How can I make sure the anti-malware software doesn’t terminate my custom service?

Raymond Chen

A customer was developing a Windows service process, and it is important to them that the service keep running on their servers. They wanted to know if there was a way they could prevent users who connect to the server from terminating the service. In particular, they wanted to make sure that the user couldn’t use the anti-malware software to terminate their service, either by mistake or maliciously.

The fact that they made it to asking about anti-malware software tells me that they have already locked down the more obvious access points. For example, they’ve already set the appropriate permissions on their service so that only administrators can Stop the service.

But how do you protect your process from anti-malware software?

The answer, of course, is that you can’t.

Because if you could inoculate yourself against being terminated by anti-malware software, then malware would do it!

Anti-malware software runs with extremely high levels of access to the system. They have components that run in kernel mode, after all. Even if they can’t terminate your process, they can certainly make it so that your process can’t accomplish anything (say, by preventing its threads from being scheduled to execute). And if anti-malware software goes awry, the entire system can be rendered catastrophically broken.

The customer will have to work with the anti-malware software that runs on their server to see if there is a setting or other way to tell the anti-malware software never to terminate their critical service. (Of course, it means that genuine malware might masquerade as their critical service and elude detection. This is a risk assessment trade-off they will have to make.) And if their service runs on client-configured servers, where they don’t control what anti-malware software the client uses, then they’ll have to work with all of the anti-malware software (or at least all the major ones) and see if they can arrange something.¹

But Windows can’t help you. The anti-malware software is more powerful than you.

¹ For example, maybe they digitally sign their service process and give the public key to the anti-malware software, saying, “Please don’t terminate processes signed by this key.” Of course, the real question is whether the anti-malware vendors will accept that.

Author

Raymond Chen

Raymond has been involved in the evolution of Windows for more than 30 years. In 2003, he began a Web site known as The Old New Thing which has grown in popularity far beyond his wildest imagination, a development which still gives him the heebie-jeebies. The Web site spawned a book, coincidentally also titled The Old New Thing (Addison Wesley 2007). He occasionally appears on the Windows Dev Docs Twitter account to tell stories which convey no useful information.

14 comments

Discussion is closed. Login to edit/delete existing comments.

Joe Beans March 24, 2026

Unfortunately those reasons are why I can never for any reason or pretext allow antivirus on my machine, to the red line of non-negotiation. The pain of low social credit is limited to what’s on the other side of the socket connection, but a local antivirus is ultimately judging everything I own for intent, with license to kill and the brain of an AI that I didn’t get to train.
- Christopher Lee 1 week ago
  
  I find Xbox consoles fascinating because they are high-stakes Windows devices that lack Windows Defender, and I’ve learned so much and made corresponding PC computing lifestyle changes by asking myself questions. Why is USB keyboard and mouse input tagged as untrusted? Why is Windows Defender absent? What is a security boundary and why should I rely on the ones defined for Windows? Why are full trust applications blocked? What does it really mean to comply with Microsoft Store policies for a software application? How can I get an approximation of S mode without OEM cooperation?
Fredrik Orderud March 24, 2026

The Add-MpPreference PowerShell function seem to allow for paths & processes to be excluded from Windows Defender scans.
Shawn Van Ness March 24, 2026

The false-positive problem with antivirus is pretty bad.. I work on a PC game that has about 30-40 Gb (compressed) of resources. It is virtually impossible to download 30+ Gb of compressed (ie. random) bytes without triggering a false-positive hit from someone’s AV.

Heck even the source code .. the git repo is about 5 Gb and doing a git-clone often triggers a false-positive.

I don’t know the solution for this problem.. making it easier to sign stuff, might help? (We are a hobbyist / freeware project, without the resources to sign installers with an EV cert.)
- Joshua Hudson March 24, 2026
  
  I've wondered about that. Sometimes I think the answer is "Make a new Code Signing root." Once added to the system, the AV should recognize it. This is kind of shifting the target; you still need all the rest of the infrastructure. It's not a lot of money but it's a lot of moving parts. One misuse of your EV root and it will get banned.
  
  git clone should essentially never trip a false positive though; all such should be reported immediately as obviously bad. (scanning engine is pretty broken if it thinks a fragment of malicious code was found in...
  Read more
  I’ve wondered about that. Sometimes I think the answer is “Make a new Code Signing root.” Once added to the system, the AV should recognize it. This is kind of shifting the target; you still need all the rest of the infrastructure. It’s not a lot of money but it’s a lot of moving parts. One misuse of your EV root and it will get banned.
  
  git clone should essentially never trip a false positive though; all such should be reported immediately as obviously bad. (scanning engine is pretty broken if it thinks a fragment of malicious code was found in a context where it cannot run).
  
  Read less
  - Igor Levicki 1 week ago
    
    That wouldn’t work.
    
    I have a valid, paid-for, IV code-signing certificate which I use to sign my executables. Windows Defender (or is it Smartscreen?) still blocks the file when I share it with a friend saying how they saved his PC. That happens no matter if said executable is written in plain C, C++, or C# and no matter which, if any, system APIs it is using or paths it is accessing. I also had some questionable endpoint protection vendors (looking at you Crowdstrike!) flag them as malware through ML heuristic by listing totally bullshit reasons such as “uses LoadLibrary” (name...
    Read more
    That wouldn’t work.
    
    I have a valid, paid-for, IV code-signing certificate which I use to sign my executables. Windows Defender (or is it Smartscreen?) still blocks the file when I share it with a friend saying how they saved his PC. That happens no matter if said executable is written in plain C, C++, or C# and no matter which, if any, system APIs it is using or paths it is accessing. I also had some questionable endpoint protection vendors (looking at you Crowdstrike!) flag them as malware through ML heuristic by listing totally bullshit reasons such as “uses LoadLibrary” (name one Windows executable which doesn’t?) or connects to internet (while listing hxxps://www.ssl.com/ from the certificate as the target URL) or blaming my code for loading RPCRT4.dll (when it was vxole64.dll they injected into process that loaded it). If you want to see the full list of “indicators” I wrote an article about it on my website.
    
    At this point, it’s clear that it’s all just fear-mongering and forcing individual developers to pay the Endpoint Protection Tax by going full enterprise — founding a LLC, paying for Azure Portal access, setting up a domain and paying for server and CALs plus the outrageous fees for EV certification just so their executable isn’t held hostage by AV vendors.
    
    And then Crowdstrike Falcon happens and it shows how it is all a big scam — EV signed kernel mode driver has been so rigorously inspected for certification by Microsoft that it managed to infiltrate a full blown byte interpreter into kernel mode without as much as proper __try/__catch wrapper to not hose 8 million PCs. Think about that for a minute, you are supposed to guard against ANY exceptions in driver code, not to mention it is expressly forbidden to include any form of interpreter in kernel-mode drivers and that was ALLOWED TO PASS EV CERTIFICATION and cross-signed with Microsoft’s certs which have Windows Hardware Driver Verification (1.3.6.1.4.1.311.10.3.5) and Windows Hardware Driver Extended Verification (1.3.6.1.4.1.311.10.3.39) EKUs stamped on it.
    
    It’s not verification, it’s A RACKET.
    
    Read less
Martin Ba March 24, 2026

The question is a wee bit odd.

If I have a service (executable) that may be terminated (or has been terminated) by the anti?malware infrastructure, then the obvious answer is to add that service (executable) to the exclusion list of said system.

We have learned that any performance critical software, (hint: cl.exe) or really any software that doesn’t do bog standard things is better off being excluded from AV scans.

I still cannot decide if malware or the anti-malwere is the bigger practical problem in Windows today 🙂
- Sigge Mannen March 24, 2026
  
  I guess the problem is that a user can control anti-malware software and therefore can use it to escalate their privileges and use it as a sledge hammer to kill other applications.
  The service is probably some surveillance service which they don’t want users to mess with.
  The solution should be to not allow user control of malware software or move the stuff into the cloud!
  - Martin Ba March 27, 2026
    
    “… it is important to them that the service keep running on their servers …” – rather sounds that the AV is randomly messing with the uptime of the service.
Valts Sondors March 24, 2026

The nuclear/mad-scientist option: write your own kernel driver which then runs your code in the usermode (or maybe even kernel mode) essentially completely bypassing the regular process scheduler.
Matthew van Eerde March 23, 2026

Why do they want to prevent the anti-malware software from stopping their service?
- Simon Farnsworth March 27, 2026
  
  I've seen cases where the anti-malware is mandated by the IT department, and cannot be removed or disabled (not even allowlisting the service in question) due to executive fiat, but it's also business-critical that the service does not stop, else a different department (not IT) stops working.
  
  All it takes is a bit of dysfunctional management, and you get here. The same company, FWIW, employed people to write Windows device drivers, but required IT to install the driver on test systems each time they made a change they wanted to test - there wasn't sufficient understanding to realize that if you...
  Read more
  I’ve seen cases where the anti-malware is mandated by the IT department, and cannot be removed or disabled (not even allowlisting the service in question) due to executive fiat, but it’s also business-critical that the service does not stop, else a different department (not IT) stops working.
  
  All it takes is a bit of dysfunctional management, and you get here. The same company, FWIW, employed people to write Windows device drivers, but required IT to install the driver on test systems each time they made a change they wanted to test – there wasn’t sufficient understanding to realize that if you give someone the ability to run code at kernel level, refusing to give them an account with local administrator privileges on a test system wasn’t a meaningful improvement in security.
  
  Read less
- Simon Geard March 23, 2026
  
  Because the difference between anti-malware and malware can be pretty slim sometimes… even when we’re talking about legitimate solutions, they tend to do a lot of horrible stuff to try to identity the actual malware, and this often causes almost as many problems as the malware does.
- Joshua Hudson March 23, 2026 · Edited
  
  I have faced this actual issue. The answer was the anti-malware was *broken*. We were empowered by the customer to make our product work by any means necessary, and if the anti-malware software stopped working it was an acceptable loss.
  
  Standard tricks:
  1) kill the anti-malware with task manager; this usually works (just because you can kill it with task manager doesn't mean you can write code to kill it...I found several cases where ibprocman could not but task manager could)
  2) rename the anti-malware's installation directory; this would cause it to fail to launch on the next reboot.
  3) boot...
  Read more
  I have faced this actual issue. The answer was the anti-malware was *broken*. We were empowered by the customer to make our product work by any means necessary, and if the anti-malware software stopped working it was an acceptable loss.
  
  Standard tricks:
  1) kill the anti-malware with task manager; this usually works (just because you can kill it with task manager doesn’t mean you can write code to kill it…I found several cases where ibprocman could not but task manager could)
  2) rename the anti-malware’s installation directory; this would cause it to fail to launch on the next reboot.
  3) boot safe mode and take out the anti-malware
  4) use gpedit to ban the anti-malware
  5) distrust the anti-malware’s signing key locally (doesn’t work on Windows Defender for the obvious reason)
  6) boot rescue media and take out the anti-malware
  
  Note that essentially none of this is code you can ship as a package, as it should be.
  
  If the anti-malware is being pushed out by group policy, after removing it create a directory named the same thing as its kernel mode component. It won’t bug you again. Note that we’ve taken the same position as the kernel debugger: “the local administrator has more authority as the domain administrator”.
  
  Organizations are better organized than they once were; usually it doesn’t get this far anymore, and the offending anti-malware will be dealt with without our direct intervention.
  
  Read less