Antivirus and its aspects
Compressors and Archives
Another important task of every antivirus kernel is support for compressed and
archived file formats: ZIP, GZ, 7z, XAR, and RAR, to name just a few. An
antivirus should be able to decompress and navigate through all the files inside
any compressed or archived file, as well as compressed streams in PDF files and
other file formats. Because antivirus kernels must support so many different
file formats and extensions, vulnerabilities are often found in the code that
deals with this variety of input. The various aspects of an antivirus are
described below.
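As an added example (not code from this page or from any antivirus product), the following Python walks a blob through nested ZIP and gzip layers the way an engine's archive support must, while enforcing nesting-depth, inflation-ratio and total-size limits so that a crafted archive cannot exhaust the scanner; the limits, the ArchiveLimitExceeded name and the sample archives are constructed for the demonstration.

```python
import gzip
import io
import zipfile
import zlib

MAX_DEPTH, MAX_TOTAL_BYTES, MAX_RATIO = 4, 16 << 20, 100   # constructed limits for this example

class ArchiveLimitExceeded(Exception):
    """Raised instead of inflating data the scanner should not trust."""

def walk(data: bytes, path: str = "", depth: int = 0, budget=None):
    """Yield (path, payload) per leaf file, descending into ZIP and gzip members."""
    budget = [MAX_TOTAL_BYTES] if budget is None else budget     # shared across the tree
    if depth > MAX_DEPTH:
        raise ArchiveLimitExceeded(f"nesting deeper than {MAX_DEPTH} at {path!r}")
    if data[:4] == b"PK\x03\x04":                                 # ZIP local-header magic
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in (i for i in zf.infolist() if not i.is_dir()):
                if info.file_size > MAX_RATIO * max(info.compress_size, 1):
                    raise ArchiveLimitExceeded(f"suspicious ratio in {info.filename!r}")
                budget[0] -= info.file_size         # zipfile.read() stops at the declared size
                if budget[0] < 0:
                    raise ArchiveLimitExceeded("total inflated size exceeded")
                yield from walk(zf.read(info), f"{path}/{info.filename}", depth + 1, budget)
    elif data[:2] == b"\x1f\x8b":                  # gzip magic: stream-inflate under a cap,
        d = zlib.decompressobj(wbits=16 + zlib.MAX_WBITS)   # never trusting the ISIZE trailer
        inner = d.decompress(data, budget[0] + 1)
        if len(inner) > budget[0]:
            raise ArchiveLimitExceeded("gzip member exceeds the remaining size budget")
        budget[0] -= len(inner)
        yield from walk(inner, path + "#gunzip", depth + 1, budget)
    else:
        yield path, data                                          # leaf: hand to format scanners

def make_zip(members: dict) -> bytes:
    """Constructed-sample builder: an in-memory DEFLATE ZIP."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, payload in members.items():
            zf.writestr(name, payload)
    return buf.getvalue()

def constructed_samples() -> dict:
    """Constructed inputs: a benign nested tree, a ratio bomb and over-deep nesting."""
    deep = make_zip({"leaf.txt": b"x"})
    for _ in range(MAX_DEPTH + 2):
        deep = make_zip({"n.zip": deep})
    nested = make_zip({"inner.zip": make_zip({"a.txt": b"hello"}), "b.gz": gzip.compress(b"world")})
    return {"nested": nested, "bomb": make_zip({"zeros.bin": b"\0" * (1 << 20)}), "deep": deep}
```

The leaf payloads are what the per-format scanners would then receive; the zip member sizes are only declared values, which is why the budget and ratio checks are applied before any member is read.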
Unpackers
An unpacker is a routine or set of routines for unpacking protected or
compressed executable and batch files. Executable or batch malware is commonly
packed using freely available, cheap or homemade compressors and protectors, or
proprietary packers (obtained both legally and illegally on the market). The
number of packers an antivirus kernel must support is even larger than the
number of compressors and archive formats, and it grows almost every month with
the emergence of new packers used to hide the logic of new malware.
Packer Tools
Some packer tools, such as UPX, simply apply basic compression, and unpacking
samples packed with UPX is a simple and straightforward task. On the other hand,
there are very complex packers and protectors that translate the code to be
packed into bytecode and then inject one or more randomly generated virtual
machines into the executable so that it runs the original code the malware
author wrote. Removing this virtualization layer and uncovering the logic of the
malware is difficult and time-consuming.
Central Processing Unit Emulator
Some packers can be unpacked by the antivirus kernel's central processing unit
(CPU) emulator (a component discussed in the following sections); others are
unpacked entirely by static means. The most complex ones are unpacked with a
combination of both techniques: the emulator is run up to some known layer, and
then a static routine takes over, which is faster than continuing in the
emulator once specific values are known (such as the encrypted data, the
algorithm used, the key, and other available information).
Compressors and Archives - Part II
Like compressors and archives, unpackers are a very common area to explore when
you are looking for vulnerabilities in antivirus software. The list of packers
to be supported is huge; some of them are used only by a specific malware
campaign, so the code is likely written once and never verified or audited
again. The list of packers to be supported grows year by year.
Emulators
Most antivirus kernels on the market support a variety of emulators, with the
only exception being Clam AntiVirus. The most common emulator in antivirus cores
or kernels is the Intel x86 emulator. Some advanced antivirus products also
support AMD64 or ARM emulators. Emulators are not limited to real CPUs like
Intel x86, AMD64, or ARM; there are also emulators for virtual machines. For
example, some emulators are aimed at inspecting Java bytecode, Android DEX
bytecode, JavaScript, and even VBScript or Adobe ActionScript.
Virtual Machines and Fingerprinting
Fingerprinting or bypassing the virtual machines and emulators used in antivirus
products is an easy task: you just need to find some incompatibility here and
there. For example, for the Intel x86 emulator, it is unlikely, if not
impossible, that the developers of the antivirus kernel would implement all of
the instructions supported by the emulated CPUs in exactly the same way the
manufacturers of those CPUs do. For higher-level machinery built on the
emulator, such as the execution environments for ELF or PE files, it is even
less likely that the developers would implement the whole operating system
environment or every API provided by the OS. Therefore, it is really easy to
discover many different ways to fool emulators and to fingerprint them. Many
techniques for evading antivirus emulators are discussed in this book, as are
techniques for fingerprinting them.
Miscellaneous File Formats
Developing an antivirus kernel is very complex. The previous sections discussed
some of the features commonly shared by antivirus cores, and you can imagine the
time and effort required to support them. However, it gets worse: to be robust,
the kernel must support a very long list of file formats in order to catch
exploits embedded in files. Some file formats (excluding compressors and
archives) that come to mind are OLE2 containers (Word or Excel documents); HTML
pages, XML documents, and PDF files; CHM help files and old Microsoft Help file
formats; PE, ELF, and Mach-O executables; JPG, PNG, GIF, TGA, and TIFF image
formats; ICO and CUR icon formats; MP3, MP4, AVI, ASF, and MOV audio and video
formats; and so on.
Microsoft Office File Formats
Whenever an exploit appears for some new file format, an antivirus engineer must
add some level of support for that format. Some formats are so complicated that
even their original makers have problems handling them correctly; two examples
are Microsoft and its Office file formats, and Adobe and its PDF format. Why,
then, should antivirus developers be expected to handle such a format better
than its original author, considering that they probably have no previous
knowledge of the file format and may need to do some reverse-engineering work?