Classification of antivirus software with examples. Classification, characteristics, examples. Software products based on Bitdefender technologies

Basic methods for detecting viruses

Antivirus programs have evolved in parallel with viruses. As new techniques for creating viruses appeared, the mathematical apparatus used to develop antiviruses grew more complex.

The first anti-virus algorithms were built on comparison with a reference: a classic scanning engine recognizes the virus by a mask, and the decision rests on statistical methods. The mask must be small enough to keep the database size acceptable, yet large enough to avoid false positives (when "friend" is taken for "alien", and vice versa).

The first anti-virus programs built on this principle (the so-called polyphage scanners) knew a certain number of viruses and were able to treat them. They were created as follows: the developer, having obtained the virus code (which at first was static), compiled a unique mask from it (a sequence of 10-15 bytes) and entered it into the program's database. The anti-virus program scanned files and, if it found this byte sequence, concluded that the file was infected. The sequence (signature) was chosen so that it was unique and did not occur in ordinary data.

These approaches were used by most anti-virus programs until the mid-1990s, when the first polymorphic viruses appeared, which changed their body according to algorithms that could not be predicted in advance. At that point the signature method was supplemented by a so-called processor emulator, which made it possible to find encrypted and polymorphic viruses that have no constant signature in plain form.

The principle of processor emulation is shown in Fig. 1. Whereas the usual chain consists of three main elements, CPU → OS → Program, with processor emulation an emulator is added to that chain. The emulator reproduces, as it were, the program's work in a virtual space and reconstructs its original content. The emulator can interrupt the program's execution at any time, controls its actions without letting it damage anything, and calls the anti-virus scanning engine.

The second mechanism, which appeared in the mid-1990s and is used by all antiviruses, is heuristic analysis. The processor emulator, which yields a summary of the actions performed by the analyzed program, does not by itself let you search for those actions, but it does allow some analysis to be performed and a hypothesis to be put forward: "virus or not a virus?"

In this case, decision making is based on statistical approaches. And the corresponding program is called a heuristic analyzer.

In order to reproduce, a virus must perform certain specific actions: copying itself to memory, writing to sectors, etc. The heuristic analyzer (part of the anti-virus engine) contains a list of such actions, looks through the code of the program being analyzed, determines what it does, and on this basis decides whether the program is a virus or not.

At the same time, the proportion of viruses missed, even ones unknown to the antivirus program, is very small. This technology is now widely used in all anti-virus programs.

Classification of antivirus programs

Anti-virus programs are classified into pure anti-viruses and dual-purpose anti-viruses (Fig. 2).

Pure antiviruses are distinguished by the presence of an antivirus engine that performs pattern scanning. What matters here is that treatment is possible only if the virus is known. Pure antiviruses are in turn divided into two categories by the type of file access: those that check files on access and those that check on demand. On-access products are usually called monitors, and on-demand products scanners.

An on-demand product works as follows: the user wants to check something and issues a request (demand), after which the check is carried out. An on-access product is a resident program that monitors access and performs the check at the moment of access.

In addition, anti-virus programs, like viruses, can be divided by the platform on which the antivirus works. In this sense, along with Windows or Linux, the platforms include Microsoft Exchange Server, Microsoft Office and Lotus Notes.

Dual-purpose programs are programs used in both antivirus and non-antivirus software. For example, a CRC checker, a checksum-based change inspector, can be used for more than catching viruses. Another kind of dual-purpose program is the behavioral blocker, which analyzes the behavior of other programs and blocks them if suspicious actions are detected. Behavioral blockers differ from a classic antivirus, whose engine recognizes and cures viruses that were analyzed in the laboratory and for which a treatment algorithm was written: behavioral blockers do not know how to treat viruses, because they know nothing about them. This property allows them to work with any viruses, including unknown ones. It is of particular relevance today, since the distributors of viruses and of antiviruses use the same data transmission channel, the Internet, while an anti-virus company always needs time to obtain the virus itself, analyze it and write the appropriate treatment modules. Programs of the dual-purpose group make it possible to block the spread of the virus until the company writes a treatment module.

Overview of the most popular personal antiviruses

The review includes the most popular antiviruses for personal use from five well-known developers. It should be noted that some of the companies discussed below offer several versions of personal programs that differ in functionality and, accordingly, in price. In our review, we looked at one product from each company, choosing the most functional version, which, as a rule, is called Personal Pro. Other personal antivirus options can be found on the respective websites.

Kaspersky Anti-Virus Personal Pro v. 4.0

Developer: Kaspersky Lab. Website: http://www.kaspersky.ru/ . Price $69 (license for 1 year).

Kaspersky Anti-Virus Personal Pro (Fig. 3) is one of the most popular solutions on the Russian market and contains a number of unique technologies.

The Office Guard behavior-blocker module controls the execution of macros, preventing all suspicious actions. The presence of the Office Guard module provides 100% protection against macro viruses.

The Inspector monitors all changes on your computer and, if unauthorized changes are detected in files or in the system registry, allows you to restore the contents of the disk and remove malicious code. Inspector does not require anti-virus database updates: integrity control is based on taking fingerprints (CRC sums) of the original files and later comparing them with the modified files. Unlike other auditors, Inspector supports all the most popular executable file formats.

The heuristic analyzer makes it possible to protect your computer even from unknown viruses.

The Monitor background virus interceptor, permanently present in the computer's memory, performs anti-virus scanning of all files right at the moment they are launched, created or copied, which allows you to control all file operations and prevent infection even by the most technologically advanced viruses.

Antivirus email filtering prevents viruses from entering your computer. The Mail Checker plug-in not only removes viruses from the body of an email, but also completely restores the original content of emails. A comprehensive scan of mail correspondence prevents a virus from hiding in any element of an email: all sections of incoming and outgoing messages are scanned, including attached files (archived and packed ones as well) and nested messages of any depth.

Antivirus Scanner makes it possible to carry out a full-scale scan of the entire contents of local and network drives on demand.

The Script Checker interceptor provides anti-virus checks of all running scripts before they are executed.

Support for archived and compressed files provides the ability to remove malicious code from an infected compressed file.

Isolation of infected objects provides isolation of infected and suspicious objects with their subsequent transfer to a specially organized directory for further analysis and recovery.

Automation of anti-virus protection allows you to schedule and sequence the operation of the program components, automatically download and connect new anti-virus database updates over the Internet, send alerts about detected virus attacks by e-mail, etc.

Norton AntiVirus 2003 Professional Edition

Developer: Symantec. Website: http://www.symantec.ru/ .

The price is 89.95 euros.

The program runs under Windows 95/98/Me/NT4.0/2000 Pro/XP.

Price $39.95

The program runs under Windows 95/98/Me/NT4.0/2000 Pro/XP.

An antivirus program (antivirus) is a program for detecting and removing computer viruses and other malicious programs, preventing their spread, and restoring programs infected by them.

The main tasks of modern anti-virus programs:

  • Scan files and programs in real time.
  • On-demand computer scan.
  • Scanning Internet traffic.
  • Email scanning.
  • Protection against attacks from dangerous websites.
  • Recovery of damaged files (treatment).

Classification of antivirus programs:

  • Detector programs search for and detect viruses in RAM and on external media and, on detection, issue a corresponding message. There are two kinds of detectors:
    • 1. universal: check that files are unchanged by computing a checksum and comparing it with a reference checksum;
    • 2. specialized: search for known viruses by their signature (a repeating section of code). The disadvantage of such detectors is that they are unable to detect all known viruses.

A detector that can detect several viruses is called a polydetector. The disadvantage of such antivirus programs is that they can only find viruses that are known to the developers of such programs.

  • Doctor programs (phages) not only find virus-infected files but also "treat" them, i.e. remove the body of the virus program from the file, returning the file to its original state. At the beginning of their work, phages look for viruses in RAM and destroy them, and only then proceed to "treat" files. Among phages, polyphages are distinguished, i.e. doctor programs designed to find and destroy a large number of viruses. Given that new viruses appear constantly, detector and doctor programs quickly become outdated, and regular updates of their versions are required.
  • Auditor programs are among the most reliable means of protection against viruses. Auditors remember the initial state of programs, directories and system areas of the disk while the computer is not infected, and then periodically, or at the user's request, compare the current state with the original one. The detected changes are displayed on the screen. As a rule, the comparison is carried out immediately after the operating system is loaded. When comparing, the file length, cyclic redundancy code (file checksum), date and time of modification, and other parameters are checked.
  • Filter programs (watchdogs) are small resident programs designed to detect suspicious computer activity characteristic of viruses. Such actions may be:
    • 1. attempts to modify files with COM and EXE extensions;
    • 2. changing file attributes;
    • 3. direct writing to disk at an absolute address;
    • 4. writing to the boot sectors of the disk;

Vaccine programs (immunizers) are resident programs that prevent file infection. Vaccines are used if there are no doctor programs that "treat" this virus. Vaccination is possible only against known viruses. The vaccine modifies the program or disk in such a way that it does not affect their work, and the virus will perceive them as infected and therefore will not take root. A significant drawback of such programs is their limited ability to prevent infection from a large number of different viruses.

Functions of antivirus programs

Real-time virus protection

Most antivirus programs offer real-time protection. This means that the antivirus program protects your computer from all incoming threats every second. Thus, even if a virus has not infected your computer, you should consider installing an anti-virus program with real-time protection in order to prevent further spread of the infection.

Threat detection

Antivirus programs can scan your entire computer for viruses. First of all, the most vulnerable areas, the system folders and RAM, are scanned. You can also choose the areas to scan yourself, or, for example, check a specific hard drive. However, not all antiviruses use the same algorithms, and some antivirus programs have higher detection rates than others.

Automatic updates

New viruses are created and appear every day. Therefore, it is extremely important for anti-virus programs to be able to update anti-virus databases (a list of all known viruses, both old and new). Automatic update is necessary because an outdated antivirus cannot detect new viruses and threats. In addition, if the antivirus program only offers manual updates, you may forget to update the antivirus definitions, and your computer may become infected with a new virus. Try to choose an antivirus with automatic updates.

Alerts

The antivirus will alert you when any program tries to access your computer. Internet applications are an example. Many programs that try to access your PC are harmless or you downloaded them voluntarily, and thus antivirus programs give you the opportunity to decide for yourself whether to allow or block their installation or operation.

Anti-virus protection is the most common measure for ensuring the information security of the IT infrastructure in the corporate sector. However, only 74% of Russian companies use anti-virus solutions for protection, according to a study conducted by Kaspersky Lab together with the analytical company B2B International (autumn 2013).

The report also says that, amid the explosion of cyber threats against which companies were protected only by simple antiviruses, Russian businesses are increasingly using comprehensive protection tools. Largely for this reason, the use of data encryption tools on removable media increased by 7% (to 24%). In addition, companies have become more willing to define separate security policies for removable devices. Differentiation of access levels to different parts of the IT infrastructure has also increased (49%). At the same time, small and medium-sized businesses pay more attention to the control of removable devices (35%) and application control (31%).

The researchers also found that, despite the constant discovery of new vulnerabilities in software, Russian companies still do not pay enough attention to regular software updates. What is more, the share of organizations that install patches is down from last year to just 59%.

Modern anti-virus programs are able to effectively detect malicious objects inside program files and documents. In some cases, the antivirus can remove the body of a malicious object from an infected file, restoring the file itself. In most cases, an antivirus is able to remove a malicious program object not only from a program file but also from an office document file without violating its integrity. The use of anti-virus programs does not require high qualifications and is available to almost any computer user.

Most anti-virus programs combine real-time protection (virus monitor) and on-demand protection (virus scanner).

Antivirus rating

2019: Two thirds of antiviruses for Android were useless

In March 2019, AV-Comparatives, an Austrian laboratory specializing in testing antivirus software, published the results of a study that showed the uselessness of most such programs for Android.

Only 23 antiviruses listed in the official Google Play Store catalog recognize malware accurately in 100% of cases. The rest either do not respond to mobile threats or mistake perfectly safe applications for them.

Experts studied 250 antiviruses and reported that only 80% of them can detect more than 30% of malware. Thus, 170 applications failed the test. The products that passed the tests were mainly solutions from large manufacturers, including Avast, Bitdefender, ESET, F-Secure, G-Data, Kaspersky Lab, McAfee, Sophos, Symantec, Tencent, Trend Micro and Trustwave.

As part of the experiment, the researchers installed each anti-virus application on a separate device (without an emulator) and automated the devices to launch a browser, download and then install malware. Each device was tested against 2,000 of the most prevalent Android viruses in 2018.

According to AV-Comparatives' calculations, most Android antivirus solutions are counterfeits. Dozens of applications have an almost identical interface, and their creators are clearly more interested in displaying ads than in writing a working virus scanner.

Some antiviruses "see" a threat in any application not on their "whitelist". Because of this, in a number of almost comical cases they raised the alarm over their own files, since the developers forgot to add them to the whitelist.

2017: Microsoft Security Essentials is recognized as one of the worst antiviruses

In October 2017, the German antivirus laboratory AV-Test published the results of comprehensive antivirus testing. According to the study, Microsoft's proprietary software designed to protect against malicious activity is almost the worst at doing its job.

According to the results of tests conducted in July-August 2017, AV-Test experts named Kaspersky Internet Security as the best antivirus for Windows 7, which received 18 points when evaluating the level of protection, performance and ease of use.

The top three included Trend Micro Internet Security and Bitdefender Internet Security, which earned 17.5 points each. The position of products of other antivirus companies that were included in the study can be found in the illustrations below:

Many scanners also use heuristic scanning algorithms, i.e. analysis of the sequence of commands in the object being checked, collection of some statistics, and a decision for each checked object.

Scanners can also be divided into two categories - universal and specialized. Universal scanners are designed to search for and neutralize all types of viruses, regardless of the operating system in which the scanner is designed to work. Specialized scanners are designed to neutralize a limited number of viruses or only one class of them, such as macro viruses.

Scanners are also divided into resident (monitors), which scan on the fly, and non-resident, which check the system only on request. As a rule, resident scanners provide more reliable system protection, since they immediately react to the appearance of a virus, while a non-resident scanner is able to identify a virus only during its next launch.

CRC scanners

The principle of operation of CRC scanners is based on calculating CRC sums (checksums) for the files and system sectors present on the disk. These CRC sums are then stored in the antivirus database together with some other information: file lengths, dates of last modification, etc. The next time the CRC scanner runs, it compares the data stored in the database with the freshly computed values. If the file information recorded in the database does not match the real values, the CRC scanner signals that the file has been modified or infected with a virus.

CRC scanners are not able to catch a virus at the moment of its appearance in the system, but do it only after some time, after the virus has spread throughout the computer. CRC scanners cannot detect a virus in new files (in e-mail, on floppy disks, in files restored from a backup or when unpacking files from an archive), because their databases do not have information about these files. Moreover, viruses periodically appear that use this weakness of CRC scanners, infect only newly created files and thus remain invisible to them.
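Added example (not code from the original article): a change auditor in the spirit of the CRC scanners described above, in Python. It records a CRC32 and length per file, re-checks them later, reports new files it has no reference for (the weakness just described), and applies an expert-style rule: several executables that all grew by the same number of bytes at once is the pattern of an appending file virus. The "disk" is a constructed in-memory file set with hypothetical paths; a real auditor would also store modification times and would likely use a cryptographic hash rather than CRC32.

```python
import zlib
from typing import Dict, List, Tuple

Record = Tuple[int, int]          # (crc32, length) stored per file
Report = Dict[str, List[str]]     # category -> file paths

# Constructed "disk" contents standing in for real files (hypothetical paths).
CLEAN_DISK: Dict[str, bytes] = {
    "C:/APP/EDIT.EXE": b"MZ" + b"\x90" * 50,
    "C:/APP/CALC.EXE": b"MZ" + b"\x00" * 30,
    "C:/DOC/NOTES.TXT": b"meeting at 10",
}
VIRUS_BODY = b"V" * 40   # constructed stand-in for an appended virus body


def take_snapshot(files: Dict[str, bytes]) -> Dict[str, Record]:
    """Build the auditor's database: CRC32 and length of every file."""
    return {path: (zlib.crc32(data), len(data)) for path, data in files.items()}


def audit(baseline: Dict[str, Record], files: Dict[str, bytes]) -> Report:
    """Compare the current file set against the stored snapshot."""
    report: Report = {"modified": [], "new": [], "deleted": [], "unchanged": []}
    for path, data in files.items():
        if path not in baseline:
            # No reference data: the auditor cannot say whether the file is
            # infected, only that it has never been seen before.
            report["new"].append(path)
            continue
        crc, length = baseline[path]
        if zlib.crc32(data) != crc or len(data) != length:
            report["modified"].append(path)
        else:
            report["unchanged"].append(path)
    report["deleted"] = [p for p in baseline if p not in files]
    return report


def infection_verdict(baseline: Dict[str, Record], files: Dict[str, bytes],
                      report: Report) -> str:
    """Expert-style rule over the nature of the changes: identical growth of
    several executables at the same time points to an appending file virus."""
    growth = set()
    exe_count = 0
    for path in report["modified"]:
        if path.upper().endswith(".EXE"):
            exe_count += 1
            growth.add(len(files[path]) - baseline[path][1])
    if exe_count >= 2 and len(growth) == 1 and next(iter(growth)) > 0:
        return "likely file-virus infection"
    if report["modified"]:
        return "files changed, cause unknown"
    return "no changes"


def simulate_appending_infection(disk: Dict[str, bytes]) -> Dict[str, bytes]:
    """Constructed scenario: every .EXE gets VIRUS_BODY appended and one new
    executable appears that was not present when the snapshot was taken."""
    infected = {}
    for path, data in disk.items():
        infected[path] = data + VIRUS_BODY if path.upper().endswith(".EXE") else data
    infected["C:/TMP/NEW.EXE"] = b"MZ" + VIRUS_BODY
    return infected


def demo() -> Tuple[Report, str]:
    """Snapshot the clean disk, let the infection happen, then audit."""
    baseline = take_snapshot(CLEAN_DISK)
    later = simulate_appending_infection(CLEAN_DISK)
    report = audit(baseline, later)
    return report, infection_verdict(baseline, later, report)


if __name__ == "__main__":
    found, verdict = demo()
    for category, paths in found.items():
        print(f"{category:>9}: {paths}")
    print("verdict:", verdict)
```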

Blockers

Anti-virus blockers are resident programs that intercept virus-dangerous situations and notify the user. Virus-dangerous calls include opening executable files for writing, writing to the boot sectors of disks or the MBR of a hard drive, attempts by programs to stay resident, etc., that is, calls typical of viruses at the moment of reproduction.

The advantages of blockers include their ability to detect and stop the virus at the earliest stage of its reproduction. The disadvantages include the existence of ways to bypass the protection of blockers and a large number of false positives.

Immunizers

Immunizers are divided into two types: infection-reporting immunizers and infection-blocking immunizers. The first are usually written to the end of files (on the principle of a file virus), and each time the file is launched it is checked for changes. Such immunizers have only one disadvantage, but it is fatal: the complete inability to report infection by a stealth virus. Therefore such immunizers, like blockers, are practically not used at present.

The second type of immunization protects the system from attack by a particular virus. Files on disk are modified in such a way that the virus takes them for already infected ones. To protect against a resident virus, a program that imitates a copy of the virus is loaded into the computer's memory. When launched, the virus encounters it and believes that the system is already infected.

This type of immunization cannot be universal, since it is impossible to immunize files against all known viruses.

Classification of antiviruses on the basis of time variability

According to Valery Konyavsky, antivirus tools can be divided into two large groups - analyzing data and analyzing processes.

Data analysis

Data analysis includes auditors and polyphages. Auditors analyze the consequences of the activity of computer viruses and other malicious programs. The consequences manifest as changes to data that should not change. From the auditor's point of view, it is the fact of data change that is the sign of malicious activity. In other words, auditors control the integrity of the data and, when integrity is violated, decide that malware is present in the computer environment.

Polyphages act differently. Based on data analysis, they identify fragments of malicious code (for example, by its signature) and, on this basis, make a conclusion about the presence of malicious programs. Deleting or disinfecting virus-infected data helps to prevent the negative consequences of malware execution. Thus, on the basis of analysis in statics, the consequences arising in dynamics are prevented.

The scheme of work of both auditors and polyphages is almost the same - to compare the data (or their checksum) with one or more reference samples. Data is compared to data. Thus, in order to find a virus in your computer, you need it to have already worked so that the consequences of its activity appear. This method can only find known viruses for which code fragments or signatures are previously described. It is unlikely that such protection can be called reliable.

Process analysis

Anti-virus tools based on process analysis work somewhat differently. Heuristic analyzers, like the tools described above, analyze data (on disk, in a channel, in memory, etc.). The fundamental difference is that the analysis is carried out on the assumption that the code being analyzed is not data but commands (in computers with a von Neumann architecture, data and commands are indistinguishable, so one assumption or the other has to be made during analysis).

The heuristic analyzer selects a sequence of operations, assigns a certain danger rating to each of them, and, based on the totality of danger, decides whether this sequence of operations is part of a malicious code. The code itself is not executed.

Another type of anti-virus tool based on process analysis is the behavioral blocker. Here the suspicious code is executed step by step until the set of actions it initiates can be rated as dangerous (or safe) behavior. The code is executed only partially, since once malicious code has run to completion its consequences can be detected by the simpler data-analysis methods.
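Added example (not from the article): a toy heuristic analyzer and behavioral blocker in Python implementing the two process-analysis schemes just described, the first rating a whole extracted operation sequence at once, the second stepping through it and stopping as soon as the accumulated danger crosses the threshold. The operation names, danger weights and traces are constructed for the example; a real engine's ratings are proprietary.

```python
from typing import Dict, Iterable, List, Tuple

# Constructed danger ratings for individual operations (hypothetical values).
DANGER_WEIGHTS: Dict[str, int] = {
    "find_first_exe": 1,          # enumerate executables, as a file virus does
    "open_exe_for_write": 3,      # the classic infection step
    "self_copy_to_memory": 2,
    "stay_resident": 2,
    "write_boot_sector": 5,
    "read_file": 0,
    "show_dialog": 0,
}
THRESHOLD = 6   # total danger at which a sequence is called malicious


def heuristic_verdict(ops: Iterable[str]) -> Tuple[str, int]:
    """Heuristic analysis: rate the whole operation sequence without executing
    anything and decide on the total danger. Returns (verdict, score)."""
    score = sum(DANGER_WEIGHTS.get(op, 0) for op in ops)
    return ("suspicious" if score >= THRESHOLD else "clean", score)


def behavioral_block(ops: List[str]) -> Tuple[str, int]:
    """Behavioral blocker: 'execute' one operation at a time and stop as soon
    as the accumulated danger crosses the threshold. Returns the verdict and
    how many steps ran before the decision was made."""
    score = 0
    for step, op in enumerate(ops, start=1):
        score += DANGER_WEIGHTS.get(op, 0)
        if score >= THRESHOLD:
            return ("blocked", step)
    return ("allowed", len(ops))


# Constructed operation traces.
VIRUS_LIKE = ["find_first_exe", "open_exe_for_write", "self_copy_to_memory", "stay_resident"]
TEXT_EDITOR = ["show_dialog", "read_file", "read_file"]
# An installer legitimately rewrites executables and reaches the same score as
# a virus: this is the false-positive problem inherent in probabilistic methods.
INSTALLER = ["show_dialog", "read_file", "open_exe_for_write", "open_exe_for_write"]


if __name__ == "__main__":
    for name, trace in [("virus-like", VIRUS_LIKE), ("text editor", TEXT_EDITOR),
                        ("installer", INSTALLER)]:
        print(f"{name:>12}: heuristic={heuristic_verdict(trace)} "
              f"blocker={behavioral_block(trace)}")
```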

Virus detection technologies

The technologies used in antiviruses can be divided into two groups:

  • Signature analysis technologies
  • Probabilistic Analysis Technologies

Signature analysis technologies

Signature analysis is a virus detection method that checks for the presence of virus signatures in files. Signature analysis is the most well-known method of detecting viruses and is used in almost all modern antiviruses. To perform a scan, the antivirus needs a set of virus signatures, which is stored in the antivirus database.

Due to the fact that signature analysis involves checking files for virus signatures, the anti-virus database needs to be updated periodically to keep the anti-virus up to date. The very principle of signature analysis also defines the limits of its functionality - the ability to detect only known viruses - a signature scanner is powerless against new viruses.

On the other hand, the presence of virus signatures implies the possibility of treating infected files detected by signature analysis. However, not all viruses can be cured - trojans and most worms cannot be cured due to their design features, since they are integral modules created to cause damage.

Competent implementation of a virus signature makes it possible to detect known viruses with 100% certainty.

Probabilistic Analysis Technologies

Probabilistic analysis technologies, in turn, are divided into three categories:

  • Heuristic analysis
  • Behavioral analysis
  • Checksum Analysis

Heuristic analysis

Heuristic analysis is a technology based on probabilistic algorithms, the result of which is the identification of suspicious objects. The heuristic analysis checks the file structure and its compliance with virus templates. The most popular heuristic technique is to check the contents of a file for modifications of already known virus signatures and their combinations. This helps to detect hybrids and new versions of previously known viruses without additional updating of the anti-virus database.

Heuristic analysis is used to detect unknown viruses and, as a result, does not involve treatment. This technology cannot determine with 100% certainty whether the object in front of it is a virus or not and, like any probabilistic algorithm, it suffers from false positives.

Behavioral analysis

Behavioral analysis is a technology in which a decision about the nature of the object being checked is made on the basis of an analysis of the operations it performs. Behavioral analysis has a very narrow practical application, since most of the actions typical of viruses can be performed by ordinary applications. Behavioral analyzers of scripts and macros are the most famous, since the corresponding viruses almost always perform a number of similar actions.

The security features embedded in the BIOS can also be classified as behavioral analyzers. When an attempt is made to make changes to the computer's MBR, the analyzer blocks the action and displays a corresponding notification to the user.

In addition, behavioral analyzers can track attempts to directly access files, changes to the boot record of floppy disks, formatting hard drives etc.

Behavioral analyzers do not use additional objects like virus databases for their work and, as a result, they are unable to distinguish between known and unknown viruses - all suspicious programs are a priori considered unknown viruses. Similarly, the features of the operation of tools that implement behavioral analysis technologies do not imply treatment.

Checksum Analysis

Checksum analysis is a way to keep track of changes in the objects of a computer system. Based on the nature of the changes (simultaneity, mass character, identical changes in file lengths) it can be concluded that the system is infected. Checksum analyzers (also called change auditors), like behavioral analyzers, do not use additional objects in their work and issue a verdict on the presence of a virus in the system solely by expert evaluation. Similar technology is used in on-access scanners: during the first check a checksum is taken from the file and placed in a cache; before the next check of the same file the checksum is taken again and compared, and if there are no changes the file is considered uninfected.

Antivirus complexes

An anti-virus complex is a set of anti-viruses that use the same anti-virus engine or engines, designed to solve the practical problems of ensuring the anti-virus security of computer systems. The anti-virus complex also includes tools for updating anti-virus databases.

In addition, the anti-virus complex may additionally include behavioral analyzers and change auditors that do not use the anti-virus engine.

There are the following types of anti-virus complexes:

  • Antivirus complex for protection of workstations
  • Anti-virus complex for protecting file servers
  • Anti-virus complex for protection of mail systems
  • Antivirus complex for protection of gateways.

Cloud vs Traditional Desktop Antivirus: Which Should You Choose?

(According to the resource Webroot.com)

The modern market of anti-virus tools is primarily traditional solutions for desktop systems, the protection mechanisms in which are built on the basis of signature-based methods. An alternative method of anti-virus protection is the use of heuristic analysis.

Problems with traditional antivirus software

In recent years, traditional anti-virus technologies have become less and less effective and quickly become obsolete, for a number of reasons. The number of virus threats identified by signatures is already so high that ensuring a timely, 100% update of the signature databases on user computers is often an unrealistic task. Hackers and cybercriminals increasingly use botnets and other technologies to accelerate the spread of zero-day virus threats. In addition, no signatures are created for the viruses used in targeted attacks. Finally, new techniques for evading anti-virus detection are being applied: malware encryption, server-side generation of polymorphic viruses, and preliminary testing of how well a virus attack gets through.

Traditional anti-virus protection is most often built in the "thick client" architecture. This means that a lot of program code is installed on the client's computer. It checks incoming data and detects the presence of virus threats.

This approach has a number of disadvantages. First, scanning for malware and matching signatures requires a significant computational load, which is “taken away” from the user. As a result, the productivity of the computer decreases, and the operation of the antivirus sometimes interferes with the execution of applied tasks in parallel. Sometimes the load on the user's system is so noticeable that users turn off anti-virus programs, thereby removing the barrier to a potential virus attack.

Second, each update on the user's machine requires the transfer of thousands of new signatures. The amount of data transferred is typically on the order of 5 MB per day per machine. This traffic slows down the network, diverts additional system resources and requires system administrators to control it.

Thirdly, users who are roaming or away from their fixed workplace are vulnerable to zero-day attacks. To receive the next portion of signatures, they must connect to a VPN that is not accessible to them remotely.

Antivirus protection from the cloud

When switching to anti-virus protection from the cloud, the architecture of the solution changes significantly. A "lightweight" client is installed on the user's computer; its main function is to find new files, calculate their hash values and send this data to the cloud server. In the cloud, a full-scale comparison is performed against a large database of collected signatures. This database is constantly and promptly updated with data supplied by anti-virus companies. The client receives a report with the results of the check.

Thus, the cloud architecture of anti-virus protection has a number of advantages:

  • the volume of calculations on the user's computer is negligible compared to a thick client, so the user's productivity does not decrease;
  • there is no catastrophic effect of anti-virus traffic on network bandwidth: only a compact portion of data is sent, containing just a few dozen hash values, and the average daily traffic does not exceed 120 KB;
  • cloud storage contains huge arrays of signatures, much larger than those stored on user computers;
  • the signature comparison algorithms used in the cloud are significantly more intelligent than the simplified models used on the local workstation, and thanks to higher performance the comparison takes less time;
  • cloud-based antivirus services work with real data received from antivirus laboratories, security developers, corporate and private users; zero-day threats are blocked as soon as they are recognized, without the delay caused by the need to reach user computers;
  • users who are roaming or do not have access to their main workplace receive protection from zero-day attacks the moment they access the Internet;
  • the load on system administrators is reduced: they do not need to spend time installing anti-virus software on users' computers or updating signature databases.
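The lightweight-client architecture described above, as an added Python illustration written for this page (not the code of any vendor's product): the client hashes only files that are new or changed since its last pass and uploads nothing but hash values; a simulated cloud service answers from a constructed signature database. The sample files, their contents and the verdicts are constructed for the demonstration.

```python
"""Cloud-lookup anti-virus client, simplified (constructed example)."""
import hashlib
import json
import os
import tempfile

# Constructed file contents that stand in for a known-bad and a known-good file;
# they are plain text markers, not real malware.
BAD_SAMPLE = b"constructed sample standing in for a known-bad executable"
GOOD_SAMPLE = b"constructed sample standing in for a clean executable"


def sha256_hex(data: bytes) -> str:
    """Hash value the client sends instead of the file itself."""
    return hashlib.sha256(data).hexdigest()


class CloudSignatureService:
    """Server side: holds the (large) hash database and answers batched queries."""

    def __init__(self, verdicts: dict):
        self._verdicts = dict(verdicts)  # sha256 hex -> "malicious" | "clean"

    def handle_request(self, payload: bytes) -> bytes:
        """Takes the client's JSON request, returns a JSON report."""
        hashes = json.loads(payload)["hashes"]
        report = {h: self._verdicts.get(h, "unknown") for h in hashes}
        return json.dumps({"verdicts": report}).encode()


class LightweightClient:
    """Client side: finds new or changed files, hashes them, uploads only hashes."""

    def __init__(self, service: CloudSignatureService):
        self._service = service
        self._seen = {}      # path -> (size, mtime_ns, sha256): local cache
        self.bytes_sent = 0  # lets the reader measure the upload traffic

    def _changed(self, path: str) -> bool:
        """A file is rehashed only if its size or modification time moved."""
        st = os.stat(path)
        cached = self._seen.get(path)
        return cached is None or cached[:2] != (st.st_size, st.st_mtime_ns)

    def collect_new_hashes(self, root: str) -> dict:
        """Returns {path: sha256} for files not yet known to the local cache."""
        new = {}
        for dirpath, _, names in os.walk(root):
            for name in names:
                path = os.path.join(dirpath, name)
                if not self._changed(path):
                    continue
                with open(path, "rb") as fh:
                    digest = sha256_hex(fh.read())
                st = os.stat(path)
                self._seen[path] = (st.st_size, st.st_mtime_ns, digest)
                new[path] = digest
        return new

    def check_directory(self, root: str) -> dict:
        """One scan cycle: hash new files, query the cloud, map verdicts to paths."""
        new = self.collect_new_hashes(root)
        if not new:
            return {}  # nothing changed, so no traffic at all
        payload = json.dumps({"hashes": sorted(set(new.values()))}).encode()
        self.bytes_sent += len(payload)
        verdicts = json.loads(self._service.handle_request(payload))["verdicts"]
        return {path: verdicts[digest] for path, digest in new.items()}


def demo() -> tuple:
    """Two scan cycles over a constructed directory; returns (first, second, bytes_sent)."""
    service = CloudSignatureService({
        sha256_hex(BAD_SAMPLE): "malicious",
        sha256_hex(GOOD_SAMPLE): "clean",
    })
    client = LightweightClient(service)
    with tempfile.TemporaryDirectory() as root:
        for name, data in (("tool.exe", GOOD_SAMPLE),
                           ("dropper.exe", BAD_SAMPLE),
                           ("notes.txt", b"constructed file nobody has seen before")):
            with open(os.path.join(root, name), "wb") as fh:
                fh.write(data)
        first = client.check_directory(root)   # three hashes go up, three verdicts return
        second = client.check_directory(root)  # cache hit for every file: no request
        by_name = {os.path.basename(p): v for p, v in first.items()}
        return by_name, second, client.bytes_sent


if __name__ == "__main__":
    print(demo())
```

The three-file request is a couple of hundred bytes, which is the "compact portion of data" the bullet list refers to; a second pass over unchanged files sends nothing.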

Why traditional antiviruses fail

Modern malicious code can:

  • bypass antivirus traps by creating a virus targeted specifically at the company;
  • evade detection before the antivirus creates a signature, using polymorphism and re-encoding, together with dynamic DNS and URLs;
  • be created specifically for the target company;
  • use polymorphism;
  • be code unknown to anyone, for which no signature exists.

Such code is difficult to defend against.

High-speed antiviruses of 2011

The Russian independent information and analytical center Anti-Malware.ru published in May 2011 the results of another comparative test of the 20 most popular antiviruses for performance and system resource consumption.

The purpose of this test is to show which personal antiviruses have the least impact on the user's typical operations on the computer, "slow down" his work less and consume the minimum amount of system resources.

Among anti-virus monitors (real-time scanners), a whole group of products demonstrated very high performance: Avira, AVG, ZoneAlarm, Avast, Kaspersky Anti-Virus, Eset, Trend Micro and Dr.Web. With these antiviruses installed, the slowdown in copying the test collection was less than 20% compared to the benchmark. The antivirus monitors BitDefender, PC Tools, Outpost, F-Secure, Norton and Emsisoft also showed high performance results, falling within the 30-50% range.

At the same time, Avira, AVG, BitDefender, F-Secure, G Data, Kaspersky Anti-Virus, Norton, Outpost and PC Tools can be significantly faster in real conditions due to their post-check optimization.

Avira showed the best on-demand scanning speed. Slightly behind it were Kaspersky Anti-Virus, F-Secure, Norton, G Data, BitDefender and Outpost. In terms of first-scan speed these antiviruses are only slightly inferior to the leader, and all of them have powerful technologies for optimizing repeated scans.

Another important characteristic of an antivirus's speed is its impact on the applications the user works with most often. Five of them were chosen for the test: Internet Explorer, Microsoft Office Word, Microsoft Outlook, Adobe Acrobat Reader and Adobe Photoshop. The smallest slowdown in launching these programs was shown by Eset, Microsoft, Avast, VBA32, Comodo, Norton, Trend Micro, Outpost and G Data.

INTRODUCTION

We live at the turn of two millennia, when humanity has entered the era of a new scientific and technological revolution.

By the end of the twentieth century, people had mastered many of the secrets of the transformation of matter and energy and were able to use this knowledge to improve their lives. But in addition to matter and energy, another component plays a huge role in human life - information. This is a wide variety of information, messages, news, knowledge, skills.

In the middle of our century, special devices appeared - computers focused on storing and converting information, and a computer revolution took place.

Today, the widespread use of personal computers has, unfortunately, turned out to be associated with the emergence of self-reproducing virus programs that prevent the normal operation of the computer, destroy the file structure of disks and damage the information stored on the computer.

Despite the laws adopted in many countries to combat computer crime and the development of special software tools for protection against viruses, the number of new software viruses is constantly growing. This requires the user of a personal computer to be aware of the nature of viruses, how infection occurs and how to protect against it. This was the stimulus for choosing the topic of my work.

This is what my essay is about. I describe the main types of viruses, consider the schemes of their functioning, the reasons for their appearance and the ways they penetrate a computer, and also suggest measures for protection and prevention.

The purpose of the work is to acquaint the user with the basics of computer virology and to teach how to detect viruses and fight them. The method of work is the analysis of printed publications on this topic. I faced a difficult task: to talk about something that has been studied very little; how well it turned out is for you to judge.

1. COMPUTER VIRUSES, THEIR PROPERTIES AND CLASSIFICATION

1.1. Properties of computer viruses

Personal computers are now in use in which the user has free access to all the resources of the machine. This is what opened the way for the danger that has come to be known as the computer virus.

What is a computer virus? A formal definition of this concept has not yet been devised, and there are serious doubts that one can be given at all. Numerous attempts to give a "modern" definition of the virus have not been successful. To feel the complexity of the problem, try, for example, to define the concept of an "editor". You either come up with something very general, or you start listing all the known types of editors. Neither can be considered acceptable. Therefore, we will confine ourselves to considering some properties of computer viruses that allow us to speak of them as a certain specific class of programs.

First of all, a virus is a program. Such a simple statement alone can dispel many legends about the extraordinary capabilities of computer viruses. The virus can flip the image on your monitor, but it cannot flip the monitor itself. Legends about killer viruses “destroying operators by displaying a deadly color scheme on the 25th frame” should not be taken seriously either. Unfortunately, some authoritative publications from time to time publish "the latest news from the computer front", which, upon closer examination, turn out to be the result of a not entirely clear understanding of the subject.

A virus is a program that has the ability to reproduce itself. This ability is the only property common to all types of viruses. But viruses are not the only things capable of self-replication. Any operating system and many other programs are capable of creating copies of themselves. Copies of the same virus not only do not have to match the original completely, but may not match it at all!

A virus cannot exist in "complete isolation": a virus cannot be imagined today that does not use other programs' code, file structure information, or even just the names of other programs. The reason is clear: the virus must somehow ensure the transfer of control to itself.

1.2. Virus classification

Currently, more than 5,000 software viruses are known; they can be classified according to the following criteria:

• habitat

• method of infecting the environment

• degree of impact

• features of the algorithm

Depending on the habitat, viruses can be divided into network, file, boot and file-boot viruses. Network viruses are distributed over various computer networks. File viruses are introduced mainly into executable modules, that is, into files with the COM and EXE extensions. File viruses can be embedded in other types of files, but, as a rule, when written to such files they never get control and therefore lose the ability to reproduce. Boot viruses are embedded in the boot sector of a disk (Boot sector) or in the sector containing the system disk boot program (Master Boot Record). File-boot viruses infect both files and disk boot sectors.

According to the method of infection, viruses are divided into resident and non-resident. A resident virus, when infecting a computer, leaves its resident part in RAM, which then intercepts the operating system's accesses to infection targets (files, disk boot sectors, etc.) and injects itself into them. Resident viruses reside in memory and remain active until the computer is turned off or restarted. Non-resident viruses do not infect computer memory and are active for a limited time.

According to the degree of impact, viruses can be divided into the following types:

• non-hazardous, which do not interfere with the operation of the computer but reduce the amount of free RAM and disk space; the actions of such viruses manifest themselves in some graphic or sound effects

• dangerous viruses, which can cause various problems in the operation of your computer

• very dangerous, whose impact can lead to loss of programs, destruction of data and erasure of information in the system areas of the disk

2. MAIN TYPES OF VIRUSES AND SCHEMES OF THEIR FUNCTIONING

Among the variety of viruses, the following main groups can be distinguished:

• boot

• file

• file-boot

Now in more detail about each of these groups.

2.1. Boot viruses

Consider the operation of a very simple boot virus that infects floppy disks. We deliberately bypass all the numerous subtleties that would inevitably be encountered in a rigorous analysis of the algorithm for its functioning.

What happens when you turn on your computer? First, control is transferred to the bootstrap program stored in read-only memory (ROM), i.e. the ROM PNZ (PNZ is the Russian abbreviation for the initial bootstrap program).

This program tests the hardware and, if the tests pass, tries to find a floppy disk in drive A:

Every floppy disk is divided into so-called sectors and tracks. Sectors are combined into clusters, but this is not essential for us.

Among the sectors there are several service sectors used by the operating system for its own needs (your data cannot be placed in these sectors). Of the service sectors, we are interested in just one: the so-called bootstrap sector (boot sector).

The bootstrap sector stores information about the diskette: the number of surfaces, the number of tracks, the number of sectors, etc. But right now we are interested not in this information but in the small bootstrap program (PNZ), which must load the operating system itself and transfer control to it.

So the normal bootstrap pattern is as follows:

Now consider the virus. Two parts are distinguished in boot viruses: the so-called head and the so-called tail. The tail, generally speaking, may be empty.

Suppose you have a blank floppy disk and an infected computer, by which we mean a computer with an active resident virus. As soon as this virus detects that a suitable victim has appeared in the drive - in our case, a diskette that is not write-protected and not yet infected, it proceeds to infect. When infecting a floppy disk, the virus performs the following actions:

Allocates a certain area of the disk and marks it as inaccessible to the operating system; this can be done in different ways, and in the simplest and traditional case the sectors occupied by the virus are marked as bad

Copies its tail and the original (healthy) boot sector to the allocated area of the disk

Replaces the bootstrap program in the (real) boot sector with its head

Organizes the control transfer chain according to the scheme.

Thus, the head of the virus is now the first to take control, the virus is installed in memory and transfers control to the original boot sector. In a chain

PNZ (ROM) - PNZ (disk) - SYSTEM

a new link appears:

PNZ (ROM) - VIRUS - PNZ (disk) - SYSTEM

The moral is clear: never (accidentally) leave floppy disks in drive A.

We have examined the operation of a simple boot virus that lives in the boot sectors of floppy disks. As a rule, viruses can infect not only the boot sectors of floppy disks but also the boot sectors of hard drives. In this case, unlike a floppy disk, a hard drive has two types of boot sectors containing boot programs that receive control. When a computer boots from a hard drive, the boot program in the MBR (Master Boot Record) takes control first. If your hard drive is divided into several partitions, only one of them is marked as bootable (boot). The bootstrap program in the MBR finds the boot partition of the hard drive and transfers control to the bootloader of that partition. The code of the latter is the same as the code of the boot program contained on ordinary floppy disks, and the corresponding boot sectors differ only in their parameter tables. Thus, there are two targets for boot viruses on a hard drive: the bootstrap program in the MBR and the bootstrap program in the boot sector of the boot partition.

2.2. File viruses

Let us now consider how a simple file virus works. Unlike boot viruses, which are almost always resident, file viruses are not necessarily resident. Let's consider the scheme of functioning of a non-resident file virus. Suppose we have an infected executable file. When such a file is launched, the virus takes control, performs some actions, and transfers control to the "master" (although it is still unknown who is the master in such a situation).

What actions does the virus perform? It looks for a new object to infect: a file of a suitable type that has not yet been infected (if the virus is "decent"; there are others that infect immediately without checking anything). By infecting a file, the virus injects itself into its code in order to gain control when the file is run. Besides its main function, reproduction, the virus may well do something intricate (say, ask something, play something); this depends on the imagination of the virus author. If a file virus is resident, it installs itself into memory and gains the ability to infect files and exhibit its other behaviour not only while the infected file is running. By infecting an executable file, a virus always modifies its code; therefore, infection of an executable file can always be detected. But in changing the file's code, the virus does not necessarily make other changes:

• it is not obliged to change the length of the file

• it may use unused sections of code

• it is not required to change the beginning of the file

Finally, file viruses are often taken to include viruses that "have something to do with files" but are not required to intrude into their code. Consider as an example the scheme of functioning of viruses of the well-known Dir-II family. It must be admitted that, having appeared in 1991, these viruses caused a real plague epidemic in Russia. Consider a model that clearly shows the basic idea of the virus. Information about files is stored in directories. Each directory entry includes the file name, creation date and time, some additional information, the number of the file's first cluster, etc., as well as spare bytes. The latter are left "in reserve" and are not used by MS-DOS itself.

When an executable file is run, the system reads the number of its first cluster from the directory entry and then all the other clusters. Viruses of the Dir-II family perform the following "reorganization" of the file system: the virus writes itself to some free sectors of the disk, which it marks as bad. In addition, it stores the information about the first clusters of executable files in the spare bytes, and writes references to itself in place of this information.

Thus, when any file is launched, the virus receives control (the operating system launches it itself), resides in memory, and transfers control to the called file.

2.3. Boot-file viruses

We will not consider the boot-file virus model, because you would not learn anything new from it. But this is an opportunity to briefly discuss the recently extremely "popular" OneHalf boot-file virus, which infects the master boot sector (MBR) and executable files. Its main destructive action is the encryption of hard drive sectors. Each time it is launched, the virus encrypts another portion of sectors, and after encrypting half of the hard drive it happily announces this. The main problem in treating this virus is that it is not enough to simply remove the virus from the MBR and files: the information it encrypted must also be decrypted. The most "fatal" course of action is simply to write a fresh, clean MBR over the old one. The main thing is not to panic. Weigh everything calmly and consult the experts.

2.4. Polymorphic viruses

Most of the questions are related to the term "polymorphic virus". This type of computer virus is by far the most dangerous. Let's explain what it is.

Polymorphic viruses are viruses that modify their code in infected programs in such a way that two instances of the same virus may not match in one bit.

Such viruses not only encrypt their code using different encryption paths, but also contain the generation code of the encryptor and decryptor, which distinguishes them from ordinary encryption viruses, which can also encrypt parts of their code, but at the same time have a constant code of the encryptor and decryptor.

Polymorphic viruses are viruses with self-modifying decryptors. The purpose of such encryption is that even if you have both the infected and the original file, you still cannot analyze the virus code with conventional disassembly. The code is encrypted and looks like a meaningless set of instructions. Decryption is performed by the virus itself at run time. Here there are options: it can decrypt itself all at once, or it can decrypt "on the fly", and it can re-encrypt sections that have already run. All this is done to make analysis of the virus code difficult.

3. HISTORY OF COMPUTER VIROLOGY AND CAUSES OF VIRUSES

The history of computer virology today seems to be a constant "race for the leader", and, despite the full power of modern anti-virus programs, it is viruses that are the leaders. Among the thousands of viruses, only a few dozen are original developments using truly fundamentally new ideas. All others are "variations on a theme". But each original development forces the creators of antiviruses to adapt to new conditions, to catch up with virus technology. The latter can be disputed. For example, in 1989, an American student managed to create a virus that disabled about 6,000 US Department of Defense computers. Or the epidemic of the famous Dir-II virus that broke out in 1991. The virus used a truly original, fundamentally new technology and at first managed to spread widely due to the imperfections of traditional anti-virus tools.

Or the outbreak of computer viruses in the UK: Christopher Pine managed to create the Pathogen and Queeq viruses, as well as the Smeg virus. It was the latter that was the most dangerous, it could be applied to the first two viruses, and because of this, after each run of the program, they changed the configuration. Therefore, they were impossible to destroy. To spread viruses, Pine copied computer games and programs, infected them, and then sent them back to the network. Users downloaded infected programs to their computers and infected disks. The situation was aggravated by the fact that Pine managed to bring viruses into the program that fights them. By running it, users instead of destroying viruses received another one. As a result, the files of many companies were destroyed, the losses amounted to millions of pounds.

American programmer Morris is widely known. He is known as the creator of the virus that in November 1988 infected about 7,000 personal computers connected to the Internet.

The reasons for the emergence and spread of computer viruses lie, on the one hand, in human psychology and its shadow sides (envy, revenge, the vanity of unrecognized creators, the inability to apply one's abilities constructively) and, on the other hand, in the lack of hardware protection and countermeasures in personal computer operating systems.

4. WAYS OF PENETRATION OF VIRUSES INTO A COMPUTER AND MECHANISM OF DISTRIBUTION OF VIRUS PROGRAMS

The main ways for viruses to enter a computer are removable disks (floppy and laser), as well as computer networks. Hard disk infection with viruses can occur when a program is loaded from a floppy disk containing a virus. Such an infection can also be accidental, for example, if the floppy disk was not removed from drive A and the computer was restarted, while the floppy disk may not be a system one. It is much easier to infect a floppy disk. A virus can get on it even if the floppy disk is simply inserted into the disk drive of an infected computer and, for example, its table of contents is read.

The virus, as a rule, is introduced into the working program in such a way that when it is launched, control is first transferred to it and only after the execution of all its commands returns to the working program again. Having gained access to control, the virus first of all rewrites itself into another working program and infects it. After running a program containing a virus, it becomes possible to infect other files. Most often, the boot sector of the disk and executable files with the EXE, COM, SYS, BAT extensions are infected with the virus. Text files are extremely rarely infected.

After infecting a program, the virus may perform some kind of sabotage, not too serious so as not to attract attention. Finally, it does not forget to return control to the program from which it was launched. Each execution of an infected program transfers the virus to the next one. Thus, all software ends up infected.

To illustrate the process by which a virus infects a computer program, it makes sense to liken disk storage to an old-fashioned archive with folders on tape. The folders contain programs, and the sequence of operations for introducing a virus looks like this (see Appendix 1).

5. SIGNS OF VIRUSES

When a computer is infected with a virus, it is important to detect it. To do this, you should know about the main signs of the manifestation of viruses. These include the following:

• termination of work or incorrect operation of previously well-functioning programs

• slow computer performance

• inability to boot the operating system

• disappearance of files and directories or corruption of their contents

• changes in the modification date and time of files

• changes in file sizes

• an unexpected large increase in the number of files on the disk

• a significant decrease in the amount of free RAM

• display of unexpected messages or images on the screen

• unexpected sound signals

• frequent freezes and computer crashes

It should be noted that the above phenomena are not necessarily caused by the presence of the virus, but may be due to other causes. Therefore, it is always difficult to correctly diagnose the state of the computer.

6. VIRUS DETECTION AND PROTECTION AND PREVENTION MEASURES

6.1. How to detect a virus? The traditional approach

So, a certain virus writer creates a virus and launches it into "life". For some time it may roam freely, but sooner or later the free ride ends. Someone will suspect something is wrong. As a rule, viruses are detected by ordinary users who notice certain anomalies in the behavior of the computer. In most cases they are not able to cope with the infection on their own, but that is not required of them.

It is only necessary that the virus gets into the hands of specialists as soon as possible. Professionals will study it, find out "what it does", "how it does it", "when it does it", etc. In the course of such work, all the necessary information about the virus is collected; in particular, the virus signature is extracted: a sequence of bytes that identifies it quite unambiguously. To build a signature, the most important and characteristic parts of the virus code are usually taken. At the same time, the mechanisms of the virus's operation become clear: for example, for a boot virus it is important to know where it hides its tail and where the original boot sector is located, and for a file virus, how the file is infected. The information obtained makes it possible to determine:

how to detect the virus: for this, methods for searching for the signature in the potential targets of the virus attack (files and/or boot sectors) are specified

how to neutralize the virus: where possible, algorithms for removing the virus code from affected objects are developed

6.2. Virus detection and protection programs

To detect, remove and protect against computer viruses, several types of special programs have been developed that allow viruses to be detected and destroyed. Such programs are called antivirus programs. There are the following types of antivirus programs:

detector programs

doctor programs, or phages

auditor programs

filter programs

vaccine programs, or immunizers

Detector programs search RAM and files for a signature characteristic of a particular virus and, if it is found, issue an appropriate message. The disadvantage of such anti-virus programs is that they can only find viruses known to the developers of those programs.

Doctor programs, or phages, as well as vaccine programs, not only find virus-infected files but also "treat" them, i.e. remove the body of the virus program from the file, returning the file to its original state. At the start of their work, phages look for viruses in RAM and destroy them, and only then proceed to "treating" files. Among phages, polyphages are distinguished, i.e. doctor programs designed to find and destroy a large number of viruses. The best known of them are Aidstest, Scan, Norton AntiVirus and Doctor Web.
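To make the detector's work concrete, here is an added Python example written for this page (not the code of Aidstest or any other product named here), covering both the signature extraction described in 6.1 and the detector program described above: a signature is taken from a captured sample as a hex mask, the bytes that vary between instances are replaced by `??` wildcards, and files are scanned for the mask. The sample bodies and file contents are constructed marker strings, not real virus code.

```python
"""Signature-based detector, simplified (constructed example)."""
import re
from typing import List, Optional

# Constructed stand-ins: a "clean program" and two instances of a sample body that
# differ only in their last byte (a version marker). Harmless text, not real code.
CLEAN_PROGRAM = b"MZ" + b"\x90" * 64 + b"constructed clean program text"
BODY_V1 = b"CONSTRUCTED-SAMPLE-BODY-v1"
BODY_V2 = b"CONSTRUCTED-SAMPLE-BODY-v2"


class Signature:
    """A byte mask such as '43 4F 4E ?? 54', where '??' matches any single byte."""

    def __init__(self, name: str, mask: str, min_fixed: int = 10):
        self.name = name
        self.mask = mask
        tokens = mask.split()
        fixed = sum(1 for t in tokens if t != "??")
        # Too few fixed bytes means the mask will also hit ordinary data
        # (a "friend" taken for an "alien"): refuse such masks outright.
        if fixed < min_fixed:
            raise ValueError(f"{name}: only {fixed} fixed bytes, need {min_fixed}")
        parts = [b"." if t == "??" else re.escape(bytes([int(t, 16)])) for t in tokens]
        # DOTALL so that a wildcard also matches the 0x0A byte.
        self._regex = re.compile(b"".join(parts), re.DOTALL)

    def find(self, data: bytes) -> Optional[int]:
        """Offset of the first occurrence of the mask in data, or None."""
        match = self._regex.search(data)
        return match.start() if match else None


def signature_from_sample(name: str, body: bytes, wildcard_at=()) -> Signature:
    """Builds a mask from a captured body; positions in wildcard_at become '??'."""
    tokens = ["??" if i in wildcard_at else f"{b:02X}" for i, b in enumerate(body)]
    return Signature(name, " ".join(tokens))


def scan_bytes(data: bytes, signatures: List[Signature]) -> List[dict]:
    """Checks one object (file image, boot sector, memory dump) against all masks."""
    hits = []
    for sig in signatures:
        offset = sig.find(data)
        if offset is not None:
            hits.append({"name": sig.name, "offset": offset})
    return hits


def scan_file(path: str, signatures: List[Signature]) -> List[dict]:
    """Same check for a file on disk."""
    with open(path, "rb") as fh:
        return scan_bytes(fh.read(), signatures)


def demo() -> dict:
    """Extracts one mask from BODY_V1 and checks clean and 'infected' images."""
    # The version byte is the last one; wildcarding it lets one mask cover both instances.
    sig = signature_from_sample("Sample.Family", BODY_V1, wildcard_at={len(BODY_V1) - 1})
    return {
        "mask": sig.mask,
        "clean": scan_bytes(CLEAN_PROGRAM, [sig]),
        "infected_v1": scan_bytes(CLEAN_PROGRAM + BODY_V1, [sig]),
        "infected_v2": scan_bytes(CLEAN_PROGRAM + BODY_V2, [sig]),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The reported offset is where the appended body starts, which is the information a doctor program would need to cut it out again.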

Given that new viruses are constantly appearing, detection programs and doctor programs quickly become outdated, and regular updates are required.

Auditor programs are among the most reliable means of protection against viruses. Auditors remember the initial state of programs, directories and system areas of the disk when the computer is not infected with a virus, and then periodically or at the request of the user compare the current state with the original. Detected changes are displayed on the monitor screen. As a rule, states are compared immediately after the operating system is loaded. The comparison checks the file length, the cyclic redundancy code (CRC, the file checksum), the date and time of modification and other parameters. Auditor programs have fairly advanced algorithms, detect stealth viruses, and can even separate changes due to a new version of the program being checked from changes made by the virus. Among auditor programs, Adinf is widely used in Russia.
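An added example of the auditor approach, written for this page (not Adinf's code): a baseline of length, CRC32 checksum and modification time is taken while the system is assumed clean and later compared with the current state. The demo constructs a directory, appends data to one file while putting its original timestamp back, and adds a new file; the file names and contents are constructed.

```python
"""Disk auditor (integrity checker), simplified (constructed example)."""
import json
import os
import tempfile
import zlib

FIELDS = ("size", "crc32", "mtime_ns")


def file_record(path: str) -> dict:
    """Length, CRC32 and modification time of one file: what the auditor remembers."""
    with open(path, "rb") as fh:
        crc = zlib.crc32(fh.read()) & 0xFFFFFFFF
    st = os.stat(path)
    return {"size": st.st_size, "crc32": crc, "mtime_ns": st.st_mtime_ns}


def snapshot(root: str) -> dict:
    """State of every file under root, keyed by path relative to root."""
    state = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            state[os.path.relpath(path, root)] = file_record(path)
    return state


def save_baseline(state: dict, path: str) -> None:
    """The baseline belongs on write-protected media, not on the disk being audited."""
    with open(path, "w", encoding="utf-8") as fh:
        json.dump(state, fh, indent=1, sort_keys=True)


def load_baseline(path: str) -> dict:
    with open(path, encoding="utf-8") as fh:
        return json.load(fh)


def compare(baseline: dict, current: dict) -> list:
    """Reports added, removed and modified files, naming the fields that differ."""
    changes = []
    for rel in sorted(set(baseline) | set(current)):
        old, new = baseline.get(rel), current.get(rel)
        if old is None:
            changes.append((rel, "added"))
        elif new is None:
            changes.append((rel, "removed"))
        else:
            differing = [f for f in FIELDS if old[f] != new[f]]
            if differing:
                changes.append((rel, "modified:" + ",".join(differing)))
    return changes


def demo() -> list:
    """Constructed scenario: baseline, then a stealthy append plus a new file."""
    with tempfile.TemporaryDirectory() as root:
        files = {"COMMAND.COM": b"constructed clean program image",
                 "README.TXT": b"constructed notes"}
        for name, data in files.items():
            with open(os.path.join(root, name), "wb") as fh:
                fh.write(data)
        # Snapshot is taken before the baseline file exists, so it is not audited.
        baseline_path = os.path.join(root, "baseline.json")
        save_baseline(snapshot(root), baseline_path)
        baseline = load_baseline(baseline_path)
        os.remove(baseline_path)
        # Simulated infection: append a body to COMMAND.COM, then put the original
        # timestamp back, as a virus covering its tracks would. Length and CRC32
        # still give it away; only the date/time check is fooled.
        target = os.path.join(root, "COMMAND.COM")
        before = os.stat(target)
        with open(target, "ab") as fh:
            fh.write(b"CONSTRUCTED-APPENDED-BODY")
        os.utime(target, ns=(before.st_atime_ns, before.st_mtime_ns))
        with open(os.path.join(root, "DROPPER.EXE"), "wb") as fh:
            fh.write(b"constructed new file")
        return compare(baseline, snapshot(root))


if __name__ == "__main__":
    for rel, what in demo():
        print(rel, what)
```

CRC32 is a checksum, not a cryptographic hash, so a modern auditor would record SHA-256 alongside it; the comparison logic stays the same.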

Filter programs, or "watchmen", are small resident programs designed to detect suspicious computer activity characteristic of viruses. Such actions may be:

attempts to modify files with COM and EXE extensions

changing file attributes

direct writes to disk at an absolute address

writes to disk boot sectors

When any program tries to perform the specified actions, the "watchman" sends a message to the user and offers to prohibit or allow the corresponding action. Filter programs are very useful, as they are able to detect a virus at the earliest stage of its existence before reproduction. However, they do not "heal" files and disks. To destroy viruses, you need to use other programs, such as phages. The disadvantages of watchdog programs include their "annoyance" (for example, they constantly issue a warning about any attempt to copy an executable file), as well as possible conflicts with other software. An example of a filter program is the Vsafe program, which is part of the MS DOS utility package.

Vaccines or immunizers are resident programs that prevent file infection. Vaccines are used if there are no doctor programs that "treat" this virus. Vaccination is possible only against known viruses. The vaccine modifies the program or disk in such a way that it does not affect their work, and the virus will perceive them as infected and therefore will not take root. Vaccine programs are currently of limited use.

Timely detection of virus-infected files and disks, complete destruction of detected viruses on each computer helps to avoid the spread of a virus epidemic to other computers.

6.3. Basic measures to protect against viruses

In order not to expose your computer to viruses and ensure reliable storage of information on disks, you must follow the following rules:

• equip your computer with up-to-date anti-virus programs, such as Aidstest and Doctor Web, and constantly update their versions

• before reading information stored on other computers from floppy disks, always check these diskettes for viruses by running anti-virus programs on your computer

• when transferring archived files to your computer, check them immediately after unpacking them on your hard disk, limiting the check to the newly written files

• periodically check the computer's hard drives for viruses by running anti-virus programs that test files, memory and system areas of the disks from a write-protected floppy disk, after booting the operating system from a write-protected system diskette

• always write-protect your floppy disks when working on other computers if no information is to be written to them

• be sure to make backup copies of information valuable to you on diskettes

• do not leave floppy disks in drive A when turning on or rebooting the operating system, to prevent infection of the computer with boot viruses

• use anti-virus programs for input control of all executable files received from computer networks

• to ensure greater security, the use of Aidstest and Doctor Web must be combined with daily use of the Adinf disk auditor

CONCLUSION

So, we can cite a lot of facts indicating that the threat to the information resource is increasing every day, putting the responsible persons in banks, enterprises and companies all over the world into a panic. And this threat comes from computer viruses that distort or destroy vital, valuable information, which can lead not only to financial losses, but also to human casualties.

Computer virus - a specially written program that can spontaneously attach to other programs, create copies of itself and embed them in files, computer system areas and computer networks in order to disrupt programs, corrupt files and directories, and create all kinds of interference in computer operation.

Currently, more than 5,000 software viruses are known, and their number is constantly growing. There are known cases of study guides being written to help create viruses.

The main types of viruses: boot, file, file-boot. The most dangerous type of viruses is polymorphic.

From the history of computer virology, it is clear that any original computer development forces the creators of antiviruses to adapt to new technologies, constantly improve antivirus programs.

The reasons for the appearance and spread of viruses lie, on the one hand, in human psychology and, on the other hand, in the lack of protection in the operating system.

The main ways for viruses to penetrate are removable drives and computer networks. To prevent this from happening, take precautions. Also, several types of special programs called anti-virus programs have been developed to detect, remove and protect against computer viruses. If you still find a virus in your computer, then according to the traditional approach, it is better to call a professional so that he can figure it out further.

But some properties of viruses puzzle even experts. Until quite recently, it was hard to imagine that a virus could survive a cold reboot or spread through document files. Under such conditions, it is impossible not to attach importance to at least the initial anti-virus education of users. Despite the seriousness of the problem, no virus is capable of causing as much harm as a pale-faced user with trembling hands!

So, the health of your computers, the safety of your data - in your hands!


Classification.

Anti-virus products can be classified according to several criteria at once, such as the anti-virus protection technologies used, product functionality, and target platforms.

Anti-virus protection technologies used:

  • Classic anti-virus products (products that use only the signature-based detection method)
  • Proactive anti-virus protection products (products that use only proactive anti-virus protection technologies)
  • Combined products (products that use both classical, signature-based protection methods and proactive ones)

Product functionality:

  • Antivirus products (products providing only antivirus protection)
  • Combination products (products that provide not only anti-malware protection, but also spam filtering, data encryption and backup, and other functions)

By target platforms:

  • Antivirus products for Windows OS family
  • Antivirus products for operating systems of the *NIX family (this family includes BSD, Linux, etc.)
  • Antivirus products for OS family MacOS
  • Antivirus products for mobile platforms (Windows Mobile, Symbian, iOS, BlackBerry, Android, Windows Phone 7, etc.)

Anti-virus products for corporate users can also be classified according to the objects of protection:

  • Antivirus products for protecting workstations
  • Antivirus products for protection of file and terminal servers
  • Antivirus products to protect mail and Internet gateways
  • Antivirus products to protect virtualization servers
  • etc.

Characteristics of anti-virus programs.

Anti-virus programs are divided into: detector programs, doctor programs, auditor programs, filter programs, vaccine programs.

Detector programs provide search and detection of viruses in RAM and on external media, and upon detection they issue a corresponding message. There are universal and specialized detectors.

Universal detectors check that files have not changed by computing a checksum and comparing it with a stored reference value. The disadvantage of universal detectors is that they cannot determine the cause of a file's corruption.

Specialized detectors search for known viruses by their signature (a piece of code that recurs in every copy of the virus). The disadvantage of such detectors is that they are unable to detect all known viruses.

A detector that can detect several viruses is called a polydetector.

The disadvantage of such antivirus programs is that they can only find viruses that are known to the developers of such programs.
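A minimal specialized detector (in fact a polydetector, since it knows several signatures) in Python, added here as an illustration; it is not code from any of the products the page discusses. The signature masks and the sample "files" are constructed byte strings for the example, not real virus signatures; `??` marks bytes the mask ignores, in the spirit of the masks the early scanners used. The last sample file shows the limitation the paragraph names: a variant that differs by one byte from the known signature goes undetected.

```python
import re
from typing import Dict, List

# Constructed signature masks for this example (not real virus signatures).
# Each is a hex byte string taken from the "virus body"; ?? marks positions
# the detector ignores, so the mask tolerates bytes that vary between copies.
SIGNATURE_MASKS: Dict[str, str] = {
    "Demo.Alpha": "EB 1F 90 90 ?? ?? 44 45 4D 4F",  # jmp, two nops, two wildcards, "DEMO"
    "Demo.Beta": "B8 00 4C CD 21 42 45 54 41",      # mov ax,4C00h / int 21h / "BETA"
}


def mask_to_pattern(mask: str) -> re.Pattern:
    """Compile an 'EB 1F ?? 90' style mask into a byte regex; ?? matches any one byte."""
    parts = mask.split()
    body = b"".join(
        b"." if p == "??" else re.escape(bytes([int(p, 16)])) for p in parts
    )
    # DOTALL so that a wildcard also matches byte 0x0A (newline).
    return re.compile(body, re.DOTALL)


PATTERNS: Dict[str, re.Pattern] = {
    name: mask_to_pattern(mask) for name, mask in SIGNATURE_MASKS.items()
}


def scan_buffer(data: bytes) -> List[str]:
    """Names of every signature found in data. A file is reported as infected
    when the byte sequence occurs anywhere in it, exactly as the paragraph describes."""
    return [name for name, pattern in PATTERNS.items() if pattern.search(data)]


def scan_files(files: Dict[str, bytes]) -> Dict[str, List[str]]:
    """Scan (filename -> content) pairs and return only the files with hits."""
    report: Dict[str, List[str]] = {}
    for path, data in files.items():
        hits = scan_buffer(data)
        if hits:
            report[path] = hits
    return report


# Constructed sample "files" (byte strings made up for the example, not real programs).
SAMPLE_FILES: Dict[str, bytes] = {
    "CLEAN.COM": b"\xb4\x09\xba\x08\x01\xcd\x21\xc3Hello$",
    "GAME.COM": b"\x00" * 8 + b"\xeb\x1f\x90\x90\x12\x34DEMO" + b"\x00" * 8,
    "TOOL.EXE": b"MZ" + b"\x90" * 16
    + b"\xeb\x1f\x90\x90\xab\xcdDEMO"
    + b"\xb8\x00\x4c\xcd\x21BETA",
    # One byte changed (0x91 instead of 0x90) outside the wildcard positions:
    # a variant the database does not know, and therefore a miss.
    "VARIANT.COM": b"\x00" * 8 + b"\xeb\x1f\x90\x91\x12\x34DEMO" + b"\x00" * 8,
}


if __name__ == "__main__":
    for path, hits in scan_files(SAMPLE_FILES).items():
        print(f"{path}: infected by {', '.join(hits)}")
```

Running the script reports GAME.COM and TOOL.EXE (the latter with both signatures, which is what makes this a polydetector) and stays silent on VARIANT.COM, even though it differs from the known body by a single byte. That silence is the gap the text describes: the detector finds only what its developers have already put in the database, which is why the following paragraphs turn to auditors and filters that do not depend on knowing the virus in advance.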

Doctor programs (phages) not only find files infected with viruses, but also "treat" them, i.e. remove the body of the virus program from the file, returning the files to their original state. At the beginning of their work, phages look for viruses in RAM, destroying them, and only then proceed to "treat" files. Among phages, polyphages are distinguished, i.e. doctor programs designed to find and destroy a large number of viruses.

Given that new viruses are constantly appearing, detection programs and doctor programs quickly become outdated, and regular updates of their versions are required.

Auditor programs are among the most reliable means of protecting against viruses. Auditors remember the initial state of programs, directories and system areas of the disk while the computer is not infected with a virus, and then periodically, or at the request of the user, compare the current state with the original one. The detected changes are displayed on the monitor screen. As a rule, states are compared immediately after the operating system is loaded. The comparison checks the file length, the cyclic redundancy code (CRC checksum of the file), the date and time of modification, and other parameters.

Auditor programs have fairly advanced algorithms, detect stealth viruses, and can even distinguish between changes in the version of the program being checked and changes made by the virus.
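A small disk auditor in Python, added as an example of the approach the two paragraphs above describe; it is not the code of Adinf or any other product named on the page. It records length, modification time and a SHA-256 digest for every watched file (the set of watched extensions is an assumption made for the example), saves that baseline, and later reports added, deleted and modified files. The one refinement worth showing is how an auditor can tell a version upgrade from an infection: a legitimate update moves the timestamp together with the content, whereas content that changed while the timestamp stayed exactly as before is flagged separately. The `demo()` function builds a constructed directory tree in a temporary folder so the script runs offline.

```python
import hashlib
import json
import os
import tempfile
from pathlib import Path
from typing import Dict, List

# Assumed set of watched file types for this example. A real auditor also
# records boot sectors and system areas, which need raw disk access.
WATCHED_SUFFIXES = {".com", ".exe", ".sys", ".dll"}
FIELDS = ("size", "mtime", "sha256")


def file_record(path: Path) -> dict:
    """Length, modification time and SHA-256 of one file: its recorded state."""
    st = path.stat()
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return {"size": st.st_size, "mtime": int(st.st_mtime), "sha256": digest.hexdigest()}


def take_baseline(root: Path) -> Dict[str, dict]:
    """Record every watched file under root, keyed by its path relative to root."""
    baseline: Dict[str, dict] = {}
    for p in sorted(root.rglob("*")):
        if p.is_file() and p.suffix.lower() in WATCHED_SUFFIXES:
            baseline[p.relative_to(root).as_posix()] = file_record(p)
    return baseline


def save_baseline(baseline: Dict[str, dict], path: Path) -> None:
    """Store the baseline; keep this file on media the system cannot write to."""
    path.write_text(json.dumps(baseline, indent=1))


def load_baseline(path: Path) -> Dict[str, dict]:
    return json.loads(path.read_text())


def compare(root: Path, baseline: Dict[str, dict]) -> Dict[str, list]:
    """Compare the current state of root with a saved baseline."""
    current = take_baseline(root)
    report: Dict[str, list] = {
        "added": sorted(set(current) - set(baseline)),
        "deleted": sorted(set(baseline) - set(current)),
        "modified": [],
    }
    for name in sorted(set(current) & set(baseline)):
        old, new = baseline[name], current[name]
        changed: List[str] = [f for f in FIELDS if old[f] != new[f]]
        if changed:
            # A version upgrade changes the timestamp along with the content.
            # Changed content under an unchanged timestamp is the pattern left
            # by an infector that restores the original date, so flag it.
            stealthy = "sha256" in changed and "mtime" not in changed
            report["modified"].append(
                {"path": name, "changed": changed, "stealthy": stealthy}
            )
    return report


def demo() -> dict:
    """Constructed scenario: take a baseline, then infect one file with its
    timestamp restored, add a new executable, and audit again."""
    root = Path(tempfile.mkdtemp())
    (root / "GAME.COM").write_bytes(b"original program body")
    (root / "NOTE.TXT").write_bytes(b"not a watched file type")
    baseline = take_baseline(root)
    clean_report = compare(root, baseline)

    st = (root / "GAME.COM").stat()
    (root / "GAME.COM").write_bytes(b"original program body" + b"\x00" * 64)
    os.utime(root / "GAME.COM", (st.st_atime, st.st_mtime))  # timestamp put back
    (root / "NEW.EXE").write_bytes(b"MZ")

    save_baseline(baseline, root / "baseline.json")
    report = compare(root, load_baseline(root / "baseline.json"))
    return {"baseline": baseline, "clean_report": clean_report, "report": report}


if __name__ == "__main__":
    print(json.dumps(demo()["report"], indent=1))
```

The page's own advice applies to the baseline file as much as to the auditor program: both should live on a write-protected diskette (today, read-only or offline media), because a baseline the infected system can rewrite proves nothing.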

Filter programs (watchmen) are small resident programs designed to detect suspicious actions during computer operation that are characteristic of viruses. Such actions may be:

  • attempts to modify files with COM and EXE extensions;
  • changing file attributes;
  • writing directly to the disk at an absolute address.

When any program tries to perform the specified actions, the "watchman" sends a message to the user and offers to prohibit or allow the corresponding action. Filter programs are very useful, as they are able to detect a virus at the earliest stage of its existence before reproduction. However, they do not "heal" files and disks. To destroy viruses, you need to use other programs, such as phages. The disadvantages of watchdog programs include their "annoyance" (for example, they constantly issue a warning about any attempt to copy an executable file), as well as possible conflicts with other software.

Vaccines (immunizers) are resident programs that prevent infection of files. Vaccines are used if there are no doctor programs that "treat" this virus. Vaccination is possible only against known viruses. The vaccine modifies the program or disk in such a way that it does not affect their work, and the virus will perceive them as infected and therefore will not take root. Vaccine programs are currently of limited use.

A significant drawback of such programs is their limited ability to prevent infection from a large number of different viruses.

Examples of antivirus programs

When choosing an anti-virus program, it is necessary to take into account not only the percentage of virus detections, but also the ability to detect new viruses, the number of viruses in the anti-virus database, the frequency of its updates, and the availability of additional functions.

Currently, a serious antivirus must be able to recognize at least 25,000 viruses. This does not mean that they are all "in the wild". In fact, most of them have either ceased to exist or are kept in laboratories and are not being distributed. In reality, you can meet 200-300 viruses, and only a few dozen of them are dangerous.

There are many antivirus programs. Consider the most famous of them.

Norton AntiVirus 4.0 and 5.0 (Manufacturer: Symantec).

One of the most famous and popular antiviruses. The virus recognition rate is very high (close to 100%). The program uses a mechanism that allows you to recognize new unknown viruses.

Norton AntiVirus's interface includes a LiveUpdate feature that allows you to update both the program and the virus signature set via the Web with the click of a single button. The Virus Control Wizard gives you detailed information about the detected virus, and also gives you the choice to remove the virus either automatically or more carefully, through a step-by-step procedure that allows you to see each of the actions performed during the removal process.

Anti-virus databases are updated very frequently (sometimes updates appear several times a week). There is a resident monitor.

The disadvantage of this program is the complexity of its settings (although the basic settings almost never need to be changed).

Dr Solomon's AntiVirus (manufacturer: Dr Solomon's Software).

It is considered one of the best antiviruses (Eugene Kaspersky once said that this is the only competitor to his AVP). Detects almost 100% of known and new viruses. A large number of functions, a scanner, a monitor, heuristics and everything you need to successfully resist viruses.

McAfee Virus Scan (manufacturer: McAfee Associates).

This is one of the most famous antivirus packages. It removes viruses very well, but VirusScan is worse than other packages when it comes to detecting new varieties of file viruses. It is easy and quick to install using the default settings, but you can also customize it to your liking. You can scan all files or only program files, and choose whether or not to extend the scan to compressed files. It has many functions for working with the Internet.

Dr.Web (manufacturer: Dialog Science).

A popular domestic antivirus. It recognizes viruses well, but its database contains far fewer of them than those of other antivirus programs.

Antiviral Toolkit Pro (manufacturer: Kaspersky Lab).

This antivirus is recognized worldwide as one of the most reliable. Despite the ease of use, it has all the necessary arsenal to fight viruses. Heuristic mechanism, redundant scanning, scanning of archives and packed files - this is not a complete list of its capabilities.

Kaspersky Lab closely monitors the emergence of new viruses and releases updates to anti-virus databases in a timely manner. There is a resident monitor to control executable files.
