Madghostek How do I cheat?
Reputation: 0
Joined: 26 Aug 2016 Posts: 6 Location: Poland
Posted: Sat Sep 10, 2016 7:40 am Post subject: CryptoLocker
Hi!
I'm wondering how antivirus can decrypt files infected by viruses like CryptoLocker. They say that the files are encrypted with RSA, and that decrypting this would take decades...
So how can antivirus do all this work in a few seconds? Are they lying about the encryption? XD
_________________
Still learning
Zanzer I post too much
Reputation: 126
Joined: 09 Jun 2013 Posts: 3278
Posted: Sat Sep 10, 2016 9:10 am
CryptoLocker encrypts your file system.
It, itself, is a normal executable like any other.
Antivirus software detects that executable.
++METHOS I post too much
Reputation: 92
Joined: 29 Oct 2010 Posts: 4197
Posted: Sat Sep 10, 2016 10:01 am
Also, even if something is encrypted, that does not mean that nothing is readable. The data is still there; it just may not make much sense. That said, some files may leave traces of identifiable code, be it in the form of repeated patterns in code, partial strings, etc. Additionally, if something isn't readable due to limited read/write access protection or the like, you can typically identify the program or methods that are being used, as Zanzer has pointed out. It really depends on how sophisticated the AV software (or whatever else) has been programmed to be at detecting various things. Some AV is not sophisticated at all and just throws up a red flag on any little thing it can't make sense of.
mgostIH Expert Cheater
Reputation: 3
Joined: 01 Jan 2016 Posts: 159
Posted: Sat Sep 10, 2016 10:16 am
There's no antivirus that can entirely decrypt the work of a good cryptolocker, but there are many that can detect it before it gets executed or stop it while it's running, leaving you with just some unreadable files.
The best protection from ransomware is an external backup of your computer.
STN I post too much
Reputation: 43
Joined: 09 Nov 2005 Posts: 2676
Posted: Sat Sep 10, 2016 12:02 pm
Easy. Everything that is encrypted is a virus. The good ones have a sort of virtual machine/sandbox inside them which lets the program run/decrypt. I figured this out once when I XOR'ed all the "viral signatures" of my trainer (GetAsyncKeyState, WriteProcessMemory, xm player) in an effort to evade the false positives and only included the encrypted code, but also had a decryption routine which self-modified the trainer and decrypted the code. It wasn't detected as a virus until I executed it and, interestingly, it failed to detect it when I removed the decryption routine, but that also rendered the trainer unable to function lol.
Anything it doesn't understand is a virus, and anything that tries to modify another program, be it a system program or a normal user one, is automatically flagged as a virus.
It doesn't take much skill to code an antivirus these days; most antiviruses rely on a database they leech off bigger antiviruses, which pretty much functions like PEiD identifying the OEP (original entry point) of most viruses. The formula for a successful antivirus is: the more detections you can generate, the more sense of security you can give your user = $$$
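The experiment STN describes (XOR the flagged API names, ship a decode routine, watch the static scan go quiet until the code actually runs) can be reproduced in miniature. The following is an added example and not code from this thread or from any real antivirus: the "binary" is a constructed byte string, the signature list and the `STUB:XOR:` marker are hypothetical stand-ins for an AV string signature and a decryption routine, and the "emulator" simply runs the decode step before rescanning, which is the behaviour STN attributes to the better engines.

```python
"""Added example (not from the thread): string signatures vs. an XOR-encoded
payload with and without its decode stub. Every artifact below is constructed;
the signature list and the stub format are hypothetical, not a real AV's."""

import re

# Hypothetical signature database: the strings the poster said got his
# trainer flagged. A real engine has far more, but the mechanism is the same.
SIGNATURES = [b"GetAsyncKeyState", b"WriteProcessMemory", b"xmplayer"]

XOR_KEY = 0x5A  # single-byte key, as in the poster's experiment


def xor_bytes(data: bytes, key: int) -> bytes:
    """Single-byte XOR is its own inverse, so encode and decode are one routine."""
    return bytes(b ^ key for b in data)


def build_sample(encode: bool, stub: bool = True) -> bytes:
    """Construct a fake executable image: an 'MZ' marker, an optional decode
    stub that names the key, and a payload region holding the API names.
    encode=True XORs the payload; stub=False drops the decode routine, which is
    STN's third case (evades detection, but the program can no longer work)."""
    payload = b"|".join(SIGNATURES)
    decoder = b""
    if encode:
        payload = xor_bytes(payload, XOR_KEY)
        if stub:
            decoder = b"STUB:XOR:" + bytes([XOR_KEY]) + b":"
    return b"MZ" + decoder + b"PAYLOAD:" + payload + b":END"


def static_scan(blob: bytes) -> list:
    """Signature-only engine: look for the known byte patterns exactly as stored."""
    return [s.decode() for s in SIGNATURES if s in blob]


def emulated_scan(blob: bytes) -> list:
    """Emulating engine: scan as-is, then, if a decode stub is present, run it
    over the payload region and scan the decoded image too. Without the stub
    there is nothing to execute, so the encoded bytes stay opaque."""
    hits = set(static_scan(blob))
    stub = re.search(rb"STUB:XOR:(.):PAYLOAD:", blob, re.DOTALL)
    if stub:
        key = stub.group(1)[0]
        start, end = stub.end(), blob.rindex(b":END")
        hits.update(static_scan(xor_bytes(blob[start:end], key)))
    return sorted(hits)


if __name__ == "__main__":
    for label, blob in [("plain", build_sample(False)),
                        ("xor+stub", build_sample(True)),
                        ("xor, no stub", build_sample(True, stub=False))]:
        print(f"{label:13} static={static_scan(blob)} emulated={emulated_scan(blob)}")
```

Running it shows the three states from the post: the plain build is caught by both scanners, the XOR build with its stub is clean statically but caught once the stub is emulated, and the XOR build with the stub removed is clean for both, which is exactly the build that could no longer run.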
kuntz Cheater
Reputation: 0
Joined: 29 Aug 2016 Posts: 44 Location: Canada
Posted: Sat Sep 10, 2016 12:42 pm Post subject: Re: CryptoLocker
Madghostek wrote:
    Hi!
    I'm wondering how antivirus can decrypt files infected by viruses like CryptoLocker. They say that the files are encrypted with RSA, and that decrypting this would take decades...
    So how can antivirus do all this work in a few seconds? Are they lying about the encryption? XD
Some companies/states hacked the CryptoLocker people and acquired their database of decryption keys/hashes. That database was made public, so now there are tools and antivirus software packages that will detect CryptoLocker and/or files encrypted by it (and its variants) and decrypt your files for you by looking up your hash in the public decryption-key database.
Without the entire database of keys, what you said would likely be true. It would take decades, maybe even centuries, to decrypt just one person's files.
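The mechanism kuntz describes, a per-victim key held only on the operators' server, a key identifier (a hash) left in each encrypted file, and a decryptor that does nothing more than look that identifier up in the seized database, is easy to model. The following is an added example, not code from this thread and not a description of CryptoLocker's actual file format: the `LOCKED1` header, the 16-byte key ID, the `OperatorServer` class and the "leaked database" dictionary are all constructed here, and the SHA-256 counter keystream is a stdlib stand-in for the AES/RSA layers a real locker uses, chosen only so the example runs without third-party libraries.

```python
"""Added example (not from the thread): a toy model of why a seized key
database lets a decryptor recover files instantly while nothing else can.
File format, key IDs, server and cipher are all constructed stand-ins."""

import hashlib
import os
from typing import Optional

MAGIC = b"LOCKED1"          # constructed header marker for an encrypted file
HDR = len(MAGIC)            # 7 bytes, followed by 16-byte key ID and 16-byte nonce


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """SHA-256 in counter mode as a toy stream cipher (stand-in for AES)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(out[:length])


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def key_id(key: bytes) -> bytes:
    """What is written into each file: a hash of the key, never the key.
    It tells a decryptor WHICH key it needs, not what the key is."""
    return hashlib.sha256(b"key-id:" + key).digest()[:16]


def lock_file(plaintext: bytes, key: bytes) -> bytes:
    """What the locker does to a victim's file."""
    nonce = os.urandom(16)
    return MAGIC + key_id(key) + nonce + xor(plaintext, keystream(key, nonce, len(plaintext)))


def parse_locked(blob: bytes):
    if not blob.startswith(MAGIC):
        raise ValueError("not a locked file")
    return blob[HDR:HDR + 16], blob[HDR + 16:HDR + 32], blob[HDR + 32:]


def unlock_file(blob: bytes, key: bytes) -> bytes:
    kid, nonce, ct = parse_locked(blob)
    if kid != key_id(key):
        raise ValueError("this key does not belong to this file")
    return xor(ct, keystream(key, nonce, len(ct)))


class OperatorServer:
    """The criminals' side: issue a fresh key per victim and keep it. This
    table is the 'database' that, once seized and published, makes a public
    decryptor possible; the victim's machine never stores the key itself."""

    def __init__(self) -> None:
        self.keys: dict = {}

    def new_victim_key(self) -> bytes:
        key = os.urandom(32)
        self.keys[key_id(key)] = key
        return key


def recover(blob: bytes, leaked_db: dict) -> Optional[bytes]:
    """The public decryptor: read the key ID from the file, look it up in the
    leaked database, decrypt if found. No lookup hit means no recovery; the
    hash alone cannot be inverted into the key."""
    kid, _, _ = parse_locked(blob)
    key = leaked_db.get(kid)
    if key is None:
        return None
    return unlock_file(blob, key)


if __name__ == "__main__":
    server = OperatorServer()
    victim_key = server.new_victim_key()
    doc = b"constructed sample document"
    blob = lock_file(doc, victim_key)
    print("key id in file :", parse_locked(blob)[0].hex())
    print("with leaked db :", recover(blob, server.keys))
    print("without db     :", recover(blob, {}))
```

The point the model makes is the one in the post: the decryptor is not breaking anything, it is a table lookup keyed by the identifier the locker itself left in the file, which is why it works in seconds for victims whose key was in the seizure and not at all for anyone else.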