
EXECUTIVE WHITE PAPER

Advanced Virus Detection


Scan Engine and DATs
Comprehensive scanning technology for today’s threats and tomorrow’s

Table of Contents

Abstract
The developing threat
    Don Quixote in the floppy disk era: 1986–1994
    Macro viruses reign supreme: 1995–1998
    Viruses affect the bottom line: 1998 and the new millennium
McAfee® next generation scanning technology
    Battle-tested engine technology
    Versatile language base
        · Efficient virus variant detection
        · Accurate virus detection
        · Faster “find and fix” solutions
        · ActiveDAT
        · Update stability
        · Cleaning
    Encrypted virus detection
        · Polymorphic virus detection
        · Generic decryption of polymorphic viruses
    Advanced heuristic analysis
        · Negative heuristics
        · False alarm elimination
        · Macro heuristics
        · Win32 PE heuristics
        · Virus scanning sensitivity tools
    Internet virus code scanning
        · Java applets
        · ActiveX controls
        · Scripting viruses
    Packers and archives
        · Trojans and their use of Win32 compression utilities
    Recursive decompression scanning
        · ZIP file virus detection
Summary


Abstract
Businesses worldwide have lost a total of US$7.6 billion in the first two quarters of 1999 at
the hands of Melissa, the Explore.Zip worm and other viruses. This is a conservative
number in that not everyone tracks cost, and most companies tend to undercount and
underreport.
—Michael Erbschloe, Computer Economics Inc., June 18, 1999

Computer Economics Virus Impact Update


Computer Economics has tracked the economic impact of computer virus and malicious
code attacks for several years. Computer Economics determined that the economic impact
of virus attacks on information systems around the world amounted to $17.1 billion in 2000.
—Computer Economics Inc., August 14, 2001

The war against viruses continues to escalate, with losses in the billions of dollars. While virus defense systems of the
past kept pace with the then adolescent stage of virus patterns, scanners for the new millennium have evolved
greatly. Their in-depth inspection techniques and statistical behavior pattern matching reflect the equally evolved
nature of today’s threats.

No longer is such code isolated to floppy disks or a particular make of computer. In an interconnected web of
networks, today's viruses have erased borders and have emerged as complex security threats. Fighting the war has
forced security providers to effect the same level of change. The end result is advanced engine designs and next-
generation scanning technology unlike anything the industry has ever seen.

The particulars of these evolutionary virus scanning changes, a clear description of their impact, and an
outline of new virus warfare weaponry for businesses are discussed in this white paper.


The developing threat


Don Quixote in the floppy disk era: 1986–1994
It may have looked like a fight against windmills in previous decades as anti-virus pioneer John McAfee, an
engineer at US defense systems leader Lockheed, wrote “programs that decoded other programs.” In his time,
the mid 1980’s, it was a $20 bet with fellow engineers that spurred his development of the first anti-virus weapon,
not thousands of virus outbreaks.

As a result of such a limited virus environment, anti-virus protection such as McAfee’s first anti-virus scanner was
simplistic in nature. Using hypotheses of what future threats could occur, the defense was based more on remote
threats rather than real-world crises. Virus samples had to be collected from a small circle of acquaintances,
haphazardly, in unsecured environments. Designed with his “friend vs. foe” expertise, developed through his
years in the defense industry, McAfee’s early scanners used pattern matching techniques. These scanners had to
fully identify a known virus, then match a fix against it. “Friendly” code, or code that could not be fully matched to a
known threat, was allowed through—with the hope that no new virus was embedded in the file.

At around the same time, in the UK, Dr. Alan Solomon began his investigations into the emergent virus threat. His
expertise in the field of data recovery drew him into the field of virus detection. Dr. Solomon was asked to
examine a suspect floppy disk with the volume label “© Brain.” His analysis confirmed that the boot sector
contained executable code designed to install itself in memory and copy itself to other floppy disks. This was
Brain, the first PC virus. Unlike today, when more than 200 new viruses appear every month, it was still possible
in 1986 for some “experts” to even question the existence of viruses. However, this became increasingly difficult
in the years that followed. The development of detection and cleaning routines for these early viruses formed the
first building blocks of the Dr Solomon's scanning engine, which today, in its fourth generation, lies at the heart of
McAfee's security solutions.

By the early 1990s, well-known viruses like Stoned, Jerusalem, and Cascade began to circulate around the PC-
user community. Most file-transfers took place using floppy disks and many of these early viruses were boot
sector infectors, spreading only via floppy disks. Scanners remained localized, reading floppy disks upon access,
and matching suspicious code to known viruses only. John McAfee, Alan Solomon, and other anti-virus
researchers around the world could spend days analyzing a sample, since an outbreak was unlikely unless many
diskettes with the infection were passed around. Few viruses, or virus incidents, drew serious media attention
before March 1992, when the world’s media focused on Michelangelo virus and its potential threat to data. One of
the by-products of the Michelangelo incident was that corporations found other viruses lurking in their systems
and began to take the virus threat seriously.

The early 1990s saw a growing sophistication in the development of viruses. More and more viruses started to
incorporate stealth techniques, designed to prevent PC-users from noticing changes made by the virus (an
increase in file-size, for example). Some virus writers began to variably-encrypt their code, to prevent anti-virus
programs from using a simple search “string” to identify the virus. These polymorphic viruses forced anti-virus
vendors to develop more advanced techniques for analyzing disks and files.

Macro viruses reign supreme: 1995–1998


Scanning technology had to be further updated to combat a huge surge in the number of viruses in the mid-
1990s. Just as corporations were becoming aware of the need to scan incoming floppy disks before they were
used in the organization, a new type of virus changed the nature of the threat. Concept virus—the first macro
virus—appeared in July 1995. Macro viruses took advantage of the macro writing language used within
Microsoft’s Office applications, “cashing-in” on the fact that these applications were fast becoming the standard
within the PC world. Macro viruses were easy to write, unlike their predecessors, which required low-level
programming skills. They were tied to the application rather than to the operating system, so they could spread
across multiple platforms and operating systems. They infected data files and spread further and faster than viruses
had ever done before, thanks to the emergence of email as a key business tool.


Scanners, as a result, were stretched to the limits. Advanced algorithms had to be designed and implemented, to
detect and remove macro viruses. While infected floppy disks could be isolated and quarantined for later
cleaning, macro viruses afforded scanners no such luxury. New virus definitions had to be delivered within hours,
to prevent rapid proliferation. And cleaning now became essential.

Viruses affect the bottom line: 1998 and the new millennium
Today it’s no longer simply a virus threat. Internet worms, Trojans, and backdoors are now a significant—and
growing—threat, alongside EXE infectors and macro viruses. Increasingly, the term “malware” is used to
encompass all threats. Macro viruses are no longer the dominant force they were. Internet worms account for
over 70% of all threats. Many of today’s viruses and worms are “mailers” and “mass-mailers”. They infect by
“hijacking” the email system, using it to spread automatically. They affect vast numbers of computers in locations
throughout the world. The connectivity provided by the Internet means that viruses and worms only have to hit
once to strike deep. Lightning-speed connections make time-consuming grunt-scans obsolete, and the sheer
number of viruses—over 60,000—makes pure pattern matching impossible. Together with the dramatic increase
of viruses per month, the advanced nature of virus attacks has had a marked effect on the nature of scanning
technology.


McAfee® next generation scanning technology


By integrating several old and new technologies, McAfee has engineered technical advantages formerly unavailable
in any cohesive scanning solution in the marketplace. The new McAfee integrated detection and cleaning engine has
marked a change in approach to virus defense. This re-engineered scan engine brings several advantages.

· Mature technology
· Versatile language base
· Advanced heuristic analysis
· Expanded scanning capabilities
· Generic detection and cleaning

Battle-tested engine technology


In the early days, the developers of anti-virus solutions faced the challenge of having to create their software with no
guidelines or precedents. However, today’s anti-virus developers use earlier examples and lessons learned to find
clues that can help to combat present and future threats. Such a history helps developers to add new features, or
change the scope of existing features.

Besides using history to their advantage, researchers at McAfee have taken advantage of other phenomena.
Documented software industry trends reveal that first generation technologies inevitably contain technical
inefficiencies that are difficult to measure in a laboratory setting prior to product integration. It’s only real-world testing
across multiple platforms, in large-scale environments, that allows scanning techniques to be benchmarked. Once
measured in the real world, scanning technology can then be further honed and re-engineered to suit specific
customer requirements. Later scan engine implementations incorporate all the previously learned techniques and are
battle-tested for use in mission-critical applications.

The McAfee scan engine is in its fourth generation. The engine has a strong pedigree, battle-tested prior to 1998
through several versions of Dr Solomon's Anti-Virus Toolkit. With superior levels of detection and cleaning achieved
over many years of research and refinement, the scan engine was also optimized for use in a variety of point products
across the network. Late in 1998, this technology was integrated into the entire McAfee product line, from desktop
and server products to the demanding environments of email servers and Internet gateways. Moreover, a large
number of application and managed service providers use the scan engine SDK (Software Developers Kit) to
integrate McAfee’s advanced scanning technology directly into their own solutions, allowing them to deliver the
protection their customers demand.

Versatile language base


As the nature of the threat changes, so do anti-virus scanners. This includes the McAfee scanners, which now
incorporate features specifically geared towards the latest threats. Specifically, the technical design of an anti-virus
defense engine can critically affect its ability to detect and clean new virus strains as they emerge. If too narrow in
design, the engine may miss new variants and new virus types. If too open-ended, it may drain performance and
affect too many components in a routine computer task list. In addition, it may generate a large number of false
positives that take up system resources and distract IT personnel from mission-critical activities. During an outbreak
in particular, engine design—and the language on which its detection routines are based—can drastically affect its
speed and the accuracy of its detection and cleaning.

· Efficient virus variant detection


The McAfee scan engine uses Virtran, a unique proprietary language invented and perfected by renowned anti-
virus expert, Dr. Alan Solomon. Since it is specifically designed for virus detection and cleaning, the engine
applies an efficient method for detecting numerous virus variants with little code. This is sometimes referred to as
a “generic” detection method.

Virtran works by enabling the scanner to locate the specific point in a file, boot sector or MBR (Master Boot
Record) containing the virus code. The scanner does not need to “grunt-scan,” or scan from one end of a file or
sector to the other, checking for virus code. McAfee AVERT (Anti-Virus Emergency Response Team) researchers

can determine where in the file the virus code is located and then program the engine to look in this specific
location. This knowledge, built into the virus definition file (DAT), allows the scanner simply to search for the virus
in a specific location within the file. If the specific sequence of bytes sought for (sometimes called a signature or
virus definition) is not there, the file is reported to be clean.

The huge experience of the McAfee AVERT team, with its many combined years in analyzing viruses, worms and
other malicious code, means that McAfee researchers have become expert in recognizing which parts of a virus
are likely to appear in any new variants of a virus. So detection algorithms use as few “static” strings as possible,
making detection of a virus and its variants more and more “future-proof”. This technology makes it possible to
find and remove many viruses of the same family with a single definition—while some anti-virus products are
forced to create detection routines for each one individually. This technology, developed over several years, has
brought enormous benefit to McAfee customers, who get proactive detection against viruses that don’t yet exist.

[Figure: a non-optimized scan engine “grunt-scanning” a file from end to end (inefficiency: 500%) compared with the McAfee scan engine using Virtran single-point scanning (inefficiency: 0%).]

Single-point virus scanning enabled by McAfee’s use of the Virtran language provides faster and more
accurate virus detection.
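To make the single-point idea concrete, here is a small Python model, added as an illustration and not McAfee code. The Virtran record format is not documented in this paper, so the records below use an assumed layout: a detection name, an anchor (the file start or the program entry point), an offset from that anchor, and a byte pattern in which None is a wildcard. The toy “executable” layout, the Demo.* names, the signatures and the infected and clean samples are all constructed for the example. The single-point scan looks only where each record points and counts its byte comparisons, so its cost can be set directly against a grunt-scan of the same file; the wildcards are what let one record cover several variants of a family.

```python
"""Single-point signature scanning versus grunt-scanning (added example)."""
import struct

# Constructed sample-file layout: a 4-byte little-endian entry-point offset,
# then the code. Real PE/MBR parsing is out of scope for this illustration.
HEADER_LEN = 4

# Assumed record format (Virtran's real one is not documented in the paper):
#   (detection name, anchor, offset, pattern)
#   anchor  "entry" -> offset is relative to the program entry point
#           "file"  -> offset is absolute within the file
#   pattern bytes expected at that position; None is a wildcard, so one record
#           covers a family whose variants differ only in those positions
SIGNATURES = [
    ("Demo.Family", "entry", 0, (0xB8, None, None, 0x00, 0x00, 0xE8)),
    ("Demo.Boot",   "file",  HEADER_LEN, (0xEB, 0x3C, 0x90)),
]

def entry_point(data: bytes) -> int:
    return struct.unpack_from("<I", data, 0)[0]

def match_at(data: bytes, pos: int, pattern) -> bool:
    if pos < 0 or pos + len(pattern) > len(data):
        return False
    return all(p is None or data[pos + i] == p for i, p in enumerate(pattern))

def single_point_scan(data: bytes):
    """Check each record only where it says the virus code must be.
    Returns (detection name or None, number of byte comparisons attempted)."""
    examined = 0
    ep = entry_point(data)
    for name, anchor, off, pattern in SIGNATURES:
        pos = (ep if anchor == "entry" else 0) + off
        examined += len(pattern)
        if match_at(data, pos, pattern):
            return name, examined
    return None, examined

def grunt_scan(data: bytes):
    """Slide every pattern over every offset, as a non-optimized scanner would."""
    examined = 0
    for name, _anchor, _off, pattern in SIGNATURES:
        for pos in range(len(data) - len(pattern) + 1):
            examined += len(pattern)
            if match_at(data, pos, pattern):
                return name, examined
    return None, examined

def build_infected(variant_imm: int, padding: int = 2000) -> bytes:
    """Constructed infected sample: host padding, then the variant's code at the
    entry point. variant_imm (< 0x10000) is the per-variant value the wildcards absorb."""
    ep = HEADER_LEN + padding
    code = bytes([0xB8]) + struct.pack("<I", variant_imm) + bytes([0xE8, 0x10, 0, 0, 0])
    return struct.pack("<I", ep) + b"\x90" * padding + code

def build_clean(size: int = 2000) -> bytes:
    """Constructed clean sample: entry point into plain NOP padding."""
    return struct.pack("<I", HEADER_LEN) + b"\x90" * size

if __name__ == "__main__":
    for imm in (0x1234, 0xBEEF):
        sample = build_infected(imm)
        print(hex(imm), single_point_scan(sample), grunt_scan(sample))
    print("clean", single_point_scan(build_clean()), grunt_scan(build_clean()))
```

Both variants hit the same record because the two wildcard bytes absorb the per-variant immediate, while a variant whose immediate exceeds 0xFFFF falls outside the family and is missed: the wildcards must be placed by someone who knows which bytes a new variant is likely to change, which is the analyst skill the paragraph above describes.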


· Accurate virus detection


Virtran makes it easier for McAfee AVERT researchers to add a new driver quickly and easily, thus ensuring a
high level of detection and cleaning. As stated, this technology makes it possible to detect and remove many
viruses of the same family using a single driver, without the need to write detection and cleaning routines for each
one individually. One example of this is the way that McAfee AVERT researchers were able to deal with a
collection of 15,000 viruses¹ submitted to McAfee in September 1998 by a skilled, anonymous virus writer. The
McAfee scan engine was able to detect and clean over 14,000 of these viruses using just eight Virtran drivers.

While other anti-virus vendors are only now moving towards a “generic” detection approach, McAfee has been
using this methodology for several years. These years of experience mean that McAfee is also able to clean
these viruses—something that is incredibly difficult to achieve. This technology has protected McAfee customers
against threats from major virus outbreaks, including AnnaKournikova, Homepage, Badtrans.b, Fbound.c, Klez.h,
Frethem, and many other viruses and worms—long before they appeared in public.

· Faster “find and fix” solutions


As discussed, anti-virus developers can no longer “sleep on it” when it comes to developing fixes for new viruses.
Demands of corporate environments, prone to bottom line crises, and the huge scope of viruses spread over the
Internet, have forced developers to compress the “virus fix” time period. Virus definitions must be posted
immediately, sometimes with updates hourly in such cases. The unique nature of Virtran offers not only more
efficient and more accurate virus detection, but also greatly affects the speed at which virus cleaning definitions
can be developed. Using Virtran, a member of the McAfee AVERT research laboratory can write a detection and
cleaning definition that covers an entire family of viruses (rather than just one particular virus) very quickly. Built-in
components of the McAfee scan engine, usually referred to as “verbs,” provide a variety of technical routines for
virus cures.

[Figure: the McAfee scan engine with new fixes, in which existing verbs are combined to cover Code Red.a, Code Red.b and Code Red.c.]

The efficient architecture of the McAfee scan engine, using Virtran, enables virus researchers to draw
quickly on the library of existing engine verbs to develop new language structures that detect entire
families of viruses. These updates are normally released weekly as part of the DAT update, although
more frequently in outbreak scenarios. Inferior designs avoid integration and simply add code upon code
until the product becomes bloated.

¹ Virus writers occasionally release viruses in security vendor environments in the hope that the virus will attack a commercial product and exploit a vulnerability. In this
case, it is unclear why the virus writer chose to expose the large private collection to a commercial vendor. Rather than cause damage, the submitted collection actually
helped McAfee speed its research into new strains of viruses by providing virus samples for which we could produce fixes before the viruses went public.


· ActiveDAT
Even greater flexibility has been built into the McAfee scan engine with the inclusion of ActiveDAT technology.
ActiveDAT supplements the already powerful Virtran verbs with MicroC instructions. This means that scan engine
functionality can be extended “on the fly” - to deal with new attack mechanisms - simply by including a new DAT
file. ActiveDAT technology was added in March 2000 and has since allowed McAfee to provide seamless
detection for a number of new threats, including Jini.a1 and ZMist.

· Update stability
The original McAfee scan engines that updated virus defense systems by adding code, or by expanding pattern
matching capabilities, are primitive compared to today’s scanning technology. Virtran’s integration into the scan
engine stabilizes the defense system, reduces detection misses and makes virus cleaning more reliable.

This design feature also eases the task of developing virus cleaners, a prime benefit in the event of a virus
outbreak. While “grunt-scanning” methods waste time in detecting viruses, the McAfee scan engine helps
developers spend less time figuring out detection routines and more time getting fixes out to customers quickly,
before virus infiltration is widespread. Yesterday’s method of building code upon code cannot adequately protect
against current virus threats.

· Cleaning
Cleaning is essential. If an anti-virus scanner simply flags an infection, the user or system administrator must
replace the file—either from an original master disk or CD (EXE files) or from a backup (documents,
spreadsheets, etc.). However, if the scanner is able to clean the infected file, business continuity is maintained,
down-time is minimized, and costs are reduced. The difference between cleaning and not cleaning files means
that either your anti-virus program is able to restore your hard work or it is not. In the latter case, it will display a
pop-up message telling you that the file is infected and should be deleted and replaced with a clean backup. In
this event, there are two things to consider. 1) You will lose all incremental work carried out since your last
backup. 2) You do have a backup, don’t you?

Encrypted virus detection


Earlier virus scanning designs took into consideration very few types of viruses, since very few existed. As mentioned,
floppy disks carried the majority of viruses until a new type, macro viruses, appeared. Today, it’s important for a virus
detection engine not only to detect a wide variety of virus variants—including 32-bit EXE infections, script-based
threats and Remote Access Trojans—but also to detect the more difficult types of viruses. The fourth generation
McAfee scan engine has a technical advantage in this area, particularly in its detection of variably-encrypted,
polymorphic viruses.

· Polymorphic virus detection


Virtually unheard of in the early 1990’s, the number of polymorphic viruses has continued to rise, using encryption
to hide and so continue to spread. For most viruses, it is possible to identify a virus using a specific sequence of
bytes. This sequence of bytes is stored within the driver, or DAT file. If the sequence of bytes matches the
sequence in the driver, then the file is flagged as infected. However, a polymorphic virus is variably-encrypted.
The sequence of bytes in the virus code changes with each infection and there is no constant sequence of bytes
for which to search. Polymorphic viruses are known to be difficult to detect and remove, as they constantly
change their shape to outmaneuver pattern matching detection methods.


[Figure: the byte sequences of the same polymorphic virus in two infections, arranged in a different order each time.]

Polymorphic viruses are one of the more difficult virus types for scanners to detect because of their dynamic
nature. Such viruses change their sequence of bytes with each infection. The McAfee scan engine includes
the Generic Decryption Engine (GDE) for specialized polymorphic virus detection.

· Generic decryption of polymorphic viruses
The McAfee scan engine includes a module called the Generic Decryption Engine (GDE) that provides excellent
capabilities to detect and remove polymorphic viruses. The GDE analyzes the algorithm used in the decryptor-
loader of the polymorphic virus—that is, the code segment that the virus uses to decrypt its own code before
executing. The GDE then applies the algorithm to the encrypted code, using it to “see through” the encryption
used by the virus. Once the virus code has been decrypted in this manner, a standard sequence may be used to
identify the virus positively. This enables the engine to find all the instances of a polymorphic virus. In addition, it
does not produce false alarms and enables the engine to clean the infected file or disk sector. Use of the GDE
also affects the speed of understanding and recognizing new virus strains, even as they change. For corporate
enterprises, this rapid polymorphic detection rate helps prevent further spread or virus damage.


[Figure: algorithmic analysis by the GDE. The decryptor-loader of a polymorphic virus is analyzed and its body decrypted; the same virus, changed and re-encrypted in a later infection, is decrypted again by the GDE.]

The Generic Decryption Engine (GDE), exclusive to the McAfee scan engine, analyzes a polymorphic virus’s
decryptor-loader to determine its encryption routine. Once the GDE has determined that routine, it applies it to
the next appearance of the same polymorphic virus to decrypt and detect it, even in its changed form.

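The paper describes the GDE only at the level above (analyze the decryptor-loader, apply its algorithm to the encrypted body, then match a static signature), so the following Python model is an added illustration and not McAfee code. It does not use real machine code: the decryptor stub is an assumed, constructed encoding of a few pseudo-instructions (load key, choose operation, set key step, junk NOP, run), the virus body, the signature and the Demo.Poly name are constructed, and the mutation routine stands in for the virus while the analysis routine stands in for the GDE. The point it shows is that the ciphertext never contains the signature, but the recovered algorithm exposes the constant body without executing anything.

```python
"""Generic decryption of a toy polymorphic virus (added example)."""
import random

# Assumed decryptor-stub encoding (constructed for the example, not machine code):
#   0x10 kk   LOADKEY kk   initial key byte
#   0x20 oo   OP oo        0x00 XOR, 0x01 ADD, 0x02 SUB: how each body byte is decrypted
#   0x30 dd   STEP dd      key += dd (mod 256) after every byte
#   0x90      NOP          junk the mutation engine may insert anywhere in the stub
#   0xFF      RUN          end of stub; the encrypted body follows immediately
OP_XOR, OP_ADD, OP_SUB = 0x00, 0x01, 0x02

# Constructed constant body of the toy virus, and a static signature cut from it.
VIRUS_BODY = bytes.fromhex("E8 00 00 00 00 5D 81 ED 06 10 40 00 8B 85 C4 03")
SIGNATURE = bytes.fromhex("5D 81 ED 06 10 40 00")

def apply(op: int, byte: int, key: int) -> int:
    if op == OP_XOR:
        return byte ^ key
    if op == OP_ADD:
        return (byte + key) & 0xFF
    if op == OP_SUB:
        return (byte - key) & 0xFF
    raise ValueError("unknown op")

def inverse(op: int) -> int:
    return {OP_XOR: OP_XOR, OP_ADD: OP_SUB, OP_SUB: OP_ADD}[op]

def mutate(body: bytes, key: int, op: int, step: int, rng: random.Random) -> bytes:
    """Virus side: a fresh decryptor stub (reordered, junk-padded) plus the body
    encrypted so that the stub's own algorithm recovers it."""
    instrs = [bytes([0x10, key]), bytes([0x20, op]), bytes([0x30, step])]
    rng.shuffle(instrs)
    stub = b"".join(ins + b"\x90" * rng.randint(0, 2) for ins in instrs) + b"\xFF"
    enc_op, k, out = inverse(op), key, bytearray()
    for b in body:
        out.append(apply(enc_op, b, k))
        k = (k + step) & 0xFF
    return stub + bytes(out)

def make_variants(seed: int = 7):
    """Three constructed infections of the same virus, each with a different stub."""
    rng = random.Random(seed)
    params = ((0x3A, OP_XOR, 0x07), (0xC1, OP_ADD, 0x00), (0x05, OP_SUB, 0x13))
    return [mutate(VIRUS_BODY, k, o, s, rng) for k, o, s in params]

def analyse_decryptor(sample: bytes):
    """Scanner side: walk the stub and recover (key, op, step, body_offset),
    or None if this is not a decryptor the engine understands."""
    key = op = None
    step = 0
    i = 0
    while i < len(sample):
        opc = sample[i]
        if opc == 0xFF:
            return None if key is None or op is None else (key, op, step, i + 1)
        if opc == 0x90:
            i += 1
            continue
        if i + 1 >= len(sample):
            return None
        arg = sample[i + 1]
        if opc == 0x10:
            key = arg
        elif opc == 0x20:
            if arg not in (OP_XOR, OP_ADD, OP_SUB):
                return None
            op = arg
        elif opc == 0x30:
            step = arg
        else:
            return None
        i += 2
    return None

def generic_decrypt(sample: bytes):
    """Apply the recovered algorithm to the encrypted body; the sample is never executed."""
    params = analyse_decryptor(sample)
    if params is None:
        return None
    key, op, step, start = params
    k, out = key, bytearray()
    for b in sample[start:]:
        out.append(apply(op, b, k))
        k = (k + step) & 0xFF
    return bytes(out)

def scan(sample: bytes):
    """Decrypt generically, then fall back to an ordinary static signature."""
    plain = generic_decrypt(sample)
    return "Demo.Poly" if plain is not None and SIGNATURE in plain else None

if __name__ == "__main__":
    for s in make_variants():
        print(s.hex(), "->", scan(s), "signature visible in ciphertext:", SIGNATURE in s)
```

Anything the stub parser does not understand (an unknown operation, a stub with no key) is refused rather than guessed at, which is what keeps a generic decryptor from producing false alarms on ordinary code that merely resembles a loop.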
Advanced heuristic analysis
Perhaps the most exciting development in today’s new levels of virus detection and cleaning is the approach towards
intelligently estimating whether or not something is a virus. Most major anti-virus approaches today use some form of
heuristic analysis, to detect new viruses that have not been seen before. This involves searching through the code in
a file to determine whether that code takes actions that appear to be actions typical of a virus. The more virus-like
code that is found, the more likely that a virus is present. Once the level of virus-like code is found to reach a pre-
determined threshold, the scanner reports a possible infection. While virus scanners of the past could rely just on
tables of signatures to match against known viruses, the significant rise in the number of new viruses prompted
McAfee to find newer ways to catch unknown viruses. Catching them before they became widespread and caused
damage became a priority, as companies hooked up to the Internet, leaving their corporate assets vulnerable to
outsiders.

· Negative heuristics
While most organizations seek tight control over security, CIOs understand that there is a trade-off that could
result in an inability of the business to perform basic functions. If security technologies shut down functions at the
user’s every turn, security just becomes an obstacle. With anti-virus scanners in particular, the danger is a high
level of false positives. Weaker scanning technologies generate many false alarms because of the inefficiencies
of their detection routines.

The McAfee scan engine uses not only traditional heuristic analysis techniques, but also performs a sophisticated
“non-virus” identification approach called "negative heuristic" analysis. While the scanning engine is searching
through code to determine whether it contains any virus-like commands, it also searches for code that is distinctly
not like a virus. The combination of “positive” and “negative” heuristics enables a simultaneous, bi-directional
virus analysis. It is an approach that reflects the changed nature of viruses, and the realization that to be a virus
defense expert, one must think like the virus writers and try and second-guess their hiding places.

· False alarm elimination


The double heuristics approach also reduces the risk of false alarms. This is of key importance in today’s
enterprise, in which the IT department deals with hundreds of technologies and management tools, and can not
afford to divert attention away from another task to deal with threats that are, in fact, just engine inefficiencies.
Eliminating false alarms removes another disruption and works toward more seamless virus defense operations.


· Macro heuristics
To deal with the large numbers of macro viruses, McAfee’s advanced heuristic scanning includes macro
heuristics. The threat from macro viruses is much reduced compared to previous years. Nevertheless, macro
viruses still represent a threat to corporate systems. They infect Microsoft Office documents and templates, and
their payloads often insert unwanted words or phrases into the text. The combined scanning method of positive and negative heuristics in the McAfee engine
significantly improves macro virus detection rates.
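The positive-plus-negative scoring described under “Negative heuristics” and “False alarm elimination”, applied to macro source as the macro heuristics passage discusses, looks like the following Python model. It is an added example, not McAfee’s rules: the indicators, weights, threshold and both macro listings are constructed for illustration. The second listing is the interesting one: a legitimate office macro that touches the global template and deletes a scratch file scores above the threshold on positive indicators alone, and only the negative indicators (user interaction, comments, ordinary save-and-print workflow) pull it back to a clean verdict.

```python
"""Positive and negative heuristics over macro source (added example)."""
import re

# Assumed rules: (regex, weight, reason). Positive rules add to the score when
# the macro does something virus-like; negative rules subtract when it does
# something a self-replicating macro would have little reason to do.
POSITIVE = [
    (r"\bNormalTemplate\b.*\bVBProject\b", 40, "modifies the global template's VBA project"),
    (r"\bCopyMacro\b|\bOrganizerCopy\b", 35, "copies macros between documents"),
    (r"\bDisableAutoMacros\b|\bVirusProtection\s*=\s*False", 30, "turns off macro protection"),
    (r'\bCreateObject\(\s*"Outlook\.Application"', 25, "automates the mail client"),
    (r"\bKill\b|\bDeleteFile\b", 15, "deletes files"),
]
NEGATIVE = [
    (r"\bMsgBox\b|\bInputBox\b", 15, "interacts with the user"),
    (r"^\s*'.*", 5, "comment line; replicating code is rarely documented"),
    (r"\bPrintOut\b|\bSaveAs\b.*FileFormat", 10, "ordinary document workflow"),
]
THRESHOLD = 50      # assumed; a real engine's threshold is tuned, not published
MAX_HITS = 5        # cap per negative rule so a long comment block cannot mask a virus

def score(source: str) -> dict:
    """Return positive total, negative total, net total and the rules that fired."""
    pos = neg = 0
    hits = []
    for pattern, weight, why in POSITIVE:
        if re.search(pattern, source, re.M):
            pos += weight
            hits.append((+weight, why))
    for pattern, weight, why in NEGATIVE:
        n = len(re.findall(pattern, source, re.M))
        if n:
            neg += weight * min(n, MAX_HITS)
            hits.append((-weight * min(n, MAX_HITS), why))
    return {"positive": pos, "negative": neg, "total": pos - neg, "hits": hits}

def verdict(source: str) -> str:
    return "suspicious" if score(source)["total"] >= THRESHOLD else "clean"

# Constructed listings. Neither is a real virus: the first mimics what an
# infector does, the second is a plausible office macro that touches the
# same objects for a legitimate reason.
CONSTRUCTED_INFECTOR = r'''
Sub AutoOpen()
    Application.VirusProtection = False
    NormalTemplate.VBProject.VBComponents.Import "payload.bas"
    Set ol = CreateObject("Outlook.Application")
    Kill "C:\boot.log"
End Sub
'''

CONSTRUCTED_LEGIT = r'''
' SaveAndPrint: asks for a file name, saves, prints, then removes the scratch copy
Sub SaveAndPrint()
    Dim target As String
    target = InputBox("Save letter as:")
    ActiveDocument.SaveAs FileName:=target, FileFormat:=wdFormatDocument
    ActiveDocument.PrintOut
    Kill Environ("TEMP") & "\letter.tmp"
    NormalTemplate.VBProject.References.AddFromFile "C:\Office\helpers.dll"
End Sub
'''

if __name__ == "__main__":
    for label, src in (("infector", CONSTRUCTED_INFECTOR), ("legit", CONSTRUCTED_LEGIT)):
        s = score(src)
        print(label, verdict(src), "positive", s["positive"], "negative", -s["negative"], "net", s["total"])
        for w, why in s["hits"]:
            print("   %+d %s" % (w, why))
```

The cap on negative hits matters: without it, a virus writer could bury the infector under a few hundred comment lines and buy a clean verdict, so negative evidence should lower the score but never be allowed to outweigh the positive evidence without limit.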

· Win32 PE heuristics
One of the major reasons for updating your anti-virus scanner is to ensure that you get the best possible detection
and cleaning from your product. The McAfee scan engine is updated regularly with new and enhanced
capabilities. The 4160 engine includes improved Win32 heuristics, to allow detection of even more new viruses
targeting 32-bit Windows files (programs that run under Windows 9x, Windows NT4, Windows 2000, Windows
ME, and Windows XP) even before they have appeared. This advanced protection reduces the risk of McAfee
customers being hit by a new virus before they have an opportunity to update their protection.

· Virus scanning sensitivity tools
Some of the more primitive heuristic scanners offer tools to adjust the sensitivity of the scan—to reduce the risk of
false alarms. The McAfee scan engine’s advanced heuristic analysis is optimized to avoid false alarms through
extensive QA testing and requires no such tools. This is of particular importance for large corporations that make
use of a wide variety of applications. With first generation anti-virus scanners, such companies could generate
huge false alarms lists. Anti-virus defense systems that promote the use of sensitivity tools are frequently
attempting to disguise inefficiencies in their scanning technology, many of which are left over from the floppy disk
virus era.

Internet virus code scanning

An emerging threat to computer users with Internet connectivity is the potential of hostile code that is automatically
downloaded and executed on a user’s computer when connecting to sites on the Internet. Although only a few
specific malicious applets have been discovered at this time, malicious code, also known as “mobile code,” has the
strong potential of being the preferred vehicle of future virus writers. Various experts define Internet-borne code
differently. Internet code, as referred to here, includes Java and ActiveX.

Although such Internet code is, in fact, more reminiscent of a security breach than of a virus, viruses are
increasingly using multiple forms to carry out attacks. The extensible and efficient McAfee scan engine includes
defense capability against both Java and ActiveX.

· Java applets
“Java applets” refers to executable code written in Java, a Sun Microsystems technology, that is frequently found
on Web sites in the form of animation such as a rotating stock ticker. Java is also used increasingly in corporate
applications such as Lotus Notes, and in intranet tools. Java applets are automatically and transparently run
through a Java Virtual Machine that is part of commonly used Internet browsers like Netscape Navigator. The
extensible and efficient McAfee engine includes defense against malicious Java applets that break Java Virtual
Machine sandbox restrictions or perform otherwise potentially hazardous actions.

· ActiveX controls
“ActiveX controls” refers to executable code written in ActiveX, a Microsoft technology, also found frequently
throughout the World Wide Web. ActiveX controls automatically and transparently run through Web-based
browsers such as Internet Explorer. The extensible and efficient McAfee scan engine includes defense against
malicious ActiveX controls, particularly important due to the lack of an advanced security model for ActiveX code.

· Scripting viruses
VisualBasic Script is scanned through a similar heuristic method to that used by the macro heuristic engine.


Packers and archives

· Trojans and their use of Win32 compression utilities
Trojans are possibly the main threat in today’s mail-centric world, and the McAfee scan engine has been
expanded and extended to deal with this threat.

First, Windows applications can be “packed”—this is a technique used to make the program physically smaller,
while still allowing the program to run as it did before. These “packers” are quite often used legitimately—which
some anti-virus vendors conveniently ignore, classifying any file that has been “packed” as being a potential
threat! This causes huge amounts of work for the IT department, ensuring that users are not worried
unnecessarily about these innocent files.

However, the problem with packers is that they change the sequence of code within the file in the same way as a
polymorphic virus does. The McAfee scan engine deals with packers in the same way as it deals with
polymorphic viruses. It is able to decrypt hundreds of different variants of these packers—thereby enabling Trojan
horse identification to proceed even when the author decides to re-package the Trojan in a different physical
form. Those anti-virus vendors that do not support these packers have to write additional detection routines for
each different packed variant—and they can’t do this proactively.

Second, the McAfee AVERT team has developed a major breakthrough in detection of Trojans—a technique that
is independent of the packers used to “hide” the Trojan. Using this method, a single driver can be used to identify
the Trojan whether it has been packed with WWPack, Petite, Neolite, or any of the hundreds of variants of
packers available.

Recursive decompression scanning

The purpose of file compression is to reduce the size of the data being stored on disk or transferred across the
Internet, and utilities like PKZIP and WinZip are now commonly used. Of course, it may not always be apparent that a
file is compressed. Software may arrive as a self-extracting archive. Such programs automatically de-compress when
run, so the user is unlikely to know that the file is compressed.

When a file is compressed, the bytes within the file are re-arranged as part of the space-saving process. If the file is
infected, the bytes belonging to the virus are also re-arranged and the characteristic “string” that an anti-virus program
looks for may no longer exist. There could be a “hidden threat” lurking within any compressed or archive file. For this
reason, it’s essential for anti-virus programs to understand different compression formats and to be able to scan these
files for viruses.

· ZIP file virus detection
The McAfee scan engine is able to detect viruses within the most commonly used compression methods,
including PKZIP, ARJ, PKLITE, LZEXE, Microsoft compression, RAR, TAR, GZIP, and many others—protecting
McAfee customers from the “hidden threat” that may lie within the compressed file. This scanning is done
recursively. The McAfee scan engine is able to look recursively within several layers of compression—through a
ZIP file within a ZIP file inside an ARJ, for example.
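As an added illustration of the recursive scanning described above (example code written for this page, not McAfee engine code): a small Python scanner that unpacks ZIP and gzip layers before matching a signature, with a nesting bound and a per-member size cap as the guards a practitioner would want against hostile archives. The signature, the member names and the nested sample archive are all constructed for the example.

```python
import gzip
import io
import zipfile
import zlib

# Constructed test signature: stands in for the virus "string" a scanner matches on.
TEST_SIGNATURE = b"CONSTRUCTED-TEST-SIGNATURE-0001"
MAX_DEPTH = 8                      # nesting bound: a hostile archive must not recurse forever
MAX_MEMBER_SIZE = 4 * 1024 * 1024  # inflate at most this much per member (decompression-bomb guard)


def wrap_in_zip(member_name, payload):
    """Return the bytes of a deflated ZIP archive holding a single member."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", compression=zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(member_name, payload)
    return buf.getvalue()


def scan_buffer(data, signatures=(TEST_SIGNATURE,), path="<root>", depth=0):
    """Return a list of (member_path, finding) pairs for `data`, unpacking ZIP and
    gzip layers recursively. A finding is a matched signature or a b"<...>" marker."""
    hits = [(path, sig) for sig in signatures if sig in data]
    if depth >= MAX_DEPTH:
        return hits + [(path, b"<max-depth-reached>")]
    if data.startswith(b"PK\x03\x04") and zipfile.is_zipfile(io.BytesIO(data)):
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                inner_path = f"{path}/{info.filename}"
                if info.file_size > MAX_MEMBER_SIZE:  # declared size, checked before inflating
                    hits.append((inner_path, b"<member-too-large>"))
                    continue
                hits += scan_buffer(zf.read(info), signatures, inner_path, depth + 1)
    elif data.startswith(b"\x1f\x8b"):  # gzip magic: no member name and no trustworthy size field
        inflater = zlib.decompressobj(16 + zlib.MAX_WBITS)
        member = inflater.decompress(data, MAX_MEMBER_SIZE)  # stop inflating at the cap
        inner_path = f"{path}/<gzip>"
        if inflater.unconsumed_tail:
            hits.append((inner_path, b"<member-too-large>"))
        hits += scan_buffer(member, signatures, inner_path, depth + 1)
    return hits


def build_nested_sample():
    """Constructed sample: notes.txt -> inner.zip -> inner.zip.gz -> outer ZIP."""
    filler = b"X" * 200  # repetitive padding so deflate really re-arranges the bytes
    inner_zip = wrap_in_zip("notes.txt", filler + TEST_SIGNATURE + filler)
    return wrap_in_zip("inner.zip.gz", gzip.compress(inner_zip))
```

A plain byte search over `build_nested_sample()` finds nothing, because deflate has re-arranged the bytes at every layer; `scan_buffer` reports the hit at `<root>/inner.zip.gz/<gzip>/notes.txt` only after unpacking all three layers.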


Summary

Virus defense was once a localized, simple process that involved matching known threats against a list, with no
delivery deadlines or virus fix timetables. In the networked world of the Internet, such weapons are almost obsolete,
and the demands of virus defense users have changed. Today’s scanning technology requires updated capabilities
against new world threats, as well as new techniques to speed the development of virus definitions. In addition, the
McAfee scan engine has evolved significantly in order to catch viruses that have never before been seen. McAfee
scanning technology, tested in real-world scenarios, versatile in its infrastructure, efficient and broad in its scanning
abilities and advanced in several key technical areas of virus defense engine design, offers an unprecedented
approach in the continuing war against viruses, worms, and other malicious code. Its flexible design and novel
architecture also allow McAfee to respond quickly as new threats appear. These attributes have made the McAfee
scan engine the industry’s leading virus defense weapon—for corporations, for military and government organizations
fighting multi-national virus attacks and for providers of application and managed services.

McAfee, the global leader in Internet security solutions and services, provides solutions for today's demanding e-
business environments and stands ready for the threats of tomorrow.

Network Associates, McAfee, AVERT, and PrimeSupport are registered trademarks or trademarks of Network Associates, Inc. and/or its affiliates in
the US and/or other countries. Sniffer® brand products are made only by Network Associates, Inc. All other registered and unregistered trademarks
in this document are the sole property of their respective owners. ©2002 Networks Associates Technology, Inc. All Rights Reserved.
6-AVD-AVP-002/1102
