# Computer Security - lesson 19

#### Stefano Zanero

###### 23 June 2016

# Antivirus and Anti-malware

Commercial antivirus products employ __signature based detection__ or __heuristics__, but they never apply __behavioral detection__, which remains limited to the research field. This is basically because commercial products are focused on __detecting__ malware, not on __analyzing__ its behaviour.

## Viruses and worm stealth techniques

- __Polymorphism__ is when the virus changes its shape with every infection, for example by encrypting the malicious payload every time with a different key. The problem for analyzers in this case is that signatures often recognize the decryptor code rather than the malicious code, so one signature matches hundreds of viruses.
- __Packing__ is used by malware to encrypt its code, but it is also used by DRM software.

# Rootkits

The word __rootkit__ originally meant the set of software used to gain root access on a machine and to maintain it. __Userland__ rootkits require trojanizing many utilities that could otherwise be used to detect the attack, such as `ls`, `du`, `netstat`, ... A __kernel__ rootkit is much simpler in this respect, but it is more difficult to obtain, since it requires a kernel exploit.

For computers the __supply chain__ is a very important issue: you cannot ensure that the vendors of all the components of your computer, or the OEM vendor, have not compromised your device.
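The polymorphism point above, as an added illustration that is not part of the lecture notes: a byte-pattern scanner sees the same decryptor stub in every variant, so one signature on the stub matches all of them, while a signature on the encrypted body matches none. The stub, the body and the XOR scheme are constructed, inert toy values, not real malware code.

```python
"""Toy model of why one decryptor signature matches many polymorphic variants."""
from typing import List, Optional, Tuple

# Constructed, inert byte strings (not real code): a fixed "decryptor" stub that
# every variant carries unchanged, and a "payload" that is XOR-encrypted with a
# fresh key for each infection. Both values are assumptions for this example.
DECRYPTOR_STUB = b"\xde\xc0\xde\x00LOOP:XOR:KEY@"
PAYLOAD = b"MALICIOUS-BODY-v1"


def xor(data: bytes, key: int) -> bytes:
    return bytes(b ^ key for b in data)


def make_variant(key: int) -> bytes:
    """Emit one polymorphic sample: constant stub, one key byte, encrypted body."""
    return DECRYPTOR_STUB + bytes([key]) + xor(PAYLOAD, key)


def matches(sample: bytes, signature: bytes) -> bool:
    """Plain byte-pattern matching, the way a signature engine scans a file."""
    return signature in sample


def detection_count(samples: List[bytes], signature: bytes) -> int:
    return sum(matches(s, signature) for s in samples)


def recover_payload(sample: bytes) -> Optional[bytes]:
    """Once the stub is found, undo the toy XOR using the key stored right after it.

    This mirrors why detecting the decryptor is enough to classify a variant.
    """
    idx = sample.find(DECRYPTOR_STUB)
    if idx < 0:
        return None
    key_pos = idx + len(DECRYPTOR_STUB)
    return xor(sample[key_pos + 1:], sample[key_pos])


def demo(n: int = 100) -> Tuple[int, int, int]:
    """Return (stub-signature hits, body-signature hits, total) over n variants."""
    variants = [make_variant(k) for k in range(1, n + 1)]  # keys 1..n, never 0
    stub_hits = detection_count(variants, DECRYPTOR_STUB[:8])
    body_hits = detection_count(variants, PAYLOAD)
    return stub_hits, body_hits, len(variants)  # -> (100, 0, 100)


if __name__ == "__main__":
    print(demo())
```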