An Introduction to Virus Scanners


From the SelectedWorks of Umakant Mishra, August 2010
An Introduction to Virus Scanners
Umakant Mishra
Available at: https://works.bepress.com/umakant_mishra/76/

An Introduction to Virus Scanners
Umakant Mishra, Bangalore, India
http://umakantm.blogspot.in

Contents
1. Introduction ... 1
2. Functions of anti-virus programs ... 2
3. Methods of virus detection ... 3
4. Methods of virus removal and file repairing ... 6
5. Important issues before anti-virus products ... 7
6. Disadvantages of anti-virus products ... 8
7. Summary ... 9

1. Introduction

A computer virus is a destructive program written with malicious intent to harm the various components of a computer and the data of its unsuspecting user. Viruses cause many kinds of nuisance, such as corrupting data, deleting files, altering configurations and even formatting disks. Viruses are commonly classified as file viruses, boot sector viruses, worms, Trojan horses, macro viruses, email viruses, network viruses and so on. These classifications are neither exhaustive nor mutually exclusive; multipartite viruses, for example, possess the characteristics of more than one type. Older viruses spread mainly through floppy disks, whereas current viruses spread mainly through email, the Internet and local area networks. Macro viruses, which infect document files, have become the biggest headache for anti-virus programmers. [1]

[1] For more details on viruses, see Umakant Mishra, An Introduction to Computer Viruses, available at SSRN: http://ssrn.com/abstract=1916631 or http://dx.doi.org/10.2139/ssrn.1916631

2. Functions of anti-virus programs

While viruses aim to spread and carry out destructive operations on our computers, anti-virus programs aim to prevent them from doing so. More precisely, an anti-virus program aims to keep the computer safe from attack by viruses and other such malware. It performs several important functions: protecting the computer from virus attacks (before a virus can strike), detecting the presence of viruses (after an attack), removing viruses (after detection) and restoring infected files (after removal). The main functions of an anti-virus program are the following.

Virus guarding and virus prevention

One of the most important functions of an anti-virus program is to protect the computer from any type of attack by computer viruses, worms, Trojan horses, spyware, adware and other malware. The anti-virus runs as a service or a memory-resident program that detects and removes viruses as they are found. When external media such as a CD, DVD or pen drive is connected to the computer, the anti-virus ensures that no virus from the attached media gets into the computer. When the computer is connected to the Internet or a LAN, the anti-virus ensures that no virus arrives from other computers over these connections. When the user downloads files from the Internet, copies files from other computers or checks email, the anti-virus ensures that the incoming files contain no viruses. The anti-virus remains active in memory to check each and every file for viruses when the file is opened or closed by any application.

An Introduction to Virus Scanners, by Umakant Mishra 2

Virus scanning and detection

The most widely known function of an anti-virus is virus scanning. Scanning is the process of detecting viruses in main memory and in the secondary storage of all devices attached to a computer. A scanner employs various methods, such as signature scanning and heuristic scanning, to scan the different parts of a computer. Virus scanning covers the hard disk as well as external or removable storage media such as floppy disks, CDs and USB drives. There are different modes of scanning: for example, scanning can run in the background without disturbing the user's regular activities, or it can be scheduled for idle hours. A scan can also be complete or partial, depending on the user's requirements.

Virus removal and file repairing

The last, but not the least important, function of an anti-virus is virus removal. The anti-virus applies various methods to remove the virus code from an infected file and restore the original file. It first tries to disinfect the computer and repair the damaged files or disk sectors. If the method of disinfection is not known to the anti-virus, it isolates the infected file in quarantine for possible repair in the future. However, if the virus is too dangerous or the file is too badly damaged, the anti-virus has no option but to delete the infected file.

3. Methods of virus detection

There are various methods of virus detection. Anti-virus programs generally employ two popular methods of detecting viruses, namely signature-based detection and behavior-based detection.

Footprint-based detection (also called signature scanning). This method compares the contents of files against a library of known signatures. If a signature matches, the presence of a specific virus is confirmed. The method is based on pattern matching. Advantages: the method is fast and reliable; mistakes or false positives are extremely rare. Disadvantages: new viruses cannot be detected when their signatures are not yet known or not yet included in the signature database.

Behavior-based detection (also called heuristic scanning). This method examines the behavior of suspect programs and their code patterns to judge whether they look virus-like. If the code pattern looks virus-like, the scanner may flag the program as a possible virus and ask for user intervention. Advantages: because the method does not depend on specific virus signatures, it can detect even new viruses whose signatures are not yet known. Disadvantages: because there is no exact definition of virus-like code or virus-like behavior, the method may miss some real viruses or may produce false positives.

(Note: we will discuss the various methods of virus detection and their limitations in more detail in a separate article.)

Generic vs. specific scanning

Specific scanning refers to scanning for specific virus signatures. This is a simple and sure method of detecting known viruses whose signatures have already been extracted and included in the virus database. Its limitation is that it detects only the known viruses whose signatures are included in the virus definition database; it does not detect other variants of a known virus even when the differences between their signatures are very minor. In contrast, generic scanning scans for generic signatures that are common to all viruses of a particular virus family. Generic signatures not only detect all viruses of a particular family but also detect new and even future variants.
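As an added illustration of the specific vs. generic distinction above (this is example code, not code from the article), the following minimal byte-pattern scanner in Python treats a specific signature as an exact byte string and a generic signature as the same bytes with the variable part masked by "??" wildcards. The sample "files", the HypoVirus family and all signature names are constructed for this example; the third signature is deliberately too short and shows the false-positive risk of an over-generic pattern.

```python
import re
from dataclasses import dataclass

# Constructed sample "files" (byte strings standing in for executables).
# variant_a and variant_b are two members of a hypothetical virus family that
# differ only in a four-byte constant; clean.bin is an ordinary program.
SAMPLES = {
    "variant_a.bin": b"MZ\x90\x00" + b"\x00" * 8
                     + b"\xeb\x04\x11\x22\x33\x44\xb8\x01\x00\x00\x00",
    "variant_b.bin": b"MZ\x90\x00" + b"\x00" * 8
                     + b"\xeb\x04\x55\x66\x77\x88\xb8\x01\x00\x00\x00",
    "clean.bin":     b"MZ\x90\x00" + b"\x00" * 8 + b"\xb8\x01\x00\x00\x00\xc3",
}


@dataclass(frozen=True)
class Signature:
    name: str      # hypothetical detection name
    pattern: str   # space-separated hex bytes; "??" matches any one byte
    kind: str      # "specific" (exact bytes) or "generic" (with wildcards)


def compile_signature(pattern: str) -> re.Pattern:
    """Turn 'eb 04 ?? ?? b8' into a compiled bytes regex; '??' is a wildcard."""
    parts = []
    for tok in pattern.split():
        if tok == "??":
            parts.append(b".")                       # any single byte
        else:
            parts.append(b"\\x%02x" % int(tok, 16))  # literal byte as \xhh
    return re.compile(b"".join(parts), re.DOTALL)    # DOTALL: '.' also matches 0x0a


def scan_file(data: bytes, signatures) -> list:
    """Return the names of all signatures whose byte pattern occurs in data."""
    return [sig.name for sig in signatures
            if compile_signature(sig.pattern).search(data)]


def scan_all(samples: dict, signatures) -> dict:
    """Scan every sample 'file' and map its name to the detections raised."""
    return {fname: scan_file(data, signatures) for fname, data in samples.items()}


# Specific signature: the exact bytes extracted from variant A only.
SPECIFIC = [Signature("HypoVirus.A", "eb 04 11 22 33 44 b8 01 00 00 00", "specific")]
# Generic (family) signature: the same code with the variable constant masked out.
GENERIC = [Signature("HypoVirus.gen", "eb 04 ?? ?? ?? ?? b8 01 00 00 00", "generic")]
# Over-generic signature: only 'mov eax, 1', which ordinary programs also contain.
LOOSE = [Signature("HypoVirus.loose", "b8 01 00 00 00", "generic")]

if __name__ == "__main__":
    for label, sigs in (("specific", SPECIFIC), ("generic", GENERIC), ("loose", LOOSE)):
        print(label, scan_all(SAMPLES, sigs))
```

The specific signature catches only variant A, the family signature catches both variants, and the loose signature also flags clean.bin, which is the trade-off a signature author has to balance.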

On-the-fly (real-time) vs. on-demand (offline) scanning

Anti-virus programs detect viruses by scanning. Scanning can be done either (i) on demand, that is, when the user clicks a button to start a scan, or (ii) on the fly, that is, automatically when a file is accessed by a program for copying, opening or modifying.

On-demand scanning is generally offline scanning. The user need not wait for the scan to complete: he may click a scan button to initiate a scan (or schedule one for later, during non-business hours) and carry on with his work while it runs. An on-demand scan can be a full scan of all files on all drives or a partial scan of specific files, locations or system components. This method generally scans a long list of files in sequence. Its drawback is that although it scans the infected files and detects the viruses, it does not prevent files from being infected: a virus may go on infecting other files while the scan is still carrying out detection.

On-the-fly or real-time scanning is triggered automatically by a memory-resident component of the anti-virus whenever there is a file operation, such as opening or copying a file or receiving an email. For example, when an application is about to open a document for modification, the real-time scanner scans the document first. If the document is not infected, the scanner hands the file over to the application, which opens it. If the file is found to be infected, the scanner first displays a message to the user about the infection and then either disinfects the file or refuses to let it open. This method is more powerful because it not only detects a virus when found but also stops the virus from spreading, since the virus is detected the moment it becomes active. Its drawback is that scanning the file takes some time and delays access to the file for opening, copying, modifying and other such operations.

Whether a file is scanned on the fly or on demand, the method of scanning is the same; only the order and priority of scanning differ. In on-demand scanning the files are scanned sequentially from a queue, whereas in on-the-fly scanning the specific file (or files) is scanned just before it is about to be opened.

4. Methods of virus removal and file repairing

There are several actions that an anti-virus program may take when a virus is found. The actions are generally configured in sequential order, as follows.

The first attempt of any anti-virus product is to repair the infected file.

If repair is not possible, it quarantines the infected file so that other files are not infected by the virus. Quarantine is done with a view to repairing the infected file at a later point in time.

If a virus is too dangerous or the file is severely damaged, the anti-virus may decide to delete the infected file.

In the case of simple infections the original program code remains in one single block. The anti-virus program removes the virus code from the infected file and recovers the original program.

If the infected file is partially damaged by the virus, the anti-virus may apply various methods to recover the original code. If it fails to recover the file, the anti-virus has to delete the file or move it to quarantine.

When a system is infected by a boot sector virus, or is unable to boot because of a damaged boot sector, the anti-virus has to boot the system from a clean external disk in order to scan it further.

While repairing an email, the anti-virus may have to first detach the attachments from the email body, then scan and repair the attachments, and then re-attach the scanned and repaired attachments.

Some anti-virus products keep a backup of critical OS files in protected locations. When any of these files gets corrupted, the anti-virus replaces it with the original file from the backup.

5. Important issues before anti-virus products

As anti-virus programs mature, virus programmers also become more experienced. New viruses are much more intelligent and try to fool anti-virus programs. Viruses are no longer written only by hobbyists; in some cases they are written by software professionals paid by criminal organizations. This situation poses a big challenge for anti-virus programmers.

With the presence of various anti-virus products, traditional viruses have less scope to flourish, so the threat from traditional viruses has become minimal. Virus programmers instead explore newer methods, especially anti-anti-virus techniques, of attacking a system.

Some viruses, such as polymorphic and metamorphic viruses, change their signatures on every infection. Because they have no fixed signature, the anti-virus has to apply complicated techniques such as emulation to detect them.

Some viruses do not act immediately, so the anti-virus cannot detect anything negative in their behavior; yet the virus may act dangerously once its payload is triggered.

The end user generally places complete faith in the anti-virus software and forgets that the anti-virus itself may have security holes. Some virus programmers exploit this situation and target the anti-virus products, attacking the anti-virus itself instead of the operating system.

A zipped file may contain a Trojan. When the file is attached to an email, a virus scanner at the mail server that is unable to parse the zipped file passes it as a legitimate file, and the victim gets the Trojan on unzipping it.

Virus programmers generally do not want their viruses to be detected, so many viruses adopt stealth techniques. Detecting stealth viruses is a challenge for the anti-virus.

When a system is critically damaged by a virus infection, it becomes extremely difficult for the anti-virus to repair the infected components and restore the system. Similarly, if the content of a file has been scrambled or overwritten by the virus, the anti-virus is incapable of repairing it.

Scanning an email is different from scanning conventional files, as an email is a composition of various types of attachments. Moreover, the anti-virus must scan and detect the virus before an infected email is finally opened by the recipient in order to avoid the possibility of infection.

It is difficult to scan emails for viruses at the email server because many email servers encrypt the stored emails using proprietary encryption techniques to maintain their privacy. In such cases the virus scanner cannot scan the emails, as it is unable to decrypt the encrypted files.

The conventional techniques of virus scanning cannot handle virus outbreaks. An outbreak can infect a large number of systems very quickly and make the situation go out of control. Special techniques are needed to prevent and control such outbreaks.

The conventional techniques of virus scanning are meant for individual computers and may not work well in network environments. In a network, viruses may use different strategies to attack client computers, network servers, gateways and even the whole network, including the network traffic.

Anti-virus programs generally consume a lot of system resources. If a virus intelligently plays with an anti-virus, the anti-virus can end up consuming a large portion of the system memory and affect the system worse than the virus would have.

One of the vulnerable areas of anti-virus products is the decompression process. In order to scan compressed files the anti-virus has to decompress them using complex calculations, and any mistake in the decompression may lead to a vulnerability.

6. Disadvantages of anti-virus products

Although an anti-virus is useful for every computer that is exposed to any sort of virus threat, it brings many disadvantages to the user. That is why many people regard an anti-virus as a necessary evil. Some of the notable disadvantages of anti-virus products are as follows.

An anti-virus product has a price. Although there are powerful free anti-virus products such as AVG, in many situations there are also reasons to select a paid product to gain some extra advantage.

As there is a wide range of anti-virus products in the market, it is a difficult job to decide which product is better and more cost-effective.

Inexperienced users may have trouble understanding the prompts that the anti-virus software presents to them, and an incorrect decision by the user may lead to a security breach.

No anti-virus product gives a one-time solution. As viruses are created on a regular basis, anti-virus products must also be updated on a regular basis, which involves a lot of maintenance activity.

Virus scanning is a time-consuming job. A full virus scan on a loaded computer can easily continue for several hours.

A virus scanner consumes a significant amount of system resources. As the scanner has to be more intelligent and faster than a virus, it puts a significant load on the memory and processor and affects the computer's performance.

The success of virus scanning depends on achieving the right balance between false positives and false negatives. False positives can be as destructive as false negatives. There are many instances where running certain anti-virus products has disrupted the functioning of other bona fide programs. This is because, although anti-virus products are tested against the majority of programs, a minority of programs still face some conflicts. Moreover, an anti-virus tested for one version of an OS does not accept an upgrade of the OS without itself being updated.

7. Summary

The main functions of an anti-virus program are (i) virus prevention and file protection, (ii) virus scanning and detection, (iii) removing viruses from infected files, and (iv) recovering damaged files and objects. An anti-virus program typically employs a variety of strategies to detect and remove viruses. The two popular methods of detecting viruses are signature scanning and behavior monitoring, and each has its strengths and weaknesses. Signature scanning is the most common method of virus detection, but it cannot detect viruses whose signatures are not available in the virus database. The heuristic method finds viruses based on common behaviors; it can be complex, but it has the ability to detect unknown and new viruses. We will discuss the virus detection techniques in more detail in a separate article.

As detection gets more sophisticated, so do the virus programmers. They try to go one step beyond the anti-virus mechanism and create intelligent viruses that pose ever more difficult challenges for anti-virus producers.

About the author

After working for more than 18 years in various fields of Information Technology, Umakant has been doing independent research on TRIZ and IT since 2004. He last worked as Director and Chief Technology Officer (2000-2004) at CREAX Information Technologies (Bangalore). Before that he worked as IS/IT manager (1996-2000) for ActionAid India (Bangalore). Umakant holds a Master's in Philosophy (MA), a Master's in Business Administration (MBA) and a Bachelor's in Law and Logic (LLB), and is a Microsoft Certified Systems Engineer (MCSE+I), Certified Novell Engineer (CNE), Master Certified Novell Engineer (MCNE), Certified Intranet Manager (CIM), Certified Internet Professional (CIP) and Certified Software Test Manager (CSTM), among many other global IT certifications. Umakant has authored the books "TRIZ Principles for Information Technology", "Improving Graphical User Interface using TRIZ" and "Using TRIZ for Anti-Virus Development", and is working on a book on Management Information Systems. Many of his articles are available in the SSRN eLibrary (http://ssrn.com/author=646786), bepress (http://works.bepress.com/umakant_mishra) and arXiv (http://arxiv.org/a/mishra_u_1). More about Umakant is available at http://umakantm.blogspot.in.