In this post, I will cover how Avira antivirus software works. Starting from nothing, we can find a few footholds; there are two main approaches to antivirus research, and both ultimately need to lead to the same result, which is always bypassing the software and running malicious code on the user's endpoint. Antivirus software is intended to detect and prevent the spread of malicious files and processes within the OS, but over time AV engines have improved and become smarter.
The majority of AV products are built on just a few kinds of engine:
- Static engines
- Dynamic engines
- Heuristic engines
Later we can also check whether AV detection can be bypassed for our malicious file.
While gathering leads for antivirus research, we also need to understand which files and registry values the antivirus software has added. To figure that out, I am going to use the Regshot tool to snapshot my Windows registry before installing the program and then compare it with a second snapshot taken after installation.
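The before/after comparison that Regshot performs can be reproduced on exported registry data. The following is an added example, not code from the post or from Regshot: it parses two minimal .reg-style exports, reports added, removed and changed keys and values, and flags entries whose data points at an EXE, DLL or SYS file. Both snapshots are constructed, and every key, service and path name in them (ExampleAV, ExampleAVHost, exampledrv) is a placeholder rather than a real product entry.

```python
"""Regshot-style before/after registry snapshot diff (added example).

Snapshots are represented as dict: key path -> {value name: raw data}.
The two .reg texts below are constructed sample data with placeholder names.
"""

import re
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Constructed "before installation" export (placeholder keys, not a real product).
BEFORE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\ExampleCorp]
"Installed"="yes"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ExampleSvc]
"Start"=dword:00000003
"""

# Constructed "after installation" export: one new software key, one new
# service pointing at an .exe, one new kernel driver (.sys), one changed value.
AFTER_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\ExampleCorp]
"Installed"="yes"

[HKEY_LOCAL_MACHINE\SOFTWARE\ExampleAV]
"InstallPath"="C:\\Program Files (x86)\\ExampleAV"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ExampleSvc]
"Start"=dword:00000004

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ExampleAVHost]
"ImagePath"="C:\\Program Files (x86)\\ExampleAV\\avhost.exe"
"Start"=dword:00000002

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\exampledrv]
"ImagePath"="system32\\DRIVERS\\exampledrv.sys"
"Type"=dword:00000001
"""

Snapshot = Dict[str, Dict[str, str]]


@dataclass
class RegDiff:
    added_keys: List[str] = field(default_factory=list)
    removed_keys: List[str] = field(default_factory=list)
    added_values: List[Tuple[str, str, str]] = field(default_factory=list)    # (key, name, data)
    removed_values: List[Tuple[str, str, str]] = field(default_factory=list)
    changed_values: List[Tuple[str, str, str, str]] = field(default_factory=list)  # (key, name, old, new)


def parse_reg_export(text: str) -> Snapshot:
    """Parse a minimal .reg export: [key] headers followed by "name"=data lines.
    Data is kept as the raw text after the first '=' (value names containing
    '=' are not handled; good enough for a snapshot comparison)."""
    snap: Snapshot = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor") or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            snap.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        name, _, data = line.partition("=")
        name = "(Default)" if name == "@" else name.strip('"')
        snap[current][name] = data
    return snap


def diff_snapshots(before: Snapshot, after: Snapshot) -> RegDiff:
    """Report keys and values that appeared, disappeared or changed between snapshots."""
    d = RegDiff()
    for key in sorted(set(before) | set(after)):
        if key not in before:
            d.added_keys.append(key)
            d.added_values.extend((key, n, v) for n, v in after[key].items())
            continue
        if key not in after:
            d.removed_keys.append(key)
            d.removed_values.extend((key, n, v) for n, v in before[key].items())
            continue
        b, a = before[key], after[key]
        for name in sorted(set(b) | set(a)):
            if name not in b:
                d.added_values.append((key, name, a[name]))
            elif name not in a:
                d.removed_values.append((key, name, b[name]))
            elif b[name] != a[name]:
                d.changed_values.append((key, name, b[name], a[name]))
    return d


def executable_references(diff: RegDiff) -> List[Tuple[str, str, str]]:
    """Added values whose data names an EXE, DLL or SYS file: the services,
    binaries and kernel drivers an installer registered."""
    pattern = re.compile(r"\.(exe|dll|sys)\b", re.IGNORECASE)
    return [(k, n, v) for k, n, v in diff.added_values if pattern.search(v)]


if __name__ == "__main__":
    result = diff_snapshots(parse_reg_export(BEFORE_REG), parse_reg_export(AFTER_REG))
    for key in result.added_keys:
        print("added key:", key)
    for key, name, old, new in result.changed_values:
        print(f"changed: {key} {name}: {old} -> {new}")
    for key, name, data in executable_references(result):
        print(f"binary reference: {key} {name} = {data}")
```

Run against real exports, the two snapshot texts would come from `reg export` (or Regshot's own output) taken before and after the installer runs; the executable references are the list of service binaries and .sys drivers to look at next.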
Obviously, to gather useful information, I search the registry values that point at this location; they mostly refer to EXE and DLL files, and checking there yields more valuable results.
C:\Program Files (x86)\Avira is the directory where Avira is installed.
Let's run a process monitoring tool to check which processes Avira starts without any user involvement. Process Monitor is a tool that can be used to observe the behavior of each process in the operating system.
Here we found many processes associated with Avira, along with their file descriptions and locations:

| Name | Description |
|---|---|
| Avira Service Host | Launcher |
| Avira System Speed Up | System Speed Up |
The services and drivers I still haven't figured out are avdevprot and a few others.
I also found many files with the .sys extension; these files must be loaded as device drivers.
And if you monitor network traffic using Wireshark or any other tool, you find that Avira tries to connect to the remote address 188.8.131.52, and many more, on port 443. This much information is enough to start research on Avira.