How does antivirus protect itself from malware?

Some types of malware will kill running processes, and since antivirus is just another piece of software like any other, why can't they just kill the antivirus process?

I understand that antivirus will scan the malware before it can kill the antivirus process, but that still does not guarantee that the malware signature is in the database or that the malicious behavior of the malware will be detected right away.

I assume that antivirus software somehow makes itself "closer" to the operating system and because of that prevents random software from killing its process, but I would like to know if this is true and how it is achieved.

The same question could be asked for other security systems/software, like host-based intrusion detection systems and their agents that run on workstations and send data to a server.

Thank you

Marko
    please don't **[cross-post](https://meta.stackexchange.com/tags/cross-posting/info "'Cross-posting is frowned upon...'")**: https://stackoverflow.com/questions/71935080/how-does-antivirus-protect-itself "Cross-posting is frowned upon as it leads to fragmented answers splattered all over the network..." – gnat Apr 21 '22 at 09:16

1 Answer


Usually the antivirus runs at a high privilege level; on Windows systems this will be LOCAL_SYSTEM.

It may also have hooks into operating system functions. This post describes an example which has made itself "unkillable": https://stackoverflow.com/questions/11212945/terminating-a-protected-antivirus-process

Windows offers special protections: https://docs.microsoft.com/en-us/windows/win32/services/protecting-anti-malware-services-

However, none of these are perfect. There have been a couple of cases where malware has directly exploited an antivirus program! e.g. https://cisomag.eccouncil.org/almost-every-antivirus-software-program-can-be-exploited-researchers-say/

pjc50
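A defender's check for the two mechanisms the answer names (the service account it runs under and Windows protected-service registration), added here as an example and not taken from the answer or from any vendor's code: it reads each service's `LaunchProtected` value under `HKLM:\SYSTEM\CurrentControlSet\Services` (the registry value the linked Microsoft page describes) together with the account the service starts as. The level names map the documented `SERVICE_LAUNCH_PROTECTED_*` values 0 to 3; which services appear depends on the machine, and the script assumes it is run from an elevated PowerShell session so every service key is readable.

```powershell
# Audit which services are registered as protected services (PPL) and which
# run as LocalSystem. Example script added for illustration; assumes an
# elevated session. Value names follow SERVICE_LAUNCH_PROTECTED_* (0..3).
$levels = @{ 0 = 'None'; 1 = 'Windows'; 2 = 'WindowsLight'; 3 = 'AntimalwareLight' }

$report = Get-CimInstance -ClassName Win32_Service | ForEach-Object {
    $key = "HKLM:\SYSTEM\CurrentControlSet\Services\$($_.Name)"
    # LaunchProtected is absent for ordinary services; treat absent as 0 (None).
    $lp = (Get-ItemProperty -Path $key -Name LaunchProtected -ErrorAction SilentlyContinue).LaunchProtected
    if ($null -eq $lp) { $lp = 0 }

    [pscustomobject]@{
        Service    = $_.Name
        State      = $_.State
        ProcessId  = $_.ProcessId
        RunsAs     = $_.StartName          # 'LocalSystem' for the highest-privilege account
        Protection = $levels[[int]$lp]     # None / Windows / WindowsLight / AntimalwareLight
    }
}

# Services that an unprivileged process cannot simply terminate for either reason:
# they are protected, or they run as LocalSystem (a non-admin token lacks rights on them).
$report |
    Where-Object { $_.Protection -ne 'None' -or $_.RunsAs -eq 'LocalSystem' } |
    Sort-Object Protection, Service |
    Format-Table Service, State, ProcessId, RunsAs, Protection -AutoSize

# Narrower view: only services registered with the anti-malware protection level.
$report | Where-Object { $_.Protection -eq 'AntimalwareLight' } | Format-Table -AutoSize
```

A service that shows `Protection = None` and `RunsAs` set to a low-privilege account is protected only by ordinary process ACLs, which is the situation the question describes; an anti-malware product that has registered with the protected-service mechanism shows `AntimalwareLight`, meaning the kernel refuses handle requests such as terminate rights even from an administrator, while still leaving the caveat in the answer above that the product's own code can be the weak point.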