By Adrien C., Cybersecurity Expert
Avast Antivirus, Kaspersky, McAfee... An essential tool for the cautious internet user, antivirus software is one of the defenses we have to protect ourselves from the various dangers lurking on the internet. But how effective is it? Are there ways to bypass the protections it puts in place? Today, I invite you to explore this question with me in this article.

Antivirus software: protective software?
As its name suggests, this is software initially designed to identify, neutralize, and destroy malware (of which computer viruses are just one category among many).
The latter may exploit security vulnerabilities to achieve their ends, but they may also be software that modifies or deletes files, whether they are user documents stored on the infected computer or files essential to the proper functioning of the computer (most often those of the operating system). Another example is ransomware, which encrypts folders and files to hold your data hostage.
In general, antivirus software regularly scans files and emails, boot sectors (to detect viruses that affect the boot process), as well as the computer's RAM, removable media (USB drives, CDs, DVDs, etc.), data transmitted over networks (including the internet), etc.
Three detection methods...
There are three possible methods for detecting malware:
- The main method, and undoubtedly the most common, is to identify the virus signature found in an infected file. When new malware emerges, its virus signature (defined by part of its code) is isolated and added to a database. It is then regularly compared with the code of files on the computer.
- The heuristic method, known to be relatively effective, studies potential malicious code through its behavior. The antivirus executes the code or script of the file to be analyzed in a "sandbox" environment while simultaneously analyzing the program's instructions to determine its behavior, isolating the code of the suspicious file from the actual machine.
If the antivirus detects suspicious instructions such as file deletion or the launch of multiple processes, the file in question will be identified as a virus and the user will be alerted. However, the heuristic method can sometimes generate false positives.
- Finally, there is the form analysis method, which relies on filtering based on regular expressions (regexp) or other rules stored in a rules file. This last method is known to be effective in certain specific areas, such as email servers that support Postfix-style regexp tables, since it does not rely on a signature file.
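To make the three methods concrete, here is an added example (not code from the original article or from any antivirus vendor) that runs each one over constructed inputs: a byte-fragment signature database matched against two fake files, a toy "sandbox" that scores a trace of actions instead of executing anything (so the false positive on a legitimate cleanup script is visible), and a regexp rules file in the spirit of a Postfix header_checks table applied to constructed mail headers. All signatures, file contents, traces, rules and headers are hypothetical, and the `/regex/ ACTION message` rule format is this demo's own.

```python
import re
from typing import Optional

# 1. Signature method: a fragment of the sample's own code is the signature.
#    Database and files are constructed for this demo (hypothetical fragments).
SIGNATURE_DB = {
    b"\x55\x8b\xec\xe8DEMO-TROJAN": "Trojan.Demo.A",
    b"LOCK_ALL_FILES_v1": "Ransom.Demo.B",
}
SAMPLE_FILES = {
    "report.txt": b"Quarterly report: revenue up 3 percent.",
    "setup.exe": b"MZ\x90\x00" + b"\x00" * 8 + b"\x55\x8b\xec\xe8DEMO-TROJAN" + b"\x00" * 8,
}


def signature_scan(data: bytes) -> Optional[str]:
    """Return the name of the first signature found in data, or None if clean."""
    for fragment, name in SIGNATURE_DB.items():
        if fragment in data:
            return name
    return None


# 2. Heuristic method: judge behaviour, not bytes. Instead of executing the
#    sample, this toy "sandbox" reads a constructed trace of the actions the
#    sample would perform ("ACTION argument", one per line) and scores them.
SANDBOX_TRACES = {
    "installer.trace": [
        "CREATE_FILE app.dat",
        "WRITE_REG HKCU\\Software\\DemoApp",
        "SPAWN_PROCESS app.exe",
    ],
    "wiper.trace": [
        "DELETE_FILE C:\\Users\\me\\doc1.docx",
        "DELETE_FILE C:\\Users\\me\\doc2.docx",
        "DELETE_FILE C:\\Users\\me\\doc3.docx",
    ] + ["SPAWN_PROCESS worker.exe"] * 4,
    # Legitimate temp-file cleanup: it deletes files, so it trips the rule.
    # This is the false positive the article warns about.
    "cleanup.trace": ["DELETE_FILE C:\\Temp\\%d.tmp" % i for i in range(3)],
}


def heuristic_scan(trace, max_deletes=2, max_spawns=3):
    """Return the suspicious behaviours seen in a trace (empty list = clean)."""
    deletes = sum(1 for line in trace if line.startswith("DELETE_FILE "))
    spawns = sum(1 for line in trace if line.startswith("SPAWN_PROCESS "))
    reasons = []
    if deletes > max_deletes:
        reasons.append(f"{deletes} file deletions")
    if spawns > max_spawns:
        reasons.append(f"{spawns} process launches")
    return reasons


# 3. Form analysis: regexp rules kept in a rules file and applied to each mail
#    header, in the spirit of a Postfix header_checks table. The '/regex/ ACTION
#    message' format is this demo's own; rules and headers are constructed.
RULES_FILE = r"""
# /regex/ ACTION message
/(?i)^Subject:.*invoice attached/ REJECT suspicious subject line
/^Content-Type:.*name=.*\.(exe|scr|js)"?$/ REJECT executable attachment
"""
EMAIL_HEADERS = [
    "From: billing@example.invalid",
    "Subject: Invoice attached - please review",
    'Content-Type: application/octet-stream; name="invoice.pdf.exe"',
]


def load_rules(text):
    """Parse the rules file into (compiled regex, action, message) tuples."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"^/(.*)/\s+(\S+)\s+(.*)$", line)
        if not m:
            raise ValueError(f"malformed rule: {line}")
        rules.append((re.compile(m.group(1)), m.group(2), m.group(3)))
    return rules


def rule_scan(headers, rules):
    """Return (action, message, header) for every header that a rule matches."""
    return [(action, message, header)
            for header in headers
            for regex, action, message in rules
            if regex.search(header)]


if __name__ == "__main__":
    for name, data in SAMPLE_FILES.items():
        print("signature ", name, signature_scan(data))
    for name, trace in SANDBOX_TRACES.items():
        print("heuristic ", name, heuristic_scan(trace) or "clean")
    for hit in rule_scan(EMAIL_HEADERS, load_rules(RULES_FILE)):
        print("form      ", hit)
```

Running it shows the trade-off the article describes: the signature scan is exact but only catches what is already in the database, the heuristic flags the wiper but also the harmless cleanup script, and the rules file catches the mail with the executable attachment without needing a signature update at all.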
In terms of the scope to be monitored, antivirus programs can scan the contents of a hard drive, but also the computer's RAM.
The most modern versions also work at the network boundary, scanning file exchanges with the outside world in both directions: incoming (downloads) and outgoing (uploads).
In an ideal world, one might think that the methods outlined above are 100% reliable and guarantee us good protection in all circumstances...
"But that would be forgetting the first commandment of cybersecurity: there is no such thing as zero risk!"
... Limited!
Over time, cybercriminals have developed a set of techniques to bypass the protections offered by antivirus software, including the following non-exhaustive list:
Code compression/encryption
Most modern malware is compressed and encrypted. The malicious code is deeply modified without changing its behavior, allowing it to evade detection by its virus signature. Antivirus programs are therefore forced to add new decompression/decryption methods or new signatures for each sample of malware identified.
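Two consequences of this paragraph can be shown in code, as an added example that is not part of the original article: a signature matched on raw bytes disappears once the file is compressed and reappears only when the scanner inflates the stream first (the "new decompression method" the scanner has to grow), and a byte-entropy sweep flags the high-entropy regions that compressed or encrypted payloads leave behind, which is a common heuristic for spotting packed files even when no signature matches. The signature fragment, file contents and the pseudo-random block standing in for an encrypted payload are all constructed for the demo.

```python
import math
import random
import zlib
from collections import Counter

# Hypothetical signature fragment and a constructed "file" that contains it.
SIGNATURE = b"\x55\x8b\xec\xe8DEMO-TROJAN"
PLAIN_SAMPLE = b"harmless-looking padding " * 8 + SIGNATURE + b" more padding" * 8
# Same content, different bytes: a plain raw-byte scan no longer sees SIGNATURE.
PACKED_SAMPLE = zlib.compress(PLAIN_SAMPLE, 9)


def signature_present(data: bytes, try_unpack: bool = True):
    """Return 'raw' if SIGNATURE is in the bytes as stored, 'after-unpack' if it
    only appears once a zlib stream is inflated, or None if not found."""
    if SIGNATURE in data:
        return "raw"
    if try_unpack:
        try:
            if SIGNATURE in zlib.decompress(data):
                return "after-unpack"
        except zlib.error:
            pass  # not a zlib stream; a real scanner would try its other unpackers
    return None


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: near 0 for constant data, near 8 for encrypted/random data."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def high_entropy_windows(data: bytes, window: int = 1024, threshold: float = 7.0):
    """Offsets of fixed-size windows whose entropy suggests packed/encrypted content."""
    return [off for off in range(0, len(data), window)
            if shannon_entropy(data[off:off + window]) >= threshold]


def build_demo_file() -> bytes:
    """Constructed 8 KiB file: 4 KiB of readable config text followed by 4 KiB of
    seeded pseudo-random bytes standing in for an encrypted payload."""
    text = (b"harmless configuration text line\n" * 128)[:4096]
    rng = random.Random(0)  # fixed seed keeps the demo deterministic
    payload = bytes(rng.randrange(256) for _ in range(4096))
    return text + payload


if __name__ == "__main__":
    print("plain  :", signature_present(PLAIN_SAMPLE))
    print("packed, raw scan only:", signature_present(PACKED_SAMPLE, try_unpack=False))
    print("packed, with unpack  :", signature_present(PACKED_SAMPLE))
    print("suspicious windows   :", high_entropy_windows(build_demo_file()))
```

The entropy sweep is deliberately coarse: it cannot say what a high-entropy region contains, only that a signature scanner should not trust its verdict on those bytes until they are unpacked, which is exactly why the heuristic and sandbox methods exist alongside signatures.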
Rootkits
Stealth technologies, or "rootkits," are software programs that can intercept and replace OS system functions in order to make the infected file invisible to the operating system and antivirus software. In addition, the registry branches where the Trojan horse and other system files are stored can also be hidden.
Blocking antivirus software and antivirus database updates
Instead of playing it safe, some attackers prefer to directly disable their victim's antivirus software before compromising their machine.
Many types of malware that infect networks actively search for antivirus software in the list of active processes on the targeted computer.
The malicious program then attempts to perform a series of actions such as:
- Block the antivirus software
- Modify the virus signature database so that the malware is no longer detected
- Interfere with the proper functioning of antivirus software update processes
To defend against this technique, antivirus software must protect itself by regularly checking the integrity of its databases and hiding its processes.
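The integrity check mentioned here is easy to demonstrate. The following added example (not the original article's code, nor any vendor's) seals a constructed signature database with an HMAC over its entries and its last-update timestamp, refuses to load it if an entry has been removed while the old MAC is left in place, and separately flags a database that has gone too long without an update, which is what a blocked update process looks like from the inside. The database entries and the integrity key are placeholders.

```python
import hashlib
import hmac
import json

# Constructed signature database: hypothetical names and hex code fragments,
# not a real vendor format.
SIGNATURE_DB = {
    "Trojan.Demo.A": "558bece844454d4f2d54524f4a414e",
    "Ransom.Demo.B": "4c4f434b5f414c4c5f46494c45535f7631",
}

# Placeholder key. A real scanner keeps this where user-level malware cannot
# read or replace it (protected vendor storage, or a signing key that never
# ships at all). An unkeyed hash would not do: whoever can rewrite the database
# file can recompute a plain hash as well.
INTEGRITY_KEY = b"PLACEHOLDER-integrity-key"


class IntegrityError(Exception):
    """Raised when the database no longer matches its MAC."""


def canonical_bytes(body: dict) -> bytes:
    """Stable serialisation so the MAC does not depend on dict ordering."""
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def seal_database(entries: dict, updated_at: int, key: bytes = INTEGRITY_KEY) -> dict:
    """Produce the on-disk form: entries + update timestamp + MAC over both."""
    body = {"entries": entries, "updated_at": updated_at}
    mac = hmac.new(key, canonical_bytes(body), hashlib.sha256).hexdigest()
    return {"body": body, "mac": mac}


def database_is_intact(sealed: dict, key: bytes = INTEGRITY_KEY) -> bool:
    """True only if the MAC still matches the body (constant-time comparison)."""
    expected = hmac.new(key, canonical_bytes(sealed["body"]), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, sealed["mac"])


def update_is_stale(sealed: dict, now: int, max_age_seconds: int = 86400) -> bool:
    """A database not refreshed within max_age suggests the update process is
    being interfered with and should raise an alert."""
    return now - sealed["body"]["updated_at"] > max_age_seconds


def load_database(sealed: dict, now: int, key: bytes = INTEGRITY_KEY) -> dict:
    """Refuse to load a modified database; warn when updates look blocked."""
    if not database_is_intact(sealed, key):
        raise IntegrityError("signature database modified; refusing to load")
    if update_is_stale(sealed, now):
        print("warning: signature database is stale; updates may be blocked")
    return sealed["body"]["entries"]


def remove_entry_demo(sealed: dict, name: str) -> dict:
    """Simulate the tampering the article describes: same file, one entry
    removed, MAC left untouched. Returns the tampered copy for testing."""
    tampered = json.loads(json.dumps(sealed))  # deep copy via round-trip
    tampered["body"]["entries"].pop(name)
    return tampered


if __name__ == "__main__":
    sealed = seal_database(SIGNATURE_DB, updated_at=1_000)
    print("intact:", database_is_intact(sealed))
    print("stale after 2 days:", update_is_stale(sealed, now=1_000 + 2 * 86400))
    tampered = remove_entry_demo(sealed, "Trojan.Demo.A")
    try:
        load_database(tampered, now=2_000)
    except IntegrityError as exc:
        print("rejected:", exc)
```

The check only helps if the key and the verifying code are themselves out of reach of the malware, which is why the article pairs it with hiding the antivirus processes: integrity verification run by a process the attacker can stop is no verification at all.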
In conclusion, we can only marvel at the ingenuity of both sides (antivirus developers and attackers) in developing detection methods and ways to circumvent them.
