Ximal Posted October 11, 2014 Posted October 11, 2014 I am looking for material that might better explain the basic functionality of Anti-Virus programs such as the old mcafee and other programs such as security suites that are specifically produced by that system's managers? Maybe even to give a low-level user the introductory things such as how or what security suites look for when they scan a file, how the files are scanned etc? I mean, I have allot of questions on the subject, but they are all arbitrary and motivated for other reasons. I was wanting to find out the right direction in learning about this without it being through il-motivation.. I am, in a way, seeking a way to improve the security of a certain program through the creation of my own add-on(s)... Quote
overwraith Posted October 11, 2014 Posted October 11, 2014 (edited) From what I understand, hashing the file signature is involved in the process. A hashing algorithm is also known as a fingerprinting algorithm, because if the string input changes by even one character, then the hash changes drastically. AV walks the directory tree, scans the hashes, and if the hash for a file has changed, or matches a virus hash, then the AV software implements a quarantine and removal process, I think that part may vary for any given virus. Some hashing algorithms are Sha-1, sha-512, MD5, etc. There are more complexities, I am sure, I am no expert on the matter. Hashes are also said to be one way, cannot be reversed. I think Clam AV is a free AV software that you should be able to view the source code. Edited October 11, 2014 by overwraith Quote
newbi3 Posted October 11, 2014 Posted October 11, 2014 Also some AVs look at what programs are doing while they are running and if it does something that the AV thinks is abnormal then it will flag it. This happened to me when I was working on a python program that had the ability to turn on the webcam. I was testing it out on one of my windows vms and boom AVG flagged it as soon as i tried to enable the webcam and it gave me a nice warning saying that it was trying to get a look at me and told me I should block it. Quote
overwraith Posted October 12, 2014 Posted October 12, 2014 Right, I think that would be an API monitor or something. Quote
cooper Posted October 12, 2014 Posted October 12, 2014 (edited) From what I understand, hashing the file signature is involved in the process. A hashing algorithm is also known as a fingerprinting algorithm, because if the string input changes by even one character, then the hash changes drastically. AV walks the directory tree, scans the hashes, and if the hash for a file has changed, or matches a virus hash, then the AV software implements a quarantine and removal process, I think that part may vary for any given virus. Some hashing algorithms are Sha-1, sha-512, MD5, etc. There are more complexities, I am sure, I am no expert on the matter. Hashes are also said to be one way, cannot be reversed. I think Clam AV is a free AV software that you should be able to view the source code. The problem with that is that a full system check would result in the AV software reading the file for *EACH AND EVERY* binary on the system it has a hash for, and recomputing it to compare. That's a *LOT* of hashes to compute and a *LOT* of data to read from disk. It would be slow as hell, so not something you'd do regularly. From what I understood an anti-virus program inspects the beginning of any executable, where the file contains basically the setup code, looking for 'anomalies'. It would usually contain something like 'set up a few registers, then jump to file position 0x1234 and execute the instruction there. Since virusses tend to append themselves to the very end of the program file, they change this setup code to first jump to the virus code so it becomes active, and then jumps back to the original 0x1234 position to get the program to run and you being none the wiser. It's unusual for a normal program to have that jump to the very first instruction be a jump to some location nearer to the end of the file, so that's a red flag. The antivirus program can also read the program to find that first jump, go there, read the next X bytes, compute a checksum over it and compare the result with that of known virus definitions. This would massively reduce the amount of data that needs to be read from disk or the amount of data over which a hash needs to be computed. Edited October 12, 2014 by Cooper Quote
Broti Posted October 12, 2014 Posted October 12, 2014 Well I know how Avira Anti Virus reacts if a suspicious file is found. When you click "remove" it'll scan the registry for other harmful stuff. An it even checks if the own program files have been manipulated. Since I'm using the free version there is an exe file which is nagging with ad. So I wrote a very small exe that closes itself. As the replacement method I had to use Image Hijacking, because if I replaced the original exe it got restored after some time. But even this method it not bullet-proof. When Avira's scanning the registry it'll find the registry entry under "Image File Execution Options" and removes it. So it's very protective to its own files. Quote
overwraith Posted October 12, 2014 Posted October 12, 2014 The problem with that is that a full system check would result in the AV software reading the file for *EACH AND EVERY* binary on the system it has a hash for, and recomputing it to compare. That's a *LOT* of hashes to compute and a *LOT* of data to read from disk. It would be slow as hell, so not something you'd do regularly. Well, AV scans are particularly slow anyway, I guess making the scan more selective is one way to ensure that it does not take as long. Another thought I had, AV programs do have to be very bullet proof, because hackers will search for exploits in the program that allows them to subvert the AV. A few methods of making the program more bullet proof are obfuscation (possibly on a per build basis), crypting/encryption, good coding techniques, and some AV programs even separate some of their functionality from the end users by placing it on a server so it is not possible to reverse engineer. I know that pc-matic (spellcheck) software is an online service, perhaps this is the reasoning behind it. There are also security loopholes that the AV companies have to know about, have you all ever heard about alternate data streams? The best way I can describe it is by hiding a file behind another file in the data stream, AV's are checking them now, but they didn't always. I think it is an NTFS feature. I may not be getting the syntax right here, you may need to look it up elsewhere. Basically the colon is the alternate data stream. echo "Hello World!!!" > "Hello World.txt:Something.txt" Quote
cooper Posted October 12, 2014 Posted October 12, 2014 Explanatory article on Alternate Data Streams or ADS. To my knowledge it's an NTFS-only feature and in the article they point out the only sensible use I can think of it. Quote
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.