 

How does an Antivirus know not to detect non-malicious code?

Let's say I created a file compression library, and this library was used in 1000 (non-malicious) programs. But now a malware developer has decided to create malware and use my library to compress some files.

Based on my little knowledge of how an Antivirus works, it selects a group of strings of bytes from the malware and stores them in its database. Now, when the Antivirus scans a program that has these strings of bytes, it alerts the user that this is malware.

But what if the Antivirus selected a string of bytes that corresponds to a portion of my library's code? Wouldn't this mean that my library is now detected as malware (and hence the 1000 non-malicious programs are now detected as malware)?

user6088487 asked Apr 02 '16 03:04


1 Answer

There are two kinds of techniques to detect malware. The first is by the file signature: for example, Kaspersky receives every day a huge amount of malicious code that will be analysed by its experts, who then generate a signature for each one of them. So, when a file is analysed by an antivirus, it compares its signature with all the signatures in its database and then returns the result to the user. The second way to determine if a piece of software is malicious is by using data mining techniques, which take as input the static and dynamic analysis results of the software and then return a result. In this case, it can return a false positive result, depending on the antivirus.

Mohamed Kamel Bouzekria answered Sep 18 '22 10:09
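The scenario in the question (a signature cut from a shared library) and the signature-based technique in the answer can both be seen in a small byte-pattern scanner. The following is an added example written for this page, not code from the asker, the answerer, or any antivirus vendor. All "files" in it are constructed byte strings: a fake header, a fake compression library, two benign programs and one malicious program that all embed the same library. It shows the false positive the question worries about, then the two defender-side checks that avoid it: masking out bytes that also occur in a corpus of known-clean files before choosing a signature, and consulting a whole-file hash allowlist before any byte matching. The corpus-masking approach is a simplification of what vendors do, not a description of any particular product.

```python
import hashlib

# Constructed sample "files" (not real binaries): a shared compression library,
# two benign programs that link it, and one malicious program that links it too.
HEADER = b"MZ\x90\x00PE\x00\x00"                                 # 8 bytes shared by every file
LIBRARY_CODE = b"COMPRESS_BLOCK_v1;DEFLATE_TABLE;HUFFMAN_TREE;"  # 45 bytes, the shared library
BENIGN_PROGRAM = HEADER + LIBRARY_CODE + b"print_report();exit(0);"
OTHER_BENIGN = HEADER + LIBRARY_CODE + b"run_backup();"
MALWARE_SAMPLE = HEADER + LIBRARY_CODE + b"drop_payload();persist();"

# Files the vendor knows to be clean (a "goodware" corpus); constructed here.
CLEAN_CORPUS = [BENIGN_PROGRAM, OTHER_BENIGN]

# A signature cut from the malware without checking where it came from: bytes
# 12..24 of MALWARE_SAMPLE lie inside the library, not in the malicious code.
NAIVE_SIGNATURE = MALWARE_SAMPLE[12:24]


def scan(data: bytes, signatures: dict) -> list:
    """Return the names of every signature whose byte pattern occurs in data."""
    return [name for name, pattern in signatures.items() if pattern in data]


def shared_byte_mask(sample: bytes, clean_corpus: list, k: int = 8) -> list:
    """Mark each byte of sample that sits inside a k-byte run also found in a clean file.

    This is the toy equivalent of recognising known library code before
    choosing a signature.
    """
    clean_grams = set()
    for clean in clean_corpus:
        for i in range(len(clean) - k + 1):
            clean_grams.add(clean[i:i + k])
    mask = [False] * len(sample)
    for i in range(len(sample) - k + 1):
        if sample[i:i + k] in clean_grams:
            for j in range(i, i + k):
                mask[j] = True
    return mask


def pick_signature(sample: bytes, clean_corpus: list, length: int = 12, k: int = 8):
    """Choose the first length-byte window of sample that shares no k-gram with clean code.

    Returns None when every window overlaps known-clean code, which is the
    signal that a byte signature alone cannot describe this sample.
    """
    mask = shared_byte_mask(sample, clean_corpus, k)
    for i in range(len(sample) - length + 1):
        if not any(mask[i:i + length]):
            return sample[i:i + length]
    return None


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def verdict(data: bytes, signatures: dict, allowlist: set) -> str:
    """Whole-file hash allowlist first, then byte-signature matching."""
    if sha256(data) in allowlist:
        return "allowlisted"
    hits = scan(data, signatures)
    return "malicious:" + ",".join(hits) if hits else "clean"


if __name__ == "__main__":
    print("naive signature:", NAIVE_SIGNATURE)
    # The naive signature flags the benign program too: the false positive.
    print("benign program with naive signature:", scan(BENIGN_PROGRAM, {"naive": NAIVE_SIGNATURE}))
    good = pick_signature(MALWARE_SAMPLE, CLEAN_CORPUS)
    print("signature chosen after masking clean code:", good)
    for name, blob in [("benign", BENIGN_PROGRAM), ("malware", MALWARE_SAMPLE)]:
        print(name, "->", verdict(blob, {"checked": good}, {sha256(OTHER_BENIGN)}))
```

Running the script shows `NAIVE_SIGNATURE` matching the benign program, while `pick_signature` skips every window that overlaps the shared library and lands on the malware-only bytes. Passing a file that is itself in the clean corpus returns `None`, which is the honest answer when nothing in the sample is unique to it; a real engine would then fall back to the analysis-based techniques the answer mentions rather than ship a signature that hits clean software.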