Comprehensive introduction to new active defense technologies in anti-virus software

Good anti-virus software is important in the excellent engine. The larger the virus database, the lower the anti-virus speed. Because the virus database antivirus process, the engine delivers the judgment capability to the virus database and compares and judges the virus database with the specified file.

I. Relationship between anti-virus software engine and virus Database

In fact, the virus database has no direct relationship with the Anti-Virus engine. The task and function of the Anti-Virus engine are very simple, that is, to determine whether the specified file or program is legal. The virus database is just a supplement to the Anti-Virus engine. The process is that the Anti-Virus engine judges files or programs. If you understand this, you should know that good anti-virus software is important in the excellent engine. The larger the virus database, the faster the anti-virus speed will definitely decrease. Because the virus database antivirus process, the engine delivers the judgment capability to the virus database and compares and judges the virus database with the specified file.

2. shelling and shelling

1. What is shelling?

The so-called shelling is a process of modifying the encoding of executable program files or dynamically linked library files through a series of mathematical operations (currently, some shelling software can compress and encrypt the driver ), to reduce the file size or encryption program code.

When the shelled program runs, the shell program is first executed, and then the shell program is responsible for extracting the user's original program in the memory, and returning the control to the real program after shelling. All operations are automatically completed, and you do not know how the shell program runs. In general, Shell programs run the same result as those without Shell programs.

How can I determine whether an executable file is shelled? There is a simple method (the effect on Chinese software is obvious ). Open an executable file in Notepad. If you can see the prompt information of the software, it is generally not shelled. If it is completely garbled, it is mostly shelled.

Why can hackers use shell technology to combat anti-virus software? As we all know, anti-virus software primarily relies on pattern technology to scan and kill viruses. Since the shelling software compresses and deformation the source files, the signatures before and after encryption are completely different.

Anti-Virus Software with poor shelling capabilities requires two different feature records after the virus is shelled. If a hacker shells a shell tool, it is a new virus for these anti-virus software. New feature records must be added for scanning and removal. If the anti-virus software has strong shelling capabilities, you can first shell the virus files and then scan and kill them. In this way, you only need one record to kill these viruses, it not only reduces the occupation of system resources by anti-virus software, but also greatly improves its virus detection and removal capabilities.

2. shelling

Vest "can be worn or detached. Correspondingly, there will also be shelling (also called shelling ). There are two main methods for shelling: Hard shelling and dynamic shelling.

The first is hard shelling. This refers to finding the shelling algorithm of the shelling software and writing the reverse algorithm, just like compression and decompression. Currently, many "shells" are encrypted and deformed, and the code generated by each shell addition is different. Hard Shell removal is powerless, but it is still used by some anti-virus software due to its low technical threshold.

The second is dynamic shelling. Because the shelling program must be restored to the original form when running the program, that is, the shelling program will automatically remove the "vest" during running ". Currently, there is a shelling method that crawls (Dump) images in the memory and re-forms the Standard execution file. Compared with the hard shelling method, this shelling method has better processing effects on self-encrypted and deformed shells.
Iii. VUE Technology

If a virus is run, the user's computer will be infected with the virus. Therefore, a new idea was proposed to construct a simulated environment for the virus and trick the virus into taking off its "vest ". In addition, the "virtual environment" is isolated from the user's computer, and virus operations on the virtual machine will not have any impact on the user's computer.

The "Virtual Machine shelling" technology has become the most effective tool recognized by the global security industry in recent years to solve this problem. However, writing a virtual machine system must solve the difficulties of virtual cpu, virtual peripheral hardware devices, and virtual drivers.

Iv. heuristic Antivirus

The difference between a virus and a normal program can be reflected in many aspects. Common examples include: an application's initial commands, it is to check whether the command line input has parameters, clear the screen, save the original screen display, and so on, and the virus program does not do this, generally, its initial commands are to write or decode commands directly, or to search for executable programs and other related operation commands in a specific path. These notable differences make it easy for a skilled programmer to get a glance at the debugging status. Heuristic code scanning technology is actually to transplant this experience and knowledge into a specific program for virus scanning.

Heuristic refers to the "self-discovery ability" or "using some method or Method to Determine the knowledge and skills of things ." A virus detection software using heuristic scanning technology is actually a dynamic high-altitude or anti-compiler implemented in a specific way, through the decompilation of the instruction sequence, we can gradually understand and determine the real motives of the sequence. For example, if a program starts in the following sequence: mov ah, 5/INT, 13 h, that is, the BIOS Instruction Function for disk formatting is called, then this program is highly suspicious and worth warning, especially if this command does not have the command line execution Parameter options, and does not require interactive user input to continue the operation command, you can think of it as a virus or a malicious program.

Heuristic anti-virus technology represents an inevitable trend in the future development of anti-virus technology. It is a anti-virus technology with the characteristics of artificial intelligence, shows us the possibility of a general virus detection technology and product that does not need to be upgraded (which is less urgent or independent from the upgrade. Because of the powerful advantages that many traditional technologies cannot match, they will surely be widely applied and rapidly developed. The Application of pure heuristic code analysis technology (without any prior research and understanding of the tested target virus sample) has achieved a virus detection rate of more than 80%, however, the false positive rate is easily controlled below 0.1%, which is a traditional virus scanning software that extracts "feature strings" based on known viruses, is unimaginable, a qualitative leap. As new viruses and variants emerge and the number of viruses continues to surge, the emergence and application of this new technology is of special significance.

V. Concept of active defense technology

Active Defense Technology is a hot concept. In terms of concept, it refers to the prevention of unknown viruses and the prevention of virus operation before virus samples are obtained. Currently, the active defense technology is mainly designed to defend against unknown viruses. That is to say, some people say: identify whether a virus is a virus and handle it through the behavior characteristics of the virus. Virus Behavior Blocking Technology extracts the common characteristics of computer viruses, such as modifying the registry, self-replication, and constantly connecting to the network to determine whether these virus behavior characteristics are viruses.

Jiang Min's anti-virus experts said that core active defense technologies include virtual machine technology, and virus Behavior Blocking Technology. Virtual Machine technology uses a software virtual CPU environment to activate a virus, determine whether it is a virus, and clear it.

Rising virus experts say that "active defense" is to identify most of the unintercepted unknown viruses and variants through "behavior judgment" technology in terms of unknown viruses and unknown programs. On the other hand, by monitoring the vulnerability attack behavior, this can prevent viruses from using system vulnerabilities to attack other computers, thus preventing the outbreak of viruses.