Can anyone point me to a resource about how Anti-Virus software works

Discussion in 'Anti-Virus' started by Sky, Oct 28, 2003.

  1. Sky

    Sky Guest

    Specifically, how Anti-Virus software "recognizes" a virus/trojan. I
    am researching on "variants" of popular viruses such as the recent
    MSBlaster, and how the hell authors can modify the original to bypass
    Anti-Virus software. I've done countless searches but could not find
    any info. I've heard that Anti-Virus software looks at the header of
    files or certain strings to identify. Would love to know the details.

    Sky, Oct 28, 2003

  2. Sky

    Ian Kenefick Guest

    Hi Sky,

    I can answer your question. A virus signature is comprised of benign
    code taken from different parts of the original virus code. This is used
    to detect the 'known' virii. However, should a virus writer use, for
    example, 'UPX compression' on the original Virus Code, creating a
    'variant' shrinking the virus from 106496 bytes to 52224 bytes as in the
    case of Swen.B, this can make it undetectable to some antivirus
    programs. The method by which the original code was modified, the
    quality of the 'Signature' and the 'Scanning engine' governs the
    requirement for additional signatures. In some cases Heuristic analysis
    detects these variants, in others the original signature does & in
    others a new signature is required.



    Ian Kenefick
    Webmaster - Researcher
    "your problems, my solutions, No Problem!"
    Mobile: +353879116187
    Ian Kenefick, Oct 28, 2003

  3. Sky

    Jason Guest

    Nowadays, virus scanners do a lot more than just scanning. Here is a list of
    some modules you might find in a scanner; it's just an example, to show the
    sort of things that are going on in the software. Don't take any of it as
    given, a search engine will turn up more information on how virus scanners
    work. Some papers are available from the manufacturers, and patents are
    available online.

    1a) string scanner

    Given a set of input bytes, searches for known virus patterns.

    2b) state machine recogniser

    In conjunction with the emulator below (4), recognises states based on
    activity, and/or contents of registers, to match known state signatures.

    3) A decompressor

    Decompresses archives, .zip, lhz, rar, upx etc., before scanning takes

    4) A code emulator

    Emulates code within executable files, up to a given point, so as to
    determine the likelihood of a virus, and to persuade encrypted viruses to
    decrypt themselves.

    5) A cleaning engine

    A cleaning engine will be able to generically clean many viruses given basic
    information such as a virus's length; otherwise part of the "virus
    signature" may contain a script that will clean up a specific virus, and it
    will be executed by the scripting engine (7).

    6) A filter or heuristic discriminator

    To determine what sort of object is being checked, where a virus may be
    able to reside, and, more importantly, where a virus will not be found. This
    of course improves speed dramatically. For example, PE executables have non
    executable data sections, so usually a scanner won't have to consider these
    sections. Also, macro viruses can only reside in specific places of a Word
    .doc file, so the entire file does not have to be scanned.

    7) A scripting engine.

    Performing actions, calling on functions built into the anti-virus engine to
    do such things as are necessary to clean a specific virus.

    The actual string scanner (1a), then, is only a small, but essential cog in
    the wheel. --- and that list doesn't even cover email scanning.

    There is some C++ code for a simple string scanner here (1a)

    Simple string scanners alone haven't been used as virus scanners since, I
    don't know, about the early 1990s I would guess.
    Jason, Oct 29, 2003
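A minimal string scanner of the kind item (1a) above describes, written as an added example for this thread; it is not the C++ code Jason links to, and the hex patterns, sample buffer and the "Example.A" name are all constructed. It also shows why a wildcard byte in the signature absorbs a variant that only changes an operand, why a change at a fixed byte defeats the signature, and why an encoded copy is missed until something (the emulator of item 4, stood in for here by a plain decode step) recovers the original bytes.

```python
import re

def compile_signature(hex_pattern: str) -> re.Pattern:
    """Turn a hex pattern such as 'B8 ?? ?? 00 00 C3' into a bytes regex.
    '??' is a one-byte wildcard; every other token must match exactly."""
    parts = []
    for tok in hex_pattern.split():
        parts.append(b"." if tok == "??" else re.escape(bytes.fromhex(tok)))
    return re.compile(b"".join(parts), re.DOTALL)

# Constructed pattern for this example only; it is not a real malware signature.
# The '??' bytes let one signature cover variants that differ only in an operand.
SIGNATURES = {
    "Example.A": compile_signature("B8 ?? ?? 00 00 E8 10 20 30 40 C3"),
}

def scan(data: bytes, signatures=SIGNATURES):
    """Return a list of (name, offset) for every signature hit in data, by offset."""
    hits = []
    for name, pat in signatures.items():
        for m in pat.finditer(data):
            hits.append((name, m.start()))
    return sorted(hits, key=lambda h: h[1])

def xor_decode(data: bytes, key: int) -> bytes:
    """Stand-in for what the emulator achieves: recover the plain body of a
    sample stored XOR-encoded, so the string scanner can be run on it."""
    return bytes(b ^ key for b in data)

# Constructed sample "file": some padding, then the bytes the signature describes.
ORIGINAL = b"\x90" * 8 + bytes.fromhex("B8 34 12 00 00 E8 10 20 30 40 C3") + b"\x00" * 4
VARIANT_OPERAND = ORIGINAL.replace(b"\x34\x12", b"\x78\x56")  # operand only: wildcard absorbs it
VARIANT_FIXED = ORIGINAL.replace(b"\xe8\x10", b"\xe8\x11")    # fixed byte changed: signature misses
ENCODED = xor_decode(ORIGINAL, 0x5A)                           # encoded copy: plain scan misses it

if __name__ == "__main__":
    print(scan(ORIGINAL))                   # [('Example.A', 8)]
    print(scan(VARIANT_OPERAND))            # [('Example.A', 8)]
    print(scan(VARIANT_FIXED))              # []
    print(scan(ENCODED))                    # []
    print(scan(xor_decode(ENCODED, 0x5A)))  # [('Example.A', 8)]
```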
