
Computer expert, talk about the basic knowledge of famous antivirus software!

For the examples below, let a fragment of virus code be represented by six digits: 0 12345.

Antivirus technology based on virus characteristics (signatures)

1. Signature technology

Suppose 0 12345 is part of a virus's code and the antivirus software's virus database contains the signature 0 12345. If the code matches the signature exactly, any file containing 0 12345 is judged to be a virus. Signature detection therefore requires that an entry in the virus database match the virus's characteristics completely: each signature identifies one virus, one to one. So virus writers came up with mutation to fight antivirus software.

Virus mutation technology: insert a space into 0 12345 so that it becomes 0 1 2 3 4 5. This no longer matches the 0 12345 entry in the virus database, but the code still executes exactly as before.

2. Broad-spectrum signature technology

In response, antivirus software adopted broad-spectrum signature technology, which in effect automatically filters out the spaces in 0 1 2 3 4 5 before matching, so that a single signature in the virus database keeps matching the mutated virus for a long time. So virus writers once again came up with a new trick, transformation, to fight antivirus software.

Virus transformation technology: 0 12345 is rewritten as: zero, one, two, three, four, five. It looks completely different, so the signature in the antivirus database can no longer match, yet it is still the same virus.
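The three stages above can be reproduced in a few lines. The following is an added illustration, not code from the original article: the "virus database" holds the article's toy signature 0 12345, exact matching catches the original, broad-spectrum matching strips whitespace to catch the spacing mutant, and neither catches the spelled-out transformation. The sample "code" strings and the database are constructed for this example.

```python
import re

# Constructed toy virus database: one signature, as in the article's example.
# Real signature formats are byte patterns, not text; this is illustrative only.
SIGNATURE_DB = ["0 12345"]


def exact_match(code: str, db=SIGNATURE_DB) -> bool:
    """Plain signature scan: the sequence must appear in the code verbatim."""
    return any(sig in code for sig in db)


def normalize(code: str) -> str:
    """Broad-spectrum step: remove the spacing a mutant inserted, so that
    '0 1 2 3 4 5' and '0 12345' collapse to the same form '012345'."""
    return re.sub(r"\s+", "", code)


def broad_spectrum_match(code: str, db=SIGNATURE_DB) -> bool:
    """Signature scan over normalized code and normalized signatures."""
    body = normalize(code)
    return any(normalize(sig) in body for sig in db)


def scan(code: str) -> dict:
    """Run both scanners so the reader can see where each one stops working."""
    return {"exact": exact_match(code), "broad_spectrum": broad_spectrum_match(code)}


# Constructed samples: the original fragment, the spacing mutant, and the
# transformed variant that spells the digits out.
ORIGINAL = "header 0 12345 payload"
MUTANT = "header 0 1 2 3 4 5 payload"
TRANSFORMED = "header zero one two three four five payload"

if __name__ == "__main__":
    for name, sample in [("original", ORIGINAL), ("mutant", MUTANT),
                         ("transformed", TRANSFORMED)]:
        print(name, scan(sample))
```

The point the article makes shows up directly in the results: each normalization layer the defender adds only undoes one specific transformation, and the spelled-out variant still passes both scanners, which is why behavior-based detection became necessary.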

Antivirus technology based on virus behavior

3. Heuristic technology

Because of virus transformation techniques like these, antivirus vendors developed heuristic technology. Heuristic technology is divided into:

Static heuristic virus detection technology
    Heuristic detection based on the characteristics of a single virus sample
    Heuristic detection based on statistics

Dynamic heuristic virus detection technology
    Heuristic detection based on a virtual machine

The transformed virus 0 12345 no longer shares any recognisable signature with the original, but it still behaves the same way: infecting a file, dropping some specific code, calling a particular API. So the antivirus developer summarises these behaviors by hand and judges whether a file is a virus by its behavior.

Heuristic detection based on statistics counts the behaviors of a large number of known viruses. A simplified table looks like this (a real heuristic table has far more entries):

Each action the virus takes is given a score:

Modify startup items: -5

Modify the registry: -5

Modify system files: -5

Modify system services: -5

Modify common software: -5

A dividing line is then set: if the score reaches -15 or worse, the file is judged to be a virus.

Now 0 12345 modifies a startup item (-5), modifies the registry (-5) and modifies a system file (-5): the total is -15, so it is a virus.
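The scoring rule just described, written out as a small classifier. This is an added example and not code from the article; the weights and the -15 threshold are the article's, the behavior names and the three sample traces are constructed here. It also reports which observed behaviors had no entry in the table, because that is exactly the blind spot the next paragraph talks about.

```python
from typing import Iterable

# Constructed scoring table, copied from the article's simplified list.
# A real statistical heuristic table has many more entries and varied weights.
BEHAVIOR_SCORES = {
    "modify_startup_item": -5,
    "modify_registry": -5,
    "modify_system_file": -5,
    "modify_system_service": -5,
    "modify_common_software": -5,
}
VIRUS_THRESHOLD = -15  # a total at or below this is judged to be a virus


def score_behaviors(observed: Iterable[str], table=BEHAVIOR_SCORES) -> int:
    """Sum the weights of the behaviors a sample exhibited. Behaviors that are
    not in the table contribute nothing, however harmful they are."""
    return sum(table.get(behavior, 0) for behavior in observed)


def classify(observed: Iterable[str], table=BEHAVIOR_SCORES,
             threshold=VIRUS_THRESHOLD) -> dict:
    """Return the score, the verdict, and the behaviors the table knew nothing about."""
    observed = list(observed)
    score = score_behaviors(observed, table)
    return {
        "score": score,
        "verdict": "virus" if score <= threshold else "clean",
        "unscored": [b for b in observed if b not in table],
    }


# Constructed traces: the article's 0 12345 sample, a legitimate installer, and a
# sample whose behaviors fall entirely outside the table.
SAMPLE_012345 = ["modify_startup_item", "modify_registry", "modify_system_file"]
SAMPLE_INSTALLER = ["modify_registry", "modify_common_software"]
SAMPLE_OUTSIDE_TABLE = ["encrypt_user_documents", "contact_remote_host"]

if __name__ == "__main__":
    for name, trace in [("0 12345", SAMPLE_012345), ("installer", SAMPLE_INSTALLER),
                        ("outside table", SAMPLE_OUTSIDE_TABLE)]:
        print(name, classify(trace))
```

The third sample scores 0 and is reported clean even though it does nothing a user would want: a heuristic only knows the behaviors its statistics cover, which is the limitation the article states next.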

A heuristic can catch a virus whose signature is unknown but whose behavior is known. That is not the same as detecting unknown viruses: if a virus's behavior falls outside what the heuristic's statistics cover, the heuristic is powerless.

The so-called self-learning QVM is this kind of statistics-based heuristic detection: it extracts virus behaviors into its own database and then matches files against the statistical values. That is all there is to it!

Dynamic heuristics are virtual-machine technology. The principle is roughly to analyse the virus's behavior by running it and observing what "0 12345" does inside the virtual machine. But the virtual machine is not all-powerful: the simulated environment is, after all, not a completely real one.

For example, the real system contains an obscure file, call it "!". When the virtual machine imitates the system, it decides that leaving "!" out will not affect anything. The virus, when it runs, checks for "!"; on finding that the file does not exist, it knows it is inside a virtual machine and holds back its harmful behavior.

Static heuristic method

Advantages:

Faster detection than dynamic heuristics.

Disadvantages:

Easily defeated by packing, encryption and code transformation.

Statistics-based heuristics need a comparatively large database.

Dynamic heuristic method

Advantages:

Based on virtual execution, real virus behavior can be captured.

Strong resistance to evasion.

Disadvantages:

Detection is slow, so the engine must use it sparingly.

R&D costs are very high.

4. Active defense technology

Where heuristic technology still has to match behaviors, active defense monitors behaviors in real time on top of the heuristic approach. The principle of the two is similar: both judge according to known virus behavior. But the heuristic workflow is:

Virus behavior found -> match against known behaviors -> return result.

The active defense workflow is:

Virus behavior found -> return result directly.

The purpose of active defense is to shorten the time during which the virus and the antivirus software contend with each other.
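A way to see the difference in timing between the two workflows. This is an added simulation, not code from the article: a constructed "protected system" records which actions actually took effect, the heuristic scanner lets the whole trace run and matches afterwards, and the active-defense hook evaluates every action before it executes and returns a verdict the moment the known-behavior score crosses the threshold. The weights reuse the article's -5 / -15 example; the action names, the traces and the hook-call counter are constructed.

```python
from dataclasses import dataclass, field

# Constructed weights and threshold, reusing the article's scoring example.
WEIGHTS = {"modify_startup_item": -5, "modify_registry": -5, "modify_system_file": -5}
THRESHOLD = -15  # running score at or below this -> virus


@dataclass
class ProtectedSystem:
    """Constructed stand-in for the user's machine. It records which actions
    actually took effect and how often the real-time hook was invoked."""
    applied: list = field(default_factory=list)
    hook_calls: int = 0

    def apply(self, action: str) -> None:
        self.applied.append(action)


def heuristic_scan(trace: list, system: ProtectedSystem) -> dict:
    """Heuristic workflow: behavior found -> match -> return result.
    The whole trace has already executed by the time the verdict is reached."""
    for action in trace:
        system.apply(action)
    score = sum(WEIGHTS.get(a, 0) for a in trace)
    return {"verdict": "virus" if score <= THRESHOLD else "clean",
            "applied": len(system.applied), "hook_calls": system.hook_calls,
            "blocked_at": None}


def active_defense(trace: list, system: ProtectedSystem) -> dict:
    """Active-defense workflow: a hook inspects each action before it executes
    and returns a result directly once the score crosses the threshold, so the
    offending action never reaches the system. Every action, harmful or not,
    pays the monitoring cost, which is the performance drawback the article notes."""
    score = 0
    for action in trace:
        system.hook_calls += 1
        score += WEIGHTS.get(action, 0)
        if score <= THRESHOLD:
            return {"verdict": "virus", "applied": len(system.applied),
                    "hook_calls": system.hook_calls, "blocked_at": action}
        system.apply(action)
    return {"verdict": "clean", "applied": len(system.applied),
            "hook_calls": system.hook_calls, "blocked_at": None}


def compare(trace: list) -> dict:
    """Run both workflows over the same trace on fresh systems."""
    return {"heuristic": heuristic_scan(trace, ProtectedSystem()),
            "active": active_defense(trace, ProtectedSystem())}


# Constructed traces: the article's 0 12345 sample interleaved with benign
# actions, and a legitimate installer that touches the registry once.
VIRUS_TRACE = ["read_config", "modify_startup_item", "write_temp_file",
               "modify_registry", "modify_system_file", "contact_remote_host"]
INSTALLER_TRACE = ["read_config", "modify_registry", "write_temp_file"]

if __name__ == "__main__":
    print("virus", compare(VIRUS_TRACE))
    print("installer", compare(INSTALLER_TRACE))
```

Both workflows reach the same verdict on the virus trace, but the heuristic scan reaches it after all six actions have taken effect, whereas active defense stops at the third modification with only four actions applied. The price is visible in hook_calls: the hook ran for the benign actions too.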

Advantages of active defense:

Reduce the time of confrontation between virus and antivirus software.

It has a certain effect on viruses with known virus behavior.

Disadvantages of active defense:

Due to the comprehensive monitoring of the whole system, the performance of the system will decline.

It relies heavily on kernel driver technology and often uses undocumented system internals, so its compatibility is poor.

Different antivirus technologies really correspond to different kinds of viruses. With signature technology alone it is hard to deal effectively with viruses that use transformation techniques. With behavior analysis alone, efficiency is lost on viruses that a simple signature would have caught, and behavior analysis also has to sacrifice some system resources to do its job.

Is there a scheme that ensures both efficiency and effectiveness? The emergence of cloud technology makes it possible to integrate signature technology and behavior technology into one large system, in which the techniques complement each other:

5. Frontier defense technology

Virus characteristics and virus behavior have a basic premise, that is, the virus has entered the computer.

But the computer does not produce the virus itself. How did the virus get onto the user's computer? As the saying goes, illness enters through the mouth; can we take measures at that entrance? For a long time the entrance was ignored, because every antivirus vendor was busy fighting viruses one at a time. Building on signature and behavior detection, frontier defense technology pays attention to how the virus enters the computer in the first place.

Frontier defense uses a web crawler. Much like a search engine's crawler, it automatically fetches new software and websites on the Internet for analysis, and then uses various techniques in the cloud to assess the security level of the software or website. When a user visits, or downloads from, a website with a low security level, the antivirus software is triggered to raise its protection level.

At the same time, frontier defense divides files entering the user's computer into known and unknown files, and determines whether an unknown file is safe or a virus through signature analysis or behavior judgment.

6. Cloud security technology

Cloud security is not a single technique but an idea. The concept combines emerging technologies and ideas such as parallel processing, grid computing and unknown-virus behavior judgment. A large number of networked clients monitor software behavior for anomalies, obtain the latest information about Trojans and malicious programs on the Internet, and send it to servers for automatic analysis and processing; the resulting fixes for the viruses and Trojans are then distributed to every client.

These are the technologies used by mainstream antivirus software today. With them we can broadly classify the products: the advanced heuristics of NOD32, the cloud scanning of Jinshan (Kingsoft), the QVM of 360. Each has its strengths and weaknesses, and no product catches 100% of viruses, so use whichever you find comfortable. If you have good browsing habits, you won't get infected so easily!