The ideal solution to the threat of viruses is prevention: do not allow a virus to get into the system in the first place. Prevention cannot be made perfect, so the next best approach is to be able to do the following:
Detection: Once the infection has occurred, determine that it has occurred and locate the virus.
Identification: Once detection has been achieved, identify the specific virus that has infected a program.
Removal: Once the specific virus has been identified, remove all traces of the virus from the infected program and restore it to its original state. Remove the virus from all infected systems so that the virus cannot spread further.
If detection succeeds but either identification or removal is not possible, then the alternative is to discard the infected program and reload a clean backup version.
Antivirus software has evolved through four generations:
First generation: simple scanners
Second generation: heuristic scanners
Third generation: activity traps
Fourth generation: full-featured protection
A first-generation scanner requires a virus signature to identify a virus. Such signature-specific scanners are limited to the detection of known viruses. Another type of first-generation scanner maintains a record of the length of programs and looks for changes in length, a check that a virus which preserves the host's original length defeats.
A second-generation scanner does not rely on a specific signature. Rather, the scanner uses heuristic rules to search for probable virus infection. One class of such scanners looks for fragments of code that are often associated with viruses. Another second-generation approach is integrity checking. A checksum can be appended to each program. If a virus infects the program without updating the checksum, then an integrity check will catch the change. To counter a virus that is sophisticated enough to recompute the checksum when it infects a program, an encrypted (keyed) hash function can be used. The key is stored separately from the program, so the virus cannot generate a new hash code and encrypt it. Using a hash function rather than a simple checksum also prevents the virus from adjusting the infected program so that it produces the same hash code as before.
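The two halves of that argument, as an added example that is not part of the original text: a virus appends itself to a program and pads so that a simple additive checksum still matches, while a keyed hash (HMAC-SHA256 here, standing in for the "encrypted hash function" above, with the key held off the host) still rejects the infected file. The program bytes, the payload and the checksum format are constructed for the example.

```python
import hmac
import os

# Constructed sample "program" and "virus" bytes; no real malware involved.
CLEAN_PROGRAM = b"\x55\x48\x89\xe5" + b"hello, world\n" * 8 + b"\xc3"
PAYLOAD = b"<constructed virus body>"


def additive_checksum(data: bytes) -> int:
    """The kind of simple 16-bit checksum a scanner might append to a program."""
    return sum(data) & 0xFFFF


def infect_preserving_checksum(program: bytes, payload: bytes) -> bytes:
    """Attacker side: append the payload, then pad so the additive checksum is unchanged."""
    infected = program + payload
    deficit = (additive_checksum(program) - additive_checksum(infected)) & 0xFFFF
    # bytes whose values sum to `deficit` (mod 2**16) cancel the change the payload made
    pad = bytes([0xFF] * (deficit // 0xFF) + [deficit % 0xFF])
    return infected + pad


def make_tag(program: bytes, key: bytes) -> bytes:
    """Defender side: keyed hash over the program; the key never lives next to the file."""
    return hmac.new(key, program, "sha256").digest()


def verify_tag(program: bytes, key: bytes, tag: bytes) -> bool:
    # constant-time comparison so the integrity check itself does not leak the tag
    return hmac.compare_digest(make_tag(program, key), tag)


def demo():
    """Returns (checksum_fooled, keyed_hash_caught) for one infection of CLEAN_PROGRAM."""
    key = os.urandom(32)  # assumed to be stored separately from the protected program
    tag = make_tag(CLEAN_PROGRAM, key)
    infected = infect_preserving_checksum(CLEAN_PROGRAM, PAYLOAD)
    checksum_fooled = additive_checksum(infected) == additive_checksum(CLEAN_PROGRAM)
    keyed_hash_caught = not verify_tag(infected, key, tag)
    return checksum_fooled, keyed_hash_caught
```

The padding trick works against any checksum that is a linear function of the byte values; a cryptographic hash has no such structure, and the key stops the virus from simply recomputing the tag over the file it just modified.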
Third-generation programs are
memory-resident programs that identify a virus by its actions rather than its structure in an
infected program. Such programs have the advantage that it is not necessary to
develop signatures and heuristics for a wide array of viruses. Rather, it is
necessary only to identify the small set of actions that indicate an infection
is being attempted and then to intervene.
Fourth-generation products are packages consisting of a variety of antivirus techniques used in conjunction. These include scanning and activity-trap components. In addition, such a package includes access control capability, which limits the ability of viruses to penetrate a system and then limits the ability of a virus to update files in order to pass on the infection. The arms race continues. With fourth-generation packages, a more comprehensive defense strategy is employed, broadening the scope of defense to more general-purpose computer security measures.
Advanced Antivirus Techniques
More sophisticated antivirus approaches and products continue to appear. In this subsection, we highlight two of the most important.
Generic Decryption
Generic decryption (GD) technology enables the antivirus program to easily detect even the most complex polymorphic viruses while maintaining fast scanning speeds. A polymorphic virus must decrypt its own body before it can run; to catch that behavior, executable files are run through a GD scanner, which contains the following elements:
CPU emulator: A software-based virtual computer. Instructions in an executable file are interpreted by the emulator rather than executed on the underlying processor. The emulator includes software versions of all registers and other processor hardware, so that the underlying processor is unaffected by programs interpreted on the emulator.
Virus signature scanner: A module that scans the target code looking for known virus signatures.
Emulation control module: Controls the execution of the target code.
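The three elements working together, as an added example that is not from the original text or from any real GD product: a toy CPU emulator interprets a constructed bytecode, a signature scanner looks for a fixed byte string, and a control module runs the sample and invokes the scanner every few instructions. The sample is a "polymorphic" body XORed with a per-copy key behind a small decryptor stub, so the same signature never appears on disk but does appear in emulated memory once the stub has run. Opcodes, the sample body and the signature are all invented for the example.

```python
# Toy generic-decryption (GD) scanner. Everything below is constructed for the example.
SIGNATURE = b"PAYLOAD-SIG"              # what the signature scanner looks for
BODY = b"MALWARE-PAYLOAD-SIG-BODY"      # plaintext virus body (constructed)
BODY_START = 0x14                       # body follows the 20-byte decryptor stub

OP_MOV, OP_XORM, OP_INC, OP_DEC, OP_JNZ, OP_HALT = 0x10, 0x20, 0x30, 0x40, 0x50, 0xFF


def build_variant(key: int) -> bytes:
    """One polymorphic copy: a fixed decryptor stub plus the body XORed with a per-copy key."""
    assert 1 <= key <= 0xFF
    stub = bytes([
        OP_MOV, 0, BODY_START,   # r0 = pointer into the encrypted body
        OP_MOV, 1, len(BODY),    # r1 = bytes left to decrypt
        OP_MOV, 2, key,          # r2 = key (differs per copy, so the on-disk bytes differ)
        OP_XORM, 0, 2,           # offset 0x09: mem[r0] ^= r2
        OP_INC, 0,
        OP_DEC, 1,
        OP_JNZ, 1, 0x09,         # loop until r1 == 0
        OP_HALT,
    ])
    assert len(stub) == BODY_START
    return stub + bytes(b ^ key for b in BODY)


def emulate(mem: bytearray, max_steps: int = 10_000):
    """CPU emulator: interprets the bytecode in `mem`, yielding after every instruction.
    Registers and memory are plain Python objects; nothing runs on the host CPU."""
    regs = [0, 0, 0, 0]
    pc = 0
    for step in range(1, max_steps + 1):
        op = mem[pc]
        if op == OP_MOV:
            regs[mem[pc + 1]] = mem[pc + 2]
            pc += 3
        elif op == OP_XORM:
            mem[regs[mem[pc + 1]]] ^= regs[mem[pc + 2]]
            pc += 3
        elif op == OP_INC:
            regs[mem[pc + 1]] = (regs[mem[pc + 1]] + 1) & 0xFF
            pc += 2
        elif op == OP_DEC:
            regs[mem[pc + 1]] = (regs[mem[pc + 1]] - 1) & 0xFF
            pc += 2
        elif op == OP_JNZ:
            pc = mem[pc + 2] if regs[mem[pc + 1]] else pc + 3
        elif op == OP_HALT:
            return
        else:
            raise ValueError(f"unknown opcode {op:#x} at {pc:#x}")
        yield step


def static_scan(sample: bytes) -> bool:
    """Plain signature scanner over the file as stored on disk."""
    return SIGNATURE in sample


def gd_scan(sample: bytes, scan_interval: int = 16, max_steps: int = 10_000):
    """Emulation control module: run the sample in the emulator and call the signature
    scanner every `scan_interval` instructions. Returns (found, instructions_executed)."""
    mem = bytearray(sample)        # private copy; the real file is never executed
    steps = 0
    for steps in emulate(mem, max_steps):
        if steps % scan_interval == 0 and SIGNATURE in mem:
            return True, steps
    return SIGNATURE in mem, steps
```

The instruction budget (`max_steps`) is the practical knob: too small and a stub with a long junk loop never reaches its body, too large and scanning slows down, which is why real GD scanners also use heuristics to decide when to stop emulating.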
Digital Immune System
The digital immune system is a comprehensive approach to virus protection developed by IBM. The motivation for this development has been the rising threat of Internet-based virus propagation. Two major trends in Internet technology have had an increasing impact on the rate of virus propagation in recent years:
Integrated mail systems: Systems such as Lotus Notes and Microsoft Outlook make it very simple to send anything to anyone and to work with objects that are received.
Mobile-program systems: Capabilities such as Java and ActiveX allow programs to move on their own from one system to another.
The digital immune system operates as follows:
1. A monitoring program on each PC uses a variety of heuristics based on system behavior, suspicious changes to programs, or family signature to infer that a virus may be present. The monitoring program forwards a copy of any program thought to be infected to an administrative machine within the organization.
2. The administrative machine encrypts the sample and sends it to a central virus analysis machine.
3. This machine creates an environment in which the infected program can be safely run for analysis. Techniques used for this purpose include emulation, or the creation of a protected environment within which the suspect program can be executed and monitored. The virus analysis machine then produces a prescription for identifying and removing the virus.
4. The resulting prescription is sent back to the administrative machine.
5. The administrative machine forwards the prescription to the infected client.
6. The prescription is also forwarded to other clients in the organization.
7. Subscribers around the world receive regular antivirus updates that protect them from the new virus.
The success of the digital immune system depends on the ability of the virus analysis machine to detect new and innovative virus strains. By constantly analyzing and monitoring the viruses found in the wild, it should be possible to continually update the digital immune software to keep up with the threat.
Behavior-Blocking Software
Unlike heuristics or fingerprint-based scanners, behavior-blocking software integrates with the operating system of a host computer and monitors program behavior in real time for malicious actions. Monitored behaviors can include the following:
Attempts to open, view, delete, and/or modify files;
Attempts to format disk drives and other unrecoverable disk operations;
Modifications to the logic of executable files or macros;
Modification of critical system settings, such as start-up settings;
Scripting of e-mail and instant messaging clients to send executable content; and
Initiation of network communications.
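A minimal behavior blocker over that list, as an added example that is not part of the original text or of any real product: a rule set judges each intercepted action, blocks the malicious ones as they arrive, and terminates a process once it has been blocked a set number of times. The event stream, the process names, the rule thresholds and the `Verdict` shape are all constructed for the example; a real blocker would receive these events from kernel or API hooks.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional

# Constructed event stream in the shape a hook layer might deliver:
# (process name, action, target). Not real telemetry.
EVENTS = [
    ("notepad.exe", "file_write",     r"C:\Users\a\notes.txt"),
    ("invoice.exe", "file_write",     r"C:\Windows\System32\kernel32.dll"),
    ("invoice.exe", "registry_write", r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"),
    ("invoice.exe", "mail_script",    "outlook:send attachment=invoice.exe"),
    ("invoice.exe", "net_connect",    "198.51.100.7:4444"),
    ("invoice.exe", "format_disk",    r"\\.\D:"),
    ("browser.exe", "net_connect",    "93.184.216.34:443"),
]

EXECUTABLE_SUFFIXES = (".exe", ".dll", ".sys", ".scr")
STARTUP_KEYS = (r"\CurrentVersion\Run", r"\CurrentVersion\RunOnce")
TERMINATE_AFTER = 3   # blocked actions before the process is killed (assumed policy)


@dataclass
class Verdict:
    process: str
    action: str
    target: str
    decision: str   # "allow", "block" or "terminate"
    reason: str


def judge(action: str, target: str) -> Optional[str]:
    """Return the reason an action is refused, or None if it is allowed to proceed."""
    lowered = target.lower()
    if action == "format_disk":
        return "unrecoverable disk operation"
    if action == "file_write" and lowered.endswith(EXECUTABLE_SUFFIXES):
        return "modification of executable code"
    if action == "registry_write" and any(k.lower() in lowered for k in STARTUP_KEYS):
        return "modification of start-up settings"
    if action == "mail_script" and "attachment=" in lowered and lowered.endswith(EXECUTABLE_SUFFIXES):
        return "scripting mail client to send executable content"
    return None   # plain file access and network initiation are logged but not blocked here


class BehaviorBlocker:
    """Per-process state: count of blocked actions and the set of terminated processes."""

    def __init__(self, terminate_after: int = TERMINATE_AFTER):
        self.terminate_after = terminate_after
        self.blocked = defaultdict(int)
        self.terminated = set()

    def handle(self, process: str, action: str, target: str) -> Verdict:
        if process in self.terminated:
            return Verdict(process, action, target, "terminate", "process already terminated")
        reason = judge(action, target)
        if reason is None:
            return Verdict(process, action, target, "allow", "")
        self.blocked[process] += 1
        if self.blocked[process] >= self.terminate_after:
            self.terminated.add(process)
            return Verdict(process, action, target, "terminate", reason + "; repeat offender")
        return Verdict(process, action, target, "block", reason)


def run(events=EVENTS):
    """Feed the event stream through one blocker instance and return every verdict in order."""
    blocker = BehaviorBlocker()
    return [blocker.handle(*event) for event in events]
```

The blocking decision is made before the action completes, which is the point of the technique; the price is that legitimate software (an installer writing a DLL, an update service editing a Run key) trips the same rules, so real products pair these rules with allow-lists and reputation data to keep false positives down.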
If the behavior blocker detects that a program is initiating would-be malicious behaviors as it runs, it can block these behaviors in real time and/or terminate the offending software. This gives it a fundamental advantage over such established antivirus detection techniques as fingerprinting or