Antivirus: Is Your Digital Bodyguard Foolproof?

Many users, once they have bought a paid antivirus, feel more protected and even dare to download dubious content, open emails without worrying much about the risks, or open attachments received on WhatsApp without a second thought, because “my digital bodyguard” is there to protect me.

It is true that since July 2017 almost all well-known antiviruses on the market have become more meticulous in analyzing potential malware (programs that cause some damage to our computers when executed) in the files run on your computer or smartphone. Many have started to analyze behavior, especially “backstage” actions based on PowerShell (Microsoft’s scripting language, present in all of its more modern operating systems), generating alerts and immediate blocks at the slightest sign of a process escalating its privileges (an executable trying to perform actions normally reserved for an administrator) or of process migration (a common malware technique for blending in with your operating system’s internal processes).

However, keep in mind that antiviruses still have a long way to go. They mostly rely on code signatures: each time a piece of malicious code is discovered, a hash of it is generated, condensing the threat into a unique signature that is quickly distributed as “persona non grata” to every user of that antivirus. It takes only a programmer of average experience changing a line of code and adding some data-obfuscation routine (a kind of encryption of the malicious code) for the antivirus to no longer recognize code it once cataloged as a threat and warned all of its users about. Its signature (hash) has changed, so to the antivirus it is a new, uncataloged virus.
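To make the contrast above concrete, here is an added example (not code from the original post) that puts an exact-hash signature check next to a couple of behavioral rules of the kind the paragraph describes: a hidden, encoded PowerShell launch and an integrity-level jump between parent and child process. The sample blob, the signature database and the process-event fields (`image`, `cmdline`, `parent_integrity`, `integrity`) are all constructed for this illustration.

```python
"""Added illustration (not from the original post): why an exact-hash signature
is brittle and why behavioural rules catch what it misses. Every sample blob,
hash database entry and process event below is constructed for this example."""
import hashlib
from typing import Dict, List, Optional

# Constructed stand-in for an AV signature database: one SHA-256 of a "known bad" file.
KNOWN_BAD = b"constructed-malware-sample-v1"
SIGNATURE_DB = {hashlib.sha256(KNOWN_BAD).hexdigest()}

def matches_signature(blob: bytes) -> bool:
    """Hash-based detection: only a byte-identical file matches the signature."""
    return hashlib.sha256(blob).hexdigest() in SIGNATURE_DB

def _has_switch(tokens: List[str], full: str, value: Optional[str] = None) -> bool:
    """powershell.exe accepts unambiguous switch prefixes (-enc, -w), so match on prefix."""
    for i, tok in enumerate(tokens):
        if len(tok) >= 2 and full.startswith(tok):
            if value is None:
                return True
            if i + 1 < len(tokens) and tokens[i + 1] == value:
                return True
    return False

def behavioural_alerts(event: Dict[str, str]) -> List[str]:
    """Behaviour-based detection over a constructed process-creation event.
    Fields: image, cmdline, parent_integrity, integrity (hypothetical schema)."""
    alerts = []
    image = event.get("image", "").lower()
    tokens = event.get("cmdline", "").lower().split()
    if image.endswith("powershell.exe"):
        if _has_switch(tokens, "-encodedcommand"):
            alerts.append("powershell_encoded_command")
        if _has_switch(tokens, "-windowstyle", "hidden"):
            alerts.append("powershell_hidden_window")
    # Medium-integrity parent spawning a high-integrity child: an escalation signal
    if event.get("parent_integrity") == "medium" and event.get("integrity") == "high":
        alerts.append("integrity_level_jump")
    return alerts

if __name__ == "__main__":
    repacked = KNOWN_BAD.replace(b"v1", b"v2")        # one tiny edit, new hash
    print(matches_signature(KNOWN_BAD), matches_signature(repacked))  # True False
    evt = {"image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
           "cmdline": "powershell.exe -w hidden -enc BASE64PLACEHOLDER",
           "parent_integrity": "medium", "integrity": "high"}
    print(behavioural_alerts(evt))
```

The repacked blob slips past the hash check unchanged in behavior, while the same launch pattern still trips all three behavioral rules, which is exactly the gap the paragraph describes.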

I recently conducted a test in my laboratory with C# code to create a reverse shell (malware that connects to an attacker whenever it is executed so that he has control of the victim’s equipment) by obfuscating the malicious code, running on Windows 7, 8, and 10 operating systems with the most varied market antiviruses, whether paid or free. Naturally, simpler obfuscations were promptly detected, but with a little creativity, it was possible to bypass ALL THE ANTIVIRUSES tested. It is worth mentioning that all antiviruses were updated before conducting this proof of concept.

Therefore, do not make things easy for attackers: the best defense against potential viruses is not to execute files of dubious origin. Keep your antivirus always updated, and keep your operating system’s security patches (those famous and fateful Windows updates) up to date as well.

I’m not saying that we should abandon the use of these tools, quite the contrary, but remember that even in movies, as much as the bodyguard is willing to take a bullet for the person they protect, they will never be infallible!
