Kaspersky Anti-Virus, formerly known as AntiViral Toolkit Pro (AVP), is still called AVP or KAV out of habit and for brevity.
Understanding how AVP detects memory-resident viruses is of both theoretical and practical interest, because its detection method is a sound and reasonable one. Anyone who fought viruses in the DOS days will remember the standard advice: "Is the machine infected? Fine, boot from a clean, uninfected system disk, then scan and clean the whole machine." I remember that when CIH was rampant, a friend asked me to help him clean up the virus. He said a well-known domestic anti-virus product had reported the virus; he ran that product to kill it again, and its own monitor then reported that the product itself was infected with CIH. I told him to boot the system from a clean disk and run a full scan and clean. While that is a workaround, the fact is that the anti-virus software could not detect and remove the virus directly in memory. Doing so is entirely achievable, and as far as I know AVP was the earliest to use a method for detecting and removing resident viruses in memory.
First, the detection method:
The AVP virus database contains several kinds of feature records. One of them is the memory feature: the set of signatures AVP uses to detect memory-resident viruses. For memory-resident infectors AVP applies a number of separate detection methods.
AVP scans for a memory-resident infector using the scanning method and address offset recorded in the virus database. Starting from that address offset it compares byte by byte; when it reaches a byte equal to the record's match byte, that is, Segm:Offset + byte offset = record match byte, AVP computes the signature of the length given in the database record. If the signature matches the record in the database, the corresponding virus message is displayed and the memory repair is performed: the repair bytes from the record are written, for the repair length the record specifies, so that the original virus is inactive after the repair.
Kafan Software Exchange Center
The record structure contains the following fields:
Virus name
Search method: absolute address scan, special module, ...
Address offset: segment + offset
Match byte
Feature length
Feature bytes (the signature)
Dedicated processing module: Obj_link
Repair offset address
Repair byte length: generally less than 10
Repair bytes
Second, the search methods:
As can be seen above, a key factor in AVP's fast processing is its search method. AVP has several built-in search methods, which apply to MS-DOS, Win9x, WinNT/2000/XP and other systems. AVP can use any of several memory search methods to handle a given virus; the only difference between them is which one is more efficient.
1. Absolute address:
AVP scans some viruses by absolute address: the scanner reads the address from the database record, performs the match at that address in memory, and after a match carries out the repair process.
2. Segment scanning:
AVP loops through a single memory segment one byte at a time, from the beginning of the segment to its end.
3. Full scan:
AVP starts at memory address 0x00000000 and loops upward, matching across the whole of memory.
4. Special module:
This method is for certain particularly "cunning" viruses. When AVP's normally defined scanning and detection methods cannot identify the virus correctly, a dedicated processing module is used to detect and remove it. The module is written and compiled into an OBJ file and stored in the AVP database records.
5. Interrupt tracking:
This is AVP's scanning method under DOS: it locates the virus code in memory through the system interrupts INT 21h and INT 13h, and modifies the code around those instructions so that the virus becomes inactive.
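A compact model of the detection method, the record structure and the absolute-address and full-scan search methods described above, as an added example that is not AVP's own code: the record layout, the made-up signature and the constant and function names are assumptions for illustration.

```c
#include <stdint.h>
#include <string.h>

/* One memory-signature record with the fields the article lists (layout constructed for this example). */
typedef struct {
    const char *name;       /* virus name shown on a hit */
    int absolute;           /* 1: absolute-address scan, 0: full scan upward from address 0 */
    size_t address;         /* linear address (segment * 16 + offset) used by the absolute scan */
    uint8_t match_byte;     /* cheap first-byte test; the full signature is compared only on a hit */
    const uint8_t *feature; /* signature bytes, starting at the match position */
    size_t feature_len;
    size_t fix_offset;      /* where, relative to the match, the repair bytes are written */
    const uint8_t *fix;
    size_t fix_len;
} MemRecord;
static int feature_at(const uint8_t *mem, size_t len, size_t pos, const MemRecord *r)
{
    return pos + r->feature_len <= len && mem[pos] == r->match_byte &&
           memcmp(mem + pos, r->feature, r->feature_len) == 0;
}
/* Returns the match position, or -1 if the record's signature is not resident in the image. */
long scan_memory(const uint8_t *mem, size_t len, const MemRecord *r)
{
    if (r->absolute) return feature_at(mem, len, r->address, r) ? (long)r->address : -1;
    for (size_t pos = 0; pos + r->feature_len <= len; pos++)
        if (feature_at(mem, len, pos, r)) return (long)pos;
    return -1;
}
/* On a hit, overwrite the resident code with the repair bytes; -1 if nothing matched or the fix overruns. */
long scan_and_repair(uint8_t *mem, size_t len, const MemRecord *r)
{
    long pos = scan_memory(mem, len, r);
    if (pos < 0 || (size_t)pos + r->fix_offset + r->fix_len > len) return -1;
    memcpy(mem + pos + r->fix_offset, r->fix, r->fix_len);
    return pos;
}

/* Constructed sample: a made-up 6-byte signature planted at 0x14 of a 64-byte image; the fix is RETF (0xCB). */
static const uint8_t DEMO_SIG[] = {0xEB, 0x07, 0x56, 0x49, 0x52, 0x21};
static const uint8_t DEMO_FIX[] = {0xCB};
const MemRecord DEMO_RECORD = {"Demo.Resident", 0, 0, 0xEB, DEMO_SIG, sizeof DEMO_SIG, 0, DEMO_FIX, 1};
/* Full scan, repair, rescan: returns the hit position (0x14) if the rescan is then clean, else -1. */
long run_demo(void)
{
    uint8_t mem[64];
    memset(mem, 0x90, sizeof mem);                 /* NOP filler, no virus code */
    memcpy(mem + 0x14, DEMO_SIG, sizeof DEMO_SIG);
    long hit = scan_and_repair(mem, sizeof mem, &DEMO_RECORD);
    return (hit >= 0 && scan_memory(mem, sizeof mem, &DEMO_RECORD) == -1) ? hit : -1;
}
```

Because the one-byte fix lands on the match byte itself, a rescan after repair no longer finds the record, which is the "inactive after repair" property the article describes.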
This article originates from: http://bbs.pcunit.cn