When a new program opens, my program scans that newly opened program, and if its MD5 exists in a locally hosted database, a dialogue called Detect.vb should come up saying "Virus detected".

However, that Form isn't. For some reason when I open a file that I've purposely listed in the MD5 database, when I open it, my program starts to run super slowly, and the dialogue never comes up. What is wrong with my code?


Private Sub FileSystemWatcher1_Changed(ByVal sender As Object, ByVal e As System.IO.FileSystemEventArgs)
       Try
           Detect.Label3.Text = e.FullPath
           Quarantinevb.ListBox1.Items.Add(Detect.Label3.Text)
           Me.OpenFileDialog1.FileName = ""
           Dim scanbox As New TextBox
           scanbox.Text = My.Computer.FileSystem.ReadAllText(Application.StartupPath & "viruslist.txt").ToString
           Dim md5 As New MD5CryptoServiceProvider
           Dim f As New FileStream(e.FullPath, FileMode.Open, FileAccess.Read, FileShare.Read, &H2000)
           f = New FileStream(e.FullPath, FileMode.Open, FileAccess.Read, FileShare.Read, &H2000)
           md5.ComputeHash(f)
           Dim hash As Byte() = md5.Hash
           Dim buff As New StringBuilder
           Dim hashByte As Byte
           For Each hashByte In hash
               buff.Append(String.Format("{0:X2}", hashByte))
           Next
           f.Close()
           If scanbox.Text.Contains(buff.ToString) Then
               Me.OpenFileDialog1.FileName = e.FullPath
               Detect.Show()
               Detect.BringToFront()


               WriteToLog("Virus detected")

           End If

       Catch exception1 As Exception
           ProjectData.SetProjectError(exception1)
           Dim ex As Exception = exception1
           ProjectData.ClearProjectError()
       End Try
   End Sub



Note: If I remove
Dim f As New FileStream(e.FullPath, FileMode.Open, FileAccess.Read, FileShare.Read, &H2000)
it gives me a not declared error.

What I have tried:

Trying different methods for reading files.


Removing all viruslist.txt on my PC and re-making the file.


Reading over my code and searching up if everything is correct.
Updated 6-Jun-18 0:12am
Comments
Richard Deeming 6-Jun-18 12:30pm    
Is this a homework assignment? You seem to be asking exactly the same question that @Helpmecodeplz was asking last August.

Questions & Answers by Helpmecodeplz - CodeProject

You even have exactly the same mistakes in your code, so unless that's what your teacher has given you, you must have copied the code from another student.

Oh gawd...
Quote:
When a new program opens, my program scans that newly opened program, and if its MD5 exists in a locally hosted database, a dialogue called Detect.vb should come up saying "Virus detected".
That isn't going to work, not even slightly.

MD5 is a hashing code, which produces a value based on the whole content of the byte stream you pass it. A single change, even a single bit changing from 0 to 1 or vice versa will result in a wildly different hash value. When a virus infects a file, the MD5 you will calculate will be the hash value for the whole file and the "new" material the virus added. If the same virus attacks two different files, the MD5 value you calculate will be totally different - and neither of them will appear in your "signatures database", so you will never detect them.

The only way to use hashing to "detect viruses" is to calculate the hash value for all unaffected files, and then use that to detect changed values which may indicate virus activity. You can't just "look up a hash" in a DB and say "that's a virus" because hashing - and viruses - just do not work like that.

And that's before you even start to get to polymorphic viruses which change their own code to avoid detection!

Seriously: this is a bad idea - it instills a false sense of security in the user and in practice provides little or no protection from malware of any form.
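
The baseline approach described in the answer above, as an added example that is not part of the original answer: hash every file while a folder is known to be clean, then report any file that is new or whose hash no longer matches. It uses SHA-256 rather than MD5, and the module, function and file names are illustrative assumptions.

```vbnet
Imports System
Imports System.Collections.Generic
Imports System.IO
Imports System.Security.Cryptography

Module IntegrityBaselineDemo
    ' Hex SHA-256 of a file; the single stream is disposed by Using.
    Function HashFile(filePath As String) As String
        Using sha As SHA256 = SHA256.Create(), fs As FileStream = File.OpenRead(filePath)
            Return BitConverter.ToString(sha.ComputeHash(fs)).Replace("-", "")
        End Using
    End Function

    ' Record a hash for every file while the folder is known to be clean.
    Function BuildBaseline(folder As String) As Dictionary(Of String, String)
        Dim baseline As New Dictionary(Of String, String)
        For Each p As String In Directory.GetFiles(folder)
            baseline(p) = HashFile(p)
        Next
        Return baseline
    End Function

    ' Report files that are new or whose content no longer matches the baseline.
    Function FindChanges(folder As String, baseline As Dictionary(Of String, String)) As List(Of String)
        Dim findings As New List(Of String)
        For Each p As String In Directory.GetFiles(folder)
            Dim known As String = Nothing
            If Not baseline.TryGetValue(p, known) Then
                findings.Add("NEW      " & p)
            ElseIf known <> HashFile(p) Then
                findings.Add("MODIFIED " & p)
            End If
        Next
        Return findings
    End Function

    Sub Main()
        ' Constructed sample data in a temporary folder.
        Dim folder As String = Path.Combine(Path.GetTempPath(), Path.GetRandomFileName())
        Directory.CreateDirectory(folder)
        File.WriteAllText(Path.Combine(folder, "a.txt"), "first clean file")
        File.WriteAllText(Path.Combine(folder, "b.txt"), "second clean file")
        Dim baseline As Dictionary(Of String, String) = BuildBaseline(folder)
        ' Same bytes appended to two different files: two unrelated hashes, both flagged.
        File.AppendAllText(Path.Combine(folder, "a.txt"), "SAME-APPENDED-BYTES")
        File.AppendAllText(Path.Combine(folder, "b.txt"), "SAME-APPENDED-BYTES")
        Console.WriteLine(String.Join(Environment.NewLine, FindChanges(folder, baseline)))
        Directory.Delete(folder, True)
    End Sub
End Module
```
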
 
 
Comments
Member 13242613 6-Jun-18 6:28am    
So what would you recommend I do?
Dave Kreskowiak 6-Jun-18 8:19am    
A couple of years of research to learn how viruses and malware work.

Hell, they can even spoof YOUR code into thinking it's still reading the original file when it has indeed been modified!

Just using normal file operations isn't going to detect anything but the simplest forms of these virii.
Member 13242613 6-Jun-18 6:35am    
As in, how do modern anti-viruses find viruses?
OriginalGriff 6-Jun-18 6:48am    
Modern viruses are horribly complicated things - other than those written by script kiddies - they pretty much have to be to get past the heuristic detectors that modern virus scanners use as part (and only part) of their arsenal.

The early scanners looked for "virus signatures" - specific changes that were made to files, so they ended up with a particular byte pattern embedded in them at a specific location. But that was easy to spot, so virus writers stepped it up a notch. So the virus detectors caught up, and an arms race began.

How do modern detectors work? You'd have to ask McAfee, Kaspersky, Microsoft - and they won't tell you because that is giving away the information they have invested a load of time and money in, and also making life easier for virus writers! If you know how a detector works, it's a lot easier to work round it by spotting what it doesn't look at.

I'd say "drop the whole idea" - but I don't even know why you are trying to write this. If it's for yourself, then throw it in the bin, find a different project, and chalk it up to experience - we all have to do that from time to time and it's hard to do. If it isn't, then why are you doing it?
Member 13242613 6-Jun-18 6:50am    
I thought it would work, but it's obviously not. The only reason why I'm using such language is because I'm more familiar with it than with any other language.


May I ask, what programming language(s) do you recommend for AV?
Why do you open the file twice?

As a result you will have two handles to the same file but only one will be closed because f holds internally the handle of the second call while the first handle is not accessible anymore.

Let the line where you declare (Dim) and assign f in place and remove the next line where you reopen the file.
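
The double open described in this answer, next to a corrected version, as an added example that is not code from the thread: Md5HexLeaky repeats the question's pattern, Md5HexFixed opens the file once inside Using, and the hypothetical helper CanOpenExclusively shows whether a handle was left behind. All names and the sample file are assumptions made for the illustration.

```vbnet
Imports System
Imports System.IO
Imports System.Security.Cryptography

Module SingleOpenHashDemo
    ' Pattern from the question: the first stream is replaced and never closed.
    Function Md5HexLeaky(filePath As String) As String
        Dim hasher As MD5 = MD5.Create()
        Dim f As New FileStream(filePath, FileMode.Open, FileAccess.Read, FileShare.Read, &H2000)
        f = New FileStream(filePath, FileMode.Open, FileAccess.Read, FileShare.Read, &H2000)
        Dim result As String = BitConverter.ToString(hasher.ComputeHash(f)).Replace("-", "")
        f.Close()
        Return result
    End Function

    ' Corrected: one stream, and Using closes it even if ComputeHash throws.
    Function Md5HexFixed(filePath As String) As String
        Using hasher As MD5 = MD5.Create()
            Using f As New FileStream(filePath, FileMode.Open, FileAccess.Read, FileShare.Read, &H2000)
                Return BitConverter.ToString(hasher.ComputeHash(f)).Replace("-", "")
            End Using
        End Using
    End Function

    ' An exclusive open only succeeds when no other handle to the file is open.
    Function CanOpenExclusively(filePath As String) As Boolean
        Try
            Using f As New FileStream(filePath, FileMode.Open, FileAccess.ReadWrite, FileShare.None)
                Return True
            End Using
        Catch ex As IOException
            Return False
        End Try
    End Function

    Sub Main()
        ' Constructed sample file in the temp directory.
        Dim sample As String = Path.GetTempFileName()
        File.WriteAllText(sample, "constructed sample content")
        Console.WriteLine("fixed  {0}  released: {1}", Md5HexFixed(sample), CanOpenExclusively(sample))
        Console.WriteLine("leaky  {0}  released: {1}", Md5HexLeaky(sample), CanOpenExclusively(sample))
        ' Force finalization of the abandoned stream so the sample can be deleted.
        GC.Collect()
        GC.WaitForPendingFinalizers()
        File.Delete(sample)
    End Sub
End Module
```

On Windows the abandoned stream keeps its handle until the garbage collector finalizes it, so a scanner built on the leaky pattern can leave every file it inspects locked against exclusive access for an unpredictable time.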
 
 

This content, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)


