Anti-virus Software Virus Dictionary Approach Suspicious

Most commercial anti-virus software uses both of these approaches, with an emphasis on the virus dictionary approach.

1 Virus dictionary approach

In the virus dictionary approach, when the anti-virus software examines a file, it refers to a dictionary of known viruses that the authors of the anti-virus software have identified. If a piece of code in the file matches any virus identified in the dictionary, then the anti-virus software can take one of the following actions:

To achieve consistent success in the medium and long term, the virus dictionary approach requires periodic (generally online) downloads of updated virus dictionary entries. As civically minded and technically inclined users identify new viruses "in the wild", they can send their infected files to the authors of anti-virus software, who then include information about the new viruses in their dictionaries.

Dictionary-based anti-virus software typically examines files when the computer's operating system creates, opens, closes or e-mails them. In this way it can detect a known virus immediately upon receipt. Note too that a System Administrator can typically scheduled the anti-virus software to examine (scan) all files on the user's hard disk on a regular basis.

Although the dictionary approach can effectively contain virus outbreaks in the right circumstances, virus authors have tried to stay a step ahead of such software by writing " polymorphic viruses", which encrypt parts of themselves or otherwise modify themselves as a method of disguise, so as to not match the virus's signature in the dictionary.

2 Suspicious behavior approach

The suspicious behavior approach, by contrast, doesn't attempt to identify known viruses, but instead monitors the behavior of all programs. If one program tries to write data to an executable program, for example, the anti-virus software can flag this suspicious behavior, alert a user and ask what to do.

Unlike the dictionary approach, the suspicious behavior approach therefore provides protection against brand-new viruses that do not yet exist in any virus dictionaries. However, it also sounds a large number of false positives, and users probably become desensitized to all the warnings. If the user clicks "Accept" on every such warning, then the anti-virus software obviously gives no benefit to that user. This problem has worsened since 1997, since many more nonmalicious program designs came to modify other .exe files without regard to this false positive issue. Thus, most modern anti-virus software uses this technique less and less.

2.1 Other ways to detect viruses

Some antivirus-software will try to emulate the beginning of the code of each new executable that the system invokes before transferring control to that executable. If the program seems to use self-modifying code or otherwise appears as a virus (if it immediately tries to find other executables, for example), one could assume that a virus has infected the executable. However, this method too results in a lot of false positives.

Yet another detection method involves using a sandbox. A sandbox emulates the operating system and runs the executable in this simulation. After the program has terminated, software analyses the sandbox for any changes which might indicate a virus. Because of performance issues, this type of detection normally only takes place during on-demand scans.

3 Issues of concern

Computer users could inhibit the spread of Macro viruses (arguably the most destructive and widespread computer viruses) far more inexpensively and effectively, and without the need of all users to install appropriate anti-virus software, if Microsoft would fix security flaws in Microsoft Outlook and Microsoft Office which relate to the execution of downloaded code and to the ability of document macroMacro (meaning "large" or "wide") is also applied to macroeconomics, and macroscopic or "macro" lenses. Macro (meaning a kind of close-up photography) is found at Macro photography. A macro is an abstraction, whereby a certain textual pattern is replaceds to spread and wreak havoc.
User education can effectively supplement anti-virus software; simply training users in safe computing practices (such as not downloading and executing unknown programs from the Internet) would slow the spread of viruses and obviate the need of much anti-virus software.
Computer users should not always run with administratorA system administrator describes someone responsible for running, or running some aspect of, a computer system. The precise meaning varies. Organisations with very large or complex computer systems typically divide up computer staff according to specialis access to their own machine. If they would simply run in user mode then some types of viruses could not spread.
The dictionary approach to detecting viruses does not always suffice -- due to the continual creation of new viruses -- yet the suspicious behavior approach does not work well due to the false positive problem; hence, the current understanding of anti-virus software will never conquer computer viruses.
Various methods exist of encrypting and packing malicious software which will make even well-known viruses undetectable to anti-virus software. Detecting these "camouflaged" viruses requires a powerful unpacking engine, which can decrypt the files before examining them. Unfortunately, many popular anti-virus programs do not have this and thus are often unable to detect encrypted viruses.
The ongoing writing and spreading of viruses and of panic about them gives the vendors of commercial anti-virus software a financial interest in the ongoing existence of viruses.

4 Antivirus software companies

Aladdin Knowledge Systems
AlwilAlwil is a software company that produces Avast!, a virus scanning program. The program comes in a freeware version for home users and a shareware version that has some additional features. ICSA Labs has certified Avast! as a virus detector, but not as a
Computer AssociatesComputer Associates International, Inc is a computer software and consultancy company. It was founded in New York by Charles B. Wang in 1976, who retired in 2002. Until April 2004, Sanjay Kumar was its CEO and Chairman. In May 2004, Ken Cron was nominated
ClamAVClam AntiVirus ClamAV , is a widely used antivirus software toolkit for Unix. It is mainly used with a mail exchange server as a server-side email virus scanner. ClamAV is open source software distributed under the GPL. ClamAV can be configured to automat
EsetEset (founded 1992) is a anti-virus company with offices in San Diego, USA; London, UK; Prague, Czech Republic; and Bratislava, Slovakia. NOD32 the name of their virus scanner is rated as one of the best at Virus Bulletin, and it uses advanced heuristics
Frisk Software
F-Secure
GeCAD
Grisoft
Hauri
H+BEDV
Kaspersky
McAfee
Mks
Norman
Panda Software
SOFTWIN (BitDefender)
Sophos
Stiller Research
Symantec
Trend Micro

5 Testing Organizations

These organizations provide testing of virus scanning and related programs.

Virus Bulletin - http://www.virusbtn.com/
ICSA Labs - http://www.icsalabs.com/
West Coast Labs - http://www.westcoastlabs.org/

6 External links

Software Malware

<Hide>

Home > Anti-virus software