Do they really protect?

...let us know what you think, free speech!
bad_brain
Site Owner
Posts: 11636
Joined: 06 Apr 2005, 16:00
Location: In your eye floaters.

Post by bad_brain »

1. Well, the process is usually not simply disabled; the .exe file is often replaced or altered via the registry, and an AV simply can't know how your registry looked before the malware altered it... and to replace the files (like svchost.exe) would mean the AV would need to have loads of different .exe files on board. This would turn an AV into a huge bloated app, and additionally there is a copyright on every .exe by the original manufacturer, so it can't simply be embedded into an app from a 3rd party.

2. I don't think disabling such processes is only done by the name; it's also done in the registry... and a new process name would also mean new registry entries every time. The problem is more a lack of self-protection in some AVs. Look at AVs like Kaspersky or Norton: they have very good self-protection mechanisms (anyone that has tried to kill Norton knows what I mean; when you kill the process it simply spawns a new one).

3. Well, that's a good idea, but the problem with MS is that the user permission system is simply too basic; this is also caused by the NTFS file system. Have a look at Linux and its permission system with owners, groups, read/write/execute permissions, sticky bits, etc.
Different people install different apps, and there is no way MS can divide them into good/bad ones without causing a lot of collateral damage by forcing users to validate loads of registry changes manually.

DNR
Digital Mercenary
Posts: 6114
Joined: 24 Feb 2006, 17:00
Location: Michigan USA

Post by DNR »

P4, that's the kind of thinking we like.

I concur with everything bb said - and your ideas.

The only real security is monitoring. A static program, or even one that morphs with some predictability, can be cracked. I agree with the idea that an .exe could be coded to be scrambled to a random (but agreed-formula) .exe name; unfortunately it will just be another few lines of code in malware to detect the agreed-upon formula and locate the renamed .exe.

I suppose if the entire OS, applications, and drivers were all made into one code base, by one writer, then they could write code with close tolerance. I think a lot of code is written to be plug-and-play friendly, thus leaving too many 'open gaps' in software to be manipulated. It's an issue of trying to make software cross-platform friendly.

DNR
-
He gives wisdom to the wise and knowledge to the discerning. He reveals deep and hidden things; he knows what lies in Darkness, and Light dwells with him.
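Both posts above circle the same defensive point: a replaced or renamed system binary (bad_brain's svchost.exe example) and a killed security process (the Norton respawn example) are only caught if something is watching. The script below is an added example, not code from either poster or from any AV vendor: a minimal process-integrity monitor that compares a snapshot of running processes against a trusted baseline of where each system binary must live and what it must hash to, and reports any required protection process that is no longer running. The baseline, the hashes, the snapshot entries and the `avservice.exe` name are all constructed sample data, not real system values.

```python
"""Added example: baseline-driven process monitor (constructed data only)."""
import hashlib
import ntpath
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class Proc:
    pid: int
    name: str    # image name as shown in the process list
    path: str    # full path of the image on disk
    image: bytes # constructed stand-in for the on-disk file contents


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed baseline (hypothetical values): where each system binary must
# live and what its contents hash to. In practice this is recorded from a
# trusted golden image, never from the host that may already be altered.
BASELINE: Dict[str, Dict[str, str]] = {
    "svchost.exe": {"dir": r"C:\Windows\System32",
                    "sha256": sha256_hex(b"svchost v1 (constructed)")},
    "lsass.exe":   {"dir": r"C:\Windows\System32",
                    "sha256": sha256_hex(b"lsass v1 (constructed)")},
}

# Processes that must always be running; 'avservice.exe' is a hypothetical
# security service standing in for the self-protecting AV discussed above.
REQUIRED = {"avservice.exe"}


def check_process(p: Proc) -> List[str]:
    """Return findings for one process; an empty list means it matched the baseline."""
    findings: List[str] = []
    expected = BASELINE.get(p.name.lower())
    if expected is None:
        return findings  # not a baselined name, nothing to compare against
    actual_dir = ntpath.dirname(p.path)
    # Same image name but a different directory: a look-alike masquerading
    # as the system binary (the "renamed .exe" case).
    if ntpath.normcase(actual_dir) != ntpath.normcase(expected["dir"]):
        findings.append(f"pid {p.pid}: {p.name} running from unexpected directory {actual_dir}")
    # Right place but different contents: the binary was replaced or patched.
    if sha256_hex(p.image) != expected["sha256"]:
        findings.append(f"pid {p.pid}: {p.name} on-disk image hash differs from baseline")
    return findings


def scan(snapshot: List[Proc]) -> List[str]:
    """Check every process, then verify the required protection processes are alive."""
    findings: List[str] = []
    for p in snapshot:
        findings.extend(check_process(p))
    running = {p.name.lower() for p in snapshot}
    for name in sorted(REQUIRED - running):
        findings.append(f"required process {name} is not running")
    return findings


# Constructed snapshot: one clean svchost, one tampered lsass, one svchost
# look-alike in a temp directory, and no AV service at all.
SNAPSHOT: List[Proc] = [
    Proc(400, "svchost.exe", r"C:\Windows\System32\svchost.exe", b"svchost v1 (constructed)"),
    Proc(412, "lsass.exe", r"C:\Windows\System32\lsass.exe", b"lsass tampered (constructed)"),
    Proc(5120, "svchost.exe", r"C:\Users\alice\AppData\Local\Temp\svchost.exe", b"not svchost"),
]


if __name__ == "__main__":
    for line in scan(SNAPSHOT):
        print(line)
```

Run against the constructed snapshot it reports four findings: the temp-directory svchost.exe twice (wrong directory and wrong hash), the altered lsass.exe once, and the missing avservice.exe. The design choice worth noting is that the baseline is keyed on the trusted golden image rather than on the host's own registry, which is exactly the gap bad_brain describes: an AV on the box cannot know what the registry or the files looked like before they were changed, so the reference has to come from somewhere the malware could not touch.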
