Internet Security Professional Reference:Viruses


Over the past few years, the explosion of new polymorphic viruses has forced antivirus companies to investigate new virus scanner detection techniques. At first, few polymorphic viruses existed. When a virus was too complex to detect with traditional algorithmic or string scanner technology, researchers wrote a highly specialized detection program (in assembly language or a high-level language) for each polymorphic virus. This process was quite expensive and often required weeks or even months of work per virus.

Today, the increasing number of polymorphic viruses makes specialized detection even more costly. With new nonpolymorphic viruses being written and released on a frequent basis, antivirus producers can’t afford to spend long hours writing specialized detection programs for the minority of viruses that are polymorphic. Consequently, antivirus researchers have developed an entirely new technique for detecting polymorphic viruses, named generic decryption (GD).

Thus far, generic decryption has proven to be the most successful technique for detecting polymorphic viruses. The GD scheme is based on the following assumptions: First, the polymorphic virus to be detected must contain at least a small section of machine code that is consistent from one generation to the next, even if this code is stored encrypted. Second, if the polymorphic virus executes, the decryption routine of the virus must properly decrypt this static viral code and transfer control to it.

The GD scheme scans for polymorphic file viruses in the following manner: The scanner executes the target file’s machine code inside a fully contained virtual machine; the emulated program executes as if it were running normally under DOS. However, because the program executes in a virtual machine, it can’t affect the actual state of the computer in any way. If the target file is infected by a virus, this emulation proceeds until the virus has decrypted itself and transferred control to the unchanging virus body. After this decryption finishes, the scanner searches the decrypted regions of virtual memory for virus signatures to determine the virus strain.

Rather than identifying the virus based on its changing polymorphic decryption routine (as did the earlier algorithmic definitions), this scheme tricks the virus into decrypting itself and revealing its innards. However, if a virus doesn’t satisfy both preconditions described above, this scheme isn’t guaranteed to work. Specifically, if the virus fails to decrypt itself, or if it doesn’t contain at least a small unchanging body of machine language instructions, then the GD scanner is unable to scan for signatures and detect the virus. Fortunately, the majority of known polymorphic viruses do comply with these requirements, making them susceptible to the GD scheme.

Like any other antivirus technique, for this technology to be marketable, it must be fast. Fortunately, antivirus researchers have identified intelligent ways to limit the number of emulated instructions while still detecting most polymorphic viruses.
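The emulate-then-scan loop described in the preceding paragraphs, as an added example that is not from the book. It uses a toy bytecode VM constructed for illustration: the instruction set, the `Toy.Poly` name, the `VIRUS_BODY` bytes and the polymorphic generator are all assumptions, not any real virus or scanner. Each generation gets a random key, random register roles and random junk instructions, so the file bytes differ every time; `gd_scan` runs the sample in the sandboxed VM until control lands on bytes the sample itself rewrote, then signature-scans the decrypted virtual memory. The example also exercises the caveats from the text: a plain string scan of the on-disk bytes finds nothing, a benign self-decrypting program with the same loop shape is not flagged (the signature is matched against the decrypted body, not the decryptor), and starving the emulator of instructions (`budget=10`) lets the sample slip through.

```python
"""Toy generic-decryption (GD) scanner over a tiny bytecode VM (constructed example)."""
import random

# ---- Minimal VM: 4 registers, 256-byte memory, variable-length instructions ----
LOADI, XORM, INC, DEC, JNZ, JMP, ADDI, HALT = 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0xFF
LENGTH = {LOADI: 3, XORM: 3, INC: 2, DEC: 2, JNZ: 3, JMP: 2, ADDI: 3, HALT: 1}

# Constructed "static viral body": the bytes that are identical in every generation.
# Once decrypted it is plain VM code (set a register, halt), so the sample can run.
VIRUS_BODY = bytes([LOADI, 0, 0x99, ADDI, 0, 0x01, HALT])
SIGNATURES = {"Toy.Poly": VIRUS_BODY}          # signature for the decrypted body only


def make_polymorphic_sample(rng, payload):
    """One generation: random key, random register allocation, random junk
    instructions, then a JMP into the freshly decrypted payload."""
    key = rng.randrange(1, 256)
    ptr, cnt, kreg, junk = rng.sample(range(4), 4)      # which register plays which role

    def junk_insn():                                    # harmless op on the unused register
        return bytes(rng.choice([[INC, junk], [DEC, junk], [ADDI, junk, rng.randrange(256)]]))

    code = bytearray(junk_insn() + bytes([LOADI, kreg, key]) + junk_insn()
                     + bytes([LOADI, cnt, len(payload)]))
    ptr_load = len(code)                                # patched once the layout is known
    code += bytes([LOADI, ptr, 0])
    loop = len(code)
    code += bytes([XORM, ptr, kreg]) + junk_insn() + bytes([INC, ptr, DEC, cnt, JNZ, cnt, loop])
    start = len(code) + 2                               # payload begins right after the JMP
    code += bytes([JMP, start])
    code[ptr_load + 2] = start
    code += bytes(b ^ key for b in payload)             # payload is stored encrypted
    return bytes(code)


def emulate(program, budget):
    """Run `program` inside the sandboxed VM for at most `budget` instructions.
    Returns (memory, reason); reason is 'decrypted-code-reached' when control lands
    on bytes the program itself rewrote, otherwise 'halt', 'budget' or 'fault'."""
    mem = bytearray(256)
    mem[:len(program)] = program
    regs, pc, written = [0] * 4, 0, set()
    for _ in range(budget):
        if pc in written:
            return mem, "decrypted-code-reached"
        op = mem[pc]
        if op not in LENGTH:
            return mem, "fault"
        a, b = mem[(pc + 1) % 256], mem[(pc + 2) % 256]
        r, nxt = a & 3, (pc + LENGTH[op]) % 256
        if op == HALT:
            return mem, "halt"
        if op == LOADI:
            regs[r] = b
        elif op == ADDI:
            regs[r] = (regs[r] + b) & 0xFF
        elif op == INC:
            regs[r] = (regs[r] + 1) & 0xFF
        elif op == DEC:
            regs[r] = (regs[r] - 1) & 0xFF
        elif op == XORM:                                # self-modification: track the write
            mem[regs[r]] ^= regs[b & 3]
            written.add(regs[r])
        elif op == JNZ and regs[r]:
            nxt = b
        elif op == JMP:
            nxt = a
        pc = nxt
    return mem, "budget"


def string_scan(program):
    """Conventional signature scan of the file bytes as stored on disk."""
    return next((n for n, s in SIGNATURES.items() if s in program), None)


def gd_scan(program, budget=500):
    """Generic decryption: emulate, then signature-scan the decrypted virtual memory."""
    mem, reason = emulate(program, budget)
    return next((n for n, s in SIGNATURES.items() if s in mem), None), reason


def demo(seed=7):
    """Three generations of the same virus, a benign self-decryptor, and a starved budget."""
    rng = random.Random(seed)
    gens = [make_polymorphic_sample(rng, VIRUS_BODY) for _ in range(3)]
    return {
        "distinct_generations": len(set(gens)),
        "string_scan": [string_scan(g) for g in gens],
        "gd_scan": [gd_scan(g) for g in gens],
        "benign": gd_scan(make_polymorphic_sample(rng, b"hello")),   # same loop, other payload
        "starved": gd_scan(gens[0], budget=10),                      # emulation cut short
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

The stop condition (control transferred to self-modified bytes) is one simple way to decide that "decryption has finished"; a real GD engine combines such heuristics with the instruction budget that the next paragraph describes, and the `starved` case shows what a too-small budget costs: the body is only partially decrypted, so the signature never appears.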

The GD-based technique offers the best detection capabilities of any of the discussed schemes. It can detect viruses that use arbitrarily complicated encryption schemes and can exactly identify the strain of a polymorphic virus in an infected file. In many instances, the development time required to detect a new polymorphic virus can be orders of magnitude less than that required by traditional methods. In addition, because the virus decrypts itself during emulation, information that would normally be encrypted inside the viral body can be located and used to repair infected files.

Today, major antivirus companies are beginning to integrate GD technology with their existing virus scanner technology. In many cases, antivirus companies can’t afford to completely switch over to a new technology as it is honed and perfected. Therefore, most antivirus scanners currently in use actually implement more than one of the virus scanning techniques described earlier. Although this sometimes can slow down the product, the various scanner algorithms complement each other to provide more well-rounded detection capabilities.

The following list examines how virus scanners perform in each of the seven critical categories:

  Virus scanners require a trained engineer (or automated process) to analyze and produce a signature for each and every new virus that needs to be detected using scanner technology. Antivirus companies usually have a dedicated, full-time staff to update the antivirus product scanner component.
  A well-written virus scanner can potentially detect every virus for which it carries a signature. However, the scanner can only detect a new virus after an antivirus researcher has had a chance to update it with the proper signature. Until then, the scanner is incapable of detecting previously unseen viruses or modified versions of existing viruses whose signatures no longer match.
  Properly designed scanners have a low false-positive rate. Algorithmic virus signatures intended to detect polymorphic viruses by locating their decryption routine may, however, sometimes produce false positives on uninfected programs. These programs often contain machine code similar to the polymorphic virus’ decryption routine, which confuses the algorithmic scanner.
  Properly designed scanners have a low false-negative rate.
  While most virus scanners are designed to operate quickly, today’s users have a great many files. Scanning a gigabyte hard drive can take several minutes or longer. The user must regularly scan incoming floppy disks, and must scan the hard drive contents any time new software is added. Memory-resident virus scanners can also be used; these are slightly less intrusive because they only check files and floppy disks when they are accessed.
  Virus scanners must be updated frequently, perhaps as often as monthly or quarterly. The user can often obtain updated virus signature data files electronically without worrying about updating the actual executable antivirus program.
  The virus scanner can be used to detect viruses before they infiltrate the computer or after.

