
Sophos On-Access Scanner gets "disabled" by Juniper Networks Host-Checker

I have a VPN connection to a customer of mine. They use the Juniper Networks VPN software. I use Sophos Endpoint v10. When I connect to their network, the Juniper software launches the "Host Checker" app. It successfully detects v10 of Sophos AV as a valid product, so it is clearly updated. However, it then deletes the savonaccesscontrol.sys and savonaccessfilter.sys driver files located in C:\Windows\System32\Drivers. This means that the next time I boot my PC the on-access scanner doesn't load, leaving me under-protected, and the next time I try to connect to the Juniper VPN it won't validate me because my Sophos AV product doesn't have on-access scanning enabled. The only fix I have found is to restore the two files and then make them read-only so that the Host-Checker cannot delete them.

I have contacted my customer and requested that they reach out to Juniper to find out why this is happening. HOWEVER, I would like to know how it is that the Juniper client was ABLE to delete these files, since I have Tamper Protection turned on! Shouldn't these files be protected?!? This strikes me as a MAJOR flaw in your software, if a malicious app can just disable my on-access AV software!

Thoughts?
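A post-VPN health check for the two driver files the post names, written as an added example (it is not code from the post, from Sophos or from Juniper). It assumes PowerShell on the affected Windows machine and uses the Win32_SystemDriver CIM class to read each driver's load state; the optional switch applies the read-only workaround described in the post.

```powershell
# Added example: verify the Sophos on-access driver files are present and loaded,
# and optionally apply the read-only workaround from the post.
# File names and directory come from the post; everything else is an assumption.
param(
    [switch]$ApplyReadOnly   # set the ReadOnly attribute so Host Checker cannot delete the files
)

$driverDir   = Join-Path $env:SystemRoot 'System32\Drivers'
$driverFiles = @('savonaccesscontrol.sys', 'savonaccessfilter.sys')   # named in the post

# Kernel drivers known to the Service Control Manager, keyed by the file name in their image path
$loaded = Get-CimInstance Win32_SystemDriver |
    Where-Object { $_.PathName } |
    Group-Object { [System.IO.Path]::GetFileName($_.PathName).ToLower() } -AsHashTable -AsString

$problems = 0
foreach ($name in $driverFiles) {
    $path = Join-Path $driverDir $name
    if (-not (Test-Path -LiteralPath $path)) {
        Write-Warning "$name is missing from $driverDir (on-access scanning will not load at next boot)"
        $problems++
        continue
    }
    $item  = Get-Item -LiteralPath $path
    $entry = $loaded[$name.ToLower()]
    $state = if ($entry) { ($entry | Select-Object -First 1).State } else { 'not registered' }
    if ($state -ne 'Running') {
        Write-Warning "$name is present but the driver state is '$state'"
        $problems++
    } else {
        Write-Host "$name present, driver Running"
    }
    if ($ApplyReadOnly -and -not $item.IsReadOnly) {
        $item.IsReadOnly = $true
        Write-Host "Set ReadOnly on $path"
    }
}
# Non-zero exit code makes the check usable from a scheduled task or logon script
exit $problems
```

Run it from an elevated PowerShell session after connecting to the VPN; a missing file or a driver that is not in the Running state is exactly the condition the post describes.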



Hello TomSadowski,

you asked for thoughts, so ...

Guess while "important" files could be locked (doing so for a driver might be tricky - nevertheless the (in)famous sptd.sys does it) it would add quite some complexity. Note that "protecting" just executables or all files is not sufficient, you'd also have to take care of e.g. registry keys. In addition an anti-virus is not static, it should honour legitimate configuration requests and it has to update itself regularly. And it is not guaranteed that what you do doesn't adversely interact with other schemes. As a result "clever" locking mechanisms might mean that you'd have to go through Safe Mode in case of even a minor hiccup. It's the usual trade-off security vs. usability.
While it might be alarming that Sophos (or other similar products) can seemingly easily be disabled this falls short of depicting an actual successful attack (which you anyway can't absolutely prevent). Whatever cripples your AV must also do some "useful" (from the point of view of malware) work - and this intention likely makes it suspicious in the first place (it has to come from somewhere and it should be scanned on the way, therefore ...). As an aside - does the Juniper software install and run with the recommended AV settings without triggering an alert (and don't forget that signed applications have slightly more leeway than unknown)? If the malicious component (apart from the "AV disabler") isn't detected it won't have to turn off your AV anyway. Actually in such a case the fiddling with your AV is counterproductive as it increases the chance of being detected. Ever wondered why "direct" attacks on AV software aren't more widespread?

Be assured - "self-protection" is something no serious AV vendor has neglected or discarded. But AFAIK no one has come up with a perfect or even satisfying solution (and similarly the "bad guys" haven't been able to build the ultimate weapon).

Christian