The Following Tips Will Help The User To Minimize Virus Risk:

If the users are truly worried about traditional (as opposed to e-mail) viruses, they should be running a more secure operating system like UNIX. One should never hear about viruses on these operating systems because the security features keep viruses (and unwanted human visitors) away from the hard disk.
If the users are using an unsecured operating system, then buying virus protection software is a sensible safeguard. Some popular anti-virus programs include:
• McAfee Virus Scan
• Norton Anti Virus
• AVG Anti Virus System

Automatic protection of anti-virus software should be turned on at all times.
The users should perform a manual scan (or schedule a scan to occur automatically) of their hard disks weekly. These scans supplement automatic protection and confirm that the computer is virus-free.
Scan all floppy disks before first use.
Disable floppy disk booting: most computers now allow the user to do this, and it eliminates the risk of a boot sector virus coming in from a floppy disk accidentally left in the drive.
Users should enable the Automatic Update option of their anti-virus software so that the virus definition files are kept current.
Users should create and maintain a rescue disk to facilitate recovery from certain boot viruses.
Periodic backups of the hard disk should be made.
Users should buy legal copies of all software they use and make write-protected backups.
Email messages and email attachments from unknown people should not be opened. Attachments that come in as Word files (.DOC), spreadsheets (.XLS), images (.GIF and .JPG), etc., are data files and can do no damage (apart from the macro virus problem in Word and Excel documents mentioned above). A file with an extension like EXE, COM or VBS is an executable, and an executable can do any sort of damage it wants. Further, it should be verified that the "author" of the email actually sent the attachment: newer viruses can send email messages that appear to be from a person the user knows.
Users should make sure that Macro Virus Protection is enabled in all Microsoft applications, and they should never run macros in a document unless they know specifically what the macros do.
Appropriate passwords should be assigned to shared network drives.

Things that are not viruses!

Joke programs
Joke programs are not viruses and do not inflict any damage. Their purpose is to frighten their victims into thinking that a virus has infected and damaged their system. For example, a joke program may display a message warning the user not to touch any keys or else the computer’s hard disk will be formatted.

Droppers
A dropper is a program that is not a virus, nor is it infected with a virus, but when run it installs a virus into memory, onto the disk, or into a file. Droppers have been written sometimes as a convenient carrier for a virus and sometimes as an act of sabotage.

Virus hoaxes
Very few people on email can have escaped receiving a chain letter whose subject line warns of a virus doing the rounds. These are often hoaxes, meant to scare people and have fun at their expense. The warnings encourage the recipient to pass the warning on to other netizens, and because the message assumes an air of credibility it creates an unnecessary furor besides clogging mailboxes.

Methods of virus detection used by antivirus software:

Three main methods exist for detecting viruses: integrity checking (also known as checksumming), behavior monitoring and pattern matching (scanning).

Integrity checking
Antivirus programs that use integrity checking start by building an initial record of the status (size, time, date, etc.) of every application file on the hard drive. Using this data, checksumming programs then monitor the files to see if changes have been made. If the status changes, the integrity checker warns the user of a possible virus.
However, this method has several disadvantages, the biggest being that false alarms are altogether too common. The records used by checksumming programs are often rendered obsolete by legitimate programs which, in their normal course of operation, make changes to files that look to the integrity checker like viral activity. Another weakness of integrity checking is that it can only alert the user after a virus has infected the system.
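The two steps described above (build an initial record of every application file, then re-compare), as an added Python example that is not from the original post. It records size, modification time and a content hash; the extension list and the sample files are constructed for the demo, and the scenario shows the weakness just mentioned: an appended-to file alerts whether a virus or a legitimate update changed it.

```python
import hashlib
import os
import tempfile

def record_file(path):
    """Status record for one file: size, modification time and a content hash."""
    st = os.stat(path)
    with open(path, "rb") as fh:
        digest = hashlib.sha256(fh.read()).hexdigest()
    return (st.st_size, st.st_mtime_ns, digest)

def build_baseline(root, extensions=(".exe", ".com", ".dll")):
    """Initial record of every application file under root (the checker's
    first step). The extension list is a constructed choice for this demo."""
    baseline = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            if name.lower().endswith(extensions):
                path = os.path.join(dirpath, name)
                baseline[os.path.relpath(path, root)] = record_file(path)
    return baseline

def check_integrity(root, baseline):
    """Re-record each baselined file and report those that changed or vanished.
    The checker cannot tell an infection from a legitimate update: both alert."""
    alerts = []
    for rel, old in baseline.items():
        path = os.path.join(root, rel)
        if not os.path.exists(path):
            alerts.append((rel, "missing"))
        elif record_file(path) != old:
            alerts.append((rel, "changed"))
    return alerts

def demo():
    """Constructed scenario: baseline two files, append code to one (as a
    file-infecting virus or an ordinary patch would) and delete the other."""
    with tempfile.TemporaryDirectory() as root:
        files = {"app.exe": b"MZ\x90\x00 original", "tool.com": b"\xb8\x00\x4c\xcd\x21"}
        for name, body in files.items():
            with open(os.path.join(root, name), "wb") as fh:
                fh.write(body)
        baseline = build_baseline(root)
        with open(os.path.join(root, "app.exe"), "ab") as fh:
            fh.write(b" appended code")
        os.remove(os.path.join(root, "tool.com"))
        return sorted(check_integrity(root, baseline))
```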

Behavior monitoring
Behavior monitoring programs are usually terminate-and-stay-resident (TSR) programs that constantly monitor requests passed through the interrupt table. These programs are on the lookout for activities that a virus might engage in: requests to write to a boot sector, opening an executable program for writing, or placing itself resident in memory. The behavior these programs monitor is derived from a user-configurable set of rules.
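The rule-driven monitoring described above, as an added Python example that is not from the original post. A real TSR hooks the interrupt vectors; here the intercepted requests are constructed records using the DOS-era conventions (INT 13h AH=03h writes sectors, INT 21h AH=3Dh opens a file with the access mode in AL, INT 21h AH=31h terminates and stays resident), and the three rules render the three behaviours the text names.

```python
from dataclasses import dataclass

@dataclass
class IntRequest:
    """One constructed interrupt request, as a resident monitor would see it
    after hooking the vector (AH = function number, AL = mode)."""
    intno: int                # 0x13 = BIOS disk services, 0x21 = DOS services
    ah: int                   # function number
    al: int = 0               # INT 21h/3Dh access mode: 0 read, 1 write, 2 read/write
    chs: tuple = (0, 0, 0)    # INT 13h: (cylinder, head, sector) addressed
    filename: str = ""        # INT 21h/3Dh: path being opened

# User-configurable rules, one per suspicious behaviour named in the text.
# The predicates are this demo's rendering of those behaviours, not a vendor's.
RULES = [
    ("write to boot sector",
     lambda r: r.intno == 0x13 and r.ah == 0x03 and r.chs == (0, 0, 1)),
    ("executable opened for writing",
     lambda r: r.intno == 0x21 and r.ah == 0x3D and r.al in (1, 2)
     and r.filename.lower().endswith((".exe", ".com"))),
    ("program staying resident (TSR)",
     lambda r: r.intno == 0x21 and r.ah == 0x31),
]

def monitor(requests, rules=RULES):
    """Check every intercepted request against the rule set; return the
    descriptions of the rules that fired, in the order the requests arrived."""
    return [desc for req in requests for desc, pred in rules if pred(req)]

def demo():
    """Constructed request stream mixing benign and suspicious activity."""
    stream = [
        IntRequest(0x13, 0x02, chs=(0, 0, 1)),               # read boot sector: benign
        IntRequest(0x21, 0x3D, al=1, filename="NOTES.TXT"),  # write a text file: benign
        IntRequest(0x21, 0x3D, al=2, filename="GAME.EXE"),   # executable opened r/w
        IntRequest(0x13, 0x03, chs=(0, 0, 1)),               # write to boot sector
        IntRequest(0x21, 0x31),                              # go resident
    ]
    return monitor(stream)
```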

Pattern matching
Using a process called "pattern matching," the anti-virus software draws upon an extensive database of virus patterns to identify known virus signatures, or telltale snippets of virus code. Key areas of each scanned file are compared against the list of thousands of virus signatures that the anti-virus software has on record.
Whenever a match occurs, the anti-virus software takes the action the user has configured: Clean, Delete, Quarantine, Pass (Deny Access for Real-time Scan), or Rename.
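A signature scanner with the configured actions listed above, as an added Python example that is not from the original post. The signatures are constructed byte strings, not real virus code; "key areas" is rendered as the head and tail of each file, which also shows the method's blind spot (a pattern buried mid-file is missed), and Clean is left out because disinfection needs per-virus knowledge that a generic scanner lacks.

```python
import os
import shutil
import tempfile

# Constructed signatures for this demo; the byte strings are not from any real virus.
SIGNATURES = {"Demo.Sig.A": bytes.fromhex("deadbeef0102"), "Demo.Sig.B": b"CONSTRUCTED-SIG-B"}

def scan_bytes(data, signatures=SIGNATURES, window=256):
    """Names of every signature found in the file's key areas: its head and tail
    (small files are scanned whole). Code buried mid-file is not examined."""
    areas = (data,) if len(data) <= 2 * window else (data[:window], data[-window:])
    return [name for name, sig in signatures.items() if any(sig in a for a in areas)]

def apply_action(path, action, qdir):
    """Configured action on a matched file. 'Clean' is omitted here because
    disinfection needs per-virus knowledge of how the original bytes were moved."""
    if action == "delete":
        os.remove(path)
    elif action == "quarantine":
        os.makedirs(qdir, exist_ok=True)
        shutil.move(path, os.path.join(qdir, os.path.basename(path) + ".vir"))
    elif action == "rename":
        os.rename(path, path + ".vir")
    elif action != "pass":
        raise ValueError(f"unknown action {action!r}")

def scan_directory(root, action="quarantine"):
    """Scan every file under root (skipping the quarantine folder itself) and
    return {relative path: [signature names]} for the files that matched."""
    report, qdir = {}, os.path.join(root, "quarantine")
    for dirpath, dirnames, names in os.walk(root):
        dirnames[:] = [d for d in dirnames if os.path.join(dirpath, d) != qdir]
        for name in names:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                hits = scan_bytes(fh.read())
            if hits:
                report[os.path.relpath(path, root)] = hits
                apply_action(path, action, qdir)
    return report

def demo():
    """Constructed files: one clean, one carrying Demo.Sig.A in its tail."""
    with tempfile.TemporaryDirectory() as root:
        with open(os.path.join(root, "clean.exe"), "wb") as fh:
            fh.write(b"MZ" + b"\x00" * 600)
        with open(os.path.join(root, "bad.exe"), "wb") as fh:
            fh.write(b"MZ" + b"\x00" * 600 + SIGNATURES["Demo.Sig.A"])
        report = scan_directory(root, action="quarantine")
        return report, os.path.exists(os.path.join(root, "quarantine", "bad.exe.vir"))
```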

Self Defense Mechanisms Evolved By Viruses

Virus authors naturally want their creations to survive. For this reason many viruses are outfitted with self-defense mechanisms against anti-virus systems.

Passive defense:
Viruses use a variety of methods to hide themselves from antivirus programs. Passive defense uses programming methods that make analysis of the virus more difficult, e.g. polymorphic viruses, which were developed to counter scanners looking for constant strings of virus code.
Today antivirus systems are capable of analyzing polymorphic code and searching for virus identifiers in the decrypted body. The virus authors reacted by making the encryption too complex for antivirus software to unravel, so that the scanner mistakes the virus for a clean program.

Active self-defense:
Viruses actively defend themselves by protecting their own code or by attempting to damage antivirus software. A simple method is to locate antivirus software databases and amend or delete them.
More sophisticated resident viruses use stealth techniques. When they detect a request to use an infected file, they can temporarily "clean" it or report its original (uninfected) parameters. They can monitor which programs are being executed and react if one is antivirus software. The list of such reactions is endless. Usually the execution of the antivirus program is refused, but it could be erased (often accompanied by a bogus error message), or the virus may suspend its activities while the antivirus program runs. There are occasionally extremely 'clever' viruses which modify the code of a specific AV program to partially disable it.
There are very rare viruses which treat an attempt to run an anti-virus program as a provocation and immediately reply with some revenge action, for example formatting the hard disk.

A trap is the most malicious form of self-defense and works as follows. The user's computer is infected, but everything appears to work correctly. Once the user discovers the virus and removes it, things get complicated: programs no longer run properly, or the hard disk may become inaccessible even when booting from a clean system diskette.
The best known trap virus is One_Half. It continuously encrypts the data on the hard disk (two tracks on every boot). If it is removed from the partition sector before the data files are decoded, some files become inaccessible. At this stage the situation is serious but recovery of the data is still possible. However, if the user runs a disk utility (Scandisk etc.) to repair the damage, the data will almost certainly be lost forever.
These utilities are designed to repair relatively minor damage to the file system and do not recognize the encrypted data.

By rodel peralta