• DocumentCode
    1548669
  • Title
    Antivirus Software Shield Against Antivirus Terminators
  • Author
    Hsu, Fu-Hau ; Wu, Min-Hao ; Tso, Chang-Kuo ; Hsu, Chi-Hsien ; Chen, Chieh-Wen
  • Author_Institution
    Dept. of Comput. Sci. & Inf. Eng., Nat. Central Univ., Jhongli, Taiwan
  • Volume
    7
  • Issue
    5
  • fYear
    2012
  • Firstpage
    1439
  • Lastpage
    1447
  • Abstract
    In the last several decades, the arms race between malware writers and antivirus programmers has become more and more severe. The simplest way for a computer user to secure a computer is to install antivirus software on it. As antivirus software becomes more sophisticated and powerful, evading its detection becomes an important part of malware design. As a result, malware writers have developed various approaches to increase the survivability and concealment of their malware. One of these techniques is to terminate antivirus software right after the malware starts executing. In this paper, we propose a mechanism, called ANtivirus Software Shield (ANSS), to prevent antivirus software from being terminated without the awareness of the antivirus software users. ANSS uses System Service Descriptor Table (SSDT) hooking to intercept specific Windows APIs and analyzes the calls to filter out hazardous ones that would terminate antivirus software. In experiments with several pieces of malware that can terminate various brands of antivirus applications, the results show that ANSS protects antivirus software from being terminated by them with at most 0.42% CPU performance overhead and 1.77% memory write performance overhead.
  • Keywords
    application program interfaces; invasive software; ANSS; SSDT hooking; Windows API; antivirus programmers; antivirus software shield; antivirus terminators; malware survivability; malware writers; system service descriptor table hooking; Computers; Malware; Materials; Process control; Reverse engineering; Software; API hooking; Antivirus software; malware;
  • fLanguage
    English
  • Journal_Title
    Information Forensics and Security, IEEE Transactions on
  • Publisher
    ieee
  • ISSN
    1556-6013
  • Type
    jour
  • DOI
    10.1109/TIFS.2012.2206028
  • Filename
    6226454