
I'd like to verify that my payload won't get caught by any AVs and ideally EDRs. One way to do this is of course uploading it to VirusTotal and having it scan / check against popular antivirus engines.

Of course, the risk here is that submitting a sample to VT might blow your cover and have your sample end up in those very AV databases. Most evasion tools such as Veil-Evasion or Hyperion advise against submitting to VT.

One option is to purchase a subscription to each AV you're interested in testing against, installing them on a VM and scanning your sample with the network connection disabled. I assume someone has made a tool for this and I don't need to do this myself.

I've searched, and both Malice and MalwareMultiScan are tools to do just this. However, both are no longer maintained. In fact, MalwareMultiScan mentions in its readme that it was created because Malice is no longer functional.

VirusTotal does seem to offer a private scan but apparently this doesn't actually give you the AV verdicts:

Note that private analyses won't contain antivirus verdicts, they will contain only the output of all the other characterization and contextualization tools that we run, including sandboxes.

So that's useful, but not quite what we're looking for. I'd even be fine if it submitted the sample after a few days. After all, I'm not looking to develop malware that stays undetected indefinitely (although it would be nice if it did) and I accept this is inevitably a cat and mouse game.

There's a similar question here but many of the tools suggested are similarly maintained. I suspect this may have to do with them being abused by the actual bad guys? Or maybe it's just that security folks aren't super interested in maintaining tools like this long term. There's definitely an ethical question of whether providing this sort of capability to anyone helps the "bad guys" more than the "good guys", but I think you can ask that question about most tools a red team would use. Is there something ethically different about maintaining an AV scanner than there is about maintaining a tool to evade AVs? Regardless:

How do the legit red teams or pentesters do it? How do the bad guys do it? Surely their methods can't differ too much. Is spinning up VMs with your AV of choice the way to go? That does seem like the most fool-proof / future-proof method of testing a payload's detection.

  • I see a flaw in your logic… if you scan it and it gets caught, then you'll have to improve it to stop it being caught… which means it'll be different to the one in the AV's database.
    Commented Nov 16, 2024 at 2:27
  • Regardless, if you do edit it, you'll want to test it again. If that testing results in the sample getting into the AV's DB, you have the same problem. Provided scanning does result in your sample ending up in the DB, the only solution is to not test it. Obviously that's an option, but the question is how to test without submitting it to an antivirus database.
    – klvs
    Commented Nov 16, 2024 at 2:34
  • Yes, but when you finally do get it to a point of being able to pass, it won't end up in the database.
    Commented Nov 16, 2024 at 2:38
  • Ah I see what you're saying. So for a red team, we don't really need to worry about it getting retroactively flagged? It still seems like a bad idea to submit your sample. VT may eventually figure out it's malicious and flag it. My understanding is that submissions get extra scrutiny even if they pass. No? Otherwise these tools like Veil-Evasion wouldn't ask you not to submit, right?
    – klvs
    Commented Nov 16, 2024 at 3:25
  • Well I could be wrong, maybe it is better to still not submit it, in which case this question makes sense. I am not doubting you, just pointing out what I thought you might have missed.
    Commented Nov 16, 2024 at 3:50
