Why some things are detected as "Virus".
To all noobs who allways claim everything is a virus.
Antivirus (I will refer to it by "AV") software checks files by using
definitions and heuristics, you have maybe heard of those two terms.
Definitions : a "list" of signatures (arrays of bytes) that are present in certain programs. These lists are what you download in AV updates.
Heuristics : These are "rules" defined by the AV that tell it what
behavior is subspicious. For example, openeing a Winsock connection and
then connecting without asking you is flagged as subspicious.
With that fairly clear (I hope), lets continue. Now, signatures are
generated in forms of array of byte. That means that every file that has
these bytes present are flagged as a virus.
Example of a Signature :
EB 01 68 EB 01 ?? ?? ?? ?? 83 EC 0C 53 56 57 EB 01 ?? 83 3D ?? ?? ?? ??
00 74 08 EB 01 E9 E9 56 01 00 00 EB 02 E8 E9 C7 05 ?? ?? ?? ?? 01 00 00
The ? are wildcards (?? resembles 8 bit, 8 bit = 1 byte). They can resmble any byte (00-FF), this is because
those are compiler variables and can change depending on how it is
Now, as you can maybe guess, it sometimes happens that AV companies (I
hate them seriously) mark certain API calls (API = Application
Programming Interface, part of windows on which every program builds up
on). As a result , every program using those calls is now flagged as
harmful - most AVs sign this behavior by calling the "Virus" something
Will add more soon.
Why some things are detected as "Virus". Discussions
|Title||Started By||Replies||Last Post|
|Cryfarm make a connection to an internet server||marmor15||2||
1 year ago
|CAUTION DO NOT READ! VIRUS||ntKid||1||
2 years ago
|View All Why some things are detected as "Virus". Discussions|