Antivirus software

From Wikipedia, the free encyclopedia

"Antivirus" redirects here. For antiviral medication, see antiviral drug.

Antivirus software are computer programs that attempt to identify, neutralize or eliminate malicious software. Antivirus is so named because the earliest examples were designed exclusively to combat computer viruses; however most modern antivirus software is now designed to combat a wide range of threats, including worms, phishing attacks, rootkits, trojan horses and other malware. Antivirus software typically uses two different approaches to accomplish this:

  • examining (scanning) files to look for known viruses matching definitions in a virus dictionary, and
  • identifying suspicious behavior from any computer program which might indicate infection.

The second approach is called heuristic analysis. Such analysis may include data captures, port monitoring and other methods.

Most commercial antivirus software uses both of these approaches, with an emphasis on the virus dictionary approach. Some people claim that a Firewall program performs the functions of a Anti-Virus, however they are mistaken.

Contents

[edit] Approaches

[edit] Dictionary

In the virus dictionary approach, when the antivirus software looks at a file, it refers to a dictionary of known viruses that the authors of the antivirus software have identified. If a piece of code in the file matches any virus identified in the dictionary, then the antivirus software can take one of the following actions:

  1. attempt to repair the file by removing the virus itself from the file,
  2. quarantine the file (such that the file remains inaccessible to other programs and its virus can no longer spread), or
  3. delete the infected file.

To achieve consistent success in the medium and long term, the virus dictionary approach requires periodic (generally online) downloads of updated virus dictionary entries. As civically-minded and technically-inclined users identify new viruses "in the wild", they can send their infected files to the authors of antivirus software, who then include information about the new viruses in their dictionaries.

Dictionary-based antivirus software typically examines files when the computer's operating system creates, opens, closes, or e-mails them. In this way it can detect a known virus immediately upon receipt. Note too that a System Administrator can typically schedule the antivirus software to examine (scan) all files on the computer's hard disk on a regular basis.

Although the dictionary approach can effectively contain virus outbreaks in the right circumstances, virus authors have tried to stay a step ahead of such software by writing "oligomorphic", "polymorphic" and more recently "metamorphic" viruses, which encrypt parts of themselves or otherwise modify themselves as a method of disguise, so as to not match the virus's signature in the dictionary.

An emerging technique to deal with malware in general is whitelisting. Rather than looking for only known bad software, this technique prevents execution of all computer code except that which has been previously identified as trustworthy by the system administrator. By following this default deny approach, the limitations inherent in keeping virus signatures up to date are avoided. Additionally, computer applications that are unwanted by the system administrator are prevented from executing since they are not on the whitelist. Since modern enterprise organizations have large quantities of trusted applications, the limitations of adopting this technique rest with the system administrators' ability to properly inventory and maintain the whitelist of trusted applications. As such, viable implementations of this technique include tools for automating the inventory and whitelist maintenance processes.

[edit] Suspicious behavior

The suspicious behavior approach, by contrast, doesn't attempt to identify known viruses, but instead monitors the behavior of all programs. If one program tries to write data to an executable program, for example, the antivirus software can flag this suspicious behavior, alert a user, and ask what to do.

Unlike the dictionary approach, the suspicious behavior approach therefore provides protection against brand-new viruses that do not yet exist in any virus dictionaries. However, it can also sound a large number of false positives, and users probably become desensitized to all the warnings. If the user clicks "Accept" on every such warning, then the antivirus software obviously gives no benefit to that user. This problem has worsened since 1997[citation needed], since many more non-malicious program designs came to modify other .exe files without regard to this false positive issue. Therefore, most modern antivirus software uses this technique less and less.

[edit] Other approaches

Some antivirus software use other types of heuristic analysis. For example, it could try to emulate the beginning of the code of each new executable that the system invokes before transferring control to that executable. If the program seems to use self-modifying code or otherwise appears as a virus (if it immediately tries to find other executables, for example), one could assume that a virus has infected the executable. However, this method could result in a lot of false positives.

Yet another detection method involves using a sandbox. A sandbox emulates the operating system and runs the executable in this simulation. After the program has terminated, software analyzes the sandbox for any changes which might indicate a virus. Because of performance issues, this type of detection normally only takes place during on-demand scans. Also this method may fail as viruses can be nondeterministic and result in different actions or no actions at all done when run — so it will be impossible to detect it from one run. [1]

Some virus scanners can also warn a user if a file is likely to contain a virus based on the file type.

[edit] Issues of concern

  • The regular appearance of new malware is certainly in the financial interest of vendors of commercial antivirus software, but there is no evidence of collusion. [2]
  • Some antivirus software can considerably reduce performance. Users may disable the antivirus protection to overcome the performance loss, thus increasing the risk of infection. For maximum protection, the antivirus software needs to be enabled all the time — often at the cost of slower performance (see also software bloat).
  • It is important to note that one should not have more than one memory-resident antivirus software solution installed on a single computer at any given time. Otherwise, the computer may be crippled and further damaged.[3]
  • It is sometimes necessary to temporarily disable virus protection when installing major updates such as Windows Service Packs or updating graphics card drivers.[citation needed] Active antivirus protection may partially or completely prevent the installation of a major update.
  • When purchasing antivirus software, the agreement may include a clause that your subscription will be automatically renewed, and your credit card automatically billed at the renewal time without your approval. For example, McAfee requires one to unsubscribe at least 60 days before the expiration of the present subscription.[4] In that case, the subscriber may contest the charges with the credit card issuer, but this recourse is likely to fail if in fact the subscriber had authorised such a "continuous payment authority". Norton Antivirus also has a default setting that includes the automatic renewal of your subscription. [5]
  • Some antivirus programs are actually spyware masquerading as antivirus software. It is best to double-check that the antivirus software which is being downloaded is actually a real antivirus program.[6]
  • Some commercial antivirus software programs contain adware. For example, the home/small business version of CA Anti-Virus 2008 displays an advert for CA products whenever the desktop is unlocked after a period of inactivity.
  • Most widely-accepted antivirus programs often do not detect newly-created viruses. This can be verified by making a program with destructive code in a language like C++.

[edit] Mobile devices

Viruses from the desktop and laptop world have migrated to mobile devices. Antivirus vendors are beginning to offer solutions for mobile handsets. These devices present significant challenges for antivirus software, such as:

  • processor constraints,
  • memory constraints, and
  • definitions and new signature updates to these mobile handsets.

Mobile handsets are now offered with a variety of interfaces and data connection capabilities. Consumers should carefully evaluate security products before deploying them on devices with a small form factor.

Solutions that are hardware-based, perhaps USB devices or SIM-based antivirus solutions, might work better in meeting the needs of mobile handset consumers. Technical evaluation and review on how deploying an antivirus solution on cellular mobile handsets should be considered as scanning process might impact other legitimate applications on the handheld.

SIM-based solutions with antivirus integrated on the small memory footprint might provide a basic solution to combat malware/viruses in protecting PIM and mobile user data. Solutions based on USB and Flash memory allow the user to swap and use these products with a range of hardware devices.

[edit] History

See also: Timeline of notable computer viruses and worms

There are competing claims for the innovator of the first antivirus product. Perhaps the first publicly-known neutralization of a wild PC virus was performed by European Bernt Fix (also Bernd) in early 1987. Fix neutralized an infection of the Vienna virus.[7] [8] The first edition of Polish antivirus software mks_vir was released in 1987; the program was only available with a Polish interface. Autumn 1988 saw antivirus software Dr. Solomon's Anti-Virus Toolkit released by Briton Alan Solomon. By December 1990, the market had matured to the point of nineteen separate antivirus products being on sale including Norton AntiVirus and ViruScan from McAfee.

Peter Tippett made a number of contributions to the budding field of virus detection.[citation needed] He was an emergency-room doctor who also ran a computer software company. He had read an article about the Lehigh virus and questioned whether they would have similar characteristics to biological viruses that attack organisms. From an epidemiological viewpoint, he was able to determine how these viruses were affecting systems within the computer (the boot-sector was affected by the Brain virus, the .com files were affected by the Lehigh virus, and both .com and .exe files were affected by the Jerusalem virus). Tippett’s company Certus International Corp. then began to create anti-virus software programs. The company was sold in 1992 to Symantec Corp, and Tippett went to work for them, incorporating the software he had developed into Symantec’s product, Norton AntiVirus.[citation needed]

A very uncommon use of the term "antivirus" is to apply it to benign viruses that spread and combated malicious viruses. This was common on the Amiga computer platform.[citation needed]

[edit] Effectiveness

Studies in December 2007 have shown that the effectiveness of Antivirus software is much reduced from what it was a few years ago, particularly against unknown or zero day threats.

The German computer magazine c't found that detection rates had dropped to a frightening 20% to 30%, as compared to 40% to 50% only one year earlier. Only one product managed a creditable 68% detection rate.[9]

The problem is magnified by the changing intent of virus authors. Some years ago it was obvious when a virus infection was present. The viruses of the day, written by amateurs, exhibited destructive behavior or popped-up screen messages. Modern viruses are often written by professionals, financed by criminal organizations. It is not in their interests to make their viruses evident, because their purpose is to create bot-nets or steal information for as long as possible without the user realizing this; consequently, they are often well-hidden. If an infected user has a less-than-effective antivirus product that says the computer is clean, then the virus may go undetected. As a result of this, even major antivirus products have failed to detect programs containing malicious behaviour.

[edit] See also

[edit] Notes

  1. ^ Raynal, Frederic (2006-05-16). Malicious cryptography, part two.
  2. ^ Yarden, Jonathan (2005-11-15). Why there is no global antivirus software conspiracy. TechRepublic.
  3. ^ Microsoft Support
  4. ^ Buying Dangerously
  5. ^ Symantec agreement
  6. ^ List of rogue software
  7. ^ Kaspersky Lab Virus list
  8. ^ Wells, Joe (1996-08-30). Virus timeline. IBM. Retrieved on 2008-06-06.
  9. ^ Goodin, Dan (2007-12-21). Anti-virus protection gets worse. Channel Register.

[edit] External links