A variety of strategies are typically employed. Signature-based detection involves searching for known malicious patterns in executable code. However, it is possible for a user to be infected with new malware for which no signature exists yet. To counter such so-called zero-day threats, heuristics can be used. One type of heuristic approach, generic signatures, can identify new viruses or variants of existing viruses by looking for known malicious code (or slight variations of such code) in files. Some antivirus software can also predict what a file will do if opened or run by emulating it in a sandbox and analyzing what it does to see if it performs any malicious actions. If it does, this could mean the file is malicious.

However, no matter how useful antivirus software is, it can sometimes have drawbacks. Antivirus software can degrade computer performance if it is not designed efficiently. Inexperienced users may have trouble understanding the prompts and decisions that antivirus software presents them with. An incorrect decision may lead to a security breach. If the antivirus software employs heuristic detection (of any kind), success depends on achieving the right balance between false positives and false negatives. False positives can be as destructive as false negatives. In one case, a faulty virus signature issued by Symantec mistakenly removed essential operating system files, leaving thousands of PCs unable to boot. Finally, antivirus software generally runs at the highly trusted kernel level of the operating system, creating a potential avenue of attack.

In addition to the drawbacks mentioned above, the effectiveness of antivirus software has also been researched and debated. One study found that the detection success of major antivirus software dropped over a one-year period.

History:
There are competing claims for the innovator of the first antivirus product. Possibly the first publicly documented removal of a computer virus in the wild was performed by Bernt Fix in 1987. Before Internet connectivity was widespread, viruses were typically spread by infected floppy disks. Antivirus software came into use, but was updated relatively infrequently. During this time, virus checkers essentially had to check executable files and the boot sectors of floppy and hard disks. However, as internet usage became common, initially through the use of modems, viruses spread throughout the Internet.

Powerful macros used in word processor applications, such as Microsoft Word, presented a further risk. Virus writers started using the macros to write viruses embedded within documents. This meant that computers could now also be at risk from infection by documents with hidden attached macros as programs. Later email programs, in particular Microsoft Outlook Express and Outlook, were vulnerable to viruses embedded in the email body itself. Now, a user's computer could be infected by just opening or previewing a message. This meant that virus checkers had to check many more types of files. As always-on broadband connections became the norm and more and more viruses were released, it became essential to update virus checkers more and more frequently. Even then, a new zero-day virus could become widespread before antivirus companies released an update to protect against it.

Identification methods:
There are several methods which antivirus software can use to identify malware. Signature based detection is the most common method. To identify viruses and other malware, antivirus software compares the contents of a file to a dictionary of virus signatures. Because viruses can embed themselves in existing files, the entire file is searched, not just as a whole, but also in pieces. Heuristic-based detection, like malicious activity detection, can be used to identify unknown viruses. File emulation is another heuristic approach. File emulation involves executing a program in a virtual environment and logging what actions the program performs. Depending on the actions logged, the antivirus software can determine if the program is malicious or not and then carry out the appropriate disinfection actions.

Signature based detection:
Traditionally, antivirus software heavily relied upon signatures to identify malware. This can be very effective, but cannot defend against malware unless samples have already been obtained and signatures created. Because of this, signature-based approaches are not effective against new, unknown viruses. Because new viruses are being created each day, the signature-based detection approach requires frequent updates of the virus signature dictionary. To assist the antivirus software companies, the software may allow the user to upload new viruses or variants to the company, allowing the virus to be analyzed and the signature added to the dictionary.

Although the signature-based approach can effectively contain virus outbreaks, virus authors have tried to stay a step ahead of such software by writing "oligomorphic", "polymorphic" and, more recently, "metamorphic" viruses, which encrypt parts of themselves or otherwise modify themselves as a method of disguise, so as to not match virus signatures in the dictionary.

Heuristics:
Some more sophisticated antivirus software uses heuristic analysis to identify new malware or variants of known malware. Many viruses start as a single infection and, through either mutation or refinements by other attackers, can grow into dozens of slightly different strains, called variants. Generic detection refers to the detection and removal of multiple threats using a single virus definition. For example, the Vundo trojan has several family members, depending on the antivirus vendor's classification. Symantec classifies members of the Vundo family into two distinct members, Trojan.Vundo and Trojan.Vundo.B. While it may be advantageous to identify a specific virus, it can be quicker to detect a virus family through a generic signature or through an inexact match to an existing signature. Virus researchers find common areas that all viruses in a family share uniquely and can thus create a single generic signature. These signatures often contain non-contiguous code, using wildcard characters where differences lie. These wildcards allow the scanner to detect viruses even if they are padded with extra, meaningless code. Padded code is used to confuse the scanner so it can't recognize the threat. A detection that uses this method is said to be "heuristic detection."

Issues of concern:
Unexpected renewal costs-
Some commercial antivirus software end-user license agreements include a clause that the subscription will be automatically renewed, and the purchaser's credit card automatically billed, at the renewal time without explicit approval. For example, McAfee requires users to unsubscribe at least 60 days before the expiration of the present subscription, while BitDefender sends notifications to unsubscribe 30 days before the renewal. Norton Antivirus also renews subscriptions automatically by default. Open source and free software applications, such as Clam AV, provide both the scanner application and updates free of charge, and so there is no subscription to renew.

Rogue security applications-
Some antivirus programs are actually malware masquerading as antivirus software, such as WinFixer and MS Antivirus.

False positives-
A false positive is identifying a file as a virus when it is not a virus. If an antivirus program is configured to immediately delete or quarantine infected files (or does this by default), false positives in essential files can render the operating system or some applications unusable. Certain AV software, such as AVG Free, has a reputation for false positives.

System related issues-
Running multiple antivirus programs concurrently can degrade performance and create conflicts. It is sometimes necessary to temporarily disable virus protection when installing major updates such as Windows Service Packs or updating graphics card drivers. Active antivirus protection may partially or completely prevent the installation of a major update.

Effectiveness-
Studies in December 2007 have shown that the effectiveness of antivirus software has decreased in recent years, particularly against unknown or zero-day attacks. The German computer magazine c't found that detection rates for these threats had dropped from 40-50% in 2006 to 20-30% in 2007. At that time, the only exception was the NOD32 antivirus, which managed a detection rate of 68 percent. The problem is magnified by the changing intent of virus authors. Some years ago it was obvious when a virus infection was present. The viruses of the day, written by amateurs, exhibited destructive behavior or pop-ups. Modern viruses are often written by professionals, financed by criminal organizations.

Traditional antivirus software solutions run virus scanners on schedule, on demand, and some run scans in real time. If a virus or malware is located, the suspect file is usually placed into a quarantine to terminate its chances of disrupting the system. Traditional antivirus solutions scan and compare against a publicised and regularly updated dictionary of malware, otherwise known as a blacklist. Some antivirus solutions have additional options that employ a heuristic engine, which further examines the file to see if it is behaving in a similar manner to previous examples of malware. A new technology utilized by a few antivirus solutions is whitelisting: this technology first checks whether a file is trusted and only questions those that are not.

Other methods-
Installed antivirus software running on an individual computer is only one method of guarding against viruses. Other methods are also used, including cloud-based antivirus, firewalls and on-line scanners.

Cloud antivirus-
In current antivirus software a new document or program is scanned with only one virus detector at a time. CloudAV would be able to send programs or documents to a network cloud where it will use multiple antivirus and behavioural detection simultaneously. It is more thorough and also has the ability to check the new document's or program's access history. CloudAV is a cloud computing antivirus developed as a product of scientists of the University of Michigan. Each time a computer or device receives a new document or program, that item is automatically detected and sent to the antivirus cloud for analysis. The CloudAV system uses 12 different detectors that act together to tell the PC whether the item is safe to open.

Network firewall-
Network firewalls prevent unknown programs and Internet processes from accessing the protected system. However, they are not antivirus systems as such and thus make no attempt to identify or remove anything. They may protect against infection from outside the protected computer or LAN, and limit the activity of any malicious software which is present by blocking incoming or outgoing requests on certain TCP/IP ports. A firewall is designed to deal with broader system threats that come from network connections into the system and is not an alternative to a virus protection system.

Online scanning-
Some antivirus vendors maintain websites with free online scanning capability of the entire computer, critical areas only, local disks, folders or files.

For best and 100% protection you may use McAfee UK.
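The generic-signature mechanism described under Heuristics (shared family code, wildcards where variants differ, padding absorbed by a gap) together with the "searched in pieces" point from Identification methods, as an added Python example; this is not code from the page, and the ClamAV-like hex signature grammar, the signature names and the sample byte strings are constructed for illustration:

```python
import re
from typing import Dict, Set, Tuple

# Constructed signatures in an assumed ClamAV-like hex grammar (not a real vendor's
# database): "??" matches any single byte, "{n-m}" matches a gap of n..m arbitrary bytes.
SIGNATURES: Dict[str, str] = {
    "Demo.Variant.A": "deadbeef4142434490cc",          # exact: one specific sample
    "Demo.Family.Generic": "deadbeef4142??44{0-8}cc",  # generic: wildcard + padding gap
}

_TOKEN = re.compile(r"\{(\d+)-(\d+)\}|\?\?|[0-9a-fA-F]{2}")

def compile_signature(sig: str) -> Tuple[re.Pattern, int]:
    """Translate a hex signature into a bytes regex; also return its longest possible match."""
    parts, span, pos = [], 0, 0
    for m in _TOKEN.finditer(sig):
        if m.start() != pos:                       # unknown or malformed token: reject, don't guess
            raise ValueError(f"bad token in {sig!r} at offset {pos}")
        pos, tok = m.end(), m.group(0)
        if tok == "??":
            parts.append(b"."); span += 1
        elif tok.startswith("{"):
            lo, hi = int(m.group(1)), int(m.group(2))
            parts.append(b".{%d,%d}" % (lo, hi)); span += hi
        else:
            parts.append(re.escape(bytes.fromhex(tok))); span += 1
    if pos != len(sig) or not parts:
        raise ValueError(f"malformed signature {sig!r}")
    return re.compile(b"".join(parts), re.DOTALL), span

COMPILED = {name: compile_signature(s) for name, s in SIGNATURES.items()}

def scan(data: bytes, chunk_size: int = 4096) -> Set[str]:
    """Scan a file image in pieces; each window overlaps the next by (span - 1) bytes
    so a hit that straddles a chunk boundary is still seen."""
    hits: Set[str] = set()
    for name, (pat, span) in COMPILED.items():
        for start in range(0, len(data), chunk_size):
            if pat.search(data[start:start + chunk_size + span - 1]):
                hits.add(name)
                break
    return hits

# Constructed samples: the original, a variant padded with NOPs (0x90) and one changed
# register byte, and a benign file that must not trigger the generic signature.
SAMPLE_A = b"\x00" * 10 + bytes.fromhex("deadbeef4142434490cc") + b"\x00" * 10
SAMPLE_B = b"\x00" * 10 + bytes.fromhex("deadbeef41424744") + b"\x90" * 5 + b"\xcc"
SAMPLE_BENIGN = b"MZ" + b"hello world " * 8
```

Calling `scan(SAMPLE_B)` returns only the generic name: the padded variant evades the exact signature but not the wildcard one, while the benign sample matches neither, which is the false-positive check a generic signature must pass before it ships.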