How do AV programs work?


William W. Plummer

Is there a "standard" algorithm for anti virus programs? How about a
standard for the signature files? I'm impressed by how fast AVs are --
they can't be searching every file for 1000 different strings, so there must
be some sort of trick involved. Please explain it to me if you know!
 
William said:
Is there a "standard" algorithm for anti virus programs?

No - they all work differently. The underlying principles are similar
however.
How about a standard for the signature files?

There is no such thing either.
I'm impressed by how fast AVs are -- they can't be searching every
file for 1000 different strings, so there must
be some sort of trick involved.

They could if they wanted to. There are some multiple pattern matching
algorithms the speed of which does not depend on the number of strings
they search for. (One of them is called Aho-Corasick for example. It's
pretty easy to understand in theory.) Or they could use hashing.

Then, they don't search the entire files, but only parts of it. And they
don't search for all viruses in all files. It wouldn't make sense to
search for Mydoom in the boot sector. :-)

Actually, the reason why "they can't be searching every file for 1000
different string" is not speed, but detection reliability. Viruses
aren't detected with simple strings anymore, because some of them change
their appearance. To detect all possible variants of a complex virus one
would have to add thousands of different signatures, and that is still
an optimistic estimate!

An important feature of modern scanners is the emulator, i.e. scanners
execute programs (and thus the viruses that they contain) in a safe
environment in order for the virus to reveal information about itself
and decrypt itself if it's encrypted.
Then they can proceed with the identification of the virus using
checksumming or maybe even with search strings.

In fact modern anti-virus programs are quite complex, so from a purely
technical point of view we should forgive them if they happen to miss a
virus from time to time. ;-)
 
In fact modern anti-virus programs are quite complex, so from a purely
technical point of view we should forgive them if they happen to miss a
virus from time to time. ;-)

Much as I distrust av reports and wish for improvements, I've never
ceased to marvel at what they do. The good ones, anyway :)


Art
http://www.epix.net/~artnpeg
 
Much as I distrust av reports and wish for improvements, I've never
ceased to marvel at what they do. The good ones, anyway :)

We need a score card showing what each AV program can detect, or at least
what approaches it uses.
 
We need a score card showing what each AV program can detect, or at least
what approaches it uses.

I suppose some techniques are proprietary for competitive reasons. You
also wouldn't want to reveal your techniques to authors of malware.

Insofar as what each av can detect, that's a very broad question. To
narrow it down, you might start with ten scanners in thirty categories
of detection. Then you have to specify the operating system you're
talking about, and whether you want realtime or on-demand. Then you
have to find a current independent test report somewhere that
satisfies your requirement. Lotsa luck :(

Vendors are adding categories of detection and improving on them all
the time. For example, many antivirus products now detect Trojans, and
continually improve in this category.


Art
http://www.epix.net/~artnpeg
 
William,

A couple of options for you;

Try and lay your hands on some of the Virus Bulletin white papers .. that
may give you an insight under the hood... These are in a more public forum,
so the content should have been cleared by each AV company for their
employee to go talk about it... These will discuss challenges of new threats
and how things are having to be developed or modified to fight the good
fight... could be useful.

It's unlikely any AV employee who wants to keep all their digits will divulge
the crown jewels of their AV engine. The actual deep information on how it
works, and where the competitive benefits lie from a technology point of
view will undoubtedly be under the category which finishes "...but now I
have to shoot you..." :)

Alternatively,

You could try and see if there is anything in Open Source... The very nature
of the beast means their approach would allow them to provide you with more
information on their specific approach than the commercial vendors.

A search on Google gave this: http://www.openantivirus.org/ . I have
zero info on this group, so cannot recommend or vouch for them... but they
may be able to help.
 
William W. Plummer said:
Is there a "standard" algorithm for anti virus programs?

No, not really. Some may do the same things, but they have found
differing ways to do them.
How about a standard for the signature files?

Same applies here, and you are not likely to find specific information
about any particular developer's method due to the security through
obscurity paradigm.
I'm impressed by how fast AVs are --
they can't be searching every file for 1000 different strings, so there must
be some sort of trick involved. Please explain it to me if you know!

Some AVs do a form of integrity checking so that they only
have to scan files that have changed since the last time that
they were scanned. Also, some sort of 'divide and conquer'
method can be used so that only malware relevant to that
particular filetype is actually looked for.

You might find this Adobe Acrobat document interesting:

http://www.sophos.com/sophos/docs/eng/papers/sav-overview.pdf
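The "integrity checking so that they only have to scan files that have changed" idea from the reply above, as an added example that is not code from the thread or from any vendor; the cache layout, the temp file path and its contents are constructed for the demonstration:

```python
import hashlib
import os
import tempfile

class ScanCache:
    """Remembers files already scanned clean; rescans only on change."""
    def __init__(self):
        self.seen = {}  # path -> (size, mtime_ns, sha256) at last clean scan

    @staticmethod
    def digest(path):
        h = hashlib.sha256()
        with open(path, "rb") as f:
            for chunk in iter(lambda: f.read(65536), b""):
                h.update(chunk)
        return h.hexdigest()

    def needs_scan(self, path):
        st = os.stat(path)
        entry = self.seen.get(path)
        if entry is None:
            return True                       # never scanned
        if entry[0] == st.st_size and entry[1] == st.st_mtime_ns:
            return False                      # fast path: metadata unchanged
        # Metadata differs: only a content digest says whether bytes changed.
        # (Caveat: a writer that restores size and mtime slips past the fast
        # path, so periodic full rescans still belong in a real scanner.)
        if self.digest(path) == entry[2]:
            self.seen[path] = (st.st_size, st.st_mtime_ns, entry[2])
            return False
        return True

    def record_clean(self, path):
        st = os.stat(path)
        self.seen[path] = (st.st_size, st.st_mtime_ns, self.digest(path))

def demo_cache():
    """Exercise the cache on a constructed temp file; returns three booleans."""
    d = tempfile.mkdtemp()
    p = os.path.join(d, "sample.bin")
    with open(p, "wb") as f:
        f.write(b"constructed sample content, version 1")
    cache = ScanCache()
    first = cache.needs_scan(p)       # new file: True
    cache.record_clean(p)
    second = cache.needs_scan(p)      # untouched: False
    with open(p, "wb") as f:
        f.write(b"constructed sample content, version 2 (changed)")
    third = cache.needs_scan(p)       # content changed: True
    return first, second, third
```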
 
I have another document that might interest you, but it took a
while for me to locate it 'online'. Mind you, it is pretty ancient
(not quite the Dead Sea Scrolls, but AV gets ancient quickly).

If you are into OOL programming you might get something out
of this document:

ftp://coast.cs.purdue.edu/pub/doc/viruses/kumar-spaf-scanner.ps.Z
 