You should improve AV protection

Articles:
[1] Exploiting the ThrottleStop driver to disable antivirus processes | Securelist (original title: Эксплуатация драйвера ThrottleStop с целью отключения процессов антивирусов)
[2] RDP and weak passwords attract cybercriminals – AV Killer in a new edition and the need for multi-layered protection » AVLab.pl (original title: RDP i słabe hasła przyciągają cyberprzestępców – AV Killer w nowym wydaniu oraz potrzeba wielowarstwowego zabezpieczenia)

In the case analysed by Kaspersky researchers, the attacked company lost access to its IT systems because of insufficient security measures. The attackers reached an SMTP server located in Belgium over RDP; the administrator account they used had no adequate protection configured. With high privileges on that host, the criminals ran Mimikatz, harvested the credentials of other users for the remaining systems, and began spreading to other computers. By disabling the antivirus solution on several workstations and servers in the company's network, they were able to launch the MedusaLocker ransomware.

Researchers report that the cybercriminals created a user account with a different name on each system, appending a number to the user name (User1, User2, and so on, up to UserN). The password for all of the created users was the same, however.

Next, with server access and administrator privileges, they placed a set of malicious files, including AV Killer, in C:\Users\Administrator\Music. Later these files were copied, together with the ransomware, to other systems, this time into the C:\Users\UserN\Pictures folder. Initially, Windows Defender blocked the encryptor on some devices as soon as it was written to the target location, but the antivirus protection was eventually disabled.

Analysis of the AV Killer sample yielded strings in the malware code naming the processes of the specific antivirus products it attacks: Avast, AVG, Bitdefender, CrowdStrike, Eset, Kaspersky, McAfee, Microsoft, Quick Heal, Symantec, Panda, SentinelOne and Sophos. It should be stressed once again that most reputable products have self-protection that prevents termination of their own processes and tampering with their files and registry entries, even with administrator privileges. Depending on the workstation configuration, Microsoft Defender may start automatically if its service detects that the other antivirus software has been disabled, which explains the alert raised by Microsoft Defender and its subsequent disabling by AV Killer.

This attack highlights the importance of multi-layered protection. Although the attacked company used an antivirus solution (which one was not disclosed; Microsoft Defender can start automatically when other software stops working), the effects of the attack could have been avoided by implementing BASIC security measures: strong passwords, multi-factor authentication and, of course, blocking access to RDP from public IP addresses.


——————————————————————————————————————————-
tl;dr: The question is: is your antivirus program protected against such 'AV bypass' attacks? About two years ago, I noticed that after launching a certain application, Avast shut itself down. I was confused. It turned out to be a virus that Avast had failed to detect. Protection is better now, but I still wonder about the effectiveness of security measures – even websites dedicated to testing antivirus programs publish articles about cases where antivirus protection has been bypassed.

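The chain summarised in the post above (an RDP logon to the admin account from a public address, a burst of User1..UserN account creations, executables launched from a profile's Music or Pictures folder, and Defender being switched off) is exactly the kind of thing a SOC can hunt for in Windows event logs. The script below is an added example for this thread, not code from the Securelist or AVLab write-ups; the event records are constructed inline rather than taken from a real capture, the field names follow the Security and Microsoft-Windows-Windows Defender/Operational logs, and the Defender event IDs and the "three or more accounts" threshold are stated assumptions.

```python
"""Hunt over Windows event records for the intrusion chain summarised in this thread.

Added example for the thread, not code from the Securelist or AVLab write-ups.
The events below are constructed, not a real capture; field names follow the
Security and Microsoft-Windows-Windows Defender/Operational logs, and the
thresholds and Defender event IDs used are assumptions.
"""
import ipaddress
import re
from collections import defaultdict

# Constructed sample records (what a log forwarder might hand you after
# parsing the XML), one or two per stage described in the post.
SAMPLE_EVENTS = [
    # Stage 1: RDP logon (LogonType 10) to the admin account from a public address.
    {"channel": "Security", "id": 4624, "TargetUserName": "Administrator",
     "LogonType": 10, "IpAddress": "1.2.3.4"},
    # A normal RDP session from the LAN, kept as a negative case.
    {"channel": "Security", "id": 4624, "TargetUserName": "helpdesk",
     "LogonType": 10, "IpAddress": "10.20.30.40"},
    # Stage 2: the same subject creates User1..User4 (the UserN pattern).
    {"channel": "Security", "id": 4720, "SubjectUserName": "Administrator", "TargetUserName": "User1"},
    {"channel": "Security", "id": 4720, "SubjectUserName": "Administrator", "TargetUserName": "User2"},
    {"channel": "Security", "id": 4720, "SubjectUserName": "Administrator", "TargetUserName": "User3"},
    {"channel": "Security", "id": 4720, "SubjectUserName": "Administrator", "TargetUserName": "User4"},
    {"channel": "Security", "id": 4720, "SubjectUserName": "hr.admin", "TargetUserName": "jsmith"},
    # Stage 3: executables launched from a profile's Music or Pictures folder.
    {"channel": "Security", "id": 4688, "SubjectUserName": "Administrator",
     "NewProcessName": r"C:\Users\Administrator\Music\avkiller.exe"},
    {"channel": "Security", "id": 4688, "SubjectUserName": "User3",
     "NewProcessName": r"C:\Users\User3\Pictures\locker.exe"},
    {"channel": "Security", "id": 4688, "SubjectUserName": "User3",
     "NewProcessName": r"C:\Windows\System32\notepad.exe"},
    # Stage 4: Defender reports real-time protection switched off.
    {"channel": "Microsoft-Windows-Windows Defender/Operational", "id": 5001},
]

# Names that differ only by a trailing number: base name followed by digits.
SEQUENTIAL_NAME = re.compile(r"^([A-Za-z][A-Za-z._-]*?)(\d+)$")
# Executables started straight out of a profile's Music or Pictures folder.
DROP_DIR_EXE = re.compile(
    r"^[A-Za-z]:\\Users\\[^\\]+\\(Music|Pictures)\\[^\\]+\.exe$", re.IGNORECASE)
# Assumption: Defender/Operational IDs 5001 (real-time protection disabled),
# 5010 (scanning disabled) and 5012 (antivirus disabled) signal tampering.
DEFENDER_TAMPER_IDS = {5001, 5010, 5012}


def is_public_ip(ip):
    """True for globally routable addresses; private, loopback, link-local,
    documentation and reserved ranges (and unparseable strings) return False."""
    try:
        return ipaddress.ip_address(ip).is_global
    except ValueError:
        return False


def rdp_logons_from_public_ips(events):
    """4624 with LogonType 10 (RemoteInteractive) from a public source address."""
    return [e for e in events
            if e["channel"] == "Security" and e["id"] == 4624
            and e.get("LogonType") == 10 and is_public_ip(e.get("IpAddress", ""))]


def sequential_account_creation(events, min_count=3):
    """4720 bursts where one subject creates accounts sharing a base name and
    differing only by a trailing number (User1, User2, ...)."""
    groups = defaultdict(list)
    for e in events:
        if e["channel"] == "Security" and e["id"] == 4720:
            m = SEQUENTIAL_NAME.match(e["TargetUserName"])
            if m:
                groups[(e["SubjectUserName"], m.group(1).lower())].append(e["TargetUserName"])
    return {creator_base: names for creator_base, names in groups.items()
            if len(names) >= min_count}


def processes_from_drop_dirs(events):
    """4688 process creations whose image lives in a Music or Pictures folder."""
    return [e["NewProcessName"] for e in events
            if e["channel"] == "Security" and e["id"] == 4688
            and DROP_DIR_EXE.match(e["NewProcessName"])]


def defender_tamper_events(events):
    """Defender/Operational events that indicate protection was turned off."""
    return [e["id"] for e in events
            if e["channel"].startswith("Microsoft-Windows-Windows Defender")
            and e["id"] in DEFENDER_TAMPER_IDS]


def triage(events):
    """Run every check and count how many stages of the chain are visible."""
    findings = {
        "rdp_from_public_ip": [e["TargetUserName"] for e in rdp_logons_from_public_ips(events)],
        "sequential_accounts": sequential_account_creation(events),
        "exe_from_drop_dirs": processes_from_drop_dirs(events),
        "defender_tamper": defender_tamper_events(events),
    }
    findings["stages_seen"] = sum(1 for v in findings.values() if v)
    return findings


if __name__ == "__main__":
    for key, value in triage(SAMPLE_EVENTS).items():
        print(f"{key}: {value}")
```

Each check on its own is noisy (a help desk that names accounts Temp1, Temp2 will trip the account rule), which is why `triage` counts stages rather than alerting on any single hit; seeing two or more of these in one host's logs within a short window is the signal worth paging on. The log-side hunt is the detection layer; it does not replace the preventive ones the post names, namely blocking RDP from public addresses, MFA and strong admin passwords.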