
brian

Members
  • Content Count

    13
About brian

  • Rank
    Candidate
  1. I thought of and verified a loophole. Anyone can change permissions on these files. This allows a malicious user or malware run by any user (even probably the Guest account) to disable Kaspersky entirely, which is probably what most malware writers would want to do. The following steps don't just disable Kaspersky but appear to trash it, requiring a reinstall to get Kaspersky working again. Keep that in mind before you try them.

     Log in as any user, go to the "C:\Documents and Settings\All Users\Application Data\Kaspersky Lab" folder, right-click on the AVP6 subdirectory, and remove every user and every group from the Permissions -- make sure that no group nor user has any permission to do anything with the AVP6 folder and its children. Make sure that no permissions are being inherited from the parent.

     Once you do this, updates no longer work. When you reboot, Kaspersky will no longer start. Kaspersky might fail sooner than a reboot -- I didn't play around with different scenarios. A malicious script could even schedule itself to do this on Patch Tuesday, since the system often automatically reboots then anyway, if you have Automatic Updates turned on.

     I looked at one of my older machines, and it appears that Kaspersky 5.0 did not give "Everyone" Full Control over its data folder. Instead, its data folder ("KAV for Workstations") inherited much more restrictive permissions from C:\Documents and Settings\All Users\Application Data. It looks like this security hole was introduced with KAV 6.
  2. I've been running with the more restrictive permissions for a few days and it seems to be working. I don't know if there's a scenario out there, though, that could eventually cause it to break. For example, the Quarantine directory is affected by the change in permissions -- will quarantining a virus still work? Base updates appear to be working -- will application module updates also work? If someone from Kaspersky is reading this, I'd be interested in your thoughts.
  3. While checking file permissions, I noticed that Kaspersky 6.0 for Windows Workstation gives "Everyone" full control over the files in its data folder: C:\Documents and Settings\All Users\Application Data\Kaspersky Lab\AVP6. This includes the anti-virus bases, config files, report files, and an XML file named updcfg.xml that appears to contain the URLs for the servers that KAV gets its updates from. I'm running Kaspersky 6.0.2.678 on Windows XP with SP2. I have Kaspersky's Settings panel password-protected.

     Even though Everyone has Full Control, in practice I was (thankfully) unable to modify or delete any of the files (although I was able to create new folders), so there appears to be some Kaspersky magic going on here. It still makes me uneasy to see "Everyone" and "Full Control" applied to such important files.

     On one of our machines, I restricted the permissions for this folder as follows:
     * Administrators - Full Control
     * SYSTEM - Full Control
     * Users - Read Only (i.e. Read & Execute and List Folder Contents)

     In order for updates to still run, I also had to configure Kaspersky's Update service to run as Administrator. Kaspersky's Settings has an option for this.

     I have two questions about restricting the permissions on this folder to make them more restrictive:
     1) Is there any harm in doing this?
     2) Is there any point in doing this? (Does it make my system any more secure?)

     Thanks, Brian
  4. I'm experiencing this same problem updating to version 5.0.228. The "Application Modules Update" seems to corrupt the bases. Our laptop started getting periodic errors about a "black list of license keys" after I installed Kaspersky on it last fall. After a reformat and reinstall of Windows XP Pro, it began happening again. The steps I took:
     1) Install Windows XP Pro, SP2, and all the Microsoft patches. Install nothing else.
     2) Install Kaspersky Anti-Virus for Windows Workstations version 5.0.225 (the latest version available for download).
     3) Run the "Application Modules Update". Choose to update to version 5.0.228.
     4) Kaspersky downloads & installs the updated modules, then says that it will restart.
     5) After the restart, Kaspersky complains that its database is corrupted, and real-time scanning is permanently disabled.

     After uninstalling Kaspersky & deleting all the files in C:\Program Files\Kaspersky Lab and C:\Documents and Settings\All Users\Application Data\Kaspersky Lab, I reinstalled Kaspersky 5.0.225 again. Again, it worked fine until I tried to update to 5.0.228. This time, I did the update with real-time scanning disabled, and I got the error message about "Missing or corrupted 'black' list of license keys". Hopefully, this info can help you track down & fix this problem. We've been using Kaspersky Anti-Virus for 2 years, and, other than this problem, are very happy with it.

     Thanks, Brian
  5. It sounds like the updates are not done by [SYSTEM]. But since the updates end up owned by [Administrator] or [Administrators], they must be done by the [Administrator] account, right? My understanding of XP is that while you can claim ownership of a file (given rights), a non-Administrator [user] could not assign ownership to the [Administrator]. Hence, the [Administrator] must be the one doing the downloading.
  6. I think the updates are done by a process owned by SYSTEM. If so, writing to ProgramFilesDir or CommonFilesDir wouldn't seem to be an issue. I checked the ownership of the files in Bases, and everything is owned by either [Administrator] or [Administrators], not any particular [user].
  7. Okay, thanks for the info. Out of curiosity, why not store the bases in either: a) the "Kaspersky Lab" subdirectory under the "Program Files" directory, or b) a "Kaspersky Lab" subdirectory under the "Common Files" directory? Since the location of both the ProgramFilesDir and CommonFilesDir can be changed in the registry, I've been able to get all my programs to install on my P: drive -- including the Kaspersky program. Unfortunately, the bases still get stuck on C:.
  8. Thanks for the tip on "shared folders". Unfortunately, I think I'm trying to accomplish something different. I want the anti-virus bases completely off of the C: drive since the C: drive is so slow. If I understand correctly, with the "shared folder", the updates to the bases are retrieved from the P: drive, but the bases are then still copied to the C: drive for use by Kaspersky.
  9. Thanks for deleting the dupe. The PC is on the net. Right now, it automatically downloads the updates every 3 hours. Instead of downloading the bases (these are the anti-virus definitions, correct?) into the folder on the C: drive, though, I'd like it to download the bases into a folder on the P: drive, which is my new hard drive.
  10. I accidentally posted this originally in the "Home Users" forum but meant to post it here. I have KAV 5.0 Workstation for Windows. It looks like KAV stores its anti-virus definitions in the directory: C:\Documents and Settings\All Users\Application Data\Kaspersky Lab\KAV for Workstations\5.0\Bases. Because this is an older computer, I added a new, faster hard drive on a new controller card. Loading the Kaspersky anti-virus definitions is probably the slowest, most disk-intensive thing my computer does, so I'd like to move these to the new drive (P:). Is there an option, registry setting, etc. that lets me do this? Thanks, Brian
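Posts 1 and 3 above describe two sides of the same ACL problem: post 1 shows that a folder whose ACL grants Everyone Full Control lets any local account strip all permissions (including the inherited ones) and break the product; post 3 lists the tighter ACL brian applied (Administrators and SYSTEM Full Control, Users Read & Execute only). The script below is an added example, not Kaspersky's code and not something brian posted. It audits a data folder and everything under it for write-capable ACEs granted to broad principals (Everyone, Users, Authenticated Users, Guests, INTERACTIVE), reports the owner of each affected object (the question posts 5 and 6 were trying to settle by hand), and can apply the ACL from post 3. It assumes a Windows host with PowerShell and the AVP6 path quoted in the posts; on the XP SP2 machines in the thread the same ACL can be set with cacls/icacls instead.

```powershell
# Added example: audit an application data folder for ACEs that let any local
# user modify, delete, or re-permission the AV's data, and optionally apply the
# restrictive ACL described in post 3. Not Kaspersky's code; run elevated.
# The path is the one quoted in the posts and is an assumption for your host.

# Principals any local account (including Guest) effectively belongs to.
$BroadPrincipals = @(
    'Everyone',
    'BUILTIN\Users',
    'NT AUTHORITY\Authenticated Users',
    'BUILTIN\Guests',
    'NT AUTHORITY\INTERACTIVE'
)

# Rights that let the holder change data, delete it, or rewrite the ACL itself
# (ChangePermissions/TakeOwnership are what post 1's attack relies on).
$R = [System.Security.AccessControl.FileSystemRights]
$WriteRights = $R::Write -bor $R::Delete -bor $R::DeleteSubdirectoriesAndFiles -bor
               $R::ChangePermissions -bor $R::TakeOwnership

function Get-WeakAces {
    # Returns one object per Allow ACE on $Path that grants a broad principal
    # any write-capable right. Inherited ACEs are included and flagged.
    param([Parameter(Mandatory)][string]$Path)
    $acl = Get-Acl -LiteralPath $Path
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($BroadPrincipals -notcontains $ace.IdentityReference.Value) { continue }
        # Cast to int: generic rights show up as large negative enum values.
        if (([int]$ace.FileSystemRights -band [int]$WriteRights) -ne 0) {
            [pscustomobject]@{
                Path      = $Path
                Owner     = $acl.Owner
                Identity  = $ace.IdentityReference.Value
                Rights    = $ace.FileSystemRights
                Inherited = $ace.IsInherited
            }
        }
    }
}

function Invoke-DataFolderAudit {
    # Walks the folder and all children; an explicit weak ACE on one file
    # (e.g. updcfg.xml) matters as much as one on the folder itself.
    param([Parameter(Mandatory)][string]$Root)
    $targets = @(Get-Item -LiteralPath $Root) +
               @(Get-ChildItem -LiteralPath $Root -Recurse -Force)
    foreach ($item in $targets) { Get-WeakAces -Path $item.FullName }
}

function Set-RestrictedDataAcl {
    # Applies the ACL from post 3: Administrators and SYSTEM Full Control,
    # Users Read & Execute (which implies List Folder Contents), nothing else.
    # Inheritance from the parent is cut so a permissive parent cannot leak in.
    # Children inherit these rules unless they carry explicit ACEs of their own,
    # so re-run Invoke-DataFolderAudit afterwards.
    param([Parameter(Mandatory)][string]$Path)
    $acl = New-Object System.Security.AccessControl.DirectorySecurity
    $acl.SetAccessRuleProtection($true, $false)   # protected, do not keep inherited ACEs
    $inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
    $prop    = [System.Security.AccessControl.PropagationFlags]::None
    $rules = @(
        @('BUILTIN\Administrators', 'FullControl'),
        @('NT AUTHORITY\SYSTEM',     'FullControl'),
        @('BUILTIN\Users',           'ReadAndExecute')
    )
    foreach ($r in $rules) {
        $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
            $r[0], $r[1], $inherit, $prop, 'Allow')
        $acl.AddAccessRule($rule)
    }
    Set-Acl -LiteralPath $Path -AclObject $acl
}

# Usage. Path from the posts; adjust for your install (assumption).
$Root = 'C:\Documents and Settings\All Users\Application Data\Kaspersky Lab\AVP6'
$weak = @(Invoke-DataFolderAudit -Root $Root)
if ($weak.Count -eq 0) {
    "No write-capable ACEs for broad principals under $Root"
} else {
    $weak | Format-Table Path, Owner, Identity, Rights, Inherited -AutoSize
    # Uncomment to apply the post 3 ACL once you have read the caveats below:
    # Set-RestrictedDataAcl -Path $Root
}
```

Two caveats carried over from the thread rather than invented here: post 3 reports that after tightening the ACL the Update service had to be configured to run as Administrator before updates worked again, and post 2 leaves open whether quarantining and application module updates keep working under the restricted ACL. Audit first, apply the ACL on one machine, and exercise those code paths before rolling it out.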