Behind Antivirus

As antivirus products keep adding features, the look and feel of security programs has changed dramatically. A good antivirus program is, in the end, a response to smart viruses, isn't it? We did some online research on the various antivirus techniques applied today and on the ideas behind building an antivirus. Although we did not go very deep, we would like to share some of the ideas behind an antivirus.

There is often some debate about who can be credited with the first anti-virus software; the most popular opinion is that a man named Bernt Fix developed the first anti-virus package back in 1987 to stop the Vienna virus. Just three years later, 19 different products had been developed for similar purposes, including the well-known McAfee and Norton AntiVirus. Since its introduction, antivirus technology has changed constantly, and today it is tending towards cloud antivirus and online scanning.

EICAR was formed to carry out in-depth research on these security programs. Antivirus software typically uses a variety of strategies to detect and remove viruses, worms and other malware. It is also a fact that companies selling anti-virus software seem to have a financial incentive for viruses to be written and to spread, and for the public to panic over the threat.

Various Antivirus techniques

Signature-based detection (Dictionary approach)
This is the most commonly employed method: searching a given file for known patterns of virus code. Every antivirus product carries a dictionary of sample malware code, called signatures, in its database (which is constantly updated online). Whenever a file is examined, the antivirus looks up the sample code in its database and compares it with the current file. If a piece of code within the file matches one in the dictionary, the file is flagged and action is taken immediately to stop the virus from replicating further.
To go further: once an AV vendor identifies a new virus, they assign it a signature, which is generated using an algorithm and a hash. A hash is a unique set of characters produced by running an algorithm over a particular object, and this hash is what makes up the virus signature. The signature is then distributed through updates to the clients running the AV software. This is why it is so important to keep your AV software updated: hundreds if not thousands of new threats are identified daily, and you are leaving yourself open to all of them if you do not turn on automatic updates in your AV software's configuration page.
Of course, to be identified and hashed, a virus must first be found. AV vendors devote a lot of effort to locating and identifying new threats before they infect users, but many new threats are identified only because users are infected by a yet-to-be-discovered virus and the AV product sends information about it to the vendor. Polymorphic (also metamorphic and oligomorphic) viruses are now widespread; they encrypt their malicious code or modify it to look like valid software so that it no longer matches the signatures in the dictionary.
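To make the dictionary approach and its weakness concrete, here is an added Python example (not from the original post) of a minimal scanner that holds two kinds of signature: a whole-file SHA-256 hash and a byte-pattern "scan string" with single-byte wildcards. The sample files and signatures are constructed for the demo; changing one byte of the sample defeats the hash signature but not the scan string, which is why vendors use patterns as well as hashes.

```python
import hashlib
import re

# Constructed sample "files" for this added example (byte strings, not real malware).
SAMPLE_MALICIOUS = b"MZ\x90\x00EVIL-demo-payload-v1"
SAMPLE_VARIANT = b"MZ\x90\x00EVIL-demo-payload-v2"   # one byte differs from the sample
SAMPLE_BENIGN = b"MZ\x90\x00This program cannot be run in DOS mode"

def sha256_hex(data: bytes) -> str:
    """Whole-file hash: the 'signature generated with an algorithm and a hash'."""
    return hashlib.sha256(data).hexdigest()

def compile_scan_string(hex_tokens: str) -> re.Pattern:
    """Turn a scan string such as '4d 5a ?? ?? 45 56 49 4c' into a bytes regex.
    '??' is a single-byte wildcard, the classic way to tolerate small variations."""
    parts = []
    for tok in hex_tokens.split():
        parts.append(b"." if tok == "??" else re.escape(bytes([int(tok, 16)])))
    return re.compile(b"".join(parts), re.DOTALL)

# Constructed signature database standing in for the vendor's dictionary.
SIGNATURE_DB = {
    "hashes": {sha256_hex(SAMPLE_MALICIOUS): "Demo.Malware.A"},
    "scan_strings": {"Demo.Malware.Gen": compile_scan_string("4d 5a ?? ?? 45 56 49 4c")},
}

def scan_bytes(data: bytes, db=SIGNATURE_DB) -> list:
    """Return the names of every signature that matches the file contents."""
    hits = []
    name = db["hashes"].get(sha256_hex(data))
    if name:
        hits.append(name)
    for name, pattern in db["scan_strings"].items():
        if pattern.search(data):
            hits.append(name)
    return hits

def demo():
    """Show that a single-byte change defeats the hash but not the scan string."""
    return {
        "malicious": scan_bytes(SAMPLE_MALICIOUS),
        "variant": scan_bytes(SAMPLE_VARIANT),
        "benign": scan_bytes(SAMPLE_BENIGN),
    }

if __name__ == "__main__":
    for label, hits in demo().items():
        print(f"{label}: {hits or 'clean'}")
```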

Heuristic-based detection
Unlike the signature-based approach, here the antivirus does not attempt to identify known viruses but instead monitors the behavior of all programs. Here are a few of the common heuristic/behavioral scanning techniques:

  • File Analysis: Think of this method as the suspected file going through airport security (complete with a carry-on check). File analysis involves the software taking an in-depth look at the file and trying to determine its intent, destination and purpose. If, say, the file contains instructions to delete certain files, it should be considered a virus.
  • Generic Signature Detection: This technique is designed specifically to locate variations of viruses. Many viruses are re-created and circulate under a variety of names but essentially come from the same family (or classification). Generic detection uses previous antivirus definitions to locate these similar "cousins" even if they use a slightly different name or include some unusual characters. The best way to illustrate this idea is with identical twins: they may have slightly different fingerprints, but their DNA is identical.
  • File Emulation: Also known as "sandbox testing" or dynamic scanning, file emulation lets the file run in a controlled virtual system (or "sandbox") to see what it does. Think of this approach as watching the virus in a sterile testing room through a two-way mirror. If the file acts like a virus, it is deemed a virus.

Overall, a simple antivirus solution includes the following programs (from old to new techniques):

  • Scanner (conventional scanner, command-line scanner, on-demand scanner) – a program that looks for known viruses by checking for recognizable patterns ('scan strings', 'search strings', 'signatures' [a term best avoided for its ambiguity]).
  • TSR scanner – a TSR (memory-resident program) that checks for viruses while other programs are running. It may have some of the characteristics of a monitor and/or behavior blocker.
  • VxD scanner – a scanner that works under Windows.
  • Monitor/Behavior Blocker – a TSR that monitors programs while they are running for behavior that might denote a virus.
  • Cryptographic Checksummer – uses an encryption algorithm to lessen the risk of being fooled by a virus that targets that particular checksummer.
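The last bullet is worth a worked illustration. The following Python is an added example (not from the original post); it models the checksummer with a keyed HMAC, a modern stand-in for the "encryption algorithm" the text mentions, and assumes the verifier's key is stored where a virus cannot read it. A constructed virus that rewrites both the file and its stored checksum passes the unkeyed check but fails the keyed one.

```python
import hashlib
import hmac
import zlib

# Constructed sample "executables" and key for this added example (not real files).
ORIGINAL = b"MZ\x90\x00original program code"
INFECTED = ORIGINAL + b"\x00appended virus body"          # constructed modification
VERIFIER_KEY = b"constructed-demo-key-kept-out-of-reach"  # assumption: unreadable by malware

def plain_checksum(data: bytes) -> str:
    """Unkeyed checksum (CRC32): anyone who can read the file can recompute it."""
    return f"{zlib.crc32(data) & 0xFFFFFFFF:08x}"

def keyed_checksum(data: bytes, key: bytes) -> str:
    """Keyed checksum (HMAC-SHA256): recomputing it requires the key."""
    return hmac.new(key, data, hashlib.sha256).hexdigest()

def baseline(files: dict, key=None) -> dict:
    """Record one checksum per path; key=None selects the unkeyed checksummer."""
    return {p: (plain_checksum(d) if key is None else keyed_checksum(d, key))
            for p, d in files.items()}

def verify(files: dict, db: dict, key=None) -> dict:
    """Return path -> 'ok' or 'modified' by recomputing each checksum."""
    fresh = baseline(files, key)
    return {p: "ok" if hmac.compare_digest(fresh[p], db[p]) else "modified" for p in files}

def simulate_checksummer_targeting_virus(files: dict, db: dict) -> tuple:
    """Model a virus that infects the file AND rewrites the stored checksum,
    using only what is on disk (the file bytes and the public checksum algorithm)."""
    files = dict(files)
    db = dict(db)
    files["app.exe"] = INFECTED
    db["app.exe"] = plain_checksum(INFECTED)   # no key needed, so the forgery succeeds
    return files, db

def demo():
    files = {"app.exe": ORIGINAL}
    # Unkeyed checksummer: the virus updates the stored checksum and goes unnoticed.
    plain_db = baseline(files)
    tampered_files, tampered_db = simulate_checksummer_targeting_virus(files, plain_db)
    unkeyed = verify(tampered_files, tampered_db)["app.exe"]
    # Keyed checksummer: the virus can change the file but cannot produce a valid HMAC.
    keyed_db = baseline(files, VERIFIER_KEY)
    keyed = verify({"app.exe": INFECTED}, keyed_db, VERIFIER_KEY)["app.exe"]
    return {"unkeyed": unkeyed, "keyed": keyed}
```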

Common classifications of antivirus programs include:

  • AntiAd/Spyware protects you against spyware and adware
  • AntiPhishing protects you against identity theft attacks
  • AntiRootkit keeps you safe from hidden malware
  • WebGuard keeps you away from malicious websites
  • MailGuard scans all your incoming and outgoing emails
  • P2P File Sharing Protection – the software scans P2P files downloaded from the web for viruses.

Building an Antivirus
Developing anti-virus software is not so easy; in words it can be expressed easily, but behind the scenes it is difficult. Some steps to keep in mind are:

  • You have to study the algorithm structure: for example, scanning the whole drive, then converting all of those files into binary to be matched against your database (signature file), which is composed of patterns that are matched against the converted file. Every anti-virus has its own algorithm structure, and they vary.
  • To build an antivirus you have to deal with viruses and must know how they operate. You need to determine, for each kind of virus, how it infects executables and what to look for to determine that an executable has been infected (just looking for changes to the executable isn't enough, because the user may simply have upgraded their software), and you need to do that for all executable file types that can contain executable code, including Windows bugs that may or may not be known about. Learn about malware analysis and reverse engineering.
  • Overall, you should categorize the various system-dependent files to prevent them from being identified as "false positives" (a "false positive" is when antivirus software identifies a non-malicious file as a virus).
  • You need to be aware of viruses that change their patterns to avoid detection, and of viruses that employ anti-detection techniques. You then need to determine whether the executable can be fixed or whether the virus has overwritten critical program code that cannot be restored without reinstalling the program.
  • To actually find the virus you must know a lot of assembly language and how it is coded. Anti-virus products plug into the lower levels of the operating system, including the filesystem and network protocol stacks. Thus they generally run within the kernel and are hence native code, written in C (sometimes C++, C#, Python, VB or Java). Knowledge of DLL files, scripting languages and DBMS is also preferred.
  • Good knowledge of TCP/IP network communication.
  • Good research on other virus scanners.
  • Before building an antivirus you need knowledge of the underlying structure of a basic OS (although various development frameworks make this easier).
  • For an effective security solution, BIOS protection is also necessary, so anti-virus software should be effective at protecting firmware.
  • Finally, you should optimize the code so that it competes as little as possible for system resources (CPU/RAM/GPU).
  • Download open-source antivirus software such as ClamWin Free Antivirus and study the code.
  • Go through sites like openantivirus.org, sourceforge.net, EICAR, etc.
  • Knowledge of boot-scan technology (e.g. Avast antivirus) and macro virus heuristics.
  • ICSA Certification: the ICSA is an independent organization that has set criteria for certifying antivirus software. Various antivirus manufacturers have submitted their software to be tested and passed ICSA certification. There are also certifications such as VB 100% Certified and W.C.L. Level 1 & 2 Certified.
  • Also research current trends such as integrating different antivirus engines into a single software package (cloud AV), Intel hardware-based antivirus, and OpenCL/GPU-based antivirus.

Note: share your knowledge in the comments. Did we miss any?

About Technology Timely

Aimed on updated tech news

Posted on March 29, 2011, in Security, Technews.
