What is in a virus that defines it to a virus scanner?
eg. Size, Name..........
AntiVirus software uses things called "signatures"... Most viruses/worms will have a signature (within the code) that will alert the anti-virus...
These signatures are virus-specific, so updates are mandatory to keep your system clean!
Like tampabay420 said, there are these signatures, which basically work like this:
Quote: Originally posted here by ACHT_2003
What is in a virus that defines it to a virus scanner?
eg. Size, Name..........
|------------------------------------------------------------------|
| Executable .... | attached virus .. 01 02 03 04 05 ...|
|------------------------------------------------------------------|
What I am trying to say with this pathetic drawing is that the virus attached to the executable has one CONSTANT string, 01 02 ..., which can always be found in every infected file... That is the signature.
Of course, there are polymorphic viruses, which modify themselves with each generation, so finding a signature for them is (nearly) impossible... To find them, AV vendors have developed code emulation systems and heuristic methods... Look on Google, you'll find lots of info.
Is there a way to make that sig change based upon, like, time or something?
Well, basically the scanner tries to read the code of a program for info it contains inside to make it copy itself to other programs. That's why some viruses use encryption techniques to defeat this, but if it is polymorphic then it looks for the decryptor within the code being spread to other programs. The signatures carry other known techniques of other viruses that are not in the wild.
Oh yeah, check for updates as the last ? dunno :|
Actually, signature scanners only find viruses that are already known, or very similar to and derivative of known viruses. Viruses in the wild, or on the "wild list", should be found by all major antivirus programs' signature scanners. Heuristic engines are the methods that have problems with encrypted viruses.
Once I got a virus that even infected my own Norton AntiVirus. I wonder how that happened........
Most worms and viruses go for vulnerabilities in running services or software programs. Most often worms are a buffer overflow of some kind, and viruses are executables that install themselves once they are activated. There are more ways to activate them than I really care to list right now, but use your imagination: they run from a user clicking on something to open it, to scheduled events, to being called by other services, etc., etc., etc....
Anyway, if your Norton was infected then either someone used a known vulnerability in one of the Symantec services that run in the background, or it was coded to look for default Norton directories and files when it was activated.
I guess you're right. Whatever it was, it sucked!
The method of virus detection that has not been mentioned is "behavioural". This method looks at what an unknown is about to do (e.g. write to the Registry). Some sophisticated methods will put the suspected item in a "sandbox", let it run, and see what it tries to do. :)
The main point is that, IMHO, you cannot rely on a firewall and AV alone..... you need secondary defences.
http://www.winpatrol.com
http://www.diamondcs.com.au
Try Win Patrol and Registry Prot
Good Luck :D
nihil is right; the best AV products now have to use the sandbox technique to determine exactly what certain files are doing. Sandboxes are having to be used now because more and more viruses are becoming polymorphic, stealthy and altogether unpleasant.
It is impossible to write a definitive signature for a virus that changes the way it does an operation, only writes itself in file cavities, and actively tries to hide itself.
For a virus that needs a variable to have a value of 55, there are hundreds upon thousands of ways that it can declare this, e.g.
50 + 5
60 - 5
25 * 3 - 20
etc
It would not be feasible to write a signature for something like this, but it does work if you know what the variable value of 55 is for, and therefore you can watch for a file trying to use that value on something on the system. By doing this in a sandbox, the actual machine doesn't get affected, and the virus actually thinks it's running and doesn't get spooked and try to do anything else.
However, a new technique will have to be developed soon, as some viruses have already started to try to detect when they are being run in a 'normal' environment and when they are being run in a 'sandbox'.
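The following is an added worked example, not code from anyone in this thread. It ties together two points made above: the constant-string signature from the |Executable|attached virus 01 02 03...| drawing, and the "55 written as 50+5, 60-5, 25*3-20" argument for why a fixed signature fails against a polymorphic payload while a sandbox that watches what value reaches a sensitive operation still catches it. Everything here is constructed for the illustration: the fake host executable, the toy bytecode (opcodes PUSH/ADD/SUB/MUL/SYSCALL/JZ/TIMER/HALT), the four "generations" of the payload, and the sandbox-aware variant that reads a timer and stays dormant when a naive emulator reports that no time has passed. The names scan_signature, emulate and classify are this example's own.

```python
"""Toy signature scanner vs. sandbox emulator (added example, not from the thread).

Constructed data: a fake host executable, the thread's 01 02 03 04 05 signature,
and four "generations" of a toy-bytecode payload that all end up passing the
value 55 to a sensitive operation, written the way the post describes
(55, 50+5, 60-5, 25*3-20). The bytecode, opcodes and timer check are
assumptions made for this illustration only.
"""
from typing import Dict, List, Optional

# --- Part 1: byte-pattern signature, as in the |Executable|attached virus 01 02 03...| drawing ---
SIGNATURE = bytes([0x01, 0x02, 0x03, 0x04, 0x05])   # constant string from the drawing
HOST = b"MZ\x90\x00" + b"\x00" * 16                  # constructed stand-in for a clean executable
INFECTED = HOST + SIGNATURE + b"\x90\x90"            # constructed: host with payload appended


def scan_signature(data: bytes, signature: bytes = SIGNATURE) -> Optional[int]:
    """Return the offset of the first occurrence of the constant string, or None."""
    idx = data.find(signature)
    return idx if idx >= 0 else None


# --- Part 2: polymorphic payload that a fixed signature misses but emulation catches ---
# Toy bytecode: one-byte opcodes; PUSH and JZ carry a one-byte operand.
PUSH, ADD, SUB, MUL, SYSCALL, JZ, TIMER, HALT = 0x10, 0x20, 0x21, 0x22, 0x30, 0x40, 0x50, 0xFF

# Four generations of the "same" virus: each leaves 55 on the stack and hands it to SYSCALL
# (standing in for the sensitive operation, e.g. a Registry write), but the bytes differ.
VARIANTS: Dict[str, bytes] = {
    "gen0": bytes([PUSH, 55, SYSCALL, HALT]),                               # 55
    "gen1": bytes([PUSH, 50, PUSH, 5, ADD, SYSCALL, HALT]),                 # 50 + 5
    "gen2": bytes([PUSH, 60, PUSH, 5, SUB, SYSCALL, HALT]),                 # 60 - 5
    "gen3": bytes([PUSH, 25, PUSH, 3, MUL, PUSH, 20, SUB, SYSCALL, HALT]),  # 25 * 3 - 20
}
# Signature extracted from gen0: PUSH 55 immediately followed by SYSCALL.
SIG_GEN0 = bytes([PUSH, 55, SYSCALL])

# Sandbox-aware variant (constructed): read the timer; if it reads 0, as a naive emulator
# reports, jump straight to HALT so the sandbox never sees the sensitive operation.
SANDBOX_AWARE = bytes([TIMER, JZ, 9, PUSH, 50, PUSH, 5, ADD, SYSCALL, HALT])


def emulate(code: bytes, timer_value: int = 0, max_steps: int = 1000) -> List[int]:
    """Run the bytecode in a sandbox and return the values passed to SYSCALL.

    Nothing is executed for real: SYSCALL only records its argument, which is what
    the behavioural check inspects. timer_value is what the sandbox reports for TIMER.
    """
    stack: List[int] = []
    calls: List[int] = []
    pc = 0
    for _ in range(max_steps):
        op = code[pc]
        pc += 1
        if op == PUSH:
            stack.append(code[pc])
            pc += 1
        elif op in (ADD, SUB, MUL):
            b, a = stack.pop(), stack.pop()
            result = {ADD: a + b, SUB: a - b, MUL: a * b}[op]
            stack.append(result & 0xFF)      # 8-bit toy machine
        elif op == SYSCALL:
            calls.append(stack.pop())        # record the argument, do not perform the call
        elif op == JZ:
            target = code[pc]
            pc = target if stack.pop() == 0 else pc + 1
        elif op == TIMER:
            stack.append(timer_value & 0xFF)
        elif op == HALT:
            break
        else:
            raise ValueError(f"unknown opcode {op:#x} at offset {pc - 1}")
    return calls


def classify(code: bytes, signature: bytes = SIG_GEN0, timer_value: int = 0) -> Dict[str, bool]:
    """Signature verdict vs. behavioural verdict (sensitive op called with 55) for one sample."""
    return {
        "signature_hit": scan_signature(code, signature) is not None,
        "behaviour_hit": 55 in emulate(code, timer_value=timer_value),
    }


if __name__ == "__main__":
    print("appended-signature scan:", scan_signature(INFECTED), scan_signature(HOST))
    for name, code in VARIANTS.items():
        print(name, classify(code))
    print("sandbox-aware, naive timer:", classify(SANDBOX_AWARE, timer_value=0))
    print("sandbox-aware, realistic timer:", classify(SANDBOX_AWARE, timer_value=17))
```

Running it shows the signature taken from gen0 hitting only gen0, while the emulator reports 55 reaching SYSCALL for all four generations. The last two lines show the evasion the post warns about: with the sandbox reporting a timer of 0 the sandbox-aware sample halts before doing anything and both verdicts are clean, and only a sandbox that reports a realistic timer value gets it to reveal itself.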