-
February 7th, 2006, 07:24 PM
#1
Symantec CE
Hi there
I have a couple of networks that run Symantec CE version Antivirus....where uninstall and on-line/real-time scanning settings are controlled by the server....so to uninstall or disable/modify the settings...you require a password set when the CE server was set up.....so the client cannot disable the AV settings
I have read recently about malware "disabling" or "ending" certain processes associated with anti-virus.
Does having Symantec AV configured with a password....stop this malware from disabling Symantec AV on the client....in the CE environment?
MLF
How people treat you is their karma- how you react is yours-Wayne Dyer
-
February 7th, 2006, 08:08 PM
#2
I do not think it could completely prevent it. You cannot password-protect the termination of an application...
-
February 7th, 2006, 08:23 PM
#3
Well...when I try to end task any one of Symantec's processes on the client...it says access denied....?
Or if I try and change the setup...the options are greyed out.
When I try and uninstall.....it asks for a password...
So I am wondering if this malware is able to disable client AV
and if so...how?
MLF
How people treat you is their karma- how you react is yours-Wayne Dyer
-
February 7th, 2006, 09:05 PM
#4
Originally posted here by morganlefay
Well...when I try to end task any one of Symantec's processes on the client...it says access denied....?
Or if I try and change the setup...the options are greyed out.
When I try and uninstall.....it asks for a password...
So I am wondering if this malware is able to disable client AV
and if so...how?
MLF
My Bold
It will ask for a password by default. If the admin has not changed the default password, "symantec", you will be able to uninstall by simply entering "symantec".
I imagine you are aware of this anyway.
I cannot give you a definitive answer to your main question, but it is possible to kill client protection manually and uninstall protection. I have had to do this, and it was before I learnt about the password default above.
What happens if a big asteroid hits the Earth? Judging from realistic simulations involving a sledge hammer and a common laboratory frog, we can assume it will be pretty bad. - Dave Barry
-
February 7th, 2006, 09:15 PM
#5
Well I know you can hack it out of the registry....I have had to do this myself...that is quite the job....
Would the malware just try and remove it from the run key...would that disable it?
But that would also require a reboot...to disable...and trust me...not many people reboot...they just log off....
MLF
How people treat you is their karma- how you react is yours-Wayne Dyer
-
February 7th, 2006, 09:40 PM
#6
Morgan, we're using Symantec's CE at my night job and I know what you're talking about. From what I understand, the password used to change settings can't be bypassed by malware and the like. But here's a huge problem I had with Symantec's CE on the client end. I had an issue where one of my clients wasn't updating its virus defs. correctly, and I followed an article posted on Symantec's site that walked me through the process of repairing the issue.
Now, here's where I am bothered. On the client end, you can go in and delete the folders that contain the recent virus definitions with no password. If you've ever had problems with Symantec's definition updates, you know that it screws up Real-Time scanning. It will actually disable Real-Time if the virus defs. are missing/corrupt. So, if I wanted to design malware to disable Symantec's Real-Time protection, all I would have to do is go in and manipulate the virus defs. folders, which are not password protected on the client side.
Granted, all you have to do is set the rights on the folder to limit access, but that always bothered me.
The object of war is not to die for your country but to make the other bastard die for his - George Patton
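One defensive check that follows from this post, as an added example (it is not code from the thread or from Symantec): a PowerShell script that audits the NTFS permissions on a definitions folder and flags any non-administrator principal allowed to write to or delete from it. The folder path and the trusted-account list are assumptions to adjust for the actual install.

```powershell
# Added example, not code from the thread or from Symantec: audit the NTFS ACL on an
# AV definition folder and report any non-admin principal that can modify or delete
# files there, the gap post #6 describes as a way to knock out real-time scanning.
# $DefsPath is a placeholder (assumption); point it at the real definitions folder.
param(
    [string]$DefsPath = 'C:\Path\To\AV\Definitions'
)

# Rights that let a caller corrupt, remove, or re-permission definition files
$dangerous = [System.Security.AccessControl.FileSystemRights]::Write -bor
             [System.Security.AccessControl.FileSystemRights]::Delete -bor
             [System.Security.AccessControl.FileSystemRights]::DeleteSubdirectoriesAndFiles -bor
             [System.Security.AccessControl.FileSystemRights]::TakeOwnership -bor
             [System.Security.AccessControl.FileSystemRights]::ChangePermissions

# Principals expected to hold change rights (assumption: the AV service runs as SYSTEM)
$trusted = @('BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM', 'CREATOR OWNER')

$acl = Get-Acl -Path $DefsPath
$findings = foreach ($ace in $acl.Access) {
    # Only Allow entries grant anything; Deny entries are not a finding
    if ($ace.AccessControlType -ne [System.Security.AccessControl.AccessControlType]::Allow) { continue }
    # Skip entries whose rights do not overlap the dangerous set at all
    if (([int]$ace.FileSystemRights -band [int]$dangerous) -eq 0) { continue }
    if ($trusted -contains $ace.IdentityReference.Value) { continue }
    [pscustomobject]@{
        Identity  = $ace.IdentityReference.Value
        Rights    = $ace.FileSystemRights
        Inherited = $ace.IsInherited
        AppliesTo = "$($ace.InheritanceFlags) / $($ace.PropagationFlags)"
    }
}

if ($findings) {
    Write-Warning "Untrusted principals can write to or delete from $DefsPath"
    $findings | Format-Table -AutoSize
    # Remediation (run elevated): remove these entries or reduce them to ReadAndExecute,
    # leaving change rights to Administrators/SYSTEM so definition updates still succeed.
} else {
    Write-Output "OK: only trusted principals can change or delete files under $DefsPath"
}
```

Inherited entries that show up here usually come from a permissive parent folder, so the fix is often to break inheritance on the definitions folder rather than edit the individual files.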
-
February 7th, 2006, 09:54 PM
#7
Now we are getting somewhere....
I am sure that would muck it up pretty good...
I guess it's not smart enough........ if it can't find it locally...it would look at the server for the defs.
Does anyone know of an AV suite...server based...that would TRULY run off a server...and would not be vulnerable to local interference/tampering....
I guess that would chew a lot of resources/bandwidth.
Actually I haven't seen near the amount of viruses since we strip most email attachments at the server level....
MLF
How people treat you is their karma- how you react is yours-Wayne Dyer
-
February 8th, 2006, 03:08 PM
#8
Re: Symantec CE
Originally posted here by morganlefay
Does having Symantec AV configured with a password....stop this malware from disabling Symantec AV on the client....in the CE environment?
MLF
No, they can still terminate the AV software if they're running as an administrator.
-
February 8th, 2006, 03:39 PM
#9
Well as administrator...I cannot terminate the process.....
MLF
How people treat you is their karma- how you react is yours-Wayne Dyer
-
February 8th, 2006, 04:21 PM
#10
Hi Morgana~,
I haven't used Symantec for a while, but I remember reading a couple of years back a review of about a dozen corporate AV products. They tested them to see if they could be terminated both as user and as local administrator.
There had been a spate of malware that tried to kill security processes/applications. I would guess that they have all been beefed up against this sort of attack by now. As I recall, Symantec came out quite well in the review.
You don't say but did you try it as a local administrator or system administrator?
I guess that to mess with it you can attack unprotected files as already suggested, or go for the registry or startup programs.
I would suspect that you are reasonably safe at the moment, as any decent AV will now be protected against known methods of killing it. It is new ones that would be hard to prevent.
As for an AV running off the server, I would have thought that most corporate editions would have that facility. After all it is just like the online scanning of Panda or PC-cillin's "Housecall"?
The problem with that over here would be ensuring that everyone left their machines powered up. It is quite common practice to turn them off because of potential fire risk, cost of electricity, and lightning strikes.