Tilted Forum Project Discussion Community

Tilted Forum Project Discussion Community (https://thetfp.com/tfp/)
-   Tilted Technology (https://thetfp.com/tfp/tilted-technology/)
-   -   Firewalls and Viruses (https://thetfp.com/tfp/tilted-technology/62692-firewalls-viruses.html)

trache 07-16-2004 07:56 AM

Firewalls and Viruses
 
I'm a Network Administrator.

I've had it up to here *points past head* with viruses. I don't know why I hadn't thought of this before, and why large software companies haven't thought of this (yet?) either, but here it goes:

Considering that most viruses of this generation have an internal list of processes to kill (anti-virus or firewall programs), would it be an effective use of my time to try to rename my firewall and/or anti-virus program filenames?

What would I have to consider? The Windows registry, any configuration files (I suppose)? Would anyone have any idea if doing this would harm an installation of the software (ie, do any of the software programs reference a constant filename?) Does anyone have any experience doing this?

What if the large software companies that build these programs modified their build process so that during the installation all the references could be changed to reflect the new, randomly chosen filename?

hrdwareguy 07-16-2004 08:48 AM

Theoretically, you should be able to do that. However here are some problems.

Lets say you have an executable that you change the name of...no problem. Then that executable spawns another process. You can not change the name of this process.

Also, if that executable calls another executable, that name can not be changed either or the file won't run.

JohnnyRoyale 07-16-2004 01:19 PM

Renaming processes might work, but in the long run, it'd probably cause more problems than it would solve. If you're a network administrator, I'm guessing you have users' workstations to look after, and that's where the virii are coming in? You might want to look into limiting what your users can and can't do, via blacklists, policy files (for Windows), proxy servers, and limiting permissions. In a network, you can set up all of these without worrying so much about programs not working.

zero2 07-16-2004 02:02 PM

Just to add, to what JohnnyRoyale above has said, 80 to 90% of the time viruses are coming from the outside.

Each security measure has a flaw. As I found out yesterday.

Antiviruses are only as good as the latest update. Any virus past that update, as well as new viruses pretty much renders your antivirus software useless.

Firewalls, can't prevent viruses, worms, or trojans from working their way through your network. If someone downloads a virus, trojan, or worm guess what, your firewall isn't going to save your @ss.

I think the solution to most of the virus problems is that more time needs to be spent on education. If you give someone an idea what to look for and what to avoid, I'm pretty sure that you will spend less time dealing with viruses.

Also another thing that researchers are beginning to say is, "use another alternative to Internet Explorer". Mozilla, Opera, Avant, are all exceptional browsers.

Also another deathtrap is Outlook Express; a great number of viruses are email viruses. Educate your users to take precaution before opening attachments. In fact, if possible avoid using Outlook; instead use a web mail service, and let the mail service deal w/ the viruses.

Tell them also to avoid attachments w/ filenames w/ the following extensions, .exe, .vbs, .com

Another thing is if they bring work from an outside source, on a cd, usb drive, flash media, they should do a virus scan, before they bring it in.

hrdwrjnkie 07-16-2004 02:07 PM

Speaking from experience, renaming those executables is generally a bad idea unless they are a single-executable program. Proggies like Norton and ZA or Black Ice will launch new processes that will still be named the same, and virii can still kill them.

Personally, I'm a fan of DeepFreeze. My users all have a shared server folder that all of their data is stored in, and every workstation reverts to a pristine state when rebooted. Now instead of recovering a machine, I just have a user save their work and reboot.

trache 07-19-2004 07:19 AM

....
 
My point to having them renamed though is that when the viruses go through their internal list to kill a certain process, they'll skip over the running firewall/anti-virus executable because it is renamed.

In theory, any good program that references itself through its filename should in theory be able to store its running filename in memory (which may or may not be a bad thing) and pass it to whoever needs it.

Although I don't know if that function exists in (this example) the Windows APIs.
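The function trache is asking about does exist: on Windows, GetModuleFileName with a NULL module handle returns the full path of the executable that started the current process, whatever the file on disk was renamed to; on Linux the same information comes from the /proc/self/exe symlink. The program below is an added example (not code from this thread or from any firewall/anti-virus vendor) showing a process resolving its own path at startup and splitting off the base name, so that a program which has to locate its own helpers or refer to itself can do so without a hard-coded filename. The name get_self_path and the helper self_basename are this example's own; the sample path passed to self_basename in the usage is constructed.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#ifdef _WIN32
#include <windows.h>
#else
#include <unistd.h>
#endif

/* Resolve the full path of the running executable, regardless of what the
 * file has been renamed to on disk. Returns the number of characters
 * written to buf (not counting the terminator), or 0 on failure.
 * Added example for this thread; the function name is our own. */
size_t get_self_path(char *buf, size_t buflen)
{
    if (buf == NULL || buflen == 0) return 0;
#ifdef _WIN32
    /* GetModuleFileNameA(NULL, ...) fills buf with the path of the module
     * that started this process. A return value equal to buflen means the
     * path was truncated, which we treat as failure. */
    DWORD n = GetModuleFileNameA(NULL, buf, (DWORD)buflen);
    if (n == 0 || n >= buflen) return 0;
    return (size_t)n;
#else
    /* On Linux, /proc/self/exe is a symlink to the running binary.
     * readlink() does not NUL-terminate, so reserve one byte for that. */
    ssize_t n = readlink("/proc/self/exe", buf, buflen - 1);
    if (n <= 0) return 0;
    buf[n] = '\0';
    return (size_t)n;
#endif
}

/* Return a pointer to the final path component (the executable's current
 * name), accepting both '/' and, on Windows, '\\' as separators. */
const char *self_basename(const char *path)
{
    const char *sep = strrchr(path, '/');
#ifdef _WIN32
    const char *bs = strrchr(path, '\\');
    if (bs > sep) sep = bs;
#endif
    return sep ? sep + 1 : path;
}

int main(void)
{
    char path[4096];

    if (get_self_path(path, sizeof path) == 0) {
        fprintf(stderr, "could not resolve own executable path\n");
        return 1;
    }

    /* Whatever the binary was renamed to, the process now knows it and
     * can hand it (or its directory) to anything that needs to find it. */
    printf("running as   : %s\n", self_basename(path));
    printf("full path    : %s\n", path);
    printf("constructed  : %s\n", self_basename("/opt/av/guard.exe"));
    return 0;
}
```

The caveat the other replies raise still applies: this only helps a program that refers to itself through the value it resolved at startup. Any child process it launches by a fixed name, and any service registration that points at the old filename, still exposes a predictable name, so renaming the main binary alone does not make the rest of the suite invisible to a kill list.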

Slavakion 07-19-2004 07:57 AM

I see what you're saying. But what exactly do you want the filename to end up as? Say the firewall was called firewall.exe
Do you want it to be

1) firewall8.exe (prefix/suffix)
2) f1r3wall.exe (simple substitution)
3) happy.exe (completely different)
4) sgfsdyfg.exe (just random shit)

For any of them, the average user could look at their processes and not know what any of them are (less than usual) because instead of firewall.exe you have f1r3wall.exe(main), fyrewall5.exe(support), fir3wall3.exe(virus), fsdfsggsd.exe(nobody knows)

But, whatever. I see what you're saying, and it's not a bad idea

