Re: Virus Scanners

From: FatFinger (fatfinger@uol.com.br)
Date: 02/02/02


From: "FatFinger" <fatfinger@uol.com.br>
To: "Steve" <steve@frij.com.au>, <security-basics@security-focus.com>
Date: Sat, 2 Feb 2002 13:34:07 -0200

Hi Steve,

Norton, for instance, checks data headers, file names, checks for particular
functions, etc... It checks for signatures.

Along with that, it has a technology called Bloodhound which stands for its
heuristics analysis. It works with another technology called Striker.

These two technologies work creating a 'virtual computer' so the file can
run normally prior to interacting with the user or the 'real' environment.

Maybe this file doesn't have any known signatures but, running in
bloodhound, Norton can notice particularly weird behaviours, like mbr
access, file attribute change, vb scripts running abnormal functions, etc.

Then it gives this file a stamp telling you that it's virus activity
and then puts it on quarantine.

This technology is really mature now and it's not likely to see false
positives.

You can go to Symantec's web site and search for Bloodhound. They have a
neat whitepaper explaining technically all the aspects of their antivirus
technologies including scanning functions.

all the best,

Fatfinger
----- Original Message -----
From: "Steve" <steve@frij.com.au>
To: <security-basics@security-focus.com>
Sent: Thursday, January 31, 2002 12:17 AM
Subject: Virus Scanners

> Hi all,
>
> My question for today is How Do Virus Scanners work ? I mean the really
> excellent scanners like Sophos and Norton, amongst others.
>
> I mean, they do check for signatures of a Virus identity ? But what method ?
> I can think of a few possibilities to make my question clearer ....
>
> 1. Scan for size of file, or header of file, or structure of file (probably
> not)
> 2. Scan for include files and include library, and procedures ?
> 3. Scan for the sequence at which a file executes, for eg, getting
> addresses, then open socket, connect to SMTP ?
> 4. Scan for standard declared texts ? eg. Subject db "Credit Card details",0
>
> Question begs to be asked, if updated Virus identities files are 'modified',
> can it become a threat to the Virus programs, since they mostly run with
> SYSTEM privileges ? How is this prevented ?
>
> Thanks in advance, I am very curious.
>
> regards
>
> Steve
>
>
> note : One of our readers has a virus, it was sent to those who responded
> to the WAN/LAN Remote Management thread. I don't know who it is as the return
> path is altered, it had a ".mp3.pif" extension with no malicious payload.
>
>
>
>
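The two stages FatFinger describes, a signature check followed by heuristic scoring of static indicators (Steve's items 1, 2 and 4) and of events observed when the file runs in a 'virtual computer' (item 3), sketched as an added Python example. This is not Norton's code or anything from the thread; every signature, rule, weight and the threshold below is constructed for illustration.

```python
import re
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple

# Constructed indicators for illustration only; not real Norton/Bloodhound data.
SIGNATURES: Dict[str, bytes] = {
    # Steve's item 4: a "standard declared text" that identifies a known sample.
    "Demo.Mailer.A": b'Subject: "Credit Card details"',
}

# Static heuristics (items 1, 2, 4): each rule is (description, test, weight).
STATIC_RULES: List[Tuple[str, Callable[[str, bytes], bool], int]] = [
    ("double extension ending in .pif (the .mp3.pif case from the thread)",
     lambda name, data: re.search(r"\.[a-z0-9]{2,4}\.pif$", name, re.I) is not None, 3),
    ("SMTP command strings present in the file",
     lambda name, data: b"RCPT TO" in data or b"MAIL FROM" in data, 2),
    ("socket library referenced",
     lambda name, data: b"wsock32" in data.lower(), 1),
]

# Behavioural heuristics: events the 'virtual computer' stage reports
# (MBR access, attribute changes, abnormal script calls, SMTP connects).
BEHAVIOUR_WEIGHTS: Dict[str, int] = {
    "mbr_access": 5, "file_attribute_change": 2,
    "vbscript_abnormal_function": 3, "smtp_connect": 3,
}
THRESHOLD = 5  # a heuristic score at or above this is stamped as virus activity

@dataclass
class Verdict:
    filename: str
    signature: Optional[str]            # name of the exact-match signature, if any
    score: int                          # accumulated heuristic score
    reasons: List[str] = field(default_factory=list)

    @property
    def quarantine(self) -> bool:
        return self.signature is not None or self.score >= THRESHOLD

def scan(filename: str, data: bytes, trace: List[str]) -> Verdict:
    """Stage 1: signature match. Stage 2: static plus behavioural heuristic score."""
    for sig_name, pattern in SIGNATURES.items():
        if pattern in data:
            return Verdict(filename, sig_name, 0, [f"signature {sig_name}"])
    score, reasons = 0, []
    for desc, test, weight in STATIC_RULES:
        if test(filename, data):
            score, reasons = score + weight, reasons + [desc]
    for event in trace:                 # events from the sandbox run
        if event in BEHAVIOUR_WEIGHTS:
            score, reasons = score + BEHAVIOUR_WEIGHTS[event], reasons + [f"behaviour {event}"]
    return Verdict(filename, None, score, reasons)
```

Raising or lowering `THRESHOLD` is the whole false-positive trade-off: the heuristic stage never proves anything, it only accumulates suspicion, which is why a signature hit is reported separately.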


