
Computer Security

Introduction to Anti-Virus Software

Eng. Mahmoud Al-Hoby 1


What Is Antivirus Software?
• Antivirus software is special security software that aims to give better
protection than that offered by the underlying operating system.

• In most cases, it is used as a preventive solution.


• If that fails, the AV software is used to disinfect the infected programs or to
completely clean malicious software from the operating system.

• AV software uses various techniques to identify malicious software.



What Is Antivirus Software?
• AV software is designed to deal with all kinds of malicious payloads
coming from both trusted and untrusted sources.

• AV software tries to protect an operating system from malicious
network packets, email attachments, and exploits for browsers and
document readers, as well as executable programs running on the
operating system.



Antivirus Software: Past and Present
• The earliest AV products were simply called scanners.
• They were command-line scanners that tried to identify malicious patterns in
executable programs.

• Now, traditional AV products use graphical user interface (GUI)
scanners that check every single file that is created, modified, or
accessed by the operating system or by user programs.



Antivirus Software: Past and Present
• An AV product cannot detect malware that is as yet unknown,
especially if there was some quality assurance during the development
of the malware.
• AV evasion is a key part of malware development, and for attackers it is
important that their malware stays undetected as long as possible.



Typical Misconceptions
• AV products are not bulletproof solutions to malware, and just
installing AV software will not keep computers safe.

• An AV product must be able to at least do the following:
• Discover known malicious patterns and bad behaviors in programs
• Discover known malicious patterns in documents and web pages
• Discover known malicious patterns in network packets
• Adapt and discover new bad behaviors or patterns



Typical Misconceptions
• AV Marketing makes users think they are fully protected from
everything, but this is unfortunately far from true.
• The AV industry is based on known malware patterns.

• An AV product cannot spot new unknown threats unless they are based on
old known patterns, regardless of what the AV industry advertises.



Antivirus Features
• All antivirus products share a set of common features, which include:
• Scanning compressed files and packed executables.
• Performing on-demand or real-time file or directory scanning.
• Self-protection to guard against malware attacking the actual AV.
• Firewall and network inspection functionality.
• Command-Line and graphical interface tools.
• A daemon or service.
• A management console.



Antivirus Features: Basic Features
• Making use of native languages:
• AV engines must execute as quickly as possible without degrading the system’s
performance.

• Native languages fulfil this requirement because, once compiled, the code runs
natively on the host CPU at full speed.

• Scanners:
• Scanners are used to scan whenever the user decides to check a set of files,
directories, or the system’s memory.

• Real-time scanners analyze files that are accessed, created, modified, or
executed by the operating system or other programs.



Antivirus Features: Basic Features
• Signatures
• AV scanners search files using a set of signatures to determine whether the
files are malicious or infected.
• Signatures are patterns for known malware; they can be simple string
matches or cryptographic hashes (e.g. MD5).
• Signatures must be designed with great care to prevent false positives.
• A false positive occurs when a healthy file is detected as malicious.



Antivirus Features: Basic Features
• Compressors and archives
• Another key part of every AV kernel is support for compressed or archived
file formats: rar, zip, tgz, 7z, and xar.
• AVs must be able to decompress and navigate through all the files inside any
compressed or archived file.

• Unpackers
• An AV product must be able to decompress executables that were packed
(compressed).
• Some AVs apply CPU emulation to emulate the execution (unpacking) of the
scanned files.
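The archive-navigation requirement above is easy to state and easy to get wrong. The following is an added example, not code from the slides: an archive-aware scan that descends into ZIP members, including ZIPs nested inside ZIPs, and checks each decompressed member for a constructed byte signature. It also handles the failure mode such a scanner must expect, a decompression bomb, by enforcing a nesting-depth limit and a total decompressed-size budget. All archives, the signature and the limits are constructed for the demo.

```python
"""Added example (not from the slides): archive-aware scanning with bomb guards.
Plain blobs are pattern-matched; ZIP blobs are opened and their members scanned
recursively.  Everything here (signature, limits, sample archives) is constructed."""
import io
import zipfile

DEMO_SIGNATURE = b"DEMO-MALWARE-MARKER-001"   # constructed; not a real AV signature
MAX_DEPTH = 3                                 # archives nested deeper than this are refused
MAX_TOTAL_BYTES = 10 * 1024 * 1024            # total decompressed bytes allowed per scan


class ScanLimitExceeded(Exception):
    """Raised when an archive exceeds the depth or size budget (likely a bomb)."""


def scan_bytes(data, name, depth, budget, hits):
    """Scan one blob: open it if it is a ZIP, otherwise match it against the signature."""
    if not zipfile.is_zipfile(io.BytesIO(data)):
        if DEMO_SIGNATURE in data:          # plain substring match, as the slides describe
            hits.append(name)
        return
    if depth >= MAX_DEPTH:
        raise ScanLimitExceeded(f"{name}: nested deeper than {MAX_DEPTH} levels")
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            member_name = f"{name}/{info.filename}"
            # Charge the declared size against the budget before inflating, so a
            # member that claims gigabytes is refused without ever being decompressed.
            budget[0] -= info.file_size
            if budget[0] < 0:
                raise ScanLimitExceeded(f"{member_name}: decompressed-size budget exhausted")
            member = zf.read(info)
            if len(member) > info.file_size:  # defensive re-check against the real size
                raise ScanLimitExceeded(f"{member_name}: inflated larger than declared")
            scan_bytes(member, member_name, depth + 1, budget, hits)


def scan_archive(data, name="archive.zip"):
    """Scan an in-memory archive. Returns {'hits': [member paths], 'aborted': reason or None}."""
    hits = []
    try:
        scan_bytes(data, name, 0, [MAX_TOTAL_BYTES], hits)
    except ScanLimitExceeded as exc:
        return {"hits": hits, "aborted": str(exc)}
    return {"hits": hits, "aborted": None}


def build_zip(members):
    """Build a ZIP in memory from {filename: bytes} (used to construct the samples)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for fname, content in members.items():
            zf.writestr(fname, content)
    return buf.getvalue()


def demo_sample():
    """Constructed sample: a clean text file plus an inner ZIP carrying the signature."""
    inner = build_zip({"payload.bin": b"header " + DEMO_SIGNATURE + b" trailer"})
    return build_zip({"readme.txt": b"nothing to see here", "inner.zip": inner})


def demo_bomb(levels=MAX_DEPTH + 1):
    """Constructed sample: a ZIP nested 'levels' deep, which exceeds MAX_DEPTH by default."""
    data = build_zip({"leaf.txt": b"leaf"})
    for _ in range(levels):
        data = build_zip({"level.zip": data})
    return data


if __name__ == "__main__":
    print(scan_archive(demo_sample()))   # hit inside the nested archive
    print(scan_archive(demo_bomb()))     # aborted: nesting limit
```

Charging the declared size before inflating is the important detail: a scanner that only measures what it has already decompressed discovers the bomb after it has run out of memory or disk. A real engine applies the same budget to every container format it supports, not just ZIP.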
Antivirus Features: Basic Features
• Miscellaneous file formats
• AV products must support a very long list of file formats in order to catch
exploits embedded in the files.
• Whenever an exploit appears for a specific file format, the AV product must
add support for that format, which adds to the complexity of the AV
kernel.



Antivirus Features: Advanced Features
• Packet filters and firewalls
• Many malware families use network resources to infect computers, which led AV products
to inspect incoming and outgoing traffic.

• To do this, AV software implements the concept of a firewall for blocking and detecting the
most common known network attacks.

• Self-protection
• AV software needs to protect itself from malware.

• This can be achieved by blocking kill operations, such as calls to the
ZwTerminateProcess function, or by denying OpenProcess calls with certain
parameters.



Antivirus Features: Advanced Features
• Anti-exploitation
• Some AV suites offer anti-exploitation solutions to prevent exploitation of
vulnerabilities in the AV product or the OS itself.

• Some anti-exploitation solutions enforce the anti-exploitation techniques
offered by the OS, while others try to do it on their own, by using user- or
kernel-based hooks to determine whether some action is allowed for a specific
process.



Scanning Engines



Scanning Engines
• AV products typically provide two options for scanning:

1. On-demand scanning:
• When triggered, it reads the files on the file system to search for malware it
knows about or for signatures common to certain types of viruses.
• The triggering may be manual or scheduled.

2. On-access (real-time) scanning:
• This scanning checks files at the time of their access or execution.
• It provides real-time protection, but also affects system performance.
Scanning Engines
• The scanning process itself is straightforward.
• The scanner simply opens the file and looks for known malicious patterns.

• It is relatively easy to scan files in on-demand mode, because no
interception or hooking is needed.



Sample Scanner Routine
using System;
using System.IO;

public class Scanner
{
    public void Scan(string root_path)
    {
        // GetFileSystemEntries returns both files and sub-directories, so the
        // recursion below actually descends the tree. (GetFiles never returns
        // directories, so with it the Directory.Exists branch would never run.)
        string[] entries = Directory.GetFileSystemEntries(root_path);
        foreach (string entry in entries)
        {
            if (File.Exists(entry))
            {
                ScanFile(entry);
            }
            else if (Directory.Exists(entry))
            {
                Scan(entry);   // recurse into the sub-directory
            }
        }
    }

    public void ScanFile(string file)
    {
        // Scanning routine here
    }
}
Scanning Engines
• Real-time scanning is trickier than on-demand scanning.
• The Win32 API cannot be used to check all files whenever they’re executed or
accessed.

• The scanning process must be transparent to the applications, i.e. the
applications’ access to their files shouldn’t be affected by the AV.

• The interception needed to implement real-time scanning is
achievable by using file system filter drivers.



File System Filter Drivers
• FS filter drivers hook themselves on top of the file system layer, so
that they can intercept requests headed toward the file systems.
• Similar to keyboard hooking, but at the I/O level.

• The drivers can inspect every I/O request, pass it to the file system,
change it on the way to the file system, or even reject the request
completely.
• The driver can also scan the results carried in the responses.



File System Filter Drivers
[Figure: layered I/O path. User mode: Win32 program -> Kernel32.dll. Kernel mode: IO Manager -> File System Driver -> Disk Driver. Hardware: the read request travels down this stack and the read reply travels back up.]


File System Filter Drivers
[Figure: the virus scanner's file system filter driver sits between the IO Manager and the File System Driver; the numbered steps below follow the path of one CreateFile request.]
(1) Original CreateFile request from the IO Manager
(2) CreateFile propagated to the file system
(3) Virus scanner reads and checks the file, and if infected takes the predefined action
(4) Virus scanner returns the original CreateFile result, or an indication of failure



How Scanning Works
• Scanners search the file/executable data for certain patterns,
which are used to uniquely identify malware samples.

• The set of all signatures is referred to as the signature database (or
definitions database).



How Scanning Works
[Figure: files 10101, 10102, 10103 and 10104 are checked by the anti-virus software against the signature database (Sig1, Sig2, …, SigN); a match raises a virus alert.]



How Scanning Works
• As mentioned earlier, signatures can be as simple as a cryptographic hash
(MD5 or SHA1), or even a simple string to search for in the scanned file.

• However, more complex signatures require the inclusion of data from
inside the malicious samples, such as:
• Hash
• Hex pattern
• Filename
• Registry keys/values
• …



How Scanning Works
[Figure: kinds of search performed by the scanner: memory search, content-based search, file search, icon-based search, registry search.]



How Scanning Works
• The following is a signature for ClamAV, which is an open-source
antivirus:

Worm.BugBear.A(Clam)=63023a2041706163686519332e3236202855a251b1db7678291d44a5653a2760a56eadb00a022d74

• ClamAV signatures are a mix of file content that uniquely identifies
the malware sample.
• Signatures are recommended to be from 40 to 3000 characters long.
• The longer the signature, the more accurate it becomes.
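To tie the signature slides together (hash and string signatures, the false-positive caveat, and the ClamAV line above), here is an added example that is neither the slides' code nor ClamAV's own: a minimal signature engine that loads hex patterns written in the legacy `Name=hexpattern` text form shown on the slide (modern ClamAV uses the .ndb/.ldb formats with extra fields), rejects patterns outside the slide's 40 to 3000 character range, and also matches whole-file SHA1 hashes. The slide's BugBear line is loaded as-is; every other signature and every sample file is constructed for the demo.

```python
"""Added example (not from the slides, not ClamAV code): hash + hex-pattern scanner.
All samples and all signatures except the slide's BugBear line are constructed."""
import hashlib
import re

# Slide's recommended length bounds for a hex signature, in hex characters.
MIN_HEX_CHARS = 40
MAX_HEX_CHARS = 3000

# Text database in 'Name=hexpattern' form.  Line 1 is the slide's example; the
# other two are constructed.  Demo.Short.B is deliberately too short: '4d5a' is
# just "MZ", the first two bytes of every Windows executable.
HEX_SIGNATURE_DB = """
Worm.BugBear.A(Clam)=63023a2041706163686519332e3236202855a251b1db7678291d44a5653a2760a56eadb00a022d74
Demo.Pattern.A(Example)=44454d4f2d4d414c574152452d4d41524b45522d303031
Demo.Short.B(Example)=4d5a
"""

# Constructed sample files (not real malware).
SAMPLE_KNOWN = b"constructed bytes standing in for a known malware sample"
SAMPLE_INFECTED = b"\x7fELF" + b"\x00" * 16 + b"DEMO-MALWARE-MARKER-001" + b"\x00" * 8
SAMPLE_BENIGN_PE = b"MZ\x90\x00" + b"This program cannot be run in DOS mode"

# Hash database: SHA1 of the whole file -> name (the slides mention MD5 or SHA1).
HASH_SIGNATURE_DB = {hashlib.sha1(SAMPLE_KNOWN).hexdigest(): "Demo.Hash.C(Example)"}


def parse_hex_db(text):
    """Parse 'Name=hexpattern' lines into (accepted, rejected).

    accepted maps name -> pattern bytes; rejected maps name -> reason.  Rejecting
    out-of-range patterns at load time is what keeps a pattern like "MZ" from
    flagging every clean executable (a false positive, in the slide's terms)."""
    accepted, rejected = {}, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, sep, hexpat = line.partition("=")
        if not sep or not re.fullmatch(r"[0-9a-fA-F]+", hexpat) or len(hexpat) % 2:
            rejected[name] = "malformed hex pattern"
        elif not MIN_HEX_CHARS <= len(hexpat) <= MAX_HEX_CHARS:
            rejected[name] = f"length {len(hexpat)} outside {MIN_HEX_CHARS}-{MAX_HEX_CHARS}"
        else:
            accepted[name] = bytes.fromhex(hexpat)
    return accepted, rejected


def scan_buffer(data, hex_sigs, hash_sigs):
    """Return the names of all signatures that match the given file content."""
    hits = []
    digest = hashlib.sha1(data).hexdigest()
    if digest in hash_sigs:                 # exact-file match
        hits.append(hash_sigs[digest])
    for name, pattern in hex_sigs.items():
        if pattern in data:                 # plain substring search, as the slides describe
            hits.append(name)
    return hits


def demo():
    """Run the three constructed samples through the engine."""
    hex_sigs, rejected = parse_hex_db(HEX_SIGNATURE_DB)
    return {
        "rejected": rejected,
        "known": scan_buffer(SAMPLE_KNOWN, hex_sigs, HASH_SIGNATURE_DB),
        "infected": scan_buffer(SAMPLE_INFECTED, hex_sigs, HASH_SIGNATURE_DB),
        "benign_pe": scan_buffer(SAMPLE_BENIGN_PE, hex_sigs, HASH_SIGNATURE_DB),
        # What the rejected short signature would have done had the loader accepted it:
        "short_sig_hits_benign": bytes.fromhex("4d5a") in SAMPLE_BENIGN_PE,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The hash lookup is exact and cheap but breaks the moment one byte of the sample changes; the hex pattern survives such changes but, if chosen too short or from a common region, it matches clean files too. The length check at load time is the simplest version of the care the slide asks for in signature design.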
