Antiviruses
An antivirus is a program that detects the presence of viruses and, where possible, removes them. Antiviruses continuously monitor system activity and flag anything suspicious, such as attempts to modify boot sectors or to write to executable files. In addition, they have a scanning engine that checks the system (files, memory and boot sectors). This engine uses the antivirus's internal database, which stores an identification string for every known virus. The database is updated periodically, whenever new viruses are discovered and new identification strings become available.

The scanning engine alone cannot locate encrypted or polymorphic viruses. To detect them, antiviruses use heuristic search techniques: they examine files for any statement that could be suspicious, such as encryption/decryption routines, undocumented system calls, or direct disk access. The crucial problem with heuristics is that they generate many false alarms (legitimate actions can be flagged as viral attacks).

To detect encrypted viruses, antiviruses also use a virtual machine held in memory (comparable to a DOS window) that is completely isolated from the rest of the system. Inside this virtual machine the antivirus can freely observe what a potentially infected program does, since any viral action it takes cannot damage the system. When an encrypted virus runs, its decryption routine decrypts the body of the virus, which is then exposed to the antivirus. The drawback of this technique is its slowness: the program may have to be run many times inside the virtual machine before the virus is exposed.

Another thing antiviruses do is check file integrity. For each file the antivirus computes a number (produced by a special algorithm) that uniquely identifies the file's structure. These numbers are stored and periodically compared against the files to point out any differences. The drawback of this technique is that it is ineffective against viruses that do not change a file's structure; moreover, an infection is recognized only after the damage is already done.
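The integrity check described above, as an added example that is not part of the original page: a baseline of per-file hashes is taken, the tree is altered, and a rescan reports what changed. SHA-256 stands in for the page's unnamed "special algorithm", and the sample files and the simulated changes are constructed inside the script, so it runs offline.

```python
"""Baseline-and-compare file integrity check (added example, not from the page).

A baseline maps each file's relative path to the SHA-256 of its contents.
A later scan recomputes the hashes and classifies every file as modified,
added or removed relative to the baseline.  Sample files are constructed
in a temporary directory for the demonstration.
"""
import hashlib
import tempfile
from pathlib import Path


def hash_file(path: Path) -> str:
    """Hex SHA-256 of a file, read in chunks so large files need not fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: Path) -> dict:
    """Hash every regular file under root, keyed by its path relative to root."""
    baseline = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            baseline[path.relative_to(root).as_posix()] = hash_file(path)
    return baseline


def compare(baseline: dict, current: dict) -> dict:
    """Classify the differences between a stored baseline and a fresh scan."""
    return {
        "modified": sorted(p for p in baseline if p in current and baseline[p] != current[p]),
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
    }


def demo() -> dict:
    """Constructed scenario: record a baseline, alter the tree, then rescan."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        (root / "bin" / "editor.exe").write_bytes(b"MZ\x90\x00original program")
        (root / "bin" / "viewer.exe").write_bytes(b"MZ\x90\x00another program")
        (root / "readme.txt").write_text("documentation")

        baseline = build_baseline(root)

        # Simulated changes since the baseline: one executable has had bytes
        # appended (the kind of structural change the check catches), one new
        # file has appeared, and one file has been deleted.
        (root / "bin" / "editor.exe").write_bytes(
            b"MZ\x90\x00original program" + b"\x00appended bytes"
        )
        (root / "bin" / "newtool.exe").write_bytes(b"MZ\x90\x00new program")
        (root / "readme.txt").unlink()

        return compare(baseline, build_baseline(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

The check only sees what the hash sees: a virus that leaves the file bytes untouched (the weakness the text names) produces identical hashes, and the report arrives after the modification, not before it. The baseline itself also has to be kept where the monitored programs cannot rewrite it, otherwise a modified file can simply be accompanied by a refreshed hash.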
Copyright (c) 1998-2006 Wowarea