-
Jun 13th, 2000, 11:54 AM
#1
Thread Starter
Addicted Member
How can I, like, scan files to see if they are a virus???
I want to make a virus detector myself.
-
Jun 13th, 2000, 12:39 PM
#2
Hyperactive Member
I have made an app called Watchdog. The people at work use it to watch dirs or files for changes. It calculates the filelen (file size) and compares it to the old results every time it makes a scan. U can keep the old results in an *.ini file or in the registry so you can use them every time you start your app. That's even good for people who have a document on a server and are waiting for other people to, for example, fill in something in that document; then he doesn't have to check it every hour, the app does it for him.
Good luck, and I hope to hear from you when you have some results. (I have the code for the file size of a dir if u want.)
-
Jun 13th, 2000, 12:47 PM
#3
Addicted Member
I would like the code!!
Hey Libero, I would like the code if possible! Post it here in this topic if you can!
Thanks!!
-
Jun 13th, 2000, 02:07 PM
#4
Fanatic Member
What kind of viruses will you look for? The easy way is like what is written above, but if many files change, how will you know if there is a virus?
Sure, exe and dll files shouldn't change, but macro viruses in Word and Excel???
There are many types. Proper virus scanners search the gaps of the PE format, known signatures or new calls added in. Sometimes they are as simple as a .com file: if an executable file is called without the exe, then the com will execute first; when the virus has loaded, the exe is called as usual, with no corruption of the exe (although mainly a DOS problem).
One of the patches I saw from a virus vendor for the "I Love You" virus merely checked the subject line of the mail and not even the attachment, so the newer version that changed the name completely defeated it, but that was a poor effort by the virus company.
I think you'll need to do a bit more research on exactly what you want to build; a proper virus scanner is not a small job.
Paul Dwyer 
Network Engineer
Aussie In Tokyo
Using Powerbasic 6 & VB6 SP4 (Please also add your VB Version to your signature!)
-
Jun 13th, 2000, 02:32 PM
#5
Hyperactive Member
Observe! You can't look for a specific virus with this. But you can watch every change.
With a commandbutton and a textbox.
Code:
Private Sub Command1_Click()
    Dim FileName As String
    Dim FileSize As Currency    ' Currency holds totals larger than a Long
    Dim Directory As String

    Directory = "C:\"
    FileName = Dir$(Directory)  ' first file in the directory
    FileSize = 0

    ' Add up the size of every file Dir$ returns for this directory
    Do While FileName <> ""
        FileSize = FileSize + FileLen(Directory & FileName)
        FileName = Dir$         ' next file; "" when there are no more
    Loop

    Text1.Text = Str$(FileSize)
End Sub
-
Jun 13th, 2000, 02:48 PM
#6
Fanatic Member
Interesting idea,
You should use a recursive algorithm to scan the directories and throw the data into a UDT.
Then you could write a report page...
How far have you got with your actual version? (I gather that this is just a snippet.)
Cheers
Paul Dwyer 
Network Engineer
Aussie In Tokyo
Using Powerbasic 6 & VB6 SP4 (Please also add your VB Version to your signature!)
-
Jun 13th, 2000, 03:05 PM
#7
Addicted Member
Probably a dumb question..but anyways.
I really don't understand how an anti virus scans for viruses..I know that it searches for changes in files but that's it
Now here's the dumb question...
Does an anti virus actually search for specific code that a virus would have? Or does it just search for the names of the virus and other stuff that was listed above?
If the anti virus doesn't search for the code itself...maybe adding a "code searcher" feature to the anti virus might make it more effective. I guess it would have to come with a decompiler/disassembler for EVERY computer language out there..so it could do the job (hate to see the size of that baby..hee hee). If the anti virus has this ability already..I didn't know, because I don't understand how it works completely yet.
Later :0)
-
Jun 13th, 2000, 03:22 PM
#8
Fanatic Member
The virus software programs have an option for full search (otherwise they just check system files, memory and other files when they change against a checksum).
This full search actually scans each file for a "signature"; the files are not decompiled (this would not really be possible) but the binary versions are searched. The anti virus software holds a database of signatures to look for, which is why you need updates.
A virus signature is just a string of bits or bytes (or a pattern at a certain point of an exe etc.) that anti virus vendors know indicates a virus to be present in a file.
It's just pattern matching for known virus patterns. Your entire drive can be searched, which is very time consuming, especially for files that may need to be decompressed first.
Paul Dwyer 
Network Engineer
Aussie In Tokyo
Using Powerbasic 6 & VB6 SP4 (Please also add your VB Version to your signature!)
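The signature search described in post #8, as an added example that is not part of the original thread and is written in Python rather than VB: it searches the raw bytes of a file for patterns that may sit anywhere or only at a fixed offset, whatever the file is named. `Signature`, `SIGNATURE_DB` and `scan_file` are hypothetical names, and the two byte patterns are constructed and harmless, not real virus signatures.

```python
from dataclasses import dataclass
from typing import List, Optional

@dataclass(frozen=True)
class Signature:
    name: str
    pattern: bytes
    offset: Optional[int] = None  # None: anywhere in the file; int: only at this offset

# Constructed, harmless byte patterns for illustration (not real virus signatures).
SIGNATURE_DB = [
    Signature("Demo.Floating", bytes.fromhex("deadbeef4b1dfeed")),
    Signature("Demo.AtOffset", b"MZ\x13\x37demo", offset=0),
]

def scan_file(path: str, db: List[Signature] = SIGNATURE_DB,
              chunk_size: int = 64 * 1024) -> List[str]:
    """Return the sorted names of signatures found in the raw bytes of `path`.

    The file is read in chunks; the last len(longest pattern) - 1 bytes of each
    window are carried over so a pattern split across two reads is still seen.
    """
    overlap = max(len(s.pattern) for s in db) - 1
    hits = set()
    tail = b""
    pos = 0  # absolute file offset of window[0]
    with open(path, "rb") as fh:
        while True:
            chunk = fh.read(chunk_size)
            if not chunk:
                break
            window = tail + chunk
            for sig in db:
                if sig.offset is None:
                    found = sig.pattern in window
                else:
                    rel = sig.offset - pos  # where the anchor falls in this window
                    found = rel >= 0 and window.startswith(sig.pattern, rel)
                if found:
                    hits.add(sig.name)
            tail = window[-overlap:] if overlap > 0 else b""
            pos += len(window) - len(tail)
    return sorted(hits)
```

The file name never enters the decision, so a renamed copy is still matched; a pattern the database does not hold is not, which is why the signature database needs updates.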
-
Jun 13th, 2000, 04:40 PM
#9
Hyperactive Member
>Paul282 Can you please explain what you mean by the recursive algorithm and UDT? I would be very happy to update my software with more sophisticated things. My app works like this: first I have to make a choice whether I should watch a specific file or a directory, then the program makes a scan every 10 sec. If the file or dir size has changed since the last scan, then the user will be notified with a messagebox or with a sound notification. The program now updates the new size. When I close my app I store the sizes in an inifile, so I can resume the scans. It also stores file/dir name and date/time in a .dat file so I can log every change. I would appreciate new ideas.
-
Jun 13th, 2000, 05:13 PM
#10
Addicted Member
Thanks Paul
Now I understand a little better..hee hee. I was wondering how the "iloveyou" virus got past all the anti v's, since iloveyou was still a worm..like morris, happy99..whatever others there are. I wondered why the anti v didn't catch it...and that's why all the modifying worms that came from iloveyou still affected people..ok kool, now I know.
-
Jun 13th, 2000, 05:53 PM
#11
Fanatic Member
A recursive algorithm is one that calls itself.
To put it in pseudo code:
Code:
Sub GetFiles(Directory As String)
    get files for path "Directory"
    If file is a Directory Then
        GetFiles(filePath) ' calls itself
    Else
        Add to list
    End If
End Sub
If you look around for the quicksort algorithm, it's recursive. When writing your own you have to be a bit careful of memory, and infinite loops can be a problem.
In the above function a directory is searched, and when a file found is a directory it is searched too, so it keeps going till all the directories and subdirectories have been searched.
A UDT is a User Defined Type (or a Struct in C/C++). You are probably familiar with them; arrays of UDTs are very good for holding data in memory like a DB without having to go all the way to classes and objects, and are often cleaner and smaller than multi-dimensional arrays.
Paul Dwyer 
Network Engineer
Aussie In Tokyo
Using Powerbasic 6 & VB6 SP4 (Please also add your VB Version to your signature!)
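The recursive scan and UDT suggested above, applied to the Watchdog idea from earlier in the thread, as an added example in Python that is not code from any poster: each file gets a record holding its size and a checksum, so a same-length modification that a size comparison misses is still reported. `FileRecord`, `snapshot` and `compare` are hypothetical names, and SHA-256 is an assumption made here (the thread only says "checksum").

```python
import hashlib
import os
from dataclasses import dataclass

@dataclass(frozen=True)
class FileRecord:  # plays the role of the UDT: one record per file
    size: int
    sha256: str

def _digest(path):
    """SHA-256 of a file, read in blocks so large files do not fill memory."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(65536), b""):
            h.update(block)
    return h.hexdigest()

def snapshot(directory, records=None):
    """Recursively record size and checksum for every file under `directory`."""
    if records is None:
        records = {}
    with os.scandir(directory) as entries:
        for entry in entries:
            # Symlinks are skipped so a link back to a parent cannot cause endless recursion.
            if entry.is_dir(follow_symlinks=False):
                snapshot(entry.path, records)  # calls itself for each subdirectory
            elif entry.is_file(follow_symlinks=False):
                records[entry.path] = FileRecord(entry.stat().st_size, _digest(entry.path))
    return records

def compare(old, new):
    """Classify the differences between two snapshots of the same tree."""
    report = {"added": [], "removed": [], "size_changed": [], "content_changed": []}
    for path in sorted(set(old) | set(new)):
        if path not in old:
            report["added"].append(path)
        elif path not in new:
            report["removed"].append(path)
        elif old[path].size != new[path].size:
            report["size_changed"].append(path)
        elif old[path].sha256 != new[path].sha256:
            report["content_changed"].append(path)  # same length, different bytes
    return report
```

A watcher that sums file sizes for a whole directory would report nothing for the `content_changed` case, and nothing when one file grows by as much as another shrinks.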