2021-11-01 11:19
by Amrita Mitra - The Security Buddy
There is an ongoing contest between virus writers and anti-virus experts, and it gets more complicated every day. Virus writers keep trying new tactics to infect systems, and security experts keep finding ways to counter them. And, the battle continues.
Computer viruses have evolved a lot since they were first developed, and their concealment tactics have evolved with them. As a result, traditional anti-virus programs gradually became ineffective. Next Generation Anti-Virus (NGAV) is a technology that uses dynamic analysis instead of static analysis to overcome the shortcomings of traditional anti-virus programs.
Computer viruses use different techniques to conceal themselves so that they remain undetected by anti-virus programs. A number of such strategies are given below:
Encryption
Encryption is the most primitive approach taken by virus writers to evade detection. An encrypted virus consists of two main parts – a decryptor and the virus body. The actual code of the virus is stored encrypted in the virus body; the job of the decryptor is to decrypt the virus body and transfer control of execution to it.
The main purpose of the encryption, as said, is to avoid detection by anti-virus programs. Many anti-virus programs use static analysis of the code to detect a virus. If the main body of the virus is encrypted, it becomes harder for security experts to analyze the virus and for scanners to detect it.
Sometimes, encryption is also used in viruses to prevent unintentional tampering with the virus code.
Though encryption makes virus detection more difficult, it did not prove good enough to avoid detection. Anti-virus programs analyze known viruses and extract unique signatures or patterns from the virus code, by which the particular virus is then detected. So, once an encrypted virus is successfully analyzed and a signature is obtained, anti-virus programs can use it to detect new infections. In particular, if the decryptor of the virus remains the same across new infections, it becomes easier to detect the virus by its decryptor.
Oligomorphism
Oligomorphism is a technique in which the decryptor loop keeps changing in new infections. Normally, a set of decryptors is used interchangeably across new infections, so that signature matching based on a fixed pattern in the decryptor loop becomes difficult.
Polymorphism
As said above, many anti-virus programs use signatures to detect infections by known viruses. When a virus is successfully analyzed, security experts find a unique bit pattern in the virus, called the signature of the virus. Later, when a computer is scanned for viruses, that signature is searched for in the scanned files to detect the virus.
In polymorphism, the virus keeps changing some of its instructions in each new generation so that signature matching fails on the new infections. The virus modifies some pieces of its body to look different in each new infection, and in each new generation it constructs a different decryptor for the next infection.
The main difference between oligomorphism and polymorphism is that polymorphic viruses are capable of creating an infinite number of new decryptors. Moreover, each new decryptor may use several encryption techniques to encrypt the main virus body. As a result, polymorphic viruses are much more difficult to detect.
Metamorphism
In metamorphism, the virus mutates its body by replacing instructions with different-looking but equivalently functioning ones. As a result, the virus's body looks different in each new infection, and it becomes difficult for anti-virus programs to detect it. These viruses are usually not encrypted.
Virus Detection Techniques
Techniques of virus detection have also evolved considerably, and security experts keep applying new techniques to detect viruses. Some of the most popular virus detection techniques are mentioned below:
String Scanning
In this method, the scanner searches the suspect file for the signature string, with some special conditions applied in the byte comparison process. It uses wildcards, generic degrees, etc. to match the signature.
Bookmarks
This technique is used to reduce false positives in virus detection. Several kinds of information can serve as bookmarks; for example, the offset of the virus signature from the beginning of the virus code makes a good bookmark.
Smart Scanning
Virus writers often conceal their code with a set of dummy instructions such as NOPs. In smart scanning, junk instructions like NOPs, or addresses of data and subroutines, etc., are first removed from the virus body, and the result is then scanned for signature matches. This technique is mainly used to detect macro viruses written in text format.
Skeleton Detection
This technique was invented by the Russian virus researcher Eugene Kaspersky, who is also the founder of Kaspersky Anti-Virus.
This method works by first removing from the file a set of instructions that probably do not belong to the virus code, and then starting the scanning process. It parses statements one by one, removing unimportant statements and blank gaps, to obtain the skeleton of the code. The skeleton is then searched for virus signatures.
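As an added example (not code from the original post), the following Python shows both Smart Scanning and Skeleton Detection as described above: comment lines, blank gaps and whitespace are stripped from a macro text before a statement-level signature is compared, and, for the binary case, single-byte NOP padding is dropped before an exact byte match. The macro texts, the byte strings and the signature are constructed for this demo and are not taken from any real macro virus.

```python
import re
from typing import List

# Lines carrying no statement: blank lines and VBA-style comment lines.
COMMENT_LINE = re.compile(r"^\s*(?:'|rem\b)", re.IGNORECASE)


def skeleton(macro_source: str) -> List[str]:
    """Reduce macro text to its skeleton: drop comment and blank lines, strip
    indentation and collapse runs of whitespace, so that the junk lines and
    layout changes a variant inserts no longer affect the comparison."""
    statements = []
    for raw in macro_source.splitlines():
        if not raw.strip() or COMMENT_LINE.match(raw):
            continue
        statements.append(re.sub(r"\s+", " ", raw.strip()))
    return statements


def skeleton_scan(macro_source: str, signature: List[str]) -> bool:
    """The signature is a contiguous run of skeleton statements taken from the
    analyzed sample; report whether it occurs in the skeleton of the input."""
    sk = skeleton(macro_source)
    n = len(signature)
    return any(sk[i:i + n] == signature for i in range(len(sk) - n + 1))


def smart_scan_bytes(code: bytes, signature: bytes, junk: bytes = b"\x90") -> bool:
    """Binary flavour of smart scanning: drop single-byte junk (x86 NOP, 0x90)
    before an exact byte match, so NOP padding between instructions is ignored."""
    stripped = bytes(b for b in code if b not in junk)
    return signature in stripped


# Constructed macro texts for the demo (harmless, not from any real macro virus).
KNOWN = """Sub AutoOpen()
    MsgBox "marker"
    Call Helper(1)
End Sub
"""
PADDED = """Sub    AutoOpen()
' junk comment inserted by the variant
    REM more junk

    MsgBox   "marker"

    ' another comment
    Call Helper(1)
End Sub
"""
CLEAN = """Sub AutoOpen()
    MsgBox "hello"
End Sub
"""
# Signature: two consecutive skeleton statements from the analyzed sample.
SIGNATURE = skeleton(KNOWN)[1:3]   # ['MsgBox "marker"', 'Call Helper(1)']

if __name__ == "__main__":
    print("padded variant matches:", skeleton_scan(PADDED, SIGNATURE))   # True
    print("clean macro matches   :", skeleton_scan(CLEAN, SIGNATURE))    # False
    print("NOP-padded bytes match:",
          smart_scan_bytes(b"\x55\x90\x8b\x90\x90\xec", b"\x55\x8b\xec"))  # True
```

Two caveats a real scanner handles and this demo does not: the whitespace collapse also touches string literals, so production skeleton extraction works on tokens rather than raw lines, and byte-level NOP removal can eat a 0x90 that is an operand rather than an instruction, which is why binary smart scanning is done after disassembly.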
Exact Identification
In this method, more than one run of constant bytes in the virus code is searched for during scanning. As a result, the number of false positives in virus detection drops considerably.
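The three signature-based methods described above (String Scanning, Bookmarks and Exact Identification) can be seen together in the following added Python example, which is not code from the original post: a hex signature with `??` wildcard bytes is compiled to a bytes regex, a bookmark pins the signature to an expected offset from the start of the suspected virus body, and exact identification requires several constant byte runs to match at once. The signature and the two byte strings are constructed for the demo and do not come from any real virus.

```python
import re
from typing import Iterable, Optional, Tuple


def compile_signature(sig: str) -> "re.Pattern[bytes]":
    """Turn a hex signature such as "E8 ?? ?? 00 00 5B" into a bytes regex.
    A "??" token is a wildcard matching any single byte, so one signature can
    cover variants that differ only in, say, a call displacement."""
    parts = []
    for token in sig.split():
        if token == "??":
            parts.append(b".")
        else:
            parts.append(re.escape(bytes([int(token, 16)])))
    return re.compile(b"".join(parts), re.DOTALL)


def string_scan(data: bytes, sig: str) -> Optional[int]:
    """Plain string scanning: offset of the first hit anywhere in data, or None."""
    match = compile_signature(sig).search(data)
    return match.start() if match else None


def bookmark_scan(data: bytes, sig: str, expected_offset: int) -> bool:
    """Bookmarked scanning: the signature must start exactly at expected_offset
    from the beginning of the scanned region (the suspected virus body).
    The same bytes somewhere else in a clean file are treated as coincidence."""
    return compile_signature(sig).match(data, expected_offset) is not None


def exact_identification(data: bytes, checks: Iterable[Tuple[str, int]]) -> bool:
    """Exact identification: several constant byte runs, each pinned to its own
    offset, must all match before the file is reported as infected."""
    return all(bookmark_scan(data, sig, off) for sig, off in checks)


# Constructed demo data; the "signature" and both byte strings are made up for
# this example and are not taken from any real virus.
SAMPLE_SIG = "E8 ?? ?? 00 00 5B 81 EB"      # call rel32 / pop ebx / sub ebx shape
SECOND_SIG = "05 10 40 00"                   # imm32 that follows in the sample
INFECTED = bytes.fromhex("9090" "e810200000" "5b" "81eb" "05104000")
COINCIDENCE = bytes.fromhex("00" "e8aabb0000" "5b" "81eb" "00")

if __name__ == "__main__":
    print("string scan, infected   :", string_scan(INFECTED, SAMPLE_SIG))          # 2
    print("string scan, coincidence:", string_scan(COINCIDENCE, SAMPLE_SIG))       # 1 (false positive)
    print("bookmark @2, infected   :", bookmark_scan(INFECTED, SAMPLE_SIG, 2))     # True
    print("bookmark @2, coincidence:", bookmark_scan(COINCIDENCE, SAMPLE_SIG, 2))  # False
    print("exact id, infected      :",
          exact_identification(INFECTED, [(SAMPLE_SIG, 2), (SECOND_SIG, 10)]))    # True
```

The coincidence sample shows why bookmarks matter: the wildcard signature fires on it at offset 1, but the bookmark check at the expected offset 2 rejects it, and exact identification with a second constant run rejects it as well.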
Heuristics Analysis
In this method, a number of heuristics are used to detect virus infections. Some commonly used heuristic flags may be:
Static Decryptor Detection
This method is used to detect encrypted viruses. String scanning specific to the particular virus is used to detect its decryptor.
X-RAY Scanning
When an encrypted virus is first detected, the plaintext body of that particular virus is obtained. Then a number of encryption techniques commonly used by virus writers are applied to some specific parts of the code, such as the top and tail of the file, the entry point, etc. Using those, the known signature is searched for in an unknown sample.
This technique is normally used against polymorphic viruses. But the problem with this method is that it is very time-consuming.
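An added Python example of the X-RAY idea described above (not code from the original post): for a file region such as the entry-point area, the scanner tries every one-byte key of each encryption method it knows, undoes the transform, and looks for the plaintext signature recovered from the analyzed sample. The signature, the two undo transforms (XOR and ADD with a byte key) and the fixture bytes are constructed for the demo and are not taken from any real virus.

```python
from typing import Callable, Dict, Optional, Tuple

# Plaintext signature recovered from the analyzed sample (constructed here).
PLAIN_SIGNATURE = b"\x8b\x45\xfc\x33\xc0"

# Transforms that undo the single-byte encryptors the scanner knows about:
# "xor" undoes XOR with a byte key, "sub" undoes an ADD-with-byte-key encryptor.
UNDO: Dict[str, Callable[[bytes, int], bytes]] = {
    "xor": lambda data, key: bytes(b ^ key for b in data),
    "sub": lambda data, key: bytes((b - key) & 0xFF for b in data),
}


def xray_scan(region: bytes, signature: bytes = PLAIN_SIGNATURE) -> Optional[Tuple[str, int, int]]:
    """X-RAY scanning of one file region: for each known encryption method try
    every one-byte key, undo it, and look for the plaintext signature.
    Returns (method, key, offset) for the first hit, or None."""
    for method, undo in UNDO.items():
        for key in range(256):
            offset = undo(region, key).find(signature)
            if offset != -1:
                return method, key, offset
    return None


def constructed_sample(method: str, key: int) -> bytes:
    """Builds a constructed fixture for the demo: two filler bytes, then a dummy
    prologue plus the signature, passed through XOR or ADD with `key`.
    These are just bytes for the test, not code from any real virus."""
    plain = b"\x55\x8b\xec" + PLAIN_SIGNATURE + b"\xc3"
    if method == "xor":
        body = bytes(b ^ key for b in plain)
    elif method == "add":
        body = bytes((b + key) & 0xFF for b in plain)
    else:
        raise ValueError(method)
    return b"\x00\x00" + body


if __name__ == "__main__":
    print(xray_scan(constructed_sample("xor", 0x5A)))  # ('xor', 90, 5)
    print(xray_scan(constructed_sample("add", 0x11)))  # ('sub', 17, 5)
    print(xray_scan(b"\x00" * 11))                     # None
```

The cost is methods × keys × region length per file, and it grows as 256^n once the key is n bytes long, which is the time-consuming property noted above and the reason real scanners apply X-RAY only to a few regions such as the top, tail and entry point.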
Code Emulation
This technique is widely used to detect viruses. In this method, a virtual environment simulates the CPU, memory, storage resources and some necessary functions of an operating system, and the virus code is made to run in that environment. Once the code runs, its behavior is observed and analyzed, and that information is used to detect new infections of the virus.
Disadvantages of traditional virus detection techniques
Though the techniques of virus detection have improved a lot over time, they have their own disadvantages, which eventually made traditional anti-virus programs ineffective. A number of them are mentioned below:
What is NGAV or the Next Generation Anti-Virus?
Next Generation Anti-Virus (NGAV) is a technique that relies on machine learning to dissect new viruses in an automated way. It uses a dynamic analysis approach to detect viruses, instead of relying on analysis based on previously captured virus samples. As a result, NGAV products are much more effective than traditional anti-virus programs in detecting new viruses and zero-day threats (What are Zero-Day Threats?).