Scanning Internals - arlotalkington/Virus-Be-Gone GitHub Wiki

🧠 Scanning Internals

Virus Be Gone uses SHA-256 hash-based scanning to detect known malicious files: each file's digest is looked up in a list of known-bad hashes. Here's how the system works under the hood when scanning.


🧬 How Files Are Checked

Each file is:

  1. Opened read-only in binary mode (the scanner only reads bytes; it never executes or parses the file)
  2. Hashed using SHA-256
  3. Compared, as an exact match, against the loaded virus signatures

If a match is found, the file is automatically moved to quarantine (a --dry-run option that only reports matches without quarantining is planned for a future version).

Because the comparison is an exact hash match, only files that are byte-for-byte identical to a known sample are detected; a single changed byte, a repack or a re-sign produces a different hash. That gap is what the heuristic scanning listed under Future Improvements is meant to close.
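The three steps above as working code. This is an added example written for this page, not Virus Be Gone's own scanner; the function names, the 1 MiB chunk size, the ScanResult shape and the constructed sample bytes in the demo are my choices, not the project's.

```python
import hashlib
import os
from dataclasses import dataclass
from typing import Optional

CHUNK_SIZE = 1024 * 1024  # read 1 MiB at a time so a huge file doesn't fill memory


def sha256_file(path: str) -> Optional[str]:
    """Return the lowercase hex SHA-256 of a file, or None if it can't be read.

    The file is opened read-only in binary mode and only ever fed to the hash;
    a malicious sample is just bytes here. Unreadable or locked files yield
    None so one bad file doesn't abort the whole scan.
    """
    digest = hashlib.sha256()
    try:
        with open(path, "rb") as fh:
            for chunk in iter(lambda: fh.read(CHUNK_SIZE), b""):
                digest.update(chunk)
    except OSError:  # PermissionError, FileNotFoundError, locked file, ...
        return None
    return digest.hexdigest()


@dataclass
class ScanResult:
    path: str
    sha256: Optional[str]  # None when the file could not be hashed
    infected: bool


def check_file(path: str, signatures: frozenset) -> ScanResult:
    """Hash one file and look the digest up in the signature set.

    The lookup is an exact match: only a byte-identical copy of a known sample
    is flagged, and flipping a single byte produces a different digest.
    """
    digest = sha256_file(path)
    return ScanResult(path, digest, digest is not None and digest in signatures)


if __name__ == "__main__":
    # Constructed demo (not real malware): one file whose hash we register as a
    # "signature" and a copy that differs by one byte.
    import tempfile

    with tempfile.TemporaryDirectory() as tmp:
        known = os.path.join(tmp, "known.bin")
        variant = os.path.join(tmp, "variant.bin")
        with open(known, "wb") as fh:
            fh.write(b"MZ\x90\x00 constructed sample")
        with open(variant, "wb") as fh:
            fh.write(b"MZ\x90\x00 constructed sampl3")
        sigs = frozenset({sha256_file(known)})
        for p in (known, variant):
            r = check_file(p, sigs)
            print(f"{os.path.basename(p)}: {'INFECTED' if r.infected else 'clean'}")
```

Run it directly to see the known sample flagged and its one-byte variant pass as clean; that second line is the whole limitation of hash-only detection in one run.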


🔍 Scan Modes

🔹 Full Scan

  • Traverses every folder and file.
  • Very thorough, but can take time.

🔹 Quick Scan

  • Scans only high-risk folders like:
    • Downloads
    • Desktop
    • Documents
    • Pictures
    • OneDrive
    • AppData
    • C:\Windows
  • Filters out junk/system folders like:
    • $Recycle.Bin
    • System Volume Information
    • Temp
    • .cache
  • Note that skipping Temp also skips a folder malware commonly stages payloads in; run a Full or Custom Scan if you suspect something was dropped there.

🔹 Custom Scan

  • Lets you choose a path and a maximum number of files to scan.
  • Useful for suspicious folders or specific checks.
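How the Quick and Custom Scan rules above turn into a file walker. This is an added example, not the project's code: quick_scan_roots, iter_files, the max_files parameter (my reading of "how many files to scan") and the case-insensitive matching of the excluded folder names are all assumptions made for illustration.

```python
import os
from typing import Iterable, Iterator, Optional

# Folder names the quick scan skips (the list above). Matched case-insensitively
# on the folder's own name, so "TEMP" and "temp" are both pruned.
EXCLUDED_DIR_NAMES = frozenset(
    n.lower() for n in ("$Recycle.Bin", "System Volume Information", "Temp", ".cache")
)


def quick_scan_roots(home: Optional[str] = None) -> list:
    """High-risk folders for a quick scan; folders that don't exist are dropped."""
    home = home or os.path.expanduser("~")
    candidates = [
        os.path.join(home, d)
        for d in ("Downloads", "Desktop", "Documents", "Pictures", "OneDrive", "AppData")
    ]
    candidates.append(r"C:\Windows")
    return [p for p in candidates if os.path.isdir(p)]


def is_excluded(path: str) -> bool:
    """True if the final path component is one of the excluded folder names."""
    return os.path.basename(path.rstrip("\\/")).lower() in EXCLUDED_DIR_NAMES


def iter_files(roots: Iterable[str], max_files: Optional[int] = None) -> Iterator[str]:
    """Yield file paths under roots, never descending into excluded folders.

    Excluded directories are removed from os.walk's dirnames list in place, so
    the walk prunes whole subtrees instead of filtering files one by one.
    followlinks stays False so a symlink loop (or a link into a huge tree)
    can't trap the scan. max_files caps the total, which is what a Custom
    Scan needs; Full Scan passes None.
    """
    count = 0
    for root in roots:
        for dirpath, dirnames, filenames in os.walk(root, followlinks=False):
            dirnames[:] = [d for d in dirnames if d.lower() not in EXCLUDED_DIR_NAMES]
            for name in filenames:
                if max_files is not None and count >= max_files:
                    return
                count += 1
                yield os.path.join(dirpath, name)


if __name__ == "__main__":
    # Quick scan: the high-risk roots, no cap. Custom scan: one path, capped.
    for path in iter_files(quick_scan_roots()):
        print(path)
    for path in iter_files([os.path.expanduser("~/Downloads")], max_files=50):
        print(path)
```

Pruning dirnames in place is the detail that matters: filtering after the fact still walks $Recycle.Bin and System Volume Information, which is slow and throws permission errors for every entry.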

🛑 What Happens to Infected Files?

If a file's hash matches a known signature:

  • It's moved to the quarantine/ folder.
  • The original is removed from its location (this fails if the file is locked by a running process; administrator rights are recommended).
  • Its permissions are restricted so it can no longer be run.

The quarantined copy still contains the original bytes, so the permission change is what keeps it from being executed or opened; treat quarantine/ as hostile data, not as safe storage.
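The quarantine steps above as one function. This is an added example, not the project's quarantine code; naming the stored file by its hash with a .quarantined suffix, writing a JSON sidecar with the original path, and treating a failed move (PermissionError on a locked file, on Windows) as "leave it and report" are my assumptions, not documented project behaviour.

```python
import json
import os
import shutil
import stat
import time
from typing import Optional


def quarantine_file(path: str, quarantine_dir: str, sha256: str) -> Optional[str]:
    """Move an infected file into quarantine_dir and lock it down.

    Returns the path of the quarantined copy, or None if the original could
    not be moved (locked by another process, permission denied, already gone).
    The stored name is the hash plus ".quarantined": duplicates collapse to one
    entry and nothing in the folder keeps an executable extension. A sidecar
    JSON records where the file came from so it can be restored later.
    """
    os.makedirs(quarantine_dir, exist_ok=True)
    dest = os.path.join(quarantine_dir, f"{sha256}.quarantined")

    if os.path.exists(dest):
        # Same sample already held; just drop the incoming duplicate.
        try:
            os.remove(path)
        except OSError:
            return None
        return dest

    try:
        shutil.move(path, dest)  # rename on the same volume, copy+delete otherwise
    except (OSError, shutil.Error):
        return None  # locked file or no rights: nothing was changed, report it

    # Owner read-only, nothing for group/others, no execute bit. On Windows
    # chmod can only set the read-only attribute, which is still what we want.
    os.chmod(dest, stat.S_IRUSR)

    with open(dest + ".json", "w", encoding="utf-8") as meta:
        json.dump(
            {
                "original_path": os.path.abspath(path),
                "sha256": sha256,
                "quarantined_at": time.time(),
            },
            meta,
            indent=2,
        )
    return dest
```

On Windows a file that is currently executing, or open in another process without share-delete, cannot be moved at all; that is the "unless locked" case above, and it is also why running the scanner elevated helps only with permissions, not with locks.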

📁 Signature Database

Signatures are stored in .json files inside the signatures/ folder.

Each entry holds one SHA-256 digest as 64 lowercase hex characters and looks like:

{
  "hash": "d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2"
}

You can split signatures across multiple files like:

  • signatures_part_1.json
  • signatures_part_2.json
  • etc.

Use reload_sigs to reload these at runtime. When loading, normalize entries to lowercase and check that each is exactly 64 hex characters: a hash pasted in uppercase, or an MD5 that slipped in from another tool, would otherwise sit in the database and never match anything.
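A loader for the layout described above. This is an added example, not the project's own code: it assumes each signatures*.json file holds either a single {"hash": ...} object (the entry shown above), a JSON array of such objects, or bare hash strings; the container format beyond the single entry is my assumption. Calling load_signatures again is all a runtime reload like reload_sigs needs to do.

```python
import glob
import json
import os
import re
from typing import FrozenSet, Iterable, List, Tuple

HEX_SHA256 = re.compile(r"^[0-9a-f]{64}$")


def _extract_hashes(doc) -> Iterable[str]:
    """Yield raw hash strings from a parsed signature file.

    Accepts the {"hash": ...} object on its own or inside a JSON array, and
    bare strings inside an array (assumed layouts). Anything else is ignored.
    """
    if isinstance(doc, dict):
        doc = [doc]
    if not isinstance(doc, list):
        return
    for entry in doc:
        value = entry.get("hash") if isinstance(entry, dict) else entry
        if isinstance(value, str):
            yield value


def load_signatures(sig_dir: str) -> Tuple[FrozenSet[str], List[str]]:
    """Merge every signatures*.json in sig_dir into one frozenset of lowercase hex.

    Returns (signatures, warnings). Entries that are not 64 hex characters
    (MD5s, truncated pastes, typos) are rejected and reported instead of
    being silently kept: a bad entry can never match and only inflates the
    apparent signature count. Files that fail to parse are skipped the same
    way, so one broken part file doesn't take the whole database down.
    """
    good, warnings = set(), []
    for path in sorted(glob.glob(os.path.join(sig_dir, "signatures*.json"))):
        try:
            with open(path, "r", encoding="utf-8") as fh:
                doc = json.load(fh)
        except (OSError, ValueError) as exc:  # json.JSONDecodeError is a ValueError
            warnings.append(f"{path}: skipped ({exc})")
            continue
        for raw in _extract_hashes(doc):
            h = raw.strip().lower()
            if HEX_SHA256.match(h):
                good.add(h)
            else:
                warnings.append(f"{path}: rejected {raw!r}")
    return frozenset(good), warnings


if __name__ == "__main__":
    sigs, warnings = load_signatures("signatures")
    for line in warnings:
        print("signature warning:", line)
    print(f"{len(sigs)} signatures loaded")
```

Returning a frozenset is deliberate: membership tests are O(1) regardless of database size, and the set cannot be mutated by accident between a reload and a scan.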


🛠 Future Improvements

  • Heuristic (fuzzy) scanning
  • Real-time file behavior analysis
  • Custom exclusions & allowlists
  • Multi-threaded scanning

Virus Be Gone was made to be simple, transparent, and hackable. Explore the source and make it yours!