Cracking the Shield: Analyzing and Reverse Engineering Antivirus Signatures


August 24, 2023




Track 1

Antivirus software are a black-box that are still used in every company as part of their defense infrastructure.  We’ve created a tool to analyze and reverse engineer antivirus signatures. The motivation behind it is to better understand how antivirus software works and how it can be circumvented.

By reverse engineering antivirus signatures, we gain valuable insight into the workings of these systems and can develop more effective methods to evade detection. It allows RedTeamers to pinpoint weak parts of signatures so to make their tools undetectable by applying the minimal amount of effort.

I will give an overview of the ideas and architecture of the software. For this we will also also dive deep into the file format of the most common initial attack vectors, and the challenges they provided. At the end we will discuss the results of analyzing a large amount of signatures from Microsoft Defender to judge its effectiveness, common problems with signatures, and how to do better in the future.

Penetration Tester

Raiffeisen Schweiz

Dobin was a penetration tester for many years, and then switched to be a SOC analyst. Currently he is leading the RedTeam at Raiffeisen Schweiz