How Antivirus detects VIRUS

Transcript of How Antivirus detects VIRUS

Page 1: How Antivirus detects VIRUS

Page 2: How Antivirus detects VIRUS

What is VIRUS? Vital Information Resources Under Seize. A computer virus is a computer program that can replicate itself and spread from one computer to another without your knowledge, running against your wishes. All computer viruses are man-made. They insert themselves into host programs and propagate when the infected program is executed.

⇛ It can quickly use all available memory and bring the system to a halt.

⇛ It can result in modification of data.

⇛ It can erase your complete hard drive.

⇛ It can show annoying messages on your computer screen.

Copyright © by Satyam- DucaraAll Rights Reserved. Reproduction is Strictly Prohibited.

Page 3: How Antivirus detects VIRUS

A virus is one kind of malware; other kinds of malware include computer worms, Trojan horses, spyware, key loggers, logic bombs, backdoors, adware, rootkits, etc.


Page 4: How Antivirus detects VIRUS

What is Antivirus?

Antivirus or anti-virus software, sometimes known as anti-malware software, is computer software used to prevent, detect and remove malicious software. Some antivirus products are:


Page 5: How Antivirus detects VIRUS

How does Antivirus detect VIRUS?

Antivirus software uses many techniques to detect viruses. Some of them are:

⇛ Signature scanning.

⇛ Integrity checking.

⇛ Heuristic scanning.

⇛ Activity monitoring.

⇛ Resident scanning.


Page 6: How Antivirus detects VIRUS

Simple signature scanning

Traditionally, antivirus software heavily relied upon signatures to identify malware.

Essentially, when a malware sample arrives at an antivirus firm, it is analysed by malware researchers or by dynamic analysis systems. Once it is confirmed to be malware, a signature is extracted from the file and added to the signature database of the antivirus software. When a file has to be scanned, the antivirus engine compares its content with all the malware signatures in the database. If the file matches a signature, the engine knows which malware it is and which procedure must be performed in order to clean the infection.


Page 7: How Antivirus detects VIRUS

Generic signature scanning

Although signature scanning is a simple and reliable method, it has the limitation that it can detect only known viruses whose signatures have already been extracted and included in the virus signature database. It cannot detect other variants of a known virus, even when the differences between their signatures are very minor. In contrast, a generic signature uses the pattern found in a whole family of viruses. This is a quicker method to detect all the viruses belonging to the same family. The method works because most viruses are not written from scratch but created by modifying the code of previously existing viruses, so many similarities are found between the original virus and its variants. Generic signatures use various wildcards to detect all the variants of a virus family. This method is also capable of detecting new and future viruses of the same family. Generic signature scanning is also called heuristic signature scanning.
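The two signature styles from this slide and the previous one, as an added worked example (not code from the slides or from Satyam - Ducara): a tiny scanner that compiles a signature database into byte regexes. The database entries, the "??" / "*" wildcard notation, the sample names and the byte strings are all constructed for the example; they are not signatures of any real malware. The simple signature matches only the exact bytes of one known sample, while the generic signature wildcards the bytes a variant changes and so also matches the variant.

```python
import re

# Constructed signature database: the patterns below are made up for this
# example and are not signatures of any real malware.
# Hex tokens match exact bytes; "??" matches any single byte; "*" matches a
# run of up to 64 arbitrary bytes (bounded so a scan stays cheap).
SIGNATURES = {
    # simple signature: one exact byte sequence taken from one known sample
    "Demo.Simple.A": "DE AD 01 02 BE EF 6A 75 6E 6B CA FE",
    # generic (family) signature: wildcards cover the bytes a variant changes
    "Demo.Family.Gen": "DE AD ?? ?? BE EF * CA FE",
}


def compile_signature(pattern: str):
    """Translate the hex/wildcard notation above into a compiled bytes regex."""
    parts = []
    for tok in pattern.split():
        if tok == "??":
            parts.append(b".")            # any one byte
        elif tok == "*":
            parts.append(b".{0,64}?")     # any short run of bytes
        else:
            parts.append(re.escape(bytes.fromhex(tok)))
    return re.compile(b"".join(parts), re.DOTALL)


COMPILED = {name: compile_signature(p) for name, p in SIGNATURES.items()}


def scan(data: bytes, db=None) -> list:
    """Return the names of every signature that matches the file content."""
    db = COMPILED if db is None else db
    return [name for name, rx in db.items() if rx.search(data)]


# Constructed samples: harmless byte strings standing in for files on disk.
KNOWN_SAMPLE = bytes.fromhex("DEAD0102BEEF") + b"junk" + bytes.fromhex("CAFE")
# a "variant": two bytes and the filler changed, family structure kept
VARIANT_SAMPLE = bytes.fromhex("DEAD9998BEEF") + b"other filler" + bytes.fromhex("CAFE")
CLEAN_SAMPLE = b"Just an ordinary text document.\n"

if __name__ == "__main__":
    for label, sample in [("known", KNOWN_SAMPLE), ("variant", VARIANT_SAMPLE), ("clean", CLEAN_SAMPLE)]:
        print(f"{label:8s} -> {scan(sample) or 'no match'}")
```

The bounded "*" gap matters in practice: an unbounded wildcard turns every signature into a scan of the whole file for every candidate prefix, which is why real engines constrain gaps and anchor patterns to file offsets or sections.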


Page 8: How Antivirus detects VIRUS

Integrity checking

Integrity checking is another method of detecting viruses. The method detects the presence of a virus by comparing the hash value of a file with the hash value of its uninfected version. If no difference is found between the two hash values, the file is deemed to be uninfected.

An integrity checker generally keeps a small "checksum", "hash value", "snapshot" or "fingerprint" of uninfected programs (such as executables, boot records, etc.) in a secured location, taken at the beginning when they are presumably uninfected. During integrity checking, the integrity checker recalculates the fingerprints of the programs and compares them with the original fingerprints. If both fingerprints match, the files are assumed to be unmodified and hence deemed to be uninfected.
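The snapshot-then-recheck cycle described above, as an added example (not code from the slides): a baseline of SHA-256 fingerprints is taken over a constructed program directory, stored, and compared against a fresh pass after the directory has been tampered with in the three ways a file infector typically leaves behind (an executable grown by appended code, a dropped file, a removed file). The directory layout, file names and contents are constructed for the example.

```python
import hashlib
import json
import os
import tempfile


def fingerprint(path: str) -> str:
    """SHA-256 of a file, read in chunks so large binaries do not fill memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def take_baseline(root: str) -> dict:
    """Fingerprint every file under root: the 'known clean' snapshot."""
    baseline = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            baseline[rel] = fingerprint(full)
    return baseline


def check_integrity(root: str, baseline: dict) -> dict:
    """Recompute fingerprints and report what changed since the baseline."""
    current = take_baseline(root)
    return {
        "modified": sorted(p for p in baseline if p in current and current[p] != baseline[p]),
        "missing": sorted(p for p in baseline if p not in current),
        "new": sorted(p for p in current if p not in baseline),
    }


def demo() -> dict:
    """Build a constructed program directory, snapshot it, then tamper with it."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "bin"))
        files = {
            "bin/app.exe": b"constructed program image v1",
            "bin/helper.dll": b"constructed library image",
            "config.ini": b"[settings]\nmode=safe\n",
        }
        for rel, content in files.items():
            with open(os.path.join(root, rel), "wb") as f:
                f.write(content)

        # The snapshot must live somewhere the scanned system cannot modify
        # (read-only media or a separate, protected store); here it is only
        # serialised to a string to show the round trip.
        stored = json.dumps(take_baseline(root))

        # Simulate what a file infector leaves behind: an executable with
        # appended code, a dropped file, and a removed file.
        with open(os.path.join(root, "bin/app.exe"), "ab") as f:
            f.write(b" + appended constructed bytes")
        with open(os.path.join(root, "bin/dropped.dll"), "wb") as f:
            f.write(b"constructed dropped file")
        os.remove(os.path.join(root, "config.ini"))

        return check_integrity(root, json.loads(stored))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Two caveats follow directly from the design: the checker reports that a file changed, not why, so every legitimate update also shows up as "modified" and the baseline has to be re-taken after patching; and the baseline itself is the trust anchor, so if it is stored where the same malware can rewrite it the comparison proves nothing.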


Page 9: How Antivirus detects VIRUS

Heuristic scanning

Heuristic scanning is another method of virus detection that is neither signature based nor integrity based. A heuristic anti-virus program examines a target program (an executable file, a boot record, or possibly a document file with a macro) and analyses its program code to determine whether the code appears virus-like. In other words, a heuristic engine detects commands within a program that are not found in typical application programs, such as the replication mechanism of a virus, the distribution routine of a worm or the payload of a Trojan. If the target program's code appears virus-like, the scanner reports a possible infection.

As the heuristic method does not use virus signatures, it can detect new and unknown viruses that have not yet been analysed by antivirus researchers. Because the heuristic technique does not use integrity information, it does not require the fingerprints of programs to be taken and saved while the computer is in a known clean state.
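A minimal static heuristic engine of the kind the slide describes, added here as an example (not code from the slides): each file is scored against a small table of weighted indicators plus a Shannon-entropy test for packed or encrypted content, and reported as suspicious only when the combined score crosses a threshold. The indicator table, the weights, the thresholds and the three sample byte strings are constructed for the example; a packed-but-benign installer scores on entropy alone and stays below the threshold, which is the false-positive trade-off every heuristic engine has to tune.

```python
import math
from collections import Counter

# Weighted indicator rules, constructed for this example. Each string is a
# feature a static heuristic might look for in a program; weights are arbitrary.
INDICATORS = [
    (b"WriteProcessMemory", 3, "writes into another process (injection)"),
    (b"CreateRemoteThread", 3, "starts a thread in another process (injection)"),
    (b"CurrentVersion\\Run", 2, "references an autorun registry key (persistence)"),
]
ENTROPY_THRESHOLD = 7.2   # above this, content is usually packed or encrypted
ENTROPY_WEIGHT = 3
VERDICT_THRESHOLD = 5     # a score at or above this is reported as suspicious


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for a constant stream, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def analyze(data: bytes) -> dict:
    """Score file content against the indicator rules and the entropy test."""
    hits = []
    score = 0
    for needle, weight, why in INDICATORS:
        if needle in data:
            hits.append(why)
            score += weight
    ent = shannon_entropy(data)
    if ent > ENTROPY_THRESHOLD:
        hits.append(f"high entropy {ent:.2f} (packed or encrypted content)")
        score += ENTROPY_WEIGHT
    return {"score": score, "hits": hits, "suspicious": score >= VERDICT_THRESHOLD}


# Constructed samples.
BENIGN = b"This is a plain text readme describing the program.\n" * 20
PACKED_ONLY = bytes(range(256)) * 16            # uniform bytes: entropy exactly 8.0
INJECTOR_LIKE = (
    b"constructed header WriteProcessMemory CreateRemoteThread "
    + bytes(range(256)) * 16
)

if __name__ == "__main__":
    for label, sample in [("benign", BENIGN), ("packed only", PACKED_ONLY),
                          ("injector-like", INJECTOR_LIKE)]:
        print(label, analyze(sample))
```

Real engines apply rules like these per section rather than to the whole file, and combine static indicators with emulation of the program's first instructions; the scoring shape is the same.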


Page 10: How Antivirus detects VIRUS

Behaviour monitoring

The method of behaviour monitoring tries to detect virus-like activity, such as an attempt to reformat a disk, which is generally not the activity of a common program. In another case, a program may try to move a file into one of the operating system folders. Such actions are immediately flagged by behaviour monitoring.
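The two behaviours the slide names (formatting a disk, moving a file into an operating system folder) as rules run over a sample event stream, added here as an example (not code from the slides): each event is a (pid, process, action, target) tuple as a kernel-level monitor might report it. The event list, process names, paths, the system-folder list and the trusted-installer allowlist are all constructed for the example.

```python
from pathlib import PureWindowsPath

# Constructed event stream: (pid, process image, action, target path).
EVENTS = [
    (100, "notepad.exe", "write_file", r"C:\Users\alice\notes.txt"),
    (200, "dropper.exe", "write_file", r"C:\Users\alice\AppData\Local\Temp\upd.dll"),
    (200, "dropper.exe", "move_file", r"C:\Windows\System32\upd.dll"),
    (200, "dropper.exe", "format_volume", "D:\\"),
    (300, "msiexec.exe", "write_file", r"C:\Windows\System32\newlib.dll"),
    (100, "notepad.exe", "read_file", r"C:\Users\alice\notes.txt"),
]

SYSTEM_DIRS = [r"C:\Windows", r"C:\Program Files"]
# Processes allowed to change system folders. A real product would verify a
# code signature and reputation, not just the image name as done here.
TRUSTED_INSTALLERS = {"msiexec.exe"}


def _norm(path: str) -> str:
    # pathlib does not collapse ".."; a real monitor takes the canonical path
    # from the kernel instead of trusting the string the process passed in.
    return PureWindowsPath(path).as_posix().lower()


def under_system_dir(target: str) -> bool:
    """True if target is one of the protected folders or anything inside them."""
    t = _norm(target)
    return any(t == d or t.startswith(d + "/") for d in map(_norm, SYSTEM_DIRS))


def evaluate(pid: int, proc: str, action: str, target: str):
    """Return the name of the rule an event violates, or None if it looks ordinary."""
    if action == "format_volume":
        return "disk-format-attempt"
    if action in ("write_file", "move_file") and under_system_dir(target):
        if proc.lower() in TRUSTED_INSTALLERS:
            return None
        return "write-into-system-folder"
    return None


def monitor(events) -> list:
    """Run the rules over an event stream and collect the alerts."""
    alerts = []
    for pid, proc, action, target in events:
        rule = evaluate(pid, proc, action, target)
        if rule:
            alerts.append({"pid": pid, "proc": proc, "rule": rule, "target": target})
    return alerts


if __name__ == "__main__":
    for alert in monitor(EVENTS):
        print(alert)
```

The allowlist is the weak point and the reason this technique produces false positives: installers and updaters legitimately do exactly what the rules flag, so products pair behaviour rules with signature checks on the acting process and with per-process scoring across several events rather than alerting on a single one.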

Generic scanning

The methods of virus scanning may be classified as specific methods (which detect specific viruses or specific types of virus) and generic methods (which detect a virus of whatever type). Signature scanning is a specific method, whereas integrity checking, heuristic scanning, behaviour monitoring, etc. are all generic methods.


Page 11: How Antivirus detects VIRUS

Resident scanning

Scanning can be either on-demand or on-access. On-demand scanning is generally offline scanning: the user has to click a button to start a scan, or schedule the scan for later, during non-business hours. While on-demand scanning is capable of detecting viruses, it does not prevent viruses from infecting other files. On the other hand, on-access scanning is triggered at the moment a file is accessed or a program is executed. On-access scanning is done automatically by a resident scanner when a file is accessed for copying, editing or other such purposes. The resident scanner runs as a memory-resident module and triggers a scan event to scan the file on the fly before it is accessed. This method provides valuable protection, as it catches virus infections in real time and prevents the virus from infecting other files inside the system.
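The "scan before the file is accessed" behaviour of a resident scanner, modelled in user space as an added example (not code from the slides): an `OnAccessGuard` class (a name chosen here) sits in front of `open()`, scans a file on first access, caches the verdict keyed by path, size and modification time so an unchanged file is not rescanned, and refuses access when the file is infected. The scanner plugged into it is a placeholder that looks for a constructed marker string; the file names and contents are constructed as well.

```python
import os
import tempfile

# Stands in for a real signature: any file containing it is treated as infected.
TEST_MARKER = b"CONSTRUCTED-INFECTION-MARKER"


def marker_scanner(content: bytes) -> bool:
    """Placeholder for the real engine; True means 'infected'."""
    return TEST_MARKER in content


class OnAccessGuard:
    """Scan a file before handing it to the caller; refuse it if infected."""

    def __init__(self, scanner):
        self.scanner = scanner
        self.cache = {}        # (path, size, mtime_ns) -> infected?
        self.scan_count = 0    # how many times the engine actually ran

    def _infected(self, path: str) -> bool:
        st = os.stat(path)
        key = (os.path.abspath(path), st.st_size, st.st_mtime_ns)
        if key not in self.cache:          # new or changed file: scan it
            with open(path, "rb") as f:
                self.cache[key] = self.scanner(f.read())
            self.scan_count += 1
        return self.cache[key]

    def open(self, path: str, mode: str = "rb"):
        if self._infected(path):
            raise PermissionError(f"access to {path} blocked: infection detected")
        return open(path, mode)


def demo() -> dict:
    """Exercise the guard on a clean file, an infected file and a modified file."""
    guard = OnAccessGuard(marker_scanner)
    with tempfile.TemporaryDirectory() as d:
        clean = os.path.join(d, "report.txt")
        bad = os.path.join(d, "update.bin")
        with open(clean, "wb") as f:
            f.write(b"quarterly numbers\n")
        with open(bad, "wb") as f:
            f.write(b"header " + TEST_MARKER + b" tail")

        with guard.open(clean) as f:          # first access: scanned
            f.read()
        scans_first = guard.scan_count
        with guard.open(clean) as f:          # unchanged file: served from cache
            f.read()
        scans_second = guard.scan_count

        blocked = False
        try:
            guard.open(bad)                   # infected: refused before open
        except PermissionError:
            blocked = True
        scans_after_bad = guard.scan_count

        with open(clean, "ab") as f:          # content changes -> cache key changes
            f.write(b"addendum\n")
        with guard.open(clean) as f:          # rescanned
            f.read()
        return {
            "scans_first_open": scans_first,
            "scans_second_open": scans_second,
            "blocked": blocked,
            "scans_after_blocked": scans_after_bad,
            "scans_after_modify": guard.scan_count,
        }


if __name__ == "__main__":
    print(demo())
```

Because this guard lives in user space, the file could still change between the scan and the `open()` that follows it; real resident scanners hook the file system inside the kernel (a filter driver on Windows, fanotify permission events on Linux) so the check and the access cannot be separated. The verdict cache also has to be flushed whenever the signature database is updated, otherwise a file scanned under old signatures keeps its "clean" verdict.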


Page 12: How Antivirus detects VIRUS

Conclusion

Computer viruses and worms can easily be placed on your workstation, so you must be careful when browsing the internet or opening emails from unknown users. Make sure you have some kind of anti-virus software and always install its updates, so that you are not helping to spread viruses and worms to other people as well as harming yourself and your pocket.