How prevent administrators privilege to stop F-Secure easily?

I don't know why F-Secure allow administrator stop F-Secure related service easily? (ex : Device Control、F-Secure Management Agent)...

Some virus or malware have "watch dog",if A process terminated by user.B process will wake it up.

If virus have this ability WHY F-Secure don't have ?

I think "protect F-Secure process and service" is the most important to defend Virus to stop it!!

Find more posts tagged with

Comments

Patrick

Even though it's some time ago, someone wrote something within this topic...

Within AD you can easily create a GPO to change Administrators rights to prevent them stopping F-Secure services. Just create a new GPO and change the permissions for F-Secure services (Sorry only german screenshots...):

Dienstauswählenundbearbeiten.png

With read access only, even an admin will receive Error 5 (Access Denied).

Ben

Thank you for the feedbacks.

You can always make your request more visible by posting it to the Feature Requests board or commenting on the already suggested ideas going in the same direction.

MichaelYou

DearBen:

I think it is not a solution from your reply.

because it's IMPOSSIBLE give everyone only "Normal User" permission in my company even others.

We have over 2000 empolyee using F-Secure product and the most user is "Normal user"

But some manager have "Administrator permission"

MichaelYou

Dear etomcat :

Thanks for your reply.

I think Antivirus is "Security software" and virus or malware increase very fast everyday.

I know the most vendor of antivirus scan engine run Kernel Mode

In my experience viruses from China is most run Kernel Mode too!

Therefore if F-Secure run User Mode for the reason of system stabilty

F-Secure process or service can easily stop if virus have admin permission.

we have over 2500 computer using F-Secure product in my company.

I hope F-Secure should be face and solve this problem ASAP.

etomcat

Hello,

I think antivirus would need to run in kernel mode to be "un-stoppable" by full admin. This means computer would go BSOD in case of a software bug or any other problem. F-Secure used to run in the kernel many years ago, but was rewritten to be a users-pace software as much as possible, because users are concerned about system stability before security. I think only small parts of the F-Secure proprietary personal firewall in FSAVCS and FSAV PSB run in kernel mode nowadays.

On the other hand, for most antivirus software, the vendors (including F-Secure Corp.) release well-known standalone utility programs to uninstall their protection suites. Even if the protection was proof againt admin-stopping, the uninstallation would need to be password protected to make unauthoried use of the uitool util impossible. Such per-computer password management would be complicated for a company or enterprise customer. If the password is static, it will be post-it noted on the caffe machine after a few days, that's the nature of things.

But I think adding the password based uninstall-prevention method is worth considering, if it could be integrated with FS Policy Manager and PSB Portal.

Best Regards: Tamas Feher, Hungary.

MichaelYou

Dear Ben :

Actually I don't think administrator is windows nature so that whom can stop Antivirus Easyly!

Antivirus must have Local System permission and shoud be have self protection to prevent virus or malware to stop or terminate it! It is basic function for the Antivirus software.

Ben

Hello MichaelYou,

Sorry for the delay in the reply. This is unfortunately due to the nature of the administrator role on Windows.

We therefore advise not to give administrator rights to normal user.

MichaelYou

NOBODY REPLY ? NO SOLUTION ?