Possible to make an anti-virus in VB?

    Question

  • Is it possible to make an anti-virus in VB? Like, for example, the ability to scan through many files and find the memory encryption of each. (What I meant was like 442FSET5, something like that.) And the possibility to remove all files related to the specific virus or code? If so, then can you guys help me get a jump start on this?
    Wednesday, December 16, 2009 6:46 PM

Answers

  • Hi – I think my information can help:

    To make a virus scan-engine you’ll need to know a lot about viruses, antivirus techniques and virus signatures.

    I’ll start off by explaining:

    Terms note: In this post and in this thread we are not speaking about real human body viruses or something that is related to human health.

    What is a computer virus?
    A computer virus is a term that refers to a bit of source code written in C/C++ or any other language that has a sequence of bytes which are assembler instructions that can perform damaging actions to a personal computer (PC). A virus code can typically be 2 500 bytes or even more.  

    What is a virus signature?
    Virus signature is a term that refers to any sequence of bits that can be used to accurately identify the presence of that particular virus in a given file or range of memory.

    How does an antivirus program determine whether a file is infected or not?
    Generally speaking, antivirus software uses two basic techniques to detect viruses: one is called “signature scanning” (specific) and the other is called “Heuristics” (generic); each of them is different. The standard option that is always enabled is “signature scanning” – when an antivirus selects a file, it will first check the FILE_HEADER, which allows the antivirus to determine whether this specific file is an executable one or something else. To do this the antivirus checks the first FILE_HEADER signature: PE (Portable Executable) and the MZ (Mark Zbikowski initial) format are the common ones today. As the antivirus finds the signature, it checks within its own verification() method.

    PE signature = 0x5045h
    MZ signature = 0x4D5Ah

    After that the virus has managed to determine the file type by checking the FILE_HEADER signature, then the antivirus starts scanning deeply inside the file to check for similar signatures like those in the *.vps, *.dat or any customized db-type file.

    As I described, “Heuristics” is another method which antivirus software uses to check files for infection. Heuristics is a method that is generic and uses generic characteristics of the computer virus – so the Heuristics method can detect all types of computer viruses and can also in some situations detect unknown computer viruses.

    Conclusion: Well the signature scanning is more specific and follows some rules and bases of how to scan and detect a virus, while Heuristics is more generic and can detect all kinds of stuff.

    Now to the point: I would not recommend Visual Basic (VB) for a task like this one; I’ll prefer C/C++ and C#, because with C# you get some more efficient code, and you’ll then be able to easily P/Invoke the C++ written functions.

    For more information: Below are some threads where I have provided full information
    http://social.msdn.microsoft.com/Forums/en-US/windowssecurity/thread/1b23cadf-aa7e-44fe-9f35-01d3d6561d10
    http://social.msdn.microsoft.com/Forums/en-US/vbgeneral/thread/74a7566c-391a-4db1-b8eb-30c723db0358/

    If you have any questions feel free to ask.

    I hope this information was helpful…

    Have a nice day…and a nice weekend...

    Best regards,
    Fisnik


    Coder24.com
    • Proposed as answer by ShariqDON Saturday, December 19, 2009 9:52 PM
    • Marked as answer by Martin_XieModerator Thursday, December 24, 2009 3:24 AM
    Saturday, December 19, 2009 4:17 PM
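
The header check and signature scan described in the answer above, as an added C++ example that is not from the thread; the signature name, byte pattern and sample buffer are constructed for illustration. It checks `MZ` at offset 0, follows the `e_lfanew` field at offset 0x3C to the four-byte `PE\0\0` signature with bounds checks, and only then searches for each database pattern.

```cpp
#include <algorithm>
#include <cstddef>
#include <cstdint>
#include <iostream>
#include <string>
#include <vector>

using Bytes = std::vector<std::uint8_t>;

enum class FileKind { NotExecutable, DosMz, Pe };

// Classify a buffer by its header magic values.
// "MZ" (0x4D 0x5A) sits at offset 0; the 32-bit little-endian field at
// offset 0x3C (e_lfanew) points at the 4-byte PE signature "PE\0\0".
FileKind classify(const Bytes& f) {
    if (f.size() < 2 || f[0] != 0x4D || f[1] != 0x5A) return FileKind::NotExecutable;
    if (f.size() < 0x40) return FileKind::DosMz;  // too short to hold e_lfanew
    std::uint32_t off = f[0x3C] | (f[0x3D] << 8) | (f[0x3E] << 16) |
                        (static_cast<std::uint32_t>(f[0x3F]) << 24);
    // Bounds check first: a truncated or hostile file can carry any offset.
    if (off > f.size() || f.size() - off < 4) return FileKind::DosMz;
    static const std::uint8_t pe[4] = {0x50, 0x45, 0x00, 0x00};
    return std::equal(pe, pe + 4, f.begin() + off) ? FileKind::Pe : FileKind::DosMz;
}

struct Signature {
    std::string name;  // label reported on a match
    Bytes pattern;     // exact byte sequence to look for
};

struct Detection {
    std::string name;
    std::size_t offset;  // position of the first match in the file
};

// Signature scan: gate on the header, then search for every pattern in the database.
std::vector<Detection> scan(const Bytes& file, const std::vector<Signature>& db) {
    std::vector<Detection> hits;
    if (classify(file) == FileKind::NotExecutable) return hits;
    for (const auto& sig : db) {
        if (sig.pattern.empty()) continue;  // an empty pattern would match everything
        auto it = std::search(file.begin(), file.end(),
                              sig.pattern.begin(), sig.pattern.end());
        if (it != file.end())
            hits.push_back({sig.name, static_cast<std::size_t>(it - file.begin())});
    }
    return hits;
}

// Constructed sample: an MZ/PE-shaped buffer (not a loadable program) plus a payload.
Bytes make_sample_pe(const Bytes& payload) {
    Bytes f(0x80, 0x00);
    f[0] = 0x4D; f[1] = 0x5A;        // "MZ"
    f[0x3C] = 0x40;                  // e_lfanew -> 0x40
    f[0x40] = 0x50; f[0x41] = 0x45;  // "PE", followed by two zero bytes
    f.insert(f.end(), payload.begin(), payload.end());
    return f;
}

int main() {
    // Constructed marker bytes standing in for a real signature database entry.
    Bytes marker = {0xDE, 0xAD, 0xBE, 0xEF, 0x13, 0x37};
    std::vector<Signature> db = {{"Constructed.Test.A", marker}};
    for (const Detection& d : scan(make_sample_pe(marker), db))
        std::cout << d.name << " at offset " << d.offset << "\n";
    return 0;
}
```

A match here only says the bytes are present somewhere in the file; what to do with the file is a separate decision, which is the point the thread goes on to argue about.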
  • To me, I will say no; you need unmanaged code (C++) to do that, but I have seen some sample articles with .NET. So it is up to you.

    Sample article with C#: http://www.codeproject.com/KB/cs/Kill_Brontok.aspx

    Similar thread : http://social.msdn.microsoft.com/Forums/en-US/windowssecurity/thread/1b23cadf-aa7e-44fe-9f35-01d3d6561d10

    Anti virus forum : http://social.technet.microsoft.com/Forums/en-US/exchangesvrantivirusandantispam/threads


    Virus Library : http://vx.netlux.org/lib/


    kaymaf



    If that is what you want, take it. If not, ignore it and do not complain
    Wednesday, December 16, 2009 7:24 PM

All replies



  • It is not so hard to scan the files,

    But to do an anti-virus it is not only to find the signature and delete the file.

    1) You need to have access to a database that holds all the virus definitions, and this database has to be updated every day since these definitions change all the time.

    2) To remove a virus, it is often useless to delete the file (I will not explain how this works here, politic of the site about the information on how to create a virus). The virus will recreate the file as soon as you have deleted it.

    3) Your application has to be very smart also; a lot of viruses put their definition in the headers of all the .EXE and .DLL files of your computer, so if you are not careful with what you delete, your anti-virus will delete all these files from the computer, including your operating system and applications. (Using this technique, a virus may even make the anti-virus delete itself.)

    4) I will stop here, or I will get to point 100)

    So, yes it is possible, but make sure that you know about viruses, otherwise you will have some LARGE problems.
    Wednesday, December 16, 2009 7:18 PM


  • I will say no also as far as creating an antivirus,

     but yes to the OP question about if he can scan and delete files with VB upon finding a virus signature
    Wednesday, December 16, 2009 7:28 PM
  • To me i will say no, you needs unmanaged code (C++)

    I will say no also as far as creating an antivirus,

     but yes to the OP question about if he can scan and delete files with VB upon finding a virus signature
    is it safe to make an antivirus like software with managed code assembly and then protect executables and other libraries with .net Reactor or Dotfuscator like software?
    Wednesday, December 16, 2009 7:53 PM


  • It is never safe to do your own anti-virus

    a single bug can cost you all you have in your computer if not your identity.

    If it is not from a bad behaviour of your application, it is from a virus that was not recognized and that stays installed in your machine
    Wednesday, December 16, 2009 8:04 PM
  • There is never much "personal info" on my account. To me my computer is almost like a development device. I will always have a backup of at least 3-anti viruses to catch viruses.
    Wednesday, December 16, 2009 9:04 PM
  • Crazzypennie said:

    1) You need to have access to a database that holds all the virus definitions, and this database has to be updated every day since these definitions change all the time.

    My reply to that:

    Yes, the antivirus manufacturer needs to have a custom database (DB) to hold his/her virus signatures, and yes they need to be updated very often.


    Crazzypennie said:

    2) To remove a virus, it is often useless to delete the file (I will not explain how this works here, politic of the site about the information on how to create a virus). The virus will recreate the file as soon as you have deleted it.

    My reply to that:

    No it isn't useless, since antivirus software works under multitasking, which is why an antivirus program can monitor many directories, scan directories etc. while it is removing another virus from the PC. It depends; the antivirus can kill the main target virus file, and as the main target is down, so will all the others. Many viruses do not create new files; instead they just make copies of themselves and then they continue to follow their instructions.

    Viruses have nothing to do with "politics"; the only PC security related topic that can be connected to politics is "hacking". Today, nations around the world protect their privacy by employing people who know how to hack.

    Crazzypennie said:

    3) Your application has to be very smart also; a lot of viruses put their definition in the headers of all the .EXE and .DLL files of your computer, so if you are not careful with what you delete, your anti-virus will delete all these files from the computer, including your operating system and applications. (Using this technique, a virus may even make the anti-virus delete itself.)

    My reply to that:

    hahaha, no, no, a virus cannot change an antivirus *.exe file. Viruses do not attack antivirus software or regular files by user; moreover, viruses have been trying to modify the "virus signature" databases, to make it impossible for antiviruses to detect viruses. That's the only thing that has occurred in the past; today's antivirus software, however, encrypts its signature files.

    What you're talking about here is a sort of technique I was thinking of 2,5 years ago when I wanted to make my own virus in C#.

    Have a nice day...

    Best regards,
    Fisnik
    Coder24.com
    Monday, December 21, 2009 9:38 AM

  • Crazypennie said:

    It is never safe to do your own anti-virus

    a single bug can cost you all you have in your computer if not your identity.

    If it is not from a bad behaviour of your application, it is from a virus that was not recognized and that stays installed in your machine

    hmm? Maybe it isn't, but keep in mind that the antivirus software that you find on the market today is also made by humans and not robots or aliens or Einstein (a German scientist). All antivirus software, Symantec, Norton, Kaspersky, ClamAV, Windows Defender, Microsoft Security Essential, Eset NOD32 antivirus and many others, all these are actually made by humans. So what makes you trust them then? Is it not better to make your own antivirus (if you have the knowledge) then?

    If you have the knowledge and the power to do something then go ahead and do that; it would be much better if you had your own antivirus software, and you did not need to pay to get one which you can trust.

    Have a nice day…

    No matter how much time it takes to make your own antivirus, if you have passion and you enjoy it then by all means continue…

    Best regards,
    Fisnik      


    Coder24.com
    Monday, December 21, 2009 9:48 AM
  • is it safe to make an antivirus like software with managed code assembly and then protect executables and other libraries with .net Reactor or Dotfuscator like software?

    Well it depends; from some perspectives, however, it can be very safe and from others not.
    But I can recommend you to combine it, like C++ and C# in one app, so you P/Invoke
    your C++ functions.

    Have a nice day...

    Best regards,
    Fisnik
    Coder24.com
    Monday, December 21, 2009 9:53 AM

  • My reply to that:

    No it isn't useless, since antivirus software works under multitasking, which is why an antivirus program can monitor many directories, scan directories etc. while it is removing another virus from the PC. It depends; the antivirus can kill the main target virus file, and as the main target is down, so will all the others. Many viruses do not create new files; instead they just make copies of themselves and then they continue to follow their instructions.

    Viruses have nothing to do with "politics"; the only PC security related topic that can be connected to politics is "hacking". Today, nations around the world protect their privacy by employing people who know how to hack.

    I did not say that this virus cannot be removed,

    An application that only scans and deletes files, like the OP wants to do, does not remove this kind of virus. It has to be smarter than that.

    Monday, December 21, 2009 2:14 PM

  • My reply to that:

    hahaha, no, no, a virus cannot change an antivirus *.exe file. Viruses do not attack antivirus software or regular files by user; moreover, viruses have been trying to modify the "virus signature" databases, to make it impossible for antiviruses to detect viruses. That's the only thing that has occurred in the past; today's antivirus software, however, encrypts its signature files.

    What you're talking about here is a sort of technique I was thinking of 2,5 years ago when I wanted to make my own virus in C#.

    Hahaha

    Just a few bytes added in the headers of an exe file do make an antivirus delete the file (algorithm based on the 133 byte application)

    Just tried 5 minutes ago and McAfee deleted a copy of Excel.exe, and without warning, just a pop up window saying "A trojan was removed"

    You can also inject a trojan at any entry point of any DLL file. Just need a bit of knowledge of assembler or to know where to Google.

    Once it is done, what can the antivirus do? It is too late, the file is corrupted ??

    Better to catch me before it gets done !!!

    ----
    Why if it is working in my computer, it wouldn't work in any computer???
    Monday, December 21, 2009 2:25 PM

  • My reply to that:

    No it isn't useless, since antivirus software works under multitasking, which is why an antivirus program can monitor many directories, scan directories etc. while it is removing another virus from the PC. It depends; the antivirus can kill the main target virus file, and as the main target is down, so will all the others. Many viruses do not create new files; instead they just make copies of themselves and then they continue to follow their instructions.

    Viruses have nothing to do with "politics"; the only PC security related topic that can be connected to politics is "hacking". Today, nations around the world protect their privacy by employing people who know how to hack.

    I did not say that this virus cannot be removed,

    An application that only scans and deletes files, like the OP wants to do, does not remove this kind of virus. It has to be smarter than that.

    Yes, seems like the OP wants to make a basic scanner like AVG Antivirus.
    Coder24.com
    Monday, December 21, 2009 6:03 PM

  • My reply to that:

    hahaha, no, no, a virus cannot change an antivirus *.exe file. Viruses do not attack antivirus software or regular files by user; moreover, viruses have been trying to modify the "virus signature" databases, to make it impossible for antiviruses to detect viruses. That's the only thing that has occurred in the past; today's antivirus software, however, encrypts its signature files.

    What you're talking about here is a sort of technique I was thinking of 2,5 years ago when I wanted to make my own virus in C#.

    Hahaha

    Just a few bytes added in the headers of an exe file do make an antivirus delete the file (algorithm based on the 133 byte application)

    Just tried 5 minutes ago and McAfee deleted a copy of Excel.exe, and without warning, just a pop up window saying "A trojan was removed"

    You can also inject a trojan at any entry point of any DLL file. Just need a bit of knowledge of assembler or to know where to Google.

    Once it is done, what can the antivirus do? It is too late, the file is corrupted ??

    Better to catch me before it gets done !!!

    ----
    Why if it is working in my computer, it wouldn't work in any computer???

    I know that it works through EntryPoints etc., as I have provided other users with such facts.
    You can apply assembler knowledge and you can also use other methods to detect viruses
    or injected data, and that’s through HEX data, and by applying a checksum technique you
    can verify if that specific file has been modified, and you can also run a check to find
    those modifications by comparing with back-up modifications of original file data.


    Coder24.com
    Monday, December 21, 2009 6:22 PM
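
The checksum verification and comparison against a backup copy mentioned in the post above, as an added C++ example that is not from the thread; the `Baseline` class, the file name and the sample bytes are constructed for illustration. CRC-32 stands in for "checksum" here: it catches accidental or naive changes but is not collision-resistant, so an integrity check meant to withstand an adversary would use a cryptographic hash such as SHA-256 and keep the baseline where the monitored machine cannot rewrite it.

```cpp
#include <algorithm>
#include <cstddef>
#include <cstdint>
#include <iostream>
#include <map>
#include <string>
#include <utility>
#include <vector>

using Bytes = std::vector<std::uint8_t>;

// CRC-32 (reflected polynomial 0xEDB88320), computed bit by bit for brevity.
std::uint32_t crc32(const Bytes& data) {
    std::uint32_t crc = 0xFFFFFFFFu;
    for (std::uint8_t b : data) {
        crc ^= b;
        for (int i = 0; i < 8; ++i)
            crc = (crc >> 1) ^ (0xEDB88320u & (0u - (crc & 1u)));
    }
    return crc ^ 0xFFFFFFFFu;
}

struct Range { std::size_t begin; std::size_t end; };  // half-open [begin, end)

// Compare a file with its backup and return the byte ranges that differ.
// Data appended or cut off past the shorter length is reported as a trailing range.
std::vector<Range> modified_ranges(const Bytes& backup, const Bytes& current) {
    std::vector<Range> out;
    const std::size_t common = std::min(backup.size(), current.size());
    std::size_t i = 0;
    while (i < common) {
        if (backup[i] == current[i]) { ++i; continue; }
        const std::size_t start = i;
        while (i < common && backup[i] != current[i]) ++i;
        out.push_back({start, i});
    }
    const std::size_t longest = std::max(backup.size(), current.size());
    if (longest > common) {
        if (!out.empty() && out.back().end == common) out.back().end = longest;
        else out.push_back({common, longest});
    }
    return out;
}

enum class Verdict { Unchanged, Modified, Unknown };

// Known-good checksums recorded while the files were trusted.
class Baseline {
public:
    void record(const std::string& path, const Bytes& content) {
        sums_[path] = {crc32(content), content.size()};
    }
    Verdict check(const std::string& path, const Bytes& content) const {
        auto it = sums_.find(path);
        if (it == sums_.end()) return Verdict::Unknown;  // never baselined
        const bool same = it->second.first == crc32(content) &&
                          it->second.second == content.size();
        return same ? Verdict::Unchanged : Verdict::Modified;
    }
private:
    std::map<std::string, std::pair<std::uint32_t, std::size_t>> sums_;
};

int main() {
    Bytes original(64, 0x11);  // constructed stand-in for a backed-up file
    Bytes current = original;
    current[10] = current[11] = current[12] = 0xAA;  // simulated in-place change
    current.insert(current.end(), std::size_t{4}, std::uint8_t{0xCC});  // appended data
    Baseline base;
    base.record("app.exe", original);
    if (base.check("app.exe", current) == Verdict::Modified)
        for (const Range& r : modified_ranges(original, current))
            std::cout << "app.exe differs at [" << r.begin << ", " << r.end << ")\n";
    return 0;
}
```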


  • Coder24

    I have read in the past a few threads that you made about anti virus, and I know that you know what you are talking about.

    My point is only that it may be bad advice to tell somebody that it is easy to make an anti virus and have real protection from it.

    To do an anti virus (and you know it), it takes a lot of knowledge, much more than what this OP appears to have.

    I do not think that if he wants to learn, he cannot, but he needs to understand that scanning a hard disk to delete the files that have a certain signature, like he wants to do, gives no protection at all. By the time he does the scan, the virus will have done what it was made to do
    Monday, December 21, 2009 9:00 PM
  • Hi Crazypennie:

    Thanks! Well, I understand your point, and yes it is (but you can make a real-time protection from it, and there again the key to success is knowledge). Yes, it takes a lot of knowledge and study; however, I’ve been working in this field for some years now.

    I think he can learn it, but it might take a lot of time for him, or I am not sure, no comments on the learn part that you posted.

    When it comes to making a specific virus scanner like “Virus removal tool” – you’ll need to have the original virus source code (as I said before) and you’ll need to test run that code on a virtual machine. As you study that specific virus code, you’ll actually make two different signatures. The first signature is the signature that tells your program that this specific file is the virus itself, and the other signature is the injected data which the virus has injected into PE-format files or MZ-format files.

    Since, you must also find the infected files, and the signatures that will be added when the infection has occurred are always the same, if the virus doesn’t use CPU instructions like “goto” or moreover, they rewrite themselves every time they infect a file, this term is often called: “metamorphic” (self-modifying code).

    Anyway, if somebody on this forum has problems with viruses, scanners or anything related to this topic or security, feel free to ask questions.

    Have a nice day…

    Best regards,
    Fisnik
        


    Coder24.com
    Tuesday, December 22, 2009 4:31 PM

  • Crazypennie said:

    It is never safe to do your own anti-virus

    a single bug can cost you all you have in your computer if not your identity.

    If it is not from a bad behaviour of your application, it is from a virus that was not recognized and that stays installed in your machine

    hmm? Maybe it isn't, but keep in mind that the antivirus software that you find on the market today is also made by humans and not robots or aliens or Einstein (a German scientist). All antivirus software, Symantec, Norton, Kaspersky, ClamAV, Windows


    Exact, humans, not one person and probably all those companies have big testing teams.

    Beside that, they are responsible as something goes wrong because of a simple bug.


    Success
    Cor
    Tuesday, December 22, 2009 6:01 PM
  • haha, all humans make mistakes.
    Nobody is perfect, even if these companies
    make advanced antivirus software they still
    fail to combat all viruses on the web.

    Also, there are dozens of ways to defeat virus signatures.

    Have a nice day...

    Best regards,
    Fisnik
    Coder24.com
    Tuesday, December 22, 2009 6:07 PM
  • Thank you for all your answers. Btw I am not making this anti-virus for commercial use, not yet that is =D. I am purely making this anti-virus for my personal gain, in a way adding more security. The purpose of this project is for educational use, to learn how viruses work, and how anti-viruses work as well.
    Tuesday, December 22, 2009 6:43 PM
  • Thank you for all your answers. Btw I am not making this anti-virus for commercial use, not yet that is =D. I am purely making this anti-virus for my personal gain, in a way adding more security. The purpose of this project is for educational use, to learn how viruses work, and how anti-viruses work as well.

    Now that sounds familiar.

    Your personal motives are totally irrelevant.
    Defending them when no one has accused you of anything just makes you look all the worse.

    It is the motives of those malicious few that are the real cause of the worry.
    They don't even need to log in to see the answers and solutions to questions.
    They can remain totally anonymous, just as they wish.



    Mark the best replies as answers. "Fooling computers since 1971."
    Tuesday, December 22, 2009 7:12 PM
  • Thank you for all your answers. Btw I am not making this anti-virus for commercial use, not yet that is =D. I am purely making this anti-virus for my personal gain, in a way adding more security. The purpose of this project is for educational use, to learn how viruses work, and how anti-viruses work as well.

    Now that sounds familiar.

    Your personal motives are totally irrelevant.
    Defending them when no one has accused you of anything just makes you look all the worse.

    It is the motives of those malicious few that are the real cause of the worry.
    They don't even need to log in to see the answers and solutions to questions.
    They can remain totally anonymous, just as they wish.



    Mark the best replies as answers. "Fooling computers since 1971."

    I agree.
    Coder24.com
    Tuesday, December 22, 2009 7:26 PM
  • Yes,

    An antivirus basically is a "string file searcher engine", because basically an informatic virus is a string of code in a specific file area (first 400kb file info); all you need is to compare two strings (dictionary string) vs. file string.

    Nowadays the business rules and algorithms define how the antivirus works and detects viruses in a file, in memory, etc.

    You only need a class (engine) and an interface... with a virus dictionary (creating some txt file with your "virus" strings could be right)

     

    Nice day

    Monday, February 21, 2011 9:03 PM
  • I can tell you that an antivirus can be made in VB. I have been a programmer for 6 years and more, and I made one that uses 10.000.000 sigs, and it has heur scan and protection and other stuff like ID protection, web protection and other things. It is only you that has to make it; I can make an AV in every programming language!
    Tuesday, October 04, 2011 11:59 AM
  • I have a major problem with anti-virus.

    Really, now I am crying, I am so sad because all anti-virus programs detect my programs as a virus.

    My programs are so helpful for humans; my programs are medical programs, not a virus.

    Please Microsoft, help me to resolve that.

    pleaseeeeeeeee.

    my mail is strongman.jordan@hotmail.com

    I am sooooooooo sad

    Sunday, February 12, 2012 8:35 AM
  • I have a major problem with anti-virus.

    Really, now I am crying, I am so sad because all anti-virus programs detect my programs as a virus.

    My programs are so helpful for humans; my programs are medical programs, not a virus.

    Please Microsoft, help me to resolve that.

    pleaseeeeeeeee.

    my mail is strongman.jordan@hotmail.com

    I am sooooooooo sad

    Jordan,

    Create your own new question; using the threads of others in forums seldom makes sense.


    Success
    Cor

    Sunday, February 12, 2012 10:01 AM
  • Hi! I just came to know about this site when I was searching for information about antivirus coding. This forum was really helpful in understanding many things about viruses and anti-virus. I'm also working on developing an anti-virus, but sadly I'm stuck with the possible ways of detecting viruses. I'm new to coding and don't have a good hold of the C# language. I have an idea of how to code it but don't know how to do so. In other words, I have an algorithm but don't know how to start coding it. Can anybody help me get a good start so that I can continue later?

    thank you in advance

    Monday, March 05, 2012 4:18 PM
  • This can be a problem because most viruses are written in C/C++/C#

    try ruby or python


    kitty

    Sunday, July 01, 2012 5:34 PM