A computer virus is a self-replicating program that installs itself on your computer without your consent. It does this by inserting itself into other programs, data files, or the boot sector of your hard drive. Once this happens, the affected areas are referred to as “infected.”
The vast majority of viruses perform malicious activities on their hosts. A virus can access your sensitive information (such as your bank details), corrupt data or steal disk space or processing power, log your keystrokes, and spam your contacts. However, if you are particularly lucky, only humorous, scatological or political news may appear on your screen.
Antivirus software is used to detect and remove computer viruses. It comes in two basic types: signature scanners and heuristic detectors. Signature scanning identifies known threats, while heuristics are used to find unknown viruses.
Until less than a decade ago, most viruses were contained in executable (program) files, i.e. files with extensions such as .exe or .com, so antivirus software only had to scan these types of files. Today, antivirus software needs to scan a far wider variety of files, including Microsoft Word documents and other non-executable (and seemingly harmless) files.
In MS Word, a macro is a series of instructions that you record and associate with a shortcut or a name. For example, you can use a macro to store the text of a disclaimer. You can then add that text to any document you write (without having to retype the disclaimer) simply by pressing the appropriate keyboard shortcut or clicking the macro name.
Despite the time savings, macros pose a risk. Rogue programmers can use them to hide viruses in documents, which they send as e-mail attachments to unsuspecting victims. Once the victim opens the attachment, their computer is infected.
Nasty little programs can also be embedded in other non-executable files, so simply opening such files can lead to infection.
Some e-mail programs, notably MS Outlook Express and Outlook, are susceptible to viruses embedded in the body of an e-mail. Such viruses can infect your computer when you merely open or preview a message.
There are several methods antivirus software can use to identify files containing viruses: signature scanning, heuristic detection, and file emulation.
Signature-based detection is the most common method for identifying viruses. It scans the contents of a computer’s boot record, programs and macros for code patterns that match known viruses. Since a virus can nest anywhere inside an existing file, files must be scanned completely, not just at the beginning.
The makers of antivirus software maintain the characteristics of known viruses in tables called virus signature dictionaries. With thousands of new viruses being created every day, these signature tables must be updated regularly for antivirus software to scan files effectively against them.
To avoid detection, malicious programmers can create viruses that encrypt parts of themselves or modify themselves so that they do not match the virus signatures in the dictionary.
In practice, the signature-based approach has proven to be very effective against most viruses. However, it cannot be used to find unknown or modified viruses. To counter these threats, heuristics must be deployed.
Heuristic-based detection involves trial and error informed by past experience. For example, heuristic detectors look for sections of code that are characteristic of viruses, such as code programmed to activate on a specific date.
The use of generic signatures is one heuristic approach: it identifies variants of known viruses by looking for subtle variations of known malicious code in files. This makes it possible to detect known viruses that have been modified.
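As an added example (not code from the original article), the following Python scanner contrasts the two kinds of signature just described: an exact byte pattern from a signature dictionary, and a generic signature in which the bytes a virus author tends to change between variants are left as "??" wildcards. The family names (Example.Dropper.A, Example.Dropper.Gen), the byte patterns and the three sample "files" are all constructed for this illustration; the patterns are arbitrary bytes and do not correspond to any real virus.

```python
import re
from typing import Dict, List

# Constructed signature dictionary: arbitrary byte patterns standing in for the
# code fragments an analyst would extract from known samples (not real signatures).
EXACT_SIGNATURES: Dict[str, bytes] = {
    "Example.Dropper.A": bytes.fromhex("51a30e771c904b2de8335a06f2"),
}

# A generic signature keeps the bytes that stay stable across variants and marks
# the ones that vary with "??" (a common convention in signature files).
GENERIC_SIGNATURES: Dict[str, str] = {
    "Example.Dropper.Gen": "51 ?? 0e 77 1c 90 ?? 2d e8 ?? 5a 06 f2",
}


def compile_generic(pattern: str) -> "re.Pattern[bytes]":
    """Translate '51 ?? 0e' into a bytes regex: fixed bytes are escaped literally,
    '??' becomes '.', and DOTALL makes '.' match every byte value, 0x0a included."""
    parts = [b"." if tok == "??" else re.escape(bytes([int(tok, 16)]))
             for tok in pattern.split()]
    return re.compile(b"".join(parts), re.DOTALL)


def scan_exact(data: bytes) -> List[str]:
    # The whole content is searched: a virus body may be inserted or appended anywhere.
    return [name for name, sig in EXACT_SIGNATURES.items() if sig in data]


def scan_generic(data: bytes) -> List[str]:
    return [name for name, pat in GENERIC_SIGNATURES.items()
            if compile_generic(pat).search(data)]


def scan(data: bytes) -> Dict[str, List[str]]:
    """Return the exact and generic detections for one file's bytes."""
    return {"exact": scan_exact(data), "generic": scan_generic(data)}


# Constructed "files": a harmless document, the original sample appended to a
# program stub, and a variant in which three of the thirteen signature bytes changed.
BENIGN = b"%PDF-1.4 quarterly report " + b"\x00" * 32
ORIGINAL = b"MZ" + b"\x90" * 16 + bytes.fromhex("51a30e771c904b2de8335a06f2") + b"\x00" * 8
VARIANT = b"MZ" + b"\x90" * 16 + bytes.fromhex("51c70e771c90122de8ff5a06f2") + b"\x00" * 8


if __name__ == "__main__":
    for label, sample in (("benign", BENIGN), ("original", ORIGINAL), ("variant", VARIANT)):
        print(label, scan(sample))
```

Running the block shows the point of the article's paragraph: the exact signature finds the original sample but not the modified variant, while the generic signature catches both. The same wildcard trick is why a dictionary entry has to be chosen carefully: too many wildcards and it starts matching innocent files, which is the false-alarm problem discussed later on this page.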
File emulation is another heuristic approach. It involves running a file in a sandbox, an isolated part of the computer where untrusted programs can be run safely, in order to observe what the file does.
The actions performed by the program are logged, and if any of them are classified as malicious, the antivirus software can take appropriate actions to disinfect the computer.
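To show why emulation catches what a content scan misses, here is an added toy emulator in Python (not code from the article or from any antivirus product). It interprets a made-up, four-instruction "program" format, logs every side effect instead of performing it, and classifies the log against a few behaviour rules. The sample programs, the rule list and the instruction names are all constructed; the obfuscated sample only illustrates the article's point that a file which decodes itself at run time reveals its real actions to an emulator but not to a string search of its bytes.

```python
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed behaviour rules: writes to these locations are treated as virus-like.
PROTECTED_TARGETS = ("boot-sector", "system/", "program-files/")
MAX_STEPS = 1000      # emulation budget so untrusted code cannot keep the sandbox busy forever
MAX_DEPTH = 8         # limit on nested self-decoding layers


@dataclass
class Report:
    log: List[str] = field(default_factory=list)        # every action the file performed
    verdicts: List[str] = field(default_factory=list)   # actions classified as malicious


def _xor(data: bytes, key: int) -> bytes:
    return bytes(b ^ key for b in data)


def emulate(program: bytes, report: Optional[Report] = None, depth: int = 0) -> Report:
    """Run a toy program line by line, logging side effects instead of performing them.

    Toy instruction format (one per line): 'READ <path>', 'WRITE <path>',
    'COPY_SELF <dir>', 'UNPACK <key> <hex>' (decode the blob and run it as more code).
    """
    report = report if report is not None else Report()
    if depth > MAX_DEPTH:
        report.verdicts.append("excessive unpacking depth")
        return report
    for line in program.decode("latin-1").splitlines():
        if len(report.log) >= MAX_STEPS:
            report.verdicts.append("step budget exhausted")
            break
        op, _, arg = line.partition(" ")
        if op == "WRITE":
            report.log.append(f"write {arg}")
            if arg.startswith(PROTECTED_TARGETS):
                report.verdicts.append(f"modifies protected location {arg}")
        elif op == "COPY_SELF":
            report.log.append(f"copy self to {arg}")
            report.verdicts.append("self-replication")
        elif op == "UNPACK":
            key_str, _, blob_hex = arg.partition(" ")
            inner = _xor(bytes.fromhex(blob_hex), int(key_str))
            report.log.append(f"unpack {len(inner)} bytes at runtime")
            emulate(inner, report, depth + 1)   # decoded code runs under the same monitor
        else:
            report.log.append(f"{op.lower()} {arg}")
    return report


def static_strings_check(program: bytes) -> bool:
    """What a plain content scan sees: are any protected names present in the raw bytes?"""
    return any(t.encode() in program for t in PROTECTED_TARGETS)


def is_malicious(program: bytes) -> bool:
    return bool(emulate(program).verdicts)


def pack(plain: bytes, key: int) -> bytes:
    """Build an UNPACK line; used here only to construct the self-decoding test sample."""
    return b"UNPACK %d %s" % (key, _xor(plain, key).hex().encode())


# Constructed samples: an editor's routine activity, and a file whose real actions
# only appear once it decodes itself while running.
BENIGN_PROGRAM = b"READ letters/draft.docx\nWRITE letters/draft.docx"
PACKED_PROGRAM = b"READ invoice.doc\n" + pack(b"COPY_SELF system/startup/\nWRITE boot-sector", 0x5A)


if __name__ == "__main__":
    for name, prog in (("benign", BENIGN_PROGRAM), ("packed", PACKED_PROGRAM)):
        print(name, "strings:", static_strings_check(prog), "emulation:", emulate(prog).verdicts)
```

Two design points carry over to real emulators: the step and depth budgets, because a file under analysis must not be allowed to stall the scanner, and the fact that the decoded inner code is fed back into the same monitored interpreter rather than trusted.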
Memory resident antivirus software
Memory resident antivirus software installs programs in memory that keep running in the background while other applications are running.
A computer’s hard drive is where programs and files are stored, while RAM (Random Access Memory) is the memory that programs use while they run. When a program starts, it is first loaded into main memory, and once it has finished executing it leaves RAM. RAM is also volatile: if the power is turned off, everything in RAM is erased. In contrast, the programs and files on your hard drive remain intact when your computer is turned off.
Memory-resident antivirus programs monitor the operation of a computer for virus-related actions, for example downloading files, running programs directly from a website, copying or unzipping files, or attempting to modify program code. They also look out for programs that try to stay in memory after they have run.
When they detect suspicious activity, memory-resident programs halt operations, display a warning message, and wait for user approval before allowing operations to resume.
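The halt-warn-resume behaviour described above, as an added Python illustration (not the article's code and not taken from any antivirus product): a monitor receives a stream of operations, checks each against the kinds of action the article lists, and for a suspicious one stops, records a warning and resumes only if the injected user-approval callback says so. The event model, the rules and the event stream are constructed for the example.

```python
from dataclasses import dataclass
from typing import Callable, List, Optional

PROGRAM_EXTENSIONS = (".exe", ".com", ".dll", ".sys")


@dataclass
class Event:
    """One operation observed by the resident monitor (constructed event model)."""
    kind: str                     # "download", "exec", "unzip", "copy", "write", "exit"
    process: str                  # the program performing the operation
    target: str = ""              # file or URL the operation touches
    from_web: bool = False        # exec: launched straight from a website, not from disk
    stays_resident: bool = False  # exit: process left code hooked in memory


def is_program(path: str) -> bool:
    return path.lower().endswith(PROGRAM_EXTENSIONS)


def suspicious_reason(ev: Event) -> Optional[str]:
    """Map an event to the rule it trips, or None when it is routine activity."""
    if ev.kind == "download" and is_program(ev.target):
        return f"download of program file {ev.target}"
    if ev.kind == "exec" and ev.from_web:
        return f"program run directly from a website: {ev.target}"
    if ev.kind in ("copy", "unzip") and is_program(ev.target):
        return f"{ev.kind} producing program file {ev.target}"
    if ev.kind == "write" and is_program(ev.target):
        return f"attempt to modify program code in {ev.target}"
    if ev.kind == "exit" and ev.stays_resident:
        return f"{ev.process} tries to stay in memory after exiting"
    return None


class ResidentMonitor:
    """Halts a suspicious operation, warns, and resumes only with the user's approval."""

    def __init__(self, ask_user: Callable[[str], bool]):
        self.ask_user = ask_user          # the warning dialog, injected so it can be scripted
        self.journal: List[str] = []

    def handle(self, ev: Event) -> str:
        reason = suspicious_reason(ev)
        if reason is None:
            return "allowed"
        self.journal.append(f"HALT {ev.kind} by {ev.process}: {reason}")
        if self.ask_user(reason):
            self.journal.append("user approved, operation resumed")
            return "resumed"
        self.journal.append("user declined, operation blocked")
        return "blocked"


# Constructed event stream: a normal document save followed by the kinds of
# action the article lists as virus-related.
EVENTS = [
    Event("write", "winword.exe", "letters/draft.docx"),
    Event("download", "browser.exe", "downloads/setup.exe"),
    Event("exec", "browser.exe", "http://example.invalid/tool.exe", from_web=True),
    Event("unzip", "archiver.exe", "downloads/tool.exe"),
    Event("write", "editor.exe", "program-files/app/app.exe"),
    Event("exit", "tray.exe", stays_resident=True),
]


def run_demo(ask_user: Callable[[str], bool]) -> List[str]:
    """Feed the constructed stream through one monitor and return its decisions."""
    monitor = ResidentMonitor(ask_user)
    return [monitor.handle(ev) for ev in EVENTS]


if __name__ == "__main__":
    # Stand-in for the dialog: approve only the deliberate download, decline the rest.
    print(run_demo(lambda reason: reason.startswith("download")))
```

The approval callback is where the article's later warning applies: every "resumed" decision is the user accepting the risk, so the wording of the prompt matters as much as the rule that raised it.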
Despite its undoubted advantages, antivirus software has some disadvantages. Since it consumes computer resources, it can slow your computer down a little, although this is usually not significant.
No antivirus software can offer complete protection against all known and unknown viruses. Once installed, however, it can give you a false sense of security. You may also find it difficult to understand the prompts and decisions that the software occasionally puts on your screen, and a wrong decision can lead to infection.
Most antivirus programs use heuristic detection. This needs to be fine-tuned to minimize false alarms, i.e. misidentifying non-malicious files as viruses.
False alarms can cause serious problems. If an antivirus program is configured to immediately delete or quarantine infected files, a false positive on an important file can render the operating system or some applications unusable. This has happened multiple times over the past few years, even with major antivirus service providers such as Symantec, Norton AntiVirus, McAfee, AVG, and Microsoft.
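Two mitigations a practitioner would want for the false-alarm problem in the last two paragraphs are shown in this added Python example (not code from the article or from any of the vendors it names): detections on operating-system locations or with weak heuristic confidence are routed to manual review rather than acted on automatically, and quarantine is implemented as a reversible move with a manifest so that a wrongly isolated file can be restored. The protected-path list, the confidence threshold, the file names and the sample content are constructed for the illustration.

```python
import hashlib
import json
import os
import shutil
import tempfile
from pathlib import Path
from typing import Dict, List

# Constructed list: locations where an automatic false positive would cripple the
# operating system. Detections here are reported for manual review, never auto-removed.
PROTECTED_PREFIXES = ("/boot/", "/usr/lib/", "/usr/bin/", "C:/Windows/")
AUTO_ACTION_CONFIDENCE = 0.9   # heuristic hits below this are reviewed, not acted on


class Quarantine:
    """Reversible isolation: files are moved aside and recorded so they can be restored."""

    def __init__(self, root: str):
        self.root = Path(root)
        self.root.mkdir(parents=True, exist_ok=True)
        self.manifest = self.root / "manifest.json"
        if not self.manifest.exists():
            self.manifest.write_text("{}")

    def _entries(self) -> Dict[str, dict]:
        return json.loads(self.manifest.read_text())

    def _save(self, entries: Dict[str, dict]) -> None:
        self.manifest.write_text(json.dumps(entries, indent=2))

    def handle_detection(self, path: str, detection: str, confidence: float) -> str:
        """Return the action taken: 'review' or 'quarantined'."""
        if path.startswith(PROTECTED_PREFIXES) or confidence < AUTO_ACTION_CONFIDENCE:
            return "review"
        return self.quarantine(path, detection)

    def quarantine(self, path: str, detection: str) -> str:
        src = Path(path)
        digest = hashlib.sha256(src.read_bytes()).hexdigest()
        shutil.move(str(src), str(self.root / digest))   # moved, not deleted
        entries = self._entries()
        entries[digest] = {"original": str(src), "detection": detection}
        self._save(entries)
        return "quarantined"

    def restore(self, digest: str) -> bool:
        """Undo a quarantine, e.g. once the detection is confirmed to be a false alarm."""
        entries = self._entries()
        entry = entries.pop(digest, None)
        if entry is None:
            return False
        shutil.move(str(self.root / digest), entry["original"])
        self._save(entries)
        return True


def demo() -> List[str]:
    """Exercise the three paths in a temporary directory; returns the outcomes in order."""
    work = tempfile.mkdtemp()
    sample = os.path.join(work, "report.docm")          # constructed user file
    Path(sample).write_bytes(b"constructed sample content")
    q = Quarantine(os.path.join(work, "quarantine"))
    outcomes = [
        q.handle_detection("C:/Windows/System32/example.dll", "Example.Gen", 0.99),  # protected path
        q.handle_detection(sample, "Example.Gen", 0.55),   # weak heuristic hit
        q.handle_detection(sample, "Example.Gen", 0.99),   # strong hit on a user file
        "present" if os.path.exists(sample) else "moved",
    ]
    digest = next(iter(q._entries()))
    outcomes.append("restored" if q.restore(digest) and os.path.exists(sample) else "lost")
    shutil.rmtree(work)
    return outcomes


if __name__ == "__main__":
    print(demo())
```

The manifest is keyed by content hash rather than file name so that the same file detected in two places is stored once and can be traced back to each original path; the "review" outcome is the behaviour that would have prevented the system-breaking incidents the article refers to.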
Antivirus software can also pose a threat of its own, as it typically runs at the highly trusted kernel level of the operating system. This is required in order to have access to all potentially malicious processes and files, but it also creates a potential avenue of attack. There have been cases in which antivirus software itself has become infected with a virus.
Finally, it’s best to remember that not all heuristic methods can detect new viruses. This is because malicious programmers, before they release their new viruses into cyberspace, test them against the major antivirus applications to ensure they are undetectable!