Robert Schneider

What the Virus: a Behavior-aware Multi-engine Malware Scanning Service Robert Schneider

Anti-virus software is a key security technology on today's end user systems. Current anti-virus engines use two complementary techniques to detect malware. One is to statically scan potential malware sample files for certain patterns which are known ("malware signatures"). The other is to dynamically detect typical malicious behavior (e.g., modifications of registry keys, DLL injections etc.) upon execution of a sample. No anti-virus product can reliably detect malware. Rather, all products are plagued by false positives and false negatives. An interesting approach to improve the reliability of detection is to run several anti-virus products on a given malware sample. There are several online scanning services, that implement this approach. However, for performance reasons these services only use the static signature detection functionality of the anti- virus products, and thus do not take advantage of the full functionality of current anti-virus engines. This book explains how to overcome this limitation and to build an efficient online malware scanning service that fully utilizes the capabilities of current anti-virus engines.