What is a file signature when it comes to AV software???

closed account (3hMz8vqX)
Hi all,
What is a file signature when it comes to AV software???
Can anyone tell me how an AV searches a file for signature ?
Hi,

File signature identification in AV software is a feature/detection algorithm which checks the file's bytes and analyses them. This type of scanning is not highly effective in the modern day, and even more so if the AV does not support network updates and file-signature updates, as it depends on external sources to analyse and pass on signatures to the local PC.

Technical Details:

To begin with, the AV will place hooks on vital APIs such as:

NtOpenFile
NtWriteFile
NtDeleteFile

and other file system APIs at the kernel level. This allows the AV to pick up any files which have been dropped/opened; this lets the AV know which files became active, and then all active files (which did some movement) will be scanned. Normally all AVs tend to scan the EOF of the file, as malware will normally add IP, port, C&C and other important configuration data of the malware there.

If the EOF has specific bytes like, say, 108.445.235.578 at the end of the file, it is pretty obvious it is not any opcode but an IP. To elaborate more, AVs use GetHostByName/GetHostByAddr or the NT equivalent function to check whether the string is an IP or not; if the bytes are an IP, they tend to delete an important part of the file so that the file is "crippled" and is deemed "safe", then moved to quarantine.

That is easy to implement and is called file-signature-based heuristics.

As for hard-coded file signature checking: it occurs when certain bytes of the file, let's say the 34th => 50th and finally the 64th,

have certain values which identify the file uniquely; again the AV solutions will cripple and quarantine it.

Then there is MD5 file checking, in which a virus file's MD5 value is compared with a file's, and if the MD5 difference between both files is NULL, or in other words nothing, the same happens:

AV cripples and quarantines it.

***NOTE*** Quarantine is nothing but a folder of the AV solution, to which all crippled files are sent and which is locked down further via ACLs/DACLs.


Good Luck!

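As an added worked example (not code from the thread's author or from any AV product), here is a toy Python scanner that applies the three checks the reply above describes to an in-memory file image: fixed-offset byte signatures, a whole-file MD5 lookup, and a scan of the last bytes of the file for an IPv4 address, followed by the "cripple" step that zeroes the bytes that matched. The signature table, the detection names (Demo.Dropper, Demo.KnownHash), the offsets and the sample buffers are all constructed for illustration; the tail scan only accepts a dotted quad when every octet is 0-255, which stands in for the gethostbyname-style validation the reply mentions, so a string like 108.445.235.578 is not treated as an address.

```python
"""Toy signature scanner (added example; not from the forum post).

Applies three checks to an in-memory file image:
  1. fixed-offset byte signatures,
  2. whole-file MD5 lookup,
  3. a scan of the file's tail (EOF region) for a valid IPv4 address,
then "cripples" a detected file by zeroing the bytes that matched.
All signatures, names and sample buffers below are constructed for illustration.
"""
import hashlib
import ipaddress
import re

# Hypothetical offset signatures: name -> list of (offset, expected bytes).
OFFSET_SIGNATURES = {
    "Demo.Dropper": [(34, b"\x4d\x5a"), (50, b"\xeb\xfe"), (64, b"\x90\x90\x90")],
}

# Constructed "known bad" sample; its MD5 is the hash signature.
SAMPLE_KNOWN = b"MZ" + b"\x00" * 40 + b"constructed-known-bad-sample"
HASH_SIGNATURES = {hashlib.md5(SAMPLE_KNOWN).hexdigest(): "Demo.KnownHash"}

# Constructed sample that matches the offset signature only.
_buf = bytearray(80)
for _off, _pat in OFFSET_SIGNATURES["Demo.Dropper"]:
    _buf[_off:_off + len(_pat)] = _pat
SAMPLE_OFFSET = bytes(_buf)

# Constructed sample with a config blob at EOF: one valid IP (documentation
# range 198.51.100.0/24) and one dotted quad whose octets exceed 255.
SAMPLE_TAIL = b"\x90" * 100 + b"\x00cfg:c2=198.51.100.23:4444;bad=108.445.235.578"

# Dotted quad that is not embedded in a longer run of digits and dots.
IPV4_RE = re.compile(rb"(?<![0-9.])((?:[0-9]{1,3}\.){3}[0-9]{1,3})(?![0-9.])")
TAIL_WINDOW = 64  # how many bytes before EOF to inspect


def match_offset_signature(data, sig):
    """True if every (offset, pattern) pair in sig is present in data."""
    return all(data[off:off + len(pat)] == pat for off, pat in sig)


def match_hash(data):
    """Return the signature name whose MD5 equals the file's MD5, else None."""
    return HASH_SIGNATURES.get(hashlib.md5(data).hexdigest())


def find_tail_ipv4(data, window=TAIL_WINDOW):
    """Return valid IPv4 strings found in the last `window` bytes of data.

    A dotted quad only counts if ipaddress accepts it, so 108.445.235.578
    (octets above 255) is rejected even though it looks like an address.
    """
    found = []
    for m in IPV4_RE.finditer(data[-window:]):
        text = m.group(1).decode("ascii")
        try:
            ipaddress.IPv4Address(text)
        except ValueError:
            continue
        found.append(text)
    return found


def scan(data):
    """Run all three checks; return a list of (kind, name_or_ip) hits."""
    hits = []
    name = match_hash(data)
    if name:
        hits.append(("hash", name))
    for name, sig in OFFSET_SIGNATURES.items():
        if match_offset_signature(data, sig):
            hits.append(("offset", name))
    for ip in find_tail_ipv4(data):
        hits.append(("tail-ip", ip))
    return hits


def cripple(data, hits):
    """Zero the bytes behind each hit so the copy kept in quarantine neither
    runs intact nor re-triggers the same signature."""
    out = bytearray(data)
    for kind, name in hits:
        if kind == "hash":
            out[:2] = bytes(2)  # break the header; the MD5 no longer matches either
        elif kind == "offset":
            for off, pat in OFFSET_SIGNATURES[name]:
                out[off:off + len(pat)] = bytes(len(pat))
        elif kind == "tail-ip":
            raw = name.encode("ascii")
            idx = out.rfind(raw)
            if idx >= 0:
                out[idx:idx + len(raw)] = bytes(len(raw))
    return bytes(out)


if __name__ == "__main__":
    for label, sample in (("known", SAMPLE_KNOWN), ("offset", SAMPLE_OFFSET), ("tail", SAMPLE_TAIL)):
        hits = scan(sample)
        print(label, hits, "after cripple:", scan(cripple(sample, hits)))
```

To try it on a real file, pass the file's bytes to scan(); in a real product the offsets, patterns, hashes and the size of the tail window would come from a signature database rather than constants in the script, and the crippled copy would be written to a quarantine folder rather than kept in memory.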
closed account (3hMz8vqX)
Thank you very much!!!
Now in your opinion, which is better:
heuristic or signature-based detection???
Regards,
Aravind.
Hi,

No problem. Heuristic is always better than signature, as heuristics can use local algorithms to detect malware without depending on importing signature files from remote servers.
On the other hand, signature-based detection NEEDS to have signature files in order to work successfully.

In addition, once a heuristic is developed and working successfully, it will be able to detect more malware than a signature-based detection module can.

Good Luck!
closed account (3hMz8vqX)
Thank you very much!!!
Stay tuned for more questions :D