Description: Blog post link http://computer-forensics.sans.org/blog/2012/04/09/is-anti-virus-really-dead-...
For more checkout http://pauldotcom.com
Here is the blog post: http://computer-forensics.sans.org/blog/2012/04/09/is-anti-virus-really-dead-a-real-world-simulation-created-for-forensic-data-yields-surprising-results
Well, let's see.
I would like to point out that, from my point of view, pentesters these days focus a lot on company security. When they are talking about security they have in mind large corporate networks and stuff like that. I find that kinda lame and boring, but I think it's true.
Now when we are talking about attacks of this magnitude, obviously the attackers are more sophisticated. Therefore bypassing antivirus might indeed be an easy task.
If we put that aside, from my experience on SecurityTube there is an unspoken conclusion that bypassing AV requires some thinking. If I recall correctly, armitage1989's video used a rather clever technique to bypass AV, proving that it's not THAT easy.
I have also looked at some papers regarding the matter and I understood that it requires some knowledge of debugging code, assembly and then some clever coding/encoding.
So, I don't know, does this guy take these into consideration? Because he mentioned Metasploit and msfvenom/msfencode, and these tools by no means help you bypass antiviruses these days.
From my perspective, being a newb to pentesting, bypassing AV is a... challenging issue. As I said, he is probably talking about sophisticated attacks, so he is most likely right about those.
What do you guys think?
Hey,
first I want to say "thank you for the video, j0k3r" :)
I also think that it is often not as easy as he thinks it is. But maybe we really see it only from a non-professional view. If I were a professional pentester and infiltrated company networks day after day, I think I would also think that this isn't any problem.
For me, as an interested amateur who at work only has an administrative overview of the company's security settings, this is not that easy...
I know there are possibilities to bypass AVs (msfencode, concatenate the payload to an existing program, etc.) and even to deactivate them when I'm on the target system (using a shell to deactivate the startup process of the AV, like Vivek did in his Metasploit Megaprimer :))
But I do not think that this is that easy. Especially the encoding of the payload does not work against every AV...
But for a professional attacker (also an amateur) it is definitely easier only to bypass the AV than to bypass a firewall, be undetectable by IDS/IPS and then successfully attack a client over the network.
Nevertheless, the guy in the video is right that many companies invest a lot of their money in firewalls, IDS, IPS, etc. but do not look closely enough at what the employees are doing and how to avoid employee misconduct :)