Should I protect my antivirus with a password, or doesn't it matter?

Divine_Barakah

Level 29
Verified
Top Poster
Well-known
May 10, 2019
1,854
Yes, you should password protect AV, firewall, and all other security software.

I've noticed a shift from attackers: instead of disabling/uninstalling the AV completely, they turn on silent mode/gaming mode, and that basically turns off the AV without raising indicators of compromise. It's hard to notice this change because you have to check the AV logs to notice it; if gaming mode/silent mode is activated in some software there is no popup.

The first thing an attacker will do is try to escalate to admin; even a standard user account is useless against local privesc. Then they will try to drop files and drivers to disk for persistence, then progress to taking over firewall controls/settings to allow a RAT/backdoor/RDP.

Trend Micro here is password protected, but I was able to enable "Mute Mode" and it did not ask for a password!
 

Divine_Barakah

Level 29
Verified
Top Poster
Well-known
May 10, 2019
1,854
Exactly, most AV vendors are guilty of this; it is a huge security risk that needs to be addressed. Why delete an AV when you can turn off real-time scanning?
I have run a quick test to see if real-time scanning is disabled when "Mute Mode" is enabled. I enabled "Mute Mode", headed to Amtso.org and tried to download the PUP test sample, and it was blocked, but with no notification.

 
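The test above relies on watching the browser; the same question ("does on-access scanning still fire while the product is muted, even though it no longer pops up?") can be answered without a browser or a popup by dropping the industry-standard EICAR test file and checking whether it survives. This is an added example, not code from the thread or from any vendor; it is vendor-neutral, assumes nothing beyond a writable %TEMP%, and only looks at whether the file is removed or blocked, not at any notification.

```powershell
# Added example (not from the thread): verify that real-time scanning still fires while
# the AV is in mute/silent/gaming mode, by dropping the EICAR test file and watching
# whether it survives on disk. No popup is required: either the on-access scanner removes
# or blocks the file, or it does not.
#
# The test string is assembled from two pieces so that this script file itself is not
# quarantined by the AV the moment it is saved to disk.
$eicarParts = @(
    'X5O!P%@AP[4\PZX54(P^)7CC)7}',
    '$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*'
)
$eicar = -join $eicarParts   # 68-byte string every AV engine recognises

$testDir  = Join-Path $env:TEMP 'av-mute-mode-check'   # hypothetical folder name
$testFile = Join-Path $testDir 'eicar.com'
New-Item -ItemType Directory -Path $testDir -Force | Out-Null

# Write plain ASCII with no BOM and no trailing newline: any extra byte changes the
# content and the signature no longer matches.
[System.IO.File]::WriteAllText($testFile, $eicar, [System.Text.Encoding]::ASCII)
$written = Get-Date

# Give the on-access scanner a few seconds. Engines act on file close or on first read,
# so the loop also reads the file to trigger on-read scanners.
$deadline = $written.AddSeconds(15)
$removed  = $false
while ((Get-Date) -lt $deadline) {
    if (-not (Test-Path -LiteralPath $testFile)) { $removed = $true; break }
    try {
        [void][System.IO.File]::ReadAllBytes($testFile)
    } catch {
        # Access denied / file vanished mid-read: the scanner blocked or quarantined it.
        $removed = $true; break
    }
    Start-Sleep -Milliseconds 500
}

if ($removed) {
    'PASS: real-time protection removed/blocked the test file after {0:N1}s (no popup needed)' -f ((Get-Date) - $written).TotalSeconds
} else {
    "FAIL: test file still readable after 15s - real-time scanning is off or $testDir is excluded"
    Remove-Item -LiteralPath $testFile -Force -ErrorAction SilentlyContinue
}
```

Run it once in normal mode to confirm a PASS, then again with mute/silent/gaming mode enabled. A PASS in both runs, combined with a detection entry in the product's own log but no popup in the second run, is exactly the behaviour the post describes; a FAIL in the second run means the mode really does neuter on-access scanning for that product.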

Zero Knowledge

Level 20
Verified
Top Poster
Content Creator
Dec 2, 2016
841
The firewall module is still active; that's not the problem I'm talking about. All malware traffic is on port 443 TCP, maybe port 53 UDP for enterprise, and you can't block those ports. It's the AV module that's the problem. I imagine when muted/silent/gaming mode is enabled the AV won't notify you of changed settings/whitelisting of files with a popup. That's the problem.
 

Divine_Barakah

Level 29
Verified
Top Poster
Well-known
May 10, 2019
1,854
The firewall module is still active; that's not the problem I'm talking about. All malware traffic is on port 443 TCP, maybe port 53 UDP for enterprise, and you can't block those ports. It's the AV module that's the problem. I imagine when muted/silent/gaming mode is enabled the AV won't notify you of changed settings/whitelisting of files with a popup. That's the problem.
But you'll get notified of every single change when you exit "Mute Mode".
 

DDE_Server

Level 22
Thread author
Verified
Top Poster
Well-known
Sep 5, 2017
1,168
Yes, you should password protect AV, firewall, and all other security software.

I've noticed a shift from attackers: instead of disabling/uninstalling the AV completely, they turn on silent mode/gaming mode, and that basically turns off the AV without raising indicators of compromise. It's hard to notice this change because you have to check the AV logs to notice it; if gaming mode/silent mode is activated in some software there is no popup.

The first thing an attacker will do is try to escalate to admin; local privesc bugs are worth their weight in gold. Then they will try to drop files and drivers to disk for persistence, then progress to taking over firewall controls/settings to allow a RAT/backdoor/RDP to function. Even APT crews need to drop files to disk; they always do, because fileless malware only gets you so far. If you need to do the dirty work you need to drop files to disk.
Then my case is good, as I am using a Standard user account by default and have enabled password protection, which also needs administrator privilege to type it, so this will make privilege escalation and disabling the AV harder than in the case of an administrator account.
 

DDE_Server

Level 22
Thread author
Verified
Top Poster
Well-known
Sep 5, 2017
1,168
The firewall module is still active; that's not the problem I'm talking about. All malware traffic is on port 443 TCP, maybe port 53 UDP for enterprise, and you can't block those ports. It's the AV module that's the problem. I imagine when muted/silent/gaming mode is enabled the AV won't notify you of changed settings/whitelisting of files with a popup. That's the problem.
But there is a problem: in case I run a video player, for example, silent mode is enabled in Emsisoft, then when I exit it is disabled. However, I think, like @The Cog in the Machine, that its process still works in the background; only the notification is disabled, not the AV capability.
 

Zero Knowledge

Level 20
Verified
Top Poster
Content Creator
Dec 2, 2016
841
But you'll get notified of every single change when you exit "Mute Mode".

When you exit muted mode, notifications and scanning will go back to normal, yes, but during it you probably won't get the notifications of changes. Scanning during muted mode is basically neutered on all AVs. I seriously doubt you will be notified, after you come out of it, if a file has been whitelisted/changed hash during muted mode. The only way you can detect changes is checking the logs, and how many people do that every day? If you're a skilled attacker you delete logs anyway if they are not restricted.

But there is a problem: in case I run a video player, for example, silent mode is enabled in Emsisoft, then when I exit it is disabled. However, I think, like @The Cog in the Machine, that its process still works in the background; only the notification is disabled, not the AV capability.

The problem with Emsisoft (I love Emsisoft btw) is that it whitelists Windows files automatically and excludes some Windows processes from scanning and protection in the behavior blocking module, which should really be monitored for changes. Plus Emsisoft adds a trusted security setting to files the behavior blocker pops up warnings about, if you accept Allow.
 
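The post above says the only way to see a quiet whitelisting or a protection change is the log, and that the log itself is only useful if the attacker could not clear it. Here is that check written out for Microsoft Defender, because its cmdlets and event IDs are documented; the thread's products (Emsisoft, Trend Micro) keep their own logs and exclusion lists, so the idea carries over but the commands do not. This is an added example, not code from the thread or from Microsoft; it assumes an elevated PowerShell prompt on a client Windows build with Defender active, and the 7-day window is an arbitrary choice.

```powershell
# Added example (not from the thread): audit Microsoft Defender for the silent changes the
# thread worries about - exclusions ("whitelisting"), real-time protection switched off,
# configuration changes - from the log and current state rather than from popups.
# Event IDs are the ones Microsoft documents for the Defender operational channel.
$since = (Get-Date).AddDays(-7)   # arbitrary look-back window

# 1. Current state: is real-time protection on, and can a local admin turn it off at all?
$status = Get-MpComputerStatus
[pscustomobject]@{
    RealTimeProtection = $status.RealTimeProtectionEnabled
    BehaviorMonitoring = $status.BehaviorMonitorEnabled
    TamperProtected    = $status.IsTamperProtected   # $true: settings cannot be changed locally, even by admin
} | Format-List

# 2. Exclusions: everything listed here is unscanned. An attacker with admin can add an entry
#    without any popup, so this list should be empty or match what you set yourself.
$pref = Get-MpPreference
'Exclusions (paths):      ' + ($pref.ExclusionPath      -join ', ')
'Exclusions (processes):  ' + ($pref.ExclusionProcess   -join ', ')
'Exclusions (extensions): ' + ($pref.ExclusionExtension -join ', ')

# 3. Log: protection and configuration changes in the look-back window.
$ids = @{
    5001 = 'Real-time protection disabled'
    5004 = 'Real-time protection configuration changed'
    5007 = 'Configuration changed (exclusions, settings)'
    5010 = 'Scanning for malware disabled'
    5012 = 'Scanning for viruses disabled'
    5013 = 'Tamper protection blocked a change'
}
$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-Windows Defender/Operational'
    Id        = [int[]]$ids.Keys
    StartTime = $since
} -ErrorAction SilentlyContinue   # no matching events is reported as an error; treat it as empty

if (-not $events) {
    "No protection/configuration change events since $since"
}
$events | Sort-Object TimeCreated | ForEach-Object {
    [pscustomobject]@{
        Time    = $_.TimeCreated
        Id      = $_.Id
        Meaning = $ids[$_.Id]
        Detail  = ($_.Message -split "`r?`n")[0]   # first message line names the changed setting
    }
} | Format-Table -AutoSize
```

Two caveats that follow directly from the post. The events are written to a local channel that any administrator can clear, so the query only proves something if the channel is forwarded off the box (Windows Event Forwarding or an agent) before an attacker gets admin. And a 5013 entry is the one result that actually helps: it means a change was attempted and refused, which is the behaviour a password-protected or tamper-protected product should show when mute mode or an exclusion is toggled by something other than the user.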

DDE_Server

Level 22
Thread author
Verified
Top Poster
Well-known
Sep 5, 2017
1,168
When you exit muted mode, notifications and scanning will go back to normal, yes, but during it you probably won't get the notifications of changes. Scanning during muted mode is basically neutered on all AVs. I seriously doubt you will be notified, after you come out of it, if a file has been whitelisted/changed hash during muted mode. The only way you can detect changes is checking the logs, and how many people do that every day? If you're a skilled attacker you delete logs anyway.
Yes, I check the log regularly, as it is integrated directly in the Emsisoft interface.
 

DDE_Server

Level 22
Thread author
Verified
Top Poster
Well-known
Sep 5, 2017
1,168
When you exit muted mode, notifications and scanning will go back to normal, yes, but during it you probably won't get the notifications of changes. Scanning during muted mode is basically neutered on all AVs. I seriously doubt you will be notified, after you come out of it, if a file has been whitelisted/changed hash during muted mode. The only way you can detect changes is checking the logs, and how many people do that every day? If you're a skilled attacker you delete logs anyway if they are not restricted.

The problem with Emsisoft (I love Emsisoft btw) is that it whitelists Windows files automatically and excludes some Windows processes from scanning and protection in the behavior blocking module, which should really be monitored for changes. Plus Emsisoft adds a trusted security setting to files the behavior blocker pops up warnings about, if you accept Allow.
Yes, as a trusted Windows process is not allowed to be monitored, which could only be abused by injection or exploitation, and if these cases happen any AV will be bypassed, except in the case where exploitation could be prevented in memory, which could be done with special software such as HitmanPro.Alert, for example.
 

Local Host

Gaming/Silent mode does not disable any AV component; it simply suppresses notifications and avoids triggering scans.

Password protecting your AV won't do much against malware either; the idea is to protect the AV locally (from human tampering), not to protect the AV against malware/remote attacks (for malware protection, AVs have other modules for self-protection).
 
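Whether a muted product still counts itself as "on" can be checked from outside the product: every consumer AV and firewall registers with Windows Security Center and reports a state value there, and that is what Windows itself believes about the product. The script below reads that report so it can be diffed before and after enabling mute/silent/gaming mode. It is an added example, not code from the thread or from any vendor. It assumes a client edition of Windows (the root/SecurityCenter2 namespace does not exist on Server) and the community-documented layout of productState, which Microsoft has never formally specified; only the one bit that has been consistent across vendors (0x1000, real-time protection on) is decoded.

```powershell
# Added example (not from the thread): what the installed AV and firewall products report to
# Windows Security Center. Run once normally and once with mute/silent/gaming mode enabled,
# and compare ProductState / RealTimeOn. If they match, the product still tells Windows it
# is fully on while muted, consistent with the claim that no component is disabled.
#
# Assumptions: client Windows; productState layout as observed in the field, not documented
# by Microsoft: bit 0x1000 set => real-time protection reported on. Other bits vary by
# vendor (category, signature age) and are shown raw rather than decoded.
function Get-SecurityCenterState {
    param([string]$ClassName = 'AntiVirusProduct')   # or 'FirewallProduct', 'AntiSpywareProduct'
    $products = Get-CimInstance -Namespace 'root/SecurityCenter2' -ClassName $ClassName
    foreach ($p in $products) {
        [pscustomobject]@{
            Class        = $ClassName
            Product      = $p.displayName
            ProductState = ('0x{0:X6}' -f $p.productState)      # raw value, hex, for diffing
            RealTimeOn   = (($p.productState -band 0x1000) -ne 0)
            Executable   = $p.pathToSignedProductExe
            LastReported = $p.timestamp
        }
    }
}

# The AV module and the firewall module are the two the thread argues about; list both.
$report = @(Get-SecurityCenterState -ClassName 'AntiVirusProduct') +
          @(Get-SecurityCenterState -ClassName 'FirewallProduct')
$report | Format-Table -AutoSize

# Save a snapshot so the muted run can be compared with Compare-Object later.
$snapshot = Join-Path $env:TEMP ('securitycenter-{0:yyyyMMdd-HHmmss}.csv' -f (Get-Date))   # hypothetical name
$report | Export-Csv -Path $snapshot -NoTypeInformation
"Snapshot written to $snapshot"
```

A practical reading of the result: a product whose RealTimeOn stays $true while muted is reporting itself as protected to the OS, so nothing on the Windows side will warn you either, which is why the log check the thread keeps coming back to is the only signal left. Note that the value is self-reported by the product, so it says what the vendor chose to report, not what the engine is actually doing; the EICAR drop is the behavioural counterpart to this status check.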

Zero Knowledge

Level 20
Verified
Top Poster
Content Creator
Dec 2, 2016
841
That's a big problem, though: if you don't get a notification that the svchost.exe hash has changed or that a Windows file is calling out to a server in China, and a scan is not made on the file, you are hosed. The reason you password protect your security software, especially the firewall, is twofold: internal and external tampering. They both overlap each other.
 
