Binary Removal Protection #1695
rrlocksmith started this conversation in Ideas
-
This is a very valid concern actually. Currently we rely on the OS permissions model to prevent removal, but as you say, if the TA elevates to system they can bypass those. The next level of protection is by using a signed kernel driver, which we might be able to implement in future, but currently we don't have kernel components.
-
Besides requiring root/admin on a system, are there any considerations for protecting the removal of the binary? Say with a password or RSA key pair?
If that's a silly question then apologies in advance; all I can think of is the times I have seen Threat Actors disable/uninstall security products.