Anti-Virus Methods


Scanning

Integrity checking

Behavior monitoring


Scanning

Virus scanning relies on a virus pattern for detecting and locating viruses. The virus pattern is a unique piece of code that identifies the virus. It's the "fingerprint" for that particular virus. When a new virus appears on the scene, its pattern is extracted from the original host program, analysed and recorded. Then the scanning program opens a program and begins scanning down the code, comparing the contents of every executable file with a bank of virus patterns. If a match is found, the file is declared to be infected. If no match is found, it is concluded that the file is uninfected. Quality scanners will check file areas and the boot sector.

One difficulty with virus scanners is that if a new virus that hasn't yet been analysed infects your computer, the scanner has no way of detecting it. Thus, if a file is infected with a new virus that isn't in the virus pattern bank, the scanner won't be able to detect it. Asking a scanner to find unknown viruses would be like handing someone a telephone book and asking, "Can you find all the criminals in this phone book?" Without specific names, it's an impossible task. Scanning, therefore, is a great method for finding known viruses in files.

Some scanners on the market today compromise on one point or another. For example, many scanners have a "turbo mode" which scans faster because it only scans the beginning and ending sections of files. Unfortunately, they also give you a false sense of security because many viruses today insert themselves into the middle of a host file. Scanning in turbo mode is like trying to find the name in the phone book by only looking at "A" and "Z" -- while skipping "B" through "Y"!
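The following is an added example, not Trend Micro's code, showing the two behaviours described above in a few lines of Python: a full-file pattern scan against a small pattern bank, and a "turbo mode" that only inspects the head and tail of each file. The pattern bank, the file layout and the `\x90` padding are all constructed for illustration and are not real virus signatures.

```python
# Added example (not Trend Micro's code): a minimal pattern scanner and the
# "turbo mode" shortcut. Signatures and files below are constructed.

# Constructed pattern bank: virus name -> byte sequence that identifies it.
PATTERN_BANK = {
    "Sample.A": b"SAMPLE-SIG-A",
    "Sample.B": b"SAMPLE-SIG-B",
}


def scan_full(data: bytes) -> list:
    """Compare the whole file against every pattern in the bank."""
    return [name for name, sig in PATTERN_BANK.items() if sig in data]


def scan_turbo(data: bytes, window: int = 64) -> list:
    """'Turbo mode': only look at the first and last `window` bytes.
    Faster, but blind to a pattern inserted in the middle of the file."""
    head, tail = data[:window], data[-window:]
    return [name for name, sig in PATTERN_BANK.items()
            if sig in head or sig in tail]


def make_file(sig: bytes, position: str, size: int = 512) -> bytes:
    """Construct a fake executable of `size` bytes with `sig` placed at the
    start, the middle or the end (constructed input, not a real program)."""
    body = bytearray(b"\x90" * size)  # filler bytes, assumed harmless padding
    if position == "start":
        off = 0
    elif position == "end":
        off = size - len(sig)
    else:  # "middle"
        off = size // 2
    body[off:off + len(sig)] = sig
    return bytes(body)


def compare_modes(position: str) -> dict:
    """Scan the same constructed file with both modes and report the verdicts."""
    data = make_file(PATTERN_BANK["Sample.A"], position)
    return {"full": scan_full(data), "turbo": scan_turbo(data)}


if __name__ == "__main__":
    for pos in ("start", "middle", "end"):
        print(pos, compare_modes(pos))
```

With the pattern at the start or end of the file both modes report `Sample.A`; with the pattern in the middle, `scan_full` still finds it while `scan_turbo` returns an empty list, which is exactly the "A and Z but not B through Y" gap the text describes. A clean file (no pattern present) yields an empty list in both modes, illustrating that a scanner can only say "no known pattern found", not "no virus".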

Integrity checking

Integrity checking, or checksumming, depends on the ability to continually monitor and check the status of executables for any changes. You must initially run a checksum of all the executables when they are clean, and update the checksum database every time the system is changed or some software is added.

An example might be: imagine that you just purchased a new car. Unfortunately, your brother also likes your car and he sometimes takes your keys without your knowledge and goes for a drive.

When you ask your brother if he has used the car, he denies it. But how can you check to see if your car has been used or not? Simple. Just check the distance your car has travelled by looking at the odometer. Each time you finish using your car, you write down the current odometer reading. ("000942" for example). Then, the next time you get into the car, you check the odometer again. If the reading isn't "000942," you know that someone has been driving your car.

This is exactly what Integrity Checking does -- it records the status of every application file on your hard drive and then later checks the status to see if changes have been made. If the status has changed, the integrity checker tells you that you have a virus.

The main drawback of integrity checkers is that they don't prevent the action. Checking the status of a file doesn't prevent a virus from infecting it. Integrity checkers only operate after the fact. They only tell you what happened when it's too late for you to take action. In addition, integrity checkers cannot identify what caused the status change. Any change, even programs that modify themselves during installation, will cause the typical integrity checker to set off an alarm. Integrity checkers used alone cannot provide effective virus protection.
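As an added example (not Trend Micro's code), here is the odometer idea in Python: record a checksum for every executable while the system is known clean, then later recompute and compare. The "hard drive" is a constructed dictionary of path to contents, and SHA-256 stands in for the CRCs that 1998 products typically used; the principle is the same. The later state deliberately contains one file with bytes appended, one file legitimately replaced by an installer, and one brand-new file, so the report also shows the limitation described above: every change raises an alarm and the checker cannot tell the cause.

```python
import hashlib

# Constructed "hard drive" (path -> contents); these are not real programs.
CLEAN_SYSTEM = {
    "C:/DOS/COMMAND.COM": b"clean command interpreter bytes",
    "C:/GAMES/PLAY.EXE": b"clean game executable bytes",
    "C:/UTIL/EDIT.EXE": b"clean editor bytes",
}


def checksum(data: bytes) -> str:
    """The 'odometer reading' for one file. SHA-256 is used here; the
    original tools used CRCs, but any deterministic digest works."""
    return hashlib.sha256(data).hexdigest()


def build_database(files: dict) -> dict:
    """Record a baseline for every executable while it is known clean."""
    return {path: checksum(data) for path, data in files.items()}


def verify(files: dict, database: dict) -> dict:
    """Recompute every checksum and compare with the baseline.
    Returns a verdict per path. Note that 'CHANGED' says only that the
    bytes differ, not why."""
    report = {}
    for path, data in files.items():
        if path not in database:
            report[path] = "new file (no baseline)"
        elif checksum(data) != database[path]:
            report[path] = "CHANGED"
        else:
            report[path] = "ok"
    for path in database:
        if path not in files:
            report[path] = "missing"
    return report


def demo() -> dict:
    """Baseline the clean system, then verify a constructed later state."""
    db = build_database(CLEAN_SYSTEM)
    later = dict(CLEAN_SYSTEM)
    # Simulated infection: code appended to an executable (constructed).
    later["C:/GAMES/PLAY.EXE"] = CLEAN_SYSTEM["C:/GAMES/PLAY.EXE"] + b"<appended code>"
    # Simulated legitimate update by a vendor installer (constructed).
    later["C:/DOS/COMMAND.COM"] = b"updated command interpreter bytes"
    # Simulated freshly installed program (constructed).
    later["C:/UTIL/NEW.EXE"] = b"freshly installed bytes"
    return verify(later, db)


if __name__ == "__main__":
    for path, verdict in sorted(demo().items()):
        print(f"{verdict:24} {path}")
```

Both `PLAY.EXE` (appended to) and `COMMAND.COM` (legitimately replaced) come back as `CHANGED`, and the report is only produced when `verify` is run, after the modification has already happened. Re-running `build_database` after a known-good installation is the "update the checksum database" step the text requires; skipping it turns every later check into a false alarm.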

Behavior monitoring

Monitoring for the abnormal behavior of viruses within a computer environment is usually accomplished by installing a program resident in memory. This program is a TSR (terminate-stay-resident) program for one reason: it must monitor requests that are passed through the interrupt table. A virus behaves in a way that is abnormal for most applications; this abnormal behavior is called "virus activity." Virus activity might be a request to write to a boot sector, opening an executable program for writing, or placing itself resident in memory. Based on certain common actions of viruses, a set of rules can be established for discerning between virus activity and normal application activity.

Rule-based monitoring is a very effective way to detect all known and unknown viruses. It makes it possible to stop infection of a file by a virus before it has a chance to damage the file.

Consequently, rule-based virus traps have a great advantage: They can prevent any kind of malicious program from damaging your system. This includes:

A minor disadvantage to rule-based virus traps lies in their inability to identify the virus. The trap can prevent the virus from damaging your system, but it cannot identify the virus by name. For identification, only a virus scanner will work.
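The following added example (not Trend Micro's code) models a rule-based virus trap in Python. Real TSR monitors hooked DOS and BIOS interrupts; here each intercepted request is a constructed `Request` record, and the three rules are the three activities the text names (writing to a boot sector, opening an executable for writing, going resident). The trace of requests, the program names `EDIT.EXE` and `UNKNOWN.COM`, and the file names are all constructed for illustration.

```python
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple


@dataclass(frozen=True)
class Request:
    """A simulated request passing through the interrupt table (constructed
    stand-in for a hooked DOS/BIOS call)."""
    pid: str            # program issuing the request
    op: str             # "open", "write", "write_sector" or "stay_resident"
    target: str = ""    # file name or sector label
    mode: str = "r"     # for "open": "r" (read) or "w" (write)


EXECUTABLE_SUFFIXES = (".EXE", ".COM", ".SYS")


def is_executable(name: str) -> bool:
    return name.upper().endswith(EXECUTABLE_SUFFIXES)


# Rule table: (rule name, predicate). A product would carry many more rules;
# these three are the activities the text lists as "virus activity".
RULES: List[Tuple[str, Callable[[Request], bool]]] = [
    ("write to boot sector",
     lambda r: r.op == "write_sector" and r.target == "boot"),
    ("open executable for writing",
     lambda r: r.op == "open" and r.mode == "w" and is_executable(r.target)),
    ("program goes resident",
     lambda r: r.op == "stay_resident"),
]


def check(request: Request) -> Optional[str]:
    """Return the name of the first matching rule, or None for normal activity."""
    for name, predicate in RULES:
        if predicate(request):
            return name
    return None


def monitor(requests: List[Request]) -> List[Tuple[str, str]]:
    """Pass every request through the rules before it is allowed to proceed.
    Returns the blocked requests as (program, rule). The rule names the
    activity that was stopped; nothing here can name the virus itself."""
    blocked = []
    for request in requests:
        hit = check(request)
        if hit is not None:
            blocked.append((request.pid, hit))
    return blocked


# Constructed trace: an editor doing normal work, then an unknown program
# doing the three things the text calls virus activity.
SAMPLE_TRACE = [
    Request("EDIT.EXE", "open", "LETTER.TXT", "w"),
    Request("EDIT.EXE", "write", "LETTER.TXT"),
    Request("EDIT.EXE", "open", "SPELL.EXE", "r"),
    Request("UNKNOWN.COM", "open", "COMMAND.COM", "w"),
    Request("UNKNOWN.COM", "write_sector", "boot"),
    Request("UNKNOWN.COM", "stay_resident"),
]


if __name__ == "__main__":
    for pid, rule in monitor(SAMPLE_TRACE):
        print(f"blocked {pid}: {rule}")
```

Writing a text file and reading an executable pass through untouched, while the three requests from `UNKNOWN.COM` are stopped before they complete, which is the "before it has a chance to damage the file" advantage. The report only ever says which rule fired, never which virus was caught; that is the identification gap the text leaves to a scanner. The same rule would also fire for a legitimate installer that opens an executable for writing, so rule tables in practice are tuned against normal application activity.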


© 1998 Trend Micro Incorporated. All rights reserved.