how to create an antivirus program?

today, after reading some threads in the CS section, this question struck my mind. This could be the CE-Labs Project 😀😉. Please post your views and ideas on how it works.

my views about antivirus & its concepts: it checks the integrity of files and if a file has changed, it flags that as a virus [ do correct me if i am wrong ]

Replies

  • gaurav.bhorkar
    As far as what I've learned in programming classes, an anti-virus program checks the signature of a virus in every file. If the file contains the virus signature, then it copies the original contents (not the virus code) of that file into a new file, deletes the old file and renames the new file. Thus removing the virus code from that file.
  • sushant005
    gaurav.bhorkar
    As far as what I've learned in programming classes, an anti-virus program checks the signature of a virus in every file. If the file contains the virus signature, then it copies the original contents (not the virus code) of that file into a new file, deletes the old file and renames the new file. Thus removing the virus code from that file.
    hi gaurav,
    you want to say that when a virus attack takes place in our system, its code merges with the original system program code. And the work of the antivirus is that it shifts the original code of the system program into the new file created by the antivirus.

    It follows that the antivirus is unable to delete the virus-infected system file.
    Am I correct?


    Do correct me if I am wrong.

    😁
  • gaurav.bhorkar
    sushant005
    hi gaurav,
    you want to say that when a virus attack takes place in our system, its code merges with the original system program code. And the work of the antivirus is that it shifts the original code of the system program into the new file created by the antivirus.

    It follows that the antivirus is unable to delete the virus-infected system file.
    Am I correct?


    Do correct me if I am wrong.

    😁
    The anti-virus removes the Virus code from our file.

    Actually, it creates a new file and copies the original contents of the old file into the new file leaving the virus code in the old file. When it (anti-virus) deletes the old file the virus code also gets deleted. After that the anti-virus software renames the new file to that of the old file.

    I hope you got it.
  • Morningdot Hablu
    gaurav.bhorkar
    The anti-virus removes the Virus code from our file.

    Actually, it creates a new file and copies the original contents of the old file into the new file leaving the virus code in the old file. When it (anti-virus) deletes the old file the virus code also gets deleted. After that the anti-virus software renames the new file to that of the old file.

    I hope you got it.
    gaurav, you say that "it (anti-virus) creates a new file and copies the original contents of the old file into the new file leaving the virus code in the old file."
    can you tell me how the antivirus knows that it is the original content of the old file and the other is the virus? Is the programming of the virus loaded in the antivirus? How does an antivirus know that it is a virus file?
    😁
  • gaurav.bhorkar
    can you tell me how the antivirus knows that it is the original content of the old file and the other is the virus? Is the programming of the virus loaded in the antivirus?
    From what I've learned, the anti-virus verifies the virus code against the virus definitions available with it. From the definitions, the antivirus knows how many bytes of code (the virus code) are to be removed from a file.

    how does an antivirus know that it is a virus file?
    It scans every file and checks its code in the virus definition dictionary available with it.
  • ONKSSSSS
    gaurav.bhorkar
    From what I've learned, the anti-virus verifies the virus code with virus definitions available with it. From the definitions, the antivirus knows that how much bytes of code is to be removed (virus code) from a file.


    It scans every file and checks its code in the virus definition dictionary available with it.

    All I know about AV software is that they have a 'heuristic scanner' to detect malware and other types of malicious scripts. Please reply if you know more about it....
  • gaurav.bhorkar
    ONKSSSSS
    All I know about AV software is that they have a 'heuristic scanner' to detect malware and other types of malicious scripts. Please reply if you know more about it....
    I don't know much about it. A heuristics scanner checks the behavior of a file. I guess it involves monitoring an executable. So, when an executable file is running abnormally (like a virus) the AV identifies it and prompts the user appropriately. This way the anti-virus can detect even those viruses whose definitions aren't in the dictionary.
  • durga ch
    umm... I think I remember something similar.
    there is something called virus definitions, or signatures as Gaurav mentioned; an anti-virus program continuously looks for these signatures. When a packet enters a computer, the anti-virus looks for these signatures in the packet and if it isolates any, it does not allow the packet to enter the computer.
    That's the reason you get continuous anti-virus updates; these updates in fact carry the latest signatures.
  • thechamp
    i agree with durga
    AFAIK every AV has different definitions for different viruses, and it checks in those definitions what type of virus is in the current file. durga also correctly mentioned updates: the AV updates its definitions and can detect newly released viruses by updating with the definitions of those..
  • optimystix
    See, basically it is like you are given a letter (the one which we post messages on) and you are told that this letter contains the handwriting of a criminal. And you are given 100 other letters and you are told to find if any one of these 100 is written by that criminal. How would you do it? You will have to match the handwriting of these 100 new letters with the letter of the known culprit. If any of the 100 letters matches the handwriting of the known letter of the culprit, then we can say that this letter (from the 100 set) also belongs to that culprit. Right? Thus the required action can be taken now.

    Anti-virus systems work in a similar way. They check the handwriting of known viruses (called virus signatures, which are actually program codes specific to that type of virus) against the executing codes of a file on the computer. If a virus-like trait is found in the code of the file then it is marked as harmful and the required action can then be taken by the antivirus or the user.
    Get a better picture of how viruses infect a file from the example algorithm given below.
    Original file: on clicking the original file(ie to execute it)
    ____starts here_____
    step 1 : open the program
    step 2 : extract the contents to temp folder
    step 3 : start the installation
    step 4 : clear temp folder
    step 5: finish installation
    ____ends here______

    Virus file may contain the following set of algorithm
    _____starts here_____
    step A : infect the file
    step B : perform ABC procedure
    step C: end operation
    Step D: Goto condition
    _____ends here_____

    so after the virus infects the original file the algorithm will be looking something like this
    _____starts here_____
    (the virus modifies the file)step A : infect the file
    step B : perform ABC procedure
    step C: end operation
    Step D : Goto Step 1
    step 1 : open the program
    step 2 : extract the contents to temp folder
    step 3 : start the installation
    step 4 : clear temp folder
    step 5: finish installation
    _____Ends here_____

    thus you can see from above that the virus has prepended its malicious code to the original file. Note that while most viruses prepend their codes, some append to make it difficult for the antivirus to scan and find it. This will be tedious especially if the file is very big.
    Now in such cases, the antivirus (AV) will scan the file and when the malicious code is found, it will try to repair it by deleting the malicious code and recompiling it to normal status. With most complex viruses this is not possible so it may require to be deleted. Some AVs maintain databases of clean scanned files called footprints and can use these to restore infected files (eg Avast). In this procedure, virus signatures are used. These virus signatures or definitions are the ones that we receive as updates.

    With more and more complex viruses using polymorphism and other techniques, it becomes extremely difficult to detect viruses just by scanning against signatures. Thus along with that many other technologies are used simultaneously in an AV program. Such techniques include heuristics, the sandbox method, 'in the cloud', behavioral techniques etc.
    I have a detailed post on my blog on how to select the best antivirus for ourselves. You may check that to know more about the techniques mentioned above in one place (Technorama Blog: Best Antivirus Software) or you may google them separately.

    I'll mention heuristics in short as someone asked about it specifically.
    As I said above, the AV updates that we receive are actually signature/definition updates. These signatures are made after we get their samples from the computer users. That means that the virus infects some computers, these computers send samples to the AV team, signatures are made and then updated. Then the virus can be removed, or in cases where it is not yet infected, they will be immunised. But the AV companies do not want to compromise the security of even those small groups of people who get infected before the updates are out. Thus to prevent that a heuristic scanner is added. Its work is not to look for the exact codes matching those of signatures in the database but to look for similar code which may act the same way as a known virus does. But this method brings out a lot of false reports (called false positives). It may show a file as being virus-like even though it may not be. It is like labelling all people who wield guns as terrorists even though there are policemen too who use them. To minimise this problem further, the sandbox technique is used, in which this suspect file is allowed to run fully in a controlled virtual environment. Inside the sandbox, if it shows virus-like activity then it will be confirmed that it's a virus too. This method is good but slows down scanning.

    As for making a full-fledged AV as a part of the CE Labs project, I think it is a difficult prospect because there are so many delicate things involved and moreover it will require a dedicated team to maintain it and make the required updates. If we have the manpower to do such work then it would be a great idea. But I would suggest making an antivirus tool for some particular types that infect the most. That would be easy and most probably a one-time issue ;-)
  • Manish Goyal
    hey, does anybody know about antivirus programs that are behavior based?
  • Ashraf HZ
    Good post optimystix!

    Has anyone tried looking into the source code of Clamwin?
  • silverscorpion
    Nice post optimystix..

    Btw, I've seen in some antivirus software, the infected files are kept in a folder called quarantine.
    How come keeping the infected files in that particular folder stops them from infecting other files??
  • optimystix
    goyal420
    hey anybody knows about antivirus that are behavior based
    the behavioral technique is used along with the traditional signature checking method.
    more and more anti-viruses these days are using it. Most of the well-known AVs have them by now
  • optimystix
    silverscorpion
    Nice post optimystix..

    Btw, I've seen in some antivirus software, the infected files are kept in a folder called quarantine.
    How come keeping the infected files in that particular folder stops them from infecting other files??
    quarantine according to dictionary means "Isolation to prevent the spread of infectious disease"

    same is the case here with these computer viruses. once detected, the viruses can be quarantined, or in other words they are stored away in a protected folder by the anti-virus. It is like a prison for them from where these computer culprits cannot move out and infect other files.
  • ONKSSSSS
    Good post optimystix.
    I heard LINUX has an inbuilt heuristic scanner so it always has a check over what an exe does (no exe in Linux but .bin).
    So people say that Linux is more secure than others. Well please correct me if I am wrong.
  • Shefali Moudgil
    Nice post optimystix..... easily understood with the example..... 😀
  • optimystix
    ONKSSSSS
    Good post optimystix.
    I heard LINUX has an inbuilt heuristic scanner so it always has a check over what an exe does (no exe in Linux but .bin).
    So people say that Linux is more secure than others. Well please correct me if I am wrong.
    i am not well versed with linux but i've used it at times. I never found any heuristic activity inside linux but maybe i've overlooked it. help from a linux expert would be greatly appreciated.

    the reason why they say that linux is more secure than windows/mac is because more than 80% of applications are made for windows and some more for mac. thus for a hacker it would be plain common sense to develop exploits for windows-based computers. that is why we see so many viruses and other unwanted applications for windows and so few (negligible until a few years ago) for linux.

    Thus a windows-based computer is more vulnerable to malicious attacks because it is more widely used.
  • thechamp
    all the theoretical knowledge given by optimystix was great.
    but how do i develop an antivirus? i mean how do i detect the signatures of viruses in a file, to be precise
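As an added example (not code from this thread or from any AV product), here is the signature scan that thechamp asks about, combined with the repair method gaurav and optimystix describe (copy the original bytes to a new file, delete the infected one, rename) and a quarantine step for the appended case, where cutting by length alone would not work. The definition entries, file names and byte patterns are all constructed for the example and match nothing real.

```python
import tempfile
from pathlib import Path

# Constructed toy definitions (made-up byte patterns; they match no real malware): the
# signature identifying the malicious code and the size of the block it prepends.
DEFINITIONS = [
    {"name": "Toy.Prepender.A", "signature": b"TOYVIRUS-A:", "prepended_len": 32},
    {"name": "Toy.Prepender.B", "signature": b"TOYVIRUS-B:", "prepended_len": 48},
]

def scan_bytes(data):
    """Signature check: return the first definition whose pattern occurs in data."""
    for d in DEFINITIONS:
        if d["signature"] in data:
            return d
    return None

def disinfect_file(path, quarantine_dir):
    """Repair a prepending infection the way the thread describes (copy the original
    bytes to a new file, delete the old one, rename the new one); a signature found
    anywhere but offset 0 cannot be cut out by length alone, so quarantine instead."""
    path = Path(path)
    data = path.read_bytes()
    d = scan_bytes(data)
    if d is None:
        return "clean"
    if data.startswith(d["signature"]):
        new_path = path.with_name(path.name + ".clean")
        new_path.write_bytes(data[d["prepended_len"]:])  # everything after the virus block
        path.unlink()
        new_path.rename(path)
        return "repaired:" + d["name"]
    Path(quarantine_dir).mkdir(exist_ok=True)
    path.replace(Path(quarantine_dir, path.name + ".quarantined"))
    return "quarantined:" + d["name"]

def demo():
    """Write three constructed sample files to a temp dir, scan them, return verdicts."""
    root = Path(tempfile.mkdtemp())
    program = b"ORIGINAL PROGRAM BYTES"
    samples = {
        "setup.exe": b"TOYVIRUS-A:" + b"\x90" * 21 + program,  # 32-byte block prepended
        "tool.exe": program + b"TOYVIRUS-B:" + b"\x00" * 37,   # appended: not repairable here
        "readme.txt": b"nothing to see here",                  # clean
    }
    for name, content in samples.items():
        (root / name).write_bytes(content)
    verdicts = {n: disinfect_file(root / n, root / "quarantine") for n in samples}
    verdicts["setup.exe.bytes"] = (root / "setup.exe").read_bytes()  # only the program is left
    return verdicts
```

Real scanners match far more than a fixed byte string (offsets, wildcards, hashes of sections), which is why the thread's later points about polymorphism and heuristics matter.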
  • ankesh.cs2007
    yes i agree with durga. for writing an antivirus program you need to have good knowledge about antivirus functioning. search the web for help 👍
