Friday, June 9, 2017

How does anti-virus software work?

An anti-virus program is software that scans files to identify and eliminate computer viruses and other malicious software (malware).

Anti-virus software typically uses two different techniques to accomplish this:

* Examining files to look for known viruses by means of a virus dictionary
* Identifying suspicious behavior from any computer program which might indicate infection 

Most commercial anti-virus software uses both of these approaches, with an emphasis on the virus dictionary approach.

Virus dictionary approach
In the virus dictionary approach, when the anti-virus software examines a file, it refers to a dictionary of known viruses that have been identified by the author of the anti-virus software. If a piece of code in the file matches any virus identified in the dictionary, the anti-virus software can either delete the file, quarantine it so that the file is inaccessible to other programs and its virus is unable to spread, or attempt to repair the file by removing the virus itself from the file.

To be successful in the medium and long term, the virus dictionary approach requires periodic online downloads of updated virus dictionary entries. As new viruses are identified "in the wild", civically minded and technically inclined users can send their infected files to the authors of anti-virus software, who then include information about the new viruses in their dictionaries.

Dictionary-based anti-virus software typically examines files when the computer's operating system creates, opens, and closes them, and when the files are e-mailed. In this way, a known virus can be detected immediately upon receipt. The software can also typically be scheduled to examine all files on the user's hard disk on a regular basis.

Although the dictionary approach is considered effective, virus authors have tried to stay a step ahead of such software by writing "polymorphic viruses", which encrypt parts of themselves or otherwise modify themselves as a method of disguise, so as not to match the virus's signature in the dictionary.

Suspicious behavior approach
The suspicious behavior approach, by contrast, doesn't attempt to identify known viruses, but instead monitors the behavior of all programs. If one program tries to write data to an executable program, for example, this is flagged as suspicious behavior and the user is alerted to this and asked what to do.

Unlike the dictionary approach, the suspicious behavior approach therefore provides protection against brand-new viruses that do not yet exist in any virus dictionary. However, it also raises a large number of false positives, and users probably become desensitized to all the warnings. If the user clicks "Accept" on every such warning, then the anti-virus software is obviously useless to that user. This problem has been made especially worse over the past 7 years, since many more non-malicious program designs chose to modify other .exes without regard to this false positive issue. Thus, most modern anti-virus software uses this technique less and less.
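The following Python sketch is an added example, not code from the original post: it runs the rule described above ("a program writes into an executable file") over a constructed event log and scores the alerts against constructed ground truth, so the false positive problem and the "Accept on everything" failure mode are both visible. The event log, the process names, the MALICIOUS set and the two user behaviours are all constructed for this example.

```python
# Added example: a minimal suspicious-behaviour monitor over a constructed
# event stream.  Nothing here hooks a real operating system.

EXECUTABLE_SUFFIXES = (".exe", ".dll", ".scr", ".com")

# Constructed event log: (process that acted, operation, target path).
# A real-time monitor would see these as intercepted file-system calls.
EVENTS = [
    ("notepad.exe", "write", r"C:\Users\alice\notes.txt"),
    ("worm.exe",    "write", r"C:\Windows\System32\calc.exe"),
    ("worm.exe",    "write", r"C:\Program Files\Tool\tool.exe"),
    ("setup.exe",   "write", r"C:\Program Files\NewApp\newapp.exe"),    # installer
    ("updater.exe", "write", r"C:\Program Files\Browser\browser.exe"),  # auto-updater
    ("updater.exe", "write", r"C:\Program Files\Browser\helper.dll"),
    ("linker.exe",  "write", r"C:\dev\build\myprog.exe"),               # developer build
    ("worm.exe",    "write", r"C:\Users\alice\Desktop\game.exe"),
]

# Constructed ground truth, used only to score the monitor afterwards;
# the monitor itself never sees it.
MALICIOUS = {"worm.exe"}


def is_suspicious(event):
    """The rule from the text: any program writing into an executable file."""
    process, op, target = event
    return op == "write" and target.lower().endswith(EXECUTABLE_SUFFIXES)


def monitor(events, decide):
    """Feed the stream through the rule.  `decide(process, target)` plays the
    user at the prompt and returns "allow" or "block".  Returns the list of
    (process, target, decision) alerts that were raised."""
    alerts = []
    for event in events:
        if is_suspicious(event):
            process, _, target = event
            alerts.append((process, target, decide(process, target)))
    return alerts


def score(alerts):
    """How noisy was the monitor, and how much malicious activity got through?"""
    true_positives = sum(1 for p, _, _ in alerts if p in MALICIOUS)
    allowed = sum(1 for p, _, d in alerts if p in MALICIOUS and d == "allow")
    return {
        "alerts": len(alerts),
        "true_positives": true_positives,
        "false_positives": len(alerts) - true_positives,
        "malicious_writes_allowed": allowed,
    }


def attentive_user(process, target):
    """A user who only allows writes from tools they recognise."""
    return "allow" if process in {"setup.exe", "updater.exe", "linker.exe"} else "block"


def fatigued_user(process, target):
    """The user the text describes: clicks Accept on every warning."""
    return "allow"


if __name__ == "__main__":
    for name, user in (("attentive", attentive_user), ("fatigued", fatigued_user)):
        print(name, score(monitor(EVENTS, user)))
```

With the attentive user the rule catches all three writes from the constructed worm, but four of the seven prompts are for an installer, an updater and a compiler; with the fatigued user every prompt is accepted and all three malicious writes go through, which is exactly the "obviously useless" case in the text.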

Other ways to detect viruses
Some anti-virus software will try to emulate the beginning of the code of each new executable that is being executed before transferring control to the executable. If the program seems to be using self-modifying code or otherwise appears to be a virus (it immediately tries to find other executables), one could assume that the executable has been infected with a virus. However, this method results in a lot of false positives.

Yet another detection method is using a sandbox. A sandbox emulates the operating system and runs the executable in this simulation. After the program has terminated, the sandbox is analysed for changes which might indicate a virus. Because of performance issues this type of detection is normally only performed during on-demand scans.
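The following Python sketch is an added example, not code from the original post. It shows the sandbox idea in the paragraph above in miniature: snapshot a simulated operating system, let the sample run to completion against that simulation only, snapshot again, and turn the differences into a verdict. The simulated disk, the Sandbox interface, the two sample "programs" and the indicator list are all constructed for this example; a real sandbox emulates a CPU and OS rather than calling a Python function.

```python
# Added example: post-termination sandbox analysis over a simulated OS.
import copy


class Sandbox:
    """Constructed simulated OS.  The sample under analysis acts only through
    this object, standing in for emulated machine code; nothing touches the
    real file system or network."""

    def __init__(self, files):
        self.files = dict(files)   # path -> bytes, the simulated disk
        self.autostart = []        # simulated run-on-boot entries
        self.network = []          # hosts the sample tried to reach

    def read(self, path):
        return self.files.get(path)

    def write(self, path, data):
        self.files[path] = data

    def listdir(self, prefix):
        return sorted(p for p in self.files if p.startswith(prefix))

    def add_autostart(self, path):
        self.autostart.append(path)

    def connect(self, host):
        self.network.append(host)


def snapshot(sb):
    return copy.deepcopy(sb.files), list(sb.autostart), list(sb.network)


def analyse(before, after):
    """Compare two snapshots and turn the differences into a verdict."""
    files_b, auto_b, net_b = before
    files_a, auto_a, net_a = after
    created = sorted(set(files_a) - set(files_b))
    modified = sorted(p for p in files_b if p in files_a and files_a[p] != files_b[p])
    report = {
        "created": created,
        "modified": modified,
        "new_autostart": auto_a[len(auto_b):],
        "network": net_a[len(net_b):],
        "indicators": [],
    }
    # Indicators constructed for this example; a real engine has many more.
    exe_touched = [p for p in modified if p.lower().endswith(".exe")]
    if exe_touched:
        report["indicators"].append("modified existing executables: " + ", ".join(exe_touched))
    if report["new_autostart"]:
        report["indicators"].append("registered itself to run at start-up")
    if report["network"]:
        report["indicators"].append("contacted network hosts: " + ", ".join(report["network"]))
    report["verdict"] = "suspicious" if report["indicators"] else "clean"
    return report


def run_in_sandbox(program, files):
    """Snapshot, run the sample to completion, snapshot again, analyse."""
    sb = Sandbox(files)
    before = snapshot(sb)
    program(sb)                       # the sample only ever sees the simulation
    return analyse(before, snapshot(sb))


# Constructed disk image and two constructed samples.
DISK = {
    "/apps/tool.exe": b"MZ tool",
    "/apps/game.exe": b"MZ game",
    "/home/alice/notes.txt": b"",
}


def editor_sample(sb):
    """Benign sample: edits a document and nothing else."""
    sb.write("/home/alice/notes.txt", b"meeting at 10\n")


def infector_sample(sb):
    """Simulated file infector: appends a marker to every executable it can
    find on the fake disk and arranges to run again at boot."""
    for path in sb.listdir("/apps/"):
        if path.endswith(".exe"):
            sb.write(path, sb.read(path) + b"<<marker>>")
    sb.add_autostart("/apps/tool.exe")


if __name__ == "__main__":
    for sample in (editor_sample, infector_sample):
        print(sample.__name__, run_in_sandbox(sample, DISK))
```

The cost the text mentions is visible in the structure: every sample has to be run to completion and the whole state diffed before a verdict exists, which is why this is reserved for on-demand scans rather than the open/close hook of the dictionary scanner.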

Issues of concern

Macro viruses, arguably the most destructive and widespread computer viruses, could be prevented far more inexpensively and effectively, and without the need for all users to buy anti-virus software, if Microsoft would fix security flaws in Microsoft Outlook and Microsoft Office related to the execution of downloaded code and to the ability of document macros to spread and wreak havoc.

User education is as important as anti-virus software; simply training users in safe computing practices, such as not downloading and executing unknown programs from the Internet, would slow the spread of viruses, without the need for anti-virus software.

Computer users should not always run with administrator access to their own machine. If they would simply run in user mode then some types of viruses would not be able to spread.

The dictionary approach to detecting viruses is often insufficient due to the continual creation of new viruses, yet the suspicious behavior approach is ineffective due to the false positive problem; hence, the current understanding of anti-virus software will never conquer computer viruses.

There are various methods of encrypting and packing malicious software which will make even well-known viruses undetectable to anti-virus software. Detecting these "camouflaged" viruses requires a powerful unpacking engine, which can decrypt the files before examining them. Unfortunately, many popular anti-virus programs do not have this and thus are often unable to detect encrypted viruses.
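The following Python sketch is an added example, not code from the original post. It puts the virus dictionary approach from the earlier section and the unpacking point above into one runnable scanner: a dictionary of whole-file hashes and byte patterns, a quarantine step that moves a matching file out of reach, a one-byte "mutated" copy that the dictionary misses (the polymorphism problem), and a packed copy that is only caught once a small unpacking step runs first. The signatures, the sample files, the quarantine layout and the XORPACK1 packer format are all constructed for this example and correspond to no real product or packer.

```python
# Added example: toy virus-dictionary scanner with quarantine and unpacking.
import hashlib
import os
import shutil
import tempfile

# Constructed virus dictionary (not a real signature database).  A real one
# holds many thousands of entries and is refreshed by periodic updates.
BYTE_SIGNATURES = {
    "Sample.Marker.A": b"CONSTRUCTED-MALWARE-MARKER-A",
    "Sample.Marker.B": b"CONSTRUCTED-MALWARE-MARKER-B",
}
KNOWN_SAMPLE = b"MZ constructed whole-file sample\n"
HASH_SIGNATURES = {hashlib.sha256(KNOWN_SAMPLE).hexdigest(): "Sample.ExactFile"}

# Constructed packer format the unpacking step understands: a fixed tag, one
# key byte, then the payload XORed with that key.  It stands in for the
# "unpacking engine" a real product needs for every packer it supports.
PACK_TAG = b"XORPACK1:"


def unpack(data):
    """Undo the constructed packer if `data` uses it, else return `data` itself."""
    if not data.startswith(PACK_TAG) or len(data) < len(PACK_TAG) + 1:
        return data
    key = data[len(PACK_TAG)]
    return bytes(b ^ key for b in data[len(PACK_TAG) + 1:])


def pack(payload, key):
    """Build a file in the constructed packer format (only used for the demo)."""
    return PACK_TAG + bytes([key]) + bytes(b ^ key for b in payload)


def scan_bytes(data, use_unpacker=True):
    """Return the dictionary name matching `data`, or None.

    Whole-file hash first (exact match for a known sample), then a substring
    search for each byte signature.  With `use_unpacker` the same checks are
    repeated on the unpacked payload.  Note what is absent: no understanding
    of what the code does, only whether known bytes are present."""
    candidates = [data]
    if use_unpacker:
        unpacked = unpack(data)
        if unpacked is not data:
            candidates.append(unpacked)
    for blob in candidates:
        name = HASH_SIGNATURES.get(hashlib.sha256(blob).hexdigest())
        if name:
            return name
        for sig_name, pattern in BYTE_SIGNATURES.items():
            if pattern in blob:
                return sig_name
    return None


def scan_file(path, quarantine_dir, use_unpacker=True):
    """Scan one file and quarantine it on a match.  Returns (verdict, name)."""
    with open(path, "rb") as f:
        data = f.read()
    name = scan_bytes(data, use_unpacker)
    if name is None:
        return ("clean", None)
    # Quarantine: move the file where nothing will run it and make it
    # read-only, rather than deleting something the user may want back.
    os.makedirs(quarantine_dir, exist_ok=True)
    dest = os.path.join(quarantine_dir, os.path.basename(path) + ".quarantined")
    shutil.move(path, dest)
    os.chmod(dest, 0o400)
    return ("quarantined", name)


def demo(use_unpacker=True):
    """Scan a constructed directory; returns {filename: (verdict, name)}."""
    root = tempfile.mkdtemp()
    marker_a = BYTE_SIGNATURES["Sample.Marker.A"]
    marker_b = BYTE_SIGNATURES["Sample.Marker.B"]
    files = {
        "readme.txt": b"nothing to see here\n",
        "known.bin": KNOWN_SAMPLE,
        "dropper.bin": b"header" + marker_a + b"trailer",
        "mutated.bin": b"header" + marker_a[:-1] + b"Z" + b"trailer",  # one byte differs
        "packed.bin": pack(b"header" + marker_b + b"trailer", 0x5A),
    }
    for fname, content in files.items():
        with open(os.path.join(root, fname), "wb") as f:
            f.write(content)
    qdir = os.path.join(root, "quarantine")
    results = {f: scan_file(os.path.join(root, f), qdir, use_unpacker) for f in files}
    if os.path.isdir(qdir):                      # undo read-only so cleanup works
        for fname in os.listdir(qdir):
            os.chmod(os.path.join(qdir, fname), 0o600)
    shutil.rmtree(root)
    return results


if __name__ == "__main__":
    for use_unpacker in (True, False):
        print("unpacker on" if use_unpacker else "unpacker off", demo(use_unpacker))
```

Run with the unpacker on, `dropper.bin`, `known.bin` and `packed.bin` are quarantined while `mutated.bin` is reported clean even though it differs from the dropper by one byte; with the unpacker off, `packed.bin` is reported clean as well, which is the gap the paragraph above describes.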

Companies that sell anti-virus software seem to have a financial incentive for viruses to be written and to spread, and for the public to panic over the threat.

© Pilot Prosoft
Source: How does anti-virus software work?
