Why Antivirus Software fails

Presented at DeepSec 2014 „Do you want to know more?“

Based on my work on antivirus evasion techniques (see link below), I started using antivirus evasion techniques to test the effectiveness of antivirus engines. I researched the internal functionality of antivirus products, especially the implementation of heuristics by sandboxing and emulation, and succeeded in evading these. One result of my research is a set of tests that determine whether a shellcode is running inside an x86 emulation engine. One test works by encrypting a payload that would normally be recognized as malicious. If the antivirus software still recognizes the encrypted payload, chances are high that x86 emulation was performed. Further test techniques I developed include, for example:

- Windows API calls
- using enhanced CPU features, such as the FPU, MMX registers etc.
- 64-bit payloads

At the time of this writing I have developed 36 different techniques as proof-of-concept code and tested them against 8 different products. More techniques and engines are pending. Together with documentation, papers and talks from other researchers, this gives a deeper understanding of how antivirus software functions and shows where it fails, both in general and in particular cases.

Presenters:

  • Daniel Sauder
    Daniel Sauder, OSCP, SLAE, CCNA, CompTIA Security+ and MCP, has about 10 years of experience in the IT business. Currently working as a penetration tester with a focus on Web Application Testing, Mobile Application Testing and IT Infrastructure Testing, he also has a strong background in Windows, Linux and Network Administration.
