For adventurous types, I have an early code drop of a new functionality from avast 5 - an avast process execution prevention module. I’d be glad if you could test drive it on your machine (it seems to be pretty stable) and maybe even play a bit with it - i.e. use all the tricks in your arsenal and try to overcome the protection (i.e. manage to kill the avast process).
Here’s the contents of the readme.txt file included in that package:
=======================================
Avast! Process Termination Prevention
July 12, 2006
Early code drop from avast! 5
Copyright (c) 2006 ALWIL Software
Purpose
The driver’s goal is to prevent malware (or a malicious user) from killing avast’s on-access scanner. There are many ways to kill a process under Windows, and this driver tries to cover most (if not all) of them.
Please note that normal means of stopping the avast protection are not prevented, only the crude ones (i.e. killing one of the avast service processes). In other words, the avast service can still be stopped by using the command
net stop "avast! Antivirus"
(or via the Services Control Panel applet). This may change in the release version of avast 5 - we’re currently evaluating the pros and cons of doing so (it’s not a technical problem, rather a “political” decision; most likely, we’ll make this configurable).
Installation
Copy AntiKill.sys to \Windows\System32\Drivers
Run inst.reg (allow registry value import)
Restart the machine
Configuration Options
At this time, there are no configuration options.
If the driver is running, it just protects the avast modules.
EDIT:
One question, not sure if it’s related.
When I have avast! installed and fully operational, I cannot see the “avast! Standard Shield” driver under “Non-Plug and Play Drivers”. But when I uninstall avast!, all of a sudden it’s there. Is this already a means of protecting current avast! versions or something else?
Probably something else :). There’s no code in avast that would be causing this deliberately.
Just “installed” the new part, and almost everything is OK, but after I restarted my PC I don’t have sound in my Resident Protection (I mean there are no sounds for VPS update, Virus Found and so on… and I can’t enable them), and also the Resident Provider window is in Win98/NT interface style (I’ve attached a picture). Is this related to this new part’s installation? In the On-Demand scanner and the other parts of avast! everything is fine. :-[
Vlk, what about avast! registry and file tampering? Something like Kaspersky’s Self-Defense that prevents all kinds of modifications to program components unless they are performed by the program itself (so they are allowed).
Of course. We’re talking about a behavior blocker here.
Another favorite feature of avast 5.
Ok, that too, but I meant self-protection of avast! registry keys and files too, not just anti process termination. I mean the process can be running, but if I erase half the avast! folder and all its registry keys it won’t help much, right? Plus the behavior blocker could be triggered when some external file tries to tamper with avast! files.
Technically, this IS the behavior blocker. A preset rule of the behavior blocker, to be more specific…
But, won’t there be some minor update or release before (say e.g. Avast 4.8)?
Things like separating avast data from avast executables would be essential but not with great “merchan” appeal. For version 5 the idea of using idle times to perform scans or other actions (present in Windows XP) could be used (continuing to have speed and low resource consumption as the order of the day), to lower memory usage of the services when they are not “activiting” so much, etc… I suppose that these and other things are already used by the architects, but it does not cost a thing to say…
I believe the current version (protecting avast! processes) prevents code injection as well (though there are probably multiple ways to do that) - so I’d say the answer would be yes.
Wow, interesting toy it is. To my surprise it’s extremely resistant.
avast! processes aren’t even listed in the Advanced Process Termination tool (you can’t terminate stuff that’s not listed), and tampering with them in Task Manager is impossible.
Process Explorer also can’t do a thing. I have to test two more things and then I’ll report back again.
I think I found a bug or a non-good interaction with IDS monitor…
Maybe I’m wrong, but some processes are ‘running’ hidden in the background and the GUI does not appear???
For instance, here, trying to install a new ClamWin version…
IceSword 1.16en can terminate all of the processes apparently.
Well, IceSword operates in kernel mode (it’s an anti-rootkit tool) and for that reason, it can do whatever patching it needs to. Either we kill it first, or it kills us, it’s as simple as that (it’s a cat & mouse game).
In avast 5, the anti-termination feature will be accompanied by a comprehensive behavior blocker, and one of the behavior blocker triggers will be installation of kernel-mode code. So, it will at least warn you that an application (IceSword in this case) is attempting to load some code into the kernel, and you will be given a chance to block that (and of course, the program will then fail to load and no process killing will take place).
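The kernel-mode load trigger described above, seen from the detection side, as an added example that is not part of the original thread or of avast: it scans Windows System log records for Event ID 7045 (service installed), keeps only kernel-mode driver installs, and flags any driver that is not on an expected list or is loaded from outside the drivers directory. The log records, service names, paths and the allowlist are constructed for the demo.

```python
# Added example (not code from the thread or from ALWIL): flag kernel-mode driver
# installs in Windows System log records (Event ID 7045). Every record below is a
# constructed sample in the 7045 message layout; names, paths, allowlist are made up.
import re

FIELD_RE = re.compile(
    r"^(Service Name|Service File Name|Service Type|Service Start Type):[ \t]*(.*)$", re.M)
EXPECTED_DRIVERS = {"antikill"}  # drivers the administrator expects here (constructed)

def msg(name, image, svc_type, start):
    """Build a 7045-style message body (constructed sample data)."""
    return ("A service was installed in the system.\n\n"
            f"Service Name:  {name}\nService File Name:  {image}\n"
            f"Service Type:  {svc_type}\nService Start Type:  {start}\n"
            "Service Account:  \n")

SAMPLE_EVENTS = [
    {"id": 7045, "message": msg("AntiKill", r"system32\drivers\AntiKill.sys",
                                "kernel mode driver", "system start")},
    {"id": 7045, "message": msg("tooldrv", r"\??\C:\Users\Public\tooldrv.sys",
                                "kernel mode driver", "demand start")},
    {"id": 7045, "message": msg("updsvc", r"C:\Program Files\Upd\updsvc.exe",
                                "user mode service", "auto start")},
    {"id": 7036, "message": "The Print Spooler service entered the running state."},
]

def parse_7045(message):
    """Turn a 7045 message body into a {field: value} dict."""
    return {k: v.strip() for k, v in FIELD_RE.findall(message)}

def image_outside_drivers_dir(path):
    """True unless the image lives under %SystemRoot%\\System32\\drivers."""
    p = path.lower().replace("/", "\\")
    p = re.sub(r"^\\\?\?\\", "", p)            # drop the \??\ NT object prefix
    p = re.sub(r"^[a-z]:\\windows\\", "", p)   # drop an absolute systemroot
    return not p.startswith("system32\\drivers\\")

def kernel_driver_installs(events):
    """One finding per kernel-mode driver install, with two risk flags."""
    findings = []
    for ev in events:
        if ev["id"] != 7045:
            continue
        f = parse_7045(ev["message"])
        if f.get("Service Type", "").lower() != "kernel mode driver":
            continue                           # user-mode services: out of scope
        name, image = f.get("Service Name", ""), f.get("Service File Name", "")
        findings.append({"name": name, "image": image, "start": f.get("Service Start Type", ""),
                         "expected": name.lower() in EXPECTED_DRIVERS,
                         "unusual_path": image_outside_drivers_dir(image)})
    return findings
```

On a live machine the same records come from the System log's Service Control Manager source; a finding with `expected` false and `unusual_path` true is the case the behavior blocker prompt above is meant to surface.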