The Smarter Anti-virus System
Zoner Antivirus is a modern anti-virus system for Windows and Linux. ZAV's core is a new, high-performance design that serves both the large mail servers of major corporations and the workstations of home and business users.
ZAV combines a number of current technologies, which makes it a serious contender among virus detection systems. These naturally include standard sample-based (signature) detection and archive unpackers; more interestingly, they include dynamic emulation of compiled and interpreted programs; static, dynamic, and run-time heuristics; and both targeted and generic decoders for programs encrypted with run-time packers. The code is optimized for today's hardware and can take advantage of parallel data processing. The result is very high scanning speed, which leaves room for deeper analysis than usual. Home and business computers can therefore run it without problems, as can heavily loaded mail servers that depend on a high-performance, stable software infrastructure, the environment ZAV was designed for in particular. Combined with the ZAV Sandbox technology, Zoner Antivirus adds a further dimension to detection.
Signature-Based Detection
This is the best-known type of detection. If a virus body contains enough unique data, the virus can be detected by comparing file contents against that data. Many viruses can be detected this way; many others, because of their complexity and constantly changing code, cannot, and for those the layers described below are needed.
Dynamic Code Emulation
This technique serves to detect complex infiltration types, including the most complex ones. These very often use random, constantly changing encryption and cannot be reliably distinguished using static signatures. Put simply, the method simulates the execution of the program by the computer's processor (it must therefore simulate part of the processor's functionality). Its advantage against polymorphic viruses (a static body encrypted with a varying key and unpacked by a varying decryptor) and metamorphic viruses (the virus code itself is randomly regenerated, with or without a random decryptor) is that it can let the virus run in simulation, never for real, until it blows its cover: for example, until the moment when the polymorphic part of its code has been decoded into its static form, at which point signature-based detection applies. Because each emulated instruction costs many real instructions, the emulator works within an instruction budget; the decryptor plug-ins described under Targeted and Generic Decryptors exist to keep that budget small. The core of the Zoner AntiVirus system also contains a script interpreter, which enables detection of even complex, encrypted scripted viruses.
Dynamic heuristic analysis
Together with dynamic code emulation, this is a powerful weapon against unknown malware. It does not search the code for static signatures but examines the behavior of the program itself after its simulated execution. On the basis of suspicious signs gathered during the test, the core estimates how likely it is that an unknown infiltration is present.
Static heuristic analysis
This supplements the dynamic analysis. Its purpose is to classify a file quickly, where possible, before emulation takes place, and to decide more precisely how to proceed from there. It likewise uses no concrete signatures; it is guided by general indicators of suspicion, which allows it to detect even viruses that are not yet known.
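One concrete static indicator of this kind is byte entropy: a region of a file that is encrypted or compressed looks like random data, which plain machine code and text do not. The following Python is an added example written for this page, not ZAV's own code; the window size, the threshold and the two sample buffers are assumptions constructed for the example. It computes entropy per window rather than for the whole file, so that a single encrypted region still stands out, and uses the result to decide whether the file should be handed to emulation.

```python
"""Static triage by windowed byte entropy. Window size, threshold and the two
sample buffers are constructed assumptions for this example."""
import math
import random
from collections import Counter

WINDOW = 1024        # bytes per window (assumed)
HIGH_ENTROPY = 7.0   # bits per byte; at or above this a window looks encrypted or compressed (assumed)


def shannon_entropy(chunk: bytes) -> float:
    """Bits of entropy per byte in `chunk` (0.0 for empty or constant, 8.0 for uniform random)."""
    if not chunk:
        return 0.0
    n = len(chunk)
    return -sum(c / n * math.log2(c / n) for c in Counter(chunk).values())


def entropy_profile(data: bytes, window: int = WINDOW) -> list:
    """Entropy of each consecutive window, so that one encrypted region stands
    out even when the file as a whole is mostly plain code or text."""
    return [shannon_entropy(data[i:i + window]) for i in range(0, len(data), window)]


def static_triage(data: bytes) -> dict:
    """Decide, without running anything, whether the file deserves emulation."""
    profile = entropy_profile(data)
    hot = [i for i, e in enumerate(profile) if e >= HIGH_ENTROPY]
    return {
        "windows": len(profile),
        "max_entropy": round(max(profile, default=0.0), 2),
        "high_entropy_windows": hot,
        "needs_emulation": bool(hot),
    }


# Constructed samples: plain text, and the same text followed by an
# "encrypted" tail made of seeded pseudo-random bytes.
PLAIN_SAMPLE = (b"The quick brown fox jumps over the lazy dog. " * 100)[:4096]
_rng = random.Random(1)
PACKED_SAMPLE = PLAIN_SAMPLE[:1024] + bytes(_rng.getrandbits(8) for _ in range(3072))

if __name__ == "__main__":
    print("plain :", static_triage(PLAIN_SAMPLE))
    print("packed:", static_triage(PACKED_SAMPLE))
```

The caveat a practitioner should keep in mind: compressed media, archives and already-compressed resources also have high entropy, so this indicator alone only routes a file to deeper analysis; it is not a verdict.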
Run-time heuristic analysis
This is a preliminary check that runs on every file scanned. Before the more sophisticated and time-consuming tests, the core checks whether a similar file has recently been detected as an infiltration. Once the number of such appearances exceeds a set limit, further copies are automatically flagged as suspicious. This technique is not recommended for full-disk scans on workstations, but on mail servers it can stop a large virus epidemic early, even one of entirely unknown origin.
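The counting logic described above, as an added Python example written for this page (it is not ZAV's own code). The threshold, the time window, the SHA-256 fingerprint, the stand-in deep scan and the mail stream are all constructed assumptions. A tracker remembers when deeper analysis confirmed an infiltration, keyed by the attachment's fingerprint, and once the same fingerprint has been confirmed more than the limit within the window, further copies are flagged without running the expensive path at all.

```python
"""Run-time (outbreak) heuristic for a mail gateway. Threshold, window,
fingerprint, the stand-in deep scan and the mail stream are constructed
for this example and are not ZAV's own logic or values."""
import hashlib
from collections import defaultdict, deque


class OutbreakTracker:
    """Remember when deeper analysis confirmed an infiltration, keyed by file
    fingerprint, and auto-flag the file once it keeps reappearing."""

    def __init__(self, threshold: int = 3, window_seconds: int = 600):
        self.threshold = threshold        # confirmed copies before the shortcut fires (assumed)
        self.window = window_seconds      # how long a detection counts as recent (assumed)
        self._hits = defaultdict(deque)   # fingerprint -> timestamps of recent detections

    @staticmethod
    def fingerprint(data: bytes) -> str:
        # Exact hash for the example; a production engine would use a fuzzier
        # key so that slightly varying copies of one worm still collide.
        return hashlib.sha256(data).hexdigest()

    def _recent(self, fp: str, now: float) -> deque:
        q = self._hits[fp]
        while q and now - q[0] > self.window:   # forget detections outside the window
            q.popleft()
        return q

    def scan(self, data: bytes, now: float, deep_scan):
        """Return (verdict, which layer decided). `deep_scan(bytes) -> str` is
        the expensive path and is skipped once the counter has fired."""
        recent = self._recent(self.fingerprint(data), now)
        if len(recent) >= self.threshold:
            recent.append(now)
            return "suspicious", "runtime-heuristic"
        verdict = deep_scan(data)
        if verdict == "infected":
            recent.append(now)
        return verdict, "deep-scan"


# Constructed attachments and a stand-in for emulation plus heuristics.
WORM = b"MZ\x90\x00 constructed attachment carrying WORM-BODY"
NEWSLETTER = b"Dear customer, here is this week's newsletter."


def toy_deep_scan(data: bytes) -> str:
    return "infected" if b"WORM-BODY" in data else "clean"


# Constructed mail stream: (seconds since start, attachment bytes).
SAMPLE_STREAM = [
    (0, WORM), (5, NEWSLETTER), (10, WORM), (15, WORM),
    (20, WORM), (25, WORM),
    (2000, WORM),      # after the window has passed: back to the deep scan
]


def run_mail_stream(stream, tracker=None):
    """Scan each attachment in order; returns the list of (verdict, layer)."""
    tracker = tracker or OutbreakTracker()
    return [tracker.scan(att, ts, toy_deep_scan) for ts, att in stream]


if __name__ == "__main__":
    for (ts, _), (verdict, layer) in zip(SAMPLE_STREAM, run_mail_stream(SAMPLE_STREAM)):
        print(f"t={ts:5d}s  {verdict:10s} via {layer}")
```

In the constructed stream the first three copies of the worm go through the deep scan, the fourth and fifth are cut short by the counter, and the copy arriving after the window has expired is scanned in full again. Only files that the deeper layers actually flagged feed the counter, which is why the repeated newsletter is never affected; the page's warning about workstation full-disk scans still applies, since there one infected file copied many times is a different situation from a mail flood.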
Targeted and Generic Decryptors
Both legitimate and hostile applications often have their code encrypted in some way. To get through this protective envelope, the emulator generally has to run somewhere between a thousand and several million processor instructions, and since emulating one real instruction takes roughly 100 to 1000 emulator instructions, this can be quite time-consuming when the count is large. For this reason the code emulator contains several independent plug-ins that can observe and influence the flow of emulation. Some of them are targeted decoders for specific, well-known envelopes and unpack them directly, so that the emulation stage is as short as possible. Others speed up emulation regardless of envelope type: in practice, a relatively long stretch of untrusted code is recompiled into a safely executable form and then run in a controlled environment. This lets emulation run at high speed while still retaining a very high analyzed-instruction count and strong stability.
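The following Python is an added example, written for this page and not ZAV's code, that ties together the three detection layers described above: signature-based detection, dynamic code emulation, and a targeted decryptor plug-in. Everything in it is constructed: a four-byte toy instruction set, a polymorphic sample whose static body is XOR-encrypted with a different key each time, and a signature for that body. The static scan misses the encrypted sample; the generic emulator runs the decryptor stub instruction by instruction until the body is in clear and the signature matches; the targeted plug-in recognises that particular stub and undoes it directly, with zero emulated instructions.

```python
"""Toy signature scan, dynamic code emulation and a targeted decryptor plug-in.
The 4-byte instruction set, the sample and the signature are constructed for
this example and are not ZAV's formats."""
import random

SIGNATURE = b"TOYVIRUS-STATIC-BODY"   # constructed signature of the decrypted body
LOADI, XORMEM, INC, DEC, JNZ, HALT = 0x01, 0x02, 0x03, 0x04, 0x05, 0x06
INSN = 4                              # every toy instruction is: opcode, a, b, pad
STUB_SHAPE = (LOADI, LOADI, LOADI, XORMEM, INC, DEC, JNZ, HALT)


def find_signature(data: bytes) -> bool:
    """Sample-based detection: the static body must appear verbatim."""
    return SIGNATURE in data


def build_sample(key: int, body: bytes = SIGNATURE + b"\x00" * 12) -> bytes:
    """Constructed polymorphic sample: the body XOR-encrypted with a per-sample
    key, preceded by the decryptor stub that restores it at run time."""
    assert 1 <= key <= 255 and len(body) <= 191, "toy addresses are one byte wide"
    body_off = len(STUB_SHAPE) * INSN
    stub = bytes([
        LOADI, 0, body_off, 0,     # r0 = pointer into the encrypted body
        LOADI, 1, key, 0,          # r1 = XOR key (different in every sample)
        LOADI, 2, len(body), 0,    # r2 = bytes left to decode
        XORMEM, 0, 1, 0,           # loop: mem[r0] ^= r1
        INC, 0, 0, 0,              #       r0 += 1
        DEC, 2, 0, 0,              #       r2 -= 1
        JNZ, 2, 3 * INSN, 0,       #       if r2 != 0 goto loop
        HALT, 0, 0, 0,
    ])
    return stub + bytes(b ^ key for b in body)


def emulate(image: bytes, max_steps: int = 10_000):
    """Generic path: interpret the toy ISA until HALT or the step budget runs
    out. Returns (memory after the run, instructions executed)."""
    mem, regs, pc, steps = bytearray(image), [0] * 4, 0, 0
    while steps < max_steps and pc + INSN <= len(mem):
        op, a, b, _ = mem[pc:pc + INSN]
        pc, steps = pc + INSN, steps + 1
        if op == LOADI:
            regs[a] = b
        elif op == XORMEM:
            if regs[a] < len(mem):
                mem[regs[a]] ^= regs[b]
        elif op == INC:
            regs[a] = (regs[a] + 1) & 0xFF
        elif op == DEC:
            regs[a] = (regs[a] - 1) & 0xFF
        elif op == JNZ:
            if regs[a] != 0:
                pc = b
        elif op == HALT:
            break
        else:
            break                  # unknown opcode: stop rather than guess
    return bytes(mem), steps


def targeted_xor_decryptor(image: bytes):
    """Targeted plug-in: recognise the known XOR-loop stub and undo it directly,
    with zero emulated instructions. Returns None when the stub is absent."""
    n = len(STUB_SHAPE) * INSN
    if len(image) < n:
        return None
    ins = [tuple(image[i:i + INSN]) for i in range(0, n, INSN)]
    if tuple(i[0] for i in ins) != STUB_SHAPE:
        return None
    (_, ptr, body_off, _), (_, keyr, key, _), (_, cnt, length, _) = ins[:3]
    # the loop must use the registers exactly the way the known stub does
    if ins[3][1:3] != (ptr, keyr) or ins[4][1] != ptr or ins[5][1] != cnt or ins[6][1] != cnt:
        return None
    out = bytearray(image)
    for i in range(body_off, min(body_off + length, len(out))):
        out[i] ^= key
    return bytes(out)


def scan(image: bytes, use_targeted: bool = True):
    """Layered scan: static signature, then targeted decryptor, then generic
    emulation. Returns (verdict, number of emulated instructions)."""
    if find_signature(image):
        return "signature", 0
    if use_targeted:
        decoded = targeted_xor_decryptor(image)
        if decoded is not None and find_signature(decoded):
            return "targeted-decryptor", 0
    mem, steps = emulate(image)
    return ("emulation" if find_signature(mem) else "clean"), steps


if __name__ == "__main__":
    sample = build_sample(key=random.randint(1, 255))
    print("signature on raw sample:", find_signature(sample))
    print("generic emulation:     ", scan(sample, use_targeted=False))
    print("targeted plug-in:      ", scan(sample))
```

The instruction count returned by `scan` is the point of the decryptor section: for a 32-byte body the generic path executes 132 toy instructions, each of which would cost many real ones, while the targeted path executes none. The emulator's step budget (`max_steps`) is the safety net the emulation section alludes to; a sample that never reaches HALT simply runs out of budget instead of hanging the scanner.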
Archive File Decompressors
Today many archivers, packers, installers, and software wrapping systems are in use. They join multiple files into one, reduce its size by compression, and can password-protect it as well. Any good anti-virus system must therefore support these file formats. The ZAV core has an archive unpacker built in, available on both Windows and Linux. Note that a password-protected archive cannot be inspected without its password, so a scanning policy has to decide how such files are handled.
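Unpacking archives on a mail server is where a scanner is most exposed to hostile input, so the unpacker needs limits as much as format support. The Python below is an added example written for this page (not ZAV's unpacker) that walks nested ZIP archives with three constructed limits: nesting depth, the compressed-to-uncompressed ratio read from each member's header before anything is inflated (the classic zip-bomb check), and a total inflate budget. Password-protected members are reported rather than inspected. The limits, the stand-in scanner and the test archives are all assumptions constructed here.

```python
"""Recursive archive scanning with the limits a mail gateway needs: nesting
depth, compression ratio (zip bombs) and a total inflate budget. Limits,
samples and the stand-in scanner are constructed for this example; ZIP is the
only container handled here."""
import io
import zipfile
from dataclasses import dataclass


@dataclass
class Limits:
    max_depth: int = 4                  # archive levels we descend into (assumed)
    max_ratio: float = 100.0            # uncompressed/compressed above this is treated as a bomb (assumed)
    max_total: int = 16 * 1024 * 1024   # total bytes we are willing to inflate per attachment (assumed)


def _scan_zip(data, scan_bytes, path, depth, limits, total):
    results = []
    if depth > limits.max_depth:
        return [(path, "suspicious:nesting-depth")], total
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return [(path, "error:corrupt-archive")], total
    with zf:
        for info in zf.infolist():
            member = f"{path}/{info.filename}"
            if info.is_dir():
                continue
            if info.flag_bits & 0x1:          # password-protected member: cannot be inspected
                results.append((member, "encrypted:not-scanned"))
                continue
            ratio = info.file_size / info.compress_size if info.compress_size else 0.0
            if ratio > limits.max_ratio:       # decided from the header, before inflating anything
                results.append((member, "suspicious:compression-ratio"))
                continue
            if total + info.file_size > limits.max_total:
                results.append((member, "suspicious:inflate-budget"))
                continue
            content = zf.read(info)
            total += len(content)
            if zipfile.is_zipfile(io.BytesIO(content)):
                nested, total = _scan_zip(content, scan_bytes, member, depth + 1, limits, total)
                results.extend(nested)
            else:
                results.append((member, scan_bytes(content)))
    return results, total


def scan_archive(data: bytes, scan_bytes, limits=None, name="attachment.zip"):
    """Walk `data` (a ZIP) to any depth within `limits`; returns [(member path, verdict)]."""
    results, _ = _scan_zip(data, scan_bytes, name, 1, limits or Limits(), 0)
    return results


def build_nested_zip(levels: int, payload: bytes, name: str = "payload.bin") -> bytes:
    """Constructed test input: `payload` wrapped in `levels` ZIP layers."""
    data, inner = payload, name
    for i in range(levels):
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
            zf.writestr(inner, data)
        data, inner = buf.getvalue(), f"level{i}.zip"
    return data


def toy_scan(content: bytes) -> str:
    """Stand-in for the real engine: a plain marker check on the constructed payload."""
    return "infected" if b"TOY-MARKER" in content else "clean"


if __name__ == "__main__":
    marker = b"constructed attachment with TOY-MARKER inside"
    print(scan_archive(build_nested_zip(3, marker), toy_scan))
    print(scan_archive(build_nested_zip(6, marker), toy_scan))
    print(scan_archive(build_nested_zip(1, b"\x00" * (1024 * 1024)), toy_scan))
```

The ratio check uses the sizes recorded in the central directory, which an attacker controls, so it is a cheap first filter rather than the only one; the inflate budget is what actually bounds memory if the recorded sizes lie. A member the walker refuses to open gets a verdict of its own, so that a policy can quarantine rather than silently pass it.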
No anti-virus software is complete without a well-designed update system, and ZAV's development has taken this into account. Its update mechanism was designed to meet several important conditions: security, availability, and scalability. It can give different users different priorities and download only the missing parts of the anti-virus database ("incremental updating"), which minimizes network bandwidth load and ensures that every update reaches every user.
In some cases emulation alone is not enough for a complete analysis of a suspect program, because the emulator cannot fully simulate the operating system's whole environment. This is where ZAV Sandbox comes into play. It is a newly developed server-side virtualization technology that runs code in a protected environment designed so that the virus cannot escape and cannot even tell that it is running in such an environment. All activity of a virus running this way is analyzed and recorded; after the detailed test results have been sent off, the system is reset completely (everything that was modified or infected disappears). The whole process takes place on the high-performance, secured ZAV server, so the user's data remains protected.
The virus laboratory needs sufficient feedback from its users; otherwise the detection system will not be effective and will not react in time to new threats. Zoner AntiVirus offers its users the option of automatically notifying the virus lab of any new virus and sending it to the lab over a secure channel. Samples that are already known are never sent again, so the feature causes no unnecessary network load.
Zoner AntiVirus has been tested extensively on large servers, where it processes millions of e-mails per day. This long-term testing both supplies the virus lab with a steady inflow of suspect and infected files and gives our users a correspondingly stable system.
Current Virus Activity
If you suspect that a file might be infected and want to find out what a given program does, you can send the file to us for analysis. We will evaluate the program's behavior and send you back detailed results.