
Auto restart of AV services.

As you may know there are many viruses out there that attempt to shut down the AV service in the background without user knowledge.  I have figured out a way using our LEM (Solarwinds Log and Event Manager) to restart any AV service as soon as it's shut down.  I've been running it for a while with Sophos AV and another AV without any issues.  It looks for "Service Stop" events.

If you have the LEM or similar and are interested let me know.

Mark.

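As an added example (not Mark's LEM rule, which the thread does not show), the same "Service Stop" idea expressed in Python over constructed Windows System-log lines in the style of Service Control Manager event 7036; stops that recover within a short grace window are suppressed so that the restart an AV update performs does not trigger remediation. The service names and the 60-second window are assumptions.

```python
# Added example: "Service Stop" detection over constructed Windows System-log
# lines in the style of Service Control Manager event 7036. Service names and
# the 60-second grace window are assumptions, not LEM or Sophos settings.
from datetime import datetime, timedelta
import re

WATCHED_SERVICES = {"Sophos Anti-Virus", "Sophos AutoUpdate Service"}
GRACE = timedelta(seconds=60)  # an update restart should bring the service back within this

LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) 7036 The (?P<svc>.+?) service entered the "
    r"(?P<state>stopped|running) state\.$"
)

def parse(lines):
    """Yield (timestamp, service, state) for every 7036 line; ignore the rest."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            yield datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"), m["svc"], m["state"]

def find_suspicious_stops(lines):
    """Return (timestamp, service) for watched-service stops not followed by a
    'running' event within GRACE (i.e. not a plain update restart)."""
    events = list(parse(lines))
    alerts = []
    for i, (ts, svc, state) in enumerate(events):
        if svc not in WATCHED_SERVICES or state != "stopped":
            continue
        # Look only at later events for the same service inside the grace window.
        recovered = any(
            s == svc and st == "running" and ts <= t2 <= ts + GRACE
            for t2, s, st in events[i + 1:]
        )
        if not recovered:
            alerts.append((ts, svc))
    return alerts

# Constructed sample: a benign update restart at 09:00, an unexplained stop at
# 13:45 that never comes back, and a Print Spooler stop that is not watched.
SAMPLE_LOG = """\
2024-03-01 09:00:00 7036 The Sophos Anti-Virus service entered the stopped state.
2024-03-01 09:00:12 7036 The Sophos Anti-Virus service entered the running state.
2024-03-01 13:45:03 7036 The Sophos Anti-Virus service entered the stopped state.
2024-03-01 13:47:10 7036 The Print Spooler service entered the stopped state.
""".splitlines()

if __name__ == "__main__":
    for ts, svc in find_suspicious_stops(SAMPLE_LOG):
        print(f"{ts} ALERT: {svc} stopped and did not recover within {GRACE}")
```

In a real deployment the alert handler would issue the service restart and raise a ticket, and a service that keeps being stopped again after each restart is itself worth an alert, since that is what a state-monitoring piece of malware would look like.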


  • Hello Mark,

    during updates (actual updates, not just checks) the SAV service is restarted. Apparently LEM doesn't cause issues but be warned.
    Now, malware which shuts down AV might monitor its "success" the same way LEM does, so ... And why should malware stop at AV and not also target monitors?

    Christian
  • Yes, I did think about that but restarting has not been an issue.  The LEM responds to shutdown logs and then restarts but during an update there's nothing to restart until it's finished updating. 

    Malware could target the system that restarts it but how would it know about that?  I had to write my own rule that does this and no one would know about it.

  • Hello ZMagnum,

    basically you can perform - let's call it - remediation either with an agent on the endpoint/client or using Windows APIs. The former could be targeted by malware in the same way as an AV service and there are ways to thwart the latter. Regardless of the method the malware could, as I've said, take a dynamic approach, i.e. monitor the service's state, instead of doing a one-shot attempt to stop it.

    Christian
