Bypassing AV

At its core, a modern AV is fueled by signature updates fetched from the vendors signature database. Those signature definitions are stored in the AV's local database.

Anti Virus Components

A modern antivirus is typically designed around the following components:

File Engine: Responsible for both scheduled and real-time file scans. Parses the entire file system and sends each file's metadata or data to the signature engine
Memory Engine: Inspects each process's memory space at runtime for well-known binary signatures or suspicious API calls
Network Engine: Inspects the incoming and outgoing network traffic on the local network interface. If a signature is matched, it might attempt to block that connection.
Emulator/Sandbox: Loads files into sandbox, closes environment that emulates execution. This can counteract malware encryption / obfuscation.
Disassembler: Responsible for translating machine code into assembly language, reconstructing the original program code section, and identifying any encoding/decoding routine.
Browser Plugin: Modern AVs often employ browser plugins to get better visibility and detect malicious content that might be executed inside the browser. Protected by Sandbox.
Machine Learning Engine: A vital part of current AVs as it enables detection of unknown threats by relying on cloud-enhanced computing resources and algorithms.

Detection Methods

Modern antivirus use the following methods:

Signature-based Detection: Filesystem is scanned for known malware signatures and if any are detected, the offending files are quarantined.
Heuristic-based Detection: Relies on various rules and algorithms to determine whether or not an action is considered malicious. Searches for various patterns and program calls that may be considered suspicious.
Behavioral Detection: Searching for behaviors or actions that are considered malicious. Often times by emulating in a small virtual machine / sandbox environment.
Machine Learning Detection: Uses machine learning algorithms and models to collect additional data on behavior or program.

NOTE: Microsoft Windows Defender has two ML components: the client ML engine, which is responsible for creating ML models and heuristics, and the cloud ML engine, which is capable of analyzing the submitted sample against a metadata-based model comprised of all the submitted samples

Bypassing AV

To have highly effective antivirus evasion requires anti-reversing, anti-debugging, virtual machine emulation detection, direct / indirect use of syscalls, IAT hiding & obfuscation, packing & crypting.

Reference:

Packers:

PreviousFetch DLL from Web Server NextString Hashing

Last updated 6 months ago

Anti Virus Components

A modern antivirus is typically designed around the following components:

File Engine: Responsible for both scheduled and real-time file scans. Parses the entire file system and sends each file's metadata or data to the signature engine

Memory Engine: Inspects each process's memory space at runtime for well-known binary signatures or suspicious API calls

Network Engine: Inspects the incoming and outgoing network traffic on the local network interface. If a signature is matched, it might attempt to block that connection.

Emulator/Sandbox: Loads files into sandbox, closes environment that emulates execution. This can counteract malware encryption / obfuscation.

Disassembler: Responsible for translating machine code into assembly language, reconstructing the original program code section, and identifying any encoding/decoding routine.

Browser Plugin: Modern AVs often employ browser plugins to get better visibility and detect malicious content that might be executed inside the browser. Protected by Sandbox.

Machine Learning Engine: A vital part of current AVs as it enables detection of unknown threats by relying on cloud-enhanced computing resources and algorithms.

Detection Methods

Modern antivirus use the following methods:

Signature-based Detection: Filesystem is scanned for known malware signatures and if any are detected, the offending files are quarantined.

Heuristic-based Detection: Relies on various rules and algorithms to determine whether or not an action is considered malicious. Searches for various patterns and program calls that may be considered suspicious.

Behavioral Detection: Searching for behaviors or actions that are considered malicious. Often times by emulating in a small virtual machine / sandbox environment.

Machine Learning Detection: Uses machine learning algorithms and models to collect additional data on behavior or program.