Keeping a sample undetected by antivirus engines: antivirus products detect malware with a combination of several engines. A few common techniques are as follows:
1. Malicious code/strings: reverse engineers debug the file, identify anomalous code or strings, and add them to the virus definitions. This also covers detection of polymorphic variants of a file. These definitions are what the AV engine matches against.
2. Static PE attributes: a heuristic technique that flags a file on the basis of a combination of unusual static and PE attributes, e.g. the entropy of the file (to identify packing), an entry point that lies outside the .text section, execute characteristics on a non-.text section, the digital signature, etc.
3. API calling sequence: also a heuristic technique. On the basis of previous malware analysis, reverse engineers build a tree of API call sequences that correspond to malicious activity.
4. Behavioral detection: based on the modifications a sample makes when it runs, e.g. creation of registry or file load points (autostart entries), registry modification, process injection, the location the sample copies itself to, etc.
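The static PE heuristics from item 2, worked through in code. This is an added example, not code from the original post or from any AV product: it parses only the PE fields the checks need (entry point, section table), computes per-section Shannon entropy, and flags an entry point outside .text, execute or write+execute flags on non-.text sections, and high-entropy sections. The 7.0 bits-per-byte threshold is an assumed triage cut-off, and the two PE images are constructed in memory as fixtures (a plain layout and a UPX-style layout), not real samples.

```python
"""Static PE heuristics: section entropy, entry-point section, execute flags.
Added example (not from the original page); standard library only.
The PE images below are constructed fixtures, not real or loadable binaries."""
import math
import random
import struct
from dataclasses import dataclass

# Section characteristic flags from the PE/COFF specification.
IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_WRITE = 0x80000000
PACKED_ENTROPY_THRESHOLD = 7.0  # assumption: common triage cut-off for "packed"


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for constant data, 8.0 for uniform."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


@dataclass
class Section:
    name: str
    virtual_address: int
    virtual_size: int
    raw_offset: int
    raw_size: int
    characteristics: int

    def contains_rva(self, rva: int) -> bool:
        end = self.virtual_address + max(self.virtual_size, self.raw_size)
        return self.virtual_address <= rva < end


def parse_pe(image: bytes):
    """Return (AddressOfEntryPoint, [Section]); reads only the fields needed.
    Works for PE32 and PE32+ since SizeOfOptionalHeader is taken from the header."""
    if image[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    pe_off = struct.unpack_from("<I", image, 0x3C)[0]       # e_lfanew
    if image[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = pe_off + 4                                        # COFF file header
    num_sections, = struct.unpack_from("<H", image, coff + 2)
    opt_size, = struct.unpack_from("<H", image, coff + 16)
    opt = coff + 20                                          # optional header
    entry_rva, = struct.unpack_from("<I", image, opt + 16)   # AddressOfEntryPoint
    sections, off = [], opt + opt_size                       # section table
    for _ in range(num_sections):
        name, vsize, vaddr, rsize, roff, _, _, _, _, chars = struct.unpack_from(
            "<8sIIIIIIHHI", image, off)
        sections.append(Section(name.rstrip(b"\0").decode("ascii", "replace"),
                                vaddr, vsize, roff, rsize, chars))
        off += 40
    return entry_rva, sections


def static_heuristics(image: bytes) -> dict:
    """Apply the static checks and return findings as plain strings."""
    entry_rva, sections = parse_pe(image)
    findings = []
    ep = next((s for s in sections if s.contains_rva(entry_rva)), None)
    if ep is None:
        findings.append("entry point outside any section")
    elif ep.name != ".text":
        findings.append(f"entry point in non-.text section {ep.name}")
    for s in sections:
        ent = shannon_entropy(image[s.raw_offset:s.raw_offset + s.raw_size])
        executable = bool(s.characteristics & IMAGE_SCN_MEM_EXECUTE)
        if executable and s.name != ".text":
            findings.append(f"execute flag on non-.text section {s.name}")
        if executable and s.characteristics & IMAGE_SCN_MEM_WRITE:
            findings.append(f"writable+executable section {s.name}")
        if ent > PACKED_ENTROPY_THRESHOLD and s.raw_size >= 256:
            findings.append(f"high entropy {ent:.2f} in {s.name}: likely packed")
    return {"entry_section": ep.name if ep else None,
            "file_entropy": shannon_entropy(image), "findings": findings}


def build_pe(specs, entry_rva: int) -> bytes:
    """Constructed fixture: minimal PE32 headers plus raw sections, not loadable.
    specs: list of (name, rva, raw_bytes, characteristics)."""
    opt_size, align = 224, 0x200                              # PE32 optional header size
    hdr_size = -(-(64 + 4 + 20 + opt_size + 40 * len(specs)) // align) * align
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)                     # e_lfanew -> right after DOS header
    coff = struct.pack("<HHIIIHH", 0x14C, len(specs), 0, 0, 0, opt_size, 0x0102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)                     # PE32 magic
    struct.pack_into("<I", opt, 16, entry_rva)
    hdrs, body = bytearray(), bytearray()
    for name, rva, data, chars in specs:
        rsize = -(-len(data) // align) * align
        hdrs += struct.pack("<8sIIIIIIHHI", name.encode().ljust(8, b"\0"), len(data),
                            rva, rsize, hdr_size + len(body), 0, 0, 0, 0, chars)
        body += data.ljust(rsize, b"\0")
    head = bytes(dos) + b"PE\0\0" + coff + bytes(opt) + bytes(hdrs)
    return head.ljust(hdr_size, b"\0") + bytes(body)


# Constructed samples: a plain executable and a UPX-style packed layout.
_rng = random.Random(1337)
BENIGN = build_pe([(".text", 0x1000, b"\x55\x8b\xec\x5d\xc3\x90" * 85,
                    IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE),
                   (".data", 0x2000, b"Hello, world\0" * 20, 0x40000040)], entry_rva=0x1000)
PACKED = build_pe([("UPX0", 0x1000, b"", IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_WRITE),
                   ("UPX1", 0x5000, bytes(_rng.getrandbits(8) for _ in range(4096)),
                    IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_WRITE)],
                  entry_rva=0x5F10)
```

Run `static_heuristics(BENIGN)` and `static_heuristics(PACKED)`: the first returns no findings, the second flags the entry point in UPX1, execute and write+execute bits on both UPX sections, and the near-8.0 entropy of the packed UPX1 body. Any single finding is weak on its own (signed installers and legitimately packed software trip the same checks), which is why AV engines score combinations of attributes, as item 2 says, rather than acting on one.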
Most Deep Freeze style software prevents modification of the basic system configuration and protects the physical media; mostly this is done at the level of the file system table.
Many common mechanisms for avoiding detection, such as anti-debugging, VM awareness, polymorphism, use of packers, etc., are outdated, and antivirus vendors have found solutions for them.
I have already worked on antivirus engine development and know these techniques well, which will be really helpful in this project.
To discuss more, please contact me.