Generic detectors are used to eliminate unknown viruses. This method performs integrity checking using checksums.
A checksum is created when an algorithm reads a file's bytes sequentially, producing a numeric value derived from the file's contents. Generic antivirus detectors then compare checksums recorded when the system was in a known, clean state with checksums recalculated subsequently. If a virus has attached itself to a file, the bytes will add up differently and the new checksum will no longer match the old (i.e., clean) checksum.
Using this method, it is not necessary to know anything about a virus; instead, the system focuses on what the clean file should look like. The Secret Service uses the same method when teaching agents how to spot counterfeit currency. New agents receive extremely detailed training on what a real dollar should look like rather than on what various counterfeits look like.
The other techniques used in generic detection enable antivirus programs to distinguish normal, legitimate writes to a file from viral additions. Expert systems test a system's software by examining code flows, calls, executions, and other functions to spot viral activity. Sophisticated versions of this approach not only spot viruses, but clean them automatically.
Terminate and stay resident (TSR) programs stay in memory but operate in the background while other programs run. Because most viruses are essentially TSR, it makes sense to combat them with a TSR. Antivirus TSR programs can provide real-time monitoring of disks and files, expert systems analysis of virus-like behavior and code, and may even detect stealth and polymorphic activity. Rather than only working when invoked, TSRs stay on in automatic mode whenever the workstation is in use. Instead of looking for code that matches memorized patterns, as scanners do, antivirus TSRs attempt to catch viruses in the act. On a network, antivirus TSRs can download from a server to each client as it logs on so that users do not need to remember to activate antivirus tools.
Behavior blocking is the only defense that can prevent viral infection, rather than merely detecting viruses after they have infected. Behavior blocking performs on-the-fly code analysis, monitoring the sequence of code behavior until it can distinguish whether the code is safe or harmful. Harmful code is not permitted to execute; instead, the behavior blocker notifies the user. Behavior blocking programs use some or all of the following techniques.
File Attribute Monitors. A virus cannot infect (i.e., write to) an executable that is marked read-only. Many viruses work around this by first modifying the file's attributes so that the file becomes read-write. Behavior blockers can intercept code that attempts to change or delete the attributes of files.
Intercept Reboot. Some behavior blockers intercept Ctrl+Alt+Del warm reboots and check any inserted floppy for viruses before allowing the computer to warm-boot off that floppy. If the floppy has a virus, the behavior blocker warns the user that the floppy is infected. This technique can halt boot viruses.
Smart Blocking. This term refers to very sophisticated behavior blockers that are able to distinguish complex virus behaviors from the complex behaviors of a user running complex software. Smart behavior blockers can analyze detailed sequences of behavior, using statistical analysis to determine the probability that a particular sequence is a virus.
Rescue Disks. Rescue disks are used to salvage data once a virus has infected a PC. It is important that each PC have its own rescue disk. During the installation, an operator must be present to put in the diskette; there is no automatic installation. Users must keep track of their rescue disks. If the disk is lost, there is no way to rescue the PC from the virus infection.
Physical Access to PCs. One simple but important technique for defeating viruses is to control who is able to use the computers. Despite the rise of the Internet, most viruses still enter machines through floppy disks. Although the majority of infections come through the hands of unwitting employees, a percentage of attacks emanate from hostile intent. Therefore, some viral attacks can be deflected simply by deterring unauthorized personnel from using machines. Besides taking measures such as securing physical access to computer rooms, a manager can also use security products that render physical and logical drives invisible to certain users or user groups on a network. Thus, fewer personnel have the opportunity to hack those drives.
Despite the existence of sophisticated antivirus tools, many organizations rely almost entirely on signature scanning to detect viruses. In light of the virus boom, signature scanning alone is a mediocre defense, at best. Some of the drawbacks of this commonly used approach are described in the following sections.
Passivity. The most profound flaw in relying on signature scanners is that they are reactive, or passive. The goal of scanning is to detect a virus that has already infected a file or a boot sector. The ideal method is to prevent viruses from infecting the system at all, not merely to be informed of the problem after the fact.
Incomplete Checking. A polymorphic virus, which produces varied but fully operational copies of itself, can deceive signature scanners by altering or encrypting its signature. Signature scanners have attempted to address this by including several signatures for a given virus, one for each possible encryption method or iteration of the signature. As polymorphic viruses become increasingly sophisticated, the brute force method of including more signatures in the scanner will not be able to keep up with all the possible variants of all the polymorphic viruses. Many polymorphs already evade detection by interspersing noise instructions or by interchanging mutually independent instructions within the code to continually modify the signature. A simple signature-based scanner cannot reliably identify this type of code.
Failure to Scan for Newer Viruses. Scan strings can only be extracted and cataloged if the antivirus vendor has a sample of the virus. In the recent past, it took the most common viruses six months to three years to become prevalent, giving vendors enough time to send out regular updates of known viruses and head them off. The exponential growth in viruses has increased the likelihood of a new virus reaching the LAN or PC before the update from the antivirus company does. Besides creating a chance of missing an unknown virus, signature-based scanners require constant updating. If the signature scanner is not centrally administered, it slows productivity and drains resources because of the management tasks needed to install each successive enterprisewide update.
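The checksum-based integrity checking described at the start of this chapter and the unknown-virus gap of signature scanning described just above, shown together in an added Python example that is not from the book: a constructed directory is baselined while clean, one file is then altered with bytes that no scan string covers, and a stale signature database (a constructed placeholder) reports nothing while the checksum comparison flags the file. SHA-256 stands in for the book's unspecified checksum algorithm.

```python
import hashlib
import os
import tempfile

# Constructed stand-in for a vendor scan-string database: it knows one pattern only.
KNOWN_SIGNATURES = {"demo-marker": b"KNOWN_SIGNATURE_ABC"}

def file_checksum(path):
    """Read the file's bytes sequentially and reduce them to one value (SHA-256 here)."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def build_baseline(root):
    """Record a checksum per file while the system is in a known, clean state."""
    return {n: file_checksum(os.path.join(root, n)) for n in sorted(os.listdir(root))}

def verify_baseline(root, baseline):
    """Recalculate and compare: modified, added and removed files all show up."""
    current = build_baseline(root)
    return {
        "modified": sorted(n for n in baseline if n in current and current[n] != baseline[n]),
        "added": sorted(n for n in current if n not in baseline),
        "removed": sorted(n for n in baseline if n not in current),
    }

def scan_for_signatures(root, signatures):
    """Signature scan: reports only files containing a catalogued scan string."""
    hits = {}
    for n in sorted(os.listdir(root)):
        with open(os.path.join(root, n), "rb") as f:
            data = f.read()
        matched = [name for name, pattern in signatures.items() if pattern in data]
        if matched:
            hits[n] = matched
    return hits

def demo():
    """Constructed scenario: clean baseline, then an unknown change appended to one file."""
    with tempfile.TemporaryDirectory() as root:
        for n in ("app.exe", "util.exe"):
            with open(os.path.join(root, n), "wb") as f:
                f.write(b"MZ clean program image for " + n.encode())
        baseline = build_baseline(root)
        with open(os.path.join(root, "app.exe"), "ab") as f:
            f.write(b"bytes appended by something no signature database has seen")
        return scan_for_signatures(root, KNOWN_SIGNATURES), verify_baseline(root, baseline)
```

Running demo() returns an empty signature hit list alongside a baseline report naming app.exe as modified, which is the gap the chapter describes: the scanner needs a sample, the checksum comparison needs only the clean state.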