Rule for Kav AV?

Discussion in 'Ghost Security Suite (GSS)' started by Rilla927, Mar 15, 2007.

Thread Status:
Not open for further replies.
  1. Rilla927

    Rilla927 Registered Member

    Joined:
    May 12, 2005
    Posts:
    1,710
  2. f3x

    f3x Registered Member

    Joined:
    Feb 6, 2006
    Posts:
    311
    Location:
    Montreal, Quebec
    This rule touches all subkeys of the kav install root.
    However, from the screenshot you have made I cannot see what decision you have made about those keys ...

    My suggestion could be read-only for all, and allow write access for kav.
    Then there would be two rules,
    one global to deny write,
    one per application to allow write to only trusted ones.

    Also I do not know what is stored under this subkey.
    But I highly doubt that Kaspersky would be smart enough to prevent disabling their AV by setting a simple 1 to a 0 in the registry.


    What are you trying to do exactly?
     
  3. TopperID

    TopperID Registered Member

    Joined:
    Oct 1, 2004
    Posts:
    1,527
    Location:
    London
    The Key you are protecting is not in itself sufficient. Firstly you would need to protect all the sub-keys and values; secondly there are other areas in the Registry to consider, for example:

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_KL1

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\kl1

    Personally I don't consider it worthwhile attempting to protect KAV's Reg entries using RD, because KAV has its own self defence mechanism (just ensure it is enabled) which should prevent critical changes from occurring. Just go to the latter Key above in Regedit and try and create a new value - you will find that it is not possible to do so, 'cos KAV's self defence does not allow such editing.
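    The check TopperID describes, scripted so it covers every sub-key under the two keys named above rather than only the root (f3x's point that a rule on the root alone does not cover its subkeys). This is an added example, not code from the thread or from RegDefend/KAV; it assumes Windows PowerShell and that the key paths exist, and the probe value name is a constructed placeholder that is removed again if the write succeeds.

```powershell
# Added example: probe whether KAV's registry keys (and all their sub-keys) reject
# the creation of a new value, as KAV's self defence is expected to enforce.
# Assumes Windows PowerShell 5.1+; run it with the same privileges a rule is
# meant to constrain (an admin shell is the interesting case for self defence).
$keys = @(
    'HKLM:\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_KL1',
    'HKLM:\SYSTEM\CurrentControlSet\Services\kl1'
)
# Constructed probe name; a random suffix keeps it from colliding with a real value.
$probeName = 'RdProbe_' + [guid]::NewGuid().ToString('N')

function Test-KeyWritable {
    param([string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) { return 'missing' }
    try {
        # Try to add a DWORD value, exactly what TopperID suggests doing by hand in Regedit.
        New-ItemProperty -LiteralPath $Path -Name $probeName -Value 1 `
            -PropertyType DWord -ErrorAction Stop | Out-Null
        # The write went through: clean up so the probe leaves nothing behind.
        Remove-ItemProperty -LiteralPath $Path -Name $probeName -ErrorAction SilentlyContinue
        return 'writable'
    } catch {
        $ex = $_.Exception
        if ($ex -is [System.UnauthorizedAccessException] -or
            $ex -is [System.Security.SecurityException]) {
            return 'denied'      # blocked by ACLs or by KAV's self defence
        }
        return "error: $($ex.Message)"
    }
}

foreach ($root in $keys) {
    # Walk the key and every sub-key: a rule on the root alone does not cover them.
    $all = @(Get-Item -LiteralPath $root -ErrorAction SilentlyContinue) +
           @(Get-ChildItem -LiteralPath $root -Recurse -ErrorAction SilentlyContinue)
    foreach ($k in $all) {
        $path = $k.PSPath
        $display = $path -replace '^Microsoft\.PowerShell\.Core\\Registry::', ''
        '{0,-9} {1}' -f (Test-KeyWritable $path), $display
    }
}
```

    Any key reported as `writable` from an elevated shell is one that self defence did not cover and that an RD rule would actually have to protect.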
     
  4. plantextract

    plantextract Registered Member

    Joined:
    Feb 13, 2007
    Posts:
    392
    I wouldn't restrict KAV too much, there are other things it needs to read, for example the startup entries to get the loaded programs/modules/drivers etc.
    Again, as TopperID said, there's always self defense.
     
  5. Rilla927

    Rilla927 Registered Member

    Joined:
    May 12, 2005
    Posts:
    1,710
    @f3x, TopperID, Plantextract

    I just wanted to see if that rule was correct (just learning) for Kav or not in order to protect it.

    Since Topper mentioned the PDM module/self protection I will leave it alone. I forget about that module sometimes.

    Thanks to all of you,
     