
How antiviruses work. Malware detection methods

by Kate Summel

Debates about whether antiviruses are necessary or completely useless have not subsided since the first antivirus applications appeared. The struggle between virus writers and security software vendors has lasted about as long: one side constantly invents new detection algorithms, the other strives to bypass them at all costs.

How do modern anti-virus programs work, and what methods do attackers use to defeat them? That is what today's article is about.


How do anti-virus companies replenish their databases?

In relation to modern antivirus technologies, the very term "antivirus" is more a tribute to fashion than a term that correctly reflects the essence of things. Classic file viruses, that is, malicious programs that can infect executable files or dynamic libraries and spread without user intervention, are very rare today. The vast majority of malware currently found in the wild are Trojans, which can neither infect file objects nor self-replicate. Worms fall into the hands of analysts a little less often: these programs can create copies of themselves on removable media or network drives and "crawl" over a network or e-mail channels, but they cannot infect files. All other traditional categories of malware differ from each other only in their basic set of functions.

How do malware samples reach virus labs? Anti-virus companies traditionally have several channels for receiving new samples. First of all, there are online services like VirusTotal: servers on which any anonymous user can check whether an arbitrary file is detected by ten of the most popular anti-virus engines at once. Each uploaded sample, regardless of the result of the check, is automatically sent to the vendors for more detailed study.

Obviously, a huge stream of garbage arrives at virus laboratories from such resources, including completely harmless text files and pictures, so it is filtered on input by specially trained robots and only then passed further along the conveyor. The same services are used by small companies that want to save money on maintaining their own virus laboratories. They blindly copy other vendors' detections into their databases, which is why they regularly suffer epic fails: some vendor, as a joke or by mistake, marks a component of such an antivirus as infected, after which it happily quarantines its own library and crashes, causing butthurt among users and hysterical laughter among competitors.

The second channel is "spontaneous": suspicious files that users submit to the virus lab through the antivirus company's website, at the request of the support service, or upload from quarantine. The third channel is honeypots: special lures for virus makers in the form of virtual servers with ports open to the outside and passwords like root/root, to which some bot herders happily upload their creations, marveling at the clumsiness of the admins. Finally, the fourth way is the exchange of databases between the vendors themselves, but in recent years, with increased competition in the market and a shrinking revenue base, cooperation between antivirus companies has practically disappeared.

Once a sample enters the virus laboratory, it is sorted by file type and examined by automated analysis tools that can issue a verdict on formal or technical criteria, such as the packer used. Only if the robots fail to crack the malware is it handed over to virus analysts for instrumented or manual analysis.


Anatomy of an antivirus

Anti-virus products from different vendors include different numbers of components; moreover, the same company can release several versions of an anti-virus, each with its own set of modules and targeted at a different market segment. For example, some antiviruses have a parental control component that restricts underage users' access to certain categories of sites or limits their time in the system, while others do not. One way or another, modern antivirus applications usually have the following set of functional modules:

  • anti-virus scanner - a utility that searches for malware on disks and in the device's memory at the user's request or according to a schedule;
  • resident monitor - a component that monitors the state of the system in real time and blocks attempts to download or run malicious programs on the protected computer;
  • firewall - a component that monitors current connections, analysing incoming and outgoing traffic and checking the source and destination addresses of every packet leaving or arriving at the computer; data that arrives at the protected computer from the outside without a prior request is tracked and filtered. Functionally, the firewall acts as a filter that controls the flow of information between the local computer and the Internet, a protective barrier between the computer and the rest of the information space;
  • web anti-virus - a component that prevents the user from accessing dangerous resources that distribute malware, as well as phishing and fraudulent sites, using a special database of addresses or a rating system;
  • email antivirus - an application that checks the safety of attachments to e-mail messages and (or) links sent by e-mail;
  • anti-rootkit module - a module designed to fight rootkits (malicious programs that are able to hide their presence in an infected system);
  • preventive protection module - a component that ensures the integrity of data vital to the system's operation and prevents dangerous actions by programs;
  • update module - a component that ensures timely updating of the other anti-virus modules and the virus databases;
  • quarantine - a centralized secure repository where suspicious (and in some cases definitely infected) files and applications are placed until a final verdict on them is issued.

Depending on the version and purpose of the anti-virus program, it may include other functional modules, such as components for centralized administration and remote control.


Signature detection

Modern anti-virus programs use several malware detection techniques in various combinations. The main one is signature-based threat detection.

This method is based on the creation of so-called signatures: unique digital identifiers of a file, a special set of bytes derived from the contents of the file under investigation. In effect, a signature is a kind of "fingerprint" of a file: with its help a particular file or application can be uniquely identified. File hashes such as SHA-1 or SHA-256 are built in a similar way; hashing here means transforming the file's contents with a one-way mathematical function (a cryptographic hashing algorithm), which yields a unique string of hexadecimal characters. The function is called one-way because it is very easy to compute a hash from a file, but it is not possible to recover the original file from its hash. A virus signature is somewhat more complex: in addition to the hash, it also contains a number of unique features of the file.

Signatures are collected into data blocks called virus databases. The virus databases of anti-virus programs are updated periodically to include signatures of new threats investigated since the last update.

The anti-virus program examines files stored on disk (or downloaded from the Internet) and compares the results with the signatures recorded in the anti-virus database. If there is a match, the file is considered malicious. This technique has a significant flaw: an attacker only needs to change a few bytes of a file and its signature changes. Until the new malware sample reaches the virus laboratory and its signature is added to the databases, the antivirus will not be able to recognize and eliminate this threat.
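As an added illustration (not code from this article or from any antivirus product), a minimal scanner with a constructed virus database: a whole-file SHA-256 entry and a byte-pattern entry for the same constructed sample. Changing a single padding byte defeats the hash entry, as described above, while the byte-pattern entry still fires; all file contents, the `SignatureDB` class and the threat name are made up for the example.

```python
import hashlib
from dataclasses import dataclass, field

# Constructed sample "files" for the demo. None of this is real malware: the
# bytes are made up, and the host name uses the reserved .invalid TLD.
BENIGN = b"hello world, nothing to see here\n"
MALWARE_V1 = (b"MZ" + b"\x00" * 14
              + b"CONNECT beacon.example.invalid 4444" + b"\x00" * 8)
# A re-packed "variant": identical body, one padding byte at offset 4 changed.
MALWARE_V2 = MALWARE_V1[:4] + b"\x01" + MALWARE_V1[5:]


def sha256(data: bytes) -> str:
    """Whole-file hash, the simplest kind of signature: exact match only."""
    return hashlib.sha256(data).hexdigest()


@dataclass
class SignatureDB:
    """Tiny stand-in for a virus database (hypothetical, for this example)."""
    hashes: dict = field(default_factory=dict)    # sha256 hex -> threat name
    patterns: dict = field(default_factory=dict)  # threat name -> (offset, bytes)

    def add_hash(self, name: str, data: bytes) -> None:
        self.hashes[sha256(data)] = name

    def add_pattern(self, name: str, pattern: bytes, offset=None) -> None:
        # offset=None means "anywhere in the file"; an int pins it to a position.
        self.patterns[name] = (offset, pattern)

    def scan(self, data: bytes) -> list:
        """Return (method, threat name) pairs for every signature that matches."""
        hits = []
        digest = sha256(data)
        if digest in self.hashes:
            hits.append(("hash", self.hashes[digest]))
        for name, (offset, pattern) in self.patterns.items():
            if offset is None:
                matched = pattern in data
            else:
                matched = data[offset:offset + len(pattern)] == pattern
            if matched:
                hits.append(("pattern", name))
        return hits


def build_db() -> SignatureDB:
    db = SignatureDB()
    db.add_hash("Trojan.Example.A", MALWARE_V1)
    # The byte-pattern entry keys on the distinctive string, not the padding.
    db.add_pattern("Trojan.Example.A", b"CONNECT beacon.example.invalid")
    return db
```

Running `build_db().scan(MALWARE_V2)` returns only the pattern hit, which is exactly why real virus databases carry more than a hash per sample.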

Created on Dec 25th 2022 08:22. Viewed 160 times.