How Does an Antivirus engine work? | Antivirus Engine
We are using Antivirus??But do u know how does it work???
Here we are talking about the core of antivirus program i.e. it’s engine.
The basic building blocks of an antivirus program are :
- Engine Core
- File System Interface
- Memory Scanner
- Update mechanism
The Engine core is the framework that keeps the entire software together. In essence it acts as the ‘glue’ and calls the external module when required. Usually scan engine frameworks already are there in place such as the Exchange antivirus Protection, that use various scan engines from various vendors, which directly called out to the framework. But some antivirus program utilize their own engines for added benefits along with really available scan engines like F-Prot or AVP. The engine core contains both signature and heuristic based scanners.
Traditionally, antivirus engines depended on scan string based technologies. The signature based scan engine searches for the presence of certain strings within given files often in found in certain regions only. If these strings are found, certain actions can be triggered like alarms. However, Signature based scanning only detects known malware and may not work against new attack mechanisms.
Heuristic scanning is like signature based scanning where instead of looking for specific strings in files it looks for a certain command or instructions in a program that aren’t found in a typical programs. Say for example in most cases virus are encrypted, so the heuristic scanner looks for a decryption loop and in case it does find a decryption loop it takes the decrypted code and runs it through an emulator to verify whether its actually malicious code or not. As a result of this mechanism heuristic based scanners have more chance of detecting previously unexamined, functionality such as the mechanism of replication of a virus, the payload of a trojan the distribution routine of a worm.
When you submit a file to Antivirus for scanning, it goes through a complex series of steps of fetching the files, scanning based on signature and/or heuristic and then further processing it based on the outcome.
Antivirus software is are all about files, in fact the better part of their operations are spent on processing file. This block or module is a major bottleneck and hence is very carefully designed. In most cases,one layer is there called abstraction layer between the file system and the core AV engine, this layer is included for conditional compilation. The memory scanning blocks scans the RAM for malicious code, and halts execution of the program in question. But more or less the memory scanning component does not fall under the preview of the core engine.
Emulators are used by the engine to check whether the code is malicious or not. It’s a virtualized environment in which the code is executed by the AV engine. Based on the instructions running inside the emulator it determines whether it has any malicious functionality or not. Another important module is the update module which updates the software so that it can deal with the latest threats, the update mechanism is usually in two part choices of update functionality: update data files and update executable code or update data files. The data files are usually virus definitions or signatures while it’s more complicated to update the executable code when the actual modules are replaced.