We have two frequent requests from our customers' side.
1- A password for unloading the product for a short time. (Just for unload, not uninstall.)
2- Deny admin users the ability to stop F-Secure services. (In normal cases an admin must be able to access services, but in organizations the antivirus administrator wants to set strict policies.)
Is it possible to add these options in the next versions?
Point two is an interesting one.
On the face of it, it would seem reasonable, and indeed competing products do generally employ self-defence in the system services.
However, there's a flaw in F-Secure Gatekeeper where it can hang during scheduled scanning. Every subsequent scheduled or on-demand scan thereafter generates an F-Secure Gatekeeper Event 1 error in the event log. These events have no explanation ("The description for Event ID ( 1 ) in Source ( F-Secure Gatekeeper ) cannot be found …"; this should be held in a suitable DLL) and contain only a fragment of the original path (e.g. "The following information is part of the event: , \Device\HarddiskVolume1\WINDOWS\s...catdb.").
Years have passed and F-Secure have consistently failed to do anything to detect such a fault.
To clear this fault, you have to stop the F-Secure Gatekeeper Handler Starter service (which to this day is still called "FSGKHS" because the service name and display name are reversed) and then start it back up. In general, once you can get remote control of the server, stopping FSGKHS takes around 5–20 minutes, after which you regain control of the server (until the service is stopped, the computer is extremely slow, as every on-demand scan is being handed to a hung Gatekeeper and has to time out before it can be read).
Rebooting the server is not necessary, but self-defence would make it impossible to regain control of the server without a reboot.
(If this change was done by policy, I'm not sure how that would help, as our policy domain tree is divided by customer and then by desktop vs server, and I wouldn't object to this feature on client PCs, but on servers, not until Gatekeeper has a watchdog to catch this fault.)
1) What is a "short time"? 5 Mins, 10, 1h?
After an unload the product will be reloaded on next reboot.
2) The longer I think about it, I believe that will not be possible. If you are an administrator of your system you can always grant any right to any account or group, including yourself. You could create a restricted SupervisorAccount with limited rights, but then again the Administrator is still there.
Regarding (2), there already are Windows services that cannot be stopped, and it's common for AV services to be completely protected against stopping the service and killing the processes even as an administrator. Unlike Linux, Windows is quite happy to block even administrators — if you recall, it was forbidden in Windows Server 2000 for an administrator to terminate a service process, so if say the Exchange store process hung, you were required to reboot the whole server instead of kill and restart the service. (You could enable this privilege if you really wanted, though.)
I'm curious whether you believe that the service self-defence in competing products really can be defeated?
1) It can have options, like other AV vendors: unload product for 5 min, 30 min, 1 hour, until reboot, permanently. This option should have password protection like uninstall.
2) In our country, networks have a separate admin for antivirus.
Only the antivirus admin should be able to stop the antivirus. For example, an automation system or mail server admin shouldn't be able to stop the antivirus.