Monday, January 2, 2012

Safe-Mode vs. Disabling in AV vs. AR vs. Removing

When disabling anti-virus applications, there are a few common misconceptions about what is actually required to completely disable the real-time protection that can prevent some virus removal tools from running.

Safe Mode loads only a basic set of drivers and devices, which often temporarily disables the AV. However, some removal tools reboot into Normal Mode during the removal process, at which point the AV is re-enabled and can prevent those tools from running. Likewise, Safe Mode limits other functionality of Windows that may be required to remove particular infections.

Disabling the real-time scanning portions of the software from within the AV itself is the easiest way to ensure that the components that could interfere with surgical removal of infections are out of the way. Some AV cannot be disabled once it has expired, however; in that case it should be uninstalled using Add/Remove Programs or the official uninstaller for that particular AV.

AR (AutoRuns) can be used to disable the services for an AV suite; however, with most AV packages, just disabling the services is not enough, as the package will generally install virtual devices that are used for various purposes in providing protection. Often, when the software service is disabled, these devices are not, and that leaves the system in a partially-broken state.
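The two points above (Safe Mode only lasts until the next normal boot, and stopping services leaves the AV's virtual devices, which in practice are kernel-mode drivers, still loaded) are easy to verify from an elevated PowerShell prompt. The script below is an added example, not code from the original post: it reports the current boot mode and lists every service and kernel driver whose name or image path matches a vendor pattern, then warns when the services are down but a driver is still running, which is exactly the partially-broken state described above. `ExampleAV` is an assumed placeholder pattern, not a real product; substitute the string your AV uses in its service and driver names.

```powershell
# Added example (not from the original post): inventory what an AV suite has
# loaded so a technician can tell "service disabled" apart from "driver still
# running". $VendorPattern is an assumed placeholder; replace it with the name
# your AV actually uses in its service and driver names.
param(
    [string]$VendorPattern = 'ExampleAV'   # placeholder, not a real product
)

# 1. Boot mode. Safe Mode reports "Fail-safe boot" or "Fail-safe with network
#    boot"; a removal tool that reboots will bring this back to "Normal boot".
$boot = (Get-CimInstance -ClassName Win32_ComputerSystem).BootupState
Write-Host "Boot mode: $boot"

# Match on service/driver name, display name, or the on-disk image path.
$matchVendor = {
    $_.Name -match $VendorPattern -or
    $_.DisplayName -match $VendorPattern -or
    $_.PathName -match $VendorPattern
}

# 2. User-mode services (what the Services tab in AutoRuns lets you disable).
$services = Get-CimInstance -ClassName Win32_Service |
    Where-Object $matchVendor |
    Select-Object Name, State, StartMode, PathName

# 3. Kernel-mode drivers (the "virtual devices"). These are untouched by a
#    service-only disable and keep filtering file and network I/O.
$drivers = Get-CimInstance -ClassName Win32_SystemDriver |
    Where-Object $matchVendor |
    Select-Object Name, State, StartMode, PathName

Write-Host "`nServices matching '$VendorPattern':"
$services | Format-Table -AutoSize
Write-Host "Kernel drivers matching '$VendorPattern':"
$drivers | Format-Table -AutoSize

# 4. Flag the half-disabled condition: no matching service running, but at
#    least one matching driver still Running.
$anyServiceRunning = [bool]($services | Where-Object { $_.State -eq 'Running' })
$runningDrivers    = @($drivers | Where-Object { $_.State -eq 'Running' })
if ($services -and -not $anyServiceRunning -and $runningDrivers.Count -gt 0) {
    Write-Warning ("Services are stopped but {0} driver(s) still running; " +
                   "use the vendor's own controls or its removal tool instead.") -f $runningDrivers.Count
}
```

Run it once before and once after whatever disabling step you take; if the driver list does not change, the AV's protection engine is still in the kernel regardless of what the service state says. On Windows 8 and later with Defender, the product's own view of its state is available directly via `Get-MpComputerStatus` (the `RealTimeProtectionEnabled` property), which is the kind of "AV's own controls" check the closing paragraph recommends.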

Removing the AV is a guaranteed way to ensure it does not interfere with the removal process. Most modern AV is not entirely removed by Add/Remove Programs, however, and the official removal tool from the AV manufacturer should be used to remove the product. A list of removal tools can be found here (ESET KB - Uninstallers for common AV Software). The list is slightly dated, but more or less provides a comprehensive index of common AV software and links to their respective removal tools or removal how-to guides.

In closing, if you can't or shouldn't remove the AV entirely, the preferred method for disabling it is to use the AV's own controls to disable the real-time scanning and/or firewall portions of its protection engine. AR and Safe Mode are simply incomplete or ineffective methods for disabling AV.
