From various research sources, the use of this "tool" requires that a user with malicious intent must have already acquired administrative privileges on the target machine. Alternatively, the attacker must entice a victim with administrative privilege to run the tool and accept a User Account Control (UAC) pop-up that will appear. Therefore, the most basic, and strongest mitigation against exploitation at this time is to ensure that credentials (especially for sensitive accounts) are properly secured - as damage extending far beyond disabling security clients is possible with administrative privileges.
 

Using Trend Micro Products for Investigation, Detection & Protection

The following highlights several post-exploitation detections and remediation technology that can be used by customers to investigate and help with potential remediation in a customer’s environment.

Trend Vision One™

Trend Vision One customers benefit from XDR detection capabilities of the underlying products such as Apex One.  The following outline some of the components of Trend Vision One that can used for investigation.

XDR Threat Investigation > Detection Model Management

Trend Micro has added a new Detection Model titled "Suspicious Service Installation for Disabling AV Security Product using Zemana Anti-Malware Driver" which can used for investigation in the environment.
 

Trend Micro Server & Endpoint Products Utilizing Behavior Monitoring (e.g. Apex One, Cloud One - Workload Security, Deep Security, Worry-Free Business Security, etc.)

Trend Micro has released some updated detections for server and endpoint protection products that utilize Behavior Monitoring protection:

• 2911T - Anti-AV/Anti-EDR by abusing Zemana AntiLogger Vulnerable Driver
• SEN2054S - Malicious Driver Dropping

This article will continue to be updated with additional information as needed.