Security-powered anti-virus software engine-related technologies

Virus and Anti-Virus products are born enemies. Due to the endless existence of viruses, this field of Anti-Virus products will naturally be divided by many vendors, as a result, multiple Anti-Virus engine technologies have been developed.

The Anti-Virus engine is the key to determining whether the anti-virus software technology is mature and reliable. What is the Anti-Virus engine? In short, it is a set of technical mechanisms to determine whether a specific program behavior is a virus program or a suspicious program. The engine not only needs to be able to detect viruses, you must also have sufficient Virus Cleaning and environment restoration technologies. If a antivirus product can detect viruses but cannot clear them, or the system environment damaged by the virus cannot be restored successfully, it can only be a chicken rib. For the purpose of virus detection and removal, the Anti-Virus engine itself must implement behaviors that are more vulnerable to viruses than viruses. For example, in order to timely obtain the monitoring data of environmental changes, some anti-virus engines use the DLL Hook Technology to inject themselves into the system process, which is the same as the DLL Trojan. In order to successfully intercept and kill the driver-level Trojan Rootkit, the Anti-Virus engine needs to run part of itself as a driver to enter the system kernel ...... Speaking of this, users with low computer configurations should be able to understand why their computer speed slows down after installing anti-virus software. This is mostly due to the "file monitoring" and other functions of anti-virus software, because the implementation principle of this function is the same as the parasitic process of the file-type virus, but the file-type virus is waiting in the memory to infect every open file, the "file monitoring" function is always stationed in the memory to check whether there is a virus in each opened file. The consequence of both is that the program loading time increases, the performance of low-configuration computers is obvious.

1. Hold every level-program behavior capture

Each program must perform various interactions, such as sending and receiving network data, responding to a trigger event, and reading and writing files. These interactions are called "actions ), this cycle can be tracked and recorded. This is the first step that the Anti-Virus engine must interfere with. When the anti-virus software environment monitoring module is started, it will be embedded into the system operation interface, so that any non-core program and program other than anti-virus software itself will be monitored in real time. This technology is usually implemented through Hook Technology and driver layer mounting, each antivirus software vendor has predefined a set of virus behavior judgment specifications, that is, to determine whether the relevant operations are legal under a given range and confidence level. For example, if a code is found to write itself into the program file body that the user requests to execute, or perform specific copy operations and add registry operations, the code can be suspected as a virus, the second step of the drug detection process is to judge and process the data.

Some vendors, due to their cooperation with operating system vendors, have obtained the operating system privilege higher than other manufacturers' Anti-Virus products. Therefore, they adopt the solution based on the core drive of the underlying system, this implementation method is the safest, or the most advanced implementation method. So far, only Norton has gained this privilege. As the virus technology gradually penetrated into the Rootkit layer, the Hook Technology in the past was gradually unable to cope with the problem. As a result, the antivirus vendor began to transfer the solution to the driver. Of course, because it was not authorized by the operating system vendor, they cannot implement the underlying core driver solution, so the antivirus vendor compiled a middleware called "software driver" to generate a virtual hardware in the system. As we all know, in an operating system, only the driver module can reach the underlying system through a "Hardware Abstraction Layer (HAL)" communication interface, nowadays, the popular Rootkit trojan also uses the drive form to enter the core of the system. Therefore, the anti-virus vendor uses the "software-driven" method to achieve underlying monitoring, which is more effective than the general Hook Technology, however, this will inevitably lead to some problems. If this "software-driven" has defects or is terminated abnormally by some programs (such as unexpected errors ), in an environment without any protection measures at the underlying layer of the system, the most direct consequence is that the blue screen of the system crashes, resulting in possible losses.

Knowledge: Several "layers" of the system"

As a complex operating system, an operating system must implement functional modules for division of labor and cooperation. These functional modules are stacked layer by layer like a pyramid, it forms several "layers" of the system, including the system core layer, hardware abstraction layer, and user layer.

The system Kernel Layer is located at the bottom of the entire operating system and is responsible for the basic operation of the system. All actions at this Layer are implemented by the built-in commands of the system, all external factors will not affect this behavior. There are not many programs that can directly access this layer of interaction. In addition to the operating system itself, third-party vendors must establish cooperation with system vendors to work directly at this layer, you can use the interface functions provided by the system vendor to access. Currently, the anti-virus software that can work directly at this level is Symantec's Norton AntiVirus.

The Hardware Abstraction Layer (Hardware Abstraction action Layer) is an idea proposed by Microsoft to facilitate the transplantation of the operating system on different Hardware structures, HAL implements "Hardware independence" for the system, that is, the interaction between the hardware and the operating system will not be different on different hardware platforms. As a result, hardware manufacturers can greatly reduce the difficulty of developing drivers. HAL hides the hardware interface details and provides a standard hardware interaction interface for the operating system, currently, all hardware drivers work at this level. When the external hardware has command requests, the driver responds to the request and converts the command to a command that can be understood by the system core layer through HAL to be executed by the kernel. If the corresponding driver type is not found, it is treated as "Default Hardware". What is "Default Hardware? The simplest example is to enter the security mode. At this time, most drivers will not be loaded, and the system will work on the "Default Hardware. Most anti-virus software that uses the "software-driven" solution virtualizes a hardware on the HAL layer to achieve interaction with the core layer, such as McAfee and Kaspersky, rising 2006 also implements kernel interaction through this solution.

The User Layer is what we usually see directly. For example, on the desktop, most anti-virus software runs on this Layer. It is mainly used for User interface interaction and sending commands to the Anti-Virus engine. Generally, the behavior of programs running on Ring3 is also generated here. The instructions produced by an application must be first transmitted to the HAL layer. The HAL layer interprets the commands as a string that can be recognized by the core layer, then, the command processing cycle is submitted to the core layer and finally enters the CPU. After the CPU completes processing, the result is reversely sent back to the application on the user layer, and the calculation result is obtained.

2. Core of detection-engine-based rule judgment

This step can be called the core stage of virus judgment. A good anti-virus engine can identify a large number of viruses at this stage. Its principle is to build a part of virus feature code in the engine, it is called "static Scanning Technology Based on signatures", that is, the Anti-Virus engine directly searches for its own feature code in the file.

3. Go through the Hanlin dictionary-interaction between engines and virus feature Libraries

Due to the above reasons, today's anti-virus software has to use external database connection methods to identify viruses. The virus feature code database stores behavior identifiers and static code of various viruses in a specific format, during work, the Anti-Virus engine needs to convert the captured program behavior into its own identifiable behavior identifiers and static code, then go to the virus feature code database to query and expect it to return the query results. Therefore, this step is the slowest in the whole anti-virus process, but it is undeniable that, the current anti-virus software identifies a large number of viruses at this stage. Therefore, a large enough virus database can often make up for the shortcomings of the Anti-Virus engine. However, today's virus becomes more complex and numerous. In the long run, virus feature libraries will one day become too bloated and lead to adverse consequences, to solve this problem, we can only try to implement Virus Detection in step 2 on the core technology. Unfortunately, we still have no anti-virus engine technology that can achieve this idea, therefore, today's anti-virus software relies more or less on a dozens of MB virus feature library to maintain its work, virus Updates released when no key changes are made to the core of the Anti-Virus engine by the anti-virus manufacturer are designed to add the latest detected virus data to the feature database for virus detection and removal.

The biggest weakness of the pattern-Based Static scanning technology is that it cannot detect and kill "undisclosed" or "excluded" viruses, because most of its judgments come from virus-specific code databases, anti-virus software is powerless once a user is infected with "0-day" or "private backdoor" in the virus, even the virus stops running. Of course, because of the anti-virus software's own validation mechanism, there is usually no virus stupid enough to infect anti-virus software, but if a anti-virus software is terminated by the virus, it will not be able to implement virus protection for users' computers, but how to determine how to prevent the virus from sending a close command does not affect the user's normal click on the "exit" function provided by anti-virus software itself, this is also a problem.

Some anti-virus engines use their own virus behavior judgment rules to "Suspect" some programs not included in the database are viruses, and ask the user what solutions they need. Generally, the default solution of anti-virus software compromise is to back up a suspicious program file to a folder called "quarantine", and then destroy the original file. This may achieve the purpose of killing unknown viruses, but we cannot ignore the possible serious consequences, such as virus infection of a key file or important document, if anti-virus software can't help but eliminate it, it is likely to cause system crashes or even economic losses, because a sound and secure killing process and environmental recovery are very important.

4. babybox-virus detection and removal and system environment restoration

When the Anti-Virus engine detects a virus, it must be divided into two situations: first, the virus that has not yet had time to infect or destroy the behavior, in this case, the Anti-Virus engine only needs to delete files, but in daily operations, the most common problems are the system environment that has been infected by viruses and damaged by viruses, in this case, the Anti-Virus engine must, after appropriate methods are used to scan and kill viruses, intelligently judge and restore the damage to the current system environment based on the virus behavior recorded in the virus feature database, for example, for files infected with viruses, the Anti-Virus engine must identify and clear the parasitic part of the virus code in the file based on certain algorithms. This process must be very cautious, otherwise, the direct consequence is that the original file is damaged, so the anti-virus is meaningless. For non-file Trojans and malicious programs, because they tamper with the system registry and even system files in various ways to load themselves, whether the Anti-Virus engine can accurately and effectively restore the damaged system environment after removing these viruses is the biggest challenge to the Anti-Virus engine. The virus hiding technology has simply loaded a single startup item from the beginning, it has evolved to today's multi-startup items, process mutual protection, thread monitoring, remote injection, Executable File Association, Service Project loading, driver loading, and many other methods, and even adopted a combination of methods, this makes it very difficult to scan and kill files. Even if a file is missing and cannot be cleared, the virus can make a comeback. Therefore, how to effectively and accurately identify and repair the damaged environment, it is also the key to measuring whether the anti-virus engine technology is mature.

The above is the principle of the complete working process of the Anti-Virus engine. So what technologies does it adopt? Currently, there are two mainstream technologies: Virtual Machine Technology and real-time monitoring technology. In addition