Malware vaccination tricks: blue pills or red pills

Malware vaccination tricks: blue pills or red pills

First, let me explain what I mean by malware vaccination tricks. Most of you will have heard about some of these. Vaccination tricks are in fact techniques that use safety checks done by malware against that same malware. The malware checks for the presence of certain files or registry keys as a sign that the machine should not be infected. And users make sure those keys or files are present as a security measure.

Examples of safety checks

  • A lot of malware contains routines to check whether it is running on a Virtual Machine (VM), sandbox or with a debugger. They do this to avoid being detected by many of the automated systems the AV industry uses to deal with the large numbers of malware that surface every second of the day.
  • Some malware check the default language installed on the affected system or the keyboard language. They do this because they shy away from infecting systems in certain countries, or quite the opposite because they target certain countries.
  • Certain types of malware check whether they have already infected a certain machine by creating a certain registry key or dropping a certain file. They do this to avoid problems, conflicts, and monitoring. Especially certain families of ransomware are known to do this.
  • Online checks are another form of testing whether a machine could be run by analysts. The most famous example must be WannaCry.
  • Canary file checks are another type of check, mostly done by ransomware. In these cases, the canary files are files that trigger an alarm as soon as they are being changed. They are designed to alert users that there might be an active ransomware infection, which is encrypting files.
  • Software checks are done to avoid infecting machines that might be recording, debugging, or sending telemetry. Some exploit kits, for example, do not infect machines that are running Malwarebytes to avoid showing up in our telemetry. Other popular software they avoid is Wireshark, which is often used by analysts to capture network traffic.

So how could we use this knowledge?

Red pills

  • Installing security software like Malwarebytes and others is obviously a good idea because it not only scares away some malware, but it is foremost an excellent security software.
  • If you can live with the lowered specs that are a result of using virtual machines and sandboxes, this is another good idea to enhance your security. If you use your VM right you can go back to a recent image in case of an emergency. And sandboxes can keep accidents contained within a limited environment.

Blue pills

  • Changing your default language is an option that I would not recommend for people that are not fluent in the language they are installing. From personal past experiences, using different languages side by side on a Windows system can cause Babylonian language confusions on your system.
  • Adding certain registry keys if you are afraid of a particular infection doesn’t hurt your system much, but they are no guarantee for permanent vaccination. If we all start adding HKEY_CURRENT_USERSoftwareLocky to our registry, the malware authors will soon design another check and none of us would be protected anymore after they changed it.
  • Adding a keyboard layout that you never plan on using, is a rather harmless method unless you have a tendency to hit two adjoining keys on regular bases (Ctrl+Shift changes the keyboard layout to the next option you have installed). Besides that, most malware use more refined methods to check where you are from.


Some knowledge is good to have and we would like to thank all the researchers for sharing what they found. But the methods that some vaccines require are of no real use unless you are especially afraid of one certain type of malware. There are so many ways for malware to check whether it is running on a VM that it is almost impossible to “fake” all of them so you would have to know what type of check the malware, you are afraid of most, is using. IMHO the same is true for putting all kinds of files on your system that will supposedly stop ransomware from encrypting your files. Some of these vaccines are so much work they would require automation IMHO, like putting a malformed image in every directory holding files which you don’t want to be encrypted by Cerber.


Sometimes vaccines against certain malware are offered by researchers that point out a method you can use to protect against a particular form or variant of malware. We are not saying that these methods do not work, but we would like to point out that applying all these vaccines can easily turn into a full-time job and you still wouldn’t be protected adequately. It is better to make sure your systems are really protected and easily restored than to clutch at every little straw you are offered.

Hint for those that didn’t get the pills reference: “What would Neo do?”

Take care out there and safe surfing.

Pieter Arntz


Pieter Arntz

Malware Intelligence Researcher

Was a Microsoft MVP in consumer security for 12 years running. Can speak four languages. Smells of rich mahogany and leather-bound books.