About Dr Solomon’s Anti-Virus
28
Dr Solomon’s Anti-Virus
Encrypted polymorphic virus detection
Along with generic virus variant detection, the scan engine now incorporates
a generic decryption engine, a set of routines that enables Dr Solomon’s
Anti-Virus to track viruses that try to conceal themselves by encrypting and
mutating their code signatures. These “polymorphic” viruses are notoriously
difficult to detect, since they change their code signature each time they
replicate.
This meant that the simple pattern-matching method that earlier scan engine
incarnations used to find many viruses simply no longer worked, since no
constant sequence of bytes existed to detect. To respond to this threat, Dr
Solomon’s researchers developed the PolyScan Decryption Engine, which
locates and analyzes the algorithm that these types of viruses use to encrypt
and decrypt themselves. It then runs this code through its paces in an
emulated virtual machine in order to understand how the viruses mutate
themselves. Once it does so, the engine can spot the “undisguised” nature of
these viruses, and thereby detect them reliably no matter how they try to hide
themselves.
“Double heuristics” analysis
As a further engine enhancement, Dr Solomon’s researchers have honed early
heuristic scanning technologies—originally developed to detect the
astonishing flood of macro virus variants that erupted after 1995—into a set of
precision instruments. Heuristic scanning techniques rely on the engine’s
experience with previous viruses to predict the likelihood that a suspicious file
is an as-yet unidentified or unclassified new virus.
The scan engine now incorporates ViruLogic, a heuristic technique that can
observe a program’s behavior and evaluate how closely it resembles either a
macro virus or a file-infecting virus. ViruLogic looks for virus-like behaviors
in program functions, such as covert file modifications, background calls or
invocations of e-mail clients, and other methods that viruses can use to
replicate themselves. When the number of these types of behaviors—or their
inherent quality—reaches a predetermined threshold of tolerance, the engine
fingers the program as a likely virus.
The engine also “triangulates” its evaluation by looking for program behavior
that no virus would display—prompting for some types of user input, for
example—in order to eliminate false positive detections. This double-heuristic
combination of “positive” and “negative” techniques results in an
unsurpassed detection rate with few, if any, costly misidentifications.
Summary of Contents for DR SOLOMON S ANTI-VIRUS 8.5
Page 1: ...Dr Solomon s Anti Virus Administrator s Guide Version 8 5 ...
Page 146: ...Using Dr Solomon s Anti Virus Administrative Utilities 146 Dr Solomon s Anti Virus ...
Page 166: ...Installed Files 166 Dr Solomon s Anti Virus ...
Page 184: ...Using Dr Solomon s Anti Virus Command line Options 184 Dr Solomon s Anti Virus ...
Page 216: ...Understanding iDAT Technology 216 Dr Solomon s Anti Virus ...