joris-schelfaut
An introduction to virus scanners and the basics to implement a signature-based virus scanner.
Antivirus Software
Computer & Network Security
KHL 2010 – 2011
Overview
• Introduction
• How does a virus scanner work?
• Virus scanner implementation
• Final thoughts
• Conclusion
Introduction
• Motive
• Definitions
Introduction
• Motive
– Wide-spread software:
• On the one hand it is often taken for granted
• On the other, the impact of malware is too often underestimated
– Personal interest:
• How do they work?
• Is it possible to create your own antivirus program?
Introduction
• Definitions *
– Virus
• “A virus is a man-made computer program that infects a file or program on our computers. Each time the infected program is run, the virus is also triggered. It replicates or spreads itself by infecting other programs on the same computer. (...)” [GUARD2010]
* There are many definitions on the web; these are just some of them.
Introduction
• Definitions
– Antivirus software
• “Antivirus or anti-virus software is used to prevent, detect, and remove computer viruses, worms, and trojan horses. It may also prevent and remove adware, spyware, and other forms of malware. (...)” [WIKI01]
How does a virus scanner work?
• Detection strategies
– Signature based
– Heuristics
– Identifying suspicious behaviour
– Sandbox
How does a virus scanner work?
• Detection strategies
– Signature based
• “In the virus dictionary approach, when the anti-virus software examines a file, it refers to a dictionary of known viruses that have been identified by the author of the anti-virus software. If a piece of code in the file matches any virus identified in the dictionary, then the anti-virus software can try to solve the problem (...)” [ANTIVa]
• This approach will be demonstrated
How does a virus scanner work?
• Detection strategies
– Heuristics
• “Many viruses start as a single infection and through either mutation or refinements by other attackers, can grow into dozens of slightly different strains, called variants. Generic detection refers to the detection and removal of multiple threats using a single virus definition.” (...)
How does a virus scanner work?
• “(...) While it may be advantageous to identify a specific virus, it can be quicker to detect a virus family through a generic signature or through an inexact match to an existing signature; (...) using wildcard characters where differences lie.
• These wildcards allow the scanner to detect viruses even if they are padded with extra, meaningless code. A detection that uses this method is said to be ‘heuristic detection’.” [WIKI01]
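As an added illustration of the wildcard signatures quoted above (example code written for this page, not from the slides or the cited sources), a small Python matcher turns a hex pattern with `??` (any one byte) and `*` (any run of bytes) into a byte regex and runs it over constructed, harmless buffers, one of them padded with filler bytes the way a variant might be. The signature and samples are constructed for the demo and are not real malware patterns.

```python
import re

# Constructed, harmless demo signature (not a real malware pattern). Hex bytes,
# with '??' standing for any single byte and '*' for any run of bytes, which is
# what lets one definition cover variants padded with extra, meaningless code.
SIGNATURES = {
    "Demo.Family.A": "DE AD ?? BE EF * CA FE",
}

def compile_signature(pattern):
    """Translate a hex wildcard pattern into a compiled bytes regex."""
    parts = []
    for tok in pattern.split():
        if tok == "??":
            parts.append(b".")            # exactly one arbitrary byte
        elif tok == "*":
            parts.append(b".*?")          # any number of bytes, shortest first
        else:
            parts.append(re.escape(bytes.fromhex(tok)))
    return re.compile(b"".join(parts), re.DOTALL)

COMPILED = {name: compile_signature(p) for name, p in SIGNATURES.items()}

def scan_bytes(data):
    """Return the names of all signatures that match somewhere in data."""
    return [name for name, rx in COMPILED.items() if rx.search(data)]

# Constructed samples: an exact hit, a variant with 16 padding bytes inserted
# between the two fixed parts, and a clean buffer missing the wildcard byte.
EXACT = b"\xde\xad\x01\xbe\xef\xca\xfe"
PADDED = b"hdr" + b"\xde\xad\x77\xbe\xef" + b"\x90" * 16 + b"\xca\xfe" + b"tail"
CLEAN = b"\xde\xad\xbe\xef\xca\xfe"

if __name__ == "__main__":
    for label, sample in (("exact", EXACT), ("padded", PADDED), ("clean", CLEAN)):
        print(label, scan_bytes(sample))
```

The trade-off the slides mention applies here too: the looser the wildcards, the more variants one definition covers, and the more clean files it risks flagging.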
How does a virus scanner work?
• Detection strategies
– Identifying suspicious behaviour
• “The suspicious behavior approach (...) monitors the behavior of all programs. If one program tries to write data to an executable program, for example, this is flagged as suspicious behavior and the user is alerted to this, and asked what to do.”
• “(...) the suspicious behavior approach therefore provides protection against brand-new viruses that do not yet exist in any virus dictionaries. However, it also sounds a large number of false positives, and users probably become desensitized to all the warnings. (...)” [ANTIVa]
How does a virus scanner work?
• Detection strategies
– Sandbox
• “A sandbox emulates the operating system and runs the executable in this simulation. After the program has terminated, the sandbox is analysed for changes which might indicate a virus. Because of performance issues this type of detection is normally only performed during on-demand scans.” [ANTIVa]
How does a virus scanner work?
• When an infected file is detected, we can choose to:
– Delete the file;
• We will use this option in the demonstration.
– Quarantine it so that the file is inaccessible to other programs and its virus is unable to spread;
– Attempt to repair the file by removing the virus itself from the file.
Virus scanner implementation
• Introduction
• Virus definitions
• Scanning
• Dealing with infected files
Virus scanner implementation
• Introduction
– Now that we have an idea of how antivirus software may work, let us see if we can make our own
– Searching online I eventually found a tutorial on how to make a virus scanner in Visual Basic
Virus scanner implementation
• Virus definitions
– A list of apparently over 70.000 virus definitions was included in the tutorial [JAMESG2010]
– I have looked for additional, updated virus definition lists, but unfortunately I haven’t found much that is useful
• Professional virus scanners download these definitions from websites that require authentication [GFI2010]
Virus scanner implementation
• Scanning
1. In the Visual Basic code we import all the virus definitions
2. The last file found by the “FileSystemWatcher” is read
3. The hash is created
4. The hash is compared to the virus definitions
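The four scanning steps above, plus the delete-or-quarantine choice from the earlier slide, as an added Python example written for this page (not the tutorial's Visual Basic code). The definition list, the "known bad" file and the temporary folder that stands in for the FileSystemWatcher are all constructed here; no real malware or real definitions are involved.

```python
import hashlib
import shutil
import tempfile
from pathlib import Path

# Constructed content standing in for a "known bad" file; not real malware.
KNOWN_BAD = b"constructed sample of a known-bad file for the demo\n"
# Definitions in the tutorial's dictionary shape (one name:hash line per entry);
# the digest is computed here so the constructed sample and its entry agree.
DEFINITIONS_TEXT = "# name:sha256\nDemo.Sample.A:" + hashlib.sha256(KNOWN_BAD).hexdigest() + "\n"

def load_definitions(text):
    """Step 1: import the definitions into a hash -> name dictionary."""
    defs = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            name, digest = line.split(":", 1)
            defs[digest.strip().lower()] = name.strip()
    return defs
def hash_file(path):
    """Steps 2 and 3: read the file in chunks and compute its SHA-256."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()
def scan_file(path, defs):
    """Step 4: look the hash up in the definitions; return the name or None."""
    return defs.get(hash_file(path))
def handle_infected(path, quarantine_dir, delete=False):
    """Delete the file, or (the safer default) move it into a quarantine folder."""
    if delete:
        path.unlink()
        return "deleted"
    quarantine_dir.mkdir(parents=True, exist_ok=True)
    shutil.move(str(path), str(quarantine_dir / (path.name + ".quarantined")))
    return "quarantined"

def demo(delete=False):
    """Stand-in for the FileSystemWatcher: scan every file in a fresh temp folder."""
    defs = load_definitions(DEFINITIONS_TEXT)
    root = Path(tempfile.mkdtemp())
    (root / "bad.bin").write_bytes(KNOWN_BAD)
    (root / "clean.txt").write_bytes(b"nothing to see here\n")
    results = {}
    for path in sorted(root.glob("*")):
        hit = scan_file(path, defs)
        results[path.name] = (hit, handle_infected(path, root / "quarantine", delete) if hit else "ok")
    shutil.rmtree(root)
    return results
```

Exact-hash matching only recognises byte-identical files: changing a single byte yields a different hash and a miss, which is the weakness the heuristic and behaviour-based strategies on the earlier slides are meant to cover.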
Virus scanner implementation
(Slide with screenshots of steps 1 to 4 of the Visual Basic code; the images are not preserved in this text.)
Virus scanner implementation
• Dealing with infected files
– To keep things simple we will ask the user to delete detected files
Virus scanner implementation
Deleting the infected file
Final thoughts
• Our virus scanner is far from perfect, but it illustrates the basic concepts of signature-based detection
• While searching online I came across some things that might be worth mentioning:
– “Companies that sell anti-virus software seem to have a financial incentive for viruses to be written and to spread, and for the public to panic over the threat.” [ANTIVa]
– “Free virus scanners are performing as well as commercial virus scanners (...) During the traditional, signature-based test, the commercial ones detected 96.2% of all malware instances; the free products achieved a creditable 95.7%.” [SECNL2010]
– ...
Conclusion
• What did we learn from this assignment?
– Some of the different techniques antivirus software applies to deal with viruses and other malware
– The basics of how to implement our very own virus scanner using the virus dictionary approach
References
• Internet
– [GUARD2010]
• http://www.guard-privacy-and-online-security.com/computer-virus-definition.html
– [WIKI01]
• http://en.wikipedia.org/wiki/Antivirus_software
– [ANTIVa]
• http://www.antivirusworld.com/articles/antivirus.php
– [KUENNING2002]
• http://www.scientificamerican.com/article.cfm?id=how-does-a-computer-virus
– [SECNL2010]
• http://www.security.nl/artikel/35288/1/Gratis_virusscanner_even_goed_als_commercieel_pakket.html
– [GFI2010]
• http://kbase.gfi.com/showarticle.asp?id=KBID002885
References
• Video
– [JAMESG2010]
• http://www.youtube.com/watch?v=HxjGR6GQhRc
• http://www.youtube.com/watch?v=AtfNcefh_Lk
• http://www.youtube.com/watch?v=IRHHDihFjhc
• http://www.youtube.com/watch?v=PUniAps7bVM