How is the VGrep database created?
- First, the anti-virus products are run across an extensive collection of viruses. Each product is set to scan files with non-executable extensions (the files in the collection have been renamed to prevent someone running one by accident), to write a log file, and to run without user input.
- Next, the log files have to be parsed. Each log file is converted to a generic format: FILENAME|VIRUS_FOUND.
- These intermediate logs are sorted and compared to detect whether a product has skipped a file or has not reported that a file was infected: some products cannot be told to report all files checked. Missing entries are fixed, and the files are sorted again. All the logs are now of the same length and in the same order.
- The files are now combined. This is fairly simple, because of the strict ordering imposed in the previous step.
- Finally, the filenames are removed, the file is sorted, and duplicates are removed, creating VGREP.DAT. VGREP.CFG is created manually, and specifies the order of the products on each line of VGREP.DAT. VGREP.EXE does not need to be recompiled unless new features have been added. These files can be downloaded as part of the vgrep.zip file.
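The steps above can be followed end to end in a short script. This is an added illustration, not VGrep's own build tooling: the product names, sample filenames and virus names are constructed, and the `-` placeholder for a patched entry and the `|` column separator are assumptions, since the page does not describe the layout of VGREP.DAT.

```python
# Added illustration; not VGrep's own build tooling.
# Constructed per-product logs, already converted to FILENAME|VIRUS_FOUND.
LOGS = {
    "ProductA": ["0002.VXE|Cascade.1701", "0001.VXE|Form.A",
                 "0003.VXE|Jerusalem.1808", "0004.VXE|Form.A"],
    "ProductB": ["0001.VXE|FORM", "0003.VXE|Jeru-1808",
                 "0004.VXE|FORM"],  # this product never reported 0002.VXE
    "ProductC": ["0003.VXE|Jerusalem", "0002.VXE|Cascade",
                 "0001.VXE|Form", "0004.VXE|Form"],
}
PLACEHOLDER = "-"  # assumption: marker written when a product logged nothing
SEP = "|"          # assumption: column separator in the combined file


def parse(lines):
    """Turn FILENAME|VIRUS_FOUND lines into {filename: virus_name}."""
    result = {}
    for line in lines:
        filename, _, name = line.strip().partition("|")
        if filename:
            result[filename] = name or PLACEHOLDER
    return result


def missing_entries(logs):
    """List, per product, the files it failed to log (the entries to patch)."""
    parsed = {p: parse(lines) for p, lines in logs.items()}
    all_files = set().union(*parsed.values())
    return {p: sorted(all_files - set(m))
            for p, m in parsed.items() if all_files - set(m)}


def build(logs, order):
    """Return (cfg, dat): the product order and the deduplicated name rows."""
    parsed = {p: parse(lines) for p, lines in logs.items()}
    # One strict ordering of every file that any product reported.
    all_files = sorted(set().union(*parsed.values()))
    # Patch skipped files so every product has an entry for every file.
    rows = [[parsed[p].get(f, PLACEHOLDER) for p in order] for f in all_files]
    # Filenames are dropped here; the rows are sorted and duplicates removed.
    dat = sorted({SEP.join(row) for row in rows})
    return list(order), dat


if __name__ == "__main__":
    cfg, dat = build(LOGS, ["ProductA", "ProductB", "ProductC"])
    print(cfg, *dat, missing_entries(LOGS), sep="\n")
```

Four sample files collapse to three rows because two of them receive identical names from every product, which is the effect of the final sort-and-deduplicate step.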
Adding products to VGrep
There are certain minimum requirements a product must fulfill before it can be considered for addition to VGrep. It must be able to run unattended, it must write an ASCII text log file (this does not have to contain the name of every file scanned, as it is patched later), and it must be able to correctly scan renamed executables. It must also be able to check for boot sector viruses in files, because the boot sector viruses are stored in disk images in the collection. Finally, the application must be entirely controllable from the command line.
These requirements trip up quite a number of products, especially in these modern times when people place a lot of emphasis on user interfaces. It should be possible to add any product that meets these requirements to VGrep.
More details:
- What is VGrep, and why do we need it?
- VGrep's input and output
- Which products are indexed?

