
Author Topic: the engine of an AV  (Read 1686 times)


Offline gh0st

the engine of an AV
« on: July 20, 2011, 07:53:28 AM »
Well guys, I'm trying to code a basic AV, but first I'm learning the language because I'm new to it, though I will learn it quickly. I've seen some stuff on Wikipedia about the way an AV (AntiVirus) reads the file to look for the malware. Now let's get onto programming terms: the first thing that comes to my mind is to use a library class (I don't know if that's spelled right) which will work as a reader of the file which is infected. So, any advice? I'm coding it in Java because it's multiplatform.
Any advice will be well appreciated, thanks in advance.
« Last Edit: July 20, 2011, 07:53:39 AM by gh0st »

Offline Kulverstukas

Re: the engine of an AV
« Reply #1 on: July 20, 2011, 10:59:37 AM »
Get the source of Kaspersky, mod it and call it gh0stPersky :D
Nah, really, like someone said already on the forums, it would be a lot more work keeping it up to date than making an AV.
If it's for learning then go for it :D although I'm not sure I will use it, lol.

Offline ca0s

Re: the engine of an AV
« Reply #2 on: July 21, 2011, 01:22:44 AM »
An AV is composed of several components:
- Static analyser: it looks into files for "signs" (chunks of data classified as "evil").
- Run-time analyser: it monitors what every app is doing at every moment.

You will need to load a kernel module if you want it to be effective, and set hooks on a lot of functions. I don't know if Java lets you do all those things. You can start by doing static analysis, though.


Offline gh0st

Re: the engine of an AV
« Reply #3 on: July 21, 2011, 04:19:21 AM »
Okay ca0s, nice intro dude. I'm searching for some info and I've found this on Wikipedia :3 http://en.wikipedia.org/wiki/Digital_signature so the AV has to look for the signature which is from the viruses and has to delete it. Now what happens if the virus uses encryption? Is that where the war of algorithms starts? I mean, because as far as I know there exists something that we call FUD, right?

Offline ca0s

Re: the engine of an AV
« Reply #4 on: July 21, 2011, 12:53:08 PM »
You don't have to delete the signature. The signature is just a chunk of bytes whose presence is suspicious. Deleting it doesn't remove the malware part of a file.
If the virus is encrypted, you will find signatures of that encryption, and sometimes you will be able to decrypt it from code.
You will need a database with signatures... That will be the worst part. You can try picking one from another AV.
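A bare-bones version of the static analyser ca0s describes, written as an added example in Java (the language gh0st mentioned); it is not code from anyone in this thread. The class name, the in-memory signature database and its two sample byte patterns are all constructed here and carry no real-world meaning.

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.util.ArrayList;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;

// Minimal signature-based static scanner: a signature is just a byte
// sequence whose presence in a file is treated as suspicious.
public class SignatureScanner {
    // Constructed, hypothetical signature database (name -> byte pattern).
    private final Map<String, byte[]> signatures = new LinkedHashMap<>();
    // Registers a signature given as a hex string such as "DEADBEEF".
    public void addSignature(String name, String hex) {
        byte[] pattern = new byte[hex.length() / 2];
        for (int i = 0; i < pattern.length; i++)
            pattern[i] = (byte) Integer.parseInt(hex.substring(2 * i, 2 * i + 2), 16);
        signatures.put(name, pattern);
    }
    // Returns the names of all signatures found anywhere in the data.
    public List<String> scan(byte[] data) {
        List<String> hits = new ArrayList<>();
        signatures.forEach((name, pattern) -> { if (indexOf(data, pattern) >= 0) hits.add(name); });
        return hits;
    }
    // Reads the whole file into memory and scans it (fine for small files).
    public List<String> scanFile(Path file) throws IOException {
        return scan(Files.readAllBytes(file));
    }

    // Naive byte-pattern search; returns the offset of the first match or -1.
    static int indexOf(byte[] data, byte[] pattern) {
        outer: for (int i = 0; i + pattern.length <= data.length; i++) {
            for (int j = 0; j < pattern.length; j++) if (data[i + j] != pattern[j]) continue outer;
            return i;
        }
        return -1;
    }

    public static void main(String[] args) throws IOException {
        SignatureScanner scanner = new SignatureScanner();
        scanner.addSignature("Test.Pattern.A", "DEADBEEFCAFE"); // constructed pattern
        scanner.addSignature("Test.Pattern.B", "0102030405");   // constructed pattern
        // Constructed in-memory "file" that contains pattern A but not B.
        byte[] sample = {0x00, (byte) 0xDE, (byte) 0xAD, (byte) 0xBE, (byte) 0xEF, (byte) 0xCA, (byte) 0xFE, 0x7F};
        System.out.println(scanner.scan(sample));
        for (String arg : args) System.out.println(arg + ": " + scanner.scanFile(Path.of(arg)));
    }
}
```

Any file paths passed on the command line are scanned against the same database, which shows why the database, not the reader, is the hard part: the matching logic stays this small no matter how many signatures it holds.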

Offline PiZZ4

Re: the engine of an AV
« Reply #5 on: July 21, 2011, 04:09:23 PM »
Try looking into behavioral antivirus software.
