This article was written by Paul D Kennedy. The source of this article is at the bottom.
A computer virus is a self-replicating program which installs itself on your computer without your consent. It does so by inserting itself into other programs, data files, or the boot sector of your hard drive. Once this happens, the affected areas are said to be 'infected'.
The vast majority of viruses perform some sort of harmful activity on their hosts. A virus may access your confidential information (such as your banking details), corrupt data or steal hard disk space or processing power, log your key-strokes and spam your contacts. If you are extra lucky, however, it might only display humorous, scatological or political messages on your screen.
Anti-virus software is used to detect and remove computer viruses. It consists of two basic types: signature scanners and heuristic detectors. Signature scanning is used to identify known threats, while heuristics are used to find unknown viruses.
Infected files
In the old days... less than a decade ago... most viruses were contained in executable (or program) files, ie files with extensions such as .exe or .com, so anti-virus software only had to check these kinds of files. Nowadays anti-virus software has to check a greater variety of files, including Microsoft Word documents and other non-executable (and seemingly harmless) files.
In MS Word, a macro is a set of instructions you record and associate with a shortcut or name. You can use a macro, for example, to save the text of a legal disclaimer. You can then add the text to any document you are writing (without having to retype the disclaimer) by just pressing the particular shortcut key combination or clicking the macro name.
Despite the time they can save, macros present a risk. Rogue programmers can use them to hide viruses within documents which they send as email attachments to unsuspecting victims. Once the victims open the attachments, their computers are infected.
Nasty little programs can also be embedded in other non-executable files, so that opening these files can result in infections.
Some email programs, such as MS Outlook Express and Outlook in particular, are vulnerable to viruses embedded in the body of an email. You can infect your computer just by opening or previewing a message.
Identifying viruses
There are several methods which antivirus software can use to identify files containing viruses: signature scanning, heuristic detection, and file emulation.
Signature scanners
Signature-based detection is the most common method of identifying viruses. It involves searching the contents of a computer's boot record, programs, and macros for known patterns of code that match known viruses. Because viruses can embed themselves anywhere in existing files, the files have to be searched in their entirety.
The creators of the anti-virus software maintain the characteristics of known viruses in tables called dictionaries of virus signatures. Because thousands of new viruses are being created every day, the tables of virus signatures have to be updated regularly if the anti-virus software is to be effective when it checks files against these lists.
To avoid detection, rogue programmers can create viruses that encrypt parts of themselves or that modify themselves so that they do not match the virus signatures in the dictionary.
In practice, the signature-based approach has proved very effective against most viruses. However, it cannot be used to find unknown viruses, or viruses that have been modified. To counter these threats, heuristics need to be used.
Heuristic detectors
Heuristic-based detection involves trial-and-error guided by past experience. Heuristic detectors will, for example, look for sections of code that are characteristic of viruses, such as being programmed to launch on a particular date.
The use of generic signatures is a type of heuristic approach that can identify variants of known viruses by looking for slight variations of known malicious code in files. This makes it possible to detect known viruses that have been modified.
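The following is an added example, not part of the original article, showing the two ideas just described side by side: an exact signature scan over the whole contents of a file, and a generic signature with wildcard bytes that still matches a slightly modified variant. The signature dictionary, the "Example.*" names and the sample files are all constructed for illustration and are not real virus signatures.

```python
import re

# Constructed, hypothetical signature dictionary (not a real AV database).
# Exact signatures are raw byte patterns. Generic signatures use '??' as a
# one-byte wildcard so slight variations of the same code are still matched.
EXACT_SIGNATURES = {
    "Example.Exact.A": bytes.fromhex("deadbeef4142434400"),
}
GENERIC_SIGNATURES = {
    "Example.Generic.A": "de ad be ef ?? ?? ?? ?? 00",
}


def generic_to_regex(pattern: str) -> re.Pattern:
    """Turn a space-separated hex pattern with '??' wildcards into a bytes regex."""
    parts = []
    for tok in pattern.split():
        if tok == "??":
            parts.append(b".")                       # any single byte
        else:
            parts.append(re.escape(bytes([int(tok, 16)])))
    # DOTALL so the wildcard also matches a newline byte (0x0a).
    return re.compile(b"".join(parts), re.DOTALL)


def scan(data: bytes) -> list:
    """Return the names of all signatures found anywhere in the data.

    The whole buffer is searched rather than just the header, because a virus
    may have inserted itself anywhere in the host file.
    """
    hits = []
    for name, sig in EXACT_SIGNATURES.items():
        if data.find(sig) != -1:
            hits.append(name)
    for name, pat in GENERIC_SIGNATURES.items():
        if generic_to_regex(pat).search(data):
            hits.append(name)
    return hits


# Constructed sample files: a clean host, the host with the known code inserted
# in the middle, and the host with a variant that differs by one byte (0x42 -> 0x45).
HOST = b"MZ" + b"\x90" * 16 + b"legitimate program code" + b"\x00" * 8
CLEAN_FILE = HOST
INFECTED_FILE = HOST[:10] + EXACT_SIGNATURES["Example.Exact.A"] + HOST[10:]
VARIANT_FILE = HOST[:10] + bytes.fromhex("deadbeef4145434400") + HOST[10:]

if __name__ == "__main__":
    for label, sample in [("clean", CLEAN_FILE), ("infected", INFECTED_FILE),
                          ("variant", VARIANT_FILE)]:
        print(label, scan(sample))
```

The variant is missed by the exact signature but caught by the generic one, which is exactly the gap the article says generic signatures close; a signature database that is never updated would miss both the variant and any genuinely new code.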
File emulation
File emulation is another heuristic approach. It involves running a file in a sandbox, an isolated part of a computer in which untrusted programs can be run safely, to see what it does.
The actions the program performs are logged and if any of these are deemed to be malicious, the anti-virus software can carry out appropriate actions to disinfect the computer.
Memory-resident anti-virus software
Memory-resident anti-virus software installs programs in RAM that continue to operate in the background while other applications are running.
A computer's hard disk is where computer programs and files are stored, while RAM (random access memory) is the memory that programs use when they are running. When starting, a program is first loaded into RAM. Once programs have finished running they exit RAM. In addition, RAM is volatile, ie when the power is turned off everything in RAM is wiped out. By contrast, the programs and files on your hard disk remain when your computer is powered off.
Memory-resident anti-virus programs monitor a computer's operations for any action associated with viruses, such as downloading files, running programs directly from an internet site, copying or unzipping files, or attempting to modify program code. They will also be on the lookout for programs that try to remain in memory after they've been executed.
When they detect suspicious activity, memory-resident programs halt operations, display a warning message, and wait for the user's OK before allowing operations to resume.
Drawbacks
Despite its undoubted benefits, antivirus software has a few drawbacks. Because it uses computer resources, it may slow your computer down a bit, though this is not usually very significant.
No anti-virus software can provide full protection against all viruses, known and unknown. Once installed, however, it can lull you into a false sense of security. You may also find it difficult to comprehend the prompts and decisions the software throws up on your screen now and then. An incorrect decision may result in an infection.
Most anti-virus software uses heuristic detection. This must be fine-tuned in order to minimise false positives, ie the misidentification of non-malicious files as viruses.
False positives can cause serious problems. If an antivirus program is configured to immediately delete or quarantine infected files, a false positive on an essential file can render the operating system or some applications unusable. This has happened several times in recent years, even with major anti-virus service providers such as Symantec, Norton AntiVirus, McAfee, AVG and Microsoft.
Anti-virus software can also pose its own threat, because it usually runs at the highly trusted kernel level of the operating system, thus creating a potential avenue of attack. It needs to do this in order to have access to all potentially malicious processes and files. There have been cases where anti-virus software has itself been infected with a virus.
Finally, it's best to remember that not all heuristic methods can detect new viruses. This is because the rogue programmers, before booting their new viruses into cyberspace, will test them on the major anti-virus applications to make sure that they are not detectable!
Paul Kennedy is the marketing manager of Jupiter Support (Ireland). He can be contacted by email to paul@jupitersupport.ie. You can also go to jupitersupport.ie where you can use chat or Skype to talk with a technician free of charge. Alternatively you can call 0766803006 to speak to a technician and get free advice/diagnosis. Jupiter Support only charges a fixed fee of €19.99 to rid your computer of any and all viruses on a no-fix/no-fee basis.
Article Source: http://EzineArticles.com/?expert=Paul_D_Kennedy
Article Source: http://EzineArticles.com/8239373