How does anti-virus software work?
From Wikipedia, the free encyclopedia.
An anti-virus software program is a computer program that can be used to scan files to identify and eliminate computer viruses and other malicious software (malware).
Anti-virus software typically uses two different techniques to accomplish this:
the virus dictionary approach, which examines files for code that matches known viruses, and
the suspicious behavior approach, which monitors the behavior of running programs.
Most commercial anti-virus software uses both of these approaches, with an emphasis on the virus
dictionary approach.
Virus dictionary approach
In the virus dictionary approach, when the anti-virus software examines a file, it refers to
a dictionary of known viruses that have been identified by the author of the
anti-virus software. If a piece of code in the file matches any virus identified
in the dictionary, then the anti-virus software can either delete the file,
quarantine it so that the file is inaccessible to other programs and its virus
is unable to spread, or attempt to repair the file by removing the virus itself
from the file.
To be successful in the medium and long term, the virus dictionary approach
requires periodic online downloads of updated virus dictionary entries. As new
viruses are identified "in the wild", civically minded and technically inclined
users can send their infected files to the authors of anti-virus software, who
then include information about the new viruses in their dictionaries.
Dictionary-based anti-virus software typically examines files when the
computer's operating system creates, opens, and closes them; and when the files
are e-mailed. In this way, a known virus can be detected immediately upon
receipt. The software can also typically be scheduled to examine all files on
the user's hard disk on a regular basis.
Although the dictionary approach is considered effective, virus authors have
tried to stay a step ahead of such software by writing "polymorphic viruses",
which encrypt parts of themselves or otherwise modify themselves as a method of
disguise, so as to not match the virus's signature in the dictionary.
Suspicious behavior approach
The suspicious
behavior approach, by contrast, doesn't attempt to identify known viruses, but
instead monitors the behavior of all programs. If one program tries to write
data to an executable program, for example, this is flagged as suspicious
behavior and the user is alerted to this, and asked what to do.
Unlike the dictionary approach, the suspicious behavior approach therefore
provides protection against brand-new viruses that do not yet exist in any virus
dictionary. However, it also produces a large number of false positives, and
users tend to become desensitized to all the warnings. If the user clicks
"Accept" on every such warning, then the anti-virus software is obviously
useless to that user. This problem has been made especially worse over the past
7 years, since many more non-malicious program designs chose to modify other
.exe files without regard to this false-positive issue. Thus, most modern anti-virus
software uses this technique less and less.
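The rule described above, worked through as an added example that is not code from the original article: a small monitor applies "a program writes to an executable file" to constructed file-operation events, first with no exceptions and then with an allowlist of known updaters, which is where the false-positive problem shows up. The event format, image names and paths are assumptions made for the example.

```python
import re

# Constructed sample of file-operation events, in the form a behavior monitor
# sitting between programs and the filesystem might record them. Not real logs.
SAMPLE_EVENTS = """\
pid=101 image=notepad.exe op=write target=C:\\Users\\alice\\notes.txt
pid=202 image=photo_viewer.exe op=write target=C:\\Windows\\calc.exe
pid=303 image=app_updater.exe op=write target=C:\\Program Files\\App\\app.exe
pid=202 image=photo_viewer.exe op=write target=C:\\Program Files\\App\\helper.dll
pid=404 image=word.exe op=read target=C:\\Windows\\notepad.exe
"""

EVENT_RE = re.compile(r"pid=(\d+) image=(\S+) op=(\w+) target=(.+)")
EXECUTABLE_EXTS = (".exe", ".dll", ".scr", ".com")


def parse_events(text: str) -> list[dict]:
    """Parse one event per line; malformed lines are skipped, not fatal."""
    events = []
    for line in text.splitlines():
        m = EVENT_RE.fullmatch(line.strip())
        if m:
            pid, image, op, target = m.groups()
            events.append({"pid": int(pid), "image": image, "op": op, "target": target})
    return events


def suspicious_writes(events: list[dict], allowlist: frozenset = frozenset()) -> list[tuple]:
    """The article's rule: a write to an executable is suspicious.

    Writers on the allowlist (a known updater, say) are ignored; that is the
    usual way to trim the false positives the article describes. Note that
    matching on image name alone is weak, since any program can carry that
    name; a real product would key the allowlist on a signed publisher.
    """
    alerts = []
    for ev in events:
        if ev["op"] != "write":
            continue
        if not ev["target"].lower().endswith(EXECUTABLE_EXTS):
            continue
        if ev["image"].lower() in allowlist:
            continue
        alerts.append((ev["image"], ev["target"]))
    return alerts


if __name__ == "__main__":
    evs = parse_events(SAMPLE_EVENTS)
    print(suspicious_writes(evs))                                   # 3 alerts, one is the updater
    print(suspicious_writes(evs, frozenset({"app_updater.exe"})))   # 2 alerts, both photo_viewer.exe
```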
Other ways to detect viruses
Some anti-virus software will try to emulate the beginning of the code of each new
executable that is being executed before transferring control to the executable.
If the program seems to be using self-modifying code or otherwise appears to be a
virus (for example, it immediately tries to find other executables), one could assume that
the executable has been infected with a virus. However, this method results in a
lot of false positives.
Yet another detection method is using a sandbox. A sandbox emulates the
operating system and runs the executable in this simulation. After the program
has terminated, the sandbox is analysed for changes which might indicate a
virus. Because of performance issues this type of detection is normally only
performed during on-demand scans.
Issues of concern
Macro viruses,
arguably the most destructive and widespread computer viruses, could be
prevented far more inexpensively and effectively, and without the need of all
users to buy anti-virus software, if Microsoft would fix security flaws in
Microsoft Outlook and Microsoft Office related to the execution of downloaded
code and to the ability of document macros to spread and wreak havoc.
User education is as important as anti-virus software; simply training users in
safe computing practices, such as not downloading and executing unknown programs
from the Internet, would slow the spread of viruses, without the need of
anti-virus software.
Computer users should not always run with administrator access to their own
machine. If they would simply run in user mode then some types of viruses would
not be able to spread.
The dictionary approach to detecting viruses is often insufficient due to the
continual creation of new viruses, yet the suspicious behavior approach is
ineffective due to the false positive problem; hence, the current understanding
of anti-virus software will never conquer computer viruses.
There are various methods of encrypting and packing malicious software which
will make even well-known viruses undetectable to anti-virus software. Detecting
these "camouflaged" viruses requires a powerful unpacking engine, which can
decrypt the files before examining them. Unfortunately, many popular anti-virus
programs do not have this and thus are often unable to detect encrypted viruses.
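To tie the dictionary approach from the "Virus dictionary approach" section to the packing problem described in the paragraph above, here is an added example (not code from the original article or from any anti-virus vendor): a minimal pattern scanner, a toy one-byte XOR packer standing in for the encryption layer, and the same scanner with a matching unpacking step in front of it. Every signature, header and sample byte string is constructed for the illustration and is not a real virus signature.

```python
from typing import Optional

# The "virus dictionary": name -> byte pattern extracted from a known sample.
SIGNATURES = {
    "Demo.Marker.A": b"DEMO-MARKER-A",             # constructed pattern
    "Demo.Marker.B": b"\xde\xad\xbe\xef\x00\x01",  # constructed pattern
}

PACK_MAGIC = b"XP1"  # toy packed-file header (constructed), followed by one key byte


def scan_bytes(data: bytes) -> list[str]:
    """Return the names of every dictionary entry whose pattern occurs in data."""
    return sorted(name for name, pat in SIGNATURES.items() if pat in data)


def xor_pack(body: bytes, key: int) -> bytes:
    """Toy packer: a one-byte XOR layer standing in for the self-encryption
    that polymorphic and packed malware put between the scanner and its code."""
    return PACK_MAGIC + bytes([key]) + bytes(b ^ key for b in body)


def xor_unpack(data: bytes) -> Optional[bytes]:
    """Toy unpacking engine: decode the body if the file carries our header."""
    if not data.startswith(PACK_MAGIC) or len(data) < len(PACK_MAGIC) + 1:
        return None
    key = data[len(PACK_MAGIC)]
    return bytes(b ^ key for b in data[len(PACK_MAGIC) + 1:])


def scan_with_unpacking(data: bytes) -> list[str]:
    """Scan the file as stored, then also scan the decoded body if it was packed."""
    hits = set(scan_bytes(data))
    inner = xor_unpack(data)
    if inner is not None:
        hits.update(scan_bytes(inner))
    return sorted(hits)


# Constructed samples: a "known" infected file and a packed copy of the same bytes.
PLAIN_SAMPLE = b"MZ... harmless-looking code ... DEMO-MARKER-A ... more code"
PACKED_SAMPLE = xor_pack(PLAIN_SAMPLE, 0x5A)

if __name__ == "__main__":
    print("plain file, plain scan:     ", scan_bytes(PLAIN_SAMPLE))            # ['Demo.Marker.A']
    print("packed file, plain scan:    ", scan_bytes(PACKED_SAMPLE))           # []
    print("packed file, unpack + scan: ", scan_with_unpacking(PACKED_SAMPLE))  # ['Demo.Marker.A']
```

The middle line is the point of the paragraph above: the same known code, once wrapped in even a trivial encoding layer, no longer matches the dictionary until an unpacking step restores it.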
Companies that sell anti-virus software seem to have a financial incentive for
viruses to be written and to spread, and for the public to panic over the
threat.
This article is licensed under the GNU Free Documentation License.
It uses material from the Wikipedia article "Anti-virus software".