nod32krn process killing

Discussion in 'NOD32 version 2 Forum' started by pcaca, Feb 25, 2005.

Thread Status:
Not open for further replies.
  1. pcaca

    pcaca Guest

    Why is the nod32krn process not protected from killing? If I kill it via Task Manager it restarts, but it is not protected from process killing like other antiviruses are. I think this is a security risk, because if a virus kills this process it can infect the computer during the time needed for the nod32krn process to restart.
     
  2. sir_carew

    sir_carew Registered Member

    Joined:
    Sep 2, 2003
    Posts:
    884
    Location:
    Santiago, Chile
    It's not so important.
    Think of this example: the AV process is protected. You run malware that tries to kill the AV process. The malware can't, but it will infect your system without problems. So whether the malware can or can't kill the AV process makes no difference. The main problem is when the AV can't detect the malware, because if NOD detects the malware, then the malware will not have a chance to kill any process. Moreover, there are many, many ways to kill a process; it's technically impossible to make a process 100% secure from being killed. You can try Process Guard from DiamondCS.

     
  3. pcaca

    pcaca Guest

    It's all OK. But when the definitions for that malware become available later, with the antivirus with the protected process you will be protected. The antivirus without killing protection will also be damaged by the malware, so you will not be protected after the definitions become available. I think that if the antivirus is active it will not get damaged, because it is in use. That's why I think killing protection is so important. And if it's not important, why do other antiviruses use that kind of protection?
     
  4. sir_carew

    sir_carew Registered Member

    Joined:
    Sep 2, 2003
    Posts:
    884
    Location:
    Santiago, Chile
    No, for example, if the kernel is protected, the malware can't delete or damage it because it is protected and running, but what happens with the rest of the components? Scanner, Update, etc.
    The most hardened AV is KAV, and KAV doesn't have all processes protected. For example, KAV Scanner and Updater aren't protected at all. I'm speaking about version 4.5; I never used and I don't want to test 5.

     
  5. pcaca

    pcaca Guest

    The other files of the antivirus can be monitored for unauthorised changes; if they were changed, the antivirus can alert you and you will know that something is wrong and can take the necessary steps. But a damaged antivirus kernel can't alert you. Also, I can suspend the process "nod32krn" and there is no way to see that the antivirus is paused without special tools, or to check that it is not scanning files in the AMON status.
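The two checks raised in this post (is the AV process actually running and not merely suspended, and have its files been altered) can be scripted from the administrator's side. The following is an added example written for this page; it is not code from the thread or from ESET. The process name `nod32krn` comes from the thread; the install directory, the baseline file location and the list of files to hash are assumptions to adjust for the system at hand.

```powershell
# Added example (not from the thread or from ESET): a defender's health check for an
# antivirus service process. Install path and baseline location are assumptions.
param(
    [string]$ProcessName  = 'nod32krn',                          # process image name named in the thread
    [string]$BaselinePath = "$env:ProgramData\av-baseline.json"  # assumed location of the stored hash baseline
)

# Returns 'NotRunning', 'Suspended' or 'Running' for the named process.
function Get-AvProcessState {
    param([string]$Name)
    $procs = @(Get-Process -Name $Name -ErrorAction SilentlyContinue)
    if ($procs.Count -eq 0) { return 'NotRunning' }
    foreach ($p in $procs) {
        # A suspended process has every thread in the Wait state with WaitReason 'Suspended'.
        # WaitReason is only readable while ThreadState is 'Wait', hence the short-circuit order.
        $threads   = @($p.Threads)
        $suspended = @($threads | Where-Object {
            $_.ThreadState -eq 'Wait' -and $_.WaitReason -eq 'Suspended'
        })
        if ($threads.Count -gt 0 -and $suspended.Count -eq $threads.Count) { return 'Suspended' }
    }
    return 'Running'
}

# Records SHA-256 hashes of the given files so later changes can be spotted.
function New-FileBaseline {
    param([string[]]$Paths, [string]$OutFile)
    $baseline = @{}
    foreach ($f in $Paths) {
        if (Test-Path -LiteralPath $f) {
            $baseline[$f] = (Get-FileHash -LiteralPath $f -Algorithm SHA256).Hash
        }
    }
    $baseline | ConvertTo-Json | Set-Content -LiteralPath $OutFile -Encoding UTF8
}

# Compares current hashes against the stored baseline; returns the paths that changed or vanished.
function Test-FileBaseline {
    param([string]$BaselineFile)
    $stored  = Get-Content -LiteralPath $BaselineFile -Raw | ConvertFrom-Json
    $changed = @()
    foreach ($prop in $stored.PSObject.Properties) {
        $path = $prop.Name
        if (-not (Test-Path -LiteralPath $path)) { $changed += "$path (missing)"; continue }
        $now = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
        if ($now -ne $prop.Value) { $changed += "$path (modified)" }
    }
    return $changed
}

# Usage. The install directory is an assumption; point it at the real AV installation.
$installDir = "$env:ProgramFiles\Eset"
$files = Get-ChildItem -LiteralPath $installDir -Filter *.exe -Recurse -ErrorAction SilentlyContinue |
         ForEach-Object { $_.FullName }

if (-not (Test-Path -LiteralPath $BaselinePath)) {
    New-FileBaseline -Paths $files -OutFile $BaselinePath
    Write-Output "Baseline written to $BaselinePath"
}

$state = Get-AvProcessState -Name $ProcessName
Write-Output "$ProcessName state: $state"
if ($state -ne 'Running') { Write-Warning "$ProcessName is $state; on-access protection may be inactive." }

$diffs = Test-FileBaseline -BaselineFile $BaselinePath
if ($diffs.Count -gt 0) { Write-Warning ("Changed files:`n" + ($diffs -join "`n")) }
else { Write-Output 'All baselined files match.' }
```

Run it once on a known-good system to write the baseline, then on a schedule; the first run must happen before any suspected compromise, since a baseline taken afterwards only certifies the current state. Checking every thread's wait reason is what distinguishes a suspended process from one that is idle but responsive, which is exactly the condition the post says is invisible from the AV's own status window.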
     
  6. scrood

    scrood Guest

    I agree that KAV is more "hardened" than NOD32, but that's also why it has more compatibility and stability issues on so many systems, and why it kills performance so much more than NOD32.

    I love KAV, but man, that's one hell of a security trade-off. I'm using NOD32 right now.
     
  7. sir_carew

    sir_carew Registered Member

    Joined:
    Sep 2, 2003
    Posts:
    884
    Location:
    Santiago, Chile
    If something kills nod32krn.exe, the service restarts itself and you'll be protected again.
    Moreover, the NOD32 Scanner checks itself whether something has infected nod32.exe, and if that occurs, then NOD will alert you and you'll know there's something wrong.
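The automatic restart described here is normally provided by the Windows Service Control Manager's failure actions, which an administrator can inspect and tighten. The following is an added example for this page, not code from the thread or from ESET. The service name `NOD32krn` is an assumption (the thread only names the process); look it up with `Get-Service` on the machine in question. `sc.exe failure` requires an elevated prompt.

```powershell
# Added example (not from the thread or from ESET): inspect and configure the Service Control
# Manager's failure actions so a service whose process is terminated is restarted automatically,
# then measure how long the restart takes. The service name is an assumption.
param([string]$ServiceName = 'NOD32krn')

# Returns the configured reset period and failure actions as reported by sc.exe.
function Get-ServiceRecovery {
    param([string]$Name)
    $out = & sc.exe qfailure $Name 2>&1
    if ($LASTEXITCODE -ne 0) { throw "sc.exe qfailure failed for '$Name': $out" }
    return ($out -join "`n")
}

# Configures "restart the service" for the first three failures inside the reset window.
# The SCM treats a process that exits without reporting SERVICE_STOPPED as a failure,
# so an externally terminated service process triggers these actions.
function Set-ServiceRestartOnFailure {
    param([string]$Name, [int]$DelayMs = 5000, [int]$ResetSeconds = 86400)
    $actions = "restart/$DelayMs/restart/$DelayMs/restart/$DelayMs"
    # sc.exe wants a space after each "option=" token, which separate arguments provide.
    $out = & sc.exe failure $Name reset= $ResetSeconds actions= $actions 2>&1
    if ($LASTEXITCODE -ne 0) { throw "sc.exe failure failed for '$Name': $out" }
}

# Polls until the service reports Running and returns the elapsed seconds, or -1 on timeout.
# Useful after an unexpected stop to quantify the unprotected window the thread discusses.
function Measure-ServiceRecovery {
    param([string]$Name, [int]$TimeoutSeconds = 60)
    $sw = [System.Diagnostics.Stopwatch]::StartNew()
    while ($sw.Elapsed.TotalSeconds -lt $TimeoutSeconds) {
        $svc = Get-Service -Name $Name -ErrorAction SilentlyContinue
        if ($svc -and $svc.Status -eq 'Running') { return [math]::Round($sw.Elapsed.TotalSeconds, 1) }
        Start-Sleep -Milliseconds 500
    }
    return -1
}

# Usage: show the current recovery settings, apply the restart policy, and show them again.
Write-Output "Before:`n$(Get-ServiceRecovery -Name $ServiceName)"
Set-ServiceRestartOnFailure -Name $ServiceName
Write-Output "After:`n$(Get-ServiceRecovery -Name $ServiceName)"

$svc = Get-Service -Name $ServiceName -ErrorAction SilentlyContinue
if ($svc -and $svc.Status -ne 'Running') {
    $elapsed = Measure-ServiceRecovery -Name $ServiceName
    if ($elapsed -ge 0) { Write-Output "$ServiceName back to Running after $elapsed s" }
    else { Write-Warning "$ServiceName did not recover within the timeout" }
}
```

The restart delay is the gap the original poster worries about: even with recovery actions configured, on-access scanning is absent for at least that long, which is why a short delay and a second, independent monitor of the process state are worth more than relying on the AV restarting itself.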

     
  8. pcaca

    pcaca Guest

    When it's killed it will be infected, so it can't restart. And with an infected kernel you cannot be protected; after that the virus takes control of the computer.
    I know that NOD32 is one of the best antiviruses and I use it. I have tried KAV and I uninstalled it in 3 days. But I think that ESET should implement process killing protection in NOD32, and it isn't so hard to implement because many other security products use it, for example: KAV, Ewido, Trojan Hunter, etc.
     
  9. An10Bill

    An10Bill Registered Member

    Joined:
    Feb 24, 2005
    Posts:
    21
    Location:
    Norway/Sweden
    I'm having trouble where the NOD installations on clients HANG and do not report to the RAS in the specified time window (5 minutes) and thus do not update themselves. After several hours/days of hanging and not updating, I decided to KILL the nod32krn process, and after that it worked fine and reported to the RAS every 5 minutes.... (But some days later it hung again.)

    My experience is that nod32krn seems to lock up sometimes when it comes to reporting back to the RAS, and being able to KILL/RESET the process without restarting the entire server is crucial to me, so I would not like the process to be KILL protected. (It would make a lot more HASSLE when this reporting-to-RAS hang occurs.) And it happens every now and then on my servers (it seldom happens at the workstations, but come to think about it, they are turned off at night and restarted in the morning).

    So KILL protection would not be appreciated by me......

    --
    an10bill
     
  10. Howard

    Howard Registered Member

    Joined:
    Sep 3, 2004
    Posts:
    313
    Location:
    Wales, UK
    If I have understood Nancy McAleavey's post correctly in https://www.wilderssecurity.com/showthread.php?t=62006&highlight=BOClean then running numerous applications/programmes such as NOD32 with their own kill protection is not necessarily beneficial to system stability - much better to have one programme such as Process Guard, as mentioned by sir_carew, to do the job for all that need it.
     
  11. Notok

    Notok Registered Member

    Joined:
    May 28, 2004
    Posts:
    2,969
    Location:
    Portland, OR (USA)
    I have to agree.. I seriously doubt that NOD32's anti-termination protection will let you down, but if you are worried about it get ProcessGuard. It will protect everything you want from termination and more.
     
  12. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    Frankly, there are always ways to kill a process. Such programs can only make it more difficult, but relying on the idea of being 100% protected is utopian.
     