
The only real way you can build an anti-virus is first to look at how viruses are created.
Once you know how viruses are created, you can begin looking at ways to detect them and how you can prevent them. This is the basis for anti-virus companies such as Symantec (Norton), and McAfee which invest a huge amount of time and money in analysing how new viruses and malicious content works.

A lot of it is trial and error. An initial virus cannot be defended against: the attacker has found a vulnerability in your system and they are going to exploit it. The task of the developers is now to analyse the virus and look at how it managed to get in and what it managed to do; from this they can then patch it up. This shall go on and on, and soon you shall have built a library of common defence methods, which means that the attacker shall be forced to think up new ways to try and get in, completely different to the old ones which have been stopped.

This process essentially repeats itself until either the developers have made a "completely" secure system (although as we know from the Titanic, nothing is unsinkable), or the attacker has managed to exploit the existing system to such an extent that it is worthless to try and protect.

Antivirus software itself is normally going to be written in a couple of languages, but especially things like C and C++.

Edited by Octet


Often, detection is a 2 (or more) step process. You install a clean system, and take "signatures" (usually checksums) of all files and directories on the system. Then you let the virus infect the system, take it off-line, and using a different operating system, mounting the disc in a "sandbox", you compute the signatures of all the files (and boot sector of the disc), and determine what has been changed. That is the beginning of the analysis. Next you have to determine what changes were made to the files whose signatures were changed. That will lead you to the point where you can determine (usually - sometimes) how to identify this particular virus. Of course, each virus has different characteristics, and modern ones obfuscate their identifying signatures by not infecting any system the same way. Some now even don't bother to modify files, but modify RAM memory, and write themselves to the system virtual memory swapfile so that the next time you boot you are infected again... Very difficult to detect and remove. Sometimes the only solution is a full wipe of the disc and re-installation of the operating systems! :-(

Edited by rubberman
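The baseline-and-compare step described in the post above, as an added example (not code from this thread): hash every regular file under a clean tree, hash the tree again later, and report what was added, removed or modified. The directory layout and file contents in demo() are constructed for illustration.

```python
import hashlib
import os
import tempfile

def file_digest(path, chunk=1 << 16):
    """SHA-256 of one file, streamed so large files never sit whole in RAM."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def snapshot(root):
    """Map each regular file (path relative to root, '/'-separated) to its SHA-256."""
    sigs = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if os.path.islink(full):
                continue  # a symlink is not the file it points at; skip it
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            sigs[rel] = file_digest(full)
    return sigs

def diff_snapshots(baseline, current):
    """Return (added, removed, modified) relative paths, each list sorted."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(p for p in baseline.keys() & current.keys()
                      if baseline[p] != current[p])
    return added, removed, modified

def demo():
    """Constructed scenario: take a clean baseline, then simulate changes."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "system32"))
        with open(os.path.join(root, "system32", "kernel.dll"), "wb") as f:
            f.write(b"original library bytes")
        with open(os.path.join(root, "config.ini"), "w") as f:
            f.write("[boot]\nsafe=1\n")
        baseline = snapshot(root)
        # simulated changes: one file altered, one dropped in, one deleted
        with open(os.path.join(root, "system32", "kernel.dll"), "ab") as f:
            f.write(b"APPENDED")
        with open(os.path.join(root, "dropped.exe"), "wb") as f:
            f.write(b"new file")
        os.remove(os.path.join(root, "config.ini"))
        return diff_snapshots(baseline, snapshot(root))
```

In practice the baseline would be stored off the host (or the disc mounted read-only from another OS, as the post describes), since anything resident on the infected system can itself be tampered with.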


As an addendum, I have observed some viruses that infect DLLs in the recovery partition, so even if you run a system recovery operation, you are still infected! I call this "digital whack-a-mole"... This is why I always recommend to my clients that they pay for and get the "optional" installation DVD from their system vendor, and to find another vendor if such is not available.
