Unfortunately it can be very trivially killed without having to know the password.
First we call OpenProcessToken() to get the security token for our own application. Then we call AdjustTokenPriviledges() to allow the program to gather to itself debug priviledges that allow us to forcefully terminate any process. Then we call OpenProcess() to acquire the PROCESS_TERMINATE permission and finally TerminateProcess() to send Kerio Personal Firewall to the graveyard.
When Kerio PFs process is terminated forcefully it, like every application, exits immediately without warning. This has been tested and found to work on WinXP without any security alerts happening.
I suspect this will work with ALL personal firewalls.
A piece of software on the local machine can disable the firewall? Is this even a flaw?
Any firewall that runs as a user-started service (such as Kerio WinRoute Firewall) can be disable by other pieces of software. Kerio WinRoute can be disable simply by typing "net stop winroute" at a windows command line. I suspect much is true of other firewalls - even those that done run as services could probably be terminated with good ol' taskkill.
If the malicious software is already on your machine disabling the firewall is the least of your worries.
Slashdot Mirror
Today's Confirmed Attacks from Zone-H.org
12 single IP, 364 mass defacements
Linux: 87.2%
Win2000: 4.8%
As of 1100h GMT+00.
-wolf
IE v6.0 after an SP2 install.
Unfortunately it can be very trivially killed without having to know the password. First we call OpenProcessToken() to get the security token for our own application. Then we call AdjustTokenPriviledges() to allow the program to gather to itself debug priviledges that allow us to forcefully terminate any process. Then we call OpenProcess() to acquire the PROCESS_TERMINATE permission and finally TerminateProcess() to send Kerio Personal Firewall to the graveyard. When Kerio PFs process is terminated forcefully it, like every application, exits immediately without warning. This has been tested and found to work on WinXP without any security alerts happening. I suspect this will work with ALL personal firewalls.
A piece of software on the local machine can disable the firewall? Is this even a flaw?
Any firewall that runs as a user-started service (such as Kerio WinRoute Firewall) can be disable by other pieces of software. Kerio WinRoute can be disable simply by typing "net stop winroute" at a windows command line. I suspect much is true of other firewalls - even those that done run as services could probably be terminated with good ol' taskkill.
If the malicious software is already on your machine disabling the firewall is the least of your worries.