Book Image

Antivirus Bypass Techniques

By : Nir Yehoshua, Uriel Kosayev
Book Image

Antivirus Bypass Techniques

By: Nir Yehoshua, Uriel Kosayev

Overview of this book

Antivirus software is built to detect, prevent, and remove malware from systems, but this does not guarantee the security of your antivirus solution as certain changes can trick the antivirus and pose a risk for users. This book will help you to gain a basic understanding of antivirus software and take you through a series of antivirus bypass techniques that will enable you to bypass antivirus solutions. The book starts by introducing you to the cybersecurity landscape, focusing on cyber threats, malware, and more. You will learn how to collect leads to research antivirus and explore the two common bypass approaches used by the authors. Once you’ve covered the essentials of antivirus research and bypassing, you'll get hands-on with bypassing antivirus software using obfuscation, encryption, packing, PowerShell, and more. Toward the end, the book covers security improvement recommendations, useful for both antivirus vendors as well as for developers to help strengthen the security and malware detection capabilities of antivirus software. By the end of this security book, you'll have a better understanding of antivirus software and be able to confidently bypass antivirus software.
Table of Contents (13 chapters)
1
Section 1: Know the Antivirus – the Basics Behind Your Security Solution
5
Section 2: Bypass the Antivirus – Practical Techniques to Evade Antivirus Software
9
Section 3: Using Bypass Techniques in the Real World

Antivirus bypass using encryption

Encrypting code is one of the most common ways to succeed with a bypass and one of the most efficient ways to hide the source code.

Using encryption, the malicious functionality of the malware will appear as a harmless piece of code and sometimes seem to be completely irrelevant, meaning the antivirus software will treat it as such and will allow the malware to successfully run on the system.

But before malware starts to execute its malicious functionality, it needs to decrypt its code within runtime memory. Only after the malware decrypts itself will the code be ready to begin its malicious actions.

The following diagram shows the difference between an EXE file with and without encryption:

Figure 5.10 – Malware before and after encryption took place

In order to use code encryption techniques correctly, there are a few basic sub-techniques to be familiar with that we used while writing this book. Here are these...