An interesting question came up recently: how do you protect your antivirus software from being targeted by malware?
It may sound counterintuitive, but antivirus software itself can be a target. Malware authors routinely design their creations to detect and disable security software as one of the first steps after infection. Some common techniques include:
- Killing AV processes and services
- Modifying the hosts file to block AV update servers
- Corrupting AV signature databases
- Exploiting vulnerabilities in the AV software itself
- Using rootkit techniques to hide from the AV engine
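One of these techniques, the hosts-file block on update servers, is easy to check for from the defender's side. The script below is an added example written for this post (not from the original author): it parses hosts-file text and flags any watched update hostname that has been sinkholed or overridden locally. The hostnames in `WATCHED_HOSTS` and the sample hosts content are constructed placeholders; substitute the update servers your own AV product actually uses.

```python
import ipaddress

# Addresses commonly used to black-hole a name locally.
SINKHOLE_ADDRESSES = {"0.0.0.0", "127.0.0.1", "::1", "::"}

# Constructed placeholder names standing in for a vendor's update servers.
WATCHED_HOSTS = {
    "updates.example-av.test",
    "signatures.example-av.test",
    "mirror.example-av.test",
}


def parse_hosts(text):
    """Yield (address, hostname) pairs from hosts-file text, ignoring comments."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop trailing comments
        fields = line.split()
        if len(fields) < 2:                   # blank line or no hostnames
            continue
        addr, names = fields[0], fields[1:]
        try:
            ipaddress.ip_address(addr)
        except ValueError:
            continue                          # first field is not an IP
        for name in names:
            yield addr, name.lower().rstrip(".")


def find_blocked_update_hosts(text, watched=WATCHED_HOSTS):
    """Return sorted (hostname, address, reason) triples for every watched
    host found in the hosts file. Update servers should resolve via DNS, so
    any local mapping is suspicious; sinkhole addresses are called out."""
    findings = []
    for addr, name in parse_hosts(text):
        if name in watched:
            reason = "sinkhole" if addr in SINKHOLE_ADDRESSES else "override"
            findings.append((name, addr, reason))
    return sorted(findings)


# Constructed sample hosts-file content, including benign localhost lines.
SAMPLE_HOSTS = """\
127.0.0.1   localhost
::1         localhost
# lines a tampering tool might add follow
0.0.0.0     updates.example-av.test   # block updates
127.0.0.1   signatures.example-av.test
10.0.0.5    mirror.example-av.test
"""

if __name__ == "__main__":
    for name, addr, reason in find_blocked_update_hosts(SAMPLE_HOSTS):
        print(f"{reason}: {name} -> {addr}")
```

Run it against the real file (`/etc/hosts` or `%SystemRoot%\System32\drivers\etc\hosts`) from a scheduled job and alert on any non-empty result; a clean system should report nothing.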
The irony is that AV software, by its very nature, must have deep system access to do its job effectively. This deep access also makes it a high-value target. A vulnerability in an AV engine that processes untrusted input (which is literally its entire purpose) can give an attacker the same elevated privileges the AV software enjoys.
The best defense is a layered approach. Do not rely solely on antivirus. Combine it with host-based firewalls, application whitelisting, regular patching, and user awareness training.