COMP 6370
Current Techniques For Detecting and Preventing Damage From Computer Viruses
COMP 5370/6370

Slide 2: Basic Anti-Virus Technologies
- Virus Scanners
- Integrity Checkers
- Behavior Blockers

Slide 3: Virus Scanners
- Examine the contents of each file that can carry executable instructions: ".exe", ".bat", ".com", ".vbs", ".scr", etc.
- Search each potential file for certain "search strings" which are present in known viruses.
- Use a variety of techniques to check for matches: fuzzy search (heuristic search) and exact search.
  - Fuzzy search accounts for virus variants by not requiring an exact match, but takes more time.
  - Exact search will not catch virus variants, but is much faster.

Slide 4: Virus Scanning
- Search each file for a known "search string".
- The search string should be something that uniquely identifies the virus.
- In this case, searching for the two printf statements and the system() call may make a good signature.
- Remember, searching parses the hexadecimal executable, so there is no need to worry about case sensitivity, the overhead of comparing strings, etc.

COMP 6370 Virus (the example program whose strings are used as the signature):

    #include <stdio.h>
    #include <stdlib.h>

    int main(void)
    {
        /* The two string literals and the system() call below are the bytes a scanner would look for. */
        printf("The COMP 6370 virus\n");
        printf("Removing C:\\My Documents\n");
        system("deltree C:\\My Documents");
        return 0;
    }

Slide 5: Virus Scanners: Problems With Virus Scanners
- Unable to cope with unknown viruses: since scanners use a database of known viruses, unknown viruses will escape detection.
- Minor variants of known viruses can be missed.
- Fuzzy search is very time intensive, so software developers may not use it as aggressively as they should.
- Time concerns
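The exact-versus-fuzzy search trade-off from slides 3 and 5, as an added example that is not part of the lecture: a small signature scanner that only opens files with the listed executable extensions, compares raw bytes for exact signatures, and uses "??" byte wildcards for fuzzy ones so a variant that edits a byte (here the drive letter) is still caught. The signature names and the sample byte strings are constructed for the example.

```python
import re
from pathlib import Path

# File types the slides list as able to carry executable instructions.
SCANNED_EXTENSIONS = {".exe", ".bat", ".com", ".vbs", ".scr"}

# Constructed signature database (hypothetical names). Each entry is
# (name, mode, pattern): "exact" patterns are raw bytes compared byte for
# byte; "fuzzy" patterns are hex strings where "??" matches any one byte.
SIGNATURES = [
    ("comp6370.banner.exact", "exact", b"The COMP 6370 virus"),
    ("comp6370.deltree.exact", "exact", b"deltree C:\\"),
    # "deltree ?:\" -- the drive letter is a wildcard so variants still match
    ("comp6370.deltree.fuzzy", "fuzzy", "64 65 6c 74 72 65 65 20 ?? 3a 5c"),
]

def compile_fuzzy(hex_pattern: str) -> re.Pattern:
    """Turn a hex signature with '??' wildcards into a compiled bytes regex."""
    compact = hex_pattern.replace(" ", "")
    if len(compact) % 2:
        raise ValueError("hex signature needs an even number of digits")
    parts = []
    for i in range(0, len(compact), 2):
        tok = compact[i:i + 2]
        parts.append(b"." if tok == "??" else re.escape(bytes([int(tok, 16)])))
    return re.compile(b"".join(parts), re.DOTALL)

def scan_bytes(data: bytes, signatures=SIGNATURES) -> list:
    """Return the names of every signature found in data (exact or fuzzy)."""
    hits = []
    for name, mode, pattern in signatures:
        if mode == "exact":
            found = data.find(pattern) != -1          # fast byte-for-byte search
        else:
            found = compile_fuzzy(pattern).search(data) is not None
        if found:
            hits.append(name)
    return hits

def should_scan(path) -> bool:
    """Only files whose extension can carry executable instructions are scanned."""
    return Path(path).suffix.lower() in SCANNED_EXTENSIONS

# Constructed samples: the original and a variant that edits two bytes
# (the banner's "O" becomes "0" and the drive letter changes to "D").
ORIGINAL = b"\x90\x90The COMP 6370 virus\x00deltree C:\\My Documents\x00"
VARIANT = b"\x90\x90The C0MP 6370 virus\x00deltree D:\\My Documents\x00"
```

Running scan_bytes on both samples shows the slide-5 problem directly: both exact signatures miss the variant, and only the fuzzy one reports it.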
