Disabling Security Tools
Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security scanning or event reporting. You can read more about this attacker technique at https://attack.mitre.org/wiki/Technique/T1089.
The Veramine sensor resists being killed or disabled. While the limited demo version of the sensor can be easily uninstalled, the sensor versions provided to customers can be uninstalled either from the Veramine portal or by supplying the customer-unique password via the installer's uninstall command. Without that password, the sensor will resist all attempts to unload the driver or stop the service. Customers under contract may request more information about the Veramine sensor protection mechanisms.