Antivirus programs have developed in parallel with the evolution of viruses. As new technologies create viruses, is complicated and mathematical tools used in the development of anti-virus.
The first anti-virus algorithms were based on a comparison with the standard. This is a program in which the virus is determined by the classical core of a mask. The meaning of the algorithm is to use statistical methods. The mask should be, on the one hand, the small size of the file to a manageable size, and on the other – big enough to avoid false positives (when “a” is perceived as “foreign”, and vice versa).
The first anti-virus software, built on this principle (called crawlers, polyphagous), knew a number of viruses and know how to treat them. These programs were created in the following way: the developer, get the code of the virus (the virus code was initially static), was on the code unique mask (the sequence of bytes 10-15) and has made it into the database antivirus software. Antivirus program scans the files and, if found this sequence of bytes, it is concluded that the file is infected. This sequence (signature) was chosen so that it is unique and is not found in the normal data set.
The approaches described are used by most anti-virus software up to the mid 90’s, when the first polymorphic virus, which changes the body in unexpected advance algorithms. Then the signature method was added to the so-called processor emulator that allows to find the cipher and polymorphic viruses that do not have an explicit constant signature.
The principle of emulation processor is demonstrated in Fig. 1. If usually conditional chain consists of three main elements: CPU-OS software, the emulation processor emulator adds a chain. Emulator as it reproduces the program in a virtual space and reconstructs its original contents. The emulator is always able to stop the program, monitors its actions, not letting anything spoil, and causes anti-virus scanning kernel.
The second mechanism, introduced in the mid-90’s, and used by any antivirus program – is heuristic analysis. The fact that the device emulating a processor, which allows you to distillation of acts done by a test program that is not always possible to search for these actions, but can make some analysis and hypothesis of the “virus or a virus? ‘.
In this case, the decision is based on statistical approaches. A corresponding program is called a heuristic.
To reproduce, a virus must perform any action: copy in memory, write to the sector, etc. Heuristic analyzer (it is part of the antivirus engine) contains a list of such actions, scans the code is running, determine what it is doing, and based on that decides the program is a virus or not.