Protecting Windows Services on older (and new) editions

As the title implies, I'm interested in protecting a Windows service on older editions of Windows like Win 7 and up to the latest. Currently I'm developing a software suite that's "anti-virus" like and I need to protect its main service. I do have knowledge and experience using services; however, until now I never had the need to "protect" it.

For the sake of testing I have inspected the antivirus I am using and it seems they are using “anti-malware light” protection. Doing some research it seems that starting from Windows 8.1 there is functionality added for this purpose: https://docs.microsoft.com/en-us/windows/win32/services/protecting-anti-malware-services-

Some basic tests like trying to suspend a thread fail with "Access Denied" on Windows 10, so I went ahead and tested on Windows 7 and the same thing happens. The difference is that on Windows 7 there is such an "anti-malware" feature.

Upon digging a bit deeper I have noticed that the antivirus software is using callbacks (no surprise here); however, I'm not sure if they are using this to protect their service as well; need to investigate more. https://prnt.sc/161cuv1

They are also using a mini-filter (again no surprise) which makes things more interesting: https://prnt.sc/161d0pv

My questions would be as follows:

  • Is it "ok" to use callbacks to protect your service?
  • If the above does not apply, are there specific rights that can be used to prevent anyone & admin from suspending your service? (which I doubt?)
  • Are there other methods to "protect" your service?

My intentions are:

  • Prevent service from being suspended (and its threads)
  • Prevent process memory from being patched at runtime (if possible)

Your help is greatly appreciated :)

What you really want is a Protected Process I would think.

https://docs.microsoft.com/en-us/windows/win32/services/protecting-anti-malware-services-

Peter

@“Peter_Viscarola_(OSR)” said:
What you really want is a Protected Process I would think.

https://docs.microsoft.com/en-us/windows/win32/services/protecting-anti-malware-services-

Peter

Yeah that's what I imagined as well; however, it's only available from 8.1. And AVs seem to have protection even on Win 7, which makes me think callbacks.
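As an added example (not code from anyone in this thread), here is how to audit whether a given service is actually configured at the Protected Process Light level Peter points to, on Windows 8.1 or later. It reads the `LaunchProtected` value from the service's registry key and cross-checks it with the built-in `sc.exe qprotection` query; the default service name `WinDefend` is an assumption chosen only as a sample target.

```powershell
# Added example: report the launch-protection level of a Windows service (Windows 8.1+).
# The LaunchProtected DWORD mirrors the value set through ChangeServiceConfig2 with
# SERVICE_CONFIG_LAUNCH_PROTECTED. "WinDefend" is just an assumed sample target.
param([string]$ServiceName = 'WinDefend')

# Level names from the SERVICE_LAUNCH_PROTECTED_INFO documentation.
$levels = @{
    0 = 'SERVICE_LAUNCH_PROTECTED_NONE'
    1 = 'SERVICE_LAUNCH_PROTECTED_WINDOWS'
    2 = 'SERVICE_LAUNCH_PROTECTED_WINDOWS_LIGHT'
    3 = 'SERVICE_LAUNCH_PROTECTED_ANTIMALWARE_LIGHT'
}

function Get-ServiceLaunchProtection {
    param([Parameter(Mandatory)][string]$Name)

    $key = "HKLM:\SYSTEM\CurrentControlSet\Services\$Name"
    if (-not (Test-Path $key)) { throw "Service key not found: $Name" }

    # An absent value means the service is not protected at all (level 0).
    $raw = (Get-ItemProperty -Path $key -Name LaunchProtected -ErrorAction SilentlyContinue).LaunchProtected
    if ($null -eq $raw) { $raw = 0 }

    # sc.exe qprotection is the SCM's own view; on Windows 7 the verb does not exist
    # and sc.exe prints its usage text instead, which is itself a useful signal.
    $scView = (& sc.exe qprotection $Name 2>&1) -join ' '

    [pscustomobject]@{
        Service      = $Name
        Level        = [int]$raw
        LevelName    = $levels[[int]$raw]
        ScProtection = $scView
    }
}

$result = Get-ServiceLaunchProtection -Name $ServiceName
$result | Format-List

# An anti-malware service that wants the Windows 8.1+ protection discussed in this
# thread should report level 3. The level can only be honoured when the service
# binary is signed with a certificate backed by an ELAM driver; an unsigned or
# ordinarily signed binary will fail to start as protected.
```

Reading the registry works as a standard user; running the script on Windows 7 will report level 0 for everything, which is the gap the original poster describes.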