研究期間:10208~10307;In the near several decades, the arms race between malware writers and antivirus programmers has become more and more severe. The simplest way for a computer user to secure her/his computer is to install antivirus software on her/his computer. As antivirus software becomes more sophisticated and powerful, evading the detection of antivirus software becomes an important part of malware. As a result, malware writers have developed various approaches to increase the survivability and stealth of their malware. One of these technologies is to terminate antivirus software right after the execution of the malware. In this project, we plan to propose a mechanism, called ANtivirus Software Shield (ANSS), to prevent antivirus software from being terminated without the consciousness of the antivirus software users. ANSS uses SSDT (System Service Descriptor Table) hooking to intercept specific Windows APIs and analyzes them to filter out hazardous API calls that will terminate antivirus software. After implementing our system, we will use diverse pieces of malware that can terminate various brands of antivirus applications to test the effectiveness of ANSS and the performance overhead of ANSS.
