Self-defense shortcoming with the registry

Discussion in 'ESET NOD32 Antivirus' started by coch, Sep 25, 2011.

Thread Status:
Not open for further replies.
  1. coch

    coch Registered Member

    Joined:
    Mar 13, 2010
    Posts:
    8
    Hi, I wanted to report that it is possible to edit the registry and remove NOD32's startup entry.

    It looks like NOD32 protects its startup entry, which is the value "egui"="\"C:\\Program Files\\ESET\\ESET NOD32 Antivirus\\egui.exe\" /hide /waitservice" under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run; however, it is possible to delete the whole key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run, including the egui entry and all the entries for other software.

    I can reproduce this every time, i.e. deleting the whole HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run key, with NOD32 v5 with self-defense on.
    Furthermore, re-adding the key is not possible without turning off self-defense, for some reason (one would think that removing the key is a more serious security issue than adding a key which runs an antivirus).

    I am on Windows 7 x86 using NOD32 v5.
     
  2. cupez80

    cupez80 Registered Member

    Joined:
    Jun 28, 2005
    Posts:
    605
    Location:
    Surabaya Indonesia
    I read somewhere on Wilders that Egui (which is the GUI only) is not really protected by self-defense and can be disabled, but that does no harm to your system because Ekrn is the core AV.
     
  3. coch

    coch Registered Member

    Joined:
    Mar 13, 2010
    Posts:
    8
    Agreed, that's my understanding as well, but without the GUI, even though you are still protected, I believe you will not see any warnings or prompts from the antivirus, so if there is a virus it could be deleting the file or blocking access without you knowing (or without you knowing why), as no feedback would be provided to the user.

    Besides, it seems like the egui.exe run entry is protected by the self-defense module. Just try to delete that specific run entry and self-defense will prevent it (just as it will prevent adding it back when it is missing, although I find that strange); however, you can delete the whole key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run and this will not be prevented by self-defense.
     
  4. toxinon12345

    toxinon12345 Registered Member

    Joined:
    Sep 8, 2010
    Posts:
    1,200
    Location:
    Managua, Nicaragua
    I think it is more precise to rename the "modify registry" operation to "write to registry".
     
  5. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,148
    Can you do this as a user?
     
  6. coch

    coch Registered Member

    Joined:
    Mar 13, 2010
    Posts:
    8
    Good question, I had not tried this before (I am running an administrator account). But I tried just now and no, it does not work: with a regular user account I cannot delete the whole key.
     
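An added example, not code from the thread or from ESET: a PowerShell diagnostic for the situation posts #1, #3 and #6 describe. It tells apart "the egui value is gone" from "the whole Run key is gone" (the case self-defense did not block), lists which identities hold the Delete right on the Run key (which is why the standard user in post #6 could not remove it), checks that the core service is still running, and optionally tries to recreate the entry so you see self-defense refuse it rather than fail silently. The value name and data are taken from post #1; the service name 'ekrn' is an assumption based on post #2, and the paths assume the 32-bit install from post #1.

```powershell
# Added example, not from the thread. Run from an elevated PowerShell prompt.
# Assumptions: value name/data as quoted in post #1; 'ekrn' as the service
# name is inferred from post #2 and may differ between versions.
param([switch]$Restore)

$RunKey   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$EguiName = 'egui'
$EguiData = '"C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice'

function Test-EguiRunEntry {
    # Returns 'KeyMissing', 'ValueMissing', 'ValueChanged' or 'OK'.
    # Self-defense guards the value; deleting its parent key removes it anyway.
    if (-not (Test-Path -LiteralPath $RunKey)) { return 'KeyMissing' }
    $props = Get-ItemProperty -LiteralPath $RunKey
    if (-not ($props.PSObject.Properties.Name -contains $EguiName)) { return 'ValueMissing' }
    if ($props.$EguiName -ne $EguiData) { return 'ValueChanged' }
    return 'OK'
}

function Get-RunKeyDeleters {
    # Identities allowed to delete the Run key itself. Deleting a key needs
    # the Delete right on that key (FullControl includes it).
    if (-not (Test-Path -LiteralPath $RunKey)) { return @() }
    $deleteRight = [int][System.Security.AccessControl.RegistryRights]::Delete
    (Get-Acl -LiteralPath $RunKey).Access |
        Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            (([int]$_.RegistryRights -band $deleteRight) -ne 0)
        } |
        ForEach-Object { $_.IdentityReference.Value } |
        Sort-Object -Unique
}

function Restore-EguiRunEntry {
    # Recreates the key and the value. Post #1 reports this is refused while
    # self-defense is on; the catch surfaces that error instead of hiding it.
    try {
        if (-not (Test-Path -LiteralPath $RunKey)) {
            New-Item -Path $RunKey -Force -ErrorAction Stop | Out-Null
        }
        New-ItemProperty -LiteralPath $RunKey -Name $EguiName -Value $EguiData `
            -PropertyType String -Force -ErrorAction Stop | Out-Null
        return $true
    } catch {
        Write-Warning "Could not restore '$EguiName': $($_.Exception.Message)"
        return $false
    }
}

$state = Test-EguiRunEntry
Write-Output "Run key state for '$EguiName': $state"
Write-Output ("Identities that may delete the Run key: " + ((Get-RunKeyDeleters) -join ', '))

# Per post #2 the core service should keep running even without the GUI autostart.
$svc = Get-Service -Name 'ekrn' -ErrorAction SilentlyContinue
Write-Output ("ekrn service: " + $(if ($svc) { $svc.Status } else { 'not found' }))

if ($Restore -and $state -ne 'OK') {
    Write-Output ("Restore succeeded: " + (Restore-EguiRunEntry))
}
```

Without -Restore the script only reads; with -Restore it attempts the re-add from post #1 and prints the access error self-defense returns. Running the read-only part as the standard user from post #6 shows that account absent from the list of identities holding Delete on the key, which is the reason the full-key deletion only works from an administrator account.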