Chapter 12: Bypassing Antivirus Applications Quiz

Questions and Answers

What is the main difference between static analysis and dynamic analysis in antivirus programs?

• Static analysis compares potentially dangerous code to rules and patterns while dynamic analysis tests for malicious activity. (correct)
• Static analysis matches known malicious code while dynamic analysis looks for virus signatures.
• Static analysis tests for malicious activity while dynamic analysis compares code to a set of patterns.
• Static analysis updates antivirus definitions regularly while dynamic analysis uses fast pattern matching techniques.

How do antivirus programs detect viruses through signature-based detection?

• By trying to replace every file on the hard drive every 30 seconds.
• By looking for digital signatures embedded in the virus code.
• By searching for large sections of the virus code within files.
• By comparing the analyzed object with a database of signatures. (correct)

What is the potential issue with using small virus signatures in antivirus scanners?

• It may not be able to search for encrypted viruses.
• It may slow down the scanning process significantly.
• It could lead to false positives. (correct)
• It could miss simple variants of viruses.

Why are encrypted viruses more difficult to detect by antivirus programs?

Because the main body of the program is encrypted which makes the virus code meaningless until decrypted. (A)

What is the significance of polymorphic and metamorphic viruses?

Both are difficult to detect due to having few fixed characteristic patterns in their codes. (D)

In antivirus software, what is a 'false positive'?

When no intrusion occurs but an alarm is triggered. (A)

Which firewall is enabled by default in Windows 10 and Windows 11?

Windows Defender Firewall (B)

What type of firewall is the Windows Defender Firewall?

Stateful firewall (D)

What change did Microsoft Defender Antivirus make in 2015?

Moved away from using a static signature-based engine (D)

Which command can be used in PowerShell to see Windows Defender information?

Get-MpComputerStatus (C)

What is one way to see which antivirus solutions will flag a program as malicious?

Upload the file to VirusTotal (D)

What is the primary purpose of an encoder in the context of exploits?

To obfuscate the payload to avoid detection (D)

What kind of malware appears to perform a useful task but also has negative consequences?

Trojan (C)

Which tool allows embedding a Metasploit payload inside a legitimate binary?

Msfvenom (C)

What is the purpose of the -k flag in Msfvenom?

Keep the executable template intact (A)

Which hash function is suggested for checking Trojans due to concerns about MD5 hash collisions?

SHA-2 (C)

What does a one-way hash function produce as output?

A fixed-size message digest (A)

In Fred Cohen's example virus, what does the 'trigger-pulled' subroutine do?

Cause damage under certain conditions (B)

What does compression-enabled filesystem monitoring help detect?

Viruses (D)

What concept refers to the various ways viruses can insert themselves into computer code?

'Degrees of Complication' (D)

What is the primary purpose of a polymorphic virus?

To encrypt the virus program body using a different key for each copy (D)

What is the main technique used by metamorphic viruses to avoid detection?

Changing the code structure and signature with each new version (C)

What is the primary purpose of the quarantine feature in antivirus software?

To isolate suspicious files in a secure folder for further analysis and action (C)

Which of the following techniques is NOT mentioned as a way to bypass antivirus detection?

Polymorphic encryption: using a different encryption key for each copy of the virus (A)

What is the relationship between Windows Defender and Microsoft Security Essentials?

Microsoft Security Essentials was an earlier version of Windows Defender, which later replaced it (C)

What is the purpose of using encoders in Msfvenom?

To make the payload more difficult for antivirus programs to detect (B)

Which encoder is considered to have an excellent rank and is even polymorphic in nature?

x86/shikata_ga_nai (C)

What is the purpose of using multi-encoding when creating a malicious executable with Msfvenom?

To bypass more antivirus programs by applying multiple layers of encoding (D)

In the context of creating an encoded malicious executable, what does the '-x' option in Msfvenom represent?

The legitimate executable file to embed the payload into (A)

What is the purpose of the 'evasion modules' introduced in Metasploit 5?

To implement techniques for evading antivirus detection (D)

Which of the following statements is true about the 'windows_defender_exe' evasion module in Metasploit?

It encodes the payload and adds junk data to bypass Windows Defender (B)

What is one of the best ways to avoid antivirus programs altogether?

Avoiding traditional payloads and mimicking functionality with Windows APIs (C)

What is the purpose of using a code-signing certificate when creating a malicious executable?

To make the executable appear more legitimate and bypass antivirus detection (D)

Which of the following statements is true about the '-a' and '--platform' options in Msfvenom when creating a multi-encoded executable?

'-a' specifies the architecture (e.g., x86, x64), and '--platform' specifies the target operating system (A)

In the context of the text, what does the term 'polymorphic' refer to?

A technique where the payload is constantly changing to avoid detection (C)

Flashcards

Static Analysis

Compares code to known rules and patterns

Dynamic Analysis

Tests code by running it to detect malicious behavior

Signature-based Detection

Detects viruses by matching code to a database of known virus signatures

False Positive

May cause incorrect identification of safe files as viruses

Encrypted Viruses

Difficult to detect due to encryption of the main code body

Polymorphic/Metamorphic Viruses

Evolve to avoid detection by changing their code

Windows Defender Firewall

Enabled by default in Windows 10 and 11, a stateful firewall

Get-MpComputerStatus

Command to view Windows Defender information in PowerShell

VirusTotal

Tool to check if antivirus programs flag a file as malicious

Encoder

Obfuscates payload code to avoid antivirus detection

Trojan

Malware that pretends to be useful but causes harm

Msfvenom

Embeds a Metasploit payload inside a legitimate binary

Msfvenom -k flag

Keeps the executable template intact

SHA-2

Recommended hash function for checking Trojans

One-way Hash Function

Produces a fixed-size message digest as output

'trigger-pulled' Subroutine

Causes damage under certain conditions

Compression-Enabled Filesystem Monitoring

Helps detect the spread of viruses

Degrees of Complication

Ways a virus inserts itself into computer code

Polymorphic Virus

Encrypts the virus body using a different key for each copy

Metamorphic Virus

Changes code structure and signature with each new version

Quarantine

Isolate suspicious files in a secure folder

Encoders in Msfvenom

Make the payload more difficult for antivirus programs to detect

x86/shikata_ga_nai

Considered to have an excellent rank even polymorphic in nature

Multi-Encoding

Bypass more antivirus programs by applying multiple layers of encoding

Msfvenom's '-x' option

The legitimate executable file to embed the payload into

Evasion Modules

Implement techniques for evading antivirus detection

windows_defender_exe' evasion module

Encodes the payload and adds junk data to bypass Windows Defender

Avoid antivirus programs

Avoiding traditional payloads and mimicking functionality with Windows APIs

Code-signing certificate

make the executable appear more legitimate and bypass antivirus detection

Polymorphic

A technique where the payload is constantly changing to avoid detection