A brief description of how antivirus software works

From the CISSP OSG (Official Study Guide)

Antimalware Software

The vast majority of these packages use a method known as signature-based detection to identify potential virus infections on a system. Essentially, an antivirus package maintains an extremely large database that contains the telltale characteristics of all known viruses. Depending on the antivirus package and configuration settings, it scans storage media periodically, checking for any files that contain data matching those criteria. 
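As an added illustration of the signature-based scan described above (example code written for this post, not taken from the study guide or from any antivirus product), the following scanner keeps a small in-memory "signature database" of two kinds of entries, exact SHA-256 file hashes and byte patterns that must appear somewhere in the file, walks a directory tree and reports every file that matches. The signature names, the byte pattern and the sample files are all constructed for the demo.

```python
import hashlib
import os
import tempfile
from dataclasses import dataclass


@dataclass(frozen=True)
class Signature:
    name: str    # detection name reported to the operator
    kind: str    # "sha256" (whole-file hash) or "pattern" (byte substring)
    value: bytes


# Constructed signature database; a real product ships millions of entries.
MARKER = b"CONSTRUCTED-MALWARE-MARKER-7f3a"           # constructed byte pattern
KNOWN_BAD = b"constructed malicious payload 0001"      # constructed file body

SIGNATURES = [
    Signature("Constructed.Marker.A", "pattern", MARKER),
    Signature("Constructed.Dropper.B", "sha256",
              hashlib.sha256(KNOWN_BAD).hexdigest().encode()),
]


def sha256_file(path, chunk=1 << 16):
    """Stream a file through SHA-256 so large media do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def match_file(path):
    """Return the names of all signatures matching one file (empty list = clean)."""
    hits = []
    digest = sha256_file(path).encode()
    with open(path, "rb") as f:
        data = f.read()  # acceptable for a demo; real engines bound memory use
    for sig in SIGNATURES:
        if sig.kind == "sha256" and sig.value == digest:
            hits.append(sig.name)
        elif sig.kind == "pattern" and sig.value in data:
            hits.append(sig.name)
    return hits


def scan_tree(root):
    """Walk the storage under root; map POSIX-style relative path -> detections."""
    findings = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            hits = match_file(path)
            if hits:
                rel = os.path.relpath(path, root).replace(os.sep, "/")
                findings[rel] = hits
    return findings


def demo():
    """Build a constructed sample tree (one clean file, two detections) and scan it."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "downloads"))
        with open(os.path.join(root, "readme.txt"), "wb") as f:
            f.write(b"nothing to see here\n")
        with open(os.path.join(root, "downloads", "tool.bin"), "wb") as f:
            f.write(b"header " + MARKER + b" trailer")
        with open(os.path.join(root, "downloads", "update.bin"), "wb") as f:
            f.write(KNOWN_BAD)
        return scan_tree(root)


if __name__ == "__main__":
    for path, names in demo().items():
        print(f"{path}: {', '.join(names)}")
```

When checking a real product rather than this toy, use the EICAR test file, the industry-standard harmless sample that every antivirus engine is expected to flag, instead of a constructed marker. Note what the hash signature cannot do: changing a single byte of the payload changes its SHA-256, which is why signature databases are large and why the heuristic methods described next are needed.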

Many antivirus packages also use heuristic mechanisms to detect potential malware infections. These methods analyze the behavior of software, looking for the telltale signs of virus activity, such as attempts to elevate privilege level, cover their electronic tracks, and alter unrelated or operating system files. This approach was not widely used in the past but has now become the mainstay of the advanced endpoint protection solutions used by many organizations. A common strategy is for systems to quarantine suspicious files and send them to a malware analysis tool, where they are executed in an isolated but monitored environment.
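The heuristic approach can be shown as a weighted scoring of observed behaviour. The following is an added example for this post (not the study guide's or any vendor's code): it takes a constructed trace of sensor events for two processes, applies one rule for each of the three behaviours the text names (privilege elevation, covering tracks, modifying system files), and produces a quarantine-or-allow verdict from the accumulated score. Event names, field names, weights and the threshold are all assumptions made for the demo.

```python
# Constructed event trace, in the shape an endpoint sensor or sandbox might emit.
# Process 4120 shows all three suspicious behaviours; 7001 only edits a user file.
SAMPLE_TRACE = [
    {"pid": 4120, "event": "file_write", "path": "C:\\Users\\alice\\report.docx"},
    {"pid": 4120, "event": "token_adjust", "privilege": "SeDebugPrivilege"},
    {"pid": 4120, "event": "file_write",
     "path": "C:\\Windows\\System32\\drivers\\etc\\hosts"},
    {"pid": 4120, "event": "log_clear", "log": "Security"},
    {"pid": 4120, "event": "file_delete",
     "path": "C:\\Users\\alice\\AppData\\Local\\Temp\\stage1.tmp"},
    {"pid": 7001, "event": "file_write", "path": "C:\\Users\\alice\\notes.txt"},
]

# Locations treated as operating-system files (assumed list for the demo).
SYSTEM_PREFIXES = ("c:\\windows\\", "/usr/bin/", "/etc/", "/boot/")


def is_system_write(ev):
    return (ev["event"] == "file_write"
            and ev.get("path", "").lower().startswith(SYSTEM_PREFIXES))


def is_track_covering(ev):
    return (ev["event"] == "log_clear"
            or (ev["event"] == "file_delete"
                and "\\temp\\" in ev.get("path", "").lower()))


# (rule name, weight, predicate). Weights are arbitrary demo values.
RULES = [
    ("privilege-elevation", 40, lambda ev: ev["event"] == "token_adjust"),
    ("track-covering", 30, is_track_covering),
    ("system-file-modification", 35, is_system_write),
]
QUARANTINE_THRESHOLD = 60


def score_trace(trace):
    """Return {pid: {"score": int, "triggered": [rule names in order seen]}}.

    Each heuristic counts once per process so that many repetitions of one
    benign-looking action cannot inflate the score by themselves."""
    results = {}
    for ev in trace:
        entry = results.setdefault(ev["pid"], {"score": 0, "triggered": []})
        for name, weight, predicate in RULES:
            if name not in entry["triggered"] and predicate(ev):
                entry["score"] += weight
                entry["triggered"].append(name)
    return results


def verdicts(trace, threshold=QUARANTINE_THRESHOLD):
    """Map pid -> "quarantine" or "allow" from the heuristic score."""
    return {pid: ("quarantine" if r["score"] >= threshold else "allow")
            for pid, r in score_trace(trace).items()}


if __name__ == "__main__":
    for pid, r in score_trace(SAMPLE_TRACE).items():
        print(pid, r["score"], r["triggered"], verdicts(SAMPLE_TRACE)[pid])
```

A single rule firing (process 7001 writes nothing outside the user's profile, so it scores 0; a legitimate installer writing to a system directory would score 35) stays below the threshold; it is the combination of behaviours that pushes process 4120 to 105 and into quarantine. That combination is what the "isolated but monitored environment" of a sandbox exists to observe, since many of these actions only happen when the sample is actually run.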

Antimalware software also includes centralized monitoring and control capabilities that allow administrators to enforce configuration settings and monitor alerts from a centralized console.

Note: First, there must be a signature for each virus file; at scan time the signature is computed and compared. I think the virus database should also contain characteristic values, which are used to decide directly whether a piece of software is a virus. Heuristic detection analyzes the software's behavior to see whether it tries to elevate privileges, cover its access traces, change system files, and so on.

Integrity Monitoring

Other security packages, such as file integrity monitoring tools, also provide a secondary antivirus functionality. These tools are designed to alert administrators to unauthorized file modifications. They are often used to detect web server defacements and similar attacks, but they may also provide some warning of virus infections if critical system executable files, such as command.com, are modified unexpectedly. These systems work by maintaining a database of hash values for all files stored on the system.
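An added example of the hash-database approach just described (written for this post; not the code of any integrity-monitoring product): a baseline snapshot records the SHA-256 of every file under a root, a later snapshot is diffed against it, and modified, added and removed paths are reported, with a separate "critical" list for paths the administrator has designated (here `bin/command.com`, following the text's example). The directory layout and file contents are constructed for the demo.

```python
import hashlib
import os
import tempfile


def hash_file(path, chunk=1 << 16):
    """SHA-256 of a file, streamed in chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_snapshot(root):
    """Hash every file under root; keys are POSIX-style paths relative to root."""
    snapshot = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            snapshot[rel] = hash_file(full)
    return snapshot


def compare(baseline, current, critical=frozenset()):
    """Diff two snapshots.

    Returns sorted lists of modified, added and removed paths, plus
    'critical': those modified or removed paths that are in the critical set,
    which is what should page an administrator rather than just be logged."""
    modified = sorted(p for p in baseline if p in current and baseline[p] != current[p])
    added = sorted(p for p in current if p not in baseline)
    removed = sorted(p for p in baseline if p not in current)
    crit = sorted(p for p in modified + removed if p in critical)
    return {"modified": modified, "added": added, "removed": removed, "critical": crit}


def _write(root, rel, data):
    path = os.path.join(root, *rel.split("/"))
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as f:
        f.write(data)


def demo():
    """Constructed scenario: take a baseline, then simulate a defacement,
    a replaced system executable, a dropped file and a deleted page."""
    with tempfile.TemporaryDirectory() as root:
        _write(root, "bin/command.com", b"original system executable")
        _write(root, "www/index.html", b"<h1>Welcome</h1>")
        _write(root, "www/about.html", b"<p>About us</p>")
        baseline = build_snapshot(root)

        _write(root, "www/index.html", b"<h1>Defaced</h1>")        # defacement
        _write(root, "bin/command.com", b"replaced executable")    # unexpected change
        _write(root, "www/new.html", b"<p>unexpected new file</p>")
        os.remove(os.path.join(root, "www", "about.html"))
        return compare(baseline, build_snapshot(root), critical={"bin/command.com"})


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

Two operational caveats follow directly from the design. The hash database is only as trustworthy as its storage: if an intruder can rewrite the baseline after modifying files, the monitor reports nothing, so the baseline should live on read-only or remote media. And legitimate patching changes critical hashes too, so the baseline must be re-taken as part of the change process, which is why these tools give a warning of infection rather than a verdict.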

Advanced Threat Protection

Endpoint detection and response (EDR) packages go beyond traditional antimalware protection and add the following checks:

a) Analyzing endpoint memory, filesystem, and network activity for signs of malicious activity.

b) Automatically isolating possible malicious activity to contain the potential damage.

c) Integration with threat intelligence sources to obtain real-time insight into malicious behavior elsewhere on the internet.

d) Integration with other incident response mechanisms to automate response efforts.

User and entity behavior analytics (UEBA) packages pay particular attention to user-based activity on endpoints and other devices, building a profile of each individual’s normal activity and then highlighting deviations from that profile that may indicate a potential compromise.
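The UEBA idea, a per-individual profile of normal activity and flagging of deviations from it, as an added example for this post (not the code of any UEBA product). From constructed historical records of the form (user, hour of day, host, megabytes sent) it builds, for each user, the set of hosts used, the range of working hours and the mean and standard deviation of transfer volume, then scores new events against that user's own profile rather than a global rule. The users, hosts, the three-sigma volume threshold and the records themselves are assumptions made for the demo.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed history: alice works 08:00-16:00 from two hosts and sends
# 100-140 MB per session; bob works a night shift, 20:00-23:00, from one host.
HISTORY = (
    [("alice", 8 + (i % 9), "ws-alice" if i % 3 else "fileserver", 100 + 10 * (i % 5))
     for i in range(30)]
    + [("bob", 20 + (i % 4), "ws-bob", 50 + 5 * (i % 3)) for i in range(30)]
)


def build_profiles(history):
    """Return {user: profile} where each profile captures that user's own normal."""
    raw = defaultdict(lambda: {"hosts": set(), "hours": [], "mb": []})
    for user, hour, host, mb in history:
        raw[user]["hosts"].add(host)
        raw[user]["hours"].append(hour)
        raw[user]["mb"].append(mb)
    profiles = {}
    for user, r in raw.items():
        profiles[user] = {
            "hosts": frozenset(r["hosts"]),
            "hour_min": min(r["hours"]),
            "hour_max": max(r["hours"]),
            "mb_mean": mean(r["mb"]),
            # floor at 1.0 so a perfectly regular history still yields a finite z-score
            "mb_std": max(pstdev(r["mb"]), 1.0),
        }
    return profiles


def analyze(event, profiles, z_threshold=3.0):
    """List the ways one event deviates from its user's profile (empty = normal)."""
    user, hour, host, mb = event
    prof = profiles.get(user)
    if prof is None:
        return ["unknown-user"]
    reasons = []
    if host not in prof["hosts"]:
        reasons.append("new-host")
    if not prof["hour_min"] <= hour <= prof["hour_max"]:
        reasons.append("off-hours")
    if (mb - prof["mb_mean"]) / prof["mb_std"] > z_threshold:
        reasons.append("volume-anomaly")
    return reasons


def flag_events(events, profiles):
    """Return [(event, reasons)] for events that deviate from their user's profile."""
    flagged = []
    for ev in events:
        reasons = analyze(ev, profiles)
        if reasons:
            flagged.append((ev, reasons))
    return flagged


# Constructed new events to evaluate against the profiles.
NEW_EVENTS = [
    ("alice", 10, "ws-alice", 130),    # ordinary session
    ("alice", 22, "ws-alice", 120),    # unusual hour for alice, normal for bob
    ("bob", 22, "ws-bob", 55),         # ordinary for bob
    ("alice", 3, "db-prod", 5000),     # new host, off-hours, huge transfer
    ("carol", 9, "ws-carol", 10),      # no profile at all
]

if __name__ == "__main__":
    profiles = build_profiles(HISTORY)
    for ev, reasons in flag_events(NEW_EVENTS, profiles):
        print(ev, "->", ", ".join(reasons))
```

The second and third events show why the profile is per individual: 22:00 is flagged for alice and accepted for bob, which a single organization-wide "business hours" rule could not express. The fourth event accumulates three independent deviations at once; in practice that is the kind of convergence that should raise an alert, while any one reason alone (a new laptop, a late evening) is usually worth no more than a low-priority log entry.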

Note: EDR analyzes memory, filesystem and network activity and isolates suspicious files; UEBA behavior analysis is used to judge whether software may be a virus.

posted @ 2023-03-20 21:17 saaspeter