I. The composition of anti-virus software
Anti-virus software consists of three parts: the application, the anti-virus engine and the virus database.
a) The application's main job is to hand scan objects to the engine for virus scanning and to provide the anti-virus software's user interface.
b) The engine's main job is to parse (format) the scan object handed over by the application, scan it for viruses, return the intermediate results to the application through the application's callback interface, and act on the result the application returns. The engine itself is responsible for loading, managing, traversing and unloading the virus database.
II. Development history of the anti-virus engine
The development course of engine detection and anti-virus technology:
a) DOS anti-virus engine.
b) Macro virus anti-virus engine: signature matching.
c) Script virus engine; mail, mailbox and compressed-archive splitting engine; anti-virus virtual machine: run-time feature matching.
d) Virus behaviour determination technology and virtual unpacking technology.
III. Architecture of the anti-virus engine
a) Changes in engine architecture
b) Modular design method
c) Object-oriented design approach, based on C++ design ideas, to improve the engine's reliability and ease of maintenance
d) The COM component design idea was introduced into the engine design, turning the engine into objects and components and improving its ease of use, extensibility, maintainability and portability.
IV. Technical characteristics of the anti-virus engine
a) Mail, mailbox and compressed-archive splitting technology
In the engine, mail, mailbox and compressed-archive objects are called compound file objects. The latest engine applies virtual file system technology to compound file objects, treating each compound file object as a file system (or, equivalently, a directory). This makes mail, mailboxes and archives easier to manage and more flexible to handle.
b) Combination of virtual and real unpacking technology
Virtual unpacking is a special technique that uses a virtual machine to execute the program virtually and decides from the returned result whether the file is packed.
Real unpacking is an unpacking algorithm written after the packer has been analysed.
c) Script engine token feature extraction technology
The earlier script engine was very slow, mainly because it used floating feature string matching, so every file had to be matched over its full text. As the number of virus records grew, the number of matches grew with it and scanning became slower still. The new script engine uses compiler techniques to parse the script according to the characteristics of script viruses, which reduces the number of matches.
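As an added illustration of the token-based approach described above (this is not code from the original page or from the engine it describes), the following Python compiles a script into a normalised token stream once and indexes signature records by their first token, so that only the few records that can begin at a given position are compared there. The script grammar, the signature records and the sample script are all constructed for the example.

```python
import re
from collections import defaultdict
# Tokeniser for a VBScript-like language (hypothetical grammar, not the original engine's).
TOKEN_RE = re.compile(r"""'[^\n]*        # line comment (discarded)
    | "[^"\n]*"                          # string literal (kept verbatim)
    | [A-Za-z_]\w*                       # keyword / identifier (case-folded)
    | \d+ | [=().,+\-*/<>]               # number, punctuation
""", re.VERBOSE)
def tokenize(script):
    """Compile script text to a normalised token stream: comments and whitespace
    vanish, identifiers are case-folded, string literals stay as written."""
    toks = []
    for m in TOKEN_RE.finditer(script):
        t = m.group(0)
        if not t.startswith("'"):
            toks.append(t if t.startswith('"') else t.lower())
    return toks

def naive_substring_scan(script, signatures):
    # Old approach: every 'floating feature string' is searched over the full text.
    return sorted(name for name, s in signatures.items() if s in script)

class TokenSignatureEngine:
    def __init__(self, signatures):
        # Signatures become token tuples indexed by their first token, so each
        # stream position is compared only with the few records that can start
        # there, instead of every record being matched against the full text.
        self.index = defaultdict(list)
        for name, s in signatures.items():
            toks = tuple(tokenize(s))
            self.index[toks[0]].append((name, toks))

    def scan(self, script):
        """Return (sorted hit names, number of signature comparisons performed)."""
        toks = tokenize(script)
        hits, comparisons = set(), 0
        for i, t in enumerate(toks):
            for name, sig in self.index.get(t, ()):
                comparisons += 1
                if tuple(toks[i:i + len(sig)]) == sig:
                    hits.add(name)
        return sorted(hits), comparisons
# Constructed sample records and script (not real virus signatures).
SIGNATURES = {"Demo.Script.A": 'Set fso = CreateObject("Scripting.FileSystemObject")',
              "Demo.Script.B": "WScript.ScriptFullName",
              "Demo.Script.C": 'CreateObject("Shell.Application")'}
SAMPLE = ("' constructed sample script\n"
          'SET   FSO = CreateObject( "Scripting.FileSystemObject" )  \' spacing and case changed\n'
          "set f = fso.OpenTextFile(WScript.ScriptFullName)\n")
```

On the sample, the substring scan misses record A because of the changed spacing and case, while the token engine finds A and B with four signature comparisons for an 18-token stream.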
d) Trojan fingerprint feature technology
Intelligent code analysis technology (that is, extracting the typical code features and logic features of a representative virus from its code characteristics and execution flow, and using them as the virus's feature string) is used to extract Trojan fingerprint information. With fingerprints, the engine can quickly rule out normal files.
e) Execution feature extraction technology of the executable-file engine
Characteristics:
1. When scanning for viruses, an "instruction execution virtual machine" is simulated in the machine's virtual memory.
2. The suspect file is executed in the virtual machine environment.
3. During execution, file data is intercepted from the virtual machine environment; if it contains virus code, the virus is removed and the cleaned data is written back to the file, so that executable files of various types can be disinfected from within.
4. This method can handle encrypted, polymorphic (self-mutating) and self-compressing viruses in new files.
f) Macro virus decoding and related anti-virus technologies.
Macro fingerprints are used to distinguish different macro files, reducing the number of virus signature matches and thereby speeding up scanning.
g) Memory scanning and memory monitoring technology.
h) Unknown macro virus virtual execution technology.
i) Unknown script virus fingerprint feature determination technology.
j) Behaviour determination technology
The program is executed under simulation, its actions are tracked and recorded, and the recorded behaviour is identified and judged.
This is closer to manual analysis: highly intelligent and highly accurate, but slow.
V. Development trends of the engine
a) Multi-layered, three-dimensional protection system
b) Further development of detection techniques for unknown viruses
c) Active repair technology
d) More reliable data backup and disaster recovery technologies
e) Integration with other security products
f) A complete emergency response system
The role of the anti-virus engine in anti-virus software