NoVirus AntiVirus

[WolfWorld]

You want to know how to speed up?

1. Store all string in non-encrypted form

2. USE StringRegExp !!! then after it detected use the number of match to check!

[Influx]

Thanks for telling me that, however, the encryption itself has a 10 millisecond difference.

secondly I do not know who to use string regular expression or and string expressions or formatting.

Also this would still be extremely slow compared to a C++ DLL.

[WolfWorld]

Also this would still be extremely slow compared to a C++ DLL.

The answer is no It will be as fast as c++.

Don't forget. StringRegExp is calling into the c++ it self(Autoit), it self is not a script.

So the speed will be fast as c++(the same)

Use this like stringinstr('teststring123456','notinstring')

stringinstr('teststring12345','ing12345')

and so on

Instead use

$array = StringRegExp('teststring123456', 'notinstring|ing12345|test', 3)
    for $i = 0 to UBound($array) - 1
        msgbox(0, "Virus signature", $array[$i])
    Next

If a virus is found it will return the binary string of the virus now you can search for that string.

Just run it and you will understand.

Am sure that this will make it as fast as a normal anti virus ^ ^.

Autoit is not my main language/script I use Delphi with c++ DLL. I think this combination is the best.

But Autoit even its hell slow but the function is all there, there is no need to recompile or do anything complicated

Edited January 16, 2009 by athiwatc

[neology]

use sqlite is better i guest..

[WolfWorld]

use sqlite is better i guest..

What?

SQL will only slow it down.

SQL is very good for searching but there is no function for a search like this, It need to be opposite this. Like having Virus in the databases and call search function on each of the virus signature. This will make it slower.

Loading the signature in to the memory will help and use the function I posted will work just fine

You know why? Cause thats how KENDOS Is build the only thing KENDOS lack is signature so i banned it. lol

Edited January 16, 2009 by athiwatc

[neology]

yes, of course..loading the signature to the memory might be faster..how about thousands signatures to be loaded?the starting of the program might slow..

sqlite can be use to find the signature..

$sql_query = "SELECT * FROM Database WHERE Signature='<file signature here>'

firstly, may i know what the 'signature' you use to compare the file with database?

file's MD5?strings?

[WolfWorld]

yes, of course..loading the signature to the memory might be faster..how about thousands signatures to be loaded?the starting of the program might slow..

sqlite can be use to find the signature..

$sql_query = "SELECT * FROM Database WHERE Signature='<file signature here>'

firstly, may i know what the 'signature' you use to compare the file with database?

file's MD5?strings?

We use what's call a binary code which is a computer language(OS reading it).

Like call function will have it's own code and jump will also

jump 05E87F is not the same as jump 05E880

This is call a signature, when these command is in a line like

call XXX

JUMP XXX

RET XXX

Yes In Autoit the variable that handle that will change to string.

If these is the virus signature this mean this line belong to this virus or this type of virus(In this case Virus refer to also malware spyware)

And does not belong to any clean file, We are safe to say that this is a signature of the program(virus)

The best possible signature is the shortest string/binary that is possible in the virus program in the virus part and will not match any other clean files

MD5 will work but now days virus can just add something like Call XXX and call back which will change the MD5 COMPLETELY.

Which will not work.

And yes we can get information by

$sql_query = "SELECT * FROM Database WHERE Signature='<file signature here>'

BUT am not talking about getting information. Getting information can take minutes no one will care at all as long as the virus is detected and display.

Am talking about scanning the file.

Edited January 16, 2009 by athiwatc

[WolfWorld]

Here you go Modify Version you can take my name out ^ ^ just added too let you see

^ ^ only take 0.82 second to scan the exee of no virus

anti.rar

[neology]

And yes we can get information by

$sql_query = "SELECT * FROM Database WHERE Signature='<file signature here>'

BUT am not talking about getting information. Getting information can take minutes no one will care at all as long as the virus is detected and display.

Am talking about scanning the file.

i'm agree with this..

for a single file, maybe nobody will care.

BUT, how about a bundle of files?hundreds?thousands?

it's really2 a get long time..

for scanning the files, i don't really care what method you use, md5 base..strings base or what ever it is..using the machine code maybe too advanced for the beginner as i am and others..

AutoIt itself does not support this..we used what AutoIt can do for us..

i'm wonder if AutoIt have the machine code 'reader'..

[Influx]

very nice with the modification use stringregex howeveer i added a file to the database (in the .ini and the .txt) scanned the file and it wasnt detected, so something is not right.

also here is updated GUI thanks to ashley(will also be infirst post)

expandcollapse popup

#Region ;**** Directives created by AutoIt3Wrapper_GUI ****

#AutoIt3Wrapper_Version=Beta

#AutoIt3Wrapper_Icon=C:\Users\GoTTsProfeT\Downloads\counterstrike-3.ico

#AutoIt3Wrapper_Compression=4

#AutoIt3Wrapper_Res_Comment=NoVirus AntiVirus

#AutoIt3Wrapper_Res_Description=NoVirus AntiVirus

#AutoIt3Wrapper_Res_Fileversion=0.0.1.29

#AutoIt3Wrapper_Res_LegalCopyright=On Demand Programmers Of America

#AutoIt3Wrapper_Res_Language=1033

#EndRegion ;**** Directives created by AutoIt3Wrapper_GUI ****

#include <EditConstants.au3>

#include <GUIConstantsEx.au3>

#include <StaticConstants.au3>

#include <WindowsConstants.au3>

#include <string.au3>





$GUI = GUICreate("No Virus", 562, 403)

GUISetFont(10, 400, 0, "Papyrus")

$Label1 = GUICtrlCreateLabel("No Virus", 216, 16, 133, 55)

GUICtrlSetFont(-1, 24, 400, 0, "Papyrus")

$Label2 = GUICtrlCreateLabel("Please select a file to scan! Either type the file path in the box provided below or click Browse", 8, 80, 545, 25)

$Filepath = GUICtrlCreateInput("", 16, 112, 345, 29)

$Browse = GUICtrlCreateButton("Browse", 376, 112, 75, 25, 0)

$Scanbutton = GUICtrlCreateButton("Scan File!", 464, 112, 75, 25, 0)

$Fileinfofeilds = GUICtrlCreateGroup("File info:", 16, 152, 529, 161)

$Filepathlable = GUICtrlCreateLabel("File path:", 32, 184, 490, 25)

$Filesizelable = GUICtrlCreateLabel("File size:", 32, 216, 490, 25)

$Virustypelable = GUICtrlCreateLabel("Virus type:", 32, 280, 490, 25)

$Filestatuslable = GUICtrlCreateLabel("File status:", 32, 248, 490, 25)

GUICtrlCreateGroup("", -99, -99, 1, 1)

$Scaninfofeilds = GUICtrlCreateGroup("Scan info:", 16, 320, 529, 65)

$Timetakenlable = GUICtrlCreateLabel("Time taken to preform scan:", 32, 352, 490, 25)

GUICtrlCreateGroup("", -99, -99, 1, 1)

GUISetState(@SW_SHOW)



If $cmdline[0] > 0 Then

    GUICtrlSetData($Filepath, StringRegExpReplace($cmdlineraw, '"', ''))

    ControlClick("No Virus", "", "Scanbutton")

EndIf



$flag = 0

While 1

    $nMsg = GUIGetMsg()

    Switch $nMsg

        Case $GUI_EVENT_CLOSE

            Exit





        Case $Browse

            GUICtrlSetData($Filepath, FileOpenDialog("Select a File to Scan", @WorkingDir, "All Files(*.*)"))



        Case $Scanbutton

            ProgressOn("Scanning File", "Scanning Requested File", "Scanning " & GUICtrlRead($Filepath))

            $timer = TimerInit()

            $test = Binary(FileRead(GUICtrlRead($Filepath)))

            ProgressSet(40)

            $database = FileRead(@ScriptDir & "\database.viri")

            ProgressSet(46)

            $db = StringSplit($database, ";")

            ProgressSet(50)

            $xy = UBound($db) - 2

            For $i = 1 To UBound($db) - 2

                ProgressSet($i / $xy * 100 + 50)

                ConsoleWrite($i / $xy * 100 & @CRLF)

                $db2 = StringSplit($db[$i], "=")



                If StringInStr($test, _StringEncrypt(0, $db2[2], "odpoaviri"), 1, 1) Then



                    GUICtrlSetData($Filepathlable, 'File path: ' & GUICtrlRead($Filepath))

                    GUICtrlSetData($Filestatuslable, 'File status: Infected')

                    GUICtrlSetData($Virustypelable, 'Virus type: ' & $db2[1])

                    GUICtrlSetData($Filesizelable, "File size: " & FileGetSize(GUICtrlRead($Filepath)) & ' Bytes')

                    GUICtrlSetData($Timetakenlable, 'Time taken to preform scan: ' & StringLeft(TimerDiff($timer) / 1000, 10) & ' Seconds')

                    $flag = 1

                    ExitLoop

                EndIf



            Next

            ProgressOff()

            If $flag = 1 Then

                MsgBox(16, "Complete", "Scan Completed")

                $flag = 0

            Else

                GUICtrlSetData($Filepathlable, 'File path: ' & GUICtrlRead($Filepath))

                GUICtrlSetData($Filestatuslable, 'File status: Not infected!')

                GUICtrlSetData($Virustypelable, 'Virus type: N/A')

                GUICtrlSetData($Filesizelable, "File size: " & FileGetSize(GUICtrlRead($Filepath)) & ' Bytes')

                GUICtrlSetData($Timetakenlable, 'Time taken to preform scan: ' & StringLeft(TimerDiff($timer) / 1000, 10) & ' Seconds')

                MsgBox(64, "Complete", "Scan Completed")

            EndIf




    EndSwitch

WEnd

[Influx]

also in case you all want to know, this pulls a string of binary from the .exe and stores it in a database, then scans that by the contents of the selected file.

[ptrex]

@all

I very much doubt that SQLite will be any slower at all, when used corrextly.

1. User the IN Memory DB to store all the signatures in.

2. Create an INDEX on the table that contains the signatures.

Regards

ptrex

[WolfWorld]

Something is not right, YES.

But I got another idea which is SUPER fast

Which is Multithreading. Am making it just wait.

StringInStr is not tread-safe?

Edited January 18, 2009 by athiwatc

[Influx]

stringinstr is extremely slow

stringregularex is much faster however I have failed to make a working example yet.

[WolfWorld]

But StringRegExp Works on my PC?

Can you send me a virus in that signature?

[join]

plz fix link, dosn´t work anymore, thx!

[Digisoul]

Im giving you a 1 more Fast tech,

1st 1024 bytes of any PE file(executable) are always different ,

you can make a scanner like that:

1. make your data base in .ini file,

2. scanner will get the first 1024 bytes

2. match that bytes in the .ini file

2.1 if the bytes match it will return value (name of the virus).

you can use different ways to protect DB (.ini)

and use "WINAPI Create file" & "WINAPI Read File" instead of File Read,it will give you more reliability.

Edited March 12, 2009 by Digisoul

[timistar]

somebody can send my or repost the zip with the file database.viri the link is dead

thx

[BasicOs]

Hi,

you would try to remove your not-tested antivir searching engine out of your antivir-script, and use an improved and tested one instead.

like Clam´s engine, GPL, you can reuse legally.

And concentrate further efforts into other issues like

1.-Interface,

2.-Real time (RAM LIVE SEARCH+DEVICES SEARCH. I/O)

3.-AutoInstallscript

4.- Extra features like adding spybot, or other engines.

5.- Adding register, hard and soft simple testing.

Search for Clam links here:

#655647

Edited March 13, 2009 by BasicOs

[jeantje]

Either try mine CatchIt! it's actually just a modified version of NoVirus Antivirus but i just can say that it's faster and it can use open signatures like 7D24[A-Z0-9]+24482B.

Greetings Jean