How does an antivirus program work?
Results 1 to 9 of 9

Thread: How does an antivirus program work?

  1. #1
    Senior Member Spekter1080's Avatar
    Join Date
    Oct 2005
    Location
    Iowa
    Posts
    101

    How does an antivirus program work?

    I have searched google, but nothing worth while comes up, and I've searched the forums, but I haven't found an answer to this question: How does an antivirus program actually work?

    If someone knows of a thread or tutorial/lecture that has the answer, please post it(I like to learn/figure things out on my own most times. However, this time I think I need a hint or two, he he). Otherwise, if one of you has the answer, that would be greatly appreciated too. Thanks for your time.
    there's always a way in...

  2. #2
    Super Moderator: GMT Zone nihil's Avatar
    Join Date
    Jul 2003
    Location
    United Kingdom: Bridlington
    Posts
    17,178
    OK,

    1. Pattern or signature matching................looking for strings in the code.
    2. Heuristics................looking for potentially harmful instructions in the code, or even the prescence of executables such as macros.
    3. Behavioural analysis.................waiting for it to try to "do" something and intercepting that.
    4. Sandboxing......................making stuff run in an environment where it cannot access critical parts of the system. Deleting everything on logoff.
    5. Checksumming..................detecting changes to existing files, basically length and date last altered.
    6. New arrivals analysis...........basically looks for new processes, startups, services etc. This is similar to #3 but is more aimed at stuff with time & date triggers, that #3 would miss.

    Now if you want to talk about "Security Suites", which is what you see these days more than the traditional AV products, I could add quite a few more.

    If you cannot do someone any good: don't do them any harm....
    As long as you did this to one of these, the least of my little ones............you did it unto Me.
    What profiteth a man if he gains the entire World at the expense of his immortal soul?

  3. #3
    Senior Member Spekter1080's Avatar
    Join Date
    Oct 2005
    Location
    Iowa
    Posts
    101
    wow! thank you so much, that really makes a lot of sense now.
    there's always a way in...

  4. #4
    Junior Member
    Join Date
    Sep 2004
    Location
    26.55 N 75.52 E
    Posts
    25
    hey nihil thx for the information but i have a ques , how antiviruses search for strings in the code and perform Heuristics scan in an .exe file, from where they get code.

    _____________________________________________________________

    "Knowing how to do something that might be harmful is not the same as causing harm."
    Last edited by Alokpatidar; November 18th, 2006 at 11:43 AM.

  5. #5
    Super Moderator: GMT Zone nihil's Avatar
    Join Date
    Jul 2003
    Location
    United Kingdom: Bridlington
    Posts
    17,178
    Hi Alok,

    You really have two questions there?

    1. String searching.

    If you take an executable file in Windows (pick a small one) you have an "executable".............. these are not just .exe extensions by the way, .com .reg .scr and so on, are all executable if you have the correct program linked to them.

    Copy the file and change the extension to .txt, then open it in notepad. You will be looking at the binary executable. You will see bits in plain English, so you can see that it would be easy to spot something like "rat scabies and the runnin s0rez reking krew" for example. This would obviously be in exactly the same position within the virus code, so the search would be quick.

    Other strings would be calls and commands associated with the virus' activities.

    Other clues would be IP addresses and telephone numbers hard coded into the virus?

    This is coupled with whether the virus is known to append, prepend or insert.

    Append: would be GOOD CODEvirus
    Prepend: virusGOOD CODE
    Insert: GOODvirusCODE

    So you would know at exactly which positions to look for particular characters.

    2. Heuristics

    Now, we know that we will get the nasty as a binary executable, which has been compiled from a more understandable higher level programming language?

    The HLL doesn't really matter, as we are passing the actual instructions in machine code? so if I create the instruction to fdisk c:\ that will look the same in binary, no matter where it came from at the higher level?

    Heuristics look for instructions that are out of place or potentially harmful, this would include file changes, Registry edits, registering services, starting services, and so on.

    That is a very lightweight answer, but I cannot write a several thousand word paper on a forum
    If you cannot do someone any good: don't do them any harm....
    As long as you did this to one of these, the least of my little ones............you did it unto Me.
    What profiteth a man if he gains the entire World at the expense of his immortal soul?

  6. #6
    Junior Member
    Join Date
    Sep 2004
    Location
    26.55 N 75.52 E
    Posts
    25
    hey Nihil
    i have opened so many executable files in notepad and found most lines unreadable . .. It means av perform search like dis . .. ur information is quite interesting i didnt knw tht, but i wondered how av finds anything in an executable file.
    tnks alot for sharin9.

    _____________________________________________________________

    "The Time is always right to do what is right."

  7. #7
    Senior Member
    Join Date
    Nov 2001
    Posts
    4,786
    AV products dont use notepad for scanning, they use something more like

    THIS

    try looking threw some files usin the differant flags
    Bukhari:V3B48N826 “The Prophet said, ‘Isn’t the witness of a woman equal to half of that of a man?’ The women said, ‘Yes.’ He said, ‘This is because of the deficiency of a woman’s mind.’”

  8. #8
    Super Moderator: GMT Zone nihil's Avatar
    Join Date
    Jul 2003
    Location
    United Kingdom: Bridlington
    Posts
    17,178
    Hi Alok as I said, that was a lightweight answer................. Tedob1 is quite correct, the AV uses proper programming tools.

    The reason I suggested notepad was that it shows you the compiled binary (which looks like a load of nonsense) and the comments and metadata in plain text, so they sort of stand out? I just wanted you to get a general idea of what non-essential strings looked like.

    Whilst I am on the subject, viruses are generally a bundle of software that does a variety of things. AVs frequently find "common code" such as droppers, which virus authors re-use.

    I will tell you a little story about notepad...............

    A number of years ago I was working on a site where I felt that security was not being taken seriously, if at all.

    So I wrote this little .reg file (4 lines as I recall) and attached it to their logon script one morning..............it modified their Registries so that certain executables would open by default in notepad.

    A few months later, the "Lovebug" or "I love you" virus came out, and spread Worldwide? ..............I received several telephone calls asking about this "strange stuff on their screens".............I told them they had just opened a virus attachment in their e-mail, and they all asked what they should do......my reply was:

    "Correct the little pillock's spelling mistakes, beef up the payload, and send it to someone who really deserves it"

    I got a reputation for being somewhat "kewl"
    If you cannot do someone any good: don't do them any harm....
    As long as you did this to one of these, the least of my little ones............you did it unto Me.
    What profiteth a man if he gains the entire World at the expense of his immortal soul?

  9. #9
    AO Senior Cow-beller
    Moderator
    zencoder's Avatar
    Join Date
    Dec 2004
    Location
    Mountain standard tribe.
    Posts
    1,177
    Hehe, Nihil wasn't clear...he was kind of making an analogy. Opening executables in Notepad won't show you much of anything useful. The idea is the AV scanner looks at the data looking for strings it knows are suspect or malicious (signatures) or commands, functions, or instructions that are "questionable".

    That was a lightweight answer. If you really want to get further into it, you'll have to get some serious experience and education.
    "Data is not necessarily information. Information does not necessarily lead to knowledge. And knowledge is not always sufficient to discover truth and breed wisdom." --Spaf
    Anyone who is capable of getting themselves made president should on no account be allowed to do the job. --Douglas Adams (1952-2001)
    "...people find it far easier to forgive others for being wrong than being right." - Albus Percival Wulfric Brian Dumbledore

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •  

 Security News

     Patches

       Security Trends

         How-To

           Buying Guides