Self protection in ESS

Discussion in 'ESET Smart Security v3 Beta Forum' started by Bazzatogo, Jun 1, 2007.

Thread Status:
Not open for further replies.
  1. Bazzatogo

    Bazzatogo Registered Member

    Joined:
    Jun 1, 2007
    Posts:
    1
    Good morning from a newbie. I have been trying ESS for a few days on WinXP and so far have found it very nice with no problems to speak about. My question though, is ESS self protected against malicious software trying to shut down security programs and if not are there any plans to include this feature in future releases? Thanks. Baz
     
  2. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    Like in v2, the kernel service is protected from being killed.
     
  3. solcroft

    solcroft Registered Member

    Joined:
    Jun 1, 2006
    Posts:
    1,639
    A token gesture, I think. As far as I can tell, there's nothing to stop malware from deleting the ekrn.exe service entirely, and THEN terminating the kernel.
     
  4. Steel

    Steel Registered Member

    Joined:
    Jul 21, 2005
    Posts:
    219
    Really good question. In particular, Sygate is still considered the firewall with the best self-protection, correct? Is ESS similarly well or better protected?
     
  5. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    With administrator rights you can circumvent any self-protection system.
     
  6. Steel

    Steel Registered Member

    Joined:
    Jul 21, 2005
    Posts:
    219
    So far clearly. But for what reason is Sygate until today considered almost invulnerable with its self-protection? Does ESS offer similarly good, or better, protection? It can certainly be compared by a specialist. And comparing now is no problem, because Sygate is dead.

    Don't hit me, I know this is not the Sygate forum, but this is IMHO a really good question.
     
  7. solcroft

    solcroft Registered Member

    Joined:
    Jun 1, 2006
    Posts:
    1,639
    While I am not knowledgeable enough to challenge you on that claim, I think the real question here is: how easily can it be done?

    In ESS' case: very. The inability to terminate ekrn.exe via the Task Manager is false reassurance at best, as one doesn't really need to look much further to find out how to accomplish that feat. I wonder if this issue might be relevant, BUT considering that the majority of Windows boxes run on admin-rights accounts...
     
  8. vapor

    vapor Registered Member

    Joined:
    May 27, 2007
    Posts:
    24
    ...uh? Is this a problem with the beta, or all versions of NOD32? What about other AVs?
     
  9. ASpace

    ASpace Guest

    Marcos is very right. What they have already implemented is enough for preventing most malware. With administrator rights and with the creature sitting behind the keyboard, no matter what self-protection the software may have, it can be easily killed. Actually, software which claims to have better self-protection creates a false sense of more security, because its self-protection can also easily be bypassed with an Admin account.

    About your point that the majority of Windows installations run with Admin rights, you are right, but Microsoft are doing their best to change this. As you know, in the next-generation OS, Vista, the standard account has no Admin rights. User Account Control is incorporated for ALL types of accounts (incl. the Admin account). UAC will limit the rights even of the administrator; I mean, it will limit the rights to a point where it is the human who decides what actually is/will be going on.
     
  10. cerBer

    cerBer Registered Member

    Joined:
    Jul 29, 2006
    Posts:
    81
    Talking about ESS, is it now up to the human to decide?
    I mean, can you switch it off completely?
     
  11. solcroft

    solcroft Registered Member

    Joined:
    Jun 1, 2006
    Posts:
    1,639
    To give you an idea of how very easily this might be done: any Joe Schmoe who knows nothing more complicated than writing a batch file can completely terminate the ESS kernel and even prevent the user from restarting it by hand, just by writing 2 lines of code.

    Try to terminate something like Dynamic Security Agent, SSM or Cyberhawk without taking the easy way out and using the program's "exit" command. With the proper tools and know-how I'm sure you'll manage it eventually, but it'll give you a proper appreciation of what real self-protection is like.
     
  12. Joliet Jake

    Joliet Jake Registered Member

    Joined:
    Mar 1, 2005
    Posts:
    911
    Location:
    Scotland
    A quick straw poll, how many people have had nasties terminate NOD? How many posts have been made in either NOD forum saying NOD had been terminated?

    OK, been using NOD for a year and a half and it's not happened to me.
     
  13. Orion71

    Orion71 Registered Member

    Joined:
    Jun 25, 2006
    Posts:
    7
    You don't think those can go down with only even 1 line of code?
    How about a nice and non-recursive format then?
    I'm quite sure those running protected processes won't survive that either.

    One shouldn't exaggerate the importance of being able to self-protect a running service. Security starts with the person behind the computer, not with the computer.

    It's nice to have somewhat of a feature built in which acts like a sort of speed bump, but that's all, just nice. It will never save you.
    It didn't save Sygate's personal firewall :)
     
  14. NAMOR

    NAMOR Registered Member

    Joined:
    May 19, 2004
    Posts:
    1,526
    Location:
    Arkham Asylum
    I always find these posts interesting (seriously). I just have one question... Let's say that a piece of malware has the ability to disable your security product(s)... It is my guess that disabling your protection is just a means to an end, where the MAIN OBJECTIVE is to destroy or take over your computer. Now if this virus/trojan did happen to make it on your computer undetected and was executed, would it really matter if your AV program can protect itself or not? I would figure that you would have much bigger problems to worry about than your AV remaining intact.
     
  15. solcroft

    solcroft Registered Member

    Joined:
    Jun 1, 2006
    Posts:
    1,639
    A recursive format doesn't bring about any real benefits to the malware author. It doesn't allow his/her malware to propagate, and it doesn't allow him/her to reap any economic benefits from the compromised machine by stealing data or anything else. Not that that's not an equally valid method of killing security software, but because it offers no incentive whatsoever to the author, it's rarely seen.

    Specifically turning off security software, however, is a much less remote possibility. An example of this would be product K, which is completely killed by resetting the system date. I have never seen anyone complaining of this in English-language forums either, but it doesn't mean that this kind of malware is extremely rampant in China (and perhaps some other regions as well). It offers the malware writer an easy method of slipping their malware past security software, even if said security software is able to detect said malware. For example, pack your malware and a batch file into an encrypted dropper executable to protect it from scanners. Release the batch file, which kills security software, then release and execute the malware, which is then able to do its work unimpeded.
     
  16. NAMOR

    NAMOR Registered Member

    Joined:
    May 19, 2004
    Posts:
    1,526
    Location:
    Arkham Asylum
    Gotcha, thanks for the input. :D Guess that's why it's best to have a layered approach...
     
  17. Orion71

    Orion71 Registered Member

    Joined:
    Jun 25, 2006
    Posts:
    7
    All true, and indeed my example was more theoretical than anything else, but that's why I said that real protection starts (and very often ends) with the knowledge of the user; software is merely an aid to accomplish what you really want.
    If one of my running processes suddenly stops, I instantly know there's something wrong and I have to take precautions and steps accordingly.
    I also know I did try very hard to keep malware out of my box in the first place, and instead of implementing failsafes for moments when it's pretty much too late already (because the infection is already in your box at that time), I'd rather see people use their common sense in the first place instead of trusting their installed security tools, yet, after installing these tools, visiting the dark dungeons of the web, opening every attachment they can get their hands on, installing every little crappy keygen they can torrent, and so on.

    I'm probably alone in this, but that's why I don't want security tools to be 100% effective; most people only learn after screwing up in one way or another. It's online-based evolution theory: only by evolving and learning from mistakes will people start to think for themselves, and thus it should be. Conclusion: 75% software-based protection should be enough :)

    That way in the end, the happy few, the true survivors, will have all the bandwidth they can handle. And THAT, my friends, is a noble cause :)
     
    Last edited: Jun 2, 2007
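The point made above, that a security service stopping is itself the signal to act on, can be turned into a routine check. The following PowerShell script is an added example and is not from any post in this thread nor from ESET; it assumes the ESET kernel service is registered under the service name `ekrn` with the display name `ESET Service` (both assumptions, taken from the ekrn.exe process mentioned here), and it relies only on the standard Windows Service Control Manager events 7034 (service terminated unexpectedly), 7036 (service entered a state) and 7040 (start type changed). It reports whether the service is missing, stopped, or no longer set to start automatically, and lists any recent SCM events about it.

```powershell
# Added example, not from the thread or from ESET: read-only health check for an
# AV kernel service. Service and display names below are assumptions; adjust them.
param(
    [string]$ServiceName   = 'ekrn',          # assumed service name
    [string]$DisplayName   = 'ESET Service',  # assumed display name (SCM events use it)
    [int]   $LookbackHours = 24
)

$findings = @()

# 1. Is the service still registered, running, and set to start automatically?
$svc = Get-Service -Name $ServiceName -ErrorAction SilentlyContinue
if (-not $svc) {
    $findings += "Service '$ServiceName' is not registered (deleted or never installed)."
} else {
    if ($svc.Status -ne 'Running') {
        $findings += "Service '$ServiceName' exists but is in state '$($svc.Status)'."
    }
    $cfg = Get-CimInstance -ClassName Win32_Service -Filter "Name='$ServiceName'"
    if ($cfg -and $cfg.StartMode -ne 'Auto') {
        $findings += "Start mode of '$ServiceName' is '$($cfg.StartMode)' (expected 'Auto')."
    }
    $DisplayName = $svc.DisplayName   # prefer the real display name when available
}

# 2. Did the Service Control Manager record a crash, stop, or start-type change recently?
$filter = @{
    LogName      = 'System'
    ProviderName = 'Service Control Manager'
    Id           = 7034, 7036, 7040
    StartTime    = (Get-Date).AddHours(-$LookbackHours)
}
$pattern = [regex]::Escape($DisplayName)
$events  = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
           Where-Object { $_.Message -match $pattern }

foreach ($e in $events) {
    # 7036 also fires on a normal "running" transition; keep it, since an
    # unexpected stop/start pair is exactly what a tamper attempt looks like.
    $msg = $e.Message -replace '\s+', ' '
    $findings += "$($e.TimeCreated.ToString('s')) SCM event $($e.Id): $msg"
}

# 3. Report. Exit code 1 lets a scheduled task or monitoring agent raise an alert.
if ($findings.Count -eq 0) {
    Write-Output "OK: '$ServiceName' is registered, running, set to Auto, and has no SCM crash/stop/start-type events in the last $LookbackHours h."
    exit 0
} else {
    Write-Warning "Possible tampering with '$ServiceName':"
    $findings | ForEach-Object { Write-Output "  - $_" }
    exit 1
}
```

Run it from a scheduled task or a remote management host, for example `powershell -File Check-AvService.ps1 -LookbackHours 6`. As the thread notes, anything running with the same rights as the malware can itself be stopped, so the check adds value mainly when its result or the System event log is forwarded to a separate machine where a missing report is as alarming as a failing one.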
  18. lodore

    lodore Registered Member

    Joined:
    Jun 22, 2006
    Posts:
    9,006
    The problem is that when ESET gets more and more known, their AV will be targeted.
    That's why Kaspersky added self-protection in KAV 6.0 and improved it in v7.
    Malware has an easy ride if it can disable your AV first.
    lodore
     
  19. Orion71

    Orion71 Registered Member

    Joined:
    Jun 25, 2006
    Posts:
    7
    Rest assured that every "skilled" malware writer knows who the major players are and were over the last several years. Just like people who visit Wilders do.
    So I don't think that a particular threat to get targeted will increase that much. Script kiddies entering the world of malware right now have a long way to catch up, and although there will be many, there won't be many extremely knowledgeable ones; furthermore, they will not have the tools and means when beginning nowadays to be able to keep up with the R&D departments of those same major players.

    Since security IS a booming business I expect a consolidation round in the next few years, which will only increase the R&D departments of the major players. Being in this business, those companies AB-SO-LU-TE-LY understand that they can't sit still and have to improve their knowledge and products, and they will.

    Don't forget that besides the security companies, there's a huge community of people like us on forums like Wilders, which easily outnumbers the malware dudes, and amongst whom many highly skilled persons reside. There have been enough examples of persons who started out with a freeware tool to fight a threat, and who now are either part of, or even run, a commercial company. So for every threat they will throw at us, there will be a solution.
    The downside is that we often have to react to a "live" threat instead of being able to pre-emptively dissolve threats.

    But I guess this is not the right part of the forum to have this discussion (although it being an interesting one), so I'll try to keep further postings a bit more on topic towards the goal of this particular forum :)
     
  20. solcroft

    solcroft Registered Member

    Joined:
    Jun 1, 2006
    Posts:
    1,639
    We're beginning to deviate from the main point already. To summarize: although ESET claims NOD32 is capable of protecting its kernel from termination, the protection mechanisms in place are ridiculously easy to bypass, and are put in place mostly for show. While it may or may not be true that any process can be terminated with admin rights, NOD32's protection is so easily circumvented that it might as well not be there.

    The same goes for another popular product on the market. Unfortunately, the vendor is also of the opinion that such attacks aren't widespread, and the issue warrants no further attention. I'm not sure if they're aware that such attacks are widespread in China (since the product is popular there) and simply want no further questions from their Western customers, but I digress.
     