
Question about AV


ThoughtfulDev


Hey,

I recently tried to kill the AV processes of, for example, AVG. My payload had SYSTEM privileges, but I couldn't kill the AV processes, which also run under the SYSTEM user.

I noticed a process belonging to AVG which ran higher than SYSTEM. Is it common that an AV has some sort of process which runs in kernel mode or something which protects the other processes?

Is there even a way to kill the AV as a SYSTEM user?


I've noticed AV processes are fickle in when they can and cannot be killed; sometimes they feed on other processes, and tampering with one of those locks the process. Sometimes I've had no trouble killing an AV process that governs the uninstall security of the AV (for instance), and then turned around on a different but very similar environment, exact same AV, same OS version, and couldn't kill the process or make any of the changes I had just made on a similar machine with the same OS version and the exact same deployed AV.

Sometimes it's various files locking them.

The most success I've seen with AVs is to shotgun blast their .sys files and take out the processes the hard way. Editing registry keys as SYSTEM can help facilitate this as well.

This way I've been able to disable the security features of AVs and uninstall them even when password protected, etc., without having the password protecting them. If you do have system-level credentials on that system, you can take it out.

 

PS: not sure what NT_AUTHORITY higher than SYSTEM you're referring to?

If you can uninstall them without a password prompt, then you've pretty much disabled the last layer of that onion, which is why I mentioned that yes, it's very doable.

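A check worth running before any of the above, as an added example that is not code from either poster: since Windows 8.1, anti-malware services can register as Protected Process Light (PPL, signer "Antimalware"), and AV kernel drivers commonly strip PROCESS_TERMINATE from handles through object callbacks. In both cases OpenProcess with PROCESS_TERMINATE fails with access denied even from SYSTEM, which matches the symptom in the question. The script below queries each process's PS_PROTECTION level via NtQueryInformationProcess and then tests whether a TERMINATE handle can actually be obtained. It assumes Windows 8.1 or later and an elevated (ideally SYSTEM) PowerShell session; the type name ProcProt and the function Get-ProcessProtection are our own.

```powershell
# Added example, not from the original thread. Assumes Windows 8.1+ and an
# elevated/SYSTEM PowerShell session. ProcProt and Get-ProcessProtection are our names.

if (-not ('ProcProt' -as [type])) {
    Add-Type -TypeDefinition @'
using System;
using System.Runtime.InteropServices;

public static class ProcProt
{
    // PS_PROTECTION: bits 0-2 = Type, bit 3 = Audit, bits 4-7 = Signer
    [StructLayout(LayoutKind.Sequential)]
    public struct PS_PROTECTION { public byte Level; }

    [DllImport("ntdll.dll")]
    public static extern int NtQueryInformationProcess(
        IntPtr processHandle, int processInformationClass,
        ref PS_PROTECTION processInformation, int processInformationLength,
        out int returnLength);

    [DllImport("kernel32.dll", SetLastError = true)]
    public static extern IntPtr OpenProcess(uint desiredAccess, bool inheritHandle, int processId);

    [DllImport("kernel32.dll", SetLastError = true)]
    public static extern bool CloseHandle(IntPtr handle);
}
'@
}

function Get-ProcessProtection {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory = $true, ValueFromPipelineByPropertyName = $true)]
        [Alias('Id')][int]$ProcessId
    )

    process {
        $PROCESS_TERMINATE                 = 0x0001
        $PROCESS_QUERY_LIMITED_INFORMATION = 0x1000
        $ProcessProtectionInformation      = 61      # PROCESSINFOCLASS value

        $types   = @{ 0 = 'None'; 1 = 'ProtectedLight'; 2 = 'Protected' }
        $signers = @{ 0 = 'None'; 1 = 'Authenticode'; 2 = 'CodeGen'; 3 = 'Antimalware';
                      4 = 'Lsa'; 5 = 'Windows'; 6 = 'WinTcb'; 7 = 'WinSystem' }

        $info = [ordered]@{
            Pid             = $ProcessId
            Name            = (Get-Process -Id $ProcessId -ErrorAction SilentlyContinue).ProcessName
            Protection      = 'query failed'
            Signer          = 'query failed'
            TerminateHandle = $false
            LastError       = 0
        }

        # Limited query access is granted even on PPL processes, so this normally succeeds.
        $h = [ProcProt]::OpenProcess($PROCESS_QUERY_LIMITED_INFORMATION, $false, $ProcessId)
        if ($h -ne [IntPtr]::Zero) {
            $prot = New-Object -TypeName 'ProcProt+PS_PROTECTION'
            $len  = 0
            $status = [ProcProt]::NtQueryInformationProcess($h, $ProcessProtectionInformation, [ref]$prot, 1, [ref]$len)
            if ($status -eq 0) {
                $t = $prot.Level -band 0x7
                $s = ($prot.Level -shr 4) -band 0xF
                $info.Protection = if ($types.ContainsKey($t)) { $types[$t] } else { "Type$t" }
                $info.Signer     = if ($signers.ContainsKey($s)) { $signers[$s] } else { "Signer$s" }
            }
            [void][ProcProt]::CloseHandle($h)
        }

        # The decisive test: a PPL process, or one guarded by an AV driver's object
        # callbacks, refuses PROCESS_TERMINATE even to SYSTEM (ERROR_ACCESS_DENIED = 5).
        $th = [ProcProt]::OpenProcess($PROCESS_TERMINATE, $false, $ProcessId)
        if ($th -ne [IntPtr]::Zero) {
            $info.TerminateHandle = $true
            [void][ProcProt]::CloseHandle($th)
        } else {
            $info.LastError = [Runtime.InteropServices.Marshal]::GetLastWin32Error()
        }
        [pscustomobject]$info
    }
}

# Usage: list every process that is protected or that refuses a TERMINATE handle.
Get-Process | Get-ProcessProtection |
    Where-Object { $_.Protection -ne 'None' -or -not $_.TerminateHandle } |
    Format-Table Pid, Name, Protection, Signer, TerminateHandle, LastError -AutoSize
```

Read the output in two columns: a row showing ProtectedLight/Antimalware with TerminateHandle False is a PPL service, and no user-mode token, SYSTEM included, will get a kill handle on it without first dealing with the protection. A row showing Protection None but TerminateHandle False with LastError 5 points at a kernel driver stripping the access right in an object callback, which is the case where the reply's approach of going after the .sys files and the service registry keys is the relevant lever.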
