Antivirus software: Difference between revisions

Content deleted Content added

Inline

Revision as of 12:46, 16 April 2006

Аnti-virus software consists of computer programs that attempt to identify, thwart and eliminate computer viruses and other malicious software (malware).

Аnti-virus software typically uses two different techniques to accomplish this:

Examining (scanning) files to look for known viruses matching definitions in a virus dictionary
Identifying suspicious behavior from any computer program which might indicate infection. Such analysis may include data captures, port monitoring and other methods.

Most commercial anti-virus software uses both of these approaches, with an emphasis on the virus dictionary approach.

Historically, the term anti-virus has also been used for benign computer viruses that spread and combated malicious viruses. This was common on the Amiga computer platform.

Approaches to virus detection

Virus dictionary approach

In the virus dictionary approach, when the anti-virus software examines a file, it refers to a dictionary of known viruses that the authors of the anti-virus software have identified. If a piece of code in the file matches any virus identified in the dictionary, then the anti-virus software can take one of the following actions:

attempt to repair the file by removing the virus itself from the file
quarantine the file (such that the file remains inaccessible to other programs and its virus can no longer spread)
delete the infected file

To achieve consistent success in the medium and long term, the virus dictionary approach requires periodic (generally online) downloads of updated virus dictionary entries. As civically minded and technically inclined users identify new viruses "in the wild", they can send their infected files to the authors of anti-virus software, who then include information about the new viruses in their dictionaries.

Dictionary-based anti-virus software typically examines files when the computer's operating system creates, opens, closes or e-mails them. In this way it can detect a known virus immediately upon receipt. Note too that a System Administrator can typically schedule the anti-virus software to examine (scan) all files on the user's hard disk on a regular basis.

Although the dictionary approach can effectively contain virus outbreaks in the right circumstances, virus authors have tried to stay a step ahead of such software by writing "oligomorphic", "polymorphic" and more recently "metamorphic" viruses, which encrypt parts of themselves or otherwise modify themselves as a method of disguise, so as to not match the virus's signature in the dictionary.

Suspicious behavior approach

The suspicious behavior approach, by contrast, doesn't attempt to identify known viruses, but instead monitors the behavior of all programs. If one program tries to write data to an executable program, for example, the anti-virus software can flag this suspicious behavior, alert a user and ask what to do.

Unlike the dictionary approach, the suspicious behavior approach therefore provides protection against brand-new viruses that do not yet exist in any virus dictionaries. However, it can also sound a large number of false positives, and users probably become desensitized to all the warnings. If the user clicks "Accept" on every such warning, then the anti-virus software obviously gives no benefit to that user. This problem has worsened since 1997, since many more nonmalicious program designs came to modify other .exe files without regard to this false positive issue. Thus, most modern anti-virus software uses this technique less and less.

Other ways to detect viruses

Some antivirus-software uses of other types of heuristic analysis. For example, it could try to emulate the beginning of the code of each new executable that the system invokes before transferring control to that executable. If the program seems to use self-modifying code or otherwise appears as a virus (if it immediately tries to find other executables, for example), one could assume that a virus has infected the executable. However, this method could result in a lot of false positives.

Yet another detection method involves using a sandbox. A sandbox emulates the operating system and runs the executable in this simulation. After the program has terminated, software analyzes the sandbox for any changes which might indicate a virus. Because of performance issues, this type of detection normally only takes place during on-demand scans.

Some virus scanners can also warn a user if a file is likely to contain a virus based on the file type.

Issues of concern

The spread of e-mail viruses (arguably the most destructive and widespread computer viruses) could be inhibited far more inexpensively and effectively, and without the need to install anti-virus software, if bugs in the e-mail clients, which relate to the execution of downloaded code and to the ability of executables to spread and wreak havoc, were fixed.
User education can effectively supplement anti-virus software; simply training users in safe computing practices (such as not downloading and executing unknown programs from the Internet) would slow the spread of viruses and obviate the need of much anti-virus software.
Computer users should not always run with administrator access to their own machine. If they would simply run in user mode then some types of viruses could not spread (or at least the damage caused by viruses could be reduced).
The dictionary approach to detecting viruses does not always suffice -- due to the continual creation of new viruses -- yet the suspicious behavior approach does not work well due to the false positive problem; hence, the current understanding of anti-virus software will never conquer computer viruses.
Various methods exist of encrypting and packing malicious software which will make even well-known viruses undetectable to anti-virus software. Detecting these "camouflaged" viruses requires a powerful unpacking engine, which can decrypt the files before examining them. Unfortunately, many popular anti-virus programs do not have this and thus are often unable to detect encrypted viruses.
The ongoing writing and spreading of viruses and of panic about them gives the vendors of commercial anti-virus software a financial interest in the ongoing existence of viruses.
Some anti-virus software can considerably reduce performance. Users may disable the anti-virus protection to overcome the performance loss, thus increasing the risk of infection. For maximum protection the anti-virus software needs to be enabled all the time - often at the cost of slower performance (see also Software bloat). Some anti-virus software has less impact on performance.
It is sometimes necessary to temporarily disable virus protection when installing major updates such as Windows Service Packs or updating graphics card drivers for example. Having anti-virus protection running at the same time as installing a major update may prevent the update installing properly or at all.
When purchasing anti-virus software, the agreement may include a clause that your subscription will be automatically renewed, and your credit card automatically billed at the renewal time without your approval. For example, McAfee requires one to unsubscribe at least 60 days before the expiration of the present subscription, yet as of this writing it does not provide phone access nor a way to unsubscribe directly through their website; in that case, the subscriber's recourse is to contest the charges with the credit card issuer.

List of antivirus software and companies

For corporate market

BitDefender from Romania - email security solutions
Dr.Web by Doctor Web, Ltd. from Russia - email/www security solutions, corporate networks protection
GFi WebMonitor and GFi MailSecurity - WWW and email security solutions, by GFI Software
Security solutions by Sybari Software. Sybari Software had been purchased by Microsoft in early 2005.
Sophos Anti-Virus by Sophos plc (UK) provides antivirus solutions for desktops, can create a customised installer and update from the corporate network rather than the internet.
Trend Micro Security Solutions for Enterprises, SMB and Consumers. Leader in gateway protection.
Uniwares Leon Enterprise Anti-Spam Server (with integrated AV)
Vexira from Central Command -- Antivirus, antispam, and antispyware solutions.

Commercial and shareware

AVG Anti-Virus by Grisoft
Bullguard Antivirus Software, Firewall and Backup, by BullGuard from Denmark/UK
Command Antivirus by Authentium from USA
Kaspersky Anti-Virus by Kaspersky Lab from Russia
McAfee VirusScan by McAfee from USA
NOD32 by Eset from Slovak Republic, shareware
Norman from Norway
Norton AntiVirus by Symantec
F-Prot, by FRISK Software International in Iceland
F-Secure Antivirus by the eponymous firm from Finland
Panda Software from Spain
PC-cillin Internet Security by Trend Micro
Pocket Antivirus by JSJ Software
Rising AntiVirus from China
Virex by McAfee
Windows Live OneCare by Microsoft

Freeware

This section includes usable free-of-charge versions of commercial software.

AntiVir PersonalEdition Classic by Avira from Germany
Avast! by Alwil from Czech Republic
AVG Free Edition by Grisoft
BitDefender Linux edition and free Windows editions
HouseCall Onlinescanner by Trend Micro

GPL software

ClamAV by Tomasz Kojm
- ClamWin by alch
  - Winpooch - combined with ClamWin makes a GPL antivirus product with on-access scanning.
- ClamTk
- ClamXav

Unclassified

TODO: Classify the following:

Computer Associates USA
ZoneAlarm AntiVirus for Zone Labs

Testing Organizations

These organizations provide testing of virus scanning and related programs.

@@ Line 78: / Line 78: @@
 This section includes usable free-of-charge versions of commercial software.
-*Antivir Personal Edition Classic by [[HBEDV|H+BEDV]] from [[Germany]]
+*AntiVir PersonalEdition Classic by [[Avira|Avira]] from [[Germany]]
 *[[Avast!]] by [[Alwil]] from [[Czech Republic]]
 *[[AVG Anti-Virus|AVG Free Edition]] by [[Grisoft]]