
How does antivirus protect itself from malware?

Some types of malware will kill running processes, and since antivirus is just another piece of software like any other, why can't they just kill the antivirus process?

I understand that the antivirus will scan the malware before it can kill the antivirus process, but that still does not guarantee that the malware signature is in the database or that the malicious behavior of the malware will be detected right away.

I assume that antivirus software somehow makes itself "closer" to the operating system and because of that prevents random software from killing its process, but I would like to know if this is true and how it is achieved.

The same question could be asked of other security systems/software, like host-based intrusion detection systems and their agents that run on workstations and send data to a server.

Thank you


1 Answer


Usually the antivirus runs at a high privilege level; on Windows systems this will be LOCAL_SYSTEM.

It may also have hooks into operating system functions. This post describes an example which has made itself "unkillable": https://stackoverflow.com/questions/11212945/terminating-a-protected-antivirus-process

Windows offers special protections: https://docs.microsoft.com/en-us/windows/win32/services/protecting-anti-malware-services-

However, none of these are perfect. There have been a couple of cases where malware has directly exploited an antivirus program! e.g. https://cisomag.eccouncil.org/almost-every-antivirus-software-program-can-be-exploited-researchers-say/
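Since the answer notes that none of these protections are perfect, the practical complement on the defender's side is to notice when a security agent does get stopped. The script below is an added example, not code from the question, the answer, or any vendor: it runs two checks over constructed input. The first parses Windows Service Control Manager event 7036 ("service entered the stopped state") records, exported here in an assumed tab-separated form, and alerts when a service on a critical list stops; the second is the server-side view the question mentions for HIDS agents, flagging any host whose agent has not sent a heartbeat within a threshold. The service display names, hostnames and timestamps are all constructed for the example.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timedelta

# Display names of services treated as security-critical. These are
# constructed names for the example; a real deployment lists the display
# names of its own AV/EDR/HIDS services here.
CRITICAL_SERVICES = {"Example AV Service", "Example HIDS Agent"}

# Windows Service Control Manager logs event 7036 when a service changes
# state; the message text has this shape.
SCM_7036 = re.compile(
    r"^The (?P<svc>.+?) service entered the (?P<state>running|stopped) state\.$"
)

# Constructed log lines in an assumed flat "<iso time>\t<host>\t<event id>\t<message>"
# layout, the kind of export a SIEM or log forwarder might produce.
SAMPLE_SCM_LOG = """\
2024-05-01T09:00:01\tws-17\t7036\tThe Print Spooler service entered the stopped state.
2024-05-01T09:02:15\tws-17\t7036\tThe Example AV Service service entered the stopped state.
2024-05-01T09:02:16\tws-17\t7036\tThe Example HIDS Agent service entered the stopped state.
2024-05-01T09:30:00\tws-22\t7036\tThe Example AV Service service entered the running state.
"""


@dataclass(frozen=True)
class Alert:
    host: str
    reason: str


def parse_scm_lines(text):
    """Parse the flat log format into (timestamp, host, event_id, message) tuples."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, event_id, message = line.split("\t", 3)
        records.append((datetime.fromisoformat(ts), host, int(event_id), message))
    return records


def detect_service_stops(records, critical=CRITICAL_SERVICES):
    """Alert on event 7036 'stopped' transitions for any critical service.
    Other services and 'running' transitions are ignored."""
    alerts = []
    for ts, host, event_id, message in records:
        if event_id != 7036:
            continue
        m = SCM_7036.match(message)
        if m and m.group("state") == "stopped" and m.group("svc") in critical:
            alerts.append(Alert(host, f"{m.group('svc')} stopped at {ts.isoformat()}"))
    return alerts


def detect_silent_agents(last_seen, now, max_silence=timedelta(minutes=10)):
    """Server-side check: an agent that has not checked in within max_silence is
    flagged, whether it was killed, crashed, or the host simply went offline.
    Local tampering cannot suppress this alert because it is raised by the server."""
    return [
        Alert(host, f"no heartbeat for {now - seen}")
        for host, seen in sorted(last_seen.items())
        if now - seen > max_silence
    ]


# Constructed heartbeat table: host -> last check-in time seen by the server.
SAMPLE_HEARTBEATS = {
    "ws-17": datetime(2024, 5, 1, 9, 2, 0),   # went quiet when its agent was stopped
    "ws-22": datetime(2024, 5, 1, 9, 44, 30),
    "ws-31": datetime(2024, 5, 1, 9, 45, 10),
}


def run_checks(now=datetime(2024, 5, 1, 9, 45, 30)):
    """Run both detections over the constructed samples and return all alerts."""
    records = parse_scm_lines(SAMPLE_SCM_LOG)
    return detect_service_stops(records) + detect_silent_agents(SAMPLE_HEARTBEATS, now)


if __name__ == "__main__":
    for alert in run_checks():
        print(f"[ALERT] {alert.host}: {alert.reason}")
```

On the constructed input the local check fires twice for ws-17 (both critical services stopped within a second of each other, which is itself a strong tamper signal) and the heartbeat check fires once for the same host; ws-22's "running" transition and the Print Spooler stop are ignored. The two checks are complementary: the event-log check gives the exact time and service, while the heartbeat check still works when the endpoint's logging has been disabled along with the agent.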
