Understanding Antivirus Sandbox limitations

The most advanced antiviruses fight malware with different techniques, like signature-based detection and heuristic analysis. If those two are bypassed by the malware, there is still the sandbox environment, which executes the malware in a safe environment in order to detect suspicious behaviours.

Let us now suppose that a piece of malware somehow fools the AV sandbox and avoids running the malicious code there.

At this stage, does the malware win by executing the malicious code on the system?

Is the AV capable of doing something outside the sandbox, or is it impossible to detect the malware at this stage?

Would anti-virus software make other processes consume more CPU?

Would anti-virus software make other processes that it scans consume more CPU?

We recently switched to a new next-gen, AI-based anti-virus software. On a couple of our Linux servers that run Java processes, there have been frequent high spikes in CPU usage recently. Apparently it is Java that is the highest consumer of CPU, while the anti-virus process isn’t using a lot. I am pretty sure that it is not the anti-virus behind the higher CPU usage, since these spikes started a couple of days before the AV software was even installed. So, right now, I am in the process of convincing others that it is not the anti-virus (trust me, no one is believing what they see in top -c). Before I go back to the team, I would like to make sure that when the anti-virus scans every single file that gets opened by other processes, the resultant CPU usage would show up against the anti-virus process and not against the process that opens the file. Is this how it will appear in the CPU usage stats?

The servers run Amazon Linux and the anti-virus is CrowdStrike Falcon.
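The question above turns on how Linux accounts CPU. Time a task spends in the kernel servicing its own syscalls, including whatever an in-kernel file-access hook does in that path, is charged to the task itself as system time; CPU burned by a separate user-space scanner daemon is charged to the daemon's own PID, and the process that opened the file merely blocks (consuming nothing) while it waits. So a quick check for the poster's Java servers is whether the spikes are user time (the JVM's own work: GC, JIT, application code, which no AV hook can account for) or system time. The script below is an added example, not part of the original post or of any vendor's tooling; it makes no assumption about how Falcon's sensor is split between kernel and user space, and the two /proc stat lines embedded in it are constructed samples.

```python
"""Split a process's CPU time into user and system components from /proc.

Added example, not from the original post. Linux charges kernel time spent
servicing a task's own syscalls to that task as system time (field 15 of
/proc/<pid>/stat) and user-mode time to field 14. A user-space scanner's
CPU lands under the scanner's own PID instead, while the process that
opened the file merely blocks.
"""
import os
import sys
import time

# Clock ticks per second used by /proc/<pid>/stat; 100 on almost every build.
CLK_TCK = os.sysconf("SC_CLK_TCK") if os.name == "posix" else 100

# Constructed sample lines (not captured from a real host).
SAMPLE_JAVA_STAT = ("4242 (java) S 1 4242 4242 0 -1 4194560 123456 0 12 0 30000 10000 "
                    "0 0 20 0 57 0 1234 5000000000 250000 18446744073709551615 "
                    "1 1 0 0 0 0 0 0 0 0 0 0 17 3 0 0 0 0 0")
SAMPLE_SPACED_COMM_STAT = "77 (Web Content) R 1 77 77 0 -1 0 0 0 0 0 5 7 0 0 20 0 1 0 1 1 1 1 1"


def parse_stat(stat_line: str) -> dict:
    """Parse one /proc/<pid>/stat line into pid, comm, utime and stime (ticks).

    The comm field is wrapped in parentheses and may itself contain spaces
    or ')' (e.g. "(Web Content)", "(sd-pam)"), so split on the last ')'
    rather than on whitespace.
    """
    head, _, tail = stat_line.rstrip("\n").rpartition(")")
    pid_text, _, comm = head.partition("(")
    fields = tail.split()
    # After comm, fields[0] is field 3 (state), so field 14 (utime) is
    # index 11 and field 15 (stime) is index 12.
    return {"pid": int(pid_text), "comm": comm,
            "utime": int(fields[11]), "stime": int(fields[12])}


def cpu_split(stat_line: str):
    """Return (user_seconds, system_seconds, system_fraction) for one stat line."""
    s = parse_stat(stat_line)
    user = s["utime"] / CLK_TCK
    system = s["stime"] / CLK_TCK
    total = user + system
    return user, system, (system / total if total else 0.0)


def delta_split(before: dict, after: dict, interval: float) -> dict:
    """CPU usage over an interval as percentages, from two parse_stat() results."""
    du = (after["utime"] - before["utime"]) / CLK_TCK
    ds = (after["stime"] - before["stime"]) / CLK_TCK
    return {"comm": after["comm"],
            "user_pct": 100.0 * du / interval,
            "system_pct": 100.0 * ds / interval,
            "system_fraction": ds / (du + ds) if du + ds else 0.0}


def sample_live(pid: int, interval: float = 5.0) -> dict:
    """Sample a live PID twice, `interval` seconds apart (Linux only)."""
    with open(f"/proc/{pid}/stat") as f:
        before = parse_stat(f.read())
    time.sleep(interval)
    with open(f"/proc/{pid}/stat") as f:
        after = parse_stat(f.read())
    return delta_split(before, after, interval)


if __name__ == "__main__":
    # usage: python cpu_split.py <pid> [interval_seconds]
    pid = int(sys.argv[1])
    secs = float(sys.argv[2]) if len(sys.argv) > 2 else 5.0
    r = sample_live(pid, secs)
    print(f"{r['comm']}: user {r['user_pct']:.1f}%  system {r['system_pct']:.1f}%  "
          f"(system share {r['system_fraction']:.0%})")
```

Run it against the Java PID during a spike (`pidstat -u -p <pid> 1` from sysstat shows the same %usr/%system split without any scripting). A spike that is almost all user time is the JVM's own doing; a large system share says the kernel is busy on the process's behalf (I/O, page faults, or an in-kernel hook), which is the only form in which file-scanning cost could ever be attributed to the Java process rather than to the AV's own process.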

Does antivirus software detect screen grabbing functionality in a running program?

Let’s say a malicious actor publishes a piece of software that calls a screenshot function (e.g. Graphics.CopyFromScreen() or the UIAutomation Framework in .NET) every so often, but doesn’t notify the user of that. I download and install that software.

Assuming that the software is signed with a valid publisher certificate, I have a few questions around that:

  • Would that screengrabbing behaviour be detected by an(y) Antivirus solution?
  • If yes, do legitimate screengrabbing programs need exceptions in an antivirus program to allow that behaviour?
  • If no, will at least the exfiltration of the data be detected by the AntiVirus software? (I guess the exfiltration can happen in so many different ways that it’s a bit of an arms race to see that bytes are being sent that encapsulate/encode the screengrab and not some form of telemetry, for example)

I’ve been googling for a while but can’t seem to find anything on the topic.
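The third bullet above (can the exfiltration be told apart from telemetry?) is the one that lends itself to a concrete check. A screen grabber on a timer ships compressed images: large payloads with near-maximal byte entropy, sent at a steady period. Telemetry is small structured text sent irregularly. The script below is an added example, not from the original post or from any AV product; it scores an outbound-connection log on size, Shannon entropy and timer regularity. The event format (`ts`, `dst`, `payload`), the hostnames, the thresholds and the sample events are all constructed for the example. In practice payload bytes are only visible to a sensor that hooks before TLS; past that point only size and timing survive, which is the arms race the poster suspects.

```python
"""Flag periodic, high-entropy uploads in an outbound-connection log.

Added example, not from the original post. A grabber ships compressed images
(near 8 bits/byte, tens of kB) on a timer; telemetry is small structured text
sent irregularly. The events are constructed; a real feed would come from an
endpoint sensor logging per-connection bytes sent and, only if it hooks
before TLS, the payload itself.
"""
import json
import math
import random
import zlib
from collections import defaultdict
from statistics import mean, pstdev


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for a constant run, up to 8.0 for compressed/encrypted data."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def flag_exfil(events, min_entropy=7.0, min_size=16 * 1024, max_jitter=0.1, min_uploads=4):
    """Return {dst: summary} for destinations receiving large, high-entropy, periodic uploads.

    events: iterable of dicts with 'ts' (seconds), 'dst' (host) and 'payload' (bytes).
    Periodicity is stdev(interval) / mean(interval); a timer-driven grabber sits
    near 0, human-driven or event-driven traffic does not.
    """
    by_dst = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        by_dst[e["dst"]].append(e)

    flagged = {}
    for dst, evs in by_dst.items():
        big = [e for e in evs
               if len(e["payload"]) >= min_size
               and shannon_entropy(e["payload"]) >= min_entropy]
        if len(big) < min_uploads:
            continue
        gaps = [b["ts"] - a["ts"] for a, b in zip(big, big[1:])]
        avg = mean(gaps)
        jitter = pstdev(gaps) / avg if avg > 0 else 1.0
        if jitter <= max_jitter:
            flagged[dst] = {"uploads": len(big), "period_s": round(avg, 1),
                            "jitter": round(jitter, 3)}
    return flagged


def build_sample_events(seed=7):
    """Constructed sample: heartbeat JSON to one host, image-sized blobs to another."""
    rng = random.Random(seed)
    events = []
    for i in range(10):   # telemetry: small, irregular
        body = json.dumps({"event": "heartbeat", "seq": i, "cpu": rng.random()}).encode()
        events.append({"ts": rng.uniform(0, 3600), "dst": "telemetry.example", "payload": body})
    for i in range(6):    # stand-in screenshots: ~40 kB every 60 s, +/- 1 s
        raw = bytes(rng.getrandbits(8) for _ in range(40_000))
        events.append({"ts": 60.0 * i + rng.uniform(-1, 1),
                       "dst": "cdn-updates.example",
                       "payload": zlib.compress(raw)})  # stays ~8 bits/byte, like PNG/JPEG data
    return events


if __name__ == "__main__":
    for dst, info in flag_exfil(build_sample_events()).items():
        print(dst, info)
```

The thresholds are deliberately loose and deliberately evadable: a grabber that sends thumbnails under the size floor, randomises its timer, or pads the image into a JSON document slips past all three tests, which is why this kind of heuristic is only one signal next to the API-level observation (a process calling screen-capture routines it has no visible reason to call) that the first two bullets ask about.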

Why disable McAfee Antivirus before updating the operating system to Windows 10? – McAfee Antivirus

McAfee should be disabled before upgrading to Windows 10 because the installed antivirus can run into compatibility problems with the upgrade installer, which can corrupt both the system and the antivirus itself. It is therefore necessary to disable the software while the operating system is being upgraded, and to re-enable it once the upgrade has completed. If you still need help, contact the support team.


Sophos Antivirus or other Firewall/AV blocking Tomcat or AmazonS3Client listObjects() method?

I have a pair of Java/Tomcat web applications running on a third-party (customer) server, and of late those applications can no longer list or download objects from Amazon S3.

This is a “nothing changed” situation, where I got a bug report out of the blue on what were stable systems. Our other users hosting the software on their own Windows networks don’t have this issue, and the instances we host on Amazon EC2 likewise have no issue. I was able to identify the date it stopped working, but Customer IT likewise says “nothing changed”. I do see Sophos software running on the machine in question, but I am not sure if that’s the issue, and it appears to have been installed a while before this occurred.

To reiterate, I have two (2) applications running on this server that interact with S3, and they both started failing the exact same time. Of note, they interact via SQS messages. One app posts to SQS (this works) and another polls SQS (this works).

To debug this, I have attempted the following:

  • Install AWS CLI on problem server and attempt to list-objects. This worked.
  • Point my own development environment (outside customer network) at the problem server’s DB (available via VPN) to verify properties/config setup. This worked.
  • Hardcode the references to S3 resources and redeploy, to verify the issue isn’t app initialization/failure to resolve config. This still fails, but logs are outputting the correct bucket and key, so config/setup does not appear to be the issue.
  • Put explicit log statements all around the failing methods to isolate the exact line that fails. This is a call to AmazonS3’s listObjects(string, string) method.
  • Checked Sophos McsAgent.log and McsClient.log to see if anything obviously related to my applications was popping up.
  • Tried to run a unit test within the application’s code base on the problem server that also invokes the listObjects() method. This worked.

In the live/running failure case, I do not get an exception thrown by the listObjects method. It simply appears to execute indefinitely, even after I set the browser timeouts used to reproduce this to a fairly long value (9000000 ms).

At this point I am not sure what the next debugging step would be, but I believe the evidence strongly points to an issue related to Tomcat making this request from within their four walls.
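A call that neither returns nor throws is best diagnosed from a thread dump taken while it is stuck (`jstack <tomcat-pid>`, or `kill -3 <pid>` to have the JVM write one to catalina.out). The top frame of the thread sitting in `listObjects` says whether it is waiting for `connect()` to complete, waiting to read from an established socket, or blocked on a Java monitor, and each of those points somewhere different. The script below is an added example, not from the original post or from the AWS SDK; it parses jstack output, pulls out the threads inside a given method and classifies what they are waiting on. The dump embedded in it is constructed to look like jstack output (the application class `com.example.reports.S3Lister` and the source line numbers are placeholders).

```python
"""Pull the hung request out of a jstack thread dump.

Added example, not from the original post. When a Java call such as
AmazonS3Client.listObjects() never returns and never throws, take
`jstack <pid>` while the request is stuck; the frame at the top of that
thread's stack says whether it is waiting on connect(), on a read from an
established socket, or on a lock. The dump below is constructed to look
like jstack output; its line numbers are placeholders.
"""
import re
import sys
from dataclasses import dataclass, field
from typing import List

HEADER_RE = re.compile(r'^"(?P<name>[^"]+)"')
STATE_RE = re.compile(r'java\.lang\.Thread\.State:\s+(?P<state>\w+)')
FRAME_RE = re.compile(r'^\s*at\s+(?P<frame>[^\s(]+)')   # class.method, no args/line

SAMPLE_DUMP = '''\
"http-nio-8080-exec-3" #31 daemon prio=5 os_prio=0 tid=0x00007f3c4c1a2800 nid=0x2b1f runnable [0x00007f3c1d7fe000]
   java.lang.Thread.State: RUNNABLE
\tat java.net.SocketInputStream.socketRead0(Native Method)
\tat java.net.SocketInputStream.read(SocketInputStream.java:171)
\tat sun.security.ssl.SSLSocketInputRecord.read(SSLSocketInputRecord.java:457)
\tat com.amazonaws.http.AmazonHttpClient$RequestExecutor.doExecute(AmazonHttpClient.java:1)
\tat com.amazonaws.services.s3.AmazonS3Client.listObjects(AmazonS3Client.java:1)
\tat com.example.reports.S3Lister.list(S3Lister.java:1)

"http-nio-8080-exec-5" #33 daemon prio=5 os_prio=0 tid=0x00007f3c4c1a5000 nid=0x2b21 runnable [0x00007f3c1d5fe000]
   java.lang.Thread.State: RUNNABLE
\tat java.net.PlainSocketImpl.socketConnect(Native Method)
\tat java.net.Socket.connect(Socket.java:607)
\tat com.amazonaws.services.s3.AmazonS3Client.listObjects(AmazonS3Client.java:1)
\tat com.example.reports.S3Lister.list(S3Lister.java:1)

"http-nio-8080-exec-7" #35 daemon prio=5 os_prio=0 tid=0x00007f3c4c1a8000 nid=0x2b23 waiting on condition [0x00007f3c1d3fe000]
   java.lang.Thread.State: WAITING (parking)
\tat sun.misc.Unsafe.park(Native Method)
\tat java.util.concurrent.LinkedBlockingQueue.take(LinkedBlockingQueue.java:442)
\tat org.apache.tomcat.util.threads.TaskQueue.take(TaskQueue.java:1)
'''


@dataclass
class JThread:
    name: str
    state: str = "UNKNOWN"
    frames: List[str] = field(default_factory=list)   # innermost first, as jstack prints


def parse_dump(text: str) -> List[JThread]:
    """Split a jstack dump into threads with their state and stack frames."""
    threads, cur = [], None
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            cur = JThread(m.group("name"))
            threads.append(cur)
            continue
        if cur is None:
            continue
        m = STATE_RE.search(line)
        if m:
            cur.state = m.group("state")
            continue
        m = FRAME_RE.match(line)
        if m:
            cur.frames.append(m.group("frame"))
    return threads


def threads_in(threads: List[JThread], method_substr: str) -> List[JThread]:
    """Threads whose stack passes through a frame containing method_substr."""
    return [t for t in threads if any(method_substr in f for f in t.frames)]


def diagnose(t: JThread) -> str:
    """Classify what the thread is waiting on from its innermost frame."""
    top = t.frames[0] if t.frames else ""
    if "socketConnect" in top or "Net.connect" in top:
        return "connect"   # TCP handshake never completes: packets dropped or no route
    if "socketRead" in top or "SocketInputStream" in top or "Net.poll" in top:
        return "read"      # connection is up; the peer (or a middlebox) never answers
    if t.state == "BLOCKED":
        return "lock"      # stuck on a Java monitor, not on the network at all
    return "other"


def summarize(dump_text: str, method: str = "AmazonS3Client.listObjects"):
    """(thread name, state, diagnosis, top frame) for every thread inside `method`."""
    return [(t.name, t.state, diagnose(t), t.frames[0] if t.frames else "")
            for t in threads_in(parse_dump(dump_text), method)]


if __name__ == "__main__":
    # usage: python hung_threads.py [dump.txt]   (defaults to the constructed sample)
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_DUMP
    for row in summarize(text):
        print(*row, sep="  ")
```

Reading the result: "connect" means this process's SYNs never get answered even though the CLI's do, which points at an egress rule or filter keyed on the Tomcat user or executable; "read" means the TCP (and TLS) session is up but no response ever arrives, which is what a transparent web filter holding the request looks like. The indefinite hang is itself a clue: the v1 AWS Java SDK's `ClientConfiguration` applies a 50-second socket timeout by default, so a plain read stall should normally surface as an exception after a few retries, and a thread that sits there for hours is worth comparing against the working unit test's JVM settings (proxy system properties in particular) before anything else.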