Should I protect my antivirus with password or it doesn't matter ?

Divine_Barakah

Divine_Barakah

Level 33
Verified
Top Poster
Well-known
May 10, 2019
2,289
Zero Knowledge said:
Yes you should password protect AV, Firewall, and all other security software.

I've noticed a shift from attackers, instead of disabling/uninstalling AV completely, they turn on silent mode/gaming mode and that basically turns off the AV without raising indicators of compromise. It's hard to notice this change because you have to check the AV logs to notice, if gaming mode/silent mode is activated in some software there is no popup.

The first thing a attacker will do is try to escalate to admin, even standard user account is useless against local privesc. Then they will try and drop files and drivers to disk for persistence, then progress to take over firewall controls/settings to allow a RAT/Backdoor/RDP.
Click to expand...

Trend Micro here is password protected but I was able to enable "Mute Mode" and it did not ask for password!
 
  • Like
Reactions: Stopspying, Protomartyr, roger_m and 3 others
Divine_Barakah

Divine_Barakah

Level 33
Verified
Top Poster
Well-known
May 10, 2019
2,289
Zero Knowledge said:
Exactly, most AV vendors are guilty of this, it is a huge security risk that needs to be addressed. Why delete a AV when you can turn off real time scanning.
Click to expand...
I have run a quick test to see if real time scanning is disabled if "Mute Mode" is enabled. I have enabled "Mute Mode" and headed to Amtso.org and tried to download the PUP test sample and it was blocked but with no notifications.

Screenshot (6).png
 
  • Like
Reactions: Stopspying, Protomartyr, roger_m and 2 others
Z

Zero Knowledge

Level 20
Verified
Top Poster
Content Creator
Dec 2, 2016
884
Firewall module is still active, that's not the problem I'm talking about. All malware traffic is port 443 tcp, maybe port 53 udp for enterprise and you can't block those ports. It's the AV module that's the problem. I imagine when muted/silent/gaming mode is enabled the AV wont notify you of changed settings/whitelisting of files with a popup. That's the problem.
 
  • Like
Reactions: Stopspying, Protomartyr, roger_m and 3 others
Divine_Barakah

Divine_Barakah

Level 33
Verified
Top Poster
Well-known
May 10, 2019
2,289
Zero Knowledge said:
Firewall module is still active, that's not the problem I'm talking about. All malware traffic is port 443 tcp, maybe port 53 udp for enterprise and you can't block those ports. It's the AV module that's the problem. I imagine when muted/silent/gaming mode is enabled the AV wont notify you of changed settings/whitelisting of files with a popup. That's the problem.
Click to expand...
But you'll get notified of every single change when you exit "Mute Mode".
 
  • Like
Reactions: Stopspying, Protomartyr, DDE_Server and 1 other person
DDE_Server

DDE_Server

Level 22
Thread author
Verified
Top Poster
Well-known
Sep 5, 2017
1,190
Zero Knowledge said:
Yes you should password protect AV, Firewall, and all other security software.

I've noticed a shift from attackers, instead of disabling/uninstalling AV completely, they turn on silent mode/gaming mode and that basically turns off the AV without raising indicators of compromise. It's hard to notice this change because you have to check the AV logs to notice, if gaming mode/silent mode is activated in some software there is no popup.

The first thing a attacker will do is try to escalate to admin, local privesc bugs are worth their weight in gold. Then they will try and drop files and drivers to disk for persistence, then progress to take over firewall controls/settings to allow a RAT/Backdoor/RDP to function. Even APT crews need to drop files to disk, they always do because fileless malware only gets you so far. If you need to do the dirty work you need to drop files to disk.
Click to expand...
Then my case is good as i am using Standard user account by default and enabled password protection which also need administrator privilege to type it so this will make privilege escalation and disabling AV more harder than in case administrator account
 
  • Like
Reactions: Stopspying, Protomartyr and Venustus
DDE_Server

DDE_Server

Level 22
Thread author
Verified
Top Poster
Well-known
Sep 5, 2017
1,190
bu
Zero Knowledge said:
Firewall module is still active, that's not the problem I'm talking about. All malware traffic is port 443 tcp, maybe port 53 udp for enterprise and you can't block those ports. It's the AV module that's the problem. I imagine when muted/silent/gaming mode is enabled the AV wont notify you of changed settings/whitelisting of files with a popup. That's the problem.
Click to expand...
but there is a problem in case i run video player for example silent mode is enable in Emsisoft then when i exit it is disabled however i think such as @The Cog in the Machine .it is process still work in the background only notification is disabled not AV capability
 
  • Like
  • +Reputation
Reactions: Stopspying, Protomartyr, Venustus and 1 other person
Z

Zero Knowledge

Level 20
Verified
Top Poster
Content Creator
Dec 2, 2016
884
The Cog in the Machine said:
But you'll get notified of every single change when you exit "Mute Mode".
Click to expand...

When you exit muted mode notifications and scanning will go back to normal yes but during it you probably wont get the notifications of changes. Scanning during muted mode is basically neutered on all AV. I seriously doubt you will be notified if a file has been whitelisted/changed hash during muted mode after you come out of it. The only way you can detect changes is checking the logs, and how many people do that every day? If your a skilled attacker you delete logs anyway if they are not restricted.

DDE_Server said:
bu

but there is a problem in case i run video player for example silent mode is enable in Emsisoft then when i exit it is disabled however i think such as @The Cog in the Machine .it is process still work in the background only notification is disabled not AV capability
Click to expand...

The problem with Emsisoft (I love Emsisoft btw) is that it whitelists windows files automatically and excludes some windows processes from scanning and protection in the behavior blocking module which should really be monitored for changes. Plus Emsisoft adds trusted security setting to files the behavior blocker pops up with warnings with if you accept allow.
 
Last edited:
  • Like
Reactions: Stopspying, Protomartyr, Venustus and 2 others
DDE_Server

DDE_Server

Level 22
Thread author
Verified
Top Poster
Well-known
Sep 5, 2017
1,190
Zero Knowledge said:
When you exit muted mode notifications and scanning will go back to normal yes but during it you probably wont get the notifications of changes. Scanning during muted mode is basically neutered on all AV. I seriously doubt you will be notified if a file has been whitelisted/changed hash during muted mode after you come out of it. The only way you can detect changes is checking the logs, and how many people do that every day? If your a skilled attacker you delete logs anyway.
Click to expand...
yes i check the log regularly as it is integrated directly in Emsisift interface
1585178620616.png
 
  • Like
Reactions: bribon77, Stopspying, Protomartyr and 1 other person
DDE_Server

DDE_Server

Level 22
Thread author
Verified
Top Poster
Well-known
Sep 5, 2017
1,190
Zero Knowledge said:
When you exit muted mode notifications and scanning will go back to normal yes but during it you probably wont get the notifications of changes. Scanning during muted mode is basically neutered on all AV. I seriously doubt you will be notified if a file has been whitelisted/changed hash during muted mode after you come out of it. The only way you can detect changes is checking the logs, and how many people do that every day? If your a skilled attacker you delete logs anyway if they are not restricted.



The problem with Emsisoft (I love Emsisoft btw) is that it whitelists windows files automatically and excludes some windows processes from scanning and protection in the behavior blocking module which should really be monitored for changes. Plus Emsisoft adds trusted security setting to files the behavior blocker pops up with warnings with if you accept allow.
Click to expand...
yes as trusted windows process doesnot allow to be monitored which only could be abused by injections or exploitation and if this cases happened any AV will be bypassed except in case exploitation could be prevented in memory which could be applied with special software such as hitman pro alert for example)
 
  • Like
Reactions: Stopspying, Protomartyr, Venustus and 1 other person
L

Local Host

Gaming/Silent mode does not disable any AV component, it simply surpresses notifications and avoids triggering scans.

Password protecting your AV won't do much against malware either, the idea is to protect the AV locally (from human tampering), not to protect the AV against malware/remote attacks (for malware protection AVs have other modules for self protection).
 
Last edited:
  • Like
  • +Reputation
Reactions: RXZ6Q, Stopspying, Protomartyr and 6 others
Z

Zero Knowledge

Level 20
Verified
Top Poster
Content Creator
Dec 2, 2016
884
That's a big problem though, if you don't get a notification svchost.exe hash has changed or a windows file is calling out to a server in China and a scan is not made on the file you are hosed. The reason you password protect your security software especially firewall is two fold, internal and external tampering. They both overlap each other.
 
  • Like
Reactions: Stopspying, Protomartyr, Divine_Barakah and 2 others

Similar threads

XylentAntivirus
    • Like
  • Poll
Serious Discussion Should I don't use YARA rules in my antivirus product? Or Machine Learning AI with very fast scan is best?
Replies
5
Views
770
Other security for Windows, Mac, Linux
XylentAntivirus
XylentAntivirus
Shadowra
    • Like
    • +Reputation
    • Hundred Points
App Review Shadowra's Big Comparative : Episode 2 - Paid Antivirus
Replies
127
Views
5,381
Video Reviews - Security and Privacy
cartaphilus
cartaphilus
oldschool
    • Like
    • +Reputation
    • Thanks
New Update Enhanced Phishing Protection in Microsoft Defender SmartScreen
Replies
11
Views
1,049
Windows 11
simmerskool
simmerskool

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

Quick Navigation

Forum Rules Warning System Welcome Guide Two-factor Authentication

User Menu

Login

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top