:
    1,533
    Location:
    Perth, Oz
    Just in regards to APT, we'll be releasing a new build of that which offers a few more termination methods, and also introduces some crash techniques -- if you can fatally crash a security application it's as good as terminated, so the next release of APT allows you to test for these attacks, and Process Guard v3 already protects against them. :)

    Enjoy the rest of the weekend folks.
    Best regards,
    Wayne
     
  16. Bowserman

    Bowserman Infrequent Poster

    Joined:
    Apr 15, 2003
    Posts:
    510
    Location:
    South Australia
    This is how the vulnerability referenced by Wayne now fails against Process Guard :).

    Regards,
    Jade.
     

    Attached Files:

  17. richrf

    richrf Registered Member

    Joined:
    Dec 11, 2003
    Posts:
    1,907
    Hi everyone,

    Thanks for all of the in-depth information. I pretty much understand what everyone is saying and the vulnerabilities that currently exist and how PG attempts to protect against these vulnerabilities.

    Since PG 3.0 is still in beta, it is difficult to assess whether it will be appropriate for my system. There are compatibility issues that I have to test out. So with the PG decision still on hold, can anyone say that one AV product is less susceptible to disabling than another? It appears that NAV is very susceptible (without PG); are others better? I noticed a message concerning NOD32. Anyone have any experiences with KAV, Trend Micro, and McAfee? Any of the others?

    Thanks for all of the help and any additional info that you can provide.

    Rich
     
  18. Paranoid2000

    Paranoid2000 Registered Member

    Joined:
    May 2, 2004
    Posts:
    2,839
    Location:
    North West, United Kingdom
    When I tried KAV, the background scanner (avp32) seemed to resist everything APT could throw at it - this was a mixed blessing though because I wanted to shut the damn thing down given the impact it was having on my system performance!

    To be honest, if an AV scanner does not find malware on your system before it gets executed, it has failed and cannot help further so its resistance to termination becomes a moot point. More general security programs not relying on malware signatures (firewalls, process and registry monitors, etc) are your best hope at this stage.
     
  19. bellgamin

    bellgamin Very Frequent Poster

    Joined:
    Aug 1, 2002
    Posts:
    5,648
    Location:
    Hawaii
    Droll. Informative. Startling. Excellent!
     
  20. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    Interestingly enough I took some time to test KAV 5, kavscv.exe and it could not be killed by anything that I tried against it, though I am no expert. The KAV 5 service appears to use a kernel level driver that guards very well ATM.
    I believe the latest version of Zone Alarm also has such a protection; IMHO this is a move in the right direction security-wise.
     
  21. Ashak011

    Ashak011 Guest

    Hi Rich,

    I have McAfee VS 8 on my PC and while browsing the web was told that ActiveShield had detected a virus. When I looked at the system tray my McAfee VirusScan had been disabled! Ran a scan which found nothing, did an online scan with BitDefender which found two trojans allegedly but couldn't disinfect them. When I re-booted, McAfee was still disabled, which I found strange; having enabled it, it now seems fine. My PC is running fine as before, but I find it all a bit disturbing.
     
  22. RejZoR

    RejZoR Registered Member

    Joined:
    May 31, 2004
    Posts:
    6,426
    Well, terminating an AV is one thing, but deleting its components is another.
    And you can't avoid that. If you delete critical components you can disable pretty much anything.
     
  23. Ashak011

    Ashak011 Guest

    You mean that if an anti-virus programme is disabled it's still protecting against attack?
     
  24. nadirah

    nadirah Registered Member

    Joined:
    Oct 14, 2003
    Posts:
    3,647
    If an antivirus program is disabled in any way, it's not protecting you anymore. ProcessGuard is capable of preventing your security software from being terminated by spyware and other types of malicious software, but ProcessGuard CANNOT prevent security software from being terminated by the computer user himself/herself.

    Only the computer user can terminate the security programs, other processes or software cannot terminate the security programs.
     
  25. webmedic

    webmedic Registered Member

    Joined:
    Nov 7, 2004
    Posts:
    123
    Location:
    just curious how much info you can get into here a
    Yes, but that still does not stop the virus/worm/trojan from deleting files not in use that will affect the scanner, or deleting registry entries that may affect the way the scanner runs.

    So unless the scanner catches the virus to begin with, you are not going to be having a good time. And in my shop Norton is shut down a lot. Not all the time, but a lot of the time.
     
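A defender-side check that follows from two points in this thread: profhsg's observation that killing an AV's GUI is not the same as killing its on-access scanner, and webmedic's point that deleting files or registry entries disables a scanner just as surely as terminating its process. This is added example code, not from any poster or product; it runs against constructed snapshots, and apart from nod32krn.exe (named in the thread) the GUI, autostart and component names are placeholders.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class AvProfile:
    name: str
    engine: str            # on-access scanner image; must stay resident
    gui: str               # tray/GUI image; expendable, no scanning happens there
    autostart: str         # Run-key value that relaunches the product at boot
    components: frozenset  # on-disk files the engine needs

@dataclass(frozen=True)
class HostSnapshot:
    processes: frozenset   # lowercase image names currently running
    run_values: frozenset  # Run-key value names currently present
    files: frozenset       # component files currently present on disk

def assess(av, snap):
    """Return (status, findings): 'disabled' if the engine is gone, 'tampered'
    if it runs but something it relies on was removed, else 'protecting'."""
    findings = []
    if av.engine not in snap.processes:
        findings.append(f"{av.engine} not running: no on-access scanning")
    elif av.gui not in snap.processes:
        findings.append(f"{av.gui} terminated, {av.engine} still resident")
    if av.autostart not in snap.run_values:
        findings.append(f"autostart value {av.autostart!r} removed: not restarted at next boot")
    missing = av.components - snap.files
    if missing:
        findings.append(f"components deleted: {sorted(missing)}")
    if av.engine not in snap.processes:
        return "disabled", findings
    return ("tampered" if findings else "protecting"), findings

# Constructed profile: nod32krn.exe is the engine process named in the thread;
# the GUI, autostart and component names are placeholders, not the real ones.
NOD32 = AvProfile("NOD32", "nod32krn.exe", "nod32gui_placeholder.exe",
                  "NOD32_autostart_placeholder",
                  frozenset({"nod32krn.exe", "nod32_engine_placeholder.dll"}))
BASE = frozenset({"explorer.exe", "svchost.exe", "nod32krn.exe", "nod32gui_placeholder.exe"})
INTACT = HostSnapshot(BASE, frozenset({"NOD32_autostart_placeholder"}), NOD32.components)
# GUI killed, engine survived: what profhsg saw with APT
GUI_KILLED = HostSnapshot(BASE - {"nod32gui_placeholder.exe"}, INTACT.run_values, INTACT.files)
# engine killed, autostart erased and a component deleted: webmedic's scenario
ENGINE_KILLED = HostSnapshot(BASE - {"nod32krn.exe", "nod32gui_placeholder.exe"},
                             frozenset(), INTACT.files - {"nod32_engine_placeholder.dll"})

def demo():
    return {label: assess(NOD32, snap)[0] for label, snap in
            [("intact", INTACT), ("gui_killed", GUI_KILLED), ("engine_killed", ENGINE_KILLED)]}
```

On a real host the three snapshot sets would be filled from the process list, the Run key and the product's install directory; the decision logic stays the same.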