
Re: Antivirus override


David H. Lipman

Sep 24, 2005, 7:25:42 PM
From: "visions" <vis...@discussions.microsoft.com>

| Can anybody tell me what this is all about, because I can't think of any
| reason why microsoft would wish to override my antivirus program and switch
| off my active guard.
| Registry entry: Windows Security Center.AntiVirusOverride: Settings
| (Registry change, fixed)
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security
| Center\AntiVirusOverride!=dword:0
| --
| If it ain't broken don't fix it

It is NOT an override of anti virus.
It is a Security Center override of warning if your AV software is not installed or
disabled.

--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm


MowGreen

Sep 25, 2005, 12:01:09 AM
David,

Are you certain that's not a malware value ? AntiVirusOverride!=dword:0
with the exclamation point isn't in any DWord names on any of my XP
systems.
Without the exclamation point, it is.

MowGreen [MVP 2003-2005]
===============
* 343 * FDNY
Never Forgotten
===============

David H. Lipman

Sep 25, 2005, 7:44:08 AM
From: "MowGreen" <mowg...@nowandzen.com>

| David,
|
| Are you certain that's not a malware value ? AntiVirusOverride!=dword:0
| with the exclamation point isn't in any DWord names on any of my XP
| systems.
| Without the exclamation point, it is.
|
| MowGreen [MVP 2003-2005]
| ===============
| * 343 * FDNY
| Never Forgotten
| ===============
|

Interesting point.

However if the OS does not read the "AntiVirusOverride!" but reads "AntiVirusOverride"
then it would be ignored by the OS and I can't see how malware could use this altered value
to change the Security Center.

Am I certain ? -- No.

Nor could I find further info in the Knowledge Base or TechNet.

MowGreen

Sep 25, 2005, 9:38:28 PM
David H. Lipman wrote:
> From: "MowGreen" <mowg...@nowandzen.com>
>
> | David,
> |
> | Are you certain that's not a malware value ? AntiVirusOverride!=dword:0
> | with the exclamation point isn't in any DWord names on any of my XP
> | systems.
> | Without the exclamation point, it is.
> |
> | MowGreen [MVP 2003-2005]
> | ===============
> | * 343 * FDNY
> | Never Forgotten
> | ===============
> |
>
> Interesting point.
>
> However if the OS does not read the "AntiVirusOverride!" but reads "AntiVirusOverride"
> then it would be ignored by the OS and I can't see how malware could use this altered value
> to change the Security Center.
>
> Am I certain ? -- No.
>
> Nor could I find further info in the Knowledge Base or TechNet.
>

Perhaps someone from MS will see this thread and give us privy to such
knowledge ?
I'll ask around in the meantime, David.

MowGreen [MVP 2003-2005]
===============
*-343-* FDNY
Never Forgotten
===============

David H. Lipman

Sep 25, 2005, 9:46:36 PM
From: "MowGreen" <mowg...@nowandzen.com>

| Perhaps someone from MS will see this thread and give us privy to such
| knowledge ?
| I'll ask around in the meantime, David.
|
| MowGreen [MVP 2003-2005]
| ===============
| *-343-* FDNY
| Never Forgotten
| ===============

Sounds good to me !

Gracias !

MowGreen [MVP]

Sep 26, 2005, 1:27:05 PM
visions,

How were you able to "see" this entry, via Spybot or searching through
the registry ?
From what I've heard so far, the exclamation point ( ! ) added to
AntiVirusOverride ! means that

" The detection in Spybot means that the regval AntiVirusOverride is not
equal to zero (which it should be). If it is zero, the AV monitoring
in the Security Center of Windows XP SP2 is enabled. If it is
non-zero, the AV monitoring would be disabled. "
and ...
" In several programming languages and elsewhere in the tech world, an
exclamation mark means "not". "

In plain English, it is possible that a malware has added the
exclamation point so that you're not being notified that the installed
AV is NOT monitoring the system.

Is McAfee the installed AV ?

MowGreen [MVP 2003-2005]
===============
-343-* FDNY
Never Forgotten
===============
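
Added example, not part of the thread and not Spybot's own code: a short Python parser that reads the finding quoted in the original post as `<key>\<value name><operator>dword:<data>`, showing that the `!` belongs to the `!=` comparison rather than to the value name, and then evaluates it against registry snapshots. The field layout, the status strings and the snapshots are assumptions constructed for illustration.

```python
import re

# Finding text as quoted in the thread (wrapped after "Security" there).
THREAD_FINDING = ("HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Security\n"
                  "Center\\AntiVirusOverride!=dword:0")

# Assumed layout: <key path>\<value name><operator><type>:<data>,
# with operator "!=" or "=" and type "dword".
FINDING_RE = re.compile(
    r"^(?P<key>.+)\\(?P<name>[^\\!=]+)(?P<op>!=|=)dword:(?P<data>[0-9A-Fa-f]+)$")


def parse_finding(text):
    """Split a finding into key path, value name, operator and data."""
    joined = " ".join(text.split())  # undo the line wrap in the posted copy
    m = FINDING_RE.match(joined)
    if m is None:
        raise ValueError("unrecognised finding: %r" % joined)
    # Data is read as hex, as in .reg files (assumption; 0 is the same either way).
    return {"key": m.group("key"), "name": m.group("name"),
            "op": m.group("op"), "data": int(m.group("data"), 16)}


def check(finding, snapshot):
    """Classify a finding against a {key: {value name: int}} snapshot."""
    # Value names are compared case-insensitively; key paths must match exactly here.
    values = {k.lower(): v for k, v in snapshot.get(finding["key"], {}).items()}
    name = finding["name"].lower()
    if name + "!" in values:
        return "literal-bang-name"   # a value really named "...!" exists
    if name not in values:
        return "not-set"
    actual = values[name]
    hit = (actual != finding["data"]) if finding["op"] == "!=" else (actual == finding["data"])
    return "flagged" if hit else "clean"


KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center"
# Constructed snapshots, not data from the poster's machine.
SNAPSHOTS = {
    "monitoring on": {KEY: {"AntiVirusOverride": 0}},
    "warning suppressed": {KEY: {"AntiVirusOverride": 1}},
    "odd name": {KEY: {"AntiVirusOverride!": 0}},
}

if __name__ == "__main__":
    f = parse_finding(THREAD_FINDING)
    print(f["name"], f["op"], f["data"])
    for label, snap in SNAPSHOTS.items():
        print(label, "->", check(f, snap))
```

The "literal-bang-name" status separates the case raised earlier in the thread, a value whose name really ends in `!`, from the scanner's "not equal to zero" notation.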

MowGreen [MVP]

Sep 26, 2005, 1:30:10 PM
Howdy David,

Check my reply to the original post. The added exclamation point does
have significance.

MowGreen [MVP 2003-2005]
===============
*-343-* FDNY
Never Forgotten
===============

David H. Lipman

Sep 26, 2005, 1:45:59 PM
From: "MowGreen [MVP]" <mowg...@nowandzen.com>

| visions,
|
| How were you able to "see" this entry, via Spybot or searching through
| the registry ?
| From what I've heard so far, the exclamation point ( ! ) added to
| AntiVirusOverride ! means that
|
| " The detection in Spybot means that the regval AntiVirusOverride is not
| equal to zero (which it should be). If it is zero, the AV monitoring
| in the Security Center of Windows XP SP2 is enabled. If it is
| non-zero, the AV monitoring would be disabled. "
| and ...
| " In several programming languages and elsewhere in the tech world, an
| exclamation mark means "not". "
|
| In plain English, it is possible that a malware has added the
| exclamation point so that you're not being notified that the installed
| AV is NOT monitoring the system.
|
| Is McAfee the installed AV ?
|
| MowGreen [MVP 2003-2005]
| ===============
| -343-* FDNY
| Never Forgotten
| ===============
|
| visions wrote:
|

Isn't that close to what I said...

"It is a Security Center override of warning if your AV software is not installed or
disabled."

--

MowGreen [MVP]

Sep 26, 2005, 1:50:33 PM
Yup. Now let's find out why it was overridden ... ;)
It may be harmless ... it may not. Hope visions posts back, Dave.

MowGreen [MVP 2003-2005]
===============
*-343-* FDNY
Never Forgotten
===============
