     March 22, 2017
    What kind of system is T21?

    T21 is file-based scanning software that uses two scanning methods:

    1. The traditional "static signature" scan mode
    2. A self-developed detection strategy based on "behavior"

    It is mainly used to scan for unknown new viruses, variants of known viruses, and dangerous files with malicious behaviors.


    What is a static signature?

    A static signature is built from a known virus file: pieces of code that are unique to the file and carry out malicious behavior are extracted and then combined to form a signature. Any file containing this signature code is considered a harmful file.

    The disadvantage of static signatures: it is difficult to detect variants of viruses or the latest unknown viruses.

    Static signatures also have advantages: fast detection speed and a low false detection rate.


    What is the "behavior-based" detection strategy?

    The "behavior-based" detection method is completely different from the traditional static signature method; it is a new detection strategy.

    On a computer, there are many behaviors that are not friendly. For example:

    1. Intercepting network data in the background of the operating system
    2. Transferring local data to a machine on the network without the user's consent or knowledge
    3. Modifying the data of normal software without permission
    4. Collecting personal privacy data from the browser
    5. Forcibly popping up ads without the user's consent
    6. Calling executable files that have been identified as viruses
    7. Communicating frequently with websites that have been proven to involve fraud or malicious behavior
    8. Installing a driver in the system to monitor a variety of data
    ... and various other unfriendly behaviors

    The system analyzes the code of an executable file and sets up a virtual environment to simulate running it. During the run, each bad behavior adds to an accumulated score. According to the final score, a file is classified as one of the following types:

    1. Normal file
    2. File with suspicious behavior
    3. Dangerous file with obvious malicious behavior

    The various actions of the executable file



    How does the server work?

    The server compares the file signatures uploaded by the client against a large database to determine whether a file is potentially dangerous.

    If the file is not recorded in the database, it is listed as an unknown file and is then run in a virtual environment; the "behavior-based" detection strategy is started to determine whether the file contains a lot of malicious behaviors.


    Client and server workflow:

    Step 1: The client scans all executable files, calculates a hash value of each file's content, and uploads it to the server. (At this point, only the hash value of the file content is uploaded to the server, not the file content itself.)

    Step 2: The server looks up this hash value in a large database to determine whether the file is a normal, malicious or dangerous file.

    In this step, if the database has a corresponding hash value, the server returns the result to the client and the process of judging the file ends without the following steps. If there is no corresponding hash value in the database, the server tells the client that this is an unknown file which needs to be uploaded to the server for further, more complex analysis.

    Step 3: The client uploads the unknown file to the server.

    Step 4: The server compares the "static signatures" with the file. If the comparison finds no match, the file is executed in a virtual environment and the "behavior-based" detection strategy is enabled to monitor the file's behaviors. Finally, the server assesses the risk factor according to the file's various actions and returns the result to the client.
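
The four steps above, together with the score-based classification described earlier, as an added example (not T21's own code). The hash algorithm, behavior weights, thresholds, signature fragments, result storage and the sandbox stand-in are all assumptions made for illustration.

```python
import hashlib

# Constructed sample data. Weights, thresholds, fragments and SHA-256 are assumptions.
WEIGHTS = {"intercept_network": 40, "exfiltrate_data": 50, "forced_ads": 20,
           "collect_browser_data": 30, "install_driver": 30}
SUSPICIOUS_AT, DANGEROUS_AT = 30, 70
# A static signature is a combination of code fragments; all must be present.
SIGNATURES = [(b"DECRYPT_LOOP", b"C2_BEACON")]
# Stand-in for the virtual environment: behaviors "observed" per sample file.
CONSTRUCTED_RUNS = {b"adware-sample": ["forced_ads", "collect_browser_data"],
                    b"spy-sample": ["intercept_network", "exfiltrate_data"]}

def constructed_sandbox(content):
    return CONSTRUCTED_RUNS.get(content, [])

def classify_behaviors(observed):
    """Accumulate a score over observed behaviors and map it to one of three types."""
    score = sum(WEIGHTS.get(b, 0) for b in observed)
    if score >= DANGEROUS_AT:
        return "dangerous"
    return "suspicious" if score >= SUSPICIOUS_AT else "normal"

class Server:
    def __init__(self, sandbox):
        self.verdicts = {}      # hash -> verdict, the server-side database
        self.sandbox = sandbox  # callable: file bytes -> list of behavior names

    def lookup(self, digest):   # Step 2: answer from the database if possible
        return self.verdicts.get(digest, "unknown")

    def analyze(self, content):  # Step 4: static signatures first, then behavior
        # Hash the uploaded bytes server-side instead of trusting a client-sent
        # digest, so a client cannot bind a clean verdict to another file's hash.
        digest = hashlib.sha256(content).hexdigest()
        if any(all(frag in content for frag in sig) for sig in SIGNATURES):
            verdict = "dangerous"
        else:
            verdict = classify_behaviors(self.sandbox(content))
        self.verdicts[digest] = verdict  # assumption: results are stored for reuse
        return verdict

def client_scan(server, content):
    """Return (verdict, uploaded); uploaded is True only if file bytes left the client."""
    digest = hashlib.sha256(content).hexdigest()  # Step 1: only the hash is sent
    verdict = server.lookup(digest)
    if verdict != "unknown":
        return verdict, False
    return server.analyze(content), True          # Step 3: upload the unknown file
```

The second element of the returned tuple makes the privacy property of Steps 1 and 2 checkable: a file whose hash is already known never leaves the client.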

    Workflow chart:




    On the issue of false positives

    False positives can occur with any antivirus software, and this system (T21) also has a certain false positive rate. Therefore, if you have any questions about T21's detection results, you can use other antivirus software to check. This software is compatible with any other antivirus software.


    Will my personal privacy in my computer be compromised?

    No.

    1. The communication between each client and the server is independent, and clients' data is not exchanged between them.

    2. T21 scans only executable files on the computer, such as EXE and DLL files. The system does not process other types of files.

    3. The unknown files uploaded to the server are used only for analysis and, if the file is a virus, to extract the virus code as a signature. The file is destroyed afterwards. The file will not be made public, nor will it be provided to any person or organization.


    Why should I tell you the working principle of the system (T21)?

    I hate computer viruses very much, so I would like to share my good idea, in the hope that computer security technical staff may read it and think in this direction. I wish to contribute to the cause of computer security, so that everyone can be free from computer viruses and no longer suffer all kinds of losses. This is my purpose in creating this blog.

    Copyright: This article can be reproduced only in whole with source indicated.