Does antivirus software detect scrceen grabbing functionality in a running program?


Let’s say a malicious actor publishes a piece of software that calls a screenshot function (e.g. Graphics.CopyFromScreen() or the UIAutomation Framework in .NET) every so often, but doesn’t notify the user of that. I download and install that software.

Assuming that the software is signed with a valid publisher certificate, I have a few questions around that:

  • Would that screengrabbing behaviour be detected by an(y) Antivirus solution?
  • If yes, do legitimate screengrabbing programs need exceptions in an antivirus program to allow that behaviour?
  • If no, will at least the exfiltration of the data be detected by the AntiVirus software? (I guess the exfiltration can happen in so many different ways that it’s a bit of an arms race to see that bytes are being sent that encapsulate/encode the screengrab and not some form of telemetry, for example)

I’ve been googling for a while but can’t seem to find anything on the topic.