3

Is there any way to make a file totally uneditable and undeleteable ? I am creating simple Anti-Virus program and I want to protect my malware signatures which are saved in files.

TN888
  • 7,659
  • 9
  • 48
  • 84
  • Possibly related: http://stackoverflow.com/questions/1265810/prevent-file-from-being-edit – Anderson Green Aug 17 '13 at 16:26
  • 1
    possible duplicate of [Preventing a file from deletion and change](http://stackoverflow.com/questions/6020109/preventing-a-file-from-deletion-and-change) – Anderson Green Aug 17 '13 at 16:27
  • That isn't duplicate, I have different problem. That answers aren't helpful for me – TN888 Aug 17 '13 at 16:29
  • 1
    The second link provides an answer - you can do it through file permissions. – BartoszKP Aug 17 '13 at 16:44
  • I need accurate answer – TN888 Aug 17 '13 at 20:37
  • @Ty221 This is the link that BartoszKP was referring to. It appears to be a nearly identical question, so it might be helpful in this situation: http://stackoverflow.com/questions/6020109/preventing-a-file-from-deletion-and-change – Anderson Green Aug 20 '13 at 00:40

4 Answers4

5

The short answer is 'you can't.' The long answer follows. =)

You may implement it via file permissions, but those can be changed if a process have enough privileges.

TMK, the only way to implement this kind of restriction is to keep a process running, with the file open in exclusive mode. That won't prevent an application like Unlocker from killing your main process or deleting the block handles, though.

Community
  • 1
  • 1
OnoSendai
  • 3,960
  • 2
  • 22
  • 46
3

No, you can't. If a software runs with enough privileges, it will be able to erase them along with your antivirus. This also happens with commercial antivirus software.

What you can do, in order to at least prevent modifications, is store the definitions as compressed, signed and, encrypted. In this way, unless the malware can obtain the criptographic key, it won't be able to meaningfully modify the virus database, but only to delete it. In both cases, your software can detect the intervention and try to react (but if a malware is privileged enough to delete system files, maybe it' already too late)

Giulio Franco
  • 3,170
  • 15
  • 18
1

you cant really do so, but you can try outsmarting malware...

  1. Save a checksum of the file so you know if it was tampered.
  2. Use Async Encryption on the file (somwhat similar to 1.)
  3. make the signatures downloadable through Internet access, and make your software download those...
  4. check the last accessed times of the files.

there are many more tricks like the four above, but they are all NOT boolet proof...

One Crazy idea that i dont really know how to implement... but came to mind is that:
you can create a SATA/IDE Driver and make the a specific file unaccesible...
but again thats my kind of creativity crazy talk :)

Tomer W
  • 3,395
  • 2
  • 29
  • 44
1

The best you can do with C# is to just set the permissions of the file so that only your service has full access, and anyone else doesn't. That don't protects against someone/something that managed to get administrator access, as they always can change permissions.

What many antiviruses do for self-protecting their files and services is to install kernel-mode drivers that block both the critical files and processes, so not even administrators can stop them. Of course C# is unable to create them.

Alejandro
  • 7,290
  • 4
  • 34
  • 59