by integricho 1788 days ago
I don't believe they use regular expressions.
Why not? I.e. is that from experience on working on anti malware remediation systems?
What would it match against? ASCII strings? Add a whitelisted string and make your malware pass.

The heuristics are much more complex than that, cf. spamassassin rules.

Opcode sequences. Regular expressions may be applied to any formal language, not just ones based on human-readable alphabets.
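As an added illustration of the point above (example code written for this thread, not from any commenter or scanner), a byte-level regex signature matcher: a ClamAV-style hex signature with `??` and `{n}` wildcards is translated into a Python `bytes` pattern and run over a constructed buffer of x86 opcodes. The signature format, the `hex_signature_to_regex`/`scan` helpers and the sample bytes are assumptions for this example.

```python
import re

# Constructed sample, standing in for a slice of x86 machine code:
# 90 90              nop; nop
# 55                 push ebp
# 8B EC              mov ebp, esp
# 83 EC 20           sub esp, 0x20   (imm8 varies between builds)
# 53                 push ebx
# E8 A1 00 00 00     call rel32      (displacement varies)
# C3                 ret
SAMPLE = bytes.fromhex("9090" "558bec83ec2053" "e8a1000000" "c3")

# Hypothetical signatures: pairs of hex digits, '??' = one wildcard byte,
# '{n}' = exactly n wildcard bytes (operands that change per build).
SIGNATURES = {
    "prologue.sub_esp": "55 8B EC 83 EC ?? 53",
    "call_then_ret": "E8 {4} C3",
}

def hex_signature_to_regex(sig: str) -> re.Pattern:
    """Translate a hex signature into a compiled regex over bytes.

    The alphabet here is raw byte values 0x00-0xFF, not printable text,
    which is why the pattern and the input are both bytes objects.
    """
    parts = []
    for tok in sig.split():
        if tok == "??":
            parts.append(b".")                       # any single byte
        elif tok.startswith("{") and tok.endswith("}"):
            parts.append(b".{%d}" % int(tok[1:-1]))  # n arbitrary bytes
        else:
            parts.append(re.escape(bytes.fromhex(tok)))  # literal byte
    # DOTALL so '.' also matches 0x0A, which is just another opcode byte here
    return re.compile(b"".join(parts), re.DOTALL)

def scan(buf: bytes, signatures: dict) -> list:
    """Return (signature name, start offset, end offset) for every hit."""
    hits = []
    for name, sig in signatures.items():
        for m in hex_signature_to_regex(sig).finditer(buf):
            hits.append((name, m.start(), m.end()))
    return hits

if __name__ == "__main__":
    for name, start, end in scan(SAMPLE, SIGNATURES):
        print(f"{name}: offset {start}-{end} bytes {SAMPLE[start:end].hex()}")
```

The wildcards are what make the pattern survive operand changes such as a different stack-frame size or call target; an exact-string match would not.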
That kinda makes sense, thanks.

However, wouldn’t this kind of heuristic be extremely simple to counter by obfuscating the machine code, e.g. by inserting complex no-ops and using threaded subroutines which individually look innocuous? Or are these kinds of techniques looking at known syscall patterns or something like that, and ignoring the general program flow?

To me, regex doesn’t seem applicable to static analysis of machine code, but what do I know :)

Antiviruses are composed of multiple systems and techniques. Regexp is just one.
That also makes sense. Got any further reading?