(YARA) YARA_disable_antivirus
import "pe"  // imported by the original author but not referenced in the condition

rule disable_antivirus
{
    meta:
        author = "x0r"
        description = "Disable AntiVirus"
    strings:
        // Registry paths used to block, remove or configure security software
        $p1 = "Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\DisallowRun" nocase
        $p2 = "Software\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\" nocase
        $p3 = "SOFTWARE\\Policies\\Microsoft\\Windows Defender" nocase
        // Registry write API name
        $c1 = "RegSetValue"
        // Registry value names that silence AV notifications, disable Defender
        // anti-spyware, or turn off executable signature checks
        $r1 = "AntiVirusDisableNotify"
        $r2 = "DontReportInfectionInformation"
        $r3 = "DisableAntiSpyware"
        $r4 = "RunInvalidSignatures"
        $r5 = "AntiVirusOverride"
        $r6 = "CheckExeSignatures"
        // Process names of security products and of the tools used to kill them
        $f1 = "blackd.exe" nocase
        $f2 = "blackice.exe" nocase
        $f3 = "lockdown.exe" nocase
        $f4 = "lockdown2000.exe" nocase
        $f5 = "taskkill.exe" nocase
        $f6 = "tskill.exe" nocase
        $f7 = "smc.exe" nocase
        $f8 = "sniffem.exe" nocase
        $f9 = "zapro.exe" nocase
        $f10 = "zlclient.exe" nocase
        $f11 = "zonealarm.exe" nocase
    condition:
        // registry write + DisallowRun path + a security process name,
        // or registry write + Uninstall path,
        // or any AV-disabling value name,
        // or the Windows Defender policy path
        ($c1 and $p1 and 1 of ($f*)) or ($c1 and $p2) or 1 of ($r*) or $p3
}
Associated Techniques
No associated technique found so far.

Matching Samples (10 most recent)
| Sample Name | Matching Techniques | First Seen | Last Seen |
|---|---|---|---|
| DarkComet.exe | 8 | 2025-04-25 | 6 months ago |
| putty-64bit-0.81-installer.msi | 2 | 2024-11-25 | 11 months ago |
Created: June 20, 2022
Last Revised: June 20, 2022