I. Detection method:
The AVP virus database holds several kinds of feature records; one of them is the memory feature. This is the feature set AVP uses to detect and remove memory-resident viruses, and AVP applies some independent detection methods to memory-resident infections.
AVP scans for viruses resident in memory using the scan method and address offset recorded in the virus database. Starting from that address offset, AVP performs byte-by-byte matching: when the byte at Segment:Offset + byte offset equals the record's match byte, AVP goes on to compute the pattern of the length given in the database record. If it exactly matches the feature stored in the database, the corresponding virus message is displayed and, at the same time, the memory is repaired according to the repair length and repair byte content specified in the database's repair record, so that the original virus is no longer active after the repair.
Caifan Ansoft Exchange Center
The record structure contains the following fields:
Virus name
Search method: absolute address scan, dedicated module, ...
Address offset: segment + offset
Match byte
Feature length
Feature bytes
Dedicated routine: Obj_Link
Repair offset address
Repair byte length: generally less than 10
Repair bytes
II. Search methods:
As can be seen from the above, AVP ensures fast processing, and a key factor is its search method. In fact, AVP has many built-in search methods, applicable to systems such as MSDOS, WIN9X and WINNT/2000/XP. AVP can use a variety of memory search methods to process a virus; the methods differ only in how efficient they are.
1. Absolute address:
AVP uses the absolute address scan method to scan for a virus. The scanner reads the corresponding address from the database record and matches against memory at that address. After a match, the scanner performs the repair.
2. Segment scan:
AVP steps through a memory segment one byte at a time, starting at the beginning of the segment and scanning until the end of the segment.
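The record-driven match-then-repair described in the detection method above, and the absolute-address and segment-scan methods from sections 1 and 2, as an added illustration in C (this is not AVP's own code; the struct layout, field names, the helper names match_at, avp_absolute_scan, avp_segment_scan and avp_demo, the byte-array stand-in for DOS memory and the sample bytes are all constructed assumptions):

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* One memory record, modelled on the fields listed in the article.
   Field names and layout are assumptions, not the real AVP database format. */
typedef struct {
    const char    *name;        /* virus name */
    size_t         addr;        /* absolute address = segment * 16 + offset */
    uint8_t        match_byte;  /* single byte checked first (cheap pre-filter) */
    const uint8_t *feature;     /* signature bytes compared once the match byte hits */
    size_t         feature_len; /* feature length */
    size_t         fix_rel;     /* repair offset, relative to the hit address (assumed) */
    const uint8_t *fix;         /* repair bytes written over the resident code */
    size_t         fix_len;     /* generally fewer than 10 bytes */
} mem_record;

#define MEM_SIZE 0x100
static uint8_t mem[MEM_SIZE];   /* constructed stand-in for the DOS memory image */

/* Match byte, then full feature, at one address; on a hit, apply the repair in place. */
static int match_at(uint8_t *m, size_t m_len, size_t at, const mem_record *r) {
    if (at >= m_len || m[at] != r->match_byte) return 0;
    if (at + r->feature_len > m_len || memcmp(m + at, r->feature, r->feature_len) != 0) return 0;
    if (at + r->fix_rel + r->fix_len > m_len) return 0;
    memcpy(m + at + r->fix_rel, r->fix, r->fix_len);
    return 1;
}

/* Method 1, absolute address: look only at the address stored in the record. */
int avp_absolute_scan(uint8_t *m, size_t m_len, const mem_record *r) {
    return match_at(m, m_len, r->addr, r);
}

/* Method 2, segment scan: step one byte at a time from seg_start to seg_end; -1 if no hit. */
long avp_segment_scan(uint8_t *m, size_t m_len, size_t seg_start, size_t seg_end, const mem_record *r) {
    for (size_t at = seg_start; at < seg_end && at < m_len; at++)
        if (match_at(m, m_len, at, r)) return (long)at;
    return -1;
}

/* Constructed scenario: the feature is planted at 0x40 (the recorded address) and again at
   0x90, which only the segment scan finds. Returns 1 when every step behaves as expected. */
int avp_demo(void) {
    static const uint8_t feat[] = {0xDE, 0xAD, 0xBE, 0xEF, 0x13, 0x37}; /* constructed, not a real signature */
    static const uint8_t fix[]  = {0xCF, 0x90};                         /* IRET; NOP: neutralise the entry point */
    mem_record r = {"Sample.Constructed", 0x40, 0xDE, feat, sizeof feat, 0, fix, sizeof fix};
    memset(mem, 0, sizeof mem);
    memcpy(mem + 0x40, feat, sizeof feat);
    memcpy(mem + 0x90, feat, sizeof feat);
    int  first  = avp_absolute_scan(mem, MEM_SIZE, &r);                /* 1: found and repaired */
    int  again  = avp_absolute_scan(mem, MEM_SIZE, &r);                /* 0: match byte is now 0xCF */
    long seghit = avp_segment_scan(mem, MEM_SIZE, 0x80, MEM_SIZE, &r); /* 0x90 */
    return first == 1 && again == 0 && seghit == 0x90 && mem[0x40] == 0xCF && mem[0x90] == 0xCF;
}
```

The second absolute scan returning 0 shows why the repair matters for the scanner itself: once the match byte has been overwritten, the same record no longer fires, so a cleaned image is not reported twice.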
3. Full scan:
AVP starts from memory address 0x00000000 and scans continuously, matching across the whole of memory.
4. Dedicated modules:
This method is for certain "cunning" viruses. When the normal scan and detection methods defined by AVP cannot identify the virus correctly, a dedicated processing module is used to detect and remove it. After this module is compiled, the resulting files in OBJ format are stored in AVP library records.
5. Interrupt tracking:
This is mainly the scan method of AVP for DOS. By tracing the system interrupts INT21 and INT13, it locates the virus code resident in memory and modifies the code near these instructions so that the virus becomes inactive.