Detect AV process

Hi Experts,

Is it possible to detect if a process making a call (OPEN etc) is an anti-virus process in a filter driver?

Thanks,
Harsha

Filter drivers are not processes. They are kernel modules.

Besides, there is no distinction between a normal process and an antivirus
process.
You might need to rely on process-name heuristics to determine if a
process is an AV process.

But what is your bigger problem? What are you trying to solve here?

-Deepak

On Mon, Apr 11, 2011 at 8:59 AM, wrote:

> Hi Experts,
>
> Is it possible to detect if a process making a call (OPEN etc) is an
> anti-virus process in a filter driver?
>
> Thanks,
> Harsha
>
> —
> NTDEV is sponsored by OSR
>
> For our schedule of WDF, WDM, debugging and other seminars visit:
> http://www.osr.com/seminars
>
> To unsubscribe, visit the List Server section of OSR Online at
> http://www.osronline.com/page.cfm?name=ListServer
>

Hmm…I know that filter drivers are not processes. But I am wondering if an antivirus process has some special attributes that I can detect inside of a filter driver. For example, when an AV process makes an open call to open a file, I would like to detect that from a FS filter driver if possible.

Yes, checking process name is one option. But I am looking for a more general method.
I heard that Windows OS can detect if a process is an AV process. This made me ask the question.

Thanks,
Harsha

There is a lot of malware out there that checks for specific process names
(specifically AV process names) in its code.

If the Windows OS provided such parameters in the ProcessCreate APIs, I am sure
many AV vendors won’t use such functionality. It would make it easier for
malware authors to detect them and avoid detection.

I have seen many AV vendors whose process names are randomized each time they
are instantiated, to avoid being pried on by malware.

-Deepak

On Mon, Apr 11, 2011 at 11:31 AM, wrote:

> Hmm…I know that filter drivers are not processes. But I am wondering if
> an antivirus process has some special attributes that I can detect inside of
> a filter driver. For example, when an AV process makes an open call to open
> a file, I would like to detect that from a FS filter driver if possible.
>
> Yes, checking process name is one option. But I am looking for a more
> general method.
> I heard that Windows OS can detect if a process is an AV process. This made
> me ask the question.
>
> Thanks,
> Harsha
>

> I heard that Windows OS can detect if a process is an AV process.

Not so.


Maxim S. Shatskih
Windows DDK MVP
xxxxx@storagecraft.com
http://www.storagecraft.com