Antivirus Evasion -> Exclusions
- by Vince
-
in Blog
-
Hits: 1080
In the real world, systems have endpoint protection installed and a lot of the tools we'd like to drop on the system will get detected. Loading in memory is definitely an option but let's say we want to drop some tools onto the file system. One option is to look at what is installed to hopefully find a product that has endpoint exclusions. For example, Desktop Central from Manage Engine requires exclusions and if we can use that directory for our files, we can evade endpoint protection.
For our test, we're going to use the EICAR test file. Some background in case you're unfamiliar with this test file: ' The European Institute for EICAR developed the EICAR antimalware test file. The EICAR test file is a legitimate DOS program that is detected as malware by antivirus software. When the test file runs successfully (if it is not detected and blocked), it prints the message "EICAR-STANDARD-ANTIVIRUS-TEST-FILE!". '