antivirus - How do AV engines search files for known signatures so efficiently? -

-

data in form of search strings continue grow new virus variants released, prompts question - how av engines search files known signatures efficiently? if download new file, av scanner rapidly identifies file being threat or not, based on signatures, how can quickly? i'm sure point there hundreds of thousands of signatures.

update: tripleee pointed out, aho-corasick algorithm seems relevant virus scanners. here stuff read:

http://www.dais.unive.it/~calpar/aa07-08/aho-corasick.pdf

http://www.researchgate.net/publication/4276168_generalized_aho-corasick_algorithm_for_signature_based_anti-virus_applications/file/d912f50bd440de76b0.pdf

http://jason.spashett.com/av/index.htm

aho-corasick-like algorithm use in anti-malware code

below old answer. still relevant detecting malware worms make copies of themselves:

i'll write of thoughts on how avs might work. don't know sure. if thinks information incorrect, please notify me.

there many ways in avs detect possible threats. 1 way signature-based detection.

a signature unique fingerprint of file (which sequence of bytes). in terms of computer science, can called hash. single hash take 4/8/16 bytes. assuming size of 4 bytes (for example, crc32), 67 million signatures stored in 256mb.

all these hashes can stored in signature database. database implemented balanced tree structure, insertion, deletion , search operations can done in o(logn) time, pretty fast large values of n (n number of entries). or else if lot of memory available, hashtable can used, gives o(1) insertion, deletion , search. can faster n grows bigger , hashing technique used.

so antivirus calculates hash of file or critical sections (where malicious injections possible), , searches signature database it. explained above, search fast, enables scanning huge amounts of files in short amount of time. if found, file categorized malicious.

similarly, database can updated since insertion , deletion fast too.

you read these pages more insight.

which faster, hash lookup or binary search?

https://security.stackexchange.com/questions/379/what-are-rainbow-tables-and-how-are-they-used


Comments

Post a Comment

Popular posts from this blog

c++ - Function signature as a function template parameter -

-
i'd use function signature template argument. works great classes, when try same trick function templates, msvc throws error: error c2768: 'func' : illegal use of explicit template arguments here's code: template <typename signature> void func(); template <typename r, typename a1> void func<r(a1)>(); what should make work? you cannot partially specialize function template, not supported language. can create partially specialized class template static member function, , possibly trampoline function instantiate class template , invoke static function. something this: namespace detail { template<typename signature> struct helper; template<typename r, typename a1> struct helper<r(a1)> { static void call() { // stuff r , a1... } }; } template<typename signature> void func() { detail::helper<signature>::call(); }
Read more

algorithm - What are some ways to combine a number of (potentially incompatible) sorted sub-sets of a total set into a (partial) ordering of the total set? -

-
i have sorting problem i'm pretty sure doesn't have canonical "answer" - has number of different approaches, each pros/cons. i'm interested in hearing different approaches. suppose bunch of people {p_i | i=1,...,m} ranking favorite ice cream flavors. in total there n different flavors, single person p_i ranks n_i << n flavors or familiar with. i'm interested in combining these sub-rankings plausible overall ranking of n flavors. for concrete situation: m , n both 1000 (by coincidence), , each n_i 20 . can assume there's enough overlap in flavors people rank such no flavor "isolated". again, i'm interested in hearing different ways approach this, if there isn't single clear answer. thanks! one way approach problem construct directed cyclic graph representing of constraints on ordering of elements. nodes in graph represent different elements compared , have edge first node second node if had ranked first e...
Read more

How to call a javascript function after the page loads with a chrome extension? -

-
there's function on page want call after loads. not own page, can't insert html it. can please provide specific examples how chrome extension or greasemonkey? (function submitaction() ). both chrome extensions , greasemonkey offer ways specify when script inject if executed. in chrome extension, you set in manifest : "content_scripts": [ { "run_at" : "document_idle", in greasemonkey compatible userscripts, set in metadata // @run-at document-end in both cases, have add script if want ensure resources loaded when function executed : document.addeventlistener('load', submitaction);
Read more