
Malwarebytes

how does malwarebytes/antivirus work


3 replies to this topic

#1
aaronmarsh632

    New Member

  • Members
  • 6 posts
Hi,

I wondered how does AV software know that something is a virus? What does it do to a file to determine if it is infected or not?

thanks

#2
srtools1980y

    Elite Member

  • Honorary Members
  • 816 posts
Hi
Hope the following info will be helpful:
Please post if you have any doubts.

What is a Virus Signature?

In the antivirus world, a signature is an algorithm or hash (a number derived from a string of text) that uniquely identifies a specific virus. Depending on the type of scanner being used, it may be a static hash which, in its simplest form, is a calculated numerical value of a snippet of code unique to the virus. Or, less commonly, the algorithm may be behavior-based, i.e. if this file tries to do X,Y,Z, flag it as suspicious and prompt the user for a decision. Depending on the antivirus vendor, a signature may be referred to as a signature, a definition file, or a DAT file.

A single signature may be consistent among a large number of viruses. This allows the scanner to detect a brand new virus it has never even seen before. This ability is commonly referred to as either heuristics or generic detection. Generic detection is less likely to be effective against completely new viruses and more effective at detecting new members of an already known virus 'family' (a collection of viruses that share many of the same characteristics and some of the same code). The ability to detect heuristically or generically is significant, given that most scanners now include in excess of 250k signatures and the numbers of new viruses being discovered continues to increase dramatically year after year.

The recurring need to update

Each time a new virus is discovered that is not detectable by an existing signature, or may be detectable but cannot be properly removed because its behavior is not totally consistent with previously known threats, a new signature must be created. After the new signature has been created and tested by the antivirus vendor, it is pushed out to the customer in the form of signature updates. These updates add the detection capability to the scan engine. In some cases, a previously provided signature might be removed or replaced with a new signature to offer better overall detection or disinfection capabilities.

Depending on the scanning vendor, updates may be offered hourly, or daily, or sometimes even weekly. Much of the need to provide signatures varies with the type of scanner it is, i.e. with what that scanner is charged with detecting. For example, adware and spyware are not nearly as prolific as viruses, thus typically an adware/spyware scanner may only provide weekly signature updates (or even less often). Conversely, a virus scanner must contend with thousands of new threats discovered each month and therefore, signature updates should be offered at least daily.

Of course, it's simply not practical to release an individual signature for each new virus discovered, thus antivirus vendors tend to release on a set schedule, covering all of the new malware they have encountered during that time frame. If a particularly prevalent or menacing threat is discovered between their regularly scheduled updates, the vendors will typically analyze the malware, create the signature, test it, and release it out-of-band (which means, release it outside of their normal update schedule).

To maintain the highest level of protection, configure your antivirus software to check for updates as often as it will allow. Keeping the signatures up to date doesn't guarantee a new virus will never slip through, but it does make it far less likely.

********************************************************************************


Malware Detection Methods

Malicious software comes in many different forms: viruses, worms, trojans, and advertising-related spyware and adware are the most common categories. But each category is also composed of many different types of threats. For example, within worms there are autorun worms, network worms, Internet worms, email worms, etc. There are equally as many different methods of combating malware; most of today's anti-malware scanners combine several of these techniques. Following are four of the more commonly encountered approaches used in consumer-focused malware protection.

1. Signature Scanning

In the antivirus world, a signature is an algorithm or hash (a number derived from a string of text) that uniquely identifies a specific virus. Signature scanners look for known threats, i.e. malware that has previously been analyzed and identified. They also offer some limited protection against unknown threats, by employing generic signatures that trigger on commonalities typical of previously seen malware.

2. Behavior Blocking

In its simplest form, behavior blocking monitors file activities, preventing certain modifications to the operating system or related files. For example, behavior blockers may monitor the system registry, and warn users accordingly if a file being executed is attempting to modify it. Some programs, of course, do this legitimately, i.e. a SETUP program. Other files, however, may have malicious intent. The key benefit to a behavior blocker is that it questions whether the action was expected and whether the user wants to allow it.

3. Whitelisting

Signature scanners work from a blacklist approach, i.e. blocking any known bad code. Whitelisting does the opposite - identifying all known good items and allowing only those to run on a system. Whitelisting is seldom seen as a standalone solution - most view the practice as too expensive and time consuming in standalone form to be practical. However, when a whitelist is used as an exception list (for example, to exclude known good files from signature scanning), it can streamline performance.

4. Host Intrusion Prevention System (HIPS)

A host intrusion prevention system (HIPS) monitors each activity a program attempts and (depending on configuration) prompts the user for action or responds based on pre-defined criteria. HIPS is application-level control; and while it offers very granular control over the system, it is best suited for experienced users who have both the knowledge and the patience to answer the prompts and make the proper configuration choices.
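The post above describes three of the mechanisms in prose: exact-hash signatures, generic (family) signatures, and a whitelist used as an exclusion list. The following toy scanner is an added example written for this thread; it is not Malwarebytes code or any vendor's engine. Every file, hash and pattern in it is constructed for illustration, and the detection names are placeholders. It shows why a one-byte change defeats an exact hash but not a wildcard pattern, and why a whitelist is checked first to suppress a generic false positive.

```python
"""Toy anti-malware scanner: exact hashes, generic wildcard signatures,
and a whitelist exclusion list. All samples below are constructed."""
import hashlib
import re
from typing import Dict, Optional, Set

# --- Constructed sample "files" (byte strings standing in for file contents) ---
KNOWN_SAMPLE = b"MZ\x90\x00EVIL-known-sample-body"        # analysed by the "vendor"
MUTATED_SAMPLE = KNOWN_SAMPLE + b"!"                       # one extra byte: new hash
FAMILY_VARIANT = b"MZ\x01\x02EVIL-variant-with-other-code"  # never seen, same family
CLEAN_FILE = b"MZ\x00\x00hello world, nothing to see here"
# A legitimate file that happens to contain the family marker bytes:
LEGIT_BUT_SUSPICIOUS = b"MZ\x00\x00EVIL appears in this legitimate string table"


def sha256(data: bytes) -> str:
    """Static hash of the whole file, the simplest form of a signature."""
    return hashlib.sha256(data).hexdigest()


# Exact signatures: file hash -> detection name (constructed names).
EXACT_SIGNATURES: Dict[str, str] = {
    sha256(KNOWN_SAMPLE): "Example.Known.A",
}

# Generic signatures: hex byte patterns where '??' matches any single byte.
# One pattern covers a whole family, so unseen variants still trigger.
GENERIC_SIGNATURES: Dict[str, str] = {
    "Example.Family.Gen": "4d 5a ?? ?? 45 56 49 4c",  # 'MZ' .. 'EVIL'
}

# Whitelist / exception list: hashes of known-good files skipped by scanning.
WHITELIST: Set[str] = {sha256(LEGIT_BUT_SUSPICIOUS)}


def pattern_to_regex(pattern: str) -> "re.Pattern[bytes]":
    """Compile a 'xx xx ?? xx' hex pattern into a byte regex."""
    parts = []
    for token in pattern.split():
        if token == "??":
            parts.append(b".")                     # wildcard byte
        else:
            parts.append(re.escape(bytes([int(token, 16)])))
    return re.compile(b"".join(parts), re.DOTALL)


COMPILED_GENERICS = {name: pattern_to_regex(p) for name, p in GENERIC_SIGNATURES.items()}


def scan(data: bytes, use_whitelist: bool = True) -> Optional[str]:
    """Return a detection name, or None if the file is clean or whitelisted."""
    digest = sha256(data)
    if use_whitelist and digest in WHITELIST:
        return None                                # known good: skip entirely
    if digest in EXACT_SIGNATURES:                 # cheap, precise, brittle
        return EXACT_SIGNATURES[digest]
    for name, regex in COMPILED_GENERICS.items():  # broader, catches variants
        if regex.search(data):
            return name
    return None


def scan_all() -> Dict[str, Optional[str]]:
    """Scan every constructed sample and report the verdicts."""
    return {
        "known": scan(KNOWN_SAMPLE),
        "mutated": scan(MUTATED_SAMPLE),
        "variant": scan(FAMILY_VARIANT),
        "clean": scan(CLEAN_FILE),
        "legit_whitelisted": scan(LEGIT_BUT_SUSPICIOUS),
        "legit_no_whitelist": scan(LEGIT_BUT_SUSPICIOUS, use_whitelist=False),
    }


if __name__ == "__main__":
    for label, verdict in scan_all().items():
        print(f"{label:20s} -> {verdict}")
```

The exact hash only fires on the byte-identical sample; the mutated and variant files fall through to the generic pattern, which is the "family" detection the post describes. The last two verdicts show the whitelist's role as an exception list: without it the legitimate file would be a generic false positive.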

#3
aaronmarsh632

    New Member

  • Members
  • 6 posts
This info is great, thanks, learnt a lot.

am

#4
srtools1980y

    Elite Member

  • Honorary Members
  • 816 posts
You are always welcome.

Glad to hear that your doubt is cleared.
