
Thread: Antivirus Question

  1. #1
    John Guest

    Antivirus Question


    I am an independent software developer. I am working on making an advanced
    Antivirus program.

    How do you figure out if a program is a virus, worm or Trojan horse?

    Any clues or hints would be greatly appreciated.

    I know you have the ability to figure out what the program targets.

    So my thinking is that somehow you decompile the program and look at its
    source code, then you make the antivirus defs to be downloaded by users of
    Norton Antivirus to guard against viruses, worms and Trojan horses.

    If you can't tell me, maybe you can direct me to a website that can assist me
    on my project.

    Thanks,
    John

  2. #2
    Danny Kalev Guest

    Re: Antivirus Question



    John wrote:
    >
    > I am an independent software developer. I am working on making an advanced
    > Antivirus program.
    >
    > How do you figure out if a program is a virus, worm or Trojan horse?


    There's no simple answer to this. Viruses are usually identified by
    scanning the .exe file for a special pattern, or sequence of bytes, that
    is known to exist in the specific virus program. This means that
    you have to maintain a catalog of such patterns and update it
    frequently, as every new virus has its own pattern and new viruses
    appear every day. Another way to detect malicious code is by examining
    specific behavior patterns. For example, renaming system files and
    replacing them with new ones, opening suspect ports, disabling antivirus
    programs and so on. In short, I don't think that writing your own
    antivirus program is a feasible task, unless you intend to do it for
    fun or educational purposes. More comments below.
    >
    > Any clues or hints would be greatly appreciated.
    >
    > I know you have the ability to figure out what the program targets.
    >
    > So my thinking is that somehow you decompile the program and look at its
    > source code, then you make the antivirus defs to be downloaded by users of
    > Norton Antivirus to guard against viruses, worms and Trojan horses.


    If you can truly decompile a program, you should get a Nobel prize.
    Considering that most programs are optimized, and that many of them are
    distributed in several files and dll's, this is practically impossible.

    Danny

  3. #3
    jonnin Guest

    Re: Antivirus Question


    AFAIK houses like Norton find the virus code in a file (manually?) and then
    find a pattern. Then this pattern is added to your virus database when you
    update the definitions. Then your files are scanned and if the pattern is
    found, it's contaminated. Something more must be done, because the thing knows
    thousands of virus patterns but can scan the disk fairly quickly, but I don't
    know how the optimal scanning is done...

    The two I have caught that got past the protection both set the CPU usage
    to max (too long to be a random Windows spasm). There are other clues too:
    any modification of the registry, windows.ini, startup dir, etc. should trigger
    a scan.

    Trying to analyse the program code to find "intent" is impossible (I think);
    review theory of computing (can a program be written that determines if another
    program will do _________ ) is impossible if memory serves... (and that assumes
    full access to the source code). I think it can be done on some scale but
    not 100% of the time, probably only in a very limited way. Theory was long
    ago for me, so I could be wrong here...

    And you can decompile to assembly, but not really much more than that.
    After the grillionth lea instruction you will probably see why this is not helpful
    <g>





    "John" <randal@fanninelectric.com> wrote:
    >
    >I am an independent software developer. I am working on making an advanced
    >Antivirus program.
    >
    >How do you figure out if a program is a virus, worm or Trojan horse?
    >
    >Any clues or hints would be greatly appreciated.
    >
    >I know you have the ability to figure out what the program targets.
    >
    >So my thinking is that somehow you decompile the program and look at its
    >source code, then you make the antivirus defs to be downloaded by users of
    >Norton Antivirus to guard against viruses, worms and Trojan horses.
    >
    >If you can't tell me, maybe you can direct me to a website that can assist me
    >on my project.
    >
    >Thanks,
    >John
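An added example, not code from any poster or from any commercial antivirus product, of the single-pass multi-pattern scan that answers the "how is optimal scanning done" question above: an Aho-Corasick automaton built from a signature catalog, so that scanning cost depends on the size of the file rather than the number of signatures. The signatures and the sample buffer are constructed for the demo and are not real malware patterns.

```python
from collections import deque

# Constructed sample signatures for the demo, not real malware patterns.
SIGNATURES = {
    "Sample.A": b"\xde\xad\xbe\xef\x90\x90",
    "Sample.B": b"EVIL_MARKER",
    "Sample.C": b"\x90\x90\x90\xcc",
}
# Constructed demo "file": clean bytes with three signatures embedded (two overlap).
SAMPLE = b"hello\xde\xad\xbe\xef\x90\x90\x90\xcc world EVIL_MARKER!"

class SignatureScanner:
    """Aho-Corasick automaton: all signatures are matched in one pass over the data."""

    def __init__(self, signatures):
        self.goto = [{}]      # state -> {byte value: next state}
        self.fail = [0]       # state -> fallback state on mismatch
        self.out = [[]]       # state -> signature names that end in this state
        self.plen = {n: len(p) for n, p in signatures.items()}
        for name, pattern in signatures.items():   # build the keyword trie
            state = 0
            for b in pattern:
                if b not in self.goto[state]:
                    self.goto.append({}); self.fail.append(0); self.out.append([])
                    self.goto[state][b] = len(self.goto) - 1
                state = self.goto[state][b]
            self.out[state].append(name)
        queue = deque(self.goto[0].values())       # depth-1 states fall back to root
        while queue:                               # BFS computes failure links
            r = queue.popleft()
            for b, s in self.goto[r].items():
                f = self.fail[r]
                while f and b not in self.goto[f]:
                    f = self.fail[f]
                self.fail[s] = self.goto[f].get(b, 0)
                self.out[s] += self.out[self.fail[s]]   # inherit matches of suffixes
                queue.append(s)

    def scan(self, data):
        """Return (signature name, start offset) for every match, in match order."""
        hits, state = [], 0
        for i, b in enumerate(data):
            while state and b not in self.goto[state]:
                state = self.fail[state]
            state = self.goto[state].get(b, 0)
            for name in self.out[state]:
                hits.append((name, i - self.plen[name] + 1))
        return hits

def scan_bytes(data, signatures=SIGNATURES):
    """Build the automaton once per catalog and scan one buffer with it."""
    return SignatureScanner(signatures).scan(data)
```

Running `scan_bytes(SAMPLE)` reports all three embedded signatures with their offsets, including the two that share bytes, because the failure links carry the scan from one partial match into the next without rewinding.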


