Antivirus Software


Antivirus software (sometimes spelled Anti-Virus or anti-virus with the hyphen) are computer programs that attempt to identify, neutralize or eliminate malicious software. The term "antivirus" is used because the earliest examples were designed exclusively to combat computer viruses; however most modern antivirus software is now designed to combat a wide range of threats, including worms, phishing attacks, rootkits, Trojans, often described collectively as malware.

Virus scanners
Antivirus scanning software, or a virus scanner, is a program which examines all files in specified locations, the contents of memory, the operating system, the registry, unexpected program behavior, and anywhere else relevant with the intention of identifying and removing any malware.
Typically two different approaches are used to identify malware, often in combination, although with an emphasis on the virus dictionary approach.

* examining (scanning) files, etc., for known viruses matching signatures in a virus dictionary, and
* identifying suspicious behavior from any computer program which might indicate infection. This approach is called heuristic analysis, and may include data captures, port monitoring and other methods.

Network firewalls prevent unknown programs and Internet processes from having access to the system protected; they are not antivirus systems as such, and make no attempt to identify or remove anything, but protect against infection, and limit the activity of any malicious software which is present by blocking incoming or outgoing requests on certain TCP/IP ports.

Dictionary
In the virus dictionary approach, when the antivirus software looks at a file, it refers to a dictionary of known viruses that the authors of the antivirus software have identified. If a piece of code in the file matches any virus identified in the dictionary, then the antivirus software can take one of the following actions:

1. attempt to repair the file by removing the virus itself from the file,
2. quarantine the file (such that the file remains inaccessible to other programs and its virus can no longer spread), or
3. delete the infected file.
To achieve consistent success in the medium and long term, the virus dictionary approach requires frequent (generally online) downloads of updated virus dictionary entries. Civically-minded and technically-inclined users, and those who want help find viruses not detected by the software, can send their infected files to the authors of antivirus software, who analyze them and include identifying features and removal information in their dictionaries.

Dictionary-based antivirus software typically examines files when the computer's operating system creates, opens, closes, or e-mails them. In this way it can detect a known virus immediately upon receipt. System administrators can schedule antivirus software to examine (scan) all files on the computer's hard disk on a regular basis.
Although the dictionary approach can effectively contain virus outbreaks in the right circumstances, virus authors have tried to stay a step ahead of such software by writing "oligomorphic", "polymorphic" and more recently "metamorphic" viruses, which encrypt parts of themselves or otherwise modify themselves as a method of disguise, so as to not match virus signatures in the dictionary.

An emerging technique to deal with malware in general is whitelisting. Rather than looking for only known bad software, this technique prevents execution of all computer code except that which has been previously identified as trustworthy by the system administrator. By following this "default deny" approach, the limitations inherent in keeping virus signatures up to date are avoided. Additionally, computer applications that are unwanted by the system administrator are prevented from executing since they are not on the whitelist. Since modern enterprise organizations have large quantities of trusted applications, the limitations of adopting this technique rest with the system administrators' ability to properly inventory and maintain the whitelist of trusted applications. Viable implementations of this technique include tools for automating the inventory and whitelist maintenance processes.

Suspicious behavior - heuristics
The suspicious behavior approach, by contrast, does not attempt to identify known viruses, but instead monitors the behavior of all programs. If one program tries to write data to an executable program, for example, the antivirus software can flag this suspicious behavior, alert a user, and ask what to do.
Unlike the dictionary approach, the suspicious behavior approach therefore provides protection against brand-new viruses that do not yet exist in any virus dictionaries. However, it can also sound a large number of false positives, and users probably become desensitized to all the warnings. If the user clicks "Accept" on every such warning, then the antivirus software obviously gives no benefit to that user. This problem has worsened since 1997[citation needed], since many more non-malicious program designs came to modify other .exe files without regard to this false positive issue. Therefore, most modern antivirus software uses this technique less and less.

File Emulation - heuristics
Some antivirus software use other types of heuristic analysis. For example, it could try to emulate the beginning of the code of each new executable that the system invokes before transferring control to that executable. If the program seems to use self-modifying code or otherwise appears as a virus (if it immediately tries to find other executables, for example), one could assume that a virus has infected the executable. However, this method could result in a lot of false positives.

Virus removal tools
A virus removal tool is software for removing specific viruses from infected computers. Unlike general-purpose virus scanners, it is not intended to detect and remove, ideally, all known viruses; rather it is designed to remove specific viruses more effectively and completely than a general-purpose program. Many single-virus tools will be found searching the Worldwide-Web for "virus removal tool"; others, such as McAfee Stinger and the Microsoft Malicious Software Removal Tool run automatically by Windows update, are designed to remove a limited numbers of viruses. Many of these tools are available for free download.
If a virus is identified by a general-purpose scanner it may not be entirely removed; once the virus has been identified, running a tool designed specifically for it can do a better job of cleaning.

Mobile devices
Viruses from the desktop and laptop world have either migrated to, or are assisted in their dispersal by mobile devices. Antivirus vendors are beginning to offer solutions for mobile handsets. These devices present significant challenges for antivirus software, such as:

* processor constraints,
* memory constraints, and
* definitions and new signature updates to these mobile handsets.
Mobile handsets are now offered with a variety of interfaces and data connection capabilities. Consumers should carefully evaluate security products before deploying them on devices with a small form factor.
Solutions that are hardware-based, perhaps USB devices or SIM-based antivirus solutions, might work better in meeting the needs of mobile handset consumers. Technical evaluation and review on how deploying an antivirus solution on cellular mobile handsets should be considered as scanning process might impact other legitimate applications on the handheld.
SIM-based solutions with antivirus integrated on the small memory footprint might provide a basic solution to combat malware/viruses in protecting PIM and mobile user data. Solutions based on USB and Flash memory allow the user to swap and use these products with a range of hardware devices.

0 comments:

Post a Comment

 

NBA Live Streaming. Copyright 2008 All Rights Reserved Revolution Two Church theme by Brian Gardner Converted into Blogger Template by Bloganol dot com | Distributed by Blogger Templates Blog