String/signature comparison in antivirus software
Does signature-based AntiVirus software match each currently-scanned file with all strings/signatures that exist in the database? Does it need to pass through all signatures in order to compare them with a file? The comparison is done from the "database to the file" not from the "file to the database", is that true ?
The second question: is it possible for the AV engine to extract the string/signature (NOT a hash of the whole file) from a file first, and then check whether that string is in the database or not? Is there any known AV that works this way?
Typically this is done by using the database of known virus signatures to build a state machine (often something very similar to the Aho-Corasick string search algorithm). Each file to be checked is then run through the state machine. This turns out to be surprisingly fast, as all matching virus signatures can be found in a single pass through the file.
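The single-pass scan the answer describes, as an added Python example (illustrative code written for this page, not the answerer's code and not any real AV engine's source). The signature names, the byte patterns and the sample "file" are all constructed for the example; `naive_scan` is the per-signature loop the question assumes and is kept only as a reference to show that both approaches report exactly the same hits, while the automaton touches each input byte once no matter how many signatures are loaded.

```python
from collections import deque


class SignatureScanner:
    """Aho-Corasick automaton over byte strings: every signature in the
    database is compiled into one state machine up front, so a scan is a
    single pass over the file regardless of how many signatures exist."""

    def __init__(self, signatures):
        # signatures: {name: bytes}. State 0 is the root of the trie.
        self.goto = [{}]   # per state: byte -> next state
        self.fail = [0]    # per state: longest proper suffix that is a trie path
        self.out = [[]]    # per state: (name, length) of signatures ending here
        for name, pattern in signatures.items():
            self._insert(name, pattern)
        self._link_failures()

    def _insert(self, name, pattern):
        state = 0
        for byte in pattern:
            nxt = self.goto[state].get(byte)
            if nxt is None:
                nxt = len(self.goto)
                self.goto.append({})
                self.fail.append(0)
                self.out.append([])
                self.goto[state][byte] = nxt
            state = nxt
        self.out[state].append((name, len(pattern)))

    def _link_failures(self):
        # Breadth-first, so fail[] and out[] of shallower states are final first.
        queue = deque(self.goto[0].values())   # depth-1 states fail to the root
        while queue:
            r = queue.popleft()
            for byte, s in self.goto[r].items():
                f = self.fail[r]
                while f and byte not in self.goto[f]:
                    f = self.fail[f]
                self.fail[s] = self.goto[f].get(byte, 0)
                # A signature that is a suffix of this path matches here as well.
                self.out[s] = self.out[s] + self.out[self.fail[s]]
                queue.append(s)

    def scan(self, data):
        """One pass over data; returns sorted (offset, name) for every hit."""
        hits = []
        state = 0
        for i, byte in enumerate(data):
            while state and byte not in self.goto[state]:
                state = self.fail[state]
            state = self.goto[state].get(byte, 0)
            for name, length in self.out[state]:
                hits.append((i - length + 1, name))
        return sorted(hits)


def naive_scan(signatures, data):
    """Reference only: one search per signature (O(#signatures * file size))."""
    hits = []
    for name, pattern in signatures.items():
        start = 0
        while True:
            idx = data.find(pattern, start)
            if idx < 0:
                break
            hits.append((idx, name))
            start = idx + 1
    return sorted(hits)


# Constructed toy signature database (real engines hold millions of entries).
SIGNATURES = {
    "Packer.X":    b"\x60\xE8\x00\x00\x00\x00",   # pushad; call $+5 stub
    "Dropper.A":   b"cmd.exe /c",
    "Dropper.B":   b"/c del",                      # suffix of a Dropper.A hit
    "Test.Marker": b"TEST-SIGNATURE-STRING",
}

# Constructed sample "file": fake DOS header, the stub, a command line, a marker.
SAMPLE = (b"MZ\x90\x00" + b"\x00" * 8
          + b"\x60\xE8\x00\x00\x00\x00\x5D"
          + b"cmd.exe /c del C:\\x.tmp "
          + b"TEST-SIGNATURE-STRING")


def scan_sample():
    """Run the compiled automaton once over the sample file."""
    return SignatureScanner(SIGNATURES).scan(SAMPLE)


if __name__ == "__main__":
    for offset, name in scan_sample():
        print(f"offset {offset:5d}: {name}")
```

The automaton is built from the database once and then applied to each file, which is the "database to the file" direction the question asks about; nothing is extracted from the file and looked up, the file's bytes simply drive the state machine. Overlapping signatures (here `Dropper.B` inside the `Dropper.A` match) are reported by the failure links without rescanning.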