Conference papers

Are current antivirus programs able to detect complex metamorphic malware? An empirical evaluation.

Abstract : In this paper, we present the design of a metamorphic engine representing a type of hurdle that antivirus systems need to get over in their fight against malware. First we describe the two steps of the engine replication process: obfuscation and modeling. Then, we apply this engine to a real worm to evaluate current antivirus products detection capacities. This assessment leads to a classification of detection tools, based on their observable behavior, in two main categories: the first one, relying on static detection techniques, presents low detection rates obtained by heuristic analysis. The second one, composed of dynamic detection programs, focuses only on elementary suspicious actions. Consequently, no products appear to reliably detect the candidate malware after application of the metamorphic engine. Through this evaluation of antivirus products, we hope to help defenders understand and defend against the threat represented by this class of malware.
Document type :
Conference papers

Contributor : Myriam Andrieux
Submitted on : Wednesday, December 16, 2009 - 3:51:26 PM
Last modification on : Tuesday, February 2, 2021 - 2:52:22 PM


  • HAL Id : hal-00441581, version 1



Jean-Marie Borello, Eric Filiol, Ludovic Mé. Are current antivirus programs able to detect complex metamorphic malware? An empirical evaluation. 18th EICAR Annual Conference, May 2009, France. 19 p. ⟨hal-00441581⟩


