Registry permission issues caused by SAV

Source: Internet
Author: User
Tags: kaspersky internet security

Zheng Hao
==========================================
As is well known, changing the system time causes Kaspersky Internet Security 6.0 to report that the license key file has expired, after which the system is no longer properly monitored and protected. The common fix today is to restrict, through Group Policy, who may change the system time, for example by removing all users from that right, so that neither ordinary users nor administrators can modify it.
In Windows, the registry is the database that stores the configuration of the system and of application software. As Windows has gained features, the number of configuration items in the registry has grown, and many of them can be customized; however, these settings are scattered across every corner of the registry, and configuring them by hand is tedious and error-prone. Group Policy gathers the important system configuration functions into modules that administrators can use directly, which makes computers easier to manage. Put simply, Group Policy is a way of modifying the registry. The permission that denies changing the system time in the example above is no different: what is ultimately modified is the permission on a registry key.
Registry permissions cause many other problems, for example in Symantec AntiVirus. Anti-virus software works at the lowest level of the system and has powerful protection capabilities. For example, when the LiveUpdate button in the Enterprise Edition client turns gray with a small lock icon in front of it, the client is forced to update the virus definitions and related components automatically; the lock icon means the user has no permission to change that item. This fully shows the advantage of the Enterprise Edition: settings can be made mandatory. Yet even such powerful anti-virus software is not perfect; in short, it depends too heavily on the registry (the test versions 8 to 9.0.0.x are used as the example here). Changing just a few values in the registry strips the anti-virus software of its intended function. The problem is concentrated in the values under HKEY_LOCAL_MACHINE\SOFTWARE\Intel\LANDesk\VirusProtect6\CurrentVersion\Storage\FileSystem\RealTimeScan. For example, if real-time protection is disabled, the software re-enables it automatically; the default delay is 3 minutes, and the user has no permission to change it. The "APESleep" value holds that delay, so changing it changes how many minutes pass before real-time monitoring restarts. 3b is a hexadecimal number, 59 in decimal; after the value is changed to 3b, the original 3 minutes become 59 minutes, as shown in Figure 2.
 
Figure 1
 
Figure 2
Remember that this is the Enterprise Edition environment, which makes it more dangerous. Find "APEOn-L"=dword:00000001 and change it to 0: the small lock icon disappears, and ordinary users can then change the settings there. If "APEOn-L" is set to 1 and "APEOn" to 0, the check box for "Real-time monitoring disabled" is cleared and a small lock icon appears in front of it; once real-time protection is disabled, the program no longer re-enables real-time monitoring automatically, and users cannot change this. By default real-time monitoring is enabled; the user can enable it or temporarily disable it, and when it is disabled a red circle with a slash is added to the Symantec icon in the system tray. Whether real-time protection is enabled is controlled by the "OnOff" value; change it, and then set "OnOff-L" to 1. After these two values are changed, as shown in Figure 3, the user is not authorized to enable protection. The same applies to the Personal Edition.

Figure 3
Similarly, the values FirstAction, FirstMacroAction, FileType, FileType-L, FirstMacroAction-L, FirstAction-L, Heuristics-L, delimiter, Heuristics, PrescanExclude, Networks, MessageBox and NoScanDir (list) have the same weakness: if hackers or virus writers exploit it, the anti-virus program stops working or becomes ineffective. Because the software does not protect its own registry keys, they are easy to damage, and the computer loses the powerful protection it had. I am only pointing out that the main values and the SAV Enterprise client (and likewise the Personal Edition) have this defect, so that readers can refer to it and deal with problems in the software promptly.
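The following is an added example, not code from the article or from Symantec. It turns the tampering patterns described above into an audit: it reads the RealTimeScan values named in the article and reports the combinations that leave the client unprotected (monitoring off and locked, auto re-enable off or unlocked, delay stretched beyond the 3-minute default). The key path and value names are the ones the article gives; the default of 3 minutes and the meaning of the "-L" lock values are taken from its description and are assumptions as far as other builds are concerned.

```powershell
# Added example, not code from the original article or from Symantec.
# Audits the SAV RealTimeScan values the article discusses and reports the
# tampered combinations it describes. Key path and value names are the ones
# the article gives; the default APESleep of 3 (minutes) and the meaning of
# the *-L lock values are taken from its description (assumptions).
$SavRtsKey = 'HKLM:\SOFTWARE\Intel\LANDesk\VirusProtect6\CurrentVersion\Storage\FileSystem\RealTimeScan'

# Read a DWORD value from a Get-ItemProperty result; $null if it is absent.
function Get-RegDword {
    param($Props, [string]$Name)
    $p = $Props.PSObject.Properties[$Name]
    if ($null -eq $p) { return $null }
    return [int]$p.Value
}

function Get-SavRealTimeScanFindings {
    param([string]$KeyPath = $SavRtsKey)

    if (-not (Test-Path -Path $KeyPath)) {
        return ,@("Key not found: $KeyPath (SAV 8.x/9.x not installed, or a different build)")
    }
    $props    = Get-ItemProperty -Path $KeyPath
    $onOff    = Get-RegDword $props 'OnOff'
    $onOffL   = Get-RegDword $props 'OnOff-L'
    $apeOn    = Get-RegDword $props 'APEOn'
    $apeOnL   = Get-RegDword $props 'APEOn-L'
    $apeSleep = Get-RegDword $props 'APESleep'

    $findings = @()

    # Real-time protection switched off; worse if the lock keeps users from turning it back on.
    if ($onOff -eq 0) {
        $msg = 'Real-time protection is OFF (OnOff=0)'
        if ($onOffL -eq 1) { $msg += '; locked, so users cannot re-enable it (OnOff-L=1)' }
        $findings += $msg
    }
    # Automatic re-enable disabled; worse if locked.
    if ($apeOn -eq 0) {
        $msg = 'Automatic re-enable of real-time protection is disabled (APEOn=0)'
        if ($apeOnL -eq 1) { $msg += '; locked (APEOn-L=1)' }
        $findings += $msg
    }
    # Lock removed in a managed (Enterprise) client: any user can now change the setting.
    if ($apeOnL -eq 0) {
        $findings += 'Lock on the auto re-enable setting has been removed (APEOn-L=0)'
    }
    # Re-enable delay stretched beyond the 3-minute default (the article's 0x3b = 59).
    if ($null -ne $apeSleep -and $apeSleep -gt 3) {
        $findings += ('Auto re-enable delay raised from 3 to {0} minutes (APESleep=0x{1:x})' -f $apeSleep, $apeSleep)
    }
    return ,$findings
}

# Usage: run from an elevated prompt on a host with the SAV client installed.
$result = Get-SavRealTimeScanFindings
if ($result.Count -eq 0) { 'RealTimeScan values match the documented defaults.' } else { $result }
```

The checks are written as combinations rather than a fixed table of expected values, because in a managed Enterprise client a lock value of 1 is the normal state set by the administrator; what matters is a lock combined with protection switched off. Run it periodically (for example from a scheduled task) and treat any finding as a sign that the key has been edited outside the console.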
It is true, and not wrong in itself, that all of a program's settings are reflected in the registry. But the anti-virus software does not protect the registry, so once the registry is changed the program's settings have been changed illegitimately. Fixing this is an urgent improvement for both the Enterprise and Personal editions. When a malicious program needs to tamper with the registry it does so from its own code, which is more concealed. The anti-virus software has no registry monitoring component, and it is unrealistic to monitor every registry operation; what can be monitored is sensitive areas. This is a tricky problem: legitimate programs must be allowed to modify the registry, while malicious programs must be effectively prevented from tampering with important values (including those related to the anti-virus software). How can it be solved? I can only offer my own suggestions.
1) Consider real-time protection for the registry: change the permissions of the relevant registry values, or have the anti-virus processes hold the relevant keys open in real time. Kaspersky, for example, reports when you try to change one of its registry values that the value is in use by a key system process and cannot be changed.
2) Alternatively, start with the program's own design, so that changes to the program's settings do not go through the registry. In short, anti-virus software must protect itself first and only then protect the computer; that is how this class of problem is solved.
3) Set permissions on the registry key. This can be done both by the software developer and by the user. Start Registry Editor, right-click the relevant key, select Permissions, cancel inheritance from the parent for users and groups, and delete all users, as shown in Figure 4; then no one can change the key. When an attempt is made to create a value in this key, a message says that the value cannot be created. You can also set the permissions of the important SAV registry keys mentioned above to read-only so they cannot be changed. This solves the problem temporarily.
 
Figure 4
In addition, tools such as SetACL.exe 0.904 and regini can set registry permissions. SetACL is recommended here. If you have studied for the CCNA, you will know that ACL stands for access control list. The tool can set permissions not only on the registry but also on files and folders, much like the cacls command in Windows. Example commands:
SetACL.exe c:\xxx /dir /set everyone /read_ex
Gives the user Everyone read and execute permission on the folder c:\xxx.
SetACL.exe HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /registry /set everyone /full
Gives Everyone full control of the Run registry key.
http://info-lib.net/post/20.html is a Chinese help document; the original program and its English help are at http://www.helge.mynetcologne.de/setacl/.
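As an added example (not code from the article, from Symantec or from the SetACL project), the following script applies the read-only-key mitigation from suggestion 3 and from the SetACL commands above using only built-in PowerShell: it disables inheritance on the SAV RealTimeScan key, removes the existing entries and grants explicit rights, then checks the result. It assumes the key path the article names and that the SAV service runs as LocalSystem, so SYSTEM keeps full control (the service must still be able to write the values when it re-enables protection) while Administrators and Users are reduced to read-only; the identities and rights are parameters, so they can be changed if the service runs under another account.

```powershell
# Added example, not code from the original article, from Symantec or from
# the SetACL project. Applies the article's "read-only key" mitigation with
# built-in PowerShell: inheritance is disabled and only the listed identities
# keep access. Assumptions: the key path is the one the article names, and
# the SAV service runs as LocalSystem, so SYSTEM keeps full control while
# Administrators and Users become read-only.
$SavRtsKey = 'HKLM:\SOFTWARE\Intel\LANDesk\VirusProtect6\CurrentVersion\Storage\FileSystem\RealTimeScan'

# Build an Allow ACE that subkeys inherit (ContainerInherit), like the
# SUB_CONTAINERS_AND_OBJECTS_INHERIT flag used with the Win32 API.
function New-KeyRule {
    param([string]$Identity, [string]$Rights)
    $ctorArgs = @($Identity, $Rights,
        [System.Security.AccessControl.InheritanceFlags]::ContainerInherit,
        [System.Security.AccessControl.PropagationFlags]::None,
        [System.Security.AccessControl.AccessControlType]::Allow)
    New-Object System.Security.AccessControl.RegistryAccessRule -ArgumentList $ctorArgs
}

function Protect-SavRegistryKey {
    param(
        [Parameter(Mandatory = $true)][string]$KeyPath,
        [string[]]$FullControl = @('NT AUTHORITY\SYSTEM'),
        [string[]]$ReadOnly    = @('BUILTIN\Administrators', 'BUILTIN\Users')
    )
    $acl = Get-Acl -Path $KeyPath
    # Stop inheriting from the parent key and discard the inherited ACEs
    # (the "cancel inheritance" step the article performs in Regedit).
    $acl.SetAccessRuleProtection($true, $false)
    # Remove the explicit ACEs that remain so that only our rules apply.
    foreach ($rule in @($acl.Access)) { [void]$acl.RemoveAccessRule($rule) }
    foreach ($id in $FullControl) { $acl.AddAccessRule((New-KeyRule $id 'FullControl')) }
    foreach ($id in $ReadOnly)    { $acl.AddAccessRule((New-KeyRule $id 'ReadKey')) }
    Set-Acl -Path $KeyPath -AclObject $acl
}

# $true when inheritance is off and no identity outside $FullControl holds a
# right that could change the key (values, subkeys, delete, permissions, owner).
function Test-SavRegistryKeyProtected {
    param(
        [Parameter(Mandatory = $true)][string]$KeyPath,
        [string[]]$FullControl = @('NT AUTHORITY\SYSTEM')
    )
    $acl = Get-Acl -Path $KeyPath
    if (-not $acl.AreAccessRulesProtected) { return $false }
    $writeRights = [System.Security.AccessControl.RegistryRights]'SetValue, CreateSubKey, Delete, ChangePermissions, TakeOwnership'
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($FullControl -contains $ace.IdentityReference.Value) { continue }
        if (($ace.RegistryRights -band $writeRights) -ne 0) { return $false }
    }
    return $true
}

function Unprotect-SavRegistryKey {
    param([Parameter(Mandatory = $true)][string]$KeyPath)
    $acl = Get-Acl -Path $KeyPath
    # Re-enable inheritance; the parent's ACEs flow back in when the ACL is saved.
    $acl.SetAccessRuleProtection($false, $true)
    Set-Acl -Path $KeyPath -AclObject $acl
}

# Usage (elevated prompt):
# Protect-SavRegistryKey -KeyPath $SavRtsKey
# Test-SavRegistryKeyProtected -KeyPath $SavRtsKey     # expect True
# (Get-Acl $SavRtsKey).Access | Format-Table IdentityReference, RegistryRights, IsInherited
# Unprotect-SavRegistryKey -KeyPath $SavRtsKey         # undo
```

This gives exactly the effect the article calls temporary: users and administrators can no longer edit the values by hand or through a script running in their context, but an administrator can still take ownership of the key and restore write access, and code already running as SYSTEM is not affected. The check function is therefore best combined with the audit of the values themselves rather than relied on alone.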
In addition to the two methods above, the Win32 API can be used to change registry permissions programmatically, as Regedt32 does. The key functions are as follows:
// Create an ACE that grants Everyone full control of the key and lets subkeys and values inherit it
#include <windows.h>
#include <aclapi.h>
EXPLICIT_ACCESS ea;
ZeroMemory(&ea, sizeof(EXPLICIT_ACCESS));
BuildExplicitAccessWithName(&ea, TEXT("Everyone"), KEY_ALL_ACCESS, SET_ACCESS, SUB_CONTAINERS_AND_OBJECTS_INHERIT);

To sum up, as long as there is a Windows operating system there will be a registry (and in fact, if you regard the registry as the storage for the operating system's configuration files, other operating system platforms have similar issues), so registry security will remain an evergreen topic. Symantec AntiVirus has this kind of problem, and it must be corrected and improved. Everything improves continually; let us use our own sharp eyes to discover and solve problems.
