Reverse Engineering Terminator aka Zemana AntiMalware/AntiLogger Driver


Level 18
Thread author
Top Poster
May 4, 2019
Recently, a threat actor (TA) known as SpyBot posted a tool, on a Russian hacking forum, that can terminate any antivirus/Endpoint Detection & Response (EDR/XDR) software. IMHO, all the hype behind this announcement was utterly unjustified as it is just another instance of the well-known Bring Your Own Vulnerable Driver (BYOVD) attack technique: where a legitimate signed driver is dropped on victims’ machine and later used to disable security solutions and/or deliver additional payloads.


Level 29
Top Poster
Sep 13, 2018
I sincerely hope Microsoft will add this driver to the blocklist, as it’s easy to weaponise for nastiest attacks.

The thing is, it's already in a blocklist. If you have Core Isolation/Memory Integrity enabled in Windows 10 and 11, no Zemana product will install. You will get a small white box saying the SDK failed to install. If you disable CI/MI, then the Zemana product (possibly also the Watchdog anti-malware--what is up with that, is it still in development?) will install on your system. :eek:

Edited to add: yep, I just tried it as I would have been super-embarrassed if this didn't end up being the case. Since I don't feel like restarting my machine in order to switch CI/MI off, this was enough to satisfy my curiosity.

zemana sdk failed.PNG
Last edited:

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

User Menu

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.