Disabling Antivirus

Some malware can also use specific commands to disable the antivirus and avoid detection.

U0508

Detection Rules

import "pe"

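rule disable_antivirus
{
    // Flags binaries that reference registry paths/values and process names
    // associated with turning off or killing security software.
    // Note: the "pe" module imported at the top of the file is not used by this rule.
    meta:
        author = "x0r"
        description = "Disable AntiVirus"

    strings:
        // Registry key paths (ASCII only; add `wide` if UTF-16 copies of these
        // paths also need to match).
        $p1 = "Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\DisallowRun" nocase
        $p2 = "Software\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\" nocase
        $p3 = "SOFTWARE\\Policies\\Microsoft\\Windows Defender" nocase

        // Registry write API; as a case-sensitive substring this also matches
        // the RegSetValueExA / RegSetValueExW import names.
        $c1 = "RegSetValue"

        // Registry value names whose names indicate disabling AV notification,
        // anti-spyware scanning or executable signature checks.
        $r1 = "AntiVirusDisableNotify"
        $r2 = "DontReportInfectionInformation"
        $r3 = "DisableAntiSpyware"
        $r4 = "RunInvalidSignatures"
        $r5 = "AntiVirusOverride"
        $r6 = "CheckExeSignatures"

        // Process names: presumably firewall/AV products (blackice, zonealarm, ...)
        // plus the taskkill/tskill utilities used to terminate them.
        $f1 = "blackd.exe" nocase
        $f2 = "blackice.exe" nocase
        $f3 = "lockdown.exe" nocase
        $f4 = "lockdown2000.exe" nocase
        $f5 = "taskkill.exe" nocase
        $f6 = "tskill.exe" nocase
        $f7 = "smc.exe" nocase
        $f8 = "sniffem.exe" nocase
        $f9 = "zapro.exe" nocase
        $f10 = "zlclient.exe" nocase
        $f11 = "zonealarm.exe" nocase

    condition:
        // Any single branch is sufficient. The last two branches (one $r* value
        // name, or the Defender policy path $p3 on its own) have no API or
        // process co-requirement and may fire on benign software that merely
        // reads these settings; tighten them if false positives are a problem.
        ($c1 and $p1 and 1 of ($f*)) or ($c1 and $p2) or 1 of ($r*) or $p3
}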
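rule:
  meta:
    name: check for sandbox and av modules
    namespace: anti-analysis/anti-av
    author: "@_re_fox"
    scope: basic block
    unprotect: U0508
    mbc:
      - Anti-Behavioral Analysis::Virtual Machine Detection [B0009]
      - Anti-Behavioral Analysis::Sandbox Detection [B0007]
    examples:
      - ccbf7cba35bab56563c0fbe4237fdc41:0x0040a4a0
  features:
    # A basic block that resolves a module handle AND references one of the
    # DLL names below, i.e. a probe for a loaded security or analysis tool.
    - and:
      - api: GetModuleHandle
      - or:
        # Every regex is case-insensitive (/i) and escapes the dot so only the
        # literal ".dll" suffix matches; the original dir_watch entry lacked /i
        # and two entries used an unescaped dot, which were made consistent here.
        - string: /avghook(x|a)\.dll/i
          description: AVG
        - string: /snxhk\.dll/i
          description: Avast
        - string: /sf2\.dll/i
          description: Avast
        - string: /sbiedll\.dll/i
          description: Sandboxie
        - string: /dbghelp\.dll/i
          description: WindBG
        - string: /api_log\.dll/i
          description: iDefense Lab
        - string: /dir_watch\.dll/i
          description: iDefense Lab
        - string: /pstorec\.dll/i
          description: SunBelt Sandbox
        - string: /vmcheck\.dll/i
          description: Virtual PC
        - string: /wpespy\.dll/i
          description: WPE Pro
        - string: /cmdvrt(64|32)\.dll/i
          description: Comodo Container
        - string: /sxin\.dll/i
          description: 360 SOFTWARE
        # Same module name as the WindBG entry above; redundant for matching,
        # kept as the author listed it.
        - string: /dbghelp\.dll/i
          description: WINE
        - string: /printfhelp\.dll/i
          description: Unknown Sandbox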
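title: Get antivirus details via WMIC query
status: experimental
description: Get antivirus details via WMIC query
author: Joe Security
# Quoted so the parser keeps the date as a string instead of a datetime.date.
date: "2020-03-27"
# Quoted: an unquoted 200069 parses as an integer. Sigma convention is a UUID;
# the author's value is kept.
id: "200069"
# Vendor-specific fields (Joe Security); written as explicit null rather than
# bare keys so the empty value is deliberate.
threatname: null
behaviorgroup: 5
classification: 8
mitreattack: null
logsource:
  category: process_creation
  product: windows
detection:
  selection:
    # The list item needs "- " (dash then space). The original "-'...'" was a
    # single plain scalar beginning with a literal dash and quote, so the rule
    # would only match a command line starting with -' and effectively never fired.
    CommandLine:
      - '*wmic * path antivirusproduct get displayname*'
  condition: selection
level: critical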
