Posted on

Common AntiVirus bypass techniques

Hello, aspiring ethical hackers. In this blogpost, you will learn about the antivirus bypass techniques used by hackers and pen testers alike in real -world. In our previous blogpost on Antivirus, you learnt about various techniques used by Antivirus to detect malware. Please read that article before to better understand the Antivirus bypass techniques explained here.

Why AntiVirus bypass is important?

In any organization nowadays, every computing device is protected by Antivirus nowadays. Hence, it is very important to understand various techniques of Antivirus bypass for pen testers and Blue Teams alike.

Techniques for AntiVirus bypass

Here are the various techniques used in Antivirus bypass.

  1. Encryption
  2. Obfuscation
  3. Packing
  4. Protectors
  5. Memory Injection

Let’s learn about each of these techniques in detail.

1. Encryption:

This is a technique that cryptographically changes the code of the payload. In our previous blogpost on encryption, you can learn in detail about cryptography & encryption and their role in cybersecurity. After the code of the payload is encrypted, a decrypting stub is created that decrypts and executes the code of that payload. Usually, this stub is hidden and it goes undetected by the AntiVirus.

The program that is used to encrypt the code of the payload is known as cryptor. Coding cryptors that create FUD payloads is a booming business in dark web.

2. Obfuscation:

Obfuscation is an evasion technique in which the code of the payload is changed and reorganized in such a way that it becomes difficult to understand. This made the reverse analysis of the payload difficult.

3. Packing:

Packing is the process in which the code of the payload is transformed into a different format. This reduces the size of the payload and makes a new binary.

4. Protector:

Software vendors use protection to prevent the code of the software from being reverse engineered. This is normally used to prevent software from being pirated. However, malware creators also use it to prevent the code of the payload from being reverse engineered.

5. Memory Injection:

If you have noticed, as soon as you drop a malicious payload on your system, (even msfvenom payload) the Antivirus immediately quarantines it. So, most malware creators code their payloads to run in memory instead of running on the hard disk to prevent Antivirus from detecting it.

Follow Us