It's probably because there is a TDI or NDIS driver installed as a shim between 
the network driver and the OS being used to filter traffic. Turning the service 
off probably just stops the driver from forwarding traffic. It's been a while 
since I worked on drivers, but there should be some manual ways to get around 
this, depending on how much the AV is watching for modifications. One easy thing 
you could try is to stop the services like you did, then go to Device Manager and, 
in the View menu, select "Show hidden devices". There should be a new list of 
non-Plug and Play drivers. You can try to figure out which ones are linked to 
the AV by name, then confirm it by opening up the driver properties and clicking 
on the drivers tab and the driver details button. Once you have confirmed it, 
you can stop the driver. See if that works. If not, then you might need to look 
at some of the tools published by the driver development community that help in 
disabling and unloading drivers. 

Thanks,
------------------------------------------
Ali Mesdaq (CISSP, GIAC-GREM)
Sr. Security Researcher
Websense Security Labs
http://www.WebsenseSecurityLabs.com
------------------------------------------


-----Original Message-----
From: hardware-boun...@hardwaregroup.com 
[mailto:hardware-boun...@hardwaregroup.com] On Behalf Of Thane Sherrington
Sent: Tuesday, May 25, 2010 1:13 PM
To: hardware@hardwaregroup.com
Subject: [H] AV disabling question

When a computer comes into the shop, I like to disable the current AV 
so as to speed up the scans and prevent two AVs conflicting.  I've 
been disabling the AV's services, but I've found that when I do that 
with NIS (surprise, surprise, it's a piece of crap) then it shuts down 
access to the internet because its firewall is off.  Then I end up 
having to turn the service back on (no small feat because the PoS 
tries to prevent changes to its service settings even though it's 
turned off.)  Does anyone know of a better way to disable AVs 
(especially NIS) without uninstalling so that I can still access the internet?

T



