Author Topic: Early code drop from avast 5 for you to test :-)  (Read 42921 times)


Offline Vlk

  • Avast CEO
  • Serious Graphoman
  • *
  • Posts: 11664
  • Please don't send me IM's. Email only. Thx.
    • ALWIL Software
Early code drop from avast 5 for you to test :-)
« on: July 13, 2006, 09:19:11 AM »
Hi guys,

for adventurous types I have an early code drop of a new functionality from avast 5 - an avast process execution prevention module. I'd be glad if you could test drive it on your machine (it seems to be pretty stable) and maybe even play a bit with it - i.e. use all the tricks in your arsenal and try to overcome the protection (i.e. manage to kill the avast process).

You can download the tiny package from here:
http://public.avast.com/~vlk/AntiKill.zip

Here's the contents of the readme.txt file included in that package:

=======================================
 Avast! Process Termination Prevention
=======================================

July 12, 2006
Early code drop from avast! 5
Copyright (c) 2006 ALWIL Software


Purpose
-------
The driver's goal is to prevent malware (or a malicious user) from killing avast's on-access scanner. There are many ways to kill a process under Windows, and this driver tries to cover most (if not all) of them.

Please note that normal means of stopping the avast protection are not prevented. Only the crude ones (i.e. killing one of the avast service processes). In other words, the avast service can still be stopped by using the command

net stop "avast! Antivirus"

(or via the Services Control Panel applet). This may change in the release version of avast 5 - we're currently evaluating the pros and cons of doing so (it's not a technical problem, rather a "political" decision; most likely, we'll make this configurable).


Installation
------------
1. Copy AntiKill.sys to \Windows\System32\Drivers
2. Run inst.reg (allow registry value import)
3. Restart the machine


Configuration Options
---------------------
At this time, there are no configuration options.
If the driver is running, it just protects the avast modules.


System Requirements
-------------------
Windows 2000 or Windows XP (32-bit versions only)


Feedback
--------
Please send respective comments / bug reports to vlk@avast.com.
Thank you.



Have fun! :)
Vlk
If at first you don't succeed, then skydiving's not for you.
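A verification script for testers, added here as an example; it is not part of Vlk's AntiKill package and it issues no kill attempt. It assumes the driver's registry service key is named AntiKill (inst.reg is not shown in the post) and that the service keeps the display name "avast! Antivirus" from the readme. The only protection probe it makes is an OpenProcess call asking for PROCESS_TERMINATE access, which a working anti-kill driver should refuse with ERROR_ACCESS_DENIED; the handle, if granted, is closed and nothing is terminated.

```powershell
# Added verification script (not part of the AntiKill package).
# Assumptions: service key "AntiKill" (inst.reg not shown), display name
# "avast! Antivirus" as given in the readme. Requires PowerShell 2.0 or later.
$driverFile = Join-Path $env:SystemRoot 'System32\Drivers\AntiKill.sys'
$driverKey  = 'HKLM:\SYSTEM\CurrentControlSet\Services\AntiKill'   # assumed key name

$checks = @{}

# 1. Installation checks: driver file copied, registry key imported, driver loaded.
$checks['DriverFilePresent'] = Test-Path $driverFile
$checks['ServiceKeyPresent'] = Test-Path $driverKey
$loaded = Get-WmiObject Win32_SystemDriver -Filter "Name='AntiKill'" |
          Where-Object { $_.State -eq 'Running' }
$checks['DriverLoaded'] = ($null -ne $loaded)

# 2. Locate the protected avast service process by the display name in the readme.
$svc = Get-WmiObject Win32_Service -Filter "DisplayName='avast! Antivirus'"
$checks['AvastServiceRunning'] = ($null -ne $svc -and $svc.State -eq 'Running')

# 3. Protection probe: request PROCESS_TERMINATE access on the service process.
#    Expected with the driver active: no handle, last error 5 (ERROR_ACCESS_DENIED).
Add-Type -Namespace Win32 -Name Native -MemberDefinition @'
[DllImport("kernel32.dll", SetLastError = true)]
public static extern IntPtr OpenProcess(uint dwDesiredAccess, bool bInheritHandle, uint dwProcessId);
[DllImport("kernel32.dll", SetLastError = true)]
public static extern bool CloseHandle(IntPtr hObject);
'@
$PROCESS_TERMINATE = 0x0001
if ($svc) {
    $h   = [Win32.Native]::OpenProcess($PROCESS_TERMINATE, $false, [uint32]$svc.ProcessId)
    $err = [Runtime.InteropServices.Marshal]::GetLastWin32Error()
    if ($h -ne [IntPtr]::Zero) {
        [void][Win32.Native]::CloseHandle($h)      # handle granted: protection not effective
        $checks['TerminateAccessDenied'] = $false
    } else {
        $checks['TerminateAccessDenied'] = ($err -eq 5)
    }
}

# 4. The readme says a normal SCM stop stays allowed; record whether the service
#    accepts stop requests (query only, no stop is issued).
$checks['ScmStopAccepted'] = ($null -ne $svc -and $svc.AcceptStop)

# Print one line per check; every value should read True on a correctly installed driver,
# except ScmStopAccepted, which the readme says stays True by design in this drop.
$checks.GetEnumerator() | Sort-Object Name | ForEach-Object {
    '{0,-24} {1}' -f $_.Name, $_.Value
}
```

Run it from an elevated prompt on the test VM after the reboot in step 3; a False in DriverLoaded with True in the two installation checks usually means the reboot was skipped or the service key name differs from the assumed one.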

..::ReVaN::..

  • Guest
Re: Early code drop from avast 5 for you to test :-)
« Reply #1 on: July 13, 2006, 09:37:14 AM »
Interesting! I'll have to try this on my virtual machine ...  ;D

Offline RejZoR

  • Polymorphic Sheep
  • Serious Graphoman
  • *****
  • Posts: 9384
  • We are supersheep, resistance is futile!
    • RejZoR's Flock of Sheep
Re: Early code drop from avast 5 for you to test :-)
« Reply #2 on: July 13, 2006, 10:29:38 AM »
So, an actual avast! 5 part ;D

EDIT:
One question, not sure if it's related.
When I have avast! installed and fully operational, I cannot see the "avast! Standard Shield" driver under "Non-Plug and Play Drivers". But when I uninstall avast!, all of a sudden it's there. Is this already a means of protecting current avast! versions, or something else?
« Last Edit: July 13, 2006, 10:42:33 AM by RejZoR »
Visit my webpage Angry Sheep Blog

Offline Vlk

Re: Early code drop from avast 5 for you to test :-)
« Reply #3 on: July 13, 2006, 10:51:47 AM »
Quote
When I have avast! installed and fully operational, I cannot see the "avast! Standard Shield" driver under "Non-Plug and Play Drivers". But when I uninstall avast!, all of a sudden it's there. Is this already a means of protecting current avast! versions, or something else?


Probably something else :). There's no code in avast that would be causing this deliberately.

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67247
Re: Early code drop from avast 5 for you to test :-)
« Reply #4 on: July 13, 2006, 01:43:15 PM »
Testing...
Glad that the development did not stop  :)
The best things in life are free.

Offline XMAS

  • Avast translator
  • Super Poster
  • ***
  • Posts: 1211
  • Santa is watching you ;)
    • avast! in Bulgarian
Re: Early code drop from avast 5 for you to test :-)
« Reply #5 on: July 13, 2006, 02:13:18 PM »
Hi Vlk  ;D

Just "installed" the new part, and almost everything is OK, but after I restarted my PC I don't have sound in my Resident Protection (I mean there are no sounds for VPS update, Virus Found and so on... and I can't enable them), and also the Resident Provider window is in Win98/NT interface style (I've attached a picture). Is this related to this new part installation? In the On-Demand scanner and the other parts of avast! everything is fine.  :-[

EDIT: The picture is now attached  :)
« Last Edit: July 13, 2006, 02:50:27 PM by .:X:M:A:S:. »
You've Got To Get Close To The Flame To See What It's Made Of...

Offline RejZoR

Re: Early code drop from avast 5 for you to test :-)
« Reply #6 on: July 13, 2006, 04:24:02 PM »
Vlk, what about avast! registry and file tampering? Something like Kaspersky's Self-Defense, which prevents all kinds of modifications to program components unless they are performed by the program itself (so they are allowed).

Offline Vlk

Re: Early code drop from avast 5 for you to test :-)
« Reply #7 on: July 13, 2006, 05:36:42 PM »
Quote
Vlk, what about avast! registry and file tampering? Something like Kaspersky's Self-Defense, which prevents all kinds of modifications to program components unless they are performed by the program itself (so they are allowed).


Of course. We're talking about a behavior blocker here.
Another favorite feature of avast 5. ;) :)

Offline RejZoR

Re: Early code drop from avast 5 for you to test :-)
« Reply #8 on: July 13, 2006, 05:40:09 PM »
Ok, that too, but I meant self-protection of avast! registry keys and files too, not just anti process termination. I mean, the process can be running, but if I erase half the avast! folder and all its registry keys it won't help much, right? Plus the behavior blocker could be triggered when some external file tries to tamper with avast! files.
« Last Edit: July 13, 2006, 05:41:43 PM by RejZoR »

Offline Vlk

Re: Early code drop from avast 5 for you to test :-)
« Reply #9 on: July 13, 2006, 05:53:15 PM »
Quote
Ok, that too, but I meant self-protection of avast! registry keys and files too, not just anti process termination. I mean, the process can be running, but if I erase half the avast! folder and all its registry keys it won't help much, right? Plus the behavior blocker could be triggered when some external file tries to tamper with avast! files.



Technically, this IS the behavior blocker. A preset rule of the behavior blocker, to be more specific... :)

Offline RejZoR

Re: Early code drop from avast 5 for you to test :-)
« Reply #10 on: July 13, 2006, 05:54:23 PM »
Ok, cool then ;) Btw could you guys plz use more generic signatures till you release this behavior blocker? :P ;D

Offline Vlk

Re: Early code drop from avast 5 for you to test :-)
« Reply #11 on: July 13, 2006, 05:59:42 PM »
I'm hoping that another batch of them will be released just before the deadline for the upcoming av-comparatives.org test, that is, in about 3 weeks. ;)

Offline RejZoR

Re: Early code drop from avast 5 for you to test :-)
« Reply #12 on: July 13, 2006, 06:01:10 PM »
Generic ones like Win32:Ardamax-gen, Win32:SdBot-genXX, Win32:Rbot-gen and Win32:Agent-gen etc., not those Trojan-gen :P

Offline avvidro

  • Jr. Member
  • **
  • Posts: 75
  • I'm not a llama!
Re: Early code drop from avast 5 for you to test :-)
« Reply #13 on: July 14, 2006, 03:40:26 PM »
Good, very good.   ;D

But, won't there be some minor update or release before then (say e.g. Avast 4.8)?

Things like separating avast data from avast executables would be essential, but not with great "merchan" appeal. For version 5, the idea of using idle times to perform scans or other actions (present in Windows XP) could be used (continuing to have speed and low resource consumption as the order of the day), lowering memory usage of the services when they are not "activating" so much, etc... I suppose that these and other things are already used by the architects, but it does not cost a thing to say... ;)

Offline nomad

  • Newbie
  • *
  • Posts: 1
Re: Early code drop from avast 5 for you to test :-)
« Reply #14 on: July 15, 2006, 01:47:54 PM »
Quote
Technically, this IS the behavior blocker. A preset rule of the behavior blocker, to be more specific... :)

This indeed sounds interesting. Will it also prevent Code Injection into a running process' memory environment?

-- tom