Author Topic: Early code drop from avast 5 for you to test :-)  (Read 43086 times)


Offline igor

  • Avast team
  • Serious Graphoman
  • *
  • Posts: 11808
    • AVAST Software
Re: Early code drop from avast 5 for you to test :-)
« Reply #15 on: July 15, 2006, 10:53:13 PM »
I believe the current version (protecting avast! processes) prevents code injection as well (though there are probably multiple ways to do that) - so I'd say the answer would be yes.

Offline RejZoR

  • Polymorphic Sheep
  • Serious Graphoman
  • *****
  • Posts: 9385
  • We are supersheep, resistance is futile!
    • RejZoR's Flock of Sheep
Re: Early code drop from avast 5 for you to test :-)
« Reply #16 on: July 19, 2006, 10:23:28 AM »
Wow, interesting toy it is :) To my surprise it's extremely resistant.
avast! processes aren't even listed in the Advanced Process Termination tool (you can't terminate stuff that's not listed), tampering with them in Task Manager is impossible.
Process Explorer also can't do a thing. I have to test two more things and then I'll report back again :)
Visit my webpage Angry Sheep Blog

Offline ross

  • Jr. Member
  • **
  • Posts: 46
Re: Early code drop from avast 5 for you to test :-)
« Reply #17 on: July 19, 2006, 02:03:03 PM »
IceSword 1.16en can terminate all of the processes apparently.  :-\

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67247
Re: Early code drop from avast 5 for you to test :-)
« Reply #18 on: July 24, 2006, 03:47:08 PM »
How to uninstall the Avast! Process Termination Prevention?

I've sent a comment / bug report to vlk@avast.com

I think I found a bug or a non-good interaction with IDS monitor...
Maybe I'm wrong but some processes are 'running' hidden in background and the GUI does not appear  ??? ::)

For instance, here, trying to install a new ClamWin version...  :P
The best things in life are free.

Offline Vlk

  • Avast CEO
  • Serious Graphoman
  • *
  • Posts: 11664
  • Please don't send me IM's. Email only. Thx.
    • ALWIL Software
Re: Early code drop from avast 5 for you to test :-)
« Reply #19 on: July 24, 2006, 07:33:33 PM »
Quote
IceSword 1.16en can terminate all of the processes apparently.

Well, IceSword operates in kernel mode (it's an anti-rootkit tool) and for that reason, it can do whatever patching it needs to. Either we kill it first, or it kills us, it's as simple as that (it's a cat & mouse game).

In avast 5, the anti-termination feature will be accompanied by a comprehensive behavior blocker, and one of the behavior blocker triggers will be installation of kernel-mode code. So, it will at least warn you that an application (IceSword in this case) is attempting to load some code into the kernel, and you will be given a chance to block that (and of course, the program will then deny to load and no process killing will take place).


Thanks :)
Vlk
If at first you don't succeed, then skydiving's not for you.

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67247
Re: Early code drop from avast 5 for you to test :-)
« Reply #20 on: July 24, 2006, 07:52:45 PM »
The best things in life are free.

Offline RejZoR

  • Polymorphic Sheep
  • Serious Graphoman
  • *****
  • Posts: 9385
  • We are supersheep, resistance is futile!
    • RejZoR's Flock of Sheep
Re: Early code drop from avast 5 for you to test :-)
« Reply #21 on: July 24, 2006, 07:54:32 PM »
Just delete the registry entries that you imported, delete the driver and reboot the system. That's it. The behavior blocker will again keep an eye on these two parts in case someone or something wants to tamper with the protection driver.
Visit my webpage Angry Sheep Blog

Offline Dwarden

  • Avast Evangelist
  • Super Poster
  • ***
  • Posts: 1791
  • Ideas, that's ocean without borders!
    • Bohemia Interactive
Re: Early code drop from avast 5 for you to test :-)
« Reply #22 on: July 25, 2006, 04:41:52 PM »
Quote
IceSword 1.16en can terminate all of the processes apparently.

Well, IceSword operates in kernel mode (it's an anti-rootkit tool) and for that reason, it can do whatever patching it needs to. Either we kill it first, or it kills us, it's as simple as that (it's a cat & mouse game).

In avast 5, the anti-termination feature will be accompanied by a comprehensive behavior blocker, and one of the behavior blocker triggers will be installation of kernel-mode code. So, it will at least warn you that an application (IceSword in this case) is attempting to load some code into the kernel, and you will be given a chance to block that (and of course, the program will then deny to load and no process killing will take place).


Thanks :)
Vlk


Hi Vlk,

Is it just me, or does this sound like a sort of HIPS (aka ProcessGuard / System Safety Monitor)?
https://twitter.com/FoltynD , Tech. Community, Online Services & Distribution manager of Bohemia Interactive

Offline RejZoR

  • Polymorphic Sheep
  • Serious Graphoman
  • *****
  • Posts: 9385
  • We are supersheep, resistance is futile!
    • RejZoR's Flock of Sheep
Re: Early code drop from avast 5 for you to test :-)
« Reply #23 on: July 25, 2006, 04:57:10 PM »
It will be something like Panda TruPrevent or Kaspersky Proactive Defense Module.
Visit my webpage Angry Sheep Blog

Offline Vlk

  • Avast CEO
  • Serious Graphoman
  • *
  • Posts: 11664
  • Please don't send me IM's. Email only. Thx.
    • ALWIL Software
Re: Early code drop from avast 5 for you to test :-)
« Reply #24 on: July 25, 2006, 05:58:17 PM »
HIPS is a good word, too. Yes, you got it right ;)
If at first you don't succeed, then skydiving's not for you.

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67247
Re: Early code drop from avast 5 for you to test :-)
« Reply #25 on: July 25, 2006, 07:34:23 PM »
Vlk, the problem occurred when using Kerio and the Application Behavior Blocking monitor (one application started by another).
It's not only with the second option (HIPS) that is only available in the paid version of Kerio.
On the freeware version, even without HIPS, avast antikill feature 'conflicts' with the Application Behavior Blocking.
I don't know if this will be a problem or not... With Comodo firewall, which does not have this feature, no problem.

Will this feature conflict with System Safety Monitor as stated above?
« Last Edit: July 25, 2006, 07:38:14 PM by Tech »
The best things in life are free.

Offline al968

  • Avast Evangelist
  • Advanced Poster
  • ***
  • Posts: 847
Re: Early code drop from avast 5 for you to test :-)
« Reply #26 on: August 23, 2006, 10:27:22 PM »
Sure sounds very exciting, this avast 5  ;D
I'm going to try the protection myself.  ::)

MounierNetwork

Offline al968

  • Avast Evangelist
  • Advanced Poster
  • ***
  • Posts: 847
Re: Early code drop from avast 5 for you to test :-)
« Reply #27 on: August 29, 2006, 06:37:52 PM »
Hello,

I just tested the antikill feature and it works great  ;)
The only thing is that it actually works too well in disabling the shutdown of the process named ashdisp.exe, etc... this can be exploited by a malware which would be named ashdisp.exe or any other file name that is protected by the driver. :P
Try it: take any application and change its name to ashdisp.exe and you won't be able to shut it down.
Maybe specifying the path and the filenames would be better; that way the files would have to be replaced by the virus, which is impossible, or maybe checking the MD5 for which file to protect.

I hope this helps  ;)

Al968

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 85959
  • No support PMs thanks
Re: Early code drop from avast 5 for you to test :-)
« Reply #28 on: August 29, 2006, 08:58:12 PM »
ashDisp.exe is the avast icon and interface to the on-access providers, it doesn't actually have any security function other than it is a pain in the rear when it isn't there. It is just a windows startup item and not a full blown avast service.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 21.9.2494 (build 21.9.6698.703) UI 1.0.672/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

Offline al968

  • Avast Evangelist
  • Advanced Poster
  • ***
  • Posts: 847
Re: Early code drop from avast 5 for you to test :-)
« Reply #29 on: August 29, 2006, 11:05:03 PM »
Yes, I do know that, but I do not see the relation with my previous post.
As I mentioned in my previous post, the problem is that if a malware has the same filename as any avast application, such as:
ashServ.exe
ashWebSv.exe
ashMaiSv.exe
ashDisp.exe
aswUpdSv.exe
avast.setup
aswServ.exe
aswWebSv.exe
aswMaiSv.exe
aswDisp.exe
AvAgent.exe

then neither avast nor any program will be able to stop it.
Please do download McAfee Stinger, rename it aswMaiSv.exe, then run it and try to stop it using the Task Manager.
You won't be able to because of the new antikill.

Hope this clarifies my previous post  ;)

Al968
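As an added illustration of the name-only weakness al968 describes in replies #27 and #29, and of the path-plus-hash check he suggests: this is example code written for this thread, not the avast driver's logic; the process names come from the post, while the install path, file bytes and sample processes are constructed stand-ins.

```python
import hashlib
import hmac
from dataclasses import dataclass

# Weak policy (what the post describes): protect by image name alone.
# Names are taken from the post; everything else here is constructed.
PROTECTED_NAMES = {"ashserv.exe", "ashwebsv.exe", "ashmaisv.exe",
                   "ashdisp.exe", "aswupdsv.exe", "aswmaisv.exe"}

# Stand-in for the bytes of the genuine executable (constructed, not the real file).
GENUINE_ASHDISP = b"constructed stand-in for the genuine ashDisp.exe image"
# Hypothetical install path; the real location is not given in the thread.
ASHDISP_PATH = r"c:\placeholder\avast\ashdisp.exe"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Hardened policy (al968's suggestion): protect by full path AND file hash.
PROTECTED_IDENTITIES = {ASHDISP_PATH: sha256_hex(GENUINE_ASHDISP)}


@dataclass(frozen=True)
class Process:
    image_name: str     # name as shown in Task Manager
    image_path: str     # full path of the executable on disk
    image_bytes: bytes  # contents of that file (constructed in the samples)


def protected_by_name(proc: Process) -> bool:
    """Any process whose name matches is shielded, whatever it really is."""
    return proc.image_name.lower() in PROTECTED_NAMES


def protected_by_identity(proc: Process) -> bool:
    """Only a file at the expected path with the expected hash is shielded."""
    expected = PROTECTED_IDENTITIES.get(proc.image_path.lower())
    if expected is None:
        return False
    return hmac.compare_digest(expected, sha256_hex(proc.image_bytes))


# Constructed sample processes: genuine, renamed copy, and in-place replacement.
GENUINE = Process("ashDisp.exe", ASHDISP_PATH, GENUINE_ASHDISP)
RENAMED = Process("ashDisp.exe", r"c:\users\test\desktop\ashdisp.exe",
                  b"unrelated program renamed to look like avast")
REPLACED = Process("ashDisp.exe", ASHDISP_PATH, b"file at the real path swapped out")


def decisions(proc: Process) -> dict:
    return {"by_name": protected_by_name(proc),
            "by_identity": protected_by_identity(proc)}
```

Only the genuine process is shielded under the identity policy; the renamed copy and the swapped file are shielded by name but fail the path/hash check.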