otw

Evading Antivirus: How Antivirus Works

Updated: Dec 28, 2022

Welcome back, my aspiring cyberwarriors!

Before beginning the journey to learn how to evade AV, it is critical to first understand how AV works. In this brief post, we will examine the primary methods that antivirus developers use to detect malware.

Most antivirus products today use one of just a few engines. Each of these engines has specific goals. The four primary engines are:

  1. A Static Engine

  2. Dynamic Engine

  3. Heuristic Engine

  4. Unpacking Engine

Static Analysis

Each of these engines has a specific goal and each comes with its own strengths and weaknesses. For instance, static engines, which most people are familiar with, simply look for signatures of known malware. The best known of these are the YARA signatures that are updated almost daily.

The static engine simply compares files against a database of signatures of known malware. This can be more challenging than it might seem, as it is relatively simple to make alterations to malware (creating a different signature) and thereby evade this static analysis.

Dynamic Analysis

Dynamic analysis is a bit more advanced. It identifies malware by its behavior. The first behavior that dynamic analysis looks for is API (application programming interface) calls. Dynamic analysis uses system hooks to look for malicious behavior. In addition, dynamic analysis uses sandboxing. The AV software creates a virtual environment separate from the host's memory and executes the suspicious malware. In this way, the AV application can analyze the suspicious file in a safe environment without risk to the physical host.

Heuristic Analysis

Most AV applications now use a heuristic engine. To simplify, heuristics use the old rule "if it walks like a duck and if it quacks like a duck, it's probably a duck". The AV application creates a score for each file based upon various factors and then by statistical analysis determines the probability of it being malware. For instance, heuristics will look for processes that interact with the LSASS.exe process, processes with a signature from a reputable software vendor, a process that tries to make itself persistent, and a process that tries to communicate out to a C&C server. The biggest downside to heuristics is the false positives, where the AV application determines that a file is malicious when it is not.
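
The scoring idea described above, as an added example (not code from the original post or from any AV product): each factor the paragraph names carries an assumed weight, a logistic function turns the sum into a probability, and the constructed samples include one benign file that gets flagged, which is the false-positive case. The weights, bias, threshold, and file names are all assumptions.

```python
import math

# Assumed weights (illustrative, not from any real AV product). Positive
# values push toward "malicious", negative values toward "benign".
WEIGHTS = {
    "touches_lsass": 2.5,       # interacts with the LSASS.exe process
    "sets_persistence": 1.5,    # tries to make itself persistent
    "beacons_out": 2.0,         # communicates out to a suspected C&C server
    "trusted_signature": -3.0,  # signed by a reputable software vendor
}
BIAS = -3.0        # assumed prior: most files are benign
THRESHOLD = 0.5    # assumed cut-off probability for a "malicious" verdict


def probability(observed):
    """Logistic score: map the summed weights of observed factors to 0..1."""
    total = BIAS + sum(WEIGHTS[f] for f in observed)
    return 1.0 / (1.0 + math.exp(-total))


def verdict(observed):
    return "malicious" if probability(observed) >= THRESHOLD else "clean"


# Constructed sample observations: file name -> (factors seen, ground truth).
SAMPLES = {
    "credential_dumper.exe": ({"touches_lsass", "sets_persistence", "beacons_out"}, "malicious"),
    "vendor_updater.exe": ({"sets_persistence", "beacons_out", "trusted_signature"}, "clean"),
    "inhouse_backup_agent.exe": ({"sets_persistence", "beacons_out"}, "clean"),
    "notepad_clone.exe": (set(), "clean"),
}


def false_positives():
    """Files the engine flags even though the ground truth is clean."""
    return sorted(name for name, (factors, truth) in SAMPLES.items()
                  if truth == "clean" and verdict(factors) == "malicious")


if __name__ == "__main__":
    for name, (factors, truth) in SAMPLES.items():
        print(f"{name:26} p={probability(factors):.2f} "
              f"verdict={verdict(factors):9} truth={truth}")
    print("false positives:", false_positives())
```

The unsigned in-house agent shows the same persistence and outbound behavior as the signed updater, but without the trusted-signature credit it crosses the threshold, which is why tuning weights and allow-listing known internal tools matter to defenders.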

Un-Packed Analysis

One of the major ways that malware developers evade AV applications is to pack or compress their code. In this way, they can evade static detection by creating a different signature not recognized by the AV application in the signature/static analysis. The AV vendor must develop an unpacker for each and every packer available to the malware developers. This can be a very slow and tedious process but one that is necessary if the AV is to detect malicious files that are packed.


Critical to developing techniques to evade AV is a good understanding of how antivirus works. Now that you have a good idea how these systems work, you are ready to begin to evade AV.

For more on antivirus evasion, check out:

  1. Anatomy of ClamAV

  2. Evading AV with OWASP-ZSC

  3. Evading AV with Veil-Evasion

  4. Metasploit Evasion modules

