Avast WEBforum

Consumer Products => Avast Free Antivirus / Premium Security (legacy Pro Antivirus, Internet Security, Premier) => Topic started by: Vlk on July 13, 2006, 09:19:11 AM

Title: Early code drop from avast 5 for you to test :-)
Post by: Vlk on July 13, 2006, 09:19:11 AM
Hi guys,

for adventurous types I have an early code drop of a new functionality from avast 5 - an avast process execution prevention module. I'd be glad if you could test drive it on your machine (it seems to be pretty stable) and maybe even play a bit with it - i.e. use all the tricks in your arsenal and try to overcome the protection (i.e. manage to kill the avast process).

You can download the tiny package from here:
http://public.avast.com/~vlk/AntiKill.zip

Here's the contents of the readme.txt file included in that package:

=======================================
 Avast! Process Termination Prevention
=======================================

July 12, 2006
Early code drop from avast! 5
Copyright (c) 2006 ALWIL Software


Purpose
-------
The driver's goal is to prevent malware (or a malicious user) from killing avast's on-access scanner. There are many ways to kill a process under Windows, and this driver tries to cover most (if not all) of them.

Please note that normal means of stopping the avast protection are not prevented, only the crude ones (i.e. killing one of the avast service processes). In other words, the avast service can still be stopped by using the command

net stop "avast! Antivirus"

(or via the Services Control Panel applet). This may change in the release version of avast 5 - we're currently evaluating the pros and cons of doing so (it's not a technical problem, rather a "political" decision; most likely, we'll make this configurable).


Installation
------------
1. copy AntiKill.sys to \Windows\System32\Drivers
2. Run inst.reg (allow registry value import)
3. Restart the machine


Configuration Options
---------------------
At this time, there are no configuration options.
If the driver is running, it just protects the avast modules.


System Requirements
-------------------
Windows 2000 or Windows XP (32-bit versions only)


Feedback
--------
Please send respective comments / bug reports to vlk@avast.com.
Thank you.



Have fun! :)
Vlk
Title: Re: Early code drop from avast 5 for you to test :-)
Post by: ..::ReVaN::.. on July 13, 2006, 09:37:14 AM
Interesting! I'll have to try this on my virtual machine ...  ;D
Title: Re: Early code drop from avast 5 for you to test :-)
Post by: RejZoR on July 13, 2006, 10:29:38 AM
So, an actual avast! 5 part ;D

EDIT:
One question, not sure if it's related.
When I have avast! installed and fully operational, I cannot see the "avast! Standard Shield" driver under "Non-Plug and Play Drivers". But when I uninstall avast!, all of a sudden it's there. Is this already a means of protecting current avast! versions, or something else?
Title: Re: Early code drop from avast 5 for you to test :-)
Post by: Vlk on July 13, 2006, 10:51:47 AM
Quote
When I have avast! installed and fully operational, I cannot see the "avast! Standard Shield" driver under "Non-Plug and Play Drivers". But when I uninstall avast!, all of a sudden it's there. Is this already a means of protecting current avast! versions, or something else?


Probably something else :). There's no code in avast that would be causing this deliberately.
Title: Re: Early code drop from avast 5 for you to test :-)
Post by: Lisandro on July 13, 2006, 01:43:15 PM
Testing...
Glad that the development did not stop  :)
Title: Re: Early code drop from avast 5 for you to test :-)
Post by: XMAS on July 13, 2006, 02:13:18 PM
Hi Vlk  ;D

Just "installed" the new part, and almost everything is OK, but after I restarted my PC I don't have sound in my Resident Protection (I mean there are no sounds for VPS update, Virus Found and so on... and I can't enable them) and also the Resident Provider window is in Win98/NT interface style (I've attached a picture). Is this related to this new part's installation? In the On-Demand scanner and the other parts of avast! everything is fine.  :-[

EDIT: The picture is now attached  :)
Title: Re: Early code drop from avast 5 for you to test :-)
Post by: RejZoR on July 13, 2006, 04:24:02 PM
Vlk, what about avast! registry and file tampering? Something like Kaspersky's Self-Defense that prevents all kinds of modifications to program components unless they are performed by the program itself (so they are allowed).
Title: Re: Early code drop from avast 5 for you to test :-)
Post by: Vlk on July 13, 2006, 05:36:42 PM
Quote
Vlk, what about avast! registry and file tampering? Something like Kaspersky's Self-Defense that prevents all kinds of modifications to program components unless they are performed by the program itself (so they are allowed).


Of course. We're talking about a behavior blocker here.
Another favorite feature of avast 5. ;) :)
Title: Re: Early code drop from avast 5 for you to test :-)
Post by: RejZoR on July 13, 2006, 05:40:09 PM
Ok, that too, but I meant self-protection of avast! registry keys and files too, not just anti process termination. I mean, the process can be running, but if I erase half the avast! folder and all its registry keys it won't help much, right? Plus, the behavior blocker could be triggered when some external file tries to tamper with avast! files.
Title: Re: Early code drop from avast 5 for you to test :-)
Post by: Vlk on July 13, 2006, 05:53:15 PM
Quote
Ok, that too, but I meant self-protection of avast! registry keys and files too, not just anti process termination. I mean, the process can be running, but if I erase half the avast! folder and all its registry keys it won't help much, right? Plus, the behavior blocker could be triggered when some external file tries to tamper with avast! files.



Technically, this IS the behavior blocker. A preset rule of the behavior blocker, to be more specific... :)
Title: Re: Early code drop from avast 5 for you to test :-)
Post by: RejZoR on July 13, 2006, 05:54:23 PM
Ok, cool then ;) Btw, could you guys please use more generic signatures till you release this behavior blocker? :P ;D
Title: Re: Early code drop from avast 5 for you to test :-)
Post by: Vlk on July 13, 2006, 05:59:42 PM
I'm hoping that another batch of them will be released just before the deadline for the upcoming av-comparatives.org test, that is, in about 3 weeks. ;)
Title: Re: Early code drop from avast 5 for you to test :-)
Post by: RejZoR on July 13, 2006, 06:01:10 PM
Generic as Win32:Ardamax-gen, Win32:SdBot-genXX, Win32:Rbot-gen and Win32:Agent-gen etc, not those Trojan-gen :P
Title: Re: Early code drop from avast 5 for you to test :-)
Post by: avvidro on July 14, 2006, 03:40:26 PM
Good, very good.   ;D

But, won't there be some minor update or release before (say e.g. Avast 4.8)?

Things like separating avast data from avast executables would be essential but without great "merchan" appeal. For version 5 the idea of using idle times to perform scans or other actions (present in Windows XP) could be used (continuing to have speed and low resource consumption as the order of the day), to lower memory usage of the services when they are not "activating" so much, etc... I suppose that these and other things are already used by the architects, but it does not cost a thing to say... ;)


Title: Re: Early code drop from avast 5 for you to test :-)
Post by: nomad on July 15, 2006, 01:47:54 PM
Technically, this IS the behavior blocker. A preset rule of the behavior blocker, to be more specific... :)

This indeed sounds interesting. Will it also prevent Code Injection into a running process' memory environment?

-- tom
Title: Re: Early code drop from avast 5 for you to test :-)
Post by: igor on July 15, 2006, 10:53:13 PM
I believe the current version (protecting avast! processes) prevents code injection as well (though there are probably multiple ways to do that) - so I'd say the answer would be yes.
Title: Re: Early code drop from avast 5 for you to test :-)
Post by: RejZoR on July 19, 2006, 10:23:28 AM
Wow, interesting toy it is :) To my surprise it's extremely resistant.
avast! processes aren't even listed in the Advanced Process Termination tool (you can't terminate stuff that's not listed), and tampering with them in Task Manager is impossible.
Process Explorer also can't do a thing. I have to test two more things and then I'll report back again :)
Title: Re: Early code drop from avast 5 for you to test :-)
Post by: ross on July 19, 2006, 02:03:03 PM
IceSword 1.16en can terminate all of the processes apparently.  :-\
Title: Re: Early code drop from avast 5 for you to test :-)
Post by: Lisandro on July 24, 2006, 03:47:08 PM
How to uninstall the Avast! Process Termination Prevention?

I've sent a comment / bug report to vlk@avast.com

I think I found a bug or a non-good interaction with IDS monitor...
Maybe I'm wrong but some processes are 'running' hidden in background and the GUI does not appear  ??? ::)

For instance, here, trying to install a new ClamWin version...  :P
Title: Re: Early code drop from avast 5 for you to test :-)
Post by: Vlk on July 24, 2006, 07:33:33 PM
Quote
IceSword 1.16en can terminate all of the processes apparently.

Well, IceSword operates in kernel mode (it's an anti-rootkit tool) and for that reason, it can do whatever patching it needs to. Either we kill it first, or it kills us, it's as simple as that (it's a cat & mouse game).

In avast 5, the anti-termination feature will be accompanied by a comprehensive behavior blocker, and one of the behavior blocker triggers will be installation of kernel-mode code. So, it will at least warn you that an application (IceSword in this case) is attempting to load some code into the kernel, and you will be given a chance to block that (and of course, the program will then fail to load and no process killing will take place).


Thanks :)
Vlk
Title: Re: Early code drop from avast 5 for you to test :-)
Post by: Lisandro on July 24, 2006, 07:52:45 PM
How to uninstall it?
And so?  ???
Title: Re: Early code drop from avast 5 for you to test :-)
Post by: RejZoR on July 24, 2006, 07:54:32 PM
Just delete the registry entries that you imported, delete the driver and reboot the system. That's it. The behavior blocker will again keep an eye on these two parts in case someone or something wants to tamper with the protection driver.
Title: Re: Early code drop from avast 5 for you to test :-)
Post by: Dwarden on July 25, 2006, 04:41:52 PM
Quote
IceSword 1.16en can terminate all of the processes apparently.

Well, IceSword operates in kernel mode (it's an anti-rootkit tool) and for that reason, it can do whatever patching it needs to. Either we kill it first, or it kills us, it's as simple as that (it's a cat & mouse game).

In avast 5, the anti-termination feature will be accompanied by a comprehensive behavior blocker, and one of the behavior blocker triggers will be installation of kernel-mode code. So, it will at least warn you that an application (IceSword in this case) is attempting to load some code into the kernel, and you will be given a chance to block that (and of course, the program will then fail to load and no process killing will take place).


Thanks :)
Vlk


Hi Vlk,

Is it just me, or does this sound like a sort of HIPS (aka ProcessGuard / System Safety Monitor)?
Title: Re: Early code drop from avast 5 for you to test :-)
Post by: RejZoR on July 25, 2006, 04:57:10 PM
It will be something like Panda TruPrevent or Kaspersky Proactive Defense Module.
Title: Re: Early code drop from avast 5 for you to test :-)
Post by: Vlk on July 25, 2006, 05:58:17 PM
HIPS is a good word, too. Yes, you got it right ;)
Title: Re: Early code drop from avast 5 for you to test :-)
Post by: Lisandro on July 25, 2006, 07:34:23 PM
Vlk, the problem occurred when using Kerio and the Application Behavior Blocking monitor (one application started by another).
It's not only with the second option (HIPS), which is only available in the paid version of Kerio.
On the freeware version, even without HIPS, the avast antikill feature 'conflicts' with the Application Behavior Blocking.
I don't know if this will be a problem or not... With Comodo firewall, which does not have this feature, no problem.

Will this feature conflict with System Safe Monitor as stated above?
Title: Re: Early code drop from avast 5 for you to test :-)
Post by: mouniernetwork on August 23, 2006, 10:27:22 PM
Sure sounds very exciting, this avast 5  ;D
I'm going to try the protection myself.  ::)

MounierNetwork
Title: Re: Early code drop from avast 5 for you to test :-)
Post by: mouniernetwork on August 29, 2006, 06:37:52 PM
Hello,

I just tested the antikill feature and it works great  ;)
The only thing is that it actually works too well in disabling the shutdown of the process named ashdisp.exe, etc... this can be exploited by a malware which would be named ashdisp.exe or any other file name that is protected by the driver. :P
Try it: take any application and change its name to ashdisp.exe and you won't be able to shut it down.
Maybe specifying the path and the filenames would be better; that way the files would have to be replaced by the virus, which is impossible, or maybe checking the md5 for which file to protect.

I hope this helps  ;)

Al968
Title: Re: Early code drop from avast 5 for you to test :-)
Post by: DavidR on August 29, 2006, 08:58:12 PM
ashDisp.exe is the avast icon and interface to the on-access providers, it doesn't actually have any security function other than it is a pain in the rear when it isn't there. It is just a windows startup item and not a full blown avast service.
Title: Re: Early code drop from avast 5 for you to test :-)
Post by: mouniernetwork on August 29, 2006, 11:05:03 PM
Yes, I do know that, but I do not see the relation with my previous post.
As I mentioned in my previous post, the problem is that if a malware has the same filename as any avast application, such as:
ashServ.exe
ashWebSv.exe
ashMaiSv.exe
ashDisp.exe
aswUpdSv.exe
avast.setup
aswServ.exe
aswWebSv.exe
aswMaiSv.exe
aswDisp.exe
AvAgent.exe

then neither avast nor any other program will be able to stop it.
Please download McAfee Stinger, rename it aswMaiSv.exe, then run it and try to stop it using the task manager.
You won't be able to because of the new antikill.

Hope this clarifies my previous post  ;)

Al968
Title: Re: Early code drop from avast 5 for you to test :-)
Post by: wishiknew on August 30, 2006, 09:01:56 PM
Hi al968.

What you found was cool.  Hopefully there will be some system in place to prevent something like this but still have avast not killable.
Title: Re: Early code drop from avast 5 for you to test :-)
Post by: mouniernetwork on August 30, 2006, 09:25:34 PM
Well, actually it is possible by standard operation, as igor mentioned I believe, by doing:
net stop .....
But Alwil is deciding on whether or not to disable that option.

I personally would prefer that they do; however, this means that the ashserve.exe and other exes causing problems should be fixed, because if avast is unstoppable then in case of a problem it can't be stopped. So the alternative would be to disable other programs from shutting down avast processes but allow avast to shut down its own processes.

Al968
Title: Re: Early code drop from avast 5 for you to test :-)
Post by: RejZoR on August 31, 2006, 10:28:03 AM
All these issues  are related to AntiKill and avast! 4.x only. It was never really designed with this feature in mind. avast! 5.x will be built ground up with this in mind. So don't worry ;)
Title: Re: Early code drop from avast 5 for you to test :-)
Post by: mouniernetwork on August 31, 2006, 01:33:25 PM
I am not worried.  ;D
I am just saying what I am seeing.

Al968
Title: Re: Early code drop from avast 5 for you to test :-)
Post by: RejZoR on August 31, 2006, 01:57:37 PM
Well you can still stop the On-Access scanner like you did before. Termination of avast! processes was never really an official option. However you could do that since there was no protection...
Title: Re: Early code drop from avast 5 for you to test :-)
Post by: igor on August 31, 2006, 02:52:23 PM
The request is reasonable, however - I also think it's not a good idea to match just the filename, some more thorough check should be implemented.
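The weakness Al968 demonstrated (a shield keyed on the file name alone) next to the stricter check igor asks for, as an added Python example; this is not the AntiKill driver's code, and the install directory, PIDs, paths and the byte strings that stand in for executable images are all constructed for the demo.

```python
"""Name-only matching versus an identity check for a process shield.

Added illustration for the AntiKill discussion in this thread; this is NOT
the driver's code.  The install directory, PIDs, paths and the byte strings
standing in for executable images are all constructed for the demo."""
import hashlib
from dataclasses import dataclass

INSTALL_DIR = r"C:\Program Files\Alwil Software\Avast4"   # assumed location

# Constructed stand-ins for the installed executables: full path -> file bytes.
GENUINE_IMAGES = {
    INSTALL_DIR + r"\ashServ.exe":  b"MZ...constructed ashServ.exe image",
    INSTALL_DIR + r"\ashMaiSv.exe": b"MZ...constructed ashMaiSv.exe image",
    INSTALL_DIR + r"\ashWebSv.exe": b"MZ...constructed ashWebSv.exe image",
}


def norm(path: str) -> str:
    """Windows paths are case-insensitive, so compare them in one case."""
    return path.lower()


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1]


def digest(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Allow-list recorded once at install time: normalised full path -> digest.
PROTECTED = {norm(p): digest(img) for p, img in GENUINE_IMAGES.items()}
# What the name-only rule remembers: just the file names.
PROTECTED_NAMES = {basename(p) for p in PROTECTED}


@dataclass
class Process:
    pid: int
    image_path: str     # full path of the executable the process was started from
    image_bytes: bytes  # constructed stand-in for the bytes of that file


def is_protected_by_name(proc: Process) -> bool:
    """Weak rule: shield anything whose image is called ashServ.exe, etc.
    A renamed copy of any program anywhere on disk qualifies."""
    return norm(basename(proc.image_path)) in PROTECTED_NAMES


def is_protected_by_identity(proc: Process) -> bool:
    """Stricter rule: the image must sit at the installed path AND its digest
    must equal the one recorded for that file at install time."""
    expected = PROTECTED.get(norm(proc.image_path))
    return expected is not None and digest(proc.image_bytes) == expected


def termination_blocked(requester: Process, target: Process) -> bool:
    """Decision on a terminate request: block it when the target is a genuine
    protected image, unless the requester is one too, so the product can
    still stop its own processes (the behaviour asked for in the thread)."""
    if not is_protected_by_identity(target):
        return False
    return not is_protected_by_identity(requester)


# Constructed processes: the real mail scanner, an unrelated tool renamed to a
# protected name in a user folder, and Task Manager issuing the kill request.
GENUINE = Process(1204, INSTALL_DIR + r"\ashMaiSv.exe",
                  GENUINE_IMAGES[INSTALL_DIR + r"\ashMaiSv.exe"])
RENAMED = Process(2810, r"C:\Documents and Settings\demo\Desktop\ashMaiSv.exe",
                  b"MZ...some unrelated program renamed to a protected name")
TASKMGR = Process(3310, r"C:\WINDOWS\system32\taskmgr.exe", b"MZ...taskmgr image")

if __name__ == "__main__":
    for p in (GENUINE, RENAMED):
        print(p.image_path)
        print("  name-only rule shields it:  ", is_protected_by_name(p))
        print("  path+digest rule shields it:", is_protected_by_identity(p))
    print("Task Manager -> genuine blocked:", termination_blocked(TASKMGR, GENUINE))
    print("genuine -> genuine blocked:     ", termination_blocked(GENUINE, GENUINE))
```

In a real driver the identity would be established once, when the process starts, from the image file at its full path, and cached by process ID; re-reading the file on every terminate request would leave a window in which the file could be swapped.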
Title: Re: Early code drop from avast 5 for you to test :-)
Post by: mouniernetwork on September 01, 2006, 04:07:22 PM
Glad to help ;)

And congratulations on the latest av-comparatives.org results  :)

Al968
Title: Re: Early code drop from avast 5 for you to test :-)
Post by: Denisss on October 01, 2006, 09:38:54 AM
Hi,

There is a utility called "Simple Process Termination" by System Safety.
You can download it here: http://syssafety.com/leaktests.html.

It could terminate ashDisp.exe, ashMaiSv.exe, ashServ.exe and ashUpdSv.exe with:
9 - terminate process as a task;
15 - simulation of normal process exit;
and
16 - terminate process by "bruteforce" message posting;

Moreover, I can stop avast! service by stopping manually ("Administrating Tools"->"Services") or with any program for starting/stopping services.

I hope you'll fix it.  ::)

PS
My firewall passed this test. None of the 16 methods could terminate its processes or services. When I go to "Administrating Tools"->"Services", I cannot manually stop it. The same thing was when I used Kaspersky Antivirus. I couldn't stop it anyhow, except by choosing the item "Exit" in its menu.

Thanks!
Title: Re: Early code drop from avast 5 for you to test :-)
Post by: jamesvaul on October 01, 2006, 09:57:45 AM
Purpose
-------
The driver's goal is to prevent malware (or a malicious user) from killing the avast's on-access scanner.

Under Windows Vista this module is useless, because in Windows Vista you have UAC and a lot of security technologies (for example: system services isolation from the user session).
Title: Re: Early code drop from avast 5 for you to test :-)
Post by: mouniernetwork on October 01, 2006, 02:58:41 PM
Yes, but two securities are better than one, and remember that not everyone will upgrade to Vista when it comes out.  ;)

Al968
Title: Re: Early code drop from avast 5 for you to test :-)
Post by: Dwarden on October 11, 2006, 11:12:10 AM
Seems like Sophos jumped on the HIPS bandwagon too: http://www.sophos.com/security/topic/behavioral-protection.html

Looks like one mentions it, a second experiments with it, and then all go for it ;)
Title: Re: Early code drop from avast 5 for you to test :-)
Post by: Littlemutt on October 11, 2006, 01:20:17 PM
Seems like Sophos jumped on the HIPS bandwagon too: http://www.sophos.com/security/topic/behavioral-protection.html

Looks like one mentions it, a second experiments with it, and then all go for it ;)

Yea, but at $60 US, kinda steep for an AV
Title: Re: Early code drop from avast 5 for you to test :-)
Post by: Lisandro on October 11, 2006, 01:54:09 PM
There is a utility called "Simple Process Termination" by System Safety.
You can download it here: http://syssafety.com/leaktests.html.
It could terminate ashDisp.exe, ashMaiSv.exe, ashServ.exe and ashUpdSv.exe
Do you mean using or not the AntiKill avast feature?

My firewall passed this test. None of the 16 methods could terminate its processes or services. When I go to "Administrating Tools"->"Services", I cannot manually stop it. The same thing was when I used Kaspersky Antivirus. I couldn't stop it anyhow, except by choosing the item "Exit" in its menu.
Which is your firewall?

Yes, but two securities are better than one, and remember that not everyone will upgrade to Vista when it comes out.  ;)
For the ones that stay with XP, the AntiKill feature will be added on version 5... won't it?
Title: Re: Early code drop from avast 5 for you to test :-)
Post by: ross on October 11, 2006, 04:14:19 PM
UAC does provide a new level of protection. But what happens if a trojan is embedded within a legitimate file? If the user accepts the UAC dialog elevation will occur, and Avast!'s processes may be terminated. Also, the behaviour blocker that is supposedly shipping with Avast! 5 will be a nice addition to UAC (because, even after UAC elevation, we may not want certain changes made).
Title: Re: Early code drop from avast 5 for you to test :-)
Post by: avatar2005 on October 11, 2006, 05:25:59 PM
Hi!
1) It's great you all keep developing Avast 5 ;)
2) I have a small question: will Avast 5 be divided into two versions just like Avast 4, or will the 5th version only be a Pro version (paid)? That would be disappointing for me, because I love using the free Home version; it's just awesome.
Thank you :)
Title: Re: Early code drop from avast 5 for you to test :-)
Post by: RejZoR on October 11, 2006, 07:31:52 PM
From what I was told, avast! will ALWAYS use this product model, so Home Edition for non-commercial personal usage and Pro for everything else.
Title: Re: Early code drop from avast 5 for you to test :-)
Post by: avatar2005 on October 11, 2006, 07:41:40 PM
That's very good! :)
Title: Re: Early code drop from avast 5 for you to test :-)
Post by: electronikk on October 12, 2006, 12:31:42 AM
Hi guys,

for adventurous types I have an early code drop of a new functionality from avast 5 - an avast process execution prevention module.

I'm glad to see that alwil is moving forward!

I'm curious: I just ordered my license for gdata's antivirenkit 2007 (avk) - will any of the new avast!5 technology be implemented in this or any version of the avk?
Title: Re: Early code drop from avast 5 for you to test :-)
Post by: xistenz on October 12, 2006, 10:45:52 AM
When can we expect avast! 5 to hit the shelves? (Figuratively speaking, of course)
Title: Re: Early code drop from avast 5 for you to test :-)
Post by: igor on October 12, 2006, 11:25:18 AM
I'm curious: I just ordered my license for gdata's antivirenkit 2007 (avk) - will any of the new avast!5 technology be implemented in this or any version of the avk?

Right now, the capabilities of the avast! engine in AVK are identical to the ones in avast! itself (possibly with small variations due to different build versions). What happens in the future is hard to forecast, of course ;)
However, the avast! engine in AVK is really just the scanning engine (unpackers + detection) - so I don't think these high-level features, such as protecting avast! processes, would be included there. AVK programmers handle this kind of thing themselves (which means that AVK might already include it, I don't know).

When can we expect avast! 5 to hit the shelves? (Figuratively speaking, of course)

Unknown yet, i.e. not very soon.
Title: Re: Early code drop from avast 5 for you to test :-)
Post by: Denisss on October 14, 2006, 01:26:24 PM
Do you mean using or not the AntiKill avast feature?
I mean that it should be upgraded.

Quote from: Tech
Which is your firewall?
My firewall is COMODO Personal Firewall (http://personalfirewall.comodo.com/)

Here is one more program. Avast! shows me that I've got a virus (Sign of "EICAR Test-NOT virus!!" has been found in "Program Files\Vanquish Media Inc\Win32v.com" file. AND Sign of "Win32:Orpheus [Wrm]" has been found in "Program Files\Vanquish Media Inc\Win32r_vanquish\bin\vanquish.exe" file.  ) after that avast! is closed by those viruses.
http://www.morgud.com/interests/security/dfk-threat-simulator.asp
Title: Re: Early code drop from avast 5 for you to test :-)
Post by: mouniernetwork on January 06, 2007, 03:59:52 PM
So is there a date for when Avast will be released ??
Has Avast found an AntiKill method ?
What is Avast's resolution on blocking normal ways to stop Avast ?

Thanks

Al968
Title: Re: Early code drop from avast 5 for you to test :-)
Post by: DavidR on January 06, 2007, 04:07:43 PM
So is there a date for when Avast will be released ??
Has Avast found an AntiKill method ?
What is Avast's resolution on blocking normal ways to stop Avast ?

1. No date has been given for avast version 5.

2. Did you read the first page ?

3. Download the antikill.zip and test it.

Hi guys,

for adventurous types I have an early code drop of a new functionality from avast 5 - an avast process execution prevention module. I'd be glad if you could test drive it on your machine (it seems to be pretty stable) and maybe even play a bit with it - i.e. use all the tricks in your arsenal and try to overcome the protection (i.e. manage to kill the avast process).

You can download the tiny package from here:
http://public.avast.com/~vlk/AntiKill.zip
Title: Re: Early code drop from avast 5 for you to test :-)
Post by: mouniernetwork on January 06, 2007, 04:09:40 PM
Thanks for the Reply
Actually I mean a newer version of the AntiKill feature, because as I pointed out there was a bug in the code.

Al968
Title: Re: Early code drop from avast 5 for you to test :-)
Post by: DavidR on January 06, 2007, 04:13:54 PM
I guess we will have to await a response from Vlk, or one of the Alwil team, to see if the antikill trial zip will be repeated with any bugs ironed out, or whether we will have to wait for the version 5 beta ;D whenever that is.
Title: Re: Early code drop from avast 5 for you to test :-)
Post by: YLAP on January 06, 2007, 06:24:20 PM
Interesting, current v.4.7.925 beta is the last before v.5   ;D ;D or will we see avast v.4.8 in the future? ;D ;D ;D ;D
Title: Re: Early code drop from avast 5 for you to test :-)
Post by: DavidR on January 06, 2007, 07:00:21 PM
Personally I think we will continue to see small incremental updates before version 5.
Title: Re: Early code drop from avast 5 for you to test :-)
Post by: mouniernetwork on January 07, 2007, 02:04:55 AM
Alwil Can we have the answers ??  ;D ;D

Thanks

Al968
Title: Re: Early code drop from avast 5 for you to test :-)
Post by: .: Mac :. on January 07, 2007, 05:18:21 AM
It seems Alwil is being hush-hush like Apple about product releases  ;D