Circumventing Critical Security in Windows XP
- To: bugtraq@xxxxxxxxxxxxxxxxx
- Subject: Circumventing Critical Security in Windows XP
- From: barkley@xxxxxxx
- Date: 17 Feb 2010 14:04:12 -0000
Hi,
I've detailed below just how easy (too easy) it is to circumvent the security
of the following critical security services. Thus can't now become can!
It goes without saying that malware on entering a system by whichever means,
and on detecting critical security services, can now even more easily
(automated/scripted) disarm critical security services, just by modifying
unprotected registry entries, for whatever malevolent purposes.
I've created registry entries (I can send these to you should you be
interested) to demonstrate just how easy it is to circumvent the security of
these critical security services, which unfortunately is all too easily a very
effective way of immobilising critical security functions i.e. firewall,
antivirus etc. This in my opinion is certainly not a vulnerability nor a flaw
so to speak, but rather a functional design oversight?
I've verified this against the following with success. After these registry
modifications have been effected and the system rebooted, these critical
services will be disarmed.
BlackICE
McAfee
Pointsec
ISS Proventia
ZoneAlarm
On successfully disarming these security services, one could also use the
following to then further manipulate the drivers & services, by reconfiguring
their startup parameters to 'manual' and not 'automatic', or just disable them
altogether.
i.e. The following will reconfigure the startup parameters to 'manual' and not
'automatic' (default)
C:\>sc config VPatch start= demand
C:\>sc config BlackICE start= demand
C:\>sc config McShield start= demand
C:\>sc config McTaskManager start= demand
C:\>sc config McAfeeFramework start= demand
C:\>sc config Pointsec_start start= demand
C:\>sc config Pointsec start= demand
Cheers
Andrew Barkley
(-_-)
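A defender-side check for the tampering the post describes, added here as an example (not the author's code): it parses the text `sc qc` prints for the services named above and flags any whose START_TYPE is no longer AUTO_START. The service names are taken from the post; the `sc qc` output embedded below is constructed to match that command's layout and was not captured from a real host.

```python
import re
import subprocess
from typing import Dict, Optional

# Service names the post shows being switched to 'manual' with `sc config ... start= demand`.
CRITICAL_SERVICES = [
    "VPatch", "BlackICE", "McShield", "McTaskManager",
    "McAfeeFramework", "Pointsec_start", "Pointsec",
]

# `sc qc <name>` prints a line such as "START_TYPE : 2   AUTO_START" or "3   DEMAND_START".
_START_TYPE_RE = re.compile(r"START_TYPE\s*:\s*(\d+)\s+(\w+)")

def parse_start_type(sc_qc_output: str) -> Optional[str]:
    """Return the symbolic start type (AUTO_START, DEMAND_START, DISABLED, ...)
    from `sc qc` text, or None when the output carries no START_TYPE line
    (e.g. the service is not installed)."""
    m = _START_TYPE_RE.search(sc_qc_output)
    return m.group(2) if m else None

def query_start_type(service: str) -> Optional[str]:
    """Run `sc qc` for a live service (Windows only) and parse its start type."""
    out = subprocess.run(["sc", "qc", service], capture_output=True, text=True).stdout
    return parse_start_type(out)

def find_tampered(outputs: Dict[str, str], expected: str = "AUTO_START") -> Dict[str, str]:
    """Given {service: sc qc text}, return the services whose start type differs
    from `expected`, mapped to what was actually found."""
    tampered = {}
    for svc, text in outputs.items():
        found = parse_start_type(text)
        if found != expected:
            tampered[svc] = found or "NOT_FOUND"
    return tampered

# Constructed sample output shaped like `sc qc` (hypothetical, not from a real host).
SAMPLE_OUTPUT = {
    "McShield": ("[SC] QueryServiceConfig SUCCESS\n\nSERVICE_NAME: McShield\n"
                 "        TYPE               : 10  WIN32_OWN_PROCESS\n"
                 "        START_TYPE         : 2   AUTO_START\n"),
    "BlackICE": ("[SC] QueryServiceConfig SUCCESS\n\nSERVICE_NAME: BlackICE\n"
                 "        TYPE               : 10  WIN32_OWN_PROCESS\n"
                 "        START_TYPE         : 3   DEMAND_START\n"),
    "Pointsec": "[SC] OpenService FAILED 1060:\n\nThe specified service does not exist.\n",
}

if __name__ == "__main__":
    for svc, found in find_tampered(SAMPLE_OUTPUT).items():
        print(f"{svc}: start type is {found}, expected AUTO_START")
```

On a live host, replace SAMPLE_OUTPUT with `{s: subprocess.run(["sc", "qc", s], capture_output=True, text=True).stdout for s in CRITICAL_SERVICES}`; a DEMAND_START or DISABLED result for a service that should auto-start is the signal the post warns about.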