Batman

Password Doesn't Prevent Uninstalling EAM

On 8/28/2019 at 5:22 AM, GT500 said:

My apologies, I misread your original post.

To my knowledge, there is no way to uninstall Emsisoft Anti-Malware on all workstations on a network automatically. Automating uninstalls of Anti-Virus software is a major security risk, as it would allow an attacker to remove protection from all computers on the network easily (a good example of where this would be possible is RDP compromise).

A hacker can easily uninstall the Anti-Malware without any problems and hardship!
There is no password request even for uninstallation!
Do you have a solution to this problem other than the group policy?

On 10/6/2019 at 5:56 AM, Batman said:

A hacker can easily uninstall the Anti-Malware without any problems and hardship!
There is no password request even for uninstallation!
Do you have a solution to this problem other than the group policy?

It's physically impossible to prevent an attacker from removing security software. Once they're in the system, and have admin rights, they have full control. They can terminate any process, delete any file, disable any startup entry, etc. This is one of the reasons why it is imperative to prevent an attacker from getting into the system in the first place.

EAM does have self-protection that can prevent automated removal of its components, however this will only stop an infection, and won't stop someone who's remotely accessing the system.

BTW: If you configure an admin password for Emsisoft Anti-Malware, it won't allow someone to uninstall it without the password while Windows is running normally.

6 hours ago, GT500 said:

BTW: If you configure an admin password for Emsisoft Anti-Malware, it won't allow someone to uninstall it without the password while Windows is running normally.

Thanks a lot

I configured an admin password, but the administrator password does not work to uninstall Anti-Malware!

17 hours ago, Batman said:

I configured an admin password, but the administrator password does not work to uninstall Anti-Malware!

It's supposed to be that way when Windows is running in Safe Mode (after all, if you forget your password, you need to have a way to regain control). I'll ask if we've changed this functionality.

On 10/9/2019 at 7:11 AM, GT500 said:

It's supposed to be that way when Windows is running in Safe Mode (after all, if you forget your password, you need to have a way to regain control). I'll ask if we've changed this functionality.

This feature is missing. Is there an explanation for it?

On 10/12/2019 at 10:37 AM, Batman said:

This feature is missing. Is there an explanation for it?

Limited user accounts in Windows can't install or uninstall software. If you don't want someone to be able to uninstall your security software, then you should keep a single account with administrator rights that is protected by a reasonably secure password, and then all other accounts (including the one you normally log in with) should be limited accounts.

10 hours ago, GT500 said:

Limited user accounts in Windows can't install or uninstall software. If you don't want someone to be able to uninstall your security software, then you should keep a single account with administrator rights that is protected by a reasonably secure password, and then all other accounts (including the one you normally log in with) should be limited accounts.

I'm a little confused about what's the difference between these two cases.
Any user with the administrator account cannot shut down the protection or disable the components due to the password, but they can uninstall it without any limitation!

I have several antivirus contracts with small companies.

They require admin user accounts for their third-party software. It's not possible to limit their user accounts, and they uninstall the software whenever they have a conflict with Emsisoft.

Also, it is not possible to monitor if the EAM has been removed in the cloud console.

I've worked with Kaspersky, Sophos, and Eset before. They didn't have this problem. Using them, I was able to limit the uninstall of antivirus.

13 hours ago, Batman said:

Any user with the administrator account cannot shut down the protection or disable the components due to the password, but they can uninstall it without any limitation!

I'm fairly certain that the password isn't required for an administrator (it's intended to grant admin rights for limited users). This, of course, would depend on how the permissions in EAM are configured (you can configure them so specific users or groups have limited permissions, regardless of the permissions they have in Windows).

As for uninstalling, that's a matter of permissions in Windows. An administrator can remove anything they want to. If you try to block the uninstall, then they can just manually remove the software. You literally cannot prevent it.

 

13 hours ago, Batman said:

... they uninstall the software whenever they have a conflict with Emsisoft.

Is it not possible to teach them how to add exclusions?


Many thanks for your attention.

7 hours ago, GT500 said:

Is it not possible to teach them how to add exclusions?

I always set their permission level to "No access".
For this reason, they can't exclude or change the configuration.
Therefore they choose the fastest option: Uninstall Emsisoft.

In your opinion, does this feature help improve protection and security?

Most unauthorised users are unable to uninstall EAM and other AV via the registry key and other options, which means improved protection.
Also, this feature can disrupt hackers' work and even stop them from continuing their malicious activity. Do you agree with this argument?

Most companies have this feature. Did they mistakenly develop this feature?

[Eight attached images, not reproduced here]

15 hours ago, Batman said:

Also, this feature can disrupt hackers' work and even stop them from continuing their malicious activity. Do you agree with this argument?

As I keep saying, there is absolutely nothing you can do to stop someone who has administrator access to a computer from removing security software. I don't care if the Anti-Virus can't be "uninstalled" without a password, I could remove it with a batch file. I could also just terminate its running processes, then delete its files, and unregister its drivers and services. It takes very little actual work to remove an Anti-Virus software, even if you don't have permission to do so.

 

16 hours ago, Batman said:

Most companies have this feature. Did they mistakenly develop this feature?

We used to have it as well. I think it was removed when we changed how our permissions system works.


FYI: I've split our posts into a new topic so that we are no longer hijacking someone else's topic with an unrelated discussion. ;)


Dear Arthur, Thanks for your excellent support.

Is there a solution other than "Limit User Accounts in Windows" for this issue? I need to set the maximum possible limit for users with administrator access.

Will I be able to view and check uninstalled EAM from the cloud console in the future? This feature will be very beneficial.

Unfortunately, over the past few months, this has diminished my credibility and performance.
 

17 hours ago, Batman said:

Is there a solution other than "Limit User Accounts in Windows" for this issue? I need to set the maximum possible limit for users with administrator access.

There is no official way to accomplish what you want when an account has administrator rights. That being said, you could use various tricks to prevent uninstall. For instance, install EAM using the old InnoSetup-based installer and then delete the uninstaller that's in the EAM folder. Or simply delete the uninstall entry for EAM from the registry after you install it.

You could also change the permissions on the EAM folder to prevent deletion of the folder and any files inside, however this may prevent EAM from being able to update, and if any mistakes are made in permissions then EAM may not run correctly and you may not be able to fix it. Needless to say, this method is not really recommended, especially since the drivers and service could still be unregistered leaving EAM completely useless.

 

18 hours ago, Batman said:

Will I be able to view and check uninstalled EAM from the cloud console in the future? This feature will be very beneficial.

I'll submit it as a feature request. For now, it should be possible to tell that logging has stopped on a specific workstation, and it should be possible to check the Last Update time/date.

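The interim check suggested in the reply above (notice when logging has stopped on a workstation and look at its Last Update time) can be automated. This is an added example, not part of the original thread and not Emsisoft code; the CSV columns, host names and thresholds are assumptions, since the thread does not describe a console export format.

```python
import csv
import io
from datetime import datetime, timedelta

# Constructed sample data. The column names are assumptions for this
# example, not the cloud console's real export format.
SAMPLE_EXPORT = """workstation,last_log,last_update
ACCT-PC01,2019-10-21 08:55,2019-10-21 08:10
ACCT-PC02,2019-10-14 17:02,2019-10-14 16:40
FRONT-DESK,2019-10-21 07:30,2019-10-17 09:15
NEW-LAPTOP,,
"""

FMT = "%Y-%m-%d %H:%M"


def _parse(value):
    """Return a datetime, or None when the field is empty."""
    value = value.strip()
    return datetime.strptime(value, FMT) if value else None


def find_silent_workstations(export_text, now,
                             max_log_gap=timedelta(hours=24),
                             max_update_gap=timedelta(days=2)):
    """Map each suspicious workstation to the reasons it was flagged."""
    findings = {}
    for row in csv.DictReader(io.StringIO(export_text)):
        last_log = _parse(row["last_log"])
        last_update = _parse(row["last_update"])
        reasons = []
        if last_log is None and last_update is None:
            # Enrolled but has never checked in at all.
            reasons.append("never reported")
        else:
            if last_log is None or now - last_log > max_log_gap:
                reasons.append("logging stopped")
            if last_update is None or now - last_update > max_update_gap:
                reasons.append("updates stopped")
        if reasons:
            findings[row["workstation"]] = reasons
    return findings


if __name__ == "__main__":
    report = find_silent_workstations(SAMPLE_EXPORT, datetime(2019, 10, 21, 9, 0))
    for host, reasons in report.items():
        print(f"{host}: {', '.join(reasons)}")
```

A workstation that is simply powered off produces the same signal, so a finding is a prompt to check the machine, not proof that the software was removed.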
