DDE_Server

Level 21
Verified
It seems all antivirus software has the capability to lock it with a password? Is it worth it if no other person has physical contact with my machine?? Does it add any other security benefit other than locking the settings from being changed by another person?
 

MacDefender

Level 11
Verified
But I read in another forum that it does not matter, as malware can disable antivirus without needing to go through the antivirus GUI.
Yeah I guess it depends on the AV and how good the password protection is. Seems like a lot of AVs don't protect against msiexec uninstalls. I would theorize the best way to test this is to go to Add Remove Programs and attempt to uninstall your AV -- pretend like you just executed malware that performed this action. How does your AV respond?

Some pop up a dialog asking for your confirmation to continue. Some pop one up saying that they are stalling for 30 seconds but someone is trying to uninstall it. Others (Sophos in particular) deny uninstalling unless you can type in a passcode set by you or the Enterprise management server.
 

DDE_Server

Level 21
Verified
Yeah I guess it depends on the AV and how good the password protection is. Seems like a lot of AVs don't protect against msiexec uninstalls. I would theorize the best way to test this is to go to Add Remove Programs and attempt to uninstall your AV -- pretend like you just executed malware that performed this action. How does your AV respond?

Some pop up a dialog asking for your confirmation to continue. Some pop one up saying that they are stalling for 30 seconds but someone is trying to uninstall it. Others (Sophos in particular) deny uninstalling unless you can type in a passcode set by you or the Enterprise management server.
Emsisoft has the same behaviour as Sophos (but the pass code is generated randomly by CAPTCHA) (however the password protection is not active).
 

MacDefender

Level 11
Verified
Emsisoft has the same behaviour as Sophos (but the pass code is generated randomly by CAPTCHA) (however the password protection is not active).
I think that is good enough for the average home user where you really just want to confirm that a human at the computer authorized the deactivation, not some automated background process.

If you don't trust the human though (like shared computers where the operator may want to cause harm), then a passcode seems more appropriate.
 

Parsh

Level 25
Verified
Trusted
Malware Hunter
Another major reason to provide password protection, besides what @MacDefender mentioned, is to prevent unauthorized manual disabling of your AV modules in case a remote attacker has (remote) access to your machine.
Anyways, a small bunch of sophisticated malware has been capable of disabling some security suites in other ways, as we've read at places (and the AVs try to keep up). If password protection is linked to the GUI toggle, it might not help during a non-GUI based attack in this context.
Some AVs need you to enter that password not only when disabling components but also when taking decisions on rules and detected threats. Again helpful in case of unauthorized remote access.

Some AVs have a self-protection that has to be disabled via GUI first, like Defender's Tamper Protection. It could be easily disabled via script.
Well, I see that there's a registry change and also a GP edit option allowing disabling of WD.
Have you tried (or read about) that, and shouldn't WD alert about a script disabling WD or its Tamper Protection?
 
Yes, you should password protect AV, firewall, and all other security software.

I've noticed a shift from attackers: instead of disabling/uninstalling AV completely, they turn on silent mode/gaming mode, and that basically turns off the AV without raising indicators of compromise. It's hard to notice this change because you have to check the AV logs to notice; if gaming mode/silent mode is activated in some software there is no popup.

The first thing an attacker will do is try to escalate to admin; local privesc bugs are worth their weight in gold. Then they will try and drop files and drivers to disk for persistence, then progress to take over firewall controls/settings to allow a RAT/backdoor/RDP to function. Even APT crews need to drop files to disk; they always do, because fileless malware only gets you so far. If you need to do the dirty work you need to drop files to disk.
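Two points in this thread call for the same defender-side check: Parsh's question of whether a registry or Group Policy change disabling Windows Defender (or its Tamper Protection) would be visible, and the post above noting that a quietly changed AV configuration only shows up in the AV logs. The following PowerShell audit script is an added example written for this thread, not code from any poster or from Microsoft. It assumes a Windows 10/11 host with the built-in Defender module, an elevated prompt, and the Defender event IDs Microsoft documents for its Operational log (5001, 5004, 5007, 5010, 5012, 5013); the registry paths and the `TamperProtection` value meaning (5 = on, 4 = off) are the commonly observed ones and should be treated as assumptions to verify on your own build.

```powershell
# Added example, not from the thread: snapshot Defender's protection state and
# pull recent "protection disabled / configuration changed / tamper blocked"
# events so a silent change is caught even when no popup was shown.
# Assumes Windows 10/11 with the Defender PowerShell module; run elevated.

function Get-DefenderProtectionState {
    $status = Get-MpComputerStatus
    $pref   = Get-MpPreference

    # Policy keys that Group Policy or a script can use to turn Defender off
    # (assumed paths; verify on your build).
    $policy   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender'
    $rtPolicy = Join-Path $policy 'Real-Time Protection'
    $features = 'HKLM:\SOFTWARE\Microsoft\Windows Defender\Features'

    [pscustomobject]@{
        AntivirusEnabled         = $status.AntivirusEnabled
        RealTimeProtection       = $status.RealTimeProtectionEnabled
        TamperProtected          = $status.IsTamperProtected
        PrefRealtimeDisabled     = $pref.DisableRealtimeMonitoring
        PolicyDisableAntiSpyware = (Get-ItemProperty -Path $policy   -Name DisableAntiSpyware        -ErrorAction SilentlyContinue).DisableAntiSpyware
        PolicyDisableRealtime    = (Get-ItemProperty -Path $rtPolicy -Name DisableRealtimeMonitoring -ErrorAction SilentlyContinue).DisableRealtimeMonitoring
        # Assumed meaning: 5 = tamper protection on, 4 = off
        TamperProtectionValue    = (Get-ItemProperty -Path $features -Name TamperProtection          -ErrorAction SilentlyContinue).TamperProtection
    }
}

function Get-DefenderTamperEvents {
    param([int]$Hours = 24)
    # Defender Operational log event IDs (per Microsoft documentation):
    # 5001 real-time protection disabled, 5004 real-time config changed,
    # 5007 configuration changed, 5010/5012 malware/virus scanning disabled,
    # 5013 tamper protection blocked a change.
    $filter = @{
        LogName   = 'Microsoft-Windows-Windows Defender/Operational'
        Id        = 5001, 5004, 5007, 5010, 5012, 5013
        StartTime = (Get-Date).AddHours(-$Hours)
    }
    # Get-WinEvent errors when nothing matches; treat that as "no events".
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id,
            @{ Name = 'Summary'; Expression = { ($_.Message -split "`r?`n")[0] } }
}

function Test-DefenderIntegrity {
    param([int]$Hours = 24)
    $state    = Get-DefenderProtectionState
    $findings = New-Object System.Collections.Generic.List[string]

    if (-not $state.AntivirusEnabled)        { $findings.Add('Antivirus engine reports disabled') }
    if (-not $state.RealTimeProtection)      { $findings.Add('Real-time protection is off') }
    if (-not $state.TamperProtected)         { $findings.Add('Tamper Protection is off') }
    if ($state.PrefRealtimeDisabled)         { $findings.Add('DisableRealtimeMonitoring set in preferences') }
    if ($state.PolicyDisableAntiSpyware -eq 1) { $findings.Add('Policy key DisableAntiSpyware = 1 (GPO/script disable)') }
    if ($state.PolicyDisableRealtime -eq 1)  { $findings.Add('Policy key DisableRealtimeMonitoring = 1') }

    $events = @(Get-DefenderTamperEvents -Hours $Hours)
    foreach ($e in $events) {
        $findings.Add(('{0} event {1}: {2}' -f $e.TimeCreated, $e.Id, $e.Summary))
    }

    [pscustomobject]@{
        State    = $state
        Findings = $findings
        Healthy  = ($findings.Count -eq 0)
    }
}

# Usage: run the audit and print anything worth a second look.
$report = Test-DefenderIntegrity -Hours 24
$report.State | Format-List
if ($report.Healthy) {
    Write-Host 'No Defender state changes or tamper events in the last 24 hours.'
} else {
    Write-Host 'Findings:'
    $report.Findings | ForEach-Object { Write-Host " - $_" }
}
```

The value of checking both the live state and the log is that they fail differently: a configuration pushed back to "protected" after a brief window leaves no trace in the snapshot but does leave a 5004/5007 event, while a policy key set before the service restarted may show in the snapshot with no recent event. Scheduling this to run and forward its findings to a central log is the practical answer to "you have to check the AV logs to notice".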
 