How do anti virus function? #1
Actually I wanted to make a simple anti virus software, but I don't quite know how to differentiate between a virus and a normal file. Could someone please help me understand how to make my code differentiate between a virus and a safe file? I'd be making this in java or c++ if someone helps me at this point of time.
Follow me on My YouTube Channel if you're into art.

Reply

RE: How do anti virus function? #2
You'll often notice RATs covered as svchost.exe, crss.exe, winlogon.exe, nvvsvc.exe - if you can make it delete copies of those, it would be a good start. Also make sure that it checks the %temp% folder for suspicious files. Some of the viruses may be 'hidden', so turn 'View hidden files and extensions' on and check the folder C:\Install\ for hidden files (if you have that folder, of course), and lastly, make it check the roots.
(This post was last modified: 09-01-2011, 06:55 PM by Herlew.)

Reply

RE: How do anti virus function? #3
(09-01-2011, 06:45 PM)Pratyush13 Wrote: Actually I wanted to make a simple anti virus software, but I don't quite know how to differentiate between a virus and a normal file. Could someone please help me understand how to make my code differentiate between a virus and a safe file? I'd be making this in java or c++ if someone helps me at this point of time.

Listen now, my friend. I was making antivirus software when I was 17yrs.
One good programmer taught me what the difference between a virus and a normal file is. First, you have to develop some heuristic technique. I will explain everything that I know. First, the difference between a virus and a normal program is that the normal program uses standard API calls and uses standard register keys. A virus DOES NOT USE ONLY standard components of the software; often a virus has the power to write some non-temporary information and manipulate it.
To recognize a virus, you need to ANALYZE what the program is doing. Is it hidden? Is it installed in a non-accessible folder? Is it writing wrong parameters or some unknown information?
That's the answer to it all. And when you remember some symptoms, then you make a database with information for recognizing those symptoms. After a few years you will develop some good software...
INT1MOS PHANTOM - Making the FUTURE

Reply

RE: How do anti virus function? #4
Why do anti viruses require data bases?
Follow me on My YouTube Channel if you're into art.

Reply

RE: How do anti virus function? #5
(10-19-2011, 02:32 AM)Pratyush13 Wrote: Why do anti viruses require data bases?

Because differentiating between a normal file and a virus is not an easy task.
Malware does not have a label on its head. Therefore, it is first identified by its characteristics by some analyst software at AV corps. Then the software outputs "virus signatures" of that malware. Those signatures can be used to determine whether a file is malware or not.
Then the software uploads the found signatures and adds them to the existing database, and finally your AV downloads the update and starts detecting the malware from the marked virus signatures.
Redcat Revolution!

Reply

RE: How do anti virus function? #6
Thanks Coder San.. I guess I'll have to work on these details a bit more before I blindly start my project on anti viruses..
Follow me on My YouTube Channel if you're into art.

Reply

RE: How do anti virus function? #7
Thank you Intimos.. It's been a big help, not only for us but also for every person that needs to understand the difference between a normal program and a virus.. Cheers

Reply

RE: How do anti virus function? #8
(10-19-2011, 02:44 AM)Coder-san Wrote:
(10-19-2011, 02:32 AM)Pratyush13 Wrote: Why do anti viruses require data bases?

Because differentiating between a normal file and a virus is not an easy task.
Malware does not have a label on its head. Therefore, it is first identified by its characteristics by some analyst software at AV corps. Then the software outputs "virus signatures" of that malware. Those signatures can be used to determine whether a file is malware or not.
Then the software uploads the found signatures and adds them to the existing database, and finally your AV downloads the update and starts detecting the malware from the marked virus signatures.

Along with this, aren't there checksums of each file before it's released (unless privately made), yet still checksums on viruses? If the AV doesn't register the checksum of, say, system file svchost.exe, to be the checksum in the Microsoft database, it's registered as infected. Then the checksum of the svchost.exe file is scanned, and looked up in the database (virus definitions) of the AV and finds the virus matched, posts it as that, etc. etc.

user: 1234darkmaster made an antivirus; although it only had about 150 definitions, it was an antivirus. (I think only scantime, sadly :D)

Reply
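Added example, not code from any poster in this thread: a minimal scan-time engine in C++ that combines the signature database described in post #5 with the known-good checksum comparison described in post #8. The `Scanner`, `Signature` and `fromText` names are hypothetical, the `?` wildcard is an assumption of this sketch, and FNV-1a stands in for the cryptographic hash (such as SHA-256) a real product would use.

```cpp
#include <cstdint>
#include <map>
#include <string>
#include <vector>

// One definitions-database entry: a detection name plus a byte pattern.
// A pattern value of -1 is a wildcard that matches any byte.
struct Signature {
    std::string name;
    std::vector<int> pattern;
};

// FNV-1a 64-bit: a short stand-in checksum for this example only.
uint64_t checksum(const std::string& data) {
    uint64_t h = 0xcbf29ce484222325ULL;
    for (unsigned char c : data) { h ^= c; h *= 0x100000001b3ULL; }
    return h;
}

// True if the pattern occurs anywhere in the file contents.
bool matches(const std::string& data, const Signature& sig) {
    const size_t n = sig.pattern.size();
    if (n == 0 || data.size() < n) return false;
    for (size_t i = 0; i + n <= data.size(); ++i) {
        size_t j = 0;
        while (j < n && (sig.pattern[j] < 0 ||
               sig.pattern[j] == static_cast<unsigned char>(data[i + j]))) ++j;
        if (j == n) return true;
    }
    return false;
}

// Builds a signature from text, treating '?' as a one-byte wildcard.
Signature fromText(const std::string& name, const std::string& text) {
    Signature s{name, {}};
    for (unsigned char c : text) s.pattern.push_back(c == '?' ? -1 : c);
    return s;
}

struct Scanner {
    std::vector<Signature> definitions;         // grows with every update
    std::map<std::string, uint64_t> knownGood;  // file name -> expected checksum

    // Returns the matching definition's name, "modified" when a known file's
    // checksum differs but no definition matches, or "clean".
    std::string scan(const std::string& fileName, const std::string& data) const {
        for (const auto& sig : definitions)
            if (matches(data, sig)) return sig.name;
        auto it = knownGood.find(fileName);
        if (it != knownGood.end() && it->second != checksum(data)) return "modified";
        return "clean";
    }
};
```

A file that matches no definition scans as clean until an update adds its signature, which is why the database has to keep being downloaded.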

RE: How do anti virus function? #9
When AV stays active in the tray or in the background to monitor the files being created, transferred or removed, won't it occupy too much of the computer's RAM?
Follow me on My YouTube Channel if you're into art.

Reply






