How clever is a typical virus detection application?

Imagine I download a film or some software illegally, and because it’s illegal some resourceful vigilante has hidden a virus within it. Can a virus program detect a virus in an executable before it is executed? If the executable as a whole is not a virus, but contains a virus (a trojan) within.

I put this here as the question ‘how clever’ is not normally one that gets a factual answer.

Yes and no.
First of all, a film isn’t executable, so it’s unlikely to be a problem, unless it exploits a flaw in the player application (rare, but not unheard of). Virus scanners will scan through files and match virus “signatures” to patterns found in the file, but it’s far from foolproof, and easy to circumvent by changing the virus code (which is why the anti-virus crowd is constantly updating).

To expand on what beowulff said, you need to understand that media files are not executables. Typically .mp3, .mpeg, .avi, .ogg, .wmv and other file extensions are safe to play and don’t trigger an anti-virus scan with most configurations. Occasionally hackers will disguise an executable file as a media file, giving it a title like “hot_pr0n.wmv.exe”, and under default Windows settings it hides the .exe portion of the extension, duping some users into running the executable thinking they are just playing a video.

Anti-virus software is not fooled by basic tactics like that. Anti-virus software is not clever at all, however. All an anti-virus scan does is compare existing files and registry entries to its catalog of known viruses and exploits. It’s not smart by any definition; it’s just able to run a fast comparison of your files to known threats.

If your supposed vigilante decided to create some new piece of malware and hide it inside an installation file of some pirated software you download, no anti-virus software in the world will catch it. Of course that stipulates that it is new code, which means that it’s not included in any of the anti-virus software’s virus definitions. AV software can’t recognize a random piece of code and deduce if it’s a virus or not just based on what it’s trying to do. Some firewalls and security software will prompt you when a piece of code accesses your registry or tries to run a program, but that happens universally and has no relation to what the code that triggers those actions says.

AV software is very dumb. All it does is hopefully prevent known viruses from doing something they have done in the past. If your ill-gotten software contains a known virus that’s hidden and/or injected using a previously seen method a good piece of AV software will prevent it. If the hacker has come up with something new you are on your own.

When it comes to virus prevention the levels of defense are:

  1. Know what the file you are clicking is.
  2. Know who you are getting it from and if they can be trusted.
  3. Have up-to-date Anti Virus Software.

And those are in order of importance; AV software is essentially unnecessary if you follow the first two guidelines to the letter. If you violate the first two, it’s a crap shoot if the AV will do you any good.
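The two mechanisms the reply above describes, the hidden double extension (“.wmv.exe”) and the signature comparison against a catalog of known patterns, can be shown in a few dozen lines. The script below is an added example and is not code from the thread or from any anti-virus product; its signature patterns, the in-memory “installer” archive and the file-extension tables are all constructed for illustration and match no real malware. It also generalizes the post's point slightly by scanning inside a zip archive, which is how a scanner inspects a payload bundled into an installer rather than sitting in the top-level file.

```python
import io
import zipfile
from pathlib import PurePath
from typing import Dict, List

# Illustrative extension tables for the double-extension check (not exhaustive).
MEDIA_EXTS = {".mp3", ".mpeg", ".mpg", ".avi", ".ogg", ".wmv", ".mp4", ".mkv"}
EXEC_EXTS = {".exe", ".scr", ".com", ".bat", ".cmd", ".pif", ".vbs", ".js"}


def masquerading_media(filename: str) -> bool:
    """True when the real (last) extension is executable but an earlier
    extension makes the name look like a media file, e.g. 'clip.wmv.exe'.
    With 'hide extensions for known file types' on, Windows would display
    that file as 'clip.wmv', which is the trick the post describes."""
    suffixes = [s.lower() for s in PurePath(filename).suffixes]
    if len(suffixes) < 2:
        return False
    return suffixes[-1] in EXEC_EXTS and any(s in MEDIA_EXTS for s in suffixes[:-1])


# Constructed "virus definitions": a name and the byte pattern a scanner looks
# for. These patterns are invented for the example and match no real malware.
SIGNATURES = {
    "Example.Dropper.A": b"OPEN_REGKEY\x00RUN_PAYLOAD",
    "Example.Worm.B": b"\xde\xad\xbe\xef\xde\xad\xbe\xef",
}


def scan_bytes(data: bytes) -> List[str]:
    """Return the names of every signature found in the blob. This substring
    search is the entire 'intelligence' of a pure signature scanner."""
    return [name for name, pattern in SIGNATURES.items() if pattern in data]


def scan_archive(archive_bytes: bytes) -> Dict[str, List[str]]:
    """Scan every member of a zip archive held in memory, so a payload hidden
    inside a bundled file is still inspected. Maps member name -> matches."""
    results: Dict[str, List[str]] = {}
    with zipfile.ZipFile(io.BytesIO(archive_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            results[info.filename] = scan_bytes(zf.read(info))
    return results


def build_sample_archive(payload: bytes) -> bytes:
    """Construct a small zip standing in for a 'pirated installer': a harmless
    readme plus a 'setup.exe' whose bytes include the payload. The 'MZ' prefix
    only mimics the look of a PE header; nothing in this archive is runnable."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("readme.txt", "Thanks for downloading!\n")
        zf.writestr("setup.exe", b"MZ" + b"\x00" * 14 + payload + b"\x00" * 16)
    return buf.getvalue()


def demo() -> dict:
    """Run the checks the post touches on and return their outcomes."""
    known = SIGNATURES["Example.Dropper.A"]
    # A single changed byte: the scanner's catalog no longer has anything to
    # match, which is the 'new code gets through' point made in the thread.
    variant = b"OPEN_REGKEY\x00RUN_PAYL0AD"
    return {
        "double_ext_flagged": masquerading_media("movie.wmv.exe"),
        "plain_media_flagged": masquerading_media("movie.wmv"),
        "known_in_archive": scan_archive(build_sample_archive(known)),
        "variant_in_archive": scan_archive(build_sample_archive(variant)),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running it shows the two halves of the reply side by side: the double-extension name is flagged while the plain media name is not, the known pattern is found inside `setup.exe` even though it is buried in an archive, and the one-byte variant produces no match at all. Real products layer heuristics, emulation and reputation data on top of this, but the catalog lookup is still the core the post is describing.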