Classification of computer viruses and antivirus programs

There are several types of programs for detecting and removing computer viruses and protecting against them. Such programs are called antivirus programs. The following types of antivirus programs exist:

1. vaccines;

2. detectors;

3. auditors;

4. watchman;

5. monitors;

6. polyphages;

7. heuristic analyzers.

Recently, developers of anti-virus programs have been offering users comprehensive solutions that include most or even all of the above types of programs.

Vaccines are programs designed to prevent files from being infected by one specific virus. Vaccines are used when no program exists that can neutralize that virus. Vaccination is possible only against known viruses that can be detected but for some reason cannot be disarmed. The vaccine program modifies the protected program or disk in a way that does not affect its operation, but that makes the real virus consider the protected program already infected, so the virus does not insert its executable code.

The action of vaccine programs is based on a basic property of computer viruses: they do not re-infect an already infected program. For this purpose, when infecting programs, viruses leave a so-called "black mark" that makes it possible to distinguish already infected programs from uninfected ones. This could be, for example, setting the file creation time to 24 hours 1 minute and 62 seconds. Since normal programs cannot have such a creation time, a virus that finds a file created at this time considers it infected and does not try to infect it again.

Thus, the vaccine program simply places the "black mark" of a specific virus on the protected program without changing its executable code, and the virus, detecting such a mark, no longer tries to infect the given file.

"Detectors" or "scanners" are programs that search the computer's random access memory or the files on the hard drive for a signature characteristic of a particular virus and, when one is found, issue a corresponding message. The disadvantage of this class of antivirus programs is that they can only find viruses known to the developers.

"Auditors" are programs that are among the most reliable means of protection against viruses.

When infecting a computer, the virus makes changes to the hard drive: appends its code to the infected file, changes the system areas of the disk, and so on. The work of anti-virus programs called "auditors" is based on the detection of such changes.

They are built on the principle opposite to that of scanners. Auditors do not know specific viruses by sight, but they remember information about each logical drive and, by detecting changes in this information, reliably detect both known and new, unknown viruses.

If a change in the recorded information about the data on the disk is detected, all relevant information about the changed object is shown to the user. The user must then decide whether, for example, to check this file for a virus (if it is an executable file) or to ignore the message if the file was changed by the user himself.

As a rule, the state comparison is performed immediately after the operating system is loaded. During the comparison, the file length, its checksum, the date and time of modification, and some other parameters are checked. Auditor programs have sufficiently developed algorithms to detect even viruses of such classes as "stealth" viruses and "polymorphic" viruses, and some can even restore the original version of the program being checked by removing the changes made by the virus.

The advantage of auditors is the highest speed of scanning disks (many tens of times higher than the speed of scanners) and high reliability of detecting even unknown viruses.

"Watchmen" are small resident programs designed to detect suspicious actions that occur while a user works on the computer and that are characteristic of viruses. Such actions may include:

1. attempts to modify files with the extensions COM, EXE, DLL, etc., which are usually not changed;

2. changing file attributes;

3. writing to the boot sectors of the disk.

When any program tries to perform the specified actions, the "watchman" sends a message to the user and offers to prohibit or allow the corresponding action.

One of the biggest drawbacks of programs of this class is that if they are configured incorrectly (and sometimes even when they are configured correctly), they literally "bombard" the user with warnings, as a result of which they are usually turned off.

"Monitors" (or filter programs) are anti-virus programs based on the polyphage principle that use a signature database to detect viruses. The anti-virus monitor resides in the computer's memory and checks for viruses only those programs on which the user or the operating system performs some operation.

Typically, anti-virus monitors check all files that are manipulated in the following ways:

1. launching the program for execution;

2. changing file attributes;

3. opening a document ( Microsoft Office);

4. copying or moving a file;

5. file editing.

Filter programs are useful in that they help the user to detect a virus at a very early stage of its existence, even before the moment when the spread of the virus becomes epidemic.

"Polyphages" are programs that are able to safely remove a virus and restore the functionality of corrupted programs.

For each virus, by analyzing its code, the way it infects files, etc., a sequence of bytes characteristic of that virus alone is selected. This sequence is called the signature of the virus. In the simplest case, searching for viruses comes down to searching for their signatures. After a virus is detected in the body of a program (or in the boot sector, which also contains a program, the boot loader), the polyphage renders it harmless. To do this, developers of anti-virus tools carefully study the work of each specific virus: what it damages, how it damages it, where it hides what it damages, and so on.

Scanning is the most traditional method of finding viruses. It consists in searching for signatures isolated from previously discovered viruses. The virus databases of modern scanners contain more than 40,000 virus masks.

The disadvantage of simple scanners is their inability to detect "polymorphic" viruses, which completely change their code. Modern polyphages use other methods to search for viruses: more complex search algorithms, including heuristic analysis of the programs being checked. Since new viruses appear constantly, detector and polyphage programs quickly become obsolete, and regular updates of the databases containing the signatures of newly appeared viruses are required. As a result, a scanner is already out of date by the time a new version of it is released.

Heuristic analyzers are programs that run the programs under examination under their own control and detect actions characteristic of viruses. Thanks to this, heuristic analyzers can detect "polymorphic" viruses as easily as ordinary viruses that use no masking mechanism, and they can also detect viruses previously unknown to the authors of the anti-virus program.

Special methods are used to detect such masquerading viruses. These include the processor emulation method. The method consists in simulating the execution of the program by the processor and presenting the virus with fictitious resources under the control of the anti-virus program. The virus, deceived in this way, decrypts its code under the anti-virus program's control. After that, the scanner compares the decrypted code with the entries in its scan database.

Basic methods for detecting viruses

Antivirus programs have evolved in parallel with viruses. As new technologies for creating viruses appeared, the mathematical apparatus used in the development of antiviruses became more complicated.

The first anti-virus algorithms were built on comparison with a reference. These were programs in which a virus is identified by a classical engine using a mask. The algorithm relies on statistical methods. The mask should be, on the one hand, small enough that the file size remains acceptable, and on the other hand large enough to avoid false positives (when "one's own" is taken for "alien") and the reverse error.

The first anti-virus programs built on this principle (the so-called polyphage scanners) knew a certain number of viruses and were able to cure them. These programs were created as follows: the developer, having obtained the virus code (which at first was static), compiled a unique mask from this code (a sequence of 10-15 bytes) and entered it into the database of the anti-virus program. The anti-virus program scanned the files and, if it found this sequence of bytes, concluded that the file was infected. This sequence (signature) was chosen so that it was unique and did not occur in ordinary data.
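The mask-based scanning described here (and in the "Detectors" and "Polyphages" sections above), as an added example that is not code from the page or from any product it names. The `??` wildcard notation for a varying byte is an assumption of this example, and every signature and file image in it is constructed; the two-byte mask is included only to show why a mask that is too short produces false positives.

```python
"""Signature (mask) scanner in the spirit of the early polyphage scanners
described above.  Added illustration, not code from any product on the page.
A mask is a short byte sequence; the '??' token (notation assumed here)
marks a byte the virus varies, which plain substring search cannot express.
Every signature and file image below is constructed for this example."""
from typing import Dict, List, Optional, Tuple

Mask = List[Optional[int]]  # None stands for a wildcard byte


def compile_mask(text: str) -> Mask:
    """Parse 'DE AD ?? BE EF' into [0xDE, 0xAD, None, 0xBE, 0xEF]."""
    mask: Mask = [None if tok == "??" else int(tok, 16) for tok in text.split()]
    if not mask or mask[0] is None:
        raise ValueError("mask must start with a fixed byte (it is the search anchor)")
    return mask


def _matches_at(data: bytes, pos: int, mask: Mask) -> bool:
    """True if mask matches data at offset pos (wildcards match anything)."""
    if pos + len(mask) > len(data):
        return False
    return all(b is None or data[pos + i] == b for i, b in enumerate(mask))


def find_mask(data: bytes, mask: Mask) -> int:
    """Offset of the first occurrence of mask in data, or -1.
    The fixed first byte is used as a fast anchor via bytes.find."""
    anchor = bytes([mask[0]])
    pos = data.find(anchor)
    while pos != -1:
        if _matches_at(data, pos, mask):
            return pos
        pos = data.find(anchor, pos + 1)
    return -1


def scan(data: bytes, db: Dict[str, Mask]) -> List[Tuple[str, int]]:
    """Check one file image against every mask; return (name, offset) hits."""
    hits: List[Tuple[str, int]] = []
    for name, mask in db.items():
        off = find_mask(data, mask)
        if off != -1:
            hits.append((name, off))
    return hits


# Constructed signature database (not real virus signatures).
# 'Sample.Good' is a 12-byte mask with two wildcard bytes; 'Sample.TooShort'
# is a 2-byte mask, kept only to show why such a short mask is unusable:
# it matches ordinary data and produces a false positive.
SIGNATURES: Dict[str, Mask] = {
    "Sample.Good": compile_mask("E8 00 00 00 00 5D 81 ED ?? ?? 40 00"),
    "Sample.TooShort": compile_mask("E8 00"),
}

# Constructed file images: one carrying the pattern (with its varying bytes
# set to 37 13) and one clean file that merely happens to contain 'E8 00'.
INFECTED = (b"MZ" + b"\x90" * 20
            + bytes.fromhex("E8 00 00 00 00 5D 81 ED 37 13 40 00") + b"\x00" * 8)
CLEAN = b"MZ" + b"\x90" * 10 + bytes.fromhex("E8 00 10 00 00 C3") + b"\x00" * 8


def demo() -> Dict[str, List[Tuple[str, int]]]:
    """Scan both images; the clean file triggers only the too-short mask."""
    return {"infected": scan(INFECTED, SIGNATURES), "clean": scan(CLEAN, SIGNATURES)}


if __name__ == "__main__":
    for label, hits in demo().items():
        print(label, "->", hits or "no signatures found")
```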

The described approaches were used by most anti-virus programs until the mid-90s, when the first polymorphic viruses appeared that changed their body according to algorithms that were unpredictable in advance. At that time, the signature method was supplemented by the so-called processor emulator, which made it possible to find encrypted and polymorphic viruses that did not explicitly have a permanent signature.

The principle of processor emulation is shown in Fig. 1. If the usual chain consists of three main elements, CPU → OS → Program, then with processor emulation an emulator is added to this chain. The emulator reproduces the work of the program in a kind of virtual space and reconstructs its original content. The emulator can always interrupt the execution of the program, controls its actions without letting anything be damaged, and calls the anti-virus scanning engine.

The second mechanism, which appeared in the mid-1990s and is used by all antiviruses, is heuristic analysis. The processor emulation apparatus, which yields a summary of the actions performed by the analyzed program, does not always allow those actions to be searched for directly, but it does allow some analysis to be performed and a hypothesis of the kind "virus or not a virus?" to be put forward.

In this case, decision-making is based on statistical approaches, and the corresponding program is called a heuristic analyzer.

In order to reproduce, a virus must perform certain specific actions: copying itself to memory, writing to sectors, etc. The heuristic analyzer (part of the anti-virus engine) contains a list of such actions, looks through the program code being executed, determines what it does, and on this basis decides whether the program is a virus or not.

At the same time, the percentage of viruses missed, even of those unknown to the antivirus program, is very small. This technology is now widely used in all anti-virus programs.

Classification of antivirus programs

Anti-virus programs are classified into pure anti-viruses and dual-purpose anti-viruses (Fig. 2).

Pure antiviruses are distinguished by the presence of an antivirus engine that performs the function of scanning by patterns. The fundamental thing in this case is that treatment is possible if the virus is known. Pure antiviruses, in turn, are divided into two categories according to the type of access to files: those that control access (on access) or on demand (on demand). Typically, on access products are called monitors, and on demand products are called scanners.

An on-demand product works according to the following scheme: the user wants to check something and issues a request (demand), after which the check is carried out. An on-access product is a resident program that monitors access and performs a check at the moment of access.

In addition, anti-virus programs, like viruses, can be divided depending on the platform within which this anti-virus works. In this sense, along with Windows or Linux, platforms can include Microsoft Exchange Server, Microsoft Office, Lotus Notes.

Dual-purpose programs are programs used both in antivirus and in non-antivirus software. For example, a CRC checker, a checksum-based change inspector, can be used not only to catch viruses. Another variety of dual-purpose program is the behavioral blocker, which analyzes the behavior of other programs and blocks them if suspicious actions are detected. Behavioral blockers differ from a classic antivirus, whose engine recognizes and cures viruses that were analyzed in the laboratory and for which a treatment algorithm was prescribed: behavioral blockers do not know how to cure viruses because they know nothing about them. This property allows them to work with any viruses, including unknown ones. This is especially relevant today, since the distributors of viruses and of antiviruses use the same data transmission channel, namely the Internet. At the same time, an anti-virus company always needs time to obtain the virus itself, analyze it and write the appropriate treatment modules. Programs of the dual-purpose group make it possible to block the spread of the virus until the company writes a treatment module.

Overview of the most popular personal antiviruses

The review includes the most popular antiviruses for personal use from five well-known developers. It should be noted that some of the companies discussed below offer several versions of personal programs that differ in functionality and, accordingly, in price. In our review, we looked at one product from each company, choosing the most functional version, which, as a rule, is called Personal Pro. Other personal antivirus options can be found on the respective websites.

Kaspersky Anti-Virus Personal Pro v. 4.0

Developer: Kaspersky Lab. Website: http://www.kaspersky.ru/ . Price $69 (license for 1 year).

Kaspersky Anti-Virus Personal Pro (Fig. 3) is one of the most popular solutions on the Russian market and contains a number of unique technologies.

The Office Guard behavior-blocker module controls the execution of macros, preventing all suspicious actions. The presence of the Office Guard module provides 100% protection against macro viruses.

The Inspector monitors all changes on your computer and, if unauthorized changes are detected in files or in the system registry, allows you to restore the contents of the disk and remove malicious code. Inspector does not require anti-virus database updates: integrity control is based on taking fingerprints (CRC sums) of the original files and later comparing them with the modified files. Unlike other auditors, Inspector supports all the most popular executable file formats.

The heuristic analyzer makes it possible to protect your computer even from unknown viruses.

The Monitor background virus interceptor, permanently present in the computer's memory, performs anti-virus scanning of all files right at the moment they are launched, created or copied, which allows you to control all file operations and prevent infection even by the most technologically advanced viruses.

Anti-virus filtering of e-mail prevents viruses from entering your computer. The Mail Checker plug-in not only removes viruses from the body of an e-mail, but also completely restores the original content of the message. A comprehensive check of mail correspondence does not allow a virus to hide in any element of an e-mail, since all sections of incoming and outgoing messages are checked, including attached files (including archived and packed ones) and nested messages of any nesting level.

The Scanner anti-virus scanner makes it possible to carry out a full-scale scan of all the contents of local and network drives on demand.

The Script Checker interceptor provides anti-virus checks of all running scripts before they are executed.

Support for archived and compressed files provides the ability to remove malicious code from an infected compressed file.

Isolation of infected objects provides isolation of infected and suspicious objects with their subsequent transfer to a specially organized directory for further analysis and recovery.

Automation of anti-virus protection allows you to create a schedule and order of the program components; automatically download and connect new anti-virus database updates via the Internet; send warnings about detected virus attacks by e-mail, etc.

Norton AntiVirus 2003 Professional Edition

Developer: Symantec. Website: http://www.symantec.ru/ .

The price is 89.95 euros.

The program runs under Windows 95/98/Me/NT4.0/2000 Pro/XP.

Price $39.95

The program runs under Windows 95/98/Me/NT4.0/2000 Pro/XP.

Eugene Kaspersky in 1992 used the following classification of antiviruses depending on their principle of operation (defining functionality):

– Scanners (obsolete names: "polyphages", "detectors") determine the presence of a virus from a signature database that stores the signatures (or their checksums) of viruses. Their effectiveness is determined by how up to date the virus database is and by the presence of a heuristic analyzer.

– Auditors (a class close to IDS) remember the state of the file system, which makes it possible to analyze changes later.

– Watchmen (resident monitors or filters) track potentially dangerous operations, asking the user to allow or prohibit each operation.

– Vaccines (immunizers) modify the vaccinated file so that the virus against which the vaccine is made considers the file already infected. Today, when the number of possible viruses is measured in hundreds of thousands, this approach is not applicable.

Modern antiviruses combine all of the above functions.

Antiviruses can also be divided into:

Products for home users:

– antiviruses proper;

– combined products (for example, anti-spam, a firewall, anti-rootkit, etc. added to a classic anti-virus);

Corporate products:

– server antiviruses;

– antiviruses on workstations ("endpoint").

Using antivirus programs together gives good results, since they complement each other well:

– Data coming from external sources is checked by a detector program. If the user forgot to check this data and an infected program was launched, it can be caught by the watchdog program. In both cases, however, only viruses known to these anti-virus programs are reliably detected, which is no more than 80-90% of cases.

– A watchman can detect even unknown viruses if they behave very brazenly (try to format the hard disk or make changes to system files). But some viruses can bypass such controls.

– If the virus was not detected by a detector or a watchman, the results of its activity will be detected by an auditor program.

As a rule, watchdog programs should be constantly running on the computer, detectors should be used to check data coming from external sources (files and diskettes), and auditors should be run once a day to detect and analyze changes on disks. All of this should be combined with regular data backups and the use of preventive measures to reduce the likelihood of a virus infection.

Any anti-virus program "slows down" the computer, but is a reliable remedy for the harmful effects of viruses.

False antiviruses (rogue antiviruses)

In 2009, various antivirus vendors began to report the wide distribution of a new type of "antivirus": false antiviruses or pseudo-antiviruses (rogueware). In fact, these programs are either not antiviruses at all (that is, they are incapable of fighting malware) or are themselves malware (they steal credit card data, etc.).

Rogue antiviruses are used to extort money from users by deception. One way a PC becomes infected with a fake antivirus is as follows. The user is taken to an "infected" site, which shows a warning message such as "A virus has been found on your computer." The user is then prompted to download a free program (the false antivirus) to remove the virus. After installation, the false antivirus scans the PC and supposedly detects many viruses on the computer. To remove the malware, the fake antivirus offers to sell a paid version of the program. The shocked user pays (amounts from $50 to $80), and the false antivirus "cleans" the PC of non-existent viruses.

Antiviruses on SIM, flash cards and USB devices

Mobile phones produced today have a wide range of interfaces and data transfer capabilities. Users should carefully study the protection methods before connecting any small devices.

Hardware protection methods, such as antiviruses on USB devices or on a SIM, may be better suited to consumer mobile phones. A technical evaluation and review of how to install an antivirus program on a cellular phone should treat the scan as a process that may affect other legitimate applications on that phone.

Anti-virus programs on a SIM, with the anti-virus built into the small-capacity memory area, provide anti-malware/virus protection by protecting the PIN and the phone user's information. Anti-viruses on flash cards allow the user to exchange information and use these products with various hardware devices, as well as send this data to other devices over various communication channels.

Antiviruses, mobile devices and innovative solutions

In the future, mobile phones may well be infected by viruses. More and more developers in this field offer anti-virus programs to fight viruses and protect mobile phones. On mobile devices, virus control has the following features:

– processor limitations;

– memory limit;

– identifying and updating the signatures of these mobile devices.

Conclusion: An antivirus program (antivirus) is originally a program for detecting and treating malicious objects or infected files, as well as for prevention - preventing a file or operating system from being infected by malicious code. Depending on the principle of operation of anti-virus programs, there is the following classification of anti-viruses: scanners (outdated version - "polyphages", "detectors"); auditors (a class close to IDS); watchman (resident monitors or filters); vaccines (immunizers).

CONCLUSION

Achievements in computer technology in recent years have not only contributed to the development of the economy, trade and communications and provided effective information exchange, but have also given the perpetrators of computer crimes a unique toolkit. The more intense the process of computerization, the more real the growth of computer crime becomes, and modern society not only feels the economic consequences of computer crimes but also becomes more and more dependent on computerization. All these aspects oblige us to pay ever more attention to the protection of information and to further development of the legislative framework in the area of information security. The whole range of measures should come down to the protection of state information resources; the regulation of relations arising from the formation and use of information resources; the creation and use of information technologies; the protection of information and of the rights of subjects involved in information processes; and the definition of the basic concepts used in the legislation.

Associate Professor of the Department of Organization of Security and Convoy in the Penitentiary System

candidate of technical sciences

lieutenant colonel of the internal service V.G. Zarubsky

Although general information protection and preventive measures are very important for protecting against viruses, it is necessary to apply specialized programs. These programs can be divided into several types:

  • Detector programs check whether the files on the disk contain a specific combination of bytes (signature) of a known virus and report this to the user (VirusScan/SCAN/McAfee Associates).
  • Doctor programs or phages "cure" infected programs by "biting out" the body of the virus from them, with or without restoration of the habitat (the infected file); the curing module of the SCAN program is the CLEAN program.
  • Doctor-detector programs (Lozinsky's Aidstest, Danilov's Doctor Web, MSAV, Norton Antivirus, Kaspersky's AVP) are able to detect the presence of a known virus on a disk and cure the infected file. This is the most common group of antivirus programs today.

In the simplest case, the command to check the contents of a disk for viruses looks like this: aidstest /switch1 /switch2 /switch3 /...

  • Filter programs (watchmen) reside in the PC's RAM and intercept those calls to the operating system that viruses use to multiply and cause harm, and report them to the user:
    – an attempt to corrupt the main OS file COMMAND.COM;
    – an attempt to write directly to the disk (the previous contents are overwritten), with a message that some program is trying to copy itself to the disk;
    – disk formatting;
    – resident placement of a program in memory.

Having detected an attempt at one of these actions, the filter program gives the user a description of the situation and asks for confirmation. The user can allow or prohibit the operation. Actions characteristic of viruses are controlled by replacing the handlers of the corresponding interrupts. The disadvantages of these programs include intrusiveness (the watchman, for example, issues a warning about any attempt to copy an executable file), possible conflicts with other software, and the fact that some viruses bypass the watchdog. Examples of filters: Anti4us, Vsafe, Disk Monitor.

It should be noted that today many programs of the doctor-detector class also have a resident module, a filter (watchman), for example Dr. Web, AVP, Norton Antivirus. Thus, such programs can be classified as doctor-detector-watchman.

  • Hardware and software anti-virus tools (the Sheriff hardware and software complex). On a par with watchdog programs are hardware and software antivirus tools, which provide more reliable protection against the penetration of a virus into the system. Such complexes consist of two parts: hardware, installed as a microcircuit on the motherboard, and software, written to disk. The hardware (controller) keeps track of all disk write operations; the software part, resident in RAM, tracks all input/output operations. However, the use of these tools requires careful consideration of the configuration of the additional equipment on the PC, such as disk controllers, modems, or network cards.
  • Auditor programs (ADinf / Advanced Diskinfoscope / with the curing block ADinf Cure Module Bridge). Auditor programs work in two stages. First, they remember information about the state of programs and of the system areas of the disks (the boot sector and the sector with the table partitioning the hard drive into logical partitions). It is assumed that the programs and the system areas of the disks are not infected at this point. Then, on comparing the system areas and disks with the original ones, any discrepancy found is reported to the user. Auditor programs are able to detect invisible (STEALTH) viruses. Checking the length of a file is not enough: some viruses do not change the length of infected files. A more reliable check is to read the entire file and calculate its checksum (bit by bit). Changing the entire file so that its checksum remains the same is almost impossible. A minor disadvantage of auditors is that for security they must be used regularly, for example called daily from the AUTOEXEC.BAT file. But their undoubted advantages are the high speed of checks and the fact that they do not require frequent version updates. Even six-month-old versions of an auditor reliably detect and remove modern viruses.
  • Vaccine programs or immunizers (CPAV). Vaccine programs modify programs and disks in such a way that this does not affect the operation of the programs, but the virus against which vaccination is performed considers these programs and disks already infected. These programs are not efficient enough.
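The two-stage auditor described in the list item above (and in the "Auditors" section earlier on the page), as an added example; this is not ADinf or any other product named here. It records the size, modification time and a SHA-256 of every file under a directory as the baseline, then compares a later snapshot against it, and it separately reports files whose length is unchanged but whose content differs, the case a length-only check misses. The directory tree it audits is constructed inside the example.

```python
"""Auditor (integrity checker) of the kind described in the auditor sections
above.  Added illustration, not ADinf or any other product on the page.
Stage 1 records size, modification time and a SHA-256 of every file under a
directory (the baseline); stage 2 takes a fresh snapshot and reports what
changed.  The directory tree below is constructed for the example."""
import hashlib
import json
import os
import tempfile
from typing import Dict, List, Tuple

Record = Tuple[int, int, str]  # (size in bytes, mtime in ns, sha256 hex)


def fingerprint(path: str) -> Record:
    """Hash the whole file.  Length alone is a weak signal, since some
    viruses keep the length unchanged, so the content hash is decisive."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    st = os.stat(path)
    return (st.st_size, st.st_mtime_ns, h.hexdigest())


def snapshot(root: str) -> Dict[str, Record]:
    """Fingerprint every regular file under root (keys: '/'-separated relative paths)."""
    table: Dict[str, Record] = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            table[rel] = fingerprint(full)
    return table


def save_baseline(table: Dict[str, Record], path: str) -> None:
    """Persist the baseline (stage 1 output) so a later run can compare against it."""
    with open(path, "w") as f:
        json.dump(table, f)


def load_baseline(path: str) -> Dict[str, Record]:
    with open(path) as f:
        return {k: tuple(v) for k, v in json.load(f).items()}


def compare(baseline: Dict[str, Record], current: Dict[str, Record]) -> Dict[str, List[str]]:
    """Classify differences.  'same_size_changed' lists files whose length is
    unchanged but whose content differs: the case a length-only check misses."""
    report: Dict[str, List[str]] = {
        "added": [], "removed": [], "changed": [], "same_size_changed": []}
    for rel in sorted(set(baseline) | set(current)):
        if rel not in baseline:
            report["added"].append(rel)
        elif rel not in current:
            report["removed"].append(rel)
        elif baseline[rel][2] != current[rel][2]:
            report["changed"].append(rel)
            if baseline[rel][0] == current[rel][0]:
                report["same_size_changed"].append(rel)
    return report


def demo() -> Dict[str, List[str]]:
    """Constructed scenario: baseline a small tree, then apply four kinds of
    change (same-size patch, growth, deletion, new file) and audit again."""
    with tempfile.TemporaryDirectory() as work:
        tree = os.path.join(work, "tree")

        def write(rel: str, data: bytes) -> None:
            full = os.path.join(tree, rel)
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "wb") as f:
                f.write(data)

        write("bin/app.exe", b"MZ" + b"\x90" * 62)             # 64 bytes
        write("bin/tool.com", b"\xe9\x00\x00" + b"\xcc" * 61)  # 64 bytes
        write("doc/readme.txt", b"hello\n")
        baseline_file = os.path.join(work, "baseline.json")   # kept outside the tree
        save_baseline(snapshot(tree), baseline_file)

        # Simulated later state of the disk.
        write("bin/app.exe", b"MZ" + b"\x90" * 30 + b"\xeb\xfe" + b"\x90" * 30)  # same size, patched
        write("bin/tool.com", b"\xe9\x00\x00" + b"\xcc" * 61 + b"\x00" * 16)   # grew
        os.remove(os.path.join(tree, "doc", "readme.txt"))
        write("bin/dropper.exe", b"MZ" + b"\x00" * 30)

        return compare(load_baseline(baseline_file), snapshot(tree))


if __name__ == "__main__":
    for kind, files in demo().items():
        print(f"{kind}: {files}")
```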

Conventionally, the strategy of protection from the virus can be defined as a multi-level "layered" defense. Structurally, it might look like this. Intelligence tools in the "defense" against viruses correspond to detector programs that allow you to determine the newly received software for the presence of viruses. At the forefront of defense are filter programs that are resident in the computer's memory. These programs can be the first to report the operation of the virus. The second echelon of "defense" is made up of audit programs. The auditors detect the attack of the virus even when it managed to "leak" through the front line of defense. Doctor programs are used to restore infected programs if a copy of the infected program is not in the archive, but they do not always cure correctly. Doctors-auditors detect the attack of the virus and treat the infected programs, and control the correctness of the treatment. The deepest layer of defense is the means of access control. They do not allow viruses and misbehaving programs, even if they have penetrated the PC, to spoil important data. The "strategic reserve" contains archival copies of information and "reference" diskettes with software products. They allow you to recover information if it is damaged.

The harmful effects of each type of virus can be very diverse. They include deleting important files or even the BIOS "firmware", transferring personal information such as passwords to a specific address, organizing unauthorized e-mail mailings, and attacks on certain sites. A virus may also start dialing premium numbers through a cellular telephone. Hidden administration utilities (backdoors) can even hand full control of the computer to an attacker. Fortunately, all these troubles can be dealt with successfully, and the main weapon in this fight is, of course, anti-virus software.

Kaspersky Anti-Virus. Kaspersky Anti-Virus is perhaps the most famous product of this type in Russia, and the name Kaspersky has become synonymous with fighting malicious code. The laboratory of the same name not only constantly releases new versions of its security software but also conducts educational work among computer users. The latest, ninth version of Kaspersky Anti-Virus, like previous releases, features a simple and maximally transparent interface that combines all the necessary utilities in one window. Thanks to the installation wizard and intuitive menu options, even a novice user can set up this product. The power of the algorithms used will also satisfy professionals. A detailed description of each detected virus can be viewed by opening the corresponding page on the Internet directly from the program.

Dr. Web. Another popular Russian antivirus that rivals Kaspersky Anti-Virus in popularity is Dr. Web. Its trial version has an interesting feature: it requires compulsory registration through the Internet. On the one hand, this is very good - immediately after registration, the anti-virus databases are updated and the user receives the latest data on signatures. On the other hand, it is impossible to install a trial version offline, and, as experience has shown, problems are inevitable with an unstable connection.

Panda Antivirus + Firewall 2007. Panda Antivirus + Firewall 2007 is a comprehensive solution in the field of computer security - in addition to the anti-virus program, it includes a firewall that monitors network activity. The interface of the main window of the program is designed in "natural" green colors, but, despite the external attractiveness, the menu navigation system is built inconveniently, and a novice user may well get confused in the settings.

The Panda package contains several original solutions, such as TruePrevent, a proprietary technology for finding unknown threats based on the most modern heuristic algorithms. Also worth noting is the computer vulnerability search utility: it assesses the danger of "holes" in the security system and offers to download the necessary updates.

Norton Antivirus 2005. The main impression left by the product of the well-known company Symantec, the Norton Antivirus 2005 anti-virus suite, is its orientation toward powerful computing systems: the Norton Antivirus 2005 interface responds to user actions with a noticeable delay. In addition, during installation it imposes rather strict requirements on the versions of the operating system and Internet Explorer. Unlike Dr.Web, Norton Antivirus does not require a mandatory virus database update during installation, but it will keep reminding you that the databases are outdated for the entire time it runs.

McAfee VirusScan. An interesting anti-virus product, McAfee VirusScan, which according to its developers is the No. 1 scanner in the world, was chosen for testing because among similar applications it stood out for its large distribution size (over 40 MB). Assuming that this size was due to wide functionality, we proceeded with the installation and found that, in addition to the anti-virus scanner, it includes a firewall as well as utilities for cleaning the hard drive and for guaranteed removal of objects from the hard drive (a file shredder).

Questions for chapters 6 and 7

1. Stages of development of information security tools and technologies.
2. Components of the standard security model.
3. Sources of security threats and their classification.
4. Unintentional threats to information security.
5. Deliberate threats to information security.
6. Classification of information leakage channels.
7. Regulation of information security problems.
8. Structure of the state system of information protection.
9. Methods and means of information protection.
10. Classification of data security threats.
11. Methods for protecting information from viruses.
12. Methods of integrity control.
13. Classification of computer viruses.
14. Means of protection against viruses.
15. Preventive anti-virus measures.
16. Classification of anti-virus software products.


To work successfully, a virus needs to check whether a file is already infected (by the same virus); this is how it avoids destroying itself. To do this, viruses use a signature. Most common viruses (including macro viruses) use character signatures; more complex (polymorphic) viruses use algorithmic signatures. Whatever the type of virus signature, anti-virus programs use it to detect the "computer infection", after which the antivirus program tries to destroy the detected virus. How well this succeeds depends on the complexity of the virus and the quality of the antivirus program. As already mentioned, Trojan horses and polymorphic viruses are the most difficult to detect. The former do not append their body to the program but embed it inside it. Polymorphic viruses, on the other hand, cost anti-virus programs a good deal of time to determine a signature for, because their signature changes with each new copy.

To detect, remove and protect against computer viruses there are special programs called antivirus programs. Modern anti-virus programs are multifunctional products that combine prevention, virus "treatment" and data recovery tools.

The number and variety of viruses is great, and to detect them quickly and efficiently an antivirus program must meet certain requirements:

1. Stability and reliability of work.

2. Size of the program's virus database (the number of viruses the program detects correctly): given the constant appearance of new viruses, the database must be updated regularly.

3. The ability of the program to detect various types of viruses and to work with files of various types (archives, documents).

4. The presence of a resident monitor that checks all new files "on the fly" (that is, automatically, as they are written to disk).

5. The speed of the program and the availability of additional features, such as algorithms for detecting viruses still unknown to the program (heuristic scanning).

6. The ability to restore infected files without erasing them from the hard disk, by removing only the virus from them.

7. The program's false-positive rate (erroneous detection of a virus in a "clean" file).

8. Cross-platform support (availability of versions of the program for different operating systems).

Classification of antivirus programs:

1. Detector programs search for and detect viruses in RAM and on external media, and on detection issue an appropriate message. Detectors are of two kinds:

Universal: check that files are unchanged by computing a checksum and comparing it with a reference value;

Specialized: search for known viruses by their signature (a repeating section of code).

2. Doctor programs (phages) not only find virus-infected files but also "cure" them, i.e. remove the body of the virus program from the file and return the file to its original state. At the start of their work, phages look for viruses in RAM and destroy them, and only then proceed to "treating" files. Among phages, polyphages are distinguished: doctor programs designed to find and destroy a large number of viruses.

3. Auditor programs are among the most reliable means of protection against viruses. Auditors record the initial state of programs, directories and system areas of the disk while the computer is not infected with a virus, and then periodically, or at the user's request, compare the current state with the original one. Any detected changes are displayed on the screen.

4. Filter programs (watchmen) are small resident programs designed to detect suspicious actions, characteristic of viruses, during computer operation. Such actions include:

Attempts to modify files with COM and EXE extensions;

Changing file attributes;

Direct writes to disk at an absolute address;

Writes to disk boot sectors.

5. Vaccine programs (immunizers) are resident programs that prevent file infection. Vaccines are used when there are no doctor programs that "treat" the virus in question. Vaccination is possible only against known viruses (Bezrukov N. Computer Virology: Textbook [Electronic resource]: http://vx.netlux.org/lib/anb00.html).
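The universal detector and the auditor above both rest on the same idea: record a checksum of every file while the system is known clean, then compare. The following is an added illustration, not code from the textbook or from any of the products discussed; the "disk" is a constructed in-memory dictionary rather than real files, and SHA-256 stands in for the checksum (a weak checksum such as a CRC can be forged by an attacker, a cryptographic hash cannot).

```python
import hashlib
from typing import Dict, List

# Constructed sample "disk": path -> file contents (not real files).
CLEAN_DISK: Dict[str, bytes] = {
    "C:/DOS/COMMAND.COM": b"MZ\x90\x00clean command interpreter",
    "C:/GAMES/TETRIS.EXE": b"MZ\x90\x00original game code",
    "C:/DOC/README.TXT": b"plain text, never executable",
}


def take_baseline(disk: Dict[str, bytes]) -> Dict[str, str]:
    """Auditor step 1: record a reference hash for every file while the system is clean."""
    return {path: hashlib.sha256(data).hexdigest() for path, data in disk.items()}


def audit(baseline: Dict[str, str], disk: Dict[str, bytes]) -> Dict[str, List[str]]:
    """Auditor step 2: compare the current state against the baseline.

    Returns files whose contents changed, files that appeared, and files
    that disappeared since the baseline was taken.
    """
    current = take_baseline(disk)
    report: Dict[str, List[str]] = {"modified": [], "added": [], "removed": []}
    for path, digest in current.items():
        if path not in baseline:
            report["added"].append(path)
        elif baseline[path] != digest:
            report["modified"].append(path)
    report["removed"] = [p for p in baseline if p not in current]
    for key in report:
        report[key].sort()
    return report


# Constructed "after infection" state: a body appended to the game executable,
# a new dropper file, and a deleted document.
INFECTED_DISK = dict(CLEAN_DISK)
INFECTED_DISK["C:/GAMES/TETRIS.EXE"] = CLEAN_DISK["C:/GAMES/TETRIS.EXE"] + b"\xebVIRUS-BODY"
INFECTED_DISK["C:/GAMES/DROPPER.COM"] = b"new unknown file"
del INFECTED_DISK["C:/DOC/README.TXT"]

if __name__ == "__main__":
    base = take_baseline(CLEAN_DISK)
    print(audit(base, INFECTED_DISK))
```

Note that the auditor reports every change, including legitimate updates, so a practitioner must re-take the baseline after installing software, and must keep the baseline itself somewhere a virus cannot rewrite it.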

In fact, the architecture of antivirus programs is much more complex and depends on the specific developer. But one fact is undeniable: all the technologies that I talked about are so closely intertwined that it is sometimes impossible to tell where one ends and another begins. This interaction of anti-virus technologies is what makes them most effective in the fight against viruses. But do not forget that there is no perfect protection, and the only way to guard yourself against such problems is constant OS updates, a well-configured firewall, a frequently updated antivirus and, most importantly, not running or downloading suspicious files from the Internet.
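The filter programs (watchmen) described in the classification above judge each disk operation against a short list of virus-like actions. As an added illustration that is not part of the textbook, here that rule list is run over a constructed event log; the event model and process names are invented for the example.

```python
from dataclasses import dataclass
from typing import List, Optional

EXECUTABLE_EXT = (".COM", ".EXE")


@dataclass
class DiskEvent:
    """One operation seen by the resident filter (constructed model, not a real API)."""
    process: str   # program that performed the action
    action: str    # "write", "chattr", "raw_write" or "open"
    target: str    # file path, or "sector:N" for access at an absolute disk address


def classify(ev: DiskEvent) -> Optional[str]:
    """Return why the event looks virus-like, or None if it is ordinary.

    The four rules are the ones the textbook lists for watchman programs.
    """
    if ev.action == "write" and ev.target.upper().endswith(EXECUTABLE_EXT):
        return "write to executable file"
    if ev.action == "chattr":
        return "file attribute change"
    if ev.action == "raw_write" and ev.target.startswith("sector:"):
        sector = int(ev.target.split(":", 1)[1])
        if sector == 0:
            return "write to boot sector"
        return "direct write to disk at absolute address"
    return None


def watch(events: List[DiskEvent]) -> List[str]:
    """Run the filter over a batch of events and return one alert line per hit."""
    return [f"{ev.process}: {reason} ({ev.target})"
            for ev in events if (reason := classify(ev))]


# Constructed event log: one ordinary editor session, then a game that behaves like a virus.
SAMPLE_EVENTS = [
    DiskEvent("EDIT.EXE", "open", "C:/DOC/LETTER.TXT"),
    DiskEvent("EDIT.EXE", "write", "C:/DOC/LETTER.TXT"),
    DiskEvent("TETRIS.EXE", "write", "C:/DOS/COMMAND.COM"),
    DiskEvent("TETRIS.EXE", "chattr", "C:/DOS/COMMAND.COM"),
    DiskEvent("TETRIS.EXE", "raw_write", "sector:0"),
    DiskEvent("FORMAT.COM", "raw_write", "sector:512"),
]

if __name__ == "__main__":
    for line in watch(SAMPLE_EVENTS):
        print(line)
```

The FORMAT.COM hit shows the trade-off the textbook's requirement 7 refers to: a legitimate disk utility or installer triggers the same rules, so a watchman must ask the user rather than block outright.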