To stay updated on your favorite discussions, please create an account or log in. Then, click the Bookmark icon to subscribe and receive notifications.

How prevent administrators privilege to stop F-Secure easily?

MichaelYou W/ Alumni Posts: 14 Security Scout

I don't know why F-Secure allow administrator stop F-Secure related service easily? (ex : Device Control、F-Secure Management Agent)...

Some virus or malware have "watch dog",if A process terminated by user.B process will wake it up.

If virus have this ability WHY F-Secure don't have ?

I think "protect F-Secure process and service" is the most important to defend Virus to stop it!!



  • MichaelYou
    MichaelYou W/ Alumni Posts: 14 Security Scout


  • MichaelYou
    MichaelYou W/ Alumni Posts: 14 Security Scout

    Dear Ben :


    Actually I don't think administrator is windows nature so that whom can stop Antivirus Easyly!

    Antivirus must have Local System permission and shoud be have self protection to prevent virus or malware to stop or terminate it! It is basic function for the Antivirus software.

  • etomcat
    etomcat W/ Alumni Posts: 1,172 Firewall Master



    I think antivirus would need to run in kernel mode to be "un-stoppable" by full admin. This means computer would go BSOD in case of a software bug or any other problem. F-Secure used to run in the kernel many years ago, but was rewritten to be a users-pace software as much as possible, because users are concerned about system stability before security. I think only small parts of the F-Secure proprietary personal firewall in FSAVCS and FSAV PSB run in kernel mode nowadays.


    On the other hand, for most antivirus software, the vendors (including F-Secure Corp.) release well-known standalone utility programs to uninstall their protection suites. Even if the protection was proof againt admin-stopping, the uninstallation would need to be password protected to make unauthoried use of the uitool util impossible. Such per-computer password management would be complicated for a company or enterprise customer. If the password is static, it will be post-it noted on the caffe machine after a few days, that's the nature of things.


    But I think adding the password based uninstall-prevention method is worth considering, if it could be integrated with FS Policy Manager and PSB Portal.


    Best Regards: Tamas Feher, Hungary.

  • MichaelYou
    MichaelYou W/ Alumni Posts: 14 Security Scout

    Dear etomcat :


    Thanks for your reply.

    I think Antivirus is "Security software" and virus or malware increase very fast everyday.

    I know the most vendor of antivirus scan engine run Kernel Mode

    In my experience viruses from China is most run Kernel Mode too!

    Therefore if F-Secure run User Mode for the reason of system stabilty

    F-Secure process or service can easily stop if virus have admin permission.

    we  have over 2500 computer using F-Secure product in my company.

    I hope F-Secure should be face and solve this problem ASAP.

  • MichaelYou
    MichaelYou W/ Alumni Posts: 14 Security Scout



    I think it is not a solution from your reply.

    because it's IMPOSSIBLE give everyone only "Normal User" permission in my company even others.

    We have over 2000 empolyee using F-Secure product and the most user is "Normal user"

    But some manager have "Administrator permission" 



  • Ben
    Ben W/ Alumni Posts: 664 Cybercrime Crusader

    Thank you for the feedbacks.


    You can always make your request more visible by posting it to the Feature Requests board or commenting on the already suggested ideas going in the same direction. 

  • Patrick
    Patrick W/ Alumni Posts: 13 Digital Defender

    Even though it's some time ago, someone wrote something within this topic...


    Within AD you can easily create a GPO to change Administrators rights to prevent them stopping F-Secure services. Just create a new GPO and change the permissions for F-Secure services (Sorry only german screenshots...):





    With read access only, even an admin will receive Error 5 (Access Denied).

This discussion has been closed.