Saturday, 7 July 2012

How an antivirus detects a virus

We all know that antivirus software detects viruses on our PC and stops them from performing malicious tasks. What most of us don't know is how an antivirus actually detects a virus.

Two basic detection techniques are signature scanning and hash scanning.

In signature scanning the antivirus ships with a long list of known viruses, each with its signature. The scanner searches every file for those signatures, and if a file contains one of them the antivirus treats that file as infected.

So what is a signature?

Every file is ultimately a sequence of bytes. Take a text file containing the sentence "hello world": writing each byte as its two-digit hexadecimal value and joining them one after another gives 68656c6c6f20776f726c64. A signature is such a hex-encoded byte sequence, but in practice it is not the whole file. It is a short, distinctive stretch of bytes (a piece of the virus's code, or an unusual string it carries) chosen so that it appears in every copy of that virus and, ideally, in nothing else.

Suppose the word "hello" appears in a known virus. We record its hex pattern, 68656c6c6f, as the signature, and the scanner then searches every file for that byte pattern; any file containing it is flagged as infected. The catch is that a signature must be distinctive: "hello" also occurs in countless harmless files, so a real signature is taken from bytes that are specific to the virus. A signature that is too short or too common produces false positives.

Another method is hash scanning. A hash (or digest) of a file is a short, fixed-length string computed from the file's contents by a hash algorithm such as MD5, SHA-1 or SHA-256. Renaming the file does not change its hash; changing even a single byte of its data produces a completely different one. Two different files producing the same hash is possible in principle, but for a sound algorithm nobody can find such a pair (MD5 and SHA-1 are no longer considered safe in that respect, which is why SHA-256 is preferred today). The antivirus keeps a list of hashes of known viruses; when a file is scanned, its hash is computed and looked up in that list, and a match means the file is a known virus. This is fast and practically never gives a false positive, but it is fragile: a virus that differs by one byte gets a new hash and slips past a hash-only scan, which is why hash lists are used alongside signatures.
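The following is an added example, not code from the original post, showing both techniques side by side on a handful of constructed in-memory "files". The signature database, the "EVIL_PAYLOAD_v1" marker and the file names are all made up for the illustration; the point is the mechanics: a hex-encoded byte pattern searched for inside each file, versus a full-file SHA-256 lookup. The last sample file is the same dropper with one trailing byte changed, so it is caught by the signature but missed by the hash list.

```python
import hashlib

# Constructed sample files: raw bytes standing in for files on disk.
# "dropper_patched.exe" is "dropper.exe" with its final byte altered.
SAMPLE_FILES = {
    "notes.txt": b"hello world, meeting at 10\n",
    "report.doc": b"quarterly figures attached\n",
    "dropper.exe": b"MZ\x90\x00" + b"\x00" * 8 + b"EVIL_PAYLOAD_v1" + b"\xcc" * 16,
    "dropper_patched.exe": b"MZ\x90\x00" + b"\x00" * 8 + b"EVIL_PAYLOAD_v1" + b"\xcc" * 15 + b"\xcd",
}

# Hypothetical signature database: detection name -> hex-encoded byte pattern.
# The pattern is the hex of the (made-up) marker string "EVIL_PAYLOAD_v1".
SIGNATURES = {
    "Demo.Dropper.A": "4556494c5f5041594c4f41445f7631",
}


def signature_from_bytes(data: bytes) -> str:
    """Hex-encode a byte sequence: each byte becomes two hex digits, joined in order."""
    return data.hex()


def signature_scan(data: bytes, signatures=SIGNATURES):
    """Return the names of every signature whose byte pattern occurs anywhere in data."""
    matches = []
    for name, sig_hex in signatures.items():
        pattern = bytes.fromhex(sig_hex)
        if pattern in data:          # substring search over the raw bytes
            matches.append(name)
    return matches


def file_hash(data: bytes, algorithm: str = "sha256") -> str:
    """Digest of the whole file contents; file name plays no part, only the bytes do."""
    return hashlib.new(algorithm, data).hexdigest()


# Hypothetical hash database: digest of a known-bad file -> detection name.
HASH_DB = {
    file_hash(SAMPLE_FILES["dropper.exe"]): "Demo.Dropper.A",
}


def hash_scan(data: bytes, hash_db=HASH_DB):
    """Exact-match lookup: returns the detection name or None if the digest is unknown."""
    return hash_db.get(file_hash(data))


def scan_all(files, signatures=SIGNATURES, hash_db=HASH_DB):
    """Run both techniques over every file and return {file name: sorted detection names}."""
    results = {}
    for name, data in files.items():
        verdicts = set(signature_scan(data, signatures))
        hit = hash_scan(data, hash_db)
        if hit:
            verdicts.add(hit)
        results[name] = sorted(verdicts)
    return results


if __name__ == "__main__":
    for fname, verdicts in scan_all(SAMPLE_FILES).items():
        print(f"{fname:22} sha256={file_hash(SAMPLE_FILES[fname])[:16]}...  "
              f"{'INFECTED ' + ', '.join(verdicts) if verdicts else 'clean'}")
```

Running it shows notes.txt and report.doc clean, dropper.exe detected by both methods, and dropper_patched.exe detected only by the signature, since its digest is no longer in HASH_DB. Passing a deliberately short pattern such as the hex of "hello" to signature_scan flags notes.txt, which is the false-positive problem the text warns about.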

These are the most basic virus detection techniques and the easiest to understand. Because anything that changes even a few bytes of itself defeats plain signature and hash matching, today's antivirus products also rely on more sophisticated techniques, such as heuristic and behavioural analysis.