Author Topic: Protecting avast! services  (Read 10072 times)


Offline Lars-Erik

  • Avast Evangelist
  • Sr. Member
  • ***
  • Posts: 394
    • Lars-Erik Østerud
Protecting avast! services
« on: April 18, 2005, 12:59:30 AM »
With the new mail scanner the mail is scanned when the service is running. BUT if someone (could be a program) stops the mail scanning service the mail still works - but is not scanned anymore - no warning.

Is there a way to protect the avast! services?

I can see that the ZoneAlarm TrueVector service (vsmon) is protected in some way. Even with administrator rights it's not possible to change any service setting, nor to stop the service. How did they do that?

How can I do the same for the avast! services? Protect them against settings changes, stopping them and so on (if ZoneLabs can, then...)
www.osterud.name - ICQ: 7297605 - AIM/Yahoo/Facebook/Skype/Astra: LarsErikOsterud

sded

  • Guest
Re: Protecting avast! services
« Reply #1 on: April 18, 2005, 01:33:57 AM »
Depending on your firewall, most keep track of a checksum (MD5 or similar) for each of the programs allowed access. If an avast! service is modified, your firewall should tell you and ask for permission for the modified program - which you should deny unless you have just consciously done an avast! update. For secure email, you can search on ssl or stunnel here to find an avast! approach that will only send or receive email when the avast! email provider is running.

Offline Lars-Erik

  • Avast Evangelist
  • Sr. Member
  • ***
  • Posts: 394
    • Lars-Erik Østerud
Re: Protecting avast! services
« Reply #2 on: April 18, 2005, 01:37:11 AM »
I'm not afraid of someone changing the avast! files. I'm worried that one could STOP the mail-scanner service (just with a "net stop") without any warning, and then mail traffic goes through unscanned.

ZoneLabs protects their service (you can't stop it or change the settings of the service, not even with administrator rights).

I'd like to do that with the avast! services as well.

The new transparent mail-scanner is nice, but the downside is that if the service is stopped you won't notice that mail is not scanned anymore (with the old solution, mail could not be sent when the service was down)
www.osterud.name - ICQ: 7297605 - AIM/Yahoo/Facebook/Skype/Astra: LarsErikOsterud

sded

  • Guest
Re: Protecting avast! services
« Reply #3 on: April 18, 2005, 01:52:15 AM »
Again, a firewall answer. I use KPF 2.1.5, and do not allow email to go in or out except through avast! The email client has only permission to access the email proxy (127.0.0.1:25, for example); direct access to the mail server is blocked. Only the email service has permission to access the mail server. Similar rules for other firewalls.

Offline Lars-Erik

  • Avast Evangelist
  • Sr. Member
  • ***
  • Posts: 394
    • Lars-Erik Østerud
Re: Protecting avast! services
« Reply #4 on: April 18, 2005, 01:55:29 AM »
But that's not possible with all firewalls. ZA sets access for programs. And I can't block internet access for Forte Agent. Even if I filter both news and e-mail through avast! it uses internet connections directly for other things (I guess anyway). With the transparent avast! e-mail scanner it should be able to restrict service control (like ZA does) to be sure (or more sure) that the avast! service cannot easily be stopped (today it's very easy to stop, just a "net stop" command from anywhere)
www.osterud.name - ICQ: 7297605 - AIM/Yahoo/Facebook/Skype/Astra: LarsErikOsterud

sded

  • Guest
Re: Protecting avast! services
« Reply #5 on: April 18, 2005, 02:14:02 AM »
For Zone Alarm, you may need the Pro version? - it has been a while. For Sygate, Kerio, most other free firewalls you can set up packet filters like this. Using SSL/TLS email this all works independent of firewall by using stunnel as the mail access gate to the internet and setting up explicit proxies.

Offline Lars-Erik

  • Avast Evangelist
  • Sr. Member
  • ***
  • Posts: 394
    • Lars-Erik Østerud
Re: Protecting avast! services
« Reply #6 on: April 18, 2005, 02:16:45 AM »
OK, but my original questions still stand:

How do I protect the avast! services from "stop" and editing the properties, in the same way "vsmon" is protected?

ZoneLabs did it. So there has to be a way to do it?
Some rights that can be set somewhere in Windows
(all controls from their service is greyed out)
www.osterud.name - ICQ: 7297605 - AIM/Yahoo/Facebook/Skype/Astra: LarsErikOsterud

sded

  • Guest
Re: Protecting avast! services
« Reply #7 on: April 18, 2005, 03:44:22 AM »
I have not done it myself, but I think you can also go through the W98 explicit mail setup procedures (see the help file) to prevent direct access to the internet mail servers if avast! is stopped.  Have no idea on how to protect the services from being stopped, but maybe you can start out not being compromised by it.

Offline Lars-Erik

  • Avast Evangelist
  • Sr. Member
  • ***
  • Posts: 394
    • Lars-Erik Østerud
Re: Protecting avast! services
« Reply #8 on: April 18, 2005, 12:05:51 PM »
Yes, I have used the old style mail scanner, and that will stop mail access if the service is down - for the configured mail clients. Other mail clients will have direct access. The pro of the new way to do it is that all mail clients will be scanned. The con is that if the service stops then all mail clients still have access.

So the best way would be protecting the service like ZoneLabs has done (no one can stop it). Must be some setting somewhere for that.
www.osterud.name - ICQ: 7297605 - AIM/Yahoo/Facebook/Skype/Astra: LarsErikOsterud

Spyros

  • Guest
Re: Protecting avast! services
« Reply #9 on: April 18, 2005, 12:18:16 PM »
You can protect avast services with Process Guard http://www.diamondcs.com.au/processguard/index.php?page=download

Offline Vlk

  • Avast CEO
  • Serious Graphoman
  • *
  • Posts: 11658
  • Please don't send me IM's. Email only. Thx.
    • ALWIL Software
Re: Protecting avast! services
« Reply #10 on: April 18, 2005, 12:50:30 PM »
Well, I'd stay away from ProcessGuard... I've seen way too many (hard-to-track) problems with this program. Just my €0.02 worth. ;)
If at first you don't succeed, then skydiving's not for you.

Spyros

  • Guest
Re: Protecting avast! services
« Reply #11 on: April 18, 2005, 01:43:39 PM »
Well, I'd stay away from ProcessGuard... I've seen way too many (hard-to-track) problems with this program. Just my €0.02 worth. ;)

If you write that over at Wilders, they'll probably shoot you  ;D
I've tried it for a while, but I didn't need it. But I won't say that it isn't good at what it is supposed to do. It does have some problems though (for me, Diskeeper wouldn't stop running  >:( ).

Arup

  • Guest
Re: Protecting avast! services
« Reply #12 on: April 18, 2005, 02:12:51 PM »
There is a free app called Antihook which won't let any process not in its list hook to another program; you can give it a try.

Offline Dwarden

  • Avast Evangelist
  • Super Poster
  • ***
  • Posts: 1793
  • Ideas, that's ocean without borders!
    • Bohemia Interactive
Re: Protecting avast! services
« Reply #13 on: April 18, 2005, 07:40:14 PM »
Well, I'd stay away from ProcessGuard... I've seen way too many (hard-to-track) problems with this program. Just my €0.02 worth. ;)

I will concur this time ... the full version of Process Guard 3.150 is more stable than e.g. Kerio 4.2.x and their "HIPS" :))
(BSODs caused by KPF in past years on my test systems go into the hundreds, but since they started to experiment with various injection preventions it turned worse :))

To be fair to PG ... after I finally was able to configure it right and understood how and what exactly to define ... I have zero compatibility problems (usually any stability problem is caused by another software or drivers (e.g. abnormal hooking methods or accesses to memory))

There are some drawbacks when someone uses PG ...
first ... if You are not a SKILLED person in Windows OS usage ... then forget about it ...
second ... if You refuse to read PG manuals, FAQs and forums ... then forget about using it

Also PG is not for gamers !...

The anticheat solution PunkBuster for now refuses to let users with PG join PB protected games (for an obvious reason, as it was used to hide cheats and prevent PB from operating)

PG is good software but only for users who really understood what it does ...

So there are not many applications similar to Process Guard
but I will suggest taking a look at System Safety Monitor or Tiny Firewall 2005
there are of course more but these 3 are a good start ...
https://twitter.com/FoltynD , Tech. Community, Online Services & Distribution manager of Bohemia Interactive

Offline Lars-Erik

  • Avast Evangelist
  • Sr. Member
  • ***
  • Posts: 394
    • Lars-Erik Østerud
Re: Protecting avast! services
« Reply #14 on: April 18, 2005, 08:10:57 PM »
But but but :-)

ZoneLabs manage to protect their "vsmon" service w/o any extras.

They have just disabled the "Stop" button and you can't edit properties on the service.

This has to be something you can set in Windows (w/o any extra program).

Why hasn't avast! done this (to prevent something from stopping its services)? It should be easy (I guess it's done when the service is added) and effective (haven't found any way to either edit or stop the "vsmon" service from ZoneLabs once it has started - very good)
www.osterud.name - ICQ: 7297605 - AIM/Yahoo/Facebook/Skype/Astra: LarsErikOsterud
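
Added example, not part of the thread and not avast! or ZoneLabs code: Windows services carry their own access control list, and one way to see who may stop or reconfigure a service is to audit the SDDL string that `sc sdshow <service>` prints. The thread does not say which mechanism vsmon uses; both SDDL strings below are constructed samples, and the parser assumes the two-letter rights form.

```python
import re

# SDDL two-letter codes as they apply to Windows service objects.
SERVICE_RIGHTS = {
    "CC": "QUERY_CONFIG", "DC": "CHANGE_CONFIG", "LC": "QUERY_STATUS",
    "SW": "ENUMERATE_DEPENDENTS", "RP": "START", "WP": "STOP",
    "DT": "PAUSE_CONTINUE", "LO": "INTERROGATE", "CR": "USER_DEFINED_CONTROL",
    "SD": "DELETE", "RC": "READ_CONTROL", "WD": "WRITE_DAC",
    "WO": "WRITE_OWNER", "GA": "GENERIC_ALL",
}
# Rights that allow stopping, reconfiguring, deleting or re-ACLing the service.
TAMPER = {"STOP", "CHANGE_CONFIG", "DELETE", "WRITE_DAC", "WRITE_OWNER",
          "GENERIC_ALL"}

# Constructed samples: a typical default service DACL, and a tightened one
# where Administrators (BA) keep start/query rights but lose the tamper rights.
DEFAULT_SDDL = ("D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)"
                "(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)")
HARDENED_SDDL = "D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCLCSWRPLOCRRC;;;BA)(A;;CCLCSWLOCRRC;;;IU)"

def parse_dacl(sddl):
    """Return [(ace_type, trustee, rights)] for the DACL of an SDDL string."""
    m = re.search(r"D:[A-Z]*((?:\([^)]*\))+)", sddl)
    if not m:
        raise ValueError("no DACL found")
    aces = []
    for body in re.findall(r"\(([^)]*)\)", m.group(1)):
        fields = body.split(";")
        if len(fields) < 6:
            raise ValueError(f"malformed ACE: ({body})")
        ace_type, rights, trustee = fields[0], fields[2], fields[5]
        if rights.startswith("0x"):
            raise ValueError("hex access masks are not handled here")
        names = {SERVICE_RIGHTS.get(c, c) for c in re.findall("..", rights)}
        aces.append((ace_type, trustee, names))
    return aces

def tamper_report(sddl):
    """Map trustee -> tamper rights allowed and not denied to that trustee.
    Per-trustee view only: group membership is not resolved."""
    allowed, denied = {}, {}
    for ace_type, trustee, names in parse_dacl(sddl):
        bucket = allowed if ace_type == "A" else denied if ace_type == "D" else None
        if bucket is not None:
            bucket.setdefault(trustee, set()).update(names & TAMPER)
    report = {t: sorted(r - denied.get(t, set())) for t, r in allowed.items()}
    return {t: r for t, r in report.items() if r}

if __name__ == "__main__":
    for label, sddl in (("default", DEFAULT_SDDL), ("hardened", HARDENED_SDDL)):
        print(label, tamper_report(sddl))
```

An ACL tightened this way blocks a plain "net stop" from an administrator account, but an administrator can still take ownership of the service object and rewrite the ACL, so it raises the bar rather than making the service unstoppable.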