Antivirus software. Antivirus from Microsoft


Lesson "Antivirus programs"

When a computer is infected with a virus, it is important to detect the infection early. To do this you need to know the main signs of infection:

Programs that previously worked correctly stop working or misbehave, and in particular:
- slow computer performance
- inability to load the operating system
- disappearance of files and directories or corruption of their contents
- changed modification date and time of files
- changed file sizes
- an unexpected, significant increase in the number of files on the disk
- a significant drop in the amount of free RAM
- unexpected messages or images on the screen
- unexpected sound signals
- frequent freezes and computer malfunctions

To protect against viruses you can use:

– general information protection tools, which are also useful as insurance against physical damage to disks, malfunctioning programs or erroneous user actions;

– preventive measures that reduce the likelihood of catching a virus;

– specialized programs for protection against viruses.

General information security measures useful not only for protecting against viruses:

  1. backing up: making copies of files and of the system areas of disks (boot sector, partition table);
  2. access control: prevents unauthorized use of information, and in particular protects programs and data against modification by viruses, malfunctioning programs and erroneous user actions.

Preventive measures

– Do not use disks or other storage media of doubtful origin.

– Restrict access to program files by making them read-only where possible.

– When working on a network, avoid running programs stored on other computers where possible.

– Store programs and data in disk archives and in separate subdirectories of the hard drive.

– Do not copy programs for your own use from random sources.

– Always have an antivirus program installed.

Specialized programs for virus protection

Antivirus programs detect and remove computer viruses and protect against infection. All specialized virus-protection programs can be divided into several types:

– detectors,

– doctors (phages),

– auditors,

– doctor-auditors,

– filters and vaccines (immunizers).

DETECTOR PROGRAMS find files infected with one of a set of known viruses. They check whether the files on a user-specified drive contain a combination of bytes specific to a given virus; when it is found in a file, a corresponding message is displayed on the screen. Many detectors also have modes for curing or destroying infected files.

It should be emphasized that detector programs can only detect viruses that are "known" to them. Some detectors can be taught new viruses: the user only has to supply the byte combinations characteristic of them. But no program of this kind can detect every previously unknown virus.

Thus, the fact that a program is not flagged by detectors as infected does not mean that it is healthy: it may contain a new virus, or a slightly modified version of an old one, that the detectors do not know.

Most detector programs have a "doctor" function, i.e. they attempt to return infected files or disk areas to their original state. Files that cannot be recovered are usually rendered inoperative or deleted.
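The following Python program, added here as an illustration and not taken from the page or from any of the products it describes, shows the two halves of a detector-doctor: a byte-signature scanner (with a one-byte wildcard so that bytes the virus varies between infections can be skipped) and a cure routine for a constructed "appender" infection whose on-disk layout is known. The virus names, signature bytes and file layout are this example's own inventions.

```python
import re

# Constructed signature database: the names and byte strings are this example's
# own inventions, not real virus signatures. Patterns are hex bytes; "??" is a
# one-byte wildcard so a signature can skip bytes that vary between infections
# (a counter, a saved address) while still pinning down the rest of the body.
SIGNATURES = {
    "Demo.Appender": "B4 4E CD 21 ?? ?? DE AD BE EF",
    "Demo.BootSect": "FA 33 C0 8E D0 BC 00 7C ?? ?? CD 13",
}


def compile_signature(hex_pattern):
    """Translate 'B4 4E ?? CD 21' into a compiled regex over raw bytes."""
    chunks = []
    for tok in hex_pattern.split():
        chunks.append(b"." if tok == "??" else re.escape(bytes([int(tok, 16)])))
    return re.compile(b"".join(chunks), re.DOTALL)


COMPILED = {name: compile_signature(pat) for name, pat in SIGNATURES.items()}


def scan_bytes(data):
    """Detector: names of all signatures present in data (empty list if clean)."""
    return [name for name, rx in COMPILED.items() if rx.search(data)]


# Doctor step for Demo.Appender. Constructed infection layout of a .COM program
# (the classic "appender" most DOS file viruses used):
#   offset 0 : E9 lo hi  -> JMP to the virus body, replacing the first 3 bytes
#   offset 3 : the rest of the original program, unchanged
#   body     : [saved original 3 bytes][signature bytes][payload ...]
# Because the layout is known, the doctor can put the 3 saved bytes back and cut
# the body off. If the layout does not check out it refuses rather than guess;
# such files are the ones the text says "could not be recovered".
SAVED_LEN = 3


def make_infected_sample(original, counter=1):
    """Test fixture: build a file in the layout above (not a working virus)."""
    body_start = len(original)
    body = (original[:SAVED_LEN]
            + bytes.fromhex("B4 4E CD 21") + counter.to_bytes(2, "little")
            + bytes.fromhex("DE AD BE EF") + b"<payload>")
    rel = body_start - 3                        # JMP rel16 counts from offset 3
    return b"\xE9" + rel.to_bytes(2, "little") + original[SAVED_LEN:] + body


def cure_appender(data):
    """Return the restored program, or None if the layout does not check out."""
    m = COMPILED["Demo.Appender"].search(data)
    if m is None or data[0] != 0xE9:
        return None
    body_start = m.start() - SAVED_LEN
    rel = int.from_bytes(data[1:3], "little")
    if body_start < SAVED_LEN or rel != body_start - 3:
        return None                             # JMP does not point at the body: unknown variant
    saved = data[body_start:body_start + SAVED_LEN]
    return saved + data[SAVED_LEN:body_start]


def disinfect(data):
    """Doctor: returns (status, data); status is 'clean', 'cured' or 'unrecoverable'."""
    hits = scan_bytes(data)
    if not hits:
        return "clean", data
    if hits == ["Demo.Appender"]:
        cured = cure_appender(data)
        if cured is not None:
            return "cured", cured
    return "unrecoverable", data                # known virus, no safe cure: delete or reinstall


if __name__ == "__main__":
    program = b"\xB8\x00\x4C\xCD\x21" + b"tiny COM program, constructed sample\r\n$"
    infected = make_infected_sample(program, counter=0x1234)
    print(scan_bytes(program), scan_bytes(infected))      # [] ['Demo.Appender']
    status, restored = disinfect(infected)
    print(status, restored == program)                    # cured True
    # One changed byte inside the signature region and the detector is blind,
    # which is the "slightly modified version of an old virus" case above.
    variant = infected.replace(b"\xDE\xAD\xBE\xEF", b"\xDE\xAD\xBE\xEE")
    print(scan_bytes(variant))                            # []
```

The last lines of the demo make the point of the paragraphs above: a single changed byte in the signature region turns a known virus into an unknown one for a pure signature scanner, and the cure routine proceeds only when the JMP and the saved bytes agree with the expected layout, refusing otherwise rather than producing a broken program.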

Dr.Web was written in 1994 by I. A. Danilov and belongs to the class of detector-doctors. It has a so-called "heuristic analyzer", an algorithm that can detect unknown viruses. "The Healing Web", as the name translates from English, was the response of domestic programmers to the arrival of self-modifying (polymorphic) viruses, which alter their own body on each replication so that not a single characteristic byte sequence of the original remains.

The program's standing is shown by the fact that a large licence (for 2000 computers) was bought by the Main Directorate of Information Resources under the President of the Russian Federation, and the second-largest buyer of the "web" was Inkombank.

Aidstest was written in 1988 by D. N. Lozinsky and is a detector-doctor. It is designed to repair programs infected with ordinary (non-polymorphic) viruses that do not change their code. This limitation follows from the fact that the program searches for viruses by signature; in return it scans files very quickly.

AUDITORS have two stages of work. First, they remember information about the state of programs and system areas of disks (the boot sector and the sector with the hard disk partition table). It is assumed that at this moment programs and system disk areas are not infected. After this, using the auditor program, you can compare the state of programs and system disk areas with the original state at any time. Any discrepancies detected are reported to the user.

ADinf (Advanced Diskinfoscope) belongs to the class of auditor programs. It was created by D. Yu. Mostov in 1991.

The program is fast and can work even when a virus is resident in memory: it reads the disk sector by sector directly through the BIOS, bypassing the DOS system interrupts that a virus may have intercepted.

Infected files are cured with the ADinf Cure Module, which is not part of the ADinf package and is supplied separately. The module keeps a small database describing the controlled files. Working together, the two programs can detect and remove about 97% of file viruses and 100% of boot-sector viruses. For example, the notorious SatanBug virus was detected easily and the files it infected were restored automatically; even users who had bought ADinf and the ADinf Cure Module several months before this virus appeared were able to get rid of it without difficulty.
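An auditor's two stages in code, as an added example (not ADinf's code): the first pass records the size, modification time and a SHA-256 hash of every program file under a directory into a small database; the second pass compares the current state with that record and reports every discrepancy. The demo builds a throw-away directory and imitates a virus that appends to COMMAND.COM and then restores the file's timestamp, a change that a size-and-date check alone would miss. The file names, contents and the ADINF.DAT database name are constructed for the example; reading the disk through the BIOS as ADinf does is outside what a Python script can show.

```python
import hashlib
import json
import os
import tempfile

PROGRAM_EXTS = (".com", ".exe", ".sys", ".ovl")   # what the auditor watches


def fingerprint(path):
    """What the auditor remembers about one file: size, timestamp and a hash.
    Size and date alone can be faked by a careful virus; the hash cannot."""
    st = os.stat(path)
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return {"size": st.st_size, "mtime": int(st.st_mtime), "sha256": h.hexdigest()}


def take_baseline(root, exts=PROGRAM_EXTS):
    """Stage 1: record the state of every program file under root. The text's
    assumption applies: the system must be clean when this runs."""
    base = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.lower().endswith(exts):
                full = os.path.join(dirpath, name)
                rel = os.path.relpath(full, root).replace(os.sep, "/")
                base[rel] = fingerprint(full)
    return base


def save_baseline(base, path):
    with open(path, "w") as f:
        json.dump(base, f, sort_keys=True)


def load_baseline(path):
    with open(path) as f:
        return json.load(f)


def audit(root, base, exts=PROGRAM_EXTS):
    """Stage 2: compare the current state with the baseline; list every discrepancy."""
    now = take_baseline(root, exts)
    findings = []
    for rel, old in base.items():
        new = now.get(rel)
        if new is None:
            findings.append((rel, "missing"))
        elif new != old:
            changed = [k for k in ("size", "mtime", "sha256") if old[k] != new[k]]
            findings.append((rel, "changed " + "+".join(changed)))
    for rel in now.keys() - base.keys():
        findings.append((rel, "new file"))
    return sorted(findings)


def run_demo():
    """Build a throw-away tree, take the baseline, imitate an infection that
    hides its timestamp change, drop a new file, and return the audit result."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "DOS"))
        samples = {"COMMAND.COM": b"\xE9\x10\x00" + b"A" * 40,      # constructed contents
                   "DOS/FORMAT.EXE": b"MZ" + b"B" * 60,
                   "README.TXT": b"not a program, not audited"}
        for name, content in samples.items():
            with open(os.path.join(root, name), "wb") as f:
                f.write(content)
        db = os.path.join(root, "ADINF.DAT")   # keep the baseline where a virus cannot rewrite it
        save_baseline(take_baseline(root), db)

        # Simulated infection: append to COMMAND.COM, then put the old
        # modification time back, the way a careful virus does.
        victim = os.path.join(root, "COMMAND.COM")
        st = os.stat(victim)
        with open(victim, "ab") as f:
            f.write(b"<virus body>")
        os.utime(victim, (st.st_atime, st.st_mtime))
        with open(os.path.join(root, "DOS", "DROPPER.EXE"), "wb") as f:
            f.write(b"MZ" + b"C" * 10)

        return audit(root, load_baseline(db))


if __name__ == "__main__":
    for rel, what in run_demo():
        print(f"{rel}: {what}")
    # COMMAND.COM: changed size+sha256
    # DOS/DROPPER.EXE: new file
```

Two practical points follow from the code: the baseline is only worth anything if it was taken on a clean system, and the baseline file is itself a target, so it belongs on write-protected or offline storage rather than next to the files it describes.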

AVP (AntiViral Toolkit Pro) combines a detector, a doctor and an auditor, and even has some resident filter functions (for example, it can prohibit writing to files with the READ ONLY attribute). The kit is an extended version of the well-known anti-virus kit "Doctor Kaspersky". While running, it also tests for unknown viruses. The kit includes a resident program that monitors suspicious actions on the computer and lets you view a memory map, and a special set of utilities that helps detect new viruses and analyse them.

The antivirus can treat both known and unknown viruses, and the user can tell the program how to treat the latter. AVP can also treat self-modifying (polymorphic) and stealth viruses.

Norton AntiVirus is a "set it and forget it" anti-virus package. All the necessary configuration parameters and scheduled activities (disk checks, checks of new and modified programs, launching the Windows Auto-Protect utility, checking the boot sector of drive A: before rebooting) are set by default. The disk scanner is available for DOS and Windows. Norton AntiVirus detects and removes even polymorphic viruses, and it also responds to virus-like activity, which lets it fight unknown viruses.

FILTERS (also called watchmen or monitors) are resident in the computer's RAM. They intercept the operating-system calls that viruses use to reproduce and do damage, and report them to the user, who can allow or deny each operation.

Some filter programs do not "catch" suspicious actions but instead check every program called for execution for viruses. This slows the computer down.

The advantages of filter programs are nevertheless significant: they can detect many viruses at a very early stage, before the virus has had time to multiply or spoil anything, so losses from the virus can be kept to a minimum.

VACCINES, or IMMUNIZERS, modify programs and disks in such a way that their operation is unaffected, but the virus against which the vaccination is performed treats them as already infected. These programs are of very limited effectiveness, since a vaccine works only against the specific virus whose infection mark it imitates.

Shortcomings of antivirus programs

– None of the existing antivirus technologies can provide complete protection against viruses.

– An antivirus program consumes part of the system's computing resources, loading the CPU and the hard disk. This is especially noticeable on weak computers; the background slowdown can be as high as 380%.

– Antivirus programs can see a threat where there is none (false positives).

– Antivirus programs download updates from the Internet, which consumes bandwidth.

– Various encryption and packing techniques can make even known viruses undetectable. Detecting such "disguised" viruses requires a powerful unpacking engine that can decrypt or decompress files before scanning them; many antivirus programs lack this, so encrypted viruses often go undetected.

There are a large number of paid and free antivirus programs from many well-known vendors.

So what is an antivirus? For some reason many people believe that an antivirus can detect any virus, that is, that by running an antivirus program you can be absolutely sure of the result. This view is not entirely correct.

The fact is that an antivirus is also a program, written, of course, by a professional. But such programs are able to recognize and destroy only known viruses: an antivirus against a specific virus can be written only once the programmer has at least one copy of that virus. Hence the endless war between virus authors and antivirus authors, though for some reason there are always more of the former in our country than of the latter.

But the antivirus authors have an advantage. A large number of viruses have algorithms practically copied from other viruses; as a rule such variants are created by unprofessional programmers who for some reason decided to write a virus. To combat such "copies" a new weapon was invented: heuristic analyzers. With their help an antivirus can find close analogues of known viruses and inform the user that there appears to be a virus. Naturally the reliability of a heuristic analyzer is not 100%, but its detection rate is still better than 50%.

Thus in this information war, as in any other, the strongest survive: viruses that antivirus detectors fail to recognize can only be written by the most experienced and qualified programmers.

Let us begin our consideration of the material in this section by getting acquainted with the principles on which anti-virus software is built.

To organize effective anti-virus protection you need an appropriate anti-virus tool. Despite the variety of modern antivirus products, their operating principles are the same. The main functions of a modern antivirus include:

– scanning memory and disk contents according to a schedule;

– scanning computer memory, and files as they are written and read, in real time using a resident module;

– selective scanning of files whose attributes (size, modification date, checksum, etc.) have changed;

– scanning archive files;

– recognition of behavior characteristic of computer viruses;

– remote installation, configuration and administration of anti-virus programs from the system administrator's console;

– notifying the system administrator about virus-attack events by email, pager, etc.;

– a forced scan of computers connected to the corporate network, initiated by the system administrator;
– remote updating of anti-virus software and databases with information about viruses, including automatic updating of virus databases via the Internet;

– filtering Internet traffic to detect viruses in programs and documents transmitted over SMTP, FTP and HTTP;

– identification of potentially dangerous Java applets and ActiveX modules;

– functioning on various server and client platforms, as well as in heterogeneous corporate networks;

– keeping logs of events related to anti-virus protection.

Because one of the main characteristics of modern virus attacks is their speed of spread and the frequency with which new attacks appear, modern antivirus software must be updated as often as possible, which raises the quality of protection; all virus threats current at the time must be taken into account. But the presence of anti-virus software is a necessary, not a sufficient, condition for repelling a virus attack. It is not enough to have the tool; you must also think about using it correctly. Virus protection should be part of a security policy that is understood and followed by all users of the system. Today a typical corporate network of a domestic customer includes tens or hundreds of workstations, dozens of servers and a variety of active and passive telecommunications equipment, and as a rule has a very complex structure (Fig. 36).

The cost of maintaining such a network grows catastrophically along with the increase in the number of connected workstations. Now everyone is talking about how, under these conditions, it is possible to reduce the total cost of owning or operating an enterprise’s computer infrastructure. Obviously, the cost of anti-virus protection of the corporate network is not the last item on the list of general expenses of the enterprise. However, there is a fundamental opportunity to optimize and reduce these costs by using special solutions that allow centralized management of anti-virus protection of a corporate network in real time. It is necessary that such solutions allow enterprise network administrators to monitor all virus penetration points from a single management console and, using client-server technology, to effectively manage all anti-virus tools from various manufacturers present in the corporate network.

This anti-virus protection strategy allows you to block all possible entry points for viruses, such as:

– penetration of viruses into workstations when infected files from portable media (floppy disks, CDs, Zip, Jaz, Floptical, etc.) are used on the workstation;

– infection with viruses using free infected software obtained from the Internet via the Web or FTP and stored on a local workstation;

– penetration of viruses when infected workstations of remote or mobile users connect to the corporate network;

– infection with viruses from a remote server connected to the corporate network and exchanging infected data with corporate servers of file applications and databases;

– spread of email messages carrying Word and Excel documents infected with macro viruses.

However, it is precisely the requirement of comprehensive centralized management that has become the stumbling block for building effective, comprehensive anti-virus protection systems for corporate networks in domestic companies, which ultimately led to the wide penetration of computer viruses into Internet/intranet environments. Local anti-virus solutions in a corporate network are necessary but not sufficient for effective enterprise anti-virus protection. The current situation requires prompt intervention by the responsible officials and decisions aimed at creating enterprise anti-virus protection systems. According to many experts, such systems must meet the requirements given in Table 3.5.

Table 3.5. Basic requirements for a corporate antivirus protection system (functionality and its value for the corporate customer)

– Virus detection: fundamentally important, because it directly justifies the cost of purchasing and operating the anti-virus software.

– Detection of destructive code (Trojan horses, hostile ActiveX controls and Java applets): quite important for a corporate user.

– Readiness to respond quickly to new types of threat: the vendor's ability to react promptly to the emergence of new threats matters.

– Maintenance and support: as a rule the user wants answers to "What components are included in the basic configuration?", "What can be obtained additionally?" and "What services are covered by the annual technical support fee?"

– An exhaustive list of protected points of possible virus entry: viruses and malware arrive from many sources, so users want assurance that no entry point is left unprotected. Periodic centralized updating of virus signatures is also important.

– Manageability: the ability to administer the antivirus software centrally is extremely important, because end users cannot be relied on to keep protection running and updated on their workstations.

– Managing antivirus protection for remote users: many users now work from home, connecting to corporate resources over the network and introducing new entry points for viruses, so the administrator needs to keep them at the same level of protection as local computers.

– Centralized notification: without an instant, unified view of all points of exposure on the network, an administrator may miss a potential, and usually real, virus attack.

– System performance: if antivirus protection gets in the way of system performance, mail delivery or other key aspects of business communication, the end user will be tempted to disable it.

– Remote administration (via browser): if the administrator is himself a remote user, a browser interface lets him administer the whole enterprise regardless of location.

– Automatic distribution and updating: an administrator may be responsible for hundreds of workstations and dozens of network segments he cannot visit in person, so wanting to automate distribution and updating of the antivirus software is understandable.

The best way to deal with a virus attack is to prevent it. To solve this problem you need:

– configure anti-virus software accordingly;

– use only licensed software;

– limit the set of programs that the user is able to install on the system;

– eliminate known vulnerabilities in the software used;

– control the use of floppy disk drives and CD-ROM drives;

– develop an email processing policy;

– develop a security policy for applications that process documents with interpreted languages.

To properly configure your antivirus software, you must make the following antivirus settings:

– scanning in real time, in the background or similar, must be enabled;

– when the system starts, you need to scan the memory, boot sector and system files;

– update virus databases in a timely manner;

– it is advisable to scan files of all types or, at a minimum, COM and EXE files as well as VBS, SHS and OCX files;

– enable auditing (logging) of all actions of the anti-virus programs.

Since software obtained from an unknown source may be a Trojan or infected with a virus, only licensed software should be used.

The set of programs a user can install on the system should be limited, because such programs may be infected with viruses or make other attacks possible. Particular attention should be paid to Internet services and, first of all, to messaging programs such as IRC, ICQ and Microsoft Chat: they can transfer files and thus serve as a source of infection.

To eliminate known "holes" in the software in use, vulnerability databases published on Internet mailing lists and on dedicated sites can serve as the source of information about vulnerabilities.

All information contained on floppy disks and CDs must be scanned for viruses before it is handled by computer system users.

Because email is one of the most popular and fastest channels for spreading viruses, every organization should have an email policy in place. To protect against viruses arriving by email, each user of the system must:

– never open an email attachment immediately; first save it to a designated "quarantine" directory;

– never open attachments that were not requested or announced by the sender (even when the sender is known, the message may carry a virus; if the sender is unknown, it is best to delete the message together with the attachment);

– always check an attachment with anti-virus software before opening it;

– if doubts remain after all these steps, contact the sender and ask about the attachment;

– eliminate known vulnerabilities in the email client software.

If a user or organization uses applications that process documents with interpreted languages ​​(for example, a family of products Microsoft Office), then the procedure for working with these documents should also be reflected in the security policy.

Let's take a closer look at how antivirus programs work and what types of these programs there are.

Typically, virus analysis consists of extracting signatures from a virus and then searching for them in the potential targets of attack. Thus only a few years ago it was enough to catch a virus, study its code (for professionals usually a matter of minutes) and extract a signature. But virus technology did not stand still: new viruses appeared, and new anti-virus products followed them.

There are a great many antivirus products, and in each case the anti-virus kit must be chosen on the basis of the organization's overall information security concept and the needs of the specific user, so the main types of antivirus tools are briefly described below.

There are the following standard types of protection program (Table 3.6):

– detectors (scanner);

– phages (polyphages) (scanner/cleaner, scanner/remover);

– auditors;

– watchmen;

– special vaccines;

– blockers.

Table 3.6. Standard antivirus programs

In most cases, a virus that has infected a computer will be detected by already developed detector programs. They check whether the files on the user-specified drive contain a sequence of bytes specific to a given virus. When a virus is detected, the program displays a corresponding message on the screen. The purpose of the detector is only to detect the virus. Either another antivirus program or a system programmer will have to deal with it.

Among the detectors we can single out heuristic code analyzers: sets of routines that analyse the code of executable files, memory or boot sectors to detect various types of computer virus in it. Let us consider the general scheme of such an analyzer. Working according to this scheme, the analyzer makes the fullest possible use of all the information collected about the object under test.

The heuristic approach consists of trying to propose a perhaps suboptimal but quick solution to extremely complex (or even intractable) problems based on increasingly reliable assumptions.

The basic idea of ​​this approach is that the heuristic first considers the behavior of the program and then compares it with that characteristic of a malicious attack, such as the behavior of a Trojan horse. Establishing a pattern of behavior and making decisions regarding it can be done using several mechanisms. In order to identify and determine all possible program actions, two approaches are used:

– scanning;

– emulation.

The scanning approach involves searching for "behavioral patterns", for example the most common low-level ways of opening files. The procedure for scanning an ordinary executable file looks at every place where the program opens another file and determines what kind of files it opens and what it writes to them.

The second method of determining behavior is emulation, which is somewhat more complex: the program is run through a Windows, Macintosh or Word macro emulator to see what it will do. Questions arise here, because much depends on the quirks of the virus. For example, if a virus is programmed to format the hard drive on February 25 at 10 a.m., and the emulator's clock is set to February 24, the virus will not yet reveal its intentions.

The whole trick of fast recognition is to combine the two approaches and build the most detailed catalogue of behavioral patterns in the shortest possible time. To decide whether a file is infected, specialists can use various artificial-intelligence techniques such as expert systems and neural networks.

The disadvantage of the heuristic approach is precisely its heuristic nature. There is always the possibility that an extremely suspicious file is actually completely harmless. However, Symantec's latest heuristic engine, called Bloodhound, can detect up to 80% of unknown executable viruses and up to 90% of unknown macro viruses.
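The scanning approach described above, as an added example (not Symantec's Bloodhound or any other real engine): it looks for the DOS-era "behavioural patterns" of file searching, writing, timestamp and attribute manipulation, interrupt hooking and raw disk writes as byte sequences in 16-bit x86 code, adds up weights and reports a verdict. The pattern set, the weights, the threshold and the three opcode samples are constructed for this example.

```python
import re

# Constructed catalogue of "behavioural patterns" for 16-bit DOS code: the byte
# encoding of MOV AH,func (B4 xx) or MOV AX,func (B8 lo hi) followed within a few
# bytes by the software interrupt that performs the action. The weights are this
# example's own guesses at how virus-like each action is; a real engine tunes
# them against large corpora of clean and infected files.
PATTERNS = [
    ("find first file, INT 21h/4Eh",        rb"\xB4\x4E.{0,6}?\xCD\x21", 1),
    ("find next file, INT 21h/4Fh",         rb"\xB4\x4F.{0,6}?\xCD\x21", 1),
    ("open file, INT 21h/3Dh",              rb"\xB4\x3D.{0,6}?\xCD\x21", 1),
    ("write to file, INT 21h/40h",          rb"\xB4\x40.{0,6}?\xCD\x21", 2),
    ("set file attributes, INT 21h/4301h",  rb"\xB8\x01\x43.{0,6}?\xCD\x21", 2),
    ("set file date/time, INT 21h/5701h",   rb"\xB8\x01\x57.{0,6}?\xCD\x21", 3),
    ("hook interrupt vector, INT 21h/25h",  rb"\xB4\x25.{0,6}?\xCD\x21", 3),
    ("stay resident, INT 21h/31h",          rb"\xB4\x31.{0,6}?\xCD\x21", 3),
    ("BIOS write sectors, INT 13h/03h",     rb"\xB4\x03.{0,6}?\xCD\x13", 4),
    ("absolute disk write, INT 26h",        rb"\xCD\x26", 4),
]
COMPILED = [(name, re.compile(rx, re.DOTALL), weight) for name, rx, weight in PATTERNS]
SUSPICIOUS_AT = 8      # constructed threshold


def analyse(code):
    """Scanning-style heuristic: which patterns occur and what they add up to."""
    hits = [(name, weight) for name, rx, weight in COMPILED if rx.search(code)]
    return sum(weight for _, weight in hits), [name for name, _ in hits]


def verdict(code):
    """Return (label, score, pattern names) for a blob of executable code."""
    score, hits = analyse(code)
    label = "suspicious" if score >= SUSPICIOUS_AT else "probably clean"
    return label, score, hits


# Constructed opcode sequences (not runnable programs). Each line is one
# instruction group: MOV AH/AX,func ... INT 21h.
INFECTOR_LIKE = bytes.fromhex(
    "B44E BA0001 CD21"      # find first *.COM
    "B43D B002 CD21"        # open it read/write
    "B440 B90800 CD21"      # write the body
    "B80157 CD21"           # put the old timestamp back
    "B80143 CD21"           # restore attributes to hide the change
)
BACKUP_LIKE = bytes.fromhex(    # a backup tool that preserves times and attributes
    "B44E BA0001 CD21"      # find first
    "B44F CD21"             # find next
    "B43D B000 CD21"        # open source
    "B43F B90002 CD21"      # read (not scored)
    "B440 CD21"             # write the copy
    "B80157 CD21"           # copy the timestamp
    "B80143 CD21"           # copy the attributes
)
HELLO_LIKE = bytes.fromhex("B409 BA0801 CD21 B8004C CD21")   # print a string, exit


if __name__ == "__main__":
    for label, code in [("infector-like", INFECTOR_LIKE),
                        ("backup-like", BACKUP_LIKE),
                        ("hello-like", HELLO_LIKE)]:
        print(label, verdict(code))
```

The backup-like sample scores higher than the infector-like one, which is the false-positive problem the passage describes: a utility that copies files while preserving their timestamps and attributes performs the same low-level operations as an infector, and a static scan cannot tell the two intentions apart. Emulation narrows the gap by observing what actually happens at run time, at the cost of the clock-dependent blind spot mentioned above.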

It is also worth noting that detector programs are not very universal, since they detect only known viruses. Some of them can be given a special byte sequence characteristic of a virus and will then detect files infected by it: Norton AntiVirus and the AVP scanner, for example, can do this.

The Aidstest program is outdated and is now hardly used. The most widely used programs are DrWeb and AVP; thanks to their up-to-date detectors they catch a very wide range of viruses, both the oldest and the newly emerging ones. The ADinf auditor also deserves mention: it detects viruses that do not change file length, stealth ("invisible") viruses, and many others. Together these three programs provide strong protection. All of them can be listed in the AUTOEXEC.BAT file so that a check for infection runs automatically at boot. Incidentally, Russian programs such as DrWeb and AVP are also popular in the West.

A few years ago, detectors almost lost their position to programs called polyphages, but today they are returning to the computer market.

For those who use only licensed software, there is no need to waste time treating virus-infected files. It is easier to restore an infected program from the distribution kit. But due to the fact that even in many fairly large organizations they very often use not licensed, but “pirated” products (possibly already infected with a virus), clean detectors (scanners) will not soon be able to compete with phages.

Phages (polyphages) (scanner/cleaner, scanner/remover) are programs that can not only detect but also destroy viruses, that is, cure "sick" programs (a polyphage can destroy many different viruses). The old Aidstest program, which detects and neutralizes about 2000 viruses, also belongs to the polyphages.

The basic principle of operation of a traditional phage is simple and no secret. For each virus, by analyzing its code, methods of infecting files, etc., a certain sequence of bytes characteristic only of it is isolated. This sequence is called the signature of this virus. In the simplest case, searching for viruses comes down to searching for their signatures (this is how any detector works). Modern phages use other methods of searching for viruses.

After detecting a virus in the body of the program (or the boot sector, which also, however, contains the boot program), the phage neutralizes it. To do this, developers of antivirus products carefully study the work of each specific virus: what it spoils, how it spoils it, where it hides what it spoils (if it hides, of course). In most cases, the phage is able to safely remove the virus and restore the functionality of damaged programs. But it is necessary to understand well that this is not always possible.

Auditor programs monitor the possible routes by which an infection spreads. The ingenuity of malware authors is bounded by what is possible in principle; those bounds are well known, which is why viruses are still not omnipotent. If you take control of every conceivable avenue of a virus attack on a computer, you can be practically safe. Among the audit programs available in Russia, the ADinf program mentioned above deserves attention.

Watchmen are small resident programs that reside permanently in the computer's memory and monitor operations that they consider suspicious. An example of a watchdog program is the VSAFE software product, which was included with some versions of MS DOS.

Since viruses and ordinary programs perform the same operations, it is impossible to single out a class of exclusively "viral" operations. As a result, the watchman is forced either to control nothing and passively observe what is happening, or to "ring" at every suspicious operation. It is therefore advisable to use watchdog programs at a minimal level of control (for example, tracking changes to boot sectors). Some modern BIOSes have such a watchdog function, although it is not without problems: it may conflict with some operating systems and sometimes does not work at all.

Special vaccines are designed to process files and boot sectors. Vaccines are either passive or active. An active vaccine, “infecting” a file, like a virus, protects it from any changes and in some cases is capable of not only detecting the fact of infection, but also curing the file. Passive vaccines are used only to prevent infection of files by certain viruses that use simple signs of infection - “strange” time or date of creation, certain character strings, etc.

Today vaccination is not widely used. Thoughtless vaccination of everything and everyone can cause whole epidemics of non-existent viral diseases. For several years a terrible epidemic of the dreaded TIME virus raged across the former USSR: hundreds of perfectly healthy programs that had been processed by the ANTI-KOT antivirus program fell victim to it.

Let us give an example from practice. There are currently quite a few viruses that prevent reinfection of files by means of a kind of “black mark” with which they tag an infected program. There are, for example, viruses that set the seconds field of the file creation time to 62. Quite a long time ago a virus appeared that appended five bytes, MsDos, to every infected file. Normal files do not contain such a character string at the end, so the virus used this sign as an indicator that a file was infected. Vaccinating files against such a virus is not at all difficult: it is enough to append the above-mentioned string to the end of the file, and infection by that virus is no longer a concern. The worrying part is that some antivirus programs, on encountering the ill-fated string at the end of a file, immediately begin to “treat” it. There is practically no chance that a file “disabled” by such “treatment” will work normally.

Another type of antivirus program is the virus blocker. Blockers help limit the spread of an epidemic until the virus is destroyed. Almost all resident viruses determine whether they are already present in the machine's memory by issuing some software interrupt with “tricky” parameters. If you write a simple resident program that simulates the presence of the virus in memory by “responding” correctly to this particular password, the virus will most likely consider the machine already infected.

Even if some files on the computer contain virus code, with the blocker in use all other files will not be infected. For this to work, the blocker must be started before all other programs, for example from the CONFIG.SYS file. But if the virus has managed to infect COMMAND.COM or starts from the boot sector, the blocker will not help.

It is very important to use alternative antivirus solutions. By themselves, antivirus scanners and the protection settings in various applications do not provide adequate protection against malware. Antivirus scanners must be constantly updated, yet rapidly spreading viruses can outpace these updates.

The only way to avoid exposure to malware is to block suspicious files at your firewall or email gateway. Many organizations now block all incoming attached files with the following potentially dangerous extensions: EXE, COM, SCR, HTA, NTO, ASF, CHM, SHS, PIF. Others install even stricter filters, blocking files with the extensions ADE, ADP, BAS, BAT, CMD, CNT, CPL, CRT, CSS, HLP, INF, INS, ISP, JS, JSE, LNK, MDB, MDE, MSC, MSI, MSP, MST, PCD, REG, SET, SHB, URL, VB, VBE, VBS, WSC, WSF, WSH.
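As an added illustration of the gateway filter just described (example code written for this page, not taken from any mail gateway product), the following Python functions check attachment names against the two tiers of extensions listed above. The tier lists are transcribed from the text (the entry NTO is left out because I could not confirm it as a real extension); the sample attachment names are constructed. The check looks at every extension in the name rather than only the last one, so a double extension such as `invoice.pdf.exe` is caught, and it is case-insensitive, because a filter that only knows `EXE` would let `Setup.Exe` through.

```python
import os

# Extension tiers transcribed from the text above, lower-cased for comparison.
BLOCKED_BASIC = {"exe", "com", "scr", "hta", "asf", "chm", "shs", "pif"}
BLOCKED_STRICT = BLOCKED_BASIC | {
    "ade", "adp", "bas", "bat", "cmd", "cnt", "cpl", "crt", "css", "hlp",
    "inf", "ins", "isp", "js", "jse", "lnk", "mdb", "mde", "msc", "msi",
    "msp", "mst", "pcd", "reg", "set", "shb", "url", "vb", "vbe", "vbs",
    "wsc", "wsf", "wsh",
}


def attachment_extensions(filename):
    """All extensions of a name, lower-cased, outermost last: 'a.pdf.EXE' -> ['pdf', 'exe'].

    The directory part and any trailing dot or whitespace (which some mail
    clients append) are stripped before splitting.
    """
    base = os.path.basename(filename.strip().rstrip(". "))
    return [part.lower() for part in base.split(".")[1:]]


def is_blocked(filename, strict=False):
    """True if any extension in the name is on the chosen tier's list."""
    policy = BLOCKED_STRICT if strict else BLOCKED_BASIC
    return any(ext in policy for ext in attachment_extensions(filename))


def filter_attachments(names, strict=False):
    """Split attachment names into (allowed, blocked), preserving order."""
    allowed, blocked = [], []
    for name in names:
        (blocked if is_blocked(name, strict) else allowed).append(name)
    return allowed, blocked


# Constructed sample attachment names for a demonstration run.
SAMPLE_ATTACHMENTS = ["report.pdf", "Setup.EXE", "invoice.pdf.exe",
                      "cleanup.bat", "photo.jpg", "link.url", "notes.txt."]

if __name__ == "__main__":
    for strict in (False, True):
        allowed, blocked = filter_attachments(SAMPLE_ATTACHMENTS, strict=strict)
        print("strict" if strict else "basic ", "allowed:", allowed, "blocked:", blocked)
```

Because every extension in the name is checked, a name like `report.exe.txt` is blocked as well; that is the conservative choice for a gateway. An extension filter is only a first line, since a renamed or archived file passes it unchanged, which is why the text pairs it with regularly updated scanners.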

One of the key questions facing the detection-systems industry in the coming years is whether customers will continue to buy these systems as stand-alone products or will soon begin purchasing them bundled with network equipment such as routers, switches or LAN appliances. The answer is not yet known, but there is no doubt that network attack detection systems, used today primarily by large organizations such as banks and federal agencies, will eventually reach a wider range of corporate users.

With the advent of computers and the operating systems running on them, malicious programs began to appear, called viruses by analogy with medical terminology. This phenomenon had to be dealt with somehow, so back in those distant times the first antivirus was developed. At the time it was in fact the only protection against threats, which initially had a purely destructive effect on the computer system. Today viruses have evolved, and antivirus programs have changed accordingly.

Antivirus: what is it?

First, let's look at the history of antivirus software. If we compare the very first means of protection with modern developments, we can say that today's antivirus is a comprehensive protection of the operating system, installed user programs, the user's personal data, and any other confidential or non-disclosure information.

Why is that? Consider any modern antivirus. The basic concepts associated with its operation will be discussed separately; for now we should proceed from how threats have changed since they first appeared.

Indeed, previously threats were aimed mainly at disabling the operating system. The first hackers created such programs, as they say today, purely for sport. Over time, their intentions went beyond the law: theft of classified information, activation of advertising, filling the computer with unnecessary garbage in order to increase the load on the system, and so on. That is why in the modern world the work of an antivirus is not limited to detecting destructive threats. Antiviruses actively use anti-spyware and anti-advertising modules, providing the fullest possible protection from everything that can be considered a virus. But it is impossible to protect yourself from absolutely everything, because today viruses appear like mushrooms after rain.

An antivirus program is... Types of antiviruses

As for modern antivirus programs, their classification is largely arbitrary, since most packages are full-featured suites designed to detect, isolate or remove threats of all known types.

The only exceptions are scanners that are portable or run before the operating system starts and are designed to identify threats of a particular type. For example, applications with the generic name Rescue Disk start before the system boots and detect viruses that have a critical impact on the system and interfere with its startup.

Applications such as AdwCleaner and other Malwarebytes products are focused primarily on removing advertising and related spy modules. Thus installable or portable applications do not always provide complete protection and are used mainly to scan for a specific type of threat.

On the other hand, installing several antivirus programs on one system is entirely impractical. At best you can use a pair such as ESET Smart Security together with some Malwarebytes product. But if you install antiviruses such as NOD32 and Kaspersky Free at the same time, conflicts cannot be avoided (they will “compete” with each other). One Internet user once remarked on this topic that installing two such packages together would be like putting Stalin and Hitler in the same cell. And there is some truth in this.

Operating principles of modern antiviruses

Now a few words about how any modern antivirus works. It is a process that includes on-demand scanning, prevention of threat intrusion based on several kinds of analysis of potentially dangerous files or Internet resources, and isolation or complete destruction of threats.

Two types of analysis are used as virus detection tools: signature and probabilistic.

Signature analysis

This type of analysis is based directly on accessing special databases that contain information about already known viruses.

When scanning a potentially dangerous object, the program compares its structure with the already known structures of previously detected threats. That is why it is safe to say that a modern antivirus is an application whose databases need to be updated periodically, since new entries are added to them almost daily. As already mentioned, viruses evolve much faster than antivirus software. Thus the antivirus version itself also needs updating, since the built-in modules become outdated over time and may no longer cope with the functions assigned to them.
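To make the signature comparison concrete, and to show why the MsDos “black mark” from the vaccine story earlier is not a usable signature, here is an added Python example written for this page (not code from any antivirus product). The signature database is constructed: its first entry is the real, industry-standard EICAR test string, which every scanner is expected to detect and which is harmless; the second is a made-up wildcard pattern. The sample files are constructed as well. A proper signature scan leaves a vaccinated clean file alone, while the naive marker-based scanner flags it, which is exactly the false-positive “treatment” the text warns about.

```python
import re

# The EICAR test string: a real, standard harmless file that scanners must detect.
# A raw bytes literal keeps the backslash in the string literally.
EICAR = rb"X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"

# Constructed signature database: name -> compiled byte pattern.
# re.escape turns the fixed EICAR bytes into an exact-match pattern; the second
# entry is a constructed wildcard signature with two "don't care" bytes in the middle.
SIGNATURES = {
    "EICAR-Test-File": re.compile(re.escape(EICAR)),
    "Example.Wildcard": re.compile(rb"\xDE\xAD..\xBE\xEF\x90\x90", re.DOTALL),
}

# The five-byte trailer from the MsDos story: a *marker* a virus used to recognise
# files it had already infected, not a signature of the virus code itself.
MSDOS_MARKER = b"MsDos"


def scan_bytes(data, signatures=SIGNATURES):
    """Signature scan: return the names of every signature found in data."""
    return [name for name, pattern in signatures.items() if pattern.search(data)]


def scan_naive(data):
    """A too-eager scanner that also treats the trailing marker as proof of infection."""
    hits = scan_bytes(data)
    if data.endswith(MSDOS_MARKER):
        hits.append("Marker.MsDos")
    return hits


# Constructed sample files.
CLEAN_FILE = b"Hello, this is a plain text report.\n"
VACCINATED_FILE = CLEAN_FILE + MSDOS_MARKER      # passive "vaccine": clean file plus marker
WILDCARD_SAMPLE = (b"\x00\x01"
                   + b"\xDE\xAD\x0A\x0B\xBE\xEF\x90\x90"   # newline byte sits in the wildcard slot
                   + b"\x02")

if __name__ == "__main__":
    for label, blob in [("EICAR", EICAR), ("clean", CLEAN_FILE),
                        ("vaccinated", VACCINATED_FILE), ("wildcard", WILDCARD_SAMPLE)]:
        print(f"{label:10} signature={scan_bytes(blob)} naive={scan_naive(blob)}")
```

Two details matter in practice: the wildcard pattern is compiled with `re.DOTALL`, otherwise a newline byte in the wildcard position would defeat the match; and the scan works on bytes in memory, so nothing is written to disk (a real antivirus on the machine would otherwise react to the EICAR bytes the moment they land in a file).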

Probabilistic Analysis

This type of check consists of three subtypes: heuristic analysis, behavioral analysis, and the checksum comparison method.

Each of these three types could be divided into independent categories, but in world practice they are combined into one type in the form of subsections. Let's look at each of them.

Heuristic analysis

Heuristic analysis is essentially very similar to signature analysis, since it is also based on comparing the structure of a threat with already known, isolated threats.

The difference is that it also determines the algorithms built into the virus, on the basis of which the probable way the malicious code may affect the computer system is identified.

Behavioral analysis

From the name of this type of check it is easy to guess that it is related to heuristic analysis and allows you to predict how a threat will affect the state of the system. This technique, however, is applied more to macros and scripts of various kinds.
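The heuristic and behavioral checks above differ from a signature scan in that no single byte pattern decides the verdict; instead, indicators of what a script or macro is built to do are weighed together. The following Python example, added for this page and not taken from any product, scores script text with a constructed rule set of the kind a macro scanner might use. The rules, weights, thresholds and the three sample scripts are all assumptions made for the example; each indicator is harmless on its own (an administrator's script legitimately creates a shell object), and only the combination raises the verdict.

```python
import re

# Constructed heuristic rules: (description, pattern, weight). None of these is a
# signature of a particular virus; they describe what the code is set up to do.
RULES = [
    ("auto-executing macro entry point",
     re.compile(r"\b(Auto_?Open|Document_Open|Workbook_Open)\b", re.I), 2),
    ("creates a shell object",
     re.compile(r'CreateObject\(\s*"WScript\.Shell"', re.I), 3),
    ("builds a string from character codes",
     re.compile(r"(Chr\(\d+\)\s*&\s*){3,}", re.I), 2),
    ("launches another process",
     re.compile(r"\.Run\b|\bShell\s*\(", re.I), 2),
    ("fetches data from the network",
     re.compile(r"XMLHTTP|WinHttpRequest|DownloadFile", re.I), 3),
    ("writes a file to disk",
     re.compile(r"CreateTextFile|SaveToFile", re.I), 1),
]


def heuristic_score(script_text):
    """Return (total score, list of matched indicator descriptions)."""
    score, matched = 0, []
    for description, pattern, weight in RULES:
        if pattern.search(script_text):
            score += weight
            matched.append(description)
    return score, matched


def verdict(script_text):
    """Map the score to a verdict: clean (< 3), review (3..5), suspicious (>= 6).
    The thresholds are an assumption for this example."""
    score, _ = heuristic_score(script_text)
    if score >= 6:
        return "suspicious"
    if score >= 3:
        return "review"
    return "clean"


# Constructed sample scripts (inert text used only as scanner input).
BENIGN_SCRIPT = """\
Set fso = CreateObject("Scripting.FileSystemObject")
Set f = fso.CreateTextFile("log.txt")
f.WriteLine "hello"
"""

ADMIN_SCRIPT = """\
Set sh = CreateObject("WScript.Shell")
sh.Run "notepad.exe"
"""

MACRO_SAMPLE = """\
Sub Document_Open()
  Set sh = CreateObject("WScript.Shell")
  code = Chr(97) & Chr(98) & Chr(99) & Chr(100)
  sh.Run code & " placeholder-argument", 0
End Sub
"""

if __name__ == "__main__":
    for label, text in [("benign", BENIGN_SCRIPT), ("admin", ADMIN_SCRIPT), ("macro", MACRO_SAMPLE)]:
        print(label, verdict(text), heuristic_score(text))
```

The example also shows the cost of the approach that the text hints at: the administrator's script lands in the "review" band, which is the heuristic analogue of a false positive, so thresholds have to be tuned against a corpus of known-clean scripts rather than set once.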

Checksum analysis

Another interconnected component that allows you to determine the presence of a virus is comparison of file checksums. Information about the structure of every file present in the system is written to a cache, and when an attempt is made to change an object, the initial and final sums corresponding to the same file are compared.

Changes to a file made by a user or a system process are not taken into account here. But when a massive or simultaneous change of checksums begins, this may indicate that the malicious code has already been activated.
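The checksum comparison just described (and the disk auditors such as ADinf mentioned earlier, which work on the same principle) can be shown end to end in a few dozen lines. The Python example below is added for this page and is not the code of any antivirus product: it snapshots SHA-256 digests of every file under a directory (the "cache" in the text), compares a later snapshot against the baseline, and raises an alert only when a large share of files changed at once. The directory tree, the file contents, the "user edit" and the "mass change" are all constructed inside a temporary directory, and the 50% alert ratio is an assumption.

```python
import hashlib
import os
import tempfile


def file_digest(path, chunk=65536):
    """SHA-256 of a file, read in chunks so large files need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def snapshot(root):
    """Map every file under root (relative path) to its digest: the baseline cache."""
    result = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            result[os.path.relpath(full, root)] = file_digest(full)
    return result


def compare(baseline, current):
    """Report which files changed, appeared or disappeared since the baseline."""
    changed = sorted(p for p in baseline if p in current and baseline[p] != current[p])
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    return {"changed": changed, "added": added, "removed": removed}


def mass_change_alert(diff, baseline_size, ratio=0.5):
    """True when at least `ratio` of the baseline files changed at once.
    A single edit by the user stays below the ratio; a mass change trips it."""
    if baseline_size == 0:
        return False
    return len(diff["changed"]) / baseline_size >= ratio


def demo():
    """Build a constructed tree of ten files in a temp dir and exercise the monitor."""
    with tempfile.TemporaryDirectory() as root:
        for i in range(10):
            with open(os.path.join(root, f"prog{i}.exe"), "wb") as f:
                f.write(b"constructed program body %d" % i)
        baseline = snapshot(root)

        # One legitimate edit: only prog0.exe changes.
        with open(os.path.join(root, "prog0.exe"), "ab") as f:
            f.write(b" updated by user")
        single = compare(baseline, snapshot(root))
        single_alert = mass_change_alert(single, len(baseline))

        # Mass change: a trailer is appended to every remaining file at once.
        for i in range(1, 10):
            with open(os.path.join(root, f"prog{i}.exe"), "ab") as f:
                f.write(b"TRAILER")
        mass = compare(baseline, snapshot(root))
        mass_alert = mass_change_alert(mass, len(baseline))
        return single, single_alert, mass, mass_alert


if __name__ == "__main__":
    single, single_alert, mass, mass_alert = demo()
    print("after one edit:", single["changed"], "alert:", single_alert)
    print("after mass change:", len(mass["changed"]), "files, alert:", mass_alert)
```

The baseline itself is the weak point of this scheme: if the snapshot is stored where the same code that modifies the files can also rewrite it, the comparison proves nothing, which is why auditors keep their tables on read-only or external media.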

Modern antivirus packages

As a rule, almost all modern security packages require activation or entry of a license code. Even the free version of any antivirus provides these for a year (sometimes less). Paid and shareware products may work only for a trial period, after which you will either have to purchase them or renew the license. For example, you don't have to buy ESET programs: for them it is enough to activate a new product code every 30 days. Reviews indicate that daily updated logins and passwords can be found on the Internet, which can then be converted into the required license codes.

As for the antivirus packages themselves, a great many have been developed by now; among everything offered on the antivirus software market, however, the following products (including antiviruses, Internet security suites and so on) deserve separate mention:

  • Kaspersky Lab products;
  • ESET security tools;
  • Dr.Web developments;
  • Malwarebytes tools;
  • the antiviruses Avast, Avira, Panda, AVG, 360 Security, Bitdefender, Comodo, MS Security Essentials, McAfee and many others.

Instead of an afterword

As can be seen from all of the above, a modern antivirus is a fairly serious software package focused on the timely identification and elimination of any possible threat when it attempts to penetrate a computer system. If we consider the entirely logical question of which tool to use to ensure full protection, then, judging by reviews from specialists and many forum users, it is better not to install free programs, since many of them let threats through, and some also cause conflicts with Windows system processes. Given that the built-in tools of Windows systems are clearly inferior to third-party programs, it is better to install at least some package from ESET. Of course, you will have to renew the license every month. Inconvenient. But such packages are able to protect both the computer and user information at all levels.


version: 5.3.1 from March 18, 2019

A program for safely checking files for viruses online: SA+ tests objects in an isolated cloud container without installing them on the computer, using 12 antivirus engines of the VirusTotal online scanner for the analysis.

SecureAPlus Freemium is a set of tools for protecting your computer from malicious code, based on three components: the ClamAV antivirus engine, a special whitelist-based method of detecting dangerous programs, and a function for scanning all new objects in a secure cloud using the AV engines of the VirusTotal service.

version: 15.0.44.143 from March 15, 2019

The free antivirus Avira Free Antivirus 2016 is intended for non-commercial use. Despite its free status, this program offers a full set of capabilities for detecting and removing malicious modules.

The program has a special wizard for more convenient updating of anti-virus databases.

version: 19.3.2369 from March 12, 2019

Avast is a popular antivirus solution for PC and mobile platforms that allows you to protect all your devices from viruses, spyware and targeted hacker attacks.
Avast! Antivirus is designed to provide a good level of security not only for a laptop, tablet and phone individually, but also for the entire home Wi-Fi network.

version: 19.3.3084 from March 12, 2019

Developers from the Czech company AVG present a powerful antivirus that can give many paid analogues a head start. Interestingly, in some respects it surpasses such “heavyweights” as Kaspersky Internet Security (it loads RAM less and works without false positives) and Panda Antivirus Pro (it guarantees reliable protection both online and offline).

Taking into account the increasingly sophisticated methods of stealing personal information, in the new version the authors decided to focus on Internet security, in particular on intercepting so-called “spies” and “hijackers”. Incidentally, it is precisely because of this emphasis on technologies against data thieves and hackers that the AVG antivirus is installed at Amazon.com, Wal-Mart and Yahoo!

version: 10.2.0.1310 from March 11, 2019

The powerful free antivirus 360 Total Security, with an optimization function, runs on five engines at once and is able to provide comprehensive real-time protection for all your devices.

Introducing the no-compromise antivirus solution from the Chinese developer Qihoo 360, which helps reliably protect your computer from viruses, rootkits, Trojans and other threats, as well as restore the system, clean it of unwanted elements and optimize your PC.

version: 7.2.7.0 from February 01, 2019

version: 11.0.0.6744 from January 10, 2019

The Russian-language Comodo antivirus can protect your computer and prevent the intrusion of unwanted programs and virus threats, including those originating from the Internet, and does not require registration or purchase of a license.

Every computer should be under continuous antivirus protection. But in an era of commerce it is very difficult to find a truly high-quality antivirus that is also free. One of the few is Comodo Antivirus.

version: 11.1.2 from December 28, 2018

Dr.Web CureIt is a free antivirus tool that quickly scans for vulnerabilities and neutralizes them when detected. The program works without installation and helps restore system functionality even in the case of a serious infection.

There are times when malicious applications cause your computer to malfunction. The Doctor Web CureIt application can revive it in the shortest possible time. It does not require installation, can detect different types of virus threats and, most importantly, is absolutely free. You just need to download the latest version of Dr.Web CureIt and start the scan; if viruses are detected, the program will offer to neutralize them.







2024 gtavrl.ru.