[Question] Anti Virus signatures?

ayu (Staff, Posts: 8109, Joined: 27 Aug 2005, 16:00)

Post by ayu »

I see myself as a pretty organized human, thus making me want to keep my computers pretty organized as well.

This includes a very organized and secure box.

And this has long since bound me to an interest in the making of malicious apps and the destruction of them.

I have read a lot about antivirus, and some may know that I have tested a lot of them as well ^^

Now there is something I would like to know that I can't seem to find anywhere.

1: The signatures that antivirus programs use to identify malware: if I am not mistaken, it should be the first 20 bytes of the file or so, but I am not sure. Could someone help me clarify how this works?

2: Secondly, I would like to know where some antivirus programs store their signatures. For example, when you update your antivirus, it downloads a number of definition files. Where does Norton, for example, store these? And how would I be able to see the signatures in clear text?

Answer these questions and me love you long time. :D
"The best place to hide a tree, is in a forest"

n3rd (Staff Member, Posts: 1474, Joined: 15 Nov 2005, 17:00, Location: my own perfect world in ma head :))

Post by n3rd »

Cats wrote:
1: The signatures that antivirus programs use to identify malware: if I am not mistaken, it should be the first 20 bytes of the file or so, but I am not sure. Could someone help me clarify how this works?

I think the way of searching is different for each scanner; for all you know, their ways of searching are already patented.

bad_brain (Site Owner, Posts: 11636, Joined: 06 Apr 2005, 16:00, Location: In your eye floaters.)

Post by bad_brain »

Well, how the virus signatures really work is like asking Coke for their recipe... they keep it secret. You can find the signatures for Kaspersky, for example, somewhere in C:\documents and settings/all users/application data/Kaspersky, but don't expect clear text; it's most likely all MD5 hashes... :?

ayu (Staff, Posts: 8109, Joined: 27 Aug 2005, 16:00)

Post by ayu »

Hmm, I always thought there was a special number of bytes that was used to identify the files, I mean so that they could be sure that the signatures really were unique =/
"The best place to hide a tree, is in a forest"

DNR (Digital Mercenary, Posts: 6114, Joined: 24 Feb 2006, 17:00, Location: Michigan USA)

common sense

Post by DNR »

AV signatures are more proprietary than anything else. Each AV app has its own tricks and features; each also has to be different and 'smarter' than the others, otherwise they'd all be the same. They have to be different so as not to be predictable to malware coders, and they have to offer extra features to assure the customer they have a good product.

Some AVs work on detecting behavior as a means of _not_ relying on a 'file signature', since file sizes and patterns can now morph between victims.

Remember it is a combination of appz, OS knowledge, some code, and plain old common sense.

DNR
-
He gives wisdom to the wise and knowledge to the discerning. He reveals deep and hidden things; he knows what lies in Darkness, and Light dwells with him.
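The two signature styles the thread circles around, as an added example that is not code from any post here or from any AV vendor: a whole-file MD5 signature (the kind bad_brain expects to find in the definition files) beside a fixed byte-pattern signature with a one-byte wildcard (the "special number of bytes" ayu asks about), both run over constructed sample files so that the morphing DNR mentions can be seen defeating the hash but not the pattern. The sample bytes, signature names and the pattern format are all made up for this demonstration.

```python
import hashlib
from typing import Optional

# Constructed sample "files" (not real malware): a known sample, a "morphed"
# variant with one byte of its payload changed, and a clean file sharing the header.
KNOWN_BAD = b"MZ\x90\x00" + b"DEMO-PAYLOAD-v1" + b"\x00" * 8 + b"DEMO-PAYLOAD-v1"
VARIANT = KNOWN_BAD.replace(b"v1", b"v2", 1)
CLEAN = b"MZ\x90\x00" + b"hello, world" * 3

# Hash signatures: whole-file MD5 of a known sample (hypothetical signature names).
HASH_SIGS = {hashlib.md5(KNOWN_BAD).hexdigest(): "Demo.Sample.A"}

# Byte-pattern signatures in a format made up for this example: a signature name,
# an offset (None = search the whole file), and a byte sequence in which None is
# a one-byte wildcard, so the version digit after "v" can be anything.
PATTERN_SIGS = [
    ("Demo.Sample.Gen", None, [*b"DEMO-PAYLOAD-v", None]),
]


def scan_hash(data: bytes) -> Optional[str]:
    """Exact-match lookup: any single changed byte yields a different digest."""
    return HASH_SIGS.get(hashlib.md5(data).hexdigest())


def _matches_at(data: bytes, pos: int, pattern: list) -> bool:
    if pos + len(pattern) > len(data):
        return False
    return all(p is None or data[pos + i] == p for i, p in enumerate(pattern))


def scan_pattern(data: bytes) -> Optional[str]:
    """Pattern lookup: tolerates the changed byte, at the cost of scanning the file."""
    for name, offset, pattern in PATTERN_SIGS:
        positions = [offset] if offset is not None else range(len(data))
        if any(_matches_at(data, pos, pattern) for pos in positions):
            return name
    return None


def scan(data: bytes) -> list:
    """Run both detectors and return the names of the signatures that fired."""
    return [name for name in (scan_hash(data), scan_pattern(data)) if name]


if __name__ == "__main__":
    for label, sample in (("known", KNOWN_BAD), ("variant", VARIANT), ("clean", CLEAN)):
        print(label, scan(sample))
```

The variant is missed by the hash lookup but still caught by the pattern, which is why a hash-only definition set needs a new entry for every repacked copy while pattern and behaviour-based detection does not.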