As detection gets more sophisticated, so do the virus writers. Many polymorphic and metamorphic viruses use anti-antivirus techniques, such as only executing on a specific day of the week, or activating only after a specific keystroke combination. Polymorphic viruses are encrypted with random keys every time they infect a file so they do not have a set pattern that can be recognized. For these viruses, researchers execute them in automated environments that run through series of day changes and other input or environment changes to attempt to force the virus to replicate or trigger malicious behavior. However, manual analysis is the only way certain types of viruses can be detected.
Once they execute and replicate, the virus code and its behaviors are analyzed and cataloged for ways to identify the virus with a software scanner (like products from Symantec, McAfee, Trend Micro, Panda, etc). In the lab, trained researchers can run and analyze an application for hours or days to determine its infection level or potential, but for consumers, detection has to be fast or they wont use the product.
Once they execute and replicate, the virus code and its behaviors are analyzed and cataloged for ways to identify the virus with a software scanner.
In our two-part series, well be looking more closely at the two types of detection that most if not all antivirus products use-- signature (or pattern) detection for exact matches, and heuristic scanning/behavior detection for extrapolated detection. Most systems use a combination of the two, and its hard to draw the line between them. Well cover signature detection in Part I and heuristic scanning in Part II.
While we wont discuss all the possibilities here, there are several other methods of combating viruses other than scanning. File and boot integrity checking by some products will record a checksum of key executables and system files, and will check for anomalies on boot or execution. Most CMOS BIOS systems now have a setting to monitor changes to boot records. Behavior blocking by many antivirus and security products, such as Network Associates and Pandas software can also watch for changes to boot records, as well as system files. Symantecs products offer script blocking that can stop malicious scripts before they do damage. Windows XP and 2000 will also watch for infection to system files as part of their System File Checker (SFC) ability, and logs changes. The SFC mechanism is meant to solve "DLL hell" when applications overwrite each other, though it is vulnerable to virus writers turning it off or avoiding infecting protected files. Windows Me and later versions of Windows have system file backups and the ability to roll back to prior system and file states, mostly for repairing problems caused by application installations that overwrite system DLLs. Unfortunately, there isnt always a warning when a system file is corrupted rather than overwritten.