ABK has the ability to identify the installed anti-virus product on the compromised host.[2]
APT38 has identified security software, configurations, defensive tools, and sensors installed on a compromised system.[3]
Astaroth checks for the presence of Avast antivirus in the C:\Program Files\ folder.[4]
Avenger has the ability to identify installed anti-virus products on a compromised host.[2]
BadPatch uses WMI to enumerate installed security products in the victim’s environment.[5]
BLUELIGHT can collect a list of anti-virus products installed on a machine.[7]
build_downer has the ability to detect if the infected host is running an anti-virus process.[2]
Carberp has queried the infected system's registry searching for specific registry keys associated with antivirus products.[8]
Clop can search for processes with antivirus and antimalware product names.[10][11]
Cobalt Group used a JavaScript backdoor that is capable of collecting a list of the security solutions installed on the victim's machine.[12]
CookieMiner has checked for the presence of "Little Snitch", macOS network monitoring and application firewall software, stopping and exiting if it is found.[14]
The main CozyCar dropper checks whether the victim has an anti-virus product installed. If the installed product is on a predetermined list, the dropper will exit.[15]
Crimson contains a command to collect information about anti-virus software on the victim.[16][17]
Darkhotel has searched for anti-malware strings and anti-virus processes running on the system.[18][19]
down_new has the ability to detect anti-virus products and processes on a compromised host.[2]
Epic searches for anti-malware services running on the victim’s machine and terminates itself if it finds them.[22]
EvilBunny has been observed querying installed antivirus software.[23]
EVILNUM can search for anti-virus products on the system.[24]
Felismus checks for processes associated with anti-virus vendors.[25]
FELIXROOT checks for installed security software like antivirus and firewall.[26]
FIN8 has used Registry keys to detect and avoid executing in potential sandboxes.[27]
FinFisher probes the system to check for antimalware processes.[28][29]
Flame identifies security software such as antivirus through the Security module.[30][31]
FlawedAmmyy will attempt to detect anti-virus products during the initial infection.[32]
Frankenstein has used WMI queries to detect if virtualization environments or analysis tools were running on the system.[33]
Gold Dragon checks for anti-malware products and processes.[34]
Grandoreiro can list installed security products including the Trusteer and Diebold Warsaw GAS Tecnologia online banking protections.[35]
InvisiMole can check for the presence of network sniffers, AV, and BitDefender firewall.[36]
JPIN checks for the presence of certain security-related processes and deletes its installer/uninstaller component if it identifies any of them.[37]
jRAT can list security software, such as by using WMIC to identify anti-virus products installed on the victim’s machine and to obtain firewall details.[38][39]
Kasidet has the ability to identify any anti-virus installed on the infected system.[40]
LiteDuke has the ability to check for the presence of Kaspersky security software.[41]
MarkiRAT can check for running processes on the victim’s machine to look for Kaspersky and Bitdefender antivirus products.[42]
Metamorfo collects a list of installed antivirus software from the victim’s system.[43][44]
Micropsia searches for anti-virus software and firewall products installed on the victim’s machine using WMI.[45][46]
MoleNet can use WMI commands to check the system for firewall and antivirus software.[47]
More_eggs can obtain information on installed anti-malware programs.[48]
Mosquito's installer searches the Registry and system to see if specific antivirus tools are installed on the system.[49]
MuddyWater has used malware to check running processes against a hard-coded list of security tools often used by malware researchers.[50]
Naikon uses commands such as netsh advfirewall firewall to discover local firewall settings.[51]
netsh can be used to discover system firewall settings.[52][53]
Netwalker can detect and terminate active security software-related processes on infected systems.[54]
NotPetya determines if specific antivirus programs are running on an infected host machine.[55]
Operation Wocao has used scripts to detect security software.[56]
Patchwork scanned the "Program Files" directories for a directory with the string "Total Security" (the installation path of the "360 Total Security" antivirus tool).[57]
PipeMon can check for the presence of ESET and Kaspersky security software.[58]
POWERSTATS has detected security tools.[59]
POWRUNER may collect information on the victim's anti-virus software.[60]
A module in Prikormka collects information from the victim about installed anti-virus software.[61]
PUNCHBUGGY can gather a list of the AV products registered on the system.[62]
QakBot can identify the installed antivirus product on a targeted system.[63][64][65]
Remsec has a plugin to detect active drivers of some security products.[66]
Rocke used scripts which detected and uninstalled antivirus software.[67][68]
RogueRobin enumerates running processes to search for Wireshark and Windows Sysinternals suite.[69][70]
RTM can obtain information about security software on the victim.[73]
Sidewinder has used the Windows service winmgmts:\\.\root\SecurityCenter2 to check installed antivirus products.[74]
Skidmap has the ability to check if /usr/sbin/setenforce exists. This file controls what mode SELinux is in.[75]
SpicyOmelette can check for the presence of 29 different antivirus tools.[76]
StoneDrill can check for antivirus and antimalware programs.[77]
StreamEx has the ability to scan for security tools such as firewalls and antivirus tools.[78]
StrongPity can identify if ESET or BitDefender antivirus are installed before dropping its payload.[79]
Stuxnet enumerates the currently running processes related to a variety of security products.[80]
SUNBURST checked for a variety of antivirus/endpoint detection agents prior to execution.[81][82]
T9000 performs checks for various antivirus and security products during installation.[83]
TajMahal has the ability to identify which anti-virus products, firewalls, and anti-spyware products are in use.[84]
Tasklist can be used to enumerate security software currently running on a system by matching process names against those of known products.[85]
TeamTNT has searched for security products on infected machines.[86]
The White Company has checked for specific antivirus products on the target’s computer, including Kaspersky, Quick Heal, AVG, BitDefender, Avira, Sophos, Avast!, and ESET.[87]
ThiefQuest uses the kill_unwanted function to get a list of running processes, compares each process with an encrypted list of "unwanted" security related programs, and kills the processes for security related programs.[88]
Tropic Trooper can search for anti-virus software running on the system.[89]
Turla has obtained information on security software, including security logging information that may indicate whether their malware has been detected.[90]
Valak can determine if a compromised host has security products installed.[91]
VERMIN uses WMI to check for anti-virus software installed on the system.[92]
Waterbear can detect the presence of specific security software.[93]
Windshift has used malware to identify installed AV and commonly used forensic and malware analysis tools.[94]
Wingbird checks for the presence of Bitdefender security software.[95]
Wizard Spider has used WMI to identify anti-virus products installed on a victim's machine.[96]
xCaon has checked for the existence of Kaspersky antivirus software on the system.[97]
XCSSET searches firewall configuration files located in /Library/Preferences/ and uses csrutil status to determine if System Integrity Protection is enabled.[98]
YAHOYAH checks for antimalware solution processes on the system.[99]
Zeus Panda checks to see if anti-virus, anti-spyware, or firewall products are installed in the victim’s environment.[100][101]