Rating of computer protection programs. What's included in the package. Managing Windows Firewall

One of the main components of any antivirus is the so-called antivirus "engine": the module responsible for scanning objects and detecting malware. The quality of malware detection, and consequently the level of protection the antivirus provides, depends on how the engine is designed and on which detection methods and heuristics it uses.

This article describes in detail the standard technologies, and some original approaches of individual antivirus developers, implemented in the antivirus engine. Along the way it covers related technical questions that are needed to assess the quality of an engine and to clarify the technologies used in it.

Good or bad "engine"?

Unfortunately, antivirus software developers very rarely disclose the implementation details of their engines. However, indirect signs let you judge whether an engine is good or not. The main criteria by which the quality of an antivirus engine can be judged are the following:

Detection quality. How well does the antivirus detect viruses? This can be assessed from the results of tests conducted by several independent organizations; developers usually publish the results on their own web resources.

Level of detection by the heuristic analyzer. Unfortunately, this cannot be determined without testing on a collection of viruses, but the false positive rate of a particular engine is quite easy to measure.

False positive rate. If the antivirus reports a possibly infected file on a set of files that is 100% clean, that is a false positive. Should a heuristic analyzer that bothers the user with false alarms be trusted? With a large number of false positives the user may well overlook a real new virus among them.

Support for a large number of packers and archivers. This is a very important factor: having written a virus, malware authors often package it with several different executable packers and release the resulting "different" viruses into the wild. Essentially all of them are instances of the same variant. An engine that supports all or almost all popular packers has no difficulty recognizing all of these instances as the same virus and reporting them under one name; for other engines the antivirus database has to be updated for each instance (with the corresponding delay while antivirus experts analyze it).

Frequency and size of antivirus database updates. These parameters are indirect signs of engine quality. Frequent updates help ensure that the user is protected from newly emerging viruses, and the size of an update (relative to the number of viruses it adds) says something about the quality of the database design and, in part, of the engine.

The ability to update the engine without updating the antivirus program itself. Sometimes detecting a virus requires updating not only the antivirus database but the engine itself. If the antivirus does not support this, the user may be left without protection against a new virus. In addition, this feature allows the engine to be improved and its errors corrected quickly.

Anti-virus "engine": existing technologies

With the appearance of the first computer viruses, programmers quickly understood the principles of their operation and created the first antivirus programs. Much time has passed since then, and a modern antivirus differs from those first antiviruses as much as a personal computer differs from a calculator.

In the first paragraph of this article a somewhat "naive" definition of the antivirus engine was given. What follows are a number of more precise definitions and technical descriptions that, taken together, make it possible to fully understand the structure and algorithms of an antivirus engine.

An antivirus engine is a software module designed to detect malicious software. The engine is the main component of any antivirus program regardless of its purpose: it is used both in personal products (an on-demand scanner or a resident monitor) and in server solutions (a scanner for a mail or file server, a firewall or a proxy server). To detect malware, most engines implement the following technologies:

Search by "signatures" (a unique sequence of bytes);
Search by checksums (CRC) of a unique sequence of bytes at a known position;
Use of a reduced mask;
Cryptanalysis;
Statistical analysis;
Heuristic analysis;
Emulation.

Let's look at each of these methods in more detail.

Search by "signatures"


A signature is a unique "string" of bytes that uniquely characterizes a particular malicious program. Signature search, in one modification or another, has been used to detect viruses and other malware from the very first antivirus programs to the present day. Its undeniable advantages are speed (given specially developed search algorithms, of course) and the ability to detect several viruses with one signature. Its disadvantage is that a signature must be fairly long to be reliable, at least 8-12 bytes (for accurate detection much longer signatures, up to 64 bytes, are usually used), so the antivirus database becomes quite large. In addition, malware written in high-level languages (C++, Delphi, Visual Basic) has recently become increasingly widespread, and such programs contain sections of code that practically never change (the run-time library). A badly chosen signature inevitably leads to a false positive: a "clean", uninfected file is reported as infected. The proposed solutions are either very long signatures or detection over particular data areas, for example relocation tables or text strings, which is not always a good idea.

Search by checksums (CRC)


Search by checksums (CRC, cyclic redundancy check) is essentially a modification of signature search. The method was developed to avoid the main disadvantages of signature search: the size of the database and the likelihood of false positives. Its essence is that, to search for malicious code, the reference "string" (the signature) is not stored itself; instead, its checksum is stored together with the location of the signature within the body of the malicious program. The location is used to avoid calculating checksums over the whole file. Thus, instead of 10-12 bytes of signature (at a minimum), 4 bytes are used to store the checksum and another 4 bytes for the location. The checksum search method is, however, somewhat slower than signature search.
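The two record types described above, side by side, as an added example (this is illustrative code written for this article, not any vendor's engine; the "virus body", the host image and the appender-style infection are constructed, and the 8-byte CRC record is positioned relative to the code entry point, which is an assumption about how the scanner locates it):

```python
import zlib

# Constructed sample data for the demonstration (not a real virus).
VIRUS_BODY = bytes.fromhex("b44eb9ffffcd2173") + b"*.EXE\x00" + bytes(range(0x40, 0x70))
HOST_PROGRAM = b"MZ" + bytes(range(256)) * 4          # a "clean" executable image

# Signature record: a contiguous byte string searched for anywhere in the object.
SIGNATURE_DB = {"Demo.Sig": bytes.fromhex("b44eb9ffffcd2173")}   # 8-byte signature

def scan_signatures(data: bytes, db=SIGNATURE_DB):
    """Plain substring search; one record may hit several variants sharing the bytes."""
    return sorted(name for name, sig in db.items() if sig in data)

# Checksum record: (offset from the code entry point, length, CRC-32) -- 4 bytes of
# position and 4 bytes of checksum instead of the signature bytes themselves.
def make_crc_record(body: bytes, offset: int, length: int):
    return (offset, length, zlib.crc32(body[offset:offset + length]))

CRC_DB = {"Demo.Crc": make_crc_record(VIRUS_BODY, 8, 16)}

def scan_crc(data: bytes, entry: int, db=CRC_DB):
    """Hash only the bytes the record points at, relative to the entry point."""
    hits = []
    for name, (offset, length, crc) in db.items():
        chunk = data[entry + offset:entry + offset + length]
        if len(chunk) == length and zlib.crc32(chunk) == crc:
            hits.append(name)
    return sorted(hits)

def infect(host: bytes, body: bytes):
    """Constructed appender infection: the body goes at the end, the entry point moves to it."""
    return host + body, len(host)

if __name__ == "__main__":
    infected, entry = infect(HOST_PROGRAM, VIRUS_BODY)
    print(scan_signatures(infected), scan_crc(infected, entry))   # both records hit
    print(scan_signatures(HOST_PROGRAM), scan_crc(HOST_PROGRAM, 0))  # clean host: nothing
```

The checksum record needs the entry point to be known before it can be applied, which is why it is cheaper in database space but slightly slower per object than the plain substring search.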
The use of masks to detect malicious code is quite often complicated by the presence of encrypted code (so-called polymorphic viruses), since either it is impossible to select a mask at all, or a mask of the maximum size does not unambiguously identify the virus without false positives.
The impossibility of choosing a mask of sufficient size for a polymorphic virus is easy to explain. By encrypting its body, the virus ensures that most of its code in the infected object is variable and therefore cannot be selected as a mask. (Self-encrypting and polymorphic viruses are described in more detail in the appendix at the end of the article.)
To detect such viruses the following methods are used: a reduced mask, cryptanalysis and statistical analysis. Let's look at these methods in more detail.

Using a reduced mask


When infecting objects, a virus that uses encryption converts its code into an encrypted sequence of data:
S = F(T), where
T is the base code of the virus;
S is the encrypted virus code;
F is the virus's encryption function, chosen at random from some set of transformations {F}.
The reduced mask method consists in choosing a transformation R of the encrypted virus code S such that the result of the transformation (some sequence of data S') does not depend on the key of F, that is
S = F(T),
S' = R(S) = R(F(T)) = R'(T).
When R is applied to all possible variants of the encrypted code S, the result S' is constant for a constant T. Infected objects are therefore identified by choosing S' as the reduced mask and applying the transformation R to the objects being scanned.

Cryptanalysis


In this method, the keys and the algorithm of the decryption routine are recovered from the known base code of the virus and the known encrypted code (or a "suspicious" region of code that resembles the encrypted body of the virus). The recovered algorithm is then applied to the encrypted portion, yielding the decrypted body of the virus. Solving this problem means dealing with a system of equations.
As a rule, this method works much faster and takes much less memory than emulating the virus's instructions. However, solving such systems is often a very complex task.
The main problem is the mathematical analysis of the resulting equation or system of equations. In many ways, the problem of solving a system of equations to recover the encrypted body of a virus resembles the classical cryptographic problem of recovering plaintext from ciphertext with unknown keys. Here, however, the task is posed somewhat differently: it is necessary to establish whether a given encrypted code is the result of applying a function that is known up to its keys. Moreover, much of the data for solving the problem is known in advance: a region of encrypted code, a region of unencrypted code and the possible transformation functions. The algorithm of the transformation itself and the keys are also present in the code being analyzed. There is, however, a significant constraint: the task must be solved within fixed bounds on memory, and the solving procedure must not take much time.
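The "system of equations" in the simplest case, as an added example (illustrative code for this article, not a vendor's routine; the body T and the cipher are constructed). The transformation is known up to two key bytes: byte i is XORed with (k0 + i*step) mod 256. The first two bytes of the known base code give two equations in two unknowns; the rest of the known code then decides whether the solution is genuine or the region is unrelated code, which is the "is this encrypted code the result of applying F" question from the text:

```python
# Constructed 32-byte base code of the "virus" T (illustrative bytes, not real malware).
T = bytes.fromhex("e80000005e83c60ab900018a04345a880446e2f8c32a2e4558450090b44ecd21")

def sliding_xor(data: bytes, k0: int, step: int) -> bytes:
    """Transformation known up to its keys: byte i is XORed with (k0 + i*step) mod 256.
    XOR is an involution, so the same routine encrypts and decrypts."""
    return bytes(b ^ ((k0 + i * step) & 0xFF) for i, b in enumerate(data))

def solve_keys(s: bytes, known: bytes):
    """Two unknowns, two equations from the first two known-plaintext bytes:
         s[0] ^ t[0] = k0
         s[1] ^ t[1] = (k0 + step) mod 256"""
    k0 = s[0] ^ known[0]
    step = ((s[1] ^ known[1]) - k0) & 0xFF
    return k0, step

def cryptanalyze(region: bytes, known: bytes = T):
    """Decide whether `region` is `known` encrypted under some (k0, step).
    Returns (k0, step, decrypted) or None.  Cost is linear in the region: no emulation."""
    if len(known) < 3 or len(region) < len(known):
        return None
    k0, step = solve_keys(region, known)
    plain = sliding_xor(region, k0, step)
    # The equations always have a solution; the remaining known bytes decide whether
    # the solution is genuine or the region is unrelated code.
    if plain[:len(known)] == known:
        return k0, step, plain
    return None

if __name__ == "__main__":
    print(cryptanalyze(sliding_xor(T, 0x9C, 0x37)))   # (156, 55, T)
    print(cryptanalyze(bytes(range(32))))              # None: not the virus
```

Real decryptors combine several operations with several keys, so the system is larger and frequently nonlinear, which is where the "highly complex task" remark in the text comes from; the bound on memory and time is what makes emulation the fallback rather than the default.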

Statistical analysis


Also used to detect polymorphic viruses. During scanning, the scanner analyzes the frequency with which processor instructions are used, builds a table of the instructions (opcodes) encountered, and on the basis of this information concludes whether the file is infected. This method is effective against some polymorphic viruses, since these viruses use a limited set of instructions in the decryptor, whereas "clean" files use completely different instructions with a different frequency. For example, almost all MS-DOS programs frequently use interrupt 21h (opcode CDh 21h), but this instruction practically never occurs in the decryptor of a polymorphic DOS virus.
The main disadvantage of this method is that there are a number of complex polymorphic viruses that use almost all processor instructions, and the set of instructions used changes greatly from copy to copy, so that the virus cannot be detected from the constructed frequency table.

Heuristic analysis


When the number of viruses exceeded several hundred, antivirus experts began to think about detecting malware that the antivirus program did not yet know existed (that is, for which there were no signatures). The result was the so-called heuristic analyzers. A heuristic analyzer is a set of routines that analyze the code of executable files, macros, scripts, memory or boot sectors in order to detect different types of malicious programs. There are two operating principles for such an analyzer.

Static method. Search for common short signatures that are present in most viruses (so-called "suspicious" instructions). For example, a large number of viruses search for files using the *.EXE mask, open the found file and write to the opened file. The task of the heuristic in this case is to find signatures that reflect these actions. The found signatures are then weighed, and if a certain necessary and sufficient set of "suspicious instructions" is found, the file is declared infected. The big advantages of this method are ease of implementation and good speed, but the detection rate for new malware is rather low.
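A static heuristic of exactly this kind for 16-bit DOS code, as an added example (illustrative code for this article, not any product's rule set; the rule weights, the threshold and the two hand-assembled samples are constructed). Each rule is a sequence of short byte chunks (the DOS INT 21h function calls AH=4Eh find-first, AH=4Fh find-next, AX=3D02h open read/write, AH=40h write, AH=42h seek, AX=2521h set interrupt vector) that must appear in order within a short window, so that an intervening register load does not break the match:

```python
# Heuristic rules: ordered chunks of machine code that must appear within a short window,
# so that an instruction or two between them (e.g. loading CX or DX) does not break the match.
# Weights and the threshold are this example's own choices.
RULES = [
    ("find-first file (AH=4Eh / INT 21h)", [b"\xb4\x4e", b"\xcd\x21"], 1),
    ("find-next file (AH=4Fh / INT 21h)",  [b"\xb4\x4f", b"\xcd\x21"], 1),
    ("open file read/write (AX=3D02h)",     [b"\xb8\x02\x3d", b"\xcd\x21"], 2),
    ("write to handle (AH=40h)",            [b"\xb4\x40", b"\xcd\x21"], 2),
    ("seek in file (AH=42h)",               [b"\xb4\x42", b"\xcd\x21"], 1),
    ("hook INT 21h (AX=2521h)",             [b"\xb8\x21\x25", b"\xcd\x21"], 3),
    ("executable file mask string",         [b"*.EXE"], 1),
]
THRESHOLD = 5

def match_in_window(data: bytes, chunks, max_gap: int = 12) -> bool:
    """True if every chunk occurs in order, each starting within max_gap bytes
    of the end of the previous one."""
    start = 0
    while True:
        pos = data.find(chunks[0], start)
        if pos < 0:
            return False
        cur, ok = pos + len(chunks[0]), True
        for chunk in chunks[1:]:
            nxt = data.find(chunk, cur, cur + max_gap + len(chunk))
            if nxt < 0:
                ok = False
                break
            cur = nxt + len(chunk)
        if ok:
            return True
        start = pos + 1

def heuristic_scan(code: bytes):
    """Return (score, names of matched rules, verdict)."""
    matched = [(name, w) for name, chunks, w in RULES if match_in_window(code, chunks)]
    score = sum(w for _, w in matched)
    return score, [name for name, _ in matched], score >= THRESHOLD

# Constructed samples (hand-assembled 16-bit DOS fragments, not real programs).
INFECTOR = bytes.fromhex(
    "b44e b90700 ba0001 cd21"      # mov ah,4Eh ; mov cx,7 ; mov dx,offset mask ; int 21h
    "b8023d ba9e00 cd21 8bd8"      # mov ax,3D02h ; mov dx,9Eh ; int 21h ; mov bx,ax
    "b440 b90002 ba0002 cd21"      # mov ah,40h ; mov cx,200h ; mov dx,200h ; int 21h
    "b43e cd21"                    # mov ah,3Eh ; int 21h
    "b82125 ba0003 cd21"           # mov ax,2521h ; mov dx,300h ; int 21h
) + b"*.EXE\x00"
DIR_LISTER = bytes.fromhex(
    "b44e b90700 ba0001 cd21"      # find first
    "b409 ba9e00 cd21"             # mov ah,09h ; print the name
    "b44f cd21"                    # find next
) + b"*.*\x00"

if __name__ == "__main__":
    print(heuristic_scan(INFECTOR))     # score 9, five rules, infected
    print(heuristic_scan(DIR_LISTER))   # score 2, two rules, clean
```

The directory lister shows why single rules are not enough: it legitimately enumerates files, so only the combination (find, open for writing, write, hook the interrupt vector) pushes the score over the threshold. Matching on raw bytes without disassembly is what makes this fast, and also what lets a virus defeat it by splitting the register loads differently or obfuscating the INT 21h call.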

Dynamic method. This method appeared together with the introduction of processor instruction emulation into antivirus programs (the emulator is described in more detail below). Its essence is to emulate the execution of the program and log all "suspicious" actions it performs. A decision about possible infection is then made on the basis of this log. Unlike the static method, the dynamic method is more demanding of computer resources, but its detection level is much higher.

Emulation


Program code emulation (or sandboxing) was a response to the appearance of a large number of polymorphic viruses. The idea is to emulate the execution of a program (whether infected or "clean") in a special environment, also called an emulation buffer or "sandbox". If a file infected with a polymorphic virus gets into the emulator, then after emulation the decrypted body of the virus is present in the buffer, ready to be detected by standard methods (signature or CRC search).
Modern emulators emulate not only processor instructions but also operating system calls. Writing a full-fledged emulator is very labor-intensive, not to mention that the emulator must constantly monitor the effect of each instruction in order to avoid accidentally executing the destructive components of the virus's algorithm.
It should be emphasized that the virus's instructions must be emulated, not traced (single-stepped on the real processor), since when tracing a virus the probability of executing destructive instructions, or the code responsible for spreading the virus, is too high.

Antivirus engine database


The database is an integral part of the antivirus engine. Moreover, while a well-designed engine does not change very often, the antivirus database changes constantly, because it is the database that holds the signatures, checksums and special software modules for detecting malware. As is well known, new viruses, network worms and other malware appear with enviable regularity, so it is very important that the antivirus database is updated as often as possible. If five years ago weekly updates were sufficient, today at least daily updates of the antivirus database are simply necessary.
It is also very important what exactly the antivirus database contains: only records describing viruses, or also additional software procedures. In the second case the functionality of the antivirus engine can be extended simply by updating the databases.

Support for "complex" nested objects


Antivirus engines have changed a lot over the past few years. For the first antiviruses it was enough to check system memory, executable files and boot sectors to be considered first-class; just a few years later, with the growing popularity of special utilities for packing executable modules, developers faced the task of unpacking a packed file before scanning it.
Then a new problem appeared: viruses learned to infect archived files (and users themselves often sent infected files in archives). Antiviruses were forced to learn how to process archive files as well. In 1995 the first macro virus infecting Microsoft Word documents appeared. It is worth noting that the document format used by Microsoft Word is closed and very complex, and a number of antivirus companies still cannot fully process such files.
Today, due to the enormous popularity of e-mail, antivirus engines also process mail message databases and the messages themselves.

Detection methods


A typical antivirus engine, as implemented in every antivirus program, uses all of the technologies needed to detect malware: an effective heuristic analyzer, a high-performance emulator and, most importantly, a well-thought-out and flexible architecture of the malware detection subsystem that allows all of the detection methods listed above to be applied.
Almost every antivirus engine uses checksum detection as its base method. It is chosen to minimize the size of the antivirus databases. The engine architecture is, however, usually flexible enough to allow any of the detection methods listed above to be applied, which is done for some particularly complex viruses, and this is what makes a high level of detection possible. The architecture of the antivirus engine is presented in more detail in the diagram later in the text.
The practical application of the methods for detecting polymorphic viruses (cryptanalysis, statistical analysis, reduced masks and emulation) comes down to choosing the method that is optimal in terms of speed and the amount of memory required. The code of most self-encrypting viruses is easily restored by the emulation procedure. If using the emulator is not the optimal solution, the virus code is restored by a subroutine implementing the inverse transformation, that is, by cryptanalysis. For viruses that cannot be emulated, and viruses for which an inverse transformation cannot be constructed, the reduced mask method is used.
In some of the most complex cases a combination of these methods is used: part of the decryptor code is emulated, the instructions actually responsible for the decryption algorithm are extracted from the decryptor, and on the basis of this information a system of equations is constructed and solved to restore the virus code and detect it.
A combination of methods is also used for multiple encryption, when the virus encrypts its body several times using different encryption algorithms. The combined recovery method, or "pure" emulation of the decryptor code, is often used because each new virus must be analyzed and added to the antivirus database in the shortest possible time, which does not always leave room for the necessary mathematical analysis. As a result, more cumbersome detection methods have to be used even though mathematical analysis of the decryptor algorithm would be quite applicable.

Working with "complex" objects


Antivirus engines support a huge number of packing and archiving formats. Developers rarely publish a complete (or even sufficiently detailed) list of supported formats. The following is officially published information about support for "complex" formats in Kaspersky Anti-Virus; in other antivirus products the list of supported formats should be approximately the same.
The Kaspersky Anti-Virus engine supports more than 400 different packers of executable files, installers and archivers (more than 900 modifications in total, as of May 2003). Among them:

Executable file packers and encryption systems. The most popular of them: Diet, AVPACK, COMPACK, Epack, ExeLock, ExePack, Expert, HackStop, Jam, LzExe, LzCom, PaquetBuilder, PGMPAK, PkLite, PackWin, Pksmart, Protect, ProtEXE, RelPack, Rerp, Rjcrush, Rucc, Scramb, SCRNCH, Shrink, Six-2-Four, Syspack, Trap, UCEXE, Univac, UPD, UPX (several versions), WWPACK, ASPack (several versions), ASProtect (several versions), Astrum, BitArts, BJFnt, Cexe, Cheaters, Dialect, DXPack, Gleam, CodeSafe, ELFCrypt, JDPack, JDProtect, INFTool, Krypton, Neolite, NFO, NoodleCrypt, OptLink, PCPEC, PEBundle, PECompact (several versions), PCShrink, PE-Crypt, PE-Diminisher, PELock, PEncrypt, PE-Pack (several versions), PE-Protect, PE-Shield, Petite, Pex, PKLite32, SuperCede, TeLock, VBox, WWPack32, XLok, Yoda.
Support for so many packers and archivers reduces the time needed to analyze new viruses, which speeds up the response to the appearance of a new virus and yields a high level of detection of already known viruses.

Archivers and installers (more than 60 in total). The most popular of them: CAB, ARJ, ZIP, GZIP, Tar, AIN, HA, LHA, RAR, ACE, BZIP2, WiseSFX (several versions), CreateInstall, Inno Installer, StarDust Installer, MS Expand, GKWare Setup, SetupFactory, SetupSpecialist, NSIS, Astrum, PCInstall, Effect Office.
Support for a large number of archiver types is especially important for scanning mail systems, since the vast majority of viruses are sent by mail in archived form. Objects are unpacked regardless of the nesting level of the archives. For example, if an infected file is packed with UPX, then placed in a ZIP archive, which in turn is placed in a CAB archive, and so on, the antivirus engine should still be able to reach the original file and detect the virus.
It should be noted that such considerations are by no means theoretical. For example, the well-known backdoor Backdoor.Rbot was distributed packed with many different programs (Ezip, Exe32Pack, ExeStealth, PecBundle, PECompact, FSG, UPX, Morphine, ASPack, Petite, PE-Pack, PE-Diminisher, PELock, PESpin, TeLock, Molebox, Yoda, Krypton, etc.).
The archive unpacking algorithm usually has enough intelligence not to unpack all sorts of "archive bombs": small archives that contain huge files (with a very high compression ratio) or many identical files. Scanning such an archive would take a great deal of time, but modern antivirus engines usually recognize such "bombs".
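Nested unpacking with the "bomb" checks the two paragraphs above call for, as an added example (illustrative code for this article using Python's standard zipfile module, not a vendor's unpacker; the nesting depth, ratio and size limits are this example's own choices, and the samples are constructed in memory). The ratio and declared size are checked before anything is inflated, and the inflated output is capped as well, because the sizes recorded in a ZIP central directory can be forged:

```python
import io
import zipfile

SIGNATURE = b"DEMO-VIRUS-BODY"        # constructed marker standing in for a real signature
MAX_DEPTH = 4                         # archive-in-archive levels we are willing to open
MAX_RATIO = 100                       # declared uncompressed/compressed above this => "bomb"
MAX_TOTAL = 16 * 1024 * 1024          # total bytes we are willing to inflate for one object

def zip_bytes(members: dict) -> bytes:
    """Build an in-memory ZIP from {name: bytes} (constructed test data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in members.items():
            zf.writestr(name, data)
    return buf.getvalue()

def read_bounded(zf, info, limit: int):
    """Inflate a member but stop as soon as it exceeds `limit` bytes: the sizes declared
    in the central directory can be forged, so the real output is capped too."""
    out = bytearray()
    with zf.open(info) as fh:
        while True:
            chunk = fh.read(1 << 16)
            if not chunk:
                return bytes(out)
            out += chunk
            if len(out) > limit:
                return None

def scan_object(data: bytes, path: str = "object", depth: int = 0, budget=None):
    """Scan `data`; if it is a ZIP, unpack and scan members recursively under the limits.
    Returns a list of (finding, path) tuples."""
    if budget is None:
        budget = {"left": MAX_TOTAL}
    findings = []
    if SIGNATURE in data:
        findings.append(("infected", path))
    if data[:4] != b"PK\x03\x04":          # not an archive: nothing more to unpack
        return findings
    if depth >= MAX_DEPTH:
        return findings + [("skipped:too-deep", path)]
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return findings + [("skipped:bad-archive", path)]
    with zf:
        for info in zf.infolist():
            member = f"{path}/{info.filename}"
            ratio = info.file_size / max(info.compress_size, 1)
            if ratio > MAX_RATIO or info.file_size > budget["left"]:
                findings.append(("skipped:archive-bomb", member))   # decided before inflating
                continue
            content = read_bounded(zf, info, min(info.file_size, budget["left"]))
            if content is None:
                findings.append(("skipped:archive-bomb", member))   # lied about its size
                continue
            budget["left"] -= len(content)
            findings.extend(scan_object(content, member, depth + 1, budget))
    return findings

# Constructed samples.
PAYLOAD = b"MZ" + b"\x90" * 64 + SIGNATURE + b"\x00" * 64
NESTED = zip_bytes({"inner.zip": zip_bytes({"report.exe": PAYLOAD})})
BOMB = zip_bytes({"zeros.bin": b"\x00" * (4 * 1024 * 1024)})    # a few KiB on disk, 4 MiB inflated

def nest(data: bytes, levels: int) -> bytes:
    """Wrap `data` in `levels` archives, one inside the other."""
    for i in range(levels):
        data = zip_bytes({f"level{i}.zip": data})
    return data

if __name__ == "__main__":
    print(scan_object(NESTED))          # infected at object/inner.zip/report.exe
    print(scan_object(BOMB))            # zeros.bin skipped as an archive bomb
    print(scan_object(nest(PAYLOAD, 6)))  # too deep: the payload is never reached
```

Skipping is itself a finding: an object the engine refused to open should be reported (or blocked at the mail gateway) rather than silently passed as clean. The same depth and budget accounting applies to packers and mail containers in a real engine; only the ZIP walker is shown here.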

The mechanism for updating anti-virus databases and their size


Antivirus database updates are usually released several times a day; some vendors manage to release updates every hour, others every two hours. In any case, given the current level of danger on the Internet, such frequent updating of antivirus databases is entirely justified.
The size of the updates reflects how well the architecture of the antivirus engine has been thought out. Thus the size of a regular update from the leading companies in the industry, as a rule, does not exceed 30 KB. At the same time, the antivirus databases typically contain about 70% of the functionality of the entire antivirus engine: any database update can add support for a new packer or archiver. So by updating the antivirus database daily the user receives not only new procedures for detecting new malware but, in effect, an update of the entire antivirus. This allows a very flexible reaction to the situation and guarantees the user maximum protection.

Heuristic analyzer


The heuristic analyzer, which is part of almost every antivirus, uses both of the analysis methods described above (cryptanalysis and statistical analysis). A modern heuristic analyzer is designed from the ground up to be extensible, unlike most first-generation heuristic analyzers, which were designed to detect malware only in executable modules.
Today the heuristic analyzer can detect malicious code in executable files, sectors and memory, as well as new script viruses and malware for Microsoft Office (and other programs that use VBA), and finally malicious code written in high-level languages such as Microsoft Visual Basic.
The flexible architecture and combination of different methods make it possible to achieve a fairly high level of detection of new malware. At the same time, developers make every effort to keep the number of false alarms to a minimum; products from the leaders of the antivirus industry rarely make mistakes in detecting malicious code.

Scheme of operation of the antivirus engine


The diagram below describes the approximate algorithm of operation of the antivirus engine. It should be noted that emulation and the search for known and unknown malware occur simultaneously.


Scheme of operation of a typical antivirus engine, using Kaspersky Anti-Virus as the example


As mentioned above, when the antivirus database is updated, the modules for unpacking packed files and archives, the heuristic analyzer and other modules of the antivirus engine are also updated and extended.

Original technologies in antivirus engines


Almost every developer of antivirus products implements some technologies of their own that make the program more efficient and productive. Some of these technologies relate directly to the design of the engine, since the performance of the whole solution often depends on its operation. Below we consider a number of technologies that significantly speed up the scanning of objects while preserving high detection quality, and that improve the detection and disinfection of malware in archived files.
Let's start with iChecker. This technology and its analogues are implemented in almost every modern antivirus. iChecker is the name proposed by Kaspersky Lab; Panda Software, for example, calls its equivalent UltraFast. The technology strikes a reasonable balance between the reliability of protection of workstations (and especially servers) and the use of system resources on the protected computer. Thanks to it, the operating system's boot time (by up to 30-40%) and the time needed to launch applications under active antivirus protection are significantly reduced compared to traditional antivirus protection, while it is still guaranteed that all files on the computer's disks have been scanned and are not infected. The main idea is that there is no need to re-check what has already been checked and has not changed since. The antivirus engine maintains a special database holding the checksums of all scanned (and uninfected) files. Before submitting a file for scanning, the engine calculates the file's checksum and compares it with the data stored in this database. If they match, the file has already been checked and does not need to be scanned again. Computing the checksum of a file takes considerably less time than an antivirus scan.
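The checksum cache described above, as an added example (illustrative code for this article; the layout of the cache, the use of SHA-256 as the checksum and the tagging of each verdict with the database version are this example's own choices, not Kaspersky's iChecker format). The version tag is a practitioner's addition to what the text describes: a "clean" verdict is only as good as the database that produced it, so a database update must invalidate the cache:

```python
import hashlib
import os
import tempfile

class ScanCache:
    """path -> (database version, SHA-256 of the content) for files that scanned clean.
    The layout is this example's own, not any vendor's on-disk format."""

    def __init__(self):
        self.entries = {}

    @staticmethod
    def digest(path: str) -> str:
        h = hashlib.sha256()
        with open(path, "rb") as f:
            for chunk in iter(lambda: f.read(1 << 16), b""):
                h.update(chunk)
        return h.hexdigest()

    def needs_scan(self, path: str, db_version: int) -> bool:
        entry = self.entries.get(path)
        if entry is None or entry[0] != db_version:
            return True                       # never seen, or verdict predates the current database
        return entry[1] != self.digest(path)  # content changed since it was found clean

    def record_clean(self, path: str, db_version: int):
        self.entries[path] = (db_version, self.digest(path))

def scan_tree(paths, cache: ScanCache, db_version: int, engine):
    """Submit only the files the cache cannot vouch for; return the list actually scanned."""
    scanned = []
    for path in paths:
        if cache.needs_scan(path, db_version):
            scanned.append(path)
            if engine(path) == "clean":
                cache.record_clean(path, db_version)
    return scanned

def demo():
    """Four passes over two constructed files; returns how many files each pass sent to the engine."""
    with tempfile.TemporaryDirectory() as tmp:
        a, b = os.path.join(tmp, "a.exe"), os.path.join(tmp, "b.dll")
        for path in (a, b):
            with open(path, "wb") as f:
                f.write(b"MZ" + b"\x90" * 1000)       # constructed clean content

        def engine(path):                           # stand-in for the real scanner
            return "clean"

        cache = ScanCache()
        first = scan_tree([a, b], cache, 1, engine)   # cold cache: both scanned
        second = scan_tree([a, b], cache, 1, engine)  # unchanged: nothing scanned
        with open(b, "ab") as f:
            f.write(b"\xcc")                          # b.dll modified
        third = scan_tree([a, b], cache, 1, engine)   # only b.dll rescanned
        fourth = scan_tree([a, b], cache, 2, engine)  # new database: both rescanned
        return len(first), len(second), len(third), len(fourth)

if __name__ == "__main__":
    print(demo())   # (2, 0, 1, 2)
```

Two caveats follow from the design: only files whose verdict was "clean" are cached, so an infected file is re-examined every time until it is disinfected or removed, and the cache itself becomes a target, since an attacker who can write to it can mark a modified file as already checked; in practice it has to be stored where only the antivirus service can write.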
A special place in the work of an antivirus is occupied by the disinfection of infected objects inside archives, which is what we turn to next. iCure is a technology for disinfecting infected files in archives. Thanks to it, infected objects inside archive files are disinfected (or deleted, depending on the antivirus settings) without using external archiving utilities. Today most antiviruses support the following archive types for this: ARJ, CAB, RAR, ZIP. Thanks to the modular architecture and the engine's update technology, the user can, as a rule, easily update and extend the list of supported archivers without restarting the antivirus.
iArc is another technology for working with archive files, needed for multi-volume archives. iArc makes it possible to scan multi-volume archives and detect viruses even if they are packed in a multi-volume archive that is itself packed into another multi-volume archive.
Multithreading. The antivirus engine is a multi-threaded module and can process (check for malicious code) several objects (files, sectors, scripts, etc.) simultaneously.
Most of the technologies listed above are implemented in one form or another in every modern antivirus product.

Polymorphic viruses


Throughout the article the terms "polymorphic" and "self-encrypting" viruses have been used frequently. As should be clear from the preceding discussion, it was this type of malicious code that most strongly influenced the development of antivirus technology. The following information about polymorphic viruses was provided by Kaspersky Lab experts.

Basic definitions: self-encryption and polymorphism. These are used by almost all types of viruses to make the detection procedure as difficult as possible. Polymorphic viruses are hard-to-detect viruses that have no signatures, that is, they do not contain a single constant section of code. In most cases two samples of the same polymorphic virus will not have a single byte in common. This is achieved by encrypting the main body of the virus and modifying the decryption routine. Polymorphic viruses are those that cannot be detected (or are extremely difficult to detect) with so-called virus masks: sections of constant code specific to a particular virus. This is achieved in two main ways: by encrypting the main virus code with a non-constant key and a random set of decryptor instructions, or by changing the executable virus code itself. There are also other, rather exotic examples of polymorphism: the DOS virus "Bomber", for example, is not encrypted, but the sequence of instructions that transfers control to the virus code is completely polymorphic.
Polymorphism of varying degrees of complexity is found in viruses of all types, from boot and file DOS viruses to Windows viruses and even macro viruses.

Polymorphic decryptors


The simplest example of a partially polymorphic decryptor is the following set of instructions, as a result of which not a single byte of the virus code or of its decryptor is constant when different files are infected:

MOV reg_1, count            ; reg_1, reg_2, reg_3 are chosen from
MOV reg_2, key              ; AX, BX, CX, DX, SI, DI, BP
MOV reg_3, _offset          ; count, key and _offset can also change
_loop:
xxx byte ptr [reg_3], reg_2 ; xor, add or sub
INC reg_3                   ; advance the pointer to the next byte
DEC reg_1
Jxx _loop                   ; ja or jnc
; Next comes the encrypted code and data of the virus
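The decryptor above, driven through a sandbox the way the emulation section describes, as an added example (illustrative code for this article, not a vendor's emulator). It generates polymorphic copies of the loop (random registers, XOR/ADD/SUB, key, body location, and do-nothing instructions such as NOP, STI, CLI, STC and CLC mixed in), interprets them against a 64 KiB buffer with an instruction budget, and then runs a plain signature search on the buffer. The 32-byte body, the signature and the tuple-based instruction encoding are constructed; a real emulator decodes machine code and models far more of the processor and operating system:

```python
import random

BODY = bytes.fromhex("e80000005e83c60ab900018a04345a880446e2f8c32a2e4558450090b44ecd21")
SIGNATURE = BODY[:12]            # what the signature scanner looks for once the body is decrypted
REGS = ["ax", "bx", "cx", "dx", "si", "di", "bp"]
GARBAGE = [("nop",), ("sti",), ("cli",), ("stc",), ("clc",)]
INVERSE = {"xor": "xor", "add": "sub", "sub": "add"}   # what the infector applies so the decryptor undoes it

def apply_op(op: str, value: int, key: int) -> int:
    if op == "xor":
        return value ^ key
    if op == "add":
        return (value + key) & 0xFF
    return (value - key) & 0xFF

def make_variant(rng):
    """Emit one polymorphic copy: random registers, op, key, body location and garbage."""
    r_count, r_key, r_ptr = rng.sample(REGS, 3)
    op, key = rng.choice(list(INVERSE)), rng.randrange(1, 256)
    base = 0x100 + 0x10 * rng.randrange(0, 64)
    core = [("mov", r_count, len(BODY)), ("mov", r_key, key), ("mov", r_ptr, base),
            (op, r_ptr, r_key),                     # xxx byte ptr [reg_3], reg_2
            ("inc", r_ptr), ("dec", r_count)]
    code = []
    for ins in core:
        code += rng.sample(GARBAGE, rng.randrange(0, 3))   # dilute with do-nothing instructions
        code.append(ins)
    code.append(("jnz", code.index((op, r_ptr, r_key))))   # jxx _loop
    encrypted = bytes(apply_op(INVERSE[op], b, key) for b in BODY)
    return code, base, encrypted

def make_variants(n: int, seed: int):
    rng = random.Random(seed)
    return [make_variant(rng) for _ in range(n)]

def emulate(code, mem: bytearray, max_steps: int = 10_000) -> int:
    """Interpret the decryptor against sandbox memory `mem`; nothing is ever really executed."""
    regs = dict.fromkeys(REGS, 0)
    zf, ip, steps = False, 0, 0
    while 0 <= ip < len(code) and steps < max_steps:
        ins, ip, steps = code[ip], ip + 1, steps + 1
        kind = ins[0]
        if kind == "mov":
            regs[ins[1]] = ins[2] & 0xFFFF
        elif kind in ("xor", "add", "sub"):
            addr = regs[ins[1]] & 0xFFFF
            mem[addr] = apply_op(kind, mem[addr], regs[ins[2]] & 0xFF)
            zf = mem[addr] == 0
        elif kind in ("inc", "dec"):
            regs[ins[1]] = (regs[ins[1]] + (1 if kind == "inc" else -1)) & 0xFFFF
            zf = regs[ins[1]] == 0
        elif kind == "jnz":
            if not zf:
                ip = ins[1]
        elif ins not in GARBAGE:
            raise ValueError(f"unsupported instruction {ins}")   # stop rather than guess
    return steps

def detect(code, base: int, encrypted: bytes):
    """Returns (signature found before emulation, signature found after emulation)."""
    mem = bytearray(0x10000)
    mem[base:base + len(encrypted)] = encrypted
    before = SIGNATURE in mem
    emulate(code, mem)
    return before, SIGNATURE in mem

if __name__ == "__main__":
    for code, base, enc in make_variants(5, 7):
        print(len(code), "instructions at", hex(base), detect(code, base, enc))   # (False, True)
```

The step budget is what keeps a decryptor that never terminates (or that waits on a condition the emulator does not model) from stalling the scan, and the unsupported-instruction path is where a real emulator either extends its model or hands the object to the cryptanalytic or reduced-mask methods described earlier.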

Complex polymorphic viruses use much more involved algorithms to generate their decryptors: the above instructions (or their equivalents) are rearranged from infection to infection and diluted with instructions that do nothing, such as NOP, STI, CLI, STC, CLC, etc.
Full-fledged polymorphic viruses use even more complex algorithms, so that the decryptor may contain the operations SUB, ADD, XOR, ROR, ROL and others in an arbitrary number and order. Loading and changing the keys and other encryption parameters is also done by an arbitrary set of operations in which almost all instructions of the Intel processor can be found (ADD, SUB, TEST, XOR, OR, SHR, SHL, ROR, MOV, XCHG, JNZ, PUSH, POP...) with all possible addressing modes. Polymorphic viruses have also appeared whose decryptor uses instructions up to those of the Intel 386, and in the summer of 1997 a 32-bit polymorphic virus infecting Windows 95 EXE files was discovered.
As a result, a file infected with such a virus begins with a set of seemingly meaningless instructions. Interestingly, some perfectly functional combinations are not accepted by proprietary disassemblers (for example, the combination CS:CS: or CS:NOP). And among this "mess" of instructions and data, a MOV, XOR, LOOP or JMP occasionally slips through: instructions that are actually "working".

Levels of polymorphism


Polymorphic viruses are divided into levels according to the complexity of the code found in their decryptors. This division was first proposed by Dr. Alan Solomon and was later extended by Vesselin Bontchev:

Level 1: viruses that have a certain set of decryptors with constant code and choose one of them when infecting. Such viruses are "semi-polymorphic" and are also called "oligomorphic". Examples: "Cheeba", "Slovakia", "Whale".

Level 2: the decryptor contains one or more constant instructions, but the main part is variable.

Level 3: the decryptor contains unused instructions, "garbage" such as NOP, CLI, STI, etc.

Level 4: the decryptor uses interchangeable instructions and reorders (shuffles) them. The decryption algorithm does not change.

Level 5: all of the above techniques are used, the decryption algorithm is not constant, and the virus code may be re-encrypted and even part of the decryptor code itself encrypted.

Level 6: permuting viruses. The main code of the virus itself changes: it is divided into blocks which are rearranged in random order on infection. The virus remains functional. Such viruses may be unencrypted.

The above classification has its drawbacks, since it is made according to a single criterion - the ability to detect a virus by the decryptor code using the standard technique of virus masks:

Level 1: to detect the virus, it is enough to have several masks;
Level 2: mask detection using "wildcards";
Level 3: detection by mask after removing “garbage” instructions;
Level 4: the mask contains several options for possible code, that is, it becomes algorithmic;
Level 5: inability to detect the virus using the mask.
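To make the mask-based side of this classification concrete, here is an added example (not code from the original article) of how a scanner handles Levels 1 to 3: a set of constant masks for an oligomorphic decryptor, a wildcard mask where only the key byte varies, and garbage stripping before matching. The decryptor byte strings, the filler opcodes and the mask are constructed for the demonstration and are not taken from any real virus.

```python
"""Added example: Levels 1-3 of the mask classification as scanner logic.
Level 1: several constant masks; Level 2: a mask with wildcards; Level 3:
strip 'garbage' instructions before matching.  All byte strings below are
constructed for the demonstration."""

# Constructed oligomorphic decryptor variants (Level 1): the virus picks one of
# a fixed set, so one constant mask per variant is enough.
LEVEL1_MASKS = [
    bytes.fromhex("b90a00 8bf6 3004 46 e2fb"),   # mov cx,10 ; ... ; xor [si],al ; inc si ; loop
    bytes.fromhex("b90a00 8bf6 2804 46 e2fb"),   # same loop, but sub instead of xor
]

# Level 2: the key byte (operand of mov al, imm8) varies per infection, so the
# mask marks it as a wildcard.  None means "any byte".
LEVEL2_MASK = [0xB0, None, 0xB9, 0x0A, 0x00, 0x30, 0x04, 0x46, 0xE2, 0xFB]

# Level 3: single-byte do-nothing instructions inserted between the real ones.
# Only opcodes that cannot also appear as operands of the constructed loop are
# listed; a real engine disassembles instead of stripping raw bytes.
GARBAGE = {0x90, 0xFA, 0xF8}   # NOP, CLI, CLC


def match_constant(data: bytes, masks) -> bool:
    """Level 1 detection: any of the constant masks occurs in the data."""
    return any(m in data for m in masks)


def match_wildcard(data: bytes, mask) -> int:
    """Level 2 detection: offset of the first wildcard-mask hit, or -1."""
    n = len(mask)
    for i in range(len(data) - n + 1):
        if all(m is None or data[i + j] == m for j, m in enumerate(mask)):
            return i
    return -1


def strip_garbage(data: bytes) -> bytes:
    """Level 3 preprocessing: drop bytes that are known filler opcodes."""
    return bytes(b for b in data if b not in GARBAGE)


def detect(data: bytes) -> str:
    """Run the three techniques in order of cost and report which one fired."""
    if match_constant(data, LEVEL1_MASKS):
        return "level1-constant-mask"
    if match_wildcard(data, LEVEL2_MASK) >= 0:
        return "level2-wildcard-mask"
    if match_wildcard(strip_garbage(data), LEVEL2_MASK) >= 0:
        return "level3-garbage-stripped"
    return "clean"
```

The order in `detect` mirrors the cost of each technique: constant masks are cheapest, wildcard matching costs a comparison per mask position, and garbage stripping requires a pass over the whole object first. Byte-level stripping is only safe here because the constructed filler never coincides with an operand byte; that is exactly why real engines strip garbage at the disassembled-instruction level.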

The insufficiency of such a division is demonstrated by a virus of the 3rd level of polymorphism called “Level3”. This virus, one of the most complex polymorphic viruses, falls into Level 3 according to the above division, since it has a constant decryption algorithm preceded by a large number of “garbage” commands. However, in this virus the garbage generation algorithm has been brought to perfection: almost all instructions of the i8086 processor can be found in the decryptor code.
If the division into levels is made from the point of view of antiviruses that use systems for automatically decrypting the virus code (emulators), then it will depend on the complexity of emulating the virus code. A virus can also be detected by other methods, for example by decryption using elementary mathematical laws, etc.
A more objective classification would be one in which, in addition to the criterion of viral masks, other parameters are also involved, for example:

The degree of complexity of the polymorphic code (the percentage of all processor instructions that can be found in the decryptor code);
Using special techniques that make emulation difficult for antiviruses;
Constancy of the decryptor algorithm;
Constancy of decryptor length.


Changing Executable Code


Most often, this method of polymorphism is used by macro viruses, which, when creating new copies of themselves, randomly change the names of their variables, insert empty lines or change their code in some other way. Thus, the algorithm of the virus remains unchanged, but the virus code changes almost completely from infection to infection.
This method is used less frequently by complex boot viruses. Such viruses inject only a fairly short procedure into the boot sectors, which reads the main virus code from the disk and transfers control to it. The code for this procedure is selected from several different options (which can also be mixed with “empty” commands), the commands are rearranged, etc.
This technique is even less common in file viruses - after all, they have to completely change their code, and this requires quite complex algorithms. To date, only two such viruses are known, one of which (“Ply”) randomly moves its commands around its body and replaces them with JMP or CALL commands. The other virus (“TMC”) uses a more complex method - each time it infects, the virus swaps blocks of its code and data, inserts “garbage”, sets new offsets for data in its assembly instructions, changes constants, etc. As a result, although the virus does not encrypt its code, it is a polymorphic virus - there is no constant set of commands in the code. Moreover, when creating new copies of itself, the virus changes its length.

360 Total Security is a free antivirus from Qihoo 360 with PC optimization and real-time protection against all types of online threats using 5 engines: Avira and Bitdefender, the proactive QVM II and the 360 Cloud, as well as System Repair for system recovery.

Program description

360 Total Security offers comprehensive protection against all types of malware and online threats.

The free antivirus from Qihoo 360 uses real-time protection with the Avira and Bitdefender antivirus engines, the proactive QVM II and 360 Cloud, as well as System Repair for comprehensive assessment of and quick recovery from abnormal changes in the Windows operating system.

When you make online purchases, download files, visit web pages of various resources on the Internet, 360 Total Security protects you from threats in real time. In addition, you can use the one-click cleaning feature to optimize your computer's performance.

Five engines provide an unrivaled level of reliability and security - online and offline - while maintaining high system performance.

Main features of 360 Total Security:

  • The new version of 360 Total Security adds the Avira antivirus engine and System Repair (for restoring the system) to the existing Bitdefender engine, the proactive QVM II and the 360 Cloud.
  • A one-click acceleration and cleaning function has also been added to optimize your computer's performance.

Key features of 360 Total Security

System check
- Quickly check the general health and security of your computer in one click

Antivirus scanning
- Use of 5 top engines, including 360 Cloud Engine, QVM II, Avira and Bitdefender, for comprehensive protection and better detection, as well as System Repair to restore the system.

System acceleration
- Allows you to manage and optimize the autostart of applications, plugins and services, reducing your PC's boot time.

System cleaning
- Helps free up hard drive space by cleaning unnecessary files from your computer, making your work more efficient.

Real-time protection
- Protect your computer from malware, phishing, hidden and emerging threats using fast and smart cloud technology.

Today, more than ever, anti-virus software is not only the most in-demand element of the security of any operating system, but also one of its main components. And if previously the user had a very limited, modest choice, now you can find a lot of such programs. But if you look at the list of “Top 10 antiviruses”, you will notice that not all of them are equivalent in terms of functionality. Let's look at the most popular packages. The analysis will include paid, shareware (antivirus for 30 days), and freely distributed applications. But first things first.

Top 10 antiviruses for Windows: testing criteria

Before you start compiling a rating, you should probably familiarize yourself with the basic criteria that are used in most cases when testing such software.

Naturally, it is simply impossible to consider all known packages. However, among all those designed to protect a computer system in the broadest sense, we can highlight the most popular ones. At the same time, we will take into account both the official ratings of independent laboratories and the reviews of users who use this or that software product in practice. In addition, mobile programs will not be covered; we will focus on desktop systems.

As for conducting basic tests, as a rule, they include several main aspects:

  • availability of paid and free versions and limitations related to functionality;
  • standard scanning speed;
  • quick identification of potential threats and the ability to remove or quarantine them using built-in algorithms;
  • frequency of updating anti-virus databases;
  • self-defense and reliability;
  • availability of additional features.

As can be seen from the list above, checking the operation of antivirus software allows you to determine the strengths and weaknesses of a particular product. Next, I will consider the most popular software packages included in the Top 10 antiviruses, and also give their main characteristics, of course, taking into account the opinions of people who use them in their daily work.

Kaspersky Lab software products

First, let's look at the software modules developed by Kaspersky Lab, which are extremely popular in the post-Soviet space.

It is impossible to single out just one program here, because among them you can find the regular Kaspersky Antivirus scanner, modules like Internet Security, portable utilities like Virus Removal Tool, and even Rescue Disk boot disks for damaged systems.

It is immediately worth noting two main disadvantages: firstly, judging by the reviews, almost all programs, with rare exceptions, are paid or shareware, and secondly, the system requirements are unreasonably high, which makes it impossible to use them on relatively weak configurations. Naturally, this scares off many ordinary users, although activation keys for Kaspersky Antivirus or Internet Security can easily be found on the World Wide Web.

On the other hand, the activation situation can be corrected in another way. For example, Kaspersky keys can be generated using special applications like Key Manager. True, this approach is, to put it mildly, illegal, however, as a way out, it is used by many users.

Operating speed on modern machines is in the average range (for some reason, ever more heavyweight versions are being created for new configurations), but the constantly updated databases and the unique technologies for identifying and removing known viruses and potentially dangerous programs are at the top here. It is not surprising that Kaspersky Lab is today a leader among security software developers.

And two more words about the recovery disk. It is unique in its own way, since it loads a scanner with a graphical interface even before Windows itself starts, allowing you to remove threats even from RAM.

The same goes for the portable Virus Removal Tool utility, capable of tracking down any threat on an infected terminal. It can only be compared with a similar utility from Dr. Web.

Protection from Dr. Web

Before us is another of the strongest representatives in the field of security - the famous “Doctor Web”, which has stood at the origins of anti-virus software since time immemorial.

Among the huge number of products you can find standard scanners, security tools for Internet surfing, portable utilities and recovery discs. You can't list everything.

The main factors in favor of this developer’s software include high speed, instant detection of threats with the ability to either completely remove or isolate them, and a moderate load on the system as a whole. In general, from the point of view of most users, this is a kind of lightweight version of Kaspersky. There is still something interesting here. In particular, this is Dr. Web Katana. It is believed to be a new generation software product. It is focused on the use of “sandbox” technologies, i.e. placing a threat in the “cloud” or “sandbox” (whatever you want to call it) for analysis before it penetrates the system. However, if you look at it, there is no particular innovation here, because this technique was used in the free Panda antivirus. In addition, according to many users, Dr. Web Katana is a kind of Security Space with the same technologies. However, generally speaking, any software from this developer is quite stable and powerful. It is not surprising that many users prefer such packages.

ESET programs

Speaking about the Top 10 antiviruses, it is impossible not to mention another bright representative of this field - the ESET company, which became famous for such a well-known product as NOD32. A little later, the ESET Smart Security module was born.

If we consider these programs, we can note an interesting point. To activate the full functionality of any package, you can do one of two things. On the one hand, there is the acquisition of an official license. On the other hand, you can install the trial antivirus for free, but you have to activate it every 30 days. The situation with activation is also interesting.

As absolutely all users note, for ESET Smart Security (or for the standard antivirus) freely distributed keys in the form of a login and password could be found on the official website. Until recently, only this data could be used. Now the process has become somewhat more complicated: first you need to enter the login and password on a special website, convert them into a license number, and only then enter it into the registration field in the program itself. However, if you do not pay attention to such trifles, you can note that this antivirus is one of the best. Pros noted by users:

  • virus signature databases are updated several times a day,
  • identification of threats at the highest level,
  • there are no conflicts with system components (firewall),
  • the package has the strongest self-defense,
  • there are no false alarms, etc.

Separately, it is worth noting that the load on the system is minimal, and the use of the Anti-Theft module even allows you to protect data from theft or misuse for personal gain.

AVG Antivirus

AVG Antivirus is paid software designed to provide comprehensive security for computer systems (there is also a free, truncated version). And although today this package is no longer among the top five, it nevertheless demonstrates fairly high speed and stability.

In principle, it is ideal for home use, because, in addition to speed, it has a convenient Russified interface and more or less stable behavior. True, as some users note, sometimes it is able to miss threats. And this does not apply to viruses as such, but rather to spyware or advertising "junk" called Malware and Adware. The program’s own module, although widely advertised, still, according to users, looks somewhat unfinished. And an additional firewall can often cause conflicts with the “native” Windows firewall if both modules are active.

Avira package

Avira is another member of the antivirus family. It is not fundamentally different from most similar packages. However, if you read user reviews about it, you can find quite interesting posts.

Many people do not recommend using the free version under any circumstances, since some modules are simply missing from it. To provide reliable protection, you will have to purchase the paid product. But such an antivirus is suitable for versions 8 and 10, in which the system itself uses a lot of resources, while the package uses them at the lowest level. Basically, Avira is better suited only to, say, budget laptops and weak computers. A network installation, however, is out of the question.

Cloud service Panda Cloud

The free Panda Cloud at one time became almost a revolution in the field of antivirus technologies. The use of a so-called “sandbox” to submit suspicious content for analysis before it penetrates the system has made this application especially popular among users of all levels.

And it is precisely with the “sandbox” that this antivirus is associated today. Yes, indeed, this technology, unlike other programs, allows you to prevent threats from entering the system. For example, any virus first saves its body on the hard drive or in RAM, and only then begins its activity. Here it does not even get as far as saving. First, the suspicious file is sent to the cloud service, where it is checked, and only then can it be saved in the system. True, according to eyewitnesses, unfortunately, this can take quite a lot of time and unnecessarily loads the system. On the other hand, it’s worth asking yourself what is more important: security or increased verification time? However, for modern computer configurations with Internet connection speeds of 100 Mbit/s and higher, it can be used without problems. By the way, its own protection is provided precisely through the “cloud”, which sometimes causes criticism.

Avast Pro Antivirus Scanner

Now a few words about another prominent representative. It is quite popular among many users; however, despite having the same sandbox, anti-spyware, network scanner, firewall and virtual account, Avast Pro Antivirus unfortunately clearly loses in the main indicators of performance, functionality and reliability to such giants as Kaspersky Lab software products or applications using Bitdefender technologies, although it demonstrates high scanning speed and low resource consumption.

Users are attracted to this product mainly by the fact that the free version of the package is as functional as possible and does not differ much from the paid software. In addition, this antivirus works on all Windows versions, including the “ten”, and behaves perfectly even on outdated machines.

360 Security Packages

Before us is probably one of the fastest antiviruses of our time - 360 Security, developed by Chinese specialists. In general, all products labeled “360” are distinguished by enviable speed of operation (the same goes for the 360 Safety Browser Internet browser).

Despite its main purpose, the program has additional modules to eliminate operating system vulnerabilities and optimize it. But neither the speed of operation nor the free distribution can outweigh the false alarms. In the list of programs that have the highest indicators for this criterion, this software occupies one of the first places. According to many experts, conflicts arise at the system level due to the additional optimizers, whose actions intersect with the execution of tasks of the OS itself.

Software products based on Bitdefender technologies

Another “old man” among the most famous defenders of operating systems is Bitdefender. Unfortunately, in 2015 it lost the palm to Kaspersky Lab products; nevertheless, in antivirus fashion, so to speak, it is one of the trendsetters.

If you look a little more closely, you will notice that many modern programs (the same 360 Security package) in different variations are made precisely on the basis of these technologies. Despite the rich functional base, it also has its shortcomings. Firstly, you will not find a Russified Bitdefender, since it does not exist at all. Secondly, despite the use of the latest technological developments in system protection, it unfortunately shows too high a number of false positives (by the way, according to experts, this is typical for the entire group of programs created on the basis of Bitdefender). The presence of additional optimizer components and its own firewall generally does not change the behavior of such antiviruses for the better. But you can’t deny the speed of this application. In addition, P2P traffic is checked, but there is no real-time email checking, which many people do not like.

Antivirus from Microsoft

Another application that is distinguished by its enviable operation, with or without reason, is Microsoft's own product called Security Essentials.

This package is included in the Top 10 antiviruses, apparently, only because it is designed exclusively for Windows systems, which means it does not cause any conflicts at the system level. Besides, who else, if not specialists from Microsoft, knows all the security holes and vulnerabilities of their own operating systems. By the way, it is interesting that the initial builds of Windows 7 and Windows 8 had MSE as standard, but then for some reason this kit was abandoned. However, for Windows it can become the simplest solution in terms of security, although you can’t count on any special functionality.

McAfee app

As for this application, it looks quite interesting. It gained the greatest popularity on mobile devices with all kinds of blocking features; however, on desktop computers this antivirus behaves no worse.

The program has low-level support for P2P networks with file sharing via Instant Messenger, and also offers 2-level protection, in which the main role is given to the WormStopper and ScriptStopper modules. But in general, according to consumers, the functional set is at an average level, and the program itself is focused more on identifying spyware, computer worms and Trojans and preventing executable scripts or malicious code from penetrating the system.

Combined antiviruses and optimizers

Naturally, only those included in the Top 10 antiviruses were considered here. If we talk about other software of this kind, we can note some packages containing anti-virus modules in their sets.

What to prefer?

Naturally, all antiviruses have certain similarities and differences. What to install? Here you need to proceed from your needs and the level of protection required. Usually, corporate clients should buy something more powerful with the ability of network installation (Kaspersky, Dr. Web, ESET). As for home use, the user chooses what he needs (if desired, you can even find an antivirus for a year - without registration or purchase). But, if you look at user reviews, it is better to install Panda Cloud, even despite some additional load on the system and the time it takes to check in the sandbox. But this is where there is a complete guarantee that the threat will not penetrate the system in any way. However, everyone is free to choose for themselves what exactly they need. If activation is not a problem, please: ESET products work fine in home systems. But using optimizers with anti-virus modules as the main means of protection is highly undesirable. Well, it’s also impossible to say which program takes first place: there are as many opinions as there are users.

Antivirus engines.

One of the main parts of any antivirus is the so-called antivirus “engine” - a module responsible for scanning objects and detecting malware. The quality of malware detection and, as a consequence, the level of protection provided by the antivirus depends on the antivirus engine, how it is designed, and what detection methods and heuristics it uses.

This article describes in detail standard technologies and some original approaches of various antivirus developers, implemented in the antivirus engine. Along the way, some related technical issues will be considered that are necessary to assess the quality of the anti-virus engine and clarify the technologies used in it.

Good or bad "engine"?

Unfortunately, antivirus software developers very rarely disclose implementation details of their engines. However, by indirect signs you can determine whether the “engine” is good or not. Here are the main criteria by which you can determine the quality of an antivirus engine:

Detection quality. How well does the antivirus detect viruses? This criterion can be assessed based on the results of various tests that are conducted by several organizations and are usually presented on the developer’s web resources.

Level of detection by heuristic analyzers. Unfortunately, it is impossible to determine this parameter without testing on a collection of viruses, but you can quite easily determine what the level of false positives is for a particular engine.

False positive rate. If on 100% uninfected files the antivirus reports that it has detected a possibly infected file, then this is a false positive. Should we trust such a heuristic analyzer that bothers the user with false alarms? After all, due to a large number of false positives, the user may miss a truly new virus.

Support for a large number of packers and archivers. This is a very important factor, since often the creators of malware, having written a virus, package it with several utilities for packaging executable modules and, having received several different viruses, release them into the world. Essentially, all of these viruses are instances of the same variant. For an antivirus engine that supports all or almost all popular packaging utilities, it will not be difficult to identify all these instances of the same virus, calling them by the same name; for other engines, it will be necessary to update the antivirus database ( as well as the time it takes for antivirus experts to analyze the virus instance).

Frequency and size of anti-virus database updates. These parameters are indirect signs of the quality of the engine: frequent release of updates ensures that the user will always be protected from newly emerging viruses, while the size of an update (and the number of viruses it adds detection for) says something about the quality of the design of the anti-virus database and, in part, of the engine.

The ability to update the engine without updating the antivirus program itself. Sometimes, to detect a virus, it is necessary to update not only the anti-virus database, but also the engine itself. If the antivirus does not support this feature, then the user may be left without protection in the face of a new virus. In addition, this feature allows you to quickly improve the engine and correct errors in it.

Anti-virus "engine": existing technologies

With the advent of the first computer viruses, programmers quickly figured out how they work and created the first anti-virus programs. Quite a lot of time has passed since then, and modern antivirus differs from those first antiviruses, just as a personal computer differs from a calculator.

In the first paragraph of this article, a somewhat “naive” definition of the antivirus “engine” was given. Next, a number of precise definitions and technological descriptions will be given, which, ultimately, will allow you to fully understand the structure and algorithms of the anti-virus engine.

An anti-virus engine is a software module designed to detect malicious software. The “engine” is the main component of any antivirus program, regardless of its purpose. It is used both in personal products - a personal scanner or monitor - and in server solutions - a scanner for a mail or file server, a firewall or a proxy server. As a rule, to detect malware, most “engines” implement the following technologies:
Search by "signatures" (a unique sequence of bytes);
Search by checksums or CRC (the checksum of a unique sequence of bytes);
Using a reduced mask;
Cryptanalysis;
Statistical analysis;
Heuristic analysis;
Emulation.
Let's look at each of these methods in more detail.

Search by "signatures"

A signature is a unique “string” of bytes that uniquely characterizes a particular malicious program. Signature search, in one modification or another, has been used to detect viruses and other malware, from the very first antivirus programs to the present day. The undeniable advantage of signature search is the speed of operation (using specially developed algorithms, of course) and the ability to detect several viruses with one signature. Disadvantage - the size of the signature for reliable detection must be quite large, at least 8-12 bytes (usually much longer signatures, up to 64 bytes, are used for accurate detection), therefore, the size of the anti-virus database will be quite large. In addition, recently, malicious programs written in high-level languages ​​(C++, Delphi, Visual Basic) have become increasingly widespread, and such programs have separate parts of the code that practically do not change (the so-called Run Time Library). An incorrectly selected signature will inevitably lead to a false positive - detection of a “clean”, uninfected file as infected with a virus. As a solution to this problem, it is proposed to use either very large signatures or use detection for certain data areas, for example, relocation tables or text strings, which is not always good.

Search by checksums (CRC)

Search by checksums (CRC - cyclic redundancy check) is, in essence, a modification of signature search. The method was developed to avoid the main disadvantages of signature search - the size of the database and the likelihood of false positives. Its essence is that the “reference” string (the signature) is not stored itself; instead, its checksum is stored together with the location of the signature in the body of the malicious program. The location is used to avoid having to calculate checksums over the entire file. Thus, instead of 10-12 bytes of signature (minimum), 4 bytes are used to store the checksum and another 4 bytes for the location. However, the checksum search method is somewhat slower than signature search.
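The trade-off between the two methods is easiest to see side by side. The following is an added example, not the article's or any engine's code: a database record holding the CRC32 and offset of a reference byte string, checked against only that region of a scanned file, next to a plain signature search over the whole file. The reference bytes, offset and sample files are constructed for the demonstration; the record layout (offset, CRC, length) is an assumption made here.

```python
"""Added example: checksum (CRC) search as a compact variant of signature
search.  The database stores the CRC32 of the reference bytes plus their
offset in the infected file, and only that region is checksummed.  The
reference bytes, record layout and sample files are constructed."""

import struct
import zlib

# Constructed reference bytes that a signature scanner would store whole
# (12 bytes), located 0x40 bytes into the infected file.
REFERENCE = bytes.fromhex("b95a00 8bf6 3004 46 e2fb c3 90")
REFERENCE_OFFSET = 0x40

# Database record: <offset:u32><crc32:u32><length:u16>; 10 bytes regardless of
# how long the reference is (a fixed per-database length would save the last 2).
RECORD_FORMAT = "<IIH"


def make_record(offset: int, reference: bytes) -> bytes:
    """Build the database record for a reference byte string at a known offset."""
    crc = zlib.crc32(reference) & 0xFFFFFFFF
    return struct.pack(RECORD_FORMAT, offset, crc, len(reference))


def crc_matches(data: bytes, record: bytes) -> bool:
    """Checksum only the stored region of the file and compare with the record."""
    offset, crc, length = struct.unpack(RECORD_FORMAT, record)
    region = data[offset:offset + length]
    if len(region) != length:          # file too short: the region is absent
        return False
    return (zlib.crc32(region) & 0xFFFFFFFF) == crc


def signature_matches(data: bytes, reference: bytes) -> bool:
    """Plain signature search for comparison: scan the whole file for the bytes."""
    return reference in data


def build_infected_sample() -> bytes:
    """Constructed 'infected' file: padding, the reference bytes at 0x40, more padding."""
    return b"\x00" * REFERENCE_OFFSET + REFERENCE + b"\xcc" * 32


def build_moved_sample() -> bytes:
    """Same bytes at a different offset: signature search still hits, CRC-at-offset does not."""
    return b"\x00" * (REFERENCE_OFFSET + 8) + REFERENCE + b"\xcc" * 32
```

The second sample shows the price of the compact record: because the checksum is tied to a location, a copy of the same code at another offset is missed, whereas the signature scan finds it anywhere. That is also why the article calls the method a modification of signature search rather than a replacement for it.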
The use of masks to detect malicious code is quite often complicated by the presence of encrypted code (so-called polymorphic viruses), since it is either impossible to select a mask, or a mask of the maximum size does not satisfy the condition of unambiguously identifying a virus without false positives.
The impossibility of choosing a mask of sufficient size in the case of a polymorphic virus is easily explained. By encrypting its body, the virus ensures that most of its code in the affected object is a variable and, accordingly, cannot be selected as a mask. (Self-encrypting and polymorphic viruses are described in more detail in the appendix at the end of the article).
To detect such viruses, the following methods are used: the use of a reduced mask, cryptanalysis and statistical analysis. Let's look at these methods in more detail.

Using a reduced mask

When infecting objects, a virus that uses encryption converts its code into an encrypted sequence of data:
S = F(T), where
T is the base code of the virus;
S is the encrypted virus code;
F is the virus encryption function, randomly chosen from a certain set of transformations {F}.
The reduced mask method consists in choosing a transformation R of the encrypted virus code S such that the result of the transformation (some data sequence S') does not depend on the keys of F, that is
S = F(T)
S' = R(S) = R(F(T)) = R'(T).
When R is applied to all possible variants of the encrypted code S, the result S' is constant for constant T. Thus, infected objects are identified by taking S' as the reduced mask and applying the transformation R to the scanned objects.
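A worked instance of the formula above, added here as an example and not part of the original article: for a family F of single-byte XOR keys, the transformation R that XORs each byte with its neighbour cancels the key, and for a family of single-byte ADD keys the neighbouring-byte difference does the same. The base code T, the key families and the host file are constructed for the demonstration.

```python
"""Added example: the reduced-mask method in the article's notation.
T is the base virus code, S = F(T) the encrypted copy, and R is chosen so that
S' = R(S) = R'(T) no longer depends on the key.  For F = 'XOR every byte with
k', R(S)[i] = S[i] XOR S[i+1] cancels k; for F = 'ADD k to every byte',
R(S)[i] = (S[i] - S[i+1]) mod 256 cancels it.  T and the keys are constructed."""

# Constructed base virus code T (not a real sample).
T = bytes.fromhex("8bf6 b90a00 ac 3404 aa e2fa c3 2a2e4558 4500")


def F_xor(t: bytes, k: int) -> bytes:
    """Encryption function F from the XOR family, key k in 0..255."""
    return bytes(b ^ k for b in t)


def F_add(t: bytes, k: int) -> bytes:
    """Encryption function F from the ADD family, key k in 0..255."""
    return bytes((b + k) & 0xFF for b in t)


def R_xor(s: bytes) -> bytes:
    """Reduced-mask transformation for the XOR family: adjacent-byte XOR.
    (T[i]^k) ^ (T[i+1]^k) == T[i] ^ T[i+1], so the key drops out."""
    return bytes(s[i] ^ s[i + 1] for i in range(len(s) - 1))


def R_add(s: bytes) -> bytes:
    """Reduced-mask transformation for the ADD family: adjacent-byte difference.
    (T[i]+k) - (T[i+1]+k) == T[i] - T[i+1] (mod 256), so the key drops out."""
    return bytes((s[i] - s[i + 1]) & 0xFF for i in range(len(s) - 1))


def reduced_mask(t: bytes, R) -> bytes:
    """S' = R'(T): computed once from the base code and stored in the database."""
    return R(t)


def scan(data: bytes, mask: bytes, R) -> int:
    """Apply R to the scanned object and look for the reduced mask.  Because R
    only combines neighbouring bytes, R(data) contains S' wherever the
    encrypted body S occurs.  Returns the offset of the hit or -1."""
    return R(data).find(mask)


def all_copies_reduce_equally(F, R, trials: int = 256) -> bool:
    """Check the key-independence claim over every single-byte key."""
    expected = reduced_mask(T, R)
    return all(R(F(T, k)) == expected for k in range(trials))


def infected_file(F, k: int, prefix: int = 0x30) -> bytes:
    """Constructed host file: deterministic filler, then an encrypted copy of T."""
    filler = bytes(range(prefix))
    return filler + F(T, k) + b"\xcc" * 16
```

Note that R is specific to the family {F}: the XOR mask does not detect an ADD-encrypted copy, so an engine needs one reduced mask per transformation family the virus can choose from. The mask is one byte shorter than T, since each output byte consumes a pair of input bytes.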

Cryptanalysis

This method is as follows: using the known base code of the virus and the known encrypted code (or the “suspicious” code, similar to the encrypted body of the virus), the keys and algorithm of the decryptor program are restored. This algorithm is then applied to the encrypted portion, resulting in the decrypted body of the virus. When solving this problem, you have to deal with a system of equations.
As a rule, this method works much faster and takes up much less memory than emulating virus instructions. However, solving such systems is often a highly complex task.
Moreover, the main problem is the mathematical analysis of the resulting equation or the resulting system of equations. In many ways, the problem of solving systems of equations when recovering the encrypted body of a virus resembles the classical cryptographic problem of recovering ciphertext with unknown keys. However, here this task sounds somewhat different: it is necessary to find out whether a given encrypted code is the result of applying some function known up to the keys. Moreover, many data for solving this problem are known in advance: a section of the encrypted code, a section of the unencrypted code, possible variants of the transformation function. Moreover, the algorithm of this transformation itself and the keys are also present in the analyzed codes. However, there is a significant limitation that this problem must be solved within the specific boundaries of RAM and the solution procedure should not take much time.
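The "function known up to the keys" formulation can be made concrete with a small solver. The following is an added example (not the article's or any engine's code): the scanner knows the base code T and three candidate transformation families (XOR with a byte key, ADD of a byte key, rotate by a bit count); from one known-plaintext position it solves for key candidates, then checks that the solution explains the whole region. The families, key spaces and sample bytes are constructed for the demonstration, and the bounded key spaces stand in for the RAM and time limits the paragraph mentions.

```python
"""Added example: cryptanalytic recovery of a decryptor's key from known
base code T and a family of transformation functions known up to the key.
Families and samples are constructed and deliberately tiny."""

KNOWN_T = bytes.fromhex("8bf6 b90a00 ac 3404 aa e2fa c3 2a2e4558 4500")  # constructed base code


def rol8(b: int, n: int) -> int:
    n %= 8
    return ((b << n) | (b >> (8 - n))) & 0xFF


def ror8(b: int, n: int) -> int:
    return rol8(b, (8 - n) % 8)


# Candidate families F_k: name -> (decrypt-one-byte(cipher, k), key space).
# Each is a byte-wise transformation, so one known-plaintext byte gives one
# equation in k: decrypt(S[0], k) == T[0].
FAMILIES = {
    "xor": (lambda c, k: c ^ k,          range(256)),
    "add": (lambda c, k: (c - k) & 0xFF, range(256)),
    "rol": (lambda c, k: ror8(c, k),     range(1, 8)),
}


def solve_key(family: str, cipher_byte: int, plain_byte: int):
    """Every key in the family's key space consistent with one equation.
    XOR and ADD have closed forms; the uniform brute force over a byte-sized
    key space is cheap enough and also covers the rotate family."""
    decrypt, keys = FAMILIES[family]
    return [k for k in keys if decrypt(cipher_byte, k) == plain_byte]


def recover(suspicious: bytes, known_t: bytes = KNOWN_T):
    """Try each family: derive key candidates from the first byte, then verify
    against the remaining known bytes (the rest of the equation system).
    Returns (family, key, decrypted) or None when no family explains the data."""
    n = len(known_t)
    if len(suspicious) < n:
        return None
    for family, (decrypt, _) in FAMILIES.items():
        for k in solve_key(family, suspicious[0], known_t[0]):
            decrypted = bytes(decrypt(c, k) for c in suspicious[:n])
            if decrypted == known_t:          # the system of equations is consistent
                return family, k, decrypted
    return None


def encrypt_sample(family: str, k: int, plain: bytes = KNOWN_T) -> bytes:
    """Constructed 'suspicious' bytes: the inverse of the family's decrypt step."""
    enc = {
        "xor": lambda p: p ^ k,
        "add": lambda p: (p + k) & 0xFF,
        "rol": lambda p: rol8(p, k),
    }[family]
    return bytes(enc(p) for p in plain)
```

The verification step is what keeps false positives down: a candidate key from the first byte is only a hypothesis, and it is discarded unless it decrypts every known byte. Real decryptors combine several operations with changing keys, so the system of equations is much larger than this one, which is the complexity the paragraph refers to.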

Statistical analysis

This method is also used to detect polymorphic viruses. During scanning, the scanner analyzes the frequency with which processor commands are used, builds a table of the processor commands (opcodes) encountered, and on the basis of this information concludes whether the file is infected with a virus. The method is effective for finding some polymorphic viruses, since these viruses use a limited set of commands in the decryptor, while “clean” files use completely different commands with a different frequency. For example, all MS-DOS programs frequently use interrupt 21h (opcode CDh 21h), but this command is practically never found in the decryptor of polymorphic DOS viruses.
The main disadvantage of this method is that there are a number of complex polymorphic viruses that use almost all processor commands and from copy to copy the set of commands used changes greatly, that is, it is not possible to detect a virus using the constructed frequency table.
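As an added example (not the article's or any engine's code), here is the frequency-table idea run over two constructed byte streams: a decryptor built from a small repertoire of MOV/XOR/ADD/INC/LOOP instructions and an ordinary DOS program that prints a string and exits through INT 21h. The instruction-length table covers only the opcodes the samples use, the repertoire set and the 0.8 threshold are assumptions made for the demonstration, and the samples are constructed.

```python
"""Added example: statistical (opcode-frequency) analysis of a code region.
Builds a table of first-byte opcodes over the region and scores how much of
it comes from a typical decryptor repertoire, also checking for INT 21h.
Length table, repertoire, threshold and samples are constructed."""

from collections import Counter

# Lengths for the 8086 instructions the constructed samples use
# (first byte -> total length).  A real engine needs a full disassembler.
LENGTHS = {
    0xB0: 2, 0xB1: 2, 0xB4: 2,            # mov al/cl/ah, imm8
    0xB8: 3, 0xB9: 3, 0xBA: 3, 0xBE: 3,   # mov ax/cx/dx/si, imm16
    0x30: 2, 0x31: 2, 0x28: 2, 0x00: 2,   # xor/sub/add r/m,reg (modrm without displacement)
    0x46: 1, 0x47: 1, 0x4E: 1,            # inc si, inc di, dec si
    0xE2: 2, 0xEB: 2, 0x74: 2, 0x75: 2,   # loop/jmp/jz/jnz rel8
    0xCD: 2,                              # int imm8
    0xC3: 1, 0xCB: 1,                     # ret / retf
    0x90: 1, 0x50: 1, 0x58: 1,            # nop, push ax, pop ax
    0xAC: 1, 0xAA: 1, 0xAB: 1,            # lodsb, stosb, stosw
}

DOS_INT21 = bytes.fromhex("cd21")

# Instructions typical of a simple decryption loop (assumption for the demo).
REPERTOIRE = {0xB0, 0xB1, 0xB9, 0xBE, 0x30, 0x31, 0x28, 0x00,
              0x46, 0x47, 0x4E, 0xE2, 0xAC, 0xAA}


def opcode_table(code: bytes) -> Counter:
    """Walk the stream instruction by instruction and count first-byte opcodes.
    Unknown opcodes are counted under 'unknown' and stepped over one byte."""
    table = Counter()
    i = 0
    while i < len(code):
        op = code[i]
        n = LENGTHS.get(op)
        if n is None:
            table["unknown"] += 1
            i += 1
            continue
        table[op] += 1
        i += n
    return table


def decryptor_score(code: bytes) -> float:
    """Share of instructions drawn from the decryptor repertoire."""
    table = opcode_table(code)
    total = sum(table.values())
    if total == 0:
        return 0.0
    return sum(c for op, c in table.items() if op in REPERTOIRE) / total


def looks_like_decryptor(code: bytes, threshold: float = 0.8) -> bool:
    """Verdict: skewed histogram and no DOS call in the region, which is the
    article's observation about polymorphic DOS decryptors."""
    return decryptor_score(code) >= threshold and DOS_INT21 not in code


# Constructed samples.
DECRYPTOR_SAMPLE = bytes.fromhex(
    "be1001"      # mov si, 0110h
    "b92000"      # mov cx, 0020h
    "b05a"        # mov al, 5Ah
    "3004"        # xor [si], al
    "46"          # inc si
    "0004"        # add [si], al  (key-schedule step)
    "e2f9"        # loop
    "90"          # nop (garbage)
)

DOS_PROGRAM_SAMPLE = bytes.fromhex(
    "b409"        # mov ah, 09h  (print string)
    "ba0c01"      # mov dx, 010Ch
    "cd21"        # int 21h
    "50"          # push ax
    "b8004c"      # mov ax, 4C00h (exit)
    "58"          # pop ax
    "cd21"        # int 21h
    "c3"          # ret
)
```

The limitation described in the next paragraph follows directly from the scoring: a decryptor that draws on nearly the whole instruction set, with a different mix in every copy, produces a histogram that no longer stands out from ordinary code, so the share-of-repertoire score drops below any usable threshold.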

Heuristic analysis

When the number of viruses exceeded several hundred, antivirus experts began to think about detecting malware that the antivirus program did not yet know about (for which there were no signatures). As a result, so-called heuristic analysers were created. A heuristic analyser is a set of routines that analyse the code of executable files, macros, scripts, memory or boot sectors to detect different types of malicious program. The analyser can work on two principles.

Static method. A search for short signatures common to most viruses (so-called "suspicious" instructions). For example, a large number of viruses search for files by the *.EXE mask, open the file found and write to the open file. The task of the heuristic is to find signatures that correspond to these actions. The signatures found are then weighed, and if a certain number of "suspicious instructions" judged necessary and sufficient is present, the file is declared infected. The big advantage of this method is its ease of implementation and good speed, but its detection rate for new malware is quite low.

Dynamic method. This method appeared together with the introduction of processor instruction emulation into antivirus programs (the emulator is described in more detail below). The essence of the method is to emulate the execution of the program and log all of its "suspicious" actions; the decision whether the program may be infected is then made from this log. Unlike the static method, the dynamic method is more demanding on computer resources, but its detection rate is much higher.
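The static method as a weighted search for "suspicious" instruction sequences in a DOS program image, as an added example that is not part of the original article. The patterns, weights, threshold and the hand-assembled images are constructed for illustration (a real analyser carries hundreds of such sequences); the dynamic method applies the same kind of scoring to the action log of an emulator instead of to the raw bytes.

```python
"""Static heuristic: score a DOS executable image by the "suspicious"
instruction sequences found in it. Added example, not the page's code.
Patterns, weights, threshold and the images below are constructed."""

WILD = None   # wildcard byte in a pattern

# (description, byte pattern, weight). The DOS calls are INT 21h functions:
# AH=4Eh find first file, AX=3Dxxh open file, AH=40h write, AX=31xxh stay resident.
SUSPICIOUS = [
    ("find first file (AH=4Eh)",  [0xB4, 0x4E, 0xCD, 0x21], 2),
    ("open file (AX=3Dxxh)",      [0xB8, WILD, 0x3D, 0xCD, 0x21], 2),
    ("write to file (AH=40h)",    [0xB4, 0x40, 0xCD, 0x21], 3),
    ("stay resident (AX=31xxh)",  [0xB8, WILD, 0x31, 0xCD, 0x21], 3),
    ("executable mask *.EXE",     list(b"*.EXE"), 2),
    ("executable mask *.COM",     list(b"*.COM"), 2),
]
THRESHOLD = 6


def contains(image, pattern):
    """Naive wildcard search; adequate for a few kilobytes of DOS code."""
    n = len(pattern)
    return any(all(p is WILD or p == image[i + j] for j, p in enumerate(pattern))
               for i in range(len(image) - n + 1))


def score(image):
    """Total weight of the suspicious sequences present, and their names."""
    hits = [name for name, pat, _ in SUSPICIOUS if contains(image, pat)]
    total = sum(w for name, _, w in SUSPICIOUS if name in hits)
    return total, hits


def verdict(image):
    total, _ = score(image)
    return "suspicious" if total >= THRESHOLD else "clean"


# Constructed images, assembled by hand (the load address is irrelevant here)
INFECTED = bytes([
    0xBA, 0x30, 0x01,               # mov dx, offset mask
    0xB4, 0x4E, 0xCD, 0x21,         # mov ah,4Eh ; int 21h    find first *.EXE
    0xB8, 0x02, 0x3D, 0xCD, 0x21,   # mov ax,3D02h ; int 21h  open read/write
    0xB4, 0x40, 0xCD, 0x21,         # mov ah,40h ; int 21h    write virus body
    0xB8, 0x00, 0x4C, 0xCD, 0x21,   # mov ax,4C00h ; int 21h  exit
]) + b"*.EXE\0"
CLEAN = bytes([
    0xBA, 0x10, 0x01,               # mov dx, offset msg
    0xB4, 0x09, 0xCD, 0x21,         # mov ah,9 ; int 21h      print string
    0xB8, 0x00, 0x4C, 0xCD, 0x21,   # mov ax,4C00h ; int 21h  exit
]) + b"Hello$"
# A legitimate copy tool also searches, opens and writes: the false positive
# the beginning of the article warns about.
COPY_TOOL = INFECTED[3:21]

if __name__ == "__main__":
    for name, image in [("infected", INFECTED), ("clean", CLEAN), ("copy tool", COPY_TOOL)]:
        print(name, score(image), verdict(image))
```

The copy tool scores 7 with nothing but ordinary file operations, which is the practical reason weights and thresholds have to be tuned against a large collection of clean files and why a static score alone is rarely enough for a verdict.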

Emulation

Program code emulation technology (or sandboxing) was a response to the emergence of a large number of polymorphic viruses. The idea of this method is to emulate the execution of a program (whether infected with a virus or "clean") in a special "environment", also called an emulation buffer or "sandbox". If a file infected with a polymorphic virus enters the emulator, then after emulation the decrypted body of the virus is present in the buffer, ready for detection by the standard methods (signature or CRC search).
Modern emulators emulate not only processor instructions but also operating system calls. Writing a full-fledged emulator is quite labour-intensive, and while the emulator runs, the actions of every instruction have to be checked constantly. This is necessary to avoid accidentally executing the destructive components of the virus algorithm.
It should be stressed that the virus instructions must be emulated rather than traced (single-stepped on the real processor), since when a virus is traced the probability of executing its destructive instructions, or the code responsible for spreading it, is too high.

Antivirus engine database

The database is an integral part of the antivirus engine. Moreover, while a well-designed "engine" does not change very often, the anti-virus database changes constantly, because it is the database that holds the signatures, checksums and special software modules for detecting malware. As is well known, new viruses, network worms and other malicious programs appear with enviable regularity, so it is very important that the anti-virus database is updated as often as possible. If five years ago weekly updates were enough, today at least daily updates of the anti-virus database are simply necessary.
It is also very important what exactly the anti-virus database contains: only virus records, or additional software procedures as well. In the second case it is much easier to update the functionality of the anti-virus engine, simply by updating the databases.

Support for "complex" nested objects

Antivirus engines have changed a lot over the past few years. The first antiviruses, to be considered first-class programs, only had to check system memory, executable files and boot sectors; a few years later, with the growing popularity of utilities for packing executable modules, developers faced the task of unpacking a packed file before scanning it.
Then came a new problem: viruses learned to infect archived files (and users themselves often sent infected files in archives), so antiviruses were forced to learn to process archive files as well. In 1995 the first macro virus appeared, infecting Microsoft Word documents. It is worth noting that the document format used by Microsoft Word is proprietary and very complex, and a number of antivirus companies still do not know how to process such files fully.
Today, because of the enormous popularity of e-mail, anti-virus engines also process both mail message databases and the messages themselves.

Detection methods

A typical anti-virus "engine" implemented in an anti-virus program uses all the technologies needed to detect malware: an effective heuristic analyser, a high-performance emulator and, most importantly, a well-designed and flexible architecture of the detection subsystem that allows all of the detection methods described above to be used.
Almost every antivirus engine uses checksum detection as its base method; it was chosen in order to minimise the size of the anti-virus databases. However, the architecture of the engine is usually flexible enough to allow any of the detection methods listed above to be applied, which is what is done for some particularly complex viruses, and this gives a high level of virus detection. The architecture of the anti-virus engine is presented in more detail in the diagram later in the text.
In practice, applying the methods for detecting polymorphic viruses (cryptanalysis, statistical analysis, reduced masks and emulation) comes down to choosing the method that is best in terms of speed and the amount of memory required. The code of most self-encrypting viruses is restored quite easily by the emulation procedure. Where an emulator is not the best solution, the virus code is restored by a subroutine that implements the inverse transformation, that is, by cryptanalysis. For viruses that cannot be emulated, and viruses for which no inverse transformation can be constructed, the method of reduced masks is used.
In some of the most complex cases a combination of these methods is used: part of the decryptor code is emulated, the instructions actually responsible for the decryption algorithm are extracted from the decryptor, and from this information a system of equations is constructed and solved to restore the virus code and detect it.
A combination of methods is also used against multiple encryption, when the virus encrypts its body several times with different algorithms. A combined recovery method, or "pure" emulation of the decryptor code, is often used because each new virus must be analysed and added to the anti-virus database in the shortest possible time, which does not always leave room for the necessary mathematical analysis. As a result, more cumbersome detection methods have to be used even where mathematical analysis of the decryptor algorithm would be quite applicable.

Working with "complex" objects

Anti-virus engines support a huge number of packing and archiving formats. Developers rarely publish a complete (or even reasonably detailed) list of supported formats. Below is the officially published information on support for "complex" formats in Kaspersky Anti-Virus; in other antivirus products the list of supported formats should be roughly the same.
The Kaspersky Anti-Virus engine supports more than 400 different utilities for packing executable files, installers and archivers (more than 900 modifications in total, as of May 2003). Among them:

Executable file packers and encryption systems. The most popular of them: Diet, AVPACK, COMPACK, Epack, ExeLock, ExePack, Expert, HackStop, Jam, LzExe, LzCom, PaquetBuilder, PGMPAK, PkLite, PackWin, Pksmart, Protect, ProtEXE, RelPack, Rerp, Rjcrush, Rucc, Scramb, SCRNCH, Shrink, Six-2-Four, Syspack, Trap, UCEXE, Univac, UPD, UPX (several versions), WWPACK, ASPack (several versions), ASProtect (several versions), Astrum, BitArts, BJFnt, Cexe, Cheaters, Dialect, DXPack, Gleam, CodeSafe, ELFCrypt, JDPack, JDProtect, INFTool, Krypton, Neolite, NFO, NoodleCrypt, OptLink, PCPEC, PEBundle, PECompact (several versions), PCShrink, PE-Crypt, PE-Diminisher, PELock, PEncrypt, PE-Pack (several versions), PE-Protect, PE-Shield, Petite, Pex, PKLite32, SuperCede, TeLock, VBox, WWPack32, XLok, Yoda.
Support for so many packers and archivers reduces the time needed to analyse new viruses, which shortens the response time to a new virus, and gives a high level of detection of already known viruses.

Archivers and installers (more than 60 in total). The most popular of them: CAB, ARJ, ZIP, GZIP, Tar, AIN, HA, LHA, RAR, ACE, BZIP2, WiseSFX (several versions), CreateInstall, Inno Installer, StarDust Installer, MS Expand, GKWare Setup, SetupFactory, SetupSpecialist, NSIS, Astrum, PCInstall, Effect Office.
Support for a large number of archiver types is especially important for scanning mail systems, since the vast majority of viruses are sent by mail in archived form. Objects are unpacked regardless of the nesting level of the archives. For example, if an infected file is packed with UPX, then placed in a ZIP archive, which is placed in a CAB archive, and so on, the antivirus engine should still be able to reach the original file and detect the virus.
Such considerations are by no means theoretical. The Trojan program Backdoor.Rbot, for example, is widely known to have been distributed packed with many different programs (Ezip, Exe32Pack, ExeStealth, PecBundle, PECompact, FSG, UPX, Morphine, ASPack, Petite, PE-Pack, PE-Diminisher, PELock, PESpin, TeLock, Molebox, Yoda, Krypton, etc.).
The archive unpacking algorithm usually has enough intelligence not to unpack all sorts of "archive bombs": small archives that contain huge files (with a very high compression ratio) or many identical files. Scanning such an archive would normally take a very long time, but modern anti-virus engines usually recognise such "bombs".
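Nested unpacking with the limits that stop "archive bombs", as an added example that is not part of the original article or of any vendor's engine. It uses ZIP only (the same checks apply to every container format); the archives and the "virus" marker are constructed in memory, and the depth, ratio and size limits are arbitrary values chosen for illustration.

```python
"""Recursive unpacking with the limits that stop "archive bombs". Added
example, not the page's or any vendor's code. ZIP only; the samples are
constructed in memory and the "virus" is a constructed marker string."""
import io
import zipfile

MARKER = b"CONSTRUCTED-TEST-SIGNATURE"     # stands in for a real signature
MAX_DEPTH = 8                              # nesting levels we are willing to open
MAX_RATIO = 100                            # uncompressed:compressed allowed per member
MAX_TOTAL = 32 * 1024 * 1024               # bytes unpacked for one top-level object


def read_limited(zf, info, limit):
    """Decompress in chunks and stop at `limit`: the sizes in the central
    directory are attacker-controlled, so never trust them alone."""
    out = bytearray()
    with zf.open(info) as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            out += chunk
            if len(out) > limit:
                raise ValueError("member larger than declared")
    return bytes(out)


def walk(data, name="archive", depth=0, budget=None, report=None):
    """Return [(path, verdict)] for every leaf; containers are recursed into."""
    report = [] if report is None else report
    budget = [MAX_TOTAL] if budget is None else budget   # shared across the recursion
    if depth > MAX_DEPTH:
        report.append((name, "nesting limit reached, not unpacked"))
        return report
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            path = name + "/" + info.filename
            ratio = info.file_size / max(info.compress_size, 1)
            if ratio > MAX_RATIO:
                report.append((path, "archive bomb suspected (%d:1), skipped" % ratio))
                continue
            if info.file_size > budget[0]:
                report.append((path, "unpack budget exhausted, skipped"))
                continue
            try:
                member = read_limited(zf, info, info.file_size)
            except ValueError as e:
                report.append((path, str(e) + ", skipped"))
                continue
            budget[0] -= len(member)
            if member.startswith(b"PK\x03\x04"):             # a ZIP inside the ZIP
                walk(member, path, depth + 1, budget, report)
            else:
                report.append((path, "infected" if MARKER in member else "clean"))
    return report


def make_zip(members):
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for fname, content in members.items():
            zf.writestr(fname, content)
    return buf.getvalue()


def samples():
    """Constructed: a payload two containers deep, a bomb, and a chain nested
    beyond MAX_DEPTH."""
    payload = b"constructed infected program " + MARKER
    nested = make_zip({"inner.zip": make_zip({"payload.com": payload}), "readme.txt": b"hello"})
    bomb = make_zip({"zeros.bin": bytes(2 * 1024 * 1024)})   # 2 MB of zeros: ~1000:1 under DEFLATE
    deep = make_zip({"payload.com": payload})
    for _ in range(MAX_DEPTH + 2):
        deep = make_zip({"level.zip": deep})
    return nested, bomb, deep


if __name__ == "__main__":
    for sample in samples():
        print(walk(sample))
```

The ratio test is applied before a single byte is decompressed, the budget is shared by every level of the recursion so that a thousand small members cannot add up to a bomb, and the depth limit stops the chain that a naive "unpack until it is not an archive" loop would follow forever.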

The mechanism for updating anti-virus databases and their size

Antivirus database updates are usually released several times a day; some vendors release them every hour, others every two hours. In any case, given the current level of danger on the Internet, such frequent updating of the anti-virus databases is completely justified.
The size of the updates indicates how well thought out the architecture of the anti-virus engine is. The size of a regular update from the leading companies in the industry, as a rule, does not exceed 30 KB, while the anti-virus databases usually contain about 70% of the functionality of the entire engine. Any update of the anti-virus database can add support for a new packer or archiver, so by updating the databases daily the user receives not only new procedures for detecting new malware but an update of the whole antivirus. This makes it possible to react very flexibly to the situation and guarantee the user maximum protection.

Heuristic analyzer

The heuristic analyser, which is part of almost every antivirus, uses both of the analysis methods described above, cryptanalysis and statistical analysis. A modern heuristic analyser is designed from the ground up to be extensible, unlike most first-generation heuristic analysers, which were designed to detect malware only in executable modules.
Currently the heuristic analyser can detect malicious code in executable files, sectors and memory, as well as new script viruses and malware for Microsoft Office (and other programs that use VBA), and, finally, malicious code written in high-level languages such as Microsoft Visual Basic.
The flexible architecture and the combination of various methods give a fairly high level of detection of new malware. At the same time, the developers make every effort to reduce the number of false alarms to a minimum; products from the leaders of the antivirus industry rarely make mistakes in detecting malicious code.

The diagram below describes an approximate algorithm for the operation of the anti-virus engine. It should be noted that emulation and search for known and unknown malware occur simultaneously.

As mentioned above, when updating the anti-virus database, the modules for unpacking packed files and archives, the heuristic analyzer and other modules of the anti-virus engine are also updated and added.

Original technologies in antivirus "engines"

Almost every developer of anti-virus products implements some technologies of its own that make the program more efficient and productive. Some of these technologies relate directly to the design of the "engine", since the performance of the whole solution often depends on how it operates. Below we consider a number of technologies that significantly speed up the scanning of objects while preserving high detection quality, and that improve the detection and disinfection of malware in archived files.
Let us start with iChecker technology. This technology, or an analogue of it, is implemented in almost every modern antivirus. iChecker is the name proposed by Kaspersky Lab; other vendors use their own names (Panda Software, for example, calls it UltraFast). The technology strikes a reasonable balance between the reliability of protection of workstations (and especially servers) and the use of the system resources of the protected computer. Thanks to it, the loading time of the operating system (by up to 30-40% compared with traditional anti-virus protection) and the start-up time of applications with active anti-virus protection are significantly reduced, while it is still guaranteed that every file on the computer's disks has been scanned and is not infected. The main idea of the technology is that there is no need to re-check what has already been checked and has not changed since. The anti-virus engine maintains a special database in which the checksums of all scanned (and uninfected) files are stored. Before submitting a file for scanning, the "engine" calculates its checksum and compares it with the data stored in the database; if they match, the file has already been checked and re-checking is not required. The time spent calculating the checksum of a file is much less than the time of an anti-virus scan.
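A scan cache of this kind, as an added example that is neither Kaspersky Lab's nor any other vendor's code. It assumes a scanner callback, files on a local disk and an in-memory cache; the verdict is tied to the version of the anti-virus database, because a file that was clean under yesterday's signatures may be detectable under today's, and the scenario in `demo()` is constructed in a temporary directory.

```python
"""A scan cache in the spirit of iChecker: a file is re-scanned only when its
content may have changed since it was last found clean. Added example, not
Kaspersky Lab's or any other vendor's code. Assumes a scanner callback, files
on a local disk and an in-memory cache; a real product persists the cache and
protects it from tampering."""
import hashlib
import os


class ScanCache:
    def __init__(self, db_version):
        self.db_version = db_version   # a verdict is valid only for the database that produced it
        self.entries = {}              # path -> (size, mtime_ns, sha256, db_version)

    @staticmethod
    def digest(path):
        h = hashlib.sha256()           # collision-resistant, unlike a CRC, so a crafted file cannot reuse a verdict
        with open(path, "rb") as f:
            for chunk in iter(lambda: f.read(1 << 16), b""):
                h.update(chunk)
        return h.hexdigest()

    def check(self, path, scanner):
        """Return (verdict, scanned). Cheap metadata is compared first and the
        hash only when the metadata still matches, so restoring a timestamp
        does not hide a modified file."""
        st = os.stat(path)
        entry = self.entries.get(path)
        digest = None
        if entry and entry[3] == self.db_version and entry[0] == st.st_size and entry[1] == st.st_mtime_ns:
            digest = self.digest(path)
            if digest == entry[2]:
                return "clean", False
        digest = digest or self.digest(path)
        verdict = scanner(path)
        if verdict == "clean":
            self.entries[path] = (st.st_size, st.st_mtime_ns, digest, self.db_version)
        else:
            self.entries.pop(path, None)      # never cache a detection
        return verdict, True

    def database_updated(self, new_version):
        """New signatures can turn yesterday's "clean" into a detection: forget everything."""
        self.db_version = new_version
        self.entries.clear()


def demo():
    """Constructed scenario in a temporary directory; returns the list of
    (verdict, scanned) results in order."""
    import tempfile

    def scanner(path):                          # stand-in for the real engine
        with open(path, "rb") as f:
            return "infected" if b"EVIL-MARKER" in f.read() else "clean"

    results = []
    with tempfile.TemporaryDirectory() as d:
        p = os.path.join(d, "app.exe")
        with open(p, "wb") as f:
            f.write(b"MZ clean program")
        cache = ScanCache(db_version=1)
        results.append(cache.check(p, scanner))   # first sight: scanned
        results.append(cache.check(p, scanner))   # unchanged: answered from the cache
        st = os.stat(p)
        with open(p, "wb") as f:
            f.write(b"EVIL-MARKER-----")            # same size ...
        os.utime(p, ns=(st.st_atime_ns, st.st_mtime_ns))   # ... and the old timestamp restored
        results.append(cache.check(p, scanner))   # hash differs: scanned, found infected
        with open(p, "wb") as f:
            f.write(b"MZ clean program")
        results.append(cache.check(p, scanner))   # detections are never cached: scanned
        cache.database_updated(2)
        results.append(cache.check(p, scanner))   # new database: scanned again
        results.append(cache.check(p, scanner))   # and cached again
    return results


if __name__ == "__main__":
    print(demo())
```

Hashing costs a read of the file, which is still far cheaper than a full scan with unpacking and emulation; the size and timestamp test in front of it avoids even that read for the common case, and the database-version tag is what keeps the cache honest after an update.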
A special place in the work of an antivirus belongs to the disinfection of infected objects inside archives, which is discussed next. iCure is a technology for disinfecting infected files in archives. Thanks to it, infected objects inside archive files are disinfected (or deleted, depending on the antivirus settings) without external archiving utilities. Today most antiviruses support the following archive types for this: ARJ, CAB, RAR, ZIP. Thanks to the modular architecture and the update technology of the anti-virus engine, the user can as a rule easily update and extend the list of supported archiver types without restarting the antivirus.
iArc is another technology for working with archive files; it is needed for multi-volume archives. iArc makes it possible to scan multi-volume archives and detect viruses even when they are packed into a multi-volume archive which is itself packed into another multi-volume archive.
Multithreading. The anti-virus engine is a multi-threaded module and can process (check for malicious code) several objects (files, sectors, scripts, etc.) at the same time.
Most of the technologies listed above are implemented in one form or another in every modern antivirus product.

Polymorphic viruses

Throughout the article, the terms "polymorphic" and "self-encrypting" viruses were frequently used. As should have become clear from the previous discussions, it was this type of malicious code that had a strong influence on the development of antivirus technologies. The following is information about polymorphic viruses provided by Kaspersky Lab experts.

Basic definitions: self-encryption and polymorphism. They are used by almost all types of viruses in order to complicate the detection of the virus as much as possible. Polymorphic viruses are viruses that are quite difficult to detect because they have no signature, that is, they contain no constant section of code: in most cases two samples of the same polymorphic virus will not have a single byte in common. This is achieved by encrypting the main body of the virus and modifying the decryptor routine. Polymorphic viruses are those that cannot be detected (or are extremely difficult to detect) using so-called virus masks, sections of constant code specific to a particular virus. This is achieved in two main ways: by encrypting the main virus code with a non-constant key and a random set of decryptor instructions, or by changing the executable virus code itself. There are also other, rather exotic, kinds of polymorphism: the DOS virus "Bomber", for example, is not encrypted, but the sequence of instructions that transfers control to the virus code is completely polymorphic.
Polymorphism of varying degrees of complexity is found in viruses of all types, from boot and file DOS viruses to Windows viruses and even macro viruses.

Polymorphic decryptors

The simplest example of a partially polymorphic decryptor is the following set of instructions, as a result of which not a single byte of the virus body or of the decryptor itself is constant across different infected files:

    MOV  reg_1, count             ; reg_1, reg_2, reg_3 are chosen from
    MOV  reg_2, key               ; AX, BX, CX, DX, SI, DI, BP
    MOV  reg_3, _offset           ; count, key and _offset also change
_loop:
    xxx  byte ptr [reg_3], reg_2  ; xor, add or sub, using the low byte of reg_2;
                                  ; reg_3 must be a base or index register (BX, SI, DI, BP)
    INC  reg_3                    ; advance to the next byte
    DEC  reg_1
    Jxx  _loop                    ; jnz, ja, ...
    ; the encrypted code and data of the virus follow

Complex polymorphic viruses use much more elaborate algorithms to generate the code of their decryptors: the instructions above (or their equivalents) are rearranged from infection to infection and diluted with instructions that change nothing, such as NOP, STI, CLI, STC, CLC and so on.
Full-fledged polymorphic viruses use even more complex algorithms, as a result of which the decryptor may contain SUB, ADD, XOR, ROR, ROL and other operations in any number and order. Loading and changing the keys and other encryption parameters is also done by an arbitrary set of operations, in which almost every instruction of the Intel processor can be found (ADD, SUB, TEST, XOR, OR, SHR, SHL, ROR, MOV, XCHG, JNZ, PUSH, POP, ...) with every possible addressing mode. Polymorphic viruses whose decryptors use instructions up to the Intel 386 set have also appeared, and in the summer of 1997 a 32-bit polymorphic virus that infects Windows 95 EXE files was discovered.
As a result, a file infected with such a virus begins with a set of seemingly meaningless instructions. Interestingly, some quite functional combinations are not accepted by commercial disassemblers (for example, the combinations CS:CS: or CS:NOP). Among this "mess" of instructions and data, MOV, XOR, LOOP and JMP occasionally slip through: the instructions that actually do the work.
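The decryptor scheme above, the emulation method from the "Emulation" section and the combined detection described under "Detection methods", put together as one added example that is not part of the original article or of any vendor's engine. It generates samples of the partially polymorphic decryptor with random registers, operation, key and garbage, emulates each one in a private buffer and then signature-scans the result. Assumptions: a flat memory with the file at offset 0 (a real COM image loads at 0x100), only the handful of 16-bit x86 instructions the decryptor needs, and a constructed virus body.

```python
"""Sandbox for the partially polymorphic decryptor: generate samples, emulate
them in a private buffer, signature-scan the decrypted result. Added example,
not the page's or any vendor's code. Assumes flat memory with the file at
offset 0, a small subset of 16-bit x86 and a constructed virus body."""
import random

AX, CX, DX, BX, SP, BP, SI, DI = range(8)        # register numbers as x86 encodes them
BASE_RM = {7: BX, 4: SI, 5: DI}                   # ModRM r/m field (mod=00) -> base register
OPS = {"xor": 0x30, "add": 0x00, "sub": 0x28}     # OP r/m8, r8 opcodes
GARBAGE = (0x90, 0xF8, 0xF9, 0xFA, 0xFB)          # NOP CLC STC CLI STI: harmless padding

VIRUS_BODY = bytes([0xCD, 0x21]) + b"constructed virus body; the signature is taken from here"
SIGNATURE = VIRUS_BODY[:16]


def encrypt(body, op, key):
    """Inverse of the decryptor's byte operation."""
    if op == "xor":
        return bytes(b ^ key for b in body)
    if op == "add":                                # the decryptor will ADD the key back
        return bytes((b - key) & 0xFF for b in body)
    return bytes((b + key) & 0xFF for b in body)   # the decryptor will SUB the key


def build_infected(body, rng):
    """MOV count/key/offset in random order, then OP [ptr],key8 / INC ptr /
    DEC count / JNZ loop with garbage in between, followed by the encrypted body."""
    ptr = rng.choice([BX, SI, DI])                 # only these address memory in 16-bit mode
    cnt = rng.choice([r for r in (AX, CX, DX, BX, BP, SI, DI) if r != ptr])
    key16 = rng.choice([r for r in (AX, CX, DX, BX) if r not in (ptr, cnt)])  # low byte: AL/CL/DL/BL
    op, key = rng.choice(sorted(OPS)), rng.randrange(1, 256)
    garbage = [bytes(rng.choice(GARBAGE) for _ in range(rng.randrange(3))) for _ in range(5)]
    loads = [(cnt, len(body)), (key16, key), (ptr, None)]   # None: patched with the body offset
    rng.shuffle(loads)

    def assemble(offset):
        out = bytearray()
        for g, (reg, imm) in zip(garbage, loads):          # MOV r16, imm16 = B8+r iw
            out += g + bytes([0xB8 + reg]) + (offset if imm is None else imm).to_bytes(2, "little")
        loop = len(out)
        out += bytes([OPS[op], (key16 << 3) | {BX: 7, SI: 4, DI: 5}[ptr]])   # OP byte [ptr], key8
        out += garbage[3] + bytes([0x40 + ptr])                               # INC ptr
        out += garbage[4] + bytes([0x48 + cnt])                               # DEC cnt
        out += bytes([0x75, (loop - len(out) - 2) & 0xFF])                    # JNZ loop
        return out

    decryptor = assemble(len(assemble(0)))         # the first pass only measures the length
    return bytes(decryptor) + encrypt(body, op, key)


def emulate(mem, max_steps=100_000):
    """Run the buffer; every write lands in `mem` (the sandbox copy) only.
    Returns (steps, reason) and stops at anything it does not understand."""
    regs, ip, zf, steps = [0] * 8, 0, False, 0
    reg8 = lambda n: regs[n] & 0xFF if n < 4 else regs[n - 4] >> 8   # AL..BL / AH..BH
    try:
        while steps < max_steps:
            op = mem[ip]
            if op in GARBAGE:
                ip += 1
            elif 0xB8 <= op <= 0xBF:                       # MOV r16, imm16
                regs[op - 0xB8] = mem[ip + 1] | (mem[ip + 2] << 8)
                ip += 3
            elif 0x40 <= op <= 0x4F:                       # INC / DEC r16
                r = op & 7
                regs[r] = (regs[r] + (1 if op < 0x48 else -1)) & 0xFFFF
                zf, ip = regs[r] == 0, ip + 1
            elif op in (0x00, 0x28, 0x30):                 # ADD / SUB / XOR r/m8, r8
                modrm = mem[ip + 1]
                if modrm >> 6 or (modrm & 7) not in BASE_RM:
                    return steps, "unsupported addressing mode"
                addr, k = regs[BASE_RM[modrm & 7]], reg8((modrm >> 3) & 7)
                v = mem[addr]
                v = {0x00: v + k, 0x28: v - k, 0x30: v ^ k}[op] & 0xFF
                mem[addr], zf, ip = v, v == 0, ip + 2
            elif op == 0x75:                               # JNZ rel8
                rel = mem[ip + 1]
                ip += 2
                if not zf:
                    ip += (rel - 256) if rel > 127 else rel
            elif op == 0xCD:                               # INT: the body calls DOS; hand over
                return steps, "system call reached"
            else:
                return steps, "unknown opcode 0x%02X" % op
            steps += 1
    except IndexError:
        return steps, "ran off the buffer"
    return steps, "step budget exhausted"


def scan(image):
    """Signature search on the raw image, then again after emulation."""
    if SIGNATURE in image:
        return "known virus (static)"
    sandbox = bytearray(image)
    emulate(sandbox)
    return "known virus (after emulation)" if SIGNATURE in sandbox else "clean"


def demo(seeds=(1, 2, 3)):
    """One sample per seed: the samples, their verdicts, and a clean buffer's."""
    samples = [build_infected(VIRUS_BODY, random.Random(s)) for s in seeds]
    return samples, [scan(s) for s in samples], scan(bytes([0x90]) * 64)


if __name__ == "__main__":
    samples, verdicts, clean = demo()
    print([s[:12].hex() for s in samples], verdicts, clean)
```

Every sample starts with different bytes and none of them contains the signature, so the static search fails; after a few hundred emulated instructions the body is in the clear and the same signature finds it. The emulator refuses unknown opcodes and addressing modes, counts steps, and stops at the first INT, which is where a real engine switches to emulating the operating system call rather than letting the sample's own code reach anything.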

Levels of polymorphism

Polymorphic viruses are divided into levels according to the complexity of the code found in their decryptors. This division was first proposed by Dr. Alan Solomon and later extended by Vesselin Bontchev:

Level 1: Viruses that have a certain set of decryptors with a constant code; when infected, they choose one of them. Such viruses are “semi-polymorphic” and are also called “oligomorphic”. Examples: "Cheeba", "Slovakia", "Whale".

Level 2: The virus decryptor contains one or more permanent instructions, but the main part is unstable.

Level 3: The decryptor contains unused instructions - "garbage" such as NOP, CLI, STI, etc.

Level 4: The decryptor uses interchangeable instructions and reordering (shuffling) instructions. The decryption algorithm does not change.

Level 5: All of the above techniques are used, the decryption algorithm is not constant, it is possible to re-encrypt the virus code and even partially encrypt the decryptor code itself.

Level 6: Permutating viruses. The main code of the virus is subject to change - it is divided into blocks, which, when infected, are rearranged in random order. The virus remains functional. Such viruses may not be encrypted.

The above classification has its drawbacks, since it is made according to a single criterion - the ability to detect a virus by the decryptor code using the standard technique of virus masks:

Level 1: to detect the virus, it is enough to have several masks;
Level 2: mask detection using "wildcards";
Level 3: detection by mask after removing “garbage” instructions;
Level 4: the mask contains several options for possible code, that is, it becomes algorithmic;
Level 5: inability to detect the virus using the mask.

The insufficiency of this division is demonstrated by a virus of polymorphism level 3 named "Level3". This virus, one of the most complex polymorphic viruses, falls under level 3 according to the division above, since it has a constant decryption algorithm preceded by a large number of "garbage" instructions. However, its garbage generation algorithm has been brought to perfection: almost every instruction of the i8086 processor can be found in the decryptor code.
If the levels are defined from the point of view of antiviruses that use systems for automatically decrypting the virus code (emulators), the division will depend on how hard the virus code is to emulate. A virus can also be detected by other methods, for example by decryption using elementary mathematical laws, and so on.
A more objective classification would be one in which, in addition to the criterion of viral masks, other parameters are also involved, for example:
The degree of complexity of the polymorphic code (the percentage of all processor instructions that can be found in the decryptor code);
Using special techniques that make emulation difficult for antiviruses;
Constancy of the decryptor algorithm;
Constancy of decryptor length.

Changing Executable Code

Most often this method of polymorphism is used by macro viruses, which, when creating new copies of themselves, randomly change the names of their variables, insert empty lines or change their code in some other way. The algorithm of the virus thus remains unchanged, but the virus code changes almost completely from infection to infection.
This method is used less often by complex boot viruses. Such viruses write only a fairly short routine into the boot sector, which reads the main virus code from the disk and transfers control to it. The code of this routine is chosen from several different variants (which may also be mixed with "empty" instructions), its instructions are rearranged, and so on.
The technique is rarer still in file viruses, since they would have to change their code completely, which requires quite complex algorithms. To date only two such viruses are known. One of them ("Ply") randomly moves its instructions around its body and replaces them with JMP or CALL instructions. The other ("TMC") uses a more complex method: on each infection the virus swaps blocks of its code and data, inserts "garbage", changes the data offsets in its instructions, changes constants, and so on. As a result, although the virus does not encrypt its code, it is polymorphic: there is no constant set of instructions in the code. Moreover, the virus changes its length when creating new copies of itself.