How do the antivirus programs make their real-time protection process unkillable by the admin?

  • Question

  • Can somebody please offer me some code (preferably in C++) showing how the antivirus programs do it?

    I've tried some methods such as:

        running as SYSTEM account

        modify ACL

        watch-dog process (taskkill /F can kill multiple processes at once)

    I'm not skilled at low-level Windows stuff, so the methods didn't work out.

    THANKS!

    Sunday, November 3, 2019 4:21 AM

All replies

  • In the past, malware that obtained elevated privileges on a system was able to hide from, interfere with, or turn off antivirus software. To enhance system security and reduce this exposure, processes and services for antivirus software receive additional protection.

    Removing a user's ability to terminate a non-critical, non-system process is not a good idea.

    Why does your process need to be unkillable?

    Sunday, November 3, 2019 9:36 AM
  • Well, how do the antivirus programs do it? I mean, those programs could just as well be a virus if the programmer wants them to be, right? So, there has to be a way to make a non-critical process unkillable, as antivirus programs' real-time protection processes prove.

    THANKS!

    Sunday, November 3, 2019 5:31 PM
  • Well, how do the antivirus programs do it? I mean, those programs could just as well be a virus if the programmer wants them to be, right? So, there has to be a way to make a non-critical process unkillable, as antivirus programs' real-time protection processes prove.

    So far, you haven't given a reason why your non-critical, non-system process should be unkillable.

    Here's some background reading for you -- https://docs.microsoft.com/en-us/windows/win32/services/protecting-anti-malware-services-

    Sunday, November 3, 2019 6:28 PM
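The "additional protection" mentioned above is the protected-service (PPL) mechanism the linked Microsoft page describes. As an added example that is not part of this thread, the following PowerShell script (assumed name: Get-ProcessProtection.ps1) lists which running processes currently carry a protection level, using the documented GetProcessInformation(ProcessProtectionLevelInfo) API available on Windows 8.1 and later; it only reads protection state and cannot grant it.

```powershell
# Added example: report the PPL protection level of running processes.
# Assumes Windows 8.1+ and PowerShell 5.1 or later. Run elevated to open more processes.
Add-Type -TypeDefinition @"
using System;
using System.Runtime.InteropServices;
public static class ProcProt {
    [StructLayout(LayoutKind.Sequential)]
    public struct PROCESS_PROTECTION_LEVEL_INFORMATION { public uint ProtectionLevel; }
    [DllImport("kernel32.dll", SetLastError = true)]
    public static extern IntPtr OpenProcess(uint access, bool inherit, uint pid);
    [DllImport("kernel32.dll", SetLastError = true)]
    public static extern bool GetProcessInformation(IntPtr hProcess, int infoClass,
        ref PROCESS_PROTECTION_LEVEL_INFORMATION info, uint size);
    [DllImport("kernel32.dll")]
    public static extern bool CloseHandle(IntPtr h);
}
"@

$PROCESS_QUERY_LIMITED_INFORMATION = 0x1000   # enough to query protection, even on PPL processes
$ProcessProtectionLevelInfo = 7               # PROCESS_INFORMATION_CLASS::ProcessProtectionLevelInfo

# Names for the PROTECTION_LEVEL_* constants in processthreadsapi.h
function Get-ProtectionLevelName([uint32]$level) {
    switch ($level) {
        0 { 'WinTcb-Light' }  1 { 'Windows' }       2 { 'Windows-Light' }
        3 { 'Antimalware-Light' } 4 { 'Lsa-Light' } 5 { 'WinTcb' }
        6 { 'CodeGen-Light' } 7 { 'Authenticode' }  8 { 'PPL-App' }
        4294967295 { 'None' }                        # PROTECTION_LEVEL_NONE (0xFFFFFFFF)
        default { "Unknown($level)" }
    }
}

foreach ($p in Get-Process) {
    $h = [ProcProt]::OpenProcess($PROCESS_QUERY_LIMITED_INFORMATION, $false, [uint32]$p.Id)
    if ($h -eq [IntPtr]::Zero) { continue }       # access denied (e.g. System, Idle)
    $info = New-Object -TypeName 'ProcProt+PROCESS_PROTECTION_LEVEL_INFORMATION'
    $ok = [ProcProt]::GetProcessInformation($h, $ProcessProtectionLevelInfo, [ref]$info, 4)
    [void][ProcProt]::CloseHandle($h)
    # Only list processes that actually run protected; an admin cannot terminate these.
    if ($ok -and $info.ProtectionLevel -ne 4294967295) {
        [pscustomobject]@{
            Pid        = $p.Id
            Name       = $p.ProcessName
            Protection = Get-ProtectionLevelName $info.ProtectionLevel
        }
    }
}
```

On a typical system the output contains Windows components such as csrss and the anti-malware service, which illustrates the point of the replies above: this level is granted by the platform to specially signed services, not something an arbitrary program can claim for itself.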
  • Often malware is successful because the developer is more technically capable than most others. In other words, they must know how to do stuff that others might call secrets. You are asking for secrets and we have good reason to suspect you have malicious intent. Most people around here do not want to help someone develop malware.

    Another problem is that your question is very general. You will get better help if you ask more specific questions. In this case, you probably need to learn more about Windows before you can ask a sufficiently specific question.

    Sam Hobbs
    SimpleSamples.Info

    Sunday, November 3, 2019 8:50 PM