AVOIDING DETECTION
When you are performing a penetration test, nothing is more embarrassing than being caught by antivirus software. This is one of those little details that can be overlooked quite easily: If you don’t make plans to evade detection by antivirus software, watch out, because your target will quickly be alerted that something fishy is going on. In this chapter, we’ll cover situations in which antivirus software might be an issue and discuss possible solutions.
Most antivirus software uses signatures to identify aspects of malicious code that are present in a sampling of malicious software. These signatures are loaded into antivirus engines and then used to scan disk storage and running processes for matches. When a match is found, the antivirus software takes certain steps to respond to the situation: Most quarantine the binary or kill the running process.
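To make the model concrete, here is a minimal signature engine in exactly that shape: byte signatures are compiled, a buffer is scanned for matches, and any hit drives a quarantine decision. This is an added illustration, not code from the book; the hex-with-"??"-wildcard signature syntax and the "Demo.Wildcard.Pattern" signature are this example's own assumptions, while the EICAR string is the standard harmless test sample that real engines detect.

```python
from __future__ import annotations
import re
from dataclasses import dataclass

@dataclass(frozen=True)
class Signature:
    name: str
    regex: re.Pattern  # byte regex compiled from a hex string; "??" = any one byte

def compile_signature(name: str, hex_pattern: str) -> Signature:
    """Compile a hex string such as "4d5a????5045" into a byte regex.

    The hex-with-"??"-wildcards form is this example's own assumption, loosely
    modelled on common AV body-signature syntax rather than any one product.
    """
    cleaned = hex_pattern.replace(" ", "")
    if len(cleaned) % 2:
        raise ValueError("hex pattern must have an even number of digits")
    parts = []
    for i in range(0, len(cleaned), 2):
        pair = cleaned[i:i + 2]
        parts.append(b"." if pair == "??" else re.escape(bytes.fromhex(pair)))
    return Signature(name, re.compile(b"".join(parts), re.DOTALL))

def scan_bytes(data: bytes, signatures: list[Signature]) -> list[tuple[str, int]]:
    """Return (signature name, offset) for every signature hit in the buffer."""
    hits = []
    for sig in signatures:
        for match in sig.regex.finditer(data):
            hits.append((sig.name, match.start()))
    return hits

def respond(hits: list[tuple[str, int]]) -> str:
    """The engine's decision: quarantine on any hit, otherwise let the file run."""
    return "quarantine" if hits else "allow"

# The EICAR test string: the industry-standard harmless sample that every AV engine flags.
EICAR = b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"

SIGNATURES = [
    compile_signature("Eicar-Test-Signature", EICAR.hex()),
    # Constructed demo pattern: "MZ", two arbitrary bytes, then "PE".
    compile_signature("Demo.Wildcard.Pattern", "4d5a????5045"),
]

if __name__ == "__main__":
    sample = b"harmless header\n" + EICAR + b"\ntrailing data"   # constructed input
    hits = scan_bytes(sample, SIGNATURES)
    print(hits, "->", respond(hits))
```

Each signature is tried against the whole buffer in turn, which is why the paragraph that follows can talk about the scanning cost growing with the size of the signature set.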
As you might imagine, this model has scaling issues. For one, the amount of malicious code in the wild means that an antivirus product loaded with signatures can check files only so quickly for matching signatures. Also, the