Behavioral detection based on uninstaller modification or removal

摘要

To evade heuristic detection, malware is often designed to trick users into installing the malware by being packaged in a standard installer known to the user's computer for typically installing legitimate software. To prevent removal of the malware, the malware modifies or removes its uninstaller. A security module manages this type of evasion technique by monitoring and detecting installations performed on a computer. The module detects attempts to remove or modify the uninstaller for the application to render the uninstaller incapable of uninstalling the application. The module can intercept and block such attempts, and then analyze the application for malicious code. Where the application is determined to be malware, the module prevents malicious activity. The module can also use the malware's own uninstaller to uninstall the malware from the computer.