Some Malware Disables AV...

Discussion in 'NOD32 version 2 Forum' started by phasechange, Jul 3, 2006.

Thread Status:
Not open for further replies.
  1. phasechange

    phasechange Registered Member

    Joined:
    Aug 10, 2004
    Posts:
    359
    Location:
    Edinburgh
    I once had a virus infection that turned off Norton a long long time ago. Are there any such threats for NOD32 that are known? Can this be protected against?

    Fairy
     
  2. Blackspear

    Blackspear Global Moderator

    Joined:
    Dec 2, 2002
    Posts:
    15,115
    Location:
    Gold Coast, Queensland, Australia
    By design no, but the possibility remains.

    Cheers :D
     
  3. sir_carew

    sir_carew Registered Member

    Joined:
    Sep 2, 2003
    Posts:
    884
    Location:
    Santiago, Chile
    If I'm not wrong, some Bagle variants try to kill NOD32 processes. However, NOD32 is able to detect many new Bagle variants using heuristics and thus prevent them from infecting the system and killing NOD32. Also, if something disables the NOD32 service, the service will start itself automatically.
    Anyway, you can use ProcessGuard to enhance protection :)
     
  4. pykko

    pykko Registered Member

    Joined:
    Apr 27, 2005
    Posts:
    2,236
    Location:
    Romania...and walking to heaven
    Basically this can't happen because the nod32 process is integrated into the kernel and it can't be stopped. :)
     
  5. steve1955

    steve1955 Registered Member

    Joined:
    Feb 7, 2004
    Posts:
    1,384
    Location:
    Sunny(in my dreams)Manchester,England
    Yes it can!
     
  6. ASpace

    ASpace Guest


    You mean, yes, it can be stopped, or yes, it is true?
    o_O
     
  7. steve1955

    steve1955 Registered Member

    Joined:
    Feb 7, 2004
    Posts:
    1,384
    Location:
    Sunny(in my dreams)Manchester,England
    I mean yes it can be stopped/disabled
     
  8. fosius

    fosius Registered Member

    Joined:
    Oct 14, 2004
    Posts:
    479
    Location:
    Partizanske, Slovakia
    But when it is closed, it is automatically restarted by the operating system.
     
  9. ASpace

    ASpace Guest

    Agree, and moreover NOD32 should detect any threat attempting such an evil thing before it messes things up :thumb:
     
  10. steve1955

    steve1955 Registered Member

    Joined:
    Feb 7, 2004
    Posts:
    1,384
    Location:
    Sunny(in my dreams)Manchester,England
    There is a "test" app available which attempts to close AV programs using various methods. NOD32 can be stopped and doesn't auto-restart (unless you're talking about on reboot). If any malware manages to remove/alter the registry entries that cause NOD to start (or any other AV, for that matter), your AV will be disabled.
     
  11. Ngwana

    Ngwana Registered Member

    Joined:
    Jul 5, 2006
    Posts:
    156
    Location:
    Glasgow, United Kingdom
    There is a growing concern about 'who protects security software' when it is installed. So it seems most AVs will sooner or later learn to defend themselves from being disabled or corrupted. I will be careful about claiming 100% immunity by any AV vendor.
     
  12. NOD32 user

    NOD32 user Registered Member

    Joined:
    Jan 23, 2005
    Posts:
    1,766
    Location:
    Australia
    You are talking about the Control Center and not the Kernel Service, aren't you?
    NOD32 would normally detect anything trying to play funny with its Kernel Service, I believe....
     
  13. fosius

    fosius Registered Member

    Joined:
    Oct 14, 2004
    Posts:
    479
    Location:
    Partizanske, Slovakia
    I tried Advanced Process Termination. Yes, it could close NOD32 service, but it was automatically restarted.
     
  14. NOD32 user

    NOD32 user Registered Member

    Joined:
    Jan 23, 2005
    Posts:
    1,766
    Location:
    Australia
    Thanks fosius - good to know :)
     
  15. steve1955

    steve1955 Registered Member

    Joined:
    Feb 7, 2004
    Posts:
    1,384
    Location:
    Sunny(in my dreams)Manchester,England
    That's very good news: ESET must have improved robustness since it was tested a year or so ago (might be longer, I lose track of time: it's my age lol); back then, when it was terminated, it stayed terminated.
     
  16. pykko

    pykko Registered Member

    Joined:
    Apr 27, 2005
    Posts:
    2,236
    Location:
    Romania...and walking to heaven
    Well, if that test is so old, I'm sure NOD32 can't be stopped now. It's hard to do that. :)
     
  17. gnervt

    gnervt Registered Member

    Joined:
    May 6, 2005
    Posts:
    53
    Location:
    Germany
    That's not as hard as you think. If you are working with admin rights, then a program could change the nod32krn service startup type and could terminate the service. For example (WinXP, admin rights, at the command prompt):

    Code:
     rem default start type is 'auto'; to revert, set it back to auto and reboot
     sc config nod32krn start= disabled
    Then you can kill the nod32krn process with the task manager or simply reboot. The nod32krn service will not be running anymore. Only the GUI would be running (nearly useless)... :cautious:
     
  18. steve1955

    steve1955 Registered Member

    Joined:
    Feb 7, 2004
    Posts:
    1,384
    Location:
    Sunny(in my dreams)Manchester,England
    ~snip~ removed quote ~ Blackspear
    You can probably disable most if not all AVs using this technique, so he probably isn't giving away a big secret.
     
    Last edited by a moderator: Jul 11, 2006
  19. Zombini

    Zombini Registered Member

    Joined:
    Jul 11, 2006
    Posts:
    469
    It is too easy to disable NOD32. Besides using the "sc" command you can do the same thing programmatically using ChangeServiceConfig2.

    Additionally NOD32 can be disabled by:
    - terminating all its processes
    - deleting any and all its directories/files
    - deleting its registry keys
    - adding loopback entries for

    127.0.0.1 u2.eset.com
    127.0.0.1 u3.eset.com
    127.0.0.1 u4.eset.com
    127.0.0.1 u7.eset.com
    127.0.0.1 u8.eset.com

    in the hosts file.

    Most AV products today, Kaspersky, Norton protect against all of these. You may have the "best" AV product, but its useless if it can be disabled. So choose your AV product wisely.
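    Added example (not code from the thread or from ESET): a check for the hosts-file trick listed above. It parses a Windows hosts file, tolerating comments, tabs and several hostnames per line, and reports any watched update hostname that is mapped to a loopback or unspecified address (a sinkhole) or to any other address (a redirect). The watch list is assumed to be the five u*.eset.com names quoted in the post; a real deployment would load the vendor's full server list. The hosts-file text is constructed, not a real capture.

```python
"""Flag hosts-file entries that sinkhole or redirect an AV vendor's update
servers (the "127.0.0.1 u2.eset.com" technique).

Assumptions (not from the thread): the watch list is the five names quoted
in the post; the hosts text below is constructed sample input."""

import ipaddress

# Constructed sample hosts file with comment, tab, multi-name and IPv6 variants.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
127.0.0.1 u2.eset.com
127.0.0.1\tu3.eset.com   # tab separated
0.0.0.0   u4.eset.com u7.eset.com
::1       u8.eset.com
198.51.100.7  u7.eset.com   # steered to an attacker-chosen host instead
10.0.0.5  intranet.example   # unrelated, must not alert
not-an-ip bogus.example      # malformed, must be skipped
"""

# Assumed watch list: the names quoted in the post.
WATCHED_HOSTS = {"u2.eset.com", "u3.eset.com", "u4.eset.com",
                 "u7.eset.com", "u8.eset.com"}


def parse_hosts(text):
    """Yield (ip_address, hostname) for every hostname on every data line."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # strip trailing comments
        if not line:
            continue
        parts = line.split()                   # any run of spaces/tabs
        try:
            ip = ipaddress.ip_address(parts[0])
        except ValueError:
            continue                           # malformed line; ignore
        for name in parts[1:]:
            yield ip, name.lower()


def is_sinkhole(ip):
    """True for targets that can never reach a real update server."""
    return ip.is_loopback or ip.is_unspecified


def find_hijacked_hosts(text, watched=WATCHED_HOSTS):
    """Return sorted (hostname, ip, kind) for watched names found in the file.

    kind is 'sinkhole' for loopback/unspecified targets and 'redirect' for
    anything else: either way a legitimate hosts file has no such entry."""
    hits = set()
    for ip, name in parse_hosts(text):
        if name in watched:
            kind = "sinkhole" if is_sinkhole(ip) else "redirect"
            hits.add((name, str(ip), kind))
    return sorted(hits)


if __name__ == "__main__":
    for name, ip, kind in find_hijacked_hosts(SAMPLE_HOSTS):
        print(f"{kind:8s} {name} -> {ip}")
```

    Reporting redirects as well as sinkholes matters because, as the next reply notes, pointing a handful of names at 127.0.0.1 does not necessarily stop updates; an entry that points them somewhere else is the more dangerous variant, and both show up as the same kind of tampering.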
     
  20. NOD32 user

    NOD32 user Registered Member

    Joined:
    Jan 23, 2005
    Posts:
    1,766
    Location:
    Australia
    Using the loopback entries you have mentioned does not prevent updates....
     
  21. ASpace

    ASpace Guest

    It has only two processes: nodkrn.exe and nodkui.exe.

    nodkui.exe is not important at all for the protection. It is only the user interface (NOD32 Control Center). nodkrn.exe, as already mentioned, can hardly be stopped because it is at the kernel level.

    Oops, sorry, you are wrong here. By default, the folder and the files of NOD32 are locked. See:
    http://pandaman.my.contact.bg/123.PNG

    This won't prevent NOD32 from updating.

    The only thing I cannot confirm, because I haven't tried it, is the part about the registry keys, but I am sure ESET have somehow protected them.

    Please NOTE: the current thread is about malware disabling antivirus software, not about complicated user actions. Nobody will do what you explain; moreover, most people don't even know how to do it.
     
  22. LowWaterMark

    LowWaterMark Administrator

    Joined:
    Aug 10, 2002
    Posts:
    17,876
    Location:
    New England
    A couple posts have been removed from this thread because they were both defamatory and inaccurate.

    Someone replied to a post by 'gnervt' with this: "Maybe it's just a feeling, but it seems, you've worked for ESET in the past. :D And now, by using a new nick, you talking about this kind of things which were not very fair to ESET. ;)" Some people took that to mean that gnervt was actually Michael (aka Inspector Clouseau, formerly Happy Bytes when he was an Eset moderator). That is wrong! gnervt is not Michael.

    Further, that post is defamatory to gnervt, i.e. implying that he is a former Eset employee, and that he somehow broke trust by revealing something proprietary to that company. (Of course, there is nothing proprietary in what gnervt posted. The "sc" statement shown there is a documented command available in Windows for the management of services. That is in no way any form of secret information.)

    In any case, even if the poster of this remark was just joking, defamatory comments like that are totally inappropriate and have no place on this forum. People need to stop and think before posting anything like that, not only because it is libelous, but because it could adversely affect another person's reputation and livelihood.
     