The purpose of an antivirus program is to identify a virus or other malware on a computer and then disinfect, quarantine, or remove it. Antivirus programs generally work in one of two ways. Most scan the files on a computer, looking for known viruses that match entries in a database of virus signatures, and then disinfect, quarantine, or delete any infected file. Others watch program behavior on the computer. If the program detects unusual behavior, it usually captures the file responsible, scans it, and then either asks the user how to handle it or quarantines the file for further inspection and possible deletion.
Most current commercial antivirus programs combine both methods, which covers both the known viruses listed in the signature database and the ways an unknown virus behaves once it runs. The most common form of virus removal is repair of the infected file: the antivirus program tries to strip the offending code from the file while leaving the original contents intact. If the repair fails, the program usually quarantines the file and prompts you for further instructions. The next time you log on after the quarantine, you must decide whether to attempt the repair again or delete the infected file. A quarantined file is moved to an isolated location and can still be restored later; a deleted file cannot, so quarantine is the safer choice for anything you are not sure about.
Before deleting a file you need, whether it holds sensitive data or belongs to the operating system, try to repair it with more than one antivirus engine, because different engines carry different disinfection routines and one may succeed where another fails. Use the additional engines as on-demand scanners rather than installing several real-time products side by side, which tend to conflict with one another. This applies especially to operating system files: a system file infected with a virus can leave the computer unable to operate correctly, sometimes to the point where it will not boot into the operating system. Infections of this type may require bootable rescue media carrying an antivirus program, so that the virus can be removed while the infected operating system is not running.
Antivirus programs detect viruses by dictionary (signature) scanning, by behavior analysis, and by other methods such as heuristic analysis and sandboxing. Each technique follows its own logic to find, repair, remove, or delete an infected file. Most antivirus engines employ at least two of these types of analysis; the third category is usually reserved for the kinds of virus that the first two cannot handle. Understanding each approach also shows which methods virus writers use to launch their code, which is the starting point for eradicating viruses from an environment:
Dictionary scanning uses a database of known virus signatures: byte patterns taken from the code of each identified virus. When the antivirus program scans the computer, it looks for those patterns in the files it examines. If it finds a match, it identifies the virus strain, reports the infection, and carries out whatever action the user has predefined for an infected file. A dictionary-based antivirus program usually scans a file at the moment the operating system opens it for use (on-access scanning), which covers documents, programs, email attachments, and the other known delivery methods.
Not all virus writers let their code remain static. A virus may change, or "morph," with each generation so that no fixed byte pattern in the dictionary matches it. Such viruses fall into the polymorphic and metamorphic categories. They modify themselves to evade detection, and often encrypt most of their body so that only a small decryptor remains in plain view for the antivirus program to see.
Polymorphic code changes its outward form from one generation to the next while keeping the underlying algorithm intact: the virus performs the same action when executed, but its bytes on disk differ, so dictionary analysis does not match them. Typically the body is encrypted with a fresh key each time and the decryptor stub is itself varied, which hides the virus from antivirus programs trying to detect and remove it. Virus writers use this mechanism to keep their code "in the wild," propagating freely without detection.
Metamorphic code goes further: it literally reprograms itself, translating its own instructions into an intermediate representation, transforming them (for example by reordering code, substituting equivalent instructions, or inserting junk instructions), and emitting functionally equivalent code that shares no byte pattern with the previous generation, with no plaintext body ever exposed for a decryption step to recover. Some metamorphic viruses also carry infection routines for more than one operating system, so that a single virus can infect Windows, Linux, and BSD from the same code base. Either way, the virus slips past dictionary analysis by antivirus programs. Programmers go to great lengths to see that their viruses do maximum damage by defeating the simplest detection efforts available to the public.
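The two passages above, dictionary scanning and polymorphic evasion of it, as an added example that is not part of the original article. The scanner, the "virus body", the signature, and the toy XOR-based polymorphic engine are all constructed for this illustration (a real engine varies the decryptor as well; the fixed `DEC` stub here is a simplification so the decoding step stays readable). It shows that the same body produces different bytes per generation, that the static signature then stops matching, and that emulating the decoder stub before scanning recovers the match.

```python
"""Added example (not from the original article). A toy dictionary scanner
and a toy polymorphic encoder, showing why a fixed byte signature stops
matching once the body is re-encoded per generation and how emulating the
decoder stub recovers the static signature. Payload, signature and encoder
are all constructed for this example."""

# Constructed "virus body": the bytes a dictionary entry would be taken from.
PAYLOAD = b"\xeb\x1f\x5e\x89\x76\x08\x31\xc0MALWARE-BODY"
# Constructed dictionary: virus name -> byte signature (not a real AV entry).
SIGNATURES = {"Example.Toy.A": b"\x89\x76\x08\x31\xc0MALWARE"}


def scan_bytes(data: bytes, signatures=SIGNATURES) -> list:
    """Dictionary scan: names of every signature found anywhere in data."""
    return sorted(name for name, sig in signatures.items() if sig in data)


def scan_file(path: str, signatures=SIGNATURES) -> list:
    """On-access style check: read the file being opened and scan its bytes."""
    with open(path, "rb") as fh:
        return scan_bytes(fh.read(), signatures)


def polymorph(payload: bytes, key: int) -> bytes:
    """Toy polymorphic engine: XOR the body with a per-generation key and
    prepend a tiny decoder stub ("DEC" + key). The program does the same
    thing when run, but its bytes on disk differ with every key."""
    if not 1 <= key <= 255:
        raise ValueError("key must be 1..255 (0 would leave the body in plain view)")
    return b"DEC" + bytes([key]) + bytes(b ^ key for b in payload)


def emulate_decoder(sample: bytes):
    """Minimal emulation of the toy stub: if the sample begins with it, undo
    the XOR and return the plaintext body; otherwise None."""
    if not sample.startswith(b"DEC") or len(sample) < 5:
        return None
    key = sample[3]
    return bytes(b ^ key for b in sample[4:])


def scan_with_decoding(data: bytes, signatures=SIGNATURES) -> list:
    """Dictionary scan of the raw bytes plus of the emulated, decoded body."""
    hits = set(scan_bytes(data, signatures))
    decoded = emulate_decoder(data)
    if decoded is not None:
        hits.update(scan_bytes(decoded, signatures))
    return sorted(hits)


if __name__ == "__main__":
    gen1, gen2 = polymorph(PAYLOAD, 0x5A), polymorph(PAYLOAD, 0xA7)
    print("static body      :", scan_bytes(PAYLOAD))        # ['Example.Toy.A']
    print("generation 1     :", scan_bytes(gen1))           # []
    print("generation 2     :", scan_bytes(gen2))           # []
    print("gen1 after decode:", scan_with_decoding(gen1))   # ['Example.Toy.A']
```

The dictionary entry only ever matches the plaintext body; each generation carries the same body under a different key, so a scanner that does not emulate the stub sees two unrelated files. A metamorphic sample would defeat even `scan_with_decoding`, since there is no fixed plaintext to decode back to.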
Behavior analysis takes a different approach to virus identification. It does not use a signature dictionary at all; instead, it monitors what programs do on the computer. When the antivirus program sees a process attempt to write data into an executable file, the hallmark of a file-infecting virus, it identifies the behavior, flags it as a potential problem, and asks the user what to do with the offending file.
Because metamorphic viruses that reprogram themselves produce variants with no signature to match in a database, behavior analysis lets the antivirus program catch and begin to identify a new virus anyway. However, if the user accepts the behavior of the offending program when prompted, the virus propagates and the antivirus program is rendered ineffective. Behavior analysis also produces many false positives, because legitimate software (installers, updaters, compilers and linkers) writes executable files too, which makes it less decisive on its own than the other methods of virus identification and eradication.
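The behavior-analysis rule described above, as an added example that is not part of the original article. The monitor, the event stream, the process names, paths and on-disk contents are all constructed; a real product would take these events from a file-system filter driver rather than a Python list. It flags any process that writes into an executable (by extension, or by the PE/ELF magic already on disk), and it reproduces both weaknesses noted in the text: a linker writing its output trips the same rule, and once the user accepts the dropper's behavior the monitor never prompts for it again.

```python
"""Added example (not from the original article). A minimal behaviour monitor
run over a constructed stream of file-system events. It flags any process
that writes into an executable file and shows the two weaknesses the text
notes: a legitimate tool (a linker) trips the same rule, and once a user
accepts the behaviour the monitor stops prompting. Process names, paths and
file contents are all constructed."""
from dataclasses import dataclass

EXECUTABLE_EXT = (".exe", ".dll", ".sys", ".com", ".scr")
EXECUTABLE_MAGIC = (b"MZ", b"\x7fELF")   # PE and ELF headers


@dataclass
class FileEvent:
    pid: int
    process: str       # image name of the process performing the operation
    op: str            # "open", "write" or "create"
    path: str
    data: bytes = b""  # for writes/creates: the first bytes written


def is_executable_target(path: str, on_disk_head: bytes = b"") -> bool:
    """Executable by extension, or by the magic bytes already on disk
    (catches an extension-less PE/ELF a virus could still infect)."""
    return path.lower().endswith(EXECUTABLE_EXT) or on_disk_head.startswith(EXECUTABLE_MAGIC)


class BehaviorMonitor:
    def __init__(self, disk=None, decide=None):
        self.disk = dict(disk or {})                        # path -> first bytes on disk
        self.decide = decide or (lambda ev: "quarantine")   # stands in for the user prompt
        self.allowed = set()                                # (process, path) the user accepted
        self.quarantined = []
        self.prompts = 0

    def handle(self, ev: FileEvent) -> str:
        if ev.op not in ("write", "create"):
            return "allow"                      # reads are not the signal
        if not is_executable_target(ev.path, self.disk.get(ev.path, b"")):
            self.disk[ev.path] = ev.data[:4]    # track what now sits on disk
            return "allow"
        key = (ev.process, ev.path)
        if key in self.allowed:
            return "allow"                      # previously accepted: no prompt, no record
        self.prompts += 1
        verdict = self.decide(ev)
        if verdict == "allow":
            self.allowed.add(key)
        else:
            self.quarantined.append(key)
        return verdict


def run_monitor(events, disk=None, decide=None):
    """Feed events through a fresh monitor; return per-event verdicts and the monitor."""
    mon = BehaviorMonitor(disk, decide)
    verdicts = [(ev.process, ev.path, mon.handle(ev)) for ev in events]
    return verdicts, mon


# Constructed on-disk state and event stream (not captured from a real system).
DISK = {r"C:\Temp\tool.bin": b"MZ\x90\x00"}      # extension-less PE already on disk
EVENTS = [
    FileEvent(1001, "notepad.exe", "write",  r"C:\Users\a\notes.txt", b"hello"),
    FileEvent(2002, "dropper.exe", "write",  r"C:\Windows\System32\calc.exe", b"MZ\x90\x00"),
    FileEvent(2002, "dropper.exe", "write",  r"C:\Temp\tool.bin", b"\xeb\x1f"),
    FileEvent(3003, "link.exe",    "create", r"C:\build\app.exe", b"MZ\x90\x00"),
    FileEvent(2002, "dropper.exe", "write",  r"C:\Windows\System32\calc.exe", b"\xeb\x1f"),
]


def trusting_user(ev: FileEvent) -> str:
    """A user who clicks 'allow' on the dropper's prompt: the failure mode."""
    return "allow" if ev.process == "dropper.exe" else "quarantine"


if __name__ == "__main__":
    for label, policy in (("default (quarantine)", None), ("trusting user", trusting_user)):
        verdicts, mon = run_monitor(EVENTS, DISK, policy)
        print(label, "prompts:", mon.prompts)
        for process, path, verdict in verdicts:
            print(f"  {verdict:10} {process:12} -> {path}")
```

With the default policy every executable write is quarantined, including the linker's legitimate output (the false positive). With `trusting_user`, the dropper's second write to the same file is waved through without a prompt, which is exactly how accepting the behavior once lets the virus keep propagating.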
Other approaches to identifying, capturing, and eliminating viruses include heuristic analysis and sandboxes. Heuristic analysis may emulate the first instructions a program executes to determine whether the program modifies its own code, or use a similar technique to discover that the program searches for other executable files to infect; in either case the antivirus program may flag the file as a virus. Heuristic filters apply repeatable rules to judge a file by its apparent behavior rather than by an exact signature. Sandboxes emulate an operating system and let the code run in that simulated environment; when the code has run, the antivirus program examines the emulated system for changes that indicate a virus, such as modified executables. Both methods require sophisticated software and consume large amounts of computer resources. They are well suited to finding new viruses and keeping them out of the user environment, but not to real-time analysis, so the antivirus program runs them either as a managed background process or during off-peak hours.
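The two techniques above, as an added example that is not part of the original article. Real products emulate x86 or ARM instructions; here a tiny constructed instruction set (four opcodes: store a byte, enumerate executables, append to the n-th executable found, no-op) keeps the emulator short enough to read. The heuristic pass emulates only the opening instructions against an empty file system and reports self-modification or a search for executables; the sandbox pass runs the program to completion against a copy of an in-memory file system and reports what changed. Opcodes, sample programs and the file system are all constructed.

```python
"""Added example (not from the original article). A toy instruction set and
emulator standing in for heuristic analysis and sandboxing: the heuristic
pass emulates only the first few instructions and flags a program that
writes into its own code or enumerates executables; the sandbox pass runs
the program to completion against a copied, in-memory file system and
reports what changed. Instruction set, programs and file system are all
constructed for this example."""
import copy

HALT, STORE, FINDEXE, INFECT, NOP = 0, 1, 2, 3, 4   # toy opcodes
SCRATCH = 16                                        # data bytes after the code


class ToyVM:
    def __init__(self, program: bytes, fs: dict):
        self.code_len = len(program)
        self.mem = bytearray(program) + bytearray(SCRATCH)
        self.fs = fs                # emulated file system: path -> contents
        self.pc = 0
        self.found = []             # executables located by FINDEXE
        self.flags = set()          # heuristic observations

    def _operand(self, offset: int) -> int:
        idx = self.pc + offset
        if idx >= self.code_len:
            raise IndexError("instruction runs past end of program")
        return self.mem[idx]

    def step(self) -> bool:
        """Execute one instruction; return False once the program halts."""
        if self.pc >= self.code_len:
            return False
        op = self.mem[self.pc]
        if op == HALT:
            return False
        if op == NOP:
            self.pc += 1
        elif op == STORE:                          # STORE addr, byte
            addr, val = self._operand(1), self._operand(2)
            if addr >= len(self.mem):
                raise IndexError("store outside emulated memory")
            if addr < self.code_len:
                self.flags.add("self-modifying")   # writes into its own code
            self.mem[addr] = val
            self.pc += 3
        elif op == FINDEXE:                        # enumerate *.exe in the fs
            self.found = sorted(p for p in self.fs if p.lower().endswith(".exe"))
            self.flags.add("enumerates-executables")
            self.pc += 1
        elif op == INFECT:                         # INFECT n: append to n-th executable found
            idx = self._operand(1)
            if idx < len(self.found):
                self.fs[self.found[idx]] += b"<INFECTED>"
                self.flags.add("writes-executable")
            self.pc += 2
        else:
            raise ValueError(f"unknown opcode {op}")
        return True


def heuristic_scan(program: bytes, max_steps: int = 4) -> set:
    """Emulate only the opening instructions, against an empty file system,
    and return the suspicious behaviours observed."""
    vm = ToyVM(program, {})
    for _ in range(max_steps):
        if not vm.step():
            break
    return vm.flags


def sandbox_run(program: bytes, fs: dict, max_steps: int = 1000):
    """Run to completion against a copy of fs; return (flags, modified paths)."""
    snapshot = copy.deepcopy(fs)
    vm = ToyVM(program, snapshot)
    for _ in range(max_steps):
        if not vm.step():
            break
    modified = sorted(p for p in snapshot if snapshot[p] != fs.get(p))
    return vm.flags, modified


# Constructed samples.
BENIGN = bytes([NOP, NOP, HALT])
SELF_MODIFYING = bytes([STORE, 3, HALT, NOP])      # overwrites its own 4th byte with HALT
INFECTOR = bytes([NOP, FINDEXE, INFECT, 0, INFECT, 1, HALT])
SANDBOX_FS = {
    "C:/Program Files/app/app.exe": b"MZ\x90\x00",
    "C:/Windows/notepad.exe": b"MZ\x90\x00",
    "C:/Users/a/readme.txt": b"just text",
}

if __name__ == "__main__":
    for name, prog in (("benign", BENIGN), ("self-modifying", SELF_MODIFYING), ("infector", INFECTOR)):
        print(f"{name:15} heuristic={heuristic_scan(prog)} sandbox={sandbox_run(prog, SANDBOX_FS)}")
```

The heuristic pass is cheap because it stops after a few instructions and never touches real files, which is why it spots the executable search in `INFECTOR` but not the writes that follow; the sandbox pass sees the writes but has to run the whole program, the resource cost the text mentions. The original `SANDBOX_FS` is left untouched because the emulator works on a deep copy.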
Each technique lends itself to different kinds of virus identification and removal. Not all antivirus programs use the same methods, and no single antivirus program can identify and eliminate every virus. For that reason, you may want to supplement the scans of your installed antivirus software with online scans that use a different engine. Take the time to research the antivirus programs available, including free online scanners, to help identify and eliminate viral code from your computer.