Tags: windows, winapi, kernel, driver, wdk

How to create a process with the PsProtectedSignerAntimalware flag set if I already have a kernel driver?


How do some processes in Windows get the PsProtectedSignerAntimalware flag set for them? That is, how does Windows decide which processes should have this flag set when they are created?

More info regarding this flag:

https://www.crowdstrike.com/blog/evolution-protected-processes-part-1-pass-hash-mitigations-windows-81/

I doubt that Microsoft has hardcoded the list of antiviruses somewhere and decides which processes should get this flag based on the certificate, so how does Windows decide which processes should get this flag?

Let's say I already have a driver loaded. Is there any way I can force my user-mode processes to have this flag?


Solution

  • It seems to be related to the EKUs of the certificate used to sign the binary. Take a look at this presentation by Alex Ionescu, at slides 11 and 19:

    https://nosuchcon.org/talks/2014/D3_05_Alex_ionescu_Breaking_protected_processes.pdf

    And also the third part of the blog series you linked:

    https://www.crowdstrike.com/blog/protected-processes-part-3-windows-pki-internals-signing-levels-scenarios-signers-root-keys/

    Anyway, I haven't been able to find the exact value of the EKU that is required, but I think that if you are interested, Microsoft can help you with that.
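
The following is an added example, not code from the question, the answer, or Microsoft. It gives the two checks a practitioner actually wants when chasing this flag: which EKUs the Authenticode signer certificate of an image carries (the property the answer points at), and which protection level the kernel really granted to a running process. Assumptions: Windows 8.1 or later with Windows PowerShell 5.1, run as an ordinary user; the `GetProcessInformation` call with `ProcessProtectionLevelInfo` (value 7) and the `PROTECTION_LEVEL_*` numbering are as declared in `processthreadsapi.h`, with level 3 (`PROTECTION_LEVEL_ANTIMALWARE_LIGHT`) being the PPL level that carries `PsProtectedSignerAntimalware`; the `ProcProt` class and the `Get-SignerEku` / `Get-ProcessProtection` function names are invented for this example.

```powershell
# Added example (not from the question or answer). Assumes Windows 8.1+,
# Windows PowerShell 5.1, and the PROTECTION_LEVEL_* values from
# processthreadsapi.h. Class and function names are made up for the example.

Add-Type -TypeDefinition @"
using System;
using System.Runtime.InteropServices;
public static class ProcProt {
    [StructLayout(LayoutKind.Sequential)]
    public struct PROCESS_PROTECTION_LEVEL_INFORMATION { public uint ProtectionLevel; }

    [DllImport("kernel32.dll", SetLastError = true)]
    public static extern IntPtr OpenProcess(uint desiredAccess, bool inheritHandle, int processId);

    [DllImport("kernel32.dll", SetLastError = true)]
    public static extern bool CloseHandle(IntPtr handle);

    // PROCESS_INFORMATION_CLASS::ProcessProtectionLevelInfo == 7
    [DllImport("kernel32.dll", SetLastError = true)]
    public static extern bool GetProcessInformation(IntPtr handle, int infoClass,
        ref PROCESS_PROTECTION_LEVEL_INFORMATION info, int size);
}
"@

function Get-SignerEku {
    # Lists the EKU OIDs on the leaf certificate that signed $Path.
    # Get-AuthenticodeSignature also resolves catalog-signed Windows binaries.
    param([Parameter(Mandatory)][string]$Path)
    $sig  = Get-AuthenticodeSignature -FilePath $Path
    $ekus = @()
    if ($sig.SignerCertificate) {
        $ext = $sig.SignerCertificate.Extensions |
            Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
        if ($ext) {
            $ekus = @($ext.EnhancedKeyUsages | ForEach-Object { "$($_.Value) ($($_.FriendlyName))" })
        }
    }
    [pscustomobject]@{
        Path    = $Path
        Status  = $sig.Status          # Valid, NotSigned, HashMismatch, ...
        Subject = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
        Ekus    = $ekus
    }
}

function Get-ProcessProtection {
    # Asks the kernel for the protection level of a process. Only
    # PROCESS_QUERY_LIMITED_INFORMATION is needed, which an unprotected caller
    # may obtain even on a PPL process.
    param([Parameter(Mandatory)][int]$ProcessId)
    $PROCESS_QUERY_LIMITED_INFORMATION = 0x1000
    $h = [ProcProt]::OpenProcess($PROCESS_QUERY_LIMITED_INFORMATION, $false, $ProcessId)
    if ($h -eq [IntPtr]::Zero) {
        $err = [Runtime.InteropServices.Marshal]::GetLastWin32Error()
        throw "OpenProcess($ProcessId) failed: $([ComponentModel.Win32Exception]::new($err).Message)"
    }
    try {
        $info = [ProcProt+PROCESS_PROTECTION_LEVEL_INFORMATION]::new()
        $size = [Runtime.InteropServices.Marshal]::SizeOf($info)
        if (-not [ProcProt]::GetProcessInformation($h, 7, [ref]$info, $size)) {
            $err = [Runtime.InteropServices.Marshal]::GetLastWin32Error()
            throw "GetProcessInformation($ProcessId) failed: $([ComponentModel.Win32Exception]::new($err).Message)"
        }
        $raw  = [int64]$info.ProtectionLevel   # widen so the switch compares cleanly
        $name = switch ($raw) {
            0          { 'WinTcbLight' }
            1          { 'Windows' }
            2          { 'WindowsLight' }
            3          { 'AntimalwareLight' }   # PPL with PsProtectedSignerAntimalware
            4          { 'LsaLight' }
            5          { 'WinTcb' }
            6          { 'CodeGenLight' }
            7          { 'Authenticode' }
            8          { 'PplApp' }
            4294967295 { 'None' }               # PROTECTION_LEVEL_NONE (0xFFFFFFFF)
            default    { "Unknown($raw)" }
        }
        [pscustomobject]@{ ProcessId = $ProcessId; Level = $name; Raw = $raw }
    }
    finally {
        [void][ProcProt]::CloseHandle($h)
    }
}

# Usage: every process the kernel reports as protected, with the EKUs on the
# signer of its image. The image path of a protected process is usually not
# readable from a non-elevated shell, so fall back to a marker in that case.
Get-Process | ForEach-Object {
    $proc = $_
    try { $prot = Get-ProcessProtection -ProcessId $proc.Id } catch { return }
    if ($prot.Level -eq 'None') { return }
    $ekus = '(image path unavailable)'
    if ($proc.Path) { $ekus = (Get-SignerEku -Path $proc.Path).Ekus -join '; ' }
    [pscustomobject]@{
        Pid        = $proc.Id
        Name       = $proc.ProcessName
        Protection = $prot.Level
        SignerEkus = $ekus
    }
} | Format-Table -AutoSize -Wrap
```

Reading the two columns side by side is the useful part: the EKU list is what the certificate asserts, while the protection level is what the kernel decided at process creation. The two do not have to agree, because, as the part 3 article above walks through, the signature must also chain to a root the kernel accepts for that signer level; an EKU copied onto a certificate from some other chain earns nothing. The script only observes, it cannot set a level, and it will show `Unknown(n)` rather than guess if a newer Windows build reports a value outside the table.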