Chapter 12: Bypassing Antivirus Applications Quiz

Questions and Answers

What is the main difference between static analysis and dynamic analysis in antivirus programs?

• Static analysis compares potentially dangerous code to rules and patterns while dynamic analysis tests for malicious activity. (correct)
• Static analysis matches known malicious code while dynamic analysis looks for virus signatures.
• Static analysis tests for malicious activity while dynamic analysis compares code to a set of patterns.
• Static analysis updates antivirus definitions regularly while dynamic analysis uses fast pattern matching techniques.

How do antivirus programs detect viruses through signature-based detection?

• By trying to replace every file on the hard drive every 30 seconds.
• By looking for digital signatures embedded in the virus code.
• By searching for large sections of the virus code within files.
• By comparing the analyzed object with a database of signatures. (correct)

What is the potential issue with using small virus signatures in antivirus scanners?

• It may not be able to search for encrypted viruses.
• It may slow down the scanning process significantly.
• It could lead to false positives. (correct)
• It could miss simple variants of viruses.

Why are encrypted viruses more difficult to detect by antivirus programs?

Because the main body of the program is encrypted which makes the virus code meaningless until decrypted. (A)

What is the significance of polymorphic and metamorphic viruses?

Both are difficult to detect due to having few fixed characteristic patterns in their codes. (D)

In antivirus software, what is a 'false positive'?

When no intrusion occurs but an alarm is triggered. (A)

Which firewall is enabled by default in Windows 10 and Windows 11?

Windows Defender Firewall (B)

What type of firewall is the Windows Defender Firewall?

Stateful firewall (D)

What change did Microsoft Defender Antivirus make in 2015?

Moved away from using a static signature-based engine (D)

Which command can be used in PowerShell to see Windows Defender information?

Get-MpComputerStatus (C)

What is one way to see which antivirus solutions will flag a program as malicious?

Upload the file to VirusTotal (D)

What is the primary purpose of an encoder in the context of exploits?

To obfuscate the payload to avoid detection (D)

What kind of malware appears to perform a useful task but also has negative consequences?

Trojan (C)

Which tool allows embedding a Metasploit payload inside a legitimate binary?

Msfvenom (C)

What is the purpose of the -k flag in Msfvenom?

Keep the executable template intact (A)

Which hash function is suggested for checking Trojans due to concerns about MD5 hash collisions?

SHA-2 (C)

What does a one-way hash function produce as output?

A fixed-size message digest (A)

In Fred Cohen's example virus, what does the 'trigger-pulled' subroutine do?

Cause damage under certain conditions (B)

What does compression-enabled filesystem monitoring help detect?

Viruses (D)

What concept refers to the various ways viruses can insert themselves into computer code?

'Degrees of Complication' (D)

What is the primary purpose of a polymorphic virus?

To encrypt the virus program body using a different key for each copy (D)

What is the main technique used by metamorphic viruses to avoid detection?

Changing the code structure and signature with each new version (C)

What is the primary purpose of the quarantine feature in antivirus software?

To isolate suspicious files in a secure folder for further analysis and action (C)

Which of the following techniques is NOT mentioned as a way to bypass antivirus detection?

Polymorphic encryption: using a different encryption key for each copy of the virus (A)

What is the relationship between Windows Defender and Microsoft Security Essentials?

Microsoft Security Essentials was an earlier version of Windows Defender, which later replaced it (C)

What is the purpose of using encoders in Msfvenom?

To make the payload more difficult for antivirus programs to detect (B)

Which encoder is considered to have an excellent rank and is even polymorphic in nature?

x86/shikata_ga_nai (C)

What is the purpose of using multi-encoding when creating a malicious executable with Msfvenom?

To bypass more antivirus programs by applying multiple layers of encoding (D)

In the context of creating an encoded malicious executable, what does the '-x' option in Msfvenom represent?

The legitimate executable file to embed the payload into (A)

What is the purpose of the 'evasion modules' introduced in Metasploit 5?

To implement techniques for evading antivirus detection (D)

Which of the following statements is true about the 'windows_defender_exe' evasion module in Metasploit?

It encodes the payload and adds junk data to bypass Windows Defender (B)

What is one of the best ways to avoid antivirus programs altogether?

Avoiding traditional payloads and mimicking functionality with Windows APIs (C)

What is the purpose of using a code-signing certificate when creating a malicious executable?

To make the executable appear more legitimate and bypass antivirus detection (D)

Which of the following statements is true about the '-a' and '--platform' options in Msfvenom when creating a multi-encoded executable?

'-a' specifies the architecture (e.g., x86, x64), and '--platform' specifies the target operating system (A)

In the context of the text, what does the term 'polymorphic' refer to?

A technique where the payload is constantly changing to avoid detection (C)