It's been my experience that some security software (like Symantec's Norton AntiVirus) oftentimes prohibits its removal from a Windows system via the "Add or Remove Programs" utility, going so far as to occasionally require a removal program obtained from Symantec's homepage. (I assume this is to prevent a malicious program from disabling the security software... any other reason?)

How can a program be configured to resist removal via a system's uninstall utility, or via deleting the program's directory? Is Norton the only software suite that employs this technique, or is this widespread amongst security software? Are there similar techniques that can be used on Unix / Unix-like systems?

+3  A: 

Norton is not the only one that does this; however, McAfee and Norton are the only ones who make it almost impossible to remove the software. Not because they care about viruses or security threats; they don't want to give up control of the system. Many other antivirus products that work just as well as, if not better than, Norton, like AVG, Avast, and others, do allow you to uninstall from Add/Remove Programs. If they tell you anything different, they are just lying, because you have to physically click in Add/Remove Programs to run the uninstall process. There is no programmatic way to do this.

They do this by just hijacking the uninstall with a custom process. There is not really a standardized uninstall method. The closest to that is the MSI package that Microsoft provides; however, that doesn't have to be used, and even if they do use it, they can customize the operations to do whatever they want when uninstalling.

In NTFS you can lock folders and files that are currently executing in memory. Norton either uses this method or uses the service running in the background to prevent it.

Norton and McAfee are some of the most invasive resource hogs that you can never get out of your system once installed. They don't do this for security. They do this because they are in a market that has free alternatives that are 20 times better than their legacy software. So they strike deals with the OEMs to install their software by default in the hopes that people will continue to pay yearly subscriptions to them. On top of that, if they make it really hard to remove, some people won't be bothered and will just pay up.

Nick Berardi
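A defender's inventory check, added here as an example and not part of the answer above: it walks the Add/Remove Programs registry entries and lists the ones whose uninstall command bypasses Windows Installer (no msiexec) or that carry the NoRemove / SystemComponent values that hide or disable the Remove button. The key paths and value names are the standard Windows locations; the grouping into "custom uninstaller" is this example's own heuristic.

```powershell
# Added example (not from the original post): audit Add/Remove Programs entries.
# Windows reads these keys to populate the uninstall list; UninstallString is
# the command it runs, and NoRemove / SystemComponent control whether the
# entry can be removed or is shown at all.
$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

function Get-CustomUninstallEntries {
    Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -and $_.UninstallString } |
        ForEach-Object {
            $cmd = $_.UninstallString
            [pscustomobject]@{
                Name            = $_.DisplayName
                Publisher       = $_.Publisher
                # msiexec-driven uninstalls follow the Windows Installer contract;
                # anything else is a vendor-supplied program that can do as it likes.
                UsesMsi         = [bool]($cmd -match '(?i)msiexec')
                NoRemove        = [bool]$_.NoRemove
                SystemComponent = [bool]$_.SystemComponent
                Uninstall       = $cmd
            }
        } |
        # Report only entries that avoid MSI or are flagged against removal.
        Where-Object { -not $_.UsesMsi -or $_.NoRemove -or $_.SystemComponent } |
        Sort-Object Name
}

Get-CustomUninstallEntries | Format-Table Name, Publisher, UsesMsi, NoRemove, SystemComponent -AutoSize
```

Run it from an elevated prompt to see the full HKLM view; entries installed per-user live under HKCU in the same relative path and are not covered here.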
A: 

If you are looking for a "solution" where the system can't be damaged by the user, you don't need any hacks like that. Just don't give the user access to the administrator account. If the user is you, it's even easier: don't run anything that is not trusted when logged in as administrator.

John Nilsson
A: 

Are you looking for ideas, or methods to prevent security software from being uninstalled, stopped, or "killed" while running? If so, I have some ideas that I had been working on while I was working for an AV company, and none of them had anything to do with "trying to keep control of the machine". It simply had to do with the volume of viruses I saw that attacked the most popular AV software out there. My goal was to make it so only I could shut down our service in prep for an upgrade.

Using cryptography, I think I found some good ways to do it too.

LarryF