Page 2 of 4

Posted: Sat Jul 01, 2006 12:54 am
by Inf0Byt3
That's because it isn't in the signatures for now (I forgot to put it :D). This will be available in the first update.

Re: PureAV - Antivirus in PureBasic - finally here

Posted: Sat Jul 01, 2006 1:51 am
by Phoenix
Two things.... (a) OnDemand means to scan files as they are opened or accessed and this doesn't do that.... it's a bit misleading.... and (b) If I click 'Scan Path' and select a folder on my E: drive it goes and scans C:\Windows\System32 first.... why????

Posted: Sat Jul 01, 2006 1:58 am
by Inf0Byt3
Well, nope, OnDemand means manual scanner. The one you talked about is OnAccess scanner...

It first scans System32 because most of the processes loaded in memory are located there. Try to uncheck the 'Scan memory first' option, because the 'scan memory' option is enabled and it scans the DLLs loaded in memory and the processes. Just try to disable that option and make a scan.

Posted: Sat Jul 01, 2006 2:10 am
by Phoenix
You're right.... I was thinking of OnAccess.... sorry!!!!

Posted: Sat Jul 01, 2006 8:29 am
by buzzqw
Simply excellent! Great work Inf0Byt3.

But... as already written, I think that using an open-source virus database (namely ClamAV's) is a better thing than invading your mail with all those harmful files.

just my 0.02€

BHH

Posted: Sat Jul 01, 2006 9:40 am
by Inf0Byt3
Thanks. Unfortunately, I can't use their database, because they are using a different method which is a bit slower (Aho-Corasick algorithm). Their database is very different from PureAV's: we're using hashes over buffers while they're matching their patterns with Aho-Corasick... And I wanted PureAV to be 100% original :D. However, being open-source, we can even use LibClamAV and we would have 2 engines :D.

Posted: Sat Jul 01, 2006 11:54 am
by SunSatION
How would an antivirus detect this virus after the first run? Obviously, this is not a virus, and it is quite the most horrible code you will ever see :)

http://mmforum.phpnet.us/virustest.zip

Hash signatures are sometimes fake :)

Posted: Sat Jul 01, 2006 12:26 pm
by Inf0Byt3
Hmm, that's strange... It doesn't seem to detect it here :? . However, I will improve the engine to speed it up a little and lower the false positive rate. Thanks for the report. And BTW, nothing is perfect, including PureAV, but it's strange that the MD5 collides so fast... I thought the collision probability is very very small on this hash algorithm...

great job Inf0Byt3

Posted: Sat Jul 01, 2006 12:39 pm
by z3phir2003
Great job on your antivirus, I will give it a spin on some viruses from the library when I have some time. Keep up the good work.

Posted: Sat Jul 01, 2006 12:46 pm
by SunSatION
Why does MD5 collide?

Simply because the code is being self modified :twisted:

Code:

DeleteFile("virustest(1).exe")
Delay(1000)
If FileSize("virustest(1).exe") = -1
  CopyFile("virustest.exe","virustest(1).exe")
  OpenFile(0,"virustest(1).exe")
  FileSeek(1792)
  WriteByte(Random(255))
  CloseFile(0)
  RunProgram("virustest(1).exe")
Else
  DeleteFile("virustest.exe")
  CopyFile("virustest(1).exe","virustest.exe")
  DeleteFile("virustest(1).exe")
EndIf
My suggestion to prevent this: a special signature. This means using a sequence found in the file. In this case, you can use the signature "virustest(1).exe virustest.exe", which is found at address 4115 (0x1013).
Unfortunately, this will slow down the engine significantly. :(

And your AV is great since it's the fastest I found till now and does not give false alarms :D !
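As an added example (not code from this thread and not part of PureAV), the following Python script contrasts the two detection approaches discussed in this thread: a whole-file MD5 signature, which no longer matches once any byte changes, and byte-sequence signatures of the kind suggested in the post above, matched with a small Aho-Corasick automaton of the sort mentioned earlier for ClamAV. The sample "file" bytes, the signature names and the chosen offsets are constructed for the demonstration.

```python
import hashlib
from collections import deque

# Constructed stand-in for an executable: a header, padding, and two embedded strings.
SAMPLE = (b"MZ" + b"\x90" * 30
          + b"CopyFile virustest.exe virustest(1).exe"
          + b"\x00" * 40 + b"RunProgram" + b"\x00" * 20)

# Constructed sequence signatures (name -> byte pattern found in the file).
SIGNATURES = {
    "Test.SelfCopy": b"virustest.exe virustest(1).exe",
    "Test.Runner": b"RunProgram",
}

def md5_hex(data: bytes) -> str:
    """Whole-file digest: the kind of signature a single changed byte defeats."""
    return hashlib.md5(data).hexdigest()

class AhoCorasick:
    """Finds every pattern of a set in one pass over the input."""
    def __init__(self, patterns: dict):
        self.goto = [{}]   # state -> {byte: next state}
        self.out = [[]]    # state -> names of patterns ending in this state
        self.fail = [0]    # state -> fallback state on mismatch
        for name, pat in patterns.items():
            s = 0
            for b in pat:
                if b not in self.goto[s]:
                    self.goto.append({})
                    self.out.append([])
                    self.fail.append(0)
                    self.goto[s][b] = len(self.goto) - 1
                s = self.goto[s][b]
            self.out[s].append(name)
        # Failure links by breadth-first traversal of the trie.
        queue = deque(self.goto[0].values())
        while queue:
            r = queue.popleft()
            for b, s in self.goto[r].items():
                queue.append(s)
                f = self.fail[r]
                while f and b not in self.goto[f]:
                    f = self.fail[f]
                self.fail[s] = self.goto[f].get(b, 0)
                # Patterns ending in the fallback state also end here.
                self.out[s] += self.out[self.fail[s]]

    def search(self, data: bytes) -> set:
        """Return the names of all patterns that occur anywhere in data."""
        hits, s = set(), 0
        for b in data:
            while s and b not in self.goto[s]:
                s = self.fail[s]
            s = self.goto[s].get(b, 0)
            hits.update(self.out[s])
        return hits

def flip_byte(data: bytes, offset: int) -> bytes:
    """Deterministic stand-in for the random byte write in the test program."""
    buf = bytearray(data)
    buf[offset] ^= 0x55
    return bytes(buf)

def compare_detection(original: bytes, modified: bytes, signatures: dict) -> dict:
    """Report whether each method still recognises the modified bytes."""
    ac = AhoCorasick(signatures)
    return {
        "md5_still_matches": md5_hex(original) == md5_hex(modified),
        "sequences_in_original": ac.search(original),
        "sequences_in_modified": ac.search(modified),
    }

if __name__ == "__main__":
    # Change one padding byte, as the self-modifying test program does.
    report = compare_detection(SAMPLE, flip_byte(SAMPLE, 5), SIGNATURES)
    for key, value in report.items():
        print(f"{key}: {value}")
```

The automaton matches every signature in one pass, so the cost grows with the size of the scanned file rather than with the number of signatures, which is the usual answer to the speed concern raised above; the sequence signatures only remain reliable as long as they are taken from parts of the file that the sample does not rewrite.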

Posted: Sat Jul 01, 2006 1:13 pm
by Inf0Byt3
@Zephir
Thanks !

@SunSatION:
I am not calculating a checksum over the whole file, it already works with sequences. The engine works like this (pseudocode):

Code:

 a = length of file
 b = length of file / 3 ;The start address
 c = 2 * b ;The end address
 *buff = allocatememory(b+c)
 readdata(*buff,b+c)
 sum.s = md5overbuffer(*buff)
 fast compare with database entries > #True OR #False
If you change a byte in the first or last sequence (1/3 or 2/3 of the file) it will still detect it. However, new viruses just append data to the beginning of the file or the end of the file. So it should be safe with this method (I think). See the file EngineAPI.pb... What do you think, would this work better? The speed is pretty good.
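The window hashing outlined in the pseudocode above, written out as an added Python example (not PureAV's own EngineAPI.pb): it hashes the bytes between offsets b = len/3 and c = 2*b, looks the digest up in a constructed signature table, and then checks which kinds of modification leave the digest intact. The sample bytes and the signature name are constructed, and reading the pseudocode as "hash the file from offset b to offset c" is an assumption.

```python
import hashlib
from typing import Optional

# Constructed stand-in for a file: three repeats of 0x00..0xFF (768 bytes).
SAMPLE = bytes(range(256)) * 3

def middle_window(data: bytes):
    """Offsets from the pseudocode: b = len/3 (start), c = 2*b (end)."""
    a = len(data)
    b = a // 3
    c = 2 * b
    return b, c

def window_hash(data: bytes) -> str:
    """MD5 over the bytes between the two offsets (assumed reading of the pseudocode)."""
    b, c = middle_window(data)
    return hashlib.md5(data[b:c]).hexdigest()

def build_database(samples: dict) -> dict:
    """Turn name -> bytes into digest -> name, the table the scanner compares against."""
    return {window_hash(blob): name for name, blob in samples.items()}

def scan(data: bytes, database: dict) -> Optional[str]:
    """Fast compare: one digest lookup per file."""
    return database.get(window_hash(data))

def patch_byte(data: bytes, offset: int) -> bytes:
    """Deterministic change standing in for WriteByte(Random(255)) in the test program."""
    buf = bytearray(data)
    buf[offset] ^= 0xFF
    return bytes(buf)

def detection_survives(original: bytes, modified: bytes) -> bool:
    """True if a database built from the original still flags the modified bytes."""
    db = build_database({"Test.Sample": original})
    return scan(modified, db) == "Test.Sample"

if __name__ == "__main__":
    b, c = middle_window(SAMPLE)
    print(f"window: [{b}, {c}) of {len(SAMPLE)} bytes")
    cases = {
        "byte changed in first third": patch_byte(SAMPLE, 10),
        "byte changed in last third": patch_byte(SAMPLE, 700),
        "byte changed in middle third": patch_byte(SAMPLE, 400),
        "16 bytes appended": SAMPLE + b"\x00" * 16,
        "16 bytes prepended": b"\x00" * 16 + SAMPLE,
    }
    for label, blob in cases.items():
        print(f"{label}: detected={detection_survives(SAMPLE, blob)}")
```

Because b and c are derived from the file length, edits inside the first or last third leave the digest unchanged, while any change to the length moves the window and changes the digest; the last two cases in the script show that behaviour, which is the check to run against samples that add data at either end.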

Posted: Sat Jul 01, 2006 2:26 pm
by SunSatION
Yea, I think the one you're using should be used in anti-virus software. That was just PURE luck that it had allocated some null-bytes at that specific place :wink: .

I have to say this, I don't like security features to be open-source, because it's like when you tell a thief that the particular alarm is not working. But I like open-source because ........ :P

Posted: Sat Jul 01, 2006 3:28 pm
by Inf0Byt3
You're right about this kind of open-source apps... I am rewriting it (as I did with all the apps I coded :D) and I'll find a place to host the project and people would have to register as a developer to download the sources. That would minimize the risk a bit...

Posted: Sat Jul 01, 2006 5:37 pm
by blueznl
Would be great if you would support the second 'clam' algorithm as well, perhaps make it optional. That way people could opt for using it on on-access or on-demand scanning, or not, thus avoiding the speed penalty and/or improving the speed, whatever they want.

Second suggestion: release the source of an older version, not of your latest. That way you're one step ahead of virus writers that target your virus scanner.

Posted: Sat Jul 01, 2006 7:44 pm
by Inf0Byt3
That's a great idea :). Btw, I really could appreciate some advice: What should I do? I have three possibilities: one would be to continue my engine and improve it, or the second one, use ClamAV as a base (here the advantage is that it is created by professionals). Or follow blueznl's idea and have the two of them in the same package :? ... (I think this would be the best.)

@blueznl, thanks for the source tip, I will use it as we get the first alpha.