|written 10 months ago by||• modified 10 months ago|
|written 10 months ago by|
There are several methods which antivirus scanners can use to identify malwares:
Signature-based detection: To identify malwares, AV compares the contents of a file to its database of known malware signatures.
Heuristic-based detection: Detects malware based on characteristics typically used in known malwares.
Behavioral-based detection: This is based on the behavioral aspects of the malware at run time. This technique can detect (known or unknown) malware based on their behaviors.
Data mining techniques: Data mining and machine learning algorithms are used to try to classify the behavior of a file or an http link (as either malicious or benign) given a series of extracted features.
Scanners of antiviruses or anti-malwares search files or packets using a set of predefined signatures to determine if those files or packets are malicious.
Those signatures are the known, from previous knowledge, patterns of malicious files.
Some signatures can represent simple pattern-matching techniques (e.g., finding a specific string, CRCs (checksums), or MD5 hashes).
Those simple signatures may work in some cases. Other fuzzy logic-based signatures, such as applying the CRC algorithm on specific chunks of data (as opposed to hashing the whole file), can also identify various files (Koret and Bachaalany 2015).
Most notable AV signatures include (Koret and Bachaalany 2015):
Byte-streams: The simplest form of an antivirus signature is a byte-stream that is specific to a malware file.
Checksums: The most typical signature-matching algorithm is used by almost all existing AV engines and is based on calculating CRCs.
Cryptographic hashes: A cryptographic hash function generates a “signature” that univocally identifies one buffer and just one buffer, which thus reduces producing a false-positive result.
Fuzzy hashing: A fuzzy hashing signature is the result of a hash function that aims to detect groups of files instead of just a single file, such as the cryptographic hash functions’ counterparts do.