Antivirus software

Antivirus software (or anti-virus) is computer software used to identify and remove computer viruses, as well as many other types of harmful computer software, collectively referred to as malware. While the first antivirus software was designed exclusively to combat computer viruses (hence "antivirus"), modern antivirus software can protect computer systems against a wide range of malware, including worms, phishing attacks, rootkits, and Trojans.

Identification methods

There are several methods which antivirus software can use to identify malware. Depending on the software, more than method may be used.

Signature based detection is the most common method that antivirus software utilizes to identify malware. To identify viruses and other malware, antivirus software compares the contents of a file to a dictionary of virus signatures. Because viruses can embed themselves in existing files, the entire file is searched, not just as a whole, but also in pieces.

Malicious activity detection is another way to identify malware. In this approach, antivirus software monitors the system for suspicious program behavior. If suspicious behavior is detected, the suspect program may be further investigated, using signature based detection or another method listed in this section. This type of detection can be used to identify unknown viruses

Heuristic-based detection is used by more advanced antivirus software. Like malicious activity detection, heuristics can be used to identify unknown viruses. This can be accomplished in one of two ways; file analysis and file emulation. File analysis is the process of searching a suspect file for virus-like instructions. For example, if a program has instructions to format the C drive, antivirus software might further investigate the file. One downside to this approach is that the computer may run slow if every file is analyzed. File emulation is the other heuristic approach. File emulation involves executing a program in a virtual environment and logging what actions the program performs. Depending on the actions logged, the antivirus software can determine if the program is malicious or not and then carry out the appropriate actions.

Signature based detection

Signature based detection is the most common method that antivirus software uses to identify malware. This method is somewhat limited by the fact that it can only identify known viruses, unlike other methods.

When antivirus software scans a file for viruses, it checks the contents of a file against a dictionary of virus signatures. A virus signature is the viral code. So, saying you found a virus signature in a file is the same as saying you found the virus itself. If a virus signature is found in a file, the antivirus software can take action to remove the virus. Antivirus software will usually perform one or more of the following actions; quarantining, repairing, or deleting. Quarantining a file will make it inaccessible, and is usually the first action antivirus software will take if a malicious file is found. Encrypting the file is a good quarantining technique because it renders the file useless.

Sometimes a user wants to save the content of an infected file (because viruses can sometimes embed themselves in files, called injection.) To do this, antivirus software will attempt to repair the file. To do this, the software will try to remove the viral code from the file. Unfortunately, some viruses might damage the file upon injection, which means repairing will fail.

The third action antivirus software can take against a virus is deleting it. If a file repair operation files, usually the best thing to do is to just delete the file. Deleting the file is necessary if the entire file is a virus.

Because new viruses are being created each day, the signature based detection approach requires frequent updates of the virus signature dictionary. To assist the antivirus software companies, the software may allow the user to upload new viruses or variants to the company. There, the virus can be analyzed and the signature added to the dictionary.

Signature-based antivirus software typically examines files when the computer's operating system creates, opens, closes, or e-mails them. In this way it can detect a known virus immediately upon receipt. System administrators can schedule antivirus software to scan all files on the computer's hard disk at a set time and date.

Although the signature based approach can effectively contain virus outbreaks in the right circumstances, virus authors have tried to stay a step ahead of such software by writing "oligomorphic", "polymorphic" and, more recently, "metamorphic" viruses, which encrypt parts of themselves or otherwise modify themselves as a method of disguise, so as to not match virus signatures in the dictionary.

An emerging technique to deal with malware in general is whitelisting. Rather than looking for only known bad software, this technique prevents execution of all computer code except that which has been previously identified as trustworthy by the system administrator. By following this "default deny" approach, the limitations inherent in keeping virus signatures up to date are avoided. Additionally, computer applications that are unwanted by the system administrator are prevented from executing since they are not on the whitelist. Since modern enterprise organizations have large quantities of trusted applications, the limitations of adopting this technique rests with the system administrators' ability to properly inventory and maintain the whitelist of trusted applications. Viable implementations of this technique include tools for automating the inventory and whitelist maintenance processes.

Suspicious behavior monitoring

The suspicious behavior approach, by contrast, does not attempt to identify known viruses, but instead monitors the behavior of all programs. If one program tries to write data to an executable program, for example, the antivirus software can flag this suspicious behavior, alert a user, and ask what to do.

Unlike the signature based approach, the suspicious behavior approach therefore provides protection against brand-new viruses that do not yet exist in any virus dictionaries. However, it can also sound a large number of false positives, and users may become desensitized to the warnings. If the user clicks "Accept" on every such warning, then the antivirus software obviously gives no benefit to that user. This problem has worsened since 1997^{[citation needed]}, since many more non-malicious program designs came to modify other .exe files without regard to this false positive issue.

Heuristics

Some more sophisticated antivirus software uses heuristic analysis to identify new malware. Two methods are used; file analysis and file emulation.

As described above, file analysis is the process by which antivirus software will analyze the instructions of a program. Based on the instructions, the software can determine whether or not the program is malicious. For example, if the file contains instructions to delete important system files, the file might be flagged as a virus. While this method is useful for identifying new viruses and variants, it can trigger many false alarms.

The second heuristic approach is file emulation. By the this approach, the target file is run in a virtual system environment, separate from the real system environment. The antivirus software would then log what actions the file takes in the virtual environment. If the actions are found to be damaging, the file will be marked a virus. But again, this method can trigger false alarms.

Other Virus Infection Preventions

Beside antivirus software, virus infection prevention can be achieved by some other means such as implementing a network firewall, or system virtualization. However, only antivirus softwares are designed specifically to prevent from known virus infections.

Network Firewall

Network firewalls prevent unknown programs and Internet processes from having access to the system protected; they are not antivirus systems as such, and make no attempt to identify or remove anything, but protect against infection, and limit the activity of any malicious software which is present by blocking incoming or outgoing requests on certain TCP/IP ports. Hence, it is designed to deal with broader system threats that come from network connections into the system.

System Virtualization

This method of prevention is actually done by virtualizing the working system. By doing so, the actual system prevents itself from being altered by any infection attempt made by viruses. In fact, it prevents from any alteration attempts to the whole system under virtualization. Such as the virtualization is, without any antivirus software the virtual system can still be infected and consequent damages or malicious actions the virus is meant to cause will still occur. But as soon as the system is shut down and restarted, all the changes and damages previously done to the virtual system will be reset. This way, the system is protected as well as the virus is removed. However, any damages to unprotected (or unvirtualized) data (usually another data drive/volume or data on the network connected to the system) will remain. So will the malicious effects it has caused such as data theft or the like.

Virus removal tools

A virus removal tool is software for removing specific viruses from infected computers. Unlike general-purpose virus scanners, it is not intended to detect and remove, ideally, all known viruses; rather it is designed to remove specific viruses more effectively and completely than a general-purpose program. Many single-virus tools will be found searching the Worldwide-Web for "virus removal tool"; others, such as McAfee Stinger and the Microsoft Malicious Software Removal Tool run automatically by Windows update, are designed to remove a limited numbers of viruses. Many of these tools are available for free download.

If a virus is identified by a general-purpose scanner it may not be entirely removed; once the virus has been identified, running a tool designed specifically for it can do a better job of cleaning.

Issues of concern

The regular appearance of new malware is certainly in the financial interest of vendors of commercial antivirus software, though there is no evidence of collusion. ^[1]
Some antivirus software can considerably reduce performance. Users may disable the antivirus protection to overcome the performance loss, thus increasing the risk of infection. For maximum protection, the antivirus software needs to be enabled all the time — often at the cost of slower performance (see also software bloat).
Antivirus programs can in themselves pose a security risk as they often run at the 'System' level of privileges and may hook the kernel - Both of these are necessary for the software to effectively do its job but it has a major downside. This can mean exploitation of the Antivirus program itself could lead to privilege escalation and create a severe security threat. Arguably, use of Antivirus software when compared to Principle of least privilege is largely ineffective when ramifications of the added software are taken into account.
It is important to note that one should not have more than one memory-resident antivirus software solution installed on a single computer at any given time. Otherwise, the computer may be crippled.^[2]
It is sometimes necessary to temporarily disable virus protection when installing major updates such as Windows Service Packs or updating graphics card drivers.^[3] Active antivirus protection may partially or completely prevent the installation of a major update.
When purchasing antivirus software, the agreement may include a clause that the subscription will be automatically renewed, and the purchaser's credit card automatically billed, at the renewal time without explicit approval. For example, McAfee requires one to unsubscribe at least 60 days before the expiration of the present subscription.^[4] Norton Antivirus also renews subscriptions automatically by default. ^[5]
Some antivirus programs are actually spyware masquerading as antivirus software. It is best to double-check that the antivirus software which is being downloaded is actually a real antivirus program.^[6]
Anti-virus manufacturers have been criticised for fear mongering by exaggerating the risk that virus pose to consumers.^[7]
If an antivirus program is configured to immediately delete or quarantine infected files (or does this by default), false positives in essential files can render the operating system or some applications unusable.^[8]

Mobile devices

Viruses from the desktop and laptop world have either migrated to, or are assisted in their dispersal by mobile devices. Antivirus vendors are beginning to offer solutions for mobile handsets. These devices present significant challenges for antivirus software, such as processor constraints, memory constraints, and definitions and new signature updates to these mobile handsets.

Mobile handsets are now offered with a variety of interfaces and data connection capabilities. Consumers should carefully evaluate security products before deploying them on devices with a small form factor.

Solutions that are hardware-based, perhaps USB devices or SIM-based antivirus solutions, might work better in meeting the needs of mobile handset consumers. Technical evaluation and review on how deploying an antivirus solution on cellular mobile handsets should be considered as scanning process might impact other legitimate applications on the handheld.

SIM-based solutions with antivirus integrated on the small memory footprint might provide a basic solution to combat malware/viruses in protecting PIM and mobile user data. Solutions based on USB and Flash memory allow the user to swap and use these products with a range of hardware devices.

History

There are competing claims for the innovator of the first antivirus product. Perhaps the first publicly-known neutralization of a wild PC virus was performed by Bernt Fix (also Bernd) in early 1987. Fix neutralized an infection of the Vienna virus.^[9] ^[10] The first edition of Polish antivirus software mks_vir was released in 1987; the program was only available with a Polish interface. Autumn 1988 saw antivirus software Dr. Solomon's Anti-Virus Toolkit released by Briton Alan Solomon. Also in 1988 AIDSTEST and AntiVir were released. By December 1990, the market had matured to the point of nineteen separate antivirus products being on sale including Norton AntiVirus and VirusScan from McAfee.

Peter Tippett made a number of contributions to the budding field of virus detection.^{[citation needed]} He was an emergency-room doctor who also ran a computer software company. He had read an article about the Lehigh virus and questioned whether they would have similar characteristics to biological viruses that attack organisms. From an epidemiological viewpoint, he was able to determine how these viruses were affecting systems within the computer (the boot-sector was affected by the Brain virus, the .com files were affected by the Lehigh virus, and both .com and .exe files were affected by the Jerusalem virus). Tippett’s company Certus International Corp. then began to create anti-virus software programs. The company was sold in 1992 to Symantec Corp, and Tippett went to work for them, incorporating the software he had developed into Symantec’s product, Norton AntiVirus.^{[citation needed]}

Before Internet connectivity was widespread, viruses were typically spread by infected floppy disks; antivirus software started to be used, but was updated relatively infrequently. At that time it was said, correctly, that viruses could not be spread by the readable content of emails, although executable attachments were as risky as programs on floppy disks. Virus checkers essentially had to check executable files, and the boot sectors of floppy and hard disks. As Internet usage became common, initially by making a modem connection when desired, viruses spread through the Internet, facilitated by powerful macros in word processors such as Microsoft Word; hitherto "documents" could not spread infection, although programs could. Later email programs, in particular Microsoft Outlook Express and Outlook, became able to execute program code from within a message's text by simply reading the message, or even previewing its content. Virus checkers now had to check many more types of file. As broadband always-on connections became the norm and more and more viruses were released, it became essential to update virus checkers more and more frequently; even then, a new virus could spread widely before it was detected, identified, a checker update released, and virus checkers round the world updated.

A very uncommon use of the term "antivirus" is to apply it to benign viruses that spread and combated malicious viruses. This was common on the Amiga computer platform.^{[citation needed]}

Effectiveness

Studies in December 2007 have shown that the effectiveness of Antivirus software is much reduced from what it was a few years ago, particularly against unknown or zero day threats. The German computer magazine c't found that detection rates for these threats had dropped to a frightening 20% to 30%, as compared to 40% to 50% only one year earlier. At that time only one product managed a detection rate above 50%.^[11]

The problem is magnified by the changing intent of virus authors. Some years ago it was obvious when a virus infection was present. The viruses of the day, written by amateurs, exhibited destructive behavior or popped-up screen messages. Modern viruses are often written by professionals, financed by criminal organizations.^[12] It is not in their interests to make their viruses or crimeware evident, because their purpose is to create botnets or steal information for as long as possible without the user realizing this; consequently, they are often well-hidden. If an infected user has a less-than-effective antivirus product that says the computer is clean, then the virus may go undetected.

Traditional antivirus software solutions run virus scanners on schedule, on demand and some run scans in real time. If a virus or malware is located the suspect file is usually placed into a quarantine to terminate its chances of disrupting the system. Traditional antivirus solutions scan and compare against a publicised and regularly updated dictionary of malware otherwise known as a blacklist. Some antivirus solutions have additional options that employ an heuristic engine which further examines the file to see if it is behaving in a similar manner to previous examples of malware. A new technology utilised by a few antivirus solutions is whitelisting, this technology first checks if the file is trusted and only questioning those that are not.^[13] With the addition of wisdom of crowds, antivirus solutions backup other antivirus techniques by harnessing the intelligence and advice of a community of trusted users to protect each other. By providing these multiple layers of malware protection and combining them with other security software it is possible to have more effective protection from the latest zero day attack and the latest crimeware than previously was the case with just one layer of protection.

Notes

^ Yarden, Jonathan (2005-11-15). "Why there is no global antivirus software conspiracy". TechRepublic.
^ Microsoft Support
^ http://support.microsoft.com/kb/950717
^ Buying Dangerously
^ Symantec agreement
^ List of rogue software
^ Why is fear-mongering such a popular security sales tactic?
^ AVG gives false alarm for Windows system library
^ Kaspersky Lab Virus list
^ Wells, Joe (1996-08-30). "Virus timeline". IBM. Retrieved 2008-06-06.
^ Goodin, Dan (2007-12-21). "Anti-virus protection gets worse". Channel Register.
^ Hacking poses threats to business
^ Will you be ditching your antivirus app anytime soon?

External links

Independent comparatives of several antivirus software:
Ranking of 50 antivirus software
Carnegie Mellon's CERT coordination center
‹The template Curlie is being considered for deletion.› Computer Viruses at Curlie
Virus Information including EICAR/Virus Bulletin
Microsoft's list of antivirus software vendors
Antivirus software available at Sourceforge

[1] Yarden, Jonathan (2005-11-15). "Why there is no global antivirus software conspiracy". TechRepublic.

[2] Microsoft Support

[3] ttp://support.microsoft.com/kb/950717

[4] Buying Dangerously

[5] Symantec agreement

[6] List of rogue software

[7] Why is fear-mongering such a popular security sales tactic?

[8] AVG gives false alarm for Windows system library

[9] Kaspersky Lab Virus list

[10] Wells, Joe (1996-08-30). "Virus timeline". IBM. Retrieved 2008-06-06.

[11] Goodin, Dan (2007-12-21). "Anti-virus protection gets worse". Channel Register.

[12] Hacking poses threats to business

[13] Will you be ditching your antivirus app anytime soon?

[1]

[2]

[3]

[4]

[5]

[6]

[7]

[8]

[9]

[10]

[11]

[12]

[13]