Disabling Antivirus

Created the Monday 18 March 2019. Updated 6 months, 3 weeks ago.

Some forms of malware are programmed to disable antivirus software and evade detection by security measures. These malicious programs can use specific commands or techniques to undermine the antivirus software's effectiveness and remain hidden from detection..

Technique Identifiers

U0508 F0004

Technique Tags

computer system network device antivirus evade detection malicious programs

Code Snippets

Description

This command sets the DisableRealtimeMonitoring parameter in the Windows Defender preferences to true, effectively disabling the real-time monitoring feature of Windows Defender.

Set-MpPreference -DisableRealtimeMonitoring $true

Detection Rules

                                    rule:
  meta:
    name: check for sandbox and av modules
    namespace: anti-analysis/anti-av
    author: "@_re_fox"
    scope: basic block
    unprotect: U0508
    mbc:
      - Anti-Behavioral Analysis::Virtual Machine Detection [B0009]
      - Anti-Behavioral Analysis::Sandbox Detection [B0007]
    examples:
      - ccbf7cba35bab56563c0fbe4237fdc41:0x0040a4a0
  features:
    - and:
      - api: GetModuleHandle
      - or:
        - string: /avghook(x|a)\.dll/i
          description: AVG
        - string: /snxhk\.dll/i 
          description: Avast
        - string: /sf2\.dll/i 
          description: Avast
        - string: /sbiedll\.dll/i
          description: Sandboxie
        - string: /dbghelp\.dll/i 
          description: WindBG
        - string: /api_log\.dll/i 
          description: iDefense Lab
        - string: /dir_watch\.dll/ 
          description: iDefense Lab
        - string: /pstorec\.dll/i
          description: SunBelt Sandbox
        - string: /vmcheck\.dll/i
          description: Virtual PC
        - string: /wpespy\.dll/i
          description: WPE Pro
        - string: /cmdvrt(64|32).dll/i 
          description: Comodo Container
        - string: /sxin.dll/i 
          description: 360 SOFTWARE
        - string: /dbghelp\.dll/i
          description: WINE
        - string: /printfhelp\.dll/i 
          description: Unknown Sandbox

Additional Resources

External Links

The resources provided below are associated links that will give you even more detailed information and research on current evasion technique. It is important to note that, while these resources may be helpful, it is important to exercise caution when following external links. As always, be careful when clicking on links from unknown sources, as they may lead to malicious content.

https://blog.malwarebytes.com/cybercrime/2015/11/vonteera-adware-uses-certificates-to-disable-anti-malware/