"Malicious Code Detection Technologies"
There is a whitepaper (PDF) by Kaspersky titled “Malicious Code Detection Technologies” which describes some basic concepts of AV technology.
Two components:
- technical component: selects the data that will be analyzed
- analytical component: decision making system
Technical component (listed in order of increasing level of abstraction):
- scanning files: simple comparison of bytes
- emulation: focus on events in a fully contained, controlled and separate environment
- virtualization / sandboxing: restrictions on interactions with the operating system; occurs in the real world
- monitoring system events: simultaneous observation of all programs to understand their impact on the operating system (e.g. by intercepting system calls)
- scanning for system anomalies: analyze if the system status is “healthy” or “unhealthy”
Practical facets of the technical component:
- resource consumption
- security
- protection
Analytical component (listed in order of increasing level of sophistication):
- simple comparison: compare a single object / action to a sample and decide whether “yes” or “no”
- complex comparison: comparison of one or multiple objects / actions with corresponding samples and decide a probability
- expert systems: sophisticated analysis of data
Practical facets of the analytical component:
- proactivity
- false positive rate
- level of user involvement
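As an added illustration (not code from the whitepaper or from Kaspersky), a toy Python model of the two components: a technical component that selects file bytes and system events, an analytical component with a simple yes/no comparison beside a complex comparison that yields a probability, and a threshold that trades proactivity against the false positive rate. All signatures, event names, weights and sample data are constructed.

```python
from dataclasses import dataclass

@dataclass
class Observation:
    """What the technical component hands to the analytical component."""
    file_bytes: bytes   # from scanning the file
    events: list        # from monitoring system events (constructed names)

def technical_component(file_bytes, syscall_log):
    """Select the data to analyse: raw bytes plus the events of interest
    filtered out of a (constructed) system-call log."""
    interesting = {"CreateRemoteThread", "WriteProcessMemory", "RegSetValue_Run"}
    return Observation(file_bytes, [e for e in syscall_log if e in interesting])

# Analytical level 1, simple comparison: one object against one sample, yes/no.
SIGNATURE = b"\xde\xad\xbe\xef"   # constructed byte pattern, not a real signature

def simple_comparison(obs):
    return SIGNATURE in obs.file_bytes

# Analytical level 2, complex comparison: several objects/actions, each matched
# against a sample, combined into a probability. Weights are constructed.
INDICATORS = [
    ("known byte fragment",    lambda o: SIGNATURE in o.file_bytes,         0.6),
    ("remote thread creation", lambda o: "CreateRemoteThread" in o.events,  0.5),
    ("writes foreign process", lambda o: "WriteProcessMemory" in o.events,  0.4),
    ("Run-key persistence",    lambda o: "RegSetValue_Run" in o.events,     0.3),
]

def complex_comparison(obs):
    """Noisy-OR: P(malicious) = 1 - prod(1 - w) over the matched indicators."""
    matched = [(name, w) for name, pred, w in INDICATORS if pred(obs)]
    p_clean = 1.0
    for _, w in matched:
        p_clean *= 1 - w
    return round(1 - p_clean, 4), [name for name, _ in matched]

def verdict(obs, threshold=0.5):
    """Combine both levels: a signature hit is decisive; otherwise the
    probability must reach the threshold (raise it to cut false positives)."""
    score, matched = complex_comparison(obs)
    return simple_comparison(obs) or score >= threshold, score, matched

# Constructed samples: a known-bad file, an unknown injector, and a benign tool.
KNOWN_BAD = technical_component(b"MZ...\xde\xad\xbe\xef...", ["CreateRemoteThread", "NtClose"])
UNKNOWN   = technical_component(b"MZ...", ["WriteProcessMemory", "CreateRemoteThread", "RegSetValue_Run"])
BENIGN    = technical_component(b"MZ...", ["WriteProcessMemory"])  # e.g. a debugger
```

The UNKNOWN sample shows the proactivity facet: the simple comparison misses it, the complex comparison still flags it; the BENIGN sample shows how lowering the threshold raises the false positive rate.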