Rich Macfarlane R.Macfarlane@napier.ac.uk
Associate Professor
In the rapidly evolving landscape of cybersecurity, evasion techniques are increasingly deployed in organizational vulnerability assessments and increasingly found during post-incident investigations, a response to more sophisticated defense mechanisms. However, there is no consensus on how antivirus (AV) performance against evasion methods and techniques can be methodically evaluated.
Antivirus (AV) solutions, serving as the last line of defense on users' endpoint devices, have evolved into highly complex entities, often operated as 'black boxes' from the user's perspective due to proprietary and security reasons. This dynamic places researchers and attackers in similar positions. While malware authors can fingerprint AV detection mechanisms through various evasion techniques, researchers can employ similar methods to identify improvement opportunities in security products.
Our study aims to bridge the gap in empirical research on the performance of up-to-date antivirus solutions against evasion frameworks and methods in the latest Windows environment with all defense features enabled. As a by-product of this study, I developed a custom evasion framework named BOAZ, which served as an additional and flexible AV evaluation tool. This framework is complemented by a comprehensive suite of 17 evasion tools, evaluated against 71 online AV engines and 14 carefully selected desktop AV solutions. The experimental results revealed significant insights: contemporary AVs can be successfully compromised by understanding the building blocks of evasion detection and strategically combining existing evasion methods, without requiring advanced programming skills or zero-day exploits. Moreover, the study revealed the iterative relationship between signature and behavioural detections across detection phases.
Macfarlane, R., & Xuan Meng, T. (2024, August). BOAZ, Yet Another Layered Evasion Tool: Evasion Tool Evaluations and AV Testing. Presented at blackhat USA 2024, Las Vegas, US.
| Presentation Conference Type | Presentation / Talk |
|---|---|
| Conference Name | blackhat USA 2024 |
| Start Date | Aug 3, 2024 |
| End Date | Aug 8, 2024 |
| Deposit Date | Sep 23, 2024 |
| Peer Reviewed | Not Peer Reviewed |
| Keywords | Offensive Security, Malware, Evasion, Exploitation |
Other outputs by this author:

- Evaluation of the DFET Cloud (2015). Presentation / Conference Contribution.
- Teaching penetration and malware analysis in a cloud-based environment (2015). Presentation / Conference Contribution.
- Evaluating Digital Forensic Tools (DFTs) (2014). Presentation / Conference Contribution.
- A forensic image description language for generating test images (2012). Presentation / Conference Contribution.