Is there antivirus software that detects malware files via database files?
I have heard that some viruses have their own database files from which an antivirus program can detect and quarantine it. Is it true? Why would a virus have a database file or dispatch files within it?
Viruses or malware generally contain many different types of files included with them to support their malicious operations. Almost all viruses will have some sort of executable code used for infecting the machine, as well as associated supporting files like libraries. Then, some malware will contain other executable code, like a rootkit, to fully take over a machine. There is also malware that includes database files of IP addresses, domain names, URLs or other means of connecting to its management infrastructure, though more advanced bots are now auto-generating URLs or domain names to avoid detection. Malware could also use a database of checksums for the files used in its operation, to ensure only legitimate files are used in the malicious operations and to protect itself from rival malware. The malware may even contain encryption keys used in securing its communications.
Antimalware and antivirus programs can detect a large number of different types of malicious files and activity. Traditional antimalware software detects malware files based on antimalware definitions -- these are essentially signatures -- to identify malicious or infected files and then quarantine them. The fact that malware includes database files will make it easily detectable by antimalware software, since those files can be matched by definitions just like the executable code. Many antimalware programs are now also using behavioral mechanisms to augment the signature-based detections.
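To make the definition-based detection described above concrete, here is an added example (not from the original answer or from any antivirus product) of a minimal scanner: it holds two kinds of definitions, an exact-file hash and a byte pattern, scans a directory, and moves any match into a quarantine folder. The sample files, the definition names and the `EVIL-MARKER` pattern are all constructed for the demo; real products use far larger definition sets and wildcard-capable pattern engines.

```python
import hashlib
import re
import shutil
import tempfile
from pathlib import Path

# Constructed byte-pattern definitions (hypothetical names, not a real product's set).
PATTERN_SIGNATURES = {"Constructed.Test.Dropper": rb"EVIL-MARKER-\d{4}"}


def sha256_of(path: Path) -> str:
    # Hash in chunks so large binaries do not have to fit in memory.
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def classify(path: Path, hash_sigs: dict, pattern_sigs: dict):
    """Return the matching definition name, or None if no definition matches."""
    digest = sha256_of(path)
    if digest in hash_sigs:  # exact-file definition: cheapest check first
        return hash_sigs[digest]
    data = path.read_bytes()
    for name, pattern in pattern_sigs.items():  # byte-pattern definition
        if re.search(pattern, data):
            return name
    return None


def scan_and_quarantine(root: Path, quarantine: Path, hash_sigs: dict, pattern_sigs: dict):
    """Scan every file under root; move matches into quarantine. Returns {name: definition}."""
    quarantine.mkdir(parents=True, exist_ok=True)
    hits = {}
    for path in sorted(p for p in root.rglob("*") if p.is_file()):  # list first, then move
        name = classify(path, hash_sigs, pattern_sigs)
        if name:
            shutil.move(str(path), str(quarantine / path.name))
            hits[path.name] = name
    return hits


def demo():
    """Build a constructed sample tree in a temp dir, scan it, and return the hits."""
    base = Path(tempfile.mkdtemp())
    root = base / "scan"
    root.mkdir()
    (root / "notes.txt").write_bytes(b"quarterly report, nothing suspicious here")
    (root / "dropper.bin").write_bytes(b"MZ header then EVIL-MARKER-2010 inside")
    known = root / "known.bin"
    known.write_bytes(b"constructed sample recognised only by its hash")
    hash_sigs = {sha256_of(known): "Constructed.Test.KnownHash"}  # built from the sample itself
    return scan_and_quarantine(root, base / "quarantine", hash_sigs, PATTERN_SIGNATURES)
```

Note that a hash definition only catches the exact file it was made from, which is why the byte-pattern definition and, in modern products, behavioral checks are needed alongside it.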
This was first published in July 2010