views: 545
answers: 4
How do anti-virus programs detect if something is a virus or trojan?

I'm from Turkey, please keep the English simple if possible, thanks.

A: 

http://www.google.com/search?q=how+does+antivirus+work

The first link was pretty good:

  • virus dictionary - looks for known signatures, for example the UPX executable compression algorithm is popular to make the payload really small.
  • suspicious behavior - detects things that don't happen in everyday work, like writing to another executable.
Dustin Getz
Although it gives a good answer, linking to Google is often considered poor etiquette on SO. Just an FYI since I've been downvoted before for doing this.
Jacob Adams
I wouldn't downvote over something so trivial, but there is a point: Google rankings shift. The article Dustin referenced is at http://www.antivirusworld.com/articles/antivirus.php
Steven Sudit
+4  A: 

There are different types of virus detection. Some of the different techniques they use are

1) Look at binary makeup of file for match or partial match in database of known viruses and trojans (most common technique)

2) Watch what program does and see if it ever does anything similar to viruses/trojans

3) Analyze program code (sometimes disassemble program code) and look for malicious things. This is often very difficult and usually only advanced detection programs do this.

Jacob Adams
3 is very slow too :)
lfaraone
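To make technique 1 (matching the binary makeup of a file against a database) concrete, here is an added example in Python; it is not code from any answer above and not from a real antivirus product. It assumes a constructed signature database: the EICAR string is the industry-standard harmless antivirus test pattern, while the "variant" regex and the packer marker are hypothetical entries that show partial and wildcard matching, and why a packer marker alone should only raise suspicion rather than a verdict.

```python
import hashlib
import re

# Constructed signature database for illustration only.
# EICAR is the standard harmless AV test string; the rest is hypothetical.
EICAR = rb"X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"

# 1) exact match: SHA-256 of the whole file -> signature name
HASH_SIGNATURES = {hashlib.sha256(EICAR).hexdigest(): "EICAR-Test-File"}

# 2) partial match: a fixed byte sequence found anywhere in the file
BYTE_SIGNATURES = {"EICAR-Test-File": b"EICAR-STANDARD-ANTIVIRUS-TEST-FILE"}

# 3) wildcard match: a regex over bytes that tolerates small edits (variants)
REGEX_SIGNATURES = {
    "EICAR-Test-File.Variant": re.compile(rb"EICAR-STANDARD-[A-Z-]{1,20}-TEST-FILE"),
}

# Packer markers are not malware by themselves ("UPX!" appears in every
# UPX-packed binary, clean or not), so they only add a flag, never a verdict.
PACKER_MARKERS = {"UPX": b"UPX!"}


def scan_bytes(data: bytes) -> dict:
    """Classify one file image: returns verdict, signature matches and flags."""
    matches, flags = [], []
    digest = hashlib.sha256(data).hexdigest()
    if digest in HASH_SIGNATURES:
        matches.append(HASH_SIGNATURES[digest])
    for name, pattern in BYTE_SIGNATURES.items():
        if pattern in data and name not in matches:
            matches.append(name)
    for name, regex in REGEX_SIGNATURES.items():
        if regex.search(data) and name not in matches:
            matches.append(name)
    for name, marker in PACKER_MARKERS.items():
        if marker in data:
            flags.append(f"packed:{name}")
    verdict = "infected" if matches else ("suspicious" if flags else "clean")
    return {"verdict": verdict, "matches": matches, "flags": flags}


def scan_file(path: str) -> dict:
    """Scan a file on disk, e.g. when it is first written or on a schedule."""
    with open(path, "rb") as fh:
        return scan_bytes(fh.read())


if __name__ == "__main__":
    print(scan_bytes(EICAR))                                   # infected
    print(scan_bytes(b"MZ\x90\x00...UPX!...hypothetical..."))  # suspicious
```

A real scanner keeps the database out of the binary and updates it, and usually hashes only after a cheap byte-pattern prefilter; this version reads whole files to keep the three matching styles visible.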
A: 

They use signatures, or definitions of what a virus looks like, and compare them to the files they scan.

See this article from SciAm for a good explanation.

lfaraone
There's also heuristic scanning and behavioral scanning, at least in any decent modern AV.
Joe
A: 

There are three basic ways to find viruses. You can scan files to see if they have virus code in them from known viruses. You can scan files to see if the code will do virus-like things. You can wait until a program does something it should not do, and flag the program as infected.

You would scan files when they are first created, and you would also do it on a schedule after that. You would have to install a kernel driver in order to watch what programs do and stop them from doing malicious things.

Many anti-spyware programs work exactly the same way. For example, Spybot S&D can watch for Registry changes that could be spyware installations.

jprete