CPR evasion encyclopedia: The Check Point evasion repository
By Check Point Team
March 4, 2020
As malicious threats evolve, the need for automated solutions that analyze them grows. It is very common for malware samples to be executed in some kind of virtualized environment.
Such environments differ from ordinary host systems by a large number of artifacts: uncommon files, registry keys, system objects, etc. By examining these artifacts, a malware sample is able to tell whether it is running in a virtual environment and adjust its behaviour accordingly. When that happens, we say that the malware has successfully applied an evasion technique, or simply an evasion.
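To make the artifact idea concrete, here is an added example of the simplest form of such a check: look for guest-additions driver files and registry keys that VirtualBox and VMware Tools leave behind. This code is written for this page and is not taken from the encyclopedia, InviZzzible or any of the credited projects. The file and key names are well-known vendor artifacts, but the table is an illustrative subset chosen here; the `probe_vmware_guest` and `probe_bare_metal` functions are constructed stand-ins so the decision logic can be exercised on any machine. A real sample would branch on the result (exit, sleep, or run benign code) rather than print it.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#ifdef _WIN32
#include <windows.h>   /* GetFileAttributesA, RegOpenKeyExA (link advapi32) */
#else
#include <unistd.h>    /* access(2) */
#endif

/* Probe callback: non-zero when the given file path exists. Pluggable so the
 * decision logic can run against a constructed probe without a hypervisor. */
typedef int (*exists_fn)(const char *path);

struct artifact {
    const char *vendor;
    const char *path;
};

/* Guest-additions drivers installed by VirtualBox and VMware Tools.
 * Illustrative subset chosen for this example, not the encyclopedia's list. */
static const struct artifact FILE_ARTIFACTS[] = {
    { "VirtualBox", "C:\\Windows\\System32\\drivers\\VBoxMouse.sys" },
    { "VirtualBox", "C:\\Windows\\System32\\drivers\\VBoxGuest.sys" },
    { "VirtualBox", "C:\\Windows\\System32\\drivers\\VBoxSF.sys" },
    { "VMware",     "C:\\Windows\\System32\\drivers\\vmmouse.sys" },
    { "VMware",     "C:\\Windows\\System32\\drivers\\vmhgfs.sys" },
    { "VMware",     "C:\\Windows\\System32\\drivers\\vm3dmp.sys" },
};
#define N_FILE_ARTIFACTS (sizeof FILE_ARTIFACTS / sizeof FILE_ARTIFACTS[0])

/* Real probe: GetFileAttributesA on Windows, access(2) elsewhere. */
static int os_file_exists(const char *path) {
#ifdef _WIN32
    return GetFileAttributesA(path) != INVALID_FILE_ATTRIBUTES;
#else
    return access(path, F_OK) == 0;
#endif
}

/* Second artifact class: registry keys written by the guest tools.
 * Only meaningful on Windows; elsewhere it reports "not found". */
static int vm_registry_key_present(void) {
#ifdef _WIN32
    static const char *keys[] = {
        "SOFTWARE\\Oracle\\VirtualBox Guest Additions",
        "SOFTWARE\\VMware, Inc.\\VMware Tools",
    };
    for (size_t i = 0; i < sizeof keys / sizeof keys[0]; i++) {
        HKEY h;
        if (RegOpenKeyExA(HKEY_LOCAL_MACHINE, keys[i], 0, KEY_READ, &h) == ERROR_SUCCESS) {
            RegCloseKey(h);
            return 1;
        }
    }
#endif
    return 0;
}

/* Number of known driver files the probe reports as present. */
int count_file_artifacts(exists_fn probe) {
    int hits = 0;
    for (size_t i = 0; i < N_FILE_ARTIFACTS; i++)
        if (probe(FILE_ARTIFACTS[i].path))
            hits++;
    return hits;
}

/* Vendor of the first artifact found, or NULL when nothing matched. */
const char *first_vm_vendor(exists_fn probe) {
    for (size_t i = 0; i < N_FILE_ARTIFACTS; i++)
        if (probe(FILE_ARTIFACTS[i].path))
            return FILE_ARTIFACTS[i].vendor;
    return NULL;
}

/* Constructed probes: a VMware guest with two of its drivers present,
 * and a bare-metal host with none. */
int probe_vmware_guest(const char *path) {
    return strstr(path, "vmmouse.sys") != NULL || strstr(path, "vmhgfs.sys") != NULL;
}
int probe_bare_metal(const char *path) {
    (void)path;
    return 0;
}

int main(void) {
    const char *vendor = first_vm_vendor(os_file_exists);
    int files = count_file_artifacts(os_file_exists);
    int reg = vm_registry_key_present();
    if (vendor || reg)
        printf("VM artifacts found: %d driver file(s)%s%s, registry key: %s\n",
               files, vendor ? " from " : "", vendor ? vendor : "", reg ? "yes" : "no");
    else
        printf("no VM artifacts found on this host\n");
    /* Same decision over the constructed VMware guest. */
    printf("constructed VMware guest: %d file(s), vendor %s\n",
           count_file_artifacts(probe_vmware_guest), first_vm_vendor(probe_vmware_guest));
    return 0;
}
```

The point of the pluggable probe is that the artifact table and the decision are separate from the OS call that answers "does this exist"; the same structure carries over to the other artifact classes in the encyclopedia (processes, devices, MAC prefixes), each of which swaps in a different probe and table.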
In this encyclopedia we have attempted to gather all the known ways to detect a virtualized environment, grouping them into broad categories. Some categories are inactive on the main page: this means their content will be added later. Unless an operating system is stated explicitly, Windows is meant by default.
Within each category the reader will find the following information:
Many open-source tools implement these techniques. They are used throughout the encyclopedia in the form of code excerpts. We credit the open-source projects from which code samples were taken:
It is worth adding that Check Point researchers have produced their own open-source tool, called InviZzzible.
If you want to contribute to this encyclopedia, you are more than welcome to create pull requests in its GitHub repository.
Please do check out all the repositories, browse through the evasion encyclopedia and enjoy the journey!