A customer was developing a Windows service process, and it is important to them that the service keep running on their servers. They wanted to know if there was a way they could prevent users who connect to the server from terminating the service. In particular, they wanted to make sure that the user couldn’t use the anti-malware software to terminate their service, either by mistake or maliciously.

The fact that they made it to asking about anti-malware software tells me that they have already locked down the more obvious access points. For example, they’ve already set the appropriate permissions on their service so that only administrators can Stop the service.

But how do you protect your process from anti-malware software?

The answer, of course, is that you can’t.

Because if you could inoculate yourself against being terminated by anti-malware software, then malware would do it!

Anti-malware software runs with extremely high levels of access to the system. They have components that run in kernel mode, after all. Even if they can’t terminate your process, they can certainly make it so that your process can’t accomplish anything (say, by preventing its threads from being scheduled to execute). And if anti-malware software goes awry, the entire system can be rendered catastrophically broken.

The customer will have to work with the anti-malware software that runs on their server to see if there is a setting or other way to tell the anti-malware software never to terminate their critical service. (Of course, it means that genuine malware might masquerade as their critical service and elude detection. This is a risk assessment trade-off they will have to make.) And if their service runs on client-configured servers, where they don’t control what anti-malware software the client uses, then they’ll have to work with all of the anti-malware software (or at least all the major ones) and see if they can arrange something.¹

But Windows can’t help you. The anti-malware software is more powerful than you.

¹ For example, maybe they digitally sign their service process and give the public key to the anti-malware software, saying, “Please don’t terminate processes signed by this key.” Of course, the real question is whether the anti-malware vendors will accept that.