Evasion and Anti-Analysis
Malware authors know defenders will analyze and detect their work, so they build in evasion: packing and obfuscation to defeat static analysis, sandbox-detection to stay dormant under observation, and defense-tampering to blind EDR and logging. Understanding these techniques keeps a defender from being fooled — by a file that looks clean because it is packed, or benign because it detected the sandbox.
This is the adversary's counter-move to the whole detection stack, and — the key insight — the evasion leaves its own tells, which a defender can turn into high-fidelity detections.
Obfuscation and Packing
Packing encrypts or compresses the real code so static analysis sees noise until runtime. A packed binary with almost no readable strings is not reassuring — it is itself a signal, because legitimate software rarely needs to hide its own code. Unpacking, usually via dynamic analysis (Chapter 8), reveals the payload the packing was protecting.
Sandbox and Analysis Evasion
Malware checks for the artifacts of a virtual machine or sandbox, waits out short analysis windows, or requires user interaction before detonating — so a naive dynamic analysis sees nothing. Modern sandboxes counter with anti-evasion, realistic environments, and longer windows, and this back and forth is the static-versus-dynamic arms race: each side adapts to the other's last move.
Defense Evasion on the Host
On the host, malware tries to disable or blind EDR and antivirus — unhooking, tampering, bring-your-own-vulnerable-driver — clears logs, and lives off the land to avoid dropping detectable files (Chapters 5 and 7). These are the techniques that turn a detectable intrusion into a quiet one, which is exactly why tamper protection and off-host logging matter so much.
Detecting the Evasion Itself
The crucial reframe: evasion leaves tells that are themselves high-fidelity detections, precisely because legitimate software rarely does them. A packed binary, an attempt to query VM artifacts, an EDR tamper event, cleared logs — each is a strong signal. Meridian's stack holds up under evasion through tamper-protected EDR (Chapter 7), off-host logging so cleared local logs do not erase the evidence (Chapters 10 and 11), and behavioral detection that catches the technique even when the file is obfuscated.
- Trusting a "clean" static scan of a packed binary — the absence of readable malicious content is itself suspicious, not reassuring.
- Running dynamic analysis in an obvious, short-windowed sandbox that evasive malware simply waits out or detects.
- Keeping logs and EDR only on the host, so an attacker with privileges clears the evidence and blinds the sensor.
- Ignoring evasion tells — tamper events, log clearing, VM-detection attempts — that are among the highest-fidelity signals available.
- Assuming obfuscation means "nothing found" instead of "look harder, dynamically."
- Treat packing, obfuscation, and sandbox-evasion attempts as signals in themselves, not obstacles that mean "nothing found."
- Use anti-evasion sandboxes with realistic environments and longer windows, combined with static unpacking.
- Enable EDR tamper protection and ship logs off-host immediately, so evasion cannot erase the record (Chapters 10 and 11).
- Lean on behavioral and TTP detection that survives obfuscation, and alert on defense-evasion techniques directly.
- Alert specifically on log clearing, tamper events, and VM-detection attempts as high-fidelity detections.
Knowledge Check
A static scan of a file finds almost no readable strings because it is packed. How should a defender read that?
- The packing is itself a suspicious signal, warranting dynamic analysis
- The file is confirmed clean because no malicious strings appeared at all
- The packing means the file is unable to execute at runtime
- Packed files are always corrupted and can safely be ignored
Why are evasion attempts often high-fidelity detection opportunities?
- Legitimate software rarely tampers with EDR at all
- Evasion techniques reliably fail against all modern tools
- Evasion only ever happens on internet-facing servers
- Only signature engines are able to detect evasion attempts
Why does shipping logs off-host help against defense evasion?
- Clearing local logs can't erase the copy sent off-host
- Off-host logs conveniently run the antivirus scanner for you
- Local host logs simply cannot be cleared by any attacker
- Off-host logging automatically encrypts the malware for you
You got correct