What is your first impulse when you see a fence? Well, we can’t speak for you, but we like to look for weak spots, holes, and ways to climb it. The same is true for filters of all kinds. Let’s see what one can do to bypass them. Anti-virus software is a good example. At DeepSec 2014 Daniel Sauder explained how malware filters/detectors fail. Daniel was kind to provide an article for the special edition „In Depth Security – Proceedings of the DeepSec Conferences“:
„Based on my work about antivirus evasion techniques, I started using antivirus evasion techniques for testing the effectivity of antivirus engines. I researched the internal functionality of antivirus products, especially the implementation of heuristics by sandboxing and emulation and succeeded in evasion of these. A result of my research are tests, if a shellcode runs within a x86 emulation engine. One test works by encrypting the payload, which is recognized as malicious normally. When the payload is recognized by the antivirus software, chances are high, that x86 emulation was performed.“
Thanks to Daniel for the effort and the research.