Malware detection

Signature

Malware detection by signature can be achieved in several ways:

• Comparison with a known malware hash (SHA-256, SHA-512, MD5, ...)
• The program matches multiple conditions or "rules" (e.g. YARA rules)
• Looking for strings, regular expressions or opcode sequences
• Comparison of the import table (e.g. an import hash)
• Hashing small sections of the file and checking them against the database, so a variant that changes only part of the file still matches
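The techniques in the list above, combined into one small scanner. This is an added example written for this page, not code from the original; the three "binaries" are constructed byte strings with tell-tale artifacts (not real malware), the rule shape is a simplified YARA-style "N of them", and the import-table fingerprint follows the imphash convention on a constructed import list rather than one parsed from a real PE.

```python
import hashlib
import re

# Constructed sample "binaries" for the demo: a fake PE header, a few API names, a C2 URL, a build tag.
KNOWN_BAD = (
    b"MZ\x90\x00" + b"\x00" * 60
    + b"kernel32.dll\x00VirtualAllocEx\x00WriteProcessMemory\x00CreateRemoteThread\x00"
    + b"http://203.0.113.7/gate.php\x00"
    + b"\xcc" * 40
    + b"build-2024-01\x00"
)
# Repacked variant: same code, only the trailing 16 bytes differ, so the whole-file hash changes.
VARIANT = KNOWN_BAD[:-16] + b"build-2024-02!!\x00"
BENIGN = (
    b"MZ\x90\x00" + b"\x00" * 60
    + b"kernel32.dll\x00GetSystemTimeAsFileTime\x00Hello, world\x00" + b"\x00" * 50
)

CHUNK_SIZE = 64  # size of the "small sections" hashed individually

# Simplified YARA-style rule: several byte patterns, match when at least `required` are present.
SIGNATURE_RULES = [
    {
        "name": "remote_thread_injector_with_http_c2",
        "strings": [rb"VirtualAllocEx", rb"WriteProcessMemory", rb"CreateRemoteThread",
                    rb"https?://\d{1,3}(?:\.\d{1,3}){3}/\w+\.php"],
        "required": 3,  # like YARA's "3 of them"
    },
]


def file_hash(data: bytes, algo: str = "sha256") -> str:
    """Whole-file hash: exact match only, defeated by a single changed byte."""
    return hashlib.new(algo, data).hexdigest()


def section_hashes(data: bytes, size: int = CHUNK_SIZE) -> set[str]:
    """Hash fixed-size sections so partially modified variants still share hashes."""
    return {hashlib.sha256(data[i:i + size]).hexdigest() for i in range(0, len(data), size)}


def imphash(imports: list[tuple[str, str]]) -> str:
    """Import-table fingerprint in the imphash style: lowercase 'dll.func' pairs with the DLL
    extension dropped, joined by commas, MD5. Order matters; a rebuild with the same import
    table keeps the same value even though the file hash changes."""
    parts = []
    for dll, func in imports:
        dll = dll.lower()
        for ext in (".dll", ".ocx", ".sys"):
            if dll.endswith(ext):
                dll = dll[: -len(ext)]
        parts.append(f"{dll}.{func.lower()}")
    return hashlib.md5(",".join(parts).encode()).hexdigest()


def match_rules(data: bytes) -> list[str]:
    hits = []
    for rule in SIGNATURE_RULES:
        found = sum(1 for pat in rule["strings"] if re.search(pat, data))
        if found >= rule["required"]:
            hits.append(rule["name"])
    return hits


# Signature database "learned" from the known-bad sample.
HASH_DB = {file_hash(KNOWN_BAD)}
SECTION_DB = section_hashes(KNOWN_BAD)


def scan(data: bytes) -> dict:
    return {
        "exact_hash_match": file_hash(data) in HASH_DB,
        "shared_sections": len(section_hashes(data) & SECTION_DB),
        "rule_hits": match_rules(data),
    }


def verdict(report: dict) -> str:
    # A single shared section is not enough: every PE here shares the 64-byte header chunk,
    # so the benign file also scores one shared section. Require more than that.
    if report["exact_hash_match"] or report["shared_sections"] >= 2 or report["rule_hits"]:
        return "malicious"
    return "clean"


if __name__ == "__main__":
    for name, sample in (("known_bad", KNOWN_BAD), ("variant", VARIANT), ("benign", BENIGN)):
        print(name, verdict(scan(sample)), scan(sample))
```

The variant shows why section hashing and rules matter: its whole-file hash no longer matches, but three of its four sections and all of the rule strings do. The benign file's one shared section (the common header) is the kind of false-positive source that forces a threshold.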

Behavioral

The potentially malicious program is run in a sandbox and its behaviour is analysed.

Well-known sandboxes include ANY.RUN, Cuckoo, Joe Sandbox, ...

The purpose of the sandbox is to detect malicious behaviour, such as:

• Unpacking malicious code in memory
• Modifying configuration files or the Windows registry
• Capturing keystrokes
• Spawning child processes such as cmd.exe
• Exfiltrating data
• Attempting to persist on the host
• ...
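The behaviours listed above, turned into detection logic over a sandbox trace. This is an added example for this page, not code from the original or from any of the sandboxes named; the two API-call traces are constructed, and their schema (a list of api/args records) is an assumption made for the demo, since every sandbox has its own report format.

```python
import re

# Constructed sandbox traces (API calls recorded during one detonation). Schema is an assumption.
MALICIOUS_TRACE = [
    {"api": "NtAllocateVirtualMemory", "args": {"protect": "PAGE_EXECUTE_READWRITE", "size": 0x8000}},
    {"api": "NtWriteVirtualMemory", "args": {"size": 0x7C00}},
    {"api": "NtCreateThreadEx", "args": {}},
    {"api": "RegSetValueExW", "args": {"key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
                                       "name": "Updater"}},
    {"api": "SetWindowsHookExW", "args": {"idHook": "WH_KEYBOARD_LL"}},
    {"api": "CreateProcessW", "args": {"image": r"C:\Windows\System32\cmd.exe",
                                       "cmdline": "cmd.exe /c whoami"}},
    {"api": "HttpSendRequestW", "args": {"host": "203.0.113.7", "method": "POST", "body_bytes": 48211}},
]
BENIGN_TRACE = [
    {"api": "CreateFileW", "args": {"path": r"C:\Users\victim\Documents\notes.txt"}},
    {"api": "ReadFile", "args": {"size": 4096}},
    {"api": "HttpSendRequestW", "args": {"host": "update.example.com", "method": "GET", "body_bytes": 0}},
]

PERSISTENCE_KEYS = (r"\CurrentVersion\Run", r"\CurrentVersion\RunOnce", r"\Winlogon")
SHELLS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe"}
IPV4 = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")


def unpacks_code(trace) -> bool:
    """Allocate RWX memory, write into it, start a thread: the classic unpack-and-run sequence."""
    stage = 0
    for ev in trace:
        prot = ev["args"].get("protect", "")
        if stage == 0 and ev["api"] == "NtAllocateVirtualMemory" and "EXECUTE" in prot and "WRITE" in prot:
            stage = 1
        elif stage == 1 and ev["api"] == "NtWriteVirtualMemory":
            stage = 2
        elif stage == 2 and ev["api"] in ("NtCreateThreadEx", "CreateThread", "CreateRemoteThread"):
            return True
    return False


def writes_persistence(trace) -> bool:
    return any(ev["api"] == "RegSetValueExW"
               and any(k in ev["args"].get("key", "") for k in PERSISTENCE_KEYS) for ev in trace)


def hooks_keyboard(trace) -> bool:
    return any(ev["api"] == "SetWindowsHookExW"
               and ev["args"].get("idHook", "").startswith("WH_KEYBOARD") for ev in trace)


def spawns_shell(trace) -> bool:
    return any(ev["api"] == "CreateProcessW"
               and ev["args"].get("image", "").rsplit("\\", 1)[-1].lower() in SHELLS for ev in trace)


def posts_to_raw_ip(trace) -> bool:
    """Sizeable POST body to a bare IP address: a cheap exfiltration/C2 heuristic."""
    return any(ev["api"] == "HttpSendRequestW" and ev["args"].get("method") == "POST"
               and ev["args"].get("body_bytes", 0) >= 1024
               and IPV4.fullmatch(ev["args"].get("host", "")) for ev in trace)


# (behaviour name, weight, predicate): weights let one strong signal or several weak ones convict.
BEHAVIOR_RULES = [
    ("unpacks_code_in_memory", 4, unpacks_code),
    ("writes_persistence_key", 3, writes_persistence),
    ("installs_keyboard_hook", 3, hooks_keyboard),
    ("spawns_command_shell", 2, spawns_shell),
    ("posts_data_to_raw_ip", 3, posts_to_raw_ip),
]


def analyse(trace) -> dict:
    findings = [(name, weight) for name, weight, pred in BEHAVIOR_RULES if pred(trace)]
    score = sum(weight for _, weight in findings)
    verdict = "malicious" if score >= 6 else "suspicious" if score >= 3 else "clean"
    return {"findings": [name for name, _ in findings], "score": score, "verdict": verdict}


if __name__ == "__main__":
    print(analyse(MALICIOUS_TRACE))
    print(analyse(BENIGN_TRACE))
```

Note that the unpacking rule is stateful: it needs the allocate/write/execute events in order, which is what a behavioural engine has and a static scanner does not. A sample that detects the sandbox and exits early never produces these events, which is the main limitation of this approach.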

AMSI - Anti-Malware Scan Interface

AMSI is a Windows interface that lets script hosts (PowerShell, Windows Script Host, Office VBA and others) hand content to an anti-malware product just before it runs, including content that has already been decoded or deobfuscated by the host. AMSI does not scan anything itself: it defines the hooks that AV publishers register as providers, so existing antivirus software receives a copy of the script being executed, scans it and returns a verdict that the host uses to decide whether the script may run.
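The calling side of that interface, i.e. what a script host does. This is an added example for this page, not Microsoft's code or anything from the original: it binds the amsi.dll exports through ctypes using the prototypes from amsi.h, and only performs the scan on Windows (elsewhere it returns None). The encoded-command helpers show why the "decoded content" point matters, and the test string is the one Microsoft publishes as an AMSI test sample (the AMSI analogue of EICAR).

```python
import base64
import ctypes
import sys

# AMSI_RESULT values from amsi.h.
AMSI_RESULT_CLEAN = 0                      # known good, unlikely to change with new definitions
AMSI_RESULT_NOT_DETECTED = 1               # nothing found now, may change after an update
AMSI_RESULT_BLOCKED_BY_ADMIN_START = 0x4000
AMSI_RESULT_BLOCKED_BY_ADMIN_END = 0x4FFF
AMSI_RESULT_DETECTED = 0x8000              # provider says malware: block

# Test string published by Microsoft to trigger a detection in a working AMSI provider.
AMSI_TEST_SAMPLE = "AMSI Test Sample: 7e72c3ce-861b-4339-8740-0ac1484c1386"


def amsi_result_is_malware(result: int) -> bool:
    """Same check as the AmsiResultIsMalware() macro in amsi.h."""
    return result >= AMSI_RESULT_DETECTED


def amsi_result_allows_execution(result: int) -> bool:
    """The host should run content only when it is neither a detection nor blocked by policy."""
    blocked = AMSI_RESULT_BLOCKED_BY_ADMIN_START <= result <= AMSI_RESULT_BLOCKED_BY_ADMIN_END
    return not amsi_result_is_malware(result) and not blocked


def encode_command(script: str) -> str:
    """Produce the argument form used by 'powershell -EncodedCommand': base64 of UTF-16LE text."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def decode_encoded_command(b64: str) -> str:
    """The host decodes before it runs, and it is this decoded text that reaches the provider,
    so base64 encoding alone does not hide a script from AMSI."""
    return base64.b64decode(b64).decode("utf-16-le")


def amsi_scan_text(content: str, content_name: str = "example.ps1",
                   app_name: str = "AmsiPythonExample"):
    """Submit script text to the registered AMSI provider(s) and return the AMSI_RESULT value.
    Returns None when not on Windows. The app_name/content_name values are arbitrary labels."""
    if sys.platform != "win32":
        return None
    amsi = ctypes.WinDLL("amsi")
    HRESULT = ctypes.c_long
    amsi.AmsiInitialize.argtypes = [ctypes.c_wchar_p, ctypes.POINTER(ctypes.c_void_p)]
    amsi.AmsiInitialize.restype = HRESULT
    amsi.AmsiOpenSession.argtypes = [ctypes.c_void_p, ctypes.POINTER(ctypes.c_void_p)]
    amsi.AmsiOpenSession.restype = HRESULT
    amsi.AmsiScanBuffer.argtypes = [ctypes.c_void_p, ctypes.c_void_p, ctypes.c_ulong,
                                    ctypes.c_wchar_p, ctypes.c_void_p, ctypes.POINTER(ctypes.c_int)]
    amsi.AmsiScanBuffer.restype = HRESULT
    amsi.AmsiCloseSession.argtypes = [ctypes.c_void_p, ctypes.c_void_p]
    amsi.AmsiCloseSession.restype = None
    amsi.AmsiUninitialize.argtypes = [ctypes.c_void_p]
    amsi.AmsiUninitialize.restype = None

    ctx = ctypes.c_void_p()
    if amsi.AmsiInitialize(app_name, ctypes.byref(ctx)) != 0:
        raise OSError("AmsiInitialize failed")
    session = ctypes.c_void_p()
    if amsi.AmsiOpenSession(ctx, ctypes.byref(session)) != 0:
        amsi.AmsiUninitialize(ctx)
        raise OSError("AmsiOpenSession failed")
    try:
        buf = content.encode("utf-16-le")  # PowerShell submits its script text as UTF-16
        result = ctypes.c_int(0)
        if amsi.AmsiScanBuffer(ctx, buf, len(buf), content_name, session, ctypes.byref(result)) != 0:
            raise OSError("AmsiScanBuffer failed")
        return result.value
    finally:
        amsi.AmsiCloseSession(ctx, session)
        amsi.AmsiUninitialize(ctx)


if __name__ == "__main__":
    decoded = decode_encoded_command(encode_command(AMSI_TEST_SAMPLE))
    res = amsi_scan_text(decoded)
    print("AMSI result:", res, "run it?", None if res is None else amsi_result_allows_execution(res))
```

On a Windows host with a provider registered (Microsoft Defender by default), scanning the decoded test sample returns AMSI_RESULT_DETECTED; with real-time protection off, or with no provider, the scan returns NOT_DETECTED, which is exactly why AMSI is an interface rather than a detection engine.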