November 18th, 2006, 12:24 AM
How does an antivirus program work?
I have searched Google, but nothing worthwhile comes up, and I've searched the forums, but I haven't found an answer to this question: how does an antivirus program actually work?
If someone knows of a thread or tutorial/lecture that has the answer, please post it (I like to learn/figure things out on my own most times. However, this time I think I need a hint or two, he he). Otherwise, if one of you has the answer, that would be greatly appreciated too. Thanks for your time.
there's always a way in...
November 18th, 2006, 12:58 AM
1. Pattern or signature matching: looking for strings in the code.
2. Heuristics: looking for potentially harmful instructions in the code, or even the presence of executables such as macros.
3. Behavioural analysis: waiting for it to try to "do" something and intercepting that.
4. Sandboxing: making stuff run in an environment where it cannot access critical parts of the system. Deleting everything on logoff.
5. Checksumming: detecting changes to existing files, basically length and date last altered.
6. New arrivals analysis: basically looks for new processes, startups, services etc. This is similar to #3 but is more aimed at stuff with time & date triggers that #3 would miss.
Now if you want to talk about "Security Suites", which is what you see these days more than the traditional AV products, I could add quite a few more.
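The "checksumming" technique in the list above (#5), as an added example that is not from the thread: a baseline of every file is recorded and compared later. The post describes comparing length and last-modified date; this version also records a SHA-256 digest, so it goes a little further and catches an edit that preserves both size and timestamp. File names and contents are constructed for the demonstration.

```python
# Added example (not from the thread): minimal file-integrity checksumming.
import hashlib
import os
import tempfile


def fingerprint(path):
    """Return (size, mtime, sha256 hex) for one file."""
    st = os.stat(path)
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return (st.st_size, int(st.st_mtime), h.hexdigest())


def baseline(root):
    """Fingerprint every regular file under root, keyed by relative path."""
    result = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            result[os.path.relpath(full, root)] = fingerprint(full)
    return result


def compare(old, new):
    """Classify files as added, removed or changed between two baselines."""
    added = sorted(set(new) - set(old))
    removed = sorted(set(old) - set(new))
    changed = sorted(p for p in set(old) & set(new) if old[p] != new[p])
    return {"added": added, "removed": removed, "changed": changed}


def demo():
    """Constructed scenario: one file edited in place, one removed, one added."""
    with tempfile.TemporaryDirectory() as root:
        for name in ("a.exe", "b.dll", "c.txt"):
            with open(os.path.join(root, name), "wb") as f:
                f.write(b"original contents of " + name.encode())
        before = baseline(root)
        # Overwrite the first bytes of b.dll: same length, possibly the same
        # second on the clock, but the digest still changes.
        with open(os.path.join(root, "b.dll"), "r+b") as f:
            f.write(b"TAMPERED")
        os.remove(os.path.join(root, "c.txt"))
        with open(os.path.join(root, "d.scr"), "wb") as f:
            f.write(b"new arrival")
        return compare(before, baseline(root))
```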
November 18th, 2006, 04:31 AM
Wow! Thank you so much, that really makes a lot of sense now.
there's always a way in...
November 18th, 2006, 12:39 PM
Hey nihil, thanks for the information, but I have a question: how do antiviruses search for strings in the code and perform a heuristics scan in an .exe file? From where do they get the code?
"Knowing how to do something that might be harmful is not the same as causing harm."
Last edited by Alokpatidar; November 18th, 2006 at 12:43 PM.
November 18th, 2006, 02:37 PM
You really have two questions there?
1. String searching.
If you take an executable file in Windows (pick a small one) you have an "executable". These are not just .exe extensions, by the way; .com, .reg, .scr and so on are all executable if you have the correct program linked to them.
Copy the file and change the extension to .txt, then open it in notepad. You will be looking at the binary executable. You will see bits in plain English, so you can see that it would be easy to spot something like "rat scabies and the runnin s0rez reking krew" for example. This would obviously be in exactly the same position within the virus code, so the search would be quick.
Other strings would be calls and commands associated with the virus' activities.
Other clues would be IP addresses and telephone numbers hard coded into the virus?
This is coupled with whether the virus is known to append, prepend or insert.
Append: would be GOOD CODEvirus
Prepend: virusGOOD CODE
So you would know at exactly which positions to look for particular characters.
Now, we know that we will get the nasty as a binary executable, which has been compiled from a more understandable higher level programming language?
The HLL doesn't really matter, as we are passing the actual instructions in machine code? so if I create the instruction to fdisk c:\ that will look the same in binary, no matter where it came from at the higher level?
Heuristics look for instructions that are out of place or potentially harmful, this would include file changes, Registry edits, registering services, starting services, and so on.
That is a very lightweight answer, but I cannot write a several thousand word paper on a forum.
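The point above about append, prepend and insert telling the scanner where to look, as an added example that is not from the thread or from any real AV product: each signature carries both its bytes and the position at which an appending or prepending infector would leave them, so only an inserting one needs a search over the whole file. All signature bytes and sample files are constructed placeholders.

```python
# Added example (not from the thread): a toy signature scanner that uses the
# infector's known placement (prepend / append / insert) to decide where to look.

# (name, bytes to match, placement, offset)
#   "prepend":  fixed offset from the start of the file
#   "append":   fixed offset counted back from the end of the file
#   "anywhere": slide over the whole file (slowest, needed for inserters)
SIGNATURES = [
    ("Constructed.Prepender", b"XYZ-DEMO-PRE", "prepend", 0),
    ("Constructed.Appender", b"XYZ-DEMO-APP", "append", 12),
    ("Constructed.Inserter", b"XYZ-DEMO-INS", "anywhere", None),
]


def scan_bytes(data):
    """Return the names of every signature found in data."""
    hits = []
    for name, pattern, placement, offset in SIGNATURES:
        if placement == "prepend":
            found = data[offset:offset + len(pattern)] == pattern
        elif placement == "append":
            start = len(data) - offset
            found = start >= 0 and data[start:start + len(pattern)] == pattern
        else:
            found = pattern in data
        if found:
            hits.append(name)
    return hits


def scan_file(path):
    """Scan one file on disk with the same signature set."""
    with open(path, "rb") as f:
        return scan_bytes(f.read())


def demo():
    """Constructed samples: clean, virus+GOOD CODE, GOOD CODE+virus, inserted."""
    good = b"MZ\x90\x00 this stands in for a legitimate program "
    samples = {
        "clean.exe": good,
        "prepended.exe": b"XYZ-DEMO-PRE" + good,
        "appended.exe": good + b"XYZ-DEMO-APP",
        "inserted.exe": good[:10] + b"XYZ-DEMO-INS" + good[10:],
    }
    return {name: scan_bytes(data) for name, data in samples.items()}
```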
November 18th, 2006, 06:32 PM
I have opened so many executable files in notepad and found most lines unreadable. It means AV performs its search like this. Your information is quite interesting, I didn't know that, but I wondered how AV finds anything in an executable file.
Thanks a lot for sharing.
"The Time is always right to do what is right."
November 18th, 2006, 07:51 PM
AV products don't use notepad for scanning, they use something more like
Try looking through some files using the different flags.
Bukhari:V3B48N826 “The Prophet said, ‘Isn’t the witness of a woman equal to half of that of a man?’ The women said, ‘Yes.’ He said, ‘This is because of the deficiency of a woman’s mind.’”
November 19th, 2006, 02:07 AM
Hi Alok, as I said, that was a lightweight answer. Tedob1 is quite correct, the AV uses proper programming tools.
The reason I suggested notepad was that it shows you the compiled binary (which looks like a load of nonsense) and the comments and metadata in plain text, so they sort of stand out? I just wanted you to get a general idea of what non-essential strings looked like.
Whilst I am on the subject, viruses are generally a bundle of software that does a variety of things. AVs frequently find "common code" such as droppers, which virus authors re-use.
I will tell you a little story about notepad...
A number of years ago I was working on a site where I felt that security was not being taken seriously, if at all.
So I wrote this little .reg file (4 lines as I recall) and attached it to their logon script one morning. It modified their Registries so that certain executables would open by default in notepad.
A few months later, the "Lovebug" or "I love you" virus came out, and spread Worldwide? I received several telephone calls asking about this "strange stuff on their screens". I told them they had just opened a virus attachment in their e-mail, and they all asked what they should do. My reply was:
"Correct the little pillock's spelling mistakes, beef up the payload, and send it to someone who really deserves it"
I got a reputation for being somewhat "kewl".
November 19th, 2006, 03:32 AM
Hehe, Nihil wasn't clear... he was kind of making an analogy. Opening executables in Notepad won't show you much of anything useful. The idea is the AV scanner looks at the data looking for strings it knows are suspect or malicious (signatures), or commands, functions, or instructions that are "questionable".
That was a lightweight answer. If you really want to get further into it, you'll have to get some serious experience and education.
"Data is not necessarily information. Information does not necessarily lead to knowledge. And knowledge is not always sufficient to discover truth and breed wisdom." --Spaf
Anyone who is capable of getting themselves made president should on no account be allowed to do the job. --Douglas Adams (1952-2001)
"...people find it far easier to forgive others for being wrong than being right." - Albus Percival Wulfric Brian Dumbledore