{"id":10663,"date":"2022-07-08T02:22:35","date_gmt":"2022-07-08T02:22:35","guid":{"rendered":"https:\/\/conference.hitb.org\/hitbincyber2024\/?post_type=session&#038;p=10663"},"modified":"2023-05-26T07:36:51","modified_gmt":"2023-05-26T07:36:51","slug":"cracking-the-shield-analyzing-and-reverse-engineering-antivirus-signatures","status":"publish","type":"session","link":"https:\/\/conference.hitb.org\/hitbincyber2024\/session\/cracking-the-shield-analyzing-and-reverse-engineering-antivirus-signatures\/","title":{"rendered":"Cracking the Shield: Analyzing and Reverse Engineering Antivirus Signatures"},"content":{"rendered":"<p style=\"text-align: justify;\">Antivirus software is a black box that is still used in every company as part of their defense infrastructure.\u00a0 <strong>We&#8217;ve created a tool to analyze and reverse engineer antivirus signatures.<\/strong>\u00a0The motivation behind it is to better understand how antivirus software works and how it can be circumvented.<\/p>\n<p style=\"text-align: justify;\">By reverse engineering antivirus signatures, we gain valuable insight into the workings of these systems and can develop more effective methods to evade detection. It allows RedTeamers to pinpoint weak parts of signatures so as to make their tools undetectable with the minimal amount of effort.<\/p>\n<p style=\"text-align: justify;\">I will give an overview of the ideas and architecture of the software. For this we will also dive deep into the file formats of the most common initial attack vectors, and the challenges they posed. 
At the end we will discuss the <strong>results of analyzing a large amount of signatures from Microsoft Defender to judge its effectiveness<\/strong>, common problems with signatures, and how to do better in the future.<\/p>\n","protected":false},"template":"","class_list":["post-10663","session","type-session","status-publish","hentry"],"acf":[],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v23.3 - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ -->\n<title>Cracking the Shield: Analyzing and Reverse Engineering Antivirus Signatures - HITB (in)Cyber 2024 - Abu Dhabi<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/conference.hitb.org\/hitbincyber2024\/session\/cracking-the-shield-analyzing-and-reverse-engineering-antivirus-signatures\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Cracking the Shield: Analyzing and Reverse Engineering Antivirus Signatures - HITB (in)Cyber 2024 - Abu Dhabi\" \/>\n<meta property=\"og:description\" content=\"Antivirus software are a black-box that are still used in every company as part of their defense infrastructure.\u00a0 We&#8217;ve created a tool to analyze and reverse engineer antivirus signatures.\u00a0The motivation behind it is to better understand how antivirus software works and how it can be circumvented. 
By reverse engineering antivirus signatures, we gain valuable insight [&hellip;]\" \/>\n<meta property=\"og:url\" content=\"https:\/\/conference.hitb.org\/hitbincyber2024\/session\/cracking-the-shield-analyzing-and-reverse-engineering-antivirus-signatures\/\" \/>\n<meta property=\"og:site_name\" content=\"HITB (in)Cyber 2024 - Abu Dhabi\" \/>\n<meta property=\"article:modified_time\" content=\"2023-05-26T07:36:51+00:00\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:label1\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data1\" content=\"1 minute\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"WebPage\",\"@id\":\"https:\/\/conference.hitb.org\/hitbincyber2024\/session\/cracking-the-shield-analyzing-and-reverse-engineering-antivirus-signatures\/\",\"url\":\"https:\/\/conference.hitb.org\/hitbincyber2024\/session\/cracking-the-shield-analyzing-and-reverse-engineering-antivirus-signatures\/\",\"name\":\"Cracking the Shield: Analyzing and Reverse Engineering Antivirus Signatures - HITB (in)Cyber 2024 - Abu 
Dhabi\",\"isPartOf\":{\"@id\":\"https:\/\/conference.hitb.org\/hitbincyber2024\/#website\"},\"datePublished\":\"2022-07-08T02:22:35+00:00\",\"dateModified\":\"2023-05-26T07:36:51+00:00\",\"breadcrumb\":{\"@id\":\"https:\/\/conference.hitb.org\/hitbincyber2024\/session\/cracking-the-shield-analyzing-and-reverse-engineering-antivirus-signatures\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/conference.hitb.org\/hitbincyber2024\/session\/cracking-the-shield-analyzing-and-reverse-engineering-antivirus-signatures\/\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/conference.hitb.org\/hitbincyber2024\/session\/cracking-the-shield-analyzing-and-reverse-engineering-antivirus-signatures\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/conference.hitb.org\/hitbincyber2024\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Session\",\"item\":\"https:\/\/conference.hitb.org\/hitbincyber2024\/session\/\"},{\"@type\":\"ListItem\",\"position\":3,\"name\":\"Cracking the Shield: Analyzing and Reverse Engineering Antivirus Signatures\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/conference.hitb.org\/hitbincyber2024\/#website\",\"url\":\"https:\/\/conference.hitb.org\/hitbincyber2024\/\",\"name\":\"HITB (in)Cyber 2024 - Abu Dhabi\",\"description\":\"May 14 - 16, Etihad Arena \",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/conference.hitb.org\/hitbincyber2024\/?s={search_term_string}\"},\"query-input\":\"required name=search_term_string\"}],\"inLanguage\":\"en-US\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. 
-->","yoast_head_json":{"title":"Cracking the Shield: Analyzing and Reverse Engineering Antivirus Signatures - HITB (in)Cyber 2024 - Abu Dhabi","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/conference.hitb.org\/hitbincyber2024\/session\/cracking-the-shield-analyzing-and-reverse-engineering-antivirus-signatures\/","og_locale":"en_US","og_type":"article","og_title":"Cracking the Shield: Analyzing and Reverse Engineering Antivirus Signatures - HITB (in)Cyber 2024 - Abu Dhabi","og_description":"Antivirus software are a black-box that are still used in every company as part of their defense infrastructure.\u00a0 We&#8217;ve created a tool to analyze and reverse engineer antivirus signatures.\u00a0The motivation behind it is to better understand how antivirus software works and how it can be circumvented. By reverse engineering antivirus signatures, we gain valuable insight [&hellip;]","og_url":"https:\/\/conference.hitb.org\/hitbincyber2024\/session\/cracking-the-shield-analyzing-and-reverse-engineering-antivirus-signatures\/","og_site_name":"HITB (in)Cyber 2024 - Abu Dhabi","article_modified_time":"2023-05-26T07:36:51+00:00","twitter_card":"summary_large_image","twitter_misc":{"Est. 
reading time":"1 minute"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"WebPage","@id":"https:\/\/conference.hitb.org\/hitbincyber2024\/session\/cracking-the-shield-analyzing-and-reverse-engineering-antivirus-signatures\/","url":"https:\/\/conference.hitb.org\/hitbincyber2024\/session\/cracking-the-shield-analyzing-and-reverse-engineering-antivirus-signatures\/","name":"Cracking the Shield: Analyzing and Reverse Engineering Antivirus Signatures - HITB (in)Cyber 2024 - Abu Dhabi","isPartOf":{"@id":"https:\/\/conference.hitb.org\/hitbincyber2024\/#website"},"datePublished":"2022-07-08T02:22:35+00:00","dateModified":"2023-05-26T07:36:51+00:00","breadcrumb":{"@id":"https:\/\/conference.hitb.org\/hitbincyber2024\/session\/cracking-the-shield-analyzing-and-reverse-engineering-antivirus-signatures\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/conference.hitb.org\/hitbincyber2024\/session\/cracking-the-shield-analyzing-and-reverse-engineering-antivirus-signatures\/"]}]},{"@type":"BreadcrumbList","@id":"https:\/\/conference.hitb.org\/hitbincyber2024\/session\/cracking-the-shield-analyzing-and-reverse-engineering-antivirus-signatures\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/conference.hitb.org\/hitbincyber2024\/"},{"@type":"ListItem","position":2,"name":"Session","item":"https:\/\/conference.hitb.org\/hitbincyber2024\/session\/"},{"@type":"ListItem","position":3,"name":"Cracking the Shield: Analyzing and Reverse Engineering Antivirus Signatures"}]},{"@type":"WebSite","@id":"https:\/\/conference.hitb.org\/hitbincyber2024\/#website","url":"https:\/\/conference.hitb.org\/hitbincyber2024\/","name":"HITB (in)Cyber 2024 - Abu Dhabi","description":"May 14 - 16, Etihad Arena 
","potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/conference.hitb.org\/hitbincyber2024\/?s={search_term_string}"},"query-input":"required name=search_term_string"}],"inLanguage":"en-US"}]}},"_links":{"self":[{"href":"https:\/\/conference.hitb.org\/hitbincyber2024\/wp-json\/wp\/v2\/session\/10663"}],"collection":[{"href":"https:\/\/conference.hitb.org\/hitbincyber2024\/wp-json\/wp\/v2\/session"}],"about":[{"href":"https:\/\/conference.hitb.org\/hitbincyber2024\/wp-json\/wp\/v2\/types\/session"}],"version-history":[{"count":2,"href":"https:\/\/conference.hitb.org\/hitbincyber2024\/wp-json\/wp\/v2\/session\/10663\/revisions"}],"predecessor-version":[{"id":12284,"href":"https:\/\/conference.hitb.org\/hitbincyber2024\/wp-json\/wp\/v2\/session\/10663\/revisions\/12284"}],"wp:attachment":[{"href":"https:\/\/conference.hitb.org\/hitbincyber2024\/wp-json\/wp\/v2\/media?parent=10663"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}