Hi,


I've detailed below just how easy (too easy) it is to circumvent the security of the following critical security services. Thus can't now become can!

It goes without saying that malware on entering a system by whichever means, and on detecting critical security services, can now even more easily (automated/scripted) disarm critical security services, just by modifying unprotected registry entries, for whatever malevolent purposes.

I've created registry entries (I can send these to you should you be interested) to demonstrate just how easy it is to circumvent the security of these critical security services, which unfortunately is all too easily a very effective way of immobilising critical security functions i.e. firewall, antivirus etc. This in my opinion is certainly not a vulnerability nor a flaw so to speak, but rather a functional design oversight?

I've verified this against the following with success. After these registry modifications have been effected and the system rebooted, these critical services will be disarmed.

BlackICE
McAfee
Pointsec
ISS Proventia
ZoneAlarm

On successfully disarming these security services, one could also use the following to then further manipulate the drivers & services, by reconfiguring their startup parameters to 'manual' and not 'automatic', or just disable them alltogether.

i.e. The following will reconfigure the startup parameters to 'manual' and not 'automatic' (default)
C:\>sc config VPatch start= demand
C:\>sc config BlackICE start= demand
C:\>sc config McShield start= demand
C:\>sc config McTaskManager start= demand
C:\>sc config McAfeeFramework start= demand
C:\>sc config Pointsec_start start= demand
C:\>sc config Pointsec start= demand


Cheers

Andrew Barkley
(-_-)