How much do you know about high inspiration?

Source: Internet
Author: User

Let's review some knowledge together while the site is quiet. Today we see that the 360 firewall also has a dedicated heuristic engine, so we need to go through heuristic scanning in detail. We should all be familiar with Avira, the famous "little red umbrella", which is also a mainstream antivirus. Because of its strong heuristics, even a well-disguised virus is often easy for it to find and remove; however, its false positives are relatively serious. Of course, that is a common feature of antivirus software with aggressive heuristics. So first we need to understand what "high heuristics" means: as the name suggests, it means a high level of discrimination. Why? Heuristic detection is also called broad-spectrum, or gene, scanning. It is similar to our genes: we all know that human genes are very rich and basically carry all of your physiological characteristics. The same principle applies to this kind of gene: it can cover multiple forms of the same type of virus and so identify them better. If a signature is a one-to-one relationship, a gene is many-to-one, that is, one gene can match multiple viruses. Here I'll mention the GEN gene. Avira made one tailored to Gray Pigeon, because Gray Pigeon had such a big impact that it made a gene for it directly; so now, apart from the source code, Gray Pigeon has made new changes, but basically small changes cannot beat the antivirus products on the market. That is also why Gray Pigeon gradually left the stage. Next, let's talk about how Avira determines a virus. Below is a detailed explanation of Avira's terminology from the official website, which you can check when a detection reads HEUR/Malware: a test program used to detect common threat features. AntiVir uses the AHeAD technology to detect unknown threat programs.
For this purpose, Avira has developed an innovative structural analysis technology. Based on the composition of a file, a significant code sequence, or a specific behaviour pattern, the heuristic can determine with high probability whether it is dealing with a harmful or infected file. The Google translation is quite awkward. My understanding is that, on top of pattern matching, the behaviour of the program is also analysed: if there is code in its behaviour sequence that harms the computer, the engine can be quite sure it is a virus. For example, if we write a program that modifies startup items or embeds itself in a driver or process, the heuristic will probably decide that your program is a virus because of these dangerous behaviours, even if that is a false positive. That should be understandable; it is my own point of view. These behaviour analyses are carried out in a virtual environment the engine builds itself. That is, in this virtual system the target program is just a file: let it run and see what it wants to do. Therefore packing obviously plays no role here, which is why there is currently no packer that can effectively evade heuristic scanning. HEUR/Crypted: a test program used to detect common threat features. AntiVir uses the AHeAD technology to detect unknown threat programs. For this purpose, Avira has developed an innovative structural analysis technology. From the underlying structure of a file, the order of meaningful code, or special behavioural characteristics, the heuristic can determine with high probability whether the file is harmful or contains a virus. HEUR/Crypted specifically points out programs with a suspicious structure. Normally such files are encrypted and, after running, often generate other files to try to hide their real function. From this description we know that the HEUR/Crypted gene signature is what gets reported when a packed virus is found during scanning.
Similar to these below, which are all broad-spectrum (name, type, date added):
1. TR/Crypt.FSPM.gen (Trojan), added 01 Mar 2007
2. TR/Crypt.XDR.gen (Trojan), added 01 Mar 2007
3. TR/Crypt.PEC2X.gen (Trojan), added 01 Mar 2007
4. TR/Crypt.ULPM.gen (Trojan), added 05 Feb 2007
5. TR/Crypt.XPACK.gen (Trojan), added 05 Feb 2007
6. worm/P2P.kapucen.gen (Worm), added 15 Dec 2006
7. TR/Dldr.mondo.gen (Trojan), added 15 Dec 2006
8. TR/Crypt.PCMM.gen (Trojan), added 05 Dec 2006
9. TR/Dldr.DNSChanger.gen (Trojan), added 24 Nov 2006
10. DR/Dldr.DNSChanger.gen (Dropper), added 24 Nov 2006
11. BDS/Optix.gen (Backdoor Server), added 21 Nov 2006
12. TR/AntiHosts.gen (Trojan), added 21 Nov 2006
13. TR/Diamin.gen (Trojan), added 08 Nov 2006
14. TR/Crypt.YCM.gen (Trojan), added 08 Nov 2006
15. TR/Crypt.NSPM.gen (Trojan), added 08 Nov 2006
16. TR/Crypt.ntpacker.gen (Trojan), added 08 Nov 2006
17. TR/Crypt.s.gen (Trojan), added 08 Nov 2006
18. TR/Spy.viking.gen (Trojan), added 08 Nov 2006
19. TR/PolyCrypt.gen (Trojan), added 08 Nov 2006
20. TR/Dldr.administration.gen (Trojan), added 26 Oct 2006
21. TR/Wimad.a.gen (Trojan), added 19 Oct 2006
22. TR/Dldr.swizzor.gen (Trojan), added 13 Oct 2006
23. worm/Feebs.1.Gen.5 (Worm), added 02 Oct 2006
24. TR/Clicker.small.FU.gen (Trojan), added 01 Oct 2006
25. TR/Dldr.conHook.gen (Trojan), added 01 Oct 2006
26. TR/Crypt.np.gen (Trojan), added 01 Oct 2006
27. BDS/Hupigon.gen (Backdoor Server), added 01 Oct 2006
28. worm/Stration.gen (Worm), added 01 Oct 2006
29. DR/Zlob.gen (Dropper), added 19 Sep 2006
30. TR/Spy.banker.gen (Trojan), added 19 Sep 2006
31. TR/Dldr.zlob.gen (Trojan), added 19 Sep 2006
32. TR/Crypt.FKM.gen (Trojan), added 19 Sep 2006
33. TR/Proxy.horst.gen (Trojan), added 19 Sep 2006
34. TR/Rootkit.gen (Trojan), added 19 Sep 2006
35. DR/Shelled.gen (Dropper), added 19 Sep 2006
36. TR/Java.downloader.gen (Trojan), added 19 Sep 2006
37. TR/Delphi.downloader.gen (Trojan), added 19 Sep 2006
38. TR/Crypt.f.gen (Trojan), added 19 Sep 2006
39. DR/Delphi.gen (Dropper), added 19 Sep 2006
40. TR/Vundo.gen (Trojan), added 19 Sep 2006
41. HTML/Feebs.gen (Malware), added 09 Feb 2006
42. worm/Sober.gen (Worm), added 30 Jan 2006
43. worm/Bagle.gen (Worm), added 29 Jan 2006
44. worm/Roron.gen (Worm), added 15 Jun 2004
45. w95/Hybris.gen.3 (Malware), added 15 Jun 2004
46. w95/Hybris.gen.2 (Malware), added 15 Jun 2004
47. w95/Hybris.gen.1 (Malware), added 15 Jun 2004
There are still many more that are not in this list; you can find the relevant information on the official website. The entries above can be clearly identified from their gene suffixes; it seems like the surjection concept from the discrete mathematics we just learned. If Avira reports a virus, you can quickly look up unknown detections at this address: http://www.avira.com/zh-cn/support-for-home-knowledgebase-search One of the key points I want to talk about is the working principle of the heuristic engine. The other is avoiding heuristic scanning of Trojans, that is, evading heuristic detection. I remember when I was a child, my computer was always infected with viruses. I liked to buy Computer Fan because it came with CDs... Antivirus: Jiangmin was popular at the time. It published signatures on the Internet, and then users entered them into the scanner themselves; the method where the system finds them itself was also a bumpy path toward signature-based antivirus. Why bumpy? If the signature position is not effective and customer response is poor, the software gets replaced, and Jiangmin gradually left the stage. That was a bit lyrical... Let's continue with the problem I want to talk about: avoiding interference from the little red umbrella. Because of its heuristics, you often find that all the generated split files get flagged, which is very embarrassing; sometimes it loops and processes them again, and in the end you do not know which one holds the signature. If the above problem occurs, you are basically being interfered with by it. I think there may be a mechanism that determines you are targeting the virus: signature locating generates a lot of module files, these files will certainly attract the attention of the cloud, and so it also takes appropriate measures to disturb you.
For example, it can delete the files with the same file name from your log record and locate the generated files with the same file name.
1. If you fill a normal file (one that is not detected) with 0 or other characters in a section or over a large area, 360 reports QVM.
2. When the contents of three sections of the Trojan appear at the same time, QVM is reported. Sections 1 and 2 together do not trigger a report, sections 2 and 3 together do not, sections 1 and 3 together do not, but all three sections together do.
3. Change the attribute of the first section (the code section, .text or .code) to writable: 360 reports QVM.
4. Change the entry point to any section other than the code section: 360 reports QVM.
5. With the network disconnected, a file with the same name whose content changes frequently is flagged deliberately.
Leaving item 5 aside for now and analysing items 1 and 2: I think you should understand that the signature locator cannot locate anything, because it fills in a large area, and filling a large area of a normal file turns the file itself into a signature. Solution: find a normal file whose section table structure is similar to the Trojan's, trim its physical size in C32 to the same size as the Trojan, and change the image size and the physical sizes of the sections to reasonable values (if the virtual address + virtual size of your last section is greater than the image size, your file is invalid and 360 will not flag it; in the section table, the offsets and sizes of consecutive sections must be contiguous). After adjusting, use 360 to check whether the sample can be used as an auxiliary tool for evasion, then manually copy the content of each section into the corresponding section of the Trojan. That way you can determine which section of the Trojan 360 detects, and then narrow down the position until you find the signature.
Note the interference method in item 4. Finally, do not forget to replace the whole PE header to determine whether the PE header is being detected. From the analysis of items 3 and 4 you will understand: if your encryption code is written in the code section, the section attributes must be set to writable before execution, and if they are set to writable it will be flagged. If the encryption code is written to another section, it will be flagged if the entry point is not in that section. Solution: write the encryption code to the data section, because the data section is writable by default. The entry point stays in the code section, jumps to the data section to execute the encryption code, and then jumps back to the code section. Note that if you want to hide the import table, the section holding the import table is not writable. You can hide the import table as long as it stays non-writable, and the file still executes normally; if you change the import table's section attribute to writable, 360 flags it. Of course, we all know the section attributes are written in the PE header. These are some of the experiences we have shared with others. Generally, we choose MultiCCL for accurate, interference-free locating. However, when using MyCCL we are used to setting the start position to 1000, but when locating for the red umbrella separately we need to change it until it runs uninterrupted, for example a start position of 350 or 600; for filling, you can change 00 to 90. 90 is NOP, which has no effect on the program. Sometimes you need to select reverse locating, because it may be detected in the import table; if you start from the import table directly it will be there and will definitely not let you locate it properly. These are my little experiences when using the little red umbrella, and I would like to share them with you.
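As an added example (not code from the original post or from 360 or Avira), here is a small Python triage checker for the structural indicators the text attributes to 360 QVM: an entry point outside a code section, a writable code section, and a section dominated by a single filler byte. It parses a PE section table with struct only; the two PE images are constructed inline for the demonstration and are not real binaries, and file alignment is ignored.

```python
import struct

# Section characteristics flags from the PE specification.
IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_WRITE = 0x20, 0x20000000, 0x80000000

def build_pe(sections, entry_rva):
    """Constructed header-only PE32 image for testing; sections = [(name, rva, characteristics, raw_bytes)]."""
    opt_size = 96                                   # PE32 optional header, no data directories
    raw_off = 0x40 + 4 + 20 + opt_size + 40 * len(sections)   # raw data follows the section table
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)        # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, opt_size, 0x102)
    opt = struct.pack("<HBBIIII", 0x10B, 0, 0, 0, 0, 0, entry_rva).ljust(opt_size, b"\0")
    table, data = b"", b""
    for name, rva, chars, raw in sections:
        table += struct.pack("<8sIIIIIIHHI", name, len(raw), rva, len(raw), raw_off, 0, 0, 0, 0, chars)
        data, raw_off = data + raw, raw_off + len(raw)
    return dos + b"PE\0\0" + coff + opt + table + data

def parse_pe(pe):
    """Return (entry_rva, [(name, rva, size, characteristics, raw_bytes)]) from a PE image."""
    nt = struct.unpack_from("<I", pe, 0x3C)[0]                 # offset of the "PE\0\0" signature
    nsect = struct.unpack_from("<H", pe, nt + 6)[0]            # NumberOfSections
    opt_size = struct.unpack_from("<H", pe, nt + 20)[0]        # SizeOfOptionalHeader
    entry = struct.unpack_from("<I", pe, nt + 24 + 16)[0]      # AddressOfEntryPoint
    secs = []
    for i in range(nsect):
        name, vsize, va, rsize, rptr, _, _, _, _, chars = struct.unpack_from(
            "<8sIIIIIIHHI", pe, nt + 24 + opt_size + 40 * i)
        secs.append((name.rstrip(b"\0").decode(), va, max(vsize, rsize), chars, pe[rptr:rptr + rsize]))
    return entry, secs

def heuristic_flags(pe):
    """Report the three structural indicators the text describes (items 1, 3 and 4)."""
    entry, secs = parse_pe(pe)
    flags = []
    home = next((s for s in secs if s[1] <= entry < s[1] + s[2]), None)
    if home is None or not home[3] & (IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE):
        flags.append("entry point outside a code section")
    for name, _, _, chars, raw in secs:
        if chars & IMAGE_SCN_CNT_CODE and chars & IMAGE_SCN_MEM_WRITE:
            flags.append(f"code section {name} is writable")
        if raw and max(raw.count(b) for b in set(raw)) / len(raw) > 0.9:
            flags.append(f"section {name} is mostly one filler byte")
    return flags

# Constructed samples: a plausible layout, and one showing all three indicators at once.
CLEAN = build_pe([(b".text", 0x1000, 0x60000020, bytes(range(1, 65))),
                  (b".data", 0x2000, 0xC0000040, b"hello\0\0\0")], entry_rva=0x1010)
SUSPECT = build_pe([(b".text", 0x1000, 0xE0000020, bytes(range(1, 65))),
                    (b".data", 0x2000, 0xC0000040, b"\0" * 256)], entry_rva=0x2000)
```

heuristic_flags(SUSPECT) lists all three indicators while heuristic_flags(CLEAN) returns an empty list; on a real file, read the bytes from disk and pass them straight to heuristic_flags.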
If your remote control tool is flagged by the little umbrella's heuristics, please give this a try ~ I feel that my website is a little inactive, and I suggest you keep on studying. The article is a bit long; thank you for reading.
