
Antivirus software classification. Classification of computer viruses and antivirus programs

INTRODUCTION

We live at the turn of two millennia, when humanity has entered the era of a new scientific and technological revolution.

By the end of the twentieth century, people have mastered many secrets of the transformation of matter and energy and were able to use this knowledge to improve their lives. But in addition to matter and energy, another component plays a huge role in human life - information. This is a wide variety of information, messages, news, knowledge, skills.

In the middle of our century, special devices appeared - computers, focused on storing and transforming information, and the computer revolution took place.

Today, the massive use of personal computers, unfortunately, turned out to be associated with the emergence of self-replicating viruses that prevent the normal operation of the computer, destroy the file structure of disks and damage the information stored in the computer.

Despite the laws on combating computer crimes adopted in many countries and the development of special software tools to protect against viruses, the number of new software viruses is constantly growing. This requires the user of a personal computer to know about the nature of viruses, how infection occurs and how to protect against it. This served as an incentive for choosing the topic of my work.

This is what I am talking about in my essay. I show the main types of viruses, consider the schemes of their functioning, the reasons for their appearance and the ways of their penetration into the computer, and also propose measures for protection and prevention.

The purpose of the work is to familiarize the user with the basics of computer virology, to teach how to detect viruses and fight them. The method of work is the analysis of printed publications on a given topic. I was faced with a difficult task - to tell about what has been studied very little, and how it turned out - it's up to you to judge.

1. COMPUTER VIRUSES, THEIR PROPERTIES AND CLASSIFICATION

1.1. Properties of computer viruses

Nowadays, personal computers are used in which the user has free access to all the resources of the machine. It was this that opened the way to the danger known as the computer virus.

What is a computer virus? A formal definition of this concept has not yet been invented, and there are serious doubts that it can be given at all. Numerous attempts to give a "modern" definition of the virus have not been successful. To get a feel for the complexity of the problem, try, for example, defining an editor. You will either come up with something very general or start listing all the known types of editors. Both can hardly be considered acceptable. Therefore, we will restrict ourselves to considering some of the properties of computer viruses that allow us to speak of them as a certain class of programs.

First of all, a virus is a program. Such a simple statement in itself can dispel many legends about the extraordinary capabilities of computer viruses. The virus can flip the image on your monitor, but it cannot flip the monitor itself. The legends of killer viruses “killing operators by displaying a deadly color gamut in the 25th frame” should also not be taken seriously. Unfortunately, some reputable publications from time to time publish "the latest news from the computer fronts", which, upon closer examination, turn out to be the result of an unclear understanding of the subject.

A virus is a program with the ability to reproduce itself. This ability is the only one common to all types of viruses. But not only viruses are capable of self-replication. Any operating system and many more programs are able to create their own copies. Copies of the virus not only do not have to completely coincide with the original, but may not coincide with it at all!

A virus cannot exist in "complete isolation": today it is impossible to imagine a virus that does not use the code of other programs, information about the file structure, or even just the names of other programs. The reason is clear: the virus must somehow ensure the transfer of control to itself.

1.2. Virus classification

Currently, more than 5000 software viruses are known; they can be classified according to the following criteria:

  • habitat
  • the way the habitat is infected
  • degree of exposure
  • features of the algorithm

Depending on the habitat, viruses can be divided into network, file, boot and file-boot viruses. Network viruses spread over various computer networks. File viruses are introduced mainly into executable modules, that is, into files with the COM and EXE extensions. File viruses can be embedded in other types of files, but, as a rule, when written to such files they never gain control and therefore lose the ability to reproduce. Boot viruses are embedded in the boot sector of the disk (Boot sector) or in the sector containing the boot program for the system disk (Master Boot Record). File-boot viruses infect both files and boot sectors of disks.

By the method of infection, viruses are divided into resident and non-resident. When a memory-resident virus infects a computer, it leaves its resident part in RAM, which then intercepts the operating system's accesses to the objects of infection (files, boot sectors of disks, etc.) and embeds itself in them. Resident viruses reside in memory and remain active until the computer is shut down or restarted. Non-resident viruses do not infect computer memory and are active only for a limited time.

According to the degree of exposure, viruses can be divided into the following types:

  • non-hazardous, which do not interfere with the operation of the computer but reduce the amount of free RAM and disk space; the actions of such viruses are manifested in various graphic or sound effects;
  • dangerous viruses, which can lead to various disruptions in the operation of the computer;
  • very dangerous, whose impact can lead to the loss of programs, destruction of data and erasure of information in the system areas of the disk.

2. MAIN TYPES OF VIRUSES AND SCHEMES OF THEIR FUNCTIONING

Among the whole variety of viruses, the following main groups can be distinguished:

  • boot
  • file
  • file-boot

Now in more detail about each of these groups.

2.1. Boot viruses

Let's consider the operation of a very simple boot virus that infects floppy disks. We will deliberately bypass all the numerous subtleties that would inevitably be encountered in a rigorous analysis of the algorithm of its functioning.

What happens when you turn on your computer? First of all, control is transferred to the bootstrap program stored in read-only memory (ROM), the PNZ ROM (PNZ being the Russian abbreviation for the initial boot program).

This program tests the hardware and, if the checks are successful, tries to find a floppy disk in drive A:.

Every floppy disk is divided into so-called sectors and tracks. Sectors are combined into clusters, but this is irrelevant to us.

Among the sectors there are several service sectors used by the operating system for its own needs (these sectors cannot hold your data). Among the service sectors, we are interested in one: the so-called boot sector.

The boot sector stores information about the floppy disk: the number of surfaces, the number of tracks, the number of sectors, etc. But now we are not interested in this information, but in the small bootstrap program (PNZ) that must load the operating system itself and transfer control to it.

So the normal bootstrap scheme is as follows:

PNZ (ROM) -> PNZ (disk) -> SYSTEM
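As an added illustration (not part of the essay), the following Python reads the geometry fields the text says the boot sector holds, checks the two marks the PNZ ROM relies on before handing control to the on-disk PNZ (a jump at offset 0 and the 0x55AA signature), and fingerprints the sector so that an auditor can tell when the loader code has been replaced while the geometry stayed intact. The 512-byte sector and the tampered copy are constructed here; they are not real disk images.

```python
"""Boot sector parsing and integrity check for a FAT12 floppy.

Added example; the sector below is constructed to look like a 1.44 MB
floppy and is not taken from a real disk."""
import hashlib
import struct

BOOT_SIGNATURE = b"\x55\xaa"          # final two bytes of a bootable sector
BPB_FORMAT = "<HBHBHHBHHH"            # BIOS Parameter Block, offsets 0x0B..0x1B
BPB_FIELDS = ("bytes_per_sector", "sectors_per_cluster", "reserved_sectors",
              "fat_copies", "root_entries", "total_sectors", "media_descriptor",
              "sectors_per_fat", "sectors_per_track", "heads")


def build_sample_boot_sector() -> bytes:
    """Construct a boot sector with the layout of a 1.44 MB FAT12 floppy."""
    sector = bytearray(512)
    sector[0:3] = b"\xeb\x3c\x90"      # JMP SHORT over the parameter block, NOP
    sector[3:11] = b"MSDOS5.0"          # OEM name
    struct.pack_into(BPB_FORMAT, sector, 0x0B,
                     512,    # bytes per sector
                     1,      # sectors per cluster
                     1,      # reserved sectors (the boot sector itself)
                     2,      # copies of the FAT
                     224,    # root directory entries
                     2880,   # total sectors = 80 tracks * 2 heads * 18
                     0xF0,   # media descriptor for a 1.44 MB floppy
                     9,      # sectors per FAT
                     18,     # sectors per track
                     2)      # heads (surfaces)
    sector[0x3E:0x3E + 8] = b"\x90" * 8   # filler standing in for the loader code
    sector[510:512] = BOOT_SIGNATURE
    return bytes(sector)


def parse_boot_sector(sector: bytes) -> dict:
    """Decode the geometry and the two marks a PNZ ROM checks: a jump at
    offset 0 and the 0x55AA signature at the end of the sector."""
    if len(sector) != 512:
        raise ValueError("a floppy boot sector is exactly 512 bytes")
    info = dict(zip(BPB_FIELDS, struct.unpack_from(BPB_FORMAT, sector, 0x0B)))
    info["oem_name"] = sector[3:11].decode("ascii", "replace").strip()
    info["has_jump"] = sector[0] in (0xEB, 0xE9)          # JMP SHORT / JMP NEAR
    info["has_signature"] = sector[510:512] == BOOT_SIGNATURE
    info["bootable"] = info["has_jump"] and info["has_signature"]
    return info


def geometry(info: dict) -> dict:
    """Only the BPB fields: what DOS needs in order to read the disk."""
    return {k: info[k] for k in BPB_FIELDS}


def fingerprint(sector: bytes) -> str:
    """Reference value an auditor stores while the disk is known to be clean."""
    return hashlib.sha256(sector).hexdigest()


def tampered_copy(sector: bytes) -> bytes:
    """Constructed stand-in for what an infected sector looks like to an auditor:
    the geometry block is preserved (so DOS still reads the disk) but the loader
    code after it has been replaced.  The filler bytes are arbitrary."""
    patched = bytearray(sector)
    patched[0x3E:0x3E + 8] = b"\xcc" * 8
    return bytes(patched)


def audit_boot_sector(reference: str, sector: bytes) -> str:
    """Auditor verdict: compare the current sector with the stored fingerprint."""
    info = parse_boot_sector(sector)
    if not info["bootable"]:
        return "not bootable"
    return "unchanged" if fingerprint(sector) == reference else "loader modified"


if __name__ == "__main__":
    clean = build_sample_boot_sector()
    ref = fingerprint(clean)
    for name, sec in (("clean", clean), ("tampered", tampered_copy(clean))):
        print(name, geometry(parse_boot_sector(sec)), audit_boot_sector(ref, sec))
```

Note that the geometry of the tampered copy is identical to the clean one: a parser alone cannot see the infection, only the comparison with a stored reference can.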

Now let's look at the virus. In boot viruses, two parts are distinguished: the so-called head and tail. The tail, generally speaking, may be empty.

Suppose you have a blank floppy disk and an infected computer, by which we mean a computer with an active resident virus. As soon as this virus detects that a suitable victim has appeared in the drive (in our case, an unwritten and not yet infected floppy disk), it proceeds to infect it. Infecting a floppy disk, the virus performs the following actions:

  • allocates a certain area of the disk and marks it as inaccessible to the operating system; this can be done in different ways, and in the simplest and most traditional case the sectors occupied by the virus are marked as bad;
  • copies its tail and the original (healthy) boot sector to the selected disk area.


For their successful operation, viruses need to check whether a file is already infected (by the same virus). This is how they avoid self-destruction. For this, viruses use a signature. Most common viruses (including macro viruses) use symbolic signatures. More complex viruses (polymorphic) use signatures of algorithms. Regardless of the type of virus signature, antivirus programs use them to detect "computer infections". After that, the anti-virus program tries to destroy the detected virus. However, this process depends on the complexity of the virus and the quality of the antivirus program. As mentioned, Trojan horses and polymorphic viruses are the most difficult to detect. The first of them do not add their body to the program, but embed it inside it. On the other hand, anti-virus programs need a long time to determine the signature of polymorphic viruses, because their signatures change with each new copy.

To detect, remove and protect against computer viruses, there are special programs called antivirus programs. Modern antivirus programs are multifunctional products that combine both preventive measures and virus treatment and data recovery tools.

The number and variety of viruses is large, and in order to detect them quickly and efficiently, an antivirus program must meet several parameters:

1. Stability and reliability of work.

2. Size of the program's virus database (the number of viruses that are correctly detected by the program): taking into account the constant appearance of new viruses, the database should be regularly updated.

3. The ability of the program to detect various types of viruses, and the ability to work with files of various types (archives, documents).

4. The presence of a resident monitor that checks all new files "on the fly" (that is, automatically, as they are written to disk).

5. The speed of the program, the presence of additional features such as algorithms for detecting viruses even unknown to the program (heuristic scanning).

6. Ability to recover infected files without erasing them from the hard drive, but only by removing viruses from them.

7. Percentage of false positives of the program (erroneous detection of a virus in a "clean" file).

8. Cross-platform (availability of versions of the program for various operating systems).

Classification of antivirus programs:

1. Detection programs provide for the search and detection of viruses in RAM and on external media, and upon detection, they issue a corresponding message. There are detectors:

  • universal, which check the immutability of files by computing a checksum and comparing it with a reference value;
  • specialized, which search for known viruses by their signature (a repeated fragment of code).

2. Doctor programs (phages) not only find files infected with viruses, but also "cure" them, i.e., delete the body of the virus program from the file, returning the files to their original state. At the beginning of their work, phages look for viruses in RAM, destroying them, and only then proceed to "cure" files. Among the phages, polyphages are distinguished, i.e. doctor programs designed to search for and destroy a large number of viruses.

3. Programs-auditors are among the most reliable means of protection against viruses. Auditors remember the initial state of programs, directories and system areas of the disk when the computer is not infected with a virus, and then periodically, or at the user's request, compare the current state with the initial one. The detected changes are displayed on the monitor screen.

4. Filters (watchdogs) are small resident programs designed to detect suspicious actions during computer operation, typical of viruses. Such actions can be:

  • attempts to modify files with COM and EXE extensions;
  • changes of file attributes;
  • direct writes to disk at an absolute address;
  • writes to the boot sectors of the disk.

5. Vaccine programs (immunizers) are resident programs that prevent files from being infected. Vaccines are used if there are no doctor programs that "treat" a given virus. Vaccination is possible only against known viruses (N. Bezrukov, Computer Virology: Textbook [Electronic resource], http://vx.netlux.org/lib/anb00.html).

In fact, the architecture of antivirus programs is much more complex and depends on the specific developer. But one fact is indisputable: all the technologies that I talked about are so closely intertwined that sometimes it is impossible to tell where one ends and another begins. This interaction of anti-virus technologies allows them to be used most effectively in the fight against viruses. But do not forget that there is no perfect protection, and the only way to guard against such problems is constant OS updates, a well-configured firewall, a frequently updated antivirus, and, most importantly, not launching or downloading suspicious files from the Internet.

Antivirus protection is the most common measure for ensuring information security of IT infrastructure in the corporate sector. However, only 74% of Russian companies use anti-virus solutions for protection, according to a study conducted by Kaspersky Lab in conjunction with the analytical company B2B International (autumn 2013).

The report also says that amid the explosive growth of cyber threats, from which companies are protected by simple antiviruses, Russian businesses are increasingly using complex protection tools. Largely for this reason, the use of data encryption tools on removable media increased by 7% (24%). In addition, companies have become more willing to delineate security policies for removable devices. The differentiation of the level of access to various parts of the IT infrastructure also increased (49%). At the same time, small and medium-sized companies pay more attention to the control of removable devices (35%) and control of applications (31%).

The researchers also found that despite the constant discovery of new vulnerabilities in software, Russian companies still do not pay enough attention to regular software updates. What's more, the number of organizations deploying patches is down from last year to just 59%.

Modern antivirus programs are capable of efficiently detecting malicious objects inside program and document files. In some cases, the antivirus can delete the body of the malicious object from the infected file by restoring the file itself. In most cases, an antivirus is able to remove a malicious program object not only from a program file, but also from an office document file without violating its integrity. The use of antivirus programs does not require high qualifications and is available to almost any computer user.

Most antivirus programs combine real-time protection functions (antivirus monitor) and on-demand protection functions (antivirus scanner).

Antivirus rating

2019: Two-thirds of antiviruses for Android turned out to be useless

In March 2019, AV-Comparatives, an Austrian antivirus software testing laboratory, released a study that showed most of these programs are useless for Android.

Only 23 antiviruses from the official Google Play Store catalog accurately recognize malicious programs in 100% of cases. The rest either do not respond to mobile threats at all or mistake perfectly safe applications for them.

Experts studied 250 antiviruses and reported that only 80 of them could detect more than 30% of the malware. Thus, 170 applications failed the test. The products that passed the tests were mainly solutions from major manufacturers, including Avast, Bitdefender, ESET, F-Secure, G-Data, Kaspersky Lab, McAfee, Sophos, Symantec, Tencent, Trend Micro and Trustwave.

As part of the experiment, the researchers installed each anti-virus application on a separate device (without an emulator) and automated the devices to launch the browser, download and then install malware. Each device was tested using 2 thousand of the most common Android viruses in 2018.

Most Android antivirus solutions are fake, according to AV-Comparatives. Dozens of applications have an almost identical interface, and their creators are clearly more interested in displaying ads than in writing a working antivirus scanner.

Some antiviruses "see" a threat in any application that is not included in their "white list". Because of this, in a number of absurd cases they raised the alarm over their own files, since the developers had forgotten to add them to the "white list".

2017: Microsoft Security Essentials recognized as one of the worst antiviruses

In October 2017, the German antivirus laboratory AV-Test published the results of comprehensive testing of antiviruses. According to the study, Microsoft's own software designed to protect against malicious activity is almost the worst at performing its duties.

According to the results of tests carried out in July-August 2017, AV-Test experts named Kaspersky Internet Security as the best antivirus for Windows 7, which received 18 points in assessing the level of protection, performance and usability.

The top three included Trend Micro Internet Security and Bitdefender Internet Security, which earned 17.5 points each. The status of the products of other antivirus companies that were included in the study can be found in the illustrations below:

Many scanners also use heuristic scanning algorithms, i.e. analyzing the sequence of commands in the checked object, collecting some statistics and making a decision for each checked object.

Scanners can also be divided into two categories: universal and specialized. Universal scanners are designed to search for and neutralize all types of viruses, regardless of the operating system the scanner is designed to work in. Specialized scanners are designed to neutralize a limited number of viruses or only one class of them, for example, macro viruses.

Scanners are also divided into resident (monitors), which scan on the fly, and non-resident, which provide a system scan only on demand. As a rule, resident scanners provide more reliable system protection, since they immediately react to a virus, while a non-resident scanner is able to recognize a virus only during its next launch.

CRC scanners

The principle of operation of CRC scanners is based on the calculation of CRC-sums (checksums) for files / system sectors present on the disk. These CRC-sums are then saved in the anti-virus database, as well as some other information: file lengths, dates of their last modification, etc. On subsequent startup, the CRC scanners compare the data contained in the database with the actual calculated values. If the information about a file recorded in the database does not match the real values, then CRC scanners signal that the file has been modified or infected with a virus.

CRC scanners are not able to catch a virus at the moment of its appearance in the system, but they do it only after some time, after the virus has spread through the computer. CRC scanners cannot detect a virus in new files (in e-mail, on floppy disks, in files restored from a backup or when unpacking files from an archive), because their databases do not have information about these files. Moreover, periodically there are viruses that exploit this weakness of CRC scanners, infect only newly created files and thus remain invisible to them.

Blockers

Antivirus blockers are memory-resident programs that intercept dangerous situations and notify the user about them. Virus-dangerous calls include opening executable files for writing, writing to the boot sectors of disks or the MBR of a hard drive, attempts by programs to remain resident, etc., that is, calls that are typical of viruses at the time of replication.

The advantages of blockers include their ability to detect and stop a virus at the earliest stage of its reproduction. The disadvantages include the existence of ways to bypass the protection of blockers and a large number of false positives.

Immunizers

Immunizers are divided into two types: immunizers that report infection and immunizers that block infection. The former are usually written to the end of files (like a file virus), and each time the file is run it is checked for changes. There is only one drawback with such immunizers, but it is fatal: the absolute inability to report infection by a stealth virus. Therefore, such immunizers, like blockers, are practically not used at the present time.

The second type of immunization protects the system from being infected by a particular type of virus. Files on disks are modified in such a way that the virus takes them as already infected. To protect against a resident virus, a program that imitates a copy of the virus is entered into the computer's memory. When launched, the virus stumbles upon it and believes that the system is already infected.

This type of immunization cannot be universal, since files cannot be immunized against all known viruses.

Classification of antiviruses based on their variability over time

According to Valery Konyavsky, anti-virus tools can be divided into two large groups - analyzing data and analyzing processes.

Data analysis

Data analysis includes auditors and polyphages. Auditors analyze the consequences of the activities of computer viruses and other malicious programs. The consequences are manifested in data changes that should not be changed. It is the fact that the data has changed that is a sign of the activity of malicious programs from the point of view of the auditor. In other words, auditors control the integrity of the data and, upon violation of the integrity, make a decision about the presence of malicious programs in the computer environment.

Polyphages act differently. On the basis of data analysis, they isolate fragments of malicious code (for example, by its signature) and, on this basis, make a conclusion about the presence of malicious programs. Removing or disinfecting data infected with a virus helps prevent the negative consequences of the execution of malicious programs. Thus, based on the analysis in statics, the consequences arising in dynamics are prevented.

The scheme of work of both auditors and polyphages is practically the same: compare the data (or its checksum) with one or more reference samples. Data is compared with data. Thus, in order to find a virus in your computer, the virus must already have run, so that the consequences of its activity have appeared. This method can only find known viruses for which code fragments or signatures have been described beforehand. It is unlikely that such protection can be called reliable.

Process analysis

Antivirus tools based on process analysis work in a slightly different way. Heuristic analyzers, like those described above, analyze data (on disk, in a channel, in memory, etc.). The fundamental difference lies in the fact that the analysis is carried out under the assumption that the analyzed code is not data, but commands (in computers with von Neumann architecture, data and commands are indistinguishable, in this regard, during the analysis, one or another assumption has to be put forward.)

The heuristic analyzer identifies a sequence of operations, assigns a certain hazard rating to each of them, and, based on the totality of the hazard, decides whether this sequence of operations is part of the malicious code. The code itself is not executed.

Another type of process-based antivirus is the behavioral blocker. Here the suspicious code is executed in stages until the set of actions initiated by the code is evaluated as dangerous (or safe) behaviour. The code is executed only partially, since the completion of malicious code can be detected by simpler methods of data analysis.

Virus detection technologies

The technologies used in antivirus software can be divided into two groups:

  • Signature analysis technologies
  • Probabilistic Analysis Technologies

Signature analysis technologies

Signature analysis is a virus detection method that checks for virus signatures in files. Signature analysis is the most well-known method for detecting viruses and is used in almost all modern antiviruses. To conduct a scan, the antivirus needs a set of virus signatures, which are stored in the anti-virus database.

Since signature analysis involves scanning files for virus signatures, the anti-virus database needs to be updated periodically to keep the anti-virus up-to-date. The very principle of operation of signature analysis also defines the boundaries of its functionality - the ability to detect only already known viruses - a signature scanner is powerless against new viruses.

On the other hand, the presence of virus signatures implies the ability to cure infected files detected using signature analysis. However, not all viruses can be cured - Trojans and most worms cannot be cured due to their design features, since they are integral modules designed to cause damage.

A competent implementation of the virus signature allows you to detect known viruses with one hundred percent probability.

Probabilistic Analysis Technologies

Probabilistic analysis technologies, in turn, are divided into three categories:

  • Heuristic Analysis
  • Behavioral Analysis
  • Checksum analysis

Heuristic analysis

Heuristic analysis is a technology based on probabilistic algorithms, the result of which is the identification of suspicious objects. In the process of heuristic analysis, the file structure is checked, its compliance with virus patterns. The most popular heuristic technology is to check the contents of a file for modifications of already known virus signatures and their combinations. This helps to detect hybrids and new versions of previously known viruses without additional updating of the anti-virus database.

Heuristic analysis is used to detect unknown viruses and, as a consequence, does not provide for a cure. This technology is not able to determine with 100% certainty whether it is looking at a virus or not, and like any probabilistic algorithm it suffers from false positives.
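The following Python, added here as an illustration and not taken from the essay, implements the signature scanner the text describes, with exact signatures beside masked ones in which `??` marks bytes that differ between variants of one family (the "modifications of already known signatures" heuristic). It shows the three outcomes the text discusses: a known sample caught by its exact signature, a variant caught only by the mask, and a false positive on a harmless program that happens to fit the mask, while entirely new code matches nothing. Every signature and sample file is constructed for the demonstration; none is a real virus.

```python
"""Signature scanning with exact and masked patterns.

Added example; the database and the sample 'files' are constructed."""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Signature:
    name: str
    pattern: Tuple[Optional[int], ...]   # None = wildcard byte


def parse_signature(name: str, text: str) -> Signature:
    """'B8 ?? 4C' -> Signature; tokens are hex bytes or '??' for a wildcard."""
    pattern = tuple(None if tok == "??" else int(tok, 16) for tok in text.split())
    return Signature(name, pattern)


def find_signature(data: bytes, sig: Signature) -> int:
    """Offset of the first match, or -1.  A naive O(n*m) scan is enough here;
    real scanners run multi-pattern automata over the same idea."""
    m = len(sig.pattern)
    for i in range(len(data) - m + 1):
        if all(p is None or data[i + k] == p for k, p in enumerate(sig.pattern)):
            return i
    return -1


def scan(data: bytes, database: List[Signature]) -> List[Tuple[str, int]]:
    """All signatures found in one object, with their offsets."""
    hits = []
    for sig in database:
        off = find_signature(data, sig)
        if off >= 0:
            hits.append((sig.name, off))
    return hits


# Constructed database.  The exact record pins every byte of a fragment
# (a DOS exit call followed by the marker "DEMO"); the masked record keeps
# only the instruction opcodes and one marker byte so that variants match.
DATABASE = [
    parse_signature("Demo.A", "B8 00 4C CD 21 44 45 4D 4F"),
    parse_signature("Demo.gen (masked)", "B8 ?? 4C CD 21 ?? ?? ?? 4F"),
]

# Constructed sample "files"
SAMPLES = {
    # prints a string via INT 21h and returns: contains nothing from the database
    "clean.com": b"\xb4\x09\xba\x00\x01\xcd\x21\xc3" + b"Hello from a clean program$",
    # carries the exact fragment
    "demo_a.com": b"\x90" * 4 + bytes.fromhex("B8004CCD2144454D4F") + b"\x00" * 8,
    # variant with changed bytes: only the masked signature catches it
    "demo_b.com": b"\x90" * 7 + bytes.fromhex("B8014CCD214E454F4F") + b"\x00" * 8,
    # harmless program whose exit call happens to fit the mask: a false positive
    "exit_only.com": b"\x90" * 2 + bytes.fromhex("B8004CCD2148454C4F"),
    # entirely new code: no signature exists, so the scanner is blind to it
    "unknown.com": bytes.fromhex("EB0E90") + b"\x00" * 20,
}


def scan_all(samples=SAMPLES, database=DATABASE):
    return {name: scan(data, database) for name, data in samples.items()}


if __name__ == "__main__":
    for name, hits in scan_all().items():
        print(f"{name:14} {hits or 'no signature matched'}")
```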

Behavioral Analysis

Behavioral analysis is a technology in which a decision about the nature of the object being checked is made based on an analysis of the operations it performs. Behavioral analysis is very narrowly applicable in practice, since most of the actions typical of viruses can also be performed by ordinary applications. The best-known behavioral analyzers are those for scripts and macros, since the corresponding viruses almost always perform a number of similar actions.

The protections built into the BIOS can also be classified as behavioral analyzers. When an attempt is made to make changes to the MBR of a computer, the analyzer blocks the action and displays a corresponding notification to the user.

In addition, behavioral analyzers can track attempts to directly access files, changes to the boot record of floppy disks, formatting of hard drives, etc.

Behavioral analyzers do not use additional objects like virus databases to operate and, as a result, are unable to distinguish between known and unknown viruses - all suspicious programs are considered a priori unknown viruses. Likewise, the behavior of tools that implement behavioral analysis technologies does not involve treatment.
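As an added example (not from the essay), the Python below puts the blocker, heuristic analyzer and behavioral analyzer passages together: each operation a program performs receives a hazard weight, the program is evaluated in stages, and it is stopped as soon as the accumulated hazard reaches a threshold, with a "white list" of trusted processes as the escape hatch. The installer trace shows the false positive the text warns about. Weights, threshold and the event traces are all constructed.

```python
"""Behavioral blocker in miniature: stage-by-stage hazard scoring.

Added example; weights, threshold and traces are constructed."""
from typing import List, NamedTuple, Optional, Tuple

Event = Tuple[str, str, str]   # (operation, object kind, object name)

# Actions the essay lists as typical of viruses at replication time
HAZARD = {
    ("open_for_write", "executable"): 3,   # modifying COM/EXE files
    ("set_attributes", "executable"): 1,   # changing file attributes
    ("write", "boot_sector"): 5,           # writing a disk boot sector
    ("write", "mbr"): 5,                   # writing the hard-disk MBR
    ("direct_write", "disk"): 4,           # write at an absolute disk address
    ("stay_resident", "memory"): 2,        # attempt to remain resident
}
THRESHOLD = 5


class Verdict(NamedTuple):
    blocked: bool
    score: int
    stopped_at: Optional[int]   # index of the event that tripped the blocker
    reason: str


def hazard_of(event: Event) -> int:
    op, kind, _name = event
    return HAZARD.get((op, kind), 0)


def evaluate(process: str, events: List[Event], trusted=frozenset(),
             threshold: int = THRESHOLD) -> Verdict:
    """The process runs stage by stage until the total hazard of what it has
    done so far reaches the threshold.  A trusted ('white-listed') process is
    never blocked, whatever it does."""
    score = 0
    for i, ev in enumerate(events):
        score += hazard_of(ev)
        if score >= threshold and process not in trusted:
            op, kind, name = ev
            return Verdict(True, score, i, f"{op} {kind} {name} pushed hazard to {score}")
    return Verdict(False, score, None, "hazard stayed below threshold")


# Constructed traces
TRACES = {
    # classic resident file-infector behaviour
    "INFECT.COM": [("stay_resident", "memory", "TSR"),
                   ("open_for_write", "executable", "GAME.EXE"),
                   ("set_attributes", "executable", "GAME.EXE")],
    # an installer legitimately writes several executables: a false positive
    "SETUP.EXE": [("open_for_write", "executable", "APP.EXE"),
                  ("open_for_write", "executable", "HELP.EXE"),
                  ("set_attributes", "executable", "APP.EXE")],
    # a text editor touches only documents
    "EDIT.COM": [("open_for_write", "document", "NOTES.TXT"),
                 ("set_attributes", "document", "NOTES.TXT")],
    # a single boot-sector write is blocked outright, like the BIOS MBR guard
    "SYS.COM": [("write", "boot_sector", "A:")],
}


def evaluate_all(trusted=frozenset()):
    return {p: evaluate(p, ev, trusted) for p, ev in TRACES.items()}


if __name__ == "__main__":
    for proc, v in evaluate_all().items():
        print(f"{proc:11} {'BLOCKED' if v.blocked else 'allowed'} score={v.score} {v.reason}")
    print("with SETUP.EXE trusted:", evaluate_all({"SETUP.EXE"})["SETUP.EXE"].blocked)
```

Without a virus database the blocker cannot tell INFECT.COM from SETUP.EXE; both are "a priori unknown viruses", which is exactly why such tools lean on white lists and produce false positives.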

Checksum analysis

Checksum analysis is a way of tracking changes in objects in a computer system. Based on the analysis of the nature of the changes (simultaneity, mass scale, identical changes in file lengths) one can conclude that the system is infected. Checksum analyzers (also called change auditors), like behavioral analyzers, do not use additional objects in their work and issue a verdict on the presence of a virus in the system solely by expert judgment. Similar technologies are used in on-access scanners: at the first check the checksum of the file is computed and placed in a cache; before the next check of the same file it is computed again and compared, and if nothing has changed the file is considered uninfected.
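The following Python is an added example (not from the essay) of the auditor / CRC-scanner scheme described in the sections on auditors, CRC scanners, data analysis and checksum analysis: a baseline of (length, CRC-32) is recorded while the disk is known to be clean, a later audit reports what changed, the blind spot the text describes appears as files with no baseline record that cannot be judged, and the mass-change heuristic flags several executables that grew by the same amount. The two "disk snapshots" are constructed dictionaries, not real files.

```python
"""Integrity auditor in miniature: baseline, compare, mass-change heuristic.

Added example; both disk snapshots are constructed in memory."""
import zlib
from typing import Dict, Optional, Tuple

Record = Tuple[int, int]   # (length, CRC-32)


def crc_record(data: bytes) -> Record:
    # CRC-32 is what the classic scanners used; a modern auditor would use a
    # cryptographic hash, because a CRC can be deliberately matched.
    return (len(data), zlib.crc32(data) & 0xFFFFFFFF)


def take_baseline(files: Dict[str, bytes]) -> Dict[str, Record]:
    """Snapshot taken while the disk is known to be clean."""
    return {path: crc_record(data) for path, data in files.items()}


def audit(baseline: Dict[str, Record], files: Dict[str, bytes]) -> dict:
    report = {"unchanged": [], "modified": [], "new": [], "deleted": []}
    for path in sorted(files):
        if path not in baseline:
            report["new"].append(path)      # no reference: nothing to compare against
        elif crc_record(files[path]) != baseline[path]:
            report["modified"].append(path)
        else:
            report["unchanged"].append(path)
    report["deleted"] = sorted(set(baseline) - set(files))
    return report


def infection_suspected(baseline, files, report, min_files: int = 2) -> Optional[int]:
    """Mass-change heuristic: if several executables grew by exactly the same
    number of bytes, return that size (the appended body); otherwise None."""
    deltas = [len(files[p]) - baseline[p][0]
              for p in report["modified"] if p.upper().endswith((".COM", ".EXE"))]
    if len(deltas) >= min_files and len(set(deltas)) == 1 and deltas[0] > 0:
        return deltas[0]
    return None


# Snapshot 1: the clean disk the baseline is taken from
DISK_CLEAN = {
    "EDIT.COM":  b"\xb4\x09\xcd\x21\xc3" + b"editor code " * 10,
    "PLAY.EXE":  b"MZ" + b"\x00" * 30 + b"game code " * 12,
    "NOTES.TXT": b"shopping list: floppies, coffee\n",
}

# Snapshot 2: later.  Both executables grew by the same 37 bytes (a constructed
# marker standing in for an appended body), the note was edited by the user,
# and a new executable appeared that the baseline knows nothing about.
APPENDED = b"X" * 37
DISK_LATER = {
    "EDIT.COM":  DISK_CLEAN["EDIT.COM"] + APPENDED,
    "PLAY.EXE":  DISK_CLEAN["PLAY.EXE"] + APPENDED,
    "NOTES.TXT": DISK_CLEAN["NOTES.TXT"] + b"call the bank\n",
    "NEW.EXE":   b"MZ" + b"\x00" * 30 + b"fresh code " * 5 + APPENDED,
}


def run_audit(before=DISK_CLEAN, after=DISK_LATER) -> dict:
    baseline = take_baseline(before)
    report = audit(baseline, after)
    report["appended_body_size"] = infection_suspected(baseline, after, report)
    return report


if __name__ == "__main__":
    for key, value in run_audit().items():
        print(f"{key:19} {value}")
```

NEW.EXE carries the same appended marker as the two modified executables, yet the auditor can only list it as new: with no baseline record there is nothing to compare, which is the weakness the text says some viruses exploit by infecting only newly created files.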

Antivirus complexes

An antivirus complex is a set of antiviruses that use the same antivirus kernel or kernels and are designed to solve practical problems in ensuring the antivirus security of computer systems. The antivirus complex also necessarily includes tools for updating the antivirus databases.

In addition, the antivirus complex may additionally include behavioral analyzers and change auditors that do not use the antivirus engine.

The following types of antivirus complexes are distinguished:

  • antivirus complex for protecting workstations
  • antivirus complex for protecting file servers
  • antivirus complex for protecting mail systems
  • antivirus complex for protecting gateways.

Cloud Antivirus vs. Traditional Desktop Antivirus: Which Should You Choose?

(Based on materials from the resource Webroot.com)

The modern market for antivirus tools is primarily traditional solutions for desktop systems, in which protection mechanisms are built on the basis of signature-based methods. An alternative way of anti-virus protection is the use of heuristic analysis.

Problems with traditional antivirus software

Recently, traditional antivirus technologies have become less and less effective and are rapidly becoming outdated due to a number of factors. The number of virus threats recognized by signatures is already so great that it is often an unrealistic task to ensure timely 100% update of signature bases on user computers. Hackers and cybercriminals are increasingly using botnets and other technologies to accelerate the spread of zero-day virus threats. In addition, the signatures of the corresponding viruses are not generated during targeted attacks. Finally, new technologies are used to counter anti-virus detection: malware encryption, creation of polymorphic viruses on the server side, preliminary testing of the quality of a virus attack.

Traditional anti-virus protection is most often built on the "thick client" architecture. This means that a large amount of code is installed on the client's computer. It checks incoming data and detects the presence of virus threats.

This approach has several disadvantages. First, scanning for malware and comparing signatures requires a significant computational load that is taken away from the user. As a result, the productivity of the computer decreases, and the work of the antivirus sometimes interferes with the execution of parallel application tasks. Sometimes the load on the user's system is so noticeable that users disable anti-virus programs, thereby removing the barrier against a potential virus attack.

Second, every update on the user's machine requires thousands of new signatures to be sent. The amount of data transferred is usually in the order of 5 MB per day per machine. Data transfer slows down the network, diverts additional system resources, requires the involvement of system administrators to control traffic.

Third, users roaming or away from a fixed workplace are vulnerable to zero-day attacks. To receive the updated portion of the signatures, they must connect to a VPN network that is inaccessible to them remotely.

Antivirus protection from the cloud

When switching to antivirus protection from the cloud, the solution architecture changes significantly. A "lightweight" client is installed on the user's computer; its main function is to find new files, calculate hash values and send the data to the cloud server. A full-scale comparison is performed in the cloud over a large database of collected signatures. This database is constantly and promptly updated with data transmitted by anti-virus companies. The client receives a report with the results of the check.

Thus, the cloud architecture of antivirus protection has a number of advantages:

  • the amount of calculations on the user's computer turns out to be negligible compared to a thick client, therefore, the user's productivity does not decrease;
  • there is no catastrophic effect of anti-virus traffic on the network bandwidth: a compact piece of data is to be sent, containing only a few tens of hash values, the average daily traffic volume does not exceed 120 Kbytes;
  • cloud storage contains huge arrays of signatures, much larger than those stored on user computers;
  • signature comparison algorithms used in the cloud are significantly more intelligent than simplified models used at the local station level, and due to higher performance, data comparison takes less time;
  • cloud antivirus services work with real data received from antivirus laboratories, security developers, corporate and private users; zero-day threats are blocked simultaneously with their recognition, without the delay caused by the need to gain access to user computers;
  • users who are roaming or who do not have access to their main workplaces receive protection against zero-day attacks simultaneously with access to the Internet;
  • the workload of system administrators is reduced: they do not need to spend time installing anti-virus software on users' computers, as well as updating signature databases.
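
To make the difference concrete, here is an added example (Python, not code from the essay or from any antivirus vendor) that contrasts the two architectures on constructed sample files: a thick client searching each file for every signature locally, and a thin client that sends only SHA-256 digests to a cloud lookup. The files, the signature and the reputation table are all constructed for the demo.

```python
import hashlib

# Constructed sample files (byte strings standing in for files on the endpoint).
# "setup.exe" carries a constructed marker string, not real malicious code.
SAMPLE_FILES = {
    "report.docx": b"PK\x03\x04" + b"quarterly numbers " * 50,
    "setup.exe": b"MZ" + b"\x90" * 200 + b"CONSTRUCTED-MARKER-0001" + b"\x00" * 100,
    "notes.txt": b"meeting notes\n" * 20,
}

# Thick client: the full signature base is held on the endpoint and every
# file is searched byte by byte. One constructed signature for the demo.
LOCAL_SIGNATURES = {
    "Test.Marker.A": b"CONSTRUCTED-MARKER-0001",
}


def thick_client_scan(files, signatures=LOCAL_SIGNATURES):
    """Search every file for every signature locally. Returns {name: verdict}."""
    verdicts = {}
    for name, data in files.items():
        verdicts[name] = "clean"
        for label, sig in signatures.items():
            if sig in data:
                verdicts[name] = label
                break
    return verdicts


def thin_client_request(files):
    """Thin client: hash each new file; only the digests leave the machine."""
    return {name: hashlib.sha256(data).hexdigest() for name, data in files.items()}


def cloud_reputation_db():
    """Server-side table keyed by SHA-256 (constructed; a real one holds millions)."""
    known_bad = hashlib.sha256(SAMPLE_FILES["setup.exe"]).hexdigest()
    return {known_bad: "Test.Marker.A"}


def cloud_lookup(request, db):
    """Server side: resolve each digest. 'unknown' is not the same as 'clean'."""
    return {name: db.get(digest, "unknown") for name, digest in request.items()}


def request_size_bytes(request):
    """Bytes on the wire for the hash request: one 64-char hex digest per file."""
    return sum(len(digest) for digest in request.values())


def signature_base_size_bytes(signatures=LOCAL_SIGNATURES):
    """Bytes a thick client must receive to hold the same signature base locally."""
    return sum(len(sig) for sig in signatures.values())
```

The request carries 64 bytes per file, which is where the small traffic figures above come from. The flip side is visible in the verdicts: a digest absent from the table is reported as unknown, not clean, because a whole-file hash changes with a single modified byte, so a file the laboratories have never seen gets no verdict at all from a pure hash lookup.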

Why traditional antiviruses fail

Modern malicious code can:

  • evade the traps of antiviruses by being written specifically for one target company
  • change faster than a signature can be produced, using polymorphism and re-encoding together with constantly changing dynamic DNS names and URLs
  • run as code nobody has seen yet, for which no signature exists

Such code is difficult to defend against.

High-speed antiviruses of 2011

The Russian independent information and analytical center Anti-Malware.ru published in May 2011 the results of the next comparative test of the 20 most popular antiviruses for performance and consumption of system resources.

The purpose of this test is to show which personal antiviruses have the least impact on the user performing typical operations on the computer, slow down his work less and consume the minimum amount of system resources.

Among antivirus monitors (real-time scanners), a whole group of products demonstrated very high performance, among them Avira, AVG, ZoneAlarm, Avast, Kaspersky Anti-Virus, Eset, Trend Micro and Dr.Web. With these antiviruses on board, the slowdown in copying the test collection was less than 20% compared to the reference. The antivirus monitors BitDefender, PC Tools, Outpost, F-Secure, Norton and Emsisoft also performed well, in the 30-50% range.

At the same time, Avira, AVG, BitDefender, F-Secure, G Data, Kaspersky Anti-Virus, Norton, Outpost and PC Tools in real conditions can be much faster due to their optimization of subsequent scans.

Avira showed the best on-demand scan speed. Close behind it were Kaspersky Anti-Virus, F-Secure, Norton, G Data, BitDefender and Outpost. In the speed of a first scan these antiviruses are only slightly behind the leader, and all of them have powerful technologies for optimizing repeated scans in their arsenal.

Another important characteristic of the speed of the antivirus is its impact on the operation of application programs with which the user often works. Five were selected for the test: Internet Explorer, Microsoft Office Word, Microsoft Outlook, Adobe Acrobat Reader, and Adobe Photoshop. Eset, Microsoft, Avast, VBA32, Comodo, Norton, Trend Micro, Outpost and G Data antiviruses showed the least slowdown in the launch of these office programs.

1. COMPUTER VIRUSES, THEIR PROPERTIES AND CLASSIFICATION

1.1. Properties of computer viruses

Personal computers give the user free access to all the resources of the machine. It is precisely this that opened the door to the danger known as a computer virus.

What is a computer virus? A formal definition of this concept has not yet been invented, and there are serious doubts that it can be given at all. Numerous attempts to give a "modern" definition of the virus have not been successful. To get a feel for the complexity of the problem, try, for example, defining an editor. You will either come up with something very general or start listing all the known types of editors. Both can hardly be considered acceptable. Therefore, we will restrict ourselves to considering some of the properties of computer viruses that allow us to speak of them as a certain class of programs.

First of all, a virus is a program. Such a simple statement in itself can dispel many legends about the extraordinary capabilities of computer viruses. The virus can flip the image on your monitor, but it cannot flip the monitor itself. The legends of killer viruses “killing operators by displaying a deadly color gamut in the 25th frame” should also not be taken seriously. Unfortunately, some reputable publications from time to time publish "the latest news from the computer fronts", which, upon closer examination, turn out to be the result of an unclear understanding of the subject.

A virus is a program with the ability to reproduce itself. This ability is the only one common to all types of viruses. But not only viruses are capable of self-replication. Any operating system and many more programs are able to create their own copies. Copies of the virus not only do not have to completely coincide with the original, but may not coincide with it at all!

A virus cannot exist in "complete isolation": today it is impossible to imagine a virus that does not use the code of other programs, information about the file structure, or even just the names of other programs. The reason is clear: the virus must somehow ensure the transfer of control to itself.

1.2. Virus classification

Currently, more than 5000 software viruses are known; they can be classified according to the following criteria:

  • habitat
  • the way the habitat is infected
  • degree of impact
  • features of the algorithm

Depending on the habitat, viruses can be divided into network, file, boot and file-boot viruses. Network viruses spread over computer networks. File viruses are introduced mainly into executable modules, that is, into files with the COM and EXE extensions. File viruses can also be embedded in other types of files, but, as a rule, once written into such files they never gain control and therefore lose the ability to reproduce. Boot viruses are embedded in the boot sector of a disk (Boot sector) or in the sector containing the boot program of the system disk (Master Boot Record). File-boot viruses infect both files and the boot sectors of disks.

By the method of infection, viruses are divided into resident and non-resident. When a memory-resident virus infects a computer, it leaves its resident part in RAM, which then intercepts the operating system's accesses to the objects of infection (files, boot sectors of disks, etc.) and embeds itself in them. Resident viruses stay in memory and remain active until the computer is shut down or restarted. Non-resident viruses do not infect the computer's memory and are active only for a limited time.

According to the degree of impact, viruses can be divided into the following types:

  • harmless: they do not interfere with the operation of the computer but reduce the amount of free RAM and disk space; their actions show up as some graphic or sound effect
  • dangerous: they can lead to various disruptions in the operation of the computer
  • very dangerous: their impact can lead to the loss of programs, destruction of data and erasure of information in the system areas of the disk

2. MAIN TYPES OF VIRUSES AND SCHEMES OF THEIR FUNCTIONING

Among the whole variety of viruses, the following main groups can be distinguished:

  • boot
  • file
  • file-boot

Now in more detail about each of these groups.

2.1. Boot viruses

Let's consider the operation of a very simple boot virus that infects floppy disks. We will deliberately bypass all the numerous subtleties that would inevitably be encountered in a rigorous analysis of the algorithm of its functioning.

What happens when you turn on your computer? First of all, control is transferred to the bootstrap program stored in read-only memory (ROM), i.e. the PNZ ROM.

This program tests the hardware and, if the checks are successful, tries to find a floppy disk in drive A:

Every floppy disk is divided into so-called sectors and tracks. Sectors are grouped into clusters, but that is irrelevant here.

Among the sectors there are several service sectors used by the operating system for its own needs (these sectors cannot hold your data). Among the service sectors we are interested in only one, the so-called boot sector.

The boot sector stores information about the floppy disk: the number of surfaces, the number of tracks, the number of sectors, and so on. But right now we are interested not in this information but in the small bootstrap program (PNZ) also stored there, which must load the operating system itself and transfer control to it.

So the normal bootstrap scheme is as follows: PNZ (ROM) - PNZ (disk) - SYSTEM.

Now let's look at the virus. A boot virus consists of two parts, the so-called head and the tail. The tail, generally speaking, may be empty.

Suppose you have a blank floppy disk and an infected computer, by which we mean a computer with an active resident virus. As soon as this virus detects that a suitable victim has appeared in the drive (in our case an unwritten and not yet infected floppy disk), it proceeds to infect it. In doing so, the virus performs the following actions:

  • it allocates a certain area of the disk and marks it as inaccessible to the operating system; this can be done in different ways, and in the simplest and most traditional case the sectors occupied by the virus are marked as bad
  • it copies its tail and the original (healthy) boot sector to the allocated disk area
  • it replaces the boot program in the boot sector with its head
  • it arranges a chain of control transfers according to the scheme

Thus, the head of the virus is now the first to gain control, the virus is installed in memory and transfers control to the original boot sector. In a chain

PNZ (ROM) - PNZ (disk) - SYSTEM

a new link appears:

PNZ (ROM) - VIRUS - PNZ (disk) - SYSTEM

The moral is clear: never leave (accidentally) floppy disks in drive A.

We have examined the operation scheme of a simple boot virus that lives in the boot sectors of floppy disks. As a rule, viruses are capable of infecting not only the boot sectors of floppy disks but also the boot sectors of hard drives. However, unlike a floppy disk, a hard drive has two types of boot sectors containing boot programs that receive control. When the computer boots from the hard drive, the boot program in the MBR (Master Boot Record) takes control first. If the hard drive is divided into several partitions, only one of them is marked as bootable. The boot program in the MBR finds the bootable partition and transfers control to the boot program of that partition. The code of the latter is the same as the code of the bootstrap program on an ordinary floppy disk, and the corresponding boot sectors differ only in their parameter tables. Thus, a boot virus has two objects of attack on a hard drive: the boot program in the MBR and the boot program in the boot sector of the bootable partition.
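
The MBR described above (boot program, partition table with one active partition, control passed to that partition's boot sector) is easy to parse, and keeping a fingerprint of the boot program is how an auditor notices a replaced head. The following Python is an added example and not part of the essay; the MBR layout (446 bytes of boot code, four 16-byte partition entries, 0x55AA signature) is the standard one, while the boot code bytes, partition values and function names are constructed for the demo.

```python
import hashlib
import struct

MBR_SIZE = 512
BOOT_CODE_SIZE = 446            # bytes 0..445 hold the boot program
PARTITION_TABLE_OFFSET = 446    # four 16-byte entries follow
PARTITION_ENTRY_SIZE = 16
# status, CHS start (3 bytes), type, CHS end (3 bytes), LBA start, sector count
PARTITION_ENTRY_FORMAT = "<B3sB3sII"
MBR_SIGNATURE = b"\x55\xaa"     # bytes 510..511
ACTIVE_FLAG = 0x80


def build_mbr(boot_code, partitions):
    """Assemble a constructed MBR image from boot code and (active, type, start_lba, sectors) tuples."""
    if len(boot_code) > BOOT_CODE_SIZE or len(partitions) > 4:
        raise ValueError("boot code too long or more than four partitions")
    image = bytearray(MBR_SIZE)
    image[:len(boot_code)] = boot_code
    for i, (active, ptype, start_lba, sectors) in enumerate(partitions):
        off = PARTITION_TABLE_OFFSET + i * PARTITION_ENTRY_SIZE
        status = ACTIVE_FLAG if active else 0x00
        # CHS fields are zeroed here; the LBA fields are what we read back.
        struct.pack_into(PARTITION_ENTRY_FORMAT, image, off,
                         status, b"\0\0\0", ptype, b"\0\0\0", start_lba, sectors)
    image[510:512] = MBR_SIGNATURE
    return bytes(image)


def parse_mbr(image):
    """Validate the 0x55AA signature and return the non-empty partition entries."""
    if len(image) != MBR_SIZE or image[510:512] != MBR_SIGNATURE:
        raise ValueError("not a valid MBR: wrong size or missing 0x55AA signature")
    entries = []
    for i in range(4):
        off = PARTITION_TABLE_OFFSET + i * PARTITION_ENTRY_SIZE
        status, _chs_start, ptype, _chs_end, start_lba, sectors = struct.unpack_from(
            PARTITION_ENTRY_FORMAT, image, off)
        if ptype == 0:              # empty slot
            continue
        entries.append({"index": i, "active": status == ACTIVE_FLAG,
                        "type": ptype, "start_lba": start_lba, "sectors": sectors})
    return entries


def find_boot_partition(entries):
    """The MBR loader hands control to the single partition flagged active."""
    active = [e for e in entries if e["active"]]
    if len(active) != 1:
        raise ValueError(f"expected exactly one active partition, found {len(active)}")
    return active[0]


def boot_code_fingerprint(image):
    """SHA-256 of the boot program only; the partition table may legitimately change."""
    return hashlib.sha256(image[:BOOT_CODE_SIZE]).hexdigest()


def boot_code_changed(baseline_fingerprint, image):
    """True when the boot program differs from the recorded clean baseline."""
    return boot_code_fingerprint(image) != baseline_fingerprint
```

Fingerprinting only the first 446 bytes matters in practice: repartitioning rewrites the table but not the loader, so a change in the boot-code hash points specifically at the object a boot virus attacks.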

2.2. File viruses

Let us now consider how a simple file virus works. Unlike boot viruses, which are almost always memory-resident, file viruses are not necessarily resident. Consider the operation scheme of a non-resident file virus. Suppose we have an infected executable file. When such a file is launched, the virus gains control, performs some actions and transfers control to its "host" program (although who is really the host in such a situation is an open question).

What actions does the virus perform? It looks for a new object to infect: a file of a suitable type that has not yet been infected (if the virus is "decent"; there are also those that infect immediately without checking anything). When infecting a file, the virus injects itself into its code in order to gain control when the file is run. Besides its main function, reproduction, the virus may well do something fancy (say, ask a question or play something); that depends on the imagination of its author. If a file virus is memory-resident, it installs itself in memory and is able to infect files and show its other abilities not only while the infected file is running. When infecting an executable file, a virus always changes its code; therefore an infection of an executable file can always be detected. But while changing the code of the file, the virus does not necessarily make other changes:

  • it does not have to change the length of the file
  • it may confine itself to unused sections of code
  • it does not have to change the beginning of the file

Finally, file viruses also include viruses that "have something to do with files" but do not need to be embedded in their code. Let us consider as an example the operation scheme of the viruses of the well-known Dir-II family. It must be admitted that, having appeared in 1991, these viruses caused a real epidemic in Russia. Consider a model that clearly shows the main idea of the virus. Information about files is stored in directories. Each directory entry includes the file name, the creation date and time, some additional information, the number of the file's first cluster, and so on, as well as spare bytes. The latter are left "in reserve" and are not used by MS-DOS itself.

When an executable file is launched, the system reads the number of the file's first cluster from the directory entry and then reads all the other clusters. Dir-II viruses perform the following "reorganization" of the file system: the virus writes itself to some free disk sectors, which it marks as bad. In addition, it saves the information about the first clusters of executable files in the spare bytes and writes references to itself in place of that information.

Thus, when any file is launched, the virus gains control (the operating system launches it itself), installs itself into memory and transfers control to the called file.
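
The directory-entry manipulation described for Dir-II leaves a visible trace in the directory itself: every executable's first-cluster field points to the same cluster, and the spare bytes hold values MS-DOS would have left at zero. The Python below is an added example and not code from the essay; it parses 32-byte FAT12/16 directory entries (the standard layout: name, extension, attributes, ten reserved bytes, write time and date, first cluster, size) from a constructed directory image and flags both symptoms. One caveat: from Windows 95 onward some of those reserved bytes carry the creation time and last-access date, so the reserved-bytes check applies to MS-DOS-era volumes only.

```python
import struct

DIR_ENTRY_SIZE = 32
# name(8) ext(3) attr(1) reserved(10) write time(2) write date(2) first cluster(2) size(4)
ENTRY_FORMAT = "<8s3sB10sHHHI"
ATTR_DIRECTORY = 0x10
ATTR_VOLUME_ID = 0x08
EXECUTABLE_EXTS = {b"EXE", b"COM"}


def build_entry(name, ext, first_cluster, size, reserved=b"", attr=0x20):
    """Constructed FAT12/16 directory entry; reserved bytes are zero unless given."""
    return struct.pack(ENTRY_FORMAT, name.ljust(8), ext.ljust(3), attr,
                       reserved.ljust(10, b"\0"), 0, 0, first_cluster, size)


# Constructed directory image: two executables redirected to cluster 900 with their
# real first clusters stashed in the reserved bytes, plus untouched entries.
SAMPLE_DIRECTORY = b"".join([
    build_entry(b"COMMAND", b"COM", 900, 47845, reserved=struct.pack("<H", 5)),
    build_entry(b"GAME", b"EXE", 900, 120000, reserved=struct.pack("<H", 210)),
    build_entry(b"NOTES", b"TXT", 12, 1500),
    build_entry(b"TOOL", b"EXE", 34, 8000),
    build_entry(b"DOS", b"", 3, 0, attr=ATTR_DIRECTORY),
    b"\xe5" + b"\0" * 31,   # deleted entry
    b"\0" * 32,             # end-of-directory marker
])


def parse_directory(raw):
    """Return the regular-file entries of a FAT directory image as dicts."""
    entries = []
    for off in range(0, len(raw) - DIR_ENTRY_SIZE + 1, DIR_ENTRY_SIZE):
        chunk = raw[off:off + DIR_ENTRY_SIZE]
        if chunk[0] == 0x00:        # no more entries
            break
        if chunk[0] == 0xE5:        # deleted entry
            continue
        name, ext, attr, reserved, _wtime, _wdate, cluster, size = struct.unpack(ENTRY_FORMAT, chunk)
        if attr & (ATTR_DIRECTORY | ATTR_VOLUME_ID):
            continue
        base, ext = name.rstrip(b" "), ext.rstrip(b" ")
        full = base + (b"." + ext if ext else b"")
        entries.append({"name": full.decode("ascii", "replace"), "ext": ext,
                        "reserved": reserved, "cluster": cluster, "size": size})
    return entries


def find_shared_exec_clusters(entries, min_shared=2):
    """Dir-II symptom: several executables whose first-cluster field is identical."""
    by_cluster = {}
    for e in entries:
        if e["ext"] in EXECUTABLE_EXTS:
            by_cluster.setdefault(e["cluster"], []).append(e["name"])
    return {c: names for c, names in by_cluster.items() if len(names) >= min_shared}


def entries_with_nonzero_reserved(entries):
    """MS-DOS of the era left the reserved bytes zero; anything else deserves a look."""
    return [e["name"] for e in entries if any(e["reserved"])]
```

A directory in which distinct executables legitimately share a first cluster cannot exist on a healthy FAT volume, so the first check has essentially no false positives; the reserved-bytes check is the weaker signal and is best used to recover the original cluster numbers once the redirection has been confirmed.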

2.3. Boot-file viruses

We will not consider a model of a boot-file virus, because you would not learn anything new from it. But this is a good opportunity to briefly discuss the extremely "popular" boot-file virus OneHalf, which infects the master boot sector (MBR) and executable files. Its main destructive action is the encryption of hard drive sectors. Each time it starts, the virus encrypts the next portion of sectors, and once half of the hard drive is encrypted it cheerfully announces the fact. The main problem in treating this virus is that it is not enough simply to remove the virus from the MBR and files; the information it encrypted must also be decrypted. The most disastrous thing you can do is simply write a fresh, clean MBR over it. The main thing is not to panic. Weigh everything calmly and consult specialists.

2.4. Polymorphic viruses

Most of the questions are related to the term "polymorphic virus". This type of computer viruses seems to be the most dangerous today. Let's explain what it is.

Polymorphic viruses are viruses that modify their code in infected programs in such a way that two copies of the same virus may not match in a single bit.

Such viruses not only encrypt their code using various encryption methods but also contain the code that generates the encryptor and decryptor, which distinguishes them from ordinary encrypting viruses, which may also encrypt portions of their code but have a fixed encryptor and decryptor.

Polymorphic viruses are viruses with self-modifying decryptors. The purpose of this encryption is that, even having both the infected and the original file, you still cannot analyze the virus code by ordinary disassembly. The code is encrypted and is a meaningless set of instructions. Decryption is performed by the virus itself at run time. Here there are options: it can decrypt itself all at once, or it can decrypt "along the way" and re-encrypt the sections that have already run. All this is done to make analysis of the virus code difficult.

3. HISTORY OF COMPUTER VIRUSOLOGY AND CAUSES OF THE APPEARANCE OF VIRUSES

The history of computer virology today seems to be a constant "race for the leader", and, despite all the power of modern anti-virus programs, it is viruses that are the leaders. Among the thousands of viruses, only a few dozen are original developments using truly fundamentally new ideas. All the rest are "variations on a theme." But each original development forces the creators of antivirus to adapt to new conditions, to catch up with the viral technology. The latter can be disputed. For example, in 1989, an American student managed to create a virus that disabled about 6,000 US Department of Defense computers. Or the epidemic of the famous Dir-II virus that broke out in 1991. The virus used a truly original, fundamentally new technology and at first was able to spread widely due to the imperfection of traditional antivirus tools.

Or the surge of computer viruses in the UK: Christopher Pine managed to create the Pathogen and Queeq viruses, as well as the Smeg virus. The last was the most dangerous: it could be applied to the first two viruses, and because of this they changed their configuration after each run of the program, so it was impossible to destroy them. To spread the viruses, Pine copied computer games and programs, infected them and then uploaded them back to the network. Users downloaded the infected programs to their computers and infected their disks. The situation was aggravated by the fact that Pine managed to introduce the viruses into the program meant to fight them: by launching it, users received another virus instead of destroying the existing ones. As a result, the files of many companies were destroyed and losses amounted to millions of pounds.

The American programmer Morris is widely known. He is known as the creator of the virus that in November 1988 infected about 7,000 personal computers connected to the Internet.

The reasons for the emergence and spread of computer viruses are hidden, on the one hand, in human psychology and its shadow sides (envy, revenge, the vanity of unrecognized creators, the inability to apply one's abilities constructively) and, on the other hand, are due to the lack of hardware protection and countermeasures in the operating systems of personal computers.

4. WAYS OF VIRUSES INTO A COMPUTER AND THE MECHANISM OF DISTRIBUTION OF VIRUS PROGRAMS

The main ways viruses enter a computer are removable disks (floppy and optical) and computer networks. The hard disk can become infected when a program is loaded from a floppy disk containing a virus. Such infection can also be accidental, for example if a diskette is left in drive A and the computer is restarted, even though the diskette need not be a system disk. Infecting a floppy disk is much easier: a virus can get onto it simply because the floppy disk was inserted into the drive of an infected computer and, for example, its directory was read.

A virus, as a rule, is introduced into a work program in such a way that when it starts up, control is first transferred to it and only after all its commands have been executed, it returns to the work program. Having gained access to control, the virus first of all overwrites itself into another working program and infects it. After starting a program containing a virus, it becomes possible to infect other files. The most common virus infects the disk boot sector and executable files with the extensions EXE, COM, SYS, BAT. Text files are rarely infected.

After infecting the program, the virus may perform some kind of sabotage, not too serious so as not to attract attention, and finally it does not forget to return control to the program from which it was launched. Each run of an infected program passes the virus on to the next one. In this way all the software ends up infected.

To illustrate the process of infecting a program with a virus, it makes sense to liken disk memory to an old-fashioned archive of paper folders. The folders contain programs, and the sequence of operations for introducing a virus looks as follows in this case (see Appendix 1).

5. SIGNS OF THE APPEARANCE OF VIRUSES

When a computer gets infected with a virus, it is important to detect it. To do this, you should know about the main signs of the manifestation of viruses. These include the following:

  • termination or incorrect operation of previously functioning programs
  • slow computer performance
  • inability to boot the operating system
  • disappearance of files and directories or distortion of their contents
  • changes in the date and time of file modification
  • changes in file sizes
  • an unexpected, significant increase in the number of files on disk
  • a significant reduction in the amount of free RAM
  • display of unexpected messages or images
  • unexpected sound signals
  • frequent freezes and crashes of the computer

It should be noted that the above phenomena are not necessarily caused by the presence of a virus, but may be due to other causes. Therefore, it is always difficult to correctly diagnose the state of the computer.

6. VIRUS DETECTION AND PROTECTION AND PREVENTION MEASURES

6.1. How to detect a virus? The traditional approach

So, a virus writer creates a virus and releases it into the world. For a while it may roam freely, but sooner or later the free ride ends. Someone suspects that something is amiss. As a rule, viruses are detected by ordinary users who notice certain anomalies in the computer's behavior. In most cases they are not able to cope with the infection on their own, but that is not required of them.

It is only necessary that the virus gets into the hands of specialists as soon as possible. Professionals study it and find out "what it does", "how it does it", "when it does it", etc. In the course of this work all the necessary information about the virus is collected; in particular, a virus signature is extracted: a sequence of bytes that characterizes it quite definitely. To construct a signature, the most important and characteristic sections of the virus code are usually taken. At the same time the mechanisms of the virus's operation become clear: for a boot virus it is important to know where it hides its tail and where the original boot sector is located, and for a file virus, how it infects a file. The information obtained makes it possible to determine:

  • how to detect the virus: methods of searching for the signature in the potential objects of a virus attack, files and/or boot sectors, are specified
  • how to neutralize the virus: if possible, algorithms for removing the virus code from infected objects are developed
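
As an added illustration (not part of the essay), the following Python shows the two steps just described: deriving a signature as the longest byte sequence common to several samples of one family that appears in no known-clean file, and then searching potential objects of attack (file contents, a boot sector image) for it. The samples, the clean corpus and the signature label are constructed, and the minimum signature length is an assumption.

```python
MIN_SIGNATURE_LEN = 12   # assumed: shorter candidates are too likely to false-positive

# Constructed "family" samples: the same core block embedded in different surroundings.
# None of this is real virus code.
CORE = b"CONSTRUCTED-FAMILY-CORE-BLOCK-7f3a"
FAMILY_SAMPLES = [
    b"MZ" + b"\x01" * 20 + CORE + b"\x02" * 10,
    b"MZ" + b"\x03" * 5 + CORE + b"\x04" * 30,
    b"MZ\x90\x90" + CORE,
]
# Constructed clean files used to reject candidate signatures that would false-positive.
CLEAN_CORPUS = [
    b"MZ" + b"hello world program " * 3,
    b"plain text document, nothing to see",
]


def extract_signature(samples, clean_corpus, min_len=MIN_SIGNATURE_LEN):
    """Longest byte sequence shared by all samples that occurs in no clean file, or None."""
    shortest = min(samples, key=len)
    for length in range(len(shortest), min_len - 1, -1):
        for start in range(len(shortest) - length + 1):
            candidate = shortest[start:start + length]
            if all(candidate in s for s in samples) and not any(candidate in c for c in clean_corpus):
                return candidate
    return None


def scan_object(data, signatures):
    """Return (label, offset) for every occurrence of every signature in one object."""
    hits = []
    for label, sig in signatures.items():
        off = data.find(sig)
        while off != -1:
            hits.append((label, off))
            off = data.find(sig, off + 1)
    return hits


def scan_objects(objects, signatures):
    """Scan named objects (file contents, boot sectors); return only those with hits."""
    results = {}
    for name, data in objects.items():
        hits = scan_object(data, signatures)
        if hits:
            results[name] = hits
    return results


def demo():
    """Extract the family signature, then scan a constructed boot sector and a clean file."""
    sig = extract_signature(FAMILY_SAMPLES, CLEAN_CORPUS)
    signatures = {"Test.Family.A": sig}
    boot_sector = bytearray(512)              # constructed 512-byte boot sector image
    boot_sector[100:100 + len(sig)] = sig     # signature planted at offset 100
    objects = {"floppy_boot_sector": bytes(boot_sector), "clean.txt": CLEAN_CORPUS[1]}
    return sig, scan_objects(objects, signatures)
```

The clean corpus is what keeps the signature honest: if the common block also occurs in legitimate software, every candidate is rejected and the function returns None rather than a signature that would flag clean files. That is also the limit of the approach the essay goes on to describe under polymorphism: a family with no fixed byte sequence in common yields no signature at all.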

6.2. Virus detection and protection programs

To detect, remove and protect against computer viruses, several types of special programs have been developed that allow you to detect and destroy viruses. Such programs are called antivirus programs. There are the following types of antivirus programs:

  • detector programs
  • doctor programs, or phages
  • auditor programs
  • filter programs
  • vaccine programs, or immunizers

Detector programs search for the signature characteristic of a particular virus in RAM and in files and, when they find it, issue a corresponding message. The disadvantage of such antivirus programs is that they can only find viruses known to their developers.

Doctor programs, or phages, and vaccine programs not only find files infected with viruses but also "cure" them, i.e. remove the body of the virus program from the file, returning the file to its original state. At the beginning of their work, phages look for viruses in RAM and destroy them, and only then proceed to "cure" files. Among phages, polyphages are distinguished, i.e. doctor programs designed to search for and destroy a large number of viruses. The most famous of them are Aidstest, Scan, Norton AntiVirus and Doctor Web.

Considering that new viruses are constantly appearing, detector programs and doctor programs quickly become outdated, and regular version updates are required.

Auditor programs are among the most reliable means of protection against viruses. Auditors record the initial state of programs, directories and system areas of the disk while the computer is not infected, and then periodically or at the user's request compare the current state with the initial one. The detected changes are displayed on the screen. As a rule, the states are compared immediately after the operating system is loaded. The comparison checks the file length, the cyclic redundancy code (file checksum), the modification date and time, and other parameters. Auditor programs have quite sophisticated algorithms, detect stealth viruses and can even tell the changes made by a new version of the program being checked from the changes made by a virus. The Adinf program, widespread in Russia, is one of the auditor programs.
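
An auditor of the kind described here fits in a few dozen lines. The Python below is an added example, not the Adinf program or code from the essay: it records length, CRC32, SHA-256 and modification time for every file under a directory, round-trips the baseline through JSON, and then reports what changed in a constructed directory tree, including an executable rewritten to exactly its previous length. The file names and contents are constructed for the demo.

```python
import hashlib
import json
import os
import tempfile
import zlib


def fingerprint(path):
    """Length, CRC32, SHA-256 and modification time of one file."""
    with open(path, "rb") as fh:
        data = fh.read()
    st = os.stat(path)
    return {
        "size": st.st_size,
        "crc32": zlib.crc32(data) & 0xFFFFFFFF,
        "sha256": hashlib.sha256(data).hexdigest(),
        "mtime": st.st_mtime,
    }


def take_snapshot(root):
    """Fingerprint every regular file under root, keyed by '/'-separated relative path."""
    snapshot = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            snapshot[rel] = fingerprint(full)
    return snapshot


def compare_snapshots(baseline, current):
    """Report files added, removed and modified (naming the fields that differ)."""
    report = {"added": sorted(set(current) - set(baseline)),
              "removed": sorted(set(baseline) - set(current)),
              "modified": {}}
    for rel in sorted(set(baseline) & set(current)):
        old, new = baseline[rel], current[rel]
        changed = [k for k in ("size", "crc32", "sha256") if old[k] != new[k]]
        if changed:
            report["modified"][rel] = changed
        elif old["mtime"] != new["mtime"]:
            report["modified"][rel] = ["mtime"]   # same content, new timestamp
    return report


def write_file(path, data):
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as fh:
        fh.write(data)


def demo():
    """Baseline a constructed tree, then tamper with it the way the text describes."""
    with tempfile.TemporaryDirectory() as root:
        write_file(os.path.join(root, "bin", "app.exe"), b"MZ" + b"\x90" * 62)
        write_file(os.path.join(root, "bin", "tool.com"), b"\xeb\xfe" + b"\x00" * 30)
        write_file(os.path.join(root, "old.txt"), b"to be removed")
        baseline = take_snapshot(root)
        # Persist the baseline as JSON (on write-protected media in practice) and reload it.
        baseline = json.loads(json.dumps(baseline))
        # Tamper: app.exe keeps its length but not its bytes; one file added, one removed.
        write_file(os.path.join(root, "bin", "app.exe"), b"MZ" + b"\x90" * 46 + b"X" * 16)
        write_file(os.path.join(root, "tmp", "new.com"), b"\xeb\xfe")
        os.remove(os.path.join(root, "old.txt"))
        return compare_snapshots(baseline, take_snapshot(root))
```

The same-length rewrite is caught by the checksums even though the size field is unchanged, which is why an auditor must keep a content checksum and not only length and timestamps. The comparison is only trustworthy if the baseline is stored where an active virus cannot alter it and the check runs after a clean boot, as the protection rules later in the essay recommend; a stealth virus active in memory can present the original contents to the auditor.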

Filters, or "watchmen", are small resident programs designed to detect suspicious actions during computer operation that are typical of viruses. Such actions can be:

  • attempts to modify files with the COM or EXE extension
  • changing file attributes
  • direct writes to the disk at an absolute address
  • writes to the boot sectors of the disk

When any program tries to perform the specified actions, the "watchman" sends a message to the user and offers to prohibit or allow the corresponding action. Filters are very useful because they can detect a virus at a very early stage of its existence, before it multiplies. However, they do not "cure" files and disks. To destroy viruses, you need to use other programs, such as phages. The disadvantages of watchdog programs include their "intrusiveness" (for example, they constantly issue a warning about any attempt to copy an executable file), as well as possible conflicts with other software. An example of a filter program is the Vsafe program included in the MS DOS utility package.
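
The following Python is an added example, not the Vsafe program or code from the essay. It applies the four rules listed above to a constructed activity log (a hypothetical KEY=VALUE line format with PROC, OP, PATH and SECTOR fields) and shows how a per-program allow list of decisions the user has already taken removes the repeated prompts the paragraph complains about while still raising the boot-sector write and the write to COMMAND.COM.

```python
import re

# Constructed activity log, one event per line, in a hypothetical KEY=VALUE format.
SAMPLE_EVENTS = [
    "PROC=COPY.EXE OP=open_write PATH=C:\\GAMES\\TETRIS.EXE",
    "PROC=EDIT.COM OP=open_write PATH=C:\\DOCS\\NOTES.TXT",
    "PROC=INSTALL.COM OP=open_write PATH=C:\\DOS\\COMMAND.COM",
    "PROC=INSTALL.COM OP=set_attr PATH=C:\\DOS\\COMMAND.COM ATTR=+R+H",
    "PROC=FDISK.EXE OP=raw_write DRIVE=0 SECTOR=0",
    "PROC=BACKUP.EXE OP=raw_write DRIVE=0 SECTOR=4096",
]

KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_event(line):
    """Split one log line into a dict of its KEY=VALUE fields."""
    return dict(KV_RE.findall(line))


def is_executable(path):
    return path.upper().endswith((".COM", ".EXE"))


def classify(event):
    """Map one event to the suspicious action class a filter prompts on, or None."""
    op = event.get("OP")
    if op == "open_write" and is_executable(event.get("PATH", "")):
        return "write_executable"
    if op == "set_attr":
        return "change_attributes"
    if op == "raw_write":
        # Sector 0 of the drive is the boot sector / MBR; any other absolute write is raw I/O.
        return "write_boot_sector" if event.get("SECTOR") == "0" else "raw_disk_write"
    return None


def monitor(lines, allowed=frozenset()):
    """Return the prompts the watchman would raise, skipping (PROC, class) pairs already allowed."""
    prompts = []
    for line in lines:
        event = parse_event(line)
        action = classify(event)
        if action is None or (event.get("PROC"), action) in allowed:
            continue
        prompts.append({"proc": event.get("PROC"), "action": action, "event": line})
    return prompts
```

Run without an allow list, every executable copy and every backup's raw write produces a prompt, which is exactly the intrusiveness the paragraph describes; once the user's "allow" answers for COPY.EXE and BACKUP.EXE are remembered, only the three events worth a second look remain.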

Vaccines or immunizers are TSR programs that prevent file infections. Vaccines are used if there are no doctor programs that "treat" this virus. Vaccination is possible only against known viruses. The vaccine modifies the program or disk in such a way that it does not affect their work, and the virus will perceive them as infected and therefore will not be introduced. Vaccine programs are currently of limited use.

Timely detection of virus-infected files and disks, complete elimination of detected viruses on each computer help to avoid the spread of a virus outbreak to other computers.

6.3. Basic virus protection measures

In order not to expose your computer to virus infection and to ensure reliable storage of information on disks, the following rules must be observed:

  • equip your computer with modern antivirus programs, for example Aidstest or Doctor Web, and constantly update their versions
  • before reading information stored on other computers from floppy disks, always check these floppy disks for viruses by running the antivirus programs on your computer
  • when transferring archived files to your computer, check them immediately after unpacking them on the hard disk, limiting the scan area to the newly written files only
  • periodically check your computer's hard drives for viruses by running antivirus programs to test files, memory and the system areas of the disks from a write-protected diskette, having first loaded the operating system from a write-protected system diskette
  • always write-protect your floppy disks when working on other computers if no information will be written to them
  • be sure to make archival copies on floppy disks of the information that is valuable to you
  • do not leave floppy disks in the slot of drive A when turning on or restarting the operating system, so as to avoid infecting the computer with boot viruses
  • use antivirus programs for incoming control of all executable files received from computer networks
  • to make the use of Aidstest and Doctor Web more secure, combine it with daily use of the Adinf disk auditor

CONCLUSION

So, we can cite a lot of facts showing that the threat to the information resource is increasing every day, exposing the responsible persons in banks, enterprises and companies around the world to panic. And this threat comes from computer viruses that distort or destroy vital, valuable information, which can lead not only to financial losses, but also to human casualties.

Computer virus - a specially written program that can spontaneously join other programs, create copies of itself and embed them in files, system areas of the computer and computer networks in order to disrupt the operation of programs, damage files and directories, create all kinds of interference in the operation of the computer.

Currently, more than 5000 software viruses are known, the number of which is constantly growing. There are known cases when tutorials were created to help in writing viruses.

The main types of viruses: boot, file, file-boot. The most dangerous type of viruses is polymorphic.

It is clear from the history of computer virology that any original computer development forces antivirus creators to adapt to new technologies and constantly improve antivirus programs.

The reasons for the emergence and spread of viruses are hidden, on the one hand, in human psychology, on the other hand, with the lack of protection in the operating system.

The main routes for viruses to penetrate are removable disks and computer networks. To prevent this from happening, follow the protective measures. Also, several types of special programs called antivirus programs have been developed to detect, remove and protect against computer viruses. If you nevertheless find a virus in your computer, then, according to the traditional approach, it is better to call a professional to figure it out further.

But some of the properties of viruses baffle even experts. Until recently, it was difficult to imagine that a virus could survive a cold boot or spread through document files. In such conditions, one cannot fail to attach importance to at least a basic anti-virus education of users. For all the seriousness of the problem, no virus can do as much harm as a pale user with trembling hands!

So, the health of your computers, the safety of your data are in your hands!


The user of a modern personal computer has free access to all the resources of the machine. It was this that opened up the possibility for the existence of a danger that was called a computer virus.

A computer virus is a specially written program that can spontaneously attach itself to other programs, create copies of itself and insert them into files, system areas of a computer and computer networks in order to disrupt the operation of programs, damage files and directories, and create all kinds of interference with the computer. Depending on the environment, viruses can be divided into network, file, boot, file-boot, macro viruses and Trojans.

  • Network viruses spread over various computer networks.
  • File viruses are embedded mainly in executable modules. File viruses can also be written into other types of files, but, as a rule, once recorded in such files they never gain control and therefore lose their ability to replicate.
  • Boot viruses are embedded in the boot sector of the disk (Boot sector) or in the sector containing the system disk boot program (Master Boot Record).
  • File boot viruses infect both files and boot sectors of disks.
  • Macro viruses are written in high-level languages and infect application document files that have built-in automation languages (macro languages), such as the applications of the Microsoft Office family.
  • Trojans, masquerading as useful programs, are a source of computer infection with viruses.

To detect, remove and protect against computer viruses, several types of special programs have been developed that allow you to detect and destroy viruses. Such programs are called antivirus programs. There are the following types of antivirus software:

  • detector programs;
  • doctor programs, or phages;
  • auditor programs;
  • filter programs;
  • vaccine programs, or immunizers.

Detector programs search for a signature characteristic of a particular virus in RAM and in files and, if one is detected, issue a corresponding message. The disadvantage of such antivirus programs is that they can only find viruses that are known to the developers of such programs.
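As an added illustration (not code from the essay), a minimal signature detector in Python: it searches files for fixed byte patterns from a table and reports the matching names; the signatures and the file image are constructed for this demo and are not real virus code. A pattern absent from the table, even one byte different from a listed one, goes unreported, which is exactly the limitation described above.

```python
import io

# Constructed demonstration signatures: made-up byte strings, not real virus code.
SIGNATURES = {
    "Demo.A": b"MZ\x90\x00DEMO-VIRUS-A",
    "Demo.B": b"JUMP_TO_VIRUS_BODY",
}


def scan_bytes(data, signatures=SIGNATURES):
    """Return the names of every signature present in data, in table order."""
    return [name for name, sig in signatures.items() if sig in data]


def scan_stream(stream, signatures=SIGNATURES, chunk_size=4096):
    """Scan a binary stream chunk by chunk. The last (longest signature - 1)
    bytes of each chunk are carried over so a pattern that straddles a
    chunk boundary is still found."""
    overlap = max(len(sig) for sig in signatures.values()) - 1
    tail, found = b"", set()
    while True:
        block = stream.read(chunk_size)
        if not block:
            break
        found.update(scan_bytes(tail + block, signatures))
        tail = (tail + block)[-overlap:] if overlap else b""
    return sorted(found)


def scan_file(path, signatures=SIGNATURES):
    """Scan one file on disk; memory use stays bounded by chunk_size."""
    with open(path, "rb") as f:
        return scan_stream(f, signatures)


def boundary_check():
    """Constructed file image with Demo.B placed across the first 4096-byte
    chunk boundary; returns what the scanner reports for it."""
    image = b"\x00" * 4090 + SIGNATURES["Demo.B"] + b"\x00" * 100
    return scan_stream(io.BytesIO(image))
```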

Doctor programs, or phages, as well as vaccine programs, not only find files infected with viruses but also "cure" them, that is, they delete the body of the virus program from the file, returning the file to its original state. At the beginning of their work, phages look for viruses in RAM and destroy them, and only then proceed to "cure" files. Among the phages there are polyphages, that is, doctor programs designed to search for and destroy a large number of viruses. The most famous of them: Kaspersky Antivirus, Norton AntiVirus, Doctor Web.

Due to the fact that new viruses are constantly appearing, detector programs and doctor programs quickly become outdated, and regular version updates are required.

Auditor programs are among the most reliable means of protection against viruses. The auditors remember the initial state of programs, directories and system areas of the disk while the computer is not infected with a virus, and then periodically or at the request of the user compare the current state with the initial one. The detected changes are displayed on the monitor screen. As a rule, states are compared immediately after the operating system is loaded. When comparing, the file length, cyclic control code (file checksum), modification date and time, and other parameters are checked. Auditor programs have quite advanced algorithms, detect stealth viruses and can even distinguish changes made by a new version of the program being scanned from changes made by a virus. The widely used program Kaspersky Monitor is one of the auditor programs.
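An added example (not the essay's code or any real auditor product) of the auditor idea in Python: a baseline snapshot records the parameters named above for each tracked file, a later snapshot is compared against it, and a file whose content changed while its timestamp did not is singled out. The tracked extensions, the file names and the appended stub are constructed for the demo.

```python
import hashlib
import os
import tempfile
import zlib
from pathlib import Path

TRACKED = (".exe", ".com", ".sys", ".dll")   # file types the auditor remembers

def file_record(path):
    """Length, CRC32 (the cyclic control code), SHA-256 and modification time of one file."""
    data, st = path.read_bytes(), path.stat()
    return {"size": st.st_size, "crc32": zlib.crc32(data) & 0xFFFFFFFF,
            "sha256": hashlib.sha256(data).hexdigest(), "mtime": int(st.st_mtime)}

def snapshot(root):
    """Baseline of every tracked file under root, keyed by relative path."""
    root = Path(root)
    return {str(p.relative_to(root)): file_record(p)
            for p in sorted(root.rglob("*")) if p.is_file() and p.suffix.lower() in TRACKED}

def compare(baseline, current):
    """Classify differences between two snapshots. Changed content with an
    unchanged timestamp is flagged as suspicious: a legitimate update touches
    mtime, a file infector that restores the old timestamp does not."""
    report = {"added": [], "removed": [], "modified": [], "suspicious": []}
    for name in sorted(set(baseline) | set(current)):
        old, new = baseline.get(name), current.get(name)
        if old is None:
            report["added"].append(name)
        elif new is None:
            report["removed"].append(name)
        elif old != new:
            report["modified"].append(name)
            if new["sha256"] != old["sha256"] and new["mtime"] == old["mtime"]:
                report["suspicious"].append(name)
    return report

def demo():
    """Constructed scenario: baseline, then a stub is appended to calc.exe and
    its timestamp put back the way a stealthy infector would; audit again."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "calc.exe").write_bytes(b"MZ" + b"\x90" * 64)
        (root / "readme.txt").write_bytes(b"not tracked")   # ignored: not in TRACKED
        base = snapshot(root)
        st = (root / "calc.exe").stat()
        with open(root / "calc.exe", "ab") as f:
            f.write(b"APPENDED-STUB")   # constructed marker, not real code
        os.utime(root / "calc.exe", (st.st_atime, st.st_mtime))
        return compare(base, snapshot(root))
```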

Filters or "watchmen" are small resident programs designed to detect suspicious actions during computer operation, typical of viruses. Such actions can be:

  • attempts to modify files with the COM and EXE extensions;
  • changing the attributes of a file;
  • direct writing to disk at an absolute address;
  • writing to the boot sectors of the disk.

When any program tries to perform the specified actions, the "watchman" sends a message to the user and offers to prohibit or allow the corresponding action. Filter programs are quite useful, since they are able to detect a virus at the earliest stage of its existence, before reproduction. However, they do not "cure" files and disks.

To destroy viruses, you need to use other programs, such as phages. The disadvantages of watchdog programs include their "intrusiveness" (for example, they constantly issue a warning about any attempt to copy an executable file), as well as possible conflicts with other software.
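The filter logic described above, as an added Python example that is not part of the essay: each intercepted operation is matched against the four virus-typical actions, a flagged one is put to the user through a callback that prohibits by default, and every decision is logged. The record format, process names and the sequence of operations are constructed for the demo; no real interception hook is involved.

```python
EXECUTABLE_SUFFIXES = (".com", ".exe")
BOOT_SECTORS = {0}   # absolute sector 0 holds the master boot record

class FileOp:
    """One intercepted operation; a constructed record format for this example."""

    def __init__(self, process, action, target="", sector=-1):
        self.process = process   # program that requested the action
        self.action = action     # "write", "chmod" or "raw_write"
        self.target = target     # file path for write/chmod
        self.sector = sector     # absolute sector for raw_write

def suspicious_reason(op):
    """Why the operation matches one of the virus-typical actions, or None."""
    if op.action == "write" and op.target.lower().endswith(EXECUTABLE_SUFFIXES):
        return "modifies an executable file"
    if op.action == "chmod":
        return "changes file attributes"
    if op.action == "raw_write":
        return ("writes to a boot sector" if op.sector in BOOT_SECTORS
                else "writes to disk at an absolute address")
    return None

class Watchman:
    """Resident filter: asks the user (the `ask` callback) before a flagged action
    proceeds, prohibits by default, and logs every decision."""

    def __init__(self, ask=lambda op, reason: False):
        self.ask, self.log = ask, []

    def check(self, op):
        reason = suspicious_reason(op)
        if reason is None:
            return True
        allowed = self.ask(op, reason)
        self.log.append((op.process, reason, "allowed" if allowed else "blocked"))
        return allowed

def demo():
    """Constructed sequence of operations (not captured from a real machine) run
    through a watchman whose user allows only the installer's actions."""
    ops = [FileOp("editor.exe", "write", "notes.txt"),
           FileOp("unknown.com", "write", "COMMAND.COM"),
           FileOp("unknown.com", "chmod", "COMMAND.COM"),
           FileOp("format.com", "raw_write", sector=0),
           FileOp("tool.exe", "raw_write", sector=2048),
           FileOp("installer.exe", "write", "setup.exe")]
    w = Watchman(ask=lambda op, reason: op.process == "installer.exe")
    return [w.check(op) for op in ops], w.log
```

The default callback prohibits everything flagged, which is the same "intrusiveness" the text complains about: the installer's own write to setup.exe is only let through because the user explicitly allows it.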

Vaccines, or immunizers, are resident programs that prevent file infection. Vaccines are used when there are no doctor programs that "treat" a given virus. Vaccination is possible only against known viruses. The vaccine modifies the program or disk in such a way that this does not affect their work, while the virus perceives them as already infected and therefore does not embed itself. Vaccine programs are currently of limited use.

Timely detection of virus-infected files and disks, complete elimination of detected viruses on each computer help to avoid the spread of a virus outbreak to other computers.