This is a book about the techniques used to bypass antivirus solutions and how those techniques evade the lines of defense on endpoints.
It is called Antivirus Bypass Techniques, by Nir Yehoshua and Uriel Kosayev, and it is the book that lets the reader understand the dynamics behind security solutions and what we always tell you on Cyber Ducks: that you are never safe.
The book follows a guided path: first understand what makes endpoint security solutions vulnerable, then learn the bypass techniques built on those weaknesses.
It is practical, with worked examples followed by links to PoC videos in which the two researchers, Nir Yehoshua and Uriel Kosayev, demonstrate the antivirus solutions being bypassed.
We recommend it to curious readers who want to understand an evolving sector, and to professionals who want to understand how security solutions such as antivirus and EDR can be bypassed, so that those solutions can be strengthened: understand the problems, then apply better secure coding practices and detection capabilities.
Today we are very proud to present our interview with the authors of this amazing book, Nir Yehoshua and Uriel Kosayev.
1) When was your passion and interest for cyber security born?
Uriel: My passion for cybersecurity started at a young age and formed over time around a lot of fundamental topics that I was interested in, such as programming, how a computer is built, network communication, and more.
Nir: My passion for cybersecurity started at a young age. When I was a child I already knew I wanted to pursue a career in computers in general. Over time, I familiarized myself with networking and software development practices and realized that this is what I want to do: research and develop.
2) How was the idea of your book born? When did you realize it would be a useful tool?
Nir: I was working at an antivirus software company and realized that antivirus software is not the best security solution for endpoints, so I decided to start researching one of the antivirus engines, and I discovered a lot of interesting stuff. I contacted Uriel Kosayev because I knew he had the skills, experience, and knowledge that I needed, and we started performing research on 40 different antivirus products. Part of what we discovered you can find in the book.
Uriel: I also worked at an antivirus company, but unlike Nir, the antivirus software I worked on was focused on macOS threats. While working at the company, I discovered how antivirus really works, not only on macOS but also on Windows and Linux. Nir was already doing his own antivirus research, and my recommendation was to start writing a book. After a while we started writing it, and the rest is history.
3) How has your career path influenced the writing of this book?
Uriel: I worked a lot on reverse engineering different kinds of products and malware, and on developing defense systems and detection capabilities. I realized that there is a great need for a book that covers antivirus bypass techniques followed by security best practices and tips.
Nir: I have always liked to think differently, and to read technical books. After reading several of them, I realized that most security research books are about well-known topics like malware analysis, exploitation, reverse engineering, etc.
When I researched different kinds of antivirus software, I noticed that there was no book that explains and demonstrates antivirus bypass techniques.
4) What are the three fundamental focuses of your book?
Nir and Uriel: To research, to bypass, and to make security solutions better.
5) What characteristics must a reader who approaches your text have?
Nir and Uriel: The book is for security researchers, malware analysts, reverse engineers, antivirus vendors, and other enthusiasts.
6) What's your favorite technique for bypassing an antivirus?
Uriel: The technique that we like to call "Memory Bombing".
Nir: There is no specific technique that I prefer over others, but in general, I like vulnerabilities that are not function-based problems but flow design ones.
For example, in the book you can read about an antivirus bypass technique that uses a PowerShell payload which, when executed from a .PS1 file, is detected and quarantined, but when the payload is executed directly from memory, it bypasses the antivirus.
When I approached one of the antivirus vendors and presented this type of bypass, they were amazed that their antivirus software could be bypassed this way and asked for more details, and of course they fixed the issue.
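The contrast Nir describes above (payload on disk versus payload in memory) can be reproduced with a harmless script so that a reader can see which execution path each layer of an endpoint product observes. The block below is an added example written for this page; it is not code from the book or from the authors. The payload string, the temporary file name and the "ps-demo-" marker are assumptions chosen for illustration. The defender-side check at the end reads the Script Block Logging policy key and the PowerShell Operational log (Event ID 4104), which is the Windows mechanism that records script text regardless of whether it came from a file or from memory.

```powershell
# Added example (editor's, not from the book): one benign payload, three execution paths.
# A file scanner only sees Path A. Paths B and C never write a .ps1 to disk, so only
# script-level inspection (AMSI hooks, Script Block Logging) can observe them.
$payload = 'Write-Output ("ps-demo-" + [Environment]::MachineName)'   # assumed benign payload

# Path A: payload is written to a .PS1 file and executed from the file (on-disk artifact).
$scriptPath = Join-Path $env:TEMP 'demo_payload.ps1'                   # assumed file name
Set-Content -Path $scriptPath -Value $payload -Encoding ASCII
& $scriptPath
Remove-Item $scriptPath -ErrorAction SilentlyContinue

# Path B: payload is evaluated straight from a string held in memory; no file touches disk.
Invoke-Expression $payload

# Path C: same payload delivered as a Base64 encoded command to a child PowerShell process.
# Still no file on disk; the script text exists only in the command line and in memory.
$encoded = [Convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes($payload))
powershell.exe -NoProfile -EncodedCommand $encoded

# Defender-side check: is Script Block Logging enabled by policy?
# When it is on, paths A, B and C each produce a 4104 event carrying the script text.
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging'
$enabled = (Get-ItemProperty -Path $policyKey -Name EnableScriptBlockLogging -ErrorAction SilentlyContinue).EnableScriptBlockLogging
if ($enabled -eq 1) {
    'Script Block Logging: ON (in-memory execution is recorded as Event ID 4104)'
} else {
    'Script Block Logging: OFF (paths B and C leave no script text in the event log)'
}

# Pull the recent 4104 events that contain our marker, to confirm which paths were logged.
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4104 } `
             -MaxEvents 50 -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -like '*ps-demo-*' } |
    Select-Object TimeCreated, Id
```

Run it in an elevated PowerShell session on a test machine, not on a production host. Which paths a given antivirus product flags depends entirely on that product; the point of the harness is to make the difference between a file artifact and a memory-only artifact concrete, and to show the logging control a defender can enable so that the memory-only paths are at least visible to detection logic.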
7) How do you see the future of cybersecurity and EDR solutions?
Nir and Uriel: We think it is a losing battle in which the attackers will always have the upper hand. There are groups in some companies and governments around the world whose sole goal is to find zero-day vulnerabilities in operating systems and antivirus products alike, and detecting and preventing such bypasses and exploitation attempts is impossible. Antivirus software is a good solution for well-known vulnerabilities, exploits, and malware.