1.1 What is anti-virus software
Anti-virus software is designed to provide better security for the operating system or for specific software. Most of the time it is deployed as a defensive program.
Anti-virus software uses a variety of techniques to detect malware hidden deep in the operating system, including malware that has self-protection functions of its own.
The sources of malicious files that anti-virus software must handle include: network packets, e-mail attachments, attacks that exploit browser vulnerabilities, document viewers, and executable files.
1.2 Composition of anti-virus software
Anti-virus software consists of a scanner, a virus database, a virtual machine, and a host program that connects them.
Anti-virus software often uses more than one anti-virus engine or kernel.
1.3 Features of anti-virus software
One.
1. Able to scan compressed files and packed executable files.
2. Can scan executable files or directories on demand or in real time.
3. Has a driver that protects the anti-virus software's own processes from malware attacks.
4. Has a firewall and traffic monitoring.
5. Has a command line and a graphical interface tool set.
6. Has a daemon or service.
7. Has its own management console.
Two. Basic functions
1. Native language. Most anti-virus engines are written in a native (compiled) language. An anti-virus engine must run fast enough that it does not affect system performance. A native language meets this requirement well, because once the code is compiled it runs at full speed on the target host's CPU.
However, using a native programming language also has drawbacks: it is more likely to leak memory and system resources, and to cause memory corruption.
2. Scanner
In most cases the scanner has a GUI or a command line interface; when the user wants to check certain files, these tools come into play.
There is also a background real-time scanner, called the resident anti-virus protection process. It is in effect a daemon that monitors the system in real time and prevents malicious programs from running.
3. Signatures
A signature is a unique fingerprint of a known malicious file; each signature corresponds to one malicious file.
Some typical scanning functions and basic patterns are based on simple "fingerprint" matching techniques, for example finding a specific string (e.g. "Panda"), computing a CRC checksum, or computing an MD5 hash.
If the pattern matching technique relies solely on an MD5-type value, each signature detects only the single file it was taken from.
If the pattern technique is based on fuzzy logic, for example using the CRC of a specific data block as the matching feature, it can identify relatively more malicious files.
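To make the difference between the three signature types concrete, here is an added toy scanner (example code written for this section, not taken from any anti-virus product). The sample "files", the signature names and the block offset are all constructed for the demonstration; it shows that a whole-file MD5 signature matches only the exact sample it was taken from, while a block-CRC or string signature also catches a variant that keeps the same block.

```python
import hashlib
import zlib

# Constructed sample "files" (plain byte strings, not real malware).
# KNOWN_SAMPLE and VARIANT share the same marker block and differ only
# in their tail, the way two variants of one family might; BENIGN is a
# harmless look-alike with a different block.
KNOWN_SAMPLE = b"MZ\x90\x00" + b"PANDA" + b"\x00" * 16 + b"payload-v1"
VARIANT = b"MZ\x90\x00" + b"PANDA" + b"\x00" * 16 + b"payload-v2"
BENIGN = b"MZ\x90\x00" + b"hello" + b"\x00" * 16 + b"benign"


def md5_hex(data: bytes) -> str:
    """Whole-file MD5 fingerprint, as used by an exact-match signature."""
    return hashlib.md5(data).hexdigest()


def block_crc(data: bytes, offset: int, length: int):
    """CRC32 over one data block [offset, offset+length); None if the
    file is too short to contain that block."""
    block = data[offset:offset + length]
    if len(block) != length:
        return None
    return zlib.crc32(block) & 0xFFFFFFFF


# Hypothetical signature database, derived from the known sample only.
SIGNATURES = [
    # Exact whole-file hash: matches only the file it was taken from.
    {"name": "Sample.A.md5", "type": "md5", "value": md5_hex(KNOWN_SAMPLE)},
    # CRC of one specific block: matches every variant keeping that block.
    {"name": "Family.blockcrc", "type": "crc_block",
     "offset": 4, "length": 5, "value": block_crc(KNOWN_SAMPLE, 4, 5)},
    # Plain string pattern, like the "Panda" example in the text.
    {"name": "Family.string", "type": "string", "value": b"PANDA"},
]


def scan(data: bytes, signatures=SIGNATURES) -> list:
    """Return the names of all signatures that match `data`, in order."""
    hits = []
    for sig in signatures:
        if sig["type"] == "md5" and md5_hex(data) == sig["value"]:
            hits.append(sig["name"])
        elif (sig["type"] == "crc_block" and
              block_crc(data, sig["offset"], sig["length"]) == sig["value"]):
            hits.append(sig["name"])
        elif sig["type"] == "string" and sig["value"] in data:
            hits.append(sig["name"])
    return hits
```

Running `scan()` over the three samples shows the known sample hitting all three signatures, the variant hitting only the block-CRC and string signatures, and the benign file hitting none.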
Three. Advanced features
1. Traffic monitoring and firewall
Because many worms infect computers through the network, anti-virus software gained the ability to screen upload and download traffic. To accomplish this, the anti-virus software installs a driver in the computer that analyzes network traffic, and the firewall detects and blocks known attacks.
2. Self-protection
Some malware uses certain techniques to shut down the anti-virus process in order to carry out its infection.
Therefore, many anti-virus products implement self-protection through a kernel driver, for example by refusing attempts to terminate the anti-virus process via ZwTerminateProcess. Some products implement self-protection by blocking OpenProcess calls with certain parameters that would be used to shut down anti-virus processes, or by refusing WriteProcessMemory calls from external processes that want to inject code into the anti-virus process.
This type of technique is generally implemented by a kernel driver, although some protection is implemented only at the user-mode layer.