0

Is it possible to tell an antivirus which specific virus type (worm, macro, etc.) to scan for? Assuming I know the type of virus and just want to save time and scan for it specifically instead of running it through the whole system.

  • Every anti-virus software is different. Some might have such a feature, some might not. You might want to look in the manual or consult the support of your anti-virus software. – Philipp Jun 10 '17 at 11:35

2 Answers

2

It is not possible with most antiviruses, the reason being that it would be "penny-wise, but pound-foolish".

Most of the resources employed by the antivirus are spent in opening files and reading them (uncompressing, etc.). More often than not, interpreting them from the various executable formats.

It is possible - not in all antiviruses - to reduce time by not scanning classes of objects (Office documents for macros, inside ZIP files, inside email archives, etc.).

But normally an antivirus uses a complicated and optimized "tree" or state machine to scan for viruses. It is not, in other words, something like

foreach signature in TenThousandSignatures do
    if filedata contains signature then
        call alarm
    end
end

which would benefit from replacing TenThousandSignatures with FiveMostProbableSignatures.

To be able to only scan for a single virus, you would need to have an optimized FSM for that one virus, and therefore one FSM for each virus you might want to choose. This would require, first, supplying a lot of FSM packages to the antivirus; and then when you wanted to scan for all viruses, or most of them, the time would be the sum of each time, since all those FSMs would not be integrated in a single one, and would need to run independently, their run time or resource requirements adding up.

That said, it is often done that antiviruses have several FSM packages and you can select the one you wish to employ: usually viruses, malware, adware, and PUA (Potentially Unwanted Applications) / PHA (Potentially Harmful Applications), such as patch droppers, cracks, hacking tools, password finders, etc. Also, for convenience, you might get a "full database" FSM each first of the month, then the signature updates would be supplied daily as an additional, but much smaller, update package.

Also, some antiviruses use several strategies to scan for different virus families or technologies (polymorphic virus, heuristic scans, etc.), and you might be able to disable the strategies you aren't interested in. Each being independent of the others, the times there add up linearly, so deactivating undesired modules makes sense.

In such cases, the scan time is usually proportional to the number of FSM packages or scanning modules you activate (and, less clearly, proportional to the size/architecture of each).

Finally, there exist some targeted antiviruses that will only scan for their designated target, a single virus or a single virus family. I think ESET used to roll out some "quick response" tailored virus disinfectors for specific, "popular" viruses. Don't know if they still do that.

LSerni
  • Is there a set type of FSM AV use as a standard? Or do they vary from AV to AV? – Itay Gurvich Jun 09 '17 at 23:52
  • No, usually each firm has its own set of FSM - they actually usually are algorithmic machines more advanced (and specialized) than simple finite state automata. Heuristic engines are even more complex. And the algorithms that drive both, while approximately known, are proprietary in their details. – LSerni Jun 10 '17 at 10:50
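To make the answer's contrast concrete, here is an added example (not code from the answer or from any antivirus product) that puts the per-signature loop beside a single merged state machine. It uses an Aho-Corasick automaton as a stand-in for the proprietary engines the answer mentions; the signature names, patterns and sample bytes are constructed.

```python
from collections import deque

# Constructed sample signatures and file contents (not real malware patterns).
SIGNATURES = {"macro.generic": b"MACRO", "macro.evil": b"EVIL_MACRO", "worm.x": b"WORM_X"}
SAMPLE = b"\x00\x01header EVIL_MACRO payload WORM_ WORM_X tail"

def naive_scan(signatures, data):
    """The per-signature loop from the answer: one search of the data per signature."""
    return {name for name, pattern in signatures.items() if pattern in data}

def build_automaton(signatures):
    """Merge every signature into one Aho-Corasick automaton: (goto, fail, out)."""
    goto, fail, out = [{}], [0], [[]]
    for name, pattern in signatures.items():
        state = 0
        for byte in pattern:                      # extend the shared trie
            if byte not in goto[state]:
                goto.append({})
                fail.append(0)
                out.append([])
                goto[state][byte] = len(goto) - 1
            state = goto[state][byte]
        out[state].append(name)
    queue = deque(goto[0].values())               # depth-1 states fall back to the root
    while queue:                                  # breadth-first: parents before children
        state = queue.popleft()
        for byte, nxt in goto[state].items():
            f = fail[state]
            while f and byte not in goto[f]:
                f = fail[f]
            fail[nxt] = goto[f].get(byte, 0)
            out[nxt] = out[nxt] + out[fail[nxt]]  # inherit matches ending at a suffix
            queue.append(nxt)
    return goto, fail, out

def scan(automaton, data):
    """One pass over data; returns (matched names, number of state transitions)."""
    goto, fail, out = automaton
    state, steps, hits = 0, 0, set()
    for byte in data:
        while state and byte not in goto[state]:
            state, steps = fail[state], steps + 1
        state, steps = goto[state].get(byte, 0), steps + 1
        hits.update(out[state])
    return hits, steps

if __name__ == "__main__":
    full = scan(build_automaton(SIGNATURES), SAMPLE)
    one = scan(build_automaton({"worm.x": SIGNATURES["worm.x"]}), SAMPLE)
    print(full, one, len(SAMPLE))
```

With either signature set the automaton makes between one and two transitions per input byte, so cutting the signature list barely changes the work of the pass over the file.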
0

To answer the question: I don't think so, but it is possible some AV products include this; I haven't used them all. But in any that I use or have ever used, no. All the checking is done via heuristics and known signatures.

To correct the case: you don't want to do this. If indeed an infection has happened, there can be many different actors at play. Say you know a certain type of malware is present, and you want to scan for others. But there was an underlying malware that is used to continually regenerate the malware you are looking for in the event it is destroyed. You would never find it.

This is the main reason I don't think AV companies in the mainstream make these options readily available to end users. All end users want to save time. Sometimes we have to swallow the cost though, for the good of us all.

EDIT: But to add to it, you don't need to sit there and watch it either; most of the big AVs out there have a background scan mode, designed to be low overhead. You can run a full scan for everything and carry on your merry way.

Nalaurien