Improving antivirus accuracy with hypervisor assisted analysis
Modern malware protection systems pose an especially difficult problem for antivirus scanners. Simple obfuscation methods
can significantly diminish the effectiveness of a scanner, often rendering it completely ineffective. This paper outlines
the use of a hypervisor-based deobfuscation engine that greatly improves the effectiveness of existing scanning engines.
We have modified the Ether malware analysis framework to add the following deobfuscation features: section and header rebuilding,
and automated import rebuilding based on kernel virtual address descriptors (VADs). Using these repair mechanisms we have shown
improvements of as much as 45% in the effectiveness of antivirus scanning engines.
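The abstract names section and header rebuilding as one of the repair steps, without showing what a dumped image looks like before and after it. The following is an added illustration, not code from the paper or from the Ether framework: it builds a constructed, minimal PE32 image as a memory dump leaves it (virtual layout intact, on-disk size and pointer fields zeroed), reports the sections a file-based scanner would see as empty, and rewrites the section table so each section's raw pointer and size follow its virtual address, rounded up to FileAlignment. The assumption that a section's offset in the dump equals its RVA holds for a straight image dump and is the one the rebuild relies on; the sample image, its section names and sizes are constructed for the example.

```python
import struct

DOS_HEADER_SIZE = 0x40
SECTION_HEADER_FMT = "<8sIIIIIIHHI"   # IMAGE_SECTION_HEADER field layout
SECTION_HEADER_SIZE = struct.calcsize(SECTION_HEADER_FMT)  # 40 bytes


def align_up(value, alignment):
    return (value + alignment - 1) // alignment * alignment


def parse_pe(data):
    """Return (FileAlignment, [section dicts]) for a PE32 image held in memory."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    num_sections = struct.unpack_from("<H", data, e_lfanew + 6)[0]
    size_opt = struct.unpack_from("<H", data, e_lfanew + 20)[0]
    opt = e_lfanew + 24                      # start of IMAGE_OPTIONAL_HEADER
    _section_alignment, file_alignment = struct.unpack_from("<II", data, opt + 32)
    first = opt + size_opt                    # section table follows the optional header
    sections = []
    for i in range(num_sections):
        off = first + i * SECTION_HEADER_SIZE
        f = struct.unpack_from(SECTION_HEADER_FMT, data, off)
        sections.append({
            "offset": off,                    # file offset of this header, used by the repair
            "name": f[0].rstrip(b"\0").decode(),
            "virtual_size": f[1], "virtual_address": f[2],
            "raw_size": f[3], "raw_pointer": f[4],
        })
    return file_alignment, sections


def find_broken_sections(data):
    """Names of sections whose on-disk view is empty or lies outside the file:
    the symptom a scanner hits on a packed image dumped without header repair."""
    _, sections = parse_pe(data)
    return [s["name"] for s in sections
            if s["virtual_size"]
            and (s["raw_size"] == 0 or s["raw_pointer"] + s["raw_size"] > len(data))]


def rebuild_section_table(data):
    """Repair SizeOfRawData/PointerToRawData of every section of a memory dump.
    Assumption (labelled): each section's offset in the dump equals its RVA, so the
    raw pointer becomes the virtual address and the raw size the virtual size
    rounded up to FileAlignment."""
    out = bytearray(data)
    file_alignment, sections = parse_pe(data)
    for s in sections:
        raw_size = align_up(s["virtual_size"], file_alignment)
        # SizeOfRawData sits at +16 and PointerToRawData at +20 inside the header
        struct.pack_into("<II", out, s["offset"] + 16, raw_size, s["virtual_address"])
    return bytes(out)


def build_constructed_dump():
    """Constructed sample (not a real binary): a two-section PE32 image as a
    packer-unaware dump leaves it, with zeroed raw size and raw pointer fields."""
    e_lfanew = DOS_HEADER_SIZE
    dos = bytearray(DOS_HEADER_SIZE)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    size_opt = 0xE0                                   # standard PE32 optional header size
    file_hdr = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, size_opt, 0x102)
    opt = bytearray(size_opt)
    struct.pack_into("<H", opt, 0, 0x10B)             # PE32 magic
    struct.pack_into("<II", opt, 32, 0x1000, 0x200)   # SectionAlignment, FileAlignment
    table = b""
    for name, vsize, va in ((b".text", 0x1A0, 0x1000), (b".data", 0x40, 0x2000)):
        table += struct.pack(SECTION_HEADER_FMT, name.ljust(8, b"\0"),
                             vsize, va, 0, 0, 0, 0, 0, 0, 0x60000020)
    image = bytearray(dos + b"PE\0\0" + file_hdr + bytes(opt) + table)
    image += bytes(0x3000 - len(image))               # page-aligned dump body
    return bytes(image)


if __name__ == "__main__":
    dump = build_constructed_dump()
    print("before repair, unreadable sections:", find_broken_sections(dump))
    fixed = rebuild_section_table(dump)
    print("after repair, unreadable sections:", find_broken_sections(fixed))
    for s in parse_pe(fixed)[1]:
        print(f"{s['name']:8} raw_pointer=0x{s['raw_pointer']:x} raw_size=0x{s['raw_size']:x}")
```

The repair only makes the dumped image parseable again; it does not recover imports or an original entry point, which is why the paper pairs it with a separate VAD-based import rebuilding step.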