"Virus-specific" Antivirus Software

Courtesy of the alt.comp.virus newsgroup participants.
(These "anti-malware" pages are the result of a continuing cooperative effort.)


"Virus-specific" Antivirus Products - Common Questions - With Answers
  by Andrew J Lee
  (AVIEN Founding Member   http://avien.net | gladius@gladius.f9.co.uk)
  and Frederic Bonroy
  1. Overview
  2. On-Access Scanners
  3. On-Demand Scanners
  4. Heuristics Engines
  1. Overview

    Anti-Virus scanners are by nature reactive.

    "What, wait a minute? I'm lost already!"

    Ok, what I mean is, scanners can't test for a virus if they don't know that the virus exists.
    (Well, some can, to some degree, but I'll tackle that later before I confuse the issue!)
    This means that unless you keep telling the scanner about new viruses, it won't check for them.

    "So, you're saying that I'm not entirely safe, even though I've got a virus scanner?"

    Yes, that pretty well sums it up. There is not a single Anti-Virus scanner on the market today that will detect 100% of all viruses all of the time. Even the best scanners, whose vendors supply updates within hours of new viruses appearing, still require those updates to see the new virus.

    "But, it says on the box of Poopscooper 4.9 that it detects all known and unknown viruses."

    Yup, and I bet it says that it detects over 50,000 different viruses too. Welcome to the world of marketing. Anti-virus products are largely sold on fear: the thought of what might happen to you should you not be running Poopscooper on your machine when the dreaded "killer virus" strikes. The truth is that when a new virus or worm is released and begins to spread, the anti-virus vendors have to update their detection, and then you have to update yours. That's why on this site you will see Safe Hex mentioned so often; there really is no substitute for common sense and sensible computing practices. You can run all the scanners in the world if you like, but it won't stop you getting a virus if you just have to click on that file that your buddy sent you.

    "So, I shouldn't buy a virus scanner then?"

    Well, no, that's not really the point. Virus scanners are very useful: once they know about a virus, they may stop it infecting your machine should you have an accident. They may clean your machine should you have been unfortunate enough to forget about safe hex. They may tell you what virus you have, should you need to know. They can help prevent you infecting other people. As part of an overall security policy they are in fact really quite useful, but you should be aware of their limitations.

    If you don't update your scanner, including any engine versions and upgrades, then you lessen its value considerably. If you update it, use it properly, and resist the urge to click on that file that promises such delights as canine congress or naked celebrities, then it should serve you well.

    "So then, what is a virus scanner?"

    Well, not surprisingly, there's more than one answer. I've described the two main classes of scanner in the next two sections, and in a third section dealt with a specific type of scanning component which may be part of some of the scanners covered in the first two.

  2. On-Access Scanners

    "Can I run two virus scanners at the same time?"

    There are two types of anti-virus programs: those that you invoke explicitly (called on-demand scanners) and those that are always active in the background (called on-access scanners).

    You should never let two on-access scanners monitor your system at the same time. Instead of providing better protection, the combination of two or more such scanners will likely cause your system to behave in a weird manner and possibly crash because the scanners will interfere with each other.

    Also, a single background scanner will use some of the resources of your computer; the supplementary protection offered by the second scanner is not worth the additional resources it consumes (and the additional trouble mentioned above).

    However, you can install as many on-demand scanners as you wish. Because they do not run simultaneously, they won't disturb each other, and two scanners detect more viruses than one. Note that you should switch off your on-access scanner before running an on-demand scanner.

    On-Access Scanners (sometimes called Memory Resident Scanners), as their name implies, run in the background all the time the PC is switched on and running. Usually you will see a little icon in the taskbar that indicates it's there. The main function of an on-access scanner is to monitor all activity on your machine, like files being read, processor streams, Internet downloads, receiving, sending and reading email and so on.

    Basically they watch what's going on, and if they see something that they think is a virus, they tell you about it.

    If you work in a reasonably large company, you may find that it is corporate policy to have a virus scanner running at all times on your workstation. That will be an on-access scanner. They need updating just like all scanners, though they can usually be configured to make this automatic if you have a network or Internet connection.

    "So, they're a great idea then, better make sure I get one of those!"

    Well, yes, they can be a good idea, but let's have a think about it before we rush out and grab a copy of Poopscooper off the store shelf.

    Having anything running in the background monitoring every file that is read, and every process in your machine, is very likely to slow it down somewhat. You might find that some scanners are better at crippling your machine than others, but when it comes down to it, it will have at least some effect. If you are constantly working on the Internet, using email, participating in chatrooms (IRC) or newsgroups, then it might be an idea to have an on-access scanner running. However, if you are a strict practitioner of safe hex, don't really use the Internet much, and use a sensible email reader that isn't going to let any old piece of code run, then you may find you don't need it all the time.

    Personally, I like Quake to run at full speed so I turn off my scanner when I'm playing, but most of the time it doesn't bother me so I let it run.

  3. On-Demand Scanners

    On-demand scanners, as their name implies (it's great, this: these things are named according to what they do, which makes a change in this strange computer world), are scanners that only run when you tell them to. I suppose that they can be further subdivided into DOS scanners - those that can run in pure DOS mode - and Windows scanners - those that need to be run in Windows. Of the two, the DOS variety - or one that works in both DOS and Windows - is usually the better option.

    "Why's that then, and isn't DOS a bit old?"

    Well, when Windows is running, certain files are "locked" - i.e. they are in use by the system - and if one of those gets infected with a virus, then your Windows scanner won't be able to clean or delete it. All versions of Windows (except Windows NT/2000) are built on the same basic code, DOS.

    Yep, it's true: despite all the fancy panelling, it's basically the same beast that's been there all these years. DOS - in case you were wondering, it stands for "Disk Operating System" - doesn't lock any files when it runs, so booting to pure DOS and running an on-demand scanner will allow you to clean or delete any file on the system. (There are instructions elsewhere on this site to help you make such a boot disk.)

    "What, any file?"

    Yup, any file, so be careful!

    Having an on-demand scanner is a good idea; in fact, I like to have a couple, just because I can. Usually both Windows and DOS versions can be configured to scan all files on all drives, just one drive, or individual directories or files. This is useful if you think you may have a virus in a particular file. They often, though not always, use the same engine and definitions as the on-access scanner if there is one with your brand of scanner, so the detection rate will be as up to date as your last update. Use them for scanning floppy disks or CDs before you give them to colleagues or friends. (Trust me, they won't thank you for giving them a virus!) Use them for scanning email attachments, Internet downloads and anything else you like. There are certain difficulties if you use WinNT/2000 with the NTFS file system and want to use a DOS scanner, but you should be able to use an on-demand scanner made for those versions of Windows with reasonable success.

  4. Heuristics Engines

    "Heuristics, what's that? It sounds like some dreadful disease!"

    Well, don't worry, all will be made clear.

    Heuristic virus detection is a fancy way of a scanner saying, "I'm guessing that is a virus".
    The technicalities are really beyond the scope of this article, so I'll just cover on a simplistic level what happens.

    Heuristic scanning engines work on the principle that viruses will usually use certain "tricks" or methods of infecting, and therefore if a program looks like it might be using those tricks, there is a possibility that the program is a virus.

    Sound simple? No, not really; it's actually incredibly hard to write a foolproof, 100% effective heuristics engine. (Engine, simply put, is just the word we use to describe the bit that drives the virus detector and compares files to the database of known infection agents.) The more aggressive heuristic scanners may well detect large numbers of so-called "false positives", i.e. files that are really totally innocent but look like they might alter other files, while the less aggressive ones might miss files that really are viruses. In reality heuristics work quite well for some types of viruses, such as macro viruses, but not so well for other types. However, they are a reasonable attempt at providing protection against currently unknown viruses. Now you see the reason for my comment at the top! In practice, heuristic scanners offer a little more protection than standard scanning, but they are by no means totally effective.
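    To make both points concrete, here is a toy scanner added as an illustration (it is not code from the original article nor from any real product): a signature check that, as section 1 says, can only find viruses already in its definitions, plus a heuristic score whose threshold sets how aggressive the guessing is. The signature bytes, trick names, weights and sample files are all constructed.

```python
from dataclasses import dataclass, field

@dataclass
class Sample:
    name: str
    content: bytes        # raw file bytes (constructed)
    traits: set = field(default_factory=set)   # tricks a real engine would infer

# Constructed definitions database: one byte pattern per known virus.
SIGNATURES = {"Example.Macro.A": b"MACRO-DROPPER-A"}

# Constructed weights for the infection tricks the heuristic looks for.
TRICK_WEIGHTS = {"writes_other_executables": 3, "modifies_startup": 2,
                 "self_copy": 2, "auto_run_macro": 1}

def signature_scan(sample, signatures=SIGNATURES):
    """Reactive: only finds viruses whose pattern is already in the database."""
    for name, pattern in signatures.items():
        if pattern in sample.content:
            return name
    return None

def heuristic_score(sample, weights=TRICK_WEIGHTS):
    """Sum of the weights of the tricks the sample appears to use."""
    return sum(weights.get(trait, 0) for trait in sample.traits)

def scan(sample, threshold):
    """Signature first, then the guess. A lower threshold is more aggressive:
    it catches more unknown viruses but also flags more innocent files."""
    known = signature_scan(sample)
    if known:
        return "known:" + known
    if heuristic_score(sample) >= threshold:
        return "suspicious"
    return "clean"

# Constructed samples: a known macro virus, a worm not yet in the definitions,
# a legitimate installer that also touches executables and startup, a text file.
SAMPLES = [
    Sample("invoice.doc", b"..MACRO-DROPPER-A..", {"auto_run_macro", "writes_other_executables"}),
    Sample("newworm.exe", b"unknown", {"self_copy", "modifies_startup", "writes_other_executables"}),
    Sample("setup.exe", b"installer", {"writes_other_executables", "modifies_startup"}),
    Sample("notes.txt", b"hello", set()),
]

def report(threshold):
    """Verdict for every sample at the given heuristic aggressiveness."""
    return {s.name: scan(s, threshold) for s in SAMPLES}
```

    Run report(4), report(6) and report(8): the aggressive threshold flags the innocent installer, the conservative one lets the unknown worm through, and the known virus is caught by signature every time.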

      © Andrew J Lee 2001

© Claymania Creations 2001 - 2008. All applicable rights reserved.

Updated: March 21, 2001