Circumventing Critical Security in Windows XP

[barkley () usa net]

Hi,


I've detailed below just how easy (too easy) it is to circumvent the security of the following critical security 
services. Thus can't now become can!

It goes without saying that malware on entering a system by whichever means, and on detecting critical security 
services, can now even more easily (automated/scripted) disarm critical security services, just by modifying 
unprotected registry entries, for whatever malevolent purposes.

I've created registry entries (I can send these to you should you be interested) to demonstrate just how easy it is to 
circumvent the security of these critical security services, which unfortunately is all too easily a very effective way 
of immobilising critical security functions i.e. firewall, antivirus etc. This in my opinion is certainly not a 
vulnerability nor a flaw so to speak, but rather a functional design oversight?

I've verified this against the following with success. After these registry modifications have been effected and the 
system rebooted, these critical services will be disarmed.

BlackICE
McAfee
Pointsec
ISS Proventia
ZoneAlarm

On successfully disarming these security services, one could also use the following to then further manipulate the 
drivers & services, by reconfiguring their startup parameters to 'manual' and not 'automatic', or just disable them 
alltogether.

i.e. The following will reconfigure the startup parameters to 'manual' and not 'automatic' (default)
C:\>sc config VPatch start= demand
C:\>sc config BlackICE start= demand
C:\>sc config McShield start= demand
C:\>sc config McTaskManager start= demand
C:\>sc config McAfeeFramework start= demand
C:\>sc config Pointsec_start start= demand
C:\>sc config Pointsec start= demand


Cheers

Andrew Barkley
(-_-)