Antivirus and its aspects


Compressors and Archives

Another important task of every antivirus kernel is handling compressed or archived file formats: ZIP, GZ, 7z, XAR, and RAR, to name just a few. An antivirus must be able to decompress and navigate all of the files inside any compressed or archived file, as well as compressed streams inside PDF files and other file formats. Because antivirus kernels must support so many different file formats and extensions, vulnerabilities are often found in the code that deals with this variety of input. The following sections cover the various aspects of an antivirus kernel.
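The section above says a kernel has to open every layer of a nested archive, and that this code is where bugs tend to live. The following added example (written for this page, not code from the original article or from any antivirus product) shows the defensive shape such a walker needs: it identifies containers by magic bytes rather than extension, recurses through ZIP inside GZ inside ZIP, and enforces a nesting limit, a total decompressed-byte budget and a member-name check, so a crafted archive cannot exhaust memory or escape the extraction directory. The nested sample, its member names and the status labels are constructed for the demo.

```python
import gzip
import io
import zipfile
import zlib


def build_nested_sample() -> bytes:
    """Constructed test input (not a real sample): ZIP -> GZ -> ZIP,
    with one member whose name tries to escape the extraction directory."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("payload.txt", b"A" * 2000)
        z.writestr("../escape.txt", b"traversal attempt")
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("notes.txt", b"hello")
        z.writestr("inner.zip.gz", gzip.compress(inner.getvalue()))
    return outer.getvalue()


def container_kind(blob: bytes):
    """Identify a container by magic bytes, never by file extension."""
    if blob.startswith(b"PK\x03\x04"):
        return "zip"
    if blob.startswith(b"\x1f\x8b"):
        return "gzip"
    return None


class BoundedScanner:
    """Walks nested containers while enforcing a nesting limit and a total
    decompressed-byte budget, so a crafted archive cannot exhaust the scanner."""

    def __init__(self, max_depth: int = 3, max_bytes: int = 64 * 1024):
        self.max_depth = max_depth
        self.remaining = max_bytes
        self.findings = []   # (path, status) pairs, in scan order

    def scan(self, blob: bytes, path: str = "<root>", depth: int = 0):
        kind = container_kind(blob)
        if kind is None:
            self.findings.append((path, "file"))
            return self.findings
        if depth >= self.max_depth:
            self.findings.append((path, "depth-limit"))
            return self.findings
        self.findings.append((path, "container"))
        try:
            if kind == "gzip":
                members = [("<gzip-body>", gzip.GzipFile(fileobj=io.BytesIO(blob)))]
            else:
                zf = zipfile.ZipFile(io.BytesIO(blob))
                members = [(info.filename, zf.open(info)) for info in zf.infolist()]
        except (zipfile.BadZipFile, OSError):
            self.findings.append((path, "corrupt"))
            return self.findings
        for name, fh in members:
            child = f"{path}/{name}"
            parts = name.replace("\\", "/").split("/")
            if name.startswith(("/", "\\")) or ".." in parts:
                self.findings.append((child, "unsafe-name"))
                continue
            # Read at most budget+1 bytes: a lying size field in the header
            # must not be able to make us allocate more than the budget.
            try:
                data = fh.read(self.remaining + 1)
            except (OSError, EOFError, zlib.error):
                self.findings.append((child, "corrupt"))
                continue
            if len(data) > self.remaining:
                self.findings.append((child, "size-limit"))
                self.remaining = 0
                continue
            self.remaining -= len(data)
            self.scan(data, child, depth + 1)
        return self.findings
```

Running `BoundedScanner().scan(build_nested_sample())` opens all three layers and flags `../escape.txt`; lowering `max_depth` to 2 refuses the innermost ZIP, and a small `max_bytes` stops at `payload.txt` instead of inflating it. Real scanners add the same kind of caps per format (7z, RAR, XAR) and usually also a compression-ratio check.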



Unpackers

An unpacker is a routine or set of routines developed for unpacking protected or compressed executable and batch files. Executable or batch malware is commonly packed using freely available compressors and protectors, locally made ones, or proprietary packers (obtained both legally and illegally). The number of packers an antivirus kernel must support is even larger than the number of compressors and archives, and it grows almost every month with the emergence of new packers used to hide the logic of new malware.

Packers Instruments

Some packers, for example UPX, simply apply basic compression. Unpacking samples packed by UPX is a basic and uncomplicated task. On the other hand, there are extremely complex software packers and protectors that convert the code to be packed into bytecode and then inject one or more randomly generated virtual machines into the executable, so that it still runs the original code the malware author wrote. Removing this virtualization layer and uncovering the logic of the malware is hard and tedious.
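Before a kernel can pick an unpacker, it has to notice that a file is packed at all. The added example below (written for this page, not code from the article or from UPX itself) parses a PE section table with bounds checks and collects the classic indicators: known packer section names such as UPX0/UPX1, a section with near-maximal entropy (compressed or encrypted bytes), and a section that is empty on disk but large in memory, which is where the stub will unpack into. The `build_pe` helper, the sample sections and the hint strings are constructed for the demo; the 7.0 entropy threshold is a common rule of thumb, not a value from the page.

```python
import math
import random
import struct

# Section names that UPX writes by default; other packers have their own.
KNOWN_PACKER_SECTIONS = {b"UPX0", b"UPX1", b"UPX2"}
MAX_SECTIONS = 96            # Windows loaders reject images with more than this


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; compressed or encrypted data sits close to 8.0."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def build_pe(sections) -> bytes:
    """Constructed minimal PE32 image for the demo (not compiler output).
    sections: list of (name, virtual_size, raw_bytes)."""
    e_lfanew, opt_size, align = 0x80, 224, 0x200
    headers_end = e_lfanew + 24 + opt_size + 40 * len(sections)
    raw_off = (headers_end + align - 1) & ~(align - 1)
    dos = bytearray(e_lfanew)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, opt_size, 0x102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)          # PE32 magic
    table, body, va = bytearray(), bytearray(), 0x1000
    for name, vsize, raw in sections:
        raw_size = (len(raw) + align - 1) & ~(align - 1)
        ptr = raw_off + len(body) if raw else 0
        table += struct.pack("<8sIIIIIIHHI", name.ljust(8, b"\0"), vsize, va,
                             raw_size, ptr, 0, 0, 0, 0, 0x60000020)
        body += raw.ljust(raw_size, b"\0")
        va += (max(vsize, raw_size) + 0xFFF) & ~0xFFF
    image = (dos + b"PE\0\0" + coff + opt + table).ljust(raw_off, b"\0")
    return bytes(image + body)


def analyze_pe(image: bytes) -> dict:
    """Parse the section table with bounds checks and collect packing hints."""
    if len(image) < 0x40 or image[:2] != b"MZ":
        raise ValueError("not a PE file")
    (e_lfanew,) = struct.unpack_from("<I", image, 0x3C)
    if e_lfanew + 24 > len(image) or image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature or e_lfanew out of range")
    _, nsections, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", image, e_lfanew + 4)
    table = e_lfanew + 24 + opt_size
    if nsections > MAX_SECTIONS or table + 40 * nsections > len(image):
        raise ValueError("section table out of bounds")
    result = {"sections": [], "hints": []}
    for i in range(nsections):
        raw_name, vsize, _va, raw_size, raw_ptr = struct.unpack_from("<8sIIII", image, table + 40 * i)
        name = raw_name.rstrip(b"\0").decode("latin-1")
        # Clamp to the file so a lying header cannot make us read past the end.
        start = min(raw_ptr, len(image))
        data = image[start:min(start + raw_size, len(image))]
        ent = shannon_entropy(data)
        result["sections"].append((name, vsize, len(data), round(ent, 2)))
        if raw_name.rstrip(b"\0") in KNOWN_PACKER_SECTIONS:
            result["hints"].append(f"known packer section name {name}")
        if ent > 7.0:
            result["hints"].append(f"high-entropy section {name}")
        if raw_size == 0 and vsize >= 0x1000:
            result["hints"].append(f"empty-on-disk section {name} (space reserved for unpacking)")
    result["likely_packed"] = bool(result["hints"])
    return result
```

The bounds checks are the part that matters for the page's point: `e_lfanew`, `NumberOfSections`, `PointerToRawData` and `SizeOfRawData` are all attacker-controlled, and each one is clamped or validated before it is used as an offset. A packed image built with `build_pe([(b"UPX0", 0x10000, b""), (b"UPX1", 0x2000, <random bytes>)])` yields all three hints, while a plain `.text` section of NOPs yields none.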

Central Processing Unit Emulator

Some packers can be unpacked by the antivirus kernel's Central Processing Unit (CPU) emulator (a component discussed in the following sections); others are unpacked entirely by static means. The most complex ones are unpacked with a mix of the two techniques: the emulator is run up to some known layer, and then a static routine, which is faster than the emulator, takes over once specific values are known (such as the encrypted data, the algorithm used, the key, and so on).
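To make the "emulate up to a known layer, then finish statically" idea concrete, here is an added example written for this page (not code from the article or from any antivirus emulator). It uses a constructed toy instruction set rather than x86: a packer stub loads the start, end and XOR key of a packed region into registers, decrypts it in a loop and jumps into it. Full emulation executes every iteration; the hybrid path recognises the stub's loop by a byte signature, emulates only until the loop is reached, reads the region bounds and key straight out of the register file, and applies the XOR statically. Both paths recover the same bytes, and the step counts show why the hybrid one is preferred.

```python
# Constructed toy instruction set (not x86): opcode byte followed by operands.
MOV, XORMEM, INC, JNE, JMP, HALT = 0x01, 0x02, 0x03, 0x04, 0x05, 0xFF
PAYLOAD_AT = 0x20
# Byte signature of this stub's decryption loop: XORMEM r0,r2 / INC r0 / JNE r0,r1
LOOP_SIGNATURE = bytes([XORMEM, 0, 2, INC, 0, JNE, 0, 1])


def assemble_packed_sample(key: int) -> bytearray:
    """Decryptor stub at address 0, XOR-'packed' payload at PAYLOAD_AT."""
    payload = bytes([MOV, 3, 0x42, HALT])          # the real program: r3 = 0x42; halt
    packed = bytes(b ^ key for b in payload)
    stub = bytes([
        MOV, 0, PAYLOAD_AT,                         # r0 = start of packed region
        MOV, 1, PAYLOAD_AT + len(payload),          # r1 = end of packed region
        MOV, 2, key,                                # r2 = XOR key
        XORMEM, 0, 2,                               # loop (offset 9): mem[r0] ^= r2
        INC, 0,                                     #   r0 += 1
        JNE, 0, 1, 9,                               #   if r0 != r1 goto loop
        JMP, PAYLOAD_AT,                            # jump into the unpacked code
    ])
    mem = bytearray(0x40)
    mem[:len(stub)] = stub
    mem[PAYLOAD_AT:PAYLOAD_AT + len(packed)] = packed
    return mem


def emulate(mem: bytearray, budget: int = 1000, stop_at=None):
    """Execute until HALT, until `budget` instructions have run (emulators always
    cap their work), or until pc reaches `stop_at`. Returns (regs, pc, steps)."""
    regs, pc, steps = [0, 0, 0, 0], 0, 0
    while steps < budget and pc != stop_at:
        op = mem[pc]
        if op == HALT:
            break
        if op == MOV:
            regs[mem[pc + 1]] = mem[pc + 2]
            pc += 3
        elif op == XORMEM:
            mem[regs[mem[pc + 1]]] ^= regs[mem[pc + 2]]
            pc += 3
        elif op == INC:
            regs[mem[pc + 1]] = (regs[mem[pc + 1]] + 1) & 0xFF
            pc += 2
        elif op == JNE:
            pc = mem[pc + 3] if regs[mem[pc + 1]] != regs[mem[pc + 2]] else pc + 4
        elif op == JMP:
            pc = mem[pc + 1]
        else:
            raise ValueError(f"unknown opcode {op:#x} at {pc:#x}")
        steps += 1
    return regs, pc, steps


def hybrid_unpack(mem: bytearray):
    """Emulate only until the known decryption loop is reached, then finish
    statically with the values the emulator has already produced."""
    loop_at = mem.find(LOOP_SIGNATURE)
    if loop_at < 0:
        raise ValueError("unknown packer: no static routine available")
    regs, _pc, steps = emulate(mem, stop_at=loop_at)
    start, end, key = regs[0], regs[1], regs[2]     # register layout of this stub
    for addr in range(start, end):
        mem[addr] ^= key
    return bytes(mem[start:end]), steps
```

With a four-byte payload the full emulation executes 17 instructions before the unpacked code halts, while `hybrid_unpack` needs only the three register loads; on a real packer with a multi-kilobyte region the difference is what makes the static finish worthwhile. The `budget` argument models the instruction cap every antivirus emulator has to impose.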

Compressors and Archives- Part II

Like compressors and archives, unpackers are a very common area to explore when looking for vulnerabilities in antivirus software. The list of packers to be supported is huge; some of them are used only with a specific malware campaign, so the code is likely written once and never again verified or audited. The list of packers to be supported grows year by year.



Emulators

Most antivirus kernels on the market support a variety of emulators, with the only exception being Clam AntiVirus. The most common emulator in antivirus cores or kernels is the Intel x86 emulator. Some advanced antivirus products also offer AMD64 or ARM emulators. Emulators are not limited to regular CPUs such as Intel x86, AMD64, or ARM; there are also emulators for some virtual machines. For example, some emulators are aimed at inspecting Java bytecode, Android DEX bytecode, JavaScript, and even VBScript or Adobe ActionScript.


Virtual Machines and Fingerprinting

Fingerprinting or bypassing the virtual machines and emulators used in antivirus products is an easy task: you just need to find some incompatibility here and there. For example, for the Intel x86 emulator, it is unlikely, if not impossible, that the developers of the antivirus kernel implemented every instruction supported by the emulated CPUs exactly the way the manufacturers of those CPUs do. For higher-level machinery that uses the emulator, such as the complete environments for ELF or PE files, it is even less likely that the developers implemented the whole operating system environment or every API provided by the OS. Therefore, it is really easy to discover many different ways to fool emulators and to fingerprint them. Many techniques for evading antivirus emulators are discussed in this book, as are techniques for fingerprinting them.

Miscellaneous File Formats

Developing an antivirus kernel is very complex. The previous sections discussed some of the features shared by antivirus cores, and you can imagine the time and effort required to support them. However, it gets even worse: an antivirus kernel has to be very robust, and it must support a very long list of file formats in order to catch exploits embedded in files. Some file formats (excluding compressors and archives) that come to mind are OLE2 containers (Word or Excel documents); HTML pages, XML documents, and PDF files; CHM help files and old Microsoft Help file formats; PE, ELF, and Mach-O executables; JPG, PNG, GIF, TGA, and TIFF image file formats; ICO and CUR icon formats; MP3, MP4, AVI, ASF, and MOV video and audio file formats; and so on.

Microsoft Office file formats

Whenever an exploit appears for some new file format, an antivirus engineer must add some level of support for that file format. Some formats are so complicated that even their original makers have problems handling them correctly; two examples are Microsoft with its Office file formats, and Adobe with its PDF format. How can antivirus developers be expected to handle such a format better than its original author, considering that they probably have no previous knowledge of the format and may need to do some reverse-engineering work?
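PDF is named twice on this page: as a format whose compressed streams the kernel has to inflate, and as one that even its author struggles with. The added example below (written for this page, not code from the article or from Adobe) shows the smallest piece of that work: locating `stream ... endstream` objects, trusting the declared `/Length` only after checking that `endstream` really follows, and inflating FlateDecode streams through `zlib.decompressobj` with a `max_length` cap so a deflate bomb stops at the cap instead of filling memory. The sample PDF, the regular expressions and the record fields are constructed for the demo; a production parser would also handle indirect `/Length` references, nested dictionaries, filter chains, object streams and the xref table, which is exactly the surface the page is warning about.

```python
import re
import zlib

# Toy PDF lexer: a stream dictionary followed by the `stream` keyword.
STREAM_RE = re.compile(rb"<<(?P<dict>.*?)>>\s*stream\r?\n", re.DOTALL)
MAX_INFLATED = 1 << 20       # cap on decoded bytes per stream (deflate-bomb guard)


def build_sample_pdf() -> bytes:
    """Constructed minimal PDF: one FlateDecode content stream, one raw stream."""
    content = b"BT /F1 12 Tf 72 720 Td (Hello) Tj ET\n" * 50
    deflated = zlib.compress(content)
    return (
        b"%PDF-1.4\n"
        b"1 0 obj\n<< /Length " + str(len(deflated)).encode()
        + b" /Filter /FlateDecode >>\nstream\n" + deflated + b"\nendstream\nendobj\n"
        b"2 0 obj\n<< /Length 5 >>\nstream\nraw!!\nendstream\nendobj\n"
        b"%%EOF\n"
    )


def inflate_bounded(data: bytes, limit: int = MAX_INFLATED):
    """Inflate at most `limit` bytes; returns (output, complete).
    `complete` is False when the cap cut the stream short or input was truncated."""
    d = zlib.decompressobj()
    out = d.decompress(data, limit)
    return out, d.eof


def extract_streams(pdf: bytes):
    """Return one record per stream: filter, decoded data, whether decoding
    finished, and whether the declared /Length lined up with `endstream`."""
    records, pos = [], 0
    while True:
        m = STREAM_RE.search(pdf, pos)
        if not m:
            return records
        d = m.group("dict")
        start = m.end()
        # Direct /Length only; "/Length 5 0 R" (indirect object) is skipped here.
        length = re.search(rb"/Length\s+(\d+)(?![\d\s]*R)", d)
        if not length:
            pos = start
            continue
        n = int(length.group(1))
        raw = pdf[start:start + n]
        tail = pdf[start + n:start + n + 16].lstrip(b"\r\n")
        rec = {"filter": None, "data": raw, "complete": True,
               "length_ok": tail.startswith(b"endstream") and len(raw) == n}
        if b"/FlateDecode" in d:
            rec["filter"] = "FlateDecode"
            rec["data"], rec["complete"] = inflate_bounded(raw)
        records.append(rec)
        pos = start + n      # resume after the binary body, not inside it
```

Resuming the search after the stream body rather than inside it matters: compressed bytes can contain `<<` or `>>` by chance, and a lexer that keeps scanning through them will mis-parse the next object. The `length_ok` flag is the kind of consistency check a kernel uses to decide whether a file is malformed enough to be suspicious in itself.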

