How Anti-Virus Software Works
Anti-virus software today is fairly sophisticated, but virus writers are often a step
ahead of the software, and new viruses are constantly being released that current
anti-virus software cannot recognize. The key to anti-virus software is detection.
Once an infected file has been detected, it can sometimes be repaired. If not, the file
can at least be quarantined so that the viral code will not be executed. The difficulty
here is that generic virus detection is inadequate for current and new viruses, and
so anti-virus software must be constantly updated with new lists of viruses. Currently,
when a new virus is discovered (unfortunately, only after it has executed), samples are sent
to virus analysis centers. These centers analyze the virus and extract a unique string
from it that will identify it. This and other information about the virus is added
into a database that users can then download. However, should generic virus detection ever
become 100% effective, then the other steps (removal/repair) should be greatly simplified.
Virus Detection Methods
There are four major methods of virus detection in use today: scanning, integrity checking,
interception, and heuristic detection. Of these, scanning and interception are very common,
with the other two only common in less widely-used anti-virus packages. Unfortunately, while
scanning is very effective against known viruses, it is completely incapable of dealing with
new viruses, forcing anti-virus analysis centers into a reactive stance.
Scanning
Definition: A scanner will search all files in memory, in the boot sector (the sector on
disk that specifies where the boot information is), and on disk for code snippets that will
uniquely identify a file as a virus. Obviously, this requires a list of unique signatures
that will be found in viruses and not in benign programs. To prevent false alarms, most scanners
also will check the code of a suspected file against either the virus code itself or a checksum
of it. (A checksum is a method frequently used to determine if data has been changed, and involves
summing all of the bits in a file.) This is the most common method of virus detection available,
and is implemented in all major anti-virus software packages. There are two types of scanning:
on-access and on-demand. On-access scanning scans files when they are loaded into memory prior
to execution. On-demand scanning scans all of main memory, the boot sector, and disk storage as
well, and is started by the user on request. On-access scanning has become more aggressive
recently, with virus scans occurring even when files are merely selected and not loaded.
Advantages: Scanners can find viruses that haven't executed yet - this is critical for e-mail
worms, which can spread themselves rapidly if not stopped. Also, false alarms have become
extremely rare with the software available today. Finally, scanners are also very good at
detecting viruses that they have the signatures for.
Disadvantages: There are two major disadvantages to scanning-based techniques. First,
if the software is using a signature string to detect the virus, all a virus writer would
have to do is modify the signature string to develop a new virus. This is seen in polymorphic
viruses. The second, and far greater disadvantage is the limitation that a scanner can only
scan for something it has the signature of. The Maltese Amoeba virus was a very destructive
virus that activated on November 11, 1991, and was able to spread rapidly before its activation
without being detected. According to the 1991 Virus Bulletin: "Prior to November 2nd, 1991, no
commercial or shareware scanner (of which VB has copies) detected the Maltese Amoeba virus. Tests
showed that not ONE of the major commercial scanners in use ... detected this virus." Although
virus updates occur more frequently today because of the Internet, viruses still cannot be
detected until one has executed.
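As an added illustration of the two-stage check the Definition paragraph describes (a fast search for a signature string, then confirmation against a checksum of the surrounding code), here is a toy scanner in Python. It is not code from any product named on this page; every signature and sample file is constructed for the demonstration, and SHA-256 stands in for the simpler checksum the text mentions. The "variant" sample, in which one signature byte differs, shows the second disadvantage above: a scanner cannot see a file it has no signature for.

```python
"""Toy signature scanner (added example; not from any anti-virus product).

Stage 1: search each file for a short byte string taken from a known sample.
Stage 2: confirm the hit by hashing a fixed-length region starting at the
match and comparing it with the hash recorded from the sample, so that a
document that merely happens to contain the signature bytes is not flagged.
All samples are constructed; SHA-256 stands in for the text's checksum.
"""
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class Signature:
    name: str
    pattern: bytes       # short string expected only in the virus body
    region_len: int      # bytes from the match start that are hashed
    region_sha256: str   # hash of that region in the original sample


def make_signature(name: str, sample: bytes, pattern: bytes, region_len: int) -> Signature:
    """What an analysis center does: extract a unique string from a sample
    and record a checksum of the code around it."""
    start = sample.index(pattern)
    region = sample[start:start + region_len]
    if len(region) != region_len:
        raise ValueError("sample too short for the requested region")
    return Signature(name, pattern, region_len, hashlib.sha256(region).hexdigest())


def scan(data: bytes, signatures: list[Signature]) -> list[str]:
    """Return the names of every signature confirmed in data."""
    hits = []
    for sig in signatures:
        pos = data.find(sig.pattern)
        while pos != -1:
            region = data[pos:pos + sig.region_len]
            if (len(region) == sig.region_len
                    and hashlib.sha256(region).hexdigest() == sig.region_sha256):
                hits.append(sig.name)
                break                                  # one confirmed hit is enough
            pos = data.find(sig.pattern, pos + 1)      # stage 1 hit, stage 2 miss: keep looking
    return hits


# Constructed "virus": a DOS-style header, padding, a recognisable string, then a body.
SAMPLE_VIRUS = b"MZ\x90\x00" + b"PAD" * 8 + b"DEMO-SIG-BYTES" + bytes(range(40))
SIGNATURES = [make_signature("Demo.Constructed", SAMPLE_VIRUS, b"DEMO-SIG-BYTES", 32)]

# Constructed files to scan.
FILES = {
    "infected.exe": b"original program " + SAMPLE_VIRUS,                 # body appended to a host
    "notes.txt": b"memo: the string DEMO-SIG-BYTES is harmless here",    # bytes present, body absent
    "variant.exe": b"original program "
                   + SAMPLE_VIRUS.replace(b"DEMO-SIG-BYTES", b"DEMO-SIG-BYTEZ"),  # no signature yet
    "clean.exe": b"just a program",
}


def scan_all(files: dict[str, bytes]) -> dict[str, list[str]]:
    """Scan every file and map its name to the confirmed signature names."""
    return {name: scan(data, SIGNATURES) for name, data in files.items()}


if __name__ == "__main__":
    for name, hits in scan_all(FILES).items():
        print(f"{name:14} {', '.join(hits) or 'clean'}")
```

Only `infected.exe` is reported: `notes.txt` passes stage 1 but fails the checksum, and `variant.exe` never matches because its bytes differ from the only signature on file, which is exactly the gap the analysis centers must close after the fact.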
Integrity Checking
Definition: An integrity checker records integrity information about important files on
disk, usually by checksumming. Should a file change due to virus activity or corruption,
the file will no longer match the recorded integrity information. The user is prompted, and
can usually be given an option to restore the file to its pre-corrupted/infected state. This
is an extensive process, and few virus checkers today utilize it; Norman Virus Control,
however, is one.
Advantages: Integrity checking is the only way to determine whether a virus has
damaged a file, and it's fairly foolproof. Most integrity checkers today also have the
benefit of detecting other damage to data, such as corruption, and can restore that as well.
Disadvantages: The major problem with integrity checking is that not enough companies
offer comprehensive integrity checking software. Most anti-virus suites that do offer it don't
protect enough files, and the files they do protect may not be touched at all by newer viruses.
Simpler integrity checkers won't be able to differentiate between damage done via corruption
and damage done via a virus, thus giving the user unclear information as to what's going on.
Finally, this process is simply rather cumbersome - in today's computers, many important files
are changed by as little as booting up and shutting down, so integrity checkers need to be
coupled with scanners for maximum efficacy in detecting viruses.
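The following is an added Python illustration of integrity checking as defined above; it is not code from Norman Virus Control or any other product. A baseline records a hash and size for each protected file, a later check reports anything that changed, and restoration from a backup is refused when the backup itself no longer matches the baseline. SHA-256 replaces the simple bit-sum checksum the text describes, because a plain sum can be kept constant while the contents change. The "disk" is an in-memory dict with constructed paths and contents, and the demo deliberately includes a log file that changes at boot to show the nuisance noted under Disadvantages.

```python
"""Toy integrity checker (added example; not from any anti-virus product).

Baseline: hash + size per protected file.  Check: report modified, missing
and new files.  Restore: copy back from a backup only if the backup still
matches the baseline.  Everything below is constructed for the demo.
"""
import hashlib
from copy import deepcopy


def digest(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_baseline(files: dict[str, bytes]) -> dict[str, dict]:
    """Record integrity information for every protected file."""
    return {path: {"sha256": digest(data), "size": len(data)} for path, data in files.items()}


def check(files: dict[str, bytes], baseline: dict[str, dict]) -> dict[str, list[str]]:
    """Compare the current files with the baseline."""
    report = {"modified": [], "missing": [], "new": []}
    for path, record in baseline.items():
        if path not in files:
            report["missing"].append(path)
        elif digest(files[path]) != record["sha256"]:
            report["modified"].append(path)
    report["new"] = [path for path in files if path not in baseline]
    return report


def restore(files, baseline, backups, paths):
    """Restore the chosen paths from backups; returns the paths restored.
    A backup that no longer matches the baseline is refused, so a tampered
    backup cannot be used to re-infect the file."""
    restored = []
    for path in paths:
        backup = backups.get(path)
        if backup is not None and digest(backup) == baseline[path]["sha256"]:
            files[path] = backup
            restored.append(path)
    return restored


# Constructed snapshot of a disk at the time the baseline is taken.
DISK = {
    "C:/IO.SYS": b"boot code v1",
    "C:/COMMAND.COM": b"shell code v1",
    "C:/WINDOWS/SYSTEM.LOG": b"log line 1\n",
}
BASELINE = build_baseline(DISK)
BACKUPS = deepcopy(DISK)


def demo():
    """Three kinds of change: infection, corruption and a routine log write.
    The checker flags all three identically; the user decides what to restore."""
    disk = deepcopy(DISK)
    disk["C:/COMMAND.COM"] += b"<appended code>"      # infection: code appended to a program
    disk["C:/IO.SYS"] = disk["C:/IO.SYS"][:4]         # corruption: file truncated
    disk["C:/WINDOWS/SYSTEM.LOG"] += b"log line 2\n"  # legitimate change made at boot
    before = check(disk, BASELINE)
    # The user restores the two system files and leaves the log alone.
    restored = restore(disk, BASELINE, BACKUPS, ["C:/IO.SYS", "C:/COMMAND.COM"])
    after = check(disk, BASELINE)
    return before, restored, after


if __name__ == "__main__":
    before, restored, after = demo()
    print("before:  ", before)
    print("restored:", restored)
    print("after:   ", after)
```

Note that the "before" report lists the infected file, the corrupted file and the log in exactly the same way; telling them apart is the user's job, which is the limitation the text describes for simpler checkers.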
Heuristic Virus Checking
Definition: This is a generic method of virus detection. Anti-virus software makers
develop a set of rules to distinguish viruses from non-viruses. Should a program or code segment
follow these rules, then it is marked a virus and dealt with accordingly. This allows detection
of any virus and, in theory, should be sufficient to deal with any new virus attack.
F-Secure's virus software uses this method in addition to scanning, although not very many
software packages available today utilize heuristic virus checking.
Advantages: Generic virus protection would make all other virus scanners obsolete and
would be sufficient to stop any virus. The user doesn't need to download weekly virus updates
anymore, because the software can detect all viruses.
Disadvantages: Although these would be huge benefits of heuristic virus checking, the
technology today is not sufficient. Virus writers can easily write viruses that don't obey the
rules, making the current set of virus detection rules obsolete. Changes to these rules must be
downloaded, and thus these virus checkers must be updated and won't stop many new viruses, which
gives them similar characteristics to scanners. In addition, the potential for false alarms
and not detecting a known virus is greater with heuristic checkers than with scanners.
Interception
Definition: Interception software detects virus-like behavior and warns the user about
it. How to detect virus-like behavior? Use heuristics again. Many viruses will perform some
suspicious action, like relocating themselves in memory and installing themselves as resident
programs. Many software packages have this as an option, although most people usually disable it.
Advantages: Interception is a good generic method to stop logic bombs and Trojan horses.
Logic bombs will trigger a (usually destructive) sequence given an event, such as the date being
set to a certain date. When not detected by scanners, interception software will usually detect
the destructive and unusual sequences of events caused by logic bombs and Trojan horses.
Disadvantages: Unfortunately, interceptors aren't very good at detecting anything else.
Interceptors also have all the drawbacks of heuristic systems - difficulty differentiating
virus from non-virus, and being easy to program around. Also, most interceptors are very easy to
disable, and so many viruses frequently disable them before launching. Due to the nature of an
interceptor, this software is unable to detect viruses before they launch, and a lot of damage
could already have been done. Lastly, interceptors are a nuisance and frequently prompt the user
to allow/disallow activity during software installations and system upgrades, making those
tasks very tedious. Combined with their limited usefulness, most software packages disable or strongly
limit interception by default.
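The two sections above (heuristic checking and interception) both come down to a set of rules applied to what a program does, so here is one added Python example serving both; it is not any vendor's engine. A monitored program yields a trace of operations, each rule adds a weight to a suspicion score, and the score decides whether the activity is blocked, the user is prompted, or the program is allowed to continue. The operation names, weights and thresholds are invented for the demonstration, and the three traces are constructed rather than recorded from real software. The installer trace shows the false-alarm problem both sections mention: legitimate setup programs trip the same rules and generate the prompts users find so tedious.

```python
"""Toy behaviour-based interceptor (added example; not a vendor's engine).

Each operation named in RULES adds a weight to a suspicion score.  Writes to
executables count per occurrence (capped), because a program touching every
.EXE on disk is more suspicious than one updating its own files.  Names,
weights, thresholds and traces are all invented for this demo.
"""
from collections import Counter

# op name: (weight, why a rule treats it as virus-like)
RULES = {
    "write_boot_sector": (5, "overwrites the sector used at start-up"),
    "hook_interrupt":    (4, "takes over an interrupt handler"),
    "stay_resident":     (3, "stays in memory after the program exits"),
    "write_executable":  (2, "modifies another program's code"),
    "disable_antivirus": (5, "tampers with the anti-virus software"),
}
CUMULATIVE = {"write_executable"}   # rules scored once per occurrence, up to CAP
CAP = 5
BLOCK_AT, PROMPT_AT = 8, 4


def score(trace):
    """trace: list of (op, target). Returns (total score, list of reasons)."""
    total, reasons = 0, []
    for op, count in Counter(op for op, _ in trace).items():
        if op not in RULES:
            continue                      # ordinary operations carry no weight
        weight, why = RULES[op]
        occurrences = min(count, CAP) if op in CUMULATIVE else 1
        total += weight * occurrences
        reasons.append(f"{op} x{count}: {why}")
    return total, reasons


def decide(trace):
    """Return (verdict, score, reasons); verdict is 'block', 'prompt' or 'allow'."""
    total, reasons = score(trace)
    if total >= BLOCK_AT:
        verdict = "block"
    elif total >= PROMPT_AT:
        verdict = "prompt"                # the user is asked, as the text describes
    else:
        verdict = "allow"
    return verdict, total, reasons


# Constructed traces.
VIRUS_LIKE = [
    ("hook_interrupt", "INT 21h"),
    ("stay_resident", ""),
    ("write_executable", "C:/GAMES/GAME.EXE"),
    ("write_executable", "C:/TOOLS/EDIT.EXE"),
    ("write_executable", "C:/WINDOWS/CALC.EXE"),
    ("disable_antivirus", ""),
]
INSTALLER = [                          # a legitimate setup program trips the same rules
    ("write_executable", "C:/PROGRAM FILES/APP/APP.EXE"),
    ("write_executable", "C:/PROGRAM FILES/APP/HELPER.EXE"),
    ("stay_resident", ""),             # installs a background updater
]
EDITOR = [("open_file", "README.TXT"), ("write_file", "README.TXT")]


if __name__ == "__main__":
    for name, trace in [("virus-like", VIRUS_LIKE), ("installer", INSTALLER), ("editor", EDITOR)]:
        verdict, total, reasons = decide(trace)
        print(f"{name}: {verdict} (score {total})")
        for reason in reasons:
            print("   ", reason)
```

The virus-like trace is blocked outright, the editor is allowed, and the installer lands in the "prompt" band. Raising PROMPT_AT would silence the installer but would also let a slower-moving infector through, which is the trade-off that leads most packages to ship with interception limited by default.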
Upcoming Improvements to Software
Symantec has recently released something called the "Digital Immune System" with the
Norton AntiVirus Corporate Edition. Currently only available to corporations, this
system automates much of the virus detection/vaccine process. A sample is automatically uploaded
to an analysis center when the system detects virus-like activity. If the virus matches a known
virus, then a vaccine is downloaded to the infected computer and the software cleans it out.
If this is a new virus, the sample is sent to analysts to develop a vaccine. This greatly speeds
up the time it takes to clean a virus off of a computer, thus greatly decreasing the ability
the virus has to infect other computers. Unfortunately, virus activity is detected using heuristics,
which, as mentioned above, are not totally accurate. Network Associates has a similar process
in its VirusScan software. Unfortunately, not many other improvements to virus software are
foreseen, and improvements in this area rely wholly on improved AI to detect viruses.
Ways to Defeat Anti-virus Software
Because the same anti-virus software methods are in use all over the world, virus writers
have attempted to defeat the software in their viruses, either by disabling the software or
getting around the detection algorithms. This section will briefly examine the techniques that
virus writers use to get around the software and how effective they are in doing so.
Polymorphic viruses attempt to neutralize virus-scanning techniques by changing the
code every time the virus infects a new computer. Even if the virus signature remains
unchanged, the checksum of the virus will change, ensuring that anti-virus software won't pick it up.
However, all of the viruses today that use such a technique are fairly ineffective, because
the code that is generated is too similar to the original virus. "Toolkits" have been developed
by virus writers - some with excellent user interfaces and even help files - to generate
polymorphic viruses, but even so, the similarities between the viruses generated by these
toolkits make it easy for anti-virus software to detect the virus. Nevertheless, the
possibility exists that a polymorphic virus will be developed that can evade virus scanners;
such a virus would be extremely difficult to contain.
Tunneling viruses attempt to get around anti-virus software by loading themselves
underneath the scanner, closer to the hardware. Such viruses aim to gain access to interrupt
handlers and thus have direct access to the operating system. Most anti-virus software can detect
this. When detected, the anti-virus software installs itself underneath the virus. Smarter viruses
then try to install themselves underneath the anti-virus software, leading to a battle over
the interrupt handlers and to system problems, as neither side is allowed access to the interrupt handlers.
Stealth viruses rely on being loaded before the anti-virus software, which could occur
should the virus infect the boot sector or a system file that is loaded before anti-virus software
is. These viruses then disguise the changes that they make, and thus get around any virus detection
schemes. Cleaning such viruses off isn't that difficult - booting with a clean diskette will prevent
the virus from being loaded into memory, and a scanner should be able to clean it off then.
Fast infecting viruses work similarly to stealth viruses - they rely on being invisible
to the virus scanner to infect computers. These viruses usually piggyback on anti-virus scanners,
and infect files whenever they are accessed. If not found before the virus scanner begins scanning
files, the virus will quickly infect every file on disk. Because of on-access scanning, this type
of virus will spread even without an on-demand scan. However, the virus still needs to infect its
first file, and most scanners will block the virus before it can latch onto the virus scanner.
Other methods: Many viruses being developed today use a combination of the above techniques
and add a few more of their own. For example, the MTX worm loads itself into memory before
anti-virus software and prevents the software from functioning correctly. In addition to that,
the virus uses a technique that's becoming more and more common - blocking access to anti-virus
vendor websites. The MTX virus blocks access to Symantec, McAfee, and several other companies
that provide virus scanner updates so that the user is prevented from retrieving an update. Other
viruses will attack the software more directly, damaging and corrupting library or code files
that a virus scanner needs to function properly. Finally, many viruses will download updates and
plugins, allowing the virus writer to stay one step ahead of the anti-virus software writers.
Virus Recovery & Removal
Once a virus is detected, how do anti-virus programs undo the damage that the virus has
done? Anti-virus programs are fairly bad at restoring data - viruses that attempt to damage
files instead of merely infecting them will succeed unless those files have been backed up.
Virus scanners repair files by deleting the virus code from the file, which in most cases
restores the file to its pre-infected state. However, for viruses that damage system files
(e.g. a virus that blocks access to anti-virus vendors' sites by irreparably changing a network
library), the anti-virus program is incapable of repairing all the damage. The only foolproof
method of restoring damage done by a virus is to clean all infected files and restore
everything else from backups.
Problems with Anti-virus Software
Anti-virus software suffers from more problems than not being able to detect cutting-edge
viruses. Many copies of anti-virus software are unable to detect even old viruses, because
end users frequently forget or simply don't update their virus scanner's virus databases
until it's too late. On-demand scans are rarely performed because they're slow and hog
resources while running, so dormant viruses tend to have a rather long life. On-access
scanners aren't free of troubles, either - some consume too many resources, so many users are
tempted to disable them if they're on a slower machine.
Finally, while anti-virus software may become extremely good at sensing virus activity, there
are always new security holes to exploit in operating system and networking software that would
give viruses another entry point that bypasses the anti-virus software. Finding a security hole
and getting reported on one of these sites is considered to be an honor among the virus writing
community. An example of one of these sites is SANS, which has bulletins about hacker and
virus attacks.
The bottom line? Anti-virus software in use today is fairly effective - but only if it's
kept updated and the user takes precautions (such as not opening unfamiliar documents or
programs). Despite all this, anti-virus software cannot protect against brand new viruses,
and few users take the necessary precautions. A survey was done of corporate computer users,
finding that many users still get infected even if they are required to take all the
necessary precautions. (Source: ICSA Labs Computer Virus Prevalence Survey 2000.) With the
Internet growing larger daily, it is unlikely that anti-virus software will be able to protect
all of the users connected; however, with proper care and attention, people should be able to
deal with all but the most unusual viruses.
Sources:
Computer Knowledge Virus Tutorial, Computer Knowledge.com. http://www.cknow.com/vtutor/vtprotect.htm
"The New Hot Zone," Time Digital, July 2000. http://www.time.com/time/digital/feature/0,2955,49120,00.html
Rutrell Yasin, "Management & Security: Viruses Get Quarantined," InternetWeek, May 17, 1999, p. 25.
"Do you think that updating your anti-virus software is good enough? Think again." InfoWorld.com, Sep. 15, 2000. http://www.infoworld.com/articles/op/xml/00/09/18/000918opswatch.xml
Hanhisalo, Markus. Helsinki University of Technology. http://www.tml.hut.fi/Opinnot/Tik-110.501/1997/viruses.html
ICSA Labs, AntiVirus Product Developers Consortium. http://www.icsalabs.com/html/communities/antivirus/index.shtml