Question
How do anti-virus programs detect if something is a virus or trojan?
I'm from Turkey, please keep the English simple if possible, thanks.
Answer 1:
There are three basic ways to find viruses. You can scan files to see if they have virus code in them from known viruses. You can scan files to see if the code will do virus-like things. You can wait until a program does something it should not do, and flag the program as infected.
You would scan files when they are first created, and you would also do it on a schedule after that. You would have to install a kernel driver in order to watch what programs do and stop them from doing malicious things.
Many anti-spyware programs work exactly the same way. For example, Spybot S&D can watch for Registry changes that could be spyware installations.
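The third method in this answer (watch what a program does, and stop it when it does something it should not) can be shown without a kernel driver by replaying a recorded event feed. The following is an added example, not code from the answer above or from any product: the event trace, the rules, their weights and the blocking threshold are all constructed for illustration. A real engine would receive these events from a kernel driver, a minifilter or ETW rather than from a list.

```python
"""Behaviour-based detection over a constructed process event trace.

Added example (not from the original Stack Overflow answer). The trace below
stands in for what a kernel-mode monitor would report; the rules and weights
are illustrative, not from any real product.
"""

# Constructed event trace. Each dict is one observed action by one process.
TRACE = [
    {"pid": 100, "image": "notepad.exe", "op": "file_write",
     "target": r"C:\Users\ali\notes.txt"},
    {"pid": 200, "image": "invoice.exe", "op": "file_write",
     "target": r"C:\Users\ali\AppData\Roaming\invoice.exe"},
    {"pid": 200, "image": "invoice.exe", "op": "reg_set",
     "target": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\invoice"},
    {"pid": 200, "image": "invoice.exe", "op": "proc_open",
     "target": "explorer.exe", "access": "PROCESS_VM_WRITE"},
    {"pid": 200, "image": "invoice.exe", "op": "remote_thread",
     "target": "explorer.exe"},
    {"pid": 300, "image": "setup.exe", "op": "reg_set",
     "target": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\updater"},
]

# Each rule: (description, weight, predicate over one event).
# Weights are illustrative; a single hit is rarely enough on its own.
RULES = [
    ("persistence: writes a Run/RunOnce autostart key", 2,
     lambda ev: ev["op"] == "reg_set"
     and any(k in ev["target"].lower()
             for k in ("\\currentversion\\run\\", "\\currentversion\\runonce\\"))),
    ("dropper: copies its own image into the user profile", 2,
     lambda ev: ev["op"] == "file_write"
     and "\\appdata\\" in ev["target"].lower()
     and ev["target"].lower().endswith("\\" + ev["image"].lower())),
    ("injection: opens another process for memory write", 1,
     lambda ev: ev["op"] == "proc_open"
     and "PROCESS_VM_WRITE" in ev.get("access", "")),
    ("injection: starts a thread inside another process", 3,
     lambda ev: ev["op"] == "remote_thread"
     and ev["target"].lower() != ev["image"].lower()),
]

# Cumulative score at which the monitor would terminate the process.
BLOCK_THRESHOLD = 6


def evaluate(trace, rules=RULES, threshold=BLOCK_THRESHOLD):
    """Replay the trace, scoring each process as its events arrive.

    Returns {pid: {"image", "score", "hits", "blocked_at"}} where blocked_at
    is the index of the event that pushed the score over the threshold, or
    None if the process was never blocked.
    """
    state = {}
    for index, ev in enumerate(trace):
        st = state.setdefault(ev["pid"], {"image": ev["image"], "score": 0,
                                          "hits": [], "blocked_at": None})
        if st["blocked_at"] is not None:
            continue  # already terminated; later events would not occur
        for description, weight, predicate in rules:
            if predicate(ev):
                st["score"] += weight
                st["hits"].append(description)
        if st["score"] >= threshold:
            st["blocked_at"] = index
    return state


if __name__ == "__main__":
    for pid, st in evaluate(TRACE).items():
        status = "BLOCKED" if st["blocked_at"] is not None else "allowed"
        print(f"pid {pid} {st['image']}: score {st['score']} {status}")
        for hit in st["hits"]:
            print("   ", hit)
```

Note the trade-off the threshold encodes: `setup.exe` also writes a Run key, which ordinary installers do, so one persistence hit alone scores 2 and is allowed; `invoice.exe` is only stopped after it has dropped a copy of itself, registered it to autostart and started a thread in `explorer.exe`. Lowering the threshold catches it earlier at the cost of more false positives, which is the central tuning problem of behavioural detection.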
Answer 2:
There are different types of virus detection. Some of the different techniques they use are:
1) Look at binary makeup of file for match or partial match in database of known viruses and trojans (most common technique)
2) Watch what program does and see if it ever does anything similar to viruses/trojans
3) Analyze program code (sometimes disassemble program code) and look for malicious things. This is often very difficult and usually only advanced detection programs do this.
Answer 3:
Signature-based detection - detects by comparing a virus signature (a binary pattern of known viruses) against files being scanned.
Heuristic-based detection - detects behavior in and patterns of code that indicate a virus may be present. Suspicious code is run in a runtime virtual environment to further test for virus behavior. This can find new viruses not in the virus definitions.
Behavioural-based detection - Detects viruses when they are run based on the behavior the virus exhibits
Sandbox detection - similar to behavior based, this method executes a potential virus in a runtime environment and monitors behavior
Here's a more complete reading
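The two static techniques listed in this answer and in Answer 1 (signature matching against known patterns, and heuristic scoring of the file contents) can be shown side by side in a small scanner. This is an added example, not code from any of the answers or from any anti-virus product. The only real signature it uses is the EICAR test string, the industry-standard harmless pattern that anti-virus products agree to detect; the hash database, the suspicious API-name list, the weights and the entropy threshold are all constructed for illustration.

```python
"""Toy static scanner: signature matching plus a content heuristic.

Added example, not from the original Stack Overflow answers. The signature
database and heuristic rules are constructed for illustration only.
"""
import hashlib
import math

# The EICAR test string is split in two so that this source file does not
# itself contain the contiguous pattern (a real engine might quarantine it).
EICAR = (b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$"
         b"EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*")

# Constructed signature database: exact-hash entries are the cheapest check,
# byte-pattern entries also catch the pattern embedded inside a larger file.
HASH_SIGNATURES = {hashlib.sha256(EICAR).hexdigest(): "EICAR-Test-File (hash)"}
PATTERN_SIGNATURES = {"EICAR-Test-File (pattern)": EICAR}

# Constructed heuristic indicators: imported API names typical of process
# injection and droppers, weighted by how suspicious each is.
SUSPICIOUS_STRINGS = {
    b"WriteProcessMemory": 2,
    b"CreateRemoteThread": 2,
    b"VirtualAllocEx": 1,
    b"URLDownloadToFileA": 2,
    b"SetWindowsHookExA": 1,
}
HEURISTIC_THRESHOLD = 3   # at or above this, send the file to a sandbox


def shannon_entropy(data: bytes) -> float:
    """Bits per byte. Packed or encrypted payloads sit close to 8.0."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def signature_scan(data: bytes):
    """Return the name of the matching signature, or None."""
    name = HASH_SIGNATURES.get(hashlib.sha256(data).hexdigest())
    if name:
        return name
    for name, pattern in PATTERN_SIGNATURES.items():
        if pattern in data:
            return name
    return None


def heuristic_scan(data: bytes):
    """Return (score, reasons) from static indicators in the file body."""
    score, reasons = 0, []
    for needle, weight in SUSPICIOUS_STRINGS.items():
        if needle in data:
            score += weight
            reasons.append(needle.decode())
    entropy = shannon_entropy(data)
    if len(data) > 256 and entropy > 7.0:   # looks packed or encrypted
        score += 2
        reasons.append(f"high entropy {entropy:.2f}")
    return score, reasons


def scan(data: bytes) -> dict:
    """Combine both checks into one verdict for a file's bytes."""
    signature = signature_scan(data)
    score, reasons = heuristic_scan(data)
    if signature:
        verdict = "malicious"
    elif score >= HEURISTIC_THRESHOLD:
        verdict = "suspicious"
    else:
        verdict = "clean"
    return {"signature": signature, "heuristic_score": score,
            "reasons": reasons, "verdict": verdict}


# Constructed sample "files" for a stand-alone run.
SAMPLES = {
    "eicar": EICAR,
    "eicar_embedded": b"junk" + EICAR + b"trailer",
    "eicar_one_byte_changed": EICAR.replace(b"STANDARD", b"STANDART"),
    "dropper_strings": b"MZ" + b"\x00" * 64
        + b"kernel32.dll WriteProcessMemory CreateRemoteThread VirtualAllocEx",
    "packed_stub": bytes(range(256)) * 16 + b"VirtualAllocEx",
    "plain_text": b"MZ" + b"Hello, this is an ordinary program. " * 20,
}

if __name__ == "__main__":
    for label, data in SAMPLES.items():
        print(label, scan(data))
```

The `eicar_one_byte_changed` sample is the point of running both checks: a single changed byte defeats both the hash and the pattern signature, and because the sample carries no other indicator the heuristic does not catch it either, which is exactly the gap that behavioural and sandbox detection exist to close. Conversely `dropper_strings` matches no signature but scores on three injection APIs, and `packed_stub` scores on entropy plus one API name, so both would be sent on for dynamic analysis.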
Answer 4:
They use signatures, or definitions of what a virus looks like, and compare them to the files they scan.
See this article from SciAm for a good explanation.
Answer 5:
Antiviruses find viruses by watching the registry, looking at a program's code, looking at its list of common viruses, or even looking on the internet to see if other people/software have classified it as a virus.
Source: https://stackoverflow.com/questions/1396443/how-do-antivirus-programs-detect-viruses