How to write signatures database for AntiVirus?

i wrote small code in C to scan all files & folders in my hard drive... and it also can read the upper part of the binary code of executable files (like .exe ) and compare it with an inline single binary signature (in hexadecimal representation) . It can show a message if the signature matches the bin code of any scanned file.

We notice that i saved the sample signature in an array because it is just one signatur开发者_C百科e. What i have to do if i want to add lots of other signatures! I need to use a database! But what kind of database do i need? and shall i need to use SQL query to get and compare the signatures! what kind of database do the commercial antiviruses (Kaspersky, Symantic, ..etc) use? any idea plz?

Berkeley DB is a free/open source embedded database library that is basically a key-value store on disk (search tree or hash table, depending on settings). It's even simpler than SQLite because it avoids the idea of relational data and SQL.

You could use virus signatures as keys and their names as values, for example.

SQLite might be a good choice for your application. It's a light footprint SQL engine as compared to full blown RDBMS systems like SQL Server / Oracle, etc.

A side note: you might consider keeping this database in a location other than the system in question. It seems as if you are concerned about malicious users modifying the contents of your drive. If so, those same users could easily be aware of your scheme and ensure that any files they change are also reflected with a new hash value in your database, so when you go to do a comparison, they will always match. If instead, you run your program, store the hash values in a database that is on a different system, you can be more comfortable that your database wasn't compromised, because both systems would have to have been taken over.

professional avs don't use sql to match virus signatures. it;s a much more complicated process. take a look at http://sourceforge.net/projects/clamwin/ if you are interested in the subject. Or on Kaspersky 2008 leaked sources ...