27. In evasion, how can one bypass domestic antivirus software? What exactly are antivirus products detecting? Why can the same methods not bypass foreign antivirus software such as Kaspersky?
Localised signatures: Domestic security software may tailor its virus database and detection logic based on the domestic user environment and attack trends. This means they might have more granular detection rules for common local attack techniques.
Detection technology: Security software typically uses heuristic analysis, behavioural monitoring, static and dynamic analysis, etc., to identify malware. This includes checking file hashes, strings, and file behaviour.
Evasion strategies: To bypass these detections, attackers use various evasion strategies, such as modifying malicious code, using encryption or encoding to alter its characteristics, or executing code only in memory.
Regional differences: Foreign security software, like Kaspersky, may focus more on global threat intelligence, and their detection logic and response teams may differ from domestic ones. Consequently, certain evasion techniques effective domestically may not work against foreign security products.
Split evasion: In evasion technology, split evasion refers to dividing malicious code into multiple parts stored in different locations and combining them only at runtime for execution. This reduces the probability of being detected by a single detection point.
Monolithic evasion: In contrast to split evasion, monolithic evasion means the malicious code exists as a single, self‑contained unit, with the whole being modified to achieve evasion.
Exploitation of vulnerabilities for initial compromise: The question “What vulnerability is commonly used for initial compromise?” may relate to exploiting specific system vulnerabilities during the evasion process to help the malware bypass security software detection.
Mainstream methods: Currently, further modification and compilation of shellcode has become the mainstream approach for MSF evasion. Many online resources use languages such as C, C#, and Python to re‑encode shellcode to achieve evasion.