A Powerful Tool in Hand: Analysis of Five Anti-Virus Engines

Source: Internet
Author: User
Tags: kaspersky, antivirus

The following describes the anti-virus engines of several vendors. Some of the material comes from public technical documents, some from an anti-virus forum that is regarded as a classic, and some from introductions by the vendors' technical staff (both official and private).


1. NORTON: This is the one everyone knows best. Norton's anti-virus software is not very good at protecting itself from detection; many virus programs refer, in their subroutine section, to code that has crashed Norton, and we hope Norton adopts stronger protection technology in the new version. Norton's engine should be entirely self-contained and closed: there is no evidence that Norton has bought or used anyone else's engine. It was rumored that many companies consulted the leaked Kaspersky engine when designing their own, so I once raised the question in an online chat in the Microsoft community. My own view is that Norton has no need to learn from Kaspersky's engine; its own is quite good. A guy named fenssa even replied that, leaving the virus database aside, Norton's engine is quite advanced and its overall protection performance is very good. At Microsoft, apart from McAfee, Norton is what gets used (I believe it is rare to see Microsoft use any other anti-virus software). Judging from Norton's technical documentation and an article by a 29A member that circulates on the virus forum, which single-steps and reverse-engineers Norton's working process in a virtual machine environment, Norton's engine should be a mature combination of traditional static code matching and real-time monitoring, with some improved virtual-machine technology mixed in (Norton's people do not advocate virtual-machine technology). Norton scans slowly because it relies heavily on static code, which comes with the traditional checking method. Personally I very much like Norton's isolation (quarantine) mechanism: deletion should not be used until the correct handling has been determined, and a virus written by a skilled author will tie itself to system processes as much as possible, which is exactly where the advantage of isolation shows.
Norton's resource usage is high, but it achieves the following design goals: processes that are identified as viruses, and those that recognize other viruses, are handled correctly; a "virus body" that can no longer cause damage is not misjudged; and a virus that has already been processed is not detected again and again afterwards.


Many people think the engine in Norton's Enterprise Edition is identical to the one in the personal edition. In fact, the Enterprise Edition improves on the personal edition's technology. ZDNet published an article stating that the core rules of the two engines are the same, but the Enterprise Edition is better than the personal edition and uses more API interfaces. The article said the Enterprise Edition is superior in large-scale file scanning; in addition, thanks to its load technology, the Enterprise Edition's resource usage is even better, and it is said to support several network-based load technologies.


2. McAfee: I have read an article about McAfee acquiring another anti-virus engine design company; according to the replies it was Solomon. Technical documents on McAfee's engine are rarely seen online, but according to its own materials McAfee has studied virtual-machine technology and real-time monitoring thoroughly. For example, it recently promoted a technology for preventing application overflows (roughly that name), which should be a combination of virtual-machine and real-time monitoring technology that does not depend on the hardware platform, although it frequently reports overflows in error (software-level overflow detection is indeed not stable). McAfee has a certain speed advantage when processing large numbers of files (this was discussed in the Microsoft community). According to a post on the McAfee forum, McAfee is researching more advanced intelligent code scanning, estimated to be better than Eastern Guard. According to the group leader's reply, since the release of VSE 8.0i McAfee has focused on the new security field of "forward threat prevention", and Norton is heading the same way. There are two parts to this preemptive attack prevention. The first is the application firewall together with intrusion detection, which cuts off a virus's transmission sources so that it cannot spread widely in its early stage, reducing the damage. The second relies on McAfee's powerful pattern detection technology (Extra.dat) to detect the behavior and signatures of viruses, backed by its strong R&D team and strategic alliance partners, which makes it unique in this field. Norton can also add some original firewall technology. An email was sent to Norton's researchers asking why they did not adopt pattern-based anti-virus technology.
The reply was that a mature pattern scanning technology should be able to add specific files as viruses at the user's designation: when you designate a running program as a virus, the engine can define a signature for that program according to its own rules, and when it takes control of the program it can effectively cut the program's ties to the system's normal processes. Until it reaches that level, Norton will not use pattern technology on a large scale. Judging from McAfee's technical documentation, McAfee is only experimenting with the technology to a limited extent and applying it where it is more confident. In fact, the two companies still have a long way to go.
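As an added illustration (not code from the article or from any vendor mentioned in it), the following Python sketch shows in toy form the two mechanisms discussed above: a user designates a file as malicious and the engine derives a signature for it under its own rules, avoiding byte sequences that also occur in known-clean files, and a detection is isolated by moving the file into a quarantine directory with a record that allows restoring it, rather than deleting it. The executable stub, the clean files and the sample are all constructed here; the window length, the entropy rule and the null-byte exclusion are assumptions of this toy, not any vendor's actual rules.

```python
import hashlib
import json
import os
import tempfile
from collections import Counter
from math import log2

SIG_LEN = 16  # signature window length; an assumption for this toy engine

# Constructed sample data: a fake executable stub shared by all files, two
# clean files, and one file the user has designated as malicious.
STUB = b"MZ\x90\x00" + b"\x00" * 12 + b"This program cannot be run in DOS mode.\r\n"
BENIGN = [
    STUB + b"\x00" * 32 + b"print hello\x00",
    STUB + b"\x00" * 32 + b"copy files\x00",
]
SAMPLE = STUB + b"\x00" * 32 + bytes(range(0x41, 0x61)) + b"\x00"


def entropy(chunk):
    """Shannon entropy, in bits per byte, of a byte string."""
    n = len(chunk)
    return -sum(c / n * log2(c / n) for c in Counter(chunk).values())


def derive_signature(sample, benign_corpus, length=SIG_LEN):
    """Toy engine rule for a user-designated file: take the first window of
    `length` bytes with the highest entropy that (a) contains no null padding
    and (b) does not occur in any known-clean file. Rule (b) is what keeps the
    engine from turning the shared executable stub into a 'virus' signature."""
    best, best_h = None, -1.0
    for i in range(len(sample) - length + 1):
        window = sample[i:i + length]
        if b"\x00" in window or any(window in clean for clean in benign_corpus):
            continue
        h = entropy(window)
        if h > best_h:
            best, best_h = window, h
    if best is None:
        raise ValueError("no window distinguishes the sample from clean files")
    return best


def scan(data, signatures):
    """Static scan: names of all signatures whose bytes occur in `data`."""
    return [name for name, sig in signatures.items() if sig in data]


def quarantine(path, qdir):
    """Isolate rather than delete: move the file under its SHA-256 name and
    record the original path so the action can be reversed later."""
    with open(path, "rb") as f:
        digest = hashlib.sha256(f.read()).hexdigest()
    dest = os.path.join(qdir, digest + ".quar")
    os.replace(path, dest)
    with open(dest + ".json", "w") as meta:
        json.dump({"original_path": os.path.abspath(path)}, meta)
    return dest


def restore(quar_path):
    """Undo a quarantine using the sidecar record written by quarantine()."""
    with open(quar_path + ".json") as meta:
        original = json.load(meta)["original_path"]
    os.replace(quar_path, original)
    os.remove(quar_path + ".json")
    return original


def demo():
    """End to end: designate SAMPLE, derive its signature, scan, isolate, restore."""
    sig = derive_signature(SAMPLE, BENIGN)
    signatures = {"Constructed.Sample": sig}
    with tempfile.TemporaryDirectory() as root:
        qdir = os.path.join(root, "quarantine")
        os.mkdir(qdir)
        path = os.path.join(root, "suspect.exe")
        with open(path, "wb") as f:
            f.write(SAMPLE)
        hits = scan(SAMPLE, signatures)
        quar = quarantine(path, qdir) if hits else None
        isolated = quar is not None and not os.path.exists(path) and os.path.exists(quar)
        restored = isolated and os.path.exists(restore(quar))
        return {
            "signature": sig,
            "sample_hits": hits,
            "benign_hits": [scan(b, signatures) for b in BENIGN],
            "isolated": isolated,
            "restored": restored,
        }


if __name__ == "__main__":
    print(demo())
```

The benign-corpus check is the part worth noticing: without it, the highest-entropy window of a designated file is often a byte sequence that every program on the machine shares, and the "signature" would flag the whole system.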


3. Kaspersky: the anti-virus software that is over-mythologized on this forum. I personally respect Kaspersky's high standard, but honestly, resource usage aside, Kaspersky gives me no sufficient reason to give up Norton; the two are on the same level. In stability, Kaspersky is worse than Norton. Because Kaspersky's engine leaked in earlier years (the leaked code was actually not the original source, but the leaked engine could easily be unpacked), a great deal of detailed technical analysis of the Kaspersky engine can be found online. In particular, the German virus writer's article on how to optimize the Kaspersky engine is considered required reading for every vendor that uses the Kaspersky engine, and the American article "How does VB100 test anti-virus software?" (in which the authors, from recent years' results, speculate on the virus types and proportions VB100 uses in testing) is likewise required reading for vendors before submitting their software for testing. According to the many analyses online, Kaspersky's virtual-machine technology is excellent. However, someone posted last year that Kaspersky's good performance comes from its huge virus database and fast update cycle, and that its engine design is no better than other companies'. Kaspersky's engine uses so-called single-form rule judgment, whereas Norton, as we all know, is based on classification rules. Kaspersky's engine is considered to perform well when comparing file identifiers against the virus database, making full use of the processor.
"But what is worrying is that the company has not paid full attention to the latest technologies" (a comment by a British computer magazine at the end of last year); whether it will thoroughly overhaul the original engine or adopt a large number of new technologies, nobody knows. Kaspersky's engine has a so-called "over-long and over-short file code" problem: to put it bluntly, it sometimes leaves a virus body behind, and its researchers say they are improving it. Some time ago someone posted that virus writers acknowledge only Kaspersky; honestly, having read many forum documents, I have not seen any strong person say so. Kaspersky follows the same major R&D path as the American vendors. It seldom references technology developed by other companies and keeps deepening and refining its own engine; by some accounts Kaspersky's engine represents the highest level in the industry, but not in every respect. Kaspersky is good anti-virus software, but it is not a god. It should be said that, like Norton and McAfee, it stands at the top tier of anti-virus software.


In China there have been rumors that Jiangmin's anti-virus software uses the Kaspersky engine. Honestly, a considerable number of anti-virus products in the industry reference its engine design, and even in China there is not enough evidence to prove that Jiangmin only referenced the design. Many people have tested Kaspersky and Jiangmin with various virus packages and got exactly the same results. Honestly, such tests have no credibility; almost all anti-virus software gives the same results on fossil spore. There are only two ways to settle the relationship between the two engines:

1. Send both products to VB100 or a similar authority for testing. If the two get identical results on unknown viruses (results that are not published and are bought by the vendor itself count for nothing), that would mean something, because it is almost impossible for two different engine mechanisms to show identical detection results against the same large database of unknown viruses. Unfortunately, Jiangmin has not taken part in VB100, and an individual is unlikely to have a large enough unknown-virus database for the purpose.
2. Reverse-engineer the software the way crackers do and analyze the working mechanism of the whole product. Think about the workload; nobody has ever seen such research.

Therefore I personally can only think that Jiangmin may (to a large extent) have referenced Kaspersky's engine design, but judging from the sensitivity, scanning speed and many other aspects of the two products, even if Jiangmin adopted Kaspersky's engine, it must have made many source modifications or optimizations. In addition, Jiangmin reportedly added some self-developed technology to the engine, implemented in a way similar to its digital-code technology. If the source of both products were published, perhaps nobody would see a relationship between them.
In fact, once we notice that Jiangmin's software does not use Kaspersky's virus database, we should realize that even if it did borrow from Kaspersky, the two can already be considered different engines. Back on Windows 3.x the two were probably very similar, but today we use Windows XP; even if Jiangmin did use Kaspersky's engine, it can be said that Jiangmin has developed it in some respects, even if that development may not match the original R&D direction. Whichever way you look at it, I think Jiangmin's anti-virus software is still outstanding. After all, looking back at China's anti-virus vendors, it is the only flag in genuine technical R&D that still occasionally flies. Step by step, Jiangmin still makes technical progress. Purely technically, if Jiangmin adopted Kaspersky's engine, the two vendors are today developing the original engine in different directions. That is not necessarily a bad thing; as long as nobody stands still, there seems no need to argue whether the two share an ancestor. What we should fear is stopping while others move forward, which is no different from self-destruction. Although the market comes first for anti-virus vendors, don't forget that technology is the decisive force for their survival.


4. The fourth is Panda. Haha, this Spanish thing was the world's first with automatic updates. Its engine is also quite good: the speed is absolutely first-class and detection and removal are thorough, but the virus database is rather European, so it is not very effective in China, and it uses a lot of memory. Kingsoft now seems to be protected by Panda: its monitoring does not seem to be its own, and the scanning and updating are Panda's. Kingsoft's monitoring is garbage, as you will find out when you use it.


5. Dr.Web is also a Russian engine. It was developed by the Russian National Academy of Sciences and is dedicated to the military and the Kremlin. It is basically the same as Kaspersky, but the engine and technology are different. It is the product adopted by Russian official bodies and the military, while most businesses and individuals use Kaspersky. There are two versions, only one of which is available to the outside world, and its technology is backed by the Russian National Academy of Sciences. This anti-virus company is not out to make money but is purely about technology, so there is no Chinese version at present; it never sends out binary viruses and cannot do
