Friday, June 3, 2011

How does antivirus software work and detect viruses

Hello friends, today I will explain how antivirus software works and detects viruses. Most of you already know what an antivirus is, but have you ever tried to understand how it works and why it needs regular updates? How does it search for viruses, detect one inside a file, and then remove it or heal the file? Antivirus operation rests on two basic technologies:
1. Dictionary-based continuous and fragmented string search
2. Suspicious activity detection (process manipulation)

[Figure: How antivirus software works]

So friends, let's start learning how an antivirus works: how it detects viruses and then eliminates or heals them.

Dictionary-based continuous and fragmented string search:

As the technique's name suggests, the dictionary is the virus definitions database, which is updated as soon as a new virus is found (found, that is, by the second technique). In dictionary-based search the antivirus compares the contents of a file with the strings held in its virus definitions database.
Now consider a hypothetical example for better understanding. Suppose you have a file whose code is something like below:
When a virus infects a file, it manipulates the original file and adds some extra code or functionality to it, so the behaviour of the file changes, that is, it differs from its normal functioning. After infection the file becomes something like this:
where 012345 is the string the virus has attached to the file after infection.
The antivirus database contains that 012345 string. The scanner matches the strings in its database against the strings in the program's code, and if one matches it identifies the file as a virus.
Note: All this processing is done on the binary form of the code, and sometimes on the executable itself.
If you manipulate the virus string, that is 012345, and add some dead code between its characters, something like below:
0a1a2a3a4a5a, what we have done is added 'a' between the characters of the virus string, but attached in such a way that 'a' does not affect the processing of the string (the virus). That means we have made a new virus: this string is not in the antivirus database, so it is not detected by the antivirus.
How can you add dead code? Consider just this string, 0a1a2a3a5a: read it character by character, and whenever the character 'a' is found skip it, otherwise concatenate the character into a new variable and use that variable in the further processing of the code. This is how we make any virus undetectable.
Note: The suspicious activity technique may still detect this, since the functionality of the virus string is unchanged.

That is the main reason why an antivirus needs regular updates: antivirus companies add newly detected strings to their database daily so that users stay protected.
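As an added illustration (not code from the original post), here is a toy signature scanner in Python that runs the two dictionary lookups named above over constructed sample files, including the page's hypothetical 012345 string and its padded form; the gap-tolerant "fragmented" matcher is my reading of that term, since the post does not define it. It also shows the cost of gap tolerance: a harmless version string trips the fragmented lookup, which is the false-positive trade-off a real engine has to manage.

```python
import re

# Constructed signature database: the page's hypothetical virus string "012345".
SIGNATURES = {"hypothetical.virus.A": b"012345"}

# Constructed sample files (byte strings standing in for executables).
CLEAN_FILE = b"MZ\x90\x00 ordinary program body, nothing to see"
INFECTED_FILE = b"MZ\x90\x00 ordinary program body 012345 appended by virus"
PADDED_FILE = b"MZ\x90\x00 ordinary program body 0a1a2a3a4a5a appended"
FALSE_POSITIVE_FILE = b"MZ\x90\x00 build 0.1.2.3.4.5 ok"


def continuous_scan(data: bytes, sigs=SIGNATURES) -> list:
    """Plain dictionary lookup: the signature must appear as one contiguous run."""
    return [name for name, sig in sigs.items() if sig in data]


def fragmented_scan(data: bytes, sigs=SIGNATURES, max_gap: int = 4) -> list:
    """Gap-tolerant lookup: up to max_gap arbitrary bytes may sit between
    consecutive signature bytes. This is an assumed reading of the article's
    'fragmented string search'; real engines express this with wildcards."""
    hits = []
    for name, sig in sigs.items():
        gap = b".{0,%d}" % max_gap
        pattern = gap.join(re.escape(bytes([b])) for b in sig)
        if re.search(pattern, data, re.DOTALL):
            hits.append(name)
    return hits


def scan(data: bytes, sigs=SIGNATURES) -> dict:
    """Run both lookups so the trade-off is visible side by side."""
    return {"continuous": continuous_scan(data, sigs),
            "fragmented": fragmented_scan(data, sigs)}


if __name__ == "__main__":
    samples = [("clean", CLEAN_FILE), ("infected", INFECTED_FILE),
               ("padded", PADDED_FILE), ("false positive", FALSE_POSITIVE_FILE)]
    for label, blob in samples:
        print(f"{label:15s} {scan(blob)}")
```

The padded sample slips past the contiguous lookup but not the gap-tolerant one; the version-string sample shows why a short, loose signature would flood users with alerts.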

We can also bypass this using crypters, but as we are elite hackers and not script kiddies, I prefer to do this by manual editing rather than with tools. If you do it with tools you will never learn how it actually happens, and the day the crypter becomes detectable your virus becomes detectable too. So friends, I recommend that you never depend on tools for hacking, for two reasons:
1. You will never learn what is really happening in real time; that means no knowledge, and when the tool becomes detectable you are a noob again.
2. Most tools available are already infected with keyloggers and spy trojans that inspect your system and send your personal credentials to the hackers who created them.

Suspicious activity detection:

This is the most effective method for detecting malfunctioning in your system, because it is not based on any search technique; instead it depends on the behaviour of programs and files, that is, how they act while they are executed. The antivirus first establishes the normal behaviour of a file or program, what it should do when run without infection. If a file or program then does any illegal processing, such as tampering with the integrity and protection of Windows files, the antivirus identifies that file as a virus and terminates the program and the processes related to it. That is the reason why it detects patches and key-gens as viruses: they try to manipulate files by breaking their integrity.
The main drawback of this technique is that it is quite annoying, because it sometimes flags normal files as viruses too; but if you want to keep your PC safe you need to do what your antivirus suggests.
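An added example, not from the original post, of the baseline-then-compare idea: a toy behaviour monitor in Python that records what a program touches during a clean run and flags later actions that write to protected Windows directories or rewrite executables. The event records, paths and the protected-directory list are all constructed for the demonstration; a real product receives such events from a kernel or API hooking layer rather than a list.

```python
from pathlib import PureWindowsPath

# Constructed: directories the toy monitor treats as protected system locations.
PROTECTED_DIRS = [PureWindowsPath(r"C:\Windows")]

# Constructed event logs: (operation, path) pairs as a hooking layer might report.
CLEAN_RUN = [
    ("read", r"C:\Users\me\notes.txt"),
    ("write", r"C:\Users\me\notes.txt"),
    ("read", r"C:\Windows\System32\sysfile.dll"),   # loading a system DLL is normal
]
INFECTED_RUN = CLEAN_RUN + [
    ("write", r"C:\Windows\System32\sysfile.dll"),  # rewriting it is not
    ("write", r"C:\Program Files\Editor\editor.exe"),
]


def is_protected(path: str) -> bool:
    """True if path lies under a protected directory (case-insensitive, as on Windows)."""
    p = PureWindowsPath(path)
    return any(d == p or d in p.parents for d in PROTECTED_DIRS)


def baseline(events) -> set:
    """Record what the program did during a known-clean run."""
    return {(op, path.lower()) for op, path in events}


def suspicious(events, known) -> list:
    """Flag actions absent from the baseline that touch protected files or
    rewrite executables; a product would terminate the process and escalate.
    A legitimate updater rewriting its own .exe is flagged too, which is the
    false-positive annoyance the article mentions."""
    findings = []
    for op, path in events:
        if (op, path.lower()) in known:
            continue
        if op in ("write", "delete") and is_protected(path):
            findings.append(f"{op} on protected system file {path}")
        elif op == "write" and path.lower().endswith(".exe"):
            findings.append(f"{op} rewrites executable {path}")
    return findings


if __name__ == "__main__":
    known = baseline(CLEAN_RUN)
    print("clean run   :", suspicious(CLEAN_RUN, known))
    print("infected run:", suspicious(INFECTED_RUN, known))
```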
Also note one more thing: 99% of the patches and key-gens that you use to crack software are already infected with trojans, identity-theft programs that steal your personal information and send it to hackers. Some patches also contain backdoors that leave your system open to attack, similar to leaving your house's main gate open for thieves at night....:P but it's the truth...

So the lesson from this article: stop using pirated software and cracks to patch it, otherwise you can be in great trouble. The solution is simple: use trusted freeware as an alternative to paid tools rather than their cracked versions...
I hope you all liked it.... If you have any queries, ask me in the comments...


  1. Please tell us a good freeware antivirus that performs both database and process manipulation techniques.....

  2. nice post n well it!!

  3. I really like it when you post these sort of informative posts :)

  4. Very nice post, but one thing I didn't get is how do the antivirus programmers find the newly found viruses and add them to their database..??? How do they get to know about these new viruses..??

  5. Antivirus finds new viruses using suspicious activity detection... as a file or program will behave differently when a virus is attached to it.. This is found by comparing the current functionality with the functionality in normal condition, that is, without infection..

  6. OH! Then for this the AV people must have to test each and every software released and check it for suspicious activity to find the viruses.. :P
    Anyhow, thanks for the great info sir..!

  7. @srikanth

    There are several tools that convert exe files into assembly-level or machine-language code, from which they find the basic functionality of the program when it is running, like which files it opens in read, write or execute mode. Now if the program tries to modify some of the Windows files (files in the Windows folder and the System32 folder) or tries to change the functionality of existing files, the antivirus counts it as suspicious activity; that program is then investigated thoroughly to get the malicious code out of it, and that malicious string is added to the antivirus database..

    And you receive that in form of antivirus updates..
    I think now you have got your answer..:)

  8. Nice, sir. But you also provide lots of tools in your posts. Do those tools also contain trojans or not?

  9. Hi Sir...
    I'm using Windows Vista. I have had a problem for the last few days: my processor usage is almost 100% even when I'm not doing any work on my laptop. I rebooted my laptop using Avast antivirus two times, still the problem is the same. Please help me, my system is working very slowly.

  10. This article is good, but my friend I want to ask you how the antivirus companies detect how many machines/systems have been used for a single key. How do they limit the number of uses of a single licensed key? Please reply brother, as this is my research topic. Pl visit my idea about how to trace stolen laptop in Your comments and suggestions are needed for the betterment of my research.

  11. Dear Lokesh,
    I wanted to know something about antivirus in my previous comment but I have not got your help, my brother. Please help me.

  12. Good job friend, but we have to read these posts online. Can you also post this information in PDF format, so that we can read your posts offline too, as they are important for us.. Thank you..



Designed by Hackingloops.