INTRODUCTION

We live at the turn of two millennia, when humanity has entered the era of a new scientific and technological revolution.

By the end of the twentieth century, people had mastered many of the secrets of the transformation of matter and energy and were able to use this knowledge to improve their lives. But in addition to matter and energy, another component plays a huge role in human life - information. This is a wide variety of information, messages, news, knowledge, skills.

In the middle of our century, special devices appeared - computers, focused on the storage and transformation of information - and a computer revolution took place.

Today, the mass use of personal computers has, unfortunately, turned out to be associated with the emergence of self-reproducing virus programs that prevent the normal operation of a computer, destroy the file structure of disks and damage the information stored in a computer.

Despite the laws adopted in many countries to combat computer crimes and the development of special software tools for protection against viruses, the number of new software viruses is constantly growing. This requires the user of a personal computer to be knowledgeable about the nature of viruses, how they infect a computer and how to protect against them. This was the stimulus for choosing the theme of my work.

That's what I'm talking about in my essay. I show the main types of viruses, consider the schemes of their functioning, the reasons for their appearance and ways of penetrating the computer, and also suggest measures for protection and prevention.

The purpose of the work is to acquaint the user with the basics of computer virology, to teach how to detect viruses and fight them. The method of work is the analysis of printed publications on this topic. I faced a difficult task - to talk about what has been very little studied, and how it happened - you be the judge.

1. COMPUTER VIRUSES, THEIR PROPERTIES AND CLASSIFICATION

1.1. Properties of computer viruses

Personal computers are now in use in which the user has free access to all the resources of the machine. This is what opened the way for the danger that has come to be known as a computer virus.

What is a computer virus? A formal definition of this concept has not yet been invented, and there are serious doubts that it can be given at all. Numerous attempts to give a "modern" definition of the virus have not been successful. To feel the complexity of the problem, try, for example, to define the concept of "editor". You will either come up with something very general, or you will start listing all known types of editors. Both can hardly be considered acceptable. Therefore, we will confine ourselves to considering some properties of computer viruses that allow us to speak of them as a certain specific class of programs.

First of all, a virus is a program. This simple statement alone can dispel many legends about the extraordinary capabilities of computer viruses. A virus can flip the image on your monitor, but it cannot flip the monitor itself. Nor should the legends about killer viruses that "destroy operators by displaying deadly colors in the 25th frame" be taken seriously. Unfortunately, some authoritative publications from time to time publish "the latest news from the computer front", which, upon closer examination, turns out to be the result of a not entirely clear understanding of the subject.

A virus is a program that has the ability to reproduce itself. This ability is the only property inherent in all types of viruses. But viruses are not the only things capable of self-replication. Any operating system and many other programs are capable of creating their own copies. Copies of the same virus not only do not have to match the original completely, but may not match it at all!

A virus cannot exist in "complete isolation": today one cannot imagine a virus that does not use other programs' code, file structure information, or even just the names of other programs. The reason is clear: the virus must somehow ensure the transfer of control to itself.

1.2. Virus classification

Currently, more than 5,000 software viruses are known; they can be classified according to the following criteria:

- habitat

- method of infecting the habitat

- degree of impact

- features of the algorithm

Depending on the habitat, viruses can be divided into network, file, boot, and file-boot viruses. Network viruses are distributed over various computer networks. File viruses are introduced mainly into executable modules, that is, into files with COM and EXE extensions. File viruses can be embedded in other types of files, but, as a rule, once written into such files they never get control and therefore lose the ability to reproduce. Boot viruses are embedded in the boot sector of the disk (Boot sector) or in the sector containing the boot program of the system disk (Master Boot Record). File-boot viruses infect both files and the boot sectors of disks.

According to the method of infection, viruses are divided into resident and non-resident. A resident virus, when infecting a computer, leaves its resident part in random access memory, which then intercepts the operating system's accesses to infectable objects (files, disk boot sectors, etc.) and injects itself into them. Resident viruses reside in memory and remain active until the computer is turned off or restarted. Non-resident viruses do not infect computer memory and are active for a limited time.

According to the degree of impact, viruses can be divided into the following types:

- non-hazardous, which do not interfere with the operation of the computer, but reduce the amount of free RAM and disk space; the actions of such viruses are manifested in some graphic or sound effects

- dangerous viruses, which can cause various problems with your computer

- very dangerous, the impact of which can lead to the loss of programs, the destruction of data, and the erasure of information in the system areas of the disk.

2. MAIN TYPES OF VIRUSES AND SCHEMES OF THEIR FUNCTIONING

Among the variety of viruses, the following main groups can be distinguished:

- boot

- file

- file-boot

Now in more detail about each of these groups.

2.1. Boot viruses

Consider the operation of a very simple boot virus that infects floppy disks. We deliberately bypass all the numerous subtleties that would inevitably be encountered in a rigorous analysis of the algorithm for its functioning.

What happens when you turn on your computer? First, control is transferred to the bootstrap program (PNZ), which is stored in read-only memory (ROM), i.e. the PNZ ROM.

This program tests the hardware and, if the tests pass, tries to find a floppy disk in drive A:.

Every floppy disk is divided into so-called sectors and tracks. Sectors are combined into clusters, but this is not essential for us.

Among the sectors there are several service sectors used by the operating system for its own needs (your data cannot be placed in these sectors). Among the service sectors, we are interested in just one - the so-called bootstrap sector (boot sector).

The bootstrap sector stores information about the diskette - the number of surfaces, the number of tracks, the number of sectors, etc. But right now we are not interested in this information, but in a small bootstrap program (PNZ), which should load the operating system itself and transfer control to it.

So the normal bootstrap pattern is as follows:

Now consider the virus. In boot viruses, two parts are distinguished - the so-called head and tail. The tail, generally speaking, can be empty.

Suppose you have a blank floppy disk and an infected computer, by which we mean a computer with an active resident virus. As soon as this virus detects that a suitable victim has appeared in the drive - in our case, a diskette that is not write-protected and not yet infected - it proceeds to infect it. When infecting a floppy disk, the virus performs the following actions:

Allocates a certain area of the disk and marks it as inaccessible to the operating system; this can be done in different ways, and in the simplest and traditional case the sectors occupied by the virus are marked as bad

Copies its tail and the original (healthy) boot sector to the selected area of the disk

Replaces the bootstrap program in the (real) boot sector with its head

Organizes the chain of control transfer according to the scheme.

Thus, the head of the virus is now the first to take control; the virus installs itself in memory and transfers control to the original boot sector. In the chain

PNZ (ROM) - PNZ (disk) - SYSTEM

a new link appears:

PNZ (ROM) - VIRUS - PNZ (disk) - SYSTEM

The moral is clear: never (accidentally) leave floppy disks in drive A.

We have examined the operation of a simple boot virus that lives in the boot sectors of floppy disks. As a rule, viruses can infect not only the boot sectors of floppy disks, but also the boot sectors of hard drives. In this case, unlike a floppy disk, a hard drive has two types of boot sectors containing boot programs that receive control. When a computer boots from a hard drive, the boot program in the MBR (Master Boot Record) takes control first. If your hard drive is divided into several partitions, then only one of them is marked as bootable (boot). The bootstrap program in the MBR finds the boot partition of the hard drive and transfers control to the bootloader of this partition. The code of the latter is the same as the code of the boot program contained on ordinary floppy disks, and the corresponding boot sectors differ only in their parameter tables. Thus, boot viruses have two targets on a hard drive - the bootstrap program in the MBR and the bootstrap program in the boot sector of the boot partition.

2.2. File viruses

Let us now consider how a simple file virus works. Unlike boot viruses, which are almost always resident, file viruses are not necessarily resident. Let's consider the scheme of functioning of a non-resident file virus. Suppose we have an infected executable file. When such a file is launched, the virus takes control, performs some actions, and transfers control to the "master" (although it is still unknown who is the master in such a situation).

What actions does the virus perform? It looks for a new object to infect - a file of a suitable type that has not yet been infected (provided the virus is "decent"; there are others that infect immediately without checking anything). When infecting a file, the virus injects itself into its code in order to gain control when the file is run. In addition to its main function - reproduction - the virus may well do something intricate (say, ask a question or play something); this already depends on the imagination of the virus author. If a file virus is resident, it installs itself into memory and gains the ability to infect files and exhibit its other abilities not only while the infected file is running. When infecting an executable file, a virus always modifies its code; therefore, an infection of an executable file can always be detected. But while changing the file's code, the virus does not necessarily make other changes:

- it is not obliged to change the length of the file

- it is not obliged to change unused sections of code

- it is not obliged to change the beginning of the file

Finally, file viruses often include viruses that "have something to do with files" but are not required to intrude into their code. Let us consider as an example the scheme of functioning of viruses of the well-known Dir-II family. It must be admitted that, having appeared in 1991, these viruses caused a real plague epidemic in Russia. Consider a model that clearly shows the basic idea of the virus. Information about files is stored in directories. Each directory entry includes the file name, creation date and time, some additional information, the number of the file's first cluster, and so-called spare bytes. The latter are left "in reserve" and are not used by MS-DOS itself.

When running an executable file, the system reads the number of the file's first cluster from the directory entry and then reads all the other clusters. Viruses of the Dir-II family perform the following "reorganization" of the file system: the virus itself is written to some free disk sectors, which it marks as bad. In addition, it stores the information about the first clusters of executable files in the spare bytes, and writes references to itself in place of this information.

Thus, when any file is launched, the virus receives control (the operating system itself launches it), takes up residence in memory, and transfers control to the file that was called.
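The two traces this reorganization leaves in a directory (executables whose first-cluster fields all point at the same cluster, and spare bytes that are no longer zero) can be checked directly. The following is an added example, not part of the essay: it parses constructed 32-byte MS-DOS directory entries and flags entries showing those signs. The sample cluster numbers and names are invented.

```python
import struct
from collections import defaultdict

# Layout of a 32-byte MS-DOS directory entry: name, extension, attributes,
# ten reserved ("spare") bytes, time, date, first cluster, size. The reserved
# bytes are assumed to be unused, as in the MS-DOS versions the essay describes.
ENTRY = struct.Struct("<8s3sB10sHHHI")
EXECUTABLE_EXTS = (b"COM", b"EXE")
ATTR_DIRECTORY = 0x10


def parse_directory(raw: bytes):
    """Yield (name, attr, reserved, first_cluster, size, ext) for each live entry."""
    for off in range(0, len(raw) - ENTRY.size + 1, ENTRY.size):
        name, ext, attr, reserved, _time, _date, first, size = ENTRY.unpack_from(raw, off)
        if name[0] == 0x00:      # end-of-directory marker
            break
        if name[0] == 0xE5:      # deleted entry
            continue
        base = name.rstrip(b" ").decode("ascii", "replace")
        ext = ext.rstrip(b" ")
        full = f"{base}.{ext.decode('ascii', 'replace')}" if ext else base
        yield full, attr, reserved, first, size, ext


def find_dir2_style_entries(raw: bytes) -> list[str]:
    """Names of executables whose entries show the two signs the essay describes."""
    suspects = set()
    by_cluster = defaultdict(list)
    for name, attr, reserved, first, _size, ext in parse_directory(raw):
        if attr & ATTR_DIRECTORY or ext.upper() not in EXECUTABLE_EXTS:
            continue
        by_cluster[first].append(name)
        # Sign 1: the spare bytes, which MS-DOS leaves zero, now hold data
        # (the virus parks the real first-cluster number there).
        if any(reserved):
            suspects.add(name)
    # Sign 2: several executables share one first cluster, i.e. every program
    # now "starts" in the sectors the virus reserved for itself.
    for names in by_cluster.values():
        if len(names) > 1:
            suspects.update(names)
    return sorted(suspects)


def make_entry(name, ext, first, size, reserved=b"\x00" * 10, attr=0x20) -> bytes:
    """Build one constructed directory entry for the samples below."""
    return ENTRY.pack(name.ljust(8).encode(), ext.ljust(3).encode(), attr,
                      reserved, 0, 0, first, size)


# Constructed clean directory: each file has its own first cluster, spare bytes zero.
CLEAN_DIR = b"".join([
    make_entry("GAME", "COM", 5, 1200),
    make_entry("EDIT", "EXE", 9, 40960),
    make_entry("README", "TXT", 20, 300),
]) + b"\x00" * ENTRY.size

# Constructed Dir-II-style result: both executables now point at cluster 100
# (the virus's hidden sectors) and keep their real first cluster in the spare
# bytes; the text file is untouched.
INFECTED_DIR = b"".join([
    make_entry("GAME", "COM", 100, 1200, reserved=b"\x05\x00" + b"\x00" * 8),
    make_entry("EDIT", "EXE", 100, 40960, reserved=b"\x09\x00" + b"\x00" * 8),
    make_entry("README", "TXT", 20, 300),
]) + b"\x00" * ENTRY.size

if __name__ == "__main__":
    print("clean   :", find_dir2_style_entries(CLEAN_DIR))
    print("infected:", find_dir2_style_entries(INFECTED_DIR))
```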

2.3. Boot-file viruses

We will not consider a model of a boot-file virus, because you would not learn anything new from it. But this is an opportunity to briefly discuss the recently extremely "popular" OneHalf boot-file virus, which infects the master boot sector (MBR) and executable files. Its main destructive action is the encryption of hard drive sectors. On each launch, the virus encrypts the next portion of sectors, and after encrypting half of the hard drive it happily announces the fact. The main problem in treating this virus is that it is not enough simply to remove the virus from the MBR and files; the information it encrypted must also be decrypted. The most "fatal" thing to do is simply to write a new, healthy MBR over the old one. The main thing is not to panic. Weigh everything calmly and consult with experts.

2.4. Polymorphic viruses

Most questions concern the term "polymorphic virus". This type of computer virus is by far the most dangerous. Let us explain what it is.

Polymorphic viruses are viruses that modify their code in infected programs in such a way that two instances of the same virus may not match in one bit.

Such viruses not only encrypt their code in different ways, but also contain code that generates the encryptor and decryptor. This distinguishes them from ordinary encrypting viruses, which can also encrypt parts of their code but have a constant encryptor and decryptor.

Polymorphic viruses are viruses with self-modifying decoders. The purpose of such encryption is that even if you have both the infected and the original file, you still cannot analyze the virus code by conventional disassembly. This code is encrypted and appears as a meaningless set of commands. Decryption is performed by the virus itself at run time. Here there are options: it can decrypt itself all at once, or it can perform such decryption "on the fly", and it can re-encrypt sections that have already executed. All this is done to make analysis of the virus code difficult.

3. HISTORY OF COMPUTER VIROLOGY AND CAUSES OF VIRUSES

The history of computer virology today looks like a constant "race for the leader", and, despite the full power of modern anti-virus programs, it is the viruses that lead. Among the thousands of viruses, only a few dozen are original developments using truly fundamentally new ideas. All the others are "variations on a theme". But each original development forces the creators of antiviruses to adapt to new conditions, to catch up with virus technology. The latter is debatable. For example, in 1989, an American student managed to create a virus that disabled about 6,000 US Department of Defense computers. Or take the epidemic of the famous Dir-II virus that broke out in 1991. The virus used a truly original, fundamentally new technology and at first managed to spread widely because of the imperfection of traditional anti-virus tools.

Or the outbreak of computer viruses in the UK: Christopher Pine managed to create the Pathogen and Queeq viruses, as well as the Smeg virus. It was the latter that was the most dangerous: it could be applied to the first two viruses, and because of this, after each run of the program, they changed their configuration. Therefore, they were impossible to destroy. To spread the viruses, Pine copied computer games and programs, infected them, and then sent them back to the network. Users downloaded the infected programs to their computers and infected their disks. The situation was aggravated by the fact that Pine managed to introduce the viruses into the program that fights them. By running it, users received yet another virus instead of destroying the existing ones. As a result, the files of many companies were destroyed, and the losses amounted to millions of pounds.

American programmer Morris is widely known. He is known as the creator of the virus that in November 1988 infected about 7,000 personal computers connected to the Internet.

The reasons for the emergence and spread of computer viruses are hidden, on the one hand, in the psychology of the human personality and its shadow sides (envy, revenge, the vanity of unrecognized creators, the inability to apply one's abilities constructively) and, on the other hand, in the lack of hardware protection and countermeasures in the operating systems of personal computers.

4. WAYS OF PENETRATION OF VIRUSES INTO A COMPUTER AND MECHANISM OF DISTRIBUTION OF VIRUS PROGRAMS

The main ways for viruses to enter a computer are removable disks (floppy and laser disks), as well as computer networks. A hard disk can become infected with a virus when a program is loaded from a floppy disk containing a virus. Such an infection can also be accidental, for example, if a floppy disk was not removed from drive A and the computer was restarted, even if the floppy disk is not a system disk. It is much easier to infect a floppy disk. A virus can get onto it even if the floppy disk is simply inserted into the disk drive of an infected computer and, for example, its table of contents is read.

The virus, as a rule, is introduced into a working program in such a way that, when the program is launched, control is first transferred to the virus and only after all of its commands have executed does it return to the working program. Having gained control, the virus first of all writes itself into another working program and infects it. After a program containing a virus is run, it becomes possible to infect other files. Most often, the virus infects the boot sector of the disk and executable files with the EXE, COM, SYS and BAT extensions. Text files are infected extremely rarely.

After infecting a program, the virus may perform some kind of sabotage, not too serious so as not to attract attention. And finally, it does not forget to return control to the program from which it was launched. Each execution of an infected program transfers the virus to the next one. In this way all the software gets infected.

To illustrate the process of a virus infecting a computer program, it makes sense to liken disk storage to an old-fashioned archive with folders on tape. The folders contain programs, and the sequence of operations by which a virus is introduced in this case looks as follows. (See Appendix 1)

5. SIGNS OF VIRUSES

When a computer is infected with a virus, it is important to detect it. To do this, you should know about the main signs of the manifestation of viruses. These include the following:

- termination or incorrect operation of previously well-functioning programs

- slow computer performance

- inability to boot the operating system

- disappearance of files and directories or distortion of their contents

- changes in the modification date and time of files

- changes in file sizes

- an unexpected large increase in the number of files on the disk

- a significant decrease in the amount of free RAM

- display of unexpected messages or images on the screen

- unexpected sound signals

- frequent freezes and computer crashes

It should be noted that the above phenomena are not necessarily caused by the presence of the virus, but may be due to other causes. Therefore, it is always difficult to correctly diagnose the state of the computer.

6. VIRUS DETECTION AND PROTECTION AND PREVENTION MEASURES

6.1. How to detect a virus? The traditional approach

So, a certain virus writer creates a virus and launches it into "life". For some time it may roam freely, but sooner or later the "easy life" will end. Someone will suspect that something is wrong. Viruses are usually found by ordinary users who notice certain anomalies in the behavior of the computer. In most cases, they are not able to cope with the infection on their own, but this is not required of them.

It is only necessary that the virus gets into the hands of specialists as soon as possible. Professionals will study it and find out "what it does", "how it does it", "when it does it", etc. In the course of such work, all the necessary information about the virus is collected; in particular, the virus's signature is extracted - a sequence of bytes that characterizes it quite definitely. To build a signature, the most important and characteristic parts of the virus code are usually taken. At the same time, the mechanisms of how the virus works become clear: for example, in the case of a boot virus, it is important to know where it hides its tail and where the original boot sector is located, and in the case of a file virus, how the file is infected. The information obtained makes it possible to determine:

how to detect the virus: for this, methods are specified for searching for its signature in the potential objects of a virus attack - files and/or boot sectors

how to neutralize the virus: if possible, algorithms are developed for removing the virus code from the affected objects

6.2. Virus detection and protection programs

To detect, remove and protect against computer viruses, several types of special programs have been developed that allow you to detect and destroy viruses. Such programs are called antivirus programs. There are the following types of antivirus programs:

detector programs

doctor programs, or phages

auditor programs

filter programs

vaccine programs, or immunizers

Detector programs search for a signature characteristic of a particular virus in RAM and in files and, if it is found, issue an appropriate message. The disadvantage of such anti-virus programs is that they can only find viruses that are known to the developers of the programs.
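As an added illustration of the detector approach from sections 6.1 and 6.2 (this is example code, not from the essay), the following scanner searches executables and boot-sector images for signatures with wildcard bytes. The signature database and the infected and clean samples are constructed for the example and correspond to no real virus; the .img suffix for boot-sector images is an assumption.

```python
import os
import re
from dataclasses import dataclass

# Constructed signature database. Each signature is a hex string in which "??"
# stands for any one byte. Real detectors use sequences extracted by analysts
# from the most characteristic part of a virus; these patterns are invented.
SIGNATURES = {
    "DEMO-FILE-A": "B8 ?? ?? CD 21 E9 ?? ?? C3",
    "DEMO-BOOT-B": "EB ?? 90 CD 13 BB 00 7C",
}

# Objects that file and boot viruses attack, per the essay: executables and
# raw boot-sector images (the .img suffix is an assumption of this example).
SCAN_SUFFIXES = (".com", ".exe", ".sys", ".img")


def compile_signature(hex_pattern: str) -> re.Pattern:
    """Turn 'B8 ?? ?? CD 21' into a bytes regex; '??' becomes a wildcard byte."""
    parts = []
    for token in hex_pattern.split():
        if token == "??":
            parts.append(b".")
        else:
            parts.append(re.escape(bytes([int(token, 16)])))
    # DOTALL so the wildcard also matches 0x0A, which "." would otherwise skip.
    return re.compile(b"".join(parts), re.DOTALL)


COMPILED = {name: compile_signature(p) for name, p in SIGNATURES.items()}


@dataclass(frozen=True)
class Hit:
    signature: str
    offset: int


def scan_bytes(data: bytes) -> list[Hit]:
    """Return every signature occurrence in data, in offset order."""
    hits = [Hit(name, m.start())
            for name, rx in COMPILED.items() for m in rx.finditer(data)]
    return sorted(hits, key=lambda h: h.offset)


def scan_tree(root: str) -> dict[str, list[Hit]]:
    """Scan executables and boot-sector images under root; keys are relative paths."""
    findings = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            if not name.lower().endswith(SCAN_SUFFIXES):
                continue
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                hits = scan_bytes(fh.read())
            if hits:
                findings[os.path.relpath(path, root)] = hits
    return findings


# Constructed samples. INFECTED_COM models a file virus that patched a jump
# into the start of the program and appended its own body at the end.
CLEAN_COM = bytes.fromhex("B4 09 BA 00 01 CD 21 B8 00 4C CD 21")
INFECTED_COM = b"\xE9\x20\x00" + b"\x90" * 0x20 + bytes.fromhex("B8 00 4C CD 21 E9 34 12 C3")
# The same body with one non-wildcard byte changed: a detector relying on this
# exact signature no longer sees it. That is the limitation of detectors the
# essay notes, and why polymorphic viruses are hard to catch this way.
VARIANT_COM = INFECTED_COM[:-1] + b"\xCB"
CLEAN_BOOT = b"\xEB\x3C\x90MSDOS5.0".ljust(510, b"\x00") + b"\x55\xAA"
INFECTED_BOOT = bytes.fromhex("EB 3C 90 CD 13 BB 00 7C").ljust(510, b"\x00") + b"\x55\xAA"

if __name__ == "__main__":
    samples = [("clean COM", CLEAN_COM), ("infected COM", INFECTED_COM),
               ("variant COM", VARIANT_COM), ("clean boot", CLEAN_BOOT),
               ("infected boot", INFECTED_BOOT)]
    for label, sample in samples:
        print(f"{label:13}: {scan_bytes(sample) or 'no signature found'}")
```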

Doctor programs, or phages, as well as vaccine programs, not only find virus-infected files, but also "treat" them, i.e. remove the body of the virus program from the file, returning the file to its initial state. At the beginning of their work, phages look for viruses in RAM and destroy them, and only then proceed to the "treatment" of files. Among phages, polyphages are distinguished, i.e. doctor programs designed to find and destroy a large number of viruses. The most famous of them are Aidstest, Scan, Norton Antivirus and Doctor Web.

Given that new viruses are constantly appearing, detection programs and doctor programs quickly become outdated, and regular updates are required.

Auditor programs are among the most reliable means of protection against viruses. Auditors remember the initial state of programs, directories and system areas of the disk while the computer is not infected with a virus, and then periodically, or at the user's request, compare the current state with the original one. The detected changes are displayed on the monitor screen. As a rule, the states are compared immediately after the operating system has loaded. The comparison checks the file length, the cyclic redundancy code (file checksum), the date and time of modification, and other parameters. Auditor programs have fairly advanced algorithms, detect stealth viruses, and can even clean a modified version of the program being checked of the changes made by the virus. Among auditor programs, the Adinf program is widely used in Russia.
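As an added example (not from the essay) of the auditor approach just described: a snapshot records length, CRC32 checksum and modification time for every executable and for constructed stand-ins of the disk system areas, and a later comparison reports what vanished, appeared or changed. The file names, the boot_sector.img stand-in and the simulated infection in demo() are all constructed for this example.

```python
import os
import tempfile
import zlib
from dataclasses import dataclass

# Constructed stand-ins for the disk system areas an auditor also guards
# (boot sector, MBR); the file names are an assumption of this example.
SYSTEM_AREAS = ("boot_sector.img", "mbr.img")
EXECUTABLE_SUFFIXES = (".com", ".exe", ".sys")


@dataclass(frozen=True)
class Fingerprint:
    length: int
    crc32: int   # the "cyclic redundancy code" the essay mentions
    mtime: int   # whole seconds; DOS timestamps only have 2-second resolution anyway


def fingerprint(data: bytes, mtime: float) -> Fingerprint:
    return Fingerprint(len(data), zlib.crc32(data), int(mtime))


def take_snapshot(root: str) -> dict[str, Fingerprint]:
    """Fingerprint every executable and system-area image under root."""
    snapshot = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            lower = name.lower()
            if not (lower.endswith(EXECUTABLE_SUFFIXES) or lower in SYSTEM_AREAS):
                continue
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                data = fh.read()
            snapshot[os.path.relpath(path, root)] = fingerprint(data, os.stat(path).st_mtime)
    return snapshot


def compare(baseline: dict, current: dict) -> dict:
    """Report objects that vanished, appeared, or changed since the baseline."""
    report = {"missing": sorted(set(baseline) - set(current)),
              "new": sorted(set(current) - set(baseline)),
              "changed": {}}
    for rel in sorted(set(baseline) & set(current)):
        old, new = baseline[rel], current[rel]
        if old == new:
            continue
        reasons = []
        if old.length != new.length:
            reasons.append("length")
        if old.mtime != new.mtime:
            reasons.append("mtime")
        if old.crc32 != new.crc32:
            reasons.append("checksum")
        # Content changed while length and timestamp stayed put: the essay notes
        # a virus need not alter the length, and restoring the date is how it hides.
        if reasons == ["checksum"]:
            reasons.append("stealth-suspect")
        report["changed"][rel] = reasons
    return report


def demo() -> dict:
    """Build a tiny disk in a temp dir, baseline it, simulate an infection, compare."""
    root = tempfile.mkdtemp(prefix="auditor-")
    files = {
        "GAME.COM": bytes.fromhex("B4 09 BA 00 01 CD 21 B8 00 4C CD 21"),
        "EDIT.EXE": b"MZ" + b"\x00" * 62,
        "boot_sector.img": b"\xEB\x3C\x90MSDOS5.0".ljust(510, b"\x00") + b"\x55\xAA",
        "NOTES.TXT": b"text files are almost never infected",
    }
    for name, data in files.items():
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(data)
    baseline = take_snapshot(root)

    # Simulated infection: a file virus appends its body to GAME.COM ...
    with open(os.path.join(root, "GAME.COM"), "ab") as fh:
        fh.write(b"\x90" * 64)
    # ... a boot virus overwrites part of the boot sector without changing its
    # size and puts the old timestamp back ...
    boot = os.path.join(root, "boot_sector.img")
    st = os.stat(boot)
    patched = bytearray(files["boot_sector.img"])
    patched[0x3E:0x41] = b"\xCD\x13\x90"
    with open(boot, "wb") as fh:
        fh.write(patched)
    os.utime(boot, (st.st_atime, st.st_mtime))
    # ... a new executable appears and one disappears.
    with open(os.path.join(root, "NEW.COM"), "wb") as fh:
        fh.write(b"\xC3")
    os.remove(os.path.join(root, "EDIT.EXE"))
    return compare(baseline, take_snapshot(root))


if __name__ == "__main__":
    for kind, items in demo().items():
        print(kind, items)
```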

Filter programs, or "watchmen", are small resident programs designed to detect suspicious computer activity characteristic of viruses. Such actions may be:

attempts to modify files with the COM and EXE extensions

changing file attributes

direct writes to the disk at an absolute address

writes to the boot sectors of the disk

When any program tries to perform these actions, the "watchman" sends a message to the user and offers to prohibit or allow the corresponding action. Filter programs are very useful, as they are able to detect a virus at the earliest stage of its existence, before it reproduces. However, they do not "heal" files and disks. To destroy viruses, you need to use other programs, such as phages. The disadvantages of watchdog programs include their "intrusiveness" (for example, they constantly issue a warning about any attempt to copy an executable file), as well as possible conflicts with other software. An example of a filter program is the Vsafe program, which is part of the MS-DOS utility package.

Vaccines, or immunizers, are resident programs that prevent file infection. Vaccines are used when there are no doctor programs that "treat" a given virus. Vaccination is possible only against known viruses. The vaccine modifies the program or disk in such a way that this does not affect their operation, while the virus perceives them as already infected and therefore does not take root. Vaccine programs are currently of limited use.

Timely detection of virus-infected files and disks, complete destruction of detected viruses on each computer helps to avoid the spread of a virus epidemic to other computers.

6.3. Basic measures to protect against viruses

To prevent your computer from being infected with viruses and to ensure secure storage of information on disks, the following rules must be observed:

- equip your computer with up-to-date anti-virus programs, such as Aidstest and Doctor Web, and constantly update their versions

- before reading information stored on other computers from floppy disks, always check these diskettes for viruses by running the anti-virus programs on your computer

- when transferring archived files to your computer, check them immediately after unpacking them onto your hard disk, limiting the check to the newly written files

- periodically check the computer's hard drives for viruses by running anti-virus programs from a write-protected floppy disk to test files, memory and system areas of the disks, after loading the operating system from a write-protected system diskette

- always write-protect your floppy disks when working on other computers if no information will be written to them

- be sure to make archival copies on diskettes of information that is valuable to you

- do not leave floppy disks in drive A when turning on or rebooting the operating system, to prevent infection of the computer with boot viruses

- use anti-virus programs for input control of all executable files received from computer networks

- to ensure greater security, the use of Aidstest and Doctor Web must be combined with daily use of the Adinf disk auditor

CONCLUSION

So, we can cite many facts indicating that the threat to information resources is increasing every day, putting those responsible in banks, enterprises and companies all over the world into a panic. And this threat comes from computer viruses that distort or destroy vital, valuable information, which can lead not only to financial losses but also to human casualties.

A computer virus is a specially written program that can spontaneously attach itself to other programs, create copies of itself and embed them in files, system areas of the computer and computer networks in order to disrupt the operation of programs, damage files and directories, and create all kinds of interference in the operation of the computer.

Currently, more than 5,000 software viruses are known, the number of which is constantly growing. There are cases when tutorials were created to help in writing viruses.

The main types of viruses: boot, file, file-boot. The most dangerous type of viruses is polymorphic.

From the history of computer virology, it is clear that any original computer development forces the creators of antiviruses to adapt to new technologies, constantly improve antivirus programs.

The reasons for the appearance and spread of viruses lie, on the one hand, in human psychology and, on the other hand, in the lack of protection in the operating system.

The main ways for viruses to penetrate a computer are removable drives and computer networks. To prevent this from happening, take precautions. In addition, several types of special programs, called anti-virus programs, have been developed to detect, remove and protect against computer viruses. If you still find a virus on your computer, then according to the traditional approach it is better to call a professional so that they can figure it out further.

But some properties of viruses puzzle even experts. Until quite recently, it was hard to imagine that a virus could survive a cold reboot or spread through document files. Under such conditions, it is impossible not to attach importance to at least a basic anti-virus education of users. Despite the seriousness of the problem, no virus is capable of causing as much harm as a pale-faced user with trembling hands!

So, the health of your computers and the safety of your data are in your hands!


Anti-virus protection is the most common measure for ensuring the information security of the IT infrastructure in the corporate sector. However, only 74% of Russian companies use anti-virus solutions for protection, according to a study conducted by Kaspersky Lab together with the analytical company B2B International (autumn 2013).

The report also says that, amid the explosive growth of cyberthreats from which simple antiviruses do not protect companies, Russian business is increasingly using comprehensive protection tools. Largely for this reason, the use of tools for encrypting data on removable media increased by 7% (24%). In addition, companies have become more willing to define separate security policies for removable devices. Differentiation of access levels to different parts of the IT infrastructure has also increased (49%). At the same time, small and medium-sized businesses pay more attention to control of removable devices (35%) and application control (31%).

The researchers also found that, despite the constant discovery of new vulnerabilities in software, Russian companies still do not pay due attention to regular software updates. What's more, the number of organizations that apply patches is down from last year to just 59%.

Modern anti-virus programs are able to effectively detect malicious objects inside program files and documents. In some cases, the antivirus can remove the body of a malicious object from an infected file and restore the file itself. In most cases, an antivirus is able to remove a malicious program object not only from a program file but also from an office document file without violating its integrity. Using anti-virus programs does not require high qualifications and is accessible to almost any computer user.

Most anti-virus programs combine real-time protection (virus monitor) and on-demand protection (virus scanner).

Antivirus rating

2019: Two thirds of antiviruses for Android were useless

In March 2019, AV-Comparatives, an Austrian laboratory specializing in testing antivirus software, published the results of a study that showed the uselessness of most such programs for Android.

Only 23 antiviruses listed in the official Google Play Store catalog accurately recognize malware in 100% of cases. The rest of the software either does not respond to mobile threats or mistakes absolutely safe applications for them.

Experts studied 250 antiviruses and reported that only 80 of them can detect more than 30% of malware. Thus, 170 applications failed the test. The products that passed the tests were mainly solutions from large manufacturers, including Avast, Bitdefender, ESET, F-Secure, G-Data, Kaspersky Lab, McAfee, Sophos, Symantec, Tencent, Trend Micro and Trustwave.

As part of the experiment, the researchers installed each anti-virus application on a separate device (without an emulator) and automated the devices to launch a browser, download and then install malware. Each device was tested against 2,000 of the most prevalent Android viruses in 2018.

According to AV-Comparatives, most antivirus solutions for Android are fakes. Dozens of applications have an almost identical interface, and their creators are clearly more interested in displaying ads than in writing a working virus scanner.

Some antiviruses "see" a threat in any application that is not included in their "whitelist". Because of this, they, in a number of very anecdotal cases, raised the alarm because of their own files, since the developers forgot to mention them in the "white list".

2017: Microsoft Security Essentials is recognized as one of the worst antiviruses

In October 2017, the German antivirus laboratory AV-Test published the results of comprehensive antivirus testing. According to the study, Microsoft's own software designed to protect against malicious activity copes with its duties almost worse than any other product tested.

According to the results of tests conducted in July-August 2017, AV-Test experts named Kaspersky Internet Security as the best antivirus for Windows 7, which received 18 points when evaluating the level of protection, performance and ease of use.

The top three also included Trend Micro Internet Security and Bitdefender Internet Security, which earned 17.5 points each. The positions of the other antivirus companies' products included in the study can be found in the illustrations below:

Many scanners also use heuristic scanning algorithms, i.e. analysis of the sequence of commands in the checked object, collection of some statistics and decision making for each checked object.

Scanners can also be divided into two categories - universal and specialized. Universal scanners are designed to search for and neutralize all types of viruses, regardless of the operating system in which the scanner is designed to work. Specialized scanners are designed to neutralize a limited number of viruses or only one class of them, such as macro viruses.

Scanners are also divided into resident (monitors), which scan on the fly, and non-resident, which check the system only on request. As a rule, resident scanners provide more reliable system protection, since they immediately react to the appearance of a virus, while a non-resident scanner is able to identify a virus only during its next launch.

CRC scanners

The principle of operation of CRC scanners is based on the calculation of CRC sums (checksums) for the files and system sectors present on the disk. These CRC sums are then stored in the antivirus database, along with some other information: file lengths, dates of their last modification, etc. The next time the CRC scanner is run, it compares the data contained in the database with freshly computed values. If the file information recorded in the database does not match the real values, the CRC scanner signals that the file has been modified or infected with a virus.

CRC scanners are not able to catch a virus at the moment of its appearance in the system, but do it only after some time, after the virus has spread throughout the computer. CRC scanners cannot detect a virus in new files (in e-mail, on floppy disks, in files restored from a backup or when unpacking files from an archive), because their databases do not have information about these files. Moreover, viruses periodically appear that use this weakness of CRC scanners, infect only newly created files and thus remain invisible to them.

Blockers

Anti-virus blockers are resident programs that intercept virus-dangerous situations and notify the user about it. Virus-dangerous calls include calls to open for writing to executable files, writing to the boot sectors of disks or the MBR of a hard drive, attempts by programs to remain resident, etc., that is, calls that are typical for viruses at the time of reproduction.

The advantages of blockers include their ability to detect and stop the virus at the earliest stage of its reproduction. The disadvantages include the existence of ways to bypass the protection of blockers and a large number of false positives.

Immunizers

Immunizers are divided into two types: infection-reporting immunizers and infection-blocking immunizers. The first ones are usually written to the end of files (according to the principle of a file virus) and each time the file is launched, it is checked for changes. The disadvantage of such immunizers is only one, but it is lethal: the absolute inability to report infection with a stealth virus. Therefore, such immunizers, as well as blockers, are practically not used at present.

The second type of immunization protects the system from attack by a particular type of virus. Files on disks are modified in such a way that the virus takes them for already infected ones. To protect against a resident virus, a program that imitates a copy of the virus is entered into the computer's memory. When launched, the virus stumbles upon it and believes that the system is already infected.

This type of immunization cannot be universal, since it is impossible to immunize files against all known viruses.

Classification of antiviruses on the basis of time variability

According to Valery Konyavsky, antiviral agents can be divided into two large groups: those analyzing data and those analyzing processes.

Data analysis

Data analysis includes auditors and polyphages. Auditors analyze the consequences of the activities of computer viruses and other malicious programs. These consequences manifest as changes in data that should not change. From the auditor's point of view, it is the very fact of data change that is a sign of malicious program activity. In other words, auditors control the integrity of the data and, upon violation of that integrity, conclude that malware is present in the computer environment.

Polyphages act differently. Based on data analysis, they identify fragments of malicious code (for example, by its signature) and, on this basis, make a conclusion about the presence of malicious programs. Deleting or disinfecting virus-infected data helps to prevent the negative consequences of malware execution. Thus, on the basis of analysis in statics, the consequences arising in dynamics are prevented.

The scheme of work of both auditors and polyphages is almost the same - to compare the data (or their checksum) with one or more reference samples. Data is compared to data. Thus, in order to find a virus in your computer, you need it to have already worked so that the consequences of its activity appear. This method can only find known viruses for which code fragments or signatures are previously described. It is unlikely that such protection can be called reliable.

Process analysis

Anti-virus tools based on process analysis work somewhat differently. Heuristic analyzers, like those described above, analyze data (on disk, in a channel, in memory, etc.). The fundamental difference is that the analysis is carried out on the assumption that the code being analyzed is not data, but commands (in computers with a von Neumann architecture, data and commands are indistinguishable, and therefore one or another assumption has to be put forward during analysis).

The heuristic analyzer selects a sequence of operations, assigns a certain danger rating to each of them, and, based on the totality of danger, decides whether this sequence of operations is part of a malicious code. The code itself is not executed.

Another type of anti-virus tools based on process analysis are behavioral blockers. In this case, the suspicious code is executed step by step until the set of actions initiated by the code is evaluated as dangerous (or safe) behavior. In this case, the code is partially executed, since the completion of the malicious code can be detected by simpler methods of data analysis.

Virus detection technologies

The technologies used in antiviruses can be divided into two groups:

  • Signature analysis technologies
  • Probabilistic Analysis Technologies

Signature analysis technologies

Signature analysis is a virus detection method that checks for the presence of virus signatures in files. Signature analysis is the most well-known method of detecting viruses and is used in almost all modern antiviruses. To perform a scan, the antivirus needs a set of virus signatures, which is stored in the antivirus database.

Due to the fact that signature analysis involves checking files for virus signatures, the anti-virus database needs to be updated periodically to keep the anti-virus up to date. The very principle of signature analysis also defines the limits of its functionality - the ability to detect only known viruses - a signature scanner is powerless against new viruses.

On the other hand, the presence of virus signatures suggests the possibility of disinfecting infected files detected using signature analysis. However, disinfection is not possible for all viruses: Trojans and most worms are not treatable due to their design, because they are monolithic modules designed to cause damage rather than code attached to a host file.

Competent implementation of a virus signature makes it possible to detect known viruses with 100% certainty.

Probabilistic Analysis Technologies

Probabilistic analysis technologies, in turn, are divided into three categories:

  • Heuristic analysis
  • Behavioral analysis
  • Checksum Analysis

Heuristic analysis

Heuristic analysis is a technology based on probabilistic algorithms, the result of which is the identification of suspicious objects. In the process of heuristic analysis the structure of the file and its compliance with virus templates are checked. The most popular heuristic technique is to check the contents of a file for modifications of already known virus signatures and their combinations. This helps to detect hybrids and new versions of previously known viruses without additional updating of the anti-virus database.

Heuristic analysis is used to detect unknown viruses and, as a result, does not involve disinfection. This technology cannot determine with 100% certainty whether the object in front of it is a virus, and, like any probabilistic algorithm, it suffers from false positives.
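The two techniques described in the signature analysis and heuristic analysis sections side by side, as an added example that is not part of the original essay. The signature database, the sample objects and the 25% mismatch tolerance are constructed for this illustration; the heuristic implements the "modification of a known signature" check the text mentions, and the last sample shows the false positive such a check can produce.

```python
# Constructed signature database for the example. The byte patterns are made up
# for illustration and are not real malware signatures.
SIGNATURES = {
    "Example.Appender.A": b"\xb8\x00\x4c\xcd\x21JUNK-APPENDER",
    "Example.Macro.B": b"Sub AutoOpen()\n  Shell(",
}


def signature_scan(data: bytes) -> list[str]:
    """Signature analysis: report every known signature found verbatim in the object."""
    return [name for name, sig in SIGNATURES.items() if sig in data]


def _mismatches(a: bytes, b: bytes) -> int:
    return sum(x != y for x, y in zip(a, b))


def heuristic_scan(data: bytes, max_mismatch_ratio: float = 0.25) -> list[tuple[str, float]]:
    """Heuristic analysis as the text describes it: look for *modified* versions of
    known signatures. Each signature is slid over the object; a window whose bytes
    differ from the signature in at most max_mismatch_ratio of the positions is
    reported as a possible variant, with its similarity (0..1)."""
    hits = []
    for name, sig in SIGNATURES.items():
        n = len(sig)
        best = 0.0
        for i in range(len(data) - n + 1):
            similarity = 1 - _mismatches(data[i:i + n], sig) / n
            best = max(best, similarity)
        # an exact hit is the signature scanner's job; only report near misses
        if 1 - max_mismatch_ratio <= best < 1.0:
            hits.append((f"{name} (variant?)", round(best, 2)))
    return hits


def scan(data: bytes) -> dict:
    """Signature check first (certain verdict); fall back to heuristics otherwise."""
    exact = signature_scan(data)
    return {"signature": exact, "heuristic": [] if exact else heuristic_scan(data)}


# Constructed sample objects
CLEAN_SAMPLE = b"MZ\x90\x00 ordinary program text with nothing special in it"
KNOWN_SAMPLE = b"MZ\x90\x00 payload " + SIGNATURES["Example.Appender.A"]
# a "new version" of the known virus: two bytes of the signature changed,
# which defeats the exact signature but not the heuristic
VARIANT_SAMPLE = KNOWN_SAMPLE.replace(b"JUNK-APP", b"JANK-APQ")
# a harmless macro that merely resembles the known one: a heuristic false positive
BENIGN_MACRO = b"Sub AutoOpen()\n  Sheets(1).Activate\nEnd Sub"

if __name__ == "__main__":
    for label, sample in [("clean", CLEAN_SAMPLE), ("known", KNOWN_SAMPLE),
                          ("variant", VARIANT_SAMPLE), ("benign macro", BENIGN_MACRO)]:
        print(f"{label:13s} -> {scan(sample)}")
```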

Behavioral analysis

Behavioral analysis is a technology in which a decision about the nature of the object being checked is made on the basis of an analysis of the operations it performs. Behavioral analysis has a very narrow practical application, since most of the actions typical of viruses can be performed by ordinary applications. Behavioral analyzers of scripts and macros are the most famous, since the corresponding viruses almost always perform a number of similar actions.

The security features embedded in the BIOS can also be classified as behavioral analyzers. When an attempt is made to make changes to the computer's MBR, the analyzer blocks the action and displays a corresponding notification to the user.

In addition, behavioral analyzers can track attempts to access files directly, make changes to the boot record, format diskettes or hard drives, etc.

Behavioral analyzers do not use additional objects like virus databases for their work and, as a result, they are unable to distinguish between known and unknown viruses - all suspicious programs are a priori considered unknown viruses. Similarly, the features of the operation of tools that implement behavioral analysis technologies do not imply treatment.
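A behavioral blocker of the kind described in the blockers section and in the process-analysis and behavioral-analysis sections, as an added example that is not part of the original essay. The operation names, their danger ratings, the threshold and the three traces are constructed; the static rater is included for contrast with the step-by-step execution, and the installer trace shows the false positive the text warns about.

```python
from dataclasses import dataclass

# Danger rating per intercepted operation (constructed for this example). The rated
# operations are the kinds of calls the text lists as virus-dangerous: writing to
# executables, boot sectors or the MBR, staying resident, direct disk writes.
DANGER = {
    "open_exe_for_write": 3,
    "write_boot_sector": 5,
    "write_mbr": 5,
    "set_resident_hook": 4,
    "direct_disk_write": 4,
    "change_file_attributes": 1,
    "read_file": 0,
    "create_window": 0,
    "write_document": 0,
}
THRESHOLD = 6


@dataclass
class Verdict:
    blocked: bool
    score: int
    executed: int   # number of steps that actually ran before the decision
    reason: str


def behavioral_block(trace: list[str], threshold: int = THRESHOLD) -> Verdict:
    """Execute the trace step by step, accumulating danger, and stop as soon as the
    cumulative rating reaches the threshold; later steps are never executed."""
    score = 0
    for i, op in enumerate(trace, start=1):
        score += DANGER.get(op, 2)   # unknown operation: mildly suspicious
        if score >= threshold:
            return Verdict(True, score, i, f"stopped at step {i}: {op}")
    return Verdict(False, score, len(trace), "completed within budget")


def heuristic_static(trace: list[str], threshold: int = THRESHOLD) -> Verdict:
    """Static counterpart: rate the whole sequence without executing anything."""
    score = sum(DANGER.get(op, 2) for op in trace)
    return Verdict(score >= threshold, score, 0, "static rating of the whole sequence")


# Constructed traces
FILE_INFECTOR = ["read_file", "set_resident_hook", "open_exe_for_write", "write_boot_sector"]
TEXT_EDITOR = ["create_window", "read_file", "write_document", "change_file_attributes"]
# a legitimate installer rewrites two executables: same operations as a virus
INSTALLER = ["read_file", "open_exe_for_write", "open_exe_for_write", "change_file_attributes"]

if __name__ == "__main__":
    for name, trace in [("infector", FILE_INFECTOR), ("editor", TEXT_EDITOR), ("installer", INSTALLER)]:
        print(name, behavioral_block(trace), heuristic_static(trace))
```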

Checksum Analysis

Checksum analysis is a way to keep track of changes in the objects of a computer system. Based on the nature of the changes (their simultaneity, their mass character, identical changes in file lengths) it can be concluded that the system is infected. Checksum analyzers (also called change auditors), like behavioral analyzers, do not use additional objects such as signature databases and issue a verdict on the presence of a virus solely by expert evaluation of the changes. Similar technology is used in on-access scanners: during the first check, a checksum of the file is taken and placed in a cache; before the next check of the same file, the checksum is taken again and compared, and if nothing has changed, the file is considered uninfected.
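An integrity auditor of the kind described in the CRC scanners section and in the checksum analysis paragraph above, as an added example that is not part of the original essay. The file names and contents are constructed; the record layout (CRC32, SHA-256, length, mtime) follows the database contents the text lists, and the demo reproduces the blind spot the text describes: a file that arrives after the baseline was taken has no record and can only be reported as unknown, not as infected.

```python
import hashlib
import os
import tempfile
import zlib
from dataclasses import dataclass


@dataclass(frozen=True)
class FileRecord:
    """What a CRC scanner stores per file: checksums, length and last-modified time."""
    crc32: int
    sha256: str
    length: int
    mtime_ns: int


def record_file(path: str) -> FileRecord:
    """Compute the reference values for one file."""
    with open(path, "rb") as fh:
        data = fh.read()
    st = os.stat(path)
    return FileRecord(zlib.crc32(data) & 0xFFFFFFFF,
                      hashlib.sha256(data).hexdigest(),
                      st.st_size, st.st_mtime_ns)


def build_baseline(root: str) -> dict[str, FileRecord]:
    """First run: walk the tree and store a record for every file (the 'database')."""
    baseline = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            baseline[os.path.relpath(full, root)] = record_file(full)
    return baseline


def audit(root: str, baseline: dict[str, FileRecord]) -> dict[str, list[str]]:
    """Later run: compare current values with the stored ones.
    modified: content checksum or length changed (possible infection)
    touched:  only the mtime changed, content identical
    unknown:  no record exists, so nothing can be said about the file
    missing:  recorded file no longer on disk"""
    current = build_baseline(root)
    report = {"modified": [], "touched": [], "unknown": [], "missing": []}
    for rel, old in baseline.items():
        new = current.get(rel)
        if new is None:
            report["missing"].append(rel)
        elif new.sha256 != old.sha256 or new.length != old.length:
            report["modified"].append(rel)
        elif new.mtime_ns != old.mtime_ns:
            report["touched"].append(rel)
    report["unknown"] = sorted(set(current) - set(baseline))
    return report


def demo() -> dict[str, list[str]]:
    """Constructed scenario: take a baseline, then simulate a file infector appending
    its body to one program, a new file arriving by e-mail, and a file being deleted."""
    with tempfile.TemporaryDirectory() as root:
        files = {"app.exe": b"MZ\x90\x00program body",
                 "readme.txt": b"hello",
                 "old.dll": b"MZlibrary"}
        for name, body in files.items():
            with open(os.path.join(root, name), "wb") as fh:
                fh.write(body)
        baseline = build_baseline(root)
        with open(os.path.join(root, "app.exe"), "ab") as fh:   # "infection"
            fh.write(b"VIRUS-BODY")
        with open(os.path.join(root, "mail.exe"), "wb") as fh:  # new, unrecorded file
            fh.write(b"MZ\x90\x00VIRUS-BODY")
        os.remove(os.path.join(root, "old.dll"))
        return audit(root, baseline)


if __name__ == "__main__":
    print(demo())
```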

Antivirus complexes

An anti-virus complex is a set of anti-virus tools that use the same anti-virus engine or engines, designed to solve practical problems in ensuring the anti-virus security of computer systems. The anti-virus complex also includes tools for updating anti-virus databases.

In addition, the anti-virus complex may additionally include behavioral analyzers and change auditors that do not use the anti-virus engine.

There are the following types of anti-virus complexes:

  • Antivirus complex for protection of workstations
  • Anti-virus complex for protecting file servers
  • Anti-virus complex for protection of mail systems
  • Antivirus complex for protection of gateways.

Cloud vs Traditional Desktop Antivirus: Which Should You Choose?

(According to the resource Webroot.com)

The modern market of anti-virus tools consists primarily of traditional solutions for desktop systems, whose protection mechanisms are built on signature-based methods. An alternative approach to anti-virus protection is the use of heuristic analysis.

Problems with traditional antivirus software

In recent years, traditional anti-virus technologies have become less and less effective and quickly become obsolete, due to a number of factors. The number of virus threats identified by signatures is already so high that it is often an unrealistic task to ensure a timely, 100% update of signature databases on user computers. Hackers and cybercriminals are increasingly using botnets and other technologies to accelerate the spread of zero-day virus threats. In addition, during targeted attacks no signatures of the corresponding viruses are created at all. Finally, new techniques for evading anti-virus detection are in use: malware encryption, server-side creation of polymorphic viruses, and preliminary testing of the quality of a virus attack.

Traditional anti-virus protection is most often built in the "thick client" architecture. This means that a large body of program code is installed on the client's computer. It checks incoming data and detects the presence of virus threats.

This approach has a number of disadvantages. First, scanning for malware and matching signatures requires a significant computational load, which is “taken away” from the user. As a result, the productivity of the computer decreases, and the operation of the antivirus sometimes interferes with the execution of applied tasks in parallel. Sometimes the load on the user's system is so noticeable that users turn off anti-virus programs, thereby removing the barrier to a potential virus attack.

Second, each update on the user's machine requires the transfer of thousands of new signatures. The amount of data transferred is typically in the order of 5 MB per day per machine. Data transfer slows down the network, diverts additional system resources, requires the involvement of system administrators to control traffic.

Thirdly, users who are roaming or away from their fixed place of work are defenseless against zero-day attacks. To receive an updated portion of the signatures, they must connect to a VPN network that is not accessible to them remotely.

Antivirus protection from the cloud

When switching to anti-virus protection from the cloud, the architecture of the solution changes significantly. A "lightweight" client is installed on the user's computer, whose main function is to find new files, calculate their hash values and send this data to the cloud server. In the cloud, a full-scale comparison is performed against a large database of collected signatures. This database is constantly and promptly updated with data supplied by anti-virus companies. The client receives a report with the results of the check.

Thus, the cloud architecture of anti-virus protection has a whole range of advantages:

  • the volume of calculations on the user's computer is negligible compared to a thick client, therefore, the user's productivity does not decrease;
  • there is no catastrophic effect of anti-virus traffic on network throughput: only a compact portion of data is sent, containing a few dozen hash values, and the average daily traffic does not exceed 120 KB;
  • cloud storage contains huge arrays of signatures, much larger than those stored on user computers;
  • signature comparison algorithms used in the cloud are significantly more intelligent than simplified models used at the local station level, and due to higher performance, data comparison takes less time;
  • cloud-based antivirus services work with real data received from antivirus laboratories, security developers, corporate and private users; zero-day threats are blocked simultaneously with their recognition, without delay caused by the need to gain access to user computers;
  • users who are roaming or do not have access to their main workplaces receive protection from zero-day attacks at the same time as accessing the Internet;
  • the load on system administrators is reduced: they do not need to spend time installing anti-virus software on users' computers, as well as updating signature databases.
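The thin-client exchange described above, as an added example that is not part of the original essay or of any vendor's product: the client hashes new files and sends only the hashes, the "cloud" answers with verdicts, and the client caches definite verdicts so that a repeat check re-sends only what is still unknown. The verdict database, file contents and JSON message format are constructed for this illustration.

```python
import hashlib
import json

# --- "cloud" side: constructed verdict database keyed by SHA-256 of file contents
KNOWN_BAD = {hashlib.sha256(b"MZ\x90\x00 VIRUS-BODY").hexdigest(): "Example.Appender.A"}
KNOWN_GOOD = {hashlib.sha256(b"MZ\x90\x00 notepad").hexdigest()}


def cloud_lookup(request_json: str) -> str:
    """Server: answer each submitted hash with malicious / clean / unknown."""
    request = json.loads(request_json)
    verdicts = {}
    for h in request["hashes"]:
        if h in KNOWN_BAD:
            verdicts[h] = {"verdict": "malicious", "name": KNOWN_BAD[h]}
        elif h in KNOWN_GOOD:
            verdicts[h] = {"verdict": "clean"}
        else:
            verdicts[h] = {"verdict": "unknown"}
    return json.dumps({"verdicts": verdicts})


# --- lightweight client side
class LightClient:
    def __init__(self) -> None:
        self.cache: dict[str, str] = {}   # hash -> definite verdict already received
        self.bytes_sent = 0               # lets us measure the traffic the text talks about

    def check_files(self, files: dict[str, bytes]) -> dict[str, str]:
        """Hash every file, ask the cloud only about hashes without a cached verdict,
        and return a verdict per file name."""
        hashes = {name: hashlib.sha256(data).hexdigest() for name, data in files.items()}
        verdicts = dict(self.cache)
        to_send = sorted({h for h in hashes.values() if h not in self.cache})
        if to_send:
            request = json.dumps({"hashes": to_send})
            self.bytes_sent += len(request.encode())
            response = json.loads(cloud_lookup(request))
            for h, v in response["verdicts"].items():
                verdicts[h] = v["verdict"]
                if v["verdict"] != "unknown":   # unknown files are asked about again next time
                    self.cache[h] = v["verdict"]
        return {name: verdicts[h] for name, h in hashes.items()}


# Constructed set of "new files" found on the client machine
SAMPLE_FILES = {
    "app.exe": b"MZ\x90\x00 VIRUS-BODY",
    "notepad.exe": b"MZ\x90\x00 notepad",
    "tool.exe": b"MZ new tool nobody has seen yet",
}

if __name__ == "__main__":
    client = LightClient()
    print(client.check_files(SAMPLE_FILES), client.bytes_sent, "bytes sent")
    print(client.check_files(SAMPLE_FILES), client.bytes_sent, "bytes sent")
```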

Why traditional antiviruses fail

Modern malicious code can:

  • bypass antivirus traps by creating a targeted virus for a specific company;
  • evade detection before the antivirus creates a signature, using polymorphism, transcoding, and dynamic DNS and URLs;
  • use code unknown to anyone, for which no signature exists.

Such code is difficult to defend against.

High-speed antiviruses of 2011

The Russian independent information and analytical center Anti-Malware.ru published in May 2011 the results of another comparative test of the 20 most popular antiviruses for performance and system resource consumption.

The purpose of this test is to show which personal antiviruses have the least impact on the user's typical operations on the computer, "slow down" the user's work least and consume the minimum amount of system resources.

Among anti-virus monitors (real-time scanners), a whole group of products demonstrated a very high speed of operation, among them: Avira, AVG, ZoneAlarm, Avast, Kaspersky Anti-Virus, Eset, Trend Micro and Dr.Web. With these antiviruses on board, the slowdown in copying the test collection was less than 20% compared to the benchmark. The antivirus monitors BitDefender, PC Tools, Outpost, F-Secure, Norton and Emsisoft also showed high results in terms of performance, falling within the range of 30-50%.

At the same time, Avira, AVG, BitDefender, F-Secure, G Data, Kaspersky Anti-Virus, Norton, Outpost and PC Tools can be significantly faster in real conditions due to their post-check optimization.

Avira antivirus showed the best speed of on-demand scanning. Slightly behind it were Kaspersky Anti-Virus, F-Secure, Norton, G Data, BitDefender and Outpost. In terms of the speed of the first scan, these antiviruses are only slightly inferior to the leader, and at the same time they all have in their arsenal powerful technologies for optimizing repeated scans.

Another important characteristic of the speed of an antivirus is its impact on the applications that the user works with most often. Five of them were chosen for the test: Internet Explorer, Microsoft Office Word, Microsoft Outlook, Adobe Acrobat Reader and Adobe Photoshop. The smallest slowdown in the launch of these office programs was shown by the antiviruses Eset, Microsoft, Avast, VBA32, Comodo, Norton, Trend Micro, Outpost and G Data.

Eugene Kaspersky in 1992 used the following classification of antiviruses depending on their principle of operation (defining functionality):

Ø Scanners (obsolete version - "polyphages", "detectors") - determine the presence of a virus by the signature database that stores the signatures (or their checksums) of viruses. Their effectiveness is determined by the relevance of the virus database and the presence of a heuristic analyzer.

Ø Auditors (a class close to IDS) - remember the state of the file system, which makes it possible to analyze changes in the future.

Ø Watchmen (resident monitors or filters) - track potentially dangerous operations, issuing the appropriate request to the user to allow/prohibit the operation.

Ø Vaccines (immunizers) - change the vaccinated file in such a way that the virus against which the vaccine is made already considers the file infected. In modern conditions, when the number of possible viruses is measured in hundreds of thousands, this approach is not applicable.

Modern antiviruses combine all of the above functions.

Antiviruses can also be divided into:

  • Products for home users:
    – actually antiviruses;
    – combined products (for example, anti-spam, firewall, anti-rootkit, etc. have been added to the classic anti-virus);
  • Corporate products:
    – server antiviruses;
    – antiviruses on workstations ("endpoint").

Using several anti-virus programs together gives good results, as they complement each other well:

– Data coming from external sources is checked by a detector program. If someone forgot to check this data and the infected program was launched, it can be caught by the watchdog program. True, in both cases only viruses known to these anti-virus programs are reliably detected. This is no more than 80-90% of cases.

– A watchman can detect even unknown viruses if they behave very brazenly (try to format the hard disk or make changes to system files). But some viruses can bypass such controls.

– If the virus was not detected by a detector or watchman, then the results of its activity will be detected by an auditor program.

As a rule, watchdog programs should be constantly running on the computer, detectors should be used to check data coming from external sources (files and diskettes), and auditors should be run once a day to detect and analyze changes on disks. All of this should be combined with regular data backups and the use of preventive measures to reduce the likelihood of a virus infection.

Any anti-virus program "slows down" the computer, but is a reliable remedy for the harmful effects of viruses.


False antiviruses (rogue antiviruses).

In 2009 various antivirus manufacturers began to report the wide distribution of a new type of "antivirus": false antiviruses or pseudo-antiviruses (rogueware). In fact, these programs are either not antiviruses at all (that is, they are not capable of fighting malware) or are themselves malicious (they steal credit card information, etc.).

Rogue antiviruses are used to extort money from users by deception. One way to infect a PC with a fake antivirus is as follows. The user is taken to an "infected" site, which shows a warning message like: "A virus has been found on your computer." The user is then prompted to download a free program (the false antivirus) to remove the virus. After installation, the false antivirus scans the PC and supposedly detects a lot of viruses on the computer. To remove the malware, the fake antivirus offers to buy a paid version of the program. The shocked user pays (amounts from $50 to $80) and the false antivirus "cleans" the PC of non-existent viruses.

Antiviruses on SIM, flash cards and USB devices

Mobile phones produced today have a wide range of interfaces and data transfer capabilities. Users should carefully study the protection methods before connecting any small devices.

Hardware-based protection methods, such as antiviruses on USB devices or on the SIM, are better suited to mobile phone users. A technical evaluation and review of how to install an antivirus program on a cellular mobile phone should treat it as a scanning process that may affect other legitimate applications on that phone.

Anti-virus programs on SIM with anti-virus built into the small capacity memory area provide anti-malware/virus protection by protecting the PIN and information of the user of the phone. Anti-viruses on flash cards allow the user to exchange information and use these products with various hardware devices, as well as send this data to other devices using various communication channels.

Antiviruses, mobile devices and innovative solutions

In the future, it is possible that mobile phones will be infected with viruses. More and more developers in this field offer anti-virus programs to fight viruses and protect mobile phones. In mobile devices there are the following types of virus control:

– processor limitations;

– memory limit;

– identifying and updating the signatures of these mobile devices.

Conclusion: an antivirus program (antivirus) is, originally, a program for detecting and disinfecting malicious objects or infected files, as well as for prevention, i.e. preventing the infection of a file or operating system by malicious code. Depending on the principle of operation of anti-virus programs, there is the following classification of anti-viruses: scanners (outdated version - "polyphages", "detectors"); auditors (a class close to IDS); watchmen (resident monitors or filters); vaccines (immunizers).

CONCLUSION

Advances in computer technology in recent years have not only contributed to the development of the economy, trade and communications and provided effective information exchange, but have also provided a unique toolkit to the perpetrators of computer crimes. The more intense the process of computerization, the more real the growth of computer crime becomes, and modern society not only feels the economic consequences of computer crime, but also becomes more and more dependent on computerization. All these aspects oblige us to pay more and more attention to the protection of information and to the further development of the legislative framework in the area of information security. The whole range of measures should come down to the protection of state information resources; the regulation of relations arising from the formation and use of information resources; the creation and use of information technologies; the protection of information and of the rights of subjects participating in information processes; and the definition of the basic concepts used in the legislation.

Associate Professor of the Department of Organization of Security and Convoy in the Penitentiary System

candidate of technical sciences

lieutenant colonel of the internal service V.G. Zarubsky


For their successful work, viruses need to check whether the file is already infected (by the same virus). So they avoid self-destruction. To do this, viruses use a signature. Most common viruses (including macro viruses) use character signatures. More complex viruses (polymorphic) use algorithm signatures. Regardless of the type of virus signature, anti-virus programs use them to detect "computer infections". After that, the antivirus program tries to destroy the detected virus. However, this process depends on the complexity of the virus and the quality of the antivirus program. As already mentioned, Trojan horses and polymorphic viruses are the most difficult to detect. The first of them do not add their body to the program, but embed it inside it. On the other hand, anti-virus programs must spend quite a lot of time to determine the signature of polymorphic viruses. The fact is that their signatures change with each new copy.

To detect, remove and protect against computer viruses, there are special programs called antivirus. Modern anti-virus programs are multifunctional products that combine both preventive and virus treatment and data recovery tools.

The number and variety of viruses is great, and in order to detect them quickly and efficiently, an antivirus program must meet certain parameters:

1. Stability and reliability of work.

2. Size of the program's virus database (the number of viruses that are correctly detected by the program): taking into account the constant appearance of new viruses, the database should be updated regularly.

3. The ability of the program to detect various types of viruses, and the ability to work with files of various types (archives, documents).

4. The presence of a resident monitor that checks all new files "on the fly" (that is, automatically, as they are written to disk).

5. The speed of the program and the availability of additional features, such as algorithms for detecting viruses unknown to the program (heuristic scanning).

6. Possibility to restore infected files without erasing them from the hard disk, but only removing viruses from them.

7. The percentage of false positives of the program (erroneous detection of a virus in a "clean" file).

8. Cross-platform (availability of program versions for different operating systems).

Classification of antivirus programs:

1. Detector programs provide search and detection of viruses in RAM and on external media, and upon detection they issue a corresponding message. There are detectors:

Universal - check the invariability of files by computing a checksum and comparing it with a reference value;

Specialized - search for known viruses by their signature (repeating code section).

2. Doctor programs (phages) not only find virus-infected files, but also “cure” them, i.e. remove the body of the virus program from the file, returning the files to their original state. At the beginning of their work, phages look for viruses in RAM, destroying them, and only then proceed to “treatment” of files. Among phages, polyphages are distinguished, i.e. doctor programs designed to find and destroy a large number of viruses.

3. Program-auditors are among the most reliable means of protection against viruses. Auditors remember the initial state of programs, directories and system areas of the disk when the computer is not infected with a virus, and then periodically or at the request of the user compare the current state with the original one. The detected changes are displayed on the monitor screen.

4. Filter programs (watchmen) are small resident programs designed to detect suspicious actions during computer operation that are characteristic of viruses. Such actions may be:

Attempts to correct files with COM and EXE extensions;

Changing file attributes;

Direct write to disk at absolute address;

Writing to disk boot sectors;

5. Vaccine programs (immunizers) are resident programs that prevent file infection. Vaccines are used if there are no doctor programs that "treat" this virus. Vaccination is possible only against known viruses (Bezrukov N. Computer Virology: Textbook [Electronic resource]: http://vx.netlux.org/lib/anb00.html).

In fact, the architecture of antivirus programs is much more complex and depends on the specific developer. But one fact is undeniable: all the technologies that I have talked about are so closely intertwined that it is sometimes impossible to tell where one ends and another begins to work. This interaction of anti-virus technologies allows them to be used most effectively in the fight against viruses. But do not forget that there is no perfect protection, and the only way to guard yourself against such problems is constant OS updates, a well-configured firewall, a frequently updated antivirus and, most importantly, not running or downloading suspicious files from the Internet.

Eugene Kaspersky in 1992 used the following classification of antiviruses depending on their principle of operation (defining functionality):

1. Scanners (an outdated version - "polyphages") - determine the presence of a virus by the signature database that stores the signatures (or their checksums) of viruses. Their effectiveness is determined by the relevance of the virus database and the presence of a heuristic analyzer (see: Heuristic scanning).

2. Auditors (a class close to IDS) - remember the state of the file system, which makes it possible to analyze changes in the future.

3. Watchmen (monitors) - keep track of potentially dangerous operations, issuing the appropriate request to the user to allow/prohibit the operation.

4. Vaccines - modify the inoculated file in such a way that the virus against which the vaccine is made considers the file already infected. In modern (2007) conditions, when the number of possible viruses is measured in hundreds of thousands, this approach is not applicable.

Modern antiviruses combine all of the above functions.
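The auditor approach described above (item 3 of the first list and item 2 of this one) comes down to remembering a clean state and diffing against it. The following is an added example, not code from the essay or from any cited author: a small Python file-integrity checker that records the hash and size of every file under a directory, then reports what was added, removed or modified. The directory tree and file names built in demo() are constructed for the demonstration.

```python
import hashlib
import json
import tempfile
from pathlib import Path


def _hash_file(path: Path) -> str:
    """SHA-256 of a file's contents, read in chunks so large files are fine."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def snapshot(root: str) -> dict:
    """Record hash and size of every regular file under root, keyed by relative path."""
    root_path = Path(root)
    return {
        p.relative_to(root_path).as_posix(): {"sha256": _hash_file(p), "size": p.stat().st_size}
        for p in sorted(root_path.rglob("*")) if p.is_file()
    }


def compare(baseline: dict, current: dict) -> dict:
    """Report files added, removed or modified since the baseline was taken."""
    common = set(baseline) & set(current)
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(n for n in common if baseline[n]["sha256"] != current[n]["sha256"]),
    }


def demo() -> dict:
    """Constructed scenario: baseline a clean tree, then tamper with it and audit."""
    root = Path(tempfile.mkdtemp())
    (root / "sys").mkdir()
    (root / "a.com").write_bytes(b"clean program")
    (root / "sys" / "b.exe").write_bytes(b"another clean program")
    # an auditor would write this JSON to protected storage while the system is clean
    baseline = json.loads(json.dumps(snapshot(root), sort_keys=True))
    (root / "a.com").write_bytes(b"clean program" + b"\x90" * 16)  # appended bytes
    (root / "sys" / "b.exe").unlink()                                # deleted
    (root / "c.exe").write_bytes(b"dropped file")                    # new file
    return compare(baseline, snapshot(root))
```

Comparing full hashes rather than sizes alone is what catches an infector that overwrites a file in place without changing its length.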

Antiviruses can also be divided into:

1. Products for home users:

Antiviruses proper;

Combined products (for example, anti-spam, a firewall, anti-rootkit, etc. added to the classic antivirus).

2. Corporate products:

Server antiviruses;

Antiviruses on workstations ("endpoint").

Antiviruses on SIM, flash cards and USB devices

Mobile phones produced today have a wide range of interfaces and data transfer capabilities. Users should carefully study the available protection methods before connecting any small devices.

Hardware-based protection, such as antiviruses on USB devices or on the SIM, is better suited to mobile phone users. When evaluating how to install an antivirus program on a mobile phone, bear in mind that its scanning may affect other legitimate applications on that phone.

Antivirus programs on the SIM, with the antivirus built into its small memory area, protect against malware by protecting the PIN and the phone user's information. Antiviruses on flash cards let the user exchange information and use these products with various hardware devices, as well as send this data to other devices over various communication channels.

Antiviruses, mobile devices and innovative solutions

In the future, it is likely that mobile phones will also be infected with viruses. More and more developers in this field offer anti-virus programs to fight viruses and protect mobile phones. The following types of virus control exist for mobile devices.
