Sec apps self protection ?

Discussion in 'other security issues & news' started by gambla, Dec 29, 2013.

Thread Status:
Not open for further replies.
  1. gambla

    gambla Registered Member

    Joined:
    Sep 4, 2007
    Posts:
    161
    Location:
    Frankfurt, Germany
    One of the first things malware does is trying to terminate any anti malware app processes. All the great security software is useless if the self protection is rather poor.

    I wonder if there is any tool available that monitors and alerts if a certain app/process isn't running anymore? I couldn't find any. :(

    (I've read that Online Armor has a feature to protect processes but it's only available in the 32 bit version.)
     
  2. Gullible Jones

    Gullible Jones Registered Member

    Joined:
    May 16, 2013
    Posts:
    1,461
    [Disclaimer: this isn't expert advice. I may have things wrong; feel free to correct me. Thx.]

    Almost all security software for Windows NT has "self protection." Though that's a bit of a misnomer IMO - it's not protecting itself, Windows is protecting it.

    e.g. If you try to turn off Privatefirewall's system service, it will refuse to stop, whether you're logged in locally or over a reverse TCP shell... Even if you're admin. Because you're admin in userspace, but the firewall driver runs in kernel space; and the kernel makes the rules, even for admin users. This is the same principle by which a rootkit works (though the mechanisms may be different, I don't know).

    Also note that the real protecting is done by the x86 architecture - kernel and user space, aka ring 0 and ring 3 respectively, are separate physical states of the CPU.

    Needless to say, malware that gets itself kernel privileges somehow can bypass this protection. How that might be possible depends on the security software in question though. For a well-designed HIPS you might need a kernel exploit, or a way of injecting code into an unrestricted process; for a very poorly designed one, you might just need to set up a registry entry to start a rootkit driver before the HIPS starts.

    So, what qualifies as "self protection" may depend a lot on what software you use and what threats you are dealing with.

    Edit: also I notice you're using 64-bit Windows... That might complicate things. IIRC some 64-bit security software uses inferior methods due to the usual ones not working with Patchguard.

    Edit 2: see here: http://rce.co/why-usermode-hooking-sucks-bypassing-comodo-internet-security/
     
    Last edited: Dec 29, 2013
  3. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    1,985
    Location:
    Canada
    Most of the technicalities of this stuff are beyond my reach, but in a nutshell, because I use x64 Windows, that is why I utilize much of what's already built-in and available in the O/S as opposed to using and relying on 3rd party utilities.
     
  4. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    I can't comment on Win 7 or 64 bit specifically. That said, a lot of security-ware has some degree of self protection. Some HIPS have the ability to protect other apps from termination and/or the ability to restart an app if it is terminated. A fair amount of the older adware/spyware used to do that, multiple processes that would monitor and restart each other if one was terminated. It made removal a fight. There's no reason a user can't employ the same method with security software. A 3rd party system scheduler I use has the ability to check if a given process is running and start it if it's not detected. There's quite a few ways to approach this, depending on what limits win 7, 64 bit allows.
     
  5. Gullible Jones

    Gullible Jones Registered Member

    Joined:
    May 16, 2013
    Posts:
    1,461
    Metasploit has a Ruby script that terminates several dozen security programs (as applicable) at once. There's probably even more comprehensive stuff in the wild.

    Anyway, if malware has the necessary privileges to unhook and terminate your AV, you have bigger problems and are probably better off reimaging your system.
     
  6. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    The systems with the interlocking malware weren't mine. They were cleaning jobs I'd taken on, ones I wished I'd had images to restore. A Ruby script works fine if the target system has Ruby installed, otherwise it does nothing. That also assumes that the target OS allows new/unknown scripts to run.

    I wasn't suggesting the approach as a complete solution, just as an additional measure that can be part of a layered package. On mine for instance, SSM is quite resistant to termination. Most of the malware that would have the ability to terminate security apps won't be able to execute with a default-deny security policy in place. That said, I also set SSM to protect the firewall, Kerio 2.1.5, from being terminated or suspended. I won't assume that SSM covers all of the methods malicious code could use to terminate an app, so SSM is also set to restart Kerio if it is terminated and alert me to the fact. If something manages to terminate SSM, another app will detect that it's not running, restart it and alert me to the problem. That's part of the idea behind layered security using individual, freestanding apps. Besides protecting themselves, each layer monitors and protects other layers. In order for an attacker to take them all down, they have to use something that can execute with default-deny implemented, and they have to identify each layer and hit all of them together. If the attack fails to take down all of them, they will be restarted and I will be warned of the attack.
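    The "check whether a given process is running, restart it if not, and alert" measure that noone_particular describes in posts 4 and 6 can be reproduced without a third-party scheduler. The script below is an added example written for this thread, not a tool any poster mentioned; the process names and executable paths are placeholders, the event IDs and the source name ProcessWatchdog are arbitrary choices, and it assumes Windows PowerShell with permission to create an Application event log source on first run.

```powershell
# Added example: a minimal process watchdog for Windows (not from the thread).
# Placeholders: replace Name/Path with the processes you actually want monitored.
$Watched = @(
    @{ Name = 'ExampleFirewall'; Path = 'C:\Program Files\ExampleFirewall\fw.exe' }  # placeholder
    @{ Name = 'ExampleHips';     Path = 'C:\Program Files\ExampleHips\hips.exe' }    # placeholder
)
$IntervalSeconds = 10
$LogSource = 'ProcessWatchdog'   # arbitrary event log source name chosen for this example

# Register the event log source once so alerts land in the Application log
# (needs administrative rights the first time it runs).
if (-not [System.Diagnostics.EventLog]::SourceExists($LogSource)) {
    New-EventLog -LogName Application -Source $LogSource
}

# True if at least one process with the given image name exists.
function Test-WatchedProcess {
    param([string]$Name)
    return [bool](Get-Process -Name $Name -ErrorAction SilentlyContinue)
}

# Record the outage in the event log (so it can be seen in Event Viewer or
# picked up by a notification rule) and try to start the executable again.
function Restore-WatchedProcess {
    param([hashtable]$Entry)
    Write-EventLog -LogName Application -Source $LogSource -EntryType Warning -EventId 1001 `
        -Message "Watched process '$($Entry.Name)' is not running; attempting restart."
    try {
        Start-Process -FilePath $Entry.Path
    }
    catch {
        Write-EventLog -LogName Application -Source $LogSource -EntryType Error -EventId 1002 `
            -Message "Restart of '$($Entry.Name)' failed: $($_.Exception.Message)"
    }
}

# Poll loop: each cycle re-checks every watched process.
while ($true) {
    foreach ($entry in $Watched) {
        if (-not (Test-WatchedProcess -Name $entry.Name)) {
            Restore-WatchedProcess -Entry $entry
        }
    }
    Start-Sleep -Seconds $IntervalSeconds
}
```

    The watchdog is itself an ordinary user-mode process, so it has the same weakness the thread discusses: whatever can terminate the monitored application can terminate the monitor. The layered arrangement described above applies here too: run the script from a Scheduled Task that restarts it on failure, or have a second copy watch the first, and treat the Warning/Error entries it writes as the notification channel gambla was asking for rather than relying on the restart alone.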
     
  7. gambla

    gambla Registered Member

    Joined:
    Sep 4, 2007
    Posts:
    161
    Location:
    Frankfurt, Germany
    Thanks guys,
    @Gullible Jones: thank you for the link, good read
    @noone_particular: What "3rd party system scheduler" do you use?

    No doubt any AV software can be terminated, but I'd still like to have reliable monitoring and notification about it. I still need to get more familiar with the Windows event viewer/notification.
     
  8. clubhouse1

    clubhouse1 Registered Member

    Joined:
    Sep 26, 2013
    Posts:
    533
    Location:
    UK


    Thanks for explaining a complicated subject in a form easy to understand...I gained a lot of insight from that.

    :thumb:
     
  9. gambla

    gambla Registered Member

    Joined:
    Sep 4, 2007
    Posts:
    161
    Location:
    Frankfurt, Germany
  10. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798