Architecture and working of an Antivirus Engine
Antivirus software is an inevitable part of almost every system, whether at home, in the office or on a mobile device, because the prime concern for any device is its security. But have you ever wondered how an antivirus actually works? This resource gives a detailed discussion of antivirus architecture and of the scanning algorithms the engines follow.
Architecture of an Antivirus Engine
An antivirus engine has an interesting layered architecture: a stack of several layers, each with its own speciality and its own functionality. The first is the User Interface layer, which provides the interface through which the user drives the product. The second is the Engine Core, which ties the modules together and runs the scanning algorithm. The third layer holds the worker modules: the file system interface, the file type scanner, the memory scanner, decompression (unpacking of archives and packed executables) and the code emulator. Beneath everything sits the hardware.
Working of an Antivirus Engine
Whenever we attach an external drive to our system, the very first thing we do is protect the system: we scan the drive with whatever antivirus is installed. The points below follow what happens inside the engine during such a scan.
- To understand how an antivirus engine works it is necessary to understand its basic architecture in some detail, so that when a scan runs on the system each stage can be analysed.
- A new version of an antivirus product does not necessarily mean the engine core was written from scratch; it is often a revision of the earlier core, which keeps the engineering load down.
- The engine contains an engine core, and the next layer down is dedicated to the file system interface, the scanners and the emulator.
- The engine core holds the whole piece of software together. In other words it acts as the glue that calls the desired module when it is required.
- The basic requirement is a scan engine. Some products license a third-party scan engine, and in that case the scan engine is not considered part of the vendor's own framework.
- The most popular and well-established products, however, have their own scan engines, and the scanners used in those engines are their own implementations.
- There are generally two scanning algorithms: signature (scan-string) based and heuristic based. Scan-string technology searches the given file for a particular matching byte sequence.
- When the scanner finds a predefined string, the engine performs the configured action, for example quarantining or deleting the file.
- With heuristic scanning the engine does not look for a known string; it looks for certain instructions or command sequences in the file.
- As an example, when the code in a file is encrypted, the heuristic scanner tries to find the decryption code, that is, the instructions that unpack the real payload before it runs.
- So when we select a particular file or folder it passes through a number of steps: the file is submitted to the scan engine, it is scanned with the algorithms above, and the appropriate actions are then performed.
- Processing the file is one of the most important phases of any antivirus engine, and specific modules are designed for it.
- Random access memory is covered too: memory scanners read the memory of running processes and perform the appropriate actions on what they find there.
- The emulator works like any other emulator: it creates its own virtual environment and executes the suspect code inside it. Having an emulator attached to the engine has several benefits.
- The emulator can determine which actions the code would perform and what effect they would have on the whole system if the malware were allowed to run, without running it on the real machine.
- Another important module, which runs at a regular interval, is the update module. New definitions are created every day and they have to be added to the local database as well.
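The scanning pipeline described above (a signature pass, a heuristic pass that looks for decryption code, emulation of that code, and an engine core that glues the modules together and chooses an action) as a small worked example. This is an added illustration written for this page, not the code of any real antivirus product: the signature name, the heuristic patterns and their weights, the thresholds, the sample file contents and the assumption that a scanned buffer is a raw 32-bit x86 code blob with its entry point at offset 0 are all constructed for the example.

```python
"""Toy antivirus engine core: signature scan, heuristic scan, tiny emulator.
Added illustration, not any real product's code; all samples are constructed."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# --- Definitions database (the part the update module would refresh) ---------
# Signatures are hex byte patterns in which "??" is a one-byte wildcard (the
# convention ClamAV hex signatures use).  Name and payload are made up here.
PAYLOAD = b"CONSTRUCTED-BAD-PAYLOAD"
SIGNATURES = {
    "Test.Constructed-Payload": b"CONSTRUCTED-".hex() + "??" * 3 + b"-PAYLOAD".hex(),
}

def compile_signature(hexpat: str) -> "re.Pattern":
    """Turn '4D5A??00' into a bytes regex with one '.' per wildcard byte."""
    chunks = [hexpat[i:i + 2] for i in range(0, len(hexpat), 2)]
    rx = b"".join(b"." if c == "??" else re.escape(bytes.fromhex(c)) for c in chunks)
    return re.compile(rx, re.DOTALL)

COMPILED = {name: compile_signature(p) for name, p in SIGNATURES.items()}

def signature_scan(data: bytes) -> Optional[str]:
    """Scan-string engine: report the first signature whose pattern appears."""
    for name, rx in COMPILED.items():
        if rx.search(data):
            return name
    return None

# --- Heuristic scanner: instruction patterns rather than known strings -------
# 32-bit x86 encodings: 80 36 ib = xor byte [esi], imm8 ; 46 = inc esi ;
# E2 rel8 = loop ; E8 00000000 = call to the next instruction (get-EIP trick).
HEURISTICS: List[Tuple[str, "re.Pattern", int]] = [
    ("xor-decrypt-loop", re.compile(rb"\x80\x36.\x46\xe2.", re.DOTALL), 40),
    ("call-next-instruction", re.compile(rb"\xe8\x00\x00\x00\x00"), 30),
]
DETECT_THRESHOLD = 60  # assumed: combined weight at which heuristics alone convict

def heuristic_scan(data: bytes) -> List[Tuple[str, int, int]]:
    """Return (pattern name, offset, weight) for every heuristic that fires."""
    hits = []
    for name, rx, weight in HEURISTICS:
        m = rx.search(data)
        if m:
            hits.append((name, m.start(), weight))
    return hits

class MiniEmulator:
    """Interprets only the few instructions a simple XOR decryptor uses
    (mov ecx/esi imm32, xor byte [esi] imm8, inc esi, loop).  The buffer is
    mapped at address 0; execution stops at any other opcode, when eip or a
    memory access leaves the buffer, or when the step budget is spent."""
    def __init__(self, data: bytes, max_steps: int = 100_000):
        self.mem = bytearray(data)
        self.ecx = self.esi = self.eip = 0
        self.max_steps = max_steps

    def run(self, entry: int = 0) -> str:
        self.eip = entry
        try:
            for _ in range(self.max_steps):
                if not 0 <= self.eip < len(self.mem):
                    return "stopped: eip left the buffer"
                op = self.mem[self.eip]
                if op == 0xB9:                                   # mov ecx, imm32
                    self.ecx = int.from_bytes(self.mem[self.eip + 1:self.eip + 5], "little")
                    self.eip += 5
                elif op == 0xBE:                                 # mov esi, imm32
                    self.esi = int.from_bytes(self.mem[self.eip + 1:self.eip + 5], "little")
                    self.eip += 5
                elif op == 0x80 and self.mem[self.eip + 1] == 0x36:  # xor byte [esi], imm8
                    self.mem[self.esi] ^= self.mem[self.eip + 2]
                    self.eip += 3
                elif op == 0x46:                                 # inc esi
                    self.esi = (self.esi + 1) & 0xFFFFFFFF
                    self.eip += 1
                elif op == 0xE2:                                 # loop rel8
                    rel = self.mem[self.eip + 1]
                    rel = rel - 256 if rel > 127 else rel
                    self.ecx = (self.ecx - 1) & 0xFFFFFFFF
                    self.eip += 2
                    if self.ecx:
                        self.eip += rel
                else:
                    return f"stopped at unsupported opcode 0x{op:02X} (eip={self.eip})"
            return "step budget exhausted"
        except IndexError:
            return "stopped on out-of-range memory access"

@dataclass
class Verdict:
    name: Optional[str]   # detection name, None when clean
    method: str           # which module decided
    action: str           # what the engine does with the file

def scan_buffer(data: bytes) -> Verdict:
    """Engine core: hand the buffer to each module in turn and act on the result."""
    hit = signature_scan(data)
    if hit:
        return Verdict(hit, "signature", "quarantine")
    hits = heuristic_scan(data)
    if any(name == "xor-decrypt-loop" for name, _, _ in hits):
        # A decryptor is present: run it in the emulator, then rescan the
        # memory image so the signature engine sees the decrypted bytes.
        emu = MiniEmulator(data)
        emu.run(entry=0)  # assumption: raw code blob whose entry point is offset 0
        hit = signature_scan(bytes(emu.mem))
        if hit:
            return Verdict(hit, "signature-after-emulation", "quarantine")
    if sum(w for _, _, w in hits) >= DETECT_THRESHOLD:
        return Verdict("Heur.Suspicious", "heuristic", "flag for analysis")
    return Verdict(None, "none", "allow")

def build_self_decrypting_sample(key: int = 0x5A, payload: bytes = PAYLOAD) -> bytes:
    """Constructed sample: a 16-byte XOR decryptor followed by the XORed payload."""
    decryptor = (b"\xB9" + len(payload).to_bytes(4, "little")  # mov ecx, len(payload)
                 + b"\xBE" + (16).to_bytes(4, "little")         # mov esi, 16 (payload offset)
                 + b"\x80\x36" + bytes([key])                   # xor byte [esi], key
                 + b"\x46"                                      # inc esi
                 + b"\xE2\xFA")                                 # loop -6: back to the xor
    return decryptor + bytes(b ^ key for b in payload)

if __name__ == "__main__":
    for label, blob in [("clean text", b"hello, harmless file\n"),
                        ("plain payload", PAYLOAD),
                        ("self-decrypting", build_self_decrypting_sample())]:
        print(f"{label:16s} -> {scan_buffer(blob)}")
```

On the self-decrypting sample the signature pass finds nothing, because the marker string only exists XORed; the heuristic pass recognises the `xor byte [esi], imm8 / inc esi / loop` sequence as a decryption loop, the emulator runs it against a private copy of the buffer, and the signature then matches the decrypted bytes, which is exactly the layering the article describes. A real engine parses the file format to locate the entry point, emulates far more of the instruction set, and bounds emulation by time and memory as well as by instruction count.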