Sign In with your
Trend Micro Account

若您需要技術支援,請 按此建立案件。

Trend Micro Update on "Terminator" AV/EDR Bypass

    • 更新於:
    • 5 Jun 2023
    • 產品/版本:
    • 作業系統:
Updated 6/5/2023:  Added Behavior Monitoring Information

Trend Micro is aware of and is actively researching claims of a tool, dubbed "Terminator," that has been promoted by a suspected threat actor on underground forums.  This tool is reported to have the ability to terminate any major commercial antivirus (AV), XDR or EDR endpoint security agent, including those from Trend Micro.
From various research sources, the use of this "tool" requires that a user with malicious intent must have already acquired administrative privileges on the target machine. Alternatively, the attacker must entice a victim with administrative privilege to run the tool and accept a User Account Control (UAC) pop-up that will appear. Therefore, the most basic, and strongest mitigation against exploitation at this time is to ensure that credentials (especially for sensitive accounts) are properly secured - as damage extending far beyond disabling security clients is possible with administrative privileges.

Using Trend Micro Products for Investigation, Detection & Protection

The following highlights several post-exploitation detections and remediation technology that can be used by customers to investigate and help with potential remediation in a customer’s environment.

Trend Vision One™

Trend Vision One customers benefit from XDR detection capabilities of the underlying products such as Apex One.  The following outline some of the components of Trend Vision One that can used for investigation.

XDR Threat Investigation > Detection Model Management

Trend Micro has added a new Detection Model titled "Suspicious Service Installation for Disabling AV Security Product using Zemana Anti-Malware Driver" which can used for investigation in the environment.


Trend Micro Server & Endpoint Products Utilizing Behavior Monitoring (e.g. Apex One, Cloud One - Workload Security, Deep Security, Worry-Free Business Security, etc.)

Trend Micro has released some updated detections for server and endpoint protection products that utilize Behavior Monitoring protection:
  • 2911T - Anti-AV/Anti-EDR by abusing Zemana AntiLogger Vulnerable Driver
  • SEN2054S - Malicious Driver Dropping

This article will continue to be updated with additional information as needed.
Remove a Malware / Virus



若您需要協助,請聯繫對應的技術支援窗口. 聯絡我們

To help us improve the quality of this article, please leave your email here so we can clarify further your feedback, if neccessary:
We will not send you spam or share your email address.

*This form is automated system. General questions, technical, sales, and product-related issues submitted through this form will not be answered.