Can "kav's" proactive module be so stupid?

Discussion in 'other anti-virus software' started by faenil, Sep 25, 2007.

Thread Status:
Not open for further replies.
  1. 19monty64

    19monty64 Registered Member

    Joined:
    Apr 10, 2006
    Posts:
    1,302
    Location:
    Nunya, BZ
    I think the thread alludes to the fact that KAV protects itself better than most of its competition, if I read it correctly...
     
  2. C.S.J

    C.S.J Massive Poster

    Joined:
    Oct 16, 2006
    Posts:
    5,029
    Location:
    this forum is biased!
    means nothing if the date can be changed though o_O

    I'm not a Kaspersky user, but it annoys me that this could be done. If I used Kaspersky, I would be constantly wanting some answers regarding this issue.
     
  3. solcroft

    solcroft Registered Member

    Joined:
    Jun 1, 2006
    Posts:
    1,639
    It's less of a self-protection issue, it's just that KAV commits hara-kiri all by itself when the system date is changed with no further intervention on the malware's part.
     
  4. steve1955

    steve1955 Registered Member

    Joined:
    Feb 7, 2004
    Posts:
    1,384
    Location:
    Sunny(in my dreams)Manchester,England
    OK, I give in: KAV's crap and there's loads of malware about that changes your system time/date to disable it. Be back in a bit when I've uninstalled it from PCs. Can I have your learned recommendation as to what I should install??
     
  5. JerryM

    JerryM Registered Member

    Joined:
    Aug 31, 2003
    Posts:
    4,306
    "can I have your learned recommendation as to what i should install??"

    I'd also like to learn what should be installed. But I have not removed KIS7, and will wait to see what should be substituted.

    Thanks,
    Jerry
     
  6. BlueZannetti

    BlueZannetti Registered Member

    Joined:
    Oct 19, 2003
    Posts:
    6,590
    It's probably been said thousands of times here, but that call is really dependent on you and how you use your computer. If we strip away the preliminaries and assume that you've already determined having an installed AV is appropriate, think about the issues that are important:
    • Do you avail yourself of the vendor support system or rely on forums like Wilders and fellow users? If it's the latter, give live vendor support a relatively low weighting
    • Do you plan on covering more than one computer and is total cost of ownership a significant factor? If total cost is an issue, look at free options, products such as F-Prot which have good home licensing terms, vendors who provide steep multi-machine/multi-year discounts or competitive upgrades, have boxed versions in retailers that are often available at steep discount through liquidators at year end, and so on.
    • Are you using an AV in conjunction with other approaches (HIPS, virtualization, image restoration, etc.)? It may be quite suited to reduce the emphasis on detection levels (within reason, of course)
    • The fundamental requirement for someone who uses their machine for banking, p2p, and surfing crack sites is fundamentally different than a casual user who likes to get news from CNN and other commercial news organizations. If your usage style is the latter, you may actually need only sparse coverage while the former will require a more hardened system
    • What type of information is retained on the machine? Is it confidential and/or difficult to readily replicate? In other words, look at the worst downside potential and how easily you could recover from that type of event.
    and so on. There are many ways to look at the question, but it ends with putting potential approaches and (possibly) products on the table for assessment/trialing, it doesn't start there.

    Blue
     
  7. steve1955

    steve1955 Registered Member

    Joined:
    Feb 7, 2004
    Posts:
    1,384
    Location:
    Sunny(in my dreams)Manchester,England
    was meant as a joke lads and lasses!
     
  8. 19monty64

    19monty64 Registered Member

    Joined:
    Apr 10, 2006
    Posts:
    1,302
    Location:
    Nunya, BZ
    Maybe I'm missing something but, if you use LUA, the system date can't be rolled back. And if you run under admin, using HIPS or such would prevent the rollback. (Hell, I don't even let Windows synchronize the time.) It's no different than the "exit-mode" provided to users. Should KAV prevent its users from that option too o_O I don't use KAV, but I also don't expect my AV to guard my calendar. I just don't see the issue, other than "bashing"...
     
  9. solcroft

    solcroft Registered Member

    Joined:
    Jun 1, 2006
    Posts:
    1,639
    In any layered setup, the antivirus is often the least-impact factor in security. If you know how to shore up your system sufficiently, you can do away with an antivirus entirely, as I've done for the last six months. If you're going to throw an AV into such a setup, HIPS and all, then yes, Kaspersky's flaws aren't an issue, but only because the whole Kaspersky program itself is no longer an issue.

    As for "bashing", I believe it's just stating a simple fact. One which some people who claim to not make excuses for the failings of their pet product seem to have taken quite some time to grasp. No, there's no reason for your AV to guard your calendar, just like there should be no reason for your AV to refuse to work just because the calendar changed.

    EDIT: When you say you use your HIPS to guard your system time, I'll assume you're using EQSecure or ProSecurity. Now take a moment to remember which country those programs came from, and why you think they included such a function.
     
  10. 19monty64

    19monty64 Registered Member

    Joined:
    Apr 10, 2006
    Posts:
    1,302
    Location:
    Nunya, BZ
    No, I said...
    meaning that guarding the system time isn't to be given a 2nd thought...
    There are wa-a-a-a-ay too many cracks available to worry about "rolling back the odometer", but what exactly does coming from China have to do with this o_O
     
  11. steve1955

    steve1955 Registered Member

    Joined:
    Feb 7, 2004
    Posts:
    1,384
    Location:
    Sunny(in my dreams)Manchester,England
    Hi
    He seems to forget that most forms of malware become global very quickly, due to something called the internet I believe (well, I think it's called that but I could be wrong!)
     
  12. solcroft

    solcroft Registered Member

    Joined:
    Jun 1, 2006
    Posts:
    1,639
    True. There are also special utilities created specifically to lock the system time. This is that big of a problem in China, where KAV holds a sizable portion of the market share and gets targeted on a daily basis.

    A lot of vulnerabilities in other software are also covered under LUA, like nicM's kernel unhooking test for HIPS programs demonstrated. However, that doesn't mean they aren't a problem and don't need to be fixed.

    Because that's where this "change the date to kill KAV" trick is the most rampant. It's a quick and easy way to kill one of the leading AV products in the market. EQSecure, ProSecurity and Micropoint added the feature to block date changes due to how common this function is in malware, and companies like Qihoo released tools to lock the system time as well, all because too much malware was targeting one of the top heavyweights in the Chinese AV scene in terms of market share.
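    The clock rollback discussed in this thread leaves a trace on Vista-and-later systems: Security event 4616 ("The system time was changed") records the old time, the new time and the process that made the change. The following is an added example, not code from the thread or from any vendor named in it; it assumes the 4616 records have already been exported to dicts, and the trusted-setter list, sample paths and timestamps are constructed.

```python
"""Flag suspicious clock changes in Windows Security event 4616 records.

Added example, not from the thread.  Assumes the 4616 EventData fields
(PreviousTime, NewTime, ProcessName, SubjectUserName) have been exported
to dicts; the records below are constructed.
"""
from datetime import datetime, timedelta

# Assumption: the Windows Time service host is the only expected clock setter.
TRUSTED_TIME_SETTERS = {r"c:\windows\system32\svchost.exe"}
# A backward jump larger than this is treated as a rollback, not drift correction.
ROLLBACK_THRESHOLD = timedelta(hours=1)

def parse_ts(value):
    """Parse the ISO 8601 UTC form 4616 uses; the fraction may carry 7-9 digits."""
    base, _, frac = value.rstrip("Z").partition(".")
    ts = datetime.strptime(base, "%Y-%m-%dT%H:%M:%S")
    return ts + timedelta(microseconds=int((frac + "000000")[:6]))

def classify(event):
    """Return 'rollback', 'untrusted-large-change' or 'benign' for one record."""
    delta = parse_ts(event["NewTime"]) - parse_ts(event["PreviousTime"])
    process = event.get("ProcessName", "").lower()
    if delta < -ROLLBACK_THRESHOLD:
        # The thread's case: the clock is wound back (e.g. to 01-01-2000).
        return "rollback"
    if abs(delta) > ROLLBACK_THRESHOLD and process not in TRUSTED_TIME_SETTERS:
        return "untrusted-large-change"
    return "benign"

def suspicious_time_changes(events):
    """Keep only the records a responder should look at."""
    return [(e["SubjectUserName"], e["ProcessName"], e["NewTime"], classify(e))
            for e in events if classify(e) != "benign"]

# Constructed sample: normal W32Time drift correction, a rollback to 2000,
# and a large forward jump made by an unexpected binary.
SAMPLE_EVENTS = [
    {"SubjectUserName": "LOCAL SERVICE", "ProcessName": r"C:\Windows\System32\svchost.exe",
     "PreviousTime": "2007-09-25T10:15:30.1234567Z", "NewTime": "2007-09-25T10:15:32.0000000Z"},
    {"SubjectUserName": "alice", "ProcessName": r"C:\Users\alice\AppData\Local\Temp\dropper.exe",
     "PreviousTime": "2007-09-25T10:20:00.0000000Z", "NewTime": "2000-01-01T00:00:00.0000000Z"},
    {"SubjectUserName": "alice", "ProcessName": r"C:\Users\alice\AppData\Local\Temp\dropper.exe",
     "PreviousTime": "2007-09-25T10:21:00.0000000Z", "NewTime": "2007-09-25T14:21:00.0000000Z"},
]

if __name__ == "__main__":
    for finding in suspicious_time_changes(SAMPLE_EVENTS):
        print(finding)
```

    On a live host the same logic runs over the output of Get-WinEvent for ID 4616; the threshold and trusted-setter list are the site-specific knobs.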
     
  13. 19monty64

    19monty64 Registered Member

    Joined:
    Apr 10, 2006
    Posts:
    1,302
    Location:
    Nunya, BZ
    So KAV has a critical vulnerability that needs to be patched, so everyone is doing that for KAV and giving it away for free o_O
    But really, all AVs have their weaknesses... https://www.wilderssecurity.com/showthread.php?t=186002 ...so are you criticizing KAV's weaknesses, or AVs in general o_O
     
  14. MalwareDie

    MalwareDie Registered Member

    Joined:
    Dec 8, 2006
    Posts:
    500
    The chances of this thread being open much longer are very low. Flaming and off topic posts don't do this thread any good.
     
  15. solcroft

    solcroft Registered Member

    Joined:
    Jun 1, 2006
    Posts:
    1,639
    I suppose an analogy would be third-party companies writing programs to patch up a disclosed and widely-attacked Windows flaw because Microsoft has yet to release a patch. In the case of EQSecure/PS/MP, it's not exactly solely a patch, it's probably product innovation as well, because this type of attack was annoying even for people who don't use KAV.

    All AVs have weaknesses, but in this case Kaspersky has let a widely-publicized and easily-exploited flaw, with staggering amounts of ITW attacks released to date, go unfixed for too long. Even the automatic virus creation kits include the option to change the system date. There would be no reason for malware to include this functionality at all, were it not for KAV and its market share.
     
    Last edited: Sep 29, 2007
  16. 19monty64

    19monty64 Registered Member

    Joined:
    Apr 10, 2006
    Posts:
    1,302
    Location:
    Nunya, BZ
    So obviously it's not just a KAV problem...
    So with all these free solutions, why bother changing? They are protecting their interests (against piracy), while other companies benefit (from product innovation).
     
  17. Bubba

    Bubba Updates Team

    Joined:
    Apr 15, 2002
    Posts:
    11,271
    They're "low" but there is a chance. We can attempt to not let it sink any lower :doubt:

    It never does any thread any good....however, by removing some of the posts we hope the focus can return to the thread title, and those that wish to have a tit for tat will take their childish attitude in this thread to another venue other than our threads.

    Latitude was given in hopes that it would die out and if it continues the only choice is to bring it to a close.

    Regards,
    Bubba
     
  18. scirious

    scirious Registered Member

    Joined:
    Apr 12, 2007
    Posts:
    110
    Not really. You can delete almost everything, including its updates and engine files, leaving it useless on next boot. Also, if some tools can unlock locked files, malware also can.
     
  19. solcroft

    solcroft Registered Member

    Joined:
    Jun 1, 2006
    Posts:
    1,639
    I'm sorry, but how did that get implied?

    The only reason such attacks exist is because of KAV. For KAV users, their AV gets shut down. But even if one doesn't use KAV, it's still annoying to have the system date reset to 01-01-2000, especially if I'm a user of a HIPS program, which are judged on their ability to control every aspect of process activity and should be able to block everything a malware tries to do.

    You're effectively saying a company doesn't need to patch their software because it should be the user's job to figure out how to mitigate vulnerabilities by themselves. Er... hello?

    True. But then, this is (a) not product-specific, as it applies to every other product, and there is little individual software vendors can do to remedy this, and (b) nowhere near how widely-exploited the Kaspersky date bug is.

    Again, the problem isn't that Kaspersky can be circumvented. It's that it can be easily done, has been easily done, and continues to be easily done on a wide scale. Kaspersky obviously knows about this, yet chooses to stay silent for I'm not sure how long, since I only learned of this problem during November last year. And besides, while some may claim that this date bug is Kaspersky's effort to combat piracy, part of KAV's market share in China is, indeed, due to its tolerance towards pirated copies of its software.
     
  20. scirious

    scirious Registered Member

    Joined:
    Apr 12, 2007
    Posts:
    110
    I can't really argue about how much it is exploited, but the easiness is the same. And it doesn't apply to every program. With self protection enabled, KAV files can't be deleted. Neither can NAV's or BitDefender 2008's (don't know about previous versions). And ESS seems to be able to protect itself this way too. But it won't be developed for NOD v2.
     
  21. solcroft

    solcroft Registered Member

    Joined:
    Jun 1, 2006
    Posts:
    1,639
    Do they watch the PendingFileRenameOperations and/or BootExecute registry keys so their files don't get wiped out upon reboot? You mentioned this method of bypassing protection yourself. Again, also like you mentioned, programs that bypass the normal Windows API have no problems deleting such locked files. I'd be surprised if IceSword didn't work on them.

    Just for the record, ESS still gets wiped out by three lines of code in a batch file. Its "self-protection" is really non-existent, it's just that its service is set to automatically restart every time ekrn.exe gets terminated. I have never used BD and haven't touched Symantec for years, so I can't comment about them. But my point remains - Kaspersky has ignored a widely-attacked exploit for a hell of a lot longer than necessary. Claiming that all software has weaknesses is not a good defense in this case, and according to Sjoeii it seems that Kaspersky is finally acknowledging this issue.
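    The two registry hooks raised in the post above can be audited from the defender's side: PendingFileRenameOperations holds source/destination pairs that the session manager applies during boot (an empty destination means delete), and BootExecute lists native-mode programs run before any service starts. The following is an added example, not code from the thread or from any vendor named in it; it takes the two values as the lists winreg returns for REG_MULTI_SZ, and the protected-directory list and sample entries are constructed.

```python
r"""Audit the two boot-time hooks named in the thread for operations that
would remove security software before it starts.

Added example, not from the thread.  Values are the REG_MULTI_SZ lists found
under HKLM\SYSTEM\CurrentControlSet\Control\Session Manager; samples constructed.
"""

# Assumption: install directories whose deletion at boot would disable protection.
PROTECTED_DIRS = (r"c:\program files\kaspersky lab", r"c:\program files\eset")
# The only BootExecute entry present on a default installation.
KNOWN_BOOTEXECUTE = {"autocheck autochk *"}

def normalize(path):
    """Strip the NT path prefix and the '!' overwrite marker; lower-case the rest."""
    p = path.strip().lstrip("!")
    if p.startswith("\\??\\"):
        p = p[4:]
    return p.lower()

def audit_pending_renames(entries):
    """Return (source, action) for pairs aimed at a protected directory.

    Entries alternate source, destination; an empty destination means the
    source is deleted during boot, before services (and the AV) start.
    """
    if len(entries) % 2:  # tolerate a truncated trailing pair
        entries = list(entries) + [""]
    findings = []
    for src, dst in zip(entries[0::2], entries[1::2]):
        source = normalize(src)
        if any(source.startswith(d) for d in PROTECTED_DIRS):
            action = "delete" if dst == "" else "rename->" + normalize(dst)
            findings.append((source, action))
    return findings

def audit_bootexecute(entries):
    """Return BootExecute entries other than the stock autochk line."""
    return [e for e in entries if e.strip() not in KNOWN_BOOTEXECUTE]

# Constructed samples: a benign temp-file cleanup, a boot-time deletion inside
# the Kaspersky directory, and an extra native-mode program in BootExecute.
SAMPLE_PFRO = [
    "\\??\\C:\\Users\\alice\\AppData\\Local\\Temp\\setup.tmp", "",
    "\\??\\C:\\Program Files\\Kaspersky Lab\\example_component.dll", "",
]
SAMPLE_BOOTEXECUTE = ["autocheck autochk *", "unknown_native.exe"]

if __name__ == "__main__":
    print(audit_pending_renames(SAMPLE_PFRO))
    print(audit_bootexecute(SAMPLE_BOOTEXECUTE))
```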
     
  22. steve1955

    steve1955 Registered Member

    Joined:
    Feb 7, 2004
    Posts:
    1,384
    Location:
    Sunny(in my dreams)Manchester,England
    Who is daft enough to allow a batch file to run without knowing what it contains? These things are OK in theory or when you're experimenting on your own PC, but to get a batch file to run on a remote PC with no user input??
     
  23. solcroft

    solcroft Registered Member

    Joined:
    Jun 1, 2006
    Posts:
    1,639
    Trojans and other malware that use exploits typically run without user input, but of course you probably didn't know that. ;)

    It doesn't have to be a batch file. An exe that contains instructions to delete the ekrn service will do the same trick, it's just that a batch file is the easiest method to do it and can be written by virtually anyone with minimal programming knowledge.
     
  24. BlueZannetti

    BlueZannetti Registered Member

    Joined:
    Oct 19, 2003
    Posts:
    6,590
    This thread is done. Too many off-topic excursions and personal comments.

    Later.

    Blue
     