A computer virus is a self-replicating program which
installs itself on your computer without your consent. It does so by
inserting itself into other programs, data files, or the boot sector of
your hard drive. Once this happens, the affected areas are said to be
'infected'.
The vast majority of viruses perform some sort of
harmful activity on their hosts. A virus may access your confidential
information (such as your banking details), corrupt data or steal hard
disk space or processing power, log your key-strokes and spam your
contacts. If you are extra lucky, however, it might only display
humorous, scatological or political messages on your screen.
Anti-virus software
is used to detect and remove computer viruses. It consists of two basic
types: signature scanners and heuristic detectors. Signature scanning
is used to identify known threats, while heuristics are used to find
unknown viruses.
Infected files
In the old days...
less than a decade ago... most viruses were contained in executable (or
program) files, ie files with extensions such as .exe or .com, so
anti-virus software only had to check these kinds of files. Nowadays
anti-virus software has to check a greater variety of files, including
Microsoft Word documents and other non-executable (and seemingly
harmless) files.
In MS Word, a macro is a set of
instructions you record and associate with a shortcut or name. You can
use a macro, for example, to save the text of a legal disclaimer. You
can then add the text to any document you are writing (without having to
retype the disclaimer) by just pressing the particular shortcut key
combination or clicking the macro name.
Despite the time they can
save, macros present a risk. Rogue programmers can use them to hide
viruses within documents which they send as email attachments to
unsuspecting victims. Once they open the attachments, the victim's
computer is infected.
Nasty little programs can also be embedded in other non-executable files, so that opening these files can result in infections.
Some
email programs, such as MS Outlook Express and Outlook in particular,
are vulnerable to viruses embedded in the body of an email. You can
infect your computer just by opening or previewing a message.
Identifying viruses
There
are several methods which antivirus software can use to identify files
containing viruses: signature scanning, heuristic detection, and file
emulation.
Signature scanners
Signature-based
detection is the most common method of identifying viruses. It involves
searching the contents of a computer's boot record, programs, and macros
for known patterns of code that match known viruses. Because viruses
can embed themselves anywhere in existing files, the files have to be
searched in their entirety.
The creators of the anti-virus software maintain the characteristics of known viruses in tables called dictionaries of virus signatures.
Because thousands of new viruses are being created every day, the
tables of virus signatures have to be updated regularly if the
anti-virus software is to be effective when it checks files against
these lists.
To avoid detection, rogue programmers can create
viruses that encrypt parts of themselves or that modify themselves so
that they do not match the virus signatures in the dictionary.
In
practice, the signature-based approach has proved very effective against
most viruses. However it cannot be used to find unknown viruses, or
viruses that have been modified. To counter these threats, heuristics
need to be used.
Heuristic detectors
Heuristic-based
detection involves trial-and-error guided by past experience. Heuristic
detectors will, for example, look for sections of code that are
characteristic of viruses, such as being programmed to launch on a
particular date.
The use of generic signatures is a
type of heuristic approach that can identify variants of known viruses
by looking for slight variations of known malicious code in files. This
makes it possible to detect known viruses that have been modified.
File emulation
File emulation is another heuristic approach. It involves running a file in a sandbox, an isolated part of a computer in which untrusted programs can be run safely, to see what it does.
The
actions the program performs are logged and if any of these are deemed
to be malicious, the anti-virus software can carry out appropriate
actions to disinfect the computer.
Memory-resident anti-virus software
Memory-resident
anti-virus software installs programs in RAM that continue to operate
in the background while other applications are running.
A
computer's hard disk is where computer programs and files are stored,
while RAM (random access memory) is the memory that programs use when
they are running. When starting, a program is first loaded into RAM.
Once programs have finished running they exit RAM. In addition, RAM is
volatile, ie when the power is turned off everything in RAM is wiped
out. By contrast, the programs and files on your hard disk remain when
your computer is powered off.
Memory-resident anti-virus programs
monitor a computer's operations for any action associated with viruses,
such as downloading files, running programs directly from an internet
site, copying or unzipping files, or attempting to modify program code.
It will also be on the look out for programs that try to remain in
memory after they've been executed.
When they detect suspicious
activity, memory-resident programs halt operations, display a warning
message, and wait for the user's OK before allowing operations to
resume.
Drawbacks
Despite its undoubted benefits,
antivirus software has a few drawbacks. Because it uses computer
resources, it may slow your computer down a bit, though this is not
usually very significant.
No anti-virus software can provide full
protection against all viruses, known and unknown. Once installed,
however, it can lull you into a false sense of security. You may also
find it difficult to comprehend the prompts and decisions the software
throws up on your screen now and then. An incorrect decision may result
in an infection.
Most anti-virus software uses heuristic detection. This must be fine-tuned in order to minimise false positives, ie the misidentification of non-malicious files as a viruses.
False
positives can cause serious problems. If an antivirus program is
configured to immediately delete or quarantine infected files, a false
positive on an essential file can render the operating system or some
applications unusable. This has happened several times in recent years,
even with major anti-virus service providers such as Symantec, Norton
AntiVirus, McAfee, AVG and Microsoft.
Anti-virus software can also
pose its own threat, because it usually runs at the highly trusted
kernel level of the operating system, thus creating a potential avenue
of attack. It needs to do this in order to have access to all potential
malicious process and files. There have been cases where anti-virus
software has itself been infected with a virus.
By
Paul D Kennedy
No comments:
Post a Comment