How to prevent administrators from easily stopping F-Secure?

I don't know why F-Secure allows an administrator to stop F-Secure-related services so easily (e.g. Device Control, F-Secure Management Agent)...

Some viruses or malware have a "watchdog": if process A is terminated by the user, process B will wake it up.

If a virus has this ability, WHY doesn't F-Secure have it?

I think "protecting F-Secure processes and services" is the most important defence against a virus stopping it!!


Best Answer

  • Ben Posts: 2,640
    Accepted Answer

    Hello MichaelYou,

    Sorry for the delay in the reply. This is unfortunately due to the nature of the administrator role on Windows.

    We therefore advise not to give administrator rights to normal users.

Answers

  • NOBODY REPLIES? NO SOLUTION?

  • Dear Ben:

    Actually, I don't think the administrator role is Windows' nature such that anyone can stop the antivirus easily!

    Antivirus must have Local System permission and should have self-protection to prevent a virus or malware from stopping or terminating it! It is a basic function of antivirus software.

  • etomcat Posts: 1,311

    Hello,

    I think antivirus would need to run in kernel mode to be "un-stoppable" by a full admin. This means the computer would go BSOD in case of a software bug or any other problem. F-Secure used to run in the kernel many years ago, but was rewritten to be user-space software as much as possible, because users are concerned about system stability before security. I think only small parts of the F-Secure proprietary personal firewall in FSAVCS and FSAV PSB run in kernel mode nowadays.

    On the other hand, for most antivirus software, the vendors (including F-Secure Corp.) release well-known standalone utility programs to uninstall their protection suites. Even if the protection were proof against admin-stopping, the uninstallation would need to be password protected to make unauthorised use of the uninstall tool impossible. Such per-computer password management would be complicated for a company or enterprise customer. If the password is static, it will be on a post-it note on the coffee machine after a few days; that's the nature of things.

    But I think adding the password-based uninstall-prevention method is worth considering, if it could be integrated with FS Policy Manager and PSB Portal.

    Best Regards: Tamas Feher, Hungary.

  • Dear etomcat:

    Thanks for your reply.

    I think antivirus is "security software", and viruses and malware increase very fast every day.

    I know most vendors' antivirus scan engines run in kernel mode.

    In my experience, viruses from China mostly run in kernel mode too!

    Therefore, if F-Secure runs in user mode for the sake of system stability,

    F-Secure processes or services can easily be stopped if a virus has admin permission.

    We have over 2500 computers using F-Secure products in my company.

    I hope F-Secure will face and solve this problem ASAP.

  • Dear Ben:

    I think what you replied is not a solution,

    because it's IMPOSSIBLE to give everyone only "Normal User" permission in my company, or in others.

    We have over 2000 employees using F-Secure products, and most users are "Normal users",

    but some managers have "Administrator permission".

  • Ben Posts: 2,640

    Thank you for the feedback.

    You can always make your request more visible by posting it to the Feature Requests board or commenting on the already suggested ideas going in the same direction.

  • Patrick Posts: 130

    Even though it was some time ago, someone wrote something within this topic...

    Within AD you can easily create a GPO to change Administrators' rights to prevent them from stopping F-Secure services. Just create a new GPO and change the permissions for the F-Secure services (sorry, only German screenshots...):

    [Screenshot: Dienst auswählen und bearbeiten (select and edit the service)]

    [Screenshot: Dienst bearbeiten (edit the service)]

    [Screenshot: Admin-Rechte nehmen (remove admin rights)]

    With read access only, even an admin will receive Error 5 (Access Denied).
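
The GPO Patrick describes (Computer Configuration > Policies > Windows Settings > Security Settings > System Services) works by pushing a security descriptor onto the service object. As an added example, not part of Patrick's post or of any F-Secure documentation, the PowerShell below applies the same "read-only for Administrators" descriptor locally with sc.exe, so you can test the effect on one machine before rolling it out by policy. The thread only gives display names (F-Secure Management Agent, Device Control), so the service short name is a parameter you must fill in from Get-Service; `$ServiceName` and the function name are assumptions of this example.

```powershell
# Added example: restrict a service's DACL so local Administrators can query it but not
# stop, pause, reconfigure or delete it. Run from an elevated PowerShell.
# Service short name is an assumption: look it up with  Get-Service | ? DisplayName -like '*F-Secure*'
param(
    [Parameter(Mandatory)] [string]$ServiceName
)

function Set-ServiceReadOnlyForAdmins {
    param([Parameter(Mandatory)] [string]$Name)

    # Save the current descriptor so it can be restored later.
    $before = (sc.exe sdshow $Name | Where-Object { $_ -match '^D:' }) -join ''
    if (-not $before) { throw "Could not read the security descriptor of service '$Name'" }
    Write-Host "Current SDDL for $Name : $before"

    # SDDL service-specific rights used below:
    #   CC QueryConfig   LC QueryStatus      SW EnumerateDependents  RP Start
    #   WP Stop          DT PauseContinue    LO Interrogate          CR UserDefinedControl
    #   RC ReadControl   SD Delete           WD WriteDac             WO WriteOwner   DC ChangeConfig
    # SY (Local System) keeps the Windows default, so the product's own components can still
    #    start/stop their services.
    # BA (Builtin Administrators) is cut down to query rights only: no RP/WP/DT/DC/SD/WD/WO, which
    #    is what makes services.msc, Stop-Service and "sc stop" return error 5 (Access is denied).
    # IU / SU (interactive users, service accounts) keep the default read-only ACEs.
    $sddl = 'D:' +
            '(A;;CCLCSWRPWPDTLOCRRC;;;SY)' +
            '(A;;CCLCSWLOCRRC;;;BA)' +
            '(A;;CCLCSWLOCRRC;;;IU)' +
            '(A;;CCLCSWLOCRRC;;;SU)'

    sc.exe sdset $Name $sddl | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "sc sdset failed for '$Name' (exit code $LASTEXITCODE)" }

    Write-Host "New SDDL for $Name : $((sc.exe sdshow $Name | Where-Object { $_ -match '^D:' }) -join '')"
    return $before   # hand the old descriptor back to the caller for rollback
}

$savedSddl = Set-ServiceReadOnlyForAdmins -Name $ServiceName

# Check the effect: a stop attempt from this elevated admin shell must now fail.
try {
    Stop-Service -Name $ServiceName -ErrorAction Stop
    Write-Warning "Stop succeeded; the ACL was not applied as expected"
} catch {
    Write-Host "Stop blocked as intended: $($_.Exception.Message)"
}

Write-Host "To roll back from a context that still holds WRITE_DAC (e.g. SYSTEM):"
Write-Host "  sc.exe sdset $ServiceName `"$savedSddl`""
```

Two practical caveats. First, once Administrators have lost WD (WriteDac) on the service, the same admin shell can no longer run `sc sdset` to undo the change, so keep the saved descriptor and plan the rollback from the GPO or from a SYSTEM context. Second, this descriptor deliberately leaves Local System with stop rights, and anything a local administrator can run as SYSTEM (a scheduled task, PsExec -s, an installed service) inherits them; the ACL therefore stops a careless admin or a user-level tamper attempt, not an attacker who already controls the machine. Prefer the GPO over a one-off sc.exe change, because Group Policy re-applies the descriptor on each refresh.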

This discussion has been closed.