Welcome to Malware Analysis for Hedgehogs. I read a comment recently, I don't know where, maybe it was Reddit or so, where the person said: well, there have been so many years that antivirus programs exist and that people work on them, so why are they still not able to detect malware perfectly? Well, yeah, what's the problem? It can't be so hard, right? The thing is, it's actually not possible to create a perfect antivirus solution. We will start diving into that with Fred Cohen, and after that we will talk about malware in general, because viruses are only a subset of it.

All right, so Fred Cohen wrote his paper in 1984, and he first created a definition for a computer virus. It was not such a common thing back then. So he said a computer virus is a program that can infect other programs by modifying them to include a possibly evolved copy of itself. Maybe you remember, maybe you've seen my last video on virus infection strategies. The example Cohen provides is a prepending virus. So this virus will prepend itself to the host file, and that means it will be executed because it's first; upon execution it infects other files, and then it may run the code of the host file. That's a very typical prepending virus, and just an example of one version of it.

All right, now his paper makes a proof by, well, by stating the opposite: let's assume there is actually a perfect solution for this, a perfect virus detection program. Then he contradicts this statement; therefore the perfect detection program does not exist. So let's assume we have a perfect one. We have viruses, we have good files, and the detection program will answer the question "Is this a computer virus?" In the case of a virus it always says yes, in the case of a good file it always says no, because it's perfect, right? So: is this a virus? Yes or no.
But now we have this idea: let's assume we have a pretty weird program, the "maybe virus" program. That's how I call it; he just called it virus, which is a bit weird because, well, let's see. So, maybe virus: this program will decide if it's a virus or not based on the output of our perfect detection program. So if the virus scanner says "yeah, you are a virus", this program will decide not to be a virus and just not infect anything, ever. But if the detection program says "no, you're not a virus", it will infect other files. So then we have the contradiction. That means a perfect detection program cannot exist. It's just not possible. We have one example that disproves it.

So what does this mean? In this case it says that virus detection is an undecidable problem. In the mathematical sense, an undecidable problem just means that there's no algorithm that will perfectly decide this question. So this is about being perfect. This does not mean that we can never decide whether a file is malicious or not. There's just no perfect solution. But there can be a solution that is just good enough. And as you maybe know, antivirus products detect malware, not just viruses, but viruses are a subset of malware. So the same thing is true for malware in general: if we cannot detect the subset perfectly, we also cannot detect the superset of it.

So there's that. Now, I don't know about you, but when I started studying computer science, at the beginning I had a hard time wrapping my head around these proofs. Like, why is it true? I just find this, you know, I make this contradiction and then I don't get it. So yeah, I don't know, but maybe it will be a bit more clear if I give you some more examples. So let's assume we have a program that downloads and executes a file. Is that a malicious program? Well, actually it depends on what it downloads, right?
But the things that are downloaded may change. Someone may suddenly replace the file on the server with a malicious file, and before it was just a good file. Let's assume you have a setup program that loads other files and executes them to make the installation happen, and someone replaces these files with malicious files. Suddenly it's a malware downloader and not just a setup program, and the file itself didn't change at all. So it's just the external circumstances that make it malicious, right? That's quite difficult, because the malware scanner usually just decides based on the file that's on disk.

Also, if you have a remote access tool, for instance, it is not clear in general whether it's malicious or not; it depends on how it is used, right? You might use it to help someone with technical problems, but you may also misuse it, you know, to gain access to someone's computer without their authorization. So what do you do? You generally decide on how the program is used in most cases. Like, if it's a very common tech support tool that makes it quite hard to misuse it because, you know, it may have some security measures. Like, the technician has to input a number that the client provides before they can make a connection. And maybe the client program will always notify you: oh, there's someone else on your system. So it's hard to do this without any authorization. And you may also not be able to silently install it. This would all be more of an indicator that this is a good program. Whereas RATs, remote access tools that include functionality like, you know, ejecting the CD drive for no reason, and ransomware,
I don't know, anything that's more of a joke, and where you have silent installs and anti-AV stuff, that's certainly used in a malicious sense, because it makes it easier to misuse the program. Or if it adds a stealer or anything. But of course, if it adds malware, there's no way.

Yeah, but that's kind of difficult. So you also have these tools that are right in the middle, in the gray area. Sometimes antivirus companies may declare them as riskware: instead of saying it's good, they say it's a risk, we don't know if you want this. So they will say it's potentially unwanted, it's a risk to you. If you want it, keep it, but if not, please get rid of it.

Sometimes you have programs, you know, that do harm and do good at the same time. So what are you going to do with them? You might have to weigh which of these sides is more important. Cohen made an example of a compression virus. This would be a virus that compresses all the files on your system, so you have more space available, and back in his time it was pretty good to have more space, because there wasn't that much. But on the other hand, this virus will make your system slower, because every time you start a program it has to decrypt the main code of the program before it can run. So the performance will drop. This program has pros and cons, but in my opinion, if it's a virus, it's malware, even in that case. He says the virus will ask for permission before it compresses anything. Imagine you actually run this on your system and have to give permission for thousands of files. I don't think you want this in any way.
So that's a malicious program, also considering that if it compresses files it will also try to compress other files, because otherwise it wouldn't be a virus. So no, that's not a good program, not at all.

But I guess you can imagine that for some things it's really hard to tell whether the file is good or not. Sometimes it depends on how much people use the program. Like, you could have a program that has a lot of downsides, where you would usually say: who wants that? It may have ads in it, and it may monitor your system, and it may not tell you that it does this. But it's also a pretty cool messenger and all of your friends use it, and maybe it's the only messenger that is available for your language and you have no alternative. So if it's used that often and is so widespread, it will not be detected, also not as a spot, because obviously people want it despite all of the downsides of the program. In some cases we have files where I had to ask several of my colleagues before deciding what to do with them. Some cases are just difficult, and it will always be so.

So, well, maybe you have some examples for me. Put them in the comment section below if you have some other examples where you would say: okay, that's a really, really gray area where I can't decide whether that's malicious or not. And if you have any questions, do ask them. Yeah, that's it. So thanks for watching. Bye bye.
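
Cohen's contradiction from the first part of the video, as a toy model. This is an added example, not code from the video or from Cohen's paper; "infecting" is modelled purely as a returned flag, and all names (`make_maybe_virus`, `sandbox_detector`, and so on) are constructed for the illustration.

```python
from typing import Callable, Tuple

# A "program" is a function that returns True if it would infect something
# when run, and False if it stays harmless. Nothing here touches any files.
Program = Callable[[], bool]
Detector = Callable[[Program], bool]  # True means "this is a virus"

def make_maybe_virus(detector: Detector) -> Program:
    """Build the program that does the opposite of the detector's verdict."""
    def maybe_virus() -> bool:
        if detector(maybe_virus):
            return False  # flagged as a virus: never infect anything
        return True       # declared clean: infect (flag only)
    return maybe_virus

def contradiction(detector: Detector) -> Tuple[bool, bool]:
    """Return (verdict, actual behaviour) for the detector's own maybe-virus."""
    program = make_maybe_virus(detector)
    return detector(program), program()

# Three candidate "perfect" detectors (all constructed).
def always_yes(program: Program) -> bool:
    return True

def always_no(program: Program) -> bool:
    return False

def sandbox_detector(budget: int) -> Detector:
    """Behavioural detector: runs the program and reports what it did.
    The maybe-virus calls the detector again, so the detector needs a
    depth budget and must guess "clean" once the budget is used up."""
    depth = 0
    def detect(program: Program) -> bool:
        nonlocal depth
        if depth >= budget:
            return False
        depth += 1
        try:
            return program()
        finally:
            depth -= 1
    return detect

if __name__ == "__main__":
    candidates = [("always_yes", always_yes), ("always_no", always_no),
                  ("sandbox(20)", sandbox_detector(20)),
                  ("sandbox(21)", sandbox_detector(21))]
    for name, det in candidates:
        verdict, behaviour = contradiction(det)
        print(f"{name}: verdict={verdict} behaviour={behaviour}")
```

Every deterministic detector that terminates gives a verdict that disagrees with what its own maybe-virus then does, which is the contradiction; the detector can still be right about every other program.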