How does an Advanced Persistent Threat work?

How to protect from APT? (poll)

  • Antivirus: 1 vote (3.2%)
  • Antivirus + Firewall: 19 votes (61.3%)
  • No way out: 11 votes (35.5%)

  Total voters: 31

Tony Cole

Level 27
Verified
May 11, 2014
1,639
Thanks kram7750, I wish I had your knowledge, maybe one day you could work for Kaspersky, or have your own AV company! My friend uses Dr. Web, how do they fare against such attacks? Hope your hand is better.
 
Last edited:
  • Like
Reactions: WinXPert

Deleted member 21043

Thread author
Thanks kram7750, I wish I had your knowledge, maybe one day you could work for Kaspersky, or have your own AV company! My friend uses Dr. Web, how do they fare against such attacks? Hope your hand is better.
Probably off-topic, but I'll never work for Kaspersky... Or any other AV vendor I am not in charge of. But don't worry, I'm currently in the process of starting my own security company to provide security software such as Antivirus, Internet Security.

As for the question regarding Dr. Web, I cannot actually answer your question. However, I will try to estimate how some things work for, e.g., a web filter. But not aimed directly at Dr. Web.

A web filter can be made via many different methods.
- Hosts file
- Hooking functions (user-mode/kernel-mode)
- Driver to sniff the network

The first method I mentioned, the Hosts file, is a file stored in the Windows directory under system32/drivers/etc. It's responsible for holding hosts to block. If you use the format 127.0.0.1 <host domain> in the hosts file, it will block these hosts from successfully connecting. You can also use this as a basic adblocker, if you add the hosts of the advertisements to the Windows Hosts file. Hence why it's called the "Hosts" file.

This method is especially insecure because if you wrote to the Hosts file to remove the entries added by the product, then it won't work as the entries would have been removed. If you use this, set hooks to prevent modifications to the Hosts file at the least.

The second method I mentioned, hooking functions, can be used for many things related to networking. You can even make a firewall out of hooking specific functions. For Internet Explorer, you could hook functions like HttpSendRequest/Ex. It's called when a request to an HTTP server is made in Internet Explorer; it's located in WinInet.dll (HttpSendRequest!WinInet / same with the Ex version).

Another function to hook could be InternetConnect().

But the issue with this is you'd have to hook a lot of functions, and other browsers/processes may use other libraries for other functions.

The last method would be the best in my opinion. From kernel-mode, you have access to the hardware and all software running (you can access all the memory on the system). You can monitor and sniff the network and you can block requests as well.

Just a very short and not very detailed reply, I apologize this post of mine lacks interest and detail. I should really extend it.

Cheers. ;)
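As an added illustration of the Hosts-file method and of the weakness described above (this is example code, not the poster's and not any vendor's), the following Python parses a hosts file, decides whether a host is sinkholed to a loopback or null address, and audits the file against the blocklist a hypothetical web filter expects to find there, so that removed entries show up as tampering. The sample hosts text, the host names and EXPECTED_BLOCKLIST are all constructed for the example.

```python
"""Parse a hosts file, test whether a host is sinkholed, and audit the file
against the blocklist a product expects to be present (tamper check)."""

from typing import Dict, List, Set

# Constructed sample hosts file; not taken from any real machine.
SAMPLE_HOSTS = """\
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
127.0.0.1       localhost
::1             localhost

# entries a hypothetical web filter product wrote
127.0.0.1   ads.example-tracker.test   # comment after an entry
0.0.0.0     malware-c2.example.test
127.0.0.1   Banner.EXAMPLE-ADS.test   www.banner.example-ads.test
"""

# Hypothetical list of hosts the product believes it has blocked.
EXPECTED_BLOCKLIST = {
    "ads.example-tracker.test",
    "malware-c2.example.test",
    "banner.example-ads.test",
    "phish.example-login.test",   # absent from SAMPLE_HOSTS: simulates removal
}

# Addresses that make a hostname unreachable when mapped in the hosts file.
SINKHOLE_ADDRESSES = {"127.0.0.1", "0.0.0.0", "::1", "::"}


def parse_hosts(text: str) -> Dict[str, List[str]]:
    """Map each hostname (lower-cased) to every address it is mapped to."""
    entries: Dict[str, List[str]] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and whitespace
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:
            continue   # an address with no hostname is malformed; skip it
        address, hostnames = parts[0], parts[1:]
        for name in hostnames:
            entries.setdefault(name.lower(), []).append(address)
    return entries


def is_blocked(entries: Dict[str, List[str]], hostname: str) -> bool:
    """A host is blocked when every address it maps to is a sinkhole.

    A host with a mix of sinkhole and real addresses is not considered
    blocked, because the resolver may still pick the real one.
    """
    addresses = entries.get(hostname.lower())
    if not addresses:
        return False
    return all(addr in SINKHOLE_ADDRESSES for addr in addresses)


def audit_hosts(text: str, expected: Set[str]) -> Set[str]:
    """Return expected blocklist entries that are missing or no longer sinkholed.

    A non-empty result means the file was edited after the product wrote it,
    which is exactly the weakness of relying on the hosts file alone.
    """
    entries = parse_hosts(text)
    return {host for host in expected if not is_blocked(entries, host)}


if __name__ == "__main__":
    parsed = parse_hosts(SAMPLE_HOSTS)
    for host in ("ads.example-tracker.test", "www.banner.example-ads.test", "example.com"):
        print(f"{host}: {'blocked' if is_blocked(parsed, host) else 'not blocked'}")
    print("missing from hosts file:", sorted(audit_hosts(SAMPLE_HOSTS, EXPECTED_BLOCKLIST)))
```

The audit is the part a defender actually wants: run it periodically (or from a file-change notification on the hosts file) and treat any missing entry as a signal that something rewrote the file, since the hosts file itself offers no integrity protection.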
 

Tony Cole

Level 27
Verified
May 11, 2014
1,639
Wow, I never knew there were so many ways AV software could function, re: ability to block attacks and changes to their files/registry keys. So, with Comodo you can right click the icon and it's disabled, no warning, nothing. Does that suggest it's an easy target, or impossible as the user made the changes and malware cannot do it?
 

Deleted member 21043

Thread author
Wow, I never knew there were so many ways AV software could function, re: ability to block attacks and changes to their files/registry keys. So, with Comodo you can right click the icon and it's disabled, no warning, nothing. Does that suggest it's an easy target, or impossible as the user made the changes and malware cannot do it?
Could you possibly re-write your question? I do not understand the question/what you are speaking about? :(
 

Deleted member 178

Thread author
I think he asks if malware can disable the components like a user may do via right-clicking the system tray icon of CIS.
 

Tony Cole

Level 27
Verified
May 11, 2014
1,639
With Comodo, you can right click the icon in the toolbar and it will shut Comodo down; with Kaspersky it will issue a warning beforehand. Can malware easily do the same, i.e., Comodo requires no other user input, it shuts the whole program down. Before, in version 5, users were unable to disable Comodo via Task Manager; now you can. Bitdefender and Kaspersky block such attempts, as access denied. Does this mean Comodo's ability to protect their files and registry keys against attacks is weaker than Kaspersky's? That's a crap explanation, but hope you understand what I mean.... :)
 
  • Like
Reactions: Deleted member 178

Deleted member 178

Thread author
Tony, to answer your question, malware can potentially disable any AV, but for that it just has to change the registry (meaning the AV has been bypassed silently by the malware, or let itself be bypassed by the user's happy clicking). I remember a malware that totally disabled all components of Avast IS and replaced the tray icon with a fake one, so the user still thought that Avast was protecting them.
 

Deleted member 21043

Thread author
With Comodo, you can right click the icon in the toolbar and it will shut Comodo down; with Kaspersky it will issue a warning beforehand. Can malware easily do the same, i.e., Comodo requires no other user input, it shuts the whole program down. Before, in version 5, users were unable to disable Comodo via Task Manager; now you can. Bitdefender and Kaspersky block such attempts, as access denied. Does this mean Comodo's ability to protect their files and registry keys against attacks is weaker than Kaspersky's? That's a crap explanation, but hope you understand what I mean.... :)

Both BitDefender and Kaspersky block process attack attempts via a kernel-mode driver; they return STATUS_ACCESS_DENIED from kernel-mode, which generates the Access Denied error message. It blocks Task Manager as well because it's done in kernel-mode; they don't make exceptions for any program other than their own to terminate it (they must allow their own process, otherwise it won't be able to close when the user wants to, because when you close a program, it calls ZwTerminateProcess at some point in time).

Even among the big vendors, some products can be easily manipulated, others not so easily. You can try making a driver, then make it boot before the others, and from kernel-mode in that driver, clean out the drivers belonging to the installed security software (and the files, etc). Then remove their registry entries that auto-start them on boot as well. That's another example.

Yes, Comodo is more vulnerable if they do not protect their process, registry keys, files, etc. Each vendor may have different techniques. Avast uses ObRegisterCallbacks for self protection, for example.

Cheers. ;)
 
  • Like
Reactions: Secondmineboy
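To make the self-protection mechanism described in the post concrete, here is an added user-mode model (example code, not BitDefender's, Kaspersky's or Avast's, and not a kernel driver) of the decision an ObRegisterCallbacks pre-operation callback makes when some process opens a handle to a protected process: dangerous rights are stripped from the requested access mask unless the caller is the protected process itself or another trusted component, so a later TerminateProcess call on that handle fails with access denied, while harmless query rights are left alone so the process still shows up in Task Manager. The PROCESS_* constants are the real winnt.h values; the PIDs, the protected set and the trusted set are constructed for the example.

```python
"""User-mode model of the access-mask filtering a self-protection driver
performs in its ObRegisterCallbacks pre-operation callback."""

from dataclasses import dataclass
from typing import Set

# Real Windows process access rights (winnt.h).
PROCESS_TERMINATE = 0x0001
PROCESS_CREATE_THREAD = 0x0002
PROCESS_VM_OPERATION = 0x0008
PROCESS_VM_READ = 0x0010
PROCESS_VM_WRITE = 0x0020
PROCESS_DUP_HANDLE = 0x0040
PROCESS_SET_INFORMATION = 0x0200
PROCESS_QUERY_INFORMATION = 0x0400
PROCESS_SUSPEND_RESUME = 0x0800
PROCESS_QUERY_LIMITED_INFORMATION = 0x1000

# Rights that would let a caller kill, suspend, inject into or tamper with
# the protected process. Everything else (query rights) is left intact.
DANGEROUS_RIGHTS = (
    PROCESS_TERMINATE | PROCESS_CREATE_THREAD | PROCESS_VM_OPERATION
    | PROCESS_VM_WRITE | PROCESS_DUP_HANDLE | PROCESS_SET_INFORMATION
    | PROCESS_SUSPEND_RESUME
)


@dataclass(frozen=True)
class HandleRequest:
    """What the callback sees: who is opening a handle to whom, and with what access."""
    caller_pid: int
    target_pid: int
    desired_access: int


def filter_handle_access(request: HandleRequest,
                         protected_pids: Set[int],
                         trusted_pids: Set[int]) -> int:
    """Return the access mask the driver leaves in the request.

    Mirrors the post's rule: only the product's own process (and components it
    trusts) may keep termination rights over a protected process.
    """
    if request.target_pid not in protected_pids:
        return request.desired_access          # not our process: untouched
    if request.caller_pid == request.target_pid or request.caller_pid in trusted_pids:
        return request.desired_access          # own process / trusted: full rights
    return request.desired_access & ~DANGEROUS_RIGHTS


def terminate_would_succeed(granted_access: int) -> bool:
    """TerminateProcess needs PROCESS_TERMINATE on the handle; otherwise access denied."""
    return bool(granted_access & PROCESS_TERMINATE)


if __name__ == "__main__":
    protected = {1234}        # constructed PID of the AV service process
    trusted = {1300}          # constructed PID of the AV's own UI component
    # Constructed: Task Manager (PID 2000) asks for terminate + query rights.
    taskmgr = HandleRequest(2000, 1234, PROCESS_TERMINATE | PROCESS_QUERY_INFORMATION)
    granted = filter_handle_access(taskmgr, protected, trusted)
    print(f"granted mask 0x{granted:04x}, terminate succeeds: "
          f"{terminate_would_succeed(granted)}")
```

Two design points matter here. First, stripping rights rather than failing the open keeps the protected process visible to tools, which is why the error only appears when the caller tries to terminate it. Second, trust should be decided on something an attacker cannot spoof as easily as a PID, such as the verified signature of the caller's image; the PID set here is only for the example.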

Secondmineboy

Level 26
Verified
May 25, 2014
1,559
A bit Off-topic:
Big guns like Kaspersky (I don't know any others, but it might be the case) are still using .NET for their AV software.

Try to install Kaspersky on a machine without .NET and you get an error; the installer gives an option to install .NET, but funnily enough it never worked for me :D
 

Deleted member 21043

Thread author
A bit Off-topic:
Big guns like Kaspersky (I don't know any others, but it might be the case) are still using .NET for their AV software.

Try to install Kaspersky on a machine without .NET and you get an error; the installer gives an option to install .NET, but funnily enough it never worked for me :D
Even if they are using .NET, they are doing important things such as self-defence via kernel-mode drivers, which does not involve .NET (and I highly doubt they use any .NET components in any hooking).

Although, what is possible, is they have a driver and talk back to the .NET process. That's possible, and reasonable.
 
Last edited by a moderator:
  • Like
Reactions: Secondmineboy
