Security – How do anti-viruses work?

So I was thinking about viruses recently, and wondering how exactly antiviruses keep up? Considering anybody who’d been coding for a few weeks could hack together something to do nasty, nasty things to somebody’s PC, the quantity alone would make a simple list of hashes prohibitive, so how do antiviruses do it? Do they monitor process activity and have a 3 strikes rule for doing virus-like things? And if so, what’s stopping it from triggering on perfectly harmless things (like me moving files around in system32)?

I did a bit of googling, but the regular places didn’t particularly help, and I couldn’t find a dupe here, so I thought it’d be good to ask 🙂

Solution:

This article from 2002 talks about building an antivirus engine.

The article will describe the basic ideas, concepts, components and approaches involved in developing an anti-virus program from scratch from a developer’s/software engineer’s point of view. It will focus on the main elements of an anti-virus engine (hereafter referred to as AV engine) and will exclude aspects like graphical user interfaces, real-time monitors, file system drivers and plug-ins for certain application software like Microsoft Exchange or Microsoft Office. Although AV engines running/scanning for single platforms (such as Palm OS or EPOC/Symbian OS) can be designed in the same way, this article will focus on designing multi-platform scanning engines, which are far more complex.

There’s also an article on heuristic techniques to detect infections. It’s also an interesting read.
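As an added illustration, not code from the question, the answer or the linked articles, here are the two tiers the question touches on: a hash-signature lookup for known samples, and a weighted behaviour score with a threshold for the rest. The hash set, event names, weights and threshold are constructed placeholders; the point is that one benign action, like moving files around in system32, scores low on its own, while a combination of virus-like behaviours crosses the threshold.

```python
import hashlib

# Constructed sample data (not a real signature database): SHA-256 hashes of
# known-bad file contents. Exact-hash matching is cheap but only catches
# samples already seen, which is why a second tier is needed.
KNOWN_BAD_HASHES = {hashlib.sha256(b"constructed-sample-bad-file").hexdigest()}

# Constructed behaviour weights: no single action is conclusive, but the
# combination of several virus-like actions pushes a process over the line.
BEHAVIOUR_WEIGHTS = {
    "write_system_dir": 1,        # e.g. copying a file into system32
    "set_autorun_key": 2,         # persistence via an autorun registry key
    "copy_self_to_removable": 3,  # self-replication onto removable media
    "disable_av_service": 3,
}
ALERT_THRESHOLD = 4


def signature_match(file_bytes: bytes) -> bool:
    """Tier 1: exact-hash lookup against the known-bad set."""
    return hashlib.sha256(file_bytes).hexdigest() in KNOWN_BAD_HASHES


def behaviour_score(events: list[str]) -> int:
    """Tier 2: sum the weights of distinct observed behaviours.
    Each behaviour counts once, so repeating one benign action (an admin
    moving many files in system32) does not inflate the score.
    Unknown event names score 0."""
    return sum(BEHAVIOUR_WEIGHTS.get(e, 0) for e in set(events))


def classify(file_bytes: bytes, events: list[str]) -> str:
    """Combine both tiers into a verdict: known-malware, suspicious or clean."""
    if signature_match(file_bytes):
        return "known-malware"
    if behaviour_score(events) >= ALERT_THRESHOLD:
        return "suspicious"
    return "clean"


if __name__ == "__main__":
    # Constructed traces: an admin shuffling files vs. a worm-like sequence.
    admin_trace = ["write_system_dir", "write_system_dir", "write_system_dir"]
    worm_trace = ["write_system_dir", "set_autorun_key", "copy_self_to_removable"]
    print(classify(b"harmless-binary", admin_trace))       # clean
    print(classify(b"harmless-binary", worm_trace))        # suspicious
    print(classify(b"constructed-sample-bad-file", []))   # known-malware
```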