How does process termination work?

When malware attempts to terminate the process of a well-known security app, how does it figure out which process to terminate?

Does it search for the default process name like antivirus.exe and/or does it terminate the process based on its checksum?

Thanks!

 

Many virus authors try many different methods to disable anti-virus software. Mostly they search for file/process-names, but there are virii what terminates AV by using the IFEO method.

IFEO stands for "image file execution options". This technology can redirect execution of a file. For example, if you want to run ABC.exe, the computer can be made to run XYZ.exe instead of ABC.exe.
This is done because IFEO has an item in the Windows registry as HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ABC.exe
that tells it to run XYZ.exe instead.
Example:
The virus created an item in the Windows registry as
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avp.exe.
In this case, avp.exe is a key in the Windows registry, and avp.exe is also the filename of Kaspersky's anti-virus software.
Now, if you want to run Kaspersky's anti-virus software, the computer runs the specified .exe file instead of avp.exe.

More information about this technology you find in this Blog