Should I protect my antivirus with a password, or doesn't it matter?

DDE_Server

Level 22
Thread author
Verified
Top Poster
Well-known
Sep 5, 2017
1,168
It seems all antivirus software has the capability to lock it with a password. Is it worth it if no other person has physical contact with my machine? Does it add any other security benefit other than locking the settings from being changed by another person?
 

MacDefender

Level 16
Verified
Top Poster
Oct 13, 2019
779
But I read in another forum that it does not matter, as malware can disable antivirus without needing to go through the antivirus GUI.
Yeah, I guess it depends on the AV and how good the password protection is. It seems like a lot of AVs don't protect against msiexec uninstalls. I would theorize the best way to test this is to go to Add/Remove Programs and attempt to uninstall your AV; pretend that you just executed malware that performed this action. How does your AV respond?

Some pop up a dialog asking for your confirmation to continue. Some pop one up saying that they are stalling for 30 seconds but someone is trying to uninstall it. Others (Sophos in particular) deny uninstalling unless you can type in a passcode set by you or the enterprise management server.
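The uninstall test described above, as an added example that is not part of the original post: it lists the AV products registered with Windows Security Center, finds their Add/Remove Programs entries, and shows (and, only on explicit confirmation, runs) the quiet msiexec uninstall that malware running as admin would use, so you can see whether the product prompts, stalls, asks for a passcode, or just goes away. The productState decoding follows the commonly documented but unofficial layout and is an assumption; the function names are my own.

```powershell
# Added example (not from the thread): enumerate registered AV products and the
# non-GUI uninstall surface malware would use. Run from an elevated PowerShell on
# a client Windows build (root/SecurityCenter2 is not present on Server SKUs).
# productState decoding below is the commonly documented, not officially
# published, layout: hex byte 2 = real-time protection, byte 3 = signature status.

function Get-RegisteredAv {
    Get-CimInstance -Namespace 'root/SecurityCenter2' -ClassName AntiVirusProduct |
        ForEach-Object {
            $hex = '{0:x6}' -f [int]$_.productState
            $rtp = $hex.Substring(2, 2) -in @('10', '11')
            $sig = $hex.Substring(4, 2) -eq '00'
            [pscustomobject]@{
                Name        = $_.displayName
                RealTimeOn  = $rtp
                SigsCurrent = $sig
                ExePath     = $_.pathToSignedProductExe
            }
        }
}

function Get-UninstallEntries {
    param([string]$NameFilter = '*')
    $roots = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall'
    )
    foreach ($root in $roots) {
        Get-ChildItem -Path $root -ErrorAction SilentlyContinue | ForEach-Object {
            $p = Get-ItemProperty -Path $_.PSPath
            if ($p.DisplayName -like $NameFilter) {
                # An MSI-installed product has a GUID subkey; malware running as admin
                # can call msiexec /x {GUID} /qn without ever opening the AV's GUI.
                $isMsi = $_.PSChildName -match '^\{[0-9A-Fa-f-]{36}\}$'
                $code  = if ($isMsi) { $_.PSChildName } else { $null }
                $quiet = if ($isMsi) { "msiexec.exe /x $($_.PSChildName) /qn" } else { $p.QuietUninstallString }
                [pscustomobject]@{
                    DisplayName     = $p.DisplayName
                    ProductCode     = $code
                    UninstallString = $p.UninstallString
                    QuietUninstall  = $quiet
                }
            }
        }
    }
}

# The actual test: run the quiet uninstall the way malware would and report how
# the AV reacted. msiexec exit codes: 0 = uninstalled (self-protection failed),
# 1602 = cancelled by the user or the product, 1603 = fatal error (usually blocked).
function Test-QuietUninstall {
    [CmdletBinding(SupportsShouldProcess = $true, ConfirmImpact = 'High')]
    param([Parameter(Mandatory)][string]$ProductCode)
    if ($PSCmdlet.ShouldProcess($ProductCode, 'msiexec /x /qn')) {
        $proc = Start-Process -FilePath 'msiexec.exe' -ArgumentList "/x $ProductCode /qn" -Wait -PassThru
        [pscustomobject]@{ ProductCode = $ProductCode; ExitCode = $proc.ExitCode }
    }
}

# Usage: see what is registered, then what its uninstall surface looks like.
Get-RegisteredAv | Format-Table -AutoSize
foreach ($av in Get-RegisteredAv) {
    $vendor = ($av.Name -split ' ')[0]   # first word usually matches the Add/Remove entry
    Get-UninstallEntries -NameFilter "*$vendor*" | Format-List
}
# Then, deliberately: Test-QuietUninstall -ProductCode '{GUID-from-above}' -Confirm
```

Test-QuietUninstall deliberately demands confirmation, because if the product's self-protection does not cover the MSI path the call really will remove it; the interesting outcome is an exit code other than 0 together with whatever dialog, delay or passcode prompt the AV throws up.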
 

DDE_Server

Level 22
Thread author
Verified
Top Poster
Well-known
Sep 5, 2017
1,168
Yeah, I guess it depends on the AV and how good the password protection is. It seems like a lot of AVs don't protect against msiexec uninstalls. I would theorize the best way to test this is to go to Add/Remove Programs and attempt to uninstall your AV; pretend that you just executed malware that performed this action. How does your AV respond?

Some pop up a dialog asking for your confirmation to continue. Some pop one up saying that they are stalling for 30 seconds but someone is trying to uninstall it. Others (Sophos in particular) deny uninstalling unless you can type in a passcode set by you or the enterprise management server.
Emsisoft has the same behaviour as Sophos (but the passcode is generated randomly by a CAPTCHA) (however, the password protection is not active).
 

bribon77

Level 35
Verified
Top Poster
Well-known
Jul 6, 2017
2,392
Emsisoft has the same behaviour as Sophos (however, the password protection is not active).
(attachment: Screenshot_1.png)
 

MacDefender

Level 16
Verified
Top Poster
Oct 13, 2019
779
Emsisoft has the same behaviour as Sophos (but the passcode is generated randomly by a CAPTCHA) (however, the password protection is not active).
I think that is good enough for the average home user, where you really just want to confirm that a human at the computer authorized the deactivation, not some automated background process.

If you don't trust the human though (like shared computers where the operator may want to cause harm), then a passcode seems more appropriate.
 

Parsh

Level 25
Verified
Honorary Member
Top Poster
Malware Hunter
Well-known
Dec 27, 2016
1,480
Another major reason to use password protection, besides what @MacDefender mentioned, is to prevent unauthorized manual disabling of your AV modules in case a remote attacker has (remote) access to your machine.
Anyway, a small bunch of sophisticated malware has been capable of disabling some security suites in other ways, as we've read in places (and the AVs try to keep up). If the password protection is linked to the GUI toggle, it might not help during a non-GUI-based attack in this context.
Some AVs need you to enter that password not only when disabling components but also when taking decisions on rules and detected threats. Again, helpful in case of unauthorized remote access.

Some AVs have a self-protection that has to be disabled via the GUI first, like Defender's Tamper Protection. It could be easily disabled via script.
Well, I see that there's a registry change and also a GP edit option allowing disabling of WD.
Have you tried (or read about) that, and shouldn't WD alert about a script disabling WD or its Tamper Protection?
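An added example, not from the post above, that answers the "shouldn't WD alert about a script disabling it?" question for Microsoft Defender specifically: it reads the Tamper Protection state plus the registry/policy values that can switch Defender off, pulls the events Defender writes when a script tries, and (only on explicit confirmation) attempts the scripted disable so you can watch what is logged. The registry value meanings are assumptions from public documentation and observation (TamperProtection 5 = on, 4 = off; DisableAntiSpyware 1 = disabled by policy); the function names are mine.

```powershell
# Added example (not from the thread): audit the non-GUI paths that can turn
# Microsoft Defender off and show the events Defender logs when that is tried.
# Run elevated. Registry meanings are assumptions from public docs/observation:
#   HKLM\...\Windows Defender\Features\TamperProtection : 5 = on, 4 = off
#   HKLM\SOFTWARE\Policies\...\Windows Defender\DisableAntiSpyware : 1 = off by policy

function Get-DefenderTamperState {
    $status = Get-MpComputerStatus
    $prefs  = Get-MpPreference
    $tpKey  = 'HKLM:\SOFTWARE\Microsoft\Windows Defender\Features'
    $polKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender'
    $tpVal  = (Get-ItemProperty -Path $tpKey  -Name TamperProtection   -ErrorAction SilentlyContinue).TamperProtection
    $polVal = (Get-ItemProperty -Path $polKey -Name DisableAntiSpyware -ErrorAction SilentlyContinue).DisableAntiSpyware
    [pscustomobject]@{
        TamperProtected          = $status.IsTamperProtected
        TamperProtectionRegValue = $tpVal
        RealTimeProtection       = $status.RealTimeProtectionEnabled
        DisableRealtimePref      = $prefs.DisableRealtimeMonitoring
        PolicyDisableAntiSpyware = $polVal   # $null means no policy/registry override set
    }
}

# Defender Operational log IDs from Microsoft's documented event list:
#   5001 real-time protection disabled   5004 RTP configuration changed
#   5007 configuration changed (old/new) 5010 antispyware scanning disabled
#   5012 antivirus scanning disabled     5013 tamper protection blocked a change
function Get-DefenderTamperEvents {
    param([int]$Hours = 24)
    $filter = @{
        LogName   = 'Microsoft-Windows-Windows Defender/Operational'
        Id        = 5001, 5004, 5007, 5010, 5012, 5013
        StartTime = (Get-Date).AddHours(-$Hours)
    }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, @{ n = 'Summary'; e = { ($_.Message -split "`r?`n")[0] } }
}

# Simulate the "a script disables Defender" case. With Tamper Protection on the
# change is refused or silently ignored and a 5013 is logged; with it off, real-time
# protection really goes down and you get 5001/5007 instead.
function Test-ScriptedDisable {
    [CmdletBinding(SupportsShouldProcess = $true, ConfirmImpact = 'High')]
    param()
    if ($PSCmdlet.ShouldProcess('Microsoft Defender', 'Set-MpPreference -DisableRealtimeMonitoring $true')) {
        try   { Set-MpPreference -DisableRealtimeMonitoring $true -ErrorAction Stop }
        catch { Write-Warning "Call rejected: $($_.Exception.Message)" }
        Start-Sleep -Seconds 2
        Get-DefenderTamperState
        Get-DefenderTamperEvents -Hours 1
        # Put it back regardless of what happened above.
        Set-MpPreference -DisableRealtimeMonitoring $false -ErrorAction SilentlyContinue
    }
}

Get-DefenderTamperState
Get-DefenderTamperEvents | Format-Table -AutoSize
# Deliberately: Test-ScriptedDisable -Confirm
```

The point of the test is the log, not the popup: Defender does not show a toast for the blocked change, so the 5013 (or, with Tamper Protection off, the 5001/5007 pair) in the Operational log is what you would alert on.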
 

Zero Knowledge

Level 20
Verified
Top Poster
Content Creator
Dec 2, 2016
841
Yes you should password protect AV, Firewall, and all other security software.

I've noticed a shift from attackers: instead of disabling/uninstalling the AV completely, they turn on silent mode/gaming mode, and that basically turns off the AV without raising indicators of compromise. It's hard to notice this change because you have to check the AV logs to notice; if gaming mode/silent mode is activated in some software there is no popup.

The first thing an attacker will do is try to escalate to admin; local privesc bugs are worth their weight in gold. Then they will try to drop files and drivers to disk for persistence, then progress to taking over firewall controls/settings to allow a RAT/backdoor/RDP to function. Even APT crews need to drop files to disk; they always do, because fileless malware only gets you so far. If you need to do the dirty work, you need to drop files to disk.
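An added example for the firewall step in the post above (not the poster's code): it lists enabled inbound allow rules whose program lives outside the usual install locations or which open RDP, and reads the firewall's own Operational log, which records rule additions and changes even when the security product shows no popup. Which paths count as trusted is an assumption to adjust for your own machine; the function names are mine.

```powershell
# Added example (not from the thread): two checks for the "take over the firewall
# to let a RAT/backdoor/RDP through" step. Run elevated on Windows 8+/Server 2012+.
# The trusted install roots are an assumption; adjust them for your environment.

$TrustedRoots = @($env:ProgramFiles, ${env:ProgramFiles(x86)}, $env:SystemRoot) |
    Where-Object { $_ }

# Enabled inbound Allow rules whose program is outside the trusted roots, or which
# open RDP (TCP/3389). Rule program paths may contain %VAR%, so expand them first.
function Get-SuspiciousInboundAllowRules {
    $rules = Get-NetFirewallRule -Enabled True -Direction Inbound -Action Allow -ErrorAction SilentlyContinue
    foreach ($r in $rules) {
        $app  = $r | Get-NetFirewallApplicationFilter
        $port = $r | Get-NetFirewallPortFilter
        $prog = [Environment]::ExpandEnvironmentVariables([string]$app.Program)
        $reasons = @()
        if ($prog -and $prog -ne 'Any' -and $prog -ne 'System' -and
            -not ($TrustedRoots | Where-Object { $prog -like "$_\*" })) {
            $reasons += 'program outside trusted roots'
        }
        if ($port.Protocol -eq 'TCP' -and ($port.LocalPort -contains '3389')) {
            $reasons += 'opens RDP'
        }
        if ($reasons) {
            [pscustomobject]@{
                Name    = $r.DisplayName
                Program = $prog
                Port    = ($port.LocalPort -join ',')
                Profile = $r.Profile
                Reason  = ($reasons -join '; ')
            }
        }
    }
}

# Rule and setting changes go to the firewall's own Operational log, which is on
# by default (no audit policy needed): 2003 = setting changed, 2004 = rule added,
# 2005 = rule modified, 2006 = rule deleted. The event body names the rule and
# the "Modifying Application", i.e. the process that made the change.
function Get-RecentFirewallChanges {
    param([int]$Hours = 24)
    $filter = @{
        LogName   = 'Microsoft-Windows-Windows Firewall With Advanced Security/Firewall'
        Id        = 2003, 2004, 2005, 2006
        StartTime = (Get-Date).AddHours(-$Hours)
    }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            $lines = $_.Message -split "`r?`n"
            [pscustomobject]@{
                Time    = $_.TimeCreated
                Id      = $_.Id
                Summary = $lines[0]
                Detail  = ($lines | Where-Object { $_ -match 'Rule Name:|Modifying Application:' }) -join ' | '
            }
        }
}

Get-SuspiciousInboundAllowRules | Format-Table -AutoSize
Get-RecentFirewallChanges      | Format-Table -Wrap
```

A rule added by a RAT will typically show a "Modifying Application" that is not mmc.exe, netsh.exe or an installer you recognise, and a program path under a user-writable directory; that combination is worth more than any single popup the AV may or may not have shown.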
 
