What kind of system is T21?
T21 is file-based scanning software that uses two scanning methods:
1. The traditional "static signature" scan mode
2. A self-developed detection strategy based on "behavior"
It mainly targets new unknown viruses, variants of known viruses, and dangerous files that exhibit malicious behavior.
What is a static signature?
A static signature is created by taking a known virus file, extracting some unique code fragments tied to its malicious behavior, and combining those fragments into a signature. Any file containing this signature code is considered harmful.
Disadvantage of static signatures: they have difficulty detecting variants of viruses or the latest unknown viruses.
Static signatures also have an advantage: fast detection speed with a low false positive rate.
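The following is an added example (not T21's code) that shows static signature matching over constructed samples: a byte window cut from a known sample is the signature, an exact copy is caught and benign text is not, but a variant with a single changed byte inside the window slips through, which is the weakness described above. The sample bytes and signature are made up here.

```python
# Added example, not part of T21: static signature extraction and matching.
# KNOWN_VIRUS is a constructed stand-in for a known malicious file.
KNOWN_VIRUS = b"\x90\x90MALICIOUS-LOADER\x00dl(http://example.invalid/p)"


def extract_signature(sample: bytes, start: int, length: int) -> bytes:
    """Cut a fixed byte window out of a known sample to use as its signature."""
    return sample[start:start + length]


def scan(data: bytes, signatures: list[bytes]) -> str:
    """Return 'harmful' if any signature occurs in the file contents, else 'clean'."""
    return "harmful" if any(sig in data for sig in signatures) else "clean"


SIGNATURES = [extract_signature(KNOWN_VIRUS, 2, 16)]  # b"MALICIOUS-LOADER"

# Exact copy of the known sample: detected. Benign content: no false positive.
ORIGINAL = KNOWN_VIRUS
BENIGN = b"MZ\x90\x00 hello world program"
# A variant that changes one byte inside the signature window evades the scan.
VARIANT = KNOWN_VIRUS.replace(b"LOADER", b"L0ADER")
```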
What is the "behavior-based" detection strategy?
The "behavior-based" detection method is completely different from the traditional static signature method; it is a new detection strategy.
A computer exhibits many behaviors that are not friendly. For example:
1. Intercept network data in the background of the operating system
2. Transfer the local data to a machine on the network without the user's consent or without the user's knowledge
3. Modify data of some normal software without permission
4. Collect the browser's personal privacy data
5. Pop up ads forcibly without the user's consent
6. Call executable files that have already been identified as viruses
7. Communicate frequently with websites that have been proven to host fraud or malicious content
8. Install drivers in the system to monitor various kinds of data
... and various other unfriendly behaviors
By analyzing the code of an executable file and running it in a virtual environment that simulates its execution, each bad behavior observed during execution adds to an accumulated score. According to the final score, a file is classified as one of the following types:
1. Normal file
2. File with suspicious behavior
3. Dangerous file with obvious malicious behavior
The various actions of the executable file
How does the server work?
The server compares the file signatures (hash values) uploaded by the client against a large database to determine whether a file is potentially dangerous.
If the file is not recorded in the database, it is listed as an unknown file, which is then run in a virtual environment; the "behavior-based" detection strategy is started to determine whether the file exhibits a lot of malicious behavior.
Client and server workflow:
Step 1: The client scans all executable files, computes a hash value of each file's content, and uploads the hash to the server. (At this point only the hash value of the file content, not the file content itself, is uploaded to the server.)
Step 2: Based on this hash value, the server searches its large database to determine whether the file is normal, malicious, or dangerous.
In this step, if the database contains a matching hash value, the server returns the result to the client and the process for that file ends without the following steps; if there is no matching hash value, the server tells the client that it is an unknown file which needs to be uploaded for further, more complex analysis.
Step 3: The client uploads the unknown file to the server.
Step 4: The server compares the file against the "static signatures"; if no signature matches, the file is executed in a virtual environment with the "behavior-based" detection strategy enabled to monitor its behavior. Finally, the server assesses the risk factor according to the file's various actions and returns the result to the client.
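The four steps above, together with the three-way scoring classification (normal, suspicious, dangerous) from the behavior section, as an added simulation that is not T21's own code. The hash database, the single static signature, the per-behavior point values and the thresholds are all assumptions; the sandbox is replaced by a constructed list of observed actions passed into the server side.

```python
# Added example, not part of T21: hash lookup first, static signature second,
# behaviour scoring last. All data values below are constructed for illustration.
import hashlib

HASH_DB: dict[str, str] = {}   # sha256 hex -> verdict; filled by analysis results
SIGNATURES = [b"MALICIOUS-LOADER"]  # constructed static signature
BEHAVIOUR_SCORES = {   # points per unfriendly action seen in the sandbox (assumed values)
    "intercept_network": 30, "exfiltrate_data": 40, "modify_other_software": 30,
    "collect_browser_data": 30, "popup_ads": 10, "call_known_virus": 50, "install_driver": 20,
}


def client_hash(content: bytes) -> str:
    """Step 1: the client sends only the hash of the file content, not the file."""
    return hashlib.sha256(content).hexdigest()


def server_lookup(file_hash: str) -> str:
    """Step 2: a known hash yields a verdict; otherwise the client must upload the file."""
    return HASH_DB.get(file_hash, "unknown")


def behaviour_verdict(trace: list[str]) -> str:
    """Behaviour strategy: accumulate scores for observed actions, then classify."""
    score = sum(BEHAVIOUR_SCORES.get(action, 0) for action in trace)
    if score >= 60:
        return "dangerous"   # obvious malicious behaviour
    if score >= 20:
        return "suspicious"
    return "normal"


def server_analyse(content: bytes, sandbox_trace: list[str]) -> str:
    """Step 4: static signatures first; only on a miss run the behaviour strategy."""
    if any(sig in content for sig in SIGNATURES):
        verdict = "malicious"
    else:
        verdict = behaviour_verdict(sandbox_trace)   # sandbox_trace stands in for the VM
    HASH_DB[client_hash(content)] = verdict   # later lookups of this file end at step 2
    return verdict


def scan_file(content: bytes, sandbox_trace: list[str]) -> tuple[str, bool]:
    """Whole workflow; returns (verdict, whether the file itself had to be uploaded)."""
    verdict = server_lookup(client_hash(content))
    if verdict != "unknown":
        return verdict, False
    return server_analyse(content, sandbox_trace), True   # step 3 upload, then step 4
```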
Workflow chart:
On the issue of false positives
False positives can occur with any antivirus software, and this system (T21) also has a certain false positive rate. Therefore, if you have any doubts about T21's detection results, you can check with other antivirus software. This software is compatible with any other antivirus software.
Will my personal privacy on my computer be compromised?
No.
1. The communication between each client and the server is independent; clients' data are never exchanged with each other.
2. T21 only scans executable files on the computer (e.g., EXE and DLL files). Other types of files are not processed by the system.
3. Unknown files uploaded to the server are used only for analysis and, if the file is a virus, to extract the virus code as a signature. The file is destroyed afterwards. It will not be made public, nor provided to anyone or any organization.
Why should I tell you the working principle of the system (T21)?
I hate computer viruses very much, so I would like to share my good idea, in the hope that computer security technical staff may read it and think in this direction. I wish to contribute to the cause of computer security so that everyone can stay away from computer viruses and no longer suffer all kinds of losses. This is my purpose in creating this blog.