PureAV - Antivirus in PureBasic - finally here

[Inf0Byt3]

That's because it isn't in the signatures for now (I forgot to put it ). This will be available in the first update.

[Phoenix]

Two things.... (a) OnDemand means to scan files as they are opened or accessed and this doesn't do that.... it's a bit misleading.... and (b) If I click 'Scan Path' and select a folder on my E: drive it goes and scans C:\Windows\System32 first.... why????

[Inf0Byt3]

Well, nope, OnDemand means manual scanner. The one you talked about is OnAccess scanner...

It first scans System32 because most of the processes loded in memory are located there. Try to uncheck the Scan memory first optiongadget.

because the 'scan memory' option is enabled and it scans the dlls loaded in memory and the processes. Just try to disable that option and make a scan.

[Phoenix]

You're right.... I was thinking of OnAccess.... sorry!!!!

[buzzqw]

simply excellent ! great work Inf0Byt3

But ... as already written i think that using an open-source Virus Database (namely CLAM) is a better thing than invade your mail with all those harmfull files

just my 0.02€

BHH

[Inf0Byt3]

Thanks. Unfortunately, I can't use their database, because they are using a different method wich is a bit slower (AhoCorasick Algorithm). Their database is very different of PureAV's, we're using hashes over buffers while they're matching their patterns with Aho... And I wanted PureAV to be 100% original . However, being Open-Source, we can even use LibClamAV and we would have 2 engines .

[SunSatION]

How would an antivirus detect this virus, after first run. Obviously, this is not a virus, and it is quite the most horrorable code you will ever see

http://mmforum.phpnet.us/virustest.zip

Hashes signatures are sometimes fake

[Inf0Byt3]

Hmm, that's strange... It dosn't seem to detect it here . However, I will improve the engine to speed it up a little and lower the false positive rates. Thanks for the report. And BTW, nothing is perfect, including PureAV, but it's strange that the MD5 collides so fast... I thought the collision is very very small on this hash algorythm...

[z3phir2003]

great job on u'r antivirus i will give it a spin on some virus from the library when i will have some time. keep up the good work

[SunSatION]

Why MD5 collides?

Simply because the code is being self modified

Code: Select all

DeleteFile("virustest(1).exe")
Delay(1000)
If FileSize("virustest(1).exe") = -1
  CopyFile("virustest.exe","virustest(1).exe")
  OpenFile(0,"virustest(1).exe")
  FileSeek(1792)
  WriteByte(Random(255))
  CloseFile(0)
  RunProgram("virustest(1).exe")
Else
  DeleteFile("virustest.exe")
  CopyFile("virustest(1).exe","virustest.exe")
  DeleteFile("virustest(1).exe")
EndIf

My suggestion to prevent this..... special signature. This means the use of a sequence found in the file. In this case, you can use this signature at "virustest(1).exe virustest.exe" which is found at address 4115(0x1013)
Unfortunately, this will slow down the engine significantly.

And your AV is great since it's the fastest i found till know and does not gives false alarms !

[Inf0Byt3]

@Zephir
Thanks !

@SunSatION:
I am not calculating a checksum over the file, it allready works with sequences. The engine works like this (pseudocode):

Code: Select all

 a = length of file
 b = length of file / 3 ;The start adress
 c = 2 * b ;The end adress
 *buff = allocatememory(b+c)
 readdata(*buff,b+c)
 sum.s = md5overbuffer(*buff)         
 fast compare with database entries > #True OR #False 

If you change a bytes in the first and last sequence (1/3 or 2/3 of the file) it will still detect it. However, new viruses just append data to the beginning of the file or the end of the file. So it should be safe with this method (i think). See the file EngineAPI.pb... What do you think, would this work better? The speed is pretty good.

[SunSatION]

Yea, I think the one you're using should be used in anti-virus software. That was just PURE luck that it had allocated some null-bytes at that specific place .

I have to say this, I don't like security features to be open-source, because it's like when you tell a thief that the particular alarm is not working. But I like open-source because ........

[Inf0Byt3]

You're right about this kind of open-source apps... I am rewriting it (as I did with all the apps I coded ) and I'll find a place to host the project and people would have to register as a developer to download the sources. That would minimize the risk a bit...

[blueznl]

would be great if you would support the second 'clam' algoritm as well, perhaps make it optional, that way people could opt for using it on on-access or on-demand scanning, or not, thus avoiding the speed penalty and / or improving the speed, whatever they want

second suggestion: release source of an older version, not of your latest, that way you're one step ahead of virus writers that target your virus scanner

[Inf0Byt3]

That's a great idea . Btw, I really really could appreciate an advice: What should I do? I have threee possibilities: One would be to continue my engine and improve it or the second one - Use ClamAV as a base (here the advantage is that it is created by professionals). Or follow blueznl's idea and have the two of them in the same package ... (I think this would be the best)

@blueznl, thanks for the source tip, i will use it as we get the first alpha.