N0d32 and self defence mechanisms.

Discussion in 'NOD32 version 2 Forum' started by Palombaro, Aug 1, 2005.

Thread Status:
Not open for further replies.
  1. Palombaro

    Palombaro Registered Member

    Joined:
    May 13, 2005
    Posts:
    77
    Location:
    UK
    Is it possible for AV progs like NOD32 to protect themselves against shutdown as a consequence of an attack by trojan/virus/malware? If so does NOD32 do it?
    Probably a very naive question but.....
     
    Last edited: Aug 1, 2005
  2. JoCool

    JoCool Registered Member

    Joined:
    Jun 6, 2005
    Posts:
    46
    You mean like Sygate does by itself? I think it is the one and only desktop firewall with this kind of protection.

    That's a very interesting question! What about NOD?
     
  3. flyrfan111

    flyrfan111 Registered Member

    Joined:
    Jun 1, 2004
    Posts:
    1,224
    ZoneAlarm affords protection against malicious shutdown as does NOD. It is not impossible to shut them down but it is at least difficult.
     
  4. Firecat

    Firecat Registered Member

    Joined:
    Jan 2, 2005
    Posts:
    7,927
    Location:
    The land of no identity :D
    Do you mean to ask whether NOD will not allow unauthorised shutdown from strange applications? I'm not sure, but I think it should be there......

    Happy Bytes always has the right answer, let's wait for his reply :D
     
  5. SSK

    SSK Registered Member

    Joined:
    Nov 28, 2004
    Posts:
    976
    Location:
    Amsterdam
    I tried to kill the NOD32 kernel process, nod32krn.exe, with DiamondCS APT (click) but no luck, nod32krn.exe kept on running :)
     
  6. flyrfan111

    flyrfan111 Registered Member

    Joined:
    Jun 1, 2004
    Posts:
    1,224
    Yes NOD has kill protection. ZoneAlarm does as well, Sygate is not the only firewall with this protection, Outpost and Kerio do as well.

    A quote from a PCMag review of ZASS and Panda's IS suite, which uses Sygate's firewall. According to the review, Sygate's protection doesn't work very well, as they could shut down the firewall.

    Whereas a good firewall stealths all ports but one, ZASuite's firewall actually stealths them all. It restricts Internet access so that only authorized programs can get online, and a large database of known programs helps minimize confirmation pop-ups. Along with NIS and F-Secure, ZASuite blocked all ten leak-test utilities we used to try to trick program control. And all of our Trojan-like attempts to kill the firewall process failed.

    and the review of Panda:

    The firewall successfully stealthed all significant ports, rendering them invisible to hackers. It limits Internet access to authorized programs but doesn't try to block Trojan-like leak-test techniques for circumventing program control. It did, however, recognize four of our ten tests as hacking tools based on signatures. But when we attacked the firewall itself, as a Trojan might, we found two fairly simple ways to disable it.

    The Panda review can be found here; http://www.pcmag.com/article2/0,1895,1754437,00.asp

    The ZASS review is here;
    http://www.pcmag.com/article2/0,1895,1754972,00.asp
     
  7. Firecat

    Firecat Registered Member

    Joined:
    Jan 2, 2005
    Posts:
    7,927
    Location:
    The land of no identity :D
    And that means I made yet another correct guess :D
     
  8. 12steven

    12steven Registered Member

    Joined:
    Jun 9, 2005
    Posts:
    15
    ZoneAlarm is actually quite cool in this respect, as I seem to remember. If it is shut down by a trojan it offers you the option of restarting, and if this happens several times it blocks other traffic and takes you to a secure site with a link to an online scan. The language they use is really quite calming as well and helps stop you panicking or doing something impulsive. The trojan I had, by the way, wouldn't let me install Kaspersky but I managed to install a trial NOD and get it running - the reason I have a paid version today actually :)
     
  9. SSK

    SSK Registered Member

    Joined:
    Nov 28, 2004
    Posts:
    976
    Location:
    Amsterdam
    Did you read my post above, Palombaro? :)
     
  10. flyrfan111

    flyrfan111 Registered Member

    Joined:
    Jun 1, 2004
    Posts:
    1,224
    Sorry you thought I was taking you off topic. I answered your question in post #3: YES, NOD has shutdown protection. It is not perfect but it is quite effective. SSK also answered you in post #5 when he stated that he tried using Diamond's Advanced Process Termination, which uses 9 different known trojan techniques to shut down running processes, and he was unsuccessful. I was also answering post #2, which stated that Sygate was the ONLY firewall that afforded such protection, which is incorrect for two reasons: one, it isn't true, and two, Sygate's implementation is not very effective. Sorry for straying from your original question, but again I thought I answered it.
     
  11. Blackspear

    Blackspear Global Moderator

    Joined:
    Dec 2, 2002
    Posts:
    15,115
    Location:
    Gold Coast, Queensland, Australia
    I don't think you did stray FF, you answered very well indeed :D

    Cheers :D
     