How Anti-Virus Software Detects and Removes Viruses

Source: Internet
Author: User

Core tips: This article describes how anti-virus software decides that a file is infected and how it scans for and removes the virus. Four detection methods are covered: signature scanning, checksums, behavior monitoring, and software simulation (emulation). Because they rest on different principles, they differ in overhead and in what they can detect.


What does anti-virus software rely on? Before answering that, we need to understand how it detects viruses in the first place. In the fight against viruses, early detection matters: the sooner an infection is found and dealt with, the smaller the loss. The main detection methods are signature scanning, checksums, behavior monitoring, and software simulation. Because they rest on different principles, they differ in overhead and in the range of viruses they can detect.

I. Signature Method

The signature (pattern) method was used by SCAN, CPAV and other well-known early virus detection tools, and is generally regarded as the simplest and cheapest way to detect known viruses.

The signature method is implemented as follows:

1. From a sample of the virus, extract a code segment that is distinctive and unlikely to occur in normal program code.
2. Keep the extracted segment to an appropriate length. It must be long enough to remain unique, yet short enough not to waste space and scanning time: if every signature grows by one byte, a database covering 3000 viruses grows by 3000 bytes. Once uniqueness is assured, make the signature as short as possible.
When scanning, the anti-virus software searches each file for the signatures held in its database. If one is found, it maps one-to-one to a virus and the file is judged infected. A signature therefore has two parts: the position at which the code appears in the file, and the signature proper, the bytes themselves.

For a pattern scan to identify a file as infected, the file must meet two conditions:
1. A location in the file corresponds to the location recorded for the signature in the virus database.
2. The code stored at that location is identical to the code recorded for that location in the database.

Signature-based detection tools must be updated continually as new viruses appear; otherwise they age and gradually lose their practical value. The signature method cannot detect a new virus, because its signature is not yet known.
The advantages of the signature method are accurate and fast detection, identification of the virus by name, a low false-alarm rate, and the possibility of disinfecting the file based on what was detected. Its disadvantages are that it cannot detect unknown viruses, that collecting signatures for known viruses is costly, and that it is inefficient on a network (on a server, a long scan can degrade the performance of the whole network). Signatures come in two kinds: file signatures and memory signatures. A memory signature is the pattern the virus presents once it has been loaded into memory; it cannot be found while the virus sits dormant on disk. Signatures are discussed further in the sections below.
Characteristics of the signature method:
A. Scanning slows as the database grows. Each file must be compared against every signature: a database of 5000 viruses means 5000 comparisons per file, and the cost keeps rising as the number of viruses increases.
B. Low false-positive rate.
C. Polymorphic viruses cannot be detected. A polymorphic virus re-encrypts itself on every infection, so no stable byte sequence remains to serve as a signature; polymorphic viruses are widely regarded as the nemesis of the signature method.
D. Stealth viruses cannot be handled. If a stealth virus becomes memory-resident before the scanner runs, it strips its own code from infected files as they are read, so the scanner examines a seemingly clean "good file", raises no alarm, and is deceived.
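The positional match and the two conditions above, written out in code. This is an added example and not code from the article: the database entries, offsets, byte patterns and sample files are constructed for illustration and identify no real virus. Beyond what the text states, it also shows what happens when the position part of a signature is dropped, and when a single byte of the signature is changed.

```python
"""Signature (pattern) scanning, added here as an example; not code from the
article.  A database entry is (virus name, offset, byte pattern); a positional
match requires the pattern at exactly that offset, the two conditions above.
Names, offsets, patterns and samples are constructed, not real signatures.
"""
from typing import List, Optional, Tuple

Signature = Tuple[str, int, bytes]

# Constructed database.  The patterns are plausible x86 fragments
# (mov ax,0200h / int 13h; jmp rel16) but identify no real virus.
SIGNATURE_DB: List[Signature] = [
    ("Example.Boot.A", 0x3E, bytes.fromhex("b80002cd13")),
    ("Example.Com.B", 0x00, bytes.fromhex("e90300")),
]


def scan_positional(data: bytes, db: List[Signature] = SIGNATURE_DB) -> Optional[str]:
    """Return the virus whose pattern sits at its recorded offset, else None.

    Cost grows linearly with the database: every entry is tried in turn."""
    for name, offset, pattern in db:
        if data[offset:offset + len(pattern)] == pattern:
            return name
    return None


def scan_anywhere(data: bytes, db: List[Signature] = SIGNATURE_DB) -> List[str]:
    """Drop the position part and search the whole file.  Catches shifted code,
    but a short pattern then also fires on innocent files (false positives),
    and the search is slower."""
    return [name for name, _offset, pattern in db if pattern in data]


def flip_byte(data: bytes, index: int) -> bytes:
    """Change one byte inside the signature: the basic 'kill-free' edit the
    summary describes.  Real evasion must keep the code working; here we only
    show that the scanner loses the match."""
    buf = bytearray(data)
    buf[index] ^= 0x01
    return bytes(buf)


# Constructed samples.
INFECTED = bytes(0x3E) + bytes.fromhex("b80002cd13") + bytes(16)
CLEAN = bytes(0x3E) + bytes.fromhex("b80001cd21") + bytes(16)     # mov ax,0100h / int 21h
SHIFTED = b"\x90" + INFECTED                                      # one junk byte prepended
LOOKALIKE = bytes(5) + bytes.fromhex("e90300") + bytes(20)        # jmp rel16, not at offset 0

if __name__ == "__main__":
    print(scan_positional(INFECTED))                      # Example.Boot.A
    print(scan_positional(SHIFTED))                       # None: offset no longer matches
    print(scan_anywhere(SHIFTED))                         # ['Example.Boot.A']
    print(scan_anywhere(LOOKALIKE))                       # ['Example.Com.B'], a false positive
    print(scan_positional(flip_byte(INFECTED, 0x3E + 4))) # None: one byte changed
```

The positional scanner misses the shifted copy; the offset-free scanner finds it but also flags the innocent look-alike, which is why real signatures carry a position. Flipping one byte inside the pattern defeats both scanners, which is the whole basis of the "kill-free" idea in the summary.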
II. Checksum Method
Compute a checksum over the contents of a file known to be clean and store it, either in the file itself or elsewhere. While the file is in use, recompute the checksum over the current contents at regular or irregular intervals and compare it with the stored value; a mismatch means the file has changed, from which an infection is inferred. This is the checksum method, and it can detect both known and unknown viruses. Later versions of SCAN and CPAV added checksums alongside signature scanning to improve their detection capability.

The checksum method can be applied in three ways:
1. Build it into the detection tool: compute the checksum of each target file in its clean state, store the value in the file or in the tool's own database, and compare on later scans.
2. Build a self-check into the application: write the clean checksum into the executable itself, and have the program compare the current checksum with the stored one every time it starts.
3. Use a memory-resident checker: whenever an application is launched, the resident program automatically verifies it against the checksum saved in the application or in a separate file.
The checksum method detects known and unknown viruses alike, but it cannot identify a virus or report its name. Infection is not the only reason a file's contents change; normal programs change their own files too, so the method often raises false alarms. It also slows file access. For these reasons, monitoring file checksums is not the best way to detect viruses.
A software update, a changed password, or modified run-time parameters will all trigger the checksum alarm.
The checksum method is also defeated by stealth viruses: once such a virus is memory-resident, it automatically strips its code from an infected program as the file is read, so the checker is deceived and computes the clean checksum for an infected file.

Characteristics of the checksum method:
Advantages: the method is simple, it can detect unknown viruses, and it catches even minor changes to the monitored file. Disadvantages: the clean checksums must be recorded in advance, it produces false alarms, it cannot name the virus, and it cannot cope with stealth viruses.
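The variants above are easiest to compare in code. The following is an added example, not code from the article or from any product: the file contents, the HMAC key and the CRC layout are assumptions made for illustration. It shows methods 1 and 2 side by side, the false alarm on a legitimate update, and one caveat the article does not spell out: a checksum stored inside the file with no secret behind it can simply be recomputed by the virus after infection.

```python
"""Checksum (integrity) monitoring, added here as an example; not code from the
article.  A baseline digest is recorded for each file and recomputed on every
check.  Two of the three variants above are shown: a keyed hash kept by the
scanner (method 1) and a CRC32 appended to the executable itself (method 2,
self-check).  The key and all file contents are constructed for this example.
"""
import hashlib
import hmac
import zlib
from typing import Dict

Files = Dict[str, bytes]


def digest(data: bytes, key: bytes) -> str:
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def baseline(files: Files, key: bytes) -> Dict[str, str]:
    """Record a keyed digest of every file in its clean state.  The key stays with
    the scanner, so a virus that rewrites a file cannot also forge its digest."""
    return {name: digest(data, key) for name, data in files.items()}


def check(files: Files, base: Dict[str, str], key: bytes) -> Dict[str, str]:
    """Compare current digests with the baseline.  Every change is reported,
    whatever caused it, and nothing here names a virus: the method detects
    change, not viruses."""
    report: Dict[str, str] = {}
    for name in sorted(set(files) | set(base)):
        if name not in base:
            report[name] = "new"
        elif name not in files:
            report[name] = "missing"
        elif hmac.compare_digest(digest(files[name], key), base[name]):
            report[name] = "ok"
        else:
            report[name] = "modified"
    return report


def append_crc(data: bytes) -> bytes:
    """Self-check variant: store CRC32 of the code in the file's last four bytes."""
    return data + zlib.crc32(data).to_bytes(4, "little")


def verify_crc(data: bytes) -> bool:
    """Start-up self-check against the stored CRC32."""
    body, stored = data[:-4], int.from_bytes(data[-4:], "little")
    return zlib.crc32(body) == stored


def infect(data: bytes) -> bytes:
    """Constructed infection: a jump patched in at the front, a body appended."""
    return b"\xe9\x00\x00" + data + b"[constructed virus body]"


KEY = b"constructed scanner key; never stored in the scanned files"
ORIGINAL: Files = {
    "EDIT.COM": b"\xb4\x09\xcd\x21\xcd\x20" + bytes(32),   # tiny DOS stub plus padding
    "TOOL.EXE": b"MZ" + bytes(62),
}

if __name__ == "__main__":
    base = baseline(ORIGINAL, KEY)
    current = dict(ORIGINAL)
    current["EDIT.COM"] = infect(current["EDIT.COM"])        # infection
    current["TOOL.EXE"] = current["TOOL.EXE"] + b"v2"        # legitimate update
    print(check(current, base, KEY))    # both 'modified': the alarm cannot tell them apart

    prog = append_crc(ORIGINAL["EDIT.COM"])
    print(verify_crc(prog), verify_crc(infect(prog)))         # True False
    # A virus that knows the scheme just recomputes the unkeyed CRC after infecting:
    print(verify_crc(append_crc(infect(ORIGINAL["EDIT.COM"]))))   # True
```

The keyed digest of method 1 reports the infected file and the legitimately updated file with the same word, which is the false-alarm problem the text describes. The CRC self-check of method 2 catches a naive infection, but because the check value carries no secret, a virus that appends its body and then rewrites the trailing CRC passes the self-check; an unkeyed checksum stored in the file only stops viruses that do not know it is there.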
III. Behavior Monitoring
Behavior monitoring detects viruses by the behaviors that are characteristic of them. Years of observing and studying viruses have shown that certain behaviors are both common to viruses and peculiar to them; they are rare in normal programs. The monitor watches a program's behavior as it runs and raises an alarm as soon as virus-like behavior is seen.

Typical behavior patterns are:
A. Taking over INT 13h
Every boot virus attacks the boot sector or the master boot record. When the boot sector or master boot record gains control at start-up, the system has only just begun booting; the other system services have not yet been set up, so the BIOS disk interrupt INT 13h is the only one available. Boot viruses therefore hook INT 13h and plant the code they need there.
B. Changing the total memory size in the DOS data area
Once a virus is memory-resident, it must lower the total memory size recorded by the system so that DOS does not overwrite it.
C. Writing to COM and EXE files
To infect programs, a file virus must write to COM and EXE files.
D. Switching between the virus and the host program
When an infected program runs, the virus runs first and then passes control to the host program. This hand-off involves many characteristic actions.
Characteristics of behavior monitoring:
Advantages: it can detect unknown viruses, and it identifies the majority of unknown viruses reliably. Disadvantages: it may raise false alarms, it cannot name the virus, and it is difficult to implement.
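A rule set for the four behaviors above, run over constructed event traces of the kind a resident monitor or sandbox would record. This is an added example and not code from the article; the event format, the rule names, the BIOS data area address used for rule B and the alarm threshold are assumptions of the example. It also shows why a single behavior is not enough: a linker legitimately writes EXE files.

```python
"""Behavior monitoring over constructed event traces, added here as an example;
not code from the article.  Each event is a dict such as a resident monitor or
sandbox might log; the four rules correspond to behaviors A-D above.  Event
field names, rule names and the alarm threshold are assumptions of this example.
"""
from typing import Dict, List, Set

Event = Dict[str, object]

# BIOS data area word 0040:0013h (linear 0x0413): total conventional memory in KB.
# Resident boot viruses lower it so DOS never hands out the memory they occupy.
BDA_MEMORY_SIZE = 0x0413


def run_rules(trace: List[Event]) -> Set[str]:
    """Return the names of the behavior rules that the trace triggers."""
    hits: Set[str] = set()
    for ev in trace:
        op = ev["op"]
        if op == "set_vector" and ev["vector"] == 0x13:
            hits.add("A:hooks_int13")          # boot code taking over INT 13h
        elif op == "write_mem" and ev["addr"] == BDA_MEMORY_SIZE:
            hits.add("B:lowers_memory_top")    # reserving resident memory from DOS
        elif op == "open_write" and str(ev["path"]).upper().endswith((".COM", ".EXE")):
            hits.add("C:writes_executable")    # file infector writing a host
        elif op == "jump" and ev.get("target") == "host_entry":
            hits.add("D:hands_off_to_host")    # virus ran first, host runs second
    return hits


def verdict(hits: Set[str], threshold: int = 2) -> str:
    """One suspicious behavior on its own is common in legitimate tools (a linker
    writes EXE files), so alarm only when several rules fire.  The verdict says
    'virus-like', never which virus: the method cannot name it."""
    return "alarm" if len(hits) >= threshold else "clean"


# Constructed traces.
BOOT_VIRUS_TRACE: List[Event] = [
    {"op": "read_sector", "drive": 0x80, "sector": 1},
    {"op": "write_mem", "addr": BDA_MEMORY_SIZE, "value": 639},   # 640 KB -> 639 KB
    {"op": "set_vector", "vector": 0x13, "handler": "resident_stub"},
    {"op": "jump", "target": "original_boot_sector"},
]
FILE_INFECTOR_TRACE: List[Event] = [
    {"op": "open_write", "path": "C:\\DOS\\EDIT.COM"},
    {"op": "open_write", "path": "C:\\GAMES\\PLAY.EXE"},
    {"op": "jump", "target": "host_entry"},
]
LINKER_TRACE: List[Event] = [
    {"op": "open_read", "path": "MAIN.OBJ"},
    {"op": "open_write", "path": "MAIN.EXE"},
    {"op": "exit", "code": 0},
]

if __name__ == "__main__":
    for name, trace in [("boot virus", BOOT_VIRUS_TRACE),
                        ("file infector", FILE_INFECTOR_TRACE),
                        ("linker", LINKER_TRACE)]:
        hits = run_rules(trace)
        print(f"{name:14} {verdict(hits):6} {sorted(hits)}")
```

Lowering the threshold to one rule turns the linker into a false alarm, which is the trade-off the text calls "difficult to implement": the rules must be specific enough to skip legitimate tools yet general enough to catch viruses nobody has seen.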
IV. Software Simulation Method
A polymorphic virus changes its encryption key on every infection, which defeats the signature method: the virus body is stored encrypted under a different key each time, so comparing the code of different infections yields no stable bytes that could serve as a signature. Behavior monitoring can detect a polymorphic virus, but since it does not know which virus it is facing, removing the infection completely is difficult. The software simulation method addresses this by running the suspect code on a simulated processor under the scanner's control: the virus's own decryption routine restores the plaintext body, which the usual detection methods can then examine.
Characteristics of the software simulation method:
Advantages: the strongest detection capability of the four, because once the code has been decrypted in the simulator, several detection methods can be applied to it.
Disadvantages: scanning is slow, and the verdict is often inaccurate.
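A small emulator makes the point concrete. The following is an added example, not code from the article or from any real scanner: it uses a toy bytecode in place of x86, a constructed virus body and signature, and a constructed host; the opcodes and file layout are assumptions of the example. The raw scan fails on every infection because the bytes differ each time, while the scan after emulating the decryptor succeeds; the step budget shows where the method's slowness and inaccuracy come from.

```python
"""Software simulation (emulation) of a polymorphic decryptor, added here as an
example; not code from the article.  A toy bytecode stands in for x86: the
'virus' stores its body XOR-encrypted under a per-infection key behind a short
decryptor padded with a variable number of junk NOPs, so neither the encrypted
body nor the decryptor offers a stable signature.  Emulating the decryptor in a
sandbox yields the plaintext body, which a signature then matches.  Opcodes,
virus body, signature and host are all constructed for this example.
"""
from typing import Optional

NOP, SET_KEY, SET_LEN, XOR_BODY, JMP_BODY = 0x00, 0x10, 0x20, 0x30, 0x40

# Constructed plaintext virus body; the first bytes imitate 'mov ah,4Eh / int 21h'
# (DOS find-first), the rest is a marker.  Identical in every infection.
VIRUS_BODY = b"\xb4\x4e\xcd\x21" + b"[constructed virus body, identical in every infection]"
SIGNATURE = VIRUS_BODY[:12]          # 12 stable plaintext bytes


def infect(host: bytes, key: int, junk: int) -> bytes:
    """Polymorphic engine: fresh key and fresh junk length on every infection.
    Layout: [junk NOPs][SET_KEY k][SET_LEN n][XOR_BODY off][JMP_BODY][encrypted body][host]
    """
    if not 1 <= key <= 0xFF or len(VIRUS_BODY) > 0xFF or junk > 0xF0:
        raise ValueError("key, body length and junk must fit one-byte operands")
    decryptor = bytes([NOP] * junk) + bytes([SET_KEY, key, SET_LEN, len(VIRUS_BODY)])
    body_off = len(decryptor) + 3                    # XOR_BODY off, JMP_BODY still to add
    decryptor += bytes([XOR_BODY, body_off, JMP_BODY])
    encrypted = bytes(b ^ key for b in VIRUS_BODY)
    return decryptor + encrypted + host


def emulate(data: bytes, max_steps: int = 64) -> Optional[bytes]:
    """Run the bytes at offset 0 as decryptor code in a sandbox.  Return the
    memory image as it looks when control would reach the body, or None if the
    bytes are not a decryptor we understand.  max_steps caps the work per file,
    which is where the method's slowness (and, when the cap is hit, its misses)
    comes from."""
    mem = bytearray(data)
    key = length = None
    pc = 0
    for _ in range(max_steps):
        if pc >= len(mem):
            return None
        op = mem[pc]
        if op == NOP:
            pc += 1
        elif op in (SET_KEY, SET_LEN, XOR_BODY):
            if pc + 1 >= len(mem):
                return None
            operand = mem[pc + 1]
            if op == SET_KEY:
                key = operand
            elif op == SET_LEN:
                length = operand
            else:
                if key is None or length is None:
                    return None                      # decrypting before set-up: not ours
                for i in range(operand, min(operand + length, len(mem))):
                    mem[i] ^= key
            pc += 2
        elif op == JMP_BODY:
            return bytes(mem)                        # control transfers to decrypted body
        else:
            return None                              # unknown opcode: not a decryptor
    return None                                      # step budget exhausted: give up


def detect(data: bytes) -> str:
    """Signature scan on the raw file, then on the emulated image."""
    if SIGNATURE in data:
        return "signature (raw)"
    image = emulate(data)
    if image is not None and SIGNATURE in image:
        return "signature (after emulation)"
    return "clean"


if __name__ == "__main__":
    host = b"MZ" + bytes(20)                         # constructed clean host
    for key, junk in ((0x5A, 3), (0xA3, 11)):
        sample = infect(host, key, junk)
        print(f"key={key:02x} junk={junk:2} -> {detect(sample)}")
    print(f"clean host -> {detect(host)}")
```

With the default budget of 64 steps, an infection padded with more than 60 junk bytes is abandoned before its decryptor finishes and goes undetected; raising the budget fixes that at the price of more time per file. That single knob is the slow-versus-inaccurate trade-off the text lists as the method's weakness.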
V. Summary
Having reviewed these detection methods, the conclusion is that current anti-virus software relies mainly on signature recognition. A signature is the distinctive piece of code that the anti-virus vendor extracts from the virus itself in order to identify it (a virus, like a person, always has its own characteristics). Our "kill-free" (anti-virus evasion) approach targets exactly these signatures: if the scanner can no longer find them, it no longer reports the file as a virus. It must be stressed, however, that the file's own functionality must not be damaged; the modified file must behave exactly like the original. Only then does the evasion count as effective.

Note: This article is excerpted from Ji Liang, author of "Password to Death".
