August 27th, 2003, 10:13 PM
How do companys like semantic identify so many new viruses?
I read on some sites that they are detecting so many new viruses per day. How do they discover all these new viruses and worms? Do they have servers set up signed up to all sorts of mailing list and then filter through them for malicious code? I have always wondered about this. Anyone have any ideas?
August 27th, 2003, 10:30 PM
Well, I do not work for one of them, but Im thinking they go and do searches for Viruses online like any script kiddie could. Also most viruses have something in the source code that shows they are a bad proggie. Antivirus people find the "engines" the viruses use and write to find them. Also I think some may just write them themselves so people continue to buy the product. And also I think you are right about the mailing lists. Any company worth there code would want to know as soon as possible when a new one was released or written so they would be the first to protect against it and therefore gain more money from people buying the product they offer instead of a competitor. Lets not forget though, if more people used Linux than Windows we Tuxers would probably be dealing with more viruses as well. If you wrote a virus and wanted to make an impact, you would target the platform that most use. Well, Windows is what most people use, and some people honestly think all computers run Windows. So in short, Windows, which already has a not to good security model up untill recently, is targeted. Wow that was a long post, sorry about that.
"When in doubt, use Brute Force."
Never argue with an idiot. They'll drag you down to their level, then beat you with experience.
August 27th, 2003, 10:34 PM
Their scanning program looks for virus like activity. When it finds something that looks like one of its virus signatures, it captures that file in a quarantine. Then you can choose whether to send the file to Symantec or not.
N00b> STFU i r teh 1337 (english: You must be mistaken, good sir or madam. I believe myself to be quite a good player. On an unrelated matter, I also apparently enjoy math.)
August 27th, 2003, 11:11 PM
They also rely on users submitting malicious as files...and analysing them
guru@linux:~> who I grep -i blonde I talk; cd ~; wine; talk; touch; unzip; touch; strip; gasp; finger; mount; fsck; more; yes; gasp; umount; make clean; sleep;
August 28th, 2003, 01:31 AM
Many elite universitys have classes where they create viruses but are supposed to destroy them on disk by using a simple microwave so they are not to be exposed to the world wide web but the ones that get out im sure they report after they see this they report new viruses to such companys
this can account for some
August 28th, 2003, 10:38 AM
Curiously enough, many of the viruses that they have signatures for were actually sent to them by the authors.
In a lot of cases, the viruses never get out "into the wild" - the authors just do it for kudos
I don't work for an AV company, but I have spoken to people who do.
August 28th, 2003, 11:01 AM
AV companies pan through source code looking for something that is "static" so they can build a signature for it (if they aren't given the signature upfront by the authur).
The AV realtime engine sits at the application layer (typically as a process) and intercepts all read to memory and write to disk calls and determines if they match any signature that the AV engine has. If not, then it lets the operation take place, if it matches, then it performs the actions setup by the user (clean, delete, quarentine, etc.). However, if a virus manages to infect a box before the signature update is done, then get ready to use a manual removal tool to get rid of it. Many of the latest viruses are aware of how AV engines operate and they have incorporated methods of remaining on the box even when they have been identified by the AV engine.
The other method that AV engines use is hueristics. These are (usually) complex calculations that are used to determine if a series of seemingly normal behaviors are actually the work of a virus. While they are neat and sometimes handy, I find that they generate more false positives than I like to see.
This is a pretty basic explanation of the process, but it is enough to give you an understanding.
Hope this helps!
Our scars have the power to remind us that our past was real. -- Hannibal Lecter.
Talent is God given. Be humble. Fame is man-given. Be grateful. Conceit is self-given. Be careful. -- John Wooden