Let's say I created a file compression library, and this library was used in 1000 (non-malicious) programs. But now a malware developer has decided to create a malware and use my library to compress some files.
Based on my little knowledge of how an Antivirus works, it selects a group of strings of bytes from the malware and stores it in its database. Now when the Antivirus scans a program that has these strings of bytes, it alerts the user that this is malware.
But what if the Antivirus selected a string of bytes that corresponds to a portion of my library's code? Wouldn't this mean that my library is now detected as malware (and hence the 1000 non-malicious programs are now detected as malware)?
There are two kinds of techniques to detect malware. The first is by the file signature: for example, Kaspersky receives every day a huge amount of malicious code that will be analysed by its experts, who then generate a signature for each one of them. So, when a file is analysed by an antivirus, it compares its signature with all the signatures in its database and then returns the result to the user. The second way to determine if software is malicious is by using data mining techniques, which take as input the static & dynamic analysis results of the software and then return a result. In this case, it can return a false positive result, depending on the antivirus.
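To make the false-positive scenario from the question concrete, here is an added example (not code from either poster) with constructed byte strings standing in for a shared library, a benign app and a malicious program: a plain substring signature taken from the library bytes fires on the benign app, while a signature vetted against a known-good corpus does not.

```python
# Constructed sample "binaries": byte strings that stand in for compiled programs.
LIBRARY_CODE = b"\x55\x48\x89\xe5COMPRESS_LIB_v1\x48\x83\xec\x20"  # shared compression library
MALWARE_ONLY = b"\xeb\xfeDROP_PAYLOAD\x90\x90"                      # bytes unique to the malware
BENIGN_APP = b"\x7fELFapp" + LIBRARY_CODE + b"do_work"               # one of the 1000 clean programs
MALWARE = b"\x7fELFmal" + LIBRARY_CODE + MALWARE_ONLY                # malware that links the library


def scan(sample: bytes, signatures: dict) -> list:
    """Return the names of every signature whose byte pattern occurs in the sample.

    This is the simplest form of signature matching described in the answer:
    a fixed byte string looked up anywhere in the file.
    """
    return [name for name, pattern in signatures.items() if pattern in sample]


def signature_overlaps_known_good(pattern: bytes, known_good: list) -> bool:
    """Vet a candidate signature against a corpus of clean code before publishing it.

    Vendors maintain such known-good collections precisely so that a signature
    cut from a shared library does not flag every program that uses it.
    """
    return any(pattern in clean for clean in known_good)


def pick_signature(sample: bytes, known_good: list, length: int = 8) -> bytes:
    """Choose the first window of `length` bytes in `sample` that appears in no
    known-good file; returns b"" if every window is shared with clean code."""
    for start in range(0, len(sample) - length + 1):
        window = sample[start:start + length]
        if not signature_overlaps_known_good(window, known_good):
            return window
    return b""


# The analyst cut the signature from the library portion of the malware sample.
BAD_SIGNATURE = {"Trojan.Generic": LIBRARY_CODE[4:12]}       # b"COMPRESS"
# The analyst cut it from bytes that occur in no known-good file.
GOOD_SIGNATURE = {"Trojan.Generic": MALWARE_ONLY[:8]}        # b"\xeb\xfeDROP_P"

if __name__ == "__main__":
    print("benign app vs bad signature :", scan(BENIGN_APP, BAD_SIGNATURE))   # false positive
    print("benign app vs good signature:", scan(BENIGN_APP, GOOD_SIGNATURE))  # clean
    print("malware vs good signature   :", scan(MALWARE, GOOD_SIGNATURE))     # detected
    print("auto-picked signature       :", pick_signature(MALWARE, [BENIGN_APP, LIBRARY_CODE]))
```

The auto-picked signature skips the ELF header and library bytes because they also appear in the clean corpus, which is the check that prevents the library author's 1000 programs from being flagged.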