Author Topic: AntiVirusDisableNotify  (Read 10587 times)


Offline Alan Baxter

  • Avast Evangelist
  • Poster
  • ***
  • Posts: 412
AntiVirusDisableNotify
« on: March 16, 2009, 03:21:31 AM »
It looks like avast! may have set the Windows registry HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify to 1, i.e. Windows itself won't provide a notification if avast! On-Access is disabled or paused.  I suppose the Windows notification is unnecessary because avast! provides its own notification in the system tray.  Is my assumption correct that this registry mod was done by avast! and it's appropriate to add it to my MBAM ignore list?

The reason I mention this now is because the MBAM scan I ran an hour ago reported it as a Security Center hijack:
Quote
Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Hijack.SecurityCenter) -> Bad: (1) Good: (0)

Apparently MBAM just added this check a couple of days ago.  A search in the MBAM forum provided me with an analysis at http://www.malwarebytes.org/forums/index.php?showtopic=12624&view=findpost&p=64638
Quote
I too received the following errors on my scan today. I got this in my restricted user account on Window$ XP SP3. My understanding of the cause of these entries on my system is:

AntiVirusDisableNotify (Hijack.SecurityCenter) - Avast Pro anti-virus disabled this and is currently installed, updating and running correctly

MBAM's lead researcher responded:
Quote
QUOTE
Why did these entries suddenly appear?


We were asked to start fixing these as multiple infections are disabling them. Security center notification defs were added yesterday.

QUOTE
Is my interpretation on the entries above reasonable?


Yes

QUOTE
Is it safe to keep these entries in the ignore list permanently? (assuming the above reasons continue to be valid)


Yes it is safe and this is the correct course of action for all user/legit software initiated system modifications that MBAM may detect.

One thing people reading this need to keep in mind is that there is no way to tell how something got disabled, only that it is. The vast majority of people never go beyond the antivirus software preinstalled on their system and the occasional free scanner so these detections (for the vast majority of people) will only show up if malware has disabled them.

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 84113
  • No support PMs thanks
Re: AntiVirusDisableNotify
« Reply #1 on: March 16, 2009, 03:39:17 AM »
Not on mine it isn't; I haven't made any changes to this setting, see image.

What I do find strange now you point me in that direction are all the other security applications (junk) mentioned that have never been installed on this system, there by default in my registry and not a single mention of avast bah.
Windows 10 Home 2004 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 20.9.2437 (build 20.9.5758.0) UI-1.0.579/ WinPatrol+/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

Offline Alan Baxter

  • Avast Evangelist
  • Poster
  • ***
  • Posts: 412
Re: AntiVirusDisableNotify
« Reply #2 on: March 16, 2009, 04:16:11 AM »
I reinstalled avast! just last month on Feb 8.  Maybe this comes with a new installation now.  Or possibly it's a remnant from when I was using AVG a couple of years ago.

Quote
What I do find strange now you point me in that direction are all the other security applications (junk) mentioned that have never been installed on this system, there by default in my registry and not a single mention of avast bah.

Yeah.  What's that about?!

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 84113
  • No support PMs thanks
Re: AntiVirusDisableNotify
« Reply #3 on: March 16, 2009, 04:58:47 PM »
Totally baffled and I don't believe it is because they are MS approved products as I believe there would be more.

Offline YoKenny

  • Serious Graphoman
  • **
  • Posts: 8786
Re: AntiVirusDisableNotify
« Reply #4 on: March 16, 2009, 09:35:41 PM »
It's a bit different on my Vista system



I don't get any errors reported by MBAM though and if I did I would be over in MBAM's forum right away checking for False Positives.
E5200 2.5GHZ, 4GB RAM, 320GB HD, Windows 7 Home Premium 64bit, avast! V9.0 Free, IE10
P4 2.8GHZ, 1.5GB RAM, 40GB HD, XP Pro SP3 32bit, avast! V9.0 Free, Google Chrome
with hpHosts, MVPS HOSTS files, SpeedFan, WinPatrol PLUS

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 32809
  • malware fighter
Re: AntiVirusDisableNotify
« Reply #5 on: March 16, 2009, 09:47:20 PM »
Hi YoKenny,

Found these two messages after a scan with MBAM, well it is about the Windows AV solution and the Windows firewall solution; if you have third-party software installed these settings should be like that. So when you install ZA firewall for instance the sort-of-firewall the MS provides should be disabled.

polonus
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

Offline YoKenny

  • Serious Graphoman
  • **
  • Posts: 8786
Re: AntiVirusDisableNotify
« Reply #6 on: March 17, 2009, 02:32:14 AM »
Quote
It's a bit different on my Vista system



I don't get any errors reported by MBAM though and if I did I would be over in MBAM's forum right away checking for False Positives.

Mystery is solved.

That key does not exist in Vista so it's not detected:
http://www.malwarebytes.org/forums/index.php?s=&showtopic=12670&view=findpost&p=64843
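
A read-only check of the value discussed in this thread, as an added example that is not part of any post and not avast! or MBAM code. It reports whether AntiVirusDisableNotify is 0, 1 or absent (as reported for Vista), and treats a 1 as expected only when the caller states the change was made by the user or legitimate software; the function name and the `-KnownLegitChange` switch are assumptions made for this illustration.

```powershell
# Added example: read-only audit of the Security Center value from this thread.
# Get-AvDisableNotifyState and -KnownLegitChange are hypothetical names.
function Get-AvDisableNotifyState {
    param(
        # Set this when the user or installed security software is known to
        # have changed the setting (the case where an ignore-list entry fits).
        [switch]$KnownLegitChange
    )

    $keyPath   = 'HKLM:\SOFTWARE\Microsoft\Security Center'
    $valueName = 'AntiVirusDisableNotify'

    # The key or the value may be missing; suppress the error and test for $null.
    $item = Get-ItemProperty -Path $keyPath -Name $valueName -ErrorAction SilentlyContinue
    if ($null -eq $item) {
        return [pscustomobject]@{
            Value   = $null
            Status  = 'NotPresent'
            Comment = 'Value does not exist on this system; nothing to evaluate.'
        }
    }

    $value = [int]$item.$valueName
    if ($value -eq 0) {
        $status  = 'Good'
        $comment = 'Windows will notify when antivirus is disabled or paused.'
    }
    elseif ($value -eq 1 -and $KnownLegitChange) {
        $status  = 'ExpectedChange'
        $comment = 'Notification suppressed by a known user or software change.'
    }
    elseif ($value -eq 1) {
        # The registry does not record who set the value, so this needs review.
        $status  = 'Investigate'
        $comment = 'Notification suppressed and the origin of the change is unknown.'
    }
    else {
        $status  = 'Unexpected'
        $comment = 'Value is neither 0 nor 1.'
    }

    [pscustomobject]@{ Value = $value; Status = $status; Comment = $comment }
}

# Example call on a machine where third-party antivirus is known to be installed:
Get-AvDisableNotifyState -KnownLegitChange | Format-List
```

The function only reads the registry, so it can be run from a limited user account; run it without the switch first to see how an unexplained 1 is reported.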