How Does an Anti-Virus Software Work? - The Inside Story
By Angsuman Chakraborty, Gaea News Network
Tuesday, September 30, 2008
We all know about anti-virus software these days. I guess you have read my comparative study on anti-virus software too. If you haven't, here it is. While writing that article I realized I had been rather superficial on the most important part of an anti-virus column, which is not WHAT cures the disease but HOW it is cured. Today let's find out how they actually work.
After a lot of study, I found that today's anti-virus software mainly uses four different techniques to detect viruses:
- Generic Scanning Technique
- Integrity Checking Technique
- Heuristic Search Scanning
- Interception technique
None of them is perfect on its own. In combination, however, they often prove a formidable opponent to current viruses, trojans and more. Moreover, some of the techniques also protect your computer against future viruses.
1. Generic Scanning Technique
Most old viruses and some new viruses and trojans have a recognizable pattern or signature (a sequence of bytes) which anti-virus software looks for. Anti-virus software keeps a library of signatures against which it matches applications, boot sectors and other possible locations of infection. If it detects a match it signals the end-user with the virus details and the location where it was found. Anti-virus vendors update these signatures at regular intervals. Unfortunately, mutating and polymorphic viruses evade simple signature detection by continuously changing their code. They are detected by the more advanced techniques discussed below.
Signature detection is simple and fast. Anti-virus software can look for virus signatures in a large number of files in a very short period of time. This is what makes it a popular option with anti-virus vendors.
Virus creators today mostly write polymorphic viruses, which change their code while retaining the functionality, thereby evading the signature detection algorithm. Virus toolkits are available for free which allow even a script-kiddie to produce a polymorphic virus with minimal expertise. So signature scanning is useful only in conjunction with other techniques, not alone. It is in some ways similar to comment spam or email spam detection using keyword matching for typical spam words like viagra.
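To make the signature idea concrete, here is a minimal byte-sequence scanner as an added example (not code from the article or any real product). The signature database, the file contents and the file names are all constructed; the last sample differs from a known signature by a single byte, which is enough to show why a code-changing variant slips past a fixed pattern.

```python
# Added example: a minimal signature scanner over constructed sample buffers.
from typing import Dict, List, Tuple

# Constructed signature database: name -> byte sequence.
# These are made-up patterns, not real malware signatures.
SIGNATURES: Dict[str, bytes] = {
    "Demo.PatternA": b"\xde\xad\xbe\xef\x13\x37",
    "Demo.BootMark": b"BOOT-INFECT-MARK",
}


def scan_buffer(data: bytes, signatures: Dict[str, bytes] = SIGNATURES) -> List[Tuple[str, int]]:
    """Return (signature name, offset) for every occurrence of every signature in data."""
    hits: List[Tuple[str, int]] = []
    for name, pattern in signatures.items():
        offset = data.find(pattern)
        while offset != -1:
            hits.append((name, offset))
            offset = data.find(pattern, offset + 1)
    return hits


def scan_files(files: Dict[str, bytes]) -> Dict[str, List[Tuple[str, int]]]:
    """Scan a mapping of path -> content; only paths with at least one hit are returned."""
    infected: Dict[str, List[Tuple[str, int]]] = {}
    for path, data in files.items():
        hits = scan_buffer(data)
        if hits:
            infected[path] = hits
    return infected


# Constructed sample "files". variant.exe carries the same layout as setup.exe
# but one byte of the recognisable sequence differs, so no signature matches.
SAMPLE_FILES: Dict[str, bytes] = {
    r"C:\tools\clean.exe": b"MZ" + b"\x90" * 32,
    r"C:\temp\setup.exe": b"MZ" + b"\x00" * 16 + b"\xde\xad\xbe\xef\x13\x37" + b"\x00" * 8,
    r"C:\temp\variant.exe": b"MZ" + b"\x00" * 16 + b"\xde\xad\xbe\xef\x13\x38" + b"\x00" * 8,
}

if __name__ == "__main__":
    for path, hits in scan_files(SAMPLE_FILES).items():
        for name, offset in hits:
            print(f"{path}: {name} at offset {offset}")
```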
2. Integrity Checking Technique
Some anti-virus software maintains a log of important files under Windows. A checksum of each of those files is recorded and stored in the software's database. If a virus tries to modify a system file, the checksum no longer matches and the anti-virus software at once notifies the user.
The best part of this technique is that even if a system file suddenly gets corrupted (as weirdly happens sometimes, without any initiative from Mr. Virus) and in turn changes the boot sector or, say, the registry, the integrity check on those files will fail and the anti-virus will warn the user about that too.
- Integrity checking is perhaps the most foolproof technique of them all, as it can determine whether a file has been damaged by a virus or not.
- The problem is that not much software implements the technique precisely. Damage or data loss due to ordinary corruption cannot be distinguished from a file damaged by a virus. But there is a boon in the bane: no harmful activity on your computer goes unnoticed.
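The checker below is an added example (not code from the article or any product) of the integrity technique: a baseline of SHA-256 checksums is recorded for the monitored files, and a later pass reports anything modified, added or missing. File names and contents are constructed; the second snapshot deliberately mixes an edited file, a missing file and an unexpected new file, and the checker cannot say which of them was a virus and which was corruption, exactly the caveat above.

```python
# Added example: a baseline-and-verify file integrity checker.
import hashlib
from typing import Dict, List


def checksum(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_baseline(files: Dict[str, bytes]) -> Dict[str, str]:
    """Record path -> checksum for every monitored file (the 'database')."""
    return {path: checksum(data) for path, data in files.items()}


def verify(baseline: Dict[str, str], files: Dict[str, bytes]) -> List[str]:
    """Compare current contents against the baseline and return alert lines."""
    alerts: List[str] = []
    for path, expected in baseline.items():
        if path not in files:
            alerts.append(f"MISSING  {path}")
        elif checksum(files[path]) != expected:
            alerts.append(f"MODIFIED {path}")
    for path in files:
        if path not in baseline:
            alerts.append(f"NEW      {path}")
    return sorted(alerts)


# Constructed contents standing in for system files on disk.
BASELINE_FILES: Dict[str, bytes] = {
    r"C:\Windows\System32\kernel32.dll": b"original kernel32 bytes",
    r"C:\Windows\System32\drivers\etc\hosts": b"127.0.0.1 localhost\n",
    r"C:\boot.ini": b"[boot loader]\n",
}
# The same set after "something" happened: hosts was edited, boot.ini is gone
# and an unexpected driver appeared. Only the byte changes are visible here.
LATER_FILES: Dict[str, bytes] = {
    r"C:\Windows\System32\kernel32.dll": b"original kernel32 bytes",
    r"C:\Windows\System32\drivers\etc\hosts": b"127.0.0.1 localhost\n203.0.113.5 update.example\n",
    r"C:\Windows\System32\drivers\unexpected.sys": b"???",
}

if __name__ == "__main__":
    for line in verify(build_baseline(BASELINE_FILES), LATER_FILES):
        print(line)
```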
3. Heuristic Scanning
Heuristic scanning follows the behavioral pattern of a virus and has a different set of rules for different viruses. If a file is observed performing that particular set of activities, the scanner infers that the file is infected. The most advanced part of heuristic scanning is that it works against highly randomized polymorphic viruses too. Heuristic scanning has the potential to detect future viruses with ease. F-Secure Anti-virus implements this technique quite successfully.
- The advantage of this scanning is that it has the prospect of becoming the only algorithm used by anti-virus software in the future, because it can lead to very accurate virus detection if properly coded.
- It doesn't require the anti-virus to download a weekly virus database, because it detects viruses from their behavioral pattern using its set of rules.
- The disadvantage of heuristic scanning is that it is very complex to implement.
- And again, a virus coder can write a virus that does not follow the rules a heuristic scanner expects it to. Such a virus will then infect without being noticed.
- Again, the chance of false alarms is higher with heuristic scanning.
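As an added example (not from the article or any product), here is a toy rule-based heuristic scanner of the kind the section describes: each observed behaviour matches a weighted rule, and a program whose behaviours score at or above a threshold is flagged. The rule names, weights, threshold and observations are all constructed; the samples include a legitimate installer that is flagged (the false-alarm problem) and a program whose behaviour no rule covers (the evasion problem), so both drawbacks listed above show up in the output.

```python
# Added example: weighted behaviour rules with a detection threshold.
from typing import Dict, List, Tuple

# Constructed rule set: behaviour -> weight. Names are illustrative only.
RULES: Dict[str, int] = {
    "writes_to_other_executables": 5,
    "modifies_boot_sector": 6,
    "adds_autostart_registry_key": 3,
    "disables_security_software": 6,
    "hides_own_window": 2,
    "connects_to_network": 1,
}
THRESHOLD = 7  # constructed; a real product tunes this against false alarms


def score(behaviours: List[str], rules: Dict[str, int] = RULES) -> Tuple[int, List[str]]:
    """Sum the weights of the rules that fired; also return which ones fired."""
    fired = [b for b in behaviours if b in rules]
    return sum(rules[b] for b in fired), fired


def classify(samples: Dict[str, List[str]]) -> Dict[str, bool]:
    """True means 'flagged as infected' for each sample name."""
    return {name: score(obs)[0] >= THRESHOLD for name, obs in samples.items()}


# Constructed observations for four programs.
SAMPLES: Dict[str, List[str]] = {
    # Classic file infector: rewrites other executables and persists at startup.
    "unknown.exe": ["writes_to_other_executables", "adds_autostart_registry_key"],
    # Plain text editor: only a low-weight rule fires.
    "notepad.exe": ["connects_to_network"],
    # Legitimate installer: patches existing binaries and registers an
    # autostart entry, so it scores like a virus (false alarm).
    "setup.exe": ["writes_to_other_executables", "adds_autostart_registry_key", "connects_to_network"],
    # Program doing something the rule set never anticipated: not flagged.
    "stealthy.exe": ["behaviour_no_rule_covers"],
}

if __name__ == "__main__":
    for name, flagged in classify(SAMPLES).items():
        total, fired = score(SAMPLES[name])
        print(f"{name}: score={total} flagged={flagged} rules={fired}")
```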
4. Interception Technique
This is the newest technique; it continuously monitors your files for suspicious activity.
Imagine a virus hidden on a CD-ROM. How on earth would an anti-virus using only the other techniques come to know about it? Interceptors watch all external drives and data devices as well as internet downloads and even files downloaded from email. That is why they provide real-time protection to your computer. When a virus arrives on a DVD or a pen drive, rest assured that anti-virus software implementing the interception technique will detect it immediately and warn you about it. Most of them will also prevent you from running infected programs.
The key feature of an interceptor is that it has to be very fast to avoid degrading the user experience. Most modern anti-virus software implementing the technique does this fairly well, Nod 32 for example. NAV was at one time known to slow down your computer due to sluggish performance in interception. I heard it has improved over the years.
- Gives your computer real-time protection.
- Any chance of a virus coming from an external drive (CD-ROM, pen drive etc.) is done away with.
- Interceptors can be very easily disabled if they are not very fast to react against threats, and most viruses do so with perfection.
- It is a nuisance for a fast and busy user, as it keeps coming up with logs and warning messages on trivial issues, and very frequently too.
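The simulation below is an added example (not code from the article or any product) of how an on-access interceptor behaves: it sits on a stream of file-system events, scans a file before an open or execute is allowed, and caches verdicts by content hash so an unchanged file is not rescanned on every access, which is how it stays fast enough not to annoy the user. The event stream, paths and the single byte pattern it scans for are constructed.

```python
# Added example: an on-access interceptor with a content-hash verdict cache.
import hashlib
from typing import Dict, List, Tuple

# Constructed byte pattern (made up, not a real malware signature).
BAD_PATTERN = b"\xde\xad\xbe\xef\x13\x37"


def scan(data: bytes) -> bool:
    """Return True when the content is considered infected."""
    return BAD_PATTERN in data


class Interceptor:
    def __init__(self) -> None:
        self.verdicts: Dict[str, bool] = {}  # content hash -> infected?
        self.scans = 0                         # how many real scans ran

    def handle(self, event: Tuple[str, str, bytes]) -> str:
        """event = (action, path, content). Returns the decision taken."""
        action, path, content = event
        if action == "write":
            return f"ALLOW write {path}"  # the next open/execute is checked
        if action in ("execute", "open"):
            key = hashlib.sha256(content).hexdigest()
            if key not in self.verdicts:   # cache miss: scan once per content
                self.verdicts[key] = scan(content)
                self.scans += 1
            if self.verdicts[key]:
                return f"BLOCK {action} {path}"
            return f"ALLOW {action} {path}"
        return f"IGNORE {action} {path}"


def run(events: List[Tuple[str, str, bytes]]) -> Tuple[List[str], int]:
    """Feed events through one interceptor; return its decisions and scan count."""
    icp = Interceptor()
    return [icp.handle(e) for e in events], icp.scans


# Constructed event stream: a clean tool executed twice (one scan thanks to the
# cache), a file copied from a pen drive that carries the pattern, then the
# same path rewritten with clean content, which is rescanned and allowed.
EVENTS: List[Tuple[str, str, bytes]] = [
    ("execute", r"C:\tools\clean.exe", b"MZ" + b"\x90" * 16),
    ("execute", r"C:\tools\clean.exe", b"MZ" + b"\x90" * 16),
    ("write", r"E:\photo.exe", b"MZ" + BAD_PATTERN),
    ("execute", r"E:\photo.exe", b"MZ" + BAD_PATTERN),
    ("write", r"E:\photo.exe", b"MZ" + b"\x00" * 8),
    ("execute", r"E:\photo.exe", b"MZ" + b"\x00" * 8),
]
```

Calling `run(EVENTS)` returns the six decisions and a scan count of three: the clean tool is scanned once despite two executions, and the pen-drive file is blocked at execute time but allowed again after it is rewritten with content that no longer carries the pattern.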
Take home thoughts…
Thanks for reading so far. The two most important take-home lessons are:
- A single anti-virus product may not offer full protection. You may be better protected with two (but not more) anti-virus products, as your bases will be better covered. However, their interception techniques may conflict, so you may be better off using the real-time scanning of only one of them.
- Keep the virus database file updated regularly, daily if possible. Much of today's anti-virus software will do that automatically for you.
As you have reached the heart of the matter, you may want to take a look at this as well: a detailed article on free Windows anti-virus software.