How virus databases work?

[KapnKlaus]

Is there a searchable database they pull from so that newly submitted threats from one company can be used across companies to protect the world against threats or does each company have a proprietary database, that only they know the virus definitions for?

Vulnerabilities are catalogued in a searchable format so companies can patch them, I would assume viruses are a mix of both public and proprietary databases?

[Kisai]

34 minutes ago, KapnKlaus said:

Is there a searchable database they pull from so that newly submitted threats from one company can be used across companies to protect the world against threats or does each company have a proprietary database, that only they know the virus definitions for?

Vulnerabilities are catalogued in a searchable format so companies can patch them, I would assume viruses are a mix of both public and proprietary databases?

 

A mixture of A and B. Many AV companies work together on researching emergent threats, but viruses aren't as static as they were before the internet. Before the internet, you could have an AV product that is years out of date. The internet opened up an entire variety of the polymorphic virus/worm/trojan/malware which changes it's identity (like how HIV works in human populations) so you can't just go "this hash is this virus, nuke it", now that signature is only unique to that version.

 

Most AV products are now "cloud" based, and thus push updates hourly/daily based on emergent threats instead of keeping signatures of millions of viruses going back to 1980, that can't run on current PC's (eg DOS) or don't work on that version of the OS (eg macro viruses designed to work on Office 97 or older versions of Skype, AIM, etc.)

 

[homeap5]

Hmmm, you know - I always wonder how it REALLY works. Let's see - mr. XX write new virus and infect few computers somehow. Then virus spreads and infect other computers (different ways). Probability that virus infect company AAA which makes AV software and react instantly, is near zero. So they need user reporting with samples, right? But 99,99% of users (or even more) never think about sending viruses to AAA company, they just format / remove virus / whatever. Even if 0,001% wants to report and send sample - how many people from that 0,001% can detect virus, find it on computer and report it? It's almost impossible. But still AV software is up-to-date SOMEHOW. HOW the f*** they do that? If I wrote virus (for example) and send it to my friends, how company AAA detects that and react? This is what I don't understand. And even if I don't believe in conspiracy theories, they're the most logical explanations - AV creators adds lot of viruses they created themselves. I know, that is not true, but I cannot see how they can update virus definitions every week by dozens of new threads.

[KapnKlaus]

13 hours ago, homeap5 said:

Hmmm, you know - I always wonder how it REALLY works. Let's see - mr. XX write new virus and infect few computers somehow. Then virus spreads and infect other computers (different ways). Probability that virus infect company AAA which makes AV software and react instantly, is near zero. So they need user reporting with samples, right? But 99,99% of users (or even more) never think about sending viruses to AAA company, they just format / remove virus / whatever. Even if 0,001% wants to report and send sample - how many people from that 0,001% can detect virus, find it on computer and report it? It's almost impossible. But still AV software is up-to-date SOMEHOW. HOW the f*** they do that? If I wrote virus (for example) and send it to my friends, how company AAA detects that and react? This is what I don't understand. And even if I don't believe in conspiracy theories, they're the most logical explanations - AV creators adds lot of viruses they created themselves. I know, that is not true, but I cannot see how they can update virus definitions every week by dozens of new threads.

The viruses are detected using heuristics algorithms (which are part of the AV software) the software then reports the virus sample to the company and it is submitted in one of the update files to all other owners of the AV software.

[homeap5]

5 hours ago, KapnKlaus said:

The viruses are detected using heuristics algorithms (which are part of the AV software) the software then reports the virus sample to the company and it is submitted in one of the update files to all other owners of the AV software.

Sorry, but virus creators have the same access to av software as regular user. If you want to create virus, for sure you'll check is your virus detectable.

[KapnKlaus]

46 minutes ago, homeap5 said:

Sorry, but virus creators have the same access to av software as regular user. If you want to create virus, for sure you'll check is your virus detectable.

Yes, that is why the AV software uses heuristics 

[homeap5]

1 hour ago, KapnKlaus said:

Yes, that is why the AV software uses heuristics 

You missed my point. Of course it uses heuristics, but if I made a virus (in theory), I'll check if AV with heuristic detects it and made virus that AV don't even notice.

Look how many people have problem with viruses - and they all uses modern AV software with heuristics detection, cloud detection etc. Viruses perfectly coexisting with AV software.

[Ominous]

they make the viruses to get you to buy the antivirus software and then just detect them, big brain move

 

 

 

We won't really know exactly how these systems work for obvious reasons though I think it's like this:

1. The AV on someones computer scans for viruses and matches any existing similarities on AV databases.
2. If something is known to be bad it will "quarantined" there.
3. If the files scanned don't match any known malicious code then it will try:
   • Behavioural detection, catching it when it runs
   • Placing the virus in a runtime environment and monitor its behaviour
   • Heuristic analysis of the code which will then check if there is potential for a virus.  (This is the main method of finding new viruses)
4. If it finds something new, it'll upload its signature and whatnot to the AV company.  It'll then be checked for in future scans.

 

13 hours ago, homeap5 said:

Of course it uses heuristics, but if I made a virus (in theory), I'll check if AV with heuristic detects it and made virus that AV don't even notice.

This is how new viruses are created and it's much easier said than done.  Besides, heuristic engines are updated constantly as human researchers add behavioural patterns to them when they find them.  When someone makes a virus that hasn't been found yet, they usually only last a few days before being detected.

[KapnKlaus]

16 hours ago, homeap5 said:

You missed my point. Of course it uses heuristics, but if I made a virus (in theory), I'll check if AV with heuristic detects it and made virus that AV don't even notice.

Look how many people have problem with viruses - and they all uses modern AV software with heuristics detection, cloud detection etc. Viruses perfectly coexisting with AV software.

I did not miss the point. Heuristics are detection algorithms, they observe application behavior and if something is suspicious they flag it either for manual review or for detection. If a virus is made on one machine and is not detected it is only a matter of a few hours or days before it will be detected.

This is how Heuristics works.

[KapnKlaus]

On 8/6/2019 at 3:41 AM, Kisai said:

 

A mixture of A and B. Many AV companies work together on researching emergent threats, but viruses aren't as static as they were before the internet. Before the internet, you could have an AV product that is years out of date. The internet opened up an entire variety of the polymorphic virus/worm/trojan/malware which changes it's identity (like how HIV works in human populations) so you can't just go "this hash is this virus, nuke it", now that signature is only unique to that version.

 

Most AV products are now "cloud" based, and thus push updates hourly/daily based on emergent threats instead of keeping signatures of millions of viruses going back to 1980, that can't run on current PC's (eg DOS) or don't work on that version of the OS (eg macro viruses designed to work on Office 97 or older versions of Skype, AIM, etc.)

 

I just contacted my favorite antivirus company and was told they use only their own database.

Pretty cool. That would also explain why some antivirus companies are awful and others are amazing.