Why some things are detected as "Virus".

Submitted: 1 year ago (02.25.2011) | Thanks: 1 | Views: 2,098

Description

To all noobs who always claim everything is a virus:
READ THIS.

Instructions

Antivirus (I will refer to it as "AV") software checks files by using
definitions and heuristics; you have maybe heard of those two terms.

Definitions : a "list" of signatures (arrays of bytes) that are present in certain programs. These lists are what you download in AV updates.

Heuristics : These are "rules" defined by the AV that tell it what
behavior is suspicious. For example, opening a Winsock connection and
then connecting without asking you is flagged as suspicious.

With that fairly clear (I hope), let's continue. Now, signatures are
generated in the form of arrays of bytes. That means that every file that
has these bytes present is flagged as a virus.

Example of a Signature :

EB 01 68 EB 01 ?? ?? ?? ?? 83 EC 0C 53 56 57 EB 01 ?? 83 3D ?? ?? ?? ??
00 74 08 EB 01 E9 E9 56 01 00 00 EB 02 E8 E9 C7 05 ?? ?? ?? ?? 01 00 00
00

The ? characters are wildcards (?? represents 8 bits, and 8 bits = 1 byte). A wildcard can
match any byte (00-FF). This is because those positions hold compiler-dependent
values (addresses, constants) that change depending on how the program is
compiled.
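To show how such a definition is actually applied, here is an added example (not code from the original guide) that parses a signature in the format shown above, with ?? as a one-byte wildcard, and scans a buffer for it the way a signature engine would. The sample buffers are constructed for the example; the only real data is the signature quoted above.

```python
import re
from typing import List, Optional

# Added example: wildcard byte-signature matching as the guide describes it.
# "??" stands for any single byte (00-FF); all buffers here are constructed.

def parse_signature(sig: str) -> List[Optional[int]]:
    """Turn "EB 01 ?? 83" into [0xEB, 0x01, None, 0x83]; None is a wildcard."""
    pattern: List[Optional[int]] = []
    for tok in sig.split():
        if tok == "??":
            pattern.append(None)
        elif re.fullmatch(r"[0-9A-Fa-f]{2}", tok):
            pattern.append(int(tok, 16))
        else:
            raise ValueError(f"bad signature token: {tok!r}")
    return pattern

def find_signature(data: bytes, sig: str) -> int:
    """Offset of the first match of sig in data, or -1 if it is absent.

    A wildcard slot accepts whatever byte is there, which is why values that
    change between builds (addresses, immediates) are written as ?? in
    real definitions instead of breaking the match.
    """
    pattern = parse_signature(sig)
    n = len(pattern)
    for offset in range(len(data) - n + 1):
        if all(p is None or p == data[offset + i] for i, p in enumerate(pattern)):
            return offset
    return -1

# The signature quoted in the guide above.
GUIDE_SIGNATURE = (
    "EB 01 68 EB 01 ?? ?? ?? ?? 83 EC 0C 53 56 57 EB 01 ?? 83 3D ?? ?? ?? ?? "
    "00 74 08 EB 01 E9 E9 56 01 00 00 EB 02 E8 E9 C7 05 ?? ?? ?? ?? 01 00 00 00"
)

def build_sample(fill: int) -> bytes:
    """Constructed buffer: 16 bytes of padding, then the signature with every
    wildcard slot set to `fill` (a different 'compilation' each time)."""
    body = bytes(fill if p is None else p for p in parse_signature(GUIDE_SIGNATURE))
    return b"\x90" * 16 + body + b"\xc3" * 4

if __name__ == "__main__":
    for fill in (0x00, 0x41, 0xFF):
        print(hex(fill), find_signature(build_sample(fill), GUIDE_SIGNATURE))  # 16
    print(find_signature(b"\x90" * 64, GUIDE_SIGNATURE))  # -1
```

Whatever bytes sit in the wildcard slots, the match lands at the same offset, which is exactly why one definition can hit several differently compiled builds of the same code.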

Now, as you can maybe guess, it sometimes happens that AV companies (I
hate them seriously) write signatures for certain API calls (API = Application
Programming Interface, the part of Windows that every program builds
on). As a result, every program using those calls is now flagged as
harmful - most AVs label this kind of generic detection by calling the "Virus" something
like :

CRYPT/xxxxxx

HEUR/xxxxx

GENERAL/xxxxx

W32/xxxxxxx

PACKER/xxxxxx

Will add more soon.
