ANTIVIRUS

2012-2013

1. INTRODUCTION

Antivirus or anti-virus software (usually written as the abbreviation AV) is software used to prevent, detect and remove malware (of all descriptions), such as: viruses, malicious BHOs, hijackers, ransom ware, key loggers, backdoors, root kits, Trojan, malicious LSPs, dialers, fraudtools, adware and spyware. Computer security, worms, including

protection from social engineering techniques, is commonly offered in products and services of antivirus software companies. This page discusses the software used for the prevention and removal of malware threats, rather than computer security implemented by software methods. A variety of strategies are typically employed. Signature-based detection involves searching for known patterns of data within executable code. However, it is possible for a computer to be infected with new malware for which no signature is yet known. To counter such so-called zero-day threats, heuristics can be used. One type of heuristic approach, generic signatures, can identify new viruses or variants of existing viruses by looking for known malicious code, or slight variations of such code, in files. Some antivirus software can also predict what a file will do by running it in a sandbox and analyzing what it does to see if it performs any malicious actions. No matter how useful antivirus software can be, it can sometimes have drawbacks. Antivirus software can impair a performance. Inexperienced users may also have problems understanding the prompts and decisions that antivirus software presents them with. An incorrect decision may lead to a security breach. If the antivirus software employs heuristic detection, success depends on achieving the right balance between false positives and false negatives. False positives can be as destructive as false negatives. Finally, antivirus software generally runs at the highly trusted kernel level of the operating system, creating a potential avenue of attack.

ANTIVIRUS

2012-2013

2. History Of Anti Virus

Most of the computer viruses written in the early and mid-1980s were limited to self-reproduction and had no specific damage routine built into the code. That changed when more and more programmers became acquainted with virus programming and created viruses that manipulated or even destroyed data on infected computers. There are competing claims for the innovator of the first antivirus product. Possibly the first publicly documented removal of a computer virus in the wild was performed by Bernd Fix in 1987. There were also two antivirus applications for the Atari ST platform developed in 1987. The first one was G Data and second was UVK 2000. Fred Cohen, who published one of the first academic papers on computer viruses in 1984, began to develop strategies for antivirus software in 1988 that were picked up and continued by later antivirus software developers. In 1987, he published a demonstration that there is no algorithm that can perfectly detect all possible viruses. In 1987 the first two heuristic antivirus utilities were released: Flushot Plus by Ross Greenberg and Anti4us by Erwin Lanting. Also in 1988 a mailing list named VIRUS-Laws started on the BITNET/EARN network where new viruses and the possibilities of detecting and eliminating viruses were discussed. Some members of this mailing list like John McAfee or Eugene Kaspersky later founded software companies that developed and sold commercial antivirus software. Before internet connectivity was widespread, viruses were typically spread by infected floppy disks. Antivirus software came into use, but was updated relatively infrequently. During this time, virus checkers essentially had to check executable files and the boot sectors of floppy disks and hard disks. However, as internet usage became common, viruses began to spread online.

ANTIVIRUS

2012-2013

Over the years it has become necessary for antivirus software to check an increasing variety of files, rather than just executables, for several reasons:

Powerful macros used in word processor applications, such as Microsoft Word, presented a risk. Virus writers could use the macros to write viruses embedded within documents. This meant that computers could now also be at risk from infection by opening documents with hidden attached macros.

The possibility of embedding executable objects inside otherwise non-executable file formats can make opening those files a risk.

Later

email

programs,

in

particular

Microsoft's Outlook

Express and Outlook,

were vulnerable to viruses embedded in the email body itself. A user's computer could be infected by just opening or previewing a message. As always-on broadband connections became the norm, and more and more viruses were released, it became essential to update virus checkers more and more frequently. Even then, a new zero-day virus could become widespread before antivirus companies released an update to protect against it.

An example of free antivirus software

ANTIVIRUS

2012-2013

3. Features

Antivirus software has the capability of searching an entire file on a computer system. Instead of just looking at a small section of an existing computer file, the antivirus software thoroughly analyzes it. This prevents viruses, spyware, and malware from hiding on your computer system and compromising the data stored on it. On-access scanning is another useful feature of much antivirus software. The real time protection will notify you of any irregular file activity that may indicate your computer system has been infected. Virus removal features are also included in antivirus software to take them off your current computer system. With frequent virus database updates, your antivirus software will effectively keep track of the latest threats that could harm your computer system.

4. Function of Antivirus Software

Antivirus software is used to detect harmful viruses and other spyware on a computer system. Hackers frequently embed viruses on popular websites to infect the computer of anyone that visits their website. Youll need to locate a suitable t ype of antivirus software to stop them from invading your computer system unknowingly. With antivirus software, viruses and spyware will be properly removed from your infected computer system to protect your important data. Most antivirus software programs can usefully identify common and uncommon malware applications that have been unwittingly installed on a computer system.

5. SIGNATURE DETECTION

ANTIVIRUS

2012-2013

Most anti-virus programs work like the human immune system by scanning your computer for the signatures (patterns) of digital pathogens and infections. They refer to a dictionary of known malware, and if something in a file matches a pattern in the dictionary, the anti-virus software attempts to neutralize it. Like the human immune system, the dictionary approach requires updates, like flu shots, to provide protection against new strains of malware. Anti-virus can only protect against what it recognizes as harmful. Again, the problem is the bad guys are developing new malware so fast that anti-virus developers cannot keep up. Your computer is vulnerable during the delay between the time new malware is identified and the time a dictionary update is released by anti-virus vendors. This is why it is important that you keep your anti-virus product as up-to-date as possible.

6. BEHAVIOR DETECTION
In this approach, instead of attempting to identify known malware, anti-virus software monitors the behavior of software installed on your computer. When a program acts suspiciously, such as trying to access a protected file or to modify another program, anti-virus spots the suspicious activity and alerts you to it. This approach provides protection against brand new types of malware that do not yet exist in any dictionary. The problem with this approach is that it can generate a large number of false warnings. You, the computer user, may be unsure about what to allow or not allow and over time become desensitized to all those warnings. You might be tempted to click Accept on every warning, leaving your computer wide open to attack and infection.

ANTIVIRUS

2012-2013

7. ANTI-VIRUS TIPS

1. Dont assume youre Not at Risk

Every computer, regardless of its operating system, is vulnerable to attack. While anti-virus cannot protect against all types of malware, the security of your computer is enhanced substantially when anti-virus software is installed, up to date, and working properly.

2. Download Only From Trusted Sources

Obtain security software only from known, trusted sources and vendors. It is a common ploy of cybercriminals to pretend to be selling anti-virus programs that are in fact malware. We list several trusted sources for anti-virus solutions at the end of this newsletter.

ANTIVIRUS

2012-2013

3. Keep Your Software Current

Make sure you have the latest version of your anti-virus product installed and that it is set to update automatically. Check the status of the signature updates periodically to make sure they are current.

4. Dont Delay Updates

If your computer has been offline or powered off for a while, your anti-virus will most likely need an update when you turn it back on or reconnect it to the Internet. Do not postpone these updates.

5. Scan Additional Devices

Make sure your anti-virus automatically scans portable devices, such as USB sticks, when you plug them into your computer.

6. Track Warnings and Alerts

Pay attention to the onscreen warnings and alerts generated by your anti-virus software. Most alerts include the option of clicking on a link to get more information or a recommendation about what to do next. At the office, write down the alert messages and contact your computer help desk or security team.

ANTIVIRUS

2012-2013

7. Dont Disable The Software

Do not disable your security software because you feel it is slowing down your computer, blocking a website, or preventing you from installing an app or program. Disabling your anti-virus will expose your computer to unnecessary risk and could result in a serious security incident. If problems persist, replace your anti-virus with another product.

8. Install One Program Only

Do not install multiple anti-virus programs on your computer at the same time. Doing so may leave your computer with less protection instead of providing more protection.

9. Consider a Security Suite

Understand that anti-virus cannot protect your computer against all threats. We recommend you install a security suite that includes additional tools, such as a firewall, browser protection, and other advanced security features.

8. What is a Computer Virus?

A virus is a computer code that has been designed to spread" and replicate itself by passing from computer to computer. It is a piece of software that piggybacks on legitimate programs like Excel, Word, WordPerfect, Outlook, etc... When the program is run, the virus is triggered to run too. Viruses can be destructive in nature, and can cause a wide range of problems ranging from operating system and file corruption to getting blamed for email spamming. Some viruses are just annoying, but cause no damage.

ANTIVIRUS

2012-2013

9. How do Computers get Viruses?

Viruses usually find their way into computers through networks (local networks as well as the internet) by taking advantage of unpatched security vulnerabilities (holes) in software or by receiving an infected file via email, download or shared disk. Depending on the type of virus, it may be embedded in an Excel or Word file, or may be designed to infect upon the opening of an email. Once infected, a computer can literally infect thousands of other computers by quietly spreading the virus without the user even knowing about it.

10.

How Anti Virus Software Works

Virus definition files tell the anti virus software what codecharacteristics to look for while monitoring your computer. When acertain file type or activity occurs that matches a characteristic, theanti virus software blocks the execution of code and alerts you thata virus has been found. The virus is then isolated and destroyed.Hundreds of new computer viruses are introduced onto the interneteach week, and as antivirus software developers find these newviruses, they create updates of the virus definitions in order toprovide the antivirus software with a way to identify and destroyeven the newest of viruses. It is extremely important to update your antivirus software every day in order to make sure you have the most current virus definitions available. Fortunately, most modernanti virus software comes with an automatic update feature that makes this task a onetime set it and forget it kind of thing.

ANTIVIRUS

2012-2013

11. ANTIVIRUS PRODUCT VIRUS DETECTION ANALYSIS

Each product type requires different analysis approaches. A virus test bed can be used for evaluating products which will detect or prevent known viruses .A virus test bed can be utilized for products which will detect or prevent unknown viruses, but vulnerability analysis is also required. If the virus tests beds are divide into different categories, this can be utilized while analyzing antivirus products. The different virus categories of the test bed are examples and the classification can be differerent depending on the analysis method and products evaluated .If the test bed is divided into different categories, this will help analysis of product.

Antivirus product catego

Detectingknownvirus:

Current antivirus productrepresentthecategory

knownvirusscanner

10

ANTIVIRUS

2012-2013

Preventing known virus : Detecting unknown virus: Preventing unknown virus:

memory resident known virusscanner checksum calculation programs and heuristic scanner Memory resident heuristic Scanners, behavior blockers and memory resident checksum calculation programs.

Current Antivirus Product

Detecting known viruses
A well maintained virus test bed, which contains viruses known to computer antivirus researches, can be used for evaluating products which will detect known viruses. The virus detection analysis can be carried out by scanning the contents of the test bed and concluding results from the scanning reports. Unfortunately, some product may crash during the scanning and in such files causing crashes need to be traced and files resulting in crashes should be treated as unidentified by the product.

Preventing Known virus

A well maintained virus test bed containing viruses known to computer antivirus researches can be used for evaluating products preventing known viruses. The difference between is that the product is working in the background and this requires more complicated evaluation methods, but the same virus test bed can be used with products, which will prevent known viruses.

Detecting Unknown viruses A virus test bed can also be used as a basis for the analysis for product, which detects unknown viruses. Often products detecting unknown viruses are combined with products which will detect known viruses. If possible, the products known virus detection capability should be disabled. Known virus detection may be detached by removing virus database files, by using old database files or by using specific operation mode of a product. Unfortunate-ly, the known virus detection may be an inseparable part of a product and in this case test bed should be limited to viruses not known to the product and a vulnerability analysis may be necessary.

11

ANTIVIRUS

2012-2013

Preventing Unknown viruses A virus test bed can be also used for evaluating products which will prevent unknown viruses. The difference is that the product is working in the background and this requires special evaluation methods, but the same virus test bed can be used with product which will prevent unknown viruses. This is demonstrated in Virus Research Units behavior blocker analysis. With products preventing unknown viruses, virus attack emulation and Vulnerability analysis are also required.

Different virus types in the test bed File viruses Some programs are viruses in disguise, when executed they load the virus in the memory along with the program and perform the predefined steps and infect the system. They infect program files like files with extensions like.EXE, .COM, .BIN, .DRV and .SYS. Some file viruses just replicate while others destroy the program being used at that time. Such viruses start replicated as soon as they are loaded into the memory. As the file viruses also destroy the program currently being used, after removing the virus or disinfecting the system, the program that got corrupted due to the file virus, too, has to be repaired or reinstalled.

Boot sector viruses The boot sector virus can be the simplest or the most sophisticated of all computer viruses. Since the boot sector is the first code to gain control after the ROM startup code, it is very difficult to stop before it loads. If one writes a boot sector virus with sufficiently sophisticated anti-detection routines, it can also be very difficult to detect after it loads, making the virus nearly invincible. Specifically, lets look at a virus which will carefully hide itself on both floppy disks and hard disks, and will infect new disks very efficiently, rather than just at boot time. Such a virus will require more than one sector of code, so we will be faced with hiding multiple sectors on disk and loading them at boot time. Additionally, if the virus is to infect other disks after boot-up, it must leave at least a portion of itself memory-resident. The mechanism for making the virus memory resident cannot take advantage of the DOS Keep function (Function31H) like typical TSR programs.

12

ANTIVIRUS

2012-2013

Macro viruses In essence, a macro is an executable program embedded in a word processing document or other type of file. Typically users employ macros to automate repetitive tasks and there by save key strokes. The macro language is some type of basic programming language. A user might define a sequence of key strokes i n a m a c r o a n d s e t i t u p s o t h a t a m a c r o i s i n v o k e d w h e n a f u n c t i o n k e y i s invoked. Common auto executing events are opening a file, closing file etc. Once a macro is running it can copy itself to other documents, deleting files etc. How does a Macro Virus strike?1. The user gets an infected Office Document by email or by any other medium.2. The infected document is opened by the user.3. The evil Macro code looks for the event to occur which is set as the event handler at which the Virus is set off or starts infecting other files. Macro viruses include Concept, Melissa, and Have a Nice Day.

Script viruses Script viruses should be replicated by using the environment needed for Replication. For example, viruses using MS-DOS batch language should be replicated using batch files as goat files and viruses using Visual Basic Scripting should be replicated using Windows Scripting Host.

Multipartition viruses Multipartite viruses are the hybrid variety; they can be best described as across between both Boot Viruses and File viruses. They not only infect files but also infect the boot sector. They are more destructive and more difficult to remove. First of all, they infect program files and when the infected program is launched or run, the multipartite viruses start infecting the boot sector too. Now the interesting thing about these viruses is the fact that they do not stop, once the boot sector is infected. Now after the boot sector is infected, when the system is booted, they load into the memory and start infecting other program files. Some popular examples would be Invader and Flip etc

13

ANTIVIRUS

2012-2013

Polymorphic viruses They are the most difficult viruses to detect. They have the ability to mutate this means that they change the viral code known as the signature each time it spreads or infects. Thus Antiviruses which look for specific virus codes are not able to detect such viruses. Now what exactly is a Viral Signature? Basically the Signature can be defined as the specific fingerprint of a particular virus which is a string of bytes taken from the code of the virus. Antiviral software maintain database of known virus signatures and look for a match each time they scan for v i r u s e s . As we see a new virus

a l m o s t e v e r yd a y , t h i s d a t a b a s e o f V i r u s Signatures has to be kept updated. This is the reason why the Antivirus vendors provide updates. How does a Polymorphic Virus Strike? 1. The User copies an infected file to the disk. 2. When the infected file is run, it loads the Virus into the memory or the RAM. 3. The new virus looks for a host and starts infecting other files on the disk. 4. The virus makes copies of itself on the disk. 5. The mutation engines on the new viruses generate a new unique encrypticcode which is developed due to a new unique algorithm. Thus it avoids detecting from Check summers.

Companion viruses Companion viruses sustaining known executable appearance do not pose much difficulty for scanners, because they can be simply detected by normally scanning executable files. Companion viruses, however, may mislead non identifying products, like integrity checkers, if the possibility of a companion virus type of attack has not been taken into account while implementing the product.

Stealth viruses They viruses are stealth in nature and use various methods to hide themselves and to avoid detection. They sometimes remove themselves from the memory temporarily to avoid detection and hiding from virus scanners. Some can also redirect the disk head to read another sector instead of the sector in which they reside. Some stealth viruses like the Whale conceal the increase in the length of the infected file and display the

14

ANTIVIRUS

2012-2013

original length by reducing the size by the same amount as that of the increase, so as to avoid detection from scanners. For example, the whale virus adds 9216 bytes to an infected file and then the virus subtracts the same number of bytes i.e. 9216 from the size given in the directory. They are somewhat difficult to detect.

Linking viruses Linking viruses may require that the system is first infected with the virus in Order to construct the linkage. However, scanners typically detect the virus even when the linkage does not exist and this can be utilized in virus detection analysis..Furthermore, a linkage virus may be capable of replicating even without establishing the linkage, but if this is not the case, then the linkage should be created before analysis. Otherwise we are not analyzing true working viruses, because the virus is not capable of replicating without the linkage.

Memory resident viruses As demonstrated with the definition of stealth viruses, memory resident Viruses may be able to deceive antivirus products, if the memory scanning does not work correctly for some reason and the virus active in the central memory is not found. In such a case it is possible that a antivirus scanner is actually replicating a virus, because the virus may infect each file the scanner opens for reading. Therefore one phase of antivirus product evaluation could be evaluating products capabilities to detect viruses in central memory.

Self-distributing viruses Self-distributing viruses have at least one special replication channel from a local system to a remote system. The replication should be performed by using the replication channels. However, the replication environment should be an isolated environment in order to prevent the virus accidently spreading to external systems. Preventing antivirus products should be analyzed based on the prevention mechanism. This may require that the replication channel is used or that the virus is activated while the antivirus product is actively preventing virus

12. IDENTIFICATION METHOD OF ANTIVIRUS There are several methods which antivirus software can use to identify malware. Signature

15

ANTIVIRUS

2012-2013

based detection is the most common method. To identify viruses and other malware, antivirus software compares the contents of a file to a d i c t i o n a r y o f v i r u s s i g n a t u r e s . B e c a u s e v i r u s e s c a n e m b e d t h e m s e l v e s i n existing files, the entire file is searched, not just as a whole, but also in pieces. Heuristic-based detection, like malicious activity detection, can be used to identify unknown viruses. File emulation is another heuristic approach. File emulation involves executing a program in a virtual environment and logging what actions the program performs. Depending on the actions logged, the antivirus software can determine if the program is malicious or not and then carry Signature-based detection.

Traditionally, antivirus software heavily relied upon signatures to identifymalware. This can be very effective, but cannot defend against malware unless samples have already been obtained and signatures created. Because of this, signature-based approaches are not effective against new, unknown viruses .A s n e w v i r u s e s a r e b e i n g c r e a t e d e a c h d a y, t h e s i g n a t u r e - b a s e d d e t e c t i o n approach requires frequent updates of the virus signature dictionary. To assist the antivirus software companies, the software may allow the user to upload new viruses or variants to the company, allowing the virus to be analyzed and the signature added to the dictionary. Signatures are obtained by human experts using reverse engineering. [citation needed] A n e x a m p l e o f s o f t w a r e u s e d i n reversed engineering is Interactive. S u c h s o f t w a r e d o e s n o t implement antivirus protection, but facilitates human analysis. Although the signature-based approach can effectively contain virus authors have tried to stay a step ahead of such software outbreaks, v i r u s by writing

"oligomorphic", " polymorphic" a n d , m o r e r e c e n t l y , " metamorphic" viruses,which encrypt parts of themselves or otherwise modify themselves as a method of disguise, so as to not match virus signatures in the dictionary. Heuristics some more sophisticated antivirus software uses heuristic analysis to identify new malware or variants of known malware. M a n y v i r u s e s s t a r t a s a s i n g l e i n f e c t i o n a n d t h r o u g h e i t h e r mutation or refinements by other attackers, can

16

ANTIVIRUS

2012-2013

grow into dozens of slightly different strains, called variants. Generic detection refers to the detection and removal of multiple threats using a single virus definition. For example, the Vundo trojan has several family members, depending on the antivirus vendor's classification. Symantec classifies members of the Vundofamily into two distinct categories, Trojan. Vundo and Trojan. Vundo.B. While it may be advantageous to identify a specific virus, it can be quicker to detect a virus family through a generic signature or through an inexact match to an existing signature. Virus researchers find common areas that all viruses in a family share uniquely and can thus create a single generic signature. These signatures often contain non-contiguous code, using wildcard characters where differences lie. These wildcards allow the scanner to detect viruses even if they are padded with extra, meaningless code. A detection that uses this method is said to be "heuristic detection."Variants of viruses are referred to with terminology such as:

"oligomorphic"," polymorphic" a n d " metamorphic", where the differences between specifi cv a r i a n t s o f t h e s a m e v i r u s a r e s i g n i f i c a n t l y h i g h . I n s u c h c a s e s , t h e r e a r e d edicated statistical analysis-based algorithms, implemented in the "real time" protection, which analyses software behavior. This approach is not absolutely e x a c t a n d r e s u l t s in higher resourceusage on the computer. Since " polymorphic" a n d " metamorphic" e n g i n e development is "oligomorphic", difficult and the

resulting computer code has a (relatively) high dimension (although such cases are very rare), this approach can be used with a relatively high success rate. This approach may imply human ingeniousness for the design of the algorithm. I f t h e heuristic detection, success depends on antivirus software e m p l o ys

achieving the right

balance between

false positives and false negatives. Due to the e x i s t e n c e o f t h e p o s s i b i l i t y o f f a l s e p o s i t i v e s a n d f a l s e n e g a t i v e s , t h e identification process is subject to human assistance which may include user decisions, but also analysis from an expert of the antivirus software company.

17

ANTIVIRUS

2012-2013

13 ANTIVIRUS APPROACHES

The ideal solution to the threat of viruses is prevention. Do not allow a virus is get into the system in first place. This goal is in general difficult to achieve, although prevention can reduce the no: of successful viral attacks. The next best approach is to be able to do the following.

Detection: Once the infection has occurred, determine that it has occurred and locate the virus. Identification:
Once detection has been achieved, identify the specific virus has infected a program. Removal: Once the specific virus has been identified, remove all traces of the virus from the infected program and restore it to its original state. Advances in viruses and antivirus technology go hand in hand. As the virus arms race has evolved, both viruses and antivirus software have grown more complex and sophisticated. There are three main kinds of anti-virus programs [McAfee]. Essentially these are scanners, monitors and integrity checkers.

SCANNERS

Scanners are programs that scan the executable objects (files and bootsectors) for the presence of code sequences that are present in the knownviruses. Currently, these are the most popular and the most widely used kindof anti-virus programs. There are some variations of the scanning technique,like virus removal programs (programs that can "repair" the infected objectsby removing the virus from them), resident scanners (programs that areconstantly active in memory and scan every file before it is executed), virusidentifiers (programs that can recognize the particular virus variant exactly bykeeping some kind of map of the non-modifiable parts of the virus body andtheir checksums), heuristic analyzers (programs that scan for particular sequences of instructions that perform some virus-like functions), and so on.The reason that this kind of anti-virus program is so widely used nowadays isthat they are relatively easy to maintain. This is especially true for the programswhich just report the infection by a known virus variant, without attemptingexact identification or removal. They consist mainly of a searching engine and adatabase of code sequences (often called virus signatures or scan strings) that are present in the known viruses. When a new virus appears, the author of thescanner needs just to pick a good signature (which is present in each copy of thevirus and in the same time is unlikely to be found in any legitimate program)and to

18

ANTIVIRUS

2012-2013

add it to the scanner's database. Often this can be done very quickly and without a detailed disassembly and understanding of the particular virus. Furthermore, scanning of any new software is the only way to detect viruses before they have the chance to get executed. Having in mind that in most operating systems for personal computers the program being executed has the full rights to access and/or modify any memory location (including the

operating system itself), it is preferable that the infected programs do not get any chance to be executed. At last, even if the computer is protected by another (not virus-specific) defense, a scanner will still be needed. The reason is that when the non virus -specific defense detects a virus-like behavior, the user usually wants to identify the particular virus, effects or

which is attacking

the system - for instance, to figure

out the possible side

intentional damage, or at least to identify all infectedobjects.Unfortunately, the scanners have several very serious drawbacks. The main one is that they must be constantly kept up-to-date. Since they can detect only the known viruses, any new virus presents a danger, because

i t c a n b yp a s s a s c a n n e r o n l y b a s e d p r o t e c t i o n . I n f a c t , a n o l d s c a n n e r i s w o r s e t h a n n o protection at all - since it provides a false sense of security. Simultaneously, it is very difficult to keep a scanner up -to-date. In order to produce an update, which can detect a particular new virus, the author of the scanner must obtain a sample of the virus, disassemble it, understand it, pick a good scan string that is characteristic for this virus and is unlikely to cause a false positive alert, incorporate this string in the scanner, and ship the update to the users. This can take quite a lot of time. And new viruses are created every day - with a current rate of up to 100 per month. Very few anti-virus producers are able to keep upto-date with such a production rate. One can even argue that h i s s c a n n e r s a r e s o m e h o w responsible for the existence of so many virus variants. Indeed, since it

i s s o e a s y t o m o d i f y a v i r u s i n o r d e r t o a v o i d a particular scanner, lots of "wannabe" virus writers are doing it. However, the fact that the scanners are obsolete as a single line of defense against the computer viruses became obvious only with the appearance of the polymorphic viruses. These are viruses, which use a variable encryption scheme to encode their body and which even modify the small decryption routine, so that the virus looks differently in each infected file. It is impossible to pick a simple sequence of bytes

19

ANTIVIRUS

2012-2013

that will be present in all infected files and use it as as can string. Such sequence simply does not exist. Some polymorphic viruses can be detected using a wildcard scan string, but more and more viruses appear today, which cannot be detected even if the scan string is allowed to contain wildcard bytes. The only possible way to detect such viruses is to understand their mutation engine in detail. Then one has to construct an algorithmic "scanning engine specific to the particular virus. However, this is a very time -consuming and effort-expensive task, so many of the existing scanners have problems with the polymorphic viruses. And we are going to see more such viruses in the future. The Bulgarian virus writer known under the handle Dark Avenger has evenreleased a "mutating engine" - a tool for

building extremely polymorphic viruses... Very few scanners are able to detect the viruses, which are using it, with 100 reliability. One last drawback of the scanners is that scanning for lots of viruses can be very time-consuming. The number of currently existing viruses is about 1,600and is expected to reach 3,000 at the end of 1992. Indeed, some scanners useclever scanning methods like fixed-point scanning, top-and-tail scanning, hashing and so on. The detailed description of these methods is outside the scope of this paper, but as has been proved in [Cohen90], scanning is not cost-effective in the long run, despite the scanning method used. MONITORS

The monitoring programs are memory resident programs, which constantly monitor some functions of the operating system. Those are the functions that are c o n s i d e r e d t o b e D a n g e r o u s a n d i n d i c a t i v e f o r v i r u s - l i k e b e h a v i o r . S u c h f u n c t i o n s i n c l u d e m o d i f yi n g a n e x e c u t a b l e f i l e , d i r e c t a c c e s s o f t h e d i s k by passing the operating system, and so on. When a program tries to use such a function, the monitoring program intercepts it and either denies it completely or asks the user for confirmation. Unlike the scanners, the monitors are not virus-specific and therefore need not to be constantly updated. Unfortunately, they have other very serious drawbacksdrawbacks that make them even weaker than the scanners as an anti -virus defense and almost unusable today. The most serious drawback of the monitors is that they can be easily by passed by the so-called tunneling viruses.

20

ANTIVIRUS

2012-2013

The reason forthis is the total lack of memory protection in most operating systems for pe rsonal computers. Any program that is being executed (including the virus) has full access to readand/or modify any area of the computer's memory - including the parts of the operating system. Therefore, any monitoring program can be disabled because the virus could simply patch it in the memory. There are other clever techniques as interrupt tracing, DOS scanning, and so on, which allow the viruses to find the original handlers of any operating system function. Afterwards, this function can be called directly, thus bypassing any monitoring programs, which watch for it. Another drawback of the monitoring programs is that they try to detect a virus by its behavior. This is essentially impossible in the general case, as proven in[Cohen84]. Therefore, they cause many false alarms - since the functions that are expected to be used by the computer viruses usually have pretty legitimate use by the normal programs. And if the user gets used to the false alerts, s/he will be likely to oversee a real one. The monitoring programs are also completely useless against the slow viruses, described later in this paper.

INTEGRITY CHECKING PROGRAMS.

Therefore, in order to be a virus, a program must be able to infect. And, in order to infect, the program must cause modifications to the programs that are infected. Therefore, a program, which can detect that the other executable objects

have been modified, will be able to detect the infection. Such programs are usually called integrity checkers. The integrity checkers compute some kind of checksum of the executable code in a computer system and store it in a database. The checksums are re-computed periodically and compared with the stored originals. Several authors point out that in order to avoid forging attempts from the part of the virus, the checksums must be cryptographically strong. This can be achieved by using some kind of trap-door one-way function, which is algorithmically difficult to be inverted. Such functions include DES, MD4, MD5, and so on. But, as has been shown by [Radai], this is not mandatory. A simple CRC is sufficient, if implemented correctly. There are several kinds of Integrity checkers. The most widely used ones are the o f f l i n e i n t e g r i t y c h e c k e r s , w h i c h a r e r u n t o c h e c k t h e i n t e g r i t y o f a l l t h e executable code on a computer system.

21

ANTIVIRUS

2012-2013

Another kind is the integrity modules, which can be attached (with the help of a special program) to the executable f i l e s , s o t h a t w h e n t h e latter started

w i l l c h e c k t h e i r o w n i n t e g r i t y . Unfortunately, this is not a good idea, since not all executable objects can be "immunized" this way. Additionally, the "immunization" itself can be easily bypassed by stealth viruses, as described later in this paper. The third kind

of integrity software is the integrity shells. They are resident programs, similar to the resident scanners, which check the integrity of an object only at the moment when this object is about to be executed. These are the least widespread anti-virus programs today, but the specialists predict them a bright future [Cohen90].The integrity checking programs are not virus-specific and therefore do not need constant updating like the scanners. They do not try to block virus replication attempts like the monitoring programs and therefore cannot be bypassed by the tunneling viruses. In fact, as demonstrated by [Cohen90], they are currently the most cost-effective and sound line of defense against the computer viruses. They also have some drawbacks. For instance, they cannot prevent an infectionthey are able only to detect and report it after the fact. Second, they must be installed on a virus-free system; otherwise they will compute and store the check

s u m s o f a l r e a d y i n f e c t e d o b j e c t s . T h e r e f o r e , t h e y m u s t b e u s e d i n a combinat ion with a scanner at least before installation. This is needed, in order to ensure that the system they are being installed on is virus-free. Third, they are prone to false positive alerts. Since they detect changes, not viruses, any change in the programs (like updating the software with a new version), is likely to trigger the alert. Sometimes this can be avoided or at least reduced by using some intelligent heuristics and educating the users. Fourth, while the integrity checkers are able to detect the virus spread and identify the newly infected objects, they usually cannot determine the initially infected object, i.e., the source of the infection.Despite the drawbacks mentioned, the integrity checking programs are the currently most powerful line of defense against computer viruses and are likely to be used more widely in the future. Therefore, we should expect that new viruses will appear Which will target the integrity programs in the same way as the polymorphic viruses are targeting the scanners and the tunneling viruses are targeting the monitors? Let's see what kinds of attacks are possible against the integrity checking programs and how these programs can be improved to avoid them.

22

ANTIVIRUS

2012-2013

14. OTHER COMPUTER PROTECTION METHODS

Antivirus Card
This method was used in the early 1990s by DOS users and involves the installation of an ISA interface card which takes over the DOS interrupt and monitors the WRITE operation.

Network Firewall
Network firewalls prevent unknown programs and Internet processes from accessing the system protected. However, they are not antivirus systems as such and thus make no attempt to identify or remove anything. They may protect against infection from outside the protected computer or LAN, and limit the activity of any malicious software which is present by blocking incoming or outgoing requests on certain TCP/IP ports. A firewall is designed to deal with broader system threats that come from network connections into the system and is not an alternative to a virus protection system.

Online detection
Some antivirus vendors maintain websites with free online scanning capability of theentire computer, critical areas only, local disks, folders or files. Examples includeKaspersky Online Scanner and ESET Online Scanner

Virus removal tool

A virus removal tool is software for removing specificvirusesfrom infected computers. Unlike complete antivirus scanners, they are usually not intended to detect and remove an extensive list of viruses; rather they are designed to remove specific viruses, usually more effectively than normal antivirus software. Sometimes they are also designed to run in places that regular antivirus software can't. This is useful in the case of a severely infected

23

ANTIVIRUS

2012-2013

computer. Examples of these tools include McAfee Stinger and the Microsoft Windows Malicious Software Removal Tool.

USE MORE THAN ONE AT A TIME

Although there are multiple types of antivirus software to help keep your computer system safe, you shouldn't use more than one at a time. Having several antivirus software programs installed on a single computer system will expose it to vulnerabilities. A missed malicious file could cause your entire computer system to crash or prevent it from accessing a stable Internet connection. Instead of tracking a virus threat, each antivirus software will prevent the other from correctly functioning

15. Why Should Update Your Antivirus

If you don't update your antivirus software to its most recent version, it will not effectively protect your computer system. Activate the feature that allows automatic connection to the Internet for virus database updates. This can usually be done by accessing the "Settings" feature within your antivirus software

16. New controversy on the effectiveness of antivirus software

The debate on whether or not an antivirus solution is worth the money spent is not new. There have been surveys and studies comparing the effectiveness of the various security solutions out there for many years. The problem used to be fairly huge, because the very design of an antivirus meant that it would scan a system for potential malware it knows about, and nothing else. In the early years of these security systems, each antivirus would keep a database of known threats, and whenever a new type of malware came in, nothing could detect it, and it would then infect every system it could reach until the companies could update their virus

24

ANTIVIRUS

2012-2013

definition databases. Now, this is less so, because of something called heuristics, where an antivirus software not only looks at malware signatures, but also behavior, and tries to detect new malware simply by what the binary file may be doing to your computer. However, the effectiveness of these new solutions is up for debate, and according to a recent study by the firm Imperva, also published in the New York Times, antivirus solutions simply do not do a good job at it. In its Hacker Intelligence Initiative Monthly Trend Report, published in late December, the researchers picked 82 randomly selected malware files and used them against some of the most popular antivirus solutions to see what their detection rates were. These were newly created infections, taken from web forums, and the result was abysmal, according to the report. The initial detection rate for new viruses was less than 5%. In fact, they found that for some of them, it would take weeks for an antivirus to start detecting the infected file. They also found that the commercial and free solutions had similar detection rates, and recommend that people and businesses stick to freeware products instead. One of the figures they cited, was that 4.5 billion dollars is spent on antivirus solutions -- an amount that is not proportional to the effectiveness of these applications. They finally recommend that security teams focus on identifying aberrant behavior rather than detecting infections. There are many ways to compare security solutions, and it can be very complex to reach a good conclusion. In the weeks following the release of this study, many independent labs and antivirus companies criticized the way this particular research was done. First, the firm used a tool called Virus Total. This site is a very popular one in the security community, where you can upload a file and run it through a series of popular antivirus engines to see if the file is infected. Virus Total gives you a report as to which solutions detected which malware, if any. However, this automated process only uses the core engine of each antivirus solution. It does not use some of the perimeter detection systems and the heuristics will not be as good. It also uses the command line version of the engine, and will not behave like a fully-installed antivirus.

25

ANTIVIRUS

2012-2013

Another problem that the security companies are quick to point out is the small sample size. There are around 142,000 new malicious files being submitted to security researchers every single day. A sample size of 82 is much too small, and could be biased. This is especially true if all of those files were taken from specific Russian forums, for example, and not from a more representative sample of what everyday Internet users may find. Finally, they also note that normal computer users will not face sophisticated threats like Flame or Stuxnet, and that for average malware your antivirus solution will stop around 9 infections out of 10. One interesting thing to note is that few people criticised the study for reaching the conclusion that free antivirus solutions were just as good as paid ones. In fact while there are differences between each company, and the features that each antivirus provides, as far as the engine goes, the detection rate is fairly similar, which makes the purchase of a paid software fairly dubious. One conclusion that the study did point out is that some of the free solutions have a higher false positive rate, but this may be seen as a good thing, since it means they might be more aggressive in their detection. But at the end of the day, the information most of us want to know is whether an antivirus solution is useful, and everyone pretty much agrees on that one. There is no question that using security software is a good thing, and that your antivirus will help detect infections. While the detection rate will never be 100%, modern software with heuristics have a very good rate for normal, average malware, the type we find in abundance on the web. Problems typically occur for new, zero-day malicious infections, and for targeted attacks. This is where researchers don't agree, but it can be safe to assume that if someone is out to get you, then there is a good chance that your antivirus will not protect you. Flame, for example, infected Windows computers in the Middle-East for over four years before antivirus companies finally started detecting it. This was a major failure of the security community, but it was also a new type of highly sophisticated malware. If you have no reason to think the government or organized crime will spend the necessary resources to break into your system, there probably is no good reason to lose sleep over it. But any modern business should be doing more than simply installing antivirus software. This is just one part of a full protection policy, which should also include intrusion detection systems, log auditing, and a myriad of other things.

26

ANTIVIRUS

2012-2013

17. THERE ARE 4 THINGs SHOULD BE CARE WHILE PURCHASING THE ANTIVIRUS 1. A good fast scanning engine 2. Ability to detect and clean viruses easily even the latest ones 3. Faster and lighter updates 4. Easy to configure

18. SOME OF THE KEY FEATURES OR FUNCTION THAT ARE COMMONLY FOUND IN ANTIVIRUS: Real Time Scanner On- access Scanner On- Demand Scanner Compressed File Scanner Scheduled Scans POP3 Email Scanner Webmail Protection Automatic Virus Updates

19. HOW AN ANTIVIRUS WORKS Using dictionary Approach: The antivirus softvirus software examines each and every file in a computer and examine its content with the virus difinitions stored in its virus dictionary.

27

ANTIVIRUS

2012-2013

A virus dictionary is an inbuilt file belonging to an antivirus software that contains code identified as a virus by the antivirus authors.

20. The advantage of an ANTIVIRUS Protection from Viruses. Protecting personal information Cost Saving Convenience

21. THE disadvantage of an ANTIVIRUS Doesnt Fully Protect Slow Down PC or Network. Conflicts.

22. SYSTEM REQUIREMENTS

WINDOWS
1GHZ OR HIGHER 32-BIT OR 64-BIT PROCESSOR. 1 GB OF RAM INTERNET CONNECTION IS ESSENCIAL TO UPDATION. 200MB OF HARD DISK SPACE FOR INSTALATION. DVD OR CD-ROM DRIVE. WINDOWS XP OR LATER.

28

ANTIVIRUS

2012-2013

MAC OS
MAC COMPUTER WITH 1GHZOR HIGHER. INTERNET CONNECTION IS ESSENCIAL TO UPDATION. 512MB OF RAM. 140MB OF HARD DISK SPACE FOR INSTALLATION DVD OR CD-ROM DRIVE. MAC OS X 10 OR LATER.

23. SOME OF THE SYMPTOMS OF AN INFECTED COMPUTER

Folder Options disappears from the Tools. Now, hidden files cannot be viewed. Changing registry values has no effect. In My Computer, Auto play option appears instead of Open in every drive you enter i.e. when you click on your drive letters (C, D, E etc.) a window opens to select any one program to open with. It creates new entries & adds values to the existing Registry. You cannot open system utilities like Task Manager, Msconfig opens and suddenly closes. Computer becomes slow and there is noticeable delay in characters to appear on screen when you press in keyboard

29

ANTIVIRUS

2012-2013

24. WHAT TO DO ON SUSPECTING VIRUS ATTACK?

Disconnect the suspected computer system from the Internet as well as from the Local Network. Start the system in Safe Mode or from the Windows boot disk, if it displays any problem in starting. Take backup of all crucial data to an external drive. Install antivirus software if you do not have it installed. Now, download the latest virus definitions updates from the internet. (do it on a separate computer) Perform a full system scan.

25. VIRUS FOUND

REPAIR QUARANTINE DELETE RENAME

IGNORE

30

ANTIVIRUS

2012-2013

26. CONFIGURING YOUR ANTIVIRUS SOFTWARE

Adjust the settings to scan all (*all*) files. Also, ensure that real time scanning is enabled by default. Create a recovery/reference/cure disk because if a boot sector or MBR virus attack the system, it may fail to boot. In that case, recovery cure disk can be used to boot the system and remove the virus. Read the vendors manual. This will help you to understand the advanced options and how to use them according to your preference.

27. HOW AN ANTIVIRUS WORKS

Using dictionary Approach
The antivirus software examines each and every file in a computer and examines its content with the virus definitions stored in its virus dictionary. A virus dictionary is an inbuilt file belonging to an antivirus software that contains code identified as a virus by the antivirus authors.

Using Suspicious Behavior Approach:

Antivirus software will constantly monitors the activity of all the programs. If any program tries to write data on an executable file, the antivirus software will flag the program having a suspicious behavior, means the suspected program will be marked as a virus. The advantage of this approach is that it can safeguard the computer against unknown viruses also. The disadvantage is that it may create several false alerts too.

31

ANTIVIRUS

2012-2013

28. WITH OR WITHOUT AN ANTIVIRUS SOLUTION?

So, no matter if the antivirus solutions are vulnerable or not, all the users prefer to install them to feel A little more secure. I must agree that an antivirus application is more useful when it helps you clean your computer so, you're the one that decides: install or not.

29.

New

Product

Development

on

(Antivirus

internet security product)

Name of the antivirus product -: antivirus capsule. Features -: maximum protection, online update, internet security specialist, pc protection, fast relief from antivirus, total health care of computer. Rate /price 500/- per piece M.R.P

SWOT analysis of antivirus software 1. Strength -: Quality of software, software is made within time limit, which is given
by the client and with the company

.a) Credibility. b) Reliability. c) Goodwill within the customer and suppliers

32

ANTIVIRUS

2012-2013

2. Weaknesses -:If the website is not made within the time limit or duration on which
client and the company made and agreement .Narmada Computers is newly launched in the software industry. There is much such other big company, so that Narmada Computers had to struggle more than any other company. Competitors are large in numbers. Employees are less in number (For that it took time for the project completion).

2. Opportunity -: Favorable time for the company is there is no recession and company gets as many as project from foreign country or from Indian company. Outsourced antivirus marketing projects from other company Long term selling and distribution of the antivirus projects. Design marketing strategy and marketing plan of other company. Project of online marketing of the antivirus website.

3. Threats

-: For Software Company recession is the major threats. Inflation increases

can also be threats to a company .Not getting appropriate skill employee for a particular projects. Not getting the long term marketing and selling and distribution of the projects.

33

ANTIVIRUS

2012-2013

30. Best Antivirus Software Review Product Comparisons

34

ANTIVIRUS

2012-2013

Antivirus Software: What to Look For

The top antivirus software protects your personal computer from various malware attacks. No security software can always detect and block every threat. Some malware attacks are brand new and have never been seen in the wild. When a virus scanner finds one of these zero-day threats, it attempts to figure out whether it descends from a known threat-family genealogy, which would make it guilty by association. Many times there is nothing in a zero-day threat to reveal its bad intent. So, in addition to considering how an antivirus software product keeps threats out, we must also take into account how well a product discovers and removes a threat after it has already lodged itself within a system and exposed itself through its behavior.

35

ANTIVIRUS

2012-2013

The ability to block incoming threats and to get rid of threats that break through defenses are aspects of performance, which is the most important thing to look for in antivirus software. After you consider performance, you should take into account product features as well as the help and support that the publishers provide. Let's look at each of these factors one by one.
Performance

The best way to know how well a product performs is to read product test results from AV-Test, which considers three main performance criteria: protection, repair and usability. AV-Test has dozens of servers that are connected to hundreds of workstations. With this test bed, AV-Test exposes antivirus software products to tens of millions of malicious threat samples and records the results for the world to see.
Features

After you know how a product performs, consider its other features. All antivirus software is easy to install, so this is not something to worry about these days. But not every antivirus software product blocks malware that attempts to arrive via web browsing. Sometimes you need the internet security version of a product, not just the antivirus version, to protect against phishing attempts. Other features to consider are whether the product can detect threats in instant messages and email, and whether it can detect and scan an inserted USB drive.
Help&Support

The best antivirus software publishers let you reach their support departments via live chat, telephone and email on any day and at any hour. However, not every competitor is so generous in terms of help and support, so you should be aware of what type of access you prefer prior to purchase. Some of the best computer scientists on the planet have gone over to the dark side to cast their lots with the hacker underworld. Without thirdparty antivirus protection, you do not stand a chance. They are organized to steal your identity and subjugate your PC into a botnet available to do their bidding. Our reviews describe the best antivirus software's performance, features, and help and support. Don't rely on the security native in Windows. Let us assist you to find something better.

36

ANTIVIRUS

2012-2013

31. THE BEST Antivirus for 2013

Most antivirus vendors that run on a yearly update schedule wait until the fall to release the next year's version, just like car manufacturers. So, the "2014 models" appear in the fall of 2013. They're definitely rolling in; I've reviewed four that actually contain "2014" in the name. Four others come from vendors who've dropped the notion of adding a version or year number, but they're still the "(2014)" editions. As new versions arrive, most of the same products retain their positions at the top of the heap. Here are the best from the current crop of antivirus products.

The Best Products

The antivirus field is huge; I currently track over forty products. In a field that big there's room for multiple products to earn the title of Editors' Choice. Three products share the Editor's Choice honor for best overall antivirus: Bitdefender Antivirus Plus (2014)$39.95 at BitDefender, Norton AntiVirus (2014)$49.99 at Norton, and Webroot SecureAnywhere Antivirus 2013$29.99 at Webroot. (I expect the 2014 edition of Webroot's antivirus in a few weeks).

37

ANTIVIRUS

2012-2013

Bitdefender and Web root both earned 6.6 points in my malware removal test, though they were tested with different sample sets. Norton, tested along with Bitdefender, slipped to 6.3 this time around, but its impressive multi-layered malware-fighting technology continues to impress. Two free products also did well in testing. Ad-Aware Free Antivirus+ 10.5 detected 83 percent of the samples and earned 5.8 points; for a while that was the top score. AVG AntiVirus FREE 2014 detected fewer samples, 78 percent, but more thorough cleanup earned it an impressive 6.4 points. AVG and Ad-Aware are our current Editors' Choice products for free antivirus. The new Bitdefender Antivirus Free Edition (2014) also fared well in testing. It matched the full Bitdefender antivirus's malware blocking score, and earned a decent 6.2 points for malware cleanup Our two free Editors' Choice products share the best malware blocking score, 9.4 points, among products tested using my current malware collection. Trend Micro Titanium Antivirus+ 2014$39.95 at Trend Micro and McAfee AntiVirus Plus 2014$39.99 at Dell Small Business were close behind with 9.2 points. Tested with my previous malware collection, Webroot scored an impressive 9.9 of 10 possible points. . InterestingVariations A full-scale antivirus tool both cleans up existing threats and keeps new attacks from getting a foothold. Sometimes, though, a counterattack by entrenched malware means you can't even install that hot-shot antivirus. In that case, a free removal-only tool can be a godsend. In my malware removal test, Malwarebytes Anti-Malware 1.70 scored higher than any of the competition, paid or free. The well-known Malwarebytes is our Editors' Choice for free cleanuponly antivirus.

38

ANTIVIRUS

2012-2013

Of course, you do have to work to make sure your antivirus stays up to date, and you need to deal with any threats it reports. Or do you? In fact, once you install Daily Safety Check Home Edition you don't have to do a thing. Its managed antivirus will scan your system and block attacks, and it also ensures that you have all the latest security patches. If necessary, a support agent can remote-control your PC to clean up the worst infestations. All you need to do is view emailed safety reports. This unique service has earned Editors' Choice for consumer-side managed antivirus. If ransomware or other malicious software has made it impossible to boot Windows, you need a solution that doesn't rely on Windows. When you boot from the hardware-basedFixMeStick 2013$42.89 at Amazon, it automatically updates itself and runs a scan. All you need to do is click OK when it asks permission to clean up. Newcomer Jumpshot is another interesting cleanup-only tool. It conceals a full-scale Linuxbased bootable antivirus behind a user interface based on cartoon-style "minions" that handle tasks like wiping out malware, tuning system performance, and protecting your privacy. Jumpshot had the highest malware-removal score among products tested with my current malware collection, until it got edged out by Bitdefender. AntivirusTests Where did those scores come from? To test an antivirus product's ability to deal with existing malware infestations, I install it on twelve malware-infested virtual machines. After running the most comprehensive scan available, I check which threats the antivirus detected and note how well it cleaned them up. This article explains how I derive the scores in the chart that follows: How We Test Malware Removal. Antivirus malware removal chart Starting with the introduction of my new malware collection earlier this year, I've added a new metric to my malware removal charts, an ease of installation score. I base this score on how tough it is to install the product on my malwareinfested systems. A product like Malwarebytes that installs on all twelve with little or no help from the vendor's tech support, well, that's a five-star performance. If tech support supplies

39

ANTIVIRUS

2012-2013

ancillary tools like rescue disks or threat-specific removal tools that make installation possible, we're at four stars; Kaspersky is an example. All too often, getting antivirus protection installed on an infested system takes hours or days of back and forth with tech support. If after a super-lengthy process the product does get installed, that's worth two to three stars. If it totally can't install on one or more of the twelve systems, well, we're down to one star. That's not the bottom, though. Sometimes the cleanup process renders a test system completely unusable. A product that "kills" any test system beyond tech support's ability to fix gets zero stars. And yes, it does happen. I also install each product on a clean test system and see how well it prevents infestation by the same collection of threats. Most antivirus tools wipe out a portion of the samples the moment I open the containing folder. I launch those that weren't killed on sight and observe just how far they get before the antivirus takes action. The article How We Test Malware Blocking explains in detail how I come up with the scores in the chart below. Antivirus malware blocking chart Independent antivirus testing labs have vastly more resources at hand than I do, so they can perform tests on a scale beyond what I can manage. At present I track results from AVComparatives, AV-Test, ICSA Labs, Virus Bulletin, and West Coast Labs. I hope to be adding tests from NSS Labs and Dennis Labs later this year. The chart below summarizes current results, and this article goes into more detail about how I interpret those results:How We Interpret Antivirus Lab Tests. Note that only Bitdefender and Kaspersky Anti-Virus (2014)23.39 at Amazon earn top scores across the board. To be fair, both Norton and Webroot argue that the current crop of tests don't match real-world circumstances well enough to properly evaluate their products. Antivirus lab tests chart Whatever your antivirus needs, one of the over forty tools listed here should do the job. Note that the blurbs that follow are not the full reviews; click on the title of each antivirus to get to the full reviews, which detail my testing. Also note that we'll be updating this roundup often, adding reviews of the new AV software as it rolls out this fall.

40

ANTIVIRUS

2012-2013

32. The contemporary antivirus industry and its problems

The Internet today is a breeding ground for criminal activity. Home users, small and medium businesses, international corporations and governmental bodies all suffer from constant attacks by viruses and Trojans. The reasons why the Internet is in this condition have been widely discussed, and will continue to be discussed. But what do I meant when I say that the Internet is a fertile environment for crime? At bottom, it means that money is being made illegally by creating and distributing malicious programs, which will:

steal personal and corporate bank account information steal credit card numbers conduct DDoS attacks, with the instigators then demanding money to stop the attacks - a cyber racket)

create networks of Trojan proxy servers. These can be used to send spam, and for commercial gain

create zombie networks, which can be exploited in multiple ways create programs which download and install adware to the victim machine install Trojan dialers which will repeatedly call pay services etc.

It's difficult to say exactly how widespread criminal activity is. I think that there are dozens, if not hundreds of hacker groups and individual hackers active in the computer underground. The hackers who belong to groups can probably be numbered in the thousands - this is according to the law enforcement agencies of most computerized countries. Over the last few years several dozen hackers and hacker groups have been arrested, and the total number of arrests topped several hundred. However, this doesn' t seem to have had any real effect on the number of viruses and Trojans.

41

ANTIVIRUS

2012-2013

Another figure which can only be guessed at is the total turnover of the computer underground. Published sources estiamte that between 2004 and 2005 hackers either stole or scammed several hundred million dollars. As the vast majority of cyber criminals have not been arrested or imprisoned, we can assume that the annual turnover is probably billions of dollars. (This figure may well exceed the annual turnover of antivirus companies - for these figures, see below.) The total damage done to the world economy by the activity of virus writers, hackers and spammers has long since exceeded tens of billions of dollars annually. The amount continues to grow. According to research carried out by Computer Economics, total losses in 2004 were close to $18 billion, with a trend towards a 30 - 40% annual growth rate. Let's take a look at the players in the world of cyber threats:

Virus writers and hackers are creating and distributing viruses and Trojans for their own reasons

End users' machines and networks are under constant threat of hacker attacks, and may often fall victim to co-ordinated attacks

Police and law enforcement bodies throughout the world are only partially successful in investigating and prosecuting cyber crimes

Antivirus companies create software to counteract cyber threats

There's been a great deal written about viruses, hackers, and those who hunt them down - there have even been Hollywood films made on the subject. The developers and vendors of antivirus solutions use their web sites to publicize their achievements. However, there isn't much information about the problems which the antivirus industry faces. This article, therefore, aims to address this topic and, to some extent, rectify the imbalance. A short overview of the antivirus industry To start with, let's take a look at the companies manufacturing standard solutions which protect against computer viruses. (We'll discuss dedicated solutions and tools a little later in the article.)

42

ANTIVIRUS

2012-2013

By standard solutions, I mean software for desktops, file servers, mail servers, and the perimeter of corporate networks. The total market for such standard solutions was estimated as being $2.7 billion in 2003 and $3.3 billion in 2004, with $3.8 billion being the predicted figure for 2005. (All information in this section is taken from IDC, 2005). All antivirus manufacturers are divided into 3 groups; industry leaders, second tier companies, and others (those which have no significant effect - if any - on the antivirus landscape). The leaders include Symantec, McAfee (NAI) and Trend Micro - the activity of these companies affects all markets: Annual turnover, $mln Company 2003 Symantec McAfee (NAI) Trend Micro 1098 577 382 2004 1364 597 508

These three companies occupy leading positions in all markets, with a few exceptions (for instance, Trend Micro dominates the Japanese market). Symantec and NAI (McAfee) are North American. Trend Micro is originally a Taiwanese company which was floated on the Japanese stock market. It is currently headquartered in the USA. The second tier includes companies whose turnover is significantly lower than the leading three. However, these companies still have an annual turnover of tens of millions of dollars: Company Annual turnover, $mln

43

ANTIVIRUS

2012-2013

2003 Sophos (UK) Panda Software (Spain) * Computer Associates (USA) F-Secure (Finland) Norman (Norway) AhnLab (S.Korea) 97 65 61 36 23 21

2004 116 104 74 51 31 28

Kaspersky Lab, based in Russia, is also included in this group. However, the company does not disclose financial information. The majority of second tier companies have a significant presence in their respective domestic markets, but a relatively small presence in foreign markets. For instance, Sophos is most successful in the UK, Panda in Spain, F-Secure in Scandinavian countries etc. The third group includes several dozen antivirus companies. The best known include:

Alwil - Awast (the Czech Republic) Arcabit - MKS (Poland) Doctor Web - DrWeb (Russia) ESET - NOD32 (Slovakia) Frisk Software - F-Prot (Iceland) GriSoft - AVG (the Czech Republic) H+BEDV - AntiVir (Germany) Hauri - VI Robot (South Korea)

44

ANTIVIRUS

2012-2013

SoftWin - BitDefender (Romania) VirusBuster - VirusBuster (Hungary)

The third group also includes UNA and Stop! (both Ukrainian), Rising and KingSoft (China) and others. The majority of companies in this group do not disclose any financial information. However, some estimates state that annual turnover is around $10 million. This information above gives a breakdown of antivirus companies' market share. However, companies offering products based on licensed technologies aren't included. Examples are the German company G-Data, whose antivirus solution is based on Kaspersky Lab and SoftWin technologies, and Microsoft, which offers a multi-engine solution developed by Sybari. There are also some non-standard types of antivirus protection, some of which are relatively specialized. This includes systems which will delete any potential threat from corporate email messages (the end user receives only messages without executable attachments or html scripts), systems which will launch the web browser within a virtual machine etc. There are also some programs which are fairly similar to antivirus solutions: software which protects against DDoS attacks, patch management software etc. However, none of these can be called fully functional antivirus products.

Problems of the antivirus industry

What problems might the antivirus industry be facing, apart from the market headaches which plague any manufactuer of consumer goods. We all know that viruses exist, and so do antivirus solutions. It might seem that antivirus solutions are a standard consumer product - one solution barely differs from the next. Users choose their product according to design, or marketing, or for some other non-technical reason. Given this, an antivirus solution is, in theory, just another consumer product, like washing powder, toothpaste, or cars. Unfortunately (or perhaps fortunately) this is not the case. Users often chose an antivirus solution for its technical characteristics, and these differ widely between products. Users often focus on

45

ANTIVIRUS

2012-2013

whether or not a specific product protects against a specific type of cyber threat, and the overall level of protection offered. An antivirus solution should be able to protect against ALL types of malicious program. The better the antivirus solution, the happier users and system administrators will be. Anyone who doesn't understand this in theory will very soon be faced with the practical consequences; without a good antivirus solution, someone can start stealing money from the user's bank account, or the computer may start dialing phone numbers of its own accord, leaving the user to wonder why outgoing traffic has increased so much. Given this, users should have some idea of what protection is offered by antivirus solutions, so that an informed choice can be made. Let's say that antivirus solution X detects, let's say, 50% of all viruses currently circulating on the Internet; product Y detects 90%, and product Z, 99.9%. N number of attacks will result in either the computer's integrity being maintained, or the system becoming infected. If the computer is attacked 10 times, then the likelihood of product X failing to detect a malicious program is virtually guaranteed; product Y is more than likely to fail to detect the culprit; and in the case of product Z, the danger is almost infinitesimal. Unfortunately, there are relatively few products available in shops or on the Internet which offer even close to 100% protection. The majority of products are unable even to guarantee 90% protection. And this is the main problem facing the antivirus industry today. Problem 1 The number and variety of malicious programs is increasing year on year. The result is that many antivirus companies are simply unable to cope with the onslaught and are losing this 'virus arms race'. Users who chose products manufactured by such companies will not be protected against all malicious programs. Unfortunately, this may be a large number of users, as a lot of products marketed as 'antivirus solutions' shouldn't really be called this at all. Incidentally, five or ten years ago, it could honestly be said that an antivirus solution didn't need to protect systems against every new virus and Trojan. After all, the majority of new malicious

46

ANTIVIRUS

2012-2013

programs which were appearing at this time would never penetrate the user's computer. They were written by adolescent cyber vandals, who either wanted to show off their coding skills, or to satisfy their curiosity. Users only really needed protection against the few In The Wild viruses which managed to actually penetrate victim machines. However, the situation has now changed. More than 75% of malicious programs - i.e. the overwhelming majority - are created by the criminal computer underground, with the aim of infecting a defined number of computers on the Internet. The number of new viruses and Trojans is now increasing every day by a few hundred the Kaspersky Virus Lab receives between 200 and 300 new samples a day. These samples come from several sources - honeypots (dedicated machines used to collect malicious files on the Internet); users of infected machines; local network administrators; ISPs; and from other antivirus companies, strange though this may sound. In spite of market segmentation of antivirus companies (which happens with any market, without exception), antivirus companies do work with each other. If a new worm which propagates quickly is detected by one antivirus company, the analysts will inform competitor companies almost immediately, and forward a sample of the worm. And the majority of antivirus companies exchange virus samples at least one a month. They also exchange information at dedicated professional gatherings, which are not open to those outside the industry. It could be seen as professional ethics; antivirus companies do share information with other antivirus companies, except for those companies which may have damaged their standing in the antivirus world through unethical behaviour. Let's suppose that a new virus or Trojan is detected in the wild, either on the Internet or on an infected computer. And what does this mean? It means that the likelihood that a certain computer will be infected by a parasite is far from zero, and it's possible that dozens, hundreds or maybe even thousands of the computers which make up the Internet are already infected. And given how quickly the Internet works, if the latest 'beastie' is a network worm, then the number of victims could be in the millions. Consequently, antivirus companies have to able to release rapid updates to antivirus databases, and these updates have to include protection against all the newest viruses and Trojans. This brings us on to the second problem faced by the antivirus industry.

47

ANTIVIRUS

2012-2013

Problem 2 Today, malicious programs propagate so quickly that antivirus companies have to release updates as quickly as possible to minimize the amount of time that users will potentially be at risk. Unfortunately, many antivirus companies are unable to do this - users often receive updates once they are already infected. Let's assume that the virus manages to penetrate the victim machine, and the antivirus solution installed on the victim machine doesn't detect any suspicious activity. (This might be because of the quality of the solution itself, or because the user has been careless, and not downloaded the latest updates to the antivirus databases in good time.) Sooner or later, updates which detected the virus will be released - this means that the virus will be detected, but not necessarily defeated. To get rid of the virus once and for all, the infected files have to be carefully deleted from the victim machine. Carefully is the key word here, which brings us to the third problem connected with antivirus programs. Problem 3 The third problem faced by the antivirus industry is deleting malicious code detected on the victim machine. Very often viruses and Trojans are written in a way which enables them to hide their presence in the system and/ or to penetrate the system so deeply that deleting them is a complex task. Unfortunately, some antivirus programs are unable to delete malicious code and restore the data which has been modified by the virus without causing further problems. An additional issue is that all software uses system resources, and antivirus programs are no exception. In order to protect the computer, the antivirus program has to perform certain actions open files, read information in them, open archives to scan them etc. etc. The more thoroughly a file is checked, the more resources are required by the antivirus solution. In this way, an antivirus solution is similar to a security door - the thicker the door is, the more protection it will offer; however, the heavier the door is, the more difficult open and closing it will be. When talking about antivirus solutions, the problem is balancing program speed against the level of protection provided.

48

ANTIVIRUS

2012-2013

Problem 4 Unfortunately, the issue of resource usage is almost insoluble. Experience shows that antivirus solutions which offer rapid scanning are heavily flawed, and will let viruses and Trojans through like water through a sieve. However, the opposite is also not true; antivirus programs which run slowly do not necessarily offer effective protection. In order to scan files on the fly and provide constant protection for the computer, an antivirus solution has to penetrate relatively deeply into the kernel of the system. It will always penetrate the same levels. Technically speaking, an antivirus program has to install interceptors of system events deep inside the protected system and transmit the results to the antivirus engine in order that intercepted files, network packets and other potentially dangerous objects can be scanned. However, sometimes it's simply not possible to install two interceptors in the necessary kernel level of the operating system. The result is incompatibility between the antivirus monitors (which function constantly), as the second antivirus will either be unable to intercept system events, or the attempt to duplicate the interception mechanism can lead to system crash. And this is at the heart of the next problem of the antivirus industry. Problem 5 Incompatibility between antivirus programs is an issue; in the vast majority of cases, installing two antivirus programs from different vendors on one machine (for increased protection) is technically impossible, as the two programs will disrupt each other's functioning. People often think that antivirus companies are acting like toddlers snatching at each other's toys, that the incompatibility issue is caused by unfair competition, and specially designed in order to squeeze other manufacturers out of the market. However, this is not the case. There is no question of unfair or unethical competition. On the contrary, developers make every effort they can to ensure that their product does not conflict with other popular software (including antivirus solutions.)

49

ANTIVIRUS

2012-2013

Above, I've tried to summarize what I think are fundamental issues faceing today's antivirus industry. So how is the industry going to address this issues? What type of protection will antivirus companies offer in the future? New technologies vs. traditional solutions Naturally enough, from time to time antivirus developers want to invent quintessentially new technologies, which will solve the problems listed above at a single stroke, a kind of universal panacea. This proactive protection would make it possible to detect a virus and delete it prior to the virus actually being created and appearing on the Internet - and this could be applied to all emerging virus threats. Unfortunately, this simply isn't possible. A 'universal' solution is only effective against those threats which act in accordance with constant, well defined rules. As computer viruses aren't a natural occurrence, but the creation of the intricate workings of hackers' minds, they are not subject to any fixed rules. Rather, viruses abide by a set of rules which will constantly change in accordance with the goals of the computer underground. Let's take the example of the behaviour blocker, which is a competitor to traditional antivirus solutions which are based on virus signatures. These are two completely different approaches scanning for viruses, which are not necessarily mutually exclusive. A signature is a small piece of code which can be compared to files, and the antivirus solution checks to see if the two are identical. A behaviour blocker, on the other hand, tracks application behaviour on launch, and will terminate programs if suspicious or known malicious behaviour is detected. Both methods have their advantages and disadvantages. One benefit of a signature scanner is that it detects all malicious code that it recognizes. The minus is that it will fail to detect malicious code which it hasn't encountered before. Another potential minus is the large size of antivirus databases and the resources they consume. Behaviour blockers offer benefits in that they are able to detect even unknown malicious programs. On the minus side is the possibility of false positives; the behaviour of today's viruses and Trojans is so diverse that devising a single set of rules which encompasses all possible

50

ANTIVIRUS

2012-2013

behaviours is simply impossible. This means that the behaviour blocker is certain to fail to detect some malicious programs, and will periodically prevent legitimate applications from functioning. Behaviour blockers have another inherent disadvantage; they are unable to combat conceptually new malicious programs. Let's imagine that Company X has developed a behavioural antivirus AVX, which detects 100% of current malicious programs. So what will the hackers do? Of course, they will invent new types of malicious programs. And then of course it will be necessary to update the behavioural rules. And then update them again, because the hackers and virus writers aren't going to give up that easily. And then update them again and again and again. At the end of the day, we arrive at a signature scanner, except the signatures will be behavioural, and not pieces of code. This conclusion also applies to the heuristic analyser, another proactive protection method. As soon as hackers perceive that antivirus technologies are preventing them from reaching their victims, they invent new virus technologies which will be used to evade proactive detection. As soon as a product with advanced heuristics and/ or behaviour blocking is widely used, the 'advanced' technologies employed will cease working. This means that 'reinvented' proactive technologies are only effective for a relatively short length of time. Where junior hackers need a few weeks or a couple of months to get round proactive protection, professional hackers will need one or two days, or, in the worst case, a few minutes or hours. This means that behaviour blockers or heuristic analyzers, however effective they may be, need constant development and updating. It should also be noted that adding new signatures to antivirus databases is a matter of a few minutes, whereas perfecting and testing proactive protection methods takes much longer. The result is that in many cases signature updates to antivirus databases are far better that the average proactive protection solution. The experience of epidemics caused caused by new email and network worms, new spy programs and other types of malicious code bears this theory out. Of course this doesn't mean that proactive protection is useless. It functions well within specific boundaries, and is capable of stopping a certain amount of malware (the programs created by less

51

ANTIVIRUS

2012-2013

experienced hackers and virus writers,) For this reason, proactive protection can be an useful addition to signature scanners, but they should not be relied upon to provide total protection. Comparative testing and its weaknesses This part of the article looks at the problems users may have when choosing an antivirus solution. It's assumed that the user will be looking for a product which offers real protection against malicious code. So where can they get information to base their decision on? The most logical thing is naturally to look at comparative test results from different sources, including professional ones. Do such things exist? Yes, they do, but there aren't many of them. Most IT publications conduct comparative tests of antivirus solutions on a fairly regular basis. They test the solutions thoroughly, and compare everything from the product price to the quality of technical support provided. However, these tests don't really prove the quality of the antivirus function. This is understandable, as testers would need a fairly large virus collection, their own tests stands, and automated testing procedures to thoroughly testing the antivirus component. This means a dedicated group which only tests antivirus solutions, and which requires the necessary resources - something which most IT publications don't have. Comparative tests conducted by IT publications therefore either leave much to be desired, or the publications contact experts who specialize in testing antivirus products. Currently, the most experienced testers of antivirus products currently are Andreas Marx (Germanyhttp://www.av-test.org) and Andreas Clementi (Austria http://www.avcomparatives.org).These tests describe in detail the quality of detection of various types of malicious programs and the speed at which different antivirus companies react to epidemics. The tests are thorough and detailed, and can be used to compare the characteristics of the antivirus solutions themselves. Sadly, these tests only examine the two characteristics described above; they do not address issues of how antivirus solutions perform in real life situations e.g. when curing an infected system, the reaction of the solution to infected web sites, the amount of resources used, and the thoroughness with which archives and installers are checked.

52

ANTIVIRUS

2012-2013

Sadly, tests which provide an in-depth, accurate picture of how products react in typical situations barely exist. The one exception that we know of is the Test Lab at Moscow State University, which conducts tests using a fairly wide range of situations. However, the methodology of these tests still needs working on, and the university's test lab is not yet known to the public at large. It's also worth mentioning the tests conducted by VirusBulletin (an industry publication) - I am sure that if I didn't include this, readers would ask why the tests and the resulting VB100% award hadn't been mentioned. Sadly, these tests are far from perfect. The test standards were developed in the mid-1990s and have barely changed since then. Antivirus products are tested using a collection of files infected by ITW viruses. The award is given on the basis of the test results. However, the ITW collection only contains between two to three thousand files - fewer malicious programs than appear in the wild in the space of a single month. Therefore, a VB100% award doesn't necessarily mean that a product really provides protection against all types of malware. It simply means that the product copes well with VirusBulletin's ITW collection, nothing more.

53

ANTIVIRUS

2012-2013

CONCLUTION
Antivirus or anti-virus software is used to prevent, detect, and

remove malware, including but not limited to computer viruses, computer worms, Trojan horses, spyware and adware. Computer security, including protection from social

engineering techniques, is commonly offered in products and services of antivirus software companies. This page discusses the software used for the prevention and removal of malware threats ,rather than computer security implemented by software methods. A variety of strategies are typically employed. Signature-based detection involves searching for known patterns of data within executable code. However, it is possible for a computer to be infected with new malware for which no signature is yet known. To counter such so-called zero-day threats, heuristics can be used. One type of heuristic approach, generic signatures, can identify new viruses or variants of existing viruses by looking for known malicious code, or slight variations of such code, in files. Some antivirus software can also predict what a file will do by running it in a sandbox and analyzing what it does to see if it performs any malicious actions. No matter how useful antivirus software can be, it can sometimes have drawbacks. Antivirus software can impair a computer's performance. Inexperienced users may also have trouble understanding the prompts and decisions that antivirus software presents them with. An incorrect decision may lead to a security breach. If the antivirus software employs heuristic detection, success depends on achieving the right balance between false positives and false negatives. False positives can be as destructive as false negatives .Finally, antivirus software generally runs at the highly trusted kernel level of the operating system, creating a potential avenue of attack .

54

ANTIVIRUS

2012-2013

BIBLIOGRAPHY

1. "What is antivirus software?". Microsoft. 2. "How Antivirus Software Can Slow Down Your Computer". Support.com Blog. 3. "Softpedia Exclusive Interview: Avira 10". Ionut Ilascu. Softpedia. 14 April 2010. 4. "Norton AntiVirus ignores malicious WMI instructions". Munir Kotadia. CBS Interactive. 21 October 2004. . 5. History of viruses 6. Kaspersky Lab Virus list 7. Wells, Joe (1996-08-30). "Virus timeline". IBM. Archived from the original on 4 June 2008. 8. G Data Software AG (2011). "G Data presents security firsts at CeBIT 2010". 9. Karsmakers, Richard (January 2010). "The ultimate Virus Killer UVK 2000". 10. Fred Cohen 1984 "Computer Viruses Theory and Experiments" 11. Fred Cohen 1988 "On the implications of Computer Viruses and Methods of Defense" 12. :a b Cohen, Fred, An Undetectable Computer Virus, 1987, IBM 13. VIRUS-L mailing list archive

55

ANTIVIRUS

2012-2013

SREENSHORT OF SOME POPULAR ANTIVIRUS

56

ANTIVIRUS

2012-2013

57

ANTIVIRUS

2012-2013

58

ANTIVIRUS

2012-2013

59

ANTIVIRUS

2012-2013

60

ANTIVIRUS

2012-2013

61

ANTIVIRUS

2012-2013

62

ANTIVIRUS

2012-2013

63