The Cog in the Machine

Level 23
Verified
Yes, you should password protect AV, firewall, and all other security software.

I've noticed a shift from attackers: instead of disabling/uninstalling AV completely, they turn on silent mode/gaming mode, and that basically turns off the AV without raising indicators of compromise. It's hard to notice this change because you have to check the AV logs to notice it; if gaming mode/silent mode is activated in some software, there is no popup.

The first thing an attacker will do is try to escalate to admin; even a standard user account is useless against local privesc. Then they will try to drop files and drivers to disk for persistence, then progress to taking over firewall controls/settings to allow a RAT/backdoor/RDP.
Trend Micro here is password protected, but I was able to enable "Mute Mode" and it did not ask for a password!

The Cog in the Machine

Level 23
Verified
Exactly, most AV vendors are guilty of this; it is a huge security risk that needs to be addressed. Why delete an AV when you can turn off real-time scanning?
I ran a quick test to see if real-time scanning is disabled when "Mute Mode" is enabled. I enabled "Mute Mode", headed to Amtso.org and tried to download the PUP test sample, and it was blocked, but with no notifications.

Screenshot (6).png
The firewall module is still active; that's not the problem I'm talking about. All malware traffic is port 443 TCP, maybe port 53 UDP for enterprise, and you can't block those ports. It's the AV module that's the problem. I imagine when muted/silent/gaming mode is enabled the AV won't notify you of changed settings/whitelisting of files with a popup. That's the problem.

The Cog in the Machine

Level 23
Verified
The firewall module is still active; that's not the problem I'm talking about. All malware traffic is port 443 TCP, maybe port 53 UDP for enterprise, and you can't block those ports. It's the AV module that's the problem. I imagine when muted/silent/gaming mode is enabled the AV won't notify you of changed settings/whitelisting of files with a popup. That's the problem.
But you'll get notified of every single change when you exit "Mute Mode".

DDE_Server

Level 21
Verified
Yes, you should password protect AV, firewall, and all other security software.

I've noticed a shift from attackers: instead of disabling/uninstalling AV completely, they turn on silent mode/gaming mode, and that basically turns off the AV without raising indicators of compromise. It's hard to notice this change because you have to check the AV logs to notice it; if gaming mode/silent mode is activated in some software, there is no popup.

The first thing an attacker will do is try to escalate to admin; local privesc bugs are worth their weight in gold. Then they will try to drop files and drivers to disk for persistence, then progress to taking over firewall controls/settings to allow a RAT/backdoor/RDP to function. Even APT crews need to drop files to disk; they always do, because fileless malware only gets you so far. If you need to do the dirty work, you need to drop files to disk.
Then my case is good, as I am using a Standard user account by default and have enabled password protection, which also needs administrator privilege to type it, so this will make privilege escalation and disabling the AV harder than in the case of an administrator account.

DDE_Server

Level 21
Verified
The firewall module is still active; that's not the problem I'm talking about. All malware traffic is port 443 TCP, maybe port 53 UDP for enterprise, and you can't block those ports. It's the AV module that's the problem. I imagine when muted/silent/gaming mode is enabled the AV won't notify you of changed settings/whitelisting of files with a popup. That's the problem.
But there is a problem: in case I run a video player, for example, silent mode is enabled in Emsisoft, then when I exit it is disabled. However, I think, as @The Cog in the Machine does, that its process still works in the background; only notification is disabled, not AV capability.
But you'll get notified of every single change when you exit "Mute Mode".
When you exit muted mode, notifications and scanning will go back to normal, yes, but during it you probably won't get the notifications of changes. Scanning during muted mode is basically neutered on all AVs. I seriously doubt you will be notified, after you come out of muted mode, if a file has been whitelisted or changed hash during it. The only way you can detect changes is checking the logs, and how many people do that every day? If you're a skilled attacker you delete logs anyway if they are not restricted.

But there is a problem: in case I run a video player, for example, silent mode is enabled in Emsisoft, then when I exit it is disabled. However, I think, as @The Cog in the Machine does, that its process still works in the background; only notification is disabled, not AV capability.
The problem with Emsisoft (I love Emsisoft, btw) is that it whitelists Windows files automatically and excludes some Windows processes from scanning and protection in the behavior blocking module, which should really be monitored for changes. Plus, Emsisoft adds a trusted security setting to files that the behavior blocker pops up warnings about, if you accept "allow".

DDE_Server

Level 21
Verified
When you exit muted mode, notifications and scanning will go back to normal, yes, but during it you probably won't get the notifications of changes. Scanning during muted mode is basically neutered on all AVs. I seriously doubt you will be notified, after you come out of muted mode, if a file has been whitelisted or changed hash during it. The only way you can detect changes is checking the logs, and how many people do that every day? If you're a skilled attacker you delete logs anyway.
Yes, I check the log regularly, as it is integrated directly in the Emsisoft interface.
1585178620616.png

DDE_Server

Level 21
Verified
When you exit muted mode, notifications and scanning will go back to normal, yes, but during it you probably won't get the notifications of changes. Scanning during muted mode is basically neutered on all AVs. I seriously doubt you will be notified, after you come out of muted mode, if a file has been whitelisted or changed hash during it. The only way you can detect changes is checking the logs, and how many people do that every day? If you're a skilled attacker you delete logs anyway if they are not restricted.

The problem with Emsisoft (I love Emsisoft, btw) is that it whitelists Windows files automatically and excludes some Windows processes from scanning and protection in the behavior blocking module, which should really be monitored for changes. Plus, Emsisoft adds a trusted security setting to files that the behavior blocker pops up warnings about, if you accept "allow".
Yes, as a trusted Windows process is not allowed to be monitored, which could only be abused by injections or exploitation, and if these cases happened any AV would be bypassed, except in case exploitation could be prevented in memory, which could be done with special software such as HitmanPro.Alert, for example.

Local Host

Level 22
Verified
Gaming/Silent mode does not disable any AV component; it simply suppresses notifications and avoids triggering scans.

Password-protecting your AV won't do much against malware either; the idea is to protect the AV locally (from human tampering), not to protect the AV against malware/remote attacks (for malware protection, AVs have other modules for self-protection).