6 Replies Latest reply on Jul 8, 2009 8:00 AM by carend

    Programmatically disable real time scanning

    Rookie

      Is it possible to disable real time scanning using the command-line?  I'm going to speculate and say no, just for obvious reasons.


      We're implementing new backup software and during the backup process on our servers the vendor recommends disabling the real time scanning for the duration of the backup.


      I'm not quite sure how to go about it.

        • 1. Re: Programmatically disable real time scanning
          Master

          LANDesk modified a security threat that is currently in content to be able to enable and disable real-time spyware scanning on a client without redeploying an agent to machines. ST0047 was a detection only vulnerability and has now been changed to be able to enable and disable real-time scanning. The custom variable tab of the definition will now allow “On” or “Off” values to be selected. This would be one method.

          • 2. Re: Programmatically disable real time scanning
            phoffmann SupportEmployee

            Note that *BECAUSE* we're talking about an AV here, it's not "just as simple as" killing off processes in order to kill off the AV.


            Oddly enough, it's one of the first things a virus would do - try and kill off the AV process, so that the virus / spyware / piece of malicious code might go about its dirty business.


            What nearly EVERY AV vendor then does (to the best of my knowledge) is not JUST have processes running, but also have a driver loaded into memory. This way, the AV can protect itself. Ours is no exception here - there's more to the AV than just the visible processes.


            So, depending on what your backup software does, this MAY or may NOT become a problem (I'd recommend thorough testing).


            Apologies if this somewhat throws a spanner in your works, but I hope you understand why AVs tend to have to go this extra mile to be "unkillable" (in a way) on the quick. Given enough system privileges, the right detailed info and a reboot or two, anything (or nearly anything) can be brought down ... but that's beside the point here.


            - Paul Hoffmann

            LANDesk EMEA Technical Lead

            • 3. Re: Programmatically disable real time scanning
              Employee

              Disclaimer: This is going to be really lame, albeit working.


              Copy ST000047 to two new custom definitions, "enable-spyware" and "disable-spyware". For details on how to modify vuln definitions, see here: http://www.droppedpackets.org/security/what-s-in-that-security-threat/


              open backup window:

              batch file

              "%PROGRAMFILES%\LANDesk\LDClient\vulscan.exe" /removeav

              "%PROGRAMFILES%\LANDesk\LDClient\vulscan.exe" /repair vulnerability="disable-spyware"


              For luck, I'd reboot here... might not be necessary though.


              Do the backup.


              close backup window:

              batch file

              "%PROGRAMFILES%\LANDesk\LDClient\vulscan.exe" /repair vulnerability="enable-spyware"

              "%PROGRAMFILES%\LANDesk\LDClient\vulscan.exe" /installav


              More discussion on the general concept: http://www.droppedpackets.org/security/maintenance-window-reboots/


              You'll want to deal with exit codes and such once you're familiar with the concepts and committed to this path.

              • 4. Re: Programmatically disable real time scanning
                LANDave SupportEmployee

                An easier alternative to this would be a similar script that would simply do "NET STOP LDAVSERVICE" and "NET START LDAVSERVICE"

                • 5. Re: Programmatically disable real time scanning
                  Rookie

                  Almost there...


                  So if I stop the av service, will agent watcher restart it?  Should I push an agent update to my servers to remove agent watcher?


                  The only people who can log into servers with administrative rights are the network admin team here, so that would probably be an acceptable solution.  Stop the service and then restart it, assuming that does in fact kill real time scanning.

                  • 6. Re: Programmatically disable real time scanning
                    Master

                    defuseme2k wrote:


                    Almost there...


                    So if I stop the av service, will agent watcher restart it?  Should I push an agent update to my servers to remove agent watcher?


                    The only people who can log into servers with administrative rights are the network admin team here, so that would probably be an acceptable solution.  Stop the service and then restart it, assuming that does in fact kill real time scanning.

                    Real time spyware scanning is run by Softmon and not AV. You could also stop the softmon service.
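
Added example, not code from this thread or from LANDesk: a PowerShell wrapper for the stop / backup / restart window that replies 3, 4 and 6 describe, written the way a practitioner would want it before trusting it on a server. LDAVSERVICE is the service name given in reply 4; the spyware scanner service name "SoftMon", the backup launcher path and the log path are assumptions and must be checked against Get-Service on the actual agent version. It stops the services and confirms they really reached Stopped (the self-protection driver from reply 2, or the agent watcher asked about in reply 5, can block or undo the stop), runs the backup, records whether anything came back up during the window, and restarts scanning in a finally block so a failed backup never leaves a server without real-time scanning. It has to run elevated, which matches the admin-only access the original poster describes.

```powershell
# Added example (not from the LANDesk thread): run a backup inside a window where
# LANDesk real-time scanning is stopped, verify each state change, always restore.
# ASSUMPTIONS: 'SoftMon' as the spyware scanner service name, the backup launcher
# path and the log path are placeholders; 'LDAVSERVICE' comes from the thread.
param(
    [string[]]$Services = @('LDAVSERVICE', 'SoftMon'),   # assumption: verify with Get-Service
    [string]$BackupCommand = 'C:\Backup\runbackup.cmd',  # hypothetical backup launcher
    [int]$TimeoutSeconds = 60
)

$ErrorActionPreference = 'Stop'
$log = Join-Path $env:ProgramData 'backup-av-window.log'   # assumed log location

function Write-Log([string]$msg) {
    "$(Get-Date -Format o) $msg" | Tee-Object -FilePath $log -Append
}

# Poll until the service reports the wanted state or the timeout expires.
function Wait-ServiceState([string]$name, [string]$state, [int]$timeout) {
    $deadline = (Get-Date).AddSeconds($timeout)
    while ((Get-Date) -lt $deadline) {
        if ((Get-Service -Name $name).Status -eq $state) { return $true }
        Start-Sleep -Seconds 2
    }
    return $false
}

# Service names differ between agent versions; only act on those that exist here.
$present = @($Services | Where-Object { Get-Service -Name $_ -ErrorAction SilentlyContinue })
if ($present.Count -eq 0) {
    throw "None of the expected scanning services exist: $($Services -join ', ')"
}

$backupExit = 1
try {
    foreach ($svc in $present) {
        Write-Log "Stopping $svc"
        Stop-Service -Name $svc -Force
        # Self-protection or the agent watcher may refuse or reverse the stop;
        # do not start a backup that assumes scanning is off when it is not.
        if (-not (Wait-ServiceState $svc 'Stopped' $TimeoutSeconds)) {
            throw "$svc did not reach Stopped within $TimeoutSeconds s; aborting backup"
        }
    }

    Write-Log "Starting backup: $BackupCommand"
    $proc = Start-Process -FilePath 'cmd.exe' -ArgumentList "/c `"$BackupCommand`"" `
                          -Wait -PassThru -NoNewWindow
    $backupExit = $proc.ExitCode
    Write-Log "Backup exit code: $backupExit"

    # Record whether the watcher brought scanning back mid-backup (reply 5's question).
    foreach ($svc in $present) {
        $status = (Get-Service -Name $svc).Status
        if ($status -ne 'Stopped') { Write-Log "WARNING: $svc was $status during the backup window" }
    }
}
finally {
    # Restore scanning even if the backup failed or an exception was thrown above.
    foreach ($svc in $present) {
        try {
            Write-Log "Starting $svc"
            Start-Service -Name $svc
            if (-not (Wait-ServiceState $svc 'Running' $TimeoutSeconds)) {
                Write-Log "ERROR: $svc is not Running; real-time scanning is still off"
                $backupExit = 2
            }
        } catch {
            Write-Log "ERROR: could not start ${svc}: $($_.Exception.Message)"
            $backupExit = 2
        }
    }
}

exit $backupExit
```

A non-zero exit code therefore means either the backup failed or scanning did not come back, and the scheduler running the job should alert on both. If the agent watcher restarts the service faster than the backup finishes, the WARNING line in the log is the evidence, and the vulscan.exe /repair route from reply 3 (which changes the definition's "On"/"Off" setting rather than fighting the watcher) is the alternative to switch to.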