Computer virus detection

The easiest way is to run an up-to-date anti-virus program and let it do a full scan of the disk.
To catch a new virus early, first watch the state of memory, since most viruses reside in memory.
Second, watch the byte counts of commonly used executable files; most viruses lengthen a file when they infect it.
For floppy disks, watch for bad blocks that appear for no reason (some viruses mark sectors as bad to hide parts of themselves).

Virus detection method: feature code (signature) method. Implementation steps: collect known virus samples and extract virus code from them according to these principles:
The extracted code is distinctive and unlikely to match the code of a normal program.
The extracted code has an appropriate length: long enough to keep the signature unique, but not so long that it costs too much space and time.
Add the signatures to the virus database.
Detection process: open the file under investigation and search it for every signature in the virus database. Because signatures correspond one to one with viruses, a hit identifies which virus the file contains.
Advantages: accurate and fast detection, the virus name is identified, low false alarm rate, and the file can be disinfected based on the result.
Disadvantages: cannot detect unknown viruses, signatures of known viruses must be collected, large cost overhead, and low efficiency on a network.
Virus detection tools: SCAN, CPAV.
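The signature method above, as an added worked example (not code from the original page): a constructed signature database, a helper that picks a signature window from a sample following the two selection principles, and a scanner that streams a file in chunks. The names and byte patterns are hypothetical; no real malware signatures appear.

```python
"""Feature code (signature) scanning, as an added worked example.

The signature database below is constructed for this demonstration and the
names and byte patterns are hypothetical; no real malware signatures appear.
"""
import os
import tempfile

# Constructed signature database: virus name -> byte pattern.  Signatures map
# one to one to names, so a hit tells us which entry matched.
SIGNATURE_DB = {
    "Demo.A": b"\xde\xad\xbe\xef\x90\x90\x5b\x5e",
    "Demo.B": b"SAMPLE-SIGNATURE-B",
}


def extract_signature(sample, candidate_len, clean_corpus):
    """Choose a signature from a sample following the page's two principles:
    distinctive (never occurs in any clean file) and of a fixed, modest length.
    Windows made mostly of padding (few distinct bytes) are skipped because
    such runs are common in ordinary programs."""
    for start in range(len(sample) - candidate_len + 1):
        window = sample[start:start + candidate_len]
        if len(set(window)) < candidate_len // 2:
            continue
        if not any(window in clean for clean in clean_corpus):
            return window
    return None


def scan_bytes(data, db=SIGNATURE_DB):
    """Return the sorted names of every signature found in data."""
    return sorted(name for name, sig in db.items() if sig in data)


def scan_file(path, db=SIGNATURE_DB, chunk=1 << 20):
    """Stream the file in chunks so large binaries need not be loaded whole.
    The last (longest signature - 1) bytes of each chunk are carried over so a
    signature straddling a chunk boundary is still found."""
    overlap = max(len(s) for s in db.values()) - 1
    found = set()
    with open(path, "rb") as fh:
        tail = b""
        while True:
            block = fh.read(chunk)
            if not block:
                break
            buf = tail + block
            found.update(scan_bytes(buf, db))
            tail = buf[-overlap:] if overlap > 0 else b""
    return sorted(found)


def write_and_scan(data, chunk=1 << 20):
    """Write constructed file contents to a temporary file and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "sample.bin")
        with open(path, "wb") as fh:
            fh.write(data)
        return scan_file(path, chunk=chunk)


if __name__ == "__main__":
    infected = b"MZ" + b"\x00" * 16 + SIGNATURE_DB["Demo.B"] + b"\x00" * 8
    print(write_and_scan(infected))              # ['Demo.B']
    print(write_and_scan(b"MZ" + b"\x00" * 32))  # []
```

The chunk overlap is the part most often got wrong in real scanners: without carrying `longest - 1` bytes forward, a signature split across two reads is silently missed.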

Virus detection method: checksum method. Compute a checksum over the contents of a normal (clean) file and write it into the file itself or save it in a separate file. While the file is in use, check periodically, or before each use, whether the checksum of the file's current contents still matches the original; a mismatch shows that the file has been modified and may be infected. This method is called the checksum method.
The checksum method is applied in three ways:
(1) build the checksum method into the virus detection tool; (2) put the checksum method into the application as a self-check function; (3) have a checksum-checking program reside in memory.
Advantages: can find unknown viruses.
Disadvantages: cannot identify the name of the virus, produces false alarms, and cannot handle stealth (hidden) viruses (once a stealth virus is in memory, it strips its own code out of the infected program as the program is read, so the checksum method is deceived and computes the normal checksum for an infected file).
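The checksum method as an added worked example (not code from the original page), in the "save it in another file" form: a baseline of digests is recorded while the files are known clean, and later compared against the files. It uses SHA-256 in place of the simple checksums of the page's era (an assumption of this example) and plays out the two outcomes the page describes: a modified program is caught without its virus being named, and a legitimate upgrade is a false alarm until its baseline entry is refreshed. The file names and contents are constructed.

```python
"""Checksum method, as an added worked example.

A baseline of file digests is recorded while the files are known clean and
compared against the files later.  SHA-256 is used here in place of the
simple checksums of the page's era, which is an assumption of this example.
"""
import hashlib
import json
import os
import tempfile


def file_digest(path):
    """Digest of a file's contents, read in blocks."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(1 << 16), b""):
            h.update(block)
    return h.hexdigest()


def build_baseline(paths, store):
    """Record digests of known-clean files in a separate baseline file."""
    baseline = {p: file_digest(p) for p in paths}
    with open(store, "w") as fh:
        json.dump(baseline, fh)
    return baseline


def update_baseline(paths, store):
    """Refresh only the given entries, e.g. after a verified upgrade, so an
    unexplained change elsewhere is not silently accepted."""
    with open(store) as fh:
        baseline = json.load(fh)
    for p in paths:
        baseline[p] = file_digest(p)
    with open(store, "w") as fh:
        json.dump(baseline, fh)
    return baseline


def verify(store):
    """Compare each recorded file against its stored digest.  Returns a
    mapping path -> 'ok' | 'modified' | 'missing'."""
    with open(store) as fh:
        baseline = json.load(fh)
    result = {}
    for path, expected in baseline.items():
        if not os.path.exists(path):
            result[path] = "missing"
        elif file_digest(path) != expected:
            result[path] = "modified"
        else:
            result[path] = "ok"
    return result


def demo():
    """Constructed scenario with three 'programs'.  EDITOR.EXE is altered the
    way an infection alters a file (code appended); GAME.EXE is legitimately
    upgraded.  Both report 'modified' at first: the method sees the change but
    cannot say which one is a virus or name it.  Refreshing GAME.EXE's entry
    clears the false alarm while the unexplained change remains flagged."""
    with tempfile.TemporaryDirectory() as tmp:
        editor, game, util = (os.path.join(tmp, n) for n in ("EDITOR.EXE", "GAME.EXE", "UTIL.EXE"))
        for p, body in ((editor, b"MZ editor v1"), (game, b"MZ game v1"), (util, b"MZ util v1")):
            with open(p, "wb") as fh:
                fh.write(body)
        store = os.path.join(tmp, "checksums.json")
        build_baseline([editor, game, util], store)

        with open(editor, "ab") as fh:   # constructed unexplained change
            fh.write(b" <appended demo bytes>")
        with open(game, "wb") as fh:     # legitimate upgrade
            fh.write(b"MZ game v2")
        before = verify(store)

        update_baseline([game], store)   # operator confirmed the upgrade
        after = verify(store)
        strip = lambda d: {os.path.basename(k): v for k, v in d.items()}
        return strip(before), strip(after)


if __name__ == "__main__":
    print(demo())
```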

Virus detection method: behavior monitoring method. The behavior monitoring method detects viruses by watching for the behaviors that are characteristic of viruses.
Years of observing and studying viruses have shown that certain behaviors are common to viruses and fairly unusual; in normal programs they are rare. The program's behavior is monitored while it runs, and an alarm is raised as soon as virus-like behavior is seen.
Advantages of the behavior monitoring method: unknown viruses can be found, and most unknown viruses are predicted quite accurately.
Disadvantages of the behavior monitoring method: it may give false alarms, the virus name cannot be identified, and it is difficult to implement.
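The behavior monitoring method as an added worked example (not code from the original page): a small rule engine scores each process by the virus-like actions the page mentions (writing into other executables, staying resident, writing the boot sector, marking disk blocks bad) and alarms above a threshold. The event trace, rule names and weights are constructed and hypothetical; the trace includes a legitimate installer to show the false alarm the page warns about, and a trusted-program list as one way to suppress it.

```python
"""Behavior monitoring, as an added worked example.

Events below are a constructed trace of (process, action, target) records
such as a resident monitor might collect; the rules and weights are
hypothetical and chosen to illustrate the method, including its false alarms.
"""
from collections import defaultdict

# Constructed rule table: action -> (weight, description).  Each entry is one
# of the virus-like behaviors named on the page.
RULES = {
    "write_executable":  (3, "writes into another program's executable file"),
    "stay_resident":     (2, "installs itself resident in memory"),
    "write_boot_sector": (5, "writes to the boot sector"),
    "mark_bad_block":    (4, "marks a disk block bad"),
}
ALARM_THRESHOLD = 5


def analyze(events, rules=RULES, threshold=ALARM_THRESHOLD, trusted=frozenset()):
    """Score each process by the rules its actions trigger and return alarms
    for processes at or above the threshold, with the reasons.  Processes in
    `trusted` (e.g. a known installer) are exempt, which trades some coverage
    for fewer false alarms."""
    scores = defaultdict(int)
    reasons = defaultdict(list)
    for proc, action, target in events:
        if proc in trusted or action not in rules:
            continue
        weight, desc = rules[action]
        scores[proc] += weight
        reasons[proc].append(f"{desc} ({target})")
    return {
        proc: {"score": s, "reasons": reasons[proc]}
        for proc, s in scores.items() if s >= threshold
    }


def demo_events():
    """Constructed trace.  WORDPROC.EXE behaves normally; SUSPECT.COM goes
    resident and writes into two other executables; SETUP.EXE is a legitimate
    installer that also writes executables and so triggers a false alarm."""
    return [
        ("WORDPROC.EXE", "open_file", "LETTER.TXT"),
        ("WORDPROC.EXE", "write_file", "LETTER.TXT"),
        ("SUSPECT.COM", "stay_resident", "TSR"),
        ("SUSPECT.COM", "write_executable", "CALC.EXE"),
        ("SUSPECT.COM", "write_executable", "EDIT.COM"),
        ("SETUP.EXE", "write_executable", "C:\\APP\\APP.EXE"),
        ("SETUP.EXE", "write_executable", "C:\\APP\\HELPER.EXE"),
    ]


if __name__ == "__main__":
    for proc, info in analyze(demo_events()).items():
        print(proc, info["score"], "; ".join(info["reasons"]))
```

Note that the monitor never names a virus: the alarm says what the process did, not what it is, exactly the limitation the page lists.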

Virus detection method: software simulation method. A polymorphic virus changes its encryption key each time it infects, so the signature method fails against it: the virus body is encrypted, the key differs for each infection, and the code found in each infected file therefore differs from the code in every other. A new detection method thus emerged, the software simulation method. A tool of this kind first applies the signature method; if it suspects a stealth or polymorphic virus, it starts a software simulation module that follows the virus as it runs, and once the virus has decrypted itself, the signature method is used to identify which kind of virus it is.
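The software simulation method as an added worked example (not code from the original page). Everything in it is constructed: a demo byte string whose body is XOR-encrypted with a per-variant key, a decoder stub in a toy instruction set defined only for this example, and an emulator that interprets that stub. It shows the point of the section directly: the plain signature method finds nothing in either variant because the stored bytes differ, while scanning the memory image after emulation identifies both.

```python
"""Software simulation (emulation) against a polymorphic sample, as an added
worked example.  Everything here is constructed: the 'virus' is a demo byte
string whose body is XOR-encrypted with a per-variant key behind a decoder
stub written for a toy instruction set that the emulator interprets.
"""

# Toy decoder instruction set (hypothetical; defined only for this example).
OP_SETKEY, OP_SETCNT, OP_XOR, OP_LOOP, OP_HALT = 0x01, 0x02, 0x03, 0x04, 0x05
STUB_LEN = 8                       # the stub built in make_variant is 8 bytes

# Constructed plaintext body and the signature that identifies it.
PLAIN_BODY = b"DEMO-POLY-BODY:PAYLOAD-SIG:END"
SIGNATURE_DB = {"Demo.Poly": b"PAYLOAD-SIG"}


def make_variant(key):
    """One 'infection': the same body under a different key, so the bytes on
    disk differ between variants (the polymorphic behavior the page describes).
    Layout: SETKEY k, SETCNT n, XOR, LOOP back 1, HALT, then n encrypted bytes."""
    if not 0 < key < 256 or len(PLAIN_BODY) > 255:
        raise ValueError("key must be 1..255 and body at most 255 bytes")
    stub = bytes([OP_SETKEY, key, OP_SETCNT, len(PLAIN_BODY), OP_XOR, OP_LOOP, 1, OP_HALT])
    return stub + bytes(b ^ key for b in PLAIN_BODY)


def scan_static(image, db=SIGNATURE_DB):
    """Plain signature method on the bytes as stored."""
    return sorted(name for name, sig in db.items() if sig in image)


def emulate(image, max_steps=10_000):
    """Interpret the decoder stub over a copy of the image until it halts, hits
    something that is not a stub instruction, or exhausts the step budget, and
    return the resulting memory image.  The budget keeps a malformed or
    looping stub from hanging the scanner."""
    mem = bytearray(image)
    pc = key = count = i = 0
    for _ in range(max_steps):
        if pc >= len(mem):
            break
        op = mem[pc]
        arg = mem[pc + 1] if pc + 1 < len(mem) else None
        if op == OP_SETKEY and arg is not None:
            key, pc = arg, pc + 2
        elif op == OP_SETCNT and arg is not None:
            count, pc = arg, pc + 2
        elif op == OP_XOR:
            if STUB_LEN + i >= len(mem):
                break                    # stub tries to run past the image
            mem[STUB_LEN + i] ^= key
            i, pc = i + 1, pc + 1
        elif op == OP_LOOP and arg is not None:
            pc = pc - arg if i < count else pc + 2
        else:
            break                        # HALT, or not a stub we understand
    return bytes(mem)


def scan_emulated(image, db=SIGNATURE_DB):
    """Software simulation method: run the sample in the emulator first, then
    apply the signature method to the decrypted memory image."""
    return scan_static(emulate(image), db)


if __name__ == "__main__":
    for key in (0x5A, 0x31):
        v = make_variant(key)
        print(hex(key), "static:", scan_static(v), "emulated:", scan_emulated(v))
```

A real emulator models a CPU and operating-system calls rather than a five-opcode stub, but the control flow is the same: decode under a step budget, then hand the resulting memory image to the ordinary signature scanner.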

Methods of detecting viruses (summary)
Feature code (signature) method: collect virus samples and extract signatures. Features: detects known viruses quickly and accurately, but cannot find unknown viruses.
Checksum method: a checksum computed over the file contents is compared with the one recorded earlier.
Advantages: it detects subtle changes to files and can find unknown viruses.
Disadvantages: a false alarm is raised when software is upgraded or a password is changed; the virus name cannot be recognized; it is ineffective against stealth viruses.
Behavior monitoring method: judges based on virus-specific behavior. Finds many unknown viruses; may raise false alarms; difficult to implement.
Software simulation method: a software analyzer that uses software to simulate and analyze the running of a program.
Features: can be used against polymorphic viruses.
