background image

A V O I D I N G   D E T E C T I O N

When you are performing a penetration test, nothing is 
more embarrassing than being caught by antivirus soft-
ware. This is one of those little details that can be over-
looked quite easily: If you don’t make plans to evade 
detection by antivirus software, watch out, because your

target will quickly be alerted that something fishy is going on. In this chapter, 
we’ll cover situations in which antivirus software might be an issue and discuss 
possible solutions.

Most antivirus software uses 

signatures

 to identify aspects of malicious 

code that are present in a sampling of malicious software. These signatures 
are loaded into antivirus engines and then used to scan disk storage and run-
ning processes for matches. When a match is found, the antivirus software 
takes certain steps to respond to the situation: Most quarantine the binary 
or kill the running process.

As you might imagine, this model has scaling issues. For one, the amount 

of malicious code in the wild means that an antivirus product loaded with 
signatures can check files only so quickly for matching signatures. Also, the