
Anti malware* Engine

Information Sharing Talk (IST)

* Should we avoid using the term "virus" as a catch-all term for malware?

* Why not run two antivirus (anti-malware) products on one system?

Classify
Blacklisting
  Detect bad objects
  Cannot be perfect, as the problem itself is undecidable
  Signatures (a reactive mechanism)
  Heuristics: static and dynamic parameters

Whitelisting
  Allow only the good objects and block all the remaining ones
  Can be solved theoretically, but is practically challenging
Anti malware engine 2

How an anti malware works

  Behavior Based Engine (on process activities*) -> Behaviors database
  Basic Activity Scanning*
  Anti Virus Scanning (on file content) -> Malware Signature database
  White listing (on process creation) -> Known Applications database

  (* Process activity: file read or write)

Design Problems
  Scanning a clean file needs to be fast
  Scanning or disinfecting malware may take a long time
  Where to keep the database while scanning: a tradeoff between memory and file IO
  Engines differ for desktops and mobiles
  Preprocessing helps, but will make booting slower

Scanning
Static
  Scan/analysis of a file's structure and contents
  Methods: on demand, on access

Dynamic
  Monitoring while the target is executing
  Emulation

Components of AV engine
  Malware.zip -> UNARCHIVER
  Malware.exe -> Unpacker
  File type recognizer
  PE Parser
  Signature scanning and heuristics
  Verdict: clean / infected

Scanning Techniques
  String scanning
  Hash scanning
  Virus specific scanning
  Heuristics
  Emulation (used together with the other techniques)


String Scanning
  Naive scanning: O(nm)
  Boyer-Moore: O(n)
  Aho-Corasick algorithm

(Figure: example Aho-Corasick keyword trie over the letters a, b, c)


Aho-Corasick
Set matching problem: find the patterns $P = \{P_1, P_2, \dots, P_k\}$ in the target $T = T[1..m]$, where $n = \sum_{i=1}^{k} |P_i|$.
A multiple string matching algorithm that constructs a finite state machine from a pattern list (the keywords), then uses the machine to locate all occurrences of the keywords in a body of text. Runs in O(m + n + z), where z is the number of pattern occurrences in T.
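As an added illustration (not part of the slides), a minimal Aho-Corasick scanner in Python: it builds the keyword trie with failure links from a constructed signature list, then scans a constructed byte buffer in a single pass, reporting every pattern occurrence, including a signature that is a suffix of another. SIGNATURES and SAMPLE are constructed samples, not real AV data.

```python
from collections import deque

# Constructed sample signatures (not real AV signatures): b"hosts" is a
# suffix of b"\\etc\\hosts", so a single pass must report both.
SIGNATURES = [b"MZ", b"\\etc\\hosts", b"hosts", b"IRC"]
# Constructed target buffer standing in for a file's bytes.
SAMPLE = (b"MZ\x90\x00PE\x00\x00 constructed blob: appends a line to "
          b"\\etc\\hosts and joins an IRC channel")

def build_automaton(patterns):
    """Build the machine in O(n): goto[s][byte] -> state, fail[s] -> longest
    proper-suffix state, output[s] -> indices of patterns ending at s."""
    goto, fail, output = [{}], [0], [set()]     # state 0 is the root
    for idx, pat in enumerate(patterns):
        state = 0
        for b in pat:                           # extend the keyword trie
            if b not in goto[state]:
                goto.append({})
                fail.append(0)
                output.append(set())
                goto[state][b] = len(goto) - 1
            state = goto[state][b]
        output[state].add(idx)
    queue = deque(goto[0].values())             # depth-1 states fail to root
    while queue:                                # BFS: parents before children
        r = queue.popleft()
        for b, s in goto[r].items():
            queue.append(s)
            f = fail[r]
            while f and b not in goto[f]:       # follow parent's failure chain
                f = fail[f]
            fail[s] = goto[f].get(b, 0)
            output[s] |= output[fail[s]]        # inherit matches of suffixes
    return goto, fail, output

def scan(data, patterns):
    """Return sorted (offset, pattern) hits; the pass over data is O(m + z)."""
    goto, fail, output = build_automaton(patterns)
    hits, state = [], 0
    for pos, b in enumerate(data):
        while state and b not in goto[state]:   # fall back on mismatch
            state = fail[state]
        state = goto[state].get(b, 0)
        for idx in output[state]:
            hits.append((pos - len(patterns[idx]) + 1, patterns[idx]))
    return sorted(hits)
```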

Hash scanning
  Take a hash of the full file
    Cannot work for file infectors
    Slow
    A single junk byte appended to the malware defeats detection

  Use a (start, length) pair for calculating the hash
    If the length is short: false positives
    If the length is long: a lot of disk access

Start position
  It can be an arbitrary point, or it can be fixed:
    PE entry point
    Beginning of the file
    Beginning of the code section
    Beginning of an exported function

  There can be many unique pairs, which makes the scan slower

Heuristics
  Enabling a person to discover or learn for themselves
  Relating to a speculative formulation serving as a guide in the investigation or solution of a problem


Heuristics methods
  Strategy: dynamic, static
  Subject of analysis: behavior, structure
  Analysis methods: weights, rules


Weights Based
  Activity                Weight
  Network server          2
  Disable system tools    5
  Hidden process          7
  Writes to HOSTS file    3
  Creating executables    2
  No GUI                  1
  Sends HTTP              2
  Sends IRC               5

Rules Based
  1. Small executable AND runs a server
  2. Kills AV process AND contains a decryption loop
  3. Packed executable AND deletes itself
  4. Suspicious double extension (e.g. amazingshoots.jpeg.exe)
  5. Program runs from the Temp directory AND creates a new executable in Windows
  6.
  7.


Script malware
  A script host program is generally used to run the scripts:
    perl myscript.pl
    msiexec.exe myinstall.msi
    iexplore.exe mysc.js

  The threat shows up as the running host process
  A behavior-learning approach will generate false positives in this case
  The simplest solution is to look at the command line
  However, this is not possible in many cases (WINWORD etc.)

Otherwise
  Script NORMALIZER -> PARSER/Analyzer -> Emulator -> Rating Logic -> Clean / Malware


Behavior Blocker
  Of course, not all provide the same protection
  Commonly known as HIPS (Host Intrusion Prevention System)
  HIPS monitors the calls an application makes:
    The sequence of system calls
    The parameters passed into a call

  HIPS decision logic
    Ask the user to decide
    Use heuristic methods
    Use both

Rootkit Detection

Cross View Diff
  We use a variant of it
  Low FP rate

Hook Detection
  Benign hooking is common (ENSAFE)
  Cannot be a decision point to quarantine, but very important for security
  Not allowed on many Linux systems and on 64-bit Windows

Static Analysis
  A sequence which hooks AND a sequence which manipulates EPROCESS pointers

Hooking behavior is monitored
  Can take a decision from the user
