hi
I attach pdf papers about AV bypass (pwn2kill) contest launched by the French engineer school ESIEA (IAWACS.zip)
As a simple pdf, an overview of the results (even imperfect, DrWeb self-protection was the less vulnerable http://www.docstoc.com/docs/89374475/An ... ge-Results , but i guess that the students have used known methods and had only a few minutes to do it).
According to kamarade lieutenant colonel Eric Filiol, another kill contest will occur at the end of this month, but i doubt that foreigners are admitted
http://cvo-lab.blogspot.fr/2012/08/pers ... lable.html
If it is permitted, a few words about the right terminology.
An antivirus is often evaded, sometimes eluded, the same for an Network based IDS
A firewall and an HIPS are often bypassed...
Now if the challenge is the self-protection and not the pattern file detection (polymorphism, oligomorphysm etc) then the HIPS terminology (Bypass) can also be used.
The easiest way to deactivate an AV is to add a routine that change system date, as most of them do not restrict some privileges.
As a challenge, HIPS (mostly Sandboxie and DefenseWall for the personal market) appears more interesting.
Regarding the test environment, i do not see the need of a VM, i prefer disk imaging, or reborn PCI card http://www.juzt-reboot.com/
As the GIGN special French police who practise the Trust Shoot against each other to have real training conditions (http://www.gign-historique.com/wp-conte ... 994-02.jpg ), testing must also be done in real life environments (does the average user run the OS in a VM? )...
rgds
I attach pdf papers about AV bypass (pwn2kill) contest launched by the French engineer school ESIEA (IAWACS.zip)
As a simple pdf, an overview of the results (even imperfect, DrWeb self-protection was the less vulnerable http://www.docstoc.com/docs/89374475/An ... ge-Results , but i guess that the students have used known methods and had only a few minutes to do it).
According to kamarade lieutenant colonel Eric Filiol, another kill contest will occur at the end of this month, but i doubt that foreigners are admitted
http://cvo-lab.blogspot.fr/2012/08/pers ... lable.html
If it is permitted, a few words about the right terminology.
An antivirus is often evaded, sometimes eluded, the same for an Network based IDS
A firewall and an HIPS are often bypassed...
Now if the challenge is the self-protection and not the pattern file detection (polymorphism, oligomorphysm etc) then the HIPS terminology (Bypass) can also be used.
The easiest way to deactivate an AV is to add a routine that change system date, as most of them do not restrict some privileges.
As a challenge, HIPS (mostly Sandboxie and DefenseWall for the personal market) appears more interesting.
Regarding the test environment, i do not see the need of a VM, i prefer disk imaging, or reborn PCI card http://www.juzt-reboot.com/
As the GIGN special French police who practise the Trust Shoot against each other to have real training conditions (http://www.gign-historique.com/wp-conte ... 994-02.jpg ), testing must also be done in real life environments (does the average user run the OS in a VM? )...
rgds
Attachments
a summary of the av kill contest
(702.12 KiB) Downloaded 70 times
(702.12 KiB) Downloaded 70 times
several pdf files related to AV evasion methods
(5.13 MiB) Downloaded 96 times
(5.13 MiB) Downloaded 96 times
Security? Yeah But Well: http://www.ouaismaisbon.ch/ )