How does anti-virus software work?
From Wikipedia, the free encyclopedia.
Anti-virus software is a computer program that scans files to identify and eliminate computer viruses and other malicious software (malware).
Anti-virus software typically uses two different techniques to accomplish this:
- Examining files to look for known viruses by means of a virus dictionary
- Identifying suspicious behavior from any computer program which might indicate infection
Most commercial anti-virus software uses both of these approaches, with an emphasis on the virus dictionary approach.
Virus dictionary approach
In the virus dictionary approach, when the anti-virus software examines a file, it refers to a dictionary of known viruses that have been identified by the author of the anti-virus software. If a piece of code in the file matches any virus identified in the dictionary, the anti-virus software can either delete the file, quarantine it so that the file is inaccessible to other programs and its virus is unable to spread, or attempt to repair the file by removing the virus itself from the file.
To be successful in the medium and long term, the virus dictionary approach requires
periodic online downloads of updated virus dictionary entries. As new viruses
are identified "in the wild", civically minded and technically inclined users
can send their infected files to the authors of anti-virus software, who then
include information about the new viruses in their dictionaries.
Dictionary-based
anti-virus software typically examines files when the computer's operating system
creates, opens, and closes them; and when the files are e-mailed. In this way,
a known virus can be detected immediately upon receipt. The software can also
typically be scheduled to examine all files on the user's hard disk on a regular
basis.
Although the dictionary approach is considered effective, virus
authors have tried to stay a step ahead of such software by writing "polymorphic
viruses", which encrypt parts of themselves or otherwise modify themselves as
a method of disguise, so as to not match the virus's signature in the dictionary.
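The dictionary approach described in this section, as an added example that is not part of the Wikipedia article: a toy scanner with an invented two-entry dictionary, the three response actions (delete, quarantine, repair), and a simulated polymorphic copy of an infected file to show why a fixed byte pattern stops matching. The signature names, patterns and sample files are all constructed here; a real product's signatures are far richer, and a real polymorphic virus also mutates the decryptor stub that this toy leaves constant.

```python
from enum import Enum
from typing import List, Optional, Tuple


class Action(Enum):
    NONE = "no action"
    DELETE = "delete"
    QUARANTINE = "quarantine"
    REPAIR = "repair"


# Hypothetical dictionary: signature name -> byte pattern extracted from a
# known sample. Both the names and the patterns are invented for this example.
DICTIONARY = {
    "Toy.Infector.A": b"\xeb\x10INFECT-NEXT-EXE",
    "Toy.Dropper.B": b"DROP-PAYLOAD\x00",
}


def scan(data: bytes) -> List[str]:
    """Return the names of every dictionary entry whose pattern occurs in data."""
    return [name for name, pattern in DICTIONARY.items() if pattern in data]


def handle(data: bytes, policy: Action) -> Tuple[Action, Optional[bytes]]:
    """Apply the configured policy (DELETE, QUARANTINE or REPAIR) to one file.

    Returns the action taken and the file's resulting contents; None means the
    file is no longer available to the user (deleted or quarantined).
    """
    hits = scan(data)
    if not hits:
        return Action.NONE, data
    if policy is Action.REPAIR:
        # Disinfection stand-in: cut the matched pattern out. A real repair must
        # also restore the host's original entry point, which this toy skips.
        for name in hits:
            data = data.replace(DICTIONARY[name], b"")
        return Action.REPAIR, data
    return policy, None


def polymorphic_variant(data: bytes, key: int) -> bytes:
    """Simulate what a polymorphic virus does to each new copy of itself:
    XOR-encrypt the body with a per-copy key and prepend a small decryptor
    stub, so no fixed byte pattern from the dictionary survives in the copy."""
    stub = b"DECRYPT-STUB:" + bytes([key])
    return stub + bytes(b ^ key for b in data)


# Constructed sample files: a clean host, and the same host with the toy
# infector's body appended.
CLEAN_FILE = b"MZ\x90\x00hello world program\x00"
INFECTED_FILE = CLEAN_FILE + DICTIONARY["Toy.Infector.A"]


if __name__ == "__main__":
    print(scan(CLEAN_FILE))                                # []
    print(scan(INFECTED_FILE))                             # ['Toy.Infector.A']
    print(handle(INFECTED_FILE, Action.QUARANTINE))        # (Action.QUARANTINE, None)
    print(scan(polymorphic_variant(INFECTED_FILE, 0x5A)))  # []: signature defeated
```

The last call is the polymorphism problem in miniature: the encrypted copy still carries the full infector, but `scan` sees only ciphertext, so the dictionary entry never fires. Detecting it needs either a signature for the decryptor stub (which a real polymorphic engine also varies) or an unpacking step that runs the stub before matching.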
Suspicious behavior approach
The suspicious behavior approach, by contrast, doesn't attempt to identify known viruses, but instead monitors the behavior of all programs. If one program tries to write data to an executable program, for example, this is flagged as suspicious behavior and the user is alerted and asked what to do.
Unlike the dictionary approach, the suspicious behavior approach therefore provides protection against brand-new viruses that do not yet exist in any virus dictionaries. However, it also raises a large number of false positives, and users probably become desensitized to all the warnings. If the user clicks "Accept" on every such warning, then the anti-virus software is obviously useless to that user. This problem has been made especially worse over the past 7 years, since many more non-malicious programs have been designed to modify other .exe files without regard to this false positive issue. Thus, most modern anti-virus software uses this technique less and less.
Other ways to detect viruses
Some anti-virus software will try to emulate the beginning of the code of each new executable that is being executed before transferring control to the executable. If the program seems to be using self-modifying code or otherwise appears to be a virus (for example, it immediately tries to find other executables), one could assume that the executable has been infected with a virus. However, this method also results in a lot of false positives.
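The behavior heuristics from the two preceding sections (writes to executables, self-modification, and a program that looks for other executables as soon as it starts), as an added example that is not part of the Wikipedia article. It replays a constructed trace of file operations, which is what a run-time monitor would hook live and what the sandbox technique described next would record and inspect after the program exits. The rules, thresholds, paths and program names are all assumptions made for this toy, not any product's rule set.

```python
from collections import defaultdict
from typing import Dict, List, NamedTuple


class Event(NamedTuple):
    pid: int
    image: str   # path of the program performing the operation
    op: str      # "open", "write" or "find_files"
    target: str  # file path, or the search pattern for find_files


EXECUTABLE_SUFFIXES = (".exe", ".com", ".dll", ".sys")


def is_executable(path: str) -> bool:
    return path.lower().endswith(EXECUTABLE_SUFFIXES)


def monitor(trace: List[Event]) -> Dict[int, List[str]]:
    """Replay a trace and return, per pid, the suspicious behaviours observed.

    Heuristics (assumed for this example):
      * a write to an executable other than the program's own image
      * a write to the program's own image (self-modifying code)
      * enumerating executables within the program's first three operations
        (the "immediately tries to find other executables" pattern)
    """
    alerts: Dict[int, List[str]] = defaultdict(list)
    ops_seen: Dict[int, int] = defaultdict(int)
    for ev in trace:
        ops_seen[ev.pid] += 1
        if ev.op == "write" and is_executable(ev.target):
            if ev.target.lower() == ev.image.lower():
                alerts[ev.pid].append(f"{ev.image} modifies its own image")
            else:
                alerts[ev.pid].append(f"{ev.image} writes to executable {ev.target}")
        elif ev.op == "find_files" and is_executable(ev.target) and ops_seen[ev.pid] <= 3:
            alerts[ev.pid].append(
                f"{ev.image} searches for executables ({ev.target}) right after start")
    return dict(alerts)


# Constructed trace: a game saving its high scores (benign), a toy infector,
# and a legitimate installer that overwrites an already-installed program.
TRACE = [
    Event(100, r"C:\GAMES\SOLITAIRE.EXE", "open", r"C:\GAMES\SCORES.DAT"),
    Event(100, r"C:\GAMES\SOLITAIRE.EXE", "write", r"C:\GAMES\SCORES.DAT"),
    Event(200, r"C:\TEMP\FUNNY.EXE", "find_files", r"C:\WINDOWS\*.EXE"),
    Event(200, r"C:\TEMP\FUNNY.EXE", "open", r"C:\WINDOWS\NOTEPAD.EXE"),
    Event(200, r"C:\TEMP\FUNNY.EXE", "write", r"C:\WINDOWS\NOTEPAD.EXE"),
    Event(200, r"C:\TEMP\FUNNY.EXE", "write", r"C:\TEMP\FUNNY.EXE"),
    Event(300, r"C:\DOWNLOADS\SETUP.EXE", "open", r"C:\DOWNLOADS\SETUP.INI"),
    Event(300, r"C:\DOWNLOADS\SETUP.EXE", "open", r"C:\PROGRAM FILES\APP\APP.EXE"),
    Event(300, r"C:\DOWNLOADS\SETUP.EXE", "write", r"C:\PROGRAM FILES\APP\APP.EXE"),
]


if __name__ == "__main__":
    for pid, found in monitor(TRACE).items():
        for line in found:
            print(f"pid {pid}: {line}")
```

Pid 200 trips all three rules, but pid 300 (an installer updating a program it owns) trips the executable-write rule as well. That alert is exactly the false positive the text warns about: the monitor cannot tell an installer from an infector by the write alone, and a user who clicks "Accept" on SETUP.EXE's prompt learns to click "Accept" on FUNNY.EXE's too.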
Yet another detection method is using a sandbox. A sandbox emulates the operating system and runs the executable in this simulation. After the program has terminated, the sandbox is analysed for changes which might indicate a virus. Because of performance issues this type of detection is normally only performed during on-demand scans.
Issues of concern
Macro viruses, arguably the most destructive and widespread computer viruses, could be prevented far more inexpensively and effectively, and without the need for all users to buy anti-virus software, if Microsoft would fix security flaws in Microsoft Outlook and Microsoft Office related to the execution of downloaded code and to the ability of document macros to spread and wreak havoc.
User education is as important as anti-virus software; simply training users in safe computing practices, such as not downloading and executing unknown programs from the Internet, would slow the spread of viruses, without the need for anti-virus software.
Computer users should not always run with administrator access to their own machine. If they simply ran as an unprivileged user, some types of viruses would not be able to spread.
The dictionary approach to detecting viruses is often insufficient due to the continual creation of new viruses, yet the suspicious behavior approach is ineffective due to the false positive problem; hence anti-virus software, as currently understood, will never conquer computer viruses.
There are various methods
of encrypting and packing malicious software which will make even well-known viruses
undetectable to anti-virus software. Detecting these "camouflaged" viruses requires
a powerful unpacking engine, which can decrypt the files before examining them.
Unfortunately, many popular anti-virus programs do not have this and thus are
often unable to detect encrypted viruses.
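The unpacking step the preceding paragraph calls for, as an added example that is not part of the Wikipedia article. The "packer" is single-byte XOR, chosen because it is the simplest scheme that already defeats a plain byte-pattern match; the signature, the sample file and the "MZ" plausibility check are assumptions made for this toy. Real unpacking engines deal with far more complex packers and usually emulate the sample's own decryptor rather than guessing keys.

```python
from typing import Dict, Optional

# Hypothetical signature of a well-known sample (invented for this example).
SIGNATURE = b"\xeb\x10INFECT-NEXT-EXE"

# Plausibility check for a candidate unpacking: DOS and Windows executables
# begin with the bytes "MZ", so a correct key must produce that header.
PLAINTEXT_MARKER = b"MZ"


def xor_pack(data: bytes, key: int) -> bytes:
    """Toy packer: XOR every byte with one key (also its own inverse)."""
    return bytes(b ^ key for b in data)


def try_unpack(data: bytes) -> Optional[bytes]:
    """Brute-force the single-byte key and return the first candidate that
    carries the expected header, or None if no key produces one.

    Key 0 is tried first, so a file that is already plain comes back unchanged.
    """
    for key in range(256):
        candidate = xor_pack(data, key)
        if candidate.startswith(PLAINTEXT_MARKER):
            return candidate
    return None


def scan(data: bytes, unpack: bool) -> Dict[str, bool]:
    """Match the signature against the file as-is and, if allowed, against the
    unpacked contents. Reports whether anything matched and whether unpacking
    was what made the match possible."""
    if SIGNATURE in data:
        return {"detected": True, "unpacked": False}
    if not unpack:
        return {"detected": False, "unpacked": False}
    plain = try_unpack(data)
    if plain is None or plain == data:
        return {"detected": False, "unpacked": False}
    return {"detected": SIGNATURE in plain, "unpacked": True}


# Constructed samples: an infected executable and the same file "camouflaged"
# with key 0x5A.
PLAIN_SAMPLE = b"MZ\x90\x00program\x00" + SIGNATURE
PACKED_SAMPLE = xor_pack(PLAIN_SAMPLE, 0x5A)


if __name__ == "__main__":
    print(scan(PLAIN_SAMPLE, unpack=False))   # {'detected': True, 'unpacked': False}
    print(scan(PACKED_SAMPLE, unpack=False))  # {'detected': False, 'unpacked': False}
    print(scan(PACKED_SAMPLE, unpack=True))   # {'detected': True, 'unpacked': True}
```

The second call is the failure mode the paragraph describes: the scanner has a perfectly good signature for this sample and still reports it clean, because it is matching ciphertext. Only the third call, which decrypts before examining, recovers the detection. The header check is what makes brute force practical here; without some plausibility test on the output, every one of the 256 keys looks equally valid.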
Companies that sell anti-virus software seem to have a financial incentive for viruses to be written and to spread, and for the public to panic over the threat.