Anti-virus Software & Encryption Algorithm

Index

  • Introduction to anti-virus software
  • How signatures work
  • Polymorphic and metamorphic malware
  • Hashing algorithms
  • Working of SHA-1
  • DES, AES and SHA compared
  • Symmetric and asymmetric encryption

Introduction

When antivirus software checks a file for viruses, worms or other malware, the classic technique it relies on is the signature: a description of something already known to be malicious.

What is a signature and how does it work?

A signature is like a fingerprint of a known virus or malware family. It could be:

  • A specific sequence of bytes inside a file.
  • A hash value (for example an MD5 or SHA-256 digest) of a malicious file.
  • A snippet of suspicious code.

How Antivirus Uses It:

  • The antivirus maintains a database of these signatures (containing thousands or millions of known threats).
  • When you scan a file, the antivirus compares it against this signature database.
  • If there's a match, the antivirus flags the file as malicious.

Types of Signature Techniques:

  • Byte pattern matching:

Example: the scanner searches each file for a byte sequence taken from a known sample. The sequence has to be specific to the malware: 4D 5A 90 00, for instance, is just the "MZ" DOS header that begins every Windows executable, so a signature on those four bytes alone would flag every .exe on the system. Real signatures use longer, rarer sequences (often with wildcards and offset constraints) taken from the malware's own code.

  • Hash matching:

Example: if malware.exe has SHA-256 hash abc123..., any file with exactly that hash is flagged instantly. Changing a single byte of the file changes the hash completely, so this catches only exact copies.

  • Heuristic signatures:

More advanced: instead of an exact match, the scanner looks for suspicious structures or behaviours (for example an executable that decrypts and then runs code it carries) that are characteristic of a whole malware family. Heuristic scanning is not unique to "next-generation" antivirus (NGAV); traditional products have used it for decades, and NGAV adds machine-learning models on top of it.
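
To make the first two techniques concrete, here is a small scanner written for this article (an added example, not code from the original post or from any antivirus product). The two files, the signature names and the marker string are all constructed for the demonstration. The point it shows: the hash signature matches only the exact file, the marker signature matches only the malicious file, and a signature on the MZ header fires on the harmless file as well.

```go
package main

import (
	"bytes"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// byteSig is a byte-pattern signature: the sequence must appear somewhere in the file.
type byteSig struct {
	name    string
	pattern []byte
}

// hashSig is a hash signature: the file's SHA-256 must equal the recorded digest.
type hashSig struct {
	name   string
	sha256 string
}

// Constructed samples (not real malware). Both begin with 4D 5A 90 00, the
// "MZ" DOS header that every Windows executable starts with.
var (
	peHeader      = []byte{0x4D, 0x5A, 0x90, 0x00}
	malwareSample = append(append([]byte{}, peHeader...), []byte("...EVIL_MARKER_0xDEADBEEF...")...)
	benignSample  = append(append([]byte{}, peHeader...), []byte("...hello from notepad...")...)
)

// Hypothetical signature databases for this example.
var hashDB = []hashSig{
	{name: "Trojan.Sample.hash", sha256: sha256Hex(malwareSample)},
}

var byteDB = []byteSig{
	// Too broad: this is the PE/DOS header, present in every Windows executable.
	{name: "BAD_SIG.MZ_header", pattern: peHeader},
	// Specific: taken from the malicious sample's own body.
	{name: "Trojan.Sample.marker", pattern: []byte("EVIL_MARKER_0xDEADBEEF")},
}

func sha256Hex(b []byte) string {
	sum := sha256.Sum256(b)
	return hex.EncodeToString(sum[:])
}

// matchHash returns the names of hash signatures whose digest equals the file's SHA-256.
func matchHash(file []byte) []string {
	var hits []string
	digest := sha256Hex(file)
	for _, sig := range hashDB {
		if sig.sha256 == digest {
			hits = append(hits, sig.name)
		}
	}
	return hits
}

// matchBytes returns the names of byte-pattern signatures found anywhere in the file.
func matchBytes(file []byte) []string {
	var hits []string
	for _, sig := range byteDB {
		if bytes.Contains(file, sig.pattern) {
			hits = append(hits, sig.name)
		}
	}
	return hits
}

func main() {
	files := map[string][]byte{"malware.exe": malwareSample, "notepad.exe": benignSample}
	for name, file := range files {
		fmt.Printf("%-12s hash hits: %v  byte hits: %v\n", name, matchHash(file), matchBytes(file))
	}
}
```

The false positive on notepad.exe is the practical lesson: a signature is only as good as its specificity, and vendors test new signatures against large clean-file sets before shipping them for exactly this reason.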

Limitations:

  • New or unknown malware has no signature yet, so signature-based detection misses novel threats (zero-days) and even trivially modified copies of known ones.
  • That is why modern antivirus also uses behavioural analysis, machine learning and other techniques alongside signatures.

Q. How are signature databases updated?

  • Security researchers and vendors (McAfee and the like, plus aggregation services such as VirusTotal) collect suspicious files, emails and artefacts from compromised machines.
  • They analyse the samples: reverse engineer them, disassemble the code and work out the file structure, byte patterns and runtime behaviour.
  • From that analysis a new signature is written and checked against clean files so it does not cause false positives.
  • This happens continuously, and the updated signatures are pushed to the databases and to the installed software.

Q. What are polymorphic and metamorphic malware?

  • Polymorphic malware changes its appearance on every infection, typically by encrypting or obfuscating its body with a new key and prepending a small decryption routine. The stored bytes (and therefore the file hash) differ each time, but the decrypted payload that actually runs is the same.
  • Metamorphic malware goes further and rewrites its own code on each generation (reordering instructions, substituting equivalent ones, inserting junk) while keeping the same functionality, so there is no constant encrypted body to look for.

💡 Detection: use heuristic and generic signatures (broad patterns that cover an entire malware family, for example the decryption stub, or the decrypted payload after emulation) together with behavioural analysis, rather than exact hashes.
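
A toy model of polymorphism, added here as an example (it is not from the original post and is not real malware): every "infection" keeps the same decryptor stub and XOR-encrypts the same payload with a different one-byte key. The stub text, the payload string and the key scheme are invented for the demonstration. Run it and the exact-pattern signature never fires, while a generic signature on the stub and a heuristic that emulates the stub's decryption both catch every variant. Metamorphic rewriting is not modelled here.

```go
package main

import (
	"bytes"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Constructed data for this example. decryptorStub stands in for the small
// decryption routine that is identical in every copy; payload is the real
// body, stored XOR-encrypted with a per-infection key.
var (
	decryptorStub = []byte("STUB:xor-loop-v1;")
	payload       = []byte("MALICIOUS_PAYLOAD_BODY:drop+persist+beacon")
)

// makeVariant builds one infection instance: stub || key || (payload XOR key).
// A different key gives different bytes, so every copy has a different hash.
func makeVariant(key byte) []byte {
	out := append([]byte{}, decryptorStub...)
	out = append(out, key)
	for _, b := range payload {
		out = append(out, b^key)
	}
	return out
}

// randomKey draws a non-zero key; a zero key would leave the body in plaintext.
func randomKey() byte {
	var k [1]byte
	for k[0] == 0 {
		if _, err := rand.Read(k[:]); err != nil {
			panic(err)
		}
	}
	return k[0]
}

func sha256Hex(b []byte) string { return fmt.Sprintf("%x", sha256.Sum256(b)) }

// matchPayloadPattern is an exact byte signature on the plaintext payload.
// It fails on every encrypted variant.
func matchPayloadPattern(file []byte) bool {
	return bytes.Contains(file, []byte("MALICIOUS_PAYLOAD_BODY"))
}

// matchGeneric is a generic (family) signature on the constant decryptor stub.
func matchGeneric(file []byte) bool {
	return bytes.HasPrefix(file, decryptorStub)
}

// matchHeuristic emulates what the stub would do at run time (read the key,
// XOR-decrypt the body) and then scans the decrypted bytes.
func matchHeuristic(file []byte) bool {
	if !matchGeneric(file) || len(file) <= len(decryptorStub) {
		return false
	}
	key := file[len(decryptorStub)]
	enc := file[len(decryptorStub)+1:]
	dec := make([]byte, len(enc))
	for i, b := range enc {
		dec[i] = b ^ key
	}
	return matchPayloadPattern(dec)
}

func main() {
	for i := 0; i < 3; i++ {
		v := makeVariant(randomKey())
		fmt.Printf("variant %d sha256=%s... exact=%v generic=%v heuristic=%v\n",
			i, sha256Hex(v)[:16], matchPayloadPattern(v), matchGeneric(v), matchHeuristic(v))
	}
}
```

Real engines do the same thing at larger scale: the "emulation" step is a CPU emulator that runs the suspected decryptor for a bounded number of instructions and then scans the memory it produced.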

Q. How is malware analysis performed?

  • Researchers work in an isolated environment: a sandbox or a FLARE VM analysis machine running inside a virtual machine, cut off from the production network, so the sample can be executed and observed without risk to real systems.

Hashing Algorithm

  • A hash value, also called a checksum, digest or fingerprint, is a fixed-length string (usually shown in hexadecimal) that represents a file or message.
  • A hash function takes input of any length and produces output of a fixed length.
  • It is one-way: the original data cannot be recovered from the hash.
  • A change of even one bit in the input produces a completely different hash (the avalanche effect).
  • For a secure hash it is also infeasible to find two different inputs with the same hash (collision resistance); a hash is "unique" only in this practical sense, not mathematically.

MD5 (Message Digest 5) (older)

  • Output size: 128 bits
  • Input splitting: break the message into 512-bit blocks
  • Initial state: 4 fixed 32-bit words (A, B, C, D) = 128 bits
  • Rounds: each block goes through 64 steps of bitwise operations and modular additions that update A, B, C, D
  • Security: broken; collisions can be generated in seconds, so MD5 must not be used where an attacker could substitute one file for another

SHA-1 (Secure Hash Algorithm 1)

  • Output: 160 bits
  • Input: break the message into 512-bit blocks
  • Initial state: 5 words (A, B, C, D, E)
  • Rounds: 80 per block, each a mix of bitwise operations and modular additions
  • Security: broken for collision resistance (a practical collision was published in 2017); deprecated for signatures and certificates

SHA-256 (part of the SHA-2 family) (current)

  • Output: 256 bits
  • Input: split the message into 512-bit blocks
  • Initial state: 8 words (A, B, C, D, E, F, G, H)
  • Rounds: 64 per block; as in MD5 and SHA-1, all additions are modulo 2^32
  • Security: no practical attacks known; the recommended choice for file hashes and signatures today
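
The properties listed above, checked against Go's standard-library implementations of the three functions (an added example, not code from the original post). The input strings are constructed for the demonstration. What it shows: the digest length never changes with the input length, all three functions process 512-bit blocks, and flipping one input bit flips roughly half of the output bits.

```go
package main

import (
	"crypto/md5"
	"crypto/sha1"
	"crypto/sha256"
	"fmt"
	"hash"
	"math/bits"
)

// newHash returns a fresh hash.Hash for the named algorithm.
func newHash(algo string) hash.Hash {
	switch algo {
	case "md5":
		return md5.New()
	case "sha1":
		return sha1.New()
	case "sha256":
		return sha256.New()
	}
	panic("unknown algorithm: " + algo)
}

// digest hashes data with the named algorithm and returns the raw digest bytes.
func digest(algo string, data []byte) []byte {
	h := newHash(algo)
	h.Write(data)
	return h.Sum(nil)
}

// digestBits is the output size in bits: fixed per algorithm, whatever the input length.
func digestBits(algo string) int { return newHash(algo).Size() * 8 }

// blockBits is the internal block size in bits (512 for MD5, SHA-1 and SHA-256).
func blockBits(algo string) int { return newHash(algo).BlockSize() * 8 }

// hammingDistance counts the bits that differ between two equal-length digests.
func hammingDistance(a, b []byte) int {
	n := 0
	for i := range a {
		n += bits.OnesCount8(a[i] ^ b[i])
	}
	return n
}

// avalanche flips the lowest bit of the first input byte and reports how
// many output bits changed; for a good hash this is about half of them.
func avalanche(algo string, msg []byte) int {
	flipped := append([]byte{}, msg...)
	flipped[0] ^= 0x01
	return hammingDistance(digest(algo, msg), digest(algo, flipped))
}

func main() {
	short := []byte("a")
	long := make([]byte, 1<<20) // 1 MiB of zero bytes: same digest length as one byte
	sample := []byte("The quick brown fox")
	for _, algo := range []string{"md5", "sha1", "sha256"} {
		fmt.Printf("%-6s block=%d bits digest=%d bits sameLen(1B,1MiB)=%v avalanche=%d/%d bits\n",
			algo, blockBits(algo), digestBits(algo),
			len(digest(algo, short)) == len(digest(algo, long)),
			avalanche(algo, sample), digestBits(algo))
	}
}
```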


Working Of SHA-1

  • Input: variable length.
  • Output: Fixed length 160 bits Hash value.

The SHA-1 (Secure Hash Algorithm 1) is a cryptographic hash function that processes input data to produce a fixed-size 160-bit (20-byte) hash value, known as the message digest.

Here's how the algorithm works:

1. Pre-processing

  • Padding the message: append a single '1' bit to the end of the original message. Add '0' bits until the message length is 64 bits short of a multiple of 512 (that is, congruent to 448 modulo 512). Append the original message length in bits as a 64-bit big-endian integer.
  • Parsing the Message: Divide the padded message into 512-bit blocks.

2. Initializing Hash Values

Set initial hash values (in hexadecimal):

  • h0 = 0x67452301
  • h1 = 0xEFCDAB89
  • h2 = 0x98BADCFE
  • h3 = 0x10325476
  • h4 = 0xC3D2E1F0

3. Processing Each 512-bit Block

For each block:

  • Break into words: divide the block into sixteen 32-bit big-endian words W[0] to W[15].
  • Extend to 80 words: for i from 16 to 79, W[i] = (W[i-3] XOR W[i-8] XOR W[i-14] XOR W[i-16]) left-rotated by 1 bit.
  • Initialize working variables: a = h0, b = h1, c = h2, d = h3, e = h4
  • Main loop (80 rounds):

For i from 0 to 79, pick the function f and the constant k for the current round:

  • 0 ≤ i ≤ 19: f = (b AND c) OR ((NOT b) AND d), k = 0x5A827999
  • 20 ≤ i ≤ 39: f = b XOR c XOR d, k = 0x6ED9EBA1
  • 40 ≤ i ≤ 59: f = (b AND c) OR (b AND d) OR (c AND d), k = 0x8F1BBCDC
  • 60 ≤ i ≤ 79: f = b XOR c XOR d, k = 0xCA62C1D6

Compute:

  • temp = (a left-rotated by 5) + f + e + k + W[i], with every addition modulo 2^32

Update variables:

  • e = d,
  • d = c,
  • c = b left-rotated by 30,
  • b = a,
  • a = temp

Add this block's result to the running hash (each addition modulo 2^32):

  • h0 = h0 + a
  • h1 = h1 + b
  • h2 = h2 + c
  • h3 = h3 + d
  • h4 = h4 + e

4. Produce the Final Hash Value

Concatenate h0, h1, h2, h3 and h4 (each as a 32-bit big-endian word) to form the final 160-bit hash value.
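
The four steps above as running code, written for this article as an added example (not the page's own code; Go's crypto/sha1 is called only to check the result). It follows the description exactly: the padding rule, the five initial words, the 80-word schedule, the four round functions with their constants, and the final concatenation. uint32 arithmetic in Go wraps, which is exactly the "modulo 2^32" the description asks for.

```go
package main

import (
	"bytes"
	"crypto/sha1"
	"encoding/binary"
	"encoding/hex"
	"fmt"
	"math/bits"
)

// sha1Pad is step 1: append a 1 bit (the byte 0x80), then zero bytes until the
// length is 56 mod 64 bytes (448 mod 512 bits), then the original length in
// bits as a 64-bit big-endian integer.
func sha1Pad(msg []byte) []byte {
	padded := append([]byte{}, msg...)
	padded = append(padded, 0x80)
	for len(padded)%64 != 56 {
		padded = append(padded, 0x00)
	}
	var length [8]byte
	binary.BigEndian.PutUint64(length[:], uint64(len(msg))*8)
	return append(padded, length[:]...)
}

// sha1Compress is step 3: mix one 512-bit block into the five-word state.
func sha1Compress(h *[5]uint32, block []byte) {
	var w [80]uint32
	for i := 0; i < 16; i++ { // sixteen big-endian words
		w[i] = binary.BigEndian.Uint32(block[4*i:])
	}
	for i := 16; i < 80; i++ { // extend to eighty
		w[i] = bits.RotateLeft32(w[i-3]^w[i-8]^w[i-14]^w[i-16], 1)
	}
	a, b, c, d, e := h[0], h[1], h[2], h[3], h[4]
	for i := 0; i < 80; i++ {
		var f, k uint32
		switch {
		case i < 20:
			f, k = (b&c)|(^b&d), 0x5A827999
		case i < 40:
			f, k = b^c^d, 0x6ED9EBA1
		case i < 60:
			f, k = (b&c)|(b&d)|(c&d), 0x8F1BBCDC
		default:
			f, k = b^c^d, 0xCA62C1D6
		}
		temp := bits.RotateLeft32(a, 5) + f + e + k + w[i]
		e, d, c, b, a = d, c, bits.RotateLeft32(b, 30), a, temp
	}
	h[0] += a
	h[1] += b
	h[2] += c
	h[3] += d
	h[4] += e
}

// sha1Hex runs steps 1 to 4 and returns the 160-bit digest as 40 hex characters.
func sha1Hex(msg []byte) string {
	h := [5]uint32{0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476, 0xC3D2E1F0} // step 2
	padded := sha1Pad(msg)
	for off := 0; off < len(padded); off += 64 {
		sha1Compress(&h, padded[off:off+64])
	}
	out := make([]byte, 20) // step 4: h0 || h1 || h2 || h3 || h4, big-endian
	for i, v := range h {
		binary.BigEndian.PutUint32(out[4*i:], v)
	}
	return hex.EncodeToString(out)
}

// selfTest compares against crypto/sha1 at lengths that exercise every padding
// case: 55 bytes still fits one block, 56 to 63 force a second block, 64 is
// exactly one full block.
func selfTest() bool {
	for _, n := range []int{0, 3, 55, 56, 57, 63, 64, 65, 119, 120, 200} {
		msg := bytes.Repeat([]byte{'a'}, n)
		ref := sha1.Sum(msg)
		if sha1Hex(msg) != hex.EncodeToString(ref[:]) {
			return false
		}
	}
	return true
}

func main() {
	fmt.Println(sha1Hex([]byte("abc"))) // a9993e364706816aba3e25717850c26c9cd0d89d
	fmt.Println("matches crypto/sha1:", selfTest())
}
```

The padding boundaries are where hand-written hash code usually goes wrong, which is why selfTest checks lengths 55, 56 and 64 explicitly rather than only a short string.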


What are DES, AES, and SHA?

DES (Data Encryption Standard)

  • Type: Symmetric block cipher
  • Key size: 56 bits (the 64-bit key contains 8 parity bits)
  • Block size: 64 bits
  • Status: obsolete; the 56-bit key space has been brute-forced in practice since 1998, and its successor 3DES is also deprecated
  • Used for: confidentiality (encrypting data), historically


AES (Advanced Encryption Standard)

  • Type: Symmetric block cipher
  • Key sizes: 128, 192 or 256 bits
  • Block size: 128 bits
  • Status: strong and widely used today; in practice it is run in an authenticated mode such as AES-GCM so that tampering is detected as well as confidentiality provided
  • Used for: confidentiality (encrypting sensitive data)


SHA (Secure Hash Algorithm)

  • Type: Hash function (not encryption; there is no key and nothing to decrypt)
  • Versions: SHA-1 (160-bit, deprecated) and the SHA-2 family: SHA-256, SHA-384, SHA-512
  • Used for: integrity, not confidentiality. It generates a fixed-size "fingerprint" of data
  • Cannot be reversed the way encryption can; it is one-way


Q. Which Type of Encryption is Used for Confidentiality?

Symmetric encryption is used for bulk data confidentiality. This means:

  • The same key is used for both encryption and decryption, so that key must itself be kept secret and shared safely
  • Examples: AES (current), DES and 3DES (legacy, no longer recommended)

AES is the most secure and recommended symmetric algorithm for confidentiality today.


Q. Where Is Asymmetric Encryption Used?

Asymmetric encryption (also called public-key cryptography) uses:

  • A public key to encrypt
  • A private key to decrypt

The keys are different, and knowing the public key does not reveal the private key.

Examples of asymmetric algorithms:

  • RSA (Rivest–Shamir–Adleman), usable both for encryption and for digital signatures
  • Diffie-Hellman (DH), a key-agreement algorithm: the two parties derive a shared secret rather than encrypting data with a public key


Real-world workflow: hybrid encryption (symmetric + asymmetric algorithms)

Example (e.g. HTTPS):

  1. Client gets the server’s public key via a certificate.
  2. Client encrypts a session key with the public key.
  3. Server decrypts it using its private key.
  4. Both now use that symmetric key (AES) to communicate securely.

So asymmetric cryptography is used to establish trust and exchange keys, while the actual data encryption is done with faster symmetric algorithms (such as AES) for performance. Modern TLS 1.3 no longer encrypts the session key with the server's RSA key as in step 2; it derives the key with ephemeral Diffie-Hellman and uses the certificate's key only to sign the handshake, but the division of labour is the same.
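
The four-step workflow above in running code, added for this article (it is not code from the original post or from any TLS library). A freshly generated RSA key pair stands in for the server's certificate key, the OAEP label "session-key" is an arbitrary choice, and AES is used in GCM mode so the receiver also detects tampering. It models the RSA key-transport handshake of TLS 1.2 and earlier rather than the Diffie-Hellman exchange of TLS 1.3.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
	"io"
)

// oaepLabel is a hypothetical context label bound into the RSA-OAEP operation.
var oaepLabel = []byte("session-key")

// newServerKey creates the server's long-term RSA key pair. In HTTPS the
// public half reaches the client inside the server's certificate (step 1).
func newServerKey() (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, 2048)
}

// wrapSessionKey is step 2: the client draws a fresh 256-bit AES key and
// encrypts it to the server's public key with RSA-OAEP (SHA-256).
func wrapSessionKey(pub *rsa.PublicKey) (sessionKey, wrapped []byte, err error) {
	sessionKey = make([]byte, 32)
	if _, err = io.ReadFull(rand.Reader, sessionKey); err != nil {
		return nil, nil, err
	}
	wrapped, err = rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, sessionKey, oaepLabel)
	return sessionKey, wrapped, err
}

// unwrapSessionKey is step 3: only the holder of the private key recovers the key.
func unwrapSessionKey(priv *rsa.PrivateKey, wrapped []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), nil, priv, wrapped, oaepLabel)
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// sealRecord is step 4 on the sending side: AES-256-GCM with a fresh random
// 96-bit nonce prepended to the ciphertext. GCM authenticates as well as encrypts.
func sealRecord(key, plaintext []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return append(nonce, gcm.Seal(nil, nonce, plaintext, nil)...), nil
}

// openRecord is step 4 on the receiving side. A wrong key or a single flipped
// bit makes gcm.Open return an error rather than garbage plaintext.
func openRecord(key, record []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(record) < gcm.NonceSize() {
		return nil, errors.New("record too short")
	}
	return gcm.Open(nil, record[:gcm.NonceSize()], record[gcm.NonceSize():], nil)
}

// runHandshake runs steps 1 to 4 end to end and returns what the server
// decrypted from the client's first record.
func runHandshake(appData []byte) ([]byte, error) {
	priv, err := newServerKey()
	if err != nil {
		return nil, err
	}
	clientKey, wrapped, err := wrapSessionKey(&priv.PublicKey)
	if err != nil {
		return nil, err
	}
	serverKey, err := unwrapSessionKey(priv, wrapped)
	if err != nil {
		return nil, err
	}
	record, err := sealRecord(clientKey, appData) // client -> server
	if err != nil {
		return nil, err
	}
	return openRecord(serverKey, record) // server side
}

func main() {
	pt, err := runHandshake([]byte("GET / HTTP/1.1"))
	fmt.Printf("server decrypted %q (err=%v)\n", pt, err)
}
```

Two details matter in practice: the session key is random and used once, so compromising it later exposes only this session, and the nonce is never reused under the same key, which GCM requires for both confidentiality and authenticity.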
