One of the common questions that I receive when teaching for SANS is how to bypass AV. I thought it would be fun to take a few moments and share some of the best articles I have read recently on the topic and share a couple of pitfalls to avoid during the process.
First, if you are testing an organization that is using product X, buy product X. Many testers believe the best way to check whether their payload is going to get detected is to upload it to VirusTotal. VirusTotal is great for checking if a piece of software is malware, but it is horrible for testing purposes, for a couple of reasons. First, for many vendors it does not represent what the real product would do on a real system. For example, Symantec has a signature match called Suspicious.Insight that will show as a hit on VirusTotal but won't do a damn thing in the real world. Further, a number of AV products use more in-depth "heuristic" checks that VirusTotal's scans never exercise. Finally, and this is the big one, VirusTotal shares your samples with the AV vendors. This means you may bypass the AV product of choice today, but they are quickly creating a signature to mess up your test tomorrow.
So, instead, we recommend you actually buy the product you are testing. I know that $50+ seems like a lot to swing for a $25K engagement, but I think if you search your office couch you might be able to pull it off.

This couch does things for its money.. Horrible, degrading, things.

Next, if you have to test for multiple products, use No Virus Thanks instead.
On to the articles. There are two main ones I would like to share. Both have outstanding explanations and are going to show you why this is not a point-and-click endeavor.
The first up is from ScriptJunkie. This is an outstanding write-up.
Next, mihi has what can be described as the closest thing to a step-by-step walkthrough available.
Please remember this is a process that is not easy and will change constantly. But that is a good thing. It keeps our jobs from simply becoming Nessus/Metasploit/SET do da, do da.
-strandjs