
Malware detection

Signature

Malware detection by signature can be achieved in several ways:

  • Comparison with a known malware hash (sha256, sha512, md5, ...)
  • The program matches multiple conditions or "rules" (for example Yara rules)
    • Looking for strings, regexes or opcode sequences
    • Comparison of the import table
    • Hashing small sections of the file and checking them against a database
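The three signature techniques listed above, side by side in one scanner, as an added example that is not part of the original page: a whole-file hash lookup, hashing of fixed-size sections against a chunk database, and a Yara-style rule that combines a regex, an opcode sequence and an import-table check under an "at least N of them" condition. The two input "files", the rule, the chunk size and the constant-chunk filter are all constructed for this example; the import extraction is a toy stand-in for walking a real PE import directory.

```python
import hashlib
import re
from dataclasses import dataclass, field

# Constructed sample inputs (not real malware): a harmless file and one carrying indicators.
BENIGN_FILE = (
    b"MZ\x90\x00" + b"Hello from a harmless program.\n"
    + b"\x00" * 64
    + b"kernel32.dll\x00ExitProcess\x00GetTickCount\x00"
)
SUSPECT_FILE = (
    b"MZ\x90\x00" + b"http://example.invalid/stage2.bin\n"   # constructed URL
    + b"\x55\x8b\xec\x83\xec\x10"                           # constructed opcode sequence
    + b"\x00" * 32
    + b"kernel32.dll\x00VirtualAlloc\x00WriteProcessMemory\x00CreateRemoteThread\x00"
)

def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

# 1. Whole-file hash: exact match only; changing a single byte defeats it.
KNOWN_HASHES = {sha256(SUSPECT_FILE): "Constructed.Sample.A"}

def lookup_hash(data: bytes, db=KNOWN_HASHES):
    return db.get(sha256(data))

# 2. Section hashing: hash fixed-size chunks so a partial match still fires when other
#    parts of the file were changed. Constant chunks (zero padding etc.) are skipped
#    because they would match almost any file.
CHUNK = 32  # constructed; real tools use larger or content-defined chunks

def chunk_hashes(data: bytes, size: int = CHUNK) -> set:
    out = set()
    for i in range(0, len(data) - size + 1, size):
        piece = data[i:i + size]
        if len(set(piece)) > 1:
            out.add(sha256(piece))
    return out

KNOWN_CHUNKS = chunk_hashes(SUSPECT_FILE)

def chunk_overlap(data: bytes, db=KNOWN_CHUNKS) -> int:
    """Number of chunks of `data` whose hash is in the known-bad chunk database."""
    return len(chunk_hashes(data) & db)

# 3. Rule matching in the style of a Yara rule: several indicator types plus a
#    condition ("at least N of them"), so one weak indicator alone does not fire.
@dataclass
class Rule:
    name: str
    strings: list = field(default_factory=list)   # literal byte strings
    regexes: list = field(default_factory=list)   # byte regexes
    opcodes: list = field(default_factory=list)   # raw opcode sequences
    imports: set = field(default_factory=set)     # API names that must all be imported
    min_hits: int = 2

def extract_imports(data: bytes) -> set:
    """Toy import extraction: NUL-separated ASCII names following the first '.dll'.
    A real scanner walks the PE import directory (e.g. with the pefile module)."""
    idx = data.find(b".dll\x00")
    if idx < 0:
        return set()
    return {n.decode("ascii") for n in data[idx + 5:].split(b"\x00") if n.isalpha()}

def match_rule(rule: Rule, data: bytes) -> list:
    """Return the indicators that fired, or [] when fewer than rule.min_hits did."""
    hits = [f"string:{s!r}" for s in rule.strings if s in data]
    hits += [f"regex:{p!r}" for p in rule.regexes if re.search(p, data)]
    hits += [f"opcodes:{o.hex()}" for o in rule.opcodes if o in data]
    if rule.imports and rule.imports <= extract_imports(data):
        hits.append("imports:" + ",".join(sorted(rule.imports)))
    return hits if len(hits) >= rule.min_hits else []

INJECTION_RULE = Rule(
    name="Constructed.Injection.Indicators",
    regexes=[rb"https?://[\w.\-]+/[\w.\-]+\.bin"],
    opcodes=[b"\x55\x8b\xec"],   # push ebp; mov ebp, esp: a common prologue, weak on its own
    imports={"VirtualAlloc", "WriteProcessMemory", "CreateRemoteThread"},
)

def scan(data: bytes, rules=(INJECTION_RULE,)) -> dict:
    """Combine the three signature techniques into one verdict."""
    fired = []
    for r in rules:
        hits = match_rule(r, data)
        if hits:
            fired.append((r.name, hits))
    verdict = {"hash": lookup_hash(data), "chunk_overlap": chunk_overlap(data), "rules": fired}
    verdict["malicious"] = bool(verdict["hash"] or verdict["chunk_overlap"] or fired)
    return verdict

if __name__ == "__main__":
    # A one-byte change inside the zero padding defeats the whole-file hash
    # but neither the chunk hashes nor the rule.
    variant = SUSPECT_FILE[:60] + b"\x01" + SUSPECT_FILE[61:]
    for label, blob in [("benign", BENIGN_FILE), ("suspect", SUSPECT_FILE), ("variant", variant)]:
        print(label, scan(blob))
```

The `variant` run shows why the three techniques are layered: a single modified byte makes `lookup_hash` miss, while the unchanged chunks and the rule still identify the file. Note that fixed-offset chunking also misses when bytes are inserted rather than replaced, because every later chunk boundary shifts; that is why production scanners favour rolling or content-defined chunking.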

Behavioral

The potentially malicious program is run in a sandbox and its behaviour is analysed.

Well-known sandboxes: any.run, Cuckoo, Joe Sandbox, ...

The purpose of the sandbox is to detect malicious behaviour, such as:

  • Unpacking of malicious code
  • Modifying configuration files or the Windows registry
  • Observing keystrokes
  • Spawning subprocesses such as cmd.exe
  • Data exfiltration
  • Attempting to persist on the host
  • ...
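How the behaviours in this list are turned into a verdict, as an added example that is not part of the original page: a small rule engine run over a sandbox API trace. The trace format (one JSON event per line), the two traces, the rule weights and the verdict threshold are all constructed here; real sandboxes have their own report schemas. Each rule maps to one bullet above, and the unpacking rule shows that some behaviours need an ordered pair of events rather than a single call.

```python
import json

# Constructed sandbox traces, one JSON object per line (format invented for this example).
SUSPECT_TRACE = r"""
{"ts": 1, "pid": 100, "api": "NtAllocateVirtualMemory", "args": {"protect": "PAGE_EXECUTE_READWRITE", "size": 65536}}
{"ts": 2, "pid": 100, "api": "NtWriteVirtualMemory", "args": {"size": 61440}}
{"ts": 3, "pid": 100, "api": "RegSetValueExW", "args": {"key": "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run", "value": "Updater"}}
{"ts": 4, "pid": 100, "api": "CreateProcessW", "args": {"image": "C:\\Windows\\System32\\cmd.exe", "parent": 100}}
{"ts": 5, "pid": 100, "api": "SetWindowsHookExW", "args": {"hook": "WH_KEYBOARD_LL"}}
{"ts": 6, "pid": 100, "api": "InternetConnectW", "args": {"host": "203.0.113.10", "port": 443}}
{"ts": 7, "pid": 100, "api": "HttpSendRequestW", "args": {"bytes_out": 2097152}}
"""
BENIGN_TRACE = r"""
{"ts": 1, "pid": 200, "api": "CreateFileW", "args": {"path": "C:\\Users\\user\\notes.txt"}}
{"ts": 2, "pid": 200, "api": "ReadFile", "args": {"size": 512}}
{"ts": 3, "pid": 200, "api": "HttpSendRequestW", "args": {"bytes_out": 1024}}
"""

def parse_trace(text: str) -> list:
    return [json.loads(line) for line in text.splitlines() if line.strip()]

# One predicate per behaviour; each takes the full event list because some
# behaviours are only visible as a sequence.
def unpacking(events) -> bool:
    """Executable+writable memory allocated and then written to: code staged at run time."""
    rwx_ts = [e["ts"] for e in events
              if e["api"].endswith("AllocateVirtualMemory")
              and e["args"].get("protect") == "PAGE_EXECUTE_READWRITE"]
    return any(e["api"].endswith("WriteVirtualMemory") and e["ts"] > t
               for e in events for t in rwx_ts)

def registry_persistence(events) -> bool:
    """Value written under an autostart (Run) key."""
    return any(e["api"].startswith("RegSetValue")
               and "\\currentversion\\run" in e["args"].get("key", "").lower()
               for e in events)

def shell_spawn(events) -> bool:
    return any(e["api"].startswith("CreateProcess")
               and e["args"].get("image", "").lower().endswith(("\\cmd.exe", "\\powershell.exe"))
               for e in events)

def keystroke_capture(events) -> bool:
    return any(e["api"].startswith("SetWindowsHookEx")
               and e["args"].get("hook") in ("WH_KEYBOARD", "WH_KEYBOARD_LL")
               for e in events)

def exfiltration(events, threshold: int = 1_000_000) -> bool:
    """Outbound volume above a (constructed) threshold."""
    return sum(e["args"].get("bytes_out", 0)
               for e in events if e["api"].startswith("HttpSendRequest")) >= threshold

RULES = [  # (description, predicate, weight); weights are constructed for the example
    ("unpacking of code into executable memory", unpacking, 3),
    ("persistence via Run key", registry_persistence, 3),
    ("spawns a shell (cmd.exe / powershell.exe)", shell_spawn, 2),
    ("installs a keyboard hook", keystroke_capture, 3),
    ("large outbound transfer", exfiltration, 2),
]
MALICIOUS_THRESHOLD = 5  # constructed

def analyse(trace_text: str) -> dict:
    """Run every rule over the trace and return the fired rules, score and verdict."""
    events = parse_trace(trace_text)
    fired = [(desc, w) for desc, pred, w in RULES if pred(events)]
    score = sum(w for _, w in fired)
    return {"score": score, "fired": [d for d, _ in fired],
            "verdict": "malicious" if score >= MALICIOUS_THRESHOLD else "clean"}

if __name__ == "__main__":
    print("suspect:", analyse(SUSPECT_TRACE))
    print("benign: ", analyse(BENIGN_TRACE))
```

Scoring with weights rather than a single hit keeps one common action (a process launching cmd.exe, a large upload) from condemning a sample by itself. A clean result is also weaker evidence than a fired rule: a sample that detects the sandbox or simply waits longer than the analysis window produces an empty trace.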

AMSI - Anti-Malware Scan Interface

AMSI is a Windows feature that scans scripts as they enter memory. It does not check the scripts itself; instead it provides hooks for AV publishers, allowing existing antivirus software to obtain a copy of the script about to be executed, scan it, and decide whether or not it is safe to run.
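The hook arrangement described above, as an added example in the form of a simplified Python model (it is not the Windows API and not code from the page): a scan interface that fans each request out to registered providers, a provider that does the actual inspection, and a script host that submits every block to the interface right before executing it, including a block that only exists after a base64 string has been decoded at run time. The verdict values are the ones defined in amsi.h; the provider, the signature marker and the two scripts are constructed, and the "interpreter" understands a single decode-and-evaluate construct.

```python
import base64
import re
from enum import IntEnum

class AmsiResult(IntEnum):
    """Verdict values as defined in amsi.h; everything >= DETECTED counts as malware."""
    CLEAN = 0
    NOT_DETECTED = 1
    DETECTED = 32768

def result_is_malware(result: int) -> bool:
    """Mirrors the AmsiResultIsMalware() macro."""
    return result >= AmsiResult.DETECTED

class SignatureProvider:
    """Stand-in for an AV vendor's provider: the component that actually inspects content."""
    def __init__(self, name: str, patterns):
        self.name = name
        self.patterns = [re.compile(p, re.IGNORECASE) for p in patterns]

    def scan(self, content: str, content_name: str, session) -> AmsiResult:
        if any(p.search(content) for p in self.patterns):
            return AmsiResult.DETECTED
        return AmsiResult.NOT_DETECTED

class ScanInterface:
    """Model of amsi.dll: passes each request to every registered provider and
    returns the worst verdict together with the per-provider results."""
    def __init__(self):
        self.providers = []

    def register(self, provider):
        self.providers.append(provider)

    def scan_string(self, content: str, content_name: str, session):
        results = {p.name: p.scan(content, content_name, session) for p in self.providers}
        return max(results.values(), default=AmsiResult.NOT_DETECTED), results

class ScriptHost:
    """Model of a script host (PowerShell-like) that submits every block to AMSI right
    before executing it, including blocks produced at run time by decoding a string."""
    def __init__(self, amsi: ScanInterface):
        self.amsi = amsi
        self.session = object()      # stands in for the AMSI session handle
        self.scanned = []            # (content_name, verdict) for every scan request made

    def run(self, script: str, name: str = "script.ps1") -> bool:
        verdict, _ = self.amsi.scan_string(script, name, self.session)
        self.scanned.append((name, int(verdict)))
        if result_is_malware(verdict):
            return False             # host refuses to execute the block
        # Toy interpreter: the only construct understood is "decode a base64 string and
        # evaluate it", which is the moment the decoded text enters memory.
        m = re.search(r'FromBase64String\("([A-Za-z0-9+/=]+)"\)', script)
        if m and "Invoke-Expression" in script:
            inner = base64.b64decode(m.group(1)).decode()
            return self.run(inner, name="decoded-block")
        return True

# Constructed test scripts: the marker is an invented signature string and the inner
# script is harmless; what matters is that the marker is hidden behind base64.
MARKER = "CONSTRUCTED-MALICIOUS-MARKER"
INNER_SCRIPT = f'Write-Host "{MARKER}"'
OBFUSCATED_SCRIPT = (
    '$d = [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String("'
    + base64.b64encode(INNER_SCRIPT.encode()).decode()
    + '")); Invoke-Expression $d'
)
PLAIN_SCRIPT = 'Write-Host "hello"'

def build_host() -> ScriptHost:
    amsi = ScanInterface()
    amsi.register(SignatureProvider("ExampleAV", [re.escape(MARKER)]))
    return ScriptHost(amsi)

if __name__ == "__main__":
    host = build_host()
    print("plain      ->", host.run(PLAIN_SCRIPT))
    print("obfuscated ->", host.run(OBFUSCATED_SCRIPT))
    print(host.scanned)
```

The `scanned` list after running `OBFUSCATED_SCRIPT` has two entries: the outer text passes (the marker is not visible in it), and the decoded block is caught. That is the value of scanning at the point where content enters memory rather than on disk: the provider sees what the host is about to execute, after whatever decoding the script performed.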