How Antivirus Software is Able to Detect Viruses

Posted by Gauloran (Senior Member)
03-08-2020 14:13
Hello, in this article I would like to talk about how antiviruses detect viruses & trojans. I want to talk about this topic because many people give false information to others in forums. This false information mostly comes from the "which antivirus is the best" articles.

Some people say that Kaspersky is better. Some people say that Avast is better. This is so wrong, you know... everyone has something to say...

So How Do Antiviruses Detect Viruses?

First of all, no antivirus can detect a virus or trojan that you have just created, because antiviruses don't decide what a program is doing by looking at its structure (except for some malicious scripts encoded in ASCII format!). So how do antiviruses detect viruses? First of all, the antivirus company should get at least two reports about the suspicious file. Then the file is analyzed, and when it is decided that it is a virus or trojan or something like that, a hex signature is taken from the file and processed into the virus databases. So this is how it works.

In other words, whether the program is a virus or a trojan that damages the computer and opens backdoors, it can never be recognized by an antivirus until it is reported. If you don't believe me, write a program that formats the computer or a program that executes malicious commands on the computer. When you scan this program, the antivirus can't detect it and will not recognize this program as a virus.

Let's get a hex signature from a virus. For example, I got a hex signature from the Lorez virus:

58 FF E0 8B 85 57 17 40 00
50 B9 78 56 34 12 FF 95 E6
16 40 00 89 85 53 17 40 00
83 F8 FF 75 01 C3 6A 20 8B
Now let's assume that we wrote a program that includes this hex signature. To give an example, let's place our code in a BYTE-type array:

BYTE lorez_virus_signature[] = {0x58,0xFF,0xE0,0x8B,0x85,0x57,0x17,0x40,0x00, 0x50,0xB9,0x78,0x56,0x34,0x12,0xFF,0x95,0xE6, /* the 36 bytes listed above */
                                0x16,0x40,0x00,0x89,0x85,0x53,0x17,0x40,0x00, 0x83,0xF8,0xFF,0x75,0x01,0xC3,0x6A,0x20,0x8B};
So most likely the antivirus will give a warning about that program because of the Win95.Lorez virus. Now we have learned how an antivirus program works in general. So how can we decide which one is better? An antivirus shouldn't slow down the system, and I think this is a very important factor when selecting and downloading an antivirus. And you should look at features like e-mail checking, web protection, etc.
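As an added example (not part of the post, and not any vendor's engine), here is the byte matching a pure signature scanner performs, run over a constructed 128-byte buffer that embeds the 36 Lorez bytes quoted above at offset 40. The filler byte 0x90, the offset and the one-byte alteration are assumptions chosen for the demonstration; the result shows both sides of the post's argument: a harmless program that merely carries the bytes is flagged, while a sample whose bytes differ by one is not seen at all.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* The 36 signature bytes quoted in the post above (Win95.Lorez). */
static const uint8_t LOREZ_SIG[] = {
    0x58,0xFF,0xE0,0x8B,0x85,0x57,0x17,0x40,0x00, 0x50,0xB9,0x78,0x56,0x34,0x12,0xFF,0x95,0xE6,
    0x16,0x40,0x00,0x89,0x85,0x53,0x17,0x40,0x00, 0x83,0xF8,0xFF,0x75,0x01,0xC3,0x6A,0x20,0x8B
};

/* A pure signature engine does exactly this: slide the pattern over the file and
   report the offset of the first exact byte match, or -1 if there is none.
   It compares bytes; it knows nothing about what the program actually does. */
long scan_for_signature(const uint8_t *buf, size_t len, const uint8_t *sig, size_t siglen) {
    if (siglen == 0 || len < siglen) return -1;
    for (size_t i = 0; i + siglen <= len; i++)
        if (memcmp(buf + i, sig, siglen) == 0) return (long)i;
    return -1;
}

/* Constructed 128-byte "file" (not a real binary): filler, with the signature
   copied in at offset 40 the way the post's BYTE array would embed it. */
static void build_sample(uint8_t file[128]) {
    memset(file, 0x90, 128);
    memcpy(file + 40, LOREZ_SIG, sizeof LOREZ_SIG);
}

/* Harmless data carrier: the engine still reports a hit at offset 40 (false positive). */
long scan_embedded_sample(void) {
    uint8_t file[128];
    build_sample(file);
    return scan_for_signature(file, sizeof file, LOREZ_SIG, sizeof LOREZ_SIG);
}

/* One byte of the pattern changed: the same engine now sees nothing (-1). This is the
   gap the post describes for brand-new or repacked samples that nobody has reported yet. */
long scan_altered_sample(void) {
    uint8_t file[128];
    build_sample(file);
    file[40 + 5] ^= 0x01;
    return scan_for_signature(file, sizeof file, LOREZ_SIG, sizeof LOREZ_SIG);
}

int main(void) {
    printf("embedded sample: %ld\naltered sample: %ld\n", scan_embedded_sample(), scan_altered_sample());
    return 0;
}
```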

In addition to this article, I can easily say Kaspersky is a very good antivirus program. In addition to the hex signatures that are taken from these viruses, they get the file into the database by taking a hex signature from many exe packers and separately packed files. So, even if you make it an unrecognizable trojan, Kaspersky can recognize this trojan while other antiviruses can't.

Translator @Gauloran