• An AV product cannot spot new, unknown threats unless they are based on
old, known patterns, regardless of what the AV industry advertises.
• Native languages fulfill these requirements because, once compiled, the code runs
natively on the host CPU at full speed.
• Scanners:
• On-demand scanners run whenever the user decides to check a set of files,
directories, or the system’s memory.
• Real-time scanners analyze files as they are accessed, created, modified, or
executed by the operating system or other programs.
• Unpackers
• An AV product must be able to decompress executables that were packed
(compressed) before scanning them.
• Some AVs apply CPU emulation to emulate the execution (and thus the unpacking) of the
scanned files.
Eng. Mahmoud Al-Hoby 11
Antivirus Features: Basic Features
• Miscellaneous File Formats
• AV products must support a very long list of file formats in order to catch
exploits embedded in those files.
• Whenever an exploit appears for a specific file format, the AV product must
add a level of support for that format, which adds to the complexity of the AV
kernel.
• To do this, AV software implements the concept of a firewall for blocking and detecting the
most common known network attacks.
• Self-Protection
• AV software needs to protect itself from malware.
1. On-demand Scanning:
• When triggered, it reads the files on the file system and searches them for malware it
knows about, or for signatures common to certain families of viruses.
• The trigger may be manual or scheduled.
• The drivers can intercept every I/O request, pass it on to the file system,
modify it on the way to the file system, or reject the request
completely.
• The driver can also scan the content of the responses coming back.
[Figure: a read request passing down to the hardware and the read reply returning, with the scanning driver on both paths]
[Figure: signature database holding Sig1, Sig2, ..., SigN]
• Search types:
• Memory Search
• File Search
• Content-Based Search
• Icon-Based Search
• Registry Search
Worm.BugBear.A(Clam)=63023a2041706163686519332e3236202855a251b1db7678291d44a5653a2760a56eadb00a022d74
• ClamAV basic signatures are hex-encoded sequences of file content that uniquely identify
the malware sample, stored as MalwareName=HexSignature.
• The signature is recommended to be from 40 to 3000 hex characters long.
• The longer the signature, the more specific it becomes, and the less likely it is to match clean files by accident.
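The following is an added example, not code from the slides or from ClamAV itself. It shows how the on-demand scanning described above and the ClamAV basic signature format fit together: a loader that parses `MalwareName=HexSignature` lines (enforcing the 40 to 3000 hex-character recommendation and rejecting bad hex), a linear Sig1..SigN byte search, a chunked file scanner that keeps an overlap so a pattern straddling a chunk boundary is still caught, and a directory walk that reports only infected files. The database reuses the BugBear line quoted on the slide; the second entry, the file contents and the directory layout are constructed for the demo.

```python
"""Minimal on-demand signature scanner in the ClamAV basic ``.db`` style (added example)."""
import os
import shutil
import tempfile
from typing import Dict, List

# Constructed sample database. The first line is the BugBear signature quoted on the
# slide; the second is a made-up test entry ("THIS IS A TEST MALWARE PATTERN!!!!!!!!"),
# not a real ClamAV signature.
SAMPLE_DB = """\
Worm.BugBear.A(Clam)=63023a2041706163686519332e3236202855a251b1db7678291d44a5653a2760a56eadb00a022d74
Test.Dummy.Sig=544849532049532041205445535420414d414c5741524520504154544552 4e2121212121212121
""".replace(" 4e", "4e")

MIN_HEX_LEN, MAX_HEX_LEN = 40, 3000   # recommended signature length in hex chars (from the slide)


def parse_db(text: str) -> Dict[str, bytes]:
    """Parse 'Name=hex' lines into {name: raw_bytes}; skip blank and '#' lines.

    Malformed entries raise ValueError so a broken database is noticed at load
    time instead of silently weakening detection.
    """
    sigs: Dict[str, bytes] = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, sep, hexsig = line.partition("=")
        if not sep or not name:
            raise ValueError(f"line {lineno}: expected Name=HexSignature")
        if not (MIN_HEX_LEN <= len(hexsig) <= MAX_HEX_LEN):
            raise ValueError(f"line {lineno}: {name}: {len(hexsig)} hex chars, "
                             f"want {MIN_HEX_LEN}-{MAX_HEX_LEN}")
        try:
            sigs[name] = bytes.fromhex(hexsig)   # also rejects odd length / non-hex
        except ValueError as exc:
            raise ValueError(f"line {lineno}: {name}: bad hex signature") from exc
    return sigs


def scan_bytes(data: bytes, sigs: Dict[str, bytes]) -> List[str]:
    """Linear Sig1..SigN search: names of every signature whose bytes occur in data."""
    return [name for name, pattern in sigs.items() if pattern in data]


def scan_file(path: str, sigs: Dict[str, bytes], chunk: int = 1 << 20) -> List[str]:
    """Scan a file chunk by chunk, carrying the last (longest signature - 1) bytes
    forward so a pattern that straddles a chunk boundary is still found."""
    overlap = max((len(p) for p in sigs.values()), default=1) - 1
    hits = set()
    tail = b""
    with open(path, "rb") as fh:
        while True:
            block = fh.read(chunk)
            if not block:
                break
            window = tail + block
            hits.update(scan_bytes(window, sigs))
            tail = window[-overlap:] if overlap else b""
    return sorted(hits)


def scan_tree(root: str, sigs: Dict[str, bytes], chunk: int = 1 << 20) -> Dict[str, List[str]]:
    """On-demand scan: walk a directory tree, return {path: [detections]} for infected files only."""
    report: Dict[str, List[str]] = {}
    for dirpath, _, filenames in os.walk(root):
        for fn in filenames:
            path = os.path.join(dirpath, fn)
            hits = scan_file(path, sigs, chunk)
            if hits:
                report[path] = hits
    return report


def demo() -> Dict[str, List[str]]:
    """Create a throwaway directory with one clean and one 'infected' file (constructed data),
    scan it with a 1 KiB chunk so the 40-byte pattern at offset 1002 crosses a chunk boundary,
    and return {basename: detections}."""
    sigs = parse_db(SAMPLE_DB)
    root = tempfile.mkdtemp(prefix="avdemo_")
    try:
        with open(os.path.join(root, "clean.bin"), "wb") as fh:
            fh.write(b"MZ" + b"\x90" * 4096)
        with open(os.path.join(root, "infected.bin"), "wb") as fh:
            fh.write(b"MZ" + b"\x00" * 1000 + sigs["Worm.BugBear.A(Clam)"] + b"\x00" * 1000)
        report = scan_tree(root, sigs, chunk=1024)
    finally:
        shutil.rmtree(root, ignore_errors=True)
    return {os.path.basename(p): hits for p, hits in report.items()}


if __name__ == "__main__":
    for fname, hits in demo().items():
        print(f"{fname}: {', '.join(hits)} FOUND")
```

Note that `scan_bytes` is an exact-content match only; the real ClamAV engine layers unpacking, format parsers and emulation in front of this step, which is exactly why the slide calls the kernel complex.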