Can "kav's" proactive module be so stupid?

Discussion in 'other anti-virus software' started by faenil, Sep 25, 2007.

Thread Status:
Not open for further replies.
  1. faenil

    faenil Registered Member

    Joined:
    Oct 25, 2006
    Posts:
    88
    I noticed it can be easily putoff just by changing date back to 1986...

    can an AV be so stupid? I can't believe it...Any malware can bypass it, just need to bind it with an exe which sets date back to 1986...

    unbelievable
     
  2. bigc73542

    bigc73542 Retired Moderator

    Joined:
    Sep 21, 2003
    Posts:
    23,873
    Location:
    SW. Oklahoma
    Re: Can the proactive module be so stupid?

    which proactive module??
     
  3. faenil

    faenil Registered Member

    Joined:
    Oct 25, 2006
    Posts:
    88
    Re: Can the proactive module be so stupid?

    kav's
     
  4. solcroft

    solcroft Registered Member

    Joined:
    Jun 1, 2006
    Posts:
    1,639
    Re: Can the proactive module be so stupid?

    Unbelievable as it is, ALL VERSIONS OF KAV are COMPLETELY DISABLED and rendered 100% HELPLESS by this stupid trick. Not just the Proactive Defense Module (PDM), but the resident scanner as well.

    I've raised this issue before here on Wilders, and apparently after being reposted on the Kaspersky fan forums, Eugene Kaspersky's personal opinion is that this "isn't a big problem". I wonder if he knows that this is the #1 method that commercially-manufactured malware use to defeat KAV in China, where it holds a considerable percentage of the market share. In fact, the very reason that EQSecure, ProSecurity and Micropoint (made-in-China HIPS/behavior blocker programs) added the feature to detect and block changes to system time is because of the wide proliferation of this type of malware. Change the system time = invalid license file = COMPLETELY DISABLED KAV.
     
    Last edited: Sep 25, 2007
  5. faenil

    faenil Registered Member

    Joined:
    Oct 25, 2006
    Posts:
    88
    Re: Can the proactive module be so stupid?

    lol...omg....not a big problem...lol...
     
  6. solcroft

    solcroft Registered Member

    Joined:
    Jun 1, 2006
    Posts:
    1,639
    Re: Can the proactive module be so stupid?

    The KAV analysts must be aware of the extent of this problem. The numbers of such malware they receive every day have to tell them something (if not, they completely deserve to be fired). As it is, Kaspersky has yet to do anything about this problem, opting to rely solely on their unbelievably insane (fast) response times to bottle up this issue.

    I must admit, I'm kind of puzzled as to what they're thinking.
     
  7. Thug21

    Thug21 Registered Member

    Joined:
    Jun 17, 2007
    Posts:
    141
    Location:
    Illinois
    Re: Can the proactive module be so stupid?

    I haven't seen this first hand (never used KAV) but that is just plain freaky!
    I wonder if any other security programs have that problem.
     
  8. LUSHER

    LUSHER Registered Member

    Joined:
    Feb 28, 2007
    Posts:
    440
    Re: Can the proactive module be so stupid?

    Pretty obvious to me what they are thinking...
     
  9. scirious

    scirious Registered Member

    Joined:
    Apr 12, 2007
    Posts:
    110
    Re: Can the proactive module be so stupid?

    and to you what are they thinking?
     
  10. lodore

    lodore Registered Member

    Joined:
    Jun 22, 2006
    Posts:
    9,006
    Re: Can the proactive module be so stupid?

    i posted this on the kaspersky fan forum a few months ago.
    i think it is due to be changed in kav/kis8.0 if you look at the kis/kav8.0 beta section on the kav forums.
    lodore
     
  11. LUSHER

    LUSHER Registered Member

    Joined:
    Feb 28, 2007
    Posts:
    440
    Re: Can the proactive module be so stupid?

    Hint 1 : Protecting their users is secondary to making money.

    Hint 2 : Now think about what this date change effect is meant to do....
     
  12. GES/POR

    GES/POR Registered Member

    Joined:
    Nov 26, 2006
    Posts:
    1,490
    Location:
    Armacham
    Re: Can the proactive module be so stupid?

    It is a serious business not a charity org, offcourse money should be there main object trough securing their customers but i guess they could sellout to comodo and go into the fashon industry. Darn shame of their hard work and high education but change can be refreshing.
     
  13. steve1955

    steve1955 Registered Member

    Joined:
    Feb 7, 2004
    Posts:
    1,384
    Location:
    Sunny(in my dreams)Manchester,England
    Any av that issues you with a licence for a set time(1yr 2yr whatever)and allows you to backdate your PC at the end of its "term" should auto disable if you try and do this(in my opinion)otherwise you could extend any licence,even a trial one,indefinately
     
  14. scirious

    scirious Registered Member

    Joined:
    Apr 12, 2007
    Posts:
    110
    However this makes it really simple to malware writers to bypass the security if it isn't detected at the time of the infection what lead the AV useless since it won't even update to detect it later.
     
  15. steve1955

    steve1955 Registered Member

    Joined:
    Feb 7, 2004
    Posts:
    1,384
    Location:
    Sunny(in my dreams)Manchester,England
    not really because any malware would have to get past Kav and alter your system clock:-if it was "that simple" why hasn't it been done already?
     
  16. solcroft

    solcroft Registered Member

    Joined:
    Jun 1, 2006
    Posts:
    1,639
    LMAO, and what makes you think it hasn't.
     
  17. steve1955

    steve1955 Registered Member

    Joined:
    Feb 7, 2004
    Posts:
    1,384
    Location:
    Sunny(in my dreams)Manchester,England
    think it would be all over the forums if it had!doubt this "vulnerability" hasn't gone unoticed until now,and have you tried killing Kav on a system without admin priviledges,and can you adjust system clock without admin priviledges?I don't know never tried it
     
  18. solcroft

    solcroft Registered Member

    Joined:
    Jun 1, 2006
    Posts:
    1,639
    So why don't you try it and see for yourself, instead of claiming it can't be true because it "isn't all over the forums"?
     
  19. lodore

    lodore Registered Member

    Joined:
    Jun 22, 2006
    Posts:
    9,006
    when i posted in the kaspersky fanclub forum someone said it kav has been bypasted before because of the clock.
    lodore
     
  20. C.S.J

    C.S.J Massive Poster

    Joined:
    Oct 16, 2006
    Posts:
    5,029
    Location:
    this forum is biased!
    wow, i really didnt know kaspersky did this.

    infact, if kaspersky completly shuts down just by doing this, what is the point of kaspersky?
     
  21. steve1955

    steve1955 Registered Member

    Joined:
    Feb 7, 2004
    Posts:
    1,384
    Location:
    Sunny(in my dreams)Manchester,England
    Do you not think if one of the best regarded AV products was so simple to bypass and had been successfully done it would be in every AV forum on the net,especially here with nod users gloating over it?
    If you have proof that this has been done please post proof instead of claiming that this is a "simple way to bypass kav" or perhaps try writing some code or batch file to execute altering the sytem time,after all you claim it is simple/easy(batch file would'nt do to infect other pc's as bit too difficult to disguise and are written in such a way as to be easily understood)
    as for altering my system clock with out admin priviledges:-I'm not really bothered if you can or cannot do it,its not me that feels this is a big prob with Kav:-I bet most concerns are due to fact that once somebody hastried this to extend their licence you cannot get Kav working again without a new key,so they are probably a bit pissed off that it works the way it does
     
  22. solcroft

    solcroft Registered Member

    Joined:
    Jun 1, 2006
    Posts:
    1,639
    The "point" of Kaspersky is that if KAV has a signature for that malware, it can still kill said malware before it executes and modifies the system time.

    However, the amount of zero-day malware in China that bypass and disable KAV is staggering. Most are tweaked specifically to evade KAV and Rising, two of the biggest players in the Chinese antivirus market. KAV's PDM is supposed to shore up its signature scanner, but what happens in reality is that malware bypasses KAV's signature scanner, executes, resets the date to 1986, and then gets to work unimpeded by the PDM because the PDM just killed itself.

    So to sum up, you'd still need malicious code that KAV cannot detect so it can reset the system date. However, bypassing any single AV is a trivial matter, and KAV is not an exception. In fact, as previously mentioned, it gets targeted all the more in China due to its market share. The number of anti-KAV zero-day variants that pop up on an hourly basis is nothing short of amazing, when you first see it.

    @steve, I don't need to demonstrate what groups of hackers have been demonstrating IN BULK all this while. There's even a simple method to experiment it for yourself, if you're really interested in the truth, but if you prefer to just stick your fingers in your ears and go "lalala", so be it, I have no obligation to convince you.
     
  23. lodore

    lodore Registered Member

    Joined:
    Jun 22, 2006
    Posts:
    9,006
    why do you think this is so stupid?
    by turning the clock back you could fool the license to make your license last longer.
    am i right in saying only an administator can change the date anyway?
    i belive this question has been asked at wilders before as well.
    i have found my thread in the kaspersky lab fan forum.
    link
    read the response from Eugine himself.
    lodore
     
    Last edited: Sep 27, 2007
  24. steve1955

    steve1955 Registered Member

    Joined:
    Feb 7, 2004
    Posts:
    1,384
    Location:
    Sunny(in my dreams)Manchester,England
    no you haven't and you haven't
    strange my friend out in china has never wrned me off this!
     
    Last edited by a moderator: Sep 27, 2007
  25. solcroft

    solcroft Registered Member

    Joined:
    Jun 1, 2006
    Posts:
    1,639
    Again, in case you were incapable of understanding the first two times, there's an exceedingly simple and convenient method to verify this for yourself.

    If, for whatever insecurities you have you're not willing to try that, then I'm afraid your skepticism is quite meaningless.
     
Loading...
Thread Status:
Not open for further replies.