how do they work?

[ajit]

well i was just getting a bit curious about how antivirus works.well for example norton can detect any keylogger that is available on net.ok so if i make my own keylogger would it be able to detect that it is a keylogger and by the way how do they detect whether it is a virus or a not (i mean if someone wanna make his own antivirus how can he do it ).plz give me somelinks to antivirus programs or books bye for now.

[Trust_Not_123]

um, try google.com it good.

i dont really know this but as far as i know.

the AV (antivirus) programs reads the binary or hex of each file. and a virus inserts itself into the algorithm and makes it do something bad....thats why viruses are bad. :P anyways, each Viruses algorithm is been taught to the AV progie, so when it finds a virus, it knows which part of the file is the virus cause of the definition file that tells the AV progie which part it is. this is also why an AV prog can tell you whats the name of the virus.

hoped i helped...

try searching AO too, im sure there is heaps of stuff there

[slarty]

AFAIK, most virus checkers are fairly stupid.

They have thousands of "signatures" which are either small pieces of code or hashes of bits of code (not sure which), which they can efficiently compare any new binary against.

At the AV company, humans analyse the binary of a new virus (or other malware, f.e. keylogger), determine a part of it which is fairly unique (its "signature") and add that signature to the next update of the virus checker.

The virus checkers won't detect:

- An existing piece of mal-ware which has been manually altered such that the signature is no longer the same
- An existing mal-ware which has been recompiled from source with compiler options sufficiently different that its signature is different
- A new piece of mal-ware, even if it's similar in function to many existing ones
- Worms like Code Red which never write themselves to disc (Code Red is very clever because it exists entirely in memory, hence the scanners can't touch it)

Hence you should not rely on a virus checker to tell you that a binary is safe.

Some work heuristically, they try to detect that a program is bad from its actions. This is unreliable because:

1. In order to do that, you have to run the program, by the time you detect it might have already done bad things
2. "Bad things" are very similar to "Good things"
3. In a server environment, mis-detecting a legit program as a virus will definitely cause denial of service

[Tiger Shark]

Slarty: I might be wrong but it was always my impression that if an AV solution utilizes real time heuristics, (Norton's Bloodhound is an example), then it intercepts all code prior to execution and examines it for such things as disk access that bypasses the standard API's etc. indicating that it may be trying to avoid any built in safeguards in the API's.

Logically, if real time heuristic scanning didn't take place prior to code execution there would be no point to it at all.

As an aside I remember using Frisk's FProt when he basically was the first to be using heuristics, (yes, I'm old.... Yes, I smell bad I'm sooo old..... ), and it tended to be a pain in the @$$ and it wasn't even real time.... It called almost every program "questionable" until you told it that this one is a good one...... It took a lot of time on the first couple of scans to make your list of acceptable programs. It really was a bit clunky but it was effective for it's time.....

[ajit]

thanks for reply friends still i can't find two things in these replies i.e. somebook in AV programming or some good online link basically i wanna prepare a AV for my minor project in VC++.