Trend Micro is aware of and is actively researching claims of a tool, dubbed "Terminator," that has been promoted by a suspected threat actor on underground forums. This tool is reported to have the ability to terminate any major commercial antivirus (AV), XDR or EDR endpoint security agent, including those from Trend Micro.
Using Trend Micro Products for Investigation, Detection & Protection
The following highlights several post-exploitation detections and remediation technology that can be used by customers to investigate and help with potential remediation in a customer’s environment.
Trend Vision One™
Trend Vision One customers benefit from XDR detection capabilities of the underlying products such as Apex One. The following outline some of the components of Trend Vision One that can used for investigation.
XDR Threat Investigation > Detection Model Management
Trend Micro has added a new Detection Model titled "Suspicious Service Installation for Disabling AV Security Product using Zemana Anti-Malware Driver" which can used for investigation in the environment.
Trend Micro Server & Endpoint Products Utilizing Behavior Monitoring (e.g. Apex One, Cloud One - Workload Security, Deep Security, Worry-Free Business Security, etc.)
Trend Micro has released some updated detections for server and endpoint protection products that utilize Behavior Monitoring protection:
- 2911T - Anti-AV/Anti-EDR by abusing Zemana AntiLogger Vulnerable Driver
- SEN2054S - Malicious Driver Dropping
This article will continue to be updated with additional information as needed.