Antivirus (or anti-virus ) software is used to prevent, detect, and remove malware, including computer viruses, worms, and trojan horses. Such programs may also prevent and remove adware, spyware, and other forms of malware.
A variety of strategies are typically employed. Signature-based detection involves searching for known malicious patterns in executable code. However, it is possible for a user to be infected with new malware in which no signature exists yet. To counter such so called zero-day threats, heuristics can be used. One type of heuristic approach, generic signatures, can identify new viruses or variants of existing viruses for looking for known malicious code (or slight variations of such code) in files. Some antivirus software can also predict what a file will do if opened/run by emulating it in a sandbox and analyzing what it does to see if it performs any malicious actions. If it does, this could mean the file is malicious.
However, no matter how useful antivirus software is, it can sometimes have drawbacks. Antivirus software can degrade computer performance if it is not designed efficiently. Inexperienced users may have trouble understanding the prompts and decisions that antivirus software presents them with. An incorrect decision may lead to a security breach. If the antivirus software employs heuristic detection (of any kind), the success of it is going to depend on whether it achieves the right balance between false positives and false negatives. False positives can be as destructive as false negatives. In one case, a faulty virus signature issued by Symantec mistakenly removed essential operating system files, leaving thousands of PCs unable to boot. Finally, antivirus software generally runs at the highly trusted kernel level of the operating system, creating a potential avenue of attack.
In addition to the drawbacks mentioned above, the effectiveness of antivirus software has also been researched and debated. One study found that the detection success of major antivirus software dropped over a one-year period.
History
See also: Timeline of notable computer viruses and wormsThere are competing claims for the innovator of the first antivirus product. Possibly the first publicly documented removal of a computer virus in the wild was performed by Bernt Fix in 1987.
An antivirus program to counter the Polish MKS vir was released in 1987. Dr. Solomon's Anti-Virus Toolkit, AIDSTEST and AntiVir were released by in 1988. Dr. Ahn Chul Soo (Charles Ahn, founder of AhnLab Inc) in South Korea also released the antivirus software called 'Vaccine Ⅰ' in June 10, 1988. By late 1990, nineteen separate antivirus products were available including Norton AntiVirus and McAfee VirusScan. Early contributors to work on computer viruses and countermeasures included Fred Cohen, Peter Tippett, John McAfee and Ahn Chul Soo.
Before Internet connectivity was widespread, viruses were typically spread by infected floppy disks. Antivirus software came into use, but was updated relatively infrequently. During this time, virus checkers essentially had to check executable files and the boot sectors of floppy and hard disks. However, as internet usage became common, initially through the use of modems, viruses spread throughout the Internet.
Powerful macros used in word processor applications, such as Microsoft Word, presented a further risk. Virus writers started using the macros to write viruses embedded within documents. This meant that computers could now also be at risk from infection by documents with hidden attached macros as programs.
Later email programs, in particular Microsoft Outlook Express and Outlook, were vulnerable to viruses embedded in the email body itself. Now, a user's computer could be infected by just opening or previewing a message. This meant that virus checkers had to check many more types of files. As always-on broadband connections became the norm and more and more viruses were released, it became essential to update virus checkers more and more frequently. Even then, a new zero-day virus could become widespread before antivirus companies released an update to protect against it.
Identification methods
There are several methods which antivirus software can use to identify malware.
Signature based detection is the most common method. To identify viruses and other malware, antivirus software compares the contents of a file to a dictionary of virus signatures. Because viruses can embed themselves in existing files, the entire file is searched, not just as a whole, but also in pieces.
Malicious activity detection is another approach used to identify malware. In this approach, antivirus software monitors the system for suspicious program behavior. If suspicious behavior is detected, the suspect program may be further investigated, using signature based detection or another method listed in this section. This type of detection can be used to identify unknown viruses or variants on existing viruses.
Heuristic-based detection , like malicious activity detection, can be used to identify unknown viruses. This can be accomplished in one of two ways: file analysis and file emulation.
File analysis is the process of searching a suspect file for virus-like instructions. For example, if a program has instructions to reformat the C drive, the antivirus software might further investigate the file. One downside of this feature is the large amount of computer resources needed to analyse every file, resulting in slow operation.
File emulation is another heuristic approach. File emulation involves executing a program in a virtual environment and logging what actions the program performs. Depending on the actions logged, the antivirus software can determine if the program is malicious or not and then carry out the appropriate disinfection actions.
Signature based detection
Traditionally, antivirus software heavily relied upon signatures to identify malware. This can be very effective, but cannot defend against malware unless samples have already been obtained and signatures created. Because of this, signature-based approaches are not effective against new, unknown viruses.
When antivirus software scans a file for viruses, it checks the contents of a file against a dictionary of virus signatures. A virus signature is the viral code. If a virus signature is found in a file the antivirus software can resort to some combination of quarantine, repair or deletion. Quarantining a file will make it inaccessible, and is usually the first action antivirus software will take if a malicious file is found. Encrypting the file is a good quarantining technique because it renders the file useless without the encryption key.
Sometimes a user wants to save the content of an infected file because viruses can sometimes embed themselves in files, called code injection, and the file may be essential to normal operation. To do this, antivirus software will attempt to repair the file. To do this, the software will try to remove the viral code from the file. Unfortunately, some viruses might damage the file upon injection.
If a file repair operation fails, usually the best thing to do is to just delete the file. Deleting the file is necessary if the entire file is infected. This may be necessary in the case of infected ZIP files, or similar "packed" files.
Because new viruses are being created each day, the signature-based detection approach requires frequent updates of the virus signature dictionary. To assist the antivirus software companies, the software may allow the user to upload new viruses or variants to the company, allowing the virus to be analyzed and the signature added to the dictionary.
Signature-based antivirus software typically examines files when the computer's operating system creates, opens, closes, or e-mails them. In this way it can detect a known virus immediately upon receipt. System administrators can schedule antivirus software to scan all files on the computer's hard disk at a set time and date.
Although the signature-based approach can effectively contain virus outbreaks, virus authors have tried to stay a step ahead of such software by writing "oligomorphic", "polymorphic" and, more recently, "metamorphic" viruses, which encrypt parts of themselves or otherwise modify themselves as a method of disguise, so as to not match virus signatures in the dictionary.
An emerging technique to deal with malware in general is whitelisting. Rather than looking for only known bad software, this technique prevents execution of all computer code except that which has been previously identified as trustworthy by the system administrator. By following this "default deny" approach, the limitations inherent in keeping virus signatures up to date are avoided. Additionally, computer applications that are unwanted by the system administrator are prevented from executing since they are not on the whitelist. Since organizations often have large quantities of trusted applications, the limitations of adopting