Tuts 4 You

Want to develop Antivirus


MacMike


Hello Everyone,

I am almost finished learning algorithms in the C programming language. My goal is to develop antivirus software.

My question is: where should I start?
I am looking for your valuable opinion.

Thanks 


Man, I love you, in a manly way of course!

What you mentioned that you have learned is not enough to do that; you need more experience before jumping to a complicated project like an AV.

Edited by Kurapica

You have a long way to go before you will even come close to writing any type of anti-virus that has any real usage/purpose. Simple understandings of C are not going to get you that far. 

You need to have a very good understanding of a low-level language such as C and C++ in general and ASM. Along with that, you need to take the time to really learn the inner workings of Windows and the much lower level aspects of the OS. Your AV is going to need to do kernel level things (drivers), hooks, etc. if you expect to handle any type of real detections and protections today. With how low-level things have gotten with things like rootkits and other forms of virus/malware, doing things in user-mode is never going to be enough.

Based on your post, you are really far from any of this. Take the time to learn what you are doing; otherwise you are going to produce garbage that no one will want to use.

2 hours ago, atom0s said:

You have a long way to go before you will even come close to writing any type of anti-virus that has any real usage/purpose. Simple understandings of C are not going to get you that far. 

You need to have a very good understanding of a low-level language such as C and C++ in general and ASM. Along with that, you need to take the time to really learn the inner workings of Windows and the much lower level aspects of the OS. Your AV is going to need to do kernel level things (drivers), hooks, etc. if you expect to handle any type of real detections and protections today. With how low-level things have gotten with things like rootkits and other forms of virus/malware, doing things in user-mode is never going to be enough.

Based on your post, you are really far from any of this. Take the time to learn what you are doing; otherwise you are going to produce garbage that no one will want to use.

I think I must finish algorithms and data structures first and then learn the internals of Windows.

 

Edited by MacMike

Did you read ANY of what atom0s or Kurapica said at all? Finishing your data structure and algo is POINTLESS, as it will most likely change once you learn more C/C++, asm, drivers, and OS internals...

Also bear in mind that there are already very good anti-virus products out there, so how on earth do you think you'll even be able to compete with those? Don't run before you can walk.

Edited by evlncrn8

What if I reverse engineer an existing antivirus and develop my own?
Thanks for your comment.

Edited by MacMike
11 hours ago, MacMike said:

What if I reverse engineer an existing antivirus and develop my own?
Thanks for your comment.

I think it's the best idea; you can later share your findings with the rest of the community. I'm sure we can learn from this.

26 minutes ago, Kurapica said:

I think it's the best idea; you can later share your findings with the rest of the community. I'm sure we can learn from this.

Sure, thanks. Meanwhile, if I need any help I will post here.
Thanks


This is a worthy idea and should be encouraged.

To write a simple anti-virus program requires only some checksumming or pattern-matching.

You can checksum an entire file and compare the sum to a list of known bad sums, and report if you find a match.  However, this will detect only that single file and will miss all variants of it.

You can use pattern-matching to look for sequences of bytes in the file, and report if you find a match.  This will detect some variants of the file, if only other bytes are changed.

This will get you started.  As you add more sums and patterns, you'll see that the performance degrades quickly.  At that point, you might begin to research different ways to perform multiple pattern-matching simultaneously, instead of one-at-a-time.

Pattern-matching can be made faster if you parse the file format to locate specific areas of interest (like the entrypoint of the file, for example).

There are also checksumming algorithms that are faster but weaker - there can be many common files that have the same sum - or slower but stronger (fewer files found easily with the same sum).

 

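As an added example (not Peter's code or anything from this thread), here is the starting point he describes, in the C the original poster is learning: a whole-file checksum compared against a list of known-bad sums, plus one-at-a-time byte-pattern matching. The sample bytes, the FNV-1a checksum choice and the `EVIL_MARKER` signature are constructed for illustration; scanning a one-byte variant shows why the checksum misses it while the pattern still fires.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Whole-file checksum: 32-bit FNV-1a. Fast but weak in the sense described
 * above: unrelated files may share a sum, and any one-byte change gives a new one. */
uint32_t checksum_fnv1a(const uint8_t *data, size_t len) {
    uint32_t h = 2166136261u;                  /* FNV offset basis */
    for (size_t i = 0; i < len; i++) { h ^= data[i]; h *= 16777619u; }
    return h;
}

/* One byte-sequence signature to look for anywhere in the file. */
typedef struct { const uint8_t *bytes; size_t len; const char *name; } pattern_t;

/* Naive search: offset of the first match, or -1. Each pattern is checked in
 * its own pass over the file, which is why the cost grows with every signature. */
long find_pattern(const uint8_t *data, size_t len, const pattern_t *p) {
    if (p->len == 0 || p->len > len) return -1;
    for (size_t i = 0; i + p->len <= len; i++)
        if (memcmp(data + i, p->bytes, p->len) == 0) return (long)i;
    return -1;
}

/* Verdict bits returned by scan_buffer(). */
enum { CLEAN = 0, HIT_CHECKSUM = 1, HIT_PATTERN = 2 };

int scan_buffer(const uint8_t *data, size_t len,
                const uint32_t *bad_sums, size_t nsums,
                const pattern_t *pats, size_t npats) {
    int verdict = CLEAN;
    uint32_t sum = checksum_fnv1a(data, len);
    for (size_t i = 0; i < nsums; i++)
        if (bad_sums[i] == sum) { verdict |= HIT_CHECKSUM; break; }
    for (size_t i = 0; i < npats; i++)
        if (find_pattern(data, len, &pats[i]) >= 0) { verdict |= HIT_PATTERN; break; }
    return verdict;
}

/* Constructed stand-in for a captured sample (not real malware) and a variant
 * that differs in a single byte outside the marker. */
static const uint8_t SAMPLE[]  = "MZ\x90\x00" "payload:EVIL_MARKER_1234" "\x00\x00";
static const uint8_t VARIANT[] = "MZ\x90\x00" "payload:EVIL_MARKER_1234" "\x00\x01";

/* Scans the sample and its variant; the "vendor" list holds only the sample's sum. */
void scan_sample_and_variant(int *sample_verdict, int *variant_verdict) {
    static const uint8_t marker[] = "EVIL_MARKER";
    pattern_t pats[] = { { marker, sizeof marker - 1, "Constructed.Marker" } };
    uint32_t bad_sums[] = { checksum_fnv1a(SAMPLE, sizeof SAMPLE - 1) };
    *sample_verdict  = scan_buffer(SAMPLE,  sizeof SAMPLE  - 1, bad_sums, 1, pats, 1);
    *variant_verdict = scan_buffer(VARIANT, sizeof VARIANT - 1, bad_sums, 1, pats, 1);
}
```

The original sample is flagged by both methods, the variant only by the pattern; replacing the per-pattern loop with a multi-pattern automaton is the "simultaneous matching" step the post points to next.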

@Peter Ferrie - are there any CUDA-based scanners? I was considering doing CUDA for pid; I got the loading-PE-into-memory bit done, but then I hit a little hurdle trying to do everything in asm, so delayed it for pid 7.

5 hours ago, Peter Ferrie said:

This is a worthy idea and should be encouraged.

To write a simple anti-virus program requires only some checksumming or pattern-matching.

You can checksum an entire file and compare the sum to a list of known bad sums, and report if you find a match.  However, this will detect only that single file and will miss all variants of it.

You can use pattern-matching to look for sequences of bytes in the file, and report if you find a match.  This will detect some variants of the file, if only other bytes are changed.

This will get you started.  As you add more sums and patterns, you'll see that the performance degrades quickly.  At that point, you might begin to research different ways to perform multiple pattern-matching simultaneously, instead of one-at-a-time.

Pattern-matching can be made faster if you parse the file format to locate specific areas of interest (like the entrypoint of the file, for example).

There are also checksumming algorithms that are faster but weaker - there can be many common files that have the same sum - or slower but stronger (fewer files found easily with the same sum).

 

These days, I would say that without proper heuristics checking in place, the AV would be of very limited use. While I agree that pattern matching is still used, it is far less useful than it was several years ago. We also need to implement solutions to bypass malware techniques that would try to shut down the AV processes, and a lot more.

I agree with the general ideas of the others in this thread that creating a new AV software is not something that a beginner should embark upon. If they are doing it for their own learning and understanding then it is fine but not as a commercial venture or to use it in production.

A much better first step would be to dissect existing AV software and see how they function.

On 12/7/2018 at 11:52 AM, evlncrn8 said:

@Peter Ferrie - are there any CUDA-based scanners? I was considering doing CUDA for pid; I got the loading-PE-into-memory bit done, but then I hit a little hurdle trying to do everything in asm, so delayed it for pid 7.

There is a library from Intel for GPU-based string-scanning, but it's specific to Intel GPUs.

There are currently no general-purpose scanners on CUDA.  Yours could be first! 🙂

On 12/7/2018 at 4:31 PM, Techlord said:

These days, I would say that without proper heuristics checking in place, the AV would be of very limited use. While I agree that pattern matching is still used, it is far less useful than it was several years ago. We also need to implement solutions to bypass malware techniques that would try to shut down the AV processes, and a lot more.

I agree with the general ideas of the others in this thread that creating a new AV software is not something that a beginner should embark upon. If they are doing it for their own learning and understanding then it is fine but not as a commercial venture or to use it in production.

A much better first step would be to dissect existing AV software and see how they function.

 

 

A project for the sake of a project is worth writing, regardless of what exists now.  Imagine if Linus had been discouraged by someone because Unix existed already. 🙂

There are many features that modern AVs have, but these were added over time, and the same can be done for this project.  These features become goals, once the base is done.

To dissect existing AV software via anything other than observation of behaviour could prevent someone from inventing something new, because now the ideas are influenced by what was seen.

 


Considering most of us do not slow our computers down with such an invasive anti-virus tool, it is really hard to justify such a security tool as being useful.  Software signing, kernel driver protections, etc. and so forth have largely made running software more of an issue of trust and thereby eliminated the need to play this cat and mouse game.  This game just pushes on to decidability and the halting problem, and really, do you want a tool on your machine trying to heuristically solve all of these, an immensely complex task?  Probably you need an extra computer server to do your dedicated antivirus processing tool.  Otherwise, most of these big companies are using common tricks and scare tactics to get normal people to "feel" safe, but there is no evidence such tools are genuinely needed or even can do anything against the cutting edge problems.  And as for the big power players, they will just hack your BIOS and lower, and it's still useless when your whole system is hypervised - something a higher percentage of people in the RE world already have installed... but most people who cannot see the empire's handlers and boogiemen somehow believe they are "free" and "independent"... laugh


Some common sense can be a better alternative to a commercial AV; save money, CPU cycles and HDD/SSD life. Personally, I don't use an AV. In my humble opinion, which can be proven wrong, an AV is no different from the green lock in our browser's address bar: it's just there to give you the illusion of "your connection is secure", but most of you know the rest of the story. Let's not start a paranoia circus :D

15 hours ago, Lumusfor said:

There is no real role for anti-virus software IMO, unless it's for computer-illiterate users.

They are generally aimed at those easily scared by flashy words like "virus", "infected" and the scare tactics that all their data will be lost and they are going to be targeted by ransomware. The people that fall for this stuff are those that generally also fall for ads on sites that flash/blink and tell them they won a million dollars. In some regards it's helpful for those kinds of people, but in most cases most AVs fail to keep up with bleeding edge stuff and fail to really protect anyone's system at all. Then they themselves eat up the resources of the system and suggest buying other products to speed up their system by the same company, etc. It's a cycle of scamming.

