Introduction to Virus Scanners

Antivirus Software, Computer & Network Security, KHL 2010 – 2011

Upload: joris-schelfaut

Post on 03-Sep-2014


DESCRIPTION

An introduction to virus scanners and the basics of implementing a signature-based virus scanner.

TRANSCRIPT

Page 1: Introduction to Virus Scanners

Antivirus Software

Computer & Network Security

KHL 2010 – 2011

Page 2: Introduction to Virus Scanners

Overview

• Introduction
• How does a virus scanner work?
• Virus scanner implementation
• Final thoughts
• Conclusion


Page 4: Introduction to Virus Scanners

Introduction

• Motive
• Definitions

Page 5: Introduction to Virus Scanners

Introduction

• Motive
  – Widespread software:
    • On the one hand it is often taken for granted
    • On the other hand the impact of malware is too often underestimated
  – Personal interest:
    • How do they work?
    • Is it possible to create your own antivirus program?

Page 6: Introduction to Virus Scanners

Introduction

• Definitions *
  – Virus

• “A virus is a man-made computer program that infects a file or program on our computers. Each time the infected program is run, the virus is also triggered. It replicates or spreads itself by infecting other programs on the same computer. (...)” [GUARD2010]

* There are many definitions on the web; these are just some of them.

Page 7: Introduction to Virus Scanners

Introduction

• Definitions
  – Antivirus software

• “Antivirus or anti-virus software is used to prevent, detect, and remove computer viruses, worms, and trojan horses. It may also prevent and remove adware, spyware, and other forms of malware. (...)” [WIKI01]

Page 8: Introduction to Virus Scanners

Overview

• Introduction• How does a virus scanner work?• Virus scanner implementation• Final thoughts• Conclusion

Page 9: Introduction to Virus Scanners

How does a virus scanner work?

• Detection strategies
  – Signature based
  – Heuristics
  – Identifying suspicious behaviour
  – Sandbox

Page 10: Introduction to Virus Scanners

How does a virus scanner work?

• Detection strategies
  – Signature based

• “In the virus dictionary approach, when the anti-virus software examines a file, it refers to a dictionary of known viruses that have been identified by the author of the anti-virus software. If a piece of code in the file matches any virus identified in the dictionary, then the anti-virus software can try to solve the problem (...)” [ANTIVa]

• This approach will be demonstrated

Page 11: Introduction to Virus Scanners

How does a virus scanner work?

• Detection strategies
  – Heuristics

• “Many viruses start as a single infection and through either mutation or refinements by other attackers, can grow into dozens of slightly different strains, called variants. Generic detection refers to the detection and removal of multiple threats using a single virus definition.” (...)

Page 12: Introduction to Virus Scanners

How does a virus scanner work?

• “(...) While it may be advantageous to identify a specific virus, it can be quicker to detect a virus family through a generic signature or through an inexact match to an existing signature; (...) using wildcard characters where differences lie.

• These wildcards allow the scanner to detect viruses even if they are padded with extra, meaningless code. A detection that uses this method is said to be ‘heuristic detection’.” [WIKI01]
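The wildcard ("generic") signature idea quoted above, worked through as an added example in Python; this is not code from the presentation or from the Visual Basic tutorial it follows. A signature is written as hex bytes with "??" marking a byte that may differ between members of one family, and the search runs at every offset so padding with extra filler does not hide the pattern. The family signature, the two "variants" and the benign file are all constructed byte strings, not real malware.

```python
"""Generic (wildcard) byte-pattern signatures.

Added example, not the presentation's code. A signature is hex bytes with
"??" for a byte that may differ between variants of the same family.
All sample data below is constructed.
"""
from typing import List, Optional

Signature = List[Optional[int]]  # None marks a wildcard byte


def compile_signature(text: str) -> Signature:
    """Parse "4D 5A ?? 50" into [0x4D, 0x5A, None, 0x50]."""
    sig: Signature = []
    for token in text.split():
        if token == "??":
            sig.append(None)
        elif len(token) == 2:
            sig.append(int(token, 16))
        else:
            raise ValueError(f"bad signature token: {token!r}")
    # A pattern that starts or ends with a wildcard is just a shorter pattern;
    # reject it so signatures stay as specific as the author intended.
    if not sig or sig[0] is None or sig[-1] is None:
        raise ValueError("signature must start and end with a fixed byte")
    return sig


def find_signature(data: bytes, sig: Signature) -> int:
    """Return the offset of the first match of sig in data, or -1.

    The pattern is tried at every offset, so filler before or after it does
    not matter; bytes at wildcard positions are never compared.
    """
    n = len(sig)
    for offset in range(len(data) - n + 1):
        if all(b is None or data[offset + i] == b for i, b in enumerate(sig)):
            return offset
    return -1


# Constructed family signature: fixed prologue, two bytes that differ per
# variant (think of an address or an XOR key), then a fixed epilogue.
FAMILY_SIG = compile_signature("DE AD ?? ?? BE EF")

# Constructed samples: two variants padded with different filler, plus a
# benign file. None of this is real malware.
VARIANT_A = b"\x90" * 5 + bytes.fromhex("DEAD0102BEEF") + b"\x00" * 8
VARIANT_B = b"\xcc" * 20 + bytes.fromhex("DEADFFFEBEEF")
BENIGN = b"hello world, nothing to see here"


def classify(data: bytes) -> str:
    """Family-level ("heuristic") detection: one signature covers all variants."""
    return "Constructed.Family" if find_signature(data, FAMILY_SIG) >= 0 else "clean"


if __name__ == "__main__":
    for name, blob in [("A", VARIANT_A), ("B", VARIANT_B), ("benign", BENIGN)]:
        print(name, classify(blob), "offset", find_signature(blob, FAMILY_SIG))
```

With no "??" tokens the same code is an exact byte-sequence signature; each wildcard widens the set of files that match, so very short or wildcard-heavy signatures trade precision for the false positives the next slides warn about. Real engines also anchor patterns to file sections or offsets rather than searching the whole file, which keeps scanning fast and reduces accidental matches.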

Page 13: Introduction to Virus Scanners

How does a virus scanner work?

• Detection strategies
  – Identifying suspicious behaviour

• “The suspicious behavior approach (...) monitors the behavior of all programs. If one program tries to write data to an executable program, for example, this is flagged as suspicious behavior and the user is alerted to this, and asked what to do.”

• “(...) the suspicious behavior approach therefore provides protection against brand-new viruses that do not yet exist in any virus dictionaries. However, it also sounds a large number of false positives, and users probably become desensitized to all the warnings. (...)” [ANTIVa]

Page 14: Introduction to Virus Scanners

How does a virus scanner work?

• Detection strategies
  – Sandbox

• “A sandbox emulates the operating system and runs the executable in this simulation. After the program has terminated, the sandbox is analysed for changes which might indicate a virus. Because of performance issues this type of detection is normally only performed during on-demand scans.” [ANTIVa]

Page 15: Introduction to Virus Scanners

How does a virus scanner work?

• When an infected file is detected, we can choose to:
  – Delete the file;
    • We will use this option in the demonstration.
  – Quarantine it so that the file is inaccessible to other programs and its virus is unable to spread;
  – Attempt to repair the file by removing the virus itself from the file.


Page 17: Introduction to Virus Scanners

Virus scanner implementation

• Introduction
• Virus definitions
• Scanning
• Dealing with infected files

Page 18: Introduction to Virus Scanners

Virus scanner implementation

• Introduction
  – Now that we have an idea of how the antivirus software may work, let us see if we can make our own
  – Searching online I eventually found a tutorial on how to make a virus scanner in Visual Basic

Page 19: Introduction to Virus Scanners

Virus scanner implementation

• Virus definitions
  – A list of apparently over 70.000 virus definitions was included in the tutorial [JAMESG2010]
  – I have looked for additional, updated virus definition lists, but unfortunately I haven’t found much that was useful
    • Professional virus scanners download these definitions from websites that require authentication [GFI2010]

Page 20: Introduction to Virus Scanners

Virus scanner implementation

• Scanning
  1. In the Visual Basic code we import all the virus definitions
  2. The last file found by the “FileSystemWatcher” is read
  3. The hash is created
  4. The hash is compared to the virus definitions

Page 21: Introduction to Virus Scanners

Virus scanner implementation

(The slide content for steps 1. to 4. is an image that is not included in the transcript; only the step numbers survive.)

Page 22: Introduction to Virus Scanners

Virus scanner implementation

• Dealing with infected files
  – To keep things simple we will ask the user to delete detected files
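The four scanning steps of page 20 together with the delete and quarantine responses of pages 15 and 22, as an added example in Python rather than the presentation's Visual Basic; it is not the tutorial's code. Assumptions, since the slides do not show them: the definition list is a text file of "<sha256 hex>|<name>" lines, SHA-256 is the file hash, and an on-demand directory walk stands in for the FileSystemWatcher event. The "infected" sample is a constructed benign byte string whose hash is written into the list only so the example runs offline; a real list comes from the vendor.

```python
"""Virus-dictionary scanner: hash each file, look the hash up in a definition
list, then delete or quarantine a hit.

Added example, not the presentation's code. Definition format, SHA-256 and
the on-demand walk (instead of FileSystemWatcher) are assumptions; all
sample files are constructed.
"""
import hashlib
import shutil
import tempfile
from pathlib import Path
from typing import Dict, List, Optional, Tuple


def load_definitions(text: str) -> Dict[str, str]:
    """Step 1: parse "<sha256>|<name>" lines into {hash: name}; skip comments."""
    defs: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, _, name = line.partition("|")
        defs[digest.strip().lower()] = name.strip() or "Unknown"
    return defs


def hash_file(path: Path, chunk_size: int = 1 << 16) -> str:
    """Steps 2 and 3: read the file in chunks and return its SHA-256 hex digest."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def scan_directory(root: Path, defs: Dict[str, str]) -> List[Tuple[Path, str]]:
    """Step 4: return (path, name) for every file whose hash is in the list."""
    hits = []
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        name = defs.get(hash_file(path))
        if name:
            hits.append((path, name))
    return hits


def handle_infected(path: Path, action: str, quarantine_dir: Path) -> Optional[Path]:
    """'delete' removes the file; 'quarantine' moves it out of reach under a
    non-executable name (real products also encrypt the stored copy)."""
    if action == "delete":
        path.unlink()
        return None
    if action == "quarantine":
        quarantine_dir.mkdir(parents=True, exist_ok=True)
        target = quarantine_dir / (path.name + ".quarantined")
        shutil.move(str(path), str(target))
        return target
    raise ValueError(f"unknown action {action!r}")


# Constructed sample standing in for a known-bad file. Its hash goes into
# the list here only so the example runs offline.
SAMPLE_BAD = b"constructed test sample, not malware"
DEFINITIONS_TEXT = (
    "# sha256|name\n"
    + hashlib.sha256(SAMPLE_BAD).hexdigest() + "|Constructed.Test.Sample\n"
)


def demo(action: str = "delete") -> Tuple[List[str], bool]:
    """Create a temp tree with one 'infected' and one clean file, scan it, apply
    `action` to hits, and return (detected names, infected file still present)."""
    defs = load_definitions(DEFINITIONS_TEXT)
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        bad = root / "downloads" / "setup.exe"
        bad.parent.mkdir()
        bad.write_bytes(SAMPLE_BAD)
        (root / "downloads" / "notes.txt").write_bytes(b"plain text, nothing known here")
        hits = scan_directory(root, defs)
        for path, _ in hits:
            handle_infected(path, action, root / "quarantine")
        return [name for _, name in hits], bad.exists()


if __name__ == "__main__":
    print(demo("delete"))      # (['Constructed.Test.Sample'], False)
    print(demo("quarantine"))
```

A whole-file hash only ever matches the exact bytes it was taken from: one changed byte yields a different digest, which is why the generic signatures with wildcards from page 12 exist alongside the dictionary approach. Quarantine is usually the safer default over delete, since a false positive can then be restored.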

Page 23: Introduction to Virus Scanners

Virus scanner implementation

Deleting the infected file


Page 25: Introduction to Virus Scanners

Final thoughts

• Our virus scanner is far from perfect, but illustrates the basic concepts of signature based detection

Page 26: Introduction to Virus Scanners

Final thoughts

• While searching online I came across some things that might be worth mentioning:
  – “Companies that sell anti-virus software seem to have a financial incentive for viruses to be written and to spread, and for the public to panic over the threat.” [ANTIVa]
  – “Free virus scanners are performing as well as commercial virus scanners (...) During the traditional, signature-based test, the commercial ones detected 96.2% of all malware instances; the free products achieved a creditable 95.7%.” [SECNL2010]
  – ...


Page 28: Introduction to Virus Scanners

Conclusion

• What did we learn from this assignment?
  – Some of the different techniques antivirus software apply to deal with viruses and other malware
  – The basics of how to implement our very own virus scanner using the virus dictionary approach

Page 29: Introduction to Virus Scanners

Page 30: Introduction to Virus Scanners

References

• Internet
  – [GUARD2010] http://www.guard-privacy-and-online-security.com/computer-virus-definition.html
  – [WIKI01] http://en.wikipedia.org/wiki/Antivirus_software
  – [ANTIVa] http://www.antivirusworld.com/articles/antivirus.php
  – [KUENNING2002] http://www.scientificamerican.com/article.cfm?id=how-does-a-computer-virus
  – [SECNL2010] http://www.security.nl/artikel/35288/1/Gratis_virusscanner_even_goed_als_commercieel_pakket.html
  – [GFI2010] http://kbase.gfi.com/showarticle.asp?id=KBID002885

Page 31: Introduction to Virus Scanners

References

• Video
  – [JAMESG2010]
    • http://www.youtube.com/watch?v=HxjGR6GQhRc
    • http://www.youtube.com/watch?v=AtfNcefh_Lk
    • http://www.youtube.com/watch?v=IRHHDihFjhc
    • http://www.youtube.com/watch?v=PUniAps7bVM