How does antivirus avoid detecting non-malicious code?

Let's say I created a file compression library, and this library was used in 1000 (non-malware) programs. But now the malware developer decided to create a malware program and use my library to compress some files.

Based on my limited knowledge of how antivirus works, it selects a group of byte strings from the malware and saves them in its database. Then, when the antivirus scans a program and finds these byte strings, it warns the user that it is a malicious program.

But what if the antivirus selected a byte string that matches part of my library code? Does this mean that my library is now detected as malware (and, therefore, that the 1000 non-malware programs are now detected as malware too)?

+5
3 answers

If an antivirus program flagged a widely used piece of code as malicious, then yes, it would (incorrectly) detect many programs as malware. But malware signatures are not randomly selected; they are developed by human analysts who study the malware to find out what it does and how it works. These analysts try to base a signature on what is actually specific to the malware, not on a piece of code from an unrelated library that happens to be included in it.

+2
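To make concrete what the question and the first answer describe, here is a toy byte-signature scanner (an added example, not code from the original thread or from any real antivirus engine). Everything in it is constructed: `SHARED_LIB` stands in for the compression library linked into many programs, `MALWARE_PAYLOAD` for the bytes only the malicious program has, and the three "programs" are just byte blobs. It shows that a signature cut blindly from the malware sample can land on library bytes and flag every clean program that uses the library, whereas a signature restricted to bytes absent from a benign corpus flags only the malware.

```python
"""Toy byte-string signature scanner (constructed example, not a real AV engine)."""
from dataclasses import dataclass
from typing import Iterable, List, Set

# Constructed stand-ins: a shared compression library and a malware-only payload.
SHARED_LIB = b"\x55\x48\x89\xe5COMPRESS-LIB-v1\x5d\xc3"
MALWARE_PAYLOAD = b"\xe8\x00\x00\x00\x00EVIL-PAYLOAD-DROPPER\x90\x90"

# Constructed "programs": two clean tools that link the library, and one
# malicious program that links the same library plus its own payload.
PROGRAMS = {
    "archiver": SHARED_LIB + b"\x31\xc0\xc3",
    "backup-tool": b"\x90" * 8 + SHARED_LIB,
    "dropper": SHARED_LIB + MALWARE_PAYLOAD,
}


@dataclass(frozen=True)
class Signature:
    name: str
    pattern: bytes  # byte string the scanner looks for


def scan(program: bytes, signatures: Iterable[Signature]) -> List[str]:
    """Return the names of all signatures whose byte string occurs in the program."""
    return [sig.name for sig in signatures if sig.pattern in program]


def false_positives(signatures: Iterable[Signature], programs: dict,
                    known_malicious: Set[str]) -> Set[str]:
    """Names of programs NOT known to be malicious that the signature set flags."""
    sigs = list(signatures)
    return {name for name, blob in programs.items()
            if name not in known_malicious and scan(blob, sigs)}


def benign_ngrams(benign_corpus: Iterable[bytes], n: int = 4) -> Set[bytes]:
    """Every n-byte substring that occurs somewhere in the clean programs."""
    grams = set()
    for blob in benign_corpus:
        for i in range(len(blob) - n + 1):
            grams.add(blob[i:i + n])
    return grams


def malware_specific_region(sample: bytes, benign_corpus: Iterable[bytes],
                            n: int = 4) -> bytes:
    """Analyst-style signature selection: the longest run of the sample in which
    no n-byte substring appears in any clean program. Bytes shared with the
    library are excluded by construction, so the signature cannot fire on them."""
    seen = benign_ngrams(benign_corpus, n)
    clean = [sample[i:i + n] not in seen for i in range(len(sample) - n + 1)]
    best_start, best_len = 0, 0
    i = 0
    while i < len(clean):
        if not clean[i]:
            i += 1
            continue
        j = i
        while j < len(clean) and clean[j]:
            j += 1
        if j - i > best_len:
            best_start, best_len = i, j - i
        i = j
    if best_len == 0:
        return b""
    return sample[best_start:best_start + best_len + n - 1]


if __name__ == "__main__":
    # Naive signature: 12 bytes cut from the dropper without checking what they are.
    naive = [Signature("naive", PROGRAMS["dropper"][4:16])]  # lands on "COMPRESS-LIB"
    print("naive false positives:", sorted(false_positives(naive, PROGRAMS, {"dropper"})))

    # Curated signature: only bytes no clean program contains.
    benign = [blob for name, blob in PROGRAMS.items() if name != "dropper"]
    curated = [Signature("curated", malware_specific_region(PROGRAMS["dropper"], benign))]
    print("curated false positives:", sorted(false_positives(curated, PROGRAMS, {"dropper"})))
    print("dropper detections:", scan(PROGRAMS["dropper"], curated))
```

The n-gram check is the part that matters: with a benign corpus of only two programs it is a crude proxy for the analyst's judgement of "what is specific to this malware", and the window boundary can still pick up a few trailing library bytes, but any signature it produces is guaranteed not to match the clean corpus it was checked against.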

There are two types of malware detection methods. The first is file signatures: for example, Kaspersky receives a huge amount of malicious code every day, which is analyzed by its experts, who then generate a signature for each sample. When a file is analyzed by the antivirus, it compares the file's signature against all signatures in its database and then returns the result to the user. The second way to identify malware is to use data mining techniques, which take as input the results of static and dynamic analysis of the software and then return a result. In this case it can return a false positive, depending on the antivirus.

+1

If you are the author of a legitimate lib, and some malicious guys use your lib, and AVs begin to detect clean programs that use your lib, then the only way to deal with this is to contact the AV companies and tell them to remove the detection from your library. They can do the detection by the malicious code, not by the library code. Check each AV website for complaints or contact support.

+1

Source: https://habr.com/ru/post/1246284/
