Port Explorer can't see KAV service

Discussion in 'Port Explorer' started by nameless, Apr 22, 2004.

Thread Status:
Not open for further replies.
  1. nameless

    nameless Registered Member

    Joined:
    Feb 23, 2003
    Posts:
    1,184
    I am using Port Explorer 1.800 on WinXP Pro SP-1. I'm also using ZoneAlarm Pro 4.5 and KAV 5.0 (the technical preview).

    I have found that when KAV first launches, ZAP prompts as to whether or not to allow it (specifically, kavsvc.exe) to act as a server. However, Port Explorer does not list kavsvc.exe at all.

    I think that KAV is doing something funky, because Sysinternals Process Explorer can't resolve KAV's paths either (normally, it can provide the EXE's full path, and the command line it was started with).

    This does concern me, since I like to know everything that is going on with my system.
     
  2. Wayne - DiamondCS

    Wayne - DiamondCS Security Expert

    Joined:
    Jul 19, 2002
    Posts:
    1,533
    Location:
    Perth, Oz
    KAV does a couple of tricks to protect itself - along similar lines as Process Guard but only on its own process, so although I haven't tested what you're saying, I'm assuming that'll be the reason why neither Port Explorer nor SysInternals Process Explorer can see it. Can you see the process(es) with Task Manager? If I had to have a guess I'd say it was hooking OpenProcess, and only allowing its own processes to be opened when 'tame' privileges are requested (i.e. READ, but not WRITE).
     
  3. nameless

    nameless Registered Member

    Joined:
    Feb 23, 2003
    Posts:
    1,184
    There are two KAV processes: kav.exe and kavsvc.exe, the GUI and engine, respectively. Both do appear in WinXP's native Task Manager.

    Both of those processes also appear in Process Explorer, but their "Image" and "Environment" tabs in Process Explorer are essentially totally blank. For the "Path" of kavsvc.exe, as an example, Process Explorer displays "Not Available".

    KAV is obviously doing something tricky, but if it allowed reads, wouldn't Process Explorer and Port Explorer work with it just fine? It must be blocking everything, I guess.
     
  4. Gavin - DiamondCS

    Gavin - DiamondCS Former DCS Moderator

    Joined:
    Feb 10, 2002
    Posts:
    2,080
    Location:
    Perth, Western Australia
    Basically, as a driver you can hook whatever you want and intercept calls to most native functions - it just requires enough care to handle anything that happens.. things like other hooks, unhooking, and OS changes come to mind as the biggest challenges. Also.. when you can write directly to memory and modify pretty much anything even kernel memory, well of course pretty much anything is possible.

    Process Explorer uses undocumented and injection methods to obtain process and thread information, and KAV is probably just blocking all of this.. for obvious reasons :) That's a good thing. AVs either need to protect themselves.. or allow the OS - or perhaps Process Guard - to protect them ;)

    I don't think they will tell you.. :)
     
  5. nameless

    nameless Registered Member

    Joined:
    Feb 23, 2003
    Posts:
    1,184
    So, what's the bottom line? Port Explorer won't ever be able to display an application hiding itself like this? (Which means any trojan that uses the same approach.)

    No thanks on Process Guard. Version 2.000 is still about as beneficial to my system as a strong magnet would be.
     
  6. Wayne - DiamondCS

    Wayne - DiamondCS Security Expert

    Joined:
    Jul 19, 2002
    Posts:
    1,533
    Location:
    Perth, Oz
    We'll try to have a closer look on Tuesday (public holiday here in Australia on Monday), but KAV is the only program we're aware of that has that level of self-protection - there has never been a single trojan with that type of self-protection and to be honest I'd be surprised if there ever was, because such technology requires a lot of testing on a wide variety of systems (both operating systems and different hardware setups), as well as very low-level programming knowledge, so the chance of any trojans even attempting to use such technologies is extremely unlikely as there's a fair chance it will result in a blue-screen for the trojan, which is the last thing the person using the trojan would want. I'd encourage you to try other port-to-process mappers as well; I'd be extremely surprised if all others weren't affected in the same way - there are only so many ways to map ports back to their owner processes. Btw - there is not a single TCP/UDP port-based trojan currently in existence that Port Explorer cannot see, and KAV is a fairly large and complex driver-based system and would've been extremely difficult to 1) research, 2) develop/program, and 3) test and debug to the point where it's stable on international systems - we know, as we wrote similar kernel technology for Process Guard.

    With that logic you might as well throw out your anti-virus scanner(s) as well as your port-to-process mapper(s) because no anti-virus scanner will ever achieve 100% detection, which seems to be your concern with Port Explorer 'only' being able to detect 99.9% of hidden server sockets (actually Port Explorer is the only port-to-process mapper with any hidden server detection capability). Likewise, your personal firewall won't be able to keep 100% of nasty packets out so you might as well lose that as well ... ?

    I can understand why you might've initially had those concerns, but I hope you can now see that there's really nothing to worry about.
     
    Last edited: Apr 25, 2004
  7. nameless

    nameless Registered Member

    Joined:
    Feb 23, 2003
    Posts:
    1,184
    My comment on Process Guard wasn't a way of saying that it isn't foolproof, but rather that it still causes serious and undesirable problems on my system. But whatever...

    I just noticed that Port Explorer does display the entries attributable to kavsvc.exe. The thing is, it depicts the two ports that kavsvc.exe listens on (1110 and 1125) as the "SYSTEM" and "* SYSTEM" process, rather than as "kavsvc.exe". These items can be spied on using Port Explorer, and when that's done, kavsvc.exe's path and communication data are shown correctly.

    The PIDs shown for the applicable "SYSTEM" and "* SYSTEM" entries are correct, too. (That is, the PIDs shown correlate to what Sysinternals Process Explorer displays as being assigned to the kavsvc.exe process.) So it appears that the only thing that Port Explorer doesn't do correctly is to assign the right name to those two entries. And since Sysinternals Process Explorer can do that much correctly, I very strongly assume Port Explorer should be able to do it correctly as well.

    I don't use Port Explorer very much, or I would have noticed this sooner. Sorry about that.
     
    Last edited: May 11, 2004
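The situation described in the post above (the mapper reports the right PID but the wrong owner name) is exactly what a cross-view check catches: take the socket table and the process list from two independent sources and flag every listener where they disagree. The script below is an added example and is not Port Explorer's, Process Explorer's or DiamondCS's code. It parses constructed text in the shape of Windows `netstat -ano` and `tasklist` output, compares each listener against a constructed "mapper view" dictionary (an assumed stand-in for what a port-to-process mapper displays), and goes one step beyond the thread by also flagging a listener whose PID is absent from the process list altogether. Treating the mapper's `* ` prefix as a marker to strip before comparison is an assumption.

```python
"""Cross-view check: reconcile listening sockets against two process views."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed sample in the shape of `netstat -ano` (not captured from a real host).
NETSTAT_SAMPLE = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       900
  TCP    127.0.0.1:1110         0.0.0.0:0              LISTENING       1520
  TCP    127.0.0.1:1125         0.0.0.0:0              LISTENING       1520
  TCP    0.0.0.0:5000           0.0.0.0:0              LISTENING       2300
  TCP    192.168.0.2:3389       192.168.0.9:1033       ESTABLISHED     4
  UDP    0.0.0.0:445            *:*                                    4
"""

# Constructed sample in the shape of `tasklist` output.
TASKLIST_SAMPLE = """
Image Name                   PID Session Name     Session#    Mem Usage
========================= ====== ================ ======== ============
System Idle Process            0 Console                 0         28 K
System                         4 Console                 0        236 K
svchost.exe                  900 Console                 0      4,812 K
kavsvc.exe                  1520 Console                 0     18,204 K
"""

# Constructed stand-in for a port-to-process mapper's display: (proto, local) -> (name, pid).
# The two kavsvc.exe listeners are shown with the right PID but a generic owner name.
MAPPER_VIEW: Dict[Tuple[str, str], Tuple[str, int]] = {
    ("TCP", "0.0.0.0:135"): ("svchost.exe", 900),
    ("TCP", "127.0.0.1:1110"): ("SYSTEM", 1520),
    ("TCP", "127.0.0.1:1125"): ("* SYSTEM", 1520),
    ("TCP", "192.168.0.2:3389"): ("System", 4),
    ("UDP", "0.0.0.0:445"): ("System", 4),
}

NETSTAT_LINE = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)\s+(?:([A-Z_]+)\s+)?(\d+)\s*$")
TASKLIST_LINE = re.compile(r"^(.*?\S)\s+(\d+)\s+\S+\s+\d+\s+[\d,]+\s+K\s*$")


@dataclass
class Listener:
    proto: str
    local: str
    remote: str
    state: str   # empty for UDP, which has no state column
    pid: int


@dataclass
class Finding:
    proto: str
    local: str
    pid: int
    tasklist_name: Optional[str]
    mapper_name: Optional[str]
    issues: List[str] = field(default_factory=list)


def parse_netstat(text: str) -> List[Listener]:
    """Return every TCP/UDP row; header and blank lines do not match the pattern."""
    rows = []
    for line in text.splitlines():
        m = NETSTAT_LINE.match(line)
        if m:
            proto, local, remote, state, pid = m.groups()
            rows.append(Listener(proto, local, remote, state or "", int(pid)))
    return rows


def parse_tasklist(text: str) -> Dict[int, str]:
    """Map PID -> image name; image names may contain spaces."""
    procs = {}
    for line in text.splitlines():
        m = TASKLIST_LINE.match(line)
        if m:
            procs[int(m.group(2))] = m.group(1)
    return procs


def normalize(name: str) -> str:
    # Assumption: the mapper's leading "* " is a display marker, not part of the name.
    return name.lstrip("* ").lower()


def cross_check(listeners, procs, mapper_view) -> List[Finding]:
    """Flag listeners whose owner is missing from, or named differently by, a second view."""
    findings = []
    for sock in listeners:
        tl_name = procs.get(sock.pid)
        mapped = mapper_view.get((sock.proto, sock.local))
        f = Finding(sock.proto, sock.local, sock.pid, tl_name, mapped[0] if mapped else None)
        if tl_name is None:
            f.issues.append(f"PID {sock.pid} owns a socket but is absent from the process list")
        if mapped is None:
            f.issues.append("socket not reported by the port-to-process mapper")
        else:
            m_name, m_pid = mapped
            if m_pid != sock.pid:
                f.issues.append(f"mapper PID {m_pid} disagrees with netstat PID {sock.pid}")
            elif tl_name is not None and normalize(m_name) != normalize(tl_name):
                f.issues.append(f"owner name disagrees: mapper says {m_name!r}, "
                                f"process list says {tl_name!r} (PID agrees)")
        findings.append(f)
    return findings


if __name__ == "__main__":
    for f in cross_check(parse_netstat(NETSTAT_SAMPLE), parse_tasklist(TASKLIST_SAMPLE), MAPPER_VIEW):
        status = "; ".join(f.issues) if f.issues else "consistent"
        print(f"{f.proto} {f.local:<22} pid={f.pid:<5} {status}")
```

On real output the two kavsvc.exe rows come out as "owner name disagrees ... (PID agrees)", which is the benign, explainable case from this thread, while a PID that owns a socket but is missing from the process list is the case worth investigating first.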
  8. Gavin - DiamondCS

    Gavin - DiamondCS Former DCS Moderator

    Joined:
    Feb 10, 2002
    Posts:
    2,080
    Location:
    Perth, Western Australia
    Hmm, very interesting, thanks for the info. We might be making an update to PE relatively soon so that will go on the list of things to look at. The only thing is that Process Explorer can do so because it uses a kernel mode driver. Port Explorer does NOT, and we don't like the idea of adding yet another driver, risking compatibility problems and taking a long time to develop - especially when the "problem" is limited to a trusted security app :)
     
  9. Jason_DiamondCS

    Jason_DiamondCS Former DCS Moderator

    Joined:
    Nov 11, 2002
    Posts:
    1,046
    Location:
    Perth, Western Australia
    Seems like Kaspersky is blocking applications from resolving its name and path, obviously to stop malware targeting it. Port Explorer obviously still has control over the socket as you have said, because you can socket spy on it; it just cannot resolve the name.

    If you choose to install software which modifies the way the operating system works, I don't understand why you are complaining that Port Explorer cannot resolve the name. Obviously that is the effect you wanted by installing KAV; if not, maybe you should uninstall it.
     
  10. nameless

    nameless Registered Member

    Joined:
    Feb 23, 2003
    Posts:
    1,184
    I don't remember reading "Changes the way the operating system works" and "Screws with utilities that try to resolve its path" on the list of KAV 5 selling points. Sorry, I didn't anticipate every little freaky thing that KAV 5 would do on my system.

    I didn't install KAV 5 in order to give other applications problems to deal with; I just noticed that ZoneAlarm Pro and Process Explorer can resolve the name, and Port Explorer can't (except for the "socket spy" sub-utility). It wasn't obvious up front that a kernel-mode driver was the reason for the difference. If that's the only way to make Port Explorer resolve the name, then I agree it is undesirable. But it seems strange to me that the "socket spy" utility can resolve the path, but the main application cannot.
     
    Last edited: May 11, 2004