Why Anti-virus Software Fails

Daniel Sauder

published in Magdeburger Journal zur Sicherheitsforschung (2015, #10, p. 540-546)

Info

Based on my work on antivirus evasion techniques, I started using antivirus evasion techniques to test the effectiveness of antivirus engines. I researched the internal functionality of antivirus products, especially the implementation of heuristics by sandboxing and emulation, and succeeded in evading these. One result of my research is a set of tests of whether a shellcode runs within an x86 emulation engine. One test works by encrypting the payload, which would normally be recognized as malicious. When the payload is recognized by the antivirus software, chances are high that x86 emulation was performed. This article appears in the special edition „In Depth Security – Proceedings of the DeepSec Conferences“, edited by Stefan Schumacher and René Pfeiffer.

BibTeX entry for mjs:Sauder:Antivir

@article{mjs:Sauder:Antivir,
  author = {Daniel Sauder},
  title = {Why Anti-virus Software Fails},
  pages = {540-546},
  year = {2015},
  journaltitle = {Magdeburger Journal zur Sicherheitsforschung},
  issn = {2192-4260},
  url = {https://d-nb.info/1077974663/34},
  codeberg = {https://codeberg.org/0xKaishakunin/Publikationen/src/branch/main/MagdeburgerJournalSicherheitsforschung/MJS_037_Sauder_Antivir.pdf},
  issue = {2},
  volume = {10},
  urldate = {2015-07-19},
  keywords = {mjsarticle,ds15,antivir,antivirus,fail,evasion},
  abstract = {Based on my work about antivirus evasion techniques, I started using antivirus evasion techniques for testing the effectivity of antivirus engines. I researched the internal functionality of antivirus products, especially the implementation of heuristics by sandboxing and emulation and succeeded in evasion of these. A result of my research are tests, if a shellcode runs within a x86 emulation engine. One test works by encrypting the payload, which is recognized as malicious normally. When the payload is recognized by the antivirus software, chances are high, that x86 emulation was performed. This article appears in the special edition „In Depth Security – Proceedings of the DeepSec Conferences“. Edited by Stefan Schumacher and René Pfeiffer},
}

AsciiDoc citation commands

1. citenp:[mjs:Sauder:Antivir]
2. cite:[mjs:Sauder:Antivir]
3. bibitem[mjs:Sauder:Antivir]

LaTeX citation commands

1. \textcite{mjs:Sauder:Antivir}
2. \parencite{mjs:Sauder:Antivir}
3. \cite{mjs:Sauder:Antivir}

generated at Mon May 12 10:48:34 2025