Defender detects file copy pasted, avred doesnt #9
Comments
|
Thats probably the AV emulator. Avred checks against/with AMSI, there may be more checks being done by the AV when actively on the system. If what you scan is a shellcode loader, you can try adding an anti-AV-emulation technique. See my slides , 24-44. |
|
Thanks for help. Yes it is shellcode loader, i have added the anti-av techniques. It has been working great for a couple of months, now every av is detecting it in static analysis. I have tried garble, packers, even obfuscating function calls and AST. Can you please guide me to some project or modifying AVRed where file should be scanned either if its detected by AMSI or not, really appreciate the details and working this project has. |
|
I recommend to add an anti-emulation to your loader, like from supermega And i talked about it in My first and last shellcode loader, |
AvRed logs show that file isnt detected by antivirus, but if i copy paste the executable onto AV machine it gets detected instantly. Any guidance ?
The text was updated successfully, but these errors were encountered: