Monday, April 27, 2020

How Antivirus Works?

  What Is Antivirus Software?

  ➠ When connected to the Internet, your computer can get infected by different types of viruses. These threats can reach your device through things you download, such as email attachments or files you copy from the web. In just a matter of minutes, a virus can destroy your data by wiping it out or making it unusable, and it can also degrade the performance of your computer by slowing it down. Additionally, a virus can be used to hold your confidential data hostage, or to let someone take control of your computer remotely and use it to attack others.

  👉 Here are some of the methods antivirus software commonly uses:

1. Heuristic-based detection

👉 The first approach is heuristics. The antivirus (AV) looks at loose properties of the file, such as how big it is, whether it appears to use a set of dangerous functions, or whether it has abnormal permissions. With heuristic approaches, the AV matches things that aren’t in the code directly. One example of how this might work is by asking the following questions of the file:

  • Does the executable import VirtualAlloc?
  • Is the executable greater than 30KB and less than 75KB?
  • Does the executable have a section whose permissions are read, write and execute?
    =>> If all of these things are true, then the file is flagged as malware

2. Behavioral detection

 👉 A second approach is behavioral analysis, which is similar to heuristics but targets the actual behavior exhibited by malware. Behavioral analysis looks at questions such as:

  • What is the file doing on a file system level?
  • What is the file doing on a registry level?
  • What is the file doing on a process level?
  • What is the file doing on a network level?

3. Pattern Matching

👉 The third approach is pattern matching via signatures. Pattern matching is used to check a sequence of tokens for the presence of the constituents (parts) of a pattern. In contrast to the flexibility offered by pattern recognition, the match has to be absolutely exact.

A signature is the digital fingerprint of a piece of malware. It’s a unique string of bits, a binary pattern representing the malware. Each time a traditional AV product encounters a new file, the AV product looks through its signature list and asks, “does this byte in the signature match this byte in the file?” If it does, it moves on and checks the next byte. It continues through the whole file in this way. If every byte of the file matches every byte in one of its signatures, exactly, it flags the file as malware.

4. Cloud antivirus detection

👉 Cloud antivirus needs an Internet connection to collect information, which is uploaded to, and processed by, a server in the cloud. It generally spares your computer additional processing by running all detection on the server.

5. Hash Matching

👉 Another approach is hash matching. The AV calculates hashes over different parts of the file and does the following:

  • Takes a hash over a certain area of the executable (MD5, SHA256, CRC32)
  • Asks: does the hash match the hash of a known piece of malware?
    =>> If yes, then it is malware

In the real world this gets slightly more complicated: engines will often take many different hashes across the binary and see if any of them match. For instance, an engine may cut the file into 1024-byte chunks, hash each of them, and check whether any chunk hash matches a known virus.
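As an added example (not code from the original post), the following Python scanner applies the two hash checks described above: a whole-file hash lookup, then a lookup of every 1024-byte chunk hash against a blocklist. The "known bad" block and the blocklist are constructed here for illustration; the third sample file shows the alignment limitation of fixed-offset chunk hashing.

```python
import hashlib
from typing import Dict, Iterator, Optional, Set, Tuple

CHUNK_SIZE = 1024  # the 1024-byte chunk size mentioned in the text


def chunk_hashes(data: bytes, chunk_size: int = CHUNK_SIZE,
                 algo: str = "sha256") -> Iterator[Tuple[int, str]]:
    """Yield (offset, hexdigest) for each fixed-size chunk of data.
    The final chunk may be shorter than chunk_size and is hashed as-is."""
    for offset in range(0, len(data), chunk_size):
        chunk = data[offset:offset + chunk_size]
        yield offset, hashlib.new(algo, chunk).hexdigest()


def scan(data: bytes, known_bad: Set[str],
         chunk_size: int = CHUNK_SIZE) -> Dict[str, Optional[object]]:
    """1. whole-file hash against the blocklist;
    2. per-chunk hashes against the blocklist, which catches a known
       malicious block embedded in an otherwise unknown file.
    Returns a dict saying whether and why the file was flagged."""
    whole = hashlib.sha256(data).hexdigest()
    if whole in known_bad:
        return {"malware": True, "reason": "whole-file hash", "offset": 0}
    for offset, digest in chunk_hashes(data, chunk_size):
        if digest in known_bad:
            return {"malware": True, "reason": "chunk hash", "offset": offset}
    return {"malware": False, "reason": "no hash match", "offset": None}


# Constructed sample: a made-up "known malicious" block of exactly 1024 bytes.
# It is not a real malware artifact; it only stands in for one.
MALICIOUS_BLOCK = b"\x90" * 1000 + b"CONSTRUCTED_BAD_BLOCK_V1"

# The blocklist holds its hash, just as a signature database would.
KNOWN_BAD = {hashlib.sha256(MALICIOUS_BLOCK).hexdigest()}


def demo():
    # File A: the block itself -> caught by the whole-file hash.
    a = scan(MALICIOUS_BLOCK, KNOWN_BAD)
    # File B: benign padding, then the block on a 1024-byte boundary
    # -> caught by the chunk hash at offset 2048.
    b = scan(b"A" * 2048 + MALICIOUS_BLOCK + b"B" * 10, KNOWN_BAD)
    # File C: the same content shifted by one byte -> no chunk lines up with
    # the stored hash, so fixed-offset chunk hashing misses it.
    c = scan(b"A" * 2049 + MALICIOUS_BLOCK + b"B" * 10, KNOWN_BAD)
    return a, b, c


if __name__ == "__main__":
    for name, result in zip("ABC", demo()):
        print(name, result)
```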


6. Signature-based detection

👉 Signature-based detection searches for the specific digital code of a virus (you can think of it as a virus’ fingerprint) and, if it finds it, quarantines or deletes it. Once a virus has been identified, it can be added to a signature database, which is kept locally or in the cloud and consulted when scanning a system for threats from then on. However, this process requires at least one user or system to be attacked by the malicious software, and the malware to be recognized, before everyone else can be protected against it. Put simply, it’s not very useful for brand new threats.


by:-Rjkumar😎 :- attack on u 
