
Thread: how does an antivirus work??

  1. #1

    how does an antivirus work??

    Yeah... I know it has its virus definitions and it checks the files against them, but I was just wondering how it actually identifies that some trojan or a keylogger has been encountered?

    For example, if I write a program for a keylogger on my own and then try to use it, would the antivirus program detect that it's a keylogger? If yes, how?

    Let's say I'm using it on my own machine, and the keylogger just stores the keypresses in a log file on the same machine only. There is no internet activity involved. Would it still be detected?

    Please enlighten...
    there are 10 types of people in this world,
    those who understand binary... and those who don't.

  2. #2
    Senior Member nihil (Join Date: Jul 2003; Location: United Kingdom: Bridlington; Posts: 17,188)
    Well,

    Antivirus products are not that good at detecting trojans and even worse at keyloggers. Remember keyloggers can be legitimate security software.

    If the program was not spotted by its pattern, the next most likely detection would be heuristics: what does the code tell the proggy to do?

    Finally there is the behavioural/sandbox methodology. Here new programs are monitored for what they try to do, like writing keystrokes to a log.

    Those are the basic methods.


  3. #3
    Yeah, what you're asking is more down the lines of spyware detection rather than antivirus.

  4. #4
    That means it can very well be detected (at least theoretically).

    So is there a way I can make it bypass...

    I have Norton, and it does detect keyloggers. I tried downloading a few from AntiOnline also, but it detected them, so I wanted to program a new one which would not be identified.

    Should I try to develop some new logic so that it writes to a file, but not directly, so that the antivirus doesn't get it?

  5. #5
    Senior Member nihil (Join Date: Jul 2003; Location: United Kingdom: Bridlington; Posts: 17,188)
    Might I suggest you try something else first. The downloads at AO are rather old, and may well be examples of malware, so they WOULD be detected?

    If you do a Google search for "security freeware" you will get loads of sites come up. Look for a SECURITY keylogger and see if that gets detected. Try several.

    What I am saying is that a lot of trojans have keyloggers as a part of them; maybe it is the trojan that is getting detected, not the keylogging?

    A good test is if your AV spots the software with heuristics turned off. If it does, it is malware that it is detecting via the pattern file.

    As I mentioned, you can buy keylogging software that will run with the AV on, so they don't all get detected.


  6. #6
    I'd rather be fishing DjM (Join Date: Aug 2001; Location: The Great White North; Posts: 1,867)
    I am currently running Perfect Keylogger Lite and my Symantec AV does not detect it. However Adware 6 does pick it up.

    Cheers:
    DjM

  7. #7
    Master-Jedi-Pimps0r & Moderator thehorse13 (Join Date: Dec 2002; Location: Washington D.C. area; Posts: 2,885)
    Let's take this from the top.

    AV software (signature based) looks for something that is unique in the virus. Typically it is a line of code that clearly identifies it as such. Signatures come in many forms, but this is how they all basically work.

    Now, skilled virus/worm/trojan "developers" know this, and they also know that eventually a signature will come along and clean the infection.

    How do you get around this? You develop a virus/worm/trojan that cannot be uniquely identified with a signature. This explanation in itself could fill a book, but stay with me...

    Now, heuristics look at the behavior and compare it against an algorithm such as "if X and Y and Z but not A or B, then this is a virus". Again, a highly simplified view here, but the idea is that a signature alone won't be able to peg this as a virus/worm/trojan.

    Does this give you a better idea of how this works? If you want a detailed technical explanation, let me know, but based on your question, I think this explanation fits.

    --TH13
    Our scars have the power to remind us that our past was real. -- Hannibal Lecter.
    Talent is God given. Be humble. Fame is man-given. Be grateful. Conceit is self-given. Be careful. -- John Wooden
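A toy version of the layered detection described by nihil (post #2) and thehorse13 (post #7): a byte-pattern signature match first, then a weighted heuristic rule of the "if X and Y and Z but not A" form, where an allowlist of known-good file hashes stands in for the "but not A" case of a legitimate security keylogger; the `heuristics` switch models nihil's "heuristics turned off" test from post #5. This is an added example, not code from the thread or from any AV vendor; the signature, the API-name weights, the threshold and the sample bytes are all constructed.

```python
import hashlib

# Constructed signature database: family name -> byte pattern that is unique
# to one known sample (real signature formats are far more elaborate).
SIGNATURES = {"Example.Keylogger.A": b"KLOG-v10-marker"}

# Constructed heuristic features: API names whose presence in a binary hints
# at behaviour, each with a weight. Together they form thehorse13's rule
# "if X and Y and Z ... then this is a virus".
SUSPICIOUS = {
    b"SetWindowsHookEx": 3,   # installs a system-wide hook
    b"GetAsyncKeyState": 3,   # polls keyboard state
    b"CreateFileA": 1,        # writes a file; very common, so low weight
    b"WSAStartup": 2,         # initialises networking
}

# Constructed samples (not real executables): a known-bad file, an unknown
# keylogger-like file, an ordinary networked program, and a vendor tool.
SAMPLE_KNOWN = b"MZ" + b"KLOG-v10-marker" + b"CreateFileA"
SAMPLE_UNKNOWN = b"MZ" + b"SetWindowsHookEx" + b"GetAsyncKeyState" + b"CreateFileA"
SAMPLE_BENIGN = b"MZ" + b"CreateFileA" + b"WSAStartup"
SAMPLE_VENDOR = b"MZ" + b"SetWindowsHookEx" + b"GetAsyncKeyState" + b"VendorTool"

# The "but not A" part of the rule: hashes of programs already known to be
# legitimate (e.g. a security keylogger), so heuristics are not applied.
ALLOWLIST = {hashlib.sha256(SAMPLE_VENDOR).hexdigest()}

def signature_scan(data):
    """Return the matching family name, or None if no pattern is present."""
    for name, pattern in SIGNATURES.items():
        if pattern in data:
            return name
    return None

def heuristic_score(data):
    """Sum the weights of all suspicious features found in the data."""
    return sum(w for feature, w in SUSPICIOUS.items() if feature in data)

def classify(data, threshold=5, heuristics=True):
    """Layered verdict: signature first, then heuristics unless disabled or allowlisted."""
    hit = signature_scan(data)
    if hit:
        return ("signature", hit)
    if heuristics and hashlib.sha256(data).hexdigest() not in ALLOWLIST:
        score = heuristic_score(data)
        if score >= threshold:
            return ("heuristic", score)
    return ("clean", 0)
```

With `heuristics=False`, `SAMPLE_UNKNOWN` comes back clean while `SAMPLE_KNOWN` still returns the signature verdict, which is exactly the distinction nihil's test draws between pattern-file and heuristic detections.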

  8. #8

    Thanks for the info...

    That answers my question, but now you have increased my curiosity. It sounds good. I would like to know more about the working and hopefully find out the ways to bypass...
