Security quotes of the week

Posted Jun 5, 2012 19:55 UTC (Tue) by Cyberax (✭ supporter ✭, #52523)
In reply to: Security quotes of the week by hummassa
Parent article: Security quotes of the week

"Disable antivirus"? Which one and how?

It's not a simple task. And exploiting the kernel is only the first part of it. Next you need to somehow isolate antivirus-installed hooks without tripping them and leave the system working.

Most malware actually doesn't try to do this. Instead it tries to stay quiet and not trip any antivirus detection heuristics.


Security quotes of the week

Posted Jun 5, 2012 20:30 UTC (Tue) by hummassa (subscriber, #307)

All of them. How many executable names for antivirus programs do you think there are? Iterate ten to twenty of those, kill any running processes with those names, and you have disabled protection in 99% of the cases. At that point in the infection (just exploited root hole, nothing was written to disk yet) it's quite trivial.

Security quotes of the week

Posted Jun 5, 2012 22:32 UTC (Tue) by Cyberax (✭ supporter ✭, #52523)

Try it. Really, go on and try it with Kaspersky antivirus. Nothing will happen - you won't be able to kill the antivirus's process. It's protected at the kernel-mode level.

It also sets a lot of hooks and tries to monitor its self-integrity, so even if you try to kill it by patching the kernel process table or in any other obvious way - you'll simply trigger these hooks and either initiate a self-healing attempt or create a BSOD. It's possible to work around them, of course, but decidedly non-trivial. Even the Flame malware doesn't try to do it - it simply stays under the radar.

Copyright © 2013, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds