
How new AV companies deal with signature database?


How does a new Internet-Security/Anti-Virus startup prepare its malware database? I have seen some new products that are able to detect viruses that were in the wild 10-15 years ago.

Asked by: Guest | Views: 233
Total answers/comments: 1
bert [Entry]

Anti-Virus companies have two aspects to handle:

the signatures they need to match, and
the technology used to match signatures.

Signatures themselves are pretty well standardized (with quantified false-positive characteristics).
The technology would be proprietary and govern how the signatures are used.

So, a new company would pick up a standard database from some source and 'run' their custom translators to convert it to a database that will work with their implementation.
The company will make its own call on the balance between easy conversion and optimization for its implementation.

A few references for further reading:

SNORT rules: Sourcefire Vulnerability Research Team™ (VRT) Rules
Writing ClamAV Signatures. Alain Zidouemba. March 4, 2009 (PDF file)
PE Sig (linked from here among other things)

PE Sig is a tool written in Ruby that generates ClamAV® signatures for portable executable files.
For more information on PE Sig, check out Brian Caswell's write-up on the VRT Blog.
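To make the "custom translator" idea in the answer concrete, here is an added example that is not part of the original post and is not ClamAV's or PE Sig's code. It reads a subset of ClamAV's published text signature formats (.hdb hash signatures of the form `MD5:Size:Name`, and .ndb body signatures of the form `Name:TargetType:Offset:HexSignature`) and translates each body signature into a compiled Python regular expression, which is the in-house matching representation this hypothetical vendor has chosen. The signature entries, the `Example.*` names and the three sample "files" are all constructed for the demo; only target types 0 (any) and 1 (PE) and the hex wildcards `??`, `*`, `{n}`, `{n-m}`, `{n-}` and `{-m}` are handled, and any other syntax is rejected rather than silently misread.

```python
"""Translate a subset of ClamAV .hdb/.ndb signatures into Python regex matchers.

Added illustration for the Q&A above; not ClamAV or PE Sig code. The signature
database lines and sample files below are constructed, not real detections.
"""
import hashlib
import re
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class BodySig:
    name: str
    target: int                    # ClamAV target type: 0 = any file, 1 = PE (others not modelled)
    offset: Optional[int]          # absolute offset, or None for ClamAV's '*' (anywhere)
    pattern: "re.Pattern[bytes]"   # the vendor's internal representation: a compiled bytes regex


@dataclass
class HashSig:
    name: str
    md5: str
    size: int


# One token of a ClamAV hex signature: the single-byte wildcard '??', the unbounded
# gap '*', a bounded gap {n} / {n-m} / {n-} / {-m}, or one hex byte pair.
_TOKEN = re.compile(r"\?\?|\*|\{(\d*)(-?)(\d*)\}|[0-9a-fA-F]{2}")


def hexsig_to_regex(hexsig: str) -> bytes:
    """Translate the supported subset of hex-signature syntax into a bytes regex source."""
    parts: List[bytes] = []
    pos = 0
    for m in _TOKEN.finditer(hexsig):
        if m.start() != pos:  # a gap means syntax we do not support, e.g. (aa|bb)
            raise ValueError(f"unsupported syntax at column {pos} in {hexsig!r}")
        pos = m.end()
        tok = m.group(0)
        if tok == "??":
            parts.append(b".")
        elif tok == "*":
            parts.append(b".*?")
        elif tok.startswith("{"):
            lo, dash, hi = m.group(1), m.group(2), m.group(3)
            if not dash:                       # {n}: exactly n bytes
                parts.append(b".{%d}" % int(lo))
            else:                              # {n-m}, {n-}, {-m}
                parts.append(b".{%s,%s}" % (lo.encode() or b"0", hi.encode()))
        else:
            parts.append(re.escape(bytes.fromhex(tok)))
    if pos != len(hexsig):
        raise ValueError(f"trailing unsupported syntax in {hexsig!r}")
    return b"".join(parts)


def load_ndb(text: str) -> List[BodySig]:
    """Parse .ndb lines (Name:Target:Offset:HexSig[:MinFL[:MaxFL]]) into BodySig objects."""
    sigs = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 4:
            raise ValueError(f"malformed .ndb line: {line!r}")
        name, target, offset, hexsig = fields[0], int(fields[1]), fields[2], fields[3]
        if offset == "*":
            off = None
        elif offset.isdigit():
            off = int(offset)
        else:  # EOF-n, EP+n and similar offset forms are outside this subset
            raise ValueError(f"offset form {offset!r} not supported by this translator")
        sigs.append(BodySig(name, target, off, re.compile(hexsig_to_regex(hexsig), re.DOTALL)))
    return sigs


def load_hdb(text: str) -> List[HashSig]:
    """Parse .hdb lines (MD5:Size:Name) into HashSig objects."""
    sigs = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        md5, size, name = line.split(":")[:3]
        sigs.append(HashSig(name, md5.lower(), int(size)))
    return sigs


def _body_hit(sig: BodySig, data: bytes) -> bool:
    if sig.target == 1 and not data.startswith(b"MZ"):
        return False
    if sig.target not in (0, 1):   # assumption: other target types are not modelled here
        return False
    if sig.offset is None:
        return sig.pattern.search(data) is not None
    return sig.pattern.match(data, sig.offset) is not None


def scan(data: bytes, hash_sigs: List[HashSig], body_sigs: List[BodySig]) -> List[str]:
    """Return the sorted names of every signature that matches the given file contents."""
    hits = []
    digest = hashlib.md5(data).hexdigest()
    hits += [h.name for h in hash_sigs if h.size == len(data) and h.md5 == digest]
    hits += [s.name for s in body_sigs if _body_hit(s, data)]
    return sorted(hits)


# Constructed sample files: a fake PE header plus a marker string, plain text, and text with the marker.
FILE_A = b"MZ\x90\x00PE\x00\x00" + b"\x00" * 8 + b"...EXAMPLE-SIG-BODY..."
FILE_B = b"a plain text file with nothing of interest"
FILE_C = b"text file that only carries EXAMPLE-SIG-BODY"

# Constructed signature database entries (the hex is the ASCII of "EXAMPLE-SIG-BODY", "MZ", "PE").
SAMPLE_NDB = """
# name:target:offset:hexsig
Example.Body.Marker:0:*:4558414d504c452d5349472d424f4459
Example.Body.Header:1:0:4d5a{2}50450000
Example.Body.Wild:0:*:4558??4d50{0-4}2d534947
"""
SAMPLE_HDB = f"{hashlib.md5(FILE_A).hexdigest()}:{len(FILE_A)}:Example.Hash.FileA\n"

BODY_SIGS = load_ndb(SAMPLE_NDB)
HASH_SIGS = load_hdb(SAMPLE_HDB)

if __name__ == "__main__":
    for label, blob in (("FILE_A", FILE_A), ("FILE_B", FILE_B), ("FILE_C", FILE_C)):
        print(label, scan(blob, HASH_SIGS, BODY_SIGS))
```

The point of the translator is the split the answer describes: the .ndb/.hdb text is the shared, well-documented signature source, while `hexsig_to_regex` and `scan` are the vendor-specific part that can be swapped for an Aho-Corasick engine or anything else without touching the database. Rejecting unsupported syntax loudly, rather than skipping it, matters in practice because a silently dropped signature is a detection gap nobody notices.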