17 replies to this topic

[Tonchi]

I have a MD5 code for creating signatures for some user input but what I want is to search local disk or full computer for viruses with MD5 to compare those signatures with signatures in txt database...How can I do that search? Is there any tutorial or can someone give me a code?

[WingedPanther73]

That sounds like a really bad idea. Let me explain my reasoning:

Let's say your signatures is 12345. If you have a 2Mb file, you have to hash 5 characters around 2 million times, rather than just looking for the five characters. Which do you think will be more efficient?

[Tonchi]

and what do you suggest? which type of alghoritm will be good

[Luthfi]

I don't think you can use MD5 hash to find virii signatures. Virii signatures are not the same with file signatures. Virus signature is there so the virus code can avoid reinfect already infected file.

Virii can place themselves in arbitrary location in infected file. Therefore if you want to find virii using MD5 hash, you have to MD5 hash the file multiple times, perhaps as many as the file size minus the size of the virus. Very ineffective and time consuming. Not too mention that the longer you hold a file, the more the possibility you will collide with another process/activity that need access to the file.

For this, the good algorithm is by directly searching the virus signature in the examined file.

[Tonchi]

and with wich algorithm I can do that?

[Luthfi]

You don't need fancy algorithm for this. Open the file as stream of bytes, then inspect the bytes to see if any virii signatures found within it. Similar like you would to find a certain substring from a larger string of characters.

[papabear]

finding viruses using the file signatures or the MD5 of it was the old method used by anti virus to find and detect viruses.. they call it "Signature-Base Detection" You can use this method in creating a simple and lightweight antivirus if you wish so, however there are several new viruses that doesn't have signature yet or not yet known.. Why not try to research about Heuristics Analysis?

[WingedPanther73]

and what do you suggest? which type of alghoritm will be good

http://msdn.microsoft.com/en-us/library/ms228630%28v=VS.80%29.aspx

[Tonchi]

finding viruses using the file signatures or the MD5 of it was the old method used by anti virus to find and detect viruses.. they call it "Signature-Base Detection" You can use this method in creating a simple and lightweight antivirus if you wish so, however there are several new viruses that doesn't have signature yet or not yet known.. Why not try to research about Heuristics Analysis?

I was trying with Heuristic Algorithms but I was not able to find any code example in any language. Neither C/C++ nor .NET. I'm searching for that algorithm for about half a year :/

[Tonchi]

is this book good for beggining http://www.cs.nott.a...pdf/cag-phd.pdf

[papabear]

is this book good for beggining http://www.cs.nott.a...pdf/cag-phd.pdf

yes try to read that ebook I think it would be a good book as I scan it.. for heuristic analysis.. you must have something like a "Virtual Machine" to run a program and analyze what it does..

[Tonchi]

it's fascinating for me that whenever i want to find something on google i can't find and when i search something randomly then i find what i was trying to find before