Anti-virus software
Anti-virus software consists of computer programs that attempt to identify, thwart and eliminate computer viruses and other malicious software (Malware).
Anti-virus software typically uses two different techniques to accomplish this:
* examining (scanning) files to look for known viruses that match definitions in a virus dictionary
* identifying suspicious behavior from any computer program which might indicate infection
Most commercial anti-virus software uses both of these approaches, with an emphasis on the virus dictionary approach.
Historically, the term anti-virus has also been used for benign computer viruses that spread and combated malicious viruses. This was common on the Amiga computer platform.
= Approaches to virus detection =
== Virus dictionary approach ==
In the virus dictionary approach, when the anti-virus software examines a computer file, it refers to a dictionary of known viruses that the authors of the anti-virus software have identified. If a piece of code in the file matches any virus identified in the dictionary, then the anti-virus software can take one of the following actions (in order of favorability):
# attempt to repair the file by removing the virus itself from the file
# quarantine the file (such that the file remains inaccessible to other programs and its virus can no longer spread)
# delete the infected file
To achieve consistent success in the medium and long term, the virus dictionary approach requires periodic (generally online) downloads of updated virus dictionary entries. As civically minded and technically inclined users identify new viruses in the wild, they can send their infected files to the authors of anti-virus software, who then include information about the new viruses in their dictionaries.
Dictionary-based anti-virus software typically examines files when the computer's operating system creates, opens, closes or e-mails them. In this way it can detect a known virus immediately upon receipt. Note too that a system administrator can typically schedule the anti-virus software to examine (scan) all files on the user's hard disk on a regular basis.
Although the dictionary approach can effectively contain virus outbreaks in the right circumstances, virus authors have tried to stay a step ahead of such software by writing oligomorphic code, polymorphic code and more recently metamorphic code viruses, which encrypt parts of themselves or otherwise modify themselves as a method of disguise, so as to not match the virus's signature in the dictionary.
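The dictionary approach described above, reduced to a toy scanner: this is an added example, not code from the article or from any anti-virus product. The signatures, the host file and the appended "virus body" are constructed for illustration, and the response order (repair, quarantine, delete) follows the list above.

```python
"""Toy virus-dictionary scanner: added example, not code from the article.

The dictionary maps virus names to byte signatures. A file is infected when
its bytes contain a signature, and the response follows the article's order
of favorability: repair, then quarantine, then delete. Signatures and files
here are constructed for illustration and are not real malware patterns.
"""
from typing import Optional

# Constructed signatures (not real). In this toy a signature covers the whole
# appended virus body, so stripping it restores the original host file.
VIRUS_DICTIONARY: dict[str, bytes] = {
    "Toy.Appender": b"\xde\xad\xbe\xefTOY-APPENDER",
    "Toy.Marker": b"\x90\x90\x90TOY-MARKER\x00",
}

def scan(contents: bytes) -> Optional[tuple[str, int]]:
    """Return (virus name, offset) of the earliest signature hit, or None."""
    best: Optional[tuple[int, str]] = None
    for name, sig in VIRUS_DICTIONARY.items():
        offset = contents.find(sig)
        if offset != -1 and (best is None or offset < best[0]):
            best = (offset, name)
    return None if best is None else (best[1], best[0])

def repair(contents: bytes, name: str, offset: int) -> bytes:
    """Remove the matched virus bytes and leave the rest of the file intact."""
    sig = VIRUS_DICTIONARY[name]
    return contents[:offset] + contents[offset + len(sig):]

def respond(contents: bytes, can_repair: bool = True,
            can_quarantine: bool = True) -> tuple[str, bytes]:
    """Take the most favorable available action; return (action, file bytes)."""
    hit = scan(contents)
    if hit is None:
        return "clean", contents
    name, offset = hit
    if can_repair:
        return "repaired", repair(contents, name, offset)
    if can_quarantine:
        # A quarantined file keeps its bytes but is moved out of reach of
        # other programs; a deleted file has none left.
        return "quarantined", contents
    return "deleted", b""

# Constructed sample: a harmless host file with the toy virus body appended.
HOST = b"MZ...host program bytes..."
INFECTED = HOST + VIRUS_DICTIONARY["Toy.Appender"]
```

A real scanner adds wildcards, offsets and checksums to its signatures; the toy shows only the dictionary lookup and the action ordering.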
== Suspicious behavior approach ==
The suspicious behavior approach, by contrast, doesn't attempt to identify known viruses, but instead monitors the behavior of all programs. If one program tries to write data to an executable program, for example, the anti-virus software can flag this suspicious behavior, alert a user and ask what to do.
Unlike the dictionary approach, the suspicious behavior approach therefore provides protection against brand-new viruses that do not yet exist in any virus dictionaries. However, it also produces a large number of false positives, and users probably become desensitized to all the warnings. If the user clicks "Accept" on every such warning, then the anti-virus software obviously gives no benefit to that user. This problem has worsened since 1997, since many more nonmalicious program designs came to modify other .exe files without regard to this false positive issue. Thus, most modern anti-virus software uses this technique less and less.
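The behavior rule described above, as an added example that is not part of the original article: a toy monitor over a constructed stream of file-system events flags any program that writes to an executable, and a trusted-writer list shows one way to suppress the false positive raised by a benign updater.

```python
"""Toy suspicious-behavior monitor: added example, not code from the article.

Instead of a virus dictionary, it watches a stream of file-system events and
flags any program that writes to an executable. A trusted-writer list shows
one way to cut the false positives the article describes. Events here are
constructed for illustration.
"""
from dataclasses import dataclass
from typing import Iterable

EXECUTABLE_SUFFIXES = (".exe", ".dll", ".com", ".scr")

@dataclass(frozen=True)
class FileEvent:
    process: str  # program performing the action
    action: str   # "write", "read", "create", ...
    target: str   # path acted upon

@dataclass(frozen=True)
class Alert:
    process: str
    target: str
    reason: str

def is_executable(path: str) -> bool:
    return path.lower().endswith(EXECUTABLE_SUFFIXES)

def monitor(events: Iterable[FileEvent],
            trusted_writers: frozenset[str] = frozenset()) -> list[Alert]:
    """Return one Alert per write to an executable by an untrusted program."""
    alerts = []
    for ev in events:
        if ev.action != "write" or not is_executable(ev.target):
            continue
        if ev.process in trusted_writers:
            continue  # known-benign installer or updater: suppress the alert
        alerts.append(Alert(ev.process, ev.target,
                            "program modified an executable"))
    return alerts

# Constructed event stream: a benign updater (a false positive unless trusted)
# and an unknown program writing into a system executable.
SAMPLE_EVENTS = [
    FileEvent("notepad.exe", "write", r"C:\Users\a\notes.txt"),
    FileEvent("updater.exe", "write", r"C:\Program Files\App\app.exe"),
    FileEvent("unknown.scr", "write", r"C:\Windows\System32\calc.exe"),
    FileEvent("unknown.scr", "read", r"C:\Windows\System32\kernel32.dll"),
]
```

Without the trusted-writer list the stream yields two alerts, one of them the updater; with it, only the unknown program is flagged.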
== Other ways to detect viruses ==
Some anti-virus software will try to emulate the beginning of the code of each new executable that the system invokes before transferring control to that executable. If the program seems to use self-modifying code or otherwise behaves like a virus (if it immediately tries to find other executables, for example), one could assume that a virus has infected the executable. However, this method too results in a lot of false positives.
Yet another detection method involves using a sandbox (security). A sandbox emulates the operating system and runs the executable in this simulation. After the program has terminated, software analyses the sandbox for any changes which might indicate a virus. Because of performance issues, this type of detection normally only takes place during on-demand scans.
= Issues of concern =
= Antivirus software and companies =
== For corporate market ==
*GFi WebMonitor and GFi MailSecurity - WWW and email security solutions, by [http://www.gfi.com/ GFI Software]
*BitDefender from Romania - email security solutions
*Security solutions by [http://www.sybari.com/ Sybari Software]. Sybari Software had been purchased by Microsoft in early 2005.
*Sophos from UK provides antivirus solutions, with evaluation version
== Commercial and shareware ==
*AhnLab V3Pro by AhnLab from Korea
*Kaspersky Antivirus by Kaspersky from Russia
*McAfee Antivirus by McAfee from USA
*Norton AntiVirus by Symantec
*[http://www.bullguard.com/antivirus/default.aspx Bullguard Antivirus Software, Firewall and Backup], by BullGuard from Denmark/United Kingdom
*F-Secure from Finland
*[http://virusbuster.hu/en VirusBuster] from Hungary
*NOD32 by Eset from Slovak Republic, shareware
*Norman (anti virus) from Norway
*[http://come.to/rose_swe ROSE SWE], shareware and some freeware
*Panda Software from Spain
*Rising AntiVirus from China
== Freeware (including software which has both free and commercial versions) ==
*Avast! by Alwil from Czech Republic
*Antivir by H+BEDV from Germany
*AVG Anti-virus by Grisoft
== GPL software ==
ClamAV and ClamWin, by Tomasz Kojm
== Unclassified ==
*Aladdin Knowledge Systems
*Cat Computer Services, makers of Quick Heal AntiVirus from India
*Computer Associates USA
*Dr.Web Ltd from Russia
*Frisk Software from Iceland
*Hauri
*MicroWorld Technologies from India
*MKS (anti virus) from Poland
*RAV Antivirus from Romania (bought in 2003 from GECAD)
*Stiller Research
*Trend Micro from Japan (nominally Taiwan - USA)
*Zone Labs for ZoneAlarm AntiVirus
= Testing Organizations =
These organizations provide testing of virus scanning and related programs.
*Virus Bulletin - http://www.virusbtn.com/
*ICSA Labs - http://www.icsalabs.com/
*West Coast Labs - http://www.westcoastlabs.org/
*GFI Software - http://www.emailsecuritytest.com/
= External links =