Journal: Journal in computer virology

Improving antivirus accuracy with hypervisor assisted analysis


Abstract

Modern malware protection systems bring an especially difficult problem to antivirus scanners. Simple obfuscation methods can diminish the effectiveness of a scanner significantly, oftentimes rendering it completely ineffective. This paper outlines the usage of a hypervisor-based deobfuscation engine that greatly improves the effectiveness of existing scanning engines. We have modified the Ether malware analysis framework to add the following features to deobfuscation: section and header rebuilding and automated kernel virtual address descriptor import rebuilding. Using these repair mechanisms, we have shown as high as 45% improvement in the effectiveness of antivirus scanning engines.