Author Topic: excluding known trojans  (Read 9776 times)


Offline aphexv3

  • Newbie
  • *
  • Posts: 1
excluding known trojans
« on: August 25, 2004, 03:17:20 AM »
If I know a file is a trojan/virus, how can I exclude it? I don't want to move/rename it or move it to the Chest; I want to leave it right where it is and have avast ignore the file in the future, like most antivirus programs do. Can avast do this?

Offline techie101returns

  • Avast Evangelist
  • Super Poster
  • ***
  • Posts: 1900
Re: excluding known trojans
« Reply #1 on: August 25, 2004, 03:48:33 AM »
ap,

Firstly, if you know you have a trojan or virus, WHY would you want to keep it?
Avast can move the file to the Chest where it will be rendered harmless, but you can restore it from whence it came if the need arises.

Secondly, I am not wholly sure if this will work for the Home version (since you didn't state PRO), but you can open up the On Access Protection Module by right-clicking on the A ball in the tray, locate the Standard Module on the right panel, open it up and find the Advanced tab.

You can enter the FULL path to the file or virus in the list.
This should work.

......but again....why would you want to do this?
Other AVs may be able to do this because they incorporate an "ignore list" which Avast does not have in that context.

Good luck.

Offline igor

  • Avast team
  • Serious Graphoman
  • *
  • Posts: 11791
    • AVAST Software
Re: excluding known trojans
« Reply #2 on: August 25, 2004, 10:39:10 AM »
Right, you can put the file to the list of exclusions of the Standard Shield (and you may also want to put it into the list of exclusions of the Simple/Enhanced User Interface).

Offline Dwarden

  • Avast Evangelist
  • Super Poster
  • ***
  • Posts: 1789
  • Ideas, that's ocean without borders!
    • Bohemia Interactive
Re: excluding known trojans
« Reply #3 on: August 25, 2004, 12:18:42 PM »
this question brought me to this:

as I noticed, exclusion paths are stored in Avast4.ini, and this file is not encrypted ...

this led me to a user visiting a site with a malicious script which first adds a line with an exclusion for the trojan / virus file/directory/extension/whatever ....

and then executes the trojan/virus ...

and that leads to the question:

how are Avast users protected against this situation?
https://twitter.com/FoltynD , Tech. Community, Online Services & Distribution manager of Bohemia Interactive

Offline igor

  • Avast team
  • Serious Graphoman
  • *
  • Posts: 11791
    • AVAST Software
Re: excluding known trojans
« Reply #4 on: August 25, 2004, 12:29:11 PM »
This "script" itself would be malicious then... and should be detected as such, and not be allowed to start.
If the script can modify an ini file, it can do other things as well... e.g. delete files.

Offline Dwarden

  • Avast Evangelist
  • Super Poster
  • ***
  • Posts: 1789
  • Ideas, that's ocean without borders!
    • Bohemia Interactive
Re: excluding known trojans
« Reply #5 on: August 25, 2004, 01:15:23 PM »
so in fact,
when this type of script or executable (which alters exclusion entries in the avast ini)
passes through the "malicious" script detection of Avast, the script blocker or browser/OS security,

then Avast users are not protected ... right?

hmm, any way to force avast to use an encrypted config? :)
https://twitter.com/FoltynD , Tech. Community, Online Services & Distribution manager of Bohemia Interactive

Offline igor

  • Avast team
  • Serious Graphoman
  • *
  • Posts: 11791
    • AVAST Software
Re: excluding known trojans
« Reply #6 on: August 25, 2004, 01:26:35 PM »
Well, I was trying to say that when such a malware is executed, you simply have a running virus on your computer. It can do anything... delete files, spread itself, kill & delete any antivirus... why bother with modifying the antivirus settings?

Offline techie101returns

  • Avast Evangelist
  • Super Poster
  • ***
  • Posts: 1900
Re: excluding known trojans
« Reply #7 on: August 25, 2004, 05:46:03 PM »
Dwarden,

Don't mean to upset the "apple cart" but it would be hard to encrypt an AV file with a modicum of success.
Encryption is a touchy issue and for general purpose applications like an AV, it should be avoided.

However, your comment was a good one.  The only thing that does help somewhat is a process guard which can be set to "prevent" AV shutdown from such an executable.  (I have one installed.)  This way, your AV continues to function and should be able to deal with the intruder.

What happens quite often is as Igor stated....
the exe file modifies or shuts down the AV to the point of uselessness.

You can download "freeware" process guards.

Good luck

Offline Dwarden

  • Avast Evangelist
  • Super Poster
  • ***
  • Posts: 1789
  • Ideas, that's ocean without borders!
    • Bohemia Interactive
Re: excluding known trojans
« Reply #8 on: August 26, 2004, 12:30:05 AM »
Quote from: techie101returns on August 25, 2004, 05:46:03 PM
    Dwarden,

    Don't mean to upset the "apple cart" but it would be hard to encrypt an AV file with a modicum of success.
    Encryption is a touchy issue and for general purpose applications like an AV, it should be avoided.

    However, your comment was a good one.  The only thing that does help somewhat is a process guard which can be set to "prevent" AV shutdown from such an executable.  (I have one installed.)  This way, your AV continues to function and should be able to deal with the intruder.

    What happens quite often is as Igor stated....
    the exe file modifies or shuts down the AV to the point of uselessness.

    You can download "freeware" process guards.

    Good luck

but even if your process guard works, if the configuration is changed, you as a user are not aware of such a change; also this virus can go in multiple stages ...

first it will alter the avast configuration file and add exclusions for various files/folders etc
second it waits till the computer / avast restarts ...
third it executes the real trojan / virus ...

I know the content of that code is in some way dangerous, but if it becomes directed against avast, it will be very hard to defend before you know there is something like this ...

Kerio Personal Firewall and Tiny Personal Firewall and some other PFs had the same problem ... they had configurations in pure mode (xml etc) and were like open doors to mess with ...

avast can have e.g. an md5 hash of its own configuration file; if something alters it then the md5 changes, Avast sees someone messed with it and it will tell the user in a warning ...

that will be a simple compromise ...

thoughts?
https://twitter.com/FoltynD , Tech. Community, Online Services & Distribution manager of Bohemia Interactive
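The tamper check Dwarden proposes above (keep a hash of the configuration file and warn when it changes), and the scenario from his earlier reply of an exclusion line being appended behind the user's back, as an added example that is not code from this thread, from Avast or from any of the posters: a Python sketch that records a digest of a plain-text INI together with its exclusion list, then on the next start reports whether the file changed and which exclusion entries were added or removed. The section name `StandardShield`, the `Exclude0`, `Exclude1`, ... keys and both INI samples are constructed stand-ins and do not reproduce the real Avast4.ini layout; SHA-256 is used where the post says md5.

```python
"""Tamper check for a plain-text antivirus config (added example).

Constructed for this thread: snapshot a digest of the INI plus its exclusion
list, recompute on start, and report which exclusions were added or removed.
Section name, key prefix and sample INI content are hypothetical.
"""
import configparser
import hashlib
import hmac
from typing import Any, Dict, List

EXCLUSION_SECTION = "StandardShield"  # assumed section holding exclusions
EXCLUSION_PREFIX = "Exclude"          # assumed key prefix: Exclude0, Exclude1, ...

# Constructed sample config as saved through the product's own UI.
ORIGINAL_INI = (
    "[StandardShield]\n"
    "Exclude0=C:\\Program Files\\Trusted\\*.exe\n"
    "Exclude1=D:\\Backups\\*\n"
)

# Same file with one exclusion line appended while the product was not running.
TAMPERED_INI = ORIGINAL_INI + "Exclude2=C:\\Temp\\*\n"


def digest(ini_text: str) -> str:
    """Hex digest of the raw file text. The post suggests MD5; SHA-256 is
    used here since MD5 collisions are cheap to produce today."""
    return hashlib.sha256(ini_text.encode("utf-8")).hexdigest()


def parse_exclusions(ini_text: str) -> List[str]:
    """Return the exclusion paths under EXCLUSION_SECTION, in file order."""
    parser = configparser.ConfigParser(interpolation=None)  # '%' in paths stays literal
    parser.optionxform = str  # keep key case as written instead of lower-casing
    parser.read_string(ini_text)
    if not parser.has_section(EXCLUSION_SECTION):
        return []
    return [
        value
        for key, value in parser.items(EXCLUSION_SECTION)
        if key.startswith(EXCLUSION_PREFIX)
    ]


def record_baseline(ini_text: str) -> Dict[str, Any]:
    """Snapshot taken when settings were last saved through the UI."""
    return {"digest": digest(ini_text), "exclusions": parse_exclusions(ini_text)}


def check_config(baseline: Dict[str, Any], current_text: str) -> Dict[str, Any]:
    """Compare the config found at start-up with the recorded baseline.

    A clean result means the bytes are identical. Otherwise the exclusion
    lists are diffed so the warning can name the entries that changed.
    """
    if hmac.compare_digest(baseline["digest"], digest(current_text)):
        return {"tampered": False, "added": [], "removed": []}
    before = set(baseline["exclusions"])
    after = set(parse_exclusions(current_text))
    return {
        "tampered": True,
        "added": sorted(after - before),
        "removed": sorted(before - after),
    }


if __name__ == "__main__":
    baseline = record_baseline(ORIGINAL_INI)
    print("unchanged file:", check_config(baseline, ORIGINAL_INI))
    print("edited file:   ", check_config(baseline, TAMPERED_INI))
```

Running the block prints one clean result and one flagged result naming `C:\Temp\*` as the added entry. The check covers the multi-stage case in the post, an edit made while the product was not watching, but only if the recorded baseline lives somewhere the same write path cannot reach; a process that already runs with admin rights can rewrite the baseline along with the INI, which is the limit Vlk describes in the next reply.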

Offline Vlk

  • Avast CEO
  • Serious Graphoman
  • *
  • Posts: 11664
  • Please don't send me IM's. Email only. Thx.
    • ALWIL Software
Re: excluding known trojans
« Reply #9 on: August 26, 2004, 08:55:37 AM »
Basically, if the malware is running with admin rights and explicitly knows the target it wants to kill (like avast), there's NO way to prevent it from doing so (no ProcessGuard, no MD5 hashes of config etc. will help). Such a process can load even device drivers (as some of the latest viruses/worms actually do), modify kernel structures etc... E.g., it can zero out the memory of the avast process to make it crash etc. etc. -- the possibilities are unlimited. There's really no way to prevent this generally.

On the other hand, there can be some ad hoc solutions aimed to protect avast from specific types of attacks. Fortunately, most virus writers really are not so smart (=computer proficient) as they feel and their code is far from perfect. But again, once a (malware) process is executed under admin rights, it can effectively become part of the OS and can alter behavior of any part of the system, including avast...
If at first you don't succeed, then skydiving's not for you.

Offline techie101returns

  • Avast Evangelist
  • Super Poster
  • ***
  • Posts: 1900
Re: excluding known trojans
« Reply #10 on: August 26, 2004, 03:45:14 PM »
VLK,

Well, if that is the case......
What can we do to protect our systems short of not using them anymore?  :D

Is there any way to "early detect" the presence of these executables before they start the damage, or a way to limit the damage caused?

I was under the belief that a process guard would protect at least the AV.  Now I am a bit worried.

Thanks.

Offline lee20

  • Avast Evangelist
  • Super Poster
  • ***
  • Posts: 2326
  • The only true failure is when you give up
Re: excluding known trojans
« Reply #11 on: August 26, 2004, 04:37:53 PM »
Techie101

I'm not really sure how to do it, but I'm told you can "debug" the win INI file.

--lee

"Anyone who has never made a mistake has never tried anything new."-Albert Einstein

Comodo Firewall, Avast 4.8, SpywareBlaster, Spybot + superantispyware, PeerGuardian and ALL software patched!

Offline whocares

  • Super Poster
  • ***
  • Posts: 1698
  • I'm not a llama! :-)
Re: excluding known trojans
« Reply #12 on: August 26, 2004, 04:40:29 PM »

Quote from: techie101returns on August 26, 2004, 03:45:14 PM
    What can we do to protect our systems short of not using them anymore?  :D


1) SafeHex & Brain 1.x
2) Trust that avast detects the malware as it's written to the disk and blocks it before execution
3) if that fails: you didn't use No 1) enough..
 ;D ;D ;)

Offline Dwarden

  • Avast Evangelist
  • Super Poster
  • ***
  • Posts: 1789
  • Ideas, that's ocean without borders!
    • Bohemia Interactive
Re: excluding known trojans
« Reply #13 on: August 27, 2004, 03:25:58 AM »
you are simply missing the fact that the AVAST ini file is a raw text file and doesn't have anything to do with the active process of avast

no validation of the ini is done on program restart (e.g. md5 or so)

also I never said here the "bad" program/script must kill avast (ie need use of a process guard)

it will simply wait for the next reboot ...

saying, like, it will not happen, is like asking for it to happen ....

so I now become a prophet and say if nobody takes care about this, then it will happen ...

understand it as you want  ::) ...
https://twitter.com/FoltynD , Tech. Community, Online Services & Distribution manager of Bohemia Interactive

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67255
Re: excluding known trojans
« Reply #14 on: August 27, 2004, 04:51:44 AM »
Vlk, can you answer Techie... I'm curious too...
I thought there would be a way to prevent that... Maybe the only way will be to use the system as a limited user but, in this case, the malware could be executed with a 'Run as' similar command  :-\
Life is becoming dangerous... we're near to the Matrix  ;D
The best things in life are free.