Using words such as hidden signatures to barely explain this strange phenomenon.

Talking about the basis of anti-virus software, some friends may feel disdain shares, but it is this seemingly simple anti-virus software principle, but contains the key to solve the mystery. We know that an anti-virus software is far more complex than viruses and Trojans, and it is natural that the principle is more complex. In general, an anti-virus software is composed of scanners, virus database and virtual machine, scanner is the core of anti-virus software, used to detect viruses, but antivirus software does not exist only this one scanner! Most software is a combination of several scanners (or scanning algorithms), although the basic idea of anti-virus software is signature matching, but unfortunately, in fact, most of the anti-virus software now has its own unique scanner. Signature scanning technology is only the mainstream of the first-generation scanning technology, and it has already ushered in the popularization of second-generation scanning technology.

We take the most typical Kaspersky, in fact, it has rarely seen the signature matching shadow, now Kaspersky application of the mainstream scanning technology is called "password checksum" a unique scanning algorithm, it is different from our usual understanding of the checksum technology, his idea is through a certain file characteristics, This determines the checksum of an offset region, which results in two values, which can be said to be the final signature. And through experiments, it is not difficult to find that this checksum algorithm for the case of the interchange between the line and the line between the performance is not sensitive, which directly led to our work to avoid the challenge of more challenges.

As early as 6.0 version of the technology has been enabled by Kabbah, so led to some of the strange phenomenon of killing, some of the industry's friends mostly with hidden features and other words to reluctantly explain this strange phenomenon. Here is my inference, little brother This is opinion, if there is a wrong place also hope that you more correct.

First of all, the special scanning method must accompany with special signature code, Kaspersky's password check and locate the "signature" volume is usually relatively large, because it has a certain anti-jamming nature, so it will cause some simple modification will not work, and will cause each signature location of the difference is very large and so on. In order to effectively interfere with the value of the checksum, it is often modified several seemingly irrelevant places to get the effect of eliminating the killing, so as to draw the conclusion of "hidden characteristic code".

In fact, if we think about the reverse, we will find that "hidden signature" is an unlikely implementation of the technology, if the signature is implied, then antivirus software in the detection of its existence, is the report of poison or not to report poison? If the drug is reported, it cannot be called an "implied signature". If you do not report poison, then there must be a mechanism to trigger it, if so, there is another explanation-the interference code. If it is found that the original should have the signature of the place if the entire 00 coverage to anti-positioning, then the anti-virus software will activate the interference code (a false signature), resulting in our last few steps to avoid the failure.

So saying "hidden signatures" should be a false notion that what really causes this is what we know or don't know about scanning algorithms, such as Kaspersky's password checksum scanning algorithm.

Therefore, the square feeling if you want to study the anti-killing technology, you should first understand the principle of antivirus software. As mentioned above, the question of just one scanning algorithm reveals some of our previous misconceptions, so the square believes that it is wise to consider some of the problems of the anti-killing system through the principle of antivirus software.

Http://wenda.tianya.cn/question/19hmt2rg02d8dbbv606ahv4e1damo92lsuj9s
Http://wenda.tianya.cn/question/19hmt70a02t9m2p5jq1mqrtma9c1okulbsj28
Http://wenda.tianya.cn/question/19hmt91no38bb445ovcb11rkes94m894vkhcl
Http://wenda.tianya.cn/question/19hmtqs1o6v8e4csoo37msk90sgnk4mk50hi5
http://wenda.tianya.cn/question/19hmtrs9075a0m9tbvf4sn4m12vkqk26a2h0d
http://wenda.tianya.cn/question/19hmttvl879avvhkeaa5fibj5spn7c5e2qj2l
Http://wenda.tianya.cn/question/19hmucs78fp91fk536eqom5n6f7bq5v3hkjv5
http://wenda.tianya.cn/question/19hmudmj0frbc8nole13gmli5t99ag24lah6v
Http://wenda.tianya.cn/question/19hmueguoiv927o2gptee7kvb5r9m68q8aj81

Using words such as hidden signatures to barely explain this strange phenomenon.