Self-protection of NOD32

Discussion in 'ESET NOD32 Antivirus' started by viruscraft, Feb 22, 2008.

Thread Status:
Not open for further replies.
  1. viruscraft

    viruscraft Registered Member

    Joined:
    Sep 22, 2007
    Posts:
    114
    As is known, NOD32 V3 is weak in self-protection.

    The self-protection method NOD32 uses is that the NOD32 service, whose name is "eset service", regenerates its process at once, using a function provided by the Windows OS, after it is terminated.

    I think it is not safe enough because this can be easily exploited by a virus to stop or even destroy NOD32.

    Look at some other AV products such as Norton or Kaspersky; they both have great self-protection ability. Their processes cannot be terminated by Windows Task Manager or other third-party tools, while their program files are well protected too.

    Today threats are evolving very fast; more and more viruses become aggressive and are designed to destroy the anti-virus software in order to perform their actions.

    Does ESET intend to improve the self-protection of NOD32 in the near future? Or does ESET have its own opinion about this issue?
     
  2. guest

    guest Guest

    Actually it has no self protection. Just set ESET Service to Disabled and then kill the ekrn.exe process. No virus needed, a batch file can do that...
     
  3. ASpace

    ASpace Guest


    Anything with admin rights can do this. Please, try your bat file in Vista with UAC enabled - it won't pass.

    ESET's service cannot be killed (if someone manually stops the service, that is another story). Since 3.0.621 ekrn.exe cannot be renamed, too.
     
  4. lucas1985

    lucas1985 Retired Moderator

    Joined:
    Nov 9, 2006
    Posts:
    4,047
    Location:
    France, May 1968
    Self-protection is pointless and might cause more problems than solutions. IMO, the only acceptable self-protection is:
    - Prevent the service from being modified/disabled.
    - Prevent autostart keys from being modified/disabled.
    - Prevent AV files from being modified/disabled.
    - Password-protect the GUI to protect against window messages.
    The rest of the self-protection must be handled by Windows. If you're running a LUA, your AV is well protected.
     
  5. PaulB2005

    PaulB2005 Registered Member

    Joined:
    Apr 19, 2005
    Posts:
    525
    Can't comment on Kaspersky, but I've seen many a Norton installation damaged by viruses, kids meddling, or even had to kill it myself because it slows a PC down so much...
     
  6. viruscraft

    viruscraft Registered Member

    Joined:
    Sep 22, 2007
    Posts:
    114
    IMO, self-protection can protect the AV product against viruses which are not detected by an AV product with signatures up to date.

    I agree with the acceptable self-protection you described, but it seems NOD32 does not have all of the aforementioned acceptable self-protection.
     
    Last edited: Feb 23, 2008
  7. viruscraft

    viruscraft Registered Member

    Joined:
    Sep 22, 2007
    Posts:
    114
    I have had a question all the while.

    Is there any possibility that some virus could kill NOD32 by disabling its service?
     
  8. sasa843

    sasa843 Registered Member

    Joined:
    Feb 1, 2007
    Posts:
    113
    Location:
    Serbia, Europe
    I, for example, tried to disable the NOD 3.0 service from Administrative Tools and failed; better said, I didn't have the option available for stopping the service. As for malware, I am not sure. Maybe someone with better knowledge can explain?
     
  9. ASpace

    ASpace Guest


    In both v2 and v3 there is no right-click Stop option, but you can set the service to "Disabled". After that you can stop it from the Task Manager.

    However, again, this requires Administrator rights (and knowledge to be done by a person).
     
  10. viruscraft

    viruscraft Registered Member

    Joined:
    Sep 22, 2007
    Posts:
    114
    Thanks for your tips, HiTech_boy!

    You mean a virus cannot perform this operation?
     
Thread Status:
Not open for further replies.
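
An added example, not part of the original thread: a defender-side check for the sequence the posts above describe, where a protected service is set to "Disabled" and then stops. It assumes Service Control Manager events 7040, 7034 and 7036 from the Windows System log with their standard English message text; the sample events and the function name are constructed for illustration.

```python
import re
from datetime import datetime, timedelta

# Constructed sample: (timestamp, event id, message) tuples shaped like
# Service Control Manager entries exported from the Windows System log.
SAMPLE_EVENTS = [
    ("2008-02-22 10:00:01", 7036, "The Print Spooler service entered the running state."),
    ("2008-02-22 10:05:10", 7040, "The start type of the ESET Service service was changed from auto start to disabled."),
    ("2008-02-22 10:05:42", 7034, "The ESET Service service terminated unexpectedly. It has done this 1 time(s)."),
    ("2008-02-22 11:30:00", 7040, "The start type of the Windows Update service was changed from auto start to demand start."),
    ("2008-02-22 11:31:00", 7036, "The Windows Update service entered the stopped state."),
]

# Assumed message formats for event 7040 (start type change) and 7034/7036 (stop).
DISABLED = re.compile(r"^The start type of the (.+) service was changed from .+ to disabled\.$")
STOPPED = re.compile(r"^The (.+) service (?:terminated unexpectedly|entered the stopped state)")

def find_disable_then_stop(events, watched, window=timedelta(minutes=10)):
    """Return (service, disabled_at, stopped_at) for each watched service that was
    set to Disabled (7040) and then stopped or died (7034/7036) within `window`."""
    disabled_at = {}
    hits = []
    for ts, event_id, message in sorted(events):  # ISO timestamps sort chronologically
        when = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")
        if event_id == 7040:
            m = DISABLED.match(message)
            if m and m.group(1) in watched:
                disabled_at[m.group(1)] = when
        elif event_id in (7034, 7036):
            m = STOPPED.match(message)
            if m and m.group(1) in disabled_at:
                name = m.group(1)
                if when - disabled_at[name] <= window:
                    hits.append((name, disabled_at.pop(name), when))
    return hits

if __name__ == "__main__":
    for name, off, down in find_disable_then_stop(SAMPLE_EVENTS, {"ESET Service"}):
        print(f"ALERT: {name} disabled at {off} and stopped at {down}")
```

Because changing a service's start type requires administrator rights, as noted in the thread, a hit from this check also indicates that something on the host was running elevated.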