Antivirus program (antivirus) - a program for detecting and removing computer viruses and other malware, preventing their spread, and restoring programs infected by them.

The main tasks of modern antivirus programs:

  • Scan files and programs in real time.
  • On-demand computer scan.
  • Scanning of Internet traffic.
  • E-mail scanning.
  • Protection against attacks from dangerous websites.
  • Recovery (treatment) of damaged files.

Classification of antivirus programs:

  • Detector programs search for and detect viruses in RAM and on external media, and issue a corresponding message upon detection. There are two kinds of detectors:
    • 1. universal: check that files are unchanged by computing a checksum and comparing it with a stored reference value;
    • 2. specialized: search for known viruses by their signature (a repeating section of code). The disadvantage of such detectors is that they are unable to detect all known viruses.

A detector that can detect several viruses is called a polydetector. The disadvantage of such antivirus programs is that they can only find viruses that are known to the developers of such programs.

  • Doctor programs (phages) not only find virus-infected files, but also "treat" them, i.e. remove the body of the virus program from the file, returning the file to its initial state. At the beginning of their work, phages look for viruses in RAM and destroy them, and only then proceed to "treat" files. Among phages, polyphages are distinguished, i.e. doctor programs designed to find and destroy a large number of viruses. Given that new viruses are constantly appearing, detector programs and doctor programs quickly become outdated, and regular updates of their versions are required.
  • Auditor programs are among the most reliable means of protection against viruses. Auditors remember the initial state of programs, directories and system areas of the disk when the computer is not infected with a virus, and then periodically, or at the request of the user, compare the current state with the original one. The detected changes are displayed on the monitor screen. As a rule, the comparison of states is carried out immediately after the operating system loads. When comparing, the file length, cyclic control code (file checksum), date and time of modification, and other parameters are checked.
  • Filter programs (watchdogs) are small resident programs designed to detect suspicious computer activity that is characteristic of viruses. Such actions may be:
    • 1. attempts to modify files with COM and EXE extensions;
    • 2. changing file attributes;
    • 3. direct writing to disk at an absolute address;
    • 4. writing to the boot sectors of the disk.

Vaccine programs (immunizers) are resident programs that prevent file infection. Vaccines are used when there are no doctor programs that "treat" a given virus. Vaccination is possible only against known viruses. The vaccine modifies the program or disk in such a way that their operation is not affected, but the virus will perceive them as already infected and therefore will not take root. A significant drawback of such programs is their limited ability to prevent infection by a large number of different viruses.

Functions of antivirus programs

Real-time virus protection

Most antivirus programs offer real-time protection. This means that the antivirus program protects your computer from all incoming threats every second. Thus, even if a virus has not infected your computer, you should consider installing an antivirus program with real-time protection in order to prevent further spread of the infection.

Threat detection

Antivirus programs can scan your entire computer for viruses. First of all, the most vulnerable areas, system folders, and RAM are scanned. You can also choose the scanning sectors yourself, or choose, for example, to check a specific hard drive. However, not all antiviruses are the same in their algorithms, and some antivirus programs have higher detection rates than others.

Automatic updates

New viruses are created and appear every day. Therefore, it is extremely important for anti-virus programs to be able to update their anti-virus databases (the list of all known viruses, both old and new). Automatic updating is necessary because an outdated antivirus cannot detect new viruses and threats. Also, if the antivirus program only offers manual updates, you may forget to update your antivirus definitions, and your computer may become infected with a new virus. Try to choose an antivirus with automatic updates.

Alerts

The antivirus will alert you when any program tries to access your computer. Internet applications are an example. Many programs that try to access your PC are harmless or you downloaded them voluntarily, and thus antivirus programs give you the opportunity to decide for yourself whether to allow or block their installation or operation.


Classification of antiviruses

Antivirus is a software package specially designed to protect, intercept and remove computer viruses and other malicious programs.

Modern anti-virus programs are able to effectively detect malicious objects inside program files and documents. In some cases, the antivirus can remove the body of a malicious object from an infected file, restoring the file itself. In most cases, an antivirus is able to remove a malicious program object not only from a program file, but also from an office document file without violating its integrity. The use of anti-virus programs does not require high qualifications and is available to almost any computer user. Nowadays, most of the leading antivirus programs combine the features of permanent protection (an antivirus monitor) and on-demand protection (an antivirus scanner).

Classification of antiviruses

Currently there is no unified classification system for antivirus programs.

Classification of antiviruses by mode of operation

Kaspersky Lab classifies antiviruses according to their mode of operation:

Real time check

Real-time checking, or constant checking, ensures that antivirus protection works continuously. This is implemented by mandatory checking of all actions performed by other programs and by the user for maliciousness, regardless of their original location - be it your own hard disk, external storage media, other network resources or your own RAM. All indirect actions performed through third-party programs are also subject to verification.

On-Demand Check

In some cases, having a constantly running real-time scan may not be enough. It is possible that an infected file was copied to the computer, which was excluded from constant scanning due to its large size and, therefore, the virus was not detected in it. If this file does not run on the computer in question, then the virus may go unnoticed and manifest itself only after sending it to another computer.

In this mode, it is usually assumed that the user personally specifies which files, directories or disk areas are to be checked and when such a check needs to be done - in the form of a schedule or a one-time manual start.

Classification of antiviruses by type

Also, antivirus programs can be classified by type:

Scanners (other names: phages, polyphages)

The principle of operation of anti-virus scanners is based on scanning files, sectors and system memory and searching them for known and new (unknown to the scanner) viruses. So-called "masks" are used to search for known viruses. A virus mask is some constant code sequence specific to that particular virus. If the virus does not contain a constant mask, or the length of this mask is not large enough, then other methods are used. An example of such a method is an algorithmic language that describes all possible variants of the code that can be encountered when a file is infected with a given virus. This approach is used by some antiviruses to detect polymorphic viruses.
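The mask matching described above, as an added example that is not part of the original text: a small scanner in which a mask is a hex pattern with `??` wildcards for the variable bytes, applied to constructed sample buffers. The signature names, masks and buffers are all made up for illustration and correspond to no real virus.

```python
"""Mask-based signature scanner (added illustration, not from the original text).

A mask is a byte pattern in which some positions are wildcards, which is how a
scanner handles viruses whose constant code is interrupted by variable bytes.
All signatures and sample buffers here are constructed and correspond to no
real virus.
"""
from typing import Optional

# A mask is a list of exact byte values (int) or None for "any byte".
Mask = list[Optional[int]]


def parse_mask(text: str) -> Mask:
    """Parse a hex mask such as "E8 ?? ?? 5B" into a Mask ("??" = wildcard)."""
    mask: Mask = []
    for token in text.split():
        mask.append(None if token == "??" else int(token, 16))
    return mask


def match_at(data: bytes, offset: int, mask: Mask) -> bool:
    """True if the mask matches data starting at offset."""
    if offset + len(mask) > len(data):
        return False
    for i, expected in enumerate(mask):
        if expected is not None and data[offset + i] != expected:
            return False
    return True


def find_mask(data: bytes, mask: Mask) -> int:
    """Return the first offset where the mask matches, or -1 if it never does."""
    if not mask:
        return -1
    for offset in range(len(data) - len(mask) + 1):
        if match_at(data, offset, mask):
            return offset
    return -1


# Constructed signature database: the names and masks are invented.
SIGNATURES = {
    "Demo.Constant": parse_mask("B8 00 4C CD 21"),              # fixed sequence
    "Demo.Wildcarded": parse_mask("E8 ?? ?? 5B 81 EB ?? ??"),  # variable bytes inside
}


def scan(data: bytes, signatures=SIGNATURES) -> list[tuple[str, int]]:
    """Return (signature name, offset) for every signature found in data."""
    hits = []
    for name, mask in signatures.items():
        off = find_mask(data, mask)
        if off != -1:
            hits.append((name, off))
    return hits


# Constructed sample buffers: one without any mask, one containing both.
CLEAN = bytes.fromhex("90 90 B8 01 00 CD 21 C3")
INFECTED = bytes.fromhex("90 E8 12 34 5B 81 EB 03 01 B8 00 4C CD 21")

if __name__ == "__main__":
    print(scan(CLEAN))     # []
    print(scan(INFECTED))  # [('Demo.Constant', 9), ('Demo.Wildcarded', 1)]
```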

Many scanners also use "heuristic scanning" algorithms, i.e. analysis of the sequence of commands in the checked object, collection of some statistics, and a decision for each checked object.

Scanners can also be divided into two categories - "universal" and "specialized". Universal scanners are designed to search for and neutralize all types of viruses, regardless of the operating system in which the scanner is designed to work. Specialized scanners are designed to neutralize a limited number of viruses or only one class of them, such as macro viruses.

Scanners are also divided into "resident" scanners (monitors), which scan "on the fly", and "non-resident" scanners, which scan the system on request. In both cases, the scanned data is compared with stored data. Thus, in order to find a virus in your computer, the virus must already have "worked", so that the consequences of its activity appear. This method can only find known viruses whose code fragments or signatures have been described in advance. It is unlikely that such protection can be called reliable.

Process analysis


Anti-virus tools based on process analysis work somewhat differently. "Heuristic analyzers", like those described above, analyze data (on disk, in a channel, in memory, etc.). The fundamental difference is that the analysis is carried out on the assumption that the code being analyzed is not data, but commands (in computers with a von Neumann architecture, data and commands are indistinguishable, and therefore one or another assumption has to be put forward during analysis.)

The "heuristic analyzer" selects a sequence of operations, assigns a certain assessment of "danger" to each of them, and, based on the totality of "danger", decides whether this sequence of operations is a part of malicious code. The code itself is not executed.

A different kind of anti-virus tool based on process analysis is the "behavioral blocker". In this case, the suspicious code is executed step by step until the set of actions initiated by the code is evaluated as "dangerous" (or "safe") behavior. The code is executed only partially, since the completion of the malicious code can be detected by simpler methods of data analysis.

Virus detection technologies

The technologies used in antiviruses can be divided into two groups:

Signature analysis technologies

Signature analysis is a virus detection method that checks for the presence of virus signatures in files. Signature analysis is the most well-known method of detecting viruses and is used in almost all modern antiviruses. To perform a scan, the antivirus needs a set of virus signatures, which is stored in the antivirus database.

Due to the fact that signature analysis involves checking files for virus signatures, the anti-virus database needs to be updated periodically to keep the anti-virus up to date. The very principle of signature analysis also defines the limits of its functionality - the ability to detect only known viruses - a signature scanner is powerless against new viruses.

On the other hand, the presence of virus signatures suggests the possibility of treating infected files detected by signature analysis. However, treatment is not applicable to all viruses - Trojans and most worms are not treatable due to their design, because they are self-contained modules designed to cause damage.

Competent implementation of a virus signature makes it possible to detect known viruses with 100% certainty.

Probabilistic Analysis Technologies

Probabilistic analysis technologies, in turn, are divided into three categories:

Heuristic Analysis

Behavioral analysis

Checksum Analysis

Heuristic analysis is a technology based on probabilistic algorithms, the result of which is the identification of suspicious objects. The heuristic analysis checks the file structure and its compliance with virus templates. The most popular heuristic technique is to check the contents of a file for modifications of already known virus signatures and their combinations. This helps to detect hybrids and new versions of previously known viruses without additional updating of the anti-virus database.

Heuristic analysis is used to detect unknown viruses and, as a result, does not imply treatment.

Behavioral analysis is a technology in which a decision about the nature of the object being checked is made on the basis of an analysis of the operations it performs. Behavioral analysis has a very narrow practical application, since most of the actions typical of viruses can be performed by ordinary applications. Behavioral analyzers of scripts and macros are the most famous, since the corresponding viruses almost always perform a number of similar actions.

The security features embedded in the BIOS can also be classified as behavioral analyzers. When an attempt is made to make changes to the computer's MBR, the analyzer blocks the action and displays a corresponding notification to the user.

In addition, behavioral analyzers can track attempts to directly access files, changes to the boot record of floppy disks, formatting hard drives, etc.

Behavioral analyzers do not use additional objects like virus databases for their work and, as a result, they are unable to distinguish between known and unknown viruses - all suspicious programs are a priori considered unknown viruses. Similarly, the features of the operation of tools that implement behavioral analysis technologies do not imply treatment.

Checksum analysis is a way to keep track of changes in the objects of a computer system. Based on the analysis of the nature of the changes - simultaneity, mass character, identical changes in file lengths - it can be concluded that the system is infected. Checksum analyzers (also called "change auditors"), like behavioral analyzers, do not use additional objects in their work and issue a verdict on the presence of a virus in the system solely by expert evaluation. Similar technologies are used in on-access scanners: during the first check, a checksum is taken from the file and placed in a cache; before the next check of the same file, the checksum is taken again and compared, and if there are no changes, the file is considered uninfected.
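The auditor programs described in the first part of this page and the checksum analysis just described, as one added example that is not part of the original text: a change auditor that records a baseline of file length, SHA-256 checksum and modification time, then reports added, removed and modified files. The directory, file names and contents are constructed in a temporary directory for the demonstration.

```python
"""Change auditor / checksum analyzer (added illustration, not from the original text).

Records a baseline of length, SHA-256 checksum and modification time for every
file under a directory, then compares a later snapshot against it. The files
in demo() are constructed in a temporary directory purely for illustration.
"""
import hashlib
import json
import os
import tempfile
from pathlib import Path


def file_record(path: Path) -> dict:
    """Length, checksum and modification time (nanoseconds) of one file."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    st = path.stat()
    return {"length": st.st_size, "sha256": h.hexdigest(), "mtime_ns": st.st_mtime_ns}


def snapshot(root: Path) -> dict:
    """Map relative path -> record for every regular file under root."""
    records = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            records[str(p.relative_to(root))] = file_record(p)
    return records


def save_baseline(root: Path, baseline_file: Path) -> None:
    """Store the current snapshot as the trusted reference state."""
    baseline_file.write_text(json.dumps(snapshot(root), indent=2))


def audit(root: Path, baseline_file: Path) -> dict:
    """Compare the current state with the baseline.

    A file counts as modified when its checksum differs; whether length and
    timestamp also changed is reported, because a change that keeps the length
    and restores the timestamp still alters the checksum.
    """
    old = json.loads(baseline_file.read_text())
    new = snapshot(root)
    report = {"added": sorted(set(new) - set(old)),
              "removed": sorted(set(old) - set(new)),
              "modified": {}}
    for name in sorted(set(old) & set(new)):
        if old[name]["sha256"] != new[name]["sha256"]:
            report["modified"][name] = {
                "length_changed": old[name]["length"] != new[name]["length"],
                "mtime_changed": old[name]["mtime_ns"] != new[name]["mtime_ns"],
            }
    return report


def demo() -> dict:
    """Create constructed files, take a baseline, alter the tree, and audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "disk"
        root.mkdir()
        (root / "PROG.COM").write_bytes(b"\xb8\x00\x4c\xcd\x21")   # constructed content
        (root / "DATA.TXT").write_bytes(b"hello")
        baseline = Path(tmp) / "baseline.json"
        save_baseline(root, baseline)
        # Same-length change with the original timestamp restored: only the checksum differs.
        st = (root / "PROG.COM").stat()
        (root / "PROG.COM").write_bytes(b"\xe9\x00\x4c\xcd\x21")
        os.utime(root / "PROG.COM", ns=(st.st_atime_ns, st.st_mtime_ns))
        (root / "NEW.EXE").write_bytes(b"MZ")      # a file that was not in the baseline
        (root / "DATA.TXT").unlink()               # a file that disappeared
        return audit(root, baseline)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```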

Anti-virus complex - a set of anti-virus tools that use the same anti-virus engine or engines, designed to solve practical problems of ensuring the anti-virus security of computer systems. The anti-virus complex also includes tools for updating anti-virus databases.

In addition, the anti-virus complex may additionally include behavioral analyzers and change auditors that do not use the anti-virus engine.

There are the following types of anti-virus complexes:

Antivirus complex for protection of workstations

Anti-virus complex for protecting file servers

Anti-virus complex for protection of mail systems

Antivirus complex for protection of gateways.


INTRODUCTION

We live at the turn of two millennia, when humanity has entered the era of a new scientific and technological revolution.

By the end of the twentieth century, people had mastered many of the secrets of the transformation of matter and energy and were able to use this knowledge to improve their lives. But in addition to matter and energy, another component plays a huge role in human life - information. This is a wide variety of information, messages, news, knowledge, skills.

In the middle of our century, special devices appeared - computers, focused on the storage and transformation of information - and a computer revolution took place.

Today, the widespread use of personal computers has, unfortunately, turned out to be associated with the emergence of self-reproducing virus programs that prevent the normal operation of the computer, destroy the file structure of disks and damage the information stored in the computer.

Despite the laws adopted in many countries to combat computer crime and the development of special programs and new virus-protection tools, the number of new software viruses is constantly growing. This requires the user of a personal computer to be aware of the nature of viruses, how they infect a computer, and how to protect against them. This was the stimulus for choosing the theme of my work.

That's what I'm talking about in my essay. I show the main types of viruses, consider the schemes of their functioning, the reasons for their appearance and ways of penetrating the computer, and also suggest measures for protection and prevention.

The purpose of the work is to acquaint the user with the basics of computer virology, to teach how to detect viruses and fight them. The method of work is the analysis of printed publications on this topic. I faced a difficult task - to talk about what has been very little studied, and how it happened - you be the judge.

1. COMPUTER VIRUSES AND THEIR PROPERTIES AND CLASSIFICATION

1.1. Properties of computer viruses

Now personal computers are used, in which the user has free access to all the resources of the machine. This is what opened up the possibility for the danger that has come to be known as a computer virus.

What is a computer virus? A formal definition of this concept has not yet been invented, and there are serious doubts that it can be given at all. Numerous attempts to give a "modern" definition of the virus have not been successful. To feel the complexity of the problem, try, for example, to define the concept of "editor". You will either come up with something very general, or you will start listing all known types of editors. Both can hardly be considered acceptable. Therefore, we will confine ourselves to considering some properties of computer viruses that allow us to speak of them as a certain specific class of programs.

First of all, a virus is a program. Such a simple statement alone can dispel many legends about the extraordinary capabilities of computer viruses. A virus can flip the image on your monitor, but it cannot flip the monitor itself. The legends about killer viruses that "destroy operators by displaying a deadly color scheme in the 25th frame" are also not to be taken seriously. Unfortunately, some authoritative publications from time to time publish "the latest news from the computer front", which, upon closer examination, turns out to be the result of a not entirely clear understanding of the subject.

A virus is a program that has the ability to reproduce itself. This ability is the only property inherent in all types of viruses. But not only viruses are capable of self-replication. Any operating system and many other programs are capable of creating their own copies. Copies of the same virus not only do not have to completely match the original, but may not match it at all!

A virus cannot exist in "complete isolation": today one cannot imagine a virus that does not use other programs' code, file structure information, or even just the names of other programs. The reason is clear: the virus must somehow ensure the transfer of control to itself.

1.2. Virus classification

Currently, more than 5,000 software viruses are known, they can be classified according to the following criteria:

• habitat

• method of infecting the habitat

• impact

• features of the algorithm

Depending on the habitat, viruses can be divided into network, file, boot, and file-boot viruses. Network viruses are distributed over various computer networks. File viruses are introduced mainly into executable modules, that is, into files with COM and EXE extensions. File viruses can be embedded in other types of files, but, as a rule, when written into such files, they never get control and, therefore, lose the ability to reproduce. Boot viruses are embedded in the boot sector of the disk (Boot-sector) or in the sector containing the boot program of the system disk (Master Boot Record). File-boot viruses infect both files and disk boot sectors.

According to the method of infection, viruses are divided into resident and non-resident. A resident virus, when infecting a computer, leaves its resident part in RAM, which then intercepts the operating system's access to infection objects (files, disk boot sectors, etc.) and intrudes into them. Resident viruses reside in memory and remain active until the computer is turned off or restarted. Non-resident viruses do not infect computer memory and are active for a limited time.

According to the degree of impact, viruses can be divided into the following types:

• non-hazardous, which do not interfere with the operation of the computer, but reduce the amount of free RAM and disk memory; the actions of such viruses manifest themselves in some graphic or sound effects

• dangerous viruses that can cause various problems with your computer

• very dangerous, the impact of which can lead to the loss of programs, the destruction of data, the erasure of information in the system areas of the disk.

2. MAIN TYPES OF VIRUSES AND SCHEMES OF THEIR FUNCTIONING

Among the variety of viruses, the following main groups can be distinguished:

• boot

• file

• file-boot

Now in more detail about each of these groups.

2.1. Boot viruses

Consider the operation of a very simple boot virus that infects floppy disks. We deliberately bypass all the numerous subtleties that would inevitably be encountered in a rigorous analysis of the algorithm for its functioning.

What happens when you turn on your computer? First, control is transferred to the bootstrap program (PNZ), which is stored in read-only memory (ROM), i.e. the PNZ ROM.

This program tests the hardware and, if the tests pass, tries to find the floppy disk in drive A:

Every floppy disk is divided into so-called sectors and tracks. Sectors are combined into clusters, but this is not essential for us.

Among the sectors there are several service sectors used by the operating system for its own needs (your data cannot be placed in these sectors). Among the service sectors, we are interested in one - the so-called bootstrap sector (boot sector).

The bootstrap sector stores information about the diskette - the number of surfaces, the number of tracks, the number of sectors, etc. But now we are interested not in this information, but in the small bootstrap program (PNZ), which should load the operating system itself and transfer control to it.

So the normal bootstrap pattern is as follows:

Now consider the virus. In boot viruses, two parts are distinguished - the so-called head and the so-called tail. The tail, generally speaking, can be empty.

Suppose you have a blank floppy disk and an infected computer, by which we mean a computer with an active resident virus. As soon as this virus detects that a suitable victim has appeared in the drive - in our case, a diskette that is not write-protected and not yet infected - it proceeds to infect it. When infecting a floppy disk, the virus performs the following actions:

Allocates a certain area of the disk and marks it as inaccessible to the operating system; this can be done in different ways, but in the simplest and most traditional case, the sectors occupied by the virus are marked as bad

Copies its tail and the original (healthy) boot sector to the selected area of the disk

Replaces the bootstrap program in the (real) boot sector with its head

Organizes the control transfer chain according to the scheme.

Thus, the head of the virus is now the first to take control, the virus is installed in memory and transfers control to the original boot sector. In a chain

PNZ (ROM) - PNZ (disk) - SYSTEM

a new link appears:

PNZ (ROM) - VIRUS - PNZ (disk) - SYSTEM

The moral is clear: never (accidentally) leave floppy disks in drive A.

We have examined the operation of a simple boot virus that lives in the boot sectors of floppy disks. As a rule, viruses can infect not only the boot sectors of floppy disks, but also the boot sectors of hard drives. In this case, unlike floppy disks, a hard drive has two types of boot sectors containing boot programs that receive control. When booting a computer from a hard drive, the boot program in the MBR (Master Boot Record) takes control first. If your hard drive is divided into several partitions, then only one of them is marked as bootable (boot). The bootstrap program in the MBR finds the boot partition of the hard drive and transfers control to the bootstrap program of this partition. The code of the latter is the same as the code of the boot program contained on ordinary floppy disks, and the corresponding boot sectors differ only in their parameter tables. Thus, there are two objects of attack for boot viruses on the hard drive - the bootstrap program in the MBR and the bootstrap program in the boot sector of the boot partition.

2.2. File viruses

Let us now consider how a simple file virus works. Unlike boot viruses, which are almost always resident, file viruses are not necessarily resident. Let's consider the scheme of functioning of a non-resident file virus. Suppose we have an infected executable file. When such a file is launched, the virus takes control, performs some actions, and transfers control to the "master" (although it is still unclear who is the master in such a situation).

What actions does the virus perform? It looks for a new object to infect - a file of a suitable type that has not yet been infected (in the event that the virus is "decent"; otherwise there are those that infect immediately without checking anything). By infecting a file, the virus injects itself into its code in order to gain control when the file is run. In addition to its main function - reproduction - the virus may well do something intricate (say, ask questions, play) - this already depends on the imagination of the author of the virus. If a file virus is resident, it will install itself into memory and gain the ability to infect files and display other abilities not only while the infected file is running. By infecting an executable file, a virus always modifies its code - therefore, an infection of an executable file can always be detected. But in changing the file code, the virus does not necessarily make other changes:

• it is not obliged to change the length of the file

• it may use unused sections of code

• it is not required to change the beginning of the file

Finally, file viruses often include viruses that "have something to do with files" but are not required to intrude into their code. Let us consider as an example the scheme of functioning of viruses of the well-known Dir-II family. It must be admitted that, having appeared in 1991, these viruses caused a real plague epidemic in Russia. Consider a model that clearly shows the basic idea of the virus. Information about files is stored in directories. Each directory entry includes a file name, creation date and time, some additional information, the number of the file's first cluster, etc., and spare bytes. The latter are left "in reserve" and are not used by MS-DOS itself.

When running executable files, the system reads the number of the first cluster of the file from the directory entry and then all other clusters. Viruses of the Dir-II family produce the following "reorganization" of the file system: the virus writes itself to some free sectors of the disk, which it marks as bad. In addition, it stores information about the first clusters of executable files in the spare bytes, and writes references to itself in place of this information.

Thus, when any file is launched, the virus receives control (the operating system launches it itself), resides in memory, and transfers control to the called file.

2.3. Boot-file viruses

We will not consider the boot-file virus model, because you will not learn any new information in this case. But here is an opportunity to briefly discuss the recently extremely "popular" OneHalf boot-file virus, which infects the master boot sector (MBR) and executable files. Its main destructive action is the encryption of hard drive sectors. Each time it is launched, the virus encrypts another portion of sectors, and after encrypting half of the hard drive, it happily announces this. The main problem in the treatment of this virus is that it is not enough just to remove the virus from the MBR and files; it is also necessary to decrypt the information encrypted by it. The most "fatal" action would be simply to write a new, healthy MBR over the infected one. The main thing is not to panic. Weigh everything calmly and consult with experts.

2.4. Polymorphic viruses

Most of the questions are related to the term "polymorphic virus". This type of computer virus is by far the most dangerous. Let's explain what it is.

Polymorphic viruses are viruses that modify their code in infected programs in such a way that two instances of the same virus may not match in one bit.

Such viruses not only encrypt their code in different ways, but also contain code that generates the encryptor and decryptor, which distinguishes them from ordinary encrypting viruses, which can also encrypt parts of their code but have a constant encryptor and decryptor.

Polymorphic viruses are viruses with self-modifying decryptors. The purpose of such encryption is that even if you have both an infected and an original file, you will still not be able to analyze the virus code using conventional disassembly. This code is encrypted and is a meaningless set of commands. Decryption is performed by the virus itself at run time. Here options are possible: it can decrypt itself all at once, or it can perform such decryption "on the go", and it can re-encrypt sections that have already run. All this is done to make it difficult to analyze the virus code.

3. HISTORY OF COMPUTER VIROLOGY AND CAUSES OF VIRUSES

The history of computer virology today looks like a constant "race for the leader", and, for all the power of modern antivirus programs, it is viruses that lead. Among the thousands of viruses only a few dozen are original developments using genuinely new ideas; all the others are "variations on a theme". But each original development forces the antivirus developers to adapt to new conditions and catch up with virus technology. One can argue the point with examples. In 1989 an American student created a virus that put about 6,000 US Department of Defense computers out of action. Or take the epidemic of the famous Dir-II virus in 1991: the virus used a genuinely original, fundamentally new technique and at first spread widely because traditional antivirus tools could not cope with it.

Or the outbreak of computer viruses in the UK: Christopher Pine created the Pathogen and Queeg viruses and the Smeg polymorphic engine. Smeg was the most dangerous of the three: it could be attached to the first two viruses, so that they changed their form after every run of an infected program and could not be caught by a fixed signature. To spread the viruses, Pine copied computer games and programs, infected them and uploaded them back to the network; users downloaded the infected programs and infected their own disks. Matters were made worse by the fact that Pine managed to plant his viruses in the very program meant to fight them: by running it, users received another virus instead of getting rid of the ones they had. As a result the files of many companies were destroyed and the losses amounted to millions of pounds.

The American programmer Robert Morris is widely known as the author of the worm that in November 1988 infected about 7,000 computers connected to the Internet.

The reasons for the emergence and spread of computer viruses lie, on the one hand, in human psychology and its shadow sides (envy, revenge, the vanity of unrecognised creators, an inability to apply one's abilities constructively) and, on the other, in the lack of hardware protection and countermeasures in the operating systems of personal computers.

4. WAYS OF PENETRATION OF VIRUSES INTO A COMPUTER AND MECHANISM OF DISTRIBUTION OF VIRUS PROGRAMS

The main routes by which viruses enter a computer are removable disks (floppy and optical) and computer networks. A hard disk can become infected when a program is run from a diskette that carries a virus. Infection can also be accidental: if a diskette is left in drive A and the computer is restarted, the boot sector of that diskette is read and executed even if it is not a system diskette. Infecting a diskette is even easier: a virus can get onto it as soon as it is inserted into the drive of an infected computer and, say, its directory is read.

A virus usually infects a working program in such a way that, when the program is launched, control passes first to the virus and only after all its commands have executed returns to the host program. Having gained control, the virus first of all copies itself into another working program and infects it. Once a program containing the virus has run, other files can be infected. Most often the boot sector of a disk and executable files with the EXE, COM, SYS and BAT extensions are infected. Text files are infected extremely rarely.

Having infected a program, the virus may carry out some sabotage, not too serious, so as not to attract attention. Finally, it does not forget to return control to the program from which it was launched. Each run of an infected program passes the virus on to the next one, and over time all the software on the machine becomes infected.

To illustrate how a program is infected by a virus, it helps to liken disk storage to an old-fashioned archive of folders. The folders contain programs, and the sequence of operations by which a virus is introduced then looks as follows (see Appendix 1).

5. SIGNS OF VIRUSES

When a computer is infected with a virus, it is important to detect it. To do this, you should know the main signs by which viruses manifest themselves:

  • termination or incorrect operation of programs that previously worked
  • slow computer performance
  • inability to boot the operating system
  • disappearance of files and directories, or corruption of their contents
  • changed file modification dates and times
  • changed file sizes
  • an unexpected large increase in the number of files on the disk
  • a significant decrease in the amount of free RAM
  • unexpected messages or images on the screen
  • unexpected sound signals
  • frequent freezes and crashes

Note that none of these phenomena is necessarily caused by a virus; each can have other causes. Diagnosing the state of the computer correctly is therefore not always easy.

6. VIRUS DETECTION AND PROTECTION AND PREVENTION MEASURES

6.1. How to detect a virus ? Traditional approach

So, a virus writer creates a virus and releases it "into the wild". For a while it may circulate freely, but sooner or later the free ride ends: someone notices that something is wrong. Viruses are usually found by ordinary users who notice anomalies in the behaviour of their computer. In most cases they cannot deal with the infection themselves, and this is not expected of them.

What matters is that the virus reaches specialists as quickly as possible. They study it and establish what it does, how, and when. In the process all the necessary information about the virus is collected; in particular, its signature is extracted: a sequence of bytes that identifies it reliably. The signature is usually taken from the most essential and characteristic parts of the virus code. At the same time the virus's mechanisms become clear: for a boot virus, where it hides its "tail" and where the original boot sector is kept; for a file virus, how it infects a file. This information answers two questions:

  • how to detect the virus: a method for finding its signature in the objects it attacks (files and/or boot sectors) is specified;
  • how to neutralise it: where possible, an algorithm for removing the virus code from infected objects is developed.

6.2. Virus detection and protection programs

To detect, remove and protect against computer viruses, several types of special programs have been developed. Such programs are called antivirus programs, and the following types are distinguished:

  • detector programs
  • doctor programs, or phages
  • auditor programs
  • filter programs
  • vaccine programs, or immunisers

Detector programs search RAM and files for a signature characteristic of a particular virus and, if it is found, report it. The limitation of such programs is that they can only find viruses already known to their developers.

Doctor programs, or phages, not only find virus-infected files but also "treat" them, i.e. remove the body of the virus from the file and return the file to its original state. At the start of their work phages look for viruses in RAM and destroy them, and only then proceed to treating files. Among phages, polyphages are distinguished: doctor programs designed to find and destroy a large number of viruses. The best known are Aidstest, Scan, Norton Antivirus and Doctor Web.

Since new viruses appear constantly, detector and doctor programs quickly become outdated and need regular updates.

Auditor programs are among the most reliable means of protection against viruses. An auditor records the initial state of programs, directories and system areas of the disk while the computer is not infected, and then periodically, or on request, compares the current state with the recorded one. Detected changes are shown on screen. As a rule the comparison is made immediately after the operating system has loaded. The comparison covers file length, a cyclic redundancy code (file checksum), modification date and time, and other parameters. Auditors use fairly sophisticated algorithms, detect stealth viruses, and can even tell the changes that come with a new version of a program from those made by a virus. A widely used auditor in Russia is ADinf.

Filter programs, or "watchmen", are small resident programs designed to detect computer activity characteristic of viruses. Such actions include:

  • attempts to modify files with the COM or EXE extension
  • changing file attributes
  • direct writes to the disk at an absolute address
  • writes to the boot sectors of a disk

When any program tries to perform one of these actions, the watchman notifies the user and offers to prohibit or allow it. Filter programs are very useful, because they can detect a virus at the earliest stage of its existence, before it has reproduced. However, they do not "cure" files or disks; other programs, such as phages, are needed to destroy the virus. The disadvantages of watchman programs are their "annoyance" (for example, they warn about every attempt to copy an executable file), possible conflicts with other software, and the fact that some viruses know how to bypass them. An example of a filter program is Vsafe, which is part of the MS-DOS utilities.

Vaccines, or immunisers, are resident programs that prevent file infection. They are used when there is no doctor program for a given virus, and vaccination is possible only against known viruses. A vaccine modifies a program or disk in a way that does not affect its operation but makes the virus treat it as already infected, so that the virus does not install itself. Vaccine programs are of limited use today.

Timely detection of virus-infected files and disks, complete destruction of detected viruses on each computer helps to avoid the spread of a virus epidemic to other computers.

6.3. Basic measures to protect against viruses

To prevent your computer from being infected with viruses and to keep the information on its disks safe, observe the following rules:

  • equip the computer with up-to-date antivirus programs, such as Aidstest or Doctor Web, and update them constantly
  • before reading diskettes that have been in other computers, check them for viruses with the antivirus programs on your own computer
  • when transferring archived files to your computer, check them immediately after unpacking them onto the hard disk, limiting the check to the newly written files
  • periodically check the computer's hard disks for viruses by running the antivirus programs from a write-protected diskette to test files, memory and system areas, after booting the operating system from a write-protected system diskette
  • always write-protect your diskettes when working on other computers if nothing needs to be written to them
  • be sure to keep archive copies of valuable information on diskettes
  • do not leave a diskette in drive A when switching the computer on or rebooting, to avoid infection by boot viruses
  • use antivirus programs to check every executable file received over a network before it is used
  • for greater security, combine Aidstest and Doctor Web with daily use of the ADinf disk auditor

CONCLUSION

So, many facts indicate that the threat to information resources grows every day, alarming those responsible in banks, enterprises and companies all over the world. The threat comes from computer viruses that corrupt or destroy vital, valuable information, which can lead not only to financial losses but also to human casualties.

A computer virus is a specially written program that can attach itself to other programs, create copies of itself and embed them in files, system areas of the computer and computer networks, in order to disrupt the operation of programs, damage files and directories, and create all kinds of interference with the computer's operation.

More than 5,000 viruses are known at the time of writing, and the number is constantly growing. There have even been cases of tutorials written to help in writing viruses.

The main types of viruses are boot, file and file-boot viruses; the most dangerous type is the polymorphic virus.

The history of computer virology shows that every original development on the virus side forces antivirus developers to adapt to the new technique and constantly improve their programs.

The reasons for the emergence and spread of viruses lie on the one hand in human psychology and on the other in the lack of protection in operating systems.

The main routes by which viruses penetrate a computer are removable media and computer networks, and precautions must be taken against both. Several types of special programs, antivirus programs, have been developed to detect, remove and protect against viruses. If you do find a virus on your computer, the traditional advice is to call a professional to deal with it.

Some properties of viruses puzzle even experts. Until quite recently it was hard to imagine that a virus could survive a cold reboot or spread through document files. Under such conditions at least a basic antivirus education for users cannot be neglected. For all the seriousness of the problem, no virus can cause as much harm as a user who has gone pale and whose hands are trembling.

So, the health of your computers and the safety of your data are in your hands.

Although general measures of information protection and prevention are very important in defending against viruses, specialised programs are indispensable. They can be divided into several types:

  • Detector programs check whether the files on a disk contain the byte combination (signature) of a known virus and report it to the user (VirusScan/SCAN from McAfee Associates).
  • Doctor programs, or phages, "cure" infected programs by cutting the virus body out of them, with or without restoring the host file to its exact original form; an example is CLEAN, the curing companion of SCAN.
  • Doctor-detector programs (Lozinsky's Aidstest, Danilov's Doctor Web, MSAV, Norton Antivirus, Kaspersky's AVP) both detect a known virus on a disk and cure the infected file. This is the most common group of antivirus programs today.

In the simplest case the command to check a disk for viruses looks like aidstest <path> /key1 /key2 /key3 ..., where the keys select the scanning and curing options.

  • Filter programs (watchmen) sit resident in the PC's RAM, intercept the operating-system calls that viruses use to reproduce and do damage, and report them to the user:
    - an attempt to modify the main OS file COMMAND.COM;
    - an attempt to write directly to the disk, bypassing the OS and overwriting what was there; a message is shown that some program is trying to write to the disk;
    - formatting a disk;
    - a program installing itself resident in memory.

Having detected one of these actions, the filter program describes the situation to the user and asks for confirmation; the user can allow or forbid the operation. Actions characteristic of viruses are controlled by replacing the handlers of the corresponding interrupts. The drawbacks of these programs are intrusiveness (the watchman warns, for example, about any attempt to copy an executable file), possible conflicts with other software, and the fact that some viruses bypass them. Examples of filters: Anti4us, Vsafe, Disk Monitor.
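The following Python model is an added illustration (not part of the original text, and not any real watchman's code) of the interposition that the filter programs described above, and in section 6.2, perform. Under DOS a watchman replaced the INT 21h and INT 13h handlers; here the "services" are methods on a small in-memory Disk object and the hook is a wrapper that checks each call against the rule list from the text before passing it on. The file names, the ask() prompt callback and the program sequences are constructed for the demo.

```python
"""Toy resident filter ("watchman"): interpose on service calls and veto the
virus-like ones.  Constructed model, not a real DOS TSR."""
from dataclasses import dataclass, field
import os

EXECUTABLE_EXT = {".com", ".exe", ".sys"}


@dataclass
class Disk:
    """Stand-in for the DOS file and sector services a virus would call."""
    files: dict = field(default_factory=dict)     # name -> bytes
    attrs: dict = field(default_factory=dict)     # name -> attribute string
    sectors: dict = field(default_factory=dict)   # absolute sector -> bytes
    resident: list = field(default_factory=list)  # programs that went TSR

    def write_file(self, name, data):
        self.files[name] = data

    def set_attr(self, name, value):
        self.attrs[name] = value

    def write_sector(self, number, data):
        self.sectors[number] = data

    def go_resident(self, program, _unused=None):
        self.resident.append(program)


def classify(action, target):
    """Warning text for the actions the text lists as virus-like, else None."""
    if action == "write_file" and os.path.splitext(str(target))[1].lower() in EXECUTABLE_EXT:
        return f"attempt to modify executable {target}"
    if action == "set_attr":
        return f"attempt to change attributes of {target}"
    if action == "write_sector" and target == 0:
        return "attempt to write the boot sector"
    if action == "write_sector":
        return f"direct write to disk at absolute sector {target}"
    if action == "go_resident":
        return f"{target} is installing itself resident in memory"
    return None


class Watchman:
    """Plays the role of the replaced interrupt handler: every service call
    goes through call(), which consults ask(message) (the user prompt) before
    letting a suspicious operation reach the disk.  Vetoed calls change nothing."""

    def __init__(self, disk, ask):
        self.disk, self.ask, self.log = disk, ask, []

    def call(self, program, action, target, data=None):
        reason = classify(action, target)
        if reason is not None:
            allowed = self.ask(f"{program}: {reason}. Allow?")
            self.log.append((program, reason, allowed))
            if not allowed:
                return False
        getattr(self.disk, action)(target, data)
        return True


def run_session(ask):
    """Replay constructed programs against a fresh disk and return
    (disk, watchman.log): a benign editor, an infection-like sequence, and a
    legitimate installer that trips the same rule (the 'annoyance')."""
    disk = Disk(files={"GAME.COM": b"host code", "COMMAND.COM": b"shell"})
    w = Watchman(disk, ask)
    # Benign editor: writes a document and nothing else; never prompts.
    w.call("EDIT.EXE", "write_file", "NOTES.TXT", b"meeting at 10")
    # Constructed virus-like sequence: modify a system executable, hide it by
    # resetting attributes, overwrite the boot sector, stay resident.
    w.call("GAME.COM", "write_file", "COMMAND.COM", b"shell<toy appendage>")
    w.call("GAME.COM", "set_attr", "COMMAND.COM", "RH")
    w.call("GAME.COM", "write_sector", 0, b"<toy boot code>")
    w.call("GAME.COM", "go_resident", "GAME.COM")
    # Legitimate installer copying a program: also prompts (false alarm).
    w.call("SETUP.EXE", "write_file", "TOOL.EXE", b"new tool")
    return disk, w.log


if __name__ == "__main__":
    disk, log = run_session(lambda msg: input(msg + " [y/N] ").lower() == "y")
    for entry in log:
        print(entry)
```

Running run_session with a prompt that always refuses shows both halves of the text's verdict: the infection-like sequence is stopped before COMMAND.COM, the boot sector or memory is touched, while the harmless editor is never asked; but the installer writing TOOL.EXE is also blocked, which is exactly the "annoyance" the text complains of. The same rule table is what a behaviour blocker or heuristic analyser applies to an action summary produced by emulation rather than at run time.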

Note that many programs of the doctor-detector class now also include a resident filter (watchman) module, for example Dr.Web, AVP and Norton Antivirus, so such programs can be classified as doctor-detector-watchmen.

  • Hardware-software antivirus tools (the Sheriff hardware-software complex). On a par with watchman programs are hardware-software antivirus tools, which give more reliable protection against a virus penetrating the system. Such a complex has two parts: a hardware part, installed as a board or chip in the computer, and a software part written to disk. The hardware part (a controller) monitors all disk write operations; the software part, resident in RAM, tracks all input/output. Before using such tools, however, their compatibility with the other hardware in the PC (disk controllers, modems, network cards) must be considered carefully.
  • Auditor programs (ADinf, Advanced Diskinfoscope, with the ADinf Cure Module for disinfection). An auditor works in two stages. First it records information about the state of programs and of the system areas of the disk (the boot sector and the sectors holding the hard disk partition table); it is assumed that at that moment programs and system areas are not infected. Later, when the current state of the disks and system areas is compared with the recorded one, any discrepancy is reported to the user. Auditors can detect invisible (stealth) viruses. Checking file length alone is not enough, since some viruses do not change the length of infected files; a more reliable check is to read the entire file and compute a checksum over every byte. Changing a file while keeping its checksum unchanged is practically impossible for a virus that does not know the algorithm, but a plain CRC is linear and can be compensated for by code that does, so a cryptographic hash (or a keyed checksum) is the safer choice. A minor disadvantage of auditors is that, to be of any use, they must be run regularly, for example daily from AUTOEXEC.BAT. Their undoubted advantages are the high speed of checking and the fact that they do not need frequent updates: even an auditor version six months old reliably detects, and with its cure module removes, current viruses.
  • Vaccine programs, or immunisers (CPAV). A vaccine modifies programs and disks in a way that does not affect their operation but makes the virus against which it vaccinates consider them already infected. These programs are not very effective.
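As an added example (not the original page's code and not ADinf's), the following Python program implements the two-stage auditor described in the list above and in section 6.2: a baseline of length, modification time and checksums for every executable under a directory, then a comparison that reports what changed. The directory, file names and "infections" are constructed inside a temporary folder; the stealth-style case overwrites bytes in place and restores the timestamp to show why length and date alone are not enough.

```python
"""Toy disk auditor: record length, mtime and checksums of executables, then
report what changed.  Constructed demo data, not a real product's format."""
import hashlib
import os
import tempfile
import zlib

EXECUTABLE_EXT = (".com", ".exe", ".sys")


def fingerprint(path):
    """The parameters the text says an auditor compares, plus a cryptographic
    hash: a CRC is linear and can be compensated for by code that knows it."""
    st = os.stat(path)
    with open(path, "rb") as fh:
        data = fh.read()
    return {
        "length": st.st_size,
        "mtime_ns": st.st_mtime_ns,
        "crc32": zlib.crc32(data) & 0xFFFFFFFF,
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def snapshot(root):
    """Stage one: fingerprints of all executables under root, keyed by relative path."""
    table = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            if name.lower().endswith(EXECUTABLE_EXT):
                full = os.path.join(dirpath, name)
                table[os.path.relpath(full, root)] = fingerprint(full)
    return table


def compare(baseline, current):
    """Stage two: per file, 'added', 'removed', or the list of fields that changed."""
    report = {}
    for rel in sorted(set(baseline) | set(current)):
        if rel not in baseline:
            report[rel] = "added"
        elif rel not in current:
            report[rel] = "removed"
        else:
            changed = [k for k in baseline[rel] if baseline[rel][k] != current[rel][k]]
            if changed:
                report[rel] = changed
    return report


def demo():
    """Take a baseline of a constructed directory, simulate three kinds of
    infection, audit again and return the report."""
    with tempfile.TemporaryDirectory() as root:
        paths = {n: os.path.join(root, n) for n in ("GAME.COM", "EDITOR.EXE", "README.TXT")}
        for name, path in paths.items():
            with open(path, "wb") as fh:
                fh.write(b"original contents of " + name.encode())
        baseline = snapshot(root)

        # Stealth-style infection: bytes patched in place (same length) and
        # the original timestamp put back, so only the checksums can tell.
        st = os.stat(paths["GAME.COM"])
        with open(paths["GAME.COM"], "r+b") as fh:
            fh.seek(0)
            fh.write(b"PATCHED!")
        os.utime(paths["GAME.COM"], ns=(st.st_atime_ns, st.st_mtime_ns))

        # Appending infection: the file grows.
        with open(paths["EDITOR.EXE"], "ab") as fh:
            fh.write(b"<toy appended code>")

        # A new executable appears.
        with open(os.path.join(root, "DROPPER.COM"), "wb") as fh:
            fh.write(b"new file")

        return compare(baseline, snapshot(root))


if __name__ == "__main__":
    for rel, what in demo().items():
        print(f"{rel}: {what}")
```

demo() returns a report in which the in-place patch of GAME.COM shows up only through its checksums, the appended EDITOR.EXE through its length as well, and DROPPER.COM as an added file; README.TXT is outside the audited set. The SHA-256 column is there because CRC-32 is linear: a virus that knows the polynomial can append a few bytes that restore the old CRC, so the baseline should be kept out of the virus's reach (the write-protected diskette the text recommends) and should include a cryptographic hash.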

The strategy of protection against viruses can be described as a multi-level, "layered" defence. Structurally it might look like this. The reconnaissance role is played by detector programs, which check newly received software for viruses. The front line of defence is the resident filter programs, which can be the first to report a virus in action. The second echelon consists of auditor programs, which detect a virus attack even when it has managed to slip through the front line. Doctor programs restore infected programs when no clean copy exists in the archive, although they do not always cure correctly. Auditor-doctors detect the attack, treat the infected programs and verify that the treatment was correct. The deepest layer of defence is access control, which prevents viruses and misbehaving programs, even if they have penetrated the PC, from corrupting important data. The "strategic reserve" consists of archive copies of information and reference diskettes with the original software, which allow information to be restored if it is damaged.

The harmful effects of viruses are very diverse: deleting important files or even the BIOS firmware, sending personal information such as passwords to a given address, sending unauthorised e-mail and attacking web sites, or dialling premium-rate numbers over a modem or connected mobile phone. Remote-administration backdoors can give an attacker full control of the computer. Fortunately, all of these can be dealt with, and the main weapon in the fight is, of course, antivirus software.

Kaspersky Anti-Virus. Kaspersky Anti-Virus is perhaps the best-known product of this type in Russia, and the name "Kaspersky" has become synonymous with fighting malicious code. The laboratory of the same name not only releases new versions of its security software regularly but also educates computer users. The latest, ninth version of Kaspersky Anti-Virus, like earlier releases, has a simple, transparent interface that gathers all the necessary utilities in one window. With an installation wizard and intuitive menus even a novice can set the product up, while the strength of its detection algorithms will satisfy professionals. A detailed description of each detected virus can be opened on the Internet directly from the program.

Dr.Web. Another popular Russian antivirus that rivals Kaspersky Anti-Virus in popularity is Dr.Web. Its trial version has a notable feature: it requires mandatory registration over the Internet. On the one hand this is good, since the virus databases are updated immediately after registration and the user receives the latest signatures; on the other hand the trial version cannot be installed offline, and, as experience has shown, problems are inevitable over an unstable connection.

Panda Antivirus + Firewall 2007. A complete computer security solution, the Panda Antivirus + Firewall 2007 package includes, in addition to the antivirus, a firewall that monitors network activity. The main window is designed in "natural" green tones, but despite its attractive appearance the menu navigation is awkward, and a novice user may well get lost in the settings.

The Panda package contains several original solutions, such as the proprietary TruePrevent technology for detecting unknown threats, based on modern heuristic algorithms. Also worth noting is the vulnerability-scanning utility, which assesses the severity of "holes" in the system's security and offers to download the necessary updates.

Norton Antivirus 2005. The main impression of Symantec's Norton Antivirus 2005 is that it is aimed at powerful machines: the interface responds to user actions with a noticeable delay, and the installer imposes rather strict requirements on the versions of the operating system and Internet Explorer. Unlike Dr.Web, Norton Antivirus does not require the virus databases to be updated during installation, but it will keep reminding you that they are out of date for as long as they are.

McAfee VirusScan. McAfee VirusScan, which its developers call the number one scanner in the world, was chosen for testing because it stood out among similar applications for its large distribution size (over 40 MB). Assuming that the size reflected broad functionality, we proceeded with the installation and found that besides the antivirus scanner it includes a firewall, as well as utilities for cleaning the hard disk and for guaranteed deletion of files (a file shredder).

Questions for chapters 6 and 7

  • 1. Stages of development of information security tools and technologies.
  • 2. Components of the standard security model.
  • 3. Sources of security threats and their classification.
  • 4. Unintentional threats to information security.
  • 5. Deliberate threats to information security.
  • 6. Classification of information leakage channels.
  • 7. Regulation of information security problems.
  • 8. Structure of the state information protection system.
  • 9. Methods and means of information protection.
  • 10. Classification of data security threats.
  • 11. Methods for protecting information from viruses.
  • 12. Methods of integrity control.
  • 13. Classification of computer viruses.
  • 14. Means of protection against viruses.
  • 15. Preventive antiviral measures.
  • 16. Classification of software anti-virus products.

Basic methods for detecting viruses

Antivirus programs have evolved in parallel with viruses. As new techniques for writing viruses appeared, the mathematical apparatus used in developing antiviruses became more sophisticated.

The first antivirus algorithms were based on comparison with a reference pattern: the virus was recognised by a mask taken from its constant core. The difficulty is a statistical one. The mask must be short enough that the database stays a reasonable size, and long enough to avoid both false positives (a "friend" taken for an "enemy") and false negatives (an "enemy" taken for a "friend").

The first antivirus programs built on this principle (the so-called polyphage scanners) knew a certain number of viruses and were able to cure them. They were created as follows: the developer, having obtained the virus code (which at first was static), compiled a unique mask from it (a sequence of 10-15 bytes) and entered it into the antivirus database. The antivirus scanned files and, if it found this byte sequence, concluded that the file was infected. The sequence (signature) was chosen so that it was unique and did not occur in ordinary data.

This approach served most antivirus programs until the early 1990s, when polymorphic viruses appeared, which change their body according to algorithms that cannot be predicted in advance. At that point the signature method was supplemented by the so-called processor emulator, which made it possible to find encrypted and polymorphic viruses that have no constant signature in their stored form.

The principle of processor emulation is shown in Fig. 1. Where the usual chain consists of three elements, CPU → OS → program, an emulator is inserted into it. The emulator reproduces the program's work in a virtual space and reconstructs the program's original contents; it can interrupt execution at any time, controls the program's actions so that nothing real is damaged, and hands the reconstructed code to the antivirus scanning engine.
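As an added worked example (not code from the original page or from any antivirus vendor), the following Python script models the self-modifying decryptor described in section 2.4 together with the signature scanning and decryptor emulation described in this section. The "virus body" is a constructed text string, the decryptor "instruction set" (one operation byte, one key byte, a length) is invented for the demo, and no real program is executed: the emulator only interprets the stub into a private buffer, the same arrangement in which a real engine scans reconstructed memory rather than the file on disk.

```python
"""Toy model of polymorphic decryptors, signature scanning and emulation.
Everything here is constructed: the body is plain text, the stub format is
made up, nothing is ever executed for real."""
import random

# Constructed stand-in for a constant virus body (text, not malware).
BODY = b"TOY-BODY: hook int 21h; append self to *.COM; jump back to host"
# A signature is a short, distinctive slice of the constant body (cf. the
# 10-15 byte masks described in the text).
SIGNATURE = BODY[10:24]

# Toy decryptor "instruction set": the op byte says how each body byte was
# transformed, the key byte parameterises it.
OP_XOR, OP_ADD, OP_SUB = 0x01, 0x02, 0x03
_ENCODE = {
    OP_XOR: lambda b, k: b ^ k,
    OP_ADD: lambda b, k: (b + k) & 0xFF,
    OP_SUB: lambda b, k: (b - k) & 0xFF,
}
_DECODE = {OP_XOR: _ENCODE[OP_XOR], OP_ADD: _ENCODE[OP_SUB], OP_SUB: _ENCODE[OP_ADD]}


def make_polymorphic_copy(seed):
    """Emit one 'infected file' image: random junk, a freshly chosen
    decryptor (op, key), then BODY transformed so that this decryptor undoes it.
    Layout: [junk_len][junk...][op][key][body_len][encrypted body]."""
    rng = random.Random(seed)
    junk = bytes(rng.randrange(256) for _ in range(rng.randrange(8, 32)))
    op = rng.choice(list(_ENCODE))
    key = rng.randrange(1, 256)          # key 0 would leave the body in clear
    enc = bytes(_ENCODE[op](b, key) for b in BODY)
    return bytes([len(junk)]) + junk + bytes([op, key, len(BODY)]) + enc


def static_scan(image):
    """Classic detector: does the raw image contain the signature?"""
    return SIGNATURE in image


def emulate_decryptor(image):
    """Toy processor emulator: 'run' the decryptor stub into a virtual buffer
    and return what it would have written to memory."""
    pos = 0
    junk_len = image[pos]
    pos += 1 + junk_len
    if pos + 3 > len(image):
        raise ValueError("truncated decryptor stub")
    op, key, body_len = image[pos], image[pos + 1], image[pos + 2]
    pos += 3
    if op not in _DECODE or pos + body_len > len(image):
        raise ValueError("unrecognised decryptor stub")
    return bytes(_DECODE[op](b, key) for b in image[pos:pos + body_len])


def emulating_scan(image):
    """Signature scan applied to the emulator's reconstructed memory."""
    try:
        return static_scan(emulate_decryptor(image))
    except ValueError:
        return False


def longest_common_run(a, b):
    """Length of the longest byte string two images share, to check the
    'two copies need not share a single byte' claim against a signature length."""
    best = 0
    for i in range(len(a)):
        for j in range(len(b)):
            k = 0
            while i + k < len(a) and j + k < len(b) and a[i + k] == b[j + k]:
                k += 1
            best = max(best, k)
    return best


if __name__ == "__main__":
    x, y = make_polymorphic_copy(1), make_polymorphic_copy(2)
    print("static scan:   ", static_scan(x), static_scan(y))
    print("emulating scan:", emulating_scan(x), emulating_scan(y))
    print("longest shared byte run:", longest_common_run(x, y), "of signature length", len(SIGNATURE))
```

Two copies generated with different seeds carry the same body, yet the raw-file scan finds nothing in either and the two images share no run of bytes as long as a signature; scanning the emulator's output finds both. A real emulator faces hazards this toy ignores: decryptors that loop for millions of iterations to exhaust the emulator's budget, instructions the emulator does not model, and code that checks whether it is running in an emulated environment.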

The second mechanism, which also appeared in the mid-1990s and is now used by every antivirus, is heuristic analysis. The emulator produces a summary of the actions the analysed program performs. That summary does not always allow a signature search, but it does allow some analysis and a hypothesis: virus or not a virus?

The decision is made with statistical methods, and the corresponding component is called a heuristic analyser.

To reproduce, a virus must perform certain specific actions: copying itself into memory, writing to sectors, and so on. The heuristic analyser (part of the antivirus engine) holds a list of such actions, looks through the code of the program being emulated, determines what it does and on that basis decides whether the program is a virus.

With this approach the proportion of viruses missed, including viruses unknown to the program, is small, at the cost of occasional false alarms on legitimate software. The technique is now used in all antivirus programs.

Classification of antivirus programs

Antivirus programs are classified into pure antiviruses and dual-purpose antiviruses (Fig. 2).

Pure antiviruses are characterised by an antivirus engine that performs pattern scanning. The fundamental point here is that treatment is possible when the virus is known. Pure antiviruses are in turn divided into two categories by the way they access files: on access or on demand. On-access products are usually called monitors and on-demand products scanners.

An on-demand product works as follows: the user wants to check something and issues a request, after which the check is carried out. An on-access product is a resident program that monitors file access and checks each file at the moment it is accessed.

In addition, antivirus programs, like viruses, can be divided by the platform they work on. In this sense, alongside Windows or Linux, platforms include Microsoft Exchange Server, Microsoft Office and Lotus Notes.

Dual-purpose programs are programs used both in antivirus and in non-antivirus software. For example a CRC checker, a checksum-based change inspector, can be used for purposes other than catching viruses. Another kind of dual-purpose program is the behaviour blocker, which analyses the behaviour of other programs and blocks suspicious actions. A behaviour blocker differs from a classic antivirus in that the classic engine recognises and cures viruses that were analysed in the laboratory and for which a treatment algorithm was written, whereas a behaviour blocker cannot cure viruses, because it knows nothing about them as such. This very property lets it work against any virus, including unknown ones, which matters today because virus writers and antivirus vendors use the same delivery channel, the Internet: an antivirus company always needs time to obtain a sample, analyse it and write the treatment module, and dual-purpose programs can block the spread of the virus until that module is ready.

Overview of the most popular personal antiviruses

The review includes the most popular antiviruses for personal use from five well-known developers. It should be noted that some of the companies discussed below offer several versions of personal programs that differ in functionality and, accordingly, in price. In our review, we looked at one product from each company, choosing the most functional version, which, as a rule, is called Personal Pro. Other personal antivirus options can be found on the respective websites.

Kaspersky Anti-Virus

Personal Pro v. 4.0

Developer: Kaspersky Lab. Website: http://www.kaspersky.ru/. Price $69 (license for 1 year).

Kaspersky Anti-Virus Personal Pro (Fig. 3) is one of the most popular solutions on the Russian market and contains a whole range of unique technologies.

The Office Guard behavior blocker module controls the execution of macros, preventing all suspicious actions. The presence of the Office Guard module provides 100% protection against macro viruses.

The Inspector monitors all changes on your computer and, if unauthorized changes are detected in files or in the system registry, allows you to restore the contents of the disk and remove malicious code. Inspector does not require updates to the anti-virus database: integrity control is carried out by taking fingerprints (CRC sums) of the original files and subsequently comparing them with the current state of the files. Unlike other auditors, Inspector supports all the most popular executable file formats.
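A minimal version of the checksum-based change inspector described above for the CRC-checker and for Inspector, added here as an illustration (this is not Kaspersky's code): it records a baseline of file length plus CRC-32 for every file under a directory and later reports which files were modified, added or removed. The directory, file names and contents in `demo()` are constructed for the example.

```python
import os
import tempfile
import zlib
from dataclasses import dataclass


@dataclass(frozen=True)
class Fingerprint:
    """What the auditor records per file: content length and CRC-32 of the bytes."""
    size: int
    crc32: int


def fingerprint(data: bytes) -> Fingerprint:
    return Fingerprint(size=len(data), crc32=zlib.crc32(data) & 0xFFFFFFFF)


def snapshot(root: str) -> dict[str, Fingerprint]:
    """Walk root and fingerprint every regular file, keyed by path relative to root."""
    result: dict[str, Fingerprint] = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            with open(full, "rb") as fh:
                result[os.path.relpath(full, root)] = fingerprint(fh.read())
    return result


def compare(baseline: dict[str, Fingerprint], current: dict[str, Fingerprint]):
    """Report (modified, added, removed) paths relative to the clean baseline."""
    modified = sorted(p for p in baseline if p in current and current[p] != baseline[p])
    added = sorted(p for p in current if p not in baseline)
    removed = sorted(p for p in baseline if p not in current)
    return modified, added, removed


def demo() -> tuple:
    """Constructed scenario: baseline a clean directory, then simulate changes."""
    with tempfile.TemporaryDirectory() as root:
        with open(os.path.join(root, "app.exe"), "wb") as fh:
            fh.write(b"MZ" + b"\x00" * 62)  # constructed stand-in for a program file
        with open(os.path.join(root, "notes.txt"), "wb") as fh:
            fh.write(b"clean text file\n")
        baseline = snapshot(root)  # taken while the directory is known to be clean
        # Simulated unauthorized change: bytes appended to the executable (size and CRC change).
        with open(os.path.join(root, "app.exe"), "ab") as fh:
            fh.write(b"\xcc" * 16)
        # A previously unknown file appears; notes.txt is left untouched.
        with open(os.path.join(root, "unknown.vbs"), "wb") as fh:
            fh.write(b"' constructed sample\n")
        return compare(baseline, snapshot(root))


if __name__ == "__main__":
    print(demo())  # (['app.exe'], ['unknown.vbs'], [])
```

CRC-32 is not collision resistant, so in a real auditor a cryptographic hash such as SHA-256 should replace it, and the baseline must be stored where software on the monitored machine cannot rewrite it.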

The heuristic analyzer makes it possible to protect your computer even from unknown viruses.

The Monitor background virus interceptor, permanently present in the computer's memory, performs anti-virus scanning of all files right at the moment they are launched, created or copied, which allows you to control all file operations and prevent infection even by the most technologically advanced viruses.

Antivirus email filtering prevents viruses from entering your computer. The Mail Checker plug-in not only removes viruses from the body of an email, but also completely restores the original content of emails. A comprehensive scan of mail correspondence prevents a virus from hiding in any element of an email by scanning all sections of incoming and outgoing messages, including attached files (archived and packed ones too) and other messages at any nesting level.

The Scanner antivirus scanner allows you to conduct a full-scale scan of the entire contents of local and network drives on demand.

The Script Checker interceptor provides an anti-virus check of all running scripts before they are executed.

Support for archived and compressed files provides the ability to remove malicious code from an infected compressed file.

Isolation of infected objects: infected and suspicious objects are isolated and transferred to a specially organized directory for further analysis and recovery.

Automation of anti-virus protection allows you to create a schedule and order of operation for the program components; automatically download and connect new anti-virus database updates via the Internet; send alerts about detected virus attacks by e-mail, etc.

Norton AntiVirus 2003 Professional Edition

Developer: Symantec. Website: http://www.symantec.ru/.

The price is 89.95 euros.

The program runs under Windows 95/98/Me/NT4.0/2000 Pro/XP.

Price $39.95

The program runs under Windows 95/98/Me/NT4.0/2000 Pro/XP.