It's somewhat common for malware to kill processes such as those from various anti-malware software, Process Monitor/Explorer, Wireshark, etc.
If it usually does that by looking at the window title of each program, would it be possible to run a small program across the network with psexec that simply changes its window title in order to see if it can trick malware into killing it before it's done? That would turn self-defending malware against itself…
There are several different ways to detect a particular process.
For example, it could be done from the executable's path, file size, executable strings, code signing certificate, etc., and not just the title.
You would also probably find that the malware was only checking the process on launch, and not checking it again once it was up and running.
Agreed. I've never seen a malware check constantly for running processes. It might of course exist, but that must be very rare.
Sure, for this particular type of malware, that might work. I've seen malware that looks for processes by name, rather than window title; as such, the technique you've described would not work.
Another means that you might consider is to identify those "security" programs that are installed and running on all systems within your domain. For example, if you know that your infrastructure uses McAfee or Symantec for AV, you can use WMI to query the status of the specifically named process on all active systems. You can do the same for the Security Center; some AV specifically registers with the Security Center, so you can see if the firewall and AV are up and running. This would simply be an alternative approach that you could use, rather than pushing something new to all the systems to be run.
HTH
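An added example (not from this thread or any poster) of the WMI/Security Center check described above, written in PowerShell with the CIM cmdlets. The hostnames, the process name `mcshield.exe`, and the `productState` bit decoding are assumptions for illustration; the thread does not specify them.

```powershell
function Get-AvStatus {
    param(
        [Parameter(Mandatory)] [string[]] $ComputerName,   # hosts to check (placeholder list below)
        [Parameter(Mandatory)] [string]   $ProcessName     # AV engine executable, e.g. 'mcshield.exe' (assumed)
    )
    foreach ($c in $ComputerName) {
        try {
            $s = New-CimSession -ComputerName $c -ErrorAction Stop
            # 1) Is the named AV process actually running right now? (WQL string match is case-insensitive)
            $proc = Get-CimInstance -CimSession $s -ClassName Win32_Process -Filter "Name = '$ProcessName'"
            # 2) What does Security Center report? root/SecurityCenter2 exists only on client SKUs,
            #    so treat a missing namespace as "unknown" rather than as "AV off".
            $av = Get-CimInstance -CimSession $s -Namespace 'root/SecurityCenter2' -ClassName AntiVirusProduct -ErrorAction SilentlyContinue
            $fw = Get-CimInstance -CimSession $s -Namespace 'root/SecurityCenter2' -ClassName FirewallProduct -ErrorAction SilentlyContinue
            foreach ($p in $av) {
                # productState decoding is a widely used heuristic, not a documented contract (assumption):
                # nibble at bit 12 == 1 -> real-time protection on; nibble at bit 4 == 1 -> signatures stale
                $state = [int]$p.productState
                [pscustomobject]@{
                    Computer         = $c
                    ProcessRunning   = [bool]$proc
                    AvProduct        = $p.displayName
                    RealTimeEnabled  = ((($state -shr 12) -band 0xF) -eq 1)
                    SignaturesStale  = ((($state -shr 4)  -band 0xF) -eq 1)
                    FirewallProducts = ($fw.displayName -join ';')
                }
            }
            if (-not $av) {
                [pscustomobject]@{ Computer = $c; ProcessRunning = [bool]$proc; AvProduct = '(none reported)';
                                   RealTimeEnabled = $null; SignaturesStale = $null; FirewallProducts = ($fw.displayName -join ';') }
            }
            Remove-CimSession $s
        } catch {
            # An unreachable host is a finding too: record it instead of silently skipping it.
            [pscustomobject]@{ Computer = $c; ProcessRunning = $null; AvProduct = "ERROR: $($_.Exception.Message)";
                               RealTimeEnabled = $null; SignaturesStale = $null; FirewallProducts = $null }
        }
    }
}

# Placeholder hosts and process name; substitute your own. Shows only hosts where the
# AV process is missing or Security Center says real-time protection is off.
Get-AvStatus -ComputerName 'WKS01', 'WKS02' -ProcessName 'mcshield.exe' |
    Where-Object { -not $_.ProcessRunning -or $_.RealTimeEnabled -eq $false } |
    Format-Table -AutoSize
```

A host where Security Center reports the product as enabled but the process is not running is exactly the case the thread is worried about, so compare both columns rather than trusting either one alone.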
Great answers, thanks guys!