This chapter discusses how we can use static analysis techniques to discover vulnerabilities in antivirus software. It focuses on the de facto tool for static analysis, IDA. As an example, the chapter shows us how to manually audit an old version of F‐Secure Anti‐Virus for Linux with the aim of discovering some vulnerability that we could exploit remotely, such as a bug in the file format parsers...
Dynamic analysis techniques are performed on computer software and hardware by executing the program or programs in a real or virtualized environment in order to gather behavioral information from the target. This chapter focuses on two techniques: fuzzing and code coverage. Fuzzing is probably the most used technique to find bugs in computer programs because it is relatively easy to discover bugs...
Local exploitation techniques are used to exploit a product, or one of its components, when we have access to the computer being targeted. These techniques usually exploit the following kinds of bugs: memory corruptions, bad permissions, and logical vulnerabilities. This chapter discusses how local vulnerabilities can be exploited, by showing some actual, but old, vulnerabilities in antivirus products...
This chapter explains why exploiting an antivirus remotely is much more complex than local exploitation. It then covers how to write remote exploits for antivirus software and also contains many useful tips to make exploitation easier. The chapter begins with a discussion on the remote exploitation of client‐side antivirus components. Client‐side components are mitigated against exploitation by various...
Antivirus evasion techniques are used by malware writers, as well as by penetration testers and vulnerability researchers, in order to bypass one or more antivirus software applications. In their software solutions, antivirus companies use various systems for statically and dynamically detecting both known and unknown malware. A key part of antivirus evasion is determining how malware is detected...
Evading signatures of antivirus (AV) products is one of the most common tasks for both bad guys (such as malware writers) and good guys (such as penetration testers). File‐format‐aware signatures, such as those specific to portable executable (PE) files, do not rely on a single piece of evidence detected in a fixed‐size buffer at a specific offset. The same applies to Microsoft Office‐supported file formats,...
This chapter explains how to evade both static scanners (which only focus on files that are on disk) and dynamic scanners (which focus on the behavior of the program or that perform memory analysis). It presents some tricks that can be used to evade many antivirus scanners. The chapter lists various anti‐emulation tricks that are generic for Windows PE files, for any x86‐based program, and for the...
This chapter covers the various types of heuristic engines, which may be implemented in userland, kernel‐land, or both. Learning about various heuristic engines will facilitate the process of bypassing and evading them. Similarly, the AV engineers can get some insights into how attackers are evading detection and therefore can improve the detection engine accordingly. There are three different types...
The attack surface of any software is the exposed surface, which can be used by unauthorized users to discover and exploit vulnerabilities. The attack surface can be divided into two groups: local and remote. This chapter discusses how to identify the attack surface of antivirus software. To some extent, we can apply the techniques and tools described in the chapter to any software when determining...
Both local and remote denial‐of‐service (DoS) attacks against antivirus software are possible; indeed, one of the most common attacks is aimed at disabling AV protection. This chapter covers some common DoS vulnerabilities and how to discover such bugs. There are many different types of local DoS attacks, with the following ones being the most common: compression bombs, bugs in file format parsers,...
The target audience of consumers for antivirus software can be divided into four major groups: home users, small to medium‐sized companies, governments and big companies, and the targets of governments. This chapter discusses the current trends and the protection levels offered by the antivirus industry to its major target audience groups and what each group should expect. It explains the various...
The current protection levels provided by most antivirus solutions are not as good as one would expect from an industry that deals with security products. This chapter discusses some strategies that the security industry may adopt to increase the effectiveness of its products. It provides ideas about how to improve the protection and quality of antivirus products. The chapter also provides some ideas...
This chapter covers what antivirus (AV) software is and how it works. It offers a brief history of AV software and a short analysis of how it evolved over time. The chapter talks about the various components of an AV, namely, the kernel, command‐line scanner, graphical user interface (GUI) scanner, daemons or system services, file system filter drivers, network filter drivers, and any other support...
This chapter discusses how you can reverse‐engineer the core of an antivirus product, and what features are interesting from an attacker's viewpoint. It describes some techniques to make the reverse‐engineering process easier, especially when the antivirus software tries to protect itself against being reverse‐engineered. The chapter explains how to use Python to write a standalone tool that interfaces...
This chapter covers some loading implementations of typical antivirus plug‐ins and analyzes the loading process. Heuristic‐based detection algorithms, emulators, and script‐based plug‐ins are also covered. The chapter explains the working of plug‐in loaders, and analyzes a plug‐in's code. The heuristic engine uses all of the information to determine that the buffer or file under analysis is "suspicious"...
This chapter covers the various signature database types, their strengths and weaknesses, when they are best used, and how they can be circumvented. Some algorithms that are used to generate signatures can have a high false‐positive ratio but are extremely fast. The chapter covers the most notable signatures and discusses the advantages and disadvantages of each one. The simplest form of an antivirus...