- Feb 25, 2017
- 2,603
And this function takes one parameter - the process ID. This function gets a process handle and passes it to a Windows native API, namelyZmnPhTerminateProcessById()
(Part of ntddk.h) With the handle as a parameter. The native Windows API terminates the process.
Yeah, it is old Zemana real-time protection driver (registers as such) and this process killing functionality has been implemented in order to be able to terminate malware. Problem is, according to Voidsec (I’ve not seen the whole driver source but only what they show) only checks if a process is critical Windows process and nothing else.@Trident Is it related to ZAM (Zemana Anti-Malware) products reverse engineering or something? I ask because the ZAM products are gone?
I understood your explanation well. It's as if the spell turned against the sorcerer? My goodness, they do everything to fool the security products. I saw a malware that adds the C:\ in exclusions in MS Defender and MD had no reaction, I was scared, I was paranoid at the time, every day I checked MD if there was nothing exclusion lolSo yeah, that’s long story short.
This is a very old thing with Defender and MIcrosoft is not taking care of it because it requires elevated privileges. The answer would be "We don't expect malware to gain elevated privileges".I saw a malware that adds the C:\ in exclusions in MS Defender and MD had no reaction, I was scared, I was paranoid at the time, every day I checked MD if there was nothing exclusion lol
And the tamper protection serves no purpose? I saw it recently, that's why I'm commenting, if I remember the place I'll share it with you. Now I went for realThis is a very old thing with Defender and MIcrosoft is not taking care of it because it requires elevated privileges. The answer would be "We don't expect malware to gain elevated privileges".
The following command on elevated PowerShell adds exclusions:
Add-MpPreference -ExclusionPath “<Folder Path>”
Add-MpPreference -ExclusionExtension “<File Extension>”
Microsoft Defender for Business automatically ignores these exclusions but the home version doesn't.
No, Tamper Protection sadly doesn't stop this exclusion thing. There is a policy that can prevent adding exclusion from the windows security UI but not via any other method for example, like the PowerShell method that @Trident showed above.And the tamper protection serves no purpose? I saw it recently, that's why I'm commenting, if I remember the place I'll share it with you. Now I went for real
Got it, maybe blocking PowerShell and everything you have the right to by H_C as shown in this setup of a screenshot below in the spoiler and using SUA account might help. Unless you exploit some vulnerability or some bypass that does not use any locked script interpreter, in which case there is nothing to do, the truth is, they will always find a way around the security suites.No, Tamper Protection sadly doesn't stop this exclusion thing. There is a policy that can prevent adding exclusion from the windows security UI but not via any other method for example, like the PowerShell method that @Trident showed above.