I am writing an installer process (.exe). My installer deploys different components. It will add registry entries, copy files, copy files over the network, remote execute, run remote PowerShell, run local PowerShell, etc.
Sometimes, antivirus DLLs are injected into my process and harm my installer's function flow, causing it to fail (blocking it, killing it, etc.).
Questions:
- Are there any best practices or guidelines out there to detect this?
- Are there any best practices or guidelines out there to eliminate this problem? (FYI, we signed the DLLs/EXE.)
An example approach:
- Start the installer; when it's up and running, use Procmon or ListDLLs, get the list of loaded DLLs, and check whether any of the DLLs belongs to a known antivirus or EDR suite. If so, disable it.
I'm looking for a highly reliable way to figure out if antivirus or EDR is interfering with my process. All my .exe and DLLs are signed.
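The detection step described in the question (enumerate the DLLs loaded into the installer and look for ones that don't belong to it) can be scripted instead of read off Procmon or ListDLLs by hand. The script below is an added example, not code from the question or any product; it lists the modules of a running process and flags every DLL whose Authenticode signer is not one of the publishers you expect. The `$TrustedSubjectPatterns` values are placeholders: `CN=Example Installer Vendor*` stands for the Subject of your own code-signing certificate, and the process ID is supplied by the caller. Run it from an elevated 64-bit PowerShell so the module list of a 64-bit process can be read.

```powershell
# Added diagnostic example (not part of the original question): enumerate the DLLs
# loaded into a running process and flag any whose Authenticode signature is not
# valid or whose signer is not on our expected-publisher list.
param(
    [Parameter(Mandatory = $true)] [int] $ProcessId,
    # Placeholder patterns: replace the first entry with the Subject of your own
    # code-signing certificate. The Microsoft entries cover normal Windows DLLs.
    [string[]] $TrustedSubjectPatterns = @(
        'CN=Example Installer Vendor*',
        'CN=Microsoft Windows*',
        'CN=Microsoft Corporation*'
    )
)

$proc = Get-Process -Id $ProcessId -ErrorAction Stop

$report = foreach ($m in $proc.Modules) {
    # Get-AuthenticodeSignature verifies the file's embedded signature.
    $sig = Get-AuthenticodeSignature -FilePath $m.FileName
    $subject = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<unsigned>' }

    $trusted = $false
    foreach ($pattern in $TrustedSubjectPatterns) {
        if ($subject -like $pattern) { $trusted = $true; break }
    }

    [pscustomobject]@{
        Module     = $m.ModuleName
        Path       = $m.FileName
        SigStatus  = $sig.Status
        Signer     = $subject
        # A DLL is "unexpected" if its signature does not verify or its signer
        # is not one of the publishers we listed above.
        Unexpected = (-not $trusted) -or ($sig.Status -ne 'Valid')
    }
}

# Show unexpected modules first, then keep a CSV of them for the support ticket.
$report | Sort-Object Unexpected -Descending | Format-Table -AutoSize
$report | Where-Object { $_.Unexpected } |
    Export-Csv -NoTypeInformation -Path "$env:TEMP\installer-modules-$ProcessId.csv"
```

Two caveats when reading the output. First, an "unexpected" DLL is only evidence that something third-party is inside the process, not proof that it is the cause of a failure; correlate the flagged module's publisher with the Application and security-product event logs from the same time window before concluding that the product is interfering. Second, much of what antivirus and EDR products do happens in kernel mode (file-system minifilters, process and registry callbacks) and never shows up as a loaded DLL, so an empty list of unexpected modules does not rule out interference; in that case the product's own logs and exclusion mechanism, used in agreement with the customer's security team, are the reliable path rather than anything done from inside the installer.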