{"id":10663,"date":"2022-07-08T02:22:35","date_gmt":"2022-07-08T02:22:35","guid":{"rendered":"https:\/\/conference.hitb.org\/hitbsecconf2023hkt\/?post_type=session&#038;p=10663"},"modified":"2023-05-26T07:36:51","modified_gmt":"2023-05-26T07:36:51","slug":"cracking-the-shield-analyzing-and-reverse-engineering-antivirus-signatures","status":"publish","type":"session","link":"https:\/\/conference.hitb.org\/hitbsecconf2023hkt\/session\/cracking-the-shield-analyzing-and-reverse-engineering-antivirus-signatures\/","title":{"rendered":"Cracking the Shield: Analyzing and Reverse Engineering Antivirus Signatures"},"content":{"rendered":"<p style=\"text-align: justify;\">Antivirus software is a black box that is still used in every company as part of its defense infrastructure.\u00a0 <strong>We&#8217;ve created a tool to analyze and reverse engineer antivirus signatures.<\/strong>\u00a0The motivation behind it is to better understand how antivirus software works and how it can be circumvented.<\/p>\n<p style=\"text-align: justify;\">By reverse engineering antivirus signatures, we gain valuable insight into the workings of these systems and can develop more effective methods to evade detection. It allows RedTeamers to pinpoint weak parts of signatures so as to make their tools undetectable by applying the minimal amount of effort.<\/p>\n<p style=\"text-align: justify;\">I will give an overview of the ideas and architecture of the software. For this we will also dive deep into the file format of the most common initial attack vectors, and the challenges they presented. 
At the end we will discuss the <strong>results of analyzing a large number of signatures from Microsoft Defender to judge its effectiveness<\/strong>, common problems with signatures, and how to do better in the future.<\/p>\n","protected":false},"template":"","class_list":["post-10663","session","type-session","status-publish","hentry"],"acf":[],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v23.3 - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ -->\n<title>Cracking the Shield: Analyzing and Reverse Engineering Antivirus Signatures - HITBSecConf2023 - Phuket<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/conference.hitb.org\/hitbsecconf2023hkt\/session\/cracking-the-shield-analyzing-and-reverse-engineering-antivirus-signatures\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Cracking the Shield: Analyzing and Reverse Engineering Antivirus Signatures - HITBSecConf2023 - Phuket\" \/>\n<meta property=\"og:description\" content=\"Antivirus software is a black box that is still used in every company as part of its defense infrastructure.\u00a0 We&#8217;ve created a tool to analyze and reverse engineer antivirus signatures.\u00a0The motivation behind it is to better understand how antivirus software works and how it can be circumvented. 
By reverse engineering antivirus signatures, we gain valuable insight [&hellip;]\" \/>\n<meta property=\"og:url\" content=\"https:\/\/conference.hitb.org\/hitbsecconf2023hkt\/session\/cracking-the-shield-analyzing-and-reverse-engineering-antivirus-signatures\/\" \/>\n<meta property=\"og:site_name\" content=\"HITBSecConf2023 - Phuket\" \/>\n<meta property=\"article:modified_time\" content=\"2023-05-26T07:36:51+00:00\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:label1\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data1\" content=\"1 minute\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"WebPage\",\"@id\":\"https:\/\/conference.hitb.org\/hitbsecconf2023hkt\/session\/cracking-the-shield-analyzing-and-reverse-engineering-antivirus-signatures\/\",\"url\":\"https:\/\/conference.hitb.org\/hitbsecconf2023hkt\/session\/cracking-the-shield-analyzing-and-reverse-engineering-antivirus-signatures\/\",\"name\":\"Cracking the Shield: Analyzing and Reverse Engineering Antivirus Signatures - HITBSecConf2023 - 
Phuket\",\"isPartOf\":{\"@id\":\"https:\/\/conference.hitb.org\/hitbsecconf2023hkt\/#website\"},\"datePublished\":\"2022-07-08T02:22:35+00:00\",\"dateModified\":\"2023-05-26T07:36:51+00:00\",\"breadcrumb\":{\"@id\":\"https:\/\/conference.hitb.org\/hitbsecconf2023hkt\/session\/cracking-the-shield-analyzing-and-reverse-engineering-antivirus-signatures\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/conference.hitb.org\/hitbsecconf2023hkt\/session\/cracking-the-shield-analyzing-and-reverse-engineering-antivirus-signatures\/\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/conference.hitb.org\/hitbsecconf2023hkt\/session\/cracking-the-shield-analyzing-and-reverse-engineering-antivirus-signatures\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/conference.hitb.org\/hitbsecconf2023hkt\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Session\",\"item\":\"https:\/\/conference.hitb.org\/hitbsecconf2023hkt\/session\/\"},{\"@type\":\"ListItem\",\"position\":3,\"name\":\"Cracking the Shield: Analyzing and Reverse Engineering Antivirus Signatures\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/conference.hitb.org\/hitbsecconf2023hkt\/#website\",\"url\":\"https:\/\/conference.hitb.org\/hitbsecconf2023hkt\/\",\"name\":\"HITBSecConf2023 - Phuket\",\"description\":\"August 22 - 26 @ InterContinental\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/conference.hitb.org\/hitbsecconf2023hkt\/?s={search_term_string}\"},\"query-input\":\"required name=search_term_string\"}],\"inLanguage\":\"en-US\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. 
-->","yoast_head_json":{"title":"Cracking the Shield: Analyzing and Reverse Engineering Antivirus Signatures - HITBSecConf2023 - Phuket","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/conference.hitb.org\/hitbsecconf2023hkt\/session\/cracking-the-shield-analyzing-and-reverse-engineering-antivirus-signatures\/","og_locale":"en_US","og_type":"article","og_title":"Cracking the Shield: Analyzing and Reverse Engineering Antivirus Signatures - HITBSecConf2023 - Phuket","og_description":"Antivirus software is a black box that is still used in every company as part of its defense infrastructure.\u00a0 We&#8217;ve created a tool to analyze and reverse engineer antivirus signatures.\u00a0The motivation behind it is to better understand how antivirus software works and how it can be circumvented. By reverse engineering antivirus signatures, we gain valuable insight [&hellip;]","og_url":"https:\/\/conference.hitb.org\/hitbsecconf2023hkt\/session\/cracking-the-shield-analyzing-and-reverse-engineering-antivirus-signatures\/","og_site_name":"HITBSecConf2023 - Phuket","article_modified_time":"2023-05-26T07:36:51+00:00","twitter_card":"summary_large_image","twitter_misc":{"Est. 
reading time":"1 minute"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"WebPage","@id":"https:\/\/conference.hitb.org\/hitbsecconf2023hkt\/session\/cracking-the-shield-analyzing-and-reverse-engineering-antivirus-signatures\/","url":"https:\/\/conference.hitb.org\/hitbsecconf2023hkt\/session\/cracking-the-shield-analyzing-and-reverse-engineering-antivirus-signatures\/","name":"Cracking the Shield: Analyzing and Reverse Engineering Antivirus Signatures - HITBSecConf2023 - Phuket","isPartOf":{"@id":"https:\/\/conference.hitb.org\/hitbsecconf2023hkt\/#website"},"datePublished":"2022-07-08T02:22:35+00:00","dateModified":"2023-05-26T07:36:51+00:00","breadcrumb":{"@id":"https:\/\/conference.hitb.org\/hitbsecconf2023hkt\/session\/cracking-the-shield-analyzing-and-reverse-engineering-antivirus-signatures\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/conference.hitb.org\/hitbsecconf2023hkt\/session\/cracking-the-shield-analyzing-and-reverse-engineering-antivirus-signatures\/"]}]},{"@type":"BreadcrumbList","@id":"https:\/\/conference.hitb.org\/hitbsecconf2023hkt\/session\/cracking-the-shield-analyzing-and-reverse-engineering-antivirus-signatures\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/conference.hitb.org\/hitbsecconf2023hkt\/"},{"@type":"ListItem","position":2,"name":"Session","item":"https:\/\/conference.hitb.org\/hitbsecconf2023hkt\/session\/"},{"@type":"ListItem","position":3,"name":"Cracking the Shield: Analyzing and Reverse Engineering Antivirus Signatures"}]},{"@type":"WebSite","@id":"https:\/\/conference.hitb.org\/hitbsecconf2023hkt\/#website","url":"https:\/\/conference.hitb.org\/hitbsecconf2023hkt\/","name":"HITBSecConf2023 - Phuket","description":"August 22 - 26 @ 
InterContinental","potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/conference.hitb.org\/hitbsecconf2023hkt\/?s={search_term_string}"},"query-input":"required name=search_term_string"}],"inLanguage":"en-US"}]}},"_links":{"self":[{"href":"https:\/\/conference.hitb.org\/hitbsecconf2023hkt\/wp-json\/wp\/v2\/session\/10663"}],"collection":[{"href":"https:\/\/conference.hitb.org\/hitbsecconf2023hkt\/wp-json\/wp\/v2\/session"}],"about":[{"href":"https:\/\/conference.hitb.org\/hitbsecconf2023hkt\/wp-json\/wp\/v2\/types\/session"}],"wp:attachment":[{"href":"https:\/\/conference.hitb.org\/hitbsecconf2023hkt\/wp-json\/wp\/v2\/media?parent=10663"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}