With the new mail scanner the mail is scanned when the service is running. BUT if someone (could be a program) stops the mail scanning service the mail still works - but is not scanned anymore - no warning.
Is there a way to protect the avast! services?
I can see that the ZoneAlarm TrueVector service (vsmon) is protected in some way. Even with administrator rights it’s not possible to change any service setting, nor stop the service. How did they do that?
How can I do the same for the avast! services? Protect them against settings changes, stopping them and so on (if ZoneLabs can, then…)
Depending on your firewall, most keep track of a checksum (MD5 or similar) for each of the programs allowed access. If an avast! service is modified, your firewall should tell you and ask for permission for the modified program, which you should deny unless you have just consciously done an avast! update. For secure email, you can search on ssl or stunnel here to find an avast! approach that will only send or receive email when the avast! email provider is running.
I’m not afraid of someone changing the avast! files. I’m worried that one could STOP the mail-scanner service (just with a “net stop”) without any warning, and then mail traffic goes through unscanned.
ZoneLabs protects their service (you can’t stop it or change the settings of the service, not even with administrator rights).
I’d like to do that with the avast! services as well.
The new transparent mail-scanner is nice, but the downside is that if the service is stopped you won’t notice that mail is not scanned anymore (with the old solution, mail could not be sent when the service was down).
Again, a firewall answer. I use KPF 2.1.5, and do not allow email to go in or out except through avast! The email client has only permission to access the email proxy (127.0.0.1:25, for example); direct access to the mail server is blocked. Only the email service has permission to access the mail server. Similar rules for other firewalls.
But that’s not possible with all firewalls. ZA sets access for programs. And I can’t block internet access for Forte Agent. Even if I filter both news and e-mail through avast! it uses internet connections directly for other things (I guess anyway). With the transparent avast! e-mail scanner it should be able to restrict service control (like ZA does) to be sure (or more sure) that the avast! service cannot easily be stopped (today it’s very easy to stop, just a “net stop” command from anywhere).
For Zone Alarm, you may need the Pro version? It has been a while. For Sygate, Kerio, most other free firewalls you can set up packet filters like this. Using SSL/TLS email this all works independent of the firewall by using stunnel as the mail access gate to the internet and setting up explicit proxies.
I have not done it myself, but I think you can also go through the W98 explicit mail setup procedures (see the help file) to prevent direct access to the internet mail servers if avast! is stopped. Have no idea on how to protect the services from being stopped, but maybe you can start out not being compromised by it.
Yes, I have used the old style mail scanner, and that will stop mail access if the service is down - for the configured mail clients. Other mail clients will have direct access. The pro of the new way to do it is that all mail clients will be scanned. The con is that if the service stops then all mail clients still have access.
So best way would be protecting the service like ZoneLab has done (no one can stop it). Must be some setting somewhere for that.
If you write that over at Wilders, they’ll probably shoot you ;D
I’ve tried it for a while, but I didn’t need it. But I won’t say that it isn’t good at what it is supposed to do. It does have some problems though (for me, Diskeeper wouldn’t stop running >:( ).
I will concur this time … the full version of Process Guard 3.150 is more stable than e.g. Kerio 4.2.x and their “HIPS” :))
(BSODs caused by KPF in past years on my test systems go into the hundreds, but since they started to experiment with various injection preventions it turned worse :))
to be fair to PG … after I finally was able to configure it right and understood how and what exactly to define … I have zero compatibility problems (usually any stability problem is caused by other software or drivers (e.g. abnormal hooking methods or accesses to memory))
there are some drawbacks when someone uses PG …
first … if You are not a SKILLED person in Windows OS usage … then forget about it …
second … if You refuse to read PG manuals, FAQs and forums … then forget about using it
also PG is not for gamers!
the anticheat solution PunkBuster for now refuses users with PG to join PB-protected games (for obvious reasons, as it was used to hide cheats and prevent PB from operating)
PG is good software but only for users who really understood what it does …
so there are not many similar applications to Process Guard
but I will suggest to take a look at System Safety Monitor or Tiny Firewall 2005
there are of course more but these 3 are good start …
ZoneLabs manage to protect their “vsmon” service w/o any extras.
They have just disabled the “Stop” button and you can’t edit properties on the service.
This has to be something you can set in Windows (w/o any extra program).
Why hasn’t avast! done this (to prevent something from stopping its services)? It should be easy (I guess it’s done when the service is added) and effective (haven’t found any way to either edit or stop the “vsmon” service from ZoneLabs once it has started - very good)
I think it was Vlk that said in a previous post, along similar lines about protecting processes, that if someone wanted to disable something then they could, no matter what we do to protect it.
One of the things that helps virus/malware writers is our insistence on browsing with Admin privileges (XP), as once the virus/malware gets past our defences, it also has admin privileges and can wreak havoc.
I use MS DropMyRights on all browsers and email clients, so you are still logged on as a user with admin privileges, but your online activity isn’t. It is quick and easy to close the browser and open the link that has full privileges should you need it, such as for Windows Update.
Lars, it’s a good idea but as discussed a lot in the past, with administration privileges no way… the process could be terminated as they say.
I don’t know how, just they say that it’s possible. Listen what David posted.
When I post in Wilders I’m always shot! ;D
Probably tECHNODROME won’t agree with me, but the more I post there, the more I get fired…
Maybe I have not found the right way.
It could bring a lot of trouble indeed. The more you ‘close’ its settings, the more the computer starts to crash… BSODs are frequent.
Stupid collaboration:
Will the option PassThrough=0 in the avast4.ini file (section [MailScanner]) work? Or only if you use 127.0.0.1 (old method)?
Does the Trust value change this behavior?
Sure? I have admin privileges, and I cannot stop the “vsmon” service (it just says “access denied” or something like that). So they’ve got to have disabled something (anyone know WHERE I can change that? I’d like to change some settings on the “vsmon” service, but I’m not allowed).
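The “access denied” on a service stop is what a restrictive service security descriptor produces: Windows keeps one per service, `sc sdshow <service>` prints it as an SDDL string and `sc sdset` writes one back. The example below is added here and is not code from the thread, avast! or ZoneLabs: it audits a constructed default-style descriptor for who holds SERVICE_STOP (WP), strips that right from Administrators (BA), and then checks the limit raised later in the thread, namely that BA still holds WRITE_DAC and can simply put the right back.

```python
import re

# Service-object access rights as their documented SDDL two-letter codes.
STOP, START, CHANGE_CONFIG = "WP", "RP", "DC"
WRITE_DAC, WRITE_OWNER = "WD", "WO"

# One ACE in the D: (DACL) part: (type;flags;rights;;;trustee).
# Service ACEs normally carry no flags, so the flags field is empty here.
ACE_RE = re.compile(r"\((A|D);;((?:[A-Z]{2})*);;;([A-Z]{2}|S-[\d-]+)\)")


def _codes(rights):
    return {rights[i:i + 2] for i in range(0, len(rights), 2)}


def dacl_aces(sddl):
    """Yield (ace_type, set_of_right_codes, trustee) for every ACE in the DACL."""
    m = re.search(r"D:(.*?)(?=S:|$)", sddl)
    if not m:
        raise ValueError("SDDL string has no D: (DACL) part")
    for ace_type, rights, who in ACE_RE.findall(m.group(1)):
        yield ace_type, _codes(rights), who


def who_can(sddl, right):
    """Trustees allowed `right`, honouring an explicit Deny ACE for the same trustee."""
    aces = list(dacl_aces(sddl))
    denied = {who for t, r, who in aces if t == "D" and right in r}
    return sorted(who for t, r, who in aces
                  if t == "A" and right in r and who not in denied)


def drop_right(sddl, trustee, right):
    """Return a new SDDL with `right` removed from `trustee`'s Allow ACE (SACL untouched)."""
    def rewrite(m):
        ace_type, rights, who = m.groups()
        if ace_type == "A" and who == trustee:
            rights = "".join(c for c in sorted(_codes(rights), key=rights.index) if c != right)
        return f"({ace_type};;{rights};;;{who})"
    return ACE_RE.sub(rewrite, sddl)


def can_rewrite_dacl(sddl, trustee):
    """True if `trustee` keeps WRITE_DAC or WRITE_OWNER, i.e. can restore any dropped right."""
    return any(t == "A" and who == trustee and (WRITE_DAC in r or WRITE_OWNER in r)
               for t, r, who in dacl_aces(sddl))


# Constructed sample in the shape `sc sdshow` prints for a typical default service.
SAMPLE_SDDL = ("D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)"
               "(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)"
               "S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)")

if __name__ == "__main__":
    print("can stop:", who_can(SAMPLE_SDDL, STOP))                 # ['BA', 'SY']
    hardened = drop_right(SAMPLE_SDDL, "BA", STOP)
    print("after hardening:", who_can(hardened, STOP))               # ['SY']
    print("admins can undo it:", can_rewrite_dacl(hardened, "BA"))  # True
```

Removing WP from BA also stops an administrative updater from restarting the service cleanly, so SYSTEM (SY) must keep it; kernel-level protection of the kind Process Guard offers is a separate mechanism from this descriptor.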
You can test it with Advanced Process Termination: http://www.diamondcs.com.au/index.php?page=apt
It provides nine (9) different process termination techniques. Won’t any of them be able to kill ‘vsmon’?