How to Stop Norton Antivirus

or 'How You May Have a Virus and Not Know It'

by AtomAntic (hacks@shadowpuppet.net)

Disclaimer of Responsibility and Liability:

Under no circumstances should any of these instructions be enacted on an unwitting or unauthorized computer or individual. Any damage, physical or digital, that arises from the use or misuse of these instructions is strictly to the fault of the user who implements the damaging actions. The author cannot be held responsible for any illegal action(s) arising from the use of these instructions. These instructions are provided for educational purposes only!


Why Stop Norton Antivirus?

Norton Antivirus claims to protect many computers from infiltrating trojan horses, keyloggers, password stealers, and other viruses and malicious code. But what if you want to disable Norton Antivirus on a computer so that your virus, trojan, keylogger, etc. can do what it does, without getting quarantined? Well, it is all too easy for a computer-literate monkey to get this program to overlook anything from a single file or directory to the entire computer.

Background Info

Norton Antivirus comes with an option to exclude files and directories from all scanning processes. It stores this information in a file called exclude.dat, which resides in the installation directory of Norton Antivirus (default location: c:/Program Files/Norton Antivirus/). Strangely, Norton Antivirus doesn't alert the user if this file is overwritten; it just updates the data and acts accordingly. Additionally, Norton Antivirus doesn't label the file it creates with any kind of identifying mark (not even a version number), so you can use an exclude.dat file, created with Norton Antivirus 2002, to overwrite the exclude.dat on a machine running version 2003 and Norton won't know the difference. Once you make your own file that excludes everything on the computer, you can package it up with a virus or trojan and make it overwrite the exclude.dat on the target computer. After doing that, the virus can do whatever it wants, and the antivirus software will just ignore it.


What you will need




The Instructions


WARNING! WARNING!

Enacting these instructions illegally may result in the FBI knocking on your door, at an unpleasant hour, with unpleasant plans.



Setting Up the Files

This section explains where to get or how to build the files that you need:

  1. exclude.dat
  2. exclude.bat
  3. a file joining program

  1. Make an exclude.dat file as detailed in Fig. 1-4 or go to www.shadowpuppet.net/philes/viral/exclude.dat and save the file to a disk.

  • Open Norton Antivirus
  • If you're using Norton Antivirus 2002, the main menu screen should look like the image to the left
  • Click on the button
  • In the Options Menu, Click on
Fig. 1: Norton Antivirus 2002




  • Click on
Fig. 2: The Exclusions List - Click on Exclusions in the Options window to get here




Fig. 3: Make a New Exclusion - click on New in the Exclusions window to get here (see Fig. 2).




This is the Exclusions Menu after adding '*' to the list and removing everything else (they are unnecessary after adding the asterisk). This exclusion list tells Norton to overlook everything that it sees.
Fig. 4: Norton Antivirus 2002, after modifying the exclusion list.
  2. Make a batch file to overwrite the target exclude.dat with a modified one.
    1. Create a new text file (if you can't do this, see Windows help :)
    2. Type into the text file as shown in Fig. 5:

      Fig. 5: Example batch script file

    3. Save the file with the name exclude.bat
  3. Get a file-joining program (search Google or build your own--they are everywhere :)
  4. Join the two files, exclude.bat and exclude.dat, into one file called exclude.exe. If you're having trouble, just download the file at www.shadowpuppet.net/philes/viral/exclude.exe

Test it Out

  1. Run the file exclude.exe on the target machine
  2. Unleash the viral application or file
  3. If Norton still detects the virus, check the exclusions screen in the Options menu of Norton Antivirus and make sure that one of the entries is an asterisk (*), as shown in Fig. 4

Now that you have rendered the antivirus useless, you may move and create 'malicious code' without having it destroyed. If you are running Norton Antivirus, check the exclusion list frequently to make sure nobody has overwritten it. You may have a virus and not know it.
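
The closing advice to check the exclusion list frequently can be automated. The following is an added example, not part of the original text: it records a SHA-256 baseline of exclude.dat and reports when the file has been overwritten or removed. The function names, the baseline file and the sample contents are assumptions made for illustration; the file is treated as opaque bytes because its format is not described here.

```python
import hashlib
import json
import tempfile
from pathlib import Path

# Default location named on the page; adjust for the actual install directory.
DEFAULT_TARGET = Path("c:/Program Files/Norton Antivirus/exclude.dat")


def fingerprint(path: Path) -> dict:
    """Hash the file as opaque bytes; its internal format is not assumed."""
    data = path.read_bytes()
    return {"sha256": hashlib.sha256(data).hexdigest(), "size": len(data)}


def save_baseline(target: Path, baseline: Path) -> None:
    """Record the known-good state right after a reviewed exclusion change."""
    baseline.write_text(json.dumps(fingerprint(target)))


def check(target: Path, baseline: Path) -> str:
    """Return 'ok', 'modified', 'missing' or 'no-baseline'."""
    if not baseline.exists():
        return "no-baseline"
    if not target.exists():
        return "missing"
    known = json.loads(baseline.read_text())
    return "ok" if fingerprint(target) == known else "modified"


def demo() -> list:
    """Run the check against constructed sample files in a temp directory."""
    results = []
    with tempfile.TemporaryDirectory() as tmp:
        target = Path(tmp) / "exclude.dat"
        baseline = Path(tmp) / "exclude.baseline.json"
        target.write_bytes(b"constructed sample: known-good exclusion list")
        results.append(check(target, baseline))      # no baseline recorded yet
        save_baseline(target, baseline)
        results.append(check(target, baseline))      # unchanged since baseline
        target.write_bytes(b"constructed sample: silently replaced contents")
        results.append(check(target, baseline))      # overwritten in place
        target.unlink()
        results.append(check(target, baseline))      # deleted
    return results


if __name__ == "__main__":
    print(demo())
```

Keep the baseline somewhere the monitored account cannot write, and re-record it only after an exclusion change you have reviewed.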