April 2nd, 2003, 09:40 AM
how do they work?
Well, I was just getting a bit curious about how antivirus works. For example, Norton can detect any keylogger that is available on the net. OK, so if I make my own keylogger, would it be able to detect that it is a keylogger? And by the way, how do they detect whether it is a virus or not (I mean, if someone wants to make his own antivirus, how can he do it)? Please give me some links to antivirus programs or books. Bye for now.
April 2nd, 2003, 10:14 AM
Um, try google.com; it's good.
I don't really know this, but as far as I know:
The AV (antivirus) program reads the binary or hex of each file. A virus inserts itself into the algorithm and makes it do something bad... that's why viruses are bad. :P Anyway, each virus's algorithm has been taught to the AV program, so when it finds a virus, it knows which part of the file is the virus because of the definition file that tells the AV program which part it is. This is also why an AV program can tell you the name of the virus.
Hope I helped...
Try searching AO too; I'm sure there is heaps of stuff there.
- Trying is the first step towards failure. The moral is: never try.
- It's like something out of that twilighty show about that zone.
----Homer J Simpson----
April 2nd, 2003, 10:42 AM
AFAIK, most virus checkers are fairly stupid.
They have thousands of "signatures" which are either small pieces of code or hashes of bits of code (not sure which), which they can efficiently compare any new binary against.
At the AV company, humans analyse the binary of a new virus (or other malware, e.g. a keylogger), determine a part of it which is fairly unique (its "signature") and add that signature to the next update of the virus checker.
The virus checkers won't detect:
- An existing piece of malware which has been manually altered such that the signature is no longer the same
- An existing piece of malware which has been recompiled from source with compiler options sufficiently different that its signature is different
- A new piece of malware, even if it's similar in function to many existing ones
- Worms like Code Red which never write themselves to disc (Code Red is very clever because it exists entirely in memory, hence the scanners can't touch it)
Hence you should not rely on a virus checker to tell you that a binary is safe.
Some work heuristically: they try to detect that a program is bad from its actions. This is unreliable because:
1. In order to do that, you have to run the program; by the time you detect it, it might have already done bad things
2. "Bad things" are very similar to "Good things"
3. In a server environment, mis-detecting a legit program as a virus will definitely cause denial of service
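The two replies above both describe the same mechanism: a database of "signatures" (byte patterns or hashes taken from a known sample) that the scanner compares every file against. The following is an added example, not code from the thread or from any product, showing that mechanism in miniature and why a one-byte edit defeats it. The signature names, byte patterns and "sample binaries" are all constructed for illustration; a real scanner would also parse the executable format rather than treat the file as a flat blob.

```python
"""Toy signature scanner in the style the thread describes.

Constructed example: the signature database and the sample 'binaries'
below are invented for illustration and stand in for real malware.
"""

import hashlib
import re

# Style 1: raw byte patterns.  '??' is a one-byte wildcard, a notation many
# scanners used so that a signature survives small variations.
BYTE_SIGNATURES = {
    "Toy.Keylogger.A": "48 4f 4f 4b 5f ?? ?? 4b 45 59",         # "HOOK_??KEY"
    "Toy.Dropper.B":   "4d 5a 90 00 03 00 00 00 44 52 4f 50",   # invented
}

# Style 2: a hash over a fixed-size chunk of the file (here: its first 16
# bytes).  Filled in below from the constructed 'known sample'.
HASH_SIGNATURES = {}
CHUNK_LEN = 16


def compile_signature(pattern):
    """Turn 'de ad ?? ef' into a compiled regex over bytes."""
    parts = []
    for tok in pattern.split():
        if tok == "??":
            parts.append(b".")
        else:
            parts.append(re.escape(bytes([int(tok, 16)])))
    return re.compile(b"".join(parts), re.DOTALL)


COMPILED = {name: compile_signature(p) for name, p in BYTE_SIGNATURES.items()}


def chunk_hash(data):
    return hashlib.sha256(data[:CHUNK_LEN]).hexdigest()


def scan(data):
    """Return the names of every signature that matches `data` (a bytes blob)."""
    hits = []
    for name, rx in COMPILED.items():
        if rx.search(data):
            hits.append(name)
    for name, digest in HASH_SIGNATURES.items():
        if chunk_hash(data) == digest:
            hits.append(name)
    return hits


def scan_file(path):
    with open(path, "rb") as f:
        return scan(f.read())


# --- constructed samples (not real programs) --------------------------------
# "Known" keylogger: carries the HOOK_xxKEY marker the byte signature targets.
SAMPLE_KEYLOGGER = b"MZ" + b"\x00" * 30 + b"HOOK_xxKEY" + b"\x00" * 10
# "Known" worm: the analyst hashed its first 16 bytes and shipped that hash.
SAMPLE_WORM = b"WORMWORMWORMWORM" + b"\x90" * 40
HASH_SIGNATURES["Toy.Worm.C"] = chunk_hash(SAMPLE_WORM)

# The evasions the reply lists: a hand edit that breaks the byte pattern
# (one letter changed in the marker), and a rebuild that shifts the file
# layout by a single byte so the chunk hash no longer matches.
SAMPLE_KEYLOGGER_EDITED = SAMPLE_KEYLOGGER.replace(b"HOOK_", b"H00K_")
SAMPLE_WORM_REPACKED = b"\x00" + SAMPLE_WORM


if __name__ == "__main__":
    for label, blob in [("keylogger", SAMPLE_KEYLOGGER),
                        ("keylogger (edited)", SAMPLE_KEYLOGGER_EDITED),
                        ("worm", SAMPLE_WORM),
                        ("worm (repacked)", SAMPLE_WORM_REPACKED)]:
        print(f"{label:20s} -> {scan(blob) or 'no match'}")
```

Running it shows the original two samples detected and both trivially modified copies passing clean, which is exactly why the reply says a clean scan does not mean a binary is safe.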
April 2nd, 2003, 01:03 PM
Slarty: I might be wrong, but it was always my impression that if an AV solution utilizes real-time heuristics (Norton's Bloodhound is an example), then it intercepts all code prior to execution and examines it for such things as disk access that bypasses the standard APIs, etc., indicating that it may be trying to avoid any built-in safeguards in the APIs.
Logically, if real time heuristic scanning didn't take place prior to code execution there would be no point to it at all.
As an aside, I remember using Frisk's F-Prot when he was basically the first to be using heuristics (yes, I'm old.... yes, I smell bad, I'm sooo old.....), and it tended to be a pain in the @$$, and it wasn't even real-time.... It called almost every program "questionable" until you told it that this one is a good one...... It took a lot of time on the first couple of scans to make your list of acceptable programs. It really was a bit clunky, but it was effective for its time.....
Don't SYN us.... We'll SYN you.....
"A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides
April 3rd, 2003, 10:31 AM
Thanks for the replies, friends. Still, I can't find two things in these replies, i.e. some book on AV programming or some good online link. Basically I want to prepare an AV for my minor project in VC++.