Hard Disk and Memory Detection: Four Methods to Detect Viruses

Source: Internet
Author: User

[News collection on the IT168 Forum] There are many ways to detect viruses. Today we explain four of them.

Search Method

This method scans the object being examined for specific byte strings that are known to be contained in each virus. If a particular byte string is found in the object, the virus that the string represents has been found. Abroad, virus scanning software that works by this search method is called a "virus scanner". Such software consists of two parts: a virus code base containing specially selected virus code strings, and a scanning program that uses that code base. The number of viruses a scanner can recognize depends entirely on how many virus types the code base contains, so the selection of the virus code strings is very important. Even a short virus is more than a hundred bytes long, and a long one can reach 10 KB, so the program must be analysed carefully and the most representative feature selected: a code string that is enough to distinguish this virus from other viruses and from its own variants. Usually a code string consists of several consecutive bytes, but some scanning software uses variable-length strings that contain one or more "fuzzy" bytes; when the scanner meets such a string, the virus is identified as long as all bytes except the fuzzy ones match. In addition, the feature string must not also occur in normal, non-virus programs, otherwise the scanner produces false alarms (false positives).

Feature Word Recognition

This method is developed from the feature string scanning method; it runs fast and has a low false positive rate. Instead of a whole string, it extracts only a few key feature bytes from the virus to form a feature word. Because few bytes have to be processed and no string matching is needed, recognition is much faster, which suits cases where the program being examined is large. Because feature word recognition concentrates on the virus's "program activity", it also reduces the chance of a false report. Scanners based on feature strings and scanners based on feature words are used in the same way: run the scanning program and any known virus is detected. Both methods require the virus database to be expanded continually: once a new virus is captured, its feature is extracted and added to the database, and the scanner can then detect that virus.
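The two signature methods above (the search method with "fuzzy" bytes, and feature words checked at a fixed offset without any string search) in one small scanner. This is an added example, not code from the article; the signature database and the sample buffers are constructed for illustration and are not real virus code.

```python
"""Toy scanner for two signature methods (constructed example).

- "string": a byte pattern, possibly with wildcard ("fuzzy") bytes, searched
  anywhere in the object (the search method);
- "word": a few key bytes expected at a fixed offset, checked directly
  (feature word recognition, no string matching).
"""

# Signature database: (name, kind, offset, pattern). Pattern entries are an
# int (exact byte) or None (fuzzy byte, allowed only in "string" patterns).
# All names and bytes below are invented sample data.
SIGNATURES = [
    ("Demo.A", "string", None, [0xB8, 0x00, 0x4C, 0xCD, 0x21]),         # exact
    ("Demo.B", "string", None, [0xE8, None, None, 0x5E, 0x81, 0xEE]),   # fuzzy
    ("Demo.C", "word",   0x1C, [0xDE, 0xAD, 0xBE, 0xEF]),               # fixed offset
]

def match_at(data, pos, pattern):
    """True if pattern matches data at pos; None entries match any byte."""
    if pos + len(pattern) > len(data):
        return False
    return all(p is None or data[pos + i] == p for i, p in enumerate(pattern))

def find_string(data, pattern):
    """Search method: slide the (possibly fuzzy) pattern over the object."""
    for pos in range(len(data) - len(pattern) + 1):
        if match_at(data, pos, pattern):
            return pos
    return -1

def scan(data):
    """Return the names of all signatures that match the object."""
    hits = []
    for name, kind, offset, pattern in SIGNATURES:
        if kind == "string" and find_string(data, pattern) >= 0:
            hits.append(name)
        elif kind == "word" and match_at(data, offset, pattern):
            hits.append(name)
    return hits

# Constructed sample objects: a clean buffer and three modified copies.
CLEAN = bytes(range(64)) * 2
INFECTED_B = CLEAN[:30] + bytes([0xE8, 0x12, 0x34, 0x5E, 0x81, 0xEE]) + CLEAN[36:]
INFECTED_C = CLEAN[:0x1C] + b"\xDE\xAD\xBE\xEF" + CLEAN[0x20:]
MISPLACED = CLEAN[:40] + b"\xDE\xAD\xBE\xEF" + CLEAN[44:]   # word at wrong offset

if __name__ == "__main__":
    for label, buf in [("clean", CLEAN), ("B", INFECTED_B),
                       ("C", INFECTED_C), ("misplaced", MISPLACED)]:
        print(label, scan(buf))
```

The MISPLACED buffer shows the difference between the methods: the same four bytes are present, but a feature word is only checked at its expected offset, so it is not reported.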

Analytical Method

This method can determine whether the disk boot area or program being examined contains a virus, identify the virus's type and variant so as to tell whether it is a new virus, work out the general structure of the virus body, and extract the byte strings or feature words used for recognition so they can be added to the code base used by virus scanning programs. Detailed analysis of the virus code also helps in developing the corresponding anti-virus measures. Unlike the other three detection methods, the analytical method requires not only the relevant knowledge but also analysis tools such as Debug and Proview and a dedicated test computer. Even a highly skilled virus analyst with good analysis software cannot guarantee that the virus code will be fully understood in a short time, and during analysis the virus may continue to infect or even trigger and destroy all the data on the floppy and hard disks. Analysis must therefore be carried out on a dedicated test PC where data corruption does not matter, and should not be started unless necessary. Many viruses use self-encryption, anti-tracing and other techniques, which makes analysis lengthy and tedious; the code of some file-infecting viruses exceeds 10 KB and is deeply entangled with the system, so detailed analysis is very complicated. Even so, virus analysis is an indispensable part of anti-virus work: no high-performance anti-virus system can be developed without detailed and careful analysis of each virus by dedicated staff.

Analysis can be static or dynamic. Static analysis uses Debug or another disassembler to produce a disassembly listing of the virus code, which is then studied to see what modules the virus is divided into, which system calls and techniques it uses, how to reverse the infection process so the virus can be removed and the file repaired, which code can serve as a feature string, and how the virus can be defended against. The more skilled the analyst, the faster the analysis and the deeper the understanding. Dynamic analysis uses Debug or similar debugging tools to trace the virus while it is resident in memory and observe its working process in detail, deepening the understanding gained from static analysis. Dynamic analysis is unnecessary when the virus code is fairly simple, but when a virus employs many technical tricks, static and dynamic analysis must be combined to complete the analysis.

In summary, comparing the program under examination with an original backup suits situations where no special software is available and only an anomaly needs to be found; it is a simple, basic detection method. Feature string scanning and feature word recognition are better suited to PC users, being convenient and fast, but they may miss new viruses and must be combined with analysis and comparison.

With both technical and management measures, computer viruses can be fully prevented.

A virus must infect something, and infection leaves traces, just as with biological viruses. To detect a computer virus, examine the places where viruses lodge for abnormal conditions, then distinguish "healthy" from infected to confirm whether a virus is present. A dormant virus is stored on the hard disk; once activated it resides in memory. Detection of computer viruses is therefore divided into hard disk detection and memory detection.

When checking a hard disk for viruses, memory must be free of viruses, because some viruses feed false information to the examiner. For example, while the "4096" virus is resident, an infected file appears unchanged in length; when memory is clean, the file is seen to have grown by 4096 bytes. Likewise, while the "DIR2" virus is resident, viewing an infected file with Debug does not reveal the DIR2 code, so many detection programs have missed infected files. The boot-sector virus "Pakistani Brain" behaves the same way: while it is active in memory, examining the boot area shows the normal boot sector instead of the virus program. Detection with the virus resident in memory is therefore appropriate only when the virus type has to be identified for analysis and research. Booting from an original, uninfected DOS system floppy guarantees that memory contains no virus. This must be a cold boot (power on), not a warm boot with Alt + Ctrl + Del, because some viruses intercept the keyboard and stay resident in memory. To check the hard disk, the DOS version of the boot floppy must be equal to or higher than the DOS version on the hard disk. If the hard disk uses disk management software such as DM or ADM, or disk compression software such as Stacker or DoubleSpace, the drivers for that software must be on the floppy and listed in CONFIG.SYS; otherwise, after booting from the floppy, some hard disk partitions will be inaccessible and any virus hiding there will escape inspection.

Hard disk detection is divided into detection of boot-sector viruses and detection of file viruses. The two are the same in principle but differ in practice because the viruses are stored differently. Both rely mainly on the following four methods: comparing the examined object with its original backup; searching for virus feature code strings; recognizing feature words at specific locations in the virus body; and analyzing the examined object with disassembly to determine whether it is a virus.

Comparison Method

This method compares the original backup with the boot sector or file being examined. The comparison can be done on printed code listings (for example in the output format of the Debug D command) or by programs such as DOS DISKCOMP and COMP, PCTOOLS and similar software. The comparison method needs no specialized virus scanning program, only common tools such as DOS utilities and PCTOOLS, and it can find viruses that existing anti-virus software cannot. Viruses spread quickly and new ones appear one after another; at present no general program can find every virus, nor can code analysis alone decide whether a program contains a virus, so only the comparison method and the analytical method, alone or combined, can discover new viruses. Checking the hard disk master boot area or the DOS boot sector by comparison shows whether the program code has changed. Because comparison depends on it, keeping the original backup is very important: the backup must be made in a virus-free environment and then properly stored, labelled and write-protected. The advantage of the comparison method is that it is simple and convenient and needs no special software; the disadvantage is that it cannot name the virus. Moreover, the cause of the difference between the examined program and the backup still has to be verified: it may be a virus, or the DOS data may have been changed accidentally by a sudden power failure, a runaway program or a malicious program. The analytical methods are then used to examine the nature of the changed code and confirm whether a virus is present.
