I believe most readers who have ever run a virus scan have experienced the same frustrating situation: even with the virus database updated to the latest version, some well-crafted viruses or Trojans are still not detected, let alone removed. Once you understand how anti-virus software works and what its engine actually does, the reason becomes clear.
I. Anti-Virus Software Workflow
For an anti-virus product, a successful scan-and-clean cycle normally involves virus identification, alerting, removal, and restoration of the affected files or system. Each stage relies on a number of involved techniques, but the most important of them is the anti-virus engine. In the broad sense the engine covers real-time monitoring (file and web-page monitoring, for example) as well as the file-recognition logic used to scan for, identify, alert on, remove and even pre-empt viruses. The engine therefore largely decides how good or bad an anti-virus product is, and among the many techniques it contains, virus identification is the top priority.
II. Unpacking: An Essential Step
Packing viruses and Trojans (wrapping the real code in a "shell" that decrypts or decompresses it at run time) is now routine, so an engine has to unpack a file before it can recognize anything in it. There are two main unpacking approaches: algorithmic (static) unpacking and dynamic unpacking. Mainstream anti-virus products have introduced virtual-machine technology for the latter. It costs some system resources, but running a packed file inside a virtual machine not only handles a far wider range of packers, it also keeps the sample from actually infecting the real system.
Algorithmic unpacking: the engine recognizes the packer and reverses its decryption or decompression algorithm directly, without running the sample. It is fast and cheap in resources, but it cannot handle packers that have been modified or mutated, because the inverse of an unknown transform is unknown. Many products compensate by at least alerting the user that a file is packed with an unrecognized packer, even when they cannot unpack it.
Dynamic unpacking: a packed program only restores its original code once it is running. To prevent system files from being infected when the sample runs, virtual-machine technology is introduced: the engine emulates a computer environment and lets the packed program run inside it until the original code has been restored in memory. The advantage is obvious, but the method consumes a great deal of system resources, so a vendor with a mature, efficient virtual machine of its own gains a large improvement in detection speed.
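As an added illustration of the static unpacking path (this is example code written for this page, not code from the original article or from any vendor's engine): a toy packer, the engine's algorithmic unpacker for it, and a scan routine that shows why unpacking must come before signature matching. The packer header `XPK1`, the mutated packer `XPK2`, the sample bodies and the signature are all constructed assumptions. The static path succeeds only for the packer whose transform the engine knows; the mutated packer falls through to the "unrecognized packer" alert described above. Dynamic unpacking in a virtual machine is not shown.

```python
# Added example (not from the original article): a toy packer, a static unpacker
# for it, and an engine-style scan routine. Every header, pattern and body here
# is a constructed assumption, not a real sample or real signature.

PACKER_MAGIC = b"XPK1"   # hypothetical stub header of the packer the engine knows
VARIANT_MAGIC = b"XPK2"  # hypothetical mutated packer the engine does not know

# Constructed stand-in for a known malicious file body (not a real sample).
MALICIOUS_BODY = (b"MZ\x90\x00"
                  + b"EVIL_DROPPER_v1::connect(c2.example):download:run"
                  + b"\x00" * 8)
# Constructed benign body of the same shape.
BENIGN_BODY = b"MZ\x90\x00" + b"Hello, this program only prints a greeting." + b"\x00" * 8

# Constructed signature database: name -> byte pattern taken from the body above.
SIGNATURES = {"Dropper.A": b"EVIL_DROPPER_v1::connect"}


def pack_known(body: bytes, key: int) -> bytes:
    """Known packer: stub header, a one-byte key, then the body XORed with that key."""
    return PACKER_MAGIC + bytes([key]) + bytes(b ^ key for b in body)


def pack_variant(body: bytes) -> bytes:
    """Mutated packer: new header, bytes inverted and reversed. Its inverse is not in the engine."""
    return VARIANT_MAGIC + bytes(b ^ 0xFF for b in body)[::-1]


def signature_scan(data: bytes):
    """Signature method: return the name of the first matching pattern, or None."""
    for name, pattern in SIGNATURES.items():
        if pattern in data:
            return name
    return None


def unpack_static(data: bytes):
    """Algorithmic unpacking: recognize the known stub and invert its transform without running it."""
    if data.startswith(PACKER_MAGIC) and len(data) > len(PACKER_MAGIC) + 1:
        key = data[len(PACKER_MAGIC)]
        return bytes(b ^ key for b in data[len(PACKER_MAGIC) + 1:])
    return None  # unknown stub: static unpacking cannot proceed


def printable_ratio(data: bytes) -> float:
    """Crude packed-file heuristic: encrypted or compressed code has few readable strings."""
    return sum(0x20 <= b <= 0x7E for b in data) / max(len(data), 1)


def scan_file(data: bytes):
    """Engine flow: signature scan, then static unpack and rescan, else fall back to a packing alert."""
    hit = signature_scan(data)
    if hit:
        return ("infected", hit)
    body = unpack_static(data)
    if body is not None:
        hit = signature_scan(body)
        return ("infected", hit + " (static-unpacked)") if hit else ("clean", "unpacked, no signature")
    if printable_ratio(data) < 0.5:
        return ("suspicious", "unrecognized packer")  # the alert the text mentions
    return ("clean", "")


if __name__ == "__main__":
    for label, sample in [("raw", MALICIOUS_BODY),
                          ("known packer", pack_known(MALICIOUS_BODY, 0x55)),
                          ("variant packer", pack_variant(MALICIOUS_BODY)),
                          ("benign", BENIGN_BODY)]:
        print(f"{label:15s} -> {scan_file(sample)}")
```

The same signature that matches the raw body does not match the packed bytes at all; only after `unpack_static` inverts the known transform does the match reappear. For the mutated packer the engine has no inverse, so the best it can do is the low-printable-ratio alert, which is exactly the gap that dynamic unpacking in a virtual machine is meant to close.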
III. Methods for Identifying Viruses
How an engine identifies viruses is the core question for any anti-virus product: identification ability largely determines its scan-and-clean capability, because a virus that cannot be identified cannot be handled correctly. The main detection methods are the signature (feature code) method, the checksum method, behavior monitoring, and software emulation. Vendors weigh the detection effectiveness and run-time overhead of each method and choose according to their own technical strengths. Here we only cover the advantages and disadvantages of each; the implementation details are beyond the scope of this beginner-level article.
Signature method: identifies virus files by byte patterns (signatures) that distinguish virus code from normal program code. It is the simplest and most direct method for known viruses, and its strengths and weaknesses are both pronounced.
Advantage: high detection accuracy and a low false-positive rate.
Disadvantage: scanning becomes slower as the number of known viruses, and with it the size of the signature database, keeps growing. Unknown viruses, polymorphic viruses, and viruses that hide their code (for example by encryption) cannot be detected. The method is also poorly suited to network-based scanning, because distributing an ever-growing signature database consumes valuable network bandwidth.
Checksum method: the engine computes a checksum of each file (any deterministic algorithm will do) and stores it; later, periodically or whenever the file is loaded, it recomputes the checksum and compares it with the stored value to decide whether the file has been modified, and therefore possibly infected. Although this method can detect unknown viruses, its high false-positive rate has gradually pushed it out of use.
Advantage: unknown viruses can be detected.
Disadvantage: the virus name cannot be reported, and the false-positive rate is high. A software update, a changed password stored inside the file, or any other legitimate edit of the file's content triggers an alert, because the method cannot distinguish changes made by normal program use from changes made by a virus.
Behavior monitoring: identifies viruses by the behavior that is characteristic of them. This requires detailed classification and study of virus behavior, isolating actions that are common among viruses but rare in normal programs, and then identifying and warning on the basis of what a program actually does while it runs.
Advantage: because it generalizes from the common characteristics of many viruses, it can find unknown viruses, and it is very effective at flagging most of them.
Disadvantage: a virus whose behavior has not yet been catalogued escapes detection, and false positives exist. For an unknown virus the name cannot be determined, so an ordinary user cannot effectively clean it up.
Software emulation method: detects virus characteristics by emulating the execution of the sample. The signature method cannot detect polymorphic viruses, and behavior monitoring can detect a virus but cannot determine its name; software emulation was developed to fill that gap: once the virus has decrypted itself inside the emulator, its body can be matched against signatures.
Advantage: it can identify unknown viruses, locate them precisely, and has a low false-positive rate.
Disadvantage: detection speed suffers and system resource consumption is high.
Each of these methods has its own strengths. In general no single method can detect and alert on the full range of viruses, so engines combine the methods according to the actual conditions and the application scenario.
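To make the trade-off between the signature method and the checksum method concrete, here is an added example (written for this page, not code from the original article or from any product) that runs both methods side by side over a constructed in-memory "disk". The file names, their contents, the signature pattern and the "later" disk state are all constructed assumptions. The four cases from the text appear together: a known virus (both methods hit), a one-byte variant (signature misses, checksum catches it as an anonymous change), a legitimate program update (checksum false positive) and an untouched file.

```python
# Added example (not from the original article): the signature method and the
# checksum method run side by side. File names, contents and the signature
# pattern are constructed assumptions, not real files or real signatures.
import hashlib

# Constructed signature database for one known file-appending virus.
SIGNATURES = {"Appender.A": b"\xe8\x00\x00\x00\x00\x5e\x81\xee\x10\x10\x40\x00"}

# Constructed "disk" as it looks when the checksum baseline is recorded (all files clean).
CLEAN_DISK = {
    "calc.exe":    b"MZ" + b"calc program body" + b"\x00" * 8,
    "editor.exe":  b"MZ" + b"editor program body" + b"\x00" * 8,
    "notepad.exe": b"MZ" + b"notepad program body v1" + b"\x00" * 8,
    "shell.exe":   b"MZ" + b"shell program body" + b"\x00" * 8,
}


def take_baseline(disk):
    """Checksum method, step 1: store a checksum of every file while it is known to be clean."""
    return {path: hashlib.sha256(data).hexdigest() for path, data in disk.items()}


def signature_verdict(data):
    """Signature method: report the name of the first known pattern found, else None."""
    for name, pattern in SIGNATURES.items():
        if pattern in data:
            return name
    return None


def checksum_verdict(path, data, baseline):
    """Checksum method, step 2: any change since the baseline is reported as a possible infection."""
    if path not in baseline:
        return "no baseline"
    if hashlib.sha256(data).hexdigest() == baseline[path]:
        return "unchanged"
    return "modified: possible unknown virus"


def scan(disk, baseline):
    """Return {path: (signature verdict, checksum verdict)} for every file on the disk."""
    return {path: (signature_verdict(data), checksum_verdict(path, data, baseline))
            for path, data in disk.items()}


def mutate(pattern):
    """One-byte change to the virus body, standing in for a polymorphic variant."""
    return pattern[:-1] + bytes([pattern[-1] ^ 0x01])


def later_disk():
    """Constructed later state of the disk, covering the cases discussed in the text."""
    disk = dict(CLEAN_DISK)
    disk["calc.exe"] = CLEAN_DISK["calc.exe"] + SIGNATURES["Appender.A"]              # known virus appended
    disk["editor.exe"] = CLEAN_DISK["editor.exe"] + mutate(SIGNATURES["Appender.A"])  # unknown variant appended
    disk["notepad.exe"] = b"MZ" + b"notepad program body v2" + b"\x00" * 8             # legitimate update
    disk["readme.txt"] = b"a new file that was never baselined"
    return disk


def demo():
    """Scan the later disk against the baseline taken from the clean disk."""
    return scan(later_disk(), take_baseline(CLEAN_DISK))


if __name__ == "__main__":
    for path, (sig, chk) in demo().items():
        print(f"{path:12s} signature={str(sig):12s} checksum={chk}")
```

Note that `notepad.exe` and `editor.exe` produce the identical checksum verdict even though one is a routine update and the other carries a variant the signature database has never seen; the checksum method has no way to tell them apart, which is the false-positive problem the text describes, while the signature method names the known virus precisely and says nothing at all about the variant.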
IV. Virus Removal and File Restoration
Once a virus has been correctly identified, it has to be removed, and there are two situations. For a virus that does not infect other files, or that is purely destructive, the engine simply deletes the file. The more common and more difficult case is file infection. Here the engine checks the damage done to the current system environment and reverts the changes recorded for that virus in the virus database. For an infected file, the engine must locate and strip the parasitic virus code from the host file according to the algorithm for that virus. This step has to be handled very carefully: get it wrong and the original file is damaged, which makes the cleaning pointless. (Many users have experienced a system that no longer boots after a large number of infected system files were "cleaned", precisely because the files were corrupted during removal.) For non-file-infecting Trojans and other malicious programs, which tamper with the registry or with system files in all sorts of ways in order to load themselves (self-starting), the engine must, after removing the program itself, accurately and effectively restore the damaged system environment; this is the biggest challenge for an anti-virus engine. For a detected sample whose name cannot be identified, precise cleaning is not possible, but many products can still place it in quarantine (the "virus isolation zone") to stop it spreading.
Hiding techniques have evolved from a single startup item in the early days to today's combination of multiple startup items, mutually protecting processes, thread monitoring, remote injection, executable file association hijacking, loading as a service, loading as a driver, and more, often several at once. This makes cleaning very hard: if even one component is missed and not removed, the virus comes back. How effectively and accurately an engine identifies and repairs the damaged environment is therefore a key measure of how mature its technology is.
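The following added example (written for this page, not code from the original article or from any vendor) ties together behavior monitoring from Section III and environment restoration from this section. It scores a constructed event trace with a handful of behavior rules, attributes child processes to the tree that spawned them, and then derives a rollback plan from the recorded changes: registry values are restored to their previous value where one was recorded and only deleted where there was none, processes are terminated before files are deleted, and the executable file association is put back rather than removed. The paths, registry keys, process ids, rule weights and threshold are all constructed assumptions, not a vendor's rules.

```python
# Added example (not from the original article): behavior-based detection over a
# constructed event trace, then a rollback plan derived from the recorded changes.
# Paths, keys, pids, weights and the threshold are constructed assumptions.

TEMP_DIR = r"C:\Users\u\AppData\Local\Temp"
DROPPED = TEMP_DIR + r"\svch0st.exe"

# Constructed trace: a malicious tree (pid 4242 -> child 4300) and a benign installer (pid 5000).
# "old" records the previous registry value so the engine can restore instead of merely delete.
EVENTS = [
    {"pid": 4242, "op": "file_write", "target": DROPPED},
    {"pid": 4242, "op": "reg_set", "target": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
     "value": DROPPED, "old": None},
    {"pid": 4242, "op": "reg_set", "target": r"HKCR\exefile\shell\open\command\(Default)",
     "value": f'"{DROPPED}" "%1" %*', "old": '"%1" %*'},
    {"pid": 4242, "op": "service_create", "target": "WinUpdSvc", "value": DROPPED},
    {"pid": 4242, "op": "process_create", "target": DROPPED, "child": 4300},
    {"pid": 4300, "op": "remote_thread", "target": "explorer.exe"},
    {"pid": 5000, "op": "file_write", "target": r"C:\Program Files\Vendor\app.exe"},
    {"pid": 5000, "op": "reg_set", "target": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\VendorApp",
     "value": r"C:\Program Files\Vendor\app.exe", "old": None},
]


def in_user_writable(path):
    """True for locations a non-admin process can write to (assumed list)."""
    return path.lower().startswith((TEMP_DIR.lower(), r"c:\users\u\appdata"))


# Each rule: (name, weight, predicate over (event, all events of the same process tree)).
RULES = [
    ("autorun_key", 2, lambda e, tree: e["op"] == "reg_set"
        and "\\currentversion\\run\\" in e["target"].lower()),
    ("exefile_hijack", 4, lambda e, tree: e["op"] == "reg_set"
        and e["target"].lower().startswith(r"hkcr\exefile\shell\open\command")),
    ("service_from_user_dir", 4, lambda e, tree: e["op"] == "service_create"
        and in_user_writable(e["value"])),
    ("drop_then_execute", 3, lambda e, tree: e["op"] == "process_create"
        and in_user_writable(e["target"])
        and any(x["op"] == "file_write" and x["target"] == e["target"] for x in tree)),
    ("remote_thread", 4, lambda e, tree: e["op"] == "remote_thread"),
]
THRESHOLD = 6  # assumed: a lone autorun entry (a normal installer) stays below it


def group_by_tree(events):
    """Attribute child processes to the root that spawned them, so scoring covers the whole tree."""
    root_of = {}
    for e in events:
        if e["op"] == "process_create":
            root_of[e["child"]] = root_of.get(e["pid"], e["pid"])
    trees = {}
    for e in events:
        trees.setdefault(root_of.get(e["pid"], e["pid"]), []).append(e)
    return trees


def score_trees(events):
    """Return {root pid: (total score, sorted names of the rules that fired)}."""
    out = {}
    for root, tree in group_by_tree(events).items():
        fired = [(name, w) for e in tree for name, w, pred in RULES if pred(e, tree)]
        out[root] = (sum(w for _, w in fired), sorted({name for name, _ in fired}))
    return out


def detect(events):
    """Process trees whose behavior score reaches the threshold."""
    return {root: v for root, v in score_trees(events).items() if v[0] >= THRESHOLD}


def rollback_plan(events, root):
    """Remediation derived from the recorded changes of a flagged tree."""
    tree = group_by_tree(events)[root]
    pids = {root} | {e["child"] for e in tree if e["op"] == "process_create"}
    plan = [("terminate_pid", p) for p in sorted(pids)]  # stop mutually protecting processes first
    for e in reversed(tree):                              # then undo persistence, newest change first
        if e["op"] == "service_create":
            plan.append(("delete_service", e["target"]))
        elif e["op"] == "reg_set":
            plan.append(("reg_delete", e["target"]) if e["old"] is None
                        else ("reg_restore", e["target"], e["old"]))
        elif e["op"] == "file_write":
            plan.append(("delete_file", e["target"]))     # last, once nothing holds the file open
    return plan


if __name__ == "__main__":
    for root, (score, fired) in score_trees(EVENTS).items():
        print(root, score, fired, "FLAGGED" if root in detect(EVENTS) else "ok")
    for step in rollback_plan(EVENTS, 4242):
        print("  ", step)
```

The benign installer also writes a Run key, so a single rule would produce exactly the false positive the text warns about; it is the combination of persistence, a drop-and-execute from a user-writable directory and remote thread injection that pushes the malicious tree over the threshold. On the cleanup side, deleting `HKCR\exefile\shell\open\command` instead of restoring `"%1" %*` would leave a system on which no executable can be launched, which is why the plan restores recorded old values and only deletes keys that did not exist before.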
V. The Path to the Future
Currently, virtual machines, real-time monitoring and active defense have gradually become mainstream. In addition, two newer techniques are in the trial stage: intelligent code identification and behavior interception.
Intelligent code identification: the idea is to assign each program a unique identifier, which makes it much easier to deal with illegal Trojans, backdoors and similar programs; even if a file or program is infected, the anti-virus software can intercept and block it on the basis of that identification code. At present this is still at the theoretical stage, and no security vendor's product includes such a module.
Behavior interception: conceptually similar to active defense. Behavior interception means monitoring application behavior in real time and blocking the activity of malicious programs; where necessary it can even hook the system's APIs. It also has a downside: if it wrongly intercepts the normal execution of a legitimate program, the system behaves abnormally, some system functions may become unusable, and in serious cases the system can be paralyzed. This matters especially for users who know little about the operating system. Although many products (NOD32 and avast, for example) have begun to use this technique, much research remains to be done.
Recently many Chinese anti-virus vendors have used all kinds of media to publicize that they have passed such-and-such certification. Passing a certification from an authoritative organization can serve as evidence of product quality, but at most it proves the past. In the face of endless viruses and ever-changing attacks, continually improving existing technology and researching new techniques is just as important. In fact, "virus-killing software" would be better named "virus-prevention software", because more and more products are moving in that direction. Prevention means stopping viruses from getting into the system in the first place: monitoring and warning accurately and in real time on every channel, network transfer and file transfer included, treating any sign that a virus might enter the system as an alarm, and recording the files that carry viruses so that they can be removed immediately.
Conclusion: many users feel at a loss when choosing anti-virus software. In fact, the engine technology behind it is no more than what has been described above. Do not focus only on the interface and the vendors' publicity; the vendor's R&D capability and service responsiveness are also worth considering.