(November 13, 2022, 01:22 AM) Managarmr Wrote:
(November 12, 2022, 10:17 PM) pooragelol Wrote: This doesn't stop whoever you're infecting from putting the executable or whatever inside an archive like a .rar or .zip. I'd assume if someone knows about VirusTotal, they might be able to figure that out. I wouldn't rely on a large file to combat this.
Would you care to provide a method to bypass those methods for other users to read?
Well, I'm not super experienced in programming at all, but here is what I sorta know.
If your method of delivery is putting it in an archive, and it's submitted to VirusTotal as an archive, it will avoid being sandboxed because the sandboxes aren't sure what to do with archives, from what I know. If you're reusing some other popular thing, it might have been uploaded to VirusTotal, or the AV software VirusTotal uses might recognize its archived signature as well. I'm not really sure how you'd get around signature comparison, but I could probably relay you whatever I find on Google if you'd like me to.
If it hasn't been detected by the AV software VirusTotal uses with the file's signature, then you should only have to worry about evading detection from automatic analysis/sandboxing, so-called 'sandbox evasion'. VirusTotal uses a number of sandboxes. With newer versions of Windows, Windows Defender even includes a sandbox, but I think that's a setting that has to be enabled. There was a talk at Defcon 27 about sandbox evasion, and there are some good videos about it on YouTube. I'm not sure about it besides that.
Feel free to correct me if I'm wrong, but signature comparison and sandboxing should be the only things you have to worry about. Hope this is helpful.
