Signature Detection








Signature-based virus detection is the basis of all current AV products. Originally designed to catch primitive viruses that infected DOS .COM files, a signature literally contains chunks of the virus's executable code. Signatures are created in the antivirus vendors' labs in a semi-automated process of virus analysis. The goal is a signature specific enough that it matches only its virus and never any other (possibly innocent) executable. This approach lets the antivirus pin down the specific virus and, possibly, its variant or version.


However, this approach has several disadvantages. Perhaps the most important is the overly specific nature of each signature: it focuses on the superficial, syntactic appearance of one particular virus's code rather than reasoning about the code's semantics, that is, stepping away from how the code looks, understanding what it actually does, and asking whether its behaviour resembles anything malicious seen in earlier malware or defined as malicious by the current system policy.


Nevertheless, the signature-based approach still forms the core of virus detection, effectively filtering out the plethora of well-known, well-studied, unsophisticated attacks. It provides the basis of antivirus protection: solid, reliable, low-false-positive detection of previously seen malware. Because of that narrow scope, this technology must be used in conjunction with other methods in order to address novel and more complex viruses.
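To make the mechanism and the trade-off described above concrete, here is a minimal byte-signature scanner. It is an added example, not code from the original article or from any antivirus product. Signatures are written in the hex-pattern style many engines use, where `??` stands for any single byte. All signature patterns and sample buffers below are constructed for this illustration and correspond to no real malware. The example goes slightly beyond the text by contrasting an exact signature with a wildcarded "generic" signature for the same family, which is how signature authors trade specificity (few false positives) against coverage of variants.

```python
import re
from typing import Dict, List

# Signature database: name -> hex pattern. "??" matches any single byte.
# Every pattern here is CONSTRUCTED for the example; none matches real malware.
SIGNATURES: Dict[str, str] = {
    # Exact signature: every byte of the excerpt must match.
    "Example.Worm.A":     "E8 00 00 00 00 5B 81 EB 10 20 40 00 8D 83",
    # Generic signature for the same family: the four-byte displacement that
    # differs between builds is wildcarded, so variants still match.
    "Example.Worm.A.gen": "E8 00 00 00 00 5B 81 EB ?? ?? ?? ?? 8D 83",
    "Example.Dropper.B":  "4D 5A 90 00 DE AD BE EF ?? ?? CA FE",
}


def compile_signature(pattern: str) -> "re.Pattern[bytes]":
    """Turn a hex pattern with '??' wildcards into a compiled bytes regex."""
    parts: List[bytes] = []
    for tok in pattern.split():
        if tok == "??":
            parts.append(b".")                      # any one byte
        else:
            parts.append(re.escape(bytes([int(tok, 16)])))
    # DOTALL so the wildcard also matches a 0x0A byte.
    return re.compile(b"".join(parts), re.DOTALL)


COMPILED = {name: compile_signature(p) for name, p in SIGNATURES.items()}


def scan(data: bytes) -> List[str]:
    """Return the names of every signature found in data (empty list if clean)."""
    return [name for name, rx in COMPILED.items() if rx.search(data)]


# --- Constructed sample buffers (not real files) ---------------------------
# A "known" sample whose code excerpt matches the exact signature.
SAMPLE_WORM = (
    b"MZ\x00\x00" + b"\x90" * 8
    + bytes.fromhex("E8000000005B81EB102040008D83")
)
# A hypothetical rebuilt variant: same code, different displacement bytes.
SAMPLE_VARIANT = (
    b"MZ\x00\x00" + b"\x90" * 8
    + bytes.fromhex("E8000000005B81EB552010008D83")
)
# An innocent-looking buffer that should match nothing.
BENIGN = b"MZ\x90\x00This program cannot be run in DOS mode.\r\n$" + b"\x00" * 16


if __name__ == "__main__":
    for label, buf in (("worm", SAMPLE_WORM),
                       ("variant", SAMPLE_VARIANT),
                       ("benign", BENIGN)):
        print(f"{label:8s} -> {scan(buf) or 'clean'}")
```

Running it shows the point the article makes: the exact signature identifies the known sample precisely but misses the rebuilt variant, the generic signature catches both, and the benign buffer triggers neither. Widening a pattern buys coverage at the cost of the very specificity that keeps false positives low, which is why signature writers keep patterns as tight as a family allows and rely on other detection methods for anything not yet seen.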