Antivirus Bypass Techniques: Learn practical techniques and tactics to combat, bypass, and evade antivirus software

by Nir Yehoshua, Uriel Kosayev

Length: 242 pages
Edition: 1
Language: English
Publisher: Packt Publishing
Publication Date: 2021-07-16
ISBN-10: 1801079749
ISBN-13: 9781801079747
Sales Rank: #1236841 (See Top 100 Books)

0 ratings

Print Book Look Inside

Develop more secure and effective antivirus solutions by leveraging antivirus bypass techniques

Key Features

Gain a clear understanding of the security landscape and research approaches to bypass antivirus software
Become well-versed with practical techniques to bypass antivirus solutions
Discover best practices to develop robust antivirus solutions

Book Description

Antivirus software is built to detect, prevent, and remove malware from systems, but this does not guarantee the security of your antivirus solution as certain changes can trick the antivirus and pose a risk for users. This book will help you to gain a basic understanding of antivirus software and take you through a series of antivirus bypass techniques that will enable you to bypass antivirus solutions.

The book starts by introducing you to the cybersecurity landscape, focusing on cyber threats, malware, and more. You will learn how to collect leads to research antivirus and explore the two common bypass approaches used by the authors. Once you’ve covered the essentials of antivirus research and bypassing, you’ll get hands-on with bypassing antivirus software using obfuscation, encryption, packing, PowerShell, and more. Toward the end, the book covers security improvement recommendations, useful for both antivirus vendors as well as for developers to help strengthen the security and malware detection capabilities of antivirus software.

By the end of this security book, you’ll have a better understanding of antivirus software and be able to confidently bypass antivirus software.

What you will learn

Explore the security landscape and get to grips with the fundamentals of antivirus software
Discover how to gather AV bypass research leads using malware analysis tools
Understand the two commonly used antivirus bypass approaches
Find out how to bypass static and dynamic antivirus engines
Understand and implement bypass techniques in real-world scenarios
Leverage best practices and recommendations for implementing antivirus solutions

Who this book is for

This book is for security researchers, malware analysts, reverse engineers, pentesters, antivirus vendors looking to strengthen their detection capabilities, antivirus users and companies that want to test and evaluate their antivirus software, organizations that want to test and evaluate antivirus software before purchase or acquisition, and tech-savvy individuals who want to learn new topics.

Introduction to the Security Landscape
Before Research Begins
Antivirus Research Approaches
Bypassing the Dynamic Engine
Bypassing the Static Engine
Other Antivirus Bypass Techniques
Antivirus Bypass Techniques in Red Team Operations
Best Practices and Recommendations

Antivirus Bypass Techniques
Recommendation 
Contributors
About the authors
Reviewer
Preface
    Who this book is for
    What this book covers
    To get the most out of this book
    Code in Action
    Download the color images
    Conventions used
    Disclaimer
    Get in touch
    Reviews
Section 1: Know the Antivirus – the Basics Behind Your Security Solution
Chapter 1: Introduction to the Security Landscape
    Understanding the security landscape
    Defining malware
        Types of malware
    Exploring protection systems
    Antivirus – the basics
    Antivirus bypass in a nutshell
    Summary
Chapter 2: Before Research Begins
    Technical requirements
    Getting started with the research
    The work environment and lead gathering
        Process 
        Thread
        Registry 
    Defining a lead
    Working with Process Explorer
    Working with Process Monitor
    Working with Autoruns
    Working with Regshot
    Third-party engines
    Summary
Chapter 3: Antivirus Research Approaches
    Understanding the approaches to antivirus research
    Introducing the Windows operating system 
    Understanding protection rings 
    Protection rings in the Windows operating system
    Windows access control list
    Permission problems in antivirus software
        Insufficient permissions on the static signature file
        Improper privileges
    Unquoted Service Path
    DLL hijacking
    Buffer overflow
        Stack-based buffer overflow
        Buffer overflow – antivirus bypass approach
    Summary
Section 2: Bypass the Antivirus – Practical Techniques to Evade Antivirus Software
Chapter 4: Bypassing the Dynamic Engine
    Technical requirements
    The preparation
        Basic tips for antivirus bypass research
    VirusTotal
    VirusTotal alternatives
    Antivirus bypass using process injection
        What is process injection?
        Windows API
        Classic DLL injection
        Process hollowing
        Process doppelgänging
        Process injection used by threat actors
    Antivirus bypass using a DLL
        PE files
        PE file format structure
        The execution
    Antivirus bypass using timing-based techniques
        Windows API calls for antivirus bypass
        Memory bombing – large memory allocation
    Summary
    Further reading
Chapter 5: Bypassing the Static Engine
    Technical requirements
    Antivirus bypass using obfuscation
        Rename obfuscation
        Control-flow obfuscation
        Introduction to YARA
        How YARA detects potential malware
        How to bypass YARA
    Antivirus bypass using encryption
        Oligomorphic code
        Polymorphic code
        Metamorphic code
    Antivirus bypass using packing
        How packers work
        The unpacking process
        Packers – false positives
    Summary
Chapter 6: Other Antivirus Bypass Techniques
    Technical requirements
    Antivirus bypass using binary patching
        Introduction to debugging / reverse engineering
        Timestomping
    Antivirus bypass using junk code
    Antivirus bypass using PowerShell
    Antivirus bypass using a single malicious functionality
    The power of combining several antivirus bypass techniques
        An example of an executable before and after peCloak
    Antivirus engines that we have bypassed in our research
    Summary
    Further reading
Section 3: Using Bypass Techniques in the Real World
Chapter 7: Antivirus Bypass Techniques in Red Team Operations
    Technical requirements
    What is a red team operation?
    Bypassing antivirus software in red team operations
    Fingerprinting antivirus software
    Summary
Chapter 8: Best Practices and Recommendations
    Technical requirements 
    Avoiding antivirus bypass dedicated vulnerabilities
        How to avoid the DLL hijacking vulnerability
        How to avoid the Unquoted Service Path vulnerability
        How to avoid buffer overflow vulnerabilities
    Improving antivirus detection
        Dynamic YARA
        The detection of process injection
        Script-based malware detection with AMSI
    Secure coding recommendations
        Self-protection mechanism
        Plan your code securely
        Do not use old code
        Input validation
        PoLP (Principle of Least Privilege)
        Compiler warnings
        Automated code testing
        Wait mechanisms – preventing race conditions
        Integrity validation
    Summary
    Why subscribe?
Other Books You May Enjoy
    Packt is searching for authors like you
    Leave a review - let other readers know what you think

Computers & Technology

Groupware Hacking Internet Privacy & Online Safety Telecommunications Viruses

Donate to keep this site alive

To access the Link, solve the captcha.

How to download source code?

1. Go to: https://github.com/PacktPublishing

2. In the Find a repository… box, search the book title: Antivirus Bypass Techniques: Learn practical techniques and tactics to combat, bypass, and evade antivirus software, sometime you may not get the results, please search the main title.