Antivirus Evasion -> Exclusions

by Vince
in Blog

In the real world, systems have endpoint protection installed, and a lot of the tools we'd like to drop on the system will get detected. Loading in memory is definitely an option, but let's say we want to drop some tools onto the file system. One option is to look at what is installed and hope to find a product that requires endpoint exclusions. For example, Desktop Central from ManageEngine requires exclusions, and if we can use that excluded directory for our files, we can evade endpoint protection.

For our test, we're going to use the EICAR test file. Some background in case you're unfamiliar with this test file: "The European Institute for EICAR developed the EICAR antimalware test file. The EICAR test file is a legitimate DOS program that is detected as malware by antivirus software. When the test file runs successfully (if it is not detected and blocked), it prints the message "EICAR-STANDARD-ANTIVIRUS-TEST-FILE!"."

This is what the test string looks like:

Again: we're hunting around the file system, we notice Desktop Central, we do some Googling, and we come across the recommended exclusion:

We drop our test file into the exclusion directory:

The test file goes undetected:

If we were to drop this into any other directory, it would immediately get detected, but not in the exclusion directory, which makes it a perfect place to drop our tools.
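The defensive counterpart to the above, added here and not part of the original post: a PowerShell audit that lists the local Microsoft Defender path exclusions and flags any that standard users can write to, which is exactly the condition this post relies on. It assumes Windows with the Defender cmdlets (Get-MpPreference) available and an elevated prompt; the set of "broad" identities and the status labels are my own choices.

```powershell
# Added example: audit Defender path exclusions for directories that
# non-administrators can write to. Not code from the original post.
# Assumes: Windows, Defender PowerShell module, run as administrator.

# Identities whose write access makes an exclusion usable by any local user
# (assumption: this list is what we consider "broad"; extend as needed).
$broadWriters = @('Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users')

# Any of these rights lets a user create or alter files under the path.
$writeMask = [System.Security.AccessControl.FileSystemRights] 'Write, Modify, FullControl'

function Test-BroadlyWritable {
    param([string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) { return $false }   # exclusion for a path that does not exist
    $acl = Get-Acl -LiteralPath $Path
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($broadWriters -notcontains $ace.IdentityReference.Value) { continue }
        if (($ace.FileSystemRights -band $writeMask) -ne 0) { return $true }
    }
    return $false
}

$pref = Get-MpPreference
if (-not $pref.ExclusionPath) {
    Write-Host 'No path exclusions configured.'
}
foreach ($raw in $pref.ExclusionPath) {
    # Exclusions may be stored with %VAR% references; expand before checking ACLs.
    $path = [Environment]::ExpandEnvironmentVariables($raw)
    if ($path -match '[\*\?]') {
        $status = 'WILDCARD - review manually'          # Get-Acl cannot evaluate a pattern
    } elseif (Test-BroadlyWritable -Path $path) {
        $status = 'RISK: writable by standard users'    # a dropped file here is never scanned
    } else {
        $status = 'ok'
    }
    '{0,-50} {1}' -f $raw, $status
}

# Extension and process exclusions bypass scanning too; list them for review.
Write-Host ("Extension exclusions: {0}" -f ($pref.ExclusionExtension -join ', '))
Write-Host ("Process exclusions:   {0}" -f ($pref.ExclusionProcess -join ', '))
```

A path flagged as RISK should either have its ACL tightened so only the service account and administrators can write to it, or be replaced with the narrowest exclusion the vendor actually requires.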