
Thread: Symantec CE

  1. #1
    AOs Resident Troll
    Join Date
    Nov 2003
    Posts
    3,152

    Symantec CE

    Hi there

    I have a couple of networks that run Symantec CE version Antivirus....where uninstall and on-line\realtime scanning settings are controlled by the server...where to uninstall or disable\modify the settings...you require a password set when the CE server was set up.....so the client cannot disable the AV settings

    I have read recently about malware "disabling" or "ending" certain processes associated with Anti virus.

    Does having Symantec AV configured with a password....stop these malware from disabling Symantec AV on the client....in the CE environment?????

    MLF
    How people treat you is their karma- how you react is yours-Wayne Dyer

  2. #2
    Senior Member
    Join Date
    Oct 2003
    Location
    MA
    Posts
    1,052
    I do not think it could completely prevent it. You cannot password protect the termination of an application...

  3. #3
    AOs Resident Troll
    Join Date
    Nov 2003
    Posts
    3,152
    Well...when I try to end task any one of Symantec's processes on the client...it says access denied....????

    Or if I try and change the setup...the options are greyed out.

    When I try and uninstall.....it asks for a password...

    So I am wondering if these malware are able to disable client AV

    and if so...how???

    MLF
    How people treat you is their karma- how you react is yours-Wayne Dyer

  4. #4
    Regal Making Handler
    Join Date
    Jun 2002
    Posts
    1,668
    Originally posted here by morganlefay
    Well...when I try to end task any one of Symantec's processes on the client...it says access denied....????

    Or if I try and change the setup...the options are greyed out.

    When I try and uninstall.....it asks for a password...

    So I am wondering if these malware are able to disable client AV

    and if so...how???

    MLF
    My Bold

    It will ask for a password by default. If the admin has not applied a change to the default password, "symantec", you will be able to uninstall by simply entering, "symantec".

    I imagine you are aware of this anyway.

    I cannot give you a definitive answer to your main question, but it is possible to kill client protection manually and uninstall protection. I have had to do this and it was before I learnt about the password default above.
    What happens if a big asteroid hits the Earth? Judging from realistic simulations involving a sledge hammer and a common laboratory frog, we can assume it will be pretty bad. - Dave Barry

  5. #5
    AOs Resident Troll
    Join Date
    Nov 2003
    Posts
    3,152
    Well I know you can hack it out of the registry....I have had to do this myself...that is quite the job....

    would the malware just try and remove it from the run key...would that disable it???

    But that would also require a reboot...to disable...and trust me...not many people reboot...they just log off....

    MLF
    How people treat you is their karma- how you react is yours-Wayne Dyer

  6. #6
    Some Assembly Required ShagDevil's Avatar
    Join Date
    Nov 2002
    Location
    SC
    Posts
    718
    Morgan, we're using Symantec's CE at my night job and I know what you're talking about. From what I understand, the password used to change settings can't be bypassed by malware and the like. But, here's a huge problem I had with Symantec's CE on the client's end. I had an issue where one of my clients wasn't updating its virus defs. correctly and followed an article posted on Symantec's site that walked me through the process of repairing the issue.
    Now, here's where I am bothered. On the client end, you can go in and delete the folders that contain the recent virus definitions with no password. If you've ever had a problem with Symantec's definition updates, you know that it screws up Real-Time scanning. It will actually disable Real-Time if the virus defs. are missing/corrupt. So, if I wanted to design malware to disable Symantec's Real-Time protection, all I would have to do is go in and manipulate the virus defs. folders which are not password protected on the client side.
    Granted, all you have to do is set the rights on the folder to limit access but, that always bothered me.
    The object of war is not to die for your country but to make the other bastard die for his - George Patton
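
The folder-permission check mentioned in post #6, as an added example that is not part of the original thread and not Symantec's own tooling: it lists every allow-ACE under the definitions folder that gives write or delete rights to anyone other than SYSTEM or the local Administrators group. The path is a placeholder (the thread does not give it), and the choice of trusted principals is an assumption.

```powershell
param(
    # Placeholder: set this to the client's virus-definitions directory.
    [string]$DefsPath = 'C:\PATH\TO\VirusDefs'
)

# Assumption: only SYSTEM and BUILTIN\Administrators should be able to modify definitions.
$trustedSids = 'S-1-5-18', 'S-1-5-32-544'

# Specific rights that allow deleting or corrupting definition files,
# plus the GENERIC_ALL / GENERIC_WRITE bits that can appear on inherit-only ACEs.
$riskyMask = [int][System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership' -bor 0x50000000

# Audit the root folder and every subfolder beneath it.
$dirs = @($DefsPath) + @(Get-ChildItem -LiteralPath $DefsPath -Recurse -Directory -Force |
    Select-Object -ExpandProperty FullName)

$findings = foreach ($dir in $dirs) {
    $acl = Get-Acl -LiteralPath $dir
    # Ask for SIDs rather than account names so the check is locale-independent.
    $rules = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])
    foreach ($ace in $rules) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($trustedSids -contains $ace.IdentityReference.Value) { continue }
        if (([int]$ace.FileSystemRights -band $riskyMask) -eq 0) { continue }
        [pscustomobject]@{
            Path      = $dir
            Sid       = $ace.IdentityReference.Value
            Rights    = $ace.FileSystemRights
            Inherited = $ace.IsInherited
        }
    }
}

if ($findings) {
    $findings | Format-Table -AutoSize -Wrap
} else {
    "No non-administrative write/delete access found under $DefsPath"
}
```

Any row it prints is a principal that could remove or alter the definition files without the CE password; inherited rows have to be fixed on the parent folder or by breaking inheritance.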

  7. #7
    AOs Resident Troll
    Join Date
    Nov 2003
    Posts
    3,152
    Now we are getting somewhere....

    I am sure that would muck it up pretty good...

    I guess it's not smart enough........ if it can't find it locally...it would look at the server for the defs.

    Does anyone know of an AV suite...server based that would TRULY run off a server...and would not be vulnerable to local interference\tampering....

    I guess that would chew a lot of resources\bandwidth.

    Actually I haven't seen near the amount of viruses since we strip most email attachments at the server level....

    MLF
    How people treat you is their karma- how you react is yours-Wayne Dyer

  8. #8

    Re: Symantec CE

    Originally posted here by morganlefay

    Does having Symantec AV configured with a password....stop these malware from disabling Symantec AV on the client....in the CE environment?????

    MLF
    No, they can still terminate the AV software if they're running as an administrator.

  9. #9
    AOs Resident Troll
    Join Date
    Nov 2003
    Posts
    3,152
    Well as administrator...I cannot terminate the process.....

    MLF
    How people treat you is their karma- how you react is yours-Wayne Dyer

  10. #10
    Senior Member nihil's Avatar
    Join Date
    Jul 2003
    Location
    United Kingdom: Bridlington
    Posts
    17,188
    Hi Morgana~,

    I haven't used Symantec for a while but I remember reading a couple of years back a review of about a dozen corporate AV products. They tested them to see if they could be terminated both as user and local administrator.

    There had been a spate of malware that tried to kill security processes/applications. I would guess that they have all been beefed up against this sort of attack by now. As I recall, Symantec came out quite well in the review.

    You don't say but did you try it as a local administrator or system administrator?

    I guess that to mess with it you can attack unprotected files as already suggested, or go for the registry or startup programs.

    I would suspect that you are reasonably safe at the moment, as any decent AV will now be protected against known methods of killing it. It is new ones that would be hard to prevent.

    As for an AV running off the server, I would have thought that most corporate editions would have that facility. After all it is just like the online scanning of Panda or PC-cillin's "Housecall"?

    The problem with that over here would be ensuring that everyone left their machines powered up. It is quite common practice to turn them off because of potential fire risk, cost of electricity, and lightning strikes.
