top of page
  • Writer's pictureotw

Evading Antivirus: How Antivirus Works

Updated: Dec 28, 2022

Welcome back my aspiring cyberwarriors!

Before beginning on the journey to learn to how to evade AV, it is critical to first understand how AV works. In this brief post, we will examine the primary methods that antivirus developers use to detect malware

Most antivirus products today use one of just a few engines. Each of these engines have specific goals. The four primary engines are;

  1. A Static Engine

  2. Dynamic Engine

  3. Heuristic Engine

  4. Unpacking Engine

Static Analysis

Each of these engines has a specific goal and each comes with its own strengths and weaknesses. For instance, static engines which most people are familiar with, simply look for signatures of known malware. The best known of these are the YARA signatures that are updated almost daily.

The static engine simply compares files against a database of signatures of known malware. This can be more challenging that it might seem as it is relatively simple to make alterations to malware (creating a different signature) and thereby evading this static analysis.

Dynamic Analysis

Dynamic analysis is bit more advanced. It identifies the malware by its behavior. The first behavior that dynamic analysis looks for are API (application programming interface) calls. Dynamic analysis uses system hooks to look for malicious behavior. In addition, dynamic analysis uses sandboxing. The AV software creates a virtual environment separate from the host's memory and executes the suspicious malware. In this way, the AV application can analyze the suspicious file in safe environment without risk to the physical host.

Heuristic Analysis

Most AV applications now use a heuristic engine. To simplify, heuristics use the old rule "if it walks like duck and if quacks like duck, it's probably a duck". The AV application creates a score for each file based upon various factors and then by statistical analysis determines the probability of it being malware. For instance, heuristics will look for processes that interact with the LSASS.exe process, processes with a signature from a reputable software vendor, a process that tries make itself persistent, and a process that tries to communicate out to a C&C server. The biggest downside to heuristics are the false positives where the AV application determines that a file is malicious when it is not.

Un-Packed Analysis

One of the major ways that malware developers use to evade AV applications is to pack or compress their code. In this way, they can evade static detection by creating a different signature not recognized by the AV application in the signature/static analysis. The AV vendor must develop an unpacker for each and every packer available to the malware developers. This can be a very slow and tedious process but one that is necessary if the AV is to detect malicious files that are packed.


Critical to developing techniques to evade AV is a good understanding of how antivirus works. Now that you have a good idea has these systems work, you are ready to begin to evade AV.

For more on antivirus evasion, check out;

3,475 views2 comments

Recent Posts

See All



i know of a very good hacker that can help you with any type of hacking, either phones or computers. My husband was so smooth at hiding his infidelity so I had no proof for months, I was referred to some hacker and decided to give him a try.. the result was incredible because all my cheating husband’s text messages, emails , facebook and even phone conversations was wired directly to my cellphone. Computerguru helped me put a round-the-clock monitoring on him and I got concrete evidence of his escapades..if you think your spouse is an expert at hiding his cheating adventure, you can contact them too at HENRYCLARKETHICALHACKER@GMAIL.COM on whatsapp12622367526.


You can hire Henryclarkethicalhacker for all your hacking needs which include clearing of criminal and driving records, credit hack fix, college grade changes, cloning phones, spying on anyone, hacking all social media accounts, etc,. Reach him via Henryclarkethicalhacker @ gmail com,

Text him,, Whatsapp,,+1 8 1 3 4 2 1 1 3 2 6.

bottom of page