IObit Forum

What do Security programs Look For?


Toppack


I could not add this question to the original thread, so I started a new thread about it.

PING.EXE appears in my Windows Task Manager, and it pops right back up every time I press "End Process". It also won't let me delete the folder or files. NEED HELP!!!!

 

This brings up the question:

If a Virus or Malware program uses the 'Same name' as a valid Windows file,

how the heck can Security software determine which is real and which is not?

Do Security programs look at Other things in the Malware program,

Or is it by Name only?


enoskype,

Thanks for moving this thread to a normal forum.............But

I doubt that anyone will reply, with an answer,

with it stuck in this backwater hole? :roll::lol:

 

Oh well, maybe that's one of those things that Only the Programmers are meant to know ??? ;-)

If we users knew All the details, we would 'Be Very Afraid'! :cry:


Hi ya..

 

Depends on the malware made by a hack. The files: if you had, say, a real file compared to a hack, its signatures or size, generally it's coded different,

the file different from the real thing. Then a program analyses the difference, having the real signatures in its database, sees the rogue one is not the same, asking you to remove it. Now in some cases it could be a false alarm.

 

Mostly they are malformed and a scan picks this up, depending who made it. Some are very difficult to pick up, others stand out like a shining star.

 

 

Mr Bean


But, do All Security programs check in the Code?

How would a Security software programmer know what to check for, if it's a new Virus?

Do they have to analyze every new malware hack,

before they put them in the definitions-list?

(They certainly can't have comparison data for all the Valid software files, out there.)

I'm betting that Most don't do that much Detail comparison, unless they 'borrow' the list from other companies that have already done the hard work.

I'm wondering if some smaller security software companies Purchase their Definitions-Lists from several of the larger companies,

or maybe even Steal them. That type of 'borrowing' would be difficult to track.


hi again

Look, explaining the way it's done, well, I would sit here typing pages of the way it's done and you probably would get bored silly and say to yourself, ok.

 

Simply put.

A dog owner/breeder sees with years of experience if his dogs are healthy, and knows the signs if there is a problem or something is ailing the dog. The normal person can't see any problems in its behavior or movements, but the owner knows something is wrong and then seeks the fix. What happens is they allow systems to be hit, or send in virus or suspected files, then analyse the problem, make a cure to fix the virus, programming the antivirus to kill off the bug and its behavior.

Very simple answer; you probably knew anyhow. I have seen a programmer change things around while using it, on the fly, fixing cliches and its signatures, detecting a virus, till he got it right, and did not have an idea how or what he was doing.

As I am not a pro programmer, though he was telling and showing me every move he made, I only understood part of it.

I am a hobby programmer, and can change things about with limitations.

Mr Bean


I did an Internet search and can Not find any Information about how the Definitions-Lists are Actually created and who creates them. ???

I suppose they really want to 'Keep that a Secret'. :?

 

It's probably some kid at Microsoft, that makes All of them,

for All the other companies. :lol:


Hi

The lists of viruses or other forms of malware of course started by seeing which files/insertions created undesirable effects in the computer.

These lists are collected all the time from various sources - also reports by individuals.

One could call this method a simple search based on experience, where you decide what form of malware it is from the way it behaves.

The security companies of course tried to find ways to determine undesirable behaviour before that behaviour created undesirable effects in the operation of the computer.

They called this approach "heuristic"; this word comes from Greek and simply originally meant "search/find".

This approach can have a lot of parameters, but in the case of viruses it of course looks for infections that replicate themselves to spread the infection to either the rest of the computer or to other computers through the connections, e.g. mail/network.

This behaviour will often show as growth of the concerned file - and this can be checked by the anti-virus program by simply counting the zeroes and ones contained in the file (difference between the first check and subsequent checks).

You can also create strings that look for specific behaviour in a file.

This is just a simple explanation of how I view the search for undesirable elements in our computers.

Cheers

solbjerg


Hi Toppack

If a crime is committed in the US there are potentially >300 Mill. possibles - the 299,999,999 are what you could call false positives.

Cheers

solbjerg

 

 

But, if the Security programs Really do All that, why are there So Many False-positives?

Is what I don't understand.

I think It's because they don't Really do all the data comparisons and look for known malware Names only?


Hi Toppack

If toppack was registered in a list of allowed names - you would be okay :-)

If the security programs had a heuristic program with some parameters focusing on these specific letters, it would find toppack, which then would be vindicated by being white-listed; packpot, on the other hand, would be flagged as a possible malware, tackpop likewise, and they may both be false positives. You would have to have more parameters to decide one way or the other.

There is in this example a parameter that contains 7 specific letters - but not the order.

There are 7! (1*2*3*4*5*6*7) = 5040 ways to place those letters together and all but the one example toppack (which is white-listed) can be false positives.

Cheers

solbjerg

 

 

Okay.............................:shock:

 

I wish I was an expert program hacker, so I could Prove to myself

what is really going on, in Security software. :wink:


I think I understand what you are saying

but those are parameter possibilities in a NAME.

What I'm mainly trying to learn is what Other parameters and how many, if any, are compared to the malware black-list ?

Other than Just the Name.

 

I assume the Security program has to first try to find files in the black-list by comparing the Names,

then it would need to check other parameters.

It's what parameters and how many, is where I'm afraid most Security programs are Lacking in their thoroughness.


Hi TopPack

Anything you write is a character, e.g. FF (hex) is character (ÿ /255) (11111111 in binary notation).

The parameters probably look for specific behaviour primarily (this search string can be very long), e.g. sending some information like a tracking cookie.

In my previous example (toppack) (which wasn't so good, as it contains two p's, where the p's are interchangeable, which makes the number of possibilities smaller) the point was that it shows that with just the parameters in that example it will generate a lot of potentially false positives.

My further point is that it isn't easy to write parameters that will equivocally find "the bad guys"

When they have found "a bad egg" they can place it in the malware list - I think that generally every kilobyte of a definition file contains about 10 strings for a specific malware.

If the parameter looks for the word "send" it will find a lot of legitimate usage of that word too, but also some that may be a malware of some kind.

Cheers

solbjerg
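Two of solbjerg's heuristic ideas from this thread, worked through as an added example that is not code from the thread or from IObit: the earlier post's file-growth check (record the size at the first scan and compare on later scans) and this post's behaviour strings, including why a string as short as "send" throws false positives. The sample file contents, the two rules and the path names are all constructed for the demonstration.

```python
"""Two heuristic checks described in the thread, as an added example (not the forum's code):
1. file-growth detection: baseline each file's size at first sight, flag growth later;
2. behaviour-string rules, and why a single word like "send" over-matches.
All file contents, paths and rules below are constructed for the demonstration.
"""
import hashlib


class GrowthMonitor:
    """Remember each path's size and hash on first sight; report files that grew or changed."""

    def __init__(self):
        self.baseline = {}  # path -> (size_in_bytes, sha256 hex digest)

    def check(self, path, data):
        size, digest = len(data), hashlib.sha256(data).hexdigest()
        previous = self.baseline.get(path)
        if previous is None:
            self.baseline[path] = (size, digest)
            return "baselined"
        prev_size, prev_digest = previous
        if size > prev_size:
            # The "growth of the concerned file" solbjerg describes (measured in bytes here).
            return f"grew by {size - prev_size} bytes"
        if digest != prev_digest:
            return "changed, same size"
        return "unchanged"


# Constructed string rules: every byte sequence in the list must be present to match.
RULES = {
    "Heur.SendsData": [b"send"],                              # one word: too broad on its own
    "Heur.SendsData.Strict": [b"send", b"cookie", b"http"],   # several traits together
}


def match_rules(data, rules=RULES):
    """Return the names of rules whose byte sequences all occur in the file."""
    return sorted(name for name, needles in rules.items() if all(n in data for n in needles))


# Constructed sample files: a mail client legitimately contains the word "send".
MAIL_CLIENT = b"Compose message\x00Send\x00send later\x00Drafts"
TRACKER = b"collect cookie\x00http POST\x00send beacon every 60s"
WORD_PROCESSOR = b"File Edit View Help"


if __name__ == "__main__":
    monitor = GrowthMonitor()
    print(monitor.check("host.bin", b"A" * 100))                      # baselined
    print(monitor.check("host.bin", b"A" * 100 + b"appended code"))   # grew by 13 bytes
    for label, blob in (("mail", MAIL_CLIENT), ("tracker", TRACKER), ("wp", WORD_PROCESSOR)):
        print(label, match_rules(blob))
```

The single-word rule fires on the mail client as well as on the tracker, which is the false positive solbjerg describes; the stricter rule that demands several traits at once only fires on the tracker. Neither rule, nor the growth check, says anything about the file's name.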


You are probably correct.

There are just Too many Unknowns, as to how and where the different companies get their definition (black) lists, and what they check for,

that I cannot find answers for.


Hi Toppack

The lists are collected from many different sources - IObit itself has a thread that encourages people to send them what malware they have found (this gave some trouble a couple of years ago)

But a real anti-virus program in my opinion has to have a program that is able to find (heuristically or otherwise) a possible virus from the traits this virus exhibits - especially if it is a new, unknown form that is found for the first time.

In my opinion the lists of found malware ought to be shared by all for the benefit of common users.

The anti-virus company that had the best heuristically written engine would then be the best anti-virus company around.

Cheers

solbjerg

p.s. You know that we try to keep this forum free of advertising spam, much of this spam is sent out by spambots and after a very short while we know what parameters this spambot exhibits and take a closer look at the possible spam that exhibits these traits to decide whether they need a warning or if we can just ban them.

p.p.s. We have several more strings to our bow - but I won't divulge those for obvious reasons :-)
