Can a standard antivirus find script viruses?

Started by Bravoman1, Jul 11, 2022, 02:51 AM


Bravoman1 (Topic starter)

Hi!

I don't know if anyone does this, but sometimes I copy all the server files or part of them to my local computer and check it with a regular antivirus.

I got curious: can it detect site viruses embedded in php, js, html and other files?

What do you use to check files on the local computer?

Thank you in advance for your replies!

samfrank

All desktop antiviruses are "sharpened" for Windows and its viruses.

From experience, they can find about 25% of PHP malware.

It is better to use specialized solutions, plus check "by eye".

My personal favorite is Ai-bolit and a couple of bash commands for finding specific code snippets.

With experience, it will become quite easy to identify infections even without additional scanners.

And if you don't have enough experience to distinguish "bad" code, then your way out (not ideal, of course) is to restore from backup, then scan with Ai-bolit or something like it, check and remove everything suspicious, and update the CMS and its components to the latest current versions.
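samfrank mentions Ai-bolit plus a few bash commands for hunting specific code snippets. As an added example that is not from this thread and not Ai-bolit's code, here is a small POSIX shell pass over a local copy of a webroot; the pattern list is a constructed heuristic set, and `scan_web_files` / `count_flagged_files` are names chosen here.

```shell
#!/bin/sh
# Added example, not code from the thread or from Ai-bolit. A grep-based first
# pass over a local copy of a webroot, looking for obfuscation idioms that PHP
# and JS malware commonly rely on. Every hit is a line to read by eye, not a
# verdict: minified libraries and template caches trigger some of these too.

# Constructed heuristic list, one POSIX extended regex per line.
SUSPICIOUS_PATTERNS='eval[[:space:]]*\(
base64_decode[[:space:]]*\(
gzinflate[[:space:]]*\(
gzuncompress[[:space:]]*\(
str_rot13[[:space:]]*\(
create_function[[:space:]]*\(
\$_(GET|POST|REQUEST|COOKIE)\[[^]]+\][[:space:]]*\(
\$[A-Za-z_][A-Za-z0-9_]*[[:space:]]*\([[:space:]]*\$_(GET|POST|REQUEST|COOKIE)
chr\([0-9]+\)[[:space:]]*\.[[:space:]]*chr\(
(\\x[0-9a-fA-F]{2}){4}'

# Write the pattern list to a temp file so grep -f can consume it; prints the path.
_pattern_file() {
    pf=$(mktemp) || exit 1
    printf '%s\n' "$SUSPICIOUS_PATTERNS" > "$pf"
    printf '%s\n' "$pf"
}

# scan_web_files DIR: print file:line:text for every suspicious line under DIR.
# Only web source types are scanned; images, archives and .txt notes are skipped.
scan_web_files() {
    pf=$(_pattern_file)
    rc=0
    grep -rnE --include='*.php' --include='*.phtml' --include='*.inc' \
        --include='*.js' --include='*.html' -f "$pf" -- "$1" || rc=$?
    rm -f "$pf"
    # grep exits 1 when nothing matched; that is a clean result, not an error.
    [ "$rc" -le 1 ] || return "$rc"
    return 0
}

# count_flagged_files DIR: print the number of distinct files with at least one hit.
count_flagged_files() {
    pf=$(_pattern_file)
    grep -rlE --include='*.php' --include='*.phtml' --include='*.inc' \
        --include='*.js' --include='*.html' -f "$pf" -- "$1" | wc -l | tr -d ' '
    rm -f "$pf"
}

# Usage: scan_web_files /path/to/local/copy/of/webroot
```

Run it on the local copy first and diff the hit list against a scan of the clean backup: lines that appear only in the live copy are the ones to read first.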

JacobLindS

Now Dr.Web has two specialized solutions — an agentless antivirus and a solution based on a light agent. These solutions differ in functionality and principle of operation.

The agentless solution is intended only for VMware — VMware has a specialized API that it provides to third-party vendors. Through that API, files are transferred to the VM where the interceptor driver is installed for analysis, and the program decides which ones to block.
This solution does not require installing any specific software inside the VM, which removes the issue of installation and long compatibility testing. However, that approach affects the work of the antivirus solution itself, because its hands are simply tied. Agentless antivirus can receive data, analyze and give a verdict, but it does not have the ability to conduct research inside the VM and apply modern logic. Obviously, the limited functionality greatly outweighs its advantages, so it does not suit us.

In our clouds, we use a solution for virtual environments based on a lightweight agent. In that case, a light agent is installed inside each VM, and computing operations are carried out on a special machine that contains an antivirus engine.
Such a VM is called an SVM. Lightweight agents inside a VM on Linux or Windows serve as transport, allowing you to intercept a file operation, a user's request for network access, or devices connected to the VM (for instance, a flash drive), and then transfer that information for analysis to a dedicated VM.

Objects are analyzed on just one VM (SVM). This saves the resources of each machine, including checking gold images or other identical files. Having once checked such a golden image or file within the entire hypervisor or cluster, the solution will no longer waste resources on that operation, but will immediately give a verdict. This increases speed and at the same time reduces resource consumption. At the same time, the level of protection is only growing.

The solution works on the basis of several components.

Security Server (Security Virtual Appliance)
The multifunctional security appliance for virtualization supports redundancy for scalability and better reliability, contains the latest AV database and updates it regularly, transmits optimized updates to lightweight agents, manages the assignment of licenses to running VMs. To optimize malware scanning, it uses the "Shared Cache" technology.

Shared and local cache
The shared cache is stored on the SVM. Literally, it's a table with file hashes and their verdicts.
Each shared cache entry represents a unique file. Lightweight agents also use a local cache, which is stored in the VM's RAM and contains entries for each individual file. The combination of these methods greatly improves and optimizes the arduous task of scanning files.

The service, built on the basis of a solution from Dr.Web with a light agent, allows each of our clients to have their own settings, policies, a dedicated quarantine and manage a set of VMs with light agents placed in the way chosen for them. The client can customize parameters such as file scanning depth, quarantine location, and so on.

Thanks to its functionality, the solution:

The service is available on all our cloud installations — both in Elastic Cloud and in certified clouds for working with PD and GIS. Today, that allows our customers' VMs to feel comfortable in the insecure and caustic environment of the Internet.
The issue of regulation has also been resolved: the product has a FSTEC certificate, so the client does not need to look for some specific solution. He gets both "paper" and real protection in one bottle.