This talk presents research results on the internals of antiviruses (AVs). The main goal is to demystify how AVs operate and to clarify the impact of AV design decisions on the security of users and companies. To do so, I analyzed multiple real, commercial AVs targeting the Windows, Linux, and Android platforms. Based on that analysis, I present new attacks and defensive strategies.
I start by distinguishing AV engines from AV products, and then delve into AV engines to show their structure. I further discuss how these components are used in the different detection steps: some actions are only performed when static detection is in place, whereas others are performed dynamically. I discuss how to configure the monitoring levels and show that configuration options are often present in the AV backend but not exposed in the AV's GUI. For instance, I show the case of an AV that has an embedded unpacker whose configuration is not accessible to users.
Later I demystify the use of whitelists and blacklists by AV software. Whereas many claim that these techniques are obsolete or no longer used, I show disassembly and database excerpts that demonstrate whitelist invocation by AV components. I show that there are even companies specialized in selling information for whitelist database generation. I further demystify the use of signatures: I developed an algorithm to identify the detection of samples via signatures, to extract these signatures, and to map their sizes. With that, I discovered that around 30-40% of all AV detections are performed by some kind of static pattern matching.
I will argue that the use of whitelists, signatures, or any other technique is a matter of trade-offs. AV companies cannot implement all existing detection possibilities, so they make judgements about what is more probable to happen. I extend this discussion to show that trade-offs also apply to real-time monitoring: AVs do not monitor all file locations at the same time. I also shed light on the implicit assumptions made by AVs that are not made explicit to users. In terms of network monitoring, I show how AVs set proxies in the system, perform man-in-the-middle interception to scan packets, replace SSL certificates to be transparent to the user, and change JS/DOM content to intercept requests. I also show a case in which the VIPRE AV uses standard SNORT rules on the endpoint to detect known attacks. Another critical aspect of AV operation is updates, yet little is publicly known about them. In my investigation, I present an analysis of the update frequency of a real AV.
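To make the VIPRE case concrete, here is an added example (not VIPRE's code, nor part of the original abstract) of what reusing network IDS rules on an endpoint looks like: a matcher for a small subset of Snort's classic rule syntax (header plus `content`, `nocase`, `msg`, `sid`) applied to packets observed locally. The rules and packets are constructed; real rule sets rely on many more options (`pcre`, `flow`, offsets, `depth`) that this subset ignores.

```python
import re
from dataclasses import dataclass

# Constructed rules in Snort's classic syntax (illustrative, not a real rule set).
RULES = [
    'alert tcp any any -> any 80 (msg:"Suspicious executable name in URI"; content:"cmd.exe"; nocase; sid:1000001;)',
    'alert tcp any any -> any 21 (msg:"FTP anonymous login"; content:"USER anonymous"; sid:1000002;)',
]

# header: action proto src sport -> dst dport (options)
HEADER_RE = re.compile(
    r'^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s*->\s*'
    r'(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$')

@dataclass
class Rule:
    proto: str
    dport: str        # "any" or a port number, kept as text like Snort does
    msg: str
    content: bytes
    nocase: bool
    sid: int

def parse_rule(text: str) -> Rule:
    """Parse the supported subset; raise on anything else instead of guessing."""
    m = HEADER_RE.match(text)
    if not m:
        raise ValueError("unsupported rule: " + text)
    opts, flags = {}, set()
    for opt in filter(None, (o.strip() for o in m.group("opts").split(";"))):
        if ":" in opt:                      # key:value option, e.g. content:"..."
            k, v = opt.split(":", 1)
            opts[k.strip()] = v.strip().strip('"')
        else:                               # bare modifier, e.g. nocase
            flags.add(opt)
    return Rule(m.group("proto"), m.group("dport"), opts.get("msg", ""),
                opts["content"].encode(), "nocase" in flags, int(opts["sid"]))

def matches(rule: Rule, proto: str, dport: int, payload: bytes) -> bool:
    """Header check (protocol, destination port) followed by the content test."""
    if rule.proto != proto or (rule.dport != "any" and int(rule.dport) != dport):
        return False
    hay, needle = (payload.lower(), rule.content.lower()) if rule.nocase else (payload, rule.content)
    return needle in hay

def scan(packets, rules=None):
    """Return, per (proto, dport, payload) packet, the sids of the rules that fire."""
    parsed = [parse_rule(r) for r in (rules or RULES)]
    return [[r.sid for r in parsed if matches(r, *pkt)] for pkt in packets]

# Constructed packets standing in for traffic seen by the endpoint's network filter.
PACKETS = [
    ("tcp", 80, b"GET /uploads/CMD.EXE HTTP/1.0\r\n"),   # nocase match -> sid 1000001
    ("tcp", 21, b"USER anonymous\r\n"),                  # exact match  -> sid 1000002
    ("tcp", 443, b"USER anonymous\r\n"),                 # wrong port, must not fire
]
```

Running `scan(PACKETS)` yields `[[1000001], [1000002], []]`; the third packet shows why the header part of a rule matters as much as the content string when the same rule set is lifted from a network sensor onto a host.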