Anti-malware Engine
Information Sharing Talk (IST)
Discussion points raised in the talk:
* Should we avoid using "virus" as a catch-all term for malware?
* Why not run two antivirus (anti-malware) products on one system?
Classification of approaches
Blacklisting
- Detect bad objects
- Cannot be perfect: deciding whether an arbitrary program is malicious is undecidable, so detection relies on signatures (a reactive mechanism) and heuristics (static and dynamic parameters)
Whitelisting
- Allow only known-good objects and block everything else
- Solvable in theory, but practically challenging (the list of good objects must be complete and kept current)
How an anti-malware product works: three engines, each backed by its own database
- Behaviour-based engine: works on process activities (basic activity scanning); backed by a behaviours database
- Anti-virus scanning engine: works on file content; backed by a malware signature database
- Whitelisting engine: works on process creation, process activity and file read/write; backed by a known-applications database
Design problems
- Scanning a clean file must be fast; scanning or disinfecting malware may take a long time
- Where to keep the signature database while scanning: a trade-off between memory and file I/O
- Engines differ for desktops and mobiles
- Preprocessing (for example, pre-loading or indexing the database) helps, but makes booting slower
Scanning
Static: scan/analysis of a file's structure and contents
- Methods: on demand, on access
Dynamic: monitoring while the target executes, or emulating it
Components of an AV engine (scan pipeline)
Input (Malware.zip, Malware.exe) -> file type recognizer -> unarchiver (for archives) / unpacker (for packed executables) -> PE parser -> signature scanning and heuristics -> verdict: clean or infected
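The pipeline above as a runnable sketch. This is an added example written for this page, not code from the talk or from any product: the file type recognizer decides by magic bytes, the unarchiver expands zip members in memory and feeds them back into the same pipeline, and a minimal signature stage stands in for the real scanner. The `SIGNATURES` entry, the `MAX_ARCHIVE_DEPTH` limit and the sample archive are constructed for the example; the depth limit is the check a practitioner wants so that nested archives cannot drive the scanner into unbounded expansion.

```python
import io
import zipfile

# Constructed signature database: byte strings a real engine would load from
# its signature file. The marker below is invented for this example.
SIGNATURES = {
    b"CONSTRUCTED-TEST-MARKER": "Test.Marker",
}

MAX_ARCHIVE_DEPTH = 4  # assumed limit that bounds zip-in-zip expansion


def recognize_type(data):
    """File type recognizer: decide by magic bytes, never by extension."""
    if data[:4] == b"PK\x03\x04":
        return "zip"
    if data[:2] == b"MZ":
        return "pe"
    if data[:4] == b"\x7fELF":
        return "elf"
    return "unknown"


def scan_buffer(data):
    """Signature scanning stage: return the matching signature name or None."""
    for pattern, name in SIGNATURES.items():
        if pattern in data:
            return name
    return None


def scan_object(name, data, depth=0):
    """Run one object through recognizer -> unarchiver -> scanner.

    Returns a list of (path, verdict); verdict is 'clean', 'infected:<sig>'
    or 'skipped:depth' when the nesting limit is hit.
    """
    kind = recognize_type(data)
    if kind == "zip":
        if depth >= MAX_ARCHIVE_DEPTH:
            return [(name, "skipped:depth")]
        results = []
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for member in zf.infolist():
                if member.is_dir():
                    continue
                inner = zf.read(member)
                results.extend(scan_object(f"{name}/{member.filename}", inner, depth + 1))
        return results
    # PE, ELF and unknown objects go straight to the scanner here; a real
    # engine would run the unpacker and PE parser first.
    sig = scan_buffer(data)
    return [(name, f"infected:{sig}" if sig else "clean")]


def wrap_in_zip(member_name, data):
    """Build an in-memory zip holding one member (used to construct inputs)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(member_name, data)
    return buf.getvalue()


def build_sample_zip():
    """Constructed test input: a zip with a clean text file and an MZ stub
    that carries the constructed marker."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("readme.txt", "nothing to see here")
        zf.writestr("payload.exe", b"MZ" + b"\x00" * 62 + b"CONSTRUCTED-TEST-MARKER")
    return buf.getvalue()


if __name__ == "__main__":
    for path, verdict in scan_object("sample.zip", build_sample_zip()):
        print(path, verdict)
```

Recursion goes through `scan_object` itself, so a zip inside a zip is handled by the same recognizer and the depth counter is the only thing that stops it.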
Scanning techniques
- String scanning
- Hash scanning
- Virus-specific scanning
- Heuristics
- Emulation (used together with the other techniques)
String scanning
- Naive scanning: O(nm) for a pattern of length m in a text of length n
- Boyer-Moore: O(n) on typical input, but one pattern at a time
- Aho-Corasick algorithm: matches a whole set of patterns in one pass
[Figure: Aho-Corasick trie built from the example keywords; only the node labels a, a, b, b, c, a, b survive extraction]
Aho-Corasick
Set matching problem: find every occurrence of a pattern set $P = \{P_1, P_2, \dots, P_k\}$ in a target $T$ of length $m$, where $n = \sum_{i=1}^{k} |P_i|$ is the total length of all patterns.
A multiple-string matching algorithm that constructs a finite state machine from the pattern list (the keywords), then runs the machine over the text to locate all occurrences of the keywords. Running time is O(m + n + z), where z is the number of pattern occurrences in T.
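The algorithm as working code, added here as an example (not from the talk): the trie is built from the byte patterns, failure links are filled in breadth-first, and a single pass over the buffer reports every occurrence, including overlapping ones, which is what a signature scanner needs. The naive scanner is included only to cross-check the automaton; the byte patterns in the `__main__` block are constructed for the example and are not real signatures.

```python
from collections import deque


class AhoCorasick:
    """Multi-pattern byte matcher: build the automaton once, then scan any
    number of buffers in a single pass each."""

    def __init__(self, patterns):
        self.goto = [{}]   # state -> {byte: next_state}
        self.out = [[]]    # state -> patterns that end in this state
        self.fail = [0]    # state -> longest proper suffix that is also a trie path
        for p in patterns:
            self._insert(bytes(p))
        self._build_failure_links()

    def _insert(self, pattern):
        state = 0
        for b in pattern:
            nxt = self.goto[state].get(b)
            if nxt is None:
                nxt = len(self.goto)
                self.goto.append({})
                self.out.append([])
                self.fail.append(0)
                self.goto[state][b] = nxt
            state = nxt
        self.out[state].append(pattern)

    def _build_failure_links(self):
        # Breadth-first over the trie; depth-1 states keep fail = root.
        queue = deque(self.goto[0].values())
        while queue:
            r = queue.popleft()
            for b, s in self.goto[r].items():
                queue.append(s)
                f = self.fail[r]
                while f and b not in self.goto[f]:
                    f = self.fail[f]
                self.fail[s] = self.goto[f].get(b, 0)
                # A match of the suffix state is also a match here, so
                # inherit its outputs (this is what makes overlaps work).
                self.out[s] = self.out[s] + self.out[self.fail[s]]

    def scan(self, data):
        """Return every (start_offset, pattern) occurrence in data."""
        hits = []
        state = 0
        for i, b in enumerate(data):
            while state and b not in self.goto[state]:
                state = self.fail[state]
            state = self.goto[state].get(b, 0)
            for p in self.out[state]:
                hits.append((i - len(p) + 1, p))
        return hits


def naive_scan(patterns, data):
    """Reference O(n*m) scan, one pattern at a time; used to check the automaton."""
    return [(i, p) for p in patterns
            for i in range(len(data) - len(p) + 1)
            if data[i:i + len(p)] == p]


if __name__ == "__main__":
    # Constructed patterns: a call/pop decoder stub and a header string.
    sigs = [b"\xe8\x00\x00\x00\x00\x5d", b"This program cannot"]
    sample = b"MZ\x90\x00This program cannot be run\xe8\x00\x00\x00\x00\x5d"
    print(AhoCorasick(sigs).scan(sample))
```

The classic textbook check is the keyword set {he, she, his, hers} scanned over "ushers": the automaton must report "she" at offset 1 and both "he" and "hers" at offset 2, which it only does because each state inherits the outputs of its failure state.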
Hash scanning
Hashing the full file:
- Cannot work for file infectors (every infected host file is different)
- Slow (the whole file has to be read)
- A single junk byte appended to the malware defeats detection
Instead, hash a (start, length) region of the file:
- If the length is short: false positives
- If it is long: a lot of disk access
Start position
- Can be an arbitrary point, or a fixed one: the PE entry point, the beginning of the file, the beginning of the code section, the beginning of an exported function
- There can be many unique (start, length) pairs, and each one costs a read and a hash, which makes the scan slower
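An added example (not from the talk) of the two slides above: a signature is a (start, length) pair plus the SHA-256 of that region, where the start is either the beginning of the file or the PE entry point resolved through the section table. The test input is a constructed minimal PE32 that is not loadable; the `build_sample_pe`, `make_signature` and `scan_hash` names are this example's own. The point to check is that appending a byte changes the full-file hash but not the entry-point region hash, and that distinct (start, length) pairs each cost a separate read, which the cache in `scan_hash` keeps to one per pair.

```python
import hashlib
import struct


def pe_entry_point_offset(data):
    """Map AddressOfEntryPoint (an RVA) to a file offset via the section table.
    Returns None for non-PE input or an entry point outside every section."""
    try:
        if data[:2] != b"MZ":
            return None
        e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
        if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
            return None
        coff = e_lfanew + 4
        num_sections = struct.unpack_from("<H", data, coff + 2)[0]
        opt_size = struct.unpack_from("<H", data, coff + 16)[0]
        opt = coff + 20
        entry_rva = struct.unpack_from("<I", data, opt + 16)[0]
        sect = opt + opt_size
        for i in range(num_sections):
            # IMAGE_SECTION_HEADER: VirtualSize, VirtualAddress,
            # SizeOfRawData, PointerToRawData start at offset 8.
            vsize, vaddr, rawsize, rawptr = struct.unpack_from("<IIII", data, sect + 40 * i + 8)
            if vaddr <= entry_rva < vaddr + max(vsize, rawsize):
                off = rawptr + (entry_rva - vaddr)
                return off if off < len(data) else None
    except struct.error:
        return None
    return None


def region_hash(data, anchor, length):
    """SHA-256 of the (start, length) region selected by the anchor."""
    start = 0 if anchor == "begin" else pe_entry_point_offset(data)
    if start is None or start + length > len(data):
        return None
    return hashlib.sha256(data[start:start + length]).hexdigest()


def full_file_hash(data):
    return hashlib.sha256(data).hexdigest()


def make_signature(name, data, anchor="entry", length=32):
    return {"name": name, "anchor": anchor, "length": length,
            "sha256": region_hash(data, anchor, length)}


def scan_hash(data, signatures):
    """Return the first signature whose region hash matches, else None.
    Hashes are cached per (anchor, length) so each distinct pair is read once."""
    cache = {}
    for sig in signatures:
        key = (sig["anchor"], sig["length"])
        if key not in cache:
            cache[key] = region_hash(data, *key)
        if cache[key] is not None and cache[key] == sig["sha256"]:
            return sig["name"]
    return None


def build_sample_pe():
    """Constructed minimal PE32: one .text section at RVA 0x1000 / file offset
    0x200, entry point at RVA 0x1010 (file offset 0x210). Not runnable."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)            # e_lfanew
    opt_size = 0xE0
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, opt_size, 0x102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)              # PE32 magic
    struct.pack_into("<I", opt, 16, 0x1010)            # AddressOfEntryPoint
    section = (b".text".ljust(8, b"\0")
               + struct.pack("<IIII", 0x100, 0x1000, 0x100, 0x200) + bytes(16))
    header = (bytes(dos) + b"PE\0\0" + coff + bytes(opt) + section).ljust(0x200, b"\0")
    code = bytearray(0x100)
    code[0x10:0x16] = b"\xe8\x00\x00\x00\x00\x5d"      # call $+5 / pop: constructed stub
    return header + bytes(code)


if __name__ == "__main__":
    pe = build_sample_pe()
    sig = make_signature("Test.Stub", pe, "entry", 16)
    print(scan_hash(pe, [sig]), scan_hash(pe + b"\x90", [sig]))
```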
Heuristics
Dictionary sense: enabling a person to discover or learn something for themselves; relating to a speculative formulation that serves as a guide in the investigation or solution of a problem.
Heuristic methods
- Strategy: dynamic or static
- Subject of analysis: behaviour or structure
- Analysis method: weights or rules
Weights based: each observed activity carries a weight and the weights are summed
Activity                Weight
Network server          2
Disable system tools    5
Hidden process          7
Writes to HOSTS file    3
Creating executables    2
No GUI                  1
Sends HTTP              2
Sends IRC               5

Rules based: a combination of findings triggers the verdict
1. Small executable AND runs a server
2. Kills AV process AND contains a decryption loop
3. Packed executable AND deletes itself
4. Suspicious double extension (e.g. amazingshoots.jpeg.exe)
5. Program runs from the Temp directory AND creates a new executable in the Windows directory
6.
7.
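Both heuristic methods over one activity report, added here as an example rather than taken from the talk. The weights are the slide's values; the threshold, the "small executable" cut-off, the activity names and the two sample reports are constructed for the example. Rules 1 to 5 are the ones on the slide; the weighted score and the rule hits are computed separately so that either can raise the verdict.

```python
import re

# Weights from the slide; the activity keys are this example's naming.
ACTIVITY_WEIGHTS = {
    "network_server": 2,
    "disables_system_tools": 5,
    "hidden_process": 7,
    "writes_hosts_file": 3,
    "creates_executables": 2,
    "no_gui": 1,
    "sends_http": 2,
    "sends_irc": 5,
}
THRESHOLD = 10              # assumed: a score at or above this is suspicious
SMALL_EXE_BYTES = 64 * 1024  # assumed cut-off for "small executable"


def weight_score(report):
    return sum(ACTIVITY_WEIGHTS.get(a, 0) for a in report["activities"])


def _has(report, *activities):
    return all(a in report["activities"] for a in activities)


# (rule name, predicate over a report). Rules 1-5 as listed on the slide.
RULES = [
    ("small executable AND runs a server",
     lambda r: r["size"] < SMALL_EXE_BYTES and _has(r, "network_server")),
    ("kills AV process AND contains decryption loop",
     lambda r: _has(r, "kills_av_process") and bool(r["static"].get("decryption_loop"))),
    ("packed executable AND deletes self",
     lambda r: bool(r["static"].get("packed")) and _has(r, "deletes_self")),
    ("suspicious double extension",
     lambda r: re.search(r"\.(jpe?g|png|gif|pdf|docx?|txt)\.(exe|scr|com|bat)$",
                         r["path"], re.I) is not None),
    ("runs from Temp AND creates executable in Windows",
     lambda r: re.search(r"\\temp\\", r["path"], re.I) is not None
     and any(re.match(r"c:\\windows\\.*\.exe$", f, re.I) for f in r["created_files"])),
]


def rule_matches(report):
    return [name for name, pred in RULES if pred(report)]


def rate(report):
    """Combine both methods: weighted score over the threshold, or any rule hit."""
    score = weight_score(report)
    rules = rule_matches(report)
    verdict = "suspicious" if score >= THRESHOLD or rules else "clean"
    return {"score": score, "rules": rules, "verdict": verdict}


# Constructed reports, as a behaviour engine plus static pre-scan might emit.
SAMPLE_DROPPER = {
    "path": r"C:\Users\bob\AppData\Local\Temp\amazingshoots.jpeg.exe",
    "size": 40_000,
    "activities": {"network_server", "hidden_process", "sends_irc", "no_gui"},
    "created_files": [r"C:\Windows\svchost32.exe"],
    "static": {"packed": True, "decryption_loop": False},
}
SAMPLE_UPDATER = {
    "path": r"C:\Program Files\Vendor\updater.exe",
    "size": 3_000_000,
    "activities": {"sends_http", "creates_executables"},
    "created_files": [r"C:\Program Files\Vendor\vendor_app.exe"],
    "static": {"packed": False, "decryption_loop": False},
}

if __name__ == "__main__":
    print(rate(SAMPLE_DROPPER))
    print(rate(SAMPLE_UPDATER))
```

Note that the updater scores 4 on weights and trips no rule even though it creates an executable and talks HTTP; that is the point of weighting rather than flagging single activities, and it is also where the threshold choice decides the false-positive rate.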
Script malware
A script host program is generally used to run the script, for example:
  perl myscript.pl
  msiexec.exe myinstall.msi
  iexplore.exe mysc.js
The running process is then the host, not the script, so the behaviour-learning approach generates false positives here. The simplest solution is to look at the command line to find the script; however, that is not possible in many cases (WINWORD.EXE and similar hosts, where the command line does not name the script).
Otherwise the script goes through its own pipeline:
Script -> normalizer -> parser/analyzer -> emulator -> rating logic -> verdict: clean or malware
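An added example (not from the talk) of the two steps the slides describe: pulling the script path out of a script host's command line, and a normalizer that removes the obfuscation a plain string match would trip over before the rating logic runs. The host table, the indicator weights, the threshold and the sample script are constructed for this example; the normalizer handles JavaScript-style comments, `String.fromCharCode` with literal arguments and `+` concatenation of string literals, nothing more.

```python
import re
import shlex

# Script hosts and the script argument they take (constructed table).
SCRIPT_HOSTS = {
    "wscript.exe": r"\.(js|vbs|wsf)$",
    "cscript.exe": r"\.(js|vbs|wsf)$",
    "perl": r"\.pl$",
    "perl.exe": r"\.pl$",
    "msiexec.exe": r"\.msi$",
    "iexplore.exe": r"\.(js|html?)$",
}


def script_from_cmdline(cmdline):
    """Return (host, script_path) when a known host runs a script file, else None.
    posix=False keeps Windows quoting and backslashes intact."""
    try:
        argv = shlex.split(cmdline, posix=False)
    except ValueError:
        return None
    if not argv:
        return None
    host = argv[0].strip('"').replace("/", "\\").split("\\")[-1].lower()
    pattern = SCRIPT_HOSTS.get(host)
    if pattern is None:
        return None            # e.g. WINWORD.EXE: the command line does not help
    for arg in argv[1:]:
        arg = arg.strip('"')
        if re.search(pattern, arg, re.I):
            return host, arg
    return None


DQ = r'"(?:\\.|[^"\\])*"'
SQ = r"'(?:\\.|[^'\\])*'"
STR = DQ + "|" + SQ
TOKEN = re.compile(STR + r"|/\*.*?\*/|//[^\n]*", re.S)
CONCAT = re.compile(r"(" + STR + r")\s*\+\s*(" + STR + r")")
CHARCODE = re.compile(r"String\.fromCharCode\(\s*([\d\s,]+)\)")


def normalize_script(src):
    """Normalizer: drop comments (string literals are left alone so that
    'http://' survives), decode literal fromCharCode calls, fold string
    concatenation and collapse whitespace."""
    src = TOKEN.sub(lambda m: " " if m.group(0).startswith("/") else m.group(0), src)
    src = CHARCODE.sub(lambda m: '"' + "".join(chr(int(c)) for c in m.group(1).split(",")) + '"', src)
    while True:
        folded = CONCAT.sub(lambda m: '"' + m.group(1)[1:-1] + m.group(2)[1:-1] + '"', src)
        if folded == src:
            break
        src = folded
    return re.sub(r"\s+", " ", src).strip()


# Constructed indicator weights for the rating logic.
INDICATORS = {"wscript.shell": 3, ".run(": 2, "adodb.stream": 3, "eval(": 2, "xmlhttp": 3}
SCRIPT_THRESHOLD = 5


def rate_script(src):
    norm = normalize_script(src)
    score = sum(w for k, w in INDICATORS.items() if k in norm.lower())
    return norm, score, "malware" if score >= SCRIPT_THRESHOLD else "clean"


# Constructed sample; it only echoes, but uses the split-string trick.
SAMPLE_JS = """// constructed sample, not a real dropper
var s = new ActiveXObject("WSc" + "ript.Sh" + 'ell'); /* split to dodge a plain match */
var u = "http://" + "example.invalid/x";
s.Run(String.fromCharCode(99,109,100) + " /c echo hi", 0);
"""

if __name__ == "__main__":
    print(script_from_cmdline(r"wscript.exe //B C:\Users\bob\mysc.js"))
    print(rate_script(SAMPLE_JS))
```

On the raw sample the string "WScript.Shell" never appears, so a signature on it misses; after normalization it is a single literal and the rating logic sees both it and the `.Run(` call.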
Behaviour blocker
Commonly known as HIPS (Host Intrusion Prevention System); of course, not all of them provide the same protection.
A HIPS monitors the calls an application makes: the sequence of system calls and the parameters passed into each call.
HIPS decision logic: ask the user to decide, use heuristic methods, or both.
Rootkit detection
Cross-view diff: compare a high-level view (what the API reports) with a low-level view (what a walk of the underlying structures reports); objects that appear only in the low-level view are hidden. We use a variant of it with a low false-positive rate.
Hook detection: legitimate hooking is common (ENSAFE), so a hook on its own cannot be the decision point for quarantine, but it is very important for security. Such hooking is not allowed on many Linux systems and on 64-bit Windows.
Static analysis: look for a code sequence that hooks AND a sequence that manipulates EPROCESS pointers.
Hooking behaviour is monitored, and the decision can be taken from the user.
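The cross-view diff, added here as an example that is not from the talk. The plain diff flags everything the low-level view shows and the high-level view does not, which also catches a process that merely started between the two enumerations; the variant below is this example's assumption about how to keep the false-positive rate low: bracket the low-level walk with two high-level snapshots and report only what neither snapshot shows. The snapshots are constructed (pid, image name) lists, and the low-level walk is assumed to come from a source the rootkit does not filter.

```python
def naive_cross_view_diff(high_view, low_view):
    """Objects in the low-level view that the high-level view lacks.
    Also flags a process that started between the two enumerations."""
    high_pids = {pid for pid, _ in high_view}
    return sorted(p for p in low_view if p[0] not in high_pids)


def cross_view_diff(high_before, low_view, high_after):
    """Assumed low-false-positive variant: take a high-level snapshot before
    and after the low-level walk and report only objects absent from both.
    A process that started during the walk shows up in high_after and is
    dropped; one that exited is absent from low_view and never a suspect."""
    seen_high = {pid for pid, _ in high_before} | {pid for pid, _ in high_after}
    return sorted(p for p in low_view if p[0] not in seen_high)


# Constructed views. notepad.exe starts after the first snapshot and
# calc.exe after the low-level walk; rk_hidden.exe is filtered from the
# high-level view by the (hypothetical) rootkit.
HIGH_BEFORE = [(4, "System"), (512, "winlogon.exe"), (1000, "explorer.exe")]
LOW_VIEW = HIGH_BEFORE + [(1337, "rk_hidden.exe"), (2048, "notepad.exe")]
HIGH_AFTER = HIGH_BEFORE + [(2048, "notepad.exe"), (2100, "calc.exe")]

if __name__ == "__main__":
    print("naive :", naive_cross_view_diff(HIGH_BEFORE, LOW_VIEW))
    print("variant:", cross_view_diff(HIGH_BEFORE, LOW_VIEW, HIGH_AFTER))
```

Matching on pid alone is deliberate: a hidden process will not be found by name, and a name-based join would let a rootkit hide behind a legitimate image name.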