Function of Anti-Virus Software

It is really valuable to have anti-virus software on your computer in order to prevent the trouble and damage that computer viruses can cause. The anti-virus software available today is pretty sophisticated and effective. However, "virus writers are often a step ahead of the software, and new viruses are constantly being released that current anti-virus software cannot recognize."

The most important thing you can do is to update your anti-virus software as often as you can, so that its makers can supply it with the list of the most current viruses' code patterns. At the same time, it is also essential to back up your data and information frequently. It is almost impossible to predict the newest virus; producing something unpredictable is exactly what virus writers set out to do. Therefore, unfortunately, a brand new virus is found and warned about only after it has already been executed. Just in case YOU are the very first victim of the newest virus, backing up your files and data is the wise and safest way to protect the information on your computer.

Now, how does anti-virus software work? What are the functions of the software? There are four major methods of virus detection used in the anti-virus software you would buy: scanning, integrity checking, interception, and heuristic detection. Let's look at these methods one by one.

SCANNING
"A scanner will search all files in memory, in the boot sector (the sector on disk that specifies where boot information is), and on disk for code snippets that will uniquely identify a file as a virus.... To prevent false alarms, most scanners also will check the code of a suspected file against either the virus code itself or a checksum of it. (A checksum is a method frequently used to determine if data has been changed, and involves summing all the bits in a file.) This is the most common method of virus detection available, and is implemented in all major anti-virus software packages." [1]

Advantages: "Scanners can find viruses that haven't executed, yet - this is critical for e-mail worms, which can spread themselves rapidly if not stopped." [1]
Disadvantages: "If the software is using a signature string to detect the virus, all a virus writer would have to do is modify the signature string to develop a new virus. The limitation is that a scanner can only scan for something it has the signature of." [1]
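The scanning method above, as an added example that is not from the cited source: a pattern hit is confirmed with a checksum of the matched snippet (the false-alarm check the text describes), and a one-byte change inside the signature string is enough to defeat the match (the disadvantage listed above). The signature, the "virus" body and the scanned files are all constructed stand-ins.

```python
import hashlib
from dataclasses import dataclass

@dataclass(frozen=True)
class Signature:
    name: str
    pattern: bytes       # short code snippet that should uniquely identify the virus
    snippet_len: int     # length of the full snippet that starts with the pattern
    snippet_sha256: str  # checksum of that full snippet, used to confirm a hit

def scan(data: bytes, sigs) -> tuple:
    """Return (matched signature name or None, number of raw pattern hits).

    A pattern hit alone is not a detection: the bytes at the hit are
    checksummed and compared with the recorded value, so a benign file
    that happens to contain the pattern is not reported."""
    hits = 0
    for sig in sigs:
        pos = data.find(sig.pattern)
        while pos != -1:
            hits += 1
            snippet = data[pos:pos + sig.snippet_len]
            if hashlib.sha256(snippet).hexdigest() == sig.snippet_sha256:
                return sig.name, hits
            pos = data.find(sig.pattern, pos + 1)  # checksum mismatch: keep looking
    return None, hits

# Constructed stand-in for a virus body; no real malware bytes are used.
SAMPLE_CODE = b"CONSTRUCTED-SAMPLE-VIRUS-CODE-0001"
SIGS = [Signature("Sample.Constructed", SAMPLE_CODE[:12], len(SAMPLE_CODE),
                  hashlib.sha256(SAMPLE_CODE).hexdigest())]

# Constructed files: an infected one, a benign one that merely contains the
# pattern, a variant with one byte changed inside the pattern, and a clean one.
INFECTED = b"MZ header and normal program bytes " + SAMPLE_CODE + b" trailing bytes"
LOOKALIKE = b"readme: this text also says CONSTRUCTED-something-else entirely"
VARIANT = INFECTED.replace(b"CONSTRUCTED-", b"C0NSTRUCTED-")
CLEAN = b"MZ header and nothing but ordinary program bytes"

if __name__ == "__main__":
    for label, blob in (("infected", INFECTED), ("lookalike", LOOKALIKE),
                        ("variant", VARIANT), ("clean", CLEAN)):
        print(label, scan(blob, SIGS))
```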

INTEGRITY CHECKING
"An integrity checker records integrity information about important files on disk, usually by checksumming. If a file should change due to virus activity or corruption, the file will no longer match the recorded integrity information.... This is an extensive process, and few virus checkers today utilize it." [1]

Advantages: "Integrity checking is the only way to determine whether a virus has damaged a file, and it's fairly foolproof. Most integrity checkers today also have the benefit of detecting other damage to data, such as corruption, and can restore that as well. " [1]
Disadvantages: "The major problem with integrity checking is that not enough companies offer comprehensive integrity checking software.... Simpler integrity checkers won't be able to differentiate between damage done via corruption and damage done via a virus, thus giving the user unclear information as to what's going on."[1]
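The integrity-checking method above, as an added example that is not from the cited source: a SHA-256 per file is recorded as the baseline and later compared, and the baseline is sealed with a keyed HMAC so that whoever can rewrite the monitored files cannot also quietly rewrite the recorded checksums. The file names, contents and key are constructed; as the text notes for simpler checkers, a changed file is reported the same way whether a virus or plain corruption caused it.

```python
import hashlib, hmac, json, os, tempfile
from pathlib import Path

def file_digest(path):
    """SHA-256 of a file (read whole; stream in chunks for very large files)."""
    return hashlib.sha256(Path(path).read_bytes()).hexdigest()

def record_baseline(paths, key):
    """Serialize {path: sha256} together with an HMAC sealing those entries."""
    entries = {p: file_digest(p) for p in sorted(paths)}
    body = json.dumps(entries, sort_keys=True).encode()
    tag = hmac.new(key, body, hashlib.sha256).hexdigest()
    return json.dumps({"entries": entries, "hmac": tag}).encode()

def verify(baseline, key):
    """Return {"changed": [...], "missing": [...]}; raise if the baseline was edited."""
    doc = json.loads(baseline)
    body = json.dumps(doc["entries"], sort_keys=True).encode()
    if not hmac.compare_digest(hmac.new(key, body, hashlib.sha256).hexdigest(), doc["hmac"]):
        raise ValueError("baseline failed HMAC check; its entries cannot be trusted")
    report = {"changed": [], "missing": []}
    for path, recorded in doc["entries"].items():
        if not os.path.exists(path):
            report["missing"].append(path)
        elif file_digest(path) != recorded:  # virus activity and corruption look the same here
            report["changed"].append(path)
    return report

def demo():
    """Constructed scenario: baseline two files, alter one, delete the other, try a forged baseline."""
    key = b"constructed-demo-key"  # in practice kept away from the monitored disk
    tmp = tempfile.mkdtemp()
    a, b = os.path.join(tmp, "a.bin"), os.path.join(tmp, "b.bin")
    Path(a).write_bytes(b"original program")
    Path(b).write_bytes(b"original document")
    baseline = record_baseline([a, b], key)
    Path(a).write_bytes(Path(a).read_bytes() + b"appended code")  # constructed stand-in for infection
    os.remove(b)
    report = verify(baseline, key)
    forged = json.loads(baseline)  # attacker rewrites the recorded checksum to hide the change
    forged["entries"][a] = file_digest(a)
    try:
        verify(json.dumps(forged).encode(), key)
        sealed = False
    except ValueError:
        sealed = True
    return {"changed": [os.path.basename(p) for p in report["changed"]],
            "missing": [os.path.basename(p) for p in report["missing"]], "baseline_sealed": sealed}
```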

HEURISTIC VIRUS CHECKING
"Anti-virus software makers develop a set of rules to distinguish viruses from non-viruses." If a program or code segment should "follow these rules, then it is marked a virus and dealt with accordingly. This allows detection of any virus, and theoretically, should be sufficient to deal with any new virus attacks." [1]

Advantages: "The user doesn't need to download weekly virus updates anymore, because the software can detect all viruses." [1]
Disadvantages: "Not very many software packages available today utilize heuristic virus checking." "Virus writers can easily write viruses that don't obey the rules, making the current set of virus detection rules obsolete.... In addition, the potential for false alarms and not detecting a known virus is greater with heuristic checkers than with scanners." [1]

INTERCEPTION
"Interception software detects virus-like behavior and warns the user about it." [1]

Advantages: "Interception is a good generic method to stop logic bombs and Trojan horses.... When not detected by scanners, interception software will usually detect the destructive and unusual sequences of events caused by logic bombs and Trojan horses." [1]
Disadvantages: "Interceptors aren't very good at detecting anything else.... Due to the nature of an interceptor, this software is unable to detect viruses before they launch, and a lot of damage could already have been done. Combined with their limited usefulness, most software packages disable or strongly limit interception by default." [1]

- Problems with Anti-Virus Software -

  1. "Many copies of anti-virus software are unable to detect even old viruses, because end users frequently forget or simply don't update their virus scanner's virus databases until it's too late."[1]
  2. "While anti-virus software may become extremely good at sensing virus activity, there are always new security holes to exploit in operating system and networking software that would give viruses another entry point that bypasses the anti-virus software. Finding a security hole and getting reported on one of these sites is considered to be an honor among the virus writing community." [1]
  3. "Anti-virus software in use today is fairly effective - but only if it's kept updated and the user takes precautions (such as not opening unfamiliar documents or programs). Despite all this, anti-virus software cannot protect against brand new viruses, and few users take the necessary precautions. A survey was done of corporate computer users, finding that many users still get infected even if they are required to take all the necessary precautions." [1]

Source
[1] http://www-cse.stanford.edu/classes/cs201/projects-00-01/viruses/anti-virus.html