Signature scanning
Question
Many antivirus programs use signature-based malware detection. Here is how signatures are created for ClamAV. I can understand how they create signatures when the whole file is malware, but I couldn't understand how to find malware when it is in the body of a file, since the hash would be different. Does anybody know?
Recommended answer
My answer is not specific to ClamAV; instead I've answered in a general sense. Maybe this is helpful for you.
First of all, a virus signature is not necessarily a hash value of a file. A signature is usually a string of bits found in a file, although a hash value could also be used as a signature.
Suppose, for example, that a virus contains the string of bits 0x23956a58bd910345. We can consider this string to be a signature of the virus, and we can search for this signature in the files on a system. However, even if we find the signature, we can't be certain that we've found the virus, since other innocent files could contain the same string of bits.
It's interesting to note that if the bits in files were random, the chance of such a false match would be negligible, at 1/2^64. (reference)
There are many ways to generate signatures and/or features for malware detection. Learn more here.
Also, there are other ways to detect viruses:
1 Anomaly detection - also known as behaviour analysis - tracks the activities of an executable, such as:
- Modified or created files
- Registry modifications
- Which DLLs were loaded before execution
- Accessed virtual memory
- Created processes
- Network connections opened and the packets transmitted
- Which storage areas the malware accessed, installed services and kernel drivers, as well as other information
(reference)
2 Change detection - a file that unexpectedly changes may indicate an infection.
How can we detect changes? Hash functions are useful in this regard. Suppose we compute hashes of all files on a system and securely store these hash values. Then, at regular intervals, we can recompute the hashes and compare the new values with the previously stored values. If a file has changed in one or more bit positions — as it might in the case of a virus infection — we'll find that the newly computed hash does not match the previously computed hash value.
There are many disadvantages to change detection. Files on a system often change due to normal system functions rather than malicious behaviour. As a result, change detection is likely to yield many false positives, which places a heavy burden on users and administrators. If a virus is inserted into a file that changes often, it will likely slip through a change detection regimen. [reference: Mark Stamp's book Information Security]
And you are right to think that a hash mechanism is a weak method for detection.
In my research work, I compared and classified more than 2000 real viruses using 14 antivirus tools, and I found that ClamAV is very bad at detecting viruses! Here is the link for a paper describing MOMENTUM.
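The answer above covers two techniques in prose: body signatures (a string of bits found anywhere in a file, as opposed to a whole-file hash) and change detection (a stored hash baseline that is periodically recomputed). The following is an added example written for this page; it is not ClamAV's code nor the answerer's. It assumes a small subset of ClamAV's hex-signature syntax (two hex digits per byte, `??` for any single byte, `*` for any run of bytes), constructed in-memory "files" in place of a real filesystem, and hypothetical signature names. It shows why the question's whole-file hash fails and the body signature does not: appending a virus body to a host program changes the file's hash, but the signature bytes are still found at an offset inside the file.

```python
"""Added example (not ClamAV's code): body signatures vs. whole-file hashes."""
import hashlib
import re

# Constructed sample signatures, written in a small subset of ClamAV's hex-signature
# syntax (an assumption for this example): two hex digits match one byte,
# '??' matches any single byte and '*' matches any run of bytes.
SIGNATURES = {
    "Example.Virus.A": "23956a58bd910345",               # the bit string from the answer
    "Example.Virus.B": "4d5a????????50450000*deadbeef",  # "MZ", 4 bytes, "PE\0\0", ..., marker
}


def compile_signature(hexsig: str) -> re.Pattern:
    """Translate a hex signature into a compiled regex over bytes."""
    parts = []
    i = 0
    while i < len(hexsig):
        if hexsig[i] == "*":
            parts.append(b".*?")
            i += 1
        elif hexsig[i:i + 2] == "??":
            parts.append(b".")
            i += 2
        else:
            if i + 2 > len(hexsig):
                raise ValueError(f"odd-length hex signature: {hexsig!r}")
            parts.append(b"\\x%02x" % int(hexsig[i:i + 2], 16))  # one literal byte
            i += 2
    return re.compile(b"".join(parts), re.DOTALL)


COMPILED = {name: compile_signature(sig) for name, sig in SIGNATURES.items()}


def scan_bytes(data: bytes) -> list[tuple[str, int]]:
    """Return (signature name, offset) for each signature found anywhere in data.

    Unlike a whole-file hash, this still matches when the malicious bytes are
    embedded in, or appended to, an otherwise different file."""
    hits = []
    for name, pattern in COMPILED.items():
        match = pattern.search(data)
        if match:
            hits.append((name, match.start()))
    return hits


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_baseline(files: dict[str, bytes]) -> dict[str, str]:
    """Change detection, step 1: hash every file and keep the result somewhere safe."""
    return {path: sha256_hex(content) for path, content in files.items()}


def detect_changes(baseline: dict[str, str], files: dict[str, bytes]) -> list[str]:
    """Step 2: rehash and report files whose hash differs from the baseline (or are new)."""
    return sorted(path for path, content in files.items()
                  if baseline.get(path) != sha256_hex(content))


# Constructed in-memory "filesystem": a clean host program, and the same program
# after a virus body has been appended to it.
CLEAN_HOST = b"MZ\x90\x00\x03\x00PE\x00\x00" + b"legitimate code " * 8
INFECTED_HOST = (CLEAN_HOST + b"\x90" * 16
                 + bytes.fromhex("23956a58bd910345") + b"\xde\xad\xbe\xef")


def demo() -> dict:
    """Run both detection methods over the constructed files."""
    files = {"/bin/host": CLEAN_HOST}
    baseline = build_baseline(files)          # taken while the system is clean
    files["/bin/host"] = INFECTED_HOST        # the infection modifies the file in place
    return {
        "clean_hits": scan_bytes(CLEAN_HOST),
        "infected_hits": scan_bytes(INFECTED_HOST),
        "whole_file_hash_changed": sha256_hex(CLEAN_HOST) != sha256_hex(INFECTED_HOST),
        "changed_files": detect_changes(baseline, files),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running it reports no hits on the clean host, both signatures on the infected copy (Virus.A at the offset where the appended body begins, Virus.B at offset 0 because its wildcard spans the whole host), a changed whole-file hash, and `/bin/host` flagged by change detection. Two practical caveats follow from the answer's text: a per-signature regex pass is fine for a demonstration but does not scale to a database of hundreds of thousands of signatures, which is why engines such as ClamAV use multi-pattern matchers (Aho-Corasick and Boyer-Moore style) that scan a file once; and the change-detection baseline is only as trustworthy as its storage, so it has to live somewhere the malware cannot rewrite it.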