
Anti-virus

Department: Information Technologies

Subject: English Language 2

SEMINAR PAPER

Anti-virus

Professor: Ana Matić Student: Владимир Даниловић 4-62/2017

Šabac, 2019


CONTENTS

1. INTRODUCTION
2. ANTIVIRUS
   2.1 THE BASICS OF AN ANTIVIRUS PROGRAM
   2.2 FEATURES OF ANTIVIRUS
3. HOW ANTIVIRUS WORKS
   3.1 Virus dictionary approach
   3.2 Suspicious behavior approach
4. ANTIVIRUS PRODUCT VIRUS DETECTION ANALYSIS
   4.1 Detecting known viruses
   4.2 Preventing known viruses
   4.3 Detecting unknown viruses
   4.4 Preventing unknown viruses
5. IDENTIFICATION METHOD OF ANTIVIRUS
6. ANTIVIRUS APPROACHES
   6.1 SCANNERS
   6.2 MONITORS
   6.3 INTEGRITY CHECKING PROGRAMS


1. INTRODUCTION

Dangers loom everywhere on the internet, and when surfing the net, it is always better to be
safe than sorry. Even though you may not intentionally visit suspicious websites, one wrong
click to a seemingly innocent site can still leave your computer infected with a malicious
computer virus or malware. Once on your computer, these harmful programs can steal your
sensitive information and destroy your files. Often, infected machines need to have their hard
drives wiped completely clean in order to truly eradicate the virus. This results in the loss of
files, photos and other vital data.

Hackers and other miscreants are constantly churning out new viruses and malware that are
designed to steal financial information, website passwords and other sensitive information
from innocent victims. Millions of new viruses pop up each year and new threats are discovered
every day. In this constantly changing environment, it is impossible to completely avoid the
threat of viruses, but using trustworthy antivirus software can minimize your risk of infection
and the damage done.

2. ANTIVIRUS

2.1 THE BASICS OF AN ANTIVIRUS PROGRAM

An antivirus program is designed to protect our computer from possible virus infection. Since
most viruses are designed to run in the background, most users do not know when their computer
is infected. Virus protection programs serve to search for, detect, and remove these viruses.
Antivirus programs must be kept up to date in order to be able to detect new viruses.

Antivirus: what exactly is an antivirus?

Antivirus software is a computer program that identifies and removes computer viruses and
other malicious software, such as worms and Trojans, from an infected computer. Not only this,
antivirus software also protects the computer from further virus attacks. An anti-virus system
detects viruses on the system such as svchost.exe, servicemgr.exe, lsass.exe and storevirus
generated by autorun.inf. Generally, an antivirus first checks the file size; if the size matches
an entry in its database, it then looks for the corresponding pattern in that file, and if the
pattern is found, the file is deleted.

2.2 FEATURES OF ANTIVIRUS

1. An antivirus system is a dedicated, system-specific program.
2. It provides full protection against the standard PC types of virus for the files and programs
   stored on the system.
3. Automatic virus signature updates via the internet.
4. Proactive virus signature updates via the network for internet-isolated servers.
5. It can scan entire libraries.
6. It supports the definition of automatic, pre-scheduled periodic scans.

3. HOW ANTIVIRUS WORKS

An anti-virus software program is a program that can be used to scan files to identify and
eliminate computer viruses and other malicious software (malware). Anti-virus software typically
uses two different techniques to accomplish this:

- examining files to look for known viruses by means of a virus dictionary;
- identifying suspicious behavior from any computer program which might indicate infection.

3.1 Virus dictionary approach:

In the virus dictionary approach, when the anti-virus software examines a file, it refers to a
dictionary of known viruses that have been identified by the author of the anti-virus software. If
a piece of code in the file matches any virus identified in the dictionary, the anti-virus
software can either delete the file, quarantine it so that the file is inaccessible to other
programs and its virus is unable to spread, or attempt to repair the file by removing the virus
itself from the file.
To be successful in the medium and long term, the virus dictionary approach requires periodic
online downloads of updated virus dictionary entries. As new viruses are identified "in the wild",
civically minded and technically inclined users can send their infected files to the authors of anti-
virus software, who then include information about the new viruses in their dictionaries.
Dictionary-based anti-virus software typically examines files when the computer's operating
system creates, opens, and closes them; and when the files are e-mailed. In this way, a known
virus can be detected immediately upon receipt. The software can also typically be scheduled to
examine all files on the user's hard disk on a regular basis. Although the dictionary approach is
considered effective, virus authors have tried to stay a step ahead of such software by writing
"polymorphic viruses", which encrypt parts of themselves or otherwise modify themselves as a
method of disguise, so as to not match the virus's signature in the dictionary.

3.2 Suspicious behavior approach:

The suspicious behavior approach, by contrast, doesn't attempt to identify known viruses, but
instead monitors the behavior of all programs. If one program tries to write data to an executable
program, for example, this is flagged as suspicious behavior and the user is alerted to this, and
asked what to do.
Unlike the dictionary approach, the suspicious behavior approach therefore provides protection
against brand-new viruses that do not yet exist in any virus dictionary. However, it also raises
a large number of false positives, and users probably become desensitised to all the warnings. If
the user clicks "Accept" on every such warning, then the anti-virus software is obviously
useless to that user. This problem has especially been made worse over the past 7 years, since
many more non-malicious program designs chose to modify other .exes without regard to this
false positive issue. Thus, most modern anti-virus software uses this technique less and less.

Other ways to detect viruses:

Some antivirus software will try to emulate the beginning of the code of each new executable
that is being executed before transferring control to the executable. If the program seems to be
using self-modifying code or otherwise appears to be a virus (for example, it immediately tries to
find other executables), one could assume that the executable has been infected with a virus.
However, this method results in a lot of false positives.

Yet another detection method is using a sandbox. A sandbox emulates the operating system
and runs the executable in this simulation. After the program has terminated, the sandbox is
analysed for changes which might indicate a virus. Because of performance issues, this type of
detection is normally only performed during on-demand scans.

The dictionary approach to detecting viruses is often insufficient due to the continual creation
of new viruses, yet the suspicious behaviour approach is undermined by false positive alarms;
hence, anti-virus software as currently understood will never conquer computer viruses.


4. ANTIVIRUS PRODUCT VIRUS DETECTION ANALYSIS

Each product type requires different analysis approaches. A virus test bed can be used for
evaluating products which will detect or prevent known viruses. A virus test bed can also be
utilised for products which will detect or prevent unknown viruses, but vulnerability analysis is
also required. If the virus test bed is divided into different categories, this helps the analysis
of antivirus products. The virus categories of the test bed are examples, and the classification
can be different depending on the analysis method and the products evaluated.

4.1 Detecting known viruses

A well maintained virus test bed, which contains viruses known to computer antivirus
researchers, can be used for evaluating products which will detect known viruses. The virus
detection analysis can be carried out by scanning the contents of the test bed and concluding
results from the scanning reports. Unfortunately, some products may crash during the scanning;
in such cases the files causing the crashes need to be traced, and files resulting in crashes
should be treated as unidentified by the product.


4.2 Preventing known viruses

A well maintained virus test bed containing viruses known to computer antivirus researchers
can be used for evaluating products preventing known viruses. The difference is that the
product is working in the background and this requires more complicated evaluation methods, but
the same virus test bed can be used with products which will prevent known viruses.

4.3 Detecting unknown viruses

A virus test bed can also be used as a basis for the analysis of products which detect unknown
viruses. Often products detecting unknown viruses are combined with products which will detect
known viruses. If possible, the product's known virus detection capability should be disabled.
Known virus detection may be detached by removing virus database files, by using old database
files or by using a specific operation mode of the product. Unfortunately, the known virus
detection may be an inseparable part of a product; in this case the test bed should be limited to
viruses not known to the product, and a vulnerability analysis may be necessary.

4.4 Preventing unknown viruses

A virus test bed can also be used for evaluating products which will prevent unknown
viruses. The difference is that the product is working in the background and this requires special
evaluation methods, but the same virus test bed can be used with products which will prevent
unknown viruses. This is demonstrated in the Virus Research Unit's behaviour blocker analysis.
With products preventing unknown viruses, virus attack emulation and vulnerability analysis are
also required.
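The test-bed evaluation of 4.1 to 4.4 as an added example (not from the paper or the Virus Research Unit analysis it cites): a small harness that runs a scanner over a categorised test bed, records crashes as unidentified rather than detected, and can limit the bed to samples the product does not know. The sample names, the categories and the demo scanner are constructed for the example.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Sample:
    name: str
    category: str  # e.g. "file", "boot", "macro"; the split is the analyst's choice
    known: bool    # True when the sample is in the product's virus database

@dataclass
class Report:
    detected: int = 0
    missed: int = 0
    crashed: int = 0  # traced separately, but counted as unidentified, never detected

    def rate(self):
        total = self.detected + self.missed + self.crashed
        return self.detected / total if total else 0.0

def evaluate(scanner, test_bed, unknown_only=False):
    """Run scanner(sample) -> bool over the test bed and tally results per category.
    unknown_only=True limits the bed to samples the product does not know, the
    fallback the text gives when known-virus detection cannot be switched off."""
    reports = {}
    for sample in test_bed:
        if unknown_only and sample.known:
            continue
        rep = reports.setdefault(sample.category, Report())
        try:
            flagged = scanner(sample)
        except Exception:  # the product crashed on this file
            rep.crashed += 1
            continue
        if flagged:
            rep.detected += 1
        else:
            rep.missed += 1
    return reports

# Constructed stand-in for a product: catches every known sample, unknown file infectors only.
def demo_scanner(sample):
    if sample.name == "corrupt-header":
        raise RuntimeError("scanner crashed on malformed file")
    return sample.known or sample.category == "file"

DEMO_BED = [  # constructed test bed; the names are placeholders, not real samples
    Sample("known-file-1", "file", True), Sample("known-boot-1", "boot", True),
    Sample("new-file-1", "file", False), Sample("new-boot-1", "boot", False),
    Sample("new-macro-1", "macro", False), Sample("corrupt-header", "macro", False),
]
```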

5. IDENTIFICATION METHOD OF ANTIVIRUS

There are several methods which antivirus software can use to identify malware.
Signature based detection is the most common method. To identify viruses and other
malware, antivirus software compares the contents of a file to a dictionary of virus signatures.
Because viruses can embed themselves in existing files, the entire file is searched, not just as a
whole, but also in pieces.
Heuristic-based detection, like malicious activity detection, can be used to identify unknown
viruses.
File emulation is another heuristic approach. File emulation involves executing a program in a
virtual environment and logging what actions the program performs. Depending on the actions
logged, the antivirus software can determine if the program is malicious or not and then carry


6. ANTIVIRUS APPROACHES

The ideal solution to the threat of viruses is prevention: do not allow a virus to get into the
system in the first place. This goal is in general difficult to achieve, although prevention can
reduce the number of successful viral attacks. The next best approach is to be able to do the
following.

Detection: once the infection has occurred, determine that it has occurred and locate the virus.
Identification: once detection has been achieved, identify the specific virus that has infected a
program.
Removal: once the specific virus has been identified, remove all traces of the virus from the
infected program and restore it to its original state.

Advances in viruses and antivirus technology go hand in hand. As the virus arms race has
evolved, both viruses and antivirus software have grown more complex and sophisticated. There
are three main kinds of anti-virus programs [McAfee]. Essentially these are scanners, monitors
and integrity checkers.

6.1 SCANNERS

Scanners are programs that scan the executable objects (files and boot sectors) for the presence
of code sequences that are present in the known viruses. Currently, these are the most popular
and the most widely used kind of anti-virus programs. There are some variations of the scanning
technique, like virus removal programs (programs that can "repair" the infected objects by
removing the virus from them), resident scanners (programs that are constantly active in memory
and scan every file before it is executed), virus identifiers (programs that can recognize the
particular virus variant exactly by keeping some kind of map of the non-modifiable parts of the
virus body and their checksums), heuristic analyzers (programs that scan for particular sequences
of instructions that perform some virus-like functions), and so on.
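As an added illustration of the dictionary scanning of 3.1, the search of the whole file "in pieces" from section 5 and the scanners of 6.1 (example code written for this page, not taken from any product): a minimal scanner that searches files chunk by chunk against a constructed signature dictionary and quarantines what it finds. The signature bytes, the virus names and the quarantine layout are invented for the demo.

```python
import os
import shutil
import stat

# Constructed demo dictionary (name -> byte sequence from the virus body).
# The patterns are made up for this example; real signatures are chosen so
# that they never occur in clean files.
SIGNATURES = {
    "Demo.Appender.A": b"\xeb\x1fDEMOVIRUS\x90\x90",
    "Demo.Dropper.B": b"DROP-PAYLOAD-7f3a",
}
CHUNK = 4096

def scan_bytes(data):
    """Return (signature name, offset) for every dictionary entry found in data."""
    hits = []
    for name, sig in SIGNATURES.items():
        start = 0
        while (pos := data.find(sig, start)) != -1:
            hits.append((name, pos))
            start = pos + 1
    return hits

def scan_file(path):
    """Scan a file in chunks so that large files are never loaded whole.
    The last len(longest signature) - 1 bytes of each chunk are carried into the
    next window, so a pattern straddling a chunk boundary is still found; the
    overlap can report a hit twice, which the set of absolute offsets removes."""
    overlap = max(len(s) for s in SIGNATURES.values()) - 1
    hits, offset, tail = set(), 0, b""
    with open(path, "rb") as f:
        while chunk := f.read(CHUNK):
            window = tail + chunk
            for name, pos in scan_bytes(window):
                hits.add((name, offset - len(tail) + pos))
            offset += len(chunk)
            tail = window[-overlap:] if overlap else b""
    return sorted(hits, key=lambda h: (h[1], h[0]))

def quarantine(path, qdir):
    """Move an infected file into the quarantine directory and leave it readable
    only by the owner, so no other program can run it or spread the virus."""
    os.makedirs(qdir, exist_ok=True)
    dest = os.path.join(qdir, os.path.basename(path) + ".quarantined")
    shutil.move(path, dest)
    os.chmod(dest, stat.S_IRUSR)
    return dest
```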

6.2 MONITORS

The monitoring programs are memory resident programs, which constantly monitor some
functions of the operating system. Those are the functions that are considered to be dangerous
and indicative for virus-like behavior. Such functions include modifying an executable file,
direct access of the disk bypassing the operating system, and so on. When a program tries to use
such a function, the monitoring program intercepts it and either denies it completely or asks the
user for confirmation.
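An added example of the suspicious behavior approach of 3.2 and the monitors of 6.2 (illustrative code, not any product's implementation): a simulated resident monitor that intercepts writes to executables and direct disk access, either denies them or asks the user, and keeps a trusted list to cut down the false positives the text discusses. The event format, the two dangerous operations and the trusted-list mechanism are assumptions for the demo.

```python
from dataclasses import dataclass
from typing import Callable, Optional

EXECUTABLE_SUFFIXES = (".exe", ".com", ".dll", ".sys")

@dataclass(frozen=True)
class Event:
    process: str    # program making the call
    operation: str  # "write", "raw_disk_write", "read", ...
    target: str     # file path or device name

def suspicious_reason(event: Event) -> Optional[str]:
    """Return why the call is treated as dangerous, or None if it is harmless."""
    if event.operation == "write" and event.target.lower().endswith(EXECUTABLE_SUFFIXES):
        return "modifies an executable file"
    if event.operation == "raw_disk_write":
        return "accesses the disk directly, bypassing the operating system"
    return None

class Monitor:
    """Simulated memory-resident monitor (an assumed design, not any product's).
    ask(event, reason) stands in for the confirmation dialog and returns True to
    allow the call; trusted names programs (installers, updaters) that are exempted
    so that legitimate modification of executables does not raise false alarms."""

    def __init__(self, ask: Callable[[Event, str], bool], trusted=()):
        self.ask = ask
        self.trusted = set(trusted)
        self.alerts = []  # (event, reason, allowed) for every intercepted call

    def handle(self, event: Event) -> bool:
        reason = suspicious_reason(event)
        if reason is None or event.process in self.trusted:
            return True
        allowed = self.ask(event, reason)
        self.alerts.append((event, reason, allowed))
        return allowed

def deny_all(event, reason):
    """Strict user (or deny-outright mode): every intercepted call is refused."""
    return False

def accept_all(event, reason):
    """Desensitised user who clicks "Accept" on every warning: the monitor still
    logs alerts, but no longer blocks anything."""
    return True
```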

6.3 INTEGRITY CHECKING PROGRAMS

In order to be a virus, a program must be able to infect. And, in order to infect, the
program must cause modifications to the programs that are infected. Therefore, a program which
can detect that other executable objects have been modified will be able to detect the
infection. Such programs are usually called integrity checkers.
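An added example of an integrity checker (illustrative code, not from the paper): it records the size and SHA-256 of every executable object under a directory on a known-clean system and later reports which were modified, added or removed. The executable suffix list and the JSON baseline format are choices made for the example.

```python
import hashlib
import json
import os

EXECUTABLE_SUFFIXES = (".exe", ".com", ".dll", ".sys")

def file_digest(path):
    """SHA-256 of a file, read in blocks so large binaries are not loaded whole."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(65536), b""):
            h.update(block)
    return h.hexdigest()

def build_baseline(root):
    """Record size and SHA-256 of every executable object under root.

    Take the baseline on a system known to be clean; a size check alone is not
    enough, since an infection can overwrite bytes without changing the length.
    """
    baseline = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.lower().endswith(EXECUTABLE_SUFFIXES):
                path = os.path.join(dirpath, name)
                rel = os.path.relpath(path, root).replace(os.sep, "/")
                baseline[rel] = {"size": os.path.getsize(path), "sha256": file_digest(path)}
    return baseline

def check_integrity(root, baseline):
    """Compare the current tree with the stored baseline.

    Returns the executables that were modified (changed size or hash), added, or
    removed since the baseline, each as a sorted list of relative paths.
    """
    current = build_baseline(root)
    return {
        "modified": sorted(p for p in baseline if p in current and current[p] != baseline[p]),
        "added": sorted(p for p in current if p not in baseline),
        "missing": sorted(p for p in baseline if p not in current),
    }

def save_baseline(baseline, path):
    # Store the baseline where a virus cannot alter it (read-only or offline
    # media); a checker whose baseline can be rewritten proves nothing.
    with open(path, "w") as f:
        json.dump(baseline, f, indent=2, sort_keys=True)
```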
