{"id":112157,"date":"2026-03-23T07:00:00","date_gmt":"2026-03-23T14:00:00","guid":{"rendered":"https:\/\/devblogs.microsoft.com\/oldnewthing\/?p=112157"},"modified":"2026-03-23T08:01:00","modified_gmt":"2026-03-23T15:01:00","slug":"20260323-00","status":"publish","type":"post","link":"https:\/\/devblogs.microsoft.com\/oldnewthing\/20260323-00\/?p=112157","title":{"rendered":"How can I make sure the anti-malware software doesn&#8217;t terminate my custom service?"},"content":{"rendered":"<p>A customer was developing a Windows service process, and it is important to them that the service keep running on their servers. They wanted to know if there was a way they could prevent users who connect to the server from terminating the service. In particular, they wanted to make sure that the user couldn&#8217;t use the anti-malware software to terminate their service, either by mistake or maliciously.<\/p>\n<p>The fact that they made it to asking about anti-malware software tells me that they have already locked down the more obvious access points. For example, they&#8217;ve already set the appropriate permissions on their service so that only administrators can Stop the service.<\/p>\n<p>But how do you protect your process from anti-malware software?<\/p>\n<p>The answer, of course, is that you can&#8217;t.<\/p>\n<p>Because if you could inoculate yourself against being terminated by anti-malware software, then malware would do it!<\/p>\n<p>Anti-malware software runs with extremely high levels of access to the system. They have components that run in kernel mode, after all. Even if they can&#8217;t terminate your process, they can certainly make it so that your process can&#8217;t accomplish anything (say, by preventing its threads from being scheduled to execute). And <a href=\"https:\/\/en.wikipedia.org\/wiki\/2024_CrowdStrike-related_IT_outages\"> if anti-malware software goes awry, the entire system can be rendered catastrophically broken<\/a>.<\/p>\n<p>The customer will have to work with the anti-malware software that runs on their server to see if there is a setting or other way to tell the anti-malware software never to terminate their critical service. (Of course, it means that genuine malware might masquerade as their critical service and elude detection. This is a risk assessment trade-off they will have to make.) And if their service runs on client-configured servers, where they don&#8217;t control what anti-malware software the client uses, then they&#8217;ll have to work with <i>all<\/i> of the anti-malware software (or at least all the major ones) and see if they can arrange something.\u00b9<\/p>\n<p>But Windows can&#8217;t help you. The anti-malware software is more powerful than you.<\/p>\n<p>\u00b9 For example, maybe they digitally sign their service process and give the public key to the anti-malware software, saying, &#8220;Please don&#8217;t terminate processes signed by this key.&#8221; Of course, the real question is whether the anti-malware vendors will accept that.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>You&#8217;ll have to ask nicely.<\/p>\n","protected":false},"author":1069,"featured_media":111744,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[1],"tags":[25],"class_list":["post-112157","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-oldnewthing","tag-code"],"acf":[],"blog_post_summary":"<p>You&#8217;ll have to ask nicely.<\/p>\n","_links":{"self":[{"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/posts\/112157","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/users\/1069"}],"replies":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/comments?post=112157"}],"version-history":[{"count":1,"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/posts\/112157\/revisions"}],"predecessor-version":[{"id":112158,"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/posts\/112157\/revisions\/112158"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/media\/111744"}],"wp:attachment":[{"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/media?parent=112157"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/categories?post=112157"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/tags?post=112157"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}