Methods of detecting computer viruses

Source: Internet
Author: User
Tags: comparison, backup

A virus that is to spread must leave traces; this holds for biological viruses and for computer viruses alike. Detecting a computer virus therefore means going to the places where a virus would reside, looking for abnormal conditions, and then identifying what has been found to confirm that a virus is present. A computer virus is stored on the hard disk and, while active, resides in memory, so detection divides into detection on the hard disk and detection in memory.

As a rule, the hard disk should be examined with no virus in memory, because some viruses deceive the examiner while they are resident. When the "4096" virus is in memory, for example, the files it has infected appear to be their original length; only with no virus in memory does the file length show its increase of 4096 bytes. Similarly, with the "DIR2" virus in memory, viewing an infected file with the DEBUG program shows none of the virus code at all, which is why many detection programs have missed infected files. The boot-sector "Pakistan think tank" virus likewise shows only a normal boot sector when the boot area is inspected while it is active in memory. Detection with a virus in memory is only feasible once that type of virus has been identified and analysed. To make sure no virus is in memory, boot from an original, uninfected DOS system floppy disk. This must be a cold boot after switching the power off, not a warm boot with Alt+Ctrl+Del, because some viruses intercept the keyboard interrupt and keep themselves resident in memory across a warm reboot. To examine the hard disk, the DOS version on the boot floppy must be equal to or higher than the DOS version on the hard disk. If hard disk management software such as DM or ADM, or compressed-storage software such as Stacker or DoubleSpace, is in use, the boot floppy must carry their drivers and load them from its Config.sys file; otherwise, after booting from the floppy, not all partitions of the hard disk are accessible and a virus hidden there escapes detection.

Detection on the hard disk divides into detecting boot-sector viruses and detecting file-type viruses. The principle of the two is the same; the method differs because the virus is stored differently. Four methods are mainly used: the comparison method, which compares the examined object with an original backup; the search method, which scans for a virus's characteristic code string; the feature character recognition method, which checks for characteristic bytes at specific locations in the virus; and the analysis method, which disassembles the object to confirm whether it is a virus.

Comparison method

This method compares the examined boot sector or files against an original backup. The comparison can be made against a printed code listing (such as the output of the DEBUG D command) or with a program (such as the DOS diskcomp and comp commands, PCTools, or other software). It requires no dedicated virus detection program, since ordinary DOS commands and tools such as PCTools suffice, and it can find viruses that existing anti-virus software does not yet detect. Because viruses spread quickly and new ones keep appearing, there is no general-purpose program that detects all viruses, nor one that determines by code analysis whether a program carries a virus; only comparison, analysis, or the two combined can discover new viruses. In the comparison method, the master boot area of the hard disk or the DOS boot sector is examined to find out whether its program code has changed. Since everything depends on the comparison, the original backup must be kept: it must be made in an environment free of computer viruses, stored carefully, labelled clearly, and write-protected. The advantage of the comparison method is that it is simple, convenient and needs no special software; the disadvantage is that it cannot name the type of virus. In addition, the cause of a difference between the examined program and the original backup still has to be established, to find out whether it was a computer virus or an accident to the DOS data such as a sudden power failure, a program running out of control, or a malicious program. Later analysis of the nature of the changed code confirms whether there is a virus.
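The comparison method in code, as an added example that is not part of the original article: a clean backup of a boot sector is compared byte by byte with the copy now on disk, and every region that differs is listed in a DEBUG "D" style hex dump so the changed code can be examined. Both sectors are constructed sample data, not real boot sectors.

```python
# Added example: compare a boot sector (or file) against its clean backup and
# report every region that differs, in DEBUG "D" style, for later analysis.
# CLEAN_SECTOR and SUSPECT_SECTOR are constructed sample data.

def diff_regions(backup: bytes, current: bytes, gap: int = 4) -> list:
    """Return [(start, end)] offsets where current differs from backup.
    Differences closer together than `gap` bytes are merged into one region."""
    if len(backup) != len(current):
        raise ValueError(f"length differs: backup {len(backup)}, current {len(current)}")
    regions = []
    for off, (a, b) in enumerate(zip(backup, current)):
        if a == b:
            continue
        if regions and off - regions[-1][1] <= gap:
            regions[-1][1] = off + 1        # extend the region still open
        else:
            regions.append([off, off + 1])  # open a new region
    return [tuple(r) for r in regions]

def hexdump(data: bytes, start: int, end: int) -> str:
    """Render the 16-byte lines covering data[start:end]: offset, hex, ASCII."""
    lines = []
    for off in range(start - start % 16, end, 16):
        chunk = data[off:off + 16]
        hexpart = " ".join(f"{b:02X}" for b in chunk)
        ascii_ = "".join(chr(b) if 32 <= b < 127 else "." for b in chunk)
        lines.append(f"{off:04X}  {hexpart:<47}  {ascii_}")
    return "\n".join(lines)

def compare_report(backup: bytes, current: bytes) -> str:
    """Human-readable report of every changed region, backup beside current."""
    regions = diff_regions(backup, current)
    if not regions:
        return "no difference from backup"
    out = [f"{len(regions)} changed region(s)"]
    for start, end in regions:
        out.append(f"--- offset {start:#06x}-{end - 1:#06x}")
        out.append("backup:\n" + hexdump(backup, start, end))
        out.append("current:\n" + hexdump(current, start, end))
    return "\n".join(out)

# Constructed sample: a 512-byte "clean" sector, and a copy with a small code
# patch at 0x3E and one byte overwritten near the end of the sector.
CLEAN_SECTOR = bytearray(range(256)) * 2
CLEAN_SECTOR[510:512] = b"\x55\xAA"                 # boot signature
SUSPECT_SECTOR = bytearray(CLEAN_SECTOR)
SUSPECT_SECTOR[0x3E:0x46] = b"\xEB\x1C\x90VIRUS"    # 8 patched bytes
SUSPECT_SECTOR[0x1F0] = 0xFF
CLEAN_SECTOR, SUSPECT_SECTOR = bytes(CLEAN_SECTOR), bytes(SUSPECT_SECTOR)
```

Calling `compare_report(CLEAN_SECTOR, SUSPECT_SECTOR)` lists two changed regions; as the article notes, the listing only shows that something changed, and whether the change is a virus still has to be decided by analysing the bytes.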

Search method

This method scans for the specific byte strings that each virus contains; if a particular byte string is found in the examined object, the virus represented by that string is present. Virus scanning software that works by the search method is called a "scanner" abroad. Such software has two parts: a virus code base, containing code strings specially selected from a variety of computer viruses, and a scanning program that uses the code base to scan. The number of viruses a scanner can identify depends entirely on which viruses the code base covers. Choosing the virus code string is very important: the shortest virus code is only a hundred-odd bytes long, and the longest is only about 10 KB. The most representative feature must be selected after careful analysis of the program, enough to distinguish the virus from other viruses and from its own variants. In general a code string is made up of several consecutive bytes, but some scanning software uses variable-length strings containing one or more "fuzzy" bytes; when the scanner meets such a string, the virus is recognised as long as every byte except the fuzzy ones matches exactly. The feature string must also distinguish the virus from normal, non-virus programs, otherwise there will be false positives and missed detections.
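A minimal scanner of the kind the search method describes, as an added example that is not part of the original article: the virus code base holds one hex string per signature, with "??" marking a fuzzy byte that matches any value. The signature names, byte strings and sample files are constructed for illustration and are not real virus signatures.

```python
# Added example: signature scanning with fuzzy bytes. SIGNATURE_BASE and
# SAMPLE_FILES are constructed for illustration, not real virus data.
import re

SIGNATURE_BASE = {
    "Sample.A": "EB 1C 90 ?? ?? 56 49 52 55 53",   # jmp short, nop, 2 fuzzy bytes, "VIRUS"
    "Sample.B": "B4 4E CD 21 72 ?? B4 3D",         # mov ah,4Eh / int 21h / jc ?? / mov ah,3Dh
}

def compile_signature(hex_pattern: str) -> re.Pattern:
    """Turn 'EB 1C ?? 56' into a bytes regex; each ?? becomes '.' (any byte)."""
    parts = []
    for tok in hex_pattern.split():
        parts.append(b"." if tok == "??" else re.escape(bytes([int(tok, 16)])))
    return re.compile(b"".join(parts), re.DOTALL)   # DOTALL: '.' must match 0x0A too

COMPILED = {name: compile_signature(p) for name, p in SIGNATURE_BASE.items()}

def scan(data: bytes) -> list:
    """Return [(signature_name, offset)] for each signature found in data."""
    hits = []
    for name, pattern in COMPILED.items():
        match = pattern.search(data)
        if match:
            hits.append((name, match.start()))
    return hits

def scan_files(files: dict) -> dict:
    """Scan several in-memory files; the result maps file name -> list of hits."""
    return {name: scan(content) for name, content in files.items()}

# Constructed sample files: one carries Sample.A with 0x12 0x34 in the fuzzy
# positions, one carries Sample.B, and one is clean.
SAMPLE_FILES = {
    "GAME.COM":  b"MZ" + bytes(30) + b"\xEB\x1C\x90\x12\x34VIRUS" + bytes(16),
    "TOOL.EXE":  bytes(10) + b"\xB4\x4E\xCD\x21\x72\x05\xB4\x3D" + bytes(20),
    "CLEAN.COM": b"MZ" + bytes(64),
}
```

`scan_files(SAMPLE_FILES)` reports Sample.A at offset 32 in GAME.COM, Sample.B at offset 10 in TOOL.EXE and nothing in CLEAN.COM; a scanner can only ever report the viruses its code base contains.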
