dobin
Defender detects file copy pasted, avred doesnt
AvRed logs show that file isnt detected by antivirus, but if i copy paste the executable onto AV machine it gets detected instantly. Any guidance ?
Thats probably the AV emulator. Avred checks against/with AMSI, there may be more checks being done by the AV when actively on the system.
If what you scan is a shellcode loader, you can try adding an anti-AV-emulation technique. See my slides , 24-44.
Thanks for help. Yes it is shellcode loader, i have added the anti-av techniques. It has been working great for a couple of months, now every av is detecting it in static analysis. I have tried garble, packers, even obfuscating function calls and AST.
Can you please guide me to some project or modifying AVRed where file should be scanned either if its detected by AMSI or not, really appreciate the details and working this project has.
I recommend to add an anti-emulation to your loader, like from supermega
And i talked about it in My first and last shellcode loader, and blog article how edr works
For future reference, I also ran into this issue today. In my case, it was because MDE Cloud Protection was detecting the file, while the local component did not detect it. Apparently when scanning through AMSI, the Cloud Protection detection was not triggered. Due to @dobin's comment, I first assumed that this was due to emulation-based detection. However, in the end, it was in fact a static signature in MDE Cloud Protection. I found the signature by performing a similar binary search to AVRed, but by dropping the files on disk instead of using AMSI.
For the future, it would be nice to be able to perform this approach using AVRed, but some major changes are necessary for this. The most important one would be that AVRed should be more async to be able to handle the long waiting times for detection (up to 5 minutes), I suspect that this would require a major change to the scanning approach.
I dont know what MDE Cloud Protection does, but its good. Seems to download more IOCs, depending on previous (there is no sending files to cloud).
Avred doesnt care how the scanning is performed actually - avred_server is just an oracle, saying yes/no (detected or not). Currently by sending the blob to the installed AV via AMSI.
It is possible to change avred-server to drop the file to disk, and then wait a bit to see if it gets removed by the AV (or even EDR) after a few seconds. This would make it AMSI independant. This was actually how avred-server worked initially, but it was unbearably slow - as in hours or days. The reducer algo in avred is not built for paralell operation. As its recursive and dependant on previous results, its also non-trivial to make it work more paralell, sadly.
In my fork I have changed the algorithm to be more parallellizable, namely, by dividing the binary into more than two parts. If these parts can be scanned in parallel (by making avred more async) this will allow finding matches more quickly.
Nice commits!
And i was thinking: in recursive _scanDataPart(), each case where there are two _scanDataPart() invocations (like when both parts are detected), could just do both branches in a new thread at the same time. The longer the scan takes, the more branches it takes, the more paralell it would be.
I would suggest using async to run the invocations in parallel instead of threads. Since the waiting time is almost 100% in the avred server. So first run all _scanDataPart invocations, and then wait until they are all complete.