jeantje Posted February 13, 2009 (edited)

Check my new virus scanner, scanning based on the source of NoVirus
Ideas are welcome!

Downloads: http://www.whopsi.com/OLD/count.php?id=3&ext=.png
Download: CatchIt! Beta 1 + Database
Download: Plain Database + Database Tools + EICAR TEST Virus

```autoit
#cs ----------------------------------------------------------------------------

 AutoIt Version: 3.3.0.0
 Author:         Jeantje

 Script Function:
    Scanning Files for Virus Signs

#ce ----------------------------------------------------------------------------
#NoTrayIcon
#include <WindowsConstants.au3>
#include <StaticConstants.au3>
#include <GUIConstantsEx.au3>
#include <EditConstants.au3>
#include <String.au3>
#include <File.au3>

; Version string and signature database path come from config.ini
$VER = IniRead("config.ini","CatchIt!","Version","")
$DEF = IniRead("config.ini","CatchIt!","DEF_File","DATABASE\MAIN.CDB")

; Build the GUI
$GUI = GUICreate("CatchIt! " & $VER, 562, 403)
GUISetFont(10, 400, 0, "Papyrus")
$Label1 = GUICtrlCreateLabel("CatchIt!", 216, 16, 133, 55)
GUICtrlSetFont(-1, 24, 400, 0, "Papyrus")
$Label2 = GUICtrlCreateLabel("Please select a file to scan! Either type the file path in the box provided below or click Browse", 8, 80, 545, 25)
$Filepath = GUICtrlCreateInput("", 16, 112, 345, 29)
$Browse = GUICtrlCreateButton("Browse", 376, 112, 75, 25, 0)
$Scanbutton = GUICtrlCreateButton("Scan File!", 464, 112, 75, 25, 0)
$Fileinfofeilds = GUICtrlCreateGroup("File info:", 16, 152, 529, 161)
$Filepathlable = GUICtrlCreateLabel("File path:", 32, 184, 490, 25)
$Filesizelable = GUICtrlCreateLabel("File size:", 32, 216, 490, 25)
$Virustypelable = GUICtrlCreateLabel("Virus type:", 32, 280, 490, 25)
$Filestatuslable = GUICtrlCreateLabel("File status:", 32, 248, 490, 25)
GUICtrlCreateGroup("", -99, -99, 1, 1)
$Scaninfofeilds = GUICtrlCreateGroup("Scan info:", 16, 320, 529, 65)
$Timetakenlable = GUICtrlCreateLabel("Time taken to preform scan:", 32, 352, 490, 25)
GUICtrlCreateGroup("", -99, -99, 1, 1)
GUISetState(@SW_SHOW)

$flag = 0 ; set to 1 when a signature matches

While 1
    $nMsg = GUIGetMsg()
    Switch $nMsg
        Case $GUI_EVENT_CLOSE
            Exit
        Case $Browse
            GUICtrlSetData($Filepath, FileOpenDialog("Select a File to Scan", @WorkingDir, "All Files(*.*)"))
        Case $Scanbutton
            ProgressOn("Scanning File", "Scanning Requested File", "Scanning " & GUICtrlRead($Filepath))
            $timer = TimerInit()
            ; Read the whole file as binary; it is matched below as its string form
            $test = Binary(FileRead(GUICtrlRead($Filepath)))
            ProgressSet(40)
            ; Decrypt the signature database (the key is hardcoded in the script)
            $database = _StringEncrypt(0, FileRead(@ScriptDir & "\" & $DEF), "S3JT3NTAATST0R3GP0", 1)
            ProgressSet(46)
            ; Entries are separated by "!", each entry is "name=pattern"
            $db = StringSplit($database, "!")
            ProgressSet(50)
            $xy = UBound($db) - 2
            For $i = 1 To UBound($db) - 2
                ; The loop covers the second half of the bar (50..100)
                ProgressSet($i / $xy * 50 + 50)
                ConsoleWrite($i / $xy * 100 & @CRLF)
                $db2 = StringSplit($db[$i], "=")
                ; Skip entries without a "name=pattern" pair instead of indexing out of range
                If $db2[0] < 2 Then ContinueLoop
                If StringRegExp($test, $db2[2]) Then
                    GUICtrlSetData($Filepathlable, 'File path: ' & GUICtrlRead($Filepath))
                    GUICtrlSetData($Filestatuslable, 'File status: Infected!')
                    GUICtrlSetData($Virustypelable, 'Virus type: ' & $db2[1])
                    GUICtrlSetData($Filesizelable, "File size: " & FileGetSize(GUICtrlRead($Filepath)) & ' Bytes')
                    GUICtrlSetData($Timetakenlable, 'Time taken to preform scan: ' & StringLeft(TimerDiff($timer) / 1000, 10) & ' Seconds')
                    $flag = 1
                    ExitLoop
                EndIf
            Next
            ProgressOff()
            If $flag = 1 Then
                MsgBox(16, "Complete", "Scan Completed")
                $flag = 0
            Else
                GUICtrlSetData($Filepathlable, 'File path: ' & GUICtrlRead($Filepath))
                GUICtrlSetData($Filestatuslable, 'File status: Clean!')
                GUICtrlSetData($Virustypelable, 'Virus type: N/A')
                GUICtrlSetData($Filesizelable, "File size: " & FileGetSize(GUICtrlRead($Filepath)) & ' Bytes')
                GUICtrlSetData($Timetakenlable, 'Time taken to preform scan: ' & StringLeft(TimerDiff($timer) / 1000, 10) & ' Seconds')
                MsgBox(64, "Complete", "Scan Completed")
            EndIf
    EndSwitch
WEnd
```

Edited April 6, 2009 by jeantje
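
Added example (not part of jeantje's post or the CatchIt! source): the same "name=pattern" entries separated by "!" and the same scan loop, in Python, assuming each pattern is a regular expression over the file's uppercase hex text, which the thread never shows. It contrasts a plain search over the hex string with one that only accepts matches starting on a byte boundary, because a hex pattern can otherwise match across two half-bytes and flag a clean file. The names `SAMPLE_DB`, `parse_db`, `scan_naive` and `scan_aligned` and both signatures are constructed for illustration.

```python
import re

# Constructed sample in the page's layout: entries separated by "!", each
# "name=pattern". Pattern syntax (regex over uppercase hex) is an assumption.
SAMPLE_DB = "Demo.Marker.A=4142(43|44)!Demo.Marker.B=DEADBEEF!"


def parse_db(text):
    """Split the decrypted database text into (name, compiled regex) pairs."""
    sigs = []
    for entry in text.split("!"):
        name, sep, pattern = entry.partition("=")
        if not (sep and name and pattern):
            continue  # empty or malformed entry: skip rather than index blindly
        sigs.append((name, re.compile(pattern)))
    return sigs


def scan_naive(data, sigs):
    """Search anywhere in the hex text, like a plain regex test on the dump."""
    hexed = data.hex().upper()
    for name, rx in sigs:
        if rx.search(hexed):
            return name
    return None


def scan_aligned(data, sigs):
    """Report a hit only when the match starts on a byte boundary."""
    hexed = data.hex().upper()
    for name, rx in sigs:
        m = rx.search(hexed)
        while m:
            if m.start() % 2 == 0:  # even hex offset = start of a real byte
                return name
            m = rx.search(hexed, m.start() + 1)
    return None


if __name__ == "__main__":
    sigs = parse_db(SAMPLE_DB)
    real = b"xxABCxx"                    # contains bytes 41 42 43
    shifted = bytes.fromhex("04142430")  # hex text contains 414243 at offset 1
    print(scan_naive(real, sigs), scan_aligned(real, sigs))
    print(scan_naive(shifted, sigs), scan_aligned(shifted, sigs))
```

The bytes `04 14 24 30` contain no `41 42 43` sequence, yet the plain search reports a hit because the pattern lines up one hex digit into the dump; the aligned scan returns no detection for that input.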

Dampe Posted February 13, 2009
Erm... I don't think your database will cut it for a working anti-virus program xD

Innovative Posted February 13, 2009
It's already good of you to release the source even though the signature database is empty o.O
I hope you'll provide update with the database frequently ..

jeantje (Author) Posted February 13, 2009
> It's already good of you to release the source even though the signature database is empty o.O
> I hope you'll provide update with the database frequently ..

Updated: Alpha 2 To Beta 1
Added:
Newer Database: 7 More Sample Signatures
EICAR Test Virus (ONLY WRITES TEXT IN CONSOLE)

jvanegmond Posted February 13, 2009
Do you wish to register for AutoAv false positives reporting? If you ever flag AutoIt, or any AutoIt compiled scripts, as a malicious file you will receive an automated email daily saying this is incorrect with a blank compiled script that caused the flag.
github.com/jvanegmond

jeantje (Author) Posted February 13, 2009
> Do you wish to register for AutoAv false positives reporting? If you ever flag AutoIt, or any AutoIt compiled scripts, as a malicious file you will receive an automated email daily saying this is incorrect with a blank compiled script that caused the flag.

Yes, it can be very useful because I'm going further with this

gseller Posted February 13, 2009
Ohhh, I see.. You're trying to give everyone a virus with your database so they can find it with your antivirus.. LOL Nortons killz it before it finishes downloading. If it is a real database you can always post the code or format for anyone else to use..

jvanegmond Posted February 13, 2009 (edited)
> Ohhh, I see.. You're trying to give everyone a virus with your database so they can find it with your antivirus.. LOL Nortons killz it before it finishes downloading. If it is a real database you can always post the code or format for anyone else to use..

Oh god, please don't tell me you use Norton.. I just spent 4 hours on the phone with Symantec just trying to get an email to submit false positives. It was a perfect example why outsourcing is bad.
And yeah, the virus database contains an EICAR signature. Obviously this signature is picked up by any reasonable virus scanner. Why don't you continue downloading it and check it out for yourself?
Edited February 13, 2009 by Manadar
github.com/jvanegmond

Dampe Posted February 13, 2009
> Do you wish to register for AutoAv false positives reporting? If you ever flag AutoIt, or any AutoIt compiled scripts, as a malicious file you will receive an automated email daily saying this is incorrect with a blank compiled script that caused the flag.

This made me laugh.
I can imagine they have a filter "Those damn autoit automated emails."

jvanegmond Posted February 13, 2009
> This made me laugh.
> I can imagine they have a filter "Those damn autoit automated emails."

The companies that have replied to so far were very pleased with the server. It helps them make a better product.
I can imagine some companies are completely lazy and will just block the emails after a while. :V
github.com/jvanegmond

gseller Posted February 14, 2009
What AV do you use that is sooo good to use then? Everyone that works in code of any kind thinks they know the best AV and it is usually different depending on who you talk to. I got tired of worrying about which one works best and use one and keep backups.. LOL

jvanegmond Posted February 14, 2009
> What AV do you use that is sooo good to use then? Everyone that works in code of any kind thinks they know the best AV and it is usually different depending on who you talk to. I got tired of worrying about which one works best and use one and keep backups.. LOL

I use none and keep backups. It's a universal rule that no matter what AV you have, it will screw you up at some point. It's only a matter of time.
github.com/jvanegmond

KJohn Posted February 14, 2009
> I use none and keep backups. It's a universal rule that no matter what AV you have, it will screw you up at some point. It's only a matter of time.

You don't use an antivirus at all??? That's like saying getting immunized as a child is useless because you'll fall sick sooner or later. Or like going to battle without weapons saying you are most likely going to die anyway. I'm sure you see my point of view.
At least you keep backups. How do you know you are not making backups of infected files? Don't tell me you manually keep checking...
Personally, I find Norton Antivirus 2009 to be really light, fast and (seemingly) powerful - not like any of their previous versions (2008 wasn't too bad either).

gseller Posted February 14, 2009
I agree with Koshy.. It is not always going to be the best for any virus but seems to do a fairly good job..

NELyon Posted February 14, 2009
I, like Manadar, do not use an Anti-Virus. I'm smart with my downloading, and I make remote backups of all my files I cannot afford to lose (if I have to reformat for any reason).

gseller Posted February 14, 2009
That's cool, I hope it works for you both. I am the last person to tell anyone how to run their system. I respect both of you very much for what I have monitored you doing on this forum, I wasn't trying to hijack this topic so I will not correspond to anymore discussion. Have a blessed day..

KJohn Posted February 14, 2009
> I, like Manadar, do not use an Anti-Virus. I'm smart with my downloading, and I make remote backups of all my files I cannot afford to lose (if I have to reformat for any reason).

I normally would agree with you if all viruses jumped up and said "Ha Ha Ha! You've been infected." Then it's easy to just revert to a backup.
But that's not always the case and sometimes you just won't know you are infected no matter how careful and observant you are.
Nevertheless, I have to agree that it's quite unlikely you'll get infected if you are smart about your PC use (I'm a 'safe' user and I've gotten about 6 alerts in the past year - but for me, that is just 6 alerts too many).
Just my opinion, I'm not here to argue...

b1naryatr0phy Posted February 16, 2009
> You don't use an antivirus at all???

I gotta agree with Manadar. Besides commercial AV proggies being a waste of resources, once you've dealt with enough viruses you know how to handle them yourself, and more effectively than any AV might I add. It's been a long time since I've lost a drive to a virus, they're isolated and killed before they know what hit 'em. Rootkits don't even stand a chance if you know what you're doing.

HeffeD Posted February 16, 2009
> I can imagine some companies are completely lazy and will just block the emails after a while. :V

I know of a guy who collects malware of all types and recently asked Avira if they'd like his list. (4000+ files) They said no, they have too many people sending in files. Can you believe that? A company that makes an AV product isn't interested in adding everything they can...

And no offense, but I think those that don't run AV because "I know what I'm doing", are just deluding themselves. Saying something like "After you've been hit by enough virii, you know how to handle them" is a bit silly. The concept is to not get a virus in the first place! I've yet to have my system infected thanks to AV.

I stopped using Norton probably five years ago because it just kept getting more and more bloated and hogging up too many system resources. It's also a nightmare to try and get it off your system.

I'm currently running Comodo Internet Security, which is amazingly lightweight as far as resources go. It's also free! It has the Comodo firewall which is one of the top rated software firewalls, (free or paid...) as well as Defense+ which is a Host Intrusion Protection System. The HIPS is really solid. Comodo has always been of the opinion that prevention is the most powerful line of defense, which is why they focused on the firewall and HIPS before starting the AV. Their AV is the weakest link of CIS. It's getting better all the time, but it's still fairly young so its database isn't quite as developed as many of the AV solutions that have been around longer. The latest version also adds buffer overflow protection. I'm not aware of any other security product doing that yet.

ZeR0 Posted February 16, 2009
1 Bug: Encrypt_CDB.exe not work for me:
Line -1: Error: Array variable has incorrect number of subscripts or subscript dimension range exceeded.
???