December 9th, 2003 09:00 AM
nihil is right, the best AV products have to now use the sandbox technique to determine exactly what certain files are doing. Sandboxes are having to be used now because more and more viruses are becoming polymorphic, stealthy and altogether unpleasant.
It is impossible to write a definitive signature for a virus that changes the way that it does an operation, only writes itself in file cavities, and actively tries to hide itself.
For a virus that needs a variable to have a value of 55 there are hundreds upon thousands of ways that it can declare this, e.g.
50 + 5
60 - 5
25 * 3 - 20
It would not be feasible to write a signature for something like this, but it does work if you know what the variable value of 55 is for, and therefore you can watch for a file to try and use that value on something on the system. By doing this in a sandbox the actual machine doesn't get affected, and the virus actually thinks it's running and doesn't get spooked and try to do anything else.
However a new technique will have to be developed soon, as some viruses have already started to try and detect when they are being run in a 'normal' environment and when they are being run in a 'sandbox'.
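The contrast the post draws, a byte signature that only matches one way of computing 55 versus a sandbox that watches what value actually reaches a sensitive operation, as an added example that is not part of the original post. The "programs" are constructed instruction lists for a toy stack machine, the `CALL` opcode stands in for whatever system operation the value is used on, and the `Sandbox` class is a deliberately minimal emulator; none of this is real malware or a real AV engine.

```python
"""Toy comparison: byte-signature scanning versus sandboxed (emulated) behaviour.

Constructed example. Programs are small stack-machine instruction lists;
CALL is a made-up 'sensitive operation' that consumes the top of the stack.
"""
from typing import Dict, List, Tuple

Instr = Tuple[str, int]  # (opcode, operand); the operand is ignored except for PUSH

# Three constructed variants of "compute 55, then hand it to the sensitive call".
# They compute the same value by different arithmetic, so they share no byte
# pattern long enough to serve as a signature (the post's polymorphism point).
VARIANTS: Dict[str, List[Instr]] = {
    "v1": [("PUSH", 50), ("PUSH", 5), ("ADD", 0), ("CALL", 0)],            # 50 + 5
    "v2": [("PUSH", 60), ("PUSH", 5), ("SUB", 0), ("CALL", 0)],            # 60 - 5
    "v3": [("PUSH", 25), ("PUSH", 3), ("MUL", 0),
           ("PUSH", 20), ("SUB", 0), ("CALL", 0)],                         # 25 * 3 - 20
}


def encode(program: List[Instr]) -> bytes:
    """Serialise a program to bytes so a byte-signature scanner has something to match."""
    return b"".join(op.encode() + bytes([arg & 0xFF]) for op, arg in program)


# A signature derived from v1 alone: the bytes for 'PUSH 50, PUSH 5, ADD'.
SIGNATURE = encode(VARIANTS["v1"][:3])


def signature_match(program: List[Instr]) -> bool:
    """Static check: does the known byte pattern occur in the sample?"""
    return SIGNATURE in encode(program)


class Sandbox:
    """Minimal emulator: runs the program against a fake machine state and
    records which values reach CALL, without touching the real host."""

    def __init__(self) -> None:
        self.stack: List[int] = []
        self.calls: List[int] = []

    def run(self, program: List[Instr], max_steps: int = 1000) -> List[int]:
        for step, (op, arg) in enumerate(program):
            if step >= max_steps:
                break  # step budget: never let a sample run the sandbox indefinitely
            if op == "PUSH":
                self.stack.append(arg)
            elif op in ("ADD", "SUB", "MUL"):
                b, a = self.stack.pop(), self.stack.pop()
                self.stack.append({"ADD": a + b, "SUB": a - b, "MUL": a * b}[op])
            elif op == "CALL":
                self.calls.append(self.stack.pop())  # observe, do not perform
            else:
                raise ValueError(f"unknown opcode {op!r}")
        return self.calls


# The value the analyst knows is meaningful for the sensitive operation.
SUSPICIOUS_ARG = 55


def behaviour_match(program: List[Instr]) -> bool:
    """Dynamic check: when emulated, does the program hand the watched value to CALL?"""
    return SUSPICIOUS_ARG in Sandbox().run(program)


def scan_all() -> Dict[str, Tuple[bool, bool]]:
    """For each variant, (signature hit, behaviour hit)."""
    return {name: (signature_match(p), behaviour_match(p)) for name, p in VARIANTS.items()}


if __name__ == "__main__":
    for name, (sig, beh) in scan_all().items():
        print(f"{name}: signature={sig} behaviour={beh}")
```

Only `v1` trips the signature, while all three trip the behavioural check, because the sandbox looks at the value delivered to `CALL` rather than at how it was produced. The emulator's fidelity is the weak point the post closes on: the more the fake machine state differs from a real one, the easier it is for a sample to notice it is being observed, so the step budget and the fake `CALL` here are the kind of shortcuts a production sandbox has to hide carefully.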