How to know if my Antivirus is really necessary?
436880927 said (post 828097):

> Pfftttt... so you want me to stroke you and tell you that everything's going to be alright and that MemProtect can explicitly block code injection when it cannot?
>
> Pathetic.
>
> If you are already in the kernel, like a good AV will already be, then these mechanisms cannot stop you.
>
> 1. Anyone already in the kernel can use DKOM to disable the protected process mechanism and re-enable it after they have performed work. Such has always been the case and Microsoft have never done anything about it because they do not consider it to be a "security issue".
>
> 2. MemProtect can be bypassed from user-mode with standard rights generically. It isn't specific to MemProtect. The technique is allowed by Microsoft - they have been aware of it for over a decade and since it doesn't exploit any security features, it is perfectly acceptable.
>
> 3. MemProtect's driver uses ObRegisterCallbacks to restrict handle creation or duplication. It does not explicitly block code injection. However, it would be stupid to expect it to block an AV with kernel-mode software from injecting code, because such doesn't even have to try and bypass MemProtect.
>
> So @Windows_Security: are you going to continue dancing like an idiot or listen to what you're being told?
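Point 3 above describes what an ObRegisterCallbacks-based driver actually does: it filters process-handle creation and duplication, typically by stripping access rights such as PROCESS_VM_WRITE from the handle a caller receives, rather than blocking injection as such. The script below is an added example, not code from the post, from MemProtect or from any other product mentioned here. It is a user-mode probe a practitioner can run as a standard (non-administrator) user to see what such a filter grants: it opens a target process asking for memory read/write rights and then reads the handle's GrantedAccess back through NtQueryObject(ObjectBasicInformation), so a handle that was silently downgraded by a kernel callback is reported, not just one that was refused outright. The target PID and the access mask requested are assumptions for the demonstration; the Win32/NT APIs used (OpenProcess, CloseHandle, NtQueryObject) are real, and the 56-byte OBJECT_BASIC_INFORMATION layout with GrantedAccess at offset 4 is the documented 64-bit layout.

```powershell
# Added example: probe what access a user-mode caller is actually granted on a
# process handle. Run as a standard user against a PID the memory-protection
# tool claims to protect (PID and access mask below are assumptions).

$probeSource = @'
using System;
using System.Runtime.InteropServices;
public static class HandleProbe {
    [DllImport("kernel32.dll", SetLastError = true)]
    public static extern IntPtr OpenProcess(uint dwDesiredAccess, bool bInheritHandle, uint dwProcessId);
    [DllImport("kernel32.dll", SetLastError = true)]
    public static extern bool CloseHandle(IntPtr hObject);
    // ObjectBasicInformation (class 0) returns OBJECT_BASIC_INFORMATION; GrantedAccess is at offset 4.
    [DllImport("ntdll.dll")]
    public static extern int NtQueryObject(IntPtr Handle, int ObjectInformationClass,
                                           IntPtr ObjectInformation, int ObjectInformationLength,
                                           out int ReturnLength);
}
'@
if (-not ('HandleProbe' -as [type])) { Add-Type -TypeDefinition $probeSource }

function Test-ProcessHandleAccess {
    param([Parameter(Mandatory)][int]$ProcessId)

    # Process access rights (winnt.h). These are the rights an injector needs.
    $PROCESS_VM_OPERATION              = 0x0008
    $PROCESS_VM_READ                   = 0x0010
    $PROCESS_VM_WRITE                  = 0x0020
    $PROCESS_QUERY_LIMITED_INFORMATION = 0x1000
    $wanted = $PROCESS_VM_OPERATION -bor $PROCESS_VM_READ -bor $PROCESS_VM_WRITE -bor $PROCESS_QUERY_LIMITED_INFORMATION

    $h = [HandleProbe]::OpenProcess([uint32]$wanted, $false, [uint32]$ProcessId)
    if ($h -eq [IntPtr]::Zero) {
        # Open refused outright (e.g. ERROR_ACCESS_DENIED = 5). A pre-operation
        # callback may also return STATUS_ACCESS_DENIED via the returned status.
        $err = [Runtime.InteropServices.Marshal]::GetLastWin32Error()
        return [pscustomobject]@{
            ProcessId = $ProcessId; Opened = $false; Win32Error = $err
            Requested = ('0x{0:X4}' -f $wanted); Granted = $null; Stripped = $null
        }
    }

    try {
        $size = 56   # sizeof(OBJECT_BASIC_INFORMATION) on 64-bit Windows
        $buf  = [Runtime.InteropServices.Marshal]::AllocHGlobal($size)
        try {
            $retLen = 0
            $status = [HandleProbe]::NtQueryObject($h, 0, $buf, $size, [ref]$retLen)
            if ($status -ne 0) { throw ('NtQueryObject failed: 0x{0:X8}' -f $status) }
            # GrantedAccess is the ACCESS_MASK the kernel actually put in the handle,
            # after any ObRegisterCallbacks pre-operation callback adjusted it.
            $granted = ([int64][Runtime.InteropServices.Marshal]::ReadInt32($buf, 4)) -band 0xFFFFFFFF
        } finally {
            [Runtime.InteropServices.Marshal]::FreeHGlobal($buf)
        }

        # Bits we asked for that the handle does not carry were removed by a filter
        # (or were never grantable to this caller).
        $stripped = $wanted -band (-bnot $granted)
        [pscustomobject]@{
            ProcessId = $ProcessId; Opened = $true; Win32Error = 0
            Requested = ('0x{0:X4}' -f $wanted)
            Granted   = ('0x{0:X4}' -f $granted)
            Stripped  = ('0x{0:X4}' -f $stripped)
            CanWriteMemory = (($granted -band ($PROCESS_VM_WRITE -bor $PROCESS_VM_OPERATION)) -eq ($PROCESS_VM_WRITE -bor $PROCESS_VM_OPERATION))
        }
    } finally {
        [void][HandleProbe]::CloseHandle($h)
    }
}

# Example run (PID is an assumption; pick a process the tool is configured to protect):
# Test-ProcessHandleAccess -ProcessId 4242 | Format-List
```

Read the result as follows: Opened = $false with Win32Error 5 means the open was refused; Opened = $true with a non-zero Stripped value means the handle was created but downgraded, which is the handle-filtering behaviour the post attributes to MemProtect's driver; CanWriteMemory = $true means nothing in the handle path stopped a standard-rights caller from obtaining write access to that process, whatever the tool's marketing says. Run the same probe against a process the tool does not protect to get a baseline for your account's normal rights before drawing conclusions.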