Evasion detection
Definition
Malware logic that checks whether the execution environment is a real host or an analysis sandbox. Such checks may query hardware identifiers, count CPU cores, inspect running processes, or measure elapsed time; if a check indicates an analysis environment, the malware suppresses its payload.
Related terms
- API hooking
- A monitoring technique in which the sandbox intercepts calls the malware makes to operating-system API functions. Each intercepted call is logged with...
- Behavioural analysis
- The examination of what a program does at runtime rather than what its code says at rest. Behavioural analysis captures the actual...
- MITRE ATT&CK mapping
- The process of classifying observed malware behaviours against the MITRE ATT&CK framework's taxonomy of adversary tactics and techniques. Sandbox platforms increasingly produce...
- Network indicator
- A network-based artefact produced by malware at runtime, such as a DNS query, an IP address contacted, an HTTP request path, a...
- Sandbox
- An isolated execution environment, typically a virtual machine, where a malware sample runs under full instrumentation. The sandbox logs all system calls,...
Explained in
- Dynamic Malware Analysis and Sandbox Environments