Introduction to Virus Scanners
Antivirus Software
Computer & Network Security
KHL 2010 – 2011
Overview
• Introduction
• How does a virus scanner work?
• Virus scanner implementation
• Final thoughts
• Conclusion
Introduction
• Motive
• Definitions
Introduction
• Motive
  – Wide-spread software:
    • On the one hand it is often taken for granted
    • On the other hand the impact of malware is too often underestimated
  – Personal interest:
    • How do they work?
    • Is it possible to create your own antivirus program?
Introduction
• Definitions *
  – Virus
    • “A virus is a man-made computer program that infects a file or program on our computers. Each time the infected program is run, the virus is also triggered. It replicates or spreads itself by infecting other programs on the same computer. (...)” [GUARD2010]

* There are many definitions on the web; these are just some of them.
Introduction
• Definitions
  – Antivirus software
    • “Antivirus or anti-virus software is used to prevent, detect, and remove computer viruses, worms, and trojan horses. It may also prevent and remove adware, spyware, and other forms of malware. (...)” [WIKI01]
How does a virus scanner work?
• Detection strategies
  – Signature based
  – Heuristics
  – Identifying suspicious behaviour
  – Sandbox
How does a virus scanner work?
• Detection strategies
  – Signature based
    • “In the virus dictionary approach, when the anti-virus software examines a file, it refers to a dictionary of known viruses that have been identified by the author of the anti-virus software. If a piece of code in the file matches any virus identified in the dictionary, then the anti-virus software can try to solve the problem (...)” [ANTIVa]
    • This approach will be demonstrated
How does a virus scanner work?
• Detection strategies
  – Heuristics
    • “Many viruses start as a single infection and through either mutation or refinements by other attackers, can grow into dozens of slightly different strains, called variants. Generic detection refers to the detection and removal of multiple threats using a single virus definition.” (...)
    • “(...) While it may be advantageous to identify a specific virus, it can be quicker to detect a virus family through a generic signature or through an inexact match to an existing signature; (...) using wildcard characters where differences lie.
    • These wildcards allow the scanner to detect viruses even if they are padded with extra, meaningless code. A detection that uses this method is said to be ‘heuristic detection’.” [WIKI01]
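The wildcard idea in the quote above, as an added example (this is not code from the presentation or from the tutorial it follows). A signature is written as hex bytes where `??` stands for "any byte"; one generic signature then covers two constructed variants that differ in the wildcard positions and in the amount of padding in front of the pattern. The signature names, the byte patterns and both sample buffers are constructed for the demo.

```python
"""Heuristic (generic) signature matching with wildcard bytes.

Added example, not the presentation's code. A signature is a list of
byte values in which None means "any byte", the '??' wildcard. One such
signature matches a whole family of variants that differ only at the
wildcard positions or that are padded with junk before the pattern.
"""
from typing import List, Optional


def parse_signature(text: str) -> List[Optional[int]]:
    """Parse 'DE AD ?? BE EF' into [0xDE, 0xAD, None, 0xBE, 0xEF]."""
    sig: List[Optional[int]] = []
    for tok in text.split():
        if tok == "??":
            sig.append(None)
        else:
            value = int(tok, 16)
            if not 0 <= value <= 0xFF:
                raise ValueError(f"bad byte token {tok!r}")
            sig.append(value)
    return sig


def match_at(data: bytes, sig: List[Optional[int]], pos: int) -> bool:
    """True if sig matches data starting at pos; wildcards match any byte."""
    if pos < 0 or pos + len(sig) > len(data):
        return False
    return all(s is None or data[pos + i] == s for i, s in enumerate(sig))


def find_signature(data: bytes, sig: List[Optional[int]]) -> int:
    """Offset of the first match, or -1. A plain linear scan: fine for a
    demo, far too slow for a real engine with tens of thousands of rules."""
    if not sig:
        return -1
    for pos in range(len(data) - len(sig) + 1):
        if match_at(data, sig, pos):
            return pos
    return -1


def scan_buffer(data: bytes, sigs: dict) -> List[str]:
    """Names of every signature that hits the buffer, in dictionary order."""
    return [name for name, sig in sigs.items() if find_signature(data, sig) != -1]


# Constructed family (hypothetical names and bytes): an exact signature
# for variant A and a generic one that leaves the two bytes that differ
# between variants as wildcards.
SIGNATURES = {
    "Demo.Family.A": parse_signature("DE C0 01 02 13 37 AB CD"),
    "Demo.Family.Gen": parse_signature("DE C0 ?? ?? 13 37 AB CD"),
}
# Variant A as-is; variant B has two bytes changed and extra padding in front.
VARIANT_A = b"\x00" * 8 + bytes.fromhex("DEC001021337ABCD") + b"\x00" * 4
VARIANT_B = b"\x90" * 20 + bytes.fromhex("DEC0AABB1337ABCD")

if __name__ == "__main__":
    for label, buf in (("A", VARIANT_A), ("B", VARIANT_B)):
        print(label, scan_buffer(buf, SIGNATURES))
```

Variant B is missed by the exact signature but caught by the generic one, which is exactly the gain the quote describes. The cost is on the other side: every wildcard widens the set of clean files the rule can also hit, so a generic signature has to be tested against a large clean corpus before it is shipped.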
How does a virus scanner work?
• Detection strategies
  – Identifying suspicious behaviour
    • “The suspicious behavior approach (...) monitors the behavior of all programs. If one program tries to write data to an executable program, for example, this is flagged as suspicious behavior and the user is alerted to this, and asked what to do.”
    • “(...) the suspicious behavior approach therefore provides protection against brand-new viruses that do not yet exist in any virus dictionaries. However, it also sounds a large number of false positives, and users probably become desensitized to all the warnings. (...)” [ANTIVa]
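The rule from the quote ("a program writes to an executable") run over a few constructed events, as an added example that is not part of the presentation. The event line format, the process names and the paths are all constructed; no real monitor emits this format. The run also shows the false-positive problem the second quote raises: a legitimate installer trips the same rule, and a small trusted-writers list is the usual first step to contain the noise.

```python
"""Behaviour-based flagging run over a constructed event log.

Added example, not the presentation's code. Each log line is
'<process>|<operation>|<target path>' (a constructed format). The rule
is the one the slide quotes: a program writing to an executable file is
suspicious and the user is asked what to do.
"""
from collections import Counter
from typing import Dict, FrozenSet, List, Tuple

EXECUTABLE_SUFFIXES = (".exe", ".dll", ".com", ".scr")

# Constructed sample events: a text editor saving a document, an
# unexpected write to a system binary, a legitimate installer, a
# read-only access, and a screensaver writing a copy of itself.
SAMPLE_EVENTS = """\
notepad.exe|write|C:\\Users\\alice\\notes.txt
game.exe|write|C:\\Windows\\System32\\calc.exe
setup_installer.exe|write|C:\\Program Files\\App\\app.exe
browser.exe|read|C:\\Program Files\\App\\app.exe
photo.scr|write|C:\\Users\\alice\\Documents\\photo.scr
"""


def parse_event(line: str) -> Dict[str, str]:
    """Split one constructed log line into its three fields."""
    proc, op, target = line.rstrip("\n").split("|", 2)
    return {"process": proc, "operation": op, "target": target}


def is_suspicious(event: Dict[str, str]) -> bool:
    """Rule: any write to an executable file is flagged."""
    return (event["operation"] == "write"
            and event["target"].lower().endswith(EXECUTABLE_SUFFIXES))


def flag_events(text: str, trusted: FrozenSet[str] = frozenset()) -> List[Tuple[str, str]]:
    """(process, target) pairs the rule would alert on.

    Processes in `trusted` (e.g. a known installer) are exempt; that is
    the crude allow-list most behaviour monitors grow to cut false positives."""
    hits = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ev = parse_event(line)
        if ev["process"] in trusted:
            continue
        if is_suspicious(ev):
            hits.append((ev["process"], ev["target"]))
    return hits


def alert_summary(text: str, trusted: FrozenSet[str] = frozenset()) -> Counter:
    """Alerts per process: every entry is one prompt shown to the user."""
    return Counter(proc for proc, _ in flag_events(text, trusted))


if __name__ == "__main__":
    print("no allow-list:", flag_events(SAMPLE_EVENTS))
    print("installer trusted:", flag_events(SAMPLE_EVENTS, frozenset({"setup_installer.exe"})))
```

Without the allow-list three of the five events produce a prompt, and one of the three is the installer doing exactly what installers do. That ratio is the desensitisation problem in miniature: the rule needs no signature update to catch a new sample, but every legitimate write to an executable costs one of the user's remaining ounces of attention.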
How does a virus scanner work?
• Detection strategies
  – Sandbox
    • “A sandbox emulates the operating system and runs the executable in this simulation. After the program has terminated, the sandbox is analysed for changes which might indicate a virus. Because of performance issues this type of detection is normally only performed during on-demand scans.” [ANTIVa]
How does a virus scanner work?
• When an infected file is detected, we can choose to:
  – Delete the file;
    • We will use this option in the demonstration.
  – Quarantine it so that the file is inaccessible to other programs and its virus is unable to spread;
  – Attempt to repair the file by removing the virus itself from the file.
Virus scanner implementation
• Introduction
• Virus definitions
• Scanning
• Dealing with infected files
Virus scanner implementation
• Introduction
  – Now that we have an idea of how the antivirus software may work, let us see if we can make our own
  – Searching online I eventually found a tutorial on how to make a virus scanner in Visual Basic
Virus scanner implementation
• Virus definitions
  – A list of apparently over 70.000 virus definitions was included in the tutorial [JAMESG2010]
  – I have looked for additional, updated virus definition lists, but unfortunately I haven’t found much that is useful
    • Professional virus scanners download these definitions from websites that require authentication [GFI2010]
Virus scanner implementation
• Scanning
  1. In the Visual Basic code we import all the virus definitions
  2. The last file found by the “FileSystemWatcher” is read
  3. The hash is created
  4. The hash is compared to the virus definitions
Virus scanner implementation
[Code screenshots for scanning steps 1–4; not reproduced in the text]
Virus scanner implementation
• Dealing with infected files
  – To keep things simple we will ask the user to delete detected files
Virus scanner implementation
Deleting the infected file
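The four scanning steps (load definitions, read the file, hash it, compare the hash) together with the two handling options from the earlier slide, delete and quarantine, as one added example. This is not the Visual Basic code from the tutorial the slides follow; it is written for this page and makes some assumptions: the definition list is a text file with one `<sha256 hex>;<name>` entry per line (a constructed format; the deck does not say which hash or file format the tutorial uses), files are hashed in chunks, and the demo builds its own throwaway directory with a harmless constructed "known sample" so it runs offline. The .NET FileSystemWatcher has no counterpart here; the example scans a directory on demand instead.

```python
"""Dictionary (hash signature) scanner with delete and quarantine handling.

Added example, not the tutorial's Visual Basic code. Assumed definition
format: one '<sha256 hex>;<name>' per line, '#' comments allowed.
"""
import hashlib
import os
import shutil
import tempfile
from pathlib import Path
from typing import Dict, List, Optional, Tuple

CHUNK = 1 << 16  # read files in 64 KiB pieces so big files need not fit in memory


def load_definitions(path: Path) -> Dict[str, str]:
    """Step 1: import the definitions as {hex_hash: signature name}."""
    defs: Dict[str, str] = {}
    for line in path.read_text().splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, name = line.split(";", 1)
        defs[digest.strip().lower()] = name.strip()
    return defs


def hash_file(path: Path, algorithm: str = "sha256") -> str:
    """Steps 2 and 3: read the file and compute its hash (algorithm is an assumption)."""
    h = hashlib.new(algorithm)
    with path.open("rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def scan_file(path: Path, defs: Dict[str, str]) -> Optional[str]:
    """Step 4: the signature name if the hash is in the dictionary, else None."""
    return defs.get(hash_file(path))


def handle_infected(path: Path, name: str, action: str, quarantine_dir: Path) -> Optional[Path]:
    """Apply the chosen action; returns the file's new location, or None if deleted."""
    if action == "delete":  # the option the slides use
        path.unlink()
        return None
    if action == "quarantine":
        quarantine_dir.mkdir(parents=True, exist_ok=True)
        # Rename so the file cannot be launched by its extension, make it
        # read-only, and record where it came from so it can be restored.
        dest = quarantine_dir / (path.name + ".quarantined")
        shutil.move(str(path), dest)
        os.chmod(dest, 0o400)
        (quarantine_dir / (path.name + ".meta")).write_text(f"{path}\n{name}\n")
        return dest
    raise ValueError(f"unknown action {action!r}")


def scan_directory(root: Path, defs: Dict[str, str], action: str,
                   quarantine_dir: Path) -> List[Tuple[str, str, Optional[Path]]]:
    """Scan every regular file under root; returns [(path, signature name, new location)]."""
    findings = []
    for p in sorted(root.rglob("*")):
        if not p.is_file() or quarantine_dir in p.parents:
            continue
        name = scan_file(p, defs)
        if name:
            findings.append((str(p), name, handle_infected(p, name, action, quarantine_dir)))
    return findings


def demo(action: str = "quarantine") -> dict:
    """Build a throwaway tree with one 'known sample' (harmless constructed bytes)
    and one clean file, then scan it with the given action."""
    root = Path(tempfile.mkdtemp(prefix="avdemo_"))
    sample = root / "sample.bin"
    sample.write_bytes(b"constructed harmless bytes standing in for a known sample")
    (root / "clean.txt").write_text("nothing to see here")
    defs_file = root / "defs.txt"
    defs_file.write_text("# constructed definition list\n"
                         f"{hash_file(sample)};Test.Sample.A\n")
    findings = scan_directory(root, load_definitions(defs_file), action, root / "quarantine")
    return {"findings": findings,
            "sample_exists": sample.exists(),
            "clean_exists": (root / "clean.txt").exists()}


if __name__ == "__main__":
    print(demo("quarantine"))
    print(demo("delete"))
```

Whole-file hashing is the simplest form of the dictionary approach and also its weakest: changing a single byte of the sample gives a different hash and an empty result, which is why real definitions match on code fragments and wildcards rather than on whole files. Quarantine is usually preferable to deletion because a false positive can be undone; the `.meta` record next to the renamed file is what makes that restore possible.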
Final thoughts
• Our virus scanner is far from perfect, but illustrates the basic concepts of signature based detection
Final thoughts
• While searching online I came across some things that might be worth mentioning:
  – “Companies that sell anti-virus software seem to have a financial incentive for viruses to be written and to spread, and for the public to panic over the threat.” [ANTIVa]
  – “Free virus scanners are performing as well as commercial virus scanners (...) During the traditional, signature-based test, the commercial ones detected 96.2% of all malware instances; the free products achieved a creditable 95.7%.” [SECNL2010]
  – ...
Conclusion
• What did we learn from this assignment?
  – Some of the different techniques antivirus software applies to deal with viruses and other malware
  – The basics of how to implement our very own virus scanner using the virus dictionary approach
References
• Internet
  – [GUARD2010] http://www.guard-privacy-and-online-security.com/computer-virus-definition.html
  – [WIKI01] http://en.wikipedia.org/wiki/Antivirus_software
  – [ANTIVa] http://www.antivirusworld.com/articles/antivirus.php
  – [KUENNING2002] http://www.scientificamerican.com/article.cfm?id=how-does-a-computer-virus
  – [SECNL2010] http://www.security.nl/artikel/35288/1/Gratis_virusscanner_even_goed_als_commercieel_pakket.html
  – [GFI2010] http://kbase.gfi.com/showarticle.asp?id=KBID002885
References
• Video
  – [JAMESG2010]
    • http://www.youtube.com/watch?v=HxjGR6GQhRc
    • http://www.youtube.com/watch?v=AtfNcefh_Lk
    • http://www.youtube.com/watch?v=IRHHDihFjhc
    • http://www.youtube.com/watch?v=PUniAps7bVM