TH16117
Detected presence of software components that can detect installed security software.
| priority | CI/CD status | severity | effort | RL level | RL assessment |
|---|---|---|---|---|---|
|  | pass | medium | high | None | None |
About the issue
Each security solution has a unique footprint consisting of installed files and changes to system configuration. Malicious code often tries to detect security solutions by accessing the registry keys and folder locations associated with the software installation. Knowing which security solution is installed plays a key role in selecting the optimal malware infection strategy: when a computer system is protected by a security solution, malware may decide to behave differently. It may delay its execution, change infection stages, or avoid running altogether. While the presence of code that detects security solutions does not necessarily imply malicious intent, every use of it in a software package should be documented and approved. Only select applications should consider using functions that check for the presence of installed security software. One example of acceptable use is informing the user about possible compatibility issues with the detected security software.
How to resolve the issue
- Investigate reported detections as indicators of software tampering.
- Consult Mitre ATT&CK documentation: T1518.001 - Security Software Discovery.
- Consider rewriting the flagged code without using the marked behaviors.
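An added example of the kind of check a reviewer could run over a package to surface references to a security product's install footprint and confirm that each component making them is on the documented-and-approved list. It is not ReversingLabs' scanner; the indicator list, sample components and approved set are constructed for illustration (the Windows Defender registry key and folder are real, the ExampleAV entries are placeholders).

```python
import re
from dataclasses import dataclass

# Constructed indicator table: registry keys and install folders that identify a
# security product. Windows Defender entries are real; ExampleAV is a placeholder.
FOOTPRINT_INDICATORS = {
    r"SOFTWARE\Microsoft\Windows Defender": "Windows Defender",
    r"Program Files\Windows Defender": "Windows Defender",
    r"SOFTWARE\ExampleAV": "ExampleAV (placeholder)",
    r"Program Files\ExampleAV": "ExampleAV (placeholder)",
}
ASCII_RE = re.compile(rb"[\x20-\x7e]{6,}")            # like `strings`
WIDE_RE = re.compile(rb"(?:[\x20-\x7e]\x00){6,}")     # UTF-16LE strings

@dataclass
class Finding:
    component: str   # file inside the package
    product: str     # security product whose footprint is referenced
    evidence: str    # the indicator string found
    approved: bool   # component is on the documented/approved list

def extract_strings(blob: bytes):
    """Yield printable ASCII and UTF-16LE strings from a binary blob."""
    for m in ASCII_RE.finditer(blob):
        yield m.group().decode("ascii")
    for m in WIDE_RE.finditer(blob):
        yield m.group().decode("utf-16-le")

def scan_component(name: str, blob: bytes, approved: set) -> list:
    """Report each distinct security-software footprint one component references."""
    findings, seen = [], set()
    for s in extract_strings(blob):
        for indicator, product in FOOTPRINT_INDICATORS.items():
            if indicator.lower() in s.lower() and indicator not in seen:
                seen.add(indicator)
                findings.append(Finding(name, product, indicator, name in approved))
    return findings

def evaluate_package(components: dict, approved: set):
    """Return (all findings, names of unapproved components that need review)."""
    findings = [f for n, b in components.items() for f in scan_component(n, b, approved)]
    return findings, sorted({f.component for f in findings if not f.approved})

# Constructed sample package: setup.exe is approved (it warns about compatibility),
# helper.dll references the Defender key via a wide string and is not approved.
SAMPLE_PACKAGE = {
    "setup.exe": b"MZ\x00Checking Program Files\\Windows Defender for compatibility\x00",
    "helper.dll": "SOFTWARE\\Microsoft\\Windows Defender".encode("utf-16-le") + b"\x00\x00",
    "updater.exe": b"\x00no security-software references here\x00",
}
APPROVED = {"setup.exe"}

if __name__ == "__main__":
    found, review = evaluate_package(SAMPLE_PACKAGE, APPROVED)
    for f in found:
        print(f"{f.component}: {f.product} via {f.evidence!r} approved={f.approved}")
    print("needs review:", review)
```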
Recommended reading
- T1518.001 - Security Software Discovery (External resource - Mitre ATT&CK documentation)
- Malware (ReversingLabs glossary)