
Introduction to Virus Scanners


An introduction to virus scanners and the basics to implement a signature-based virus scanner.


  1. Antivirus Software. Computer & Network Security, KHL 2010 – 2011
  2. Overview • Introduction • How does a virus scanner work? • Virus scanner implementation • Final thoughts • Conclusion
  3. Overview • Introduction • How does a virus scanner work? • Virus scanner implementation • Final thoughts • Conclusion
  4. Introduction • Motive • Definitions
  5. Introduction • Motive – Wide-spread software: • On the one hand it is often taken for granted • On the other hand the impact of malware is too often underestimated – Personal interest: • How do they work? • Is it possible to create your own antivirus program?
  6. Introduction • Definitions * – Virus • “A virus is a man-made computer program that infects a file or program on our computers. Each time the infected program is run, the virus is also triggered. It replicates or spreads itself by infecting other programs on the same computer. (...)” [GUARD2010] * There are many definitions on the web; these are just some of them
  7. Introduction • Definitions – Antivirus software • “Antivirus or anti-virus software is used to prevent, detect, and remove computer viruses, worms, and trojan horses. It may also prevent and remove adware, spyware, and other forms of malware. (...)” [WIKI01]
  8. Overview • Introduction • How does a virus scanner work? • Virus scanner implementation • Final thoughts • Conclusion
  9. How does a virus scanner work? • Detection strategies – Signature based – Heuristics – Identifying suspicious behaviour – Sandbox
  10. How does a virus scanner work? • Detection strategies – Signature based • “In the virus dictionary approach, when the antivirus software examines a file, it refers to a dictionary of known viruses that have been identified by the author of the anti-virus software. If a piece of code in the file matches any virus identified in the dictionary, then the anti-virus software can try to solve the problem (...)” [ANTIVa] • This approach will be demonstrated
  11. How does a virus scanner work? • Detection strategies – Heuristics • “Many viruses start as a single infection and through either mutation or refinements by other attackers, can grow into dozens of slightly different strains, called variants. Generic detection refers to the detection and removal of multiple threats using a single virus definition.” (...)
  12. How does a virus scanner work? • “(...) While it may be advantageous to identify a specific virus, it can be quicker to detect a virus family through a generic signature or through an inexact match to an existing signature; (...) using wildcard characters where differences lie. • These wildcards allow the scanner to detect viruses even if they are padded with extra, meaningless code. A detection that uses this method is said to be ‘heuristic detection’.” [WIKI01]
  13. How does a virus scanner work? • Detection strategies – Identifying suspicious behaviour • “The suspicious behavior approach (...) monitors the behavior of all programs. If one program tries to write data to an executable program, for example, this is flagged as suspicious behavior and the user is alerted to this, and asked what to do.” • “(...) the suspicious behavior approach therefore provides protection against brand-new viruses that do not yet exist in any virus dictionaries. However, it also sounds a large number of false positives, and users probably become desensitized to all the warnings. (...)” [ANTIVa]
  14. How does a virus scanner work? • Detection strategies – Sandbox • “A sandbox emulates the operating system and runs the executable in this simulation. After the program has terminated, the sandbox is analysed for changes which might indicate a virus. Because of performance issues this type of detection is normally only performed during on-demand scans.” [ANTIVa]
  15. How does a virus scanner work? • When an infected file is detected, we can choose to: – Delete the file; • We will use this option in the demonstration. – Quarantine it so that the file is inaccessible to other programs and its virus is unable to spread; – Attempt to repair the file by removing the virus itself from the file.
  16. Overview • Introduction • How does a virus scanner work? • Virus scanner implementation • Final thoughts • Conclusion
  17. Virus scanner implementation • Introduction • Virus definitions • Scanning • Dealing with infected files
  18. Virus scanner implementation • Introduction – Now that we have an idea of how antivirus software may work, let us see if we can make our own – Searching online I eventually found a tutorial on how to make a virus scanner in Visual Basic
  19. Virus scanner implementation • Virus definitions – A list of apparently over 70,000 virus definitions was included in the tutorial [JAMESG2010] – I have looked for additional, updated virus definition lists, but unfortunately I haven’t found much that is useful • Professional virus scanners download these definitions from websites that require authentication [GFI2010]
  20. Virus scanner implementation • Scanning 1. In the Visual Basic code we import all the virus definitions 2. The last file found by the “FileSystemWatcher” is read 3. The hash of the file is computed 4. The hash is compared to the virus definitions
  21. Virus scanner implementation (screenshots of steps 1 to 4)
  22. Virus scanner implementation • Dealing with infected files – To keep things simple we will ask the user to delete detected files
  23. Virus scanner implementation: deleting the infected file (screenshot)
  24. Overview • Introduction • How does a virus scanner work? • Virus scanner implementation • Final thoughts • Conclusion
  25. Final thoughts • Our virus scanner is far from perfect, but it illustrates the basic concepts of signature-based detection
  26. Final thoughts • While searching online I came across some things that might be worth mentioning: – “Companies that sell anti-virus software seem to have a financial incentive for viruses to be written and to spread, and for the public to panic over the threat.” [ANTIVa] – “Free virus scanners are performing as well as commercial virus scanners (...) During the traditional, signature-based test, the commercial ones detected 96.2% of all malware instances; the free products achieved a creditable 95.7%.” [SECNL2010] – ...
  27. Overview • Introduction • How does a virus scanner work? • Virus scanner implementation • Final thoughts • Conclusion
  28. Conclusion • What did we learn from this assignment? – Some of the different techniques antivirus software applies to deal with viruses and other malware – The basics of how to implement our very own virus scanner using the virus dictionary approach
  29. References • Internet – [GUARD2010] • http://www.guard-privacy-and-online-security.com/computer-virus-definition – [WIKI01] • http://en.wikipedia.org/wiki/Antivirus_software – [ANTIVa] • http://www.antivirusworld.com/articles/antivirus.php – [KUENNING2002] • http://www.scientificamerican.com/article.cfm?id=how-does-acomputer-virus – [SECNL2010] • http://www.security.nl/artikel/35288/1/Gratis_virusscanner_even_goed_als_commercieel_pakket.html – [GFI2010] • http://kbase.gfi.com/showarticle.asp?id=KBID002885
  30. References • Video – [JAMESG2010] • http://www.youtube.com/watch?v=HxjGR6GQhRc • http://www.youtube.com/watch?v=AtfNcefh_Lk • http://www.youtube.com/watch?v=IRHHDihFjhc • http://www.youtube.com/watch?v=PUniAps7bVM
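The four scanning steps of slide 20 and the delete action of slide 22, as an added example in Python; this is not the deck's Visual Basic code or the tutorial's. It assumes SHA-256 digests (the deck does not name the hash), a definition list of "<hex digest> <name>" lines, files handed to the scanner directly instead of arriving from a FileSystemWatcher, and the EICAR test file (a harmless, publicly specified scanner test string) as the constructed sample.

```python
# Added example, not the deck's Visual Basic code: a hash-dictionary scanner following
# slides 20 and 22. Assumed, since the deck does not say: SHA-256 digests, definitions
# as "<hex> <name>" lines, files passed in explicitly rather than from a FileSystemWatcher.
import hashlib, os, tempfile

EICAR = b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"
EICAR_SHA256 = "275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f"
DEFINITIONS = f"# constructed definition list\n{EICAR_SHA256} EICAR-Test-File\n"

def load_definitions(text):
    """Step 1: parse the definition list into {digest: name}, rejecting malformed lines."""
    defs = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        digest, _, name = line.partition(" ")
        digest = digest.lower()
        if len(digest) != 64 or set(digest) - set("0123456789abcdef"):
            raise ValueError(f"bad definition line: {line!r}")
        defs[digest] = name.strip() or "unknown"
    return defs

def file_hash(path, chunk=1 << 16):
    """Step 3: hash the file in chunks so large files are not read into memory at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def scan_and_delete(path, defs, delete=os.remove):
    """Step 4 plus slide 22: look the digest up and call delete(path) on a hit. Exact-hash
    matching fires only on byte-identical files; the padding of slide 12 defeats it."""
    name = defs.get(file_hash(path))
    if name is None:
        return None, False
    delete(path)
    return name, True

def demo():
    """Constructed run: an EICAR test file and a clean file in a temp directory."""
    defs, deleted = load_definitions(DEFINITIONS), []
    with tempfile.TemporaryDirectory() as d:
        files = {"eicar.com": EICAR, "notes.txt": b"just a text file\n"}
        for fname, data in files.items():
            with open(os.path.join(d, fname), "wb") as f:
                f.write(data)
        results = {n: scan_and_delete(os.path.join(d, n), defs, deleted.append) for n in files}
    return results, [os.path.basename(p) for p in deleted]
```

The `delete` callback is injectable so a run can record what would be removed instead of removing it; with the default `os.remove` it behaves like the deck's delete option.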
