Automating the Detection of Evasive Windows Malware: An Evaluated YARA Rule Library for Anti-VM and Anti-Sandbox Techniques
Abstract
1. Introduction
- RQ1: To what extent can anti-analysis techniques in Windows malware be reliably detected using static YARA signatures?
- RQ2: Which classes of evasion techniques are most amenable to static detection, and which remain difficult due to implementation variability or benign overlap?
- RQ3: How does large-scale empirical validation refine rule reliability and reveal limits of static detection?
2. Related Work
2.1. Evasion and Anti-Analysis Studies
2.2. Static Detection and YARA-Based Methods
3. Methodology
3.1. Technique Discovery
- Academic literature: peer-reviewed papers from leading cybersecurity journals and conference proceedings, with particular emphasis on works that explicitly document evasion or anti-analysis mechanisms.
- Threat intelligence (CTI) sources: repositories and feeds from platforms such as VirusTotal, MISP, and open-source CTI aggregators.
- Vendor and community resources: whitepapers, GitHub projects, and technical blogs maintained by antivirus and EDR vendors.
3.2. Technique Classification Framework
- 1.
- Detailed Examination of Each Technique: Each entry was analyzed in depth to determine its primary evasion mechanism (e.g., CPU instruction probe, timing measurement, file or registry artifact lookup, API hook inspection, hardware or BIOS query, network or WMI query, user-interface interaction).
- 2.
- Provisional Grouping: Techniques sharing similar indicators were grouped into provisional clusters. For example, instructions leveraging CPUID or SIDT were placed under CPU fingerprinting, whereas high-resolution timing checks were grouped under timing-based heuristics.
- 3.
- Resolution of Ambiguities: Ambiguous techniques combining multiple indicators (e.g., measuring time while reading BIOS data) were reviewed and assigned to the category corresponding to their most distinctive detection mechanism.
- 4.
- Iterative Consolidation and Validation: Clusters were merged, split, or renamed through multiple refinement rounds until all techniques mapped unambiguously to a single, stable category.
3.3. YARA Rule Development
- Metadata: including descriptive and traceability information such as a human-readable description of the technique, author, creation date, rule version, an internal identifier, and references to external documentation. This metadata structure supports reproducibility, facilitates rule maintenance, and enables integration with automated analysis workflows by providing contextual information about the intent and origin of each rule.
- Strings and Patterns: ASCII/Unicode literals, hexadecimal sequences, or regular expressions characteristic of the technique’s implementation.
- Conditional Clauses: filters such as file size bounds, section name constraints, or entropy thresholds to reduce false positives.
3.4. Dataset Collection
- 1.
- Malware Corpus (): 459,508 Windows PE samples collected from the Bazaar repository [9] (February 2020–December 2024), spanning diverse families including Trojans, Backdoors, Ransomware, and Infostealers.
- 2.
- Goodware Corpus (): 92,508 benign Windows executables from the Assemblage datasets [10], comprising:
- 62,869 system and application binaries representing common Windows software.
- 29,639 vcpkg packages representing third-party libraries widely used in Windows environments.
3.5. Automated Rule Testing
- : number of malware samples matched.
- : number of benign binaries matched.
- : normalized true positives.
- : normalized false positives.
- .
3.6. Rule Refinement and Validation
- Pattern tightening: refining string literals or hexadecimal sequences to focus on distinctive instruction patterns or constant values directly associated with the technique, while removing ambiguous substrings that may occur in benign contexts;
- Constraint adjustment: introducing or modifying contextual conditions such as file size limits, section names, entropy thresholds, or required co-occurrence of multiple indicators to reduce matches in benign binaries;
- Generic pattern elimination: removing or replacing patterns that rely on broadly used APIs or common programming constructs without sufficient contextual specificity, which were found to generate high false-positive rates;
- Rule consolidation: merging rules that targeted equivalent or closely related implementations of the same technique in order to reduce redundancy and improve maintainability of the rule set;
- Iterative validation feedback: analyzing false-positive and true-positive samples after each evaluation round to identify systematic sources of error, and incorporating these observations into subsequent refinements.
- Accurate: .
- Marginal: .
- Unreliable: (excluded from the final library).
3.7. Result Analysis
- The most prevalent evasion techniques ( ranking);
- Correlations between categories and malware families;
- Temporal trends in evasion behaviors (2020–2024);
- Recurring false-positive motifs in benign binaries.
3.8. Consolidated YARA Rule Library
4. Identification and Characterization of Anti-Virtual-Machine and Anti-Sandbox Techniques
4.1. Classification Framework
- 1.
- Instruction-Based Checks: Instruction-based checks exploit CPU opcodes or specialized instructions whose behavior differs under virtualization. For example, the CPUID instruction can reveal a hypervisor vendor string or set a “hypervisor present” bit when executed on a virtual platform. The “Red Pill” technique uses SIDT/LIDT to read the Interrupt Descriptor Table (IDT) base, which is relocated in many hypervisors. Additional checks include IN-port accesses to magic values (e.g., VMware’s I/O port 0x5658), execution of undefined or privileged opcodes (which may fault differently in a VM), and inconsistencies when executing MMX/SSE instructions. These checks typically rely on a single, deterministic instruction or small sequence that directly exposes virtualization artifacts at the CPU level.
- 2.
- Timing-Based Evasions: Timing checks measure execution delays or clock skew introduced by virtualization or sandbox instrumentation. Common approaches include comparing high-resolution timers (RDTSC, QueryPerformanceCounter) against lower-resolution APIs (GetTickCount/GetTickCount64), detecting Sleep acceleration or bypassing, and scheduling deferred execution that exceeds automated analysis lifetimes. Cross-referencing multiple timing sources or inserting repeated delays helps identify latency overhead imposed by hypervisors or monitors. This category also includes date/time gating to evade short-term analyses.
- 3.
- File and Registry Artifacts: Techniques that search for static indicators of virtualization or sandbox platforms in the file system or registry (e.g., hypervisor drivers like VBoxGuest.sys, sandbox DLLs such as sbiedll.dll, uninstall entries, product-specific paths, or analysis-tool executables). These checks rely on artifacts often unique to particular hypervisors or sandbox products.
- 4.
- Hardware Fingerprinting: Direct interrogation of hardware properties that differ between physical machines and virtual instances (e.g., disk geometry, virtual NIC OUIs, BIOS/SMBIOS vendor strings, RAM size, core counts, ACPI contents, GPU identifiers). Discrepancies versus expected physical values indicate virtualization.
- 5.
- API and Process Hooking: Detection of instrumentation introduced by dynamic analysis frameworks or sandbox hooks (e.g., IAT integrity for ntdll.dll, scanning function prologues for trampolines, comparing on-disk vs in-memory stubs, anomalous DLL load order, code caves, kernel/user callbacks). The aim is to uncover API interception or inline patching.
- 6.
- OS and System-Call Interrogation: Use of undocumented structures or direct system calls to reveal hypervisor/sandbox artifacts at kernel or system level (e.g., NtQuerySystemInformation for driver lists, SSDT or HAL inspection, executive callbacks, virtualization-specific exception codes). This category also includes VMware I/O port probing (e.g., port 0x5658 magic value), which we place here to reflect its reliance on system-level I/O semantics.
- 7.
- Network and WMI Queries: This category consolidates techniques that query management and network interfaces to uncover virtualization or sandbox characteristics. We intentionally group WMI and networking together, as both are frequently employed through overlapping code paths and share underlying system dependencies such as RPC/DCOM and CIM providers. In practice, WMI is used not only for local configuration queries but also for retrieving network-related data (e.g., adapter characteristics, IP configuration, BIOS metadata), making it analytically consistent to treat these sources jointly. Moreover, sandbox and hypervisor environments often instrument WMI and network APIs using common interception layers, which can introduce correlated anomalies detectable by malware. Additional checks rely on WMI to infer system uptime, process creation, or network reset times, which can reveal snapshot restores and other transient sandbox behaviors.
- 8.
- UI and Human-Interaction Checks: Evidence of real user activity or graphical rendering absent in automated sandboxes (e.g., GetCursorPos/GetLastInputInfo activity, invisible UI controls requiring clicks, GUI rendering latencies, window focus changes, scroll events, recent document history). These distinguish human-operated systems from fully automated analysis platforms.
- 9.
- Firmware and BIOS Checks: Interrogation of system-level tables for virtualization-specific entries (e.g., GetSystemFirmwareTable or NtQuerySystemInformation to read DMI/SMBIOS strings like “VMware” or “innotek GmbH”; UEFI variable namespaces; ACPI fields). Many virtual platforms emulate BIOS/UEFI data that can be recognized reliably.
4.2. Identified Techniques
- Instruction-Based Checks:
- –
- Hypervisor brand via CPUID instruction: The CPUID instruction provides processor and feature information, including a hypervisor vendor string when run under virtualization.
- –
- Hypervisor existence via CPUID instruction: The CPUID instruction can detect a hypervisor by checking the “hypervisor present” flag in ECX.
- –
- MMX support via CPUID instruction: Malware may use MMX instructions as a test; failure or exception behavior can indicate an emulated environment lacking full MMX support.
- –
- The Red Pill: Uses SIDT/LIDT to read the Interrupt Descriptor Table base, which is relocated by many hypervisors.
- –
- No Pill: Reads the Local Descriptor Table Register (LDTR); a nonzero limit often indicates a VM.
- –
- Execution of illegal instructions-VirtualPC: Issues undefined or privileged opcodes whose fault behavior differs in VirtualPC versus physical hardware.
- –
- VPCEXT Instruction Detection: Invokes the VPCEXT instruction, which exists only under VirtualPC, to confirm virtualization.
- –
- Bochs Emulator Detection via CPU Artifacts: Examines CPU artifacts (e.g., CPUID leafs) that reveal the Bochs emulator.
- Timing-Based Evasions:
- –
- Simple Delaying Operation: Inserts a long Sleep or loop to exceed the maximum analysis time of a sandbox.
- –
- Deferred Execution via Task Scheduler: Schedules a task for delayed execution, evading sandboxes that only run samples briefly.
- –
- Delayed Malicious Actions Until Reboot: Uses Windows startup scripts or services so the payload runs only after a reboot, bypassing short-lived analysis.
- –
- Date-Specific Execution: Executes payload only on predefined dates, avoiding sandboxes that lack those date conditions.
- –
- Parallel delays using different methods: Uses multiple delay APIs (e.g., SetWaitable Timer and Sleep) to measure real elapsed time and detect sleep-skipping indicative of a sandbox.
- –
- Multi-source clock comparison: Cross-checks time readings from RDTSC, GetTickCount, and QueryPerformanceCounter to detect virtualization-induced drift.
- –
- Sleep-skipping detection via timing discrepancies: Cross-checks elapsed time using QueryPerformanceCounter, GetTickCount64, and KUSER\SHARED\DATA ticks to detect discrepancies caused by sandbox sleep-skipping.
- –
- Multi-Method System Time Check: Compares system time from GetSystemTimeAsFileTime and NtQuerySystemInformation to detect discrepancies from sandbox sleep-skipping.
- –
- Delay value integrity check: Verifies that Sleep is actually delayed for the intended duration rather than being fast-forwarded by a sandbox.
- –
- Absolute Timeout Detection: Uses NtDelayExecution with absolute timeouts to detect sandboxes that mishandle absolute delays, revealing sleep-skipping.
- –
- Cross-Process Time Comparison: Compares elapsed time between two processes; significant discrepancies reveal sandbox sleep-skipping.
- –
- External Time Source Verification: Retrieves current time from an external source (e.g., NTP or HTTP header) to detect sandbox clock manipulation and bypass internal VM time overrides.
- –
- RDTSC and RDTSCP Timing Discrepancy Detection: Measures cycle counts with RDTSC/RDTSCP (often bracketed by CPUID) around operations like GetProcessHeap or CloseHandle; significant timing variations reveal virtualization.
- –
- Last Boot Time Discrepancy Detection: Compares system last-boot time via WMI against BIOS counters; VM snapshot restores can create anomalies.
- –
- Expiration Date-Based Evasion: Embeds a future activation date in the binary so the sample remains dormant until after typical analysis periods.
- –
- API Hammering: Repeatedly invokes benign APIs (e.g., printf) to delay payload execution and outlast the sandbox’s analysis time.
- –
- Short System Uptime Detection: Checks system uptime via GetTickCount, GetTickCount64, or NtQuerySystemInformation; unusually short uptime indicates a freshly initialized sandbox.
- File and Registry Artifacts:
- –
- Specific files’ existence: Checks for known sandbox or VM binary files (e.g., VMMouse.sys, VBoxGuest.sys) that reside only in virtual environments.
- –
- Specific directories existence: Detects directories (e.g., C:\Sandbox) unique to sandbox implementations.
- –
- Executables launched from specific directories: Verifies if the sample’s parent process path matches known sandbox-injection directories.
- –
- Full path executables containing specific strings: Scans the full executable path for substrings (e.g., “_SAND_”) used by sandbox environments.
- –
- Executable files with specific names present in physical disk drives’ root: Looks for filenames that sandboxes commonly drop in the root for instrumentation.
- –
- Specific registry paths’ existence: Probes registry paths used by virtualization tools.
- –
- Specific registry keys containing particular values: Reads registry values (e.g., “VMTools”); presence suggests virtualization.
- –
- VBAWarning enabled: Checks Office VBA security settings in the registry; sandboxes often disable warnings to auto-run macros.
- –
- Recently Opened Documents Check: Reads “RecentDocs” entries in the registry; lack of user history suggests a sandbox.
- –
- Browser History URL Count Check: Counts URLs in browser history; a near-empty history suggests an analysis environment.
- –
- Installed Software Package Check: Enumerates installed programs via registry; missing typical software (e.g., antivirus) can indicate a sandbox.
- –
- Any.Run Sandbox Detection: Searches for artifacts (e.g., ANYRUN\CAPTURE) left by the Any.Run platform.
- –
- Goat File Detection in Defender AV Emulator: Checks for the presence of known “goat files” used by Defender’s emulator.
- –
- Default Wallpaper Detection: Reads the current desktop wallpaper path; generic or missing wallpaper often occurs in VM templates.
- Hardware Fingerprinting:
- –
- Common MAC addresses: Enumerates adapters via GetAdaptersAddresses/GetAdaptersInfo and checks OUIs linked to VMware/VirtualBox.
- –
- Specific network adapters name existence: Identifies adapter names tied to VMs (e.g., “VirtualBox Host-Only Network”).
- –
- Low RAM Detection: GetMemoryStatusEx shows unusually low RAM (e.g., <1 GB) indicative of sandbox/VM.
- –
- Unusual Screen Resolution Detection: GetSystemMetrics/GetMonitorInfo reveals atypical resolutions for physical hosts.
- –
- Low Processor Count Detection: GetSystemInfo, PEB, or KUSER\SHARED\DATA show very low core counts.
- –
- Low Monitor Count Detection: EnumDisplayMonitors or SM_MONITORS indicates single/absent monitors typical of VMs.
- –
- Small Disk Size and Free Space Detection: DeviceIoControl, IOCTL_DISK_GET_LENGTH_INFO and GetDiskFreeSpaceExA/W show unusually small volumes.
- –
- Virtual Hard Disk Boot Detection: IsNativeVhdBoot confirms OS booted from VHD.
- –
- Specific Virtual Device Detection: Attempts to open/query device names (e.g., \.\vmmem) via NtCreateFile.
- –
- Specific HDD Name Detection: SetupDi* APIs reveal HDD model strings (e.g., “VBOX HARDDISK”).
- –
- Specific HDD Vendor ID Detection: IOCTL_STORAGE_QUERY_PROPERTY returns vendor IDs like “VMware”/“QEMU.”
- –
- Audio Device Absence Detection: No enumerated audio devices suggests virtual/sandboxed hosts.
- –
- CPU Temperature Availability Detection: Temperature queries fail or return zero on VMs.
- –
- Physical Display Adapter Detection: Direct3DCreate9/GetAdapterIdentifier indicates generic/software adapter only.
- –
- Printer Detection: No installed printers via EnumPrinters.
- –
- USB Drive Detection: No mounted USB drives via SetupDi or GetLogicalDrives.
- –
- CPU Core and Hyperthreading Detection: Core/HT flags from PEB/CPUID suggest underprovisioned VM.
- –
- Odd CPU Thread Count Detection: Odd thread counts (e.g., 3) indicate VM manipulation.
- API and Process Hooking:
- –
- Specific libraries loaded in the process address space: GetModuleHandle checks for analysis-injector DLLs.
- –
- Specific functions present in particular libraries: GetProcAddress/LdrGetProcedureAddress locate sandbox-specific exports.
- –
- Certain libraries safely loaded: LoadLibraryA/W behavior on rare/fake DLLs reveals emulation quirks.
- –
- Specific artifacts present in the process address space - Sandboxie: NtQueryVirtualMemory scans for Sandboxie stubs.
- –
- Unbalanced Stack Detection: Precise stack layout detects corruption by hooks.
- –
- System Function Hook Detection: Prologue comparison for trampolines in critical Nt* APIs.
- –
- Mouse Click Detection via Hooks: SetWindowsHookEx/GetAsyncKeyState expect real user input.
- –
- Incorrect Hook Detection: Argument/validation anomalies in hooked Nt* paths expose sandboxes.
- OS and System-Call Interrogation:
- –
- Specific processes and services running: Presence of known monitoring services (e.g., “VBoxService”).
- –
- Specific User Name Existence: GetUserNameA/W matches typical sandbox accounts.
- –
- Specific Host Name Existence: GetComputerNameExA/W matches typical sandbox hostnames.
- –
- Specific Global Mutex Detection: CreateMutex/OpenMutex for VM-created mutexes.
- –
- Specific Global Pipe Detection: CreateFile on named pipes typical of VMs.
- –
- Specific Global Object Detection: NtOpenDirectoryObject/NtQueryDirectoryObject list VM-specific global objects.
- –
- Specific Window Class Name Detection: EnumWindows/FindWindow detect classes like VBoxTrayToolWndClass.
- –
- Low Top-Level Window Count Detection: EnumWindows reveals unusually few windows.
- –
- Debug Privilege Detection: Attempt to enable debug privilege and perform privileged actions.
- –
- Wine Detection: Probe Wine-specific inconsistencies or exports.
- –
- Invalid Argument Detection for Delay Functions: NtDelayExecution with invalid/unaligned timeouts.
- –
- VMware I/O Port Detection: Query VMware-specific I/O ports (e.g., 0x5658) and check for VMXh magic value.
- –
- Active Directory Domain Membership Check: Compare LogonServer/ComputerName.
- –
- BuildCommDCBAndTimeouts Device String Validation: Failure semantics for bogus device strings.
- Network and WMI Queries:
- –
- Specific provider’s name for network shares: Shares revealing sandbox domains.
- –
- Networks belonging to security perimeters: Isolated/corporate subnets typical of sandboxes.
- –
- NetValidateName result based anti-emulation: NetValidateName anomalies in sandboxes.
- –
- WMI Process Creation Evasion: Win32_Process.Create to bypass CreateProcessInternalW hooks.
- –
- WMI Task Scheduler Evasion: Win32_ScheduledJob.Create for deferred execution.
- –
- Last Boot Time Anomaly Detection: WMI-based last boot time inconsistencies.
- –
- Network Adapter Last Reset Time Check: WMI-reported adapter reset times across snapshots.
- UI and Human-Interaction Checks:
- –
- Mouse Movement Detection: Repeated GetCursorPos polling for real input.
- –
- User Interaction Request: MessageBox gating on human click.
- –
- Invisible Button Evasion: Transparent button requiring real click.
- –
- Scroll-Triggered Payload Activation: Requires scroll event prior to activation.
- –
- User Activity Detection: GetLastInputInfo inactivity threshold.
- Firmware and BIOS Checks:
- –
- Firmware Table String Detection: SMBIOS/DMI strings exposing vendors such as “SeaBIOS,” “VMware,” or “innotek GmbH.”
- –
- SMBIOS firmware table string detection: NtQuerySystemInformation extraction of DMI/SMBIOS strings indicating virtual hardware.
5. YARA Detection of Anti-Virtual-Machine and Anti-Sandbox Techniques
- API Hammering.
- Bochs Emulator Detection via CPU Artifacts.
- Cross-Process Time Comparison.
- Delay Value Integrity Check.
- Delayed Malicious Actions Until Reboot.
- Expiration Date-Based Evasion.
- External Time Source Verification.
- Incorrect Hook Detection.
- Invisible Button Evasion.
- Odd CPU Thread Count Detection.
- Scroll-Triggered Payload Activation.
- User Interaction Request.
6. Discussion of the Results
6.1. Overall Rule Performance
- 77 rules yielded at least one match on malware samples.
- 5 rules produced zero matches; no false positives were observed, and manual inspection confirmed the patterns were valid but absent from the corpus.
- 42 rules (51.22%) were labeled Accurate, achieving precision above 75%.
- 16 rules (19.51%) were labeled Marginal, with precision between 50% and 75%.
- 24 rules (29.27%) were labeled Unreliable, with precision below 50%, and thus excluded from the final repository.
6.2. Top-Performing and Underperforming Rules
6.3. Category-Level Observations
- Timing-Based Evasions. This category produced the largest number of total matches (595,557 hits) but exhibited moderate precision, averaging 53.78%. Timing discrepancies, sleep-skipping, and clock skew detection remain pervasive in malware, yet their static signatures overlap significantly with legitimate application behavior (e.g., scheduling, benchmarking).
- –
- Implication: Timing checks are widespread but inherently difficult to capture with static signatures alone.
- –
- Recommendation: Combining static detection with short, lightweight dynamic execution (e.g., confirmation of timing anomalies) could enhance confidence while retaining scalability.
- Firmware and BIOS Checks. Although comparatively rare, this category achieved the highest mean precision (92.87%). Rules targeting SMBIOS or UEFI vendor strings (e.g., “SeaBIOS,” “VMware”) proved highly reliable indicators of virtualization.
- –
- Implication: Firmware- and BIOS-level detections yield high-confidence signals with minimal false positives.
- –
- Recommendation: These rules are well-suited for operational deployment in triage or attribution pipelines.
6.4. Temporal Trends in Technique Usage
7. Conclusions and Future Work
- RQ1 is answered by showing that a substantial portion of anti-analysis behavior can be detected statically: more than half of the implemented rules achieved reliable precision, demonstrating that static YARA signatures can capture many implementation-stable evasion patterns. At the same time, sample-level analysis shows that these patterns tend to co-occur more densely in malware, reinforcing their relevance as indicators of structured evasion logic.
- RQ2 is clarified through the observed variability in rule performance: hardware- and artifact-based checks proved highly amenable to static detection, whereas timing logic and environment-sensitive triggers remained difficult due to benign overlap and implementation diversity.
- RQ3 is supported by the large-scale validation process itself, which revealed both the achievable reliability limits of static detection and the importance of iterative refinement using mixed malware and goodware corpora. In particular, empirical testing exposed rule brittleness, redundancy, and contextual dependencies that would not have been evident from design alone.
Author Contributions
Funding
Data Availability Statement
Acknowledgments
Conflicts of Interest
Abbreviations
| YARA | Yet Another Recursive Acronym |
| VM | Virtual Machine |
| CTI | Cyber Threat Intelligence |
| EDR | Endpoint Detection and Response |
| PE | Portable Executable |
| TP | True Positive |
| FP | False Positive |
| CPU | Central Processing Unit |
| API | Application Programming Interface |
References
- Or-Meir, O.; Nissim, N.; Elovici, Y.; Rokach, L. Dynamic malware analysis in the modern era—A state of the art survey. ACM Comput. Surv. (CSUR) 2019, 52, 1–48. [Google Scholar] [CrossRef]
- Vasilescu, M.; Gheorghe, L.; Tapus, N. Practical malware analysis based on sandboxing. In Proceedings of the 2014 RoEduNet Conference 13th Edition: Networking in Education and Research Joint Event RENAM 8th Conference; IEEE: New York, NY, USA, 2014; pp. 1–6. [Google Scholar]
- Sihwail, R.; Omar, K.; Ariffin, K.Z. A survey on malware analysis techniques: Static, dynamic, hybrid and memory analysis. Int. J. Adv. Sci. Eng. Inf. Technol. 2018, 8, 1662–1671. [Google Scholar] [CrossRef]
- Gao, Y.; Lu, Z.; Luo, Y. Survey on malware anti-analysis. In Proceedings of the Fifth International Conference on Intelligent Control and Information Processing, Dalian, China, 18–20 August 2014; pp. 270–275. [Google Scholar] [CrossRef]
- VirusTotal. YARA Documentation. 2025. Available online: https://yara.readthedocs.io/en/stable/ (accessed on 7 November 2025).
- Mahdi, R.H.; Trabelsi, H. Detection of malware by using yara rules. In Proceedings of the 2024 21st International Multi-Conference on Systems, Signals & Devices (SSD); IEEE: New York, NY, USA, 2024; pp. 1–8. [Google Scholar]
- Naik, N.; Jenkins, P.; Cooke, R.; Gillett, J.; Jin, Y. Evaluating automatically generated YARA rules and enhancing their effectiveness. In Proceedings of the 2020 IEEE Symposium Series on Computational Intelligence (SSCI); IEEE: New York, NY, USA, 2020; pp. 1146–1153. [Google Scholar]
- Lockett, A. Assessing the effectiveness of yara rules for signature-based malware detection and classification. arXiv 2021, arXiv:2111.13910. [Google Scholar] [CrossRef]
- VX-Underground. Bazaar Sample Collection. Available online: https://vx-underground.org/Samples/Bazaar%20Collection (accessed on 7 November 2025).
- Liu, C.; Saul, R.; Sun, Y.; Raff, E.; Fuchs, M.; Southard Pantano, T.; Holt, J.; Micinski, K. Assemblage: Automatic binary dataset construction for machine learning. Adv. Neural Inf. Process. Syst. 2024, 37, 58698–58715. [Google Scholar]
- Jadhav, A.; Vidyarthi, D.; Hemavathy, M. Evolution of evasive malwares: A survey. In Proceedings of the 2016 International Conference on Computational Techniques in Information and Communication Technologies (ICCTICT); IEEE: New York, NY, USA, 2016; pp. 641–646. [Google Scholar]
- Biondi, F.; Given-Wilson, T.; Legay, A.; Puodzius, C.; Quilbeuf, J. Tutorial: An overview of malware detection and evasion techniques. In Proceedings of the International Symposium on Leveraging Applications of Formal Methods; Springer: Berlin/Heidelberg, Germany, 2018; pp. 565–586. [Google Scholar]
- Afianian, A.; Niksefat, S.; Sadeghiyan, B.; Baptiste, D. Malware dynamic analysis evasion techniques: A survey. ACM Comput. Surv. (CSUR) 2019, 52, 1–28. [Google Scholar] [CrossRef]
- Galloro, N.; Polino, M.; Carminati, M.; Continella, A.; Zanero, S. A Systematical and longitudinal study of evasive behaviors in windows malware. Comput. Secur. 2022, 113, 102550. [Google Scholar] [CrossRef]
- D’Elia, D.C.; Invidia, L.; Palmaro, F.; Querzoni, L. Evaluating dynamic binary instrumentation systems for conspicuous features and artifacts. Digit. Threat. Res. Pract. (DTRAP) 2022, 3, 1–13. [Google Scholar] [CrossRef]
- Filho, A.S.; Rodríguez, R.J.; Feitosa, E.L. Evasion and countermeasures techniques to detect dynamic binary instrumentation frameworks. Digit. Threat. Res. Pract. (DTRAP) 2022, 3, 1–28. [Google Scholar] [CrossRef]
- Gavrila, R.; Zacharis, A. Advancements in Malware Evasion: Analysis Detection and the Future Role of AI. In Malware: Handbook of Prevention and Detection; Springer: Berlin/Heidelberg, Germany, 2024; pp. 275–297. [Google Scholar]
- Mills, A.; Legg, P. Investigating anti-evasion malware triggers using automated sandbox reconfiguration techniques. J. Cybersecur. Priv. 2020, 1, 19–39. [Google Scholar] [CrossRef]
- Botacin, M.; da Rocha, V.F.; de Geus, P.L.; Grégio, A. Analysis, anti-analysis, anti-anti-analysis: An overview of the evasive malware scenario. In Proceedings of the Anais do XVII Simpósio Brasileiro de Segurança da Informação e de Sistemas Computacionais, Brasilia, Brazil, 6–9 November 2017; pp. 250–263. [Google Scholar]
- Kim, M.; Cho, H.; Yi, J.H. Large-scale analysis on anti-analysis techniques in real-world malware. IEEE Access 2022, 10, 75802–75815. [Google Scholar] [CrossRef]
- Chen, P.; Huygens, C.; Desmet, L.; Joosen, W. Advanced or not? A comparative study of the use of anti-debugging and anti-VM techniques in generic and targeted malware. In Proceedings of the IFIP International Conference on ICT Systems Security and Privacy Protection; Springer: Berlin/Heidelberg, Germany, 2016; pp. 323–336. [Google Scholar]
- Mirza, M.M.; Alsuwat, R.S.; Alqurashi, Y.M.; Alharthi, A.A.; Alsuwat, A.M.; Alasamri, O.M.; Hussain, N.A. DIGITRACKER: An Efficient Tool Leveraging Loki for Detecting, Mitigating Cyber Threats and Empowering Cyber Defense. J. Cybersecur. Priv. 2026, 6, 25. [Google Scholar] [CrossRef]
- Cao, V.L.; Dai Nguyen, D. Bypassing anti-emulation methods for malware detection. J. Comput. Sci. Cybern. 2024, 40, 233–248. [Google Scholar] [CrossRef]
- Bhattacharjee, S.; Patil, P.; Patil, V.; Nage, P. Hybrid Multi-Stage Framework for Advanced Malware Detection: Enhancing Accuracy & Resilience. In Proceedings of the 2025 7th International Conference on Energy, Power and Environment (ICEPE); IEEE: New York, NY, USA, 2025; pp. 1–6. [Google Scholar]
- Fukushima, Y.; Sakai, A.; Hori, Y.; Sakurai, K. A behavior based malware detection scheme for avoiding false positive. In Proceedings of the 2010 6th IEEE Workshop on Secure Network Protocols; IEEE: New York, NY, USA, 2010; pp. 79–84. [Google Scholar]
- Check Point Research. Evasions Cheatsheet. 2024. Available online: https://evasions.checkpoint.com/ (accessed on 22 February 2026).
- DarkCoderSc and fr0gger_. UnprotectProject. 2024. Available online: https://unprotect.it/ (accessed on 22 February 2026).
- Branco, R.R.; Barbosa, G.N.; Neto, P.D. Scientific but not academical overview of malware anti-debugging, anti-disassembly and anti-vm technologies. Black Hat 2012, 1, 1–27. [Google Scholar]




| Category | Count | Percentage |
|---|---|---|
| Instruction-Based Checks | 9 | 9.6% |
| Timing-Based Evasions | 16 | 17.0% |
| File and Registry Artifacts | 14 | 14.9% |
| Hardware Fingerprinting | 18 | 19.1% |
| API and Process Hooking | 8 | 8.5% |
| OS and System-Call Interrogation | 15 | 16.0% |
| Network and WMI Queries | 7 | 7.4% |
| UI and Human-Interaction Checks | 5 | 5.3% |
| Firmware and BIOS Checks | 2 | 2.1% |
| Total | 94 | 100% |
Disclaimer/Publisher’s Note: The statements, opinions and data contained in all publications are solely those of the individual author(s) and contributor(s) and not of MDPI and/or the editor(s). MDPI and/or the editor(s) disclaim responsibility for any injury to people or property resulting from any ideas, methods, instructions or products referred to in the content. |
© 2026 by the authors. Licensee MDPI, Basel, Switzerland. This article is an open access article distributed under the terms and conditions of the Creative Commons Attribution (CC BY) license.
Share and Cite
Kanj, S.; Vila, G.; Pegueroles, J. Automating the Detection of Evasive Windows Malware: An Evaluated YARA Rule Library for Anti-VM and Anti-Sandbox Techniques. J. Cybersecur. Priv. 2026, 6, 69. https://doi.org/10.3390/jcp6020069
Kanj S, Vila G, Pegueroles J. Automating the Detection of Evasive Windows Malware: An Evaluated YARA Rule Library for Anti-VM and Anti-Sandbox Techniques. Journal of Cybersecurity and Privacy. 2026; 6(2):69. https://doi.org/10.3390/jcp6020069
Chicago/Turabian StyleKanj, Sebastien, Gorka Vila, and Josep Pegueroles. 2026. "Automating the Detection of Evasive Windows Malware: An Evaluated YARA Rule Library for Anti-VM and Anti-Sandbox Techniques" Journal of Cybersecurity and Privacy 6, no. 2: 69. https://doi.org/10.3390/jcp6020069
APA StyleKanj, S., Vila, G., & Pegueroles, J. (2026). Automating the Detection of Evasive Windows Malware: An Evaluated YARA Rule Library for Anti-VM and Anti-Sandbox Techniques. Journal of Cybersecurity and Privacy, 6(2), 69. https://doi.org/10.3390/jcp6020069

