Classification and functions of antivirus programs


INTRODUCTION

We live at the turn of two millennia, when humanity has entered the era of a new scientific and technological revolution.

By the end of the twentieth century, people had mastered many of the secrets of the transformation of matter and energy and were able to use this knowledge to improve their lives. But besides matter and energy, another component plays a huge role in human life - information. This is a wide variety of information, messages, news, knowledge, skills.

In the middle of our century, special devices appeared - computers, focused on storing and converting information, and the computer revolution took place.

Today, the widespread use of personal computers, unfortunately, has turned out to be associated with the emergence of self-replicating virus programs that interfere with the normal operation of the computer, destroy the file structure of disks and damage the information stored on the computer.

Despite the laws adopted in many countries to combat computer crimes and the development of special anti-virus software, the number of new software viruses is constantly growing. This requires the user of a personal computer to have knowledge about the nature of viruses, methods of infection by viruses and protection against them. This was the impetus for choosing the topic of my work.

This is exactly what I talk about in my essay. I show the main types of viruses, consider the patterns of their functioning, the reasons for their appearance and ways of penetrating into a computer, and also offer protection and prevention measures.

The purpose of the work is to familiarize the user with the basics of computer virology, teach how to detect viruses and fight them. Method of work - analysis of printed publications on this topic. I was faced with a difficult task - to talk about something that has been studied very little, and how it turned out is up to you to judge.

1. COMPUTER VIRUSES AND THEIR PROPERTIES AND CLASSIFICATION

1.1. Properties of computer viruses

Nowadays, personal computers are used in which the user has free access to all the resources of the machine. This is what opened up the possibility of a danger that became known as a computer virus.

What is a computer virus? A formal definition of this concept has not yet been invented, and there are serious doubts that it can be given at all. Numerous attempts to provide a “modern” definition of the virus have failed. To get a sense of the complexity of the problem, try, for example, to define the concept of “editor”. You will either come up with something very general, or you will start listing all the known types of editors. Both can hardly be considered acceptable. Therefore, we will limit ourselves to considering some properties of computer viruses that allow us to talk about them as a certain class of programs.

First of all, a virus is a program. Such a simple statement in itself can dispel many legends about the extraordinary capabilities of computer viruses. A virus can flip the image on your monitor, but it cannot flip the monitor itself. Legends about killer viruses “destroying operators by displaying a deadly color scheme on the screen in the 25th frame” should also not be taken seriously. Unfortunately, some reputable publications from time to time publish “the latest news from the computer front,” which, upon closer examination, turn out to be the result of a not entirely clear understanding of the subject.

A virus is a program that has the ability to reproduce itself. This ability is the only means inherent in all types of viruses. But not only viruses are capable of self-replication. Any operating system and many other programs are capable of creating their own copies. Copies of the virus not only do not have to completely coincide with the original, but may not coincide with it at all!

A virus cannot exist in “complete isolation”: today it is impossible to imagine a virus that does not use the code of other programs, information about the file structure, or even just the names of other programs. The reason is clear: the virus must somehow ensure that control is transferred to itself.

1.2. Classification of viruses

Currently more than 5,000 software viruses are known; they can be classified according to the following criteria:

• habitat

• method of infecting the habitat

• degree of impact

• features of the algorithm

Depending on their habitat, viruses can be divided into network, file, boot, and file-boot viruses. Network viruses spread over various computer networks. File viruses are embedded mainly in executable modules, i.e., in files with the COM and EXE extensions. File viruses can also be embedded in other types of files, but, as a rule, once written into such files they never receive control and therefore lose the ability to reproduce. Boot viruses are embedded in the boot sector of the disk (Boot sector) or in the sector containing the system disk boot program (Master Boot Record). File-boot viruses infect both files and boot sectors of disks.

Based on the method of infection, viruses are divided into resident and non-resident. When a resident virus infects a computer, it leaves its resident part in RAM, which then intercepts the operating system's accesses to infection targets (files, disk boot sectors, etc.) and injects itself into them. Resident viruses stay in memory and remain active until the computer is turned off or rebooted. Non-resident viruses do not infect the computer's memory and are active only for a limited time.

Based on the degree of impact, viruses can be divided into the following types:

• non-hazardous, which do not interfere with the operation of the computer but reduce the amount of free RAM and disk space; the actions of such viruses show up as various graphic or sound effects

• dangerous, which can lead to various malfunctions of the computer

• very dangerous, whose impact can lead to loss of programs, destruction of data, and erasure of information in the system areas of the disk.

2. MAIN TYPES OF VIRUSES AND THEIR FUNCTIONING SCHEME

Among the variety of viruses, the following main groups can be distinguished:

• boot

• file

• file-boot

Now let's take a closer look at each of these groups.

2.1. Boot viruses

Let's look at the operation of a very simple boot virus that infects floppy disks. We will deliberately bypass all the numerous subtleties that would inevitably be encountered during a strict analysis of the algorithm of its functioning.

What happens when you turn on your computer? First of all, control is transferred to the bootstrap program, which is stored in read-only memory (ROM); we will call it PNZ ROM.

This program tests the hardware and, if the tests are successful, tries to find a floppy disk in drive A:.

Every floppy disk is divided into so-called sectors and tracks. Sectors are grouped into clusters, but this is not significant for us.

Among the sectors there are several service sectors used by the operating system for its own needs (these sectors cannot contain your data). Of the service sectors we are currently interested in one, the so-called boot sector.

The boot sector stores information about the floppy disk: the number of surfaces, the number of tracks, the number of sectors, and so on. But right now we are interested not in this information but in the small bootstrap program (PNZ) that must load the operating system itself and transfer control to it.

So the normal bootstrap scheme is as follows:

PNZ (ROM) - PNZ (disk) - SYSTEM
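The geometry fields and the bootstrap program described above can be checked from software, which is what the boot-sector monitoring of the auditor programs discussed later on this page amounts to. The following Python program is an added example, not code from the original essay or from any product it names: it parses the BIOS Parameter Block of a constructed 1.44 MB floppy boot sector, verifies the 0x55AA signature, and compares the bootstrap code against a saved reference. The field layout assumed is the standard DOS 3.31+ BPB; the sample sector, its OEM name and the placeholder code bytes are constructed for the demonstration.

```python
import hashlib
import struct
from dataclasses import dataclass

SECTOR_SIZE = 512
BOOT_SIGNATURE = b"\x55\xaa"     # last two bytes of a valid boot sector
BPB_FORMAT = "<HBHBHHBHHH"      # BIOS Parameter Block, little-endian, starts at offset 11
CODE_START = 62                 # bootstrap code begins after the extended BPB (assumed layout)


@dataclass(frozen=True)
class BootSectorInfo:
    oem_name: str
    bytes_per_sector: int
    sectors_per_cluster: int
    reserved_sectors: int
    fat_count: int
    root_entries: int
    total_sectors: int
    media_descriptor: int
    sectors_per_fat: int
    sectors_per_track: int
    heads: int


def parse_boot_sector(sector: bytes) -> BootSectorInfo:
    """Read the disk geometry fields stored in a FAT12/FAT16 boot sector."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("expected a 512-byte sector")
    if sector[510:512] != BOOT_SIGNATURE:
        raise ValueError("missing 0x55AA boot signature")
    if sector[0] not in (0xEB, 0xE9):
        raise ValueError("first byte is not a JMP into the bootstrap code")
    fields = struct.unpack_from(BPB_FORMAT, sector, 11)
    return BootSectorInfo(sector[3:11].decode("ascii", "replace").rstrip(), *fields)


def boot_code_digest(sector: bytes) -> str:
    """Hash of the bootstrap program (PNZ) only, excluding the geometry fields."""
    return hashlib.sha256(sector[CODE_START:510]).hexdigest()


def audit_boot_sector(sector: bytes, baseline_info: BootSectorInfo, baseline_digest: str) -> list:
    """Compare a freshly read sector with a saved reference; return a list of findings."""
    try:
        info = parse_boot_sector(sector)
    except ValueError as exc:
        return [f"malformed: {exc}"]
    findings = []
    if info != baseline_info:
        findings.append("geometry fields (BPB) changed")
    if boot_code_digest(sector) != baseline_digest:
        findings.append("bootstrap code changed")
    return findings


def make_sample_boot_sector() -> bytes:
    """Constructed 1.44 MB floppy boot sector: valid BPB, placeholder bootstrap code."""
    sec = bytearray(SECTOR_SIZE)
    sec[0:3] = b"\xeb\x3c\x90"                       # JMP SHORT +0x3C; NOP
    sec[3:11] = b"SAMPLE  "                          # OEM name (constructed)
    struct.pack_into(BPB_FORMAT, sec, 11,
                     512, 1, 1, 2, 224, 2880, 0xF0, 9, 18, 2)
    sec[CODE_START:CODE_START + 4] = b"\xfa\x31\xc0\x8e"   # placeholder code bytes
    sec[510:512] = BOOT_SIGNATURE
    return bytes(sec)


def demo() -> tuple:
    """Audit the clean sector, then a copy with one byte of bootstrap code altered (constructed fixture)."""
    clean = make_sample_boot_sector()
    ref_info, ref_digest = parse_boot_sector(clean), boot_code_digest(clean)
    altered = bytearray(clean)
    altered[CODE_START + 2] ^= 0xFF
    return (audit_boot_sector(clean, ref_info, ref_digest),
            audit_boot_sector(bytes(altered), ref_info, ref_digest))


if __name__ == "__main__":
    print(parse_boot_sector(make_sample_boot_sector()))
    print(demo())
```

The reference values would in practice be saved when the disk is known to be clean, which is exactly why the auditor programs below ask to be run first on a freshly installed system.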

Now let's look at the virus. Boot viruses consist of two parts, the so-called head and tail. The tail, generally speaking, can be empty.

Suppose you have a clean floppy disk and an infected computer, by which we mean a computer with an active resident virus. As soon as this virus detects that a suitable victim has appeared in the drive - in our case, a floppy disk that is not write-protected and has not yet been infected, it begins to infect. When infecting a floppy disk, the virus performs the following actions:

• selects a certain area of the disk and marks it as inaccessible to the operating system; this can be done in different ways, and in the simplest and traditional case the sectors occupied by the virus are marked as bad;

• copies its tail and the original (healthy) boot sector to the selected area of the disk.

Antivirus programs can be classified into five main groups: filters, detectors, auditors, doctors and vaccinators.

Antivirus filters are resident programs that notify the user of any attempt by any program to write to a disk, let alone format it, as well as of other suspicious actions (for example, attempts to change the CMOS settings). You will be prompted to allow or deny the action. The operating principle of these programs is based on intercepting the corresponding interrupt vectors. The advantage of this class over detector programs is its universality with respect to both known and unknown viruses, whereas detectors are written for specific types currently known to the programmer. This is especially important now, when many mutant viruses have appeared that have no permanent code. However, filter programs cannot track viruses that access the BIOS directly, nor BOOT viruses that are activated before the antivirus starts, in the initial stage of DOS loading. Their disadvantages also include the frequent requests to confirm an operation: answering the questions takes up a lot of the user's time and gets on his nerves. When installing some antivirus filters, conflicts may arise with other resident programs that use the same interrupts, which simply stop working.

The most widespread in our country are detector programs, or rather programs that combine detector and doctor. The most well-known representatives of this class - Aidstest, Doctor Web, MicroSoft AntiVirus - will be discussed in more detail below. Antivirus detectors are designed for specific viruses and are based on comparing the sequence of codes contained in the body of the virus with the codes of the programs being scanned. Many detector programs also allow you to “clean” infected files or disks by removing viruses from them (of course, treatment is supported only for viruses known to the detector program). Such programs need to be updated regularly, as they quickly become outdated and cannot detect new types of viruses.

Auditors are programs that analyze the current state of files and system areas of the disk and compare it with information previously saved in one of the auditor's data files. This covers the state of the BOOT sector, the FAT table, and the length of files, their creation time, attributes, and checksum. By analyzing the auditor's messages, the user can decide whether the changes were caused by a virus or not. You should not panic when such messages appear, since the cause of a change, for example in the length of a program, may not be a virus at all.

The last group includes the most ineffective antiviruses - vaccinators. They write the signs of a specific virus into the vaccinated program so that the virus considers it already infected.

In our country, as mentioned above, anti-virus programs that combine the functions of detectors and doctors have become especially popular. The most famous of them is the AIDSTEST program by D.N. Lozinsky. This program was invented in 1988 and since then it has been constantly improved and expanded. In Russia, almost every IBM-compatible personal computer has one of the versions of this program. One of the latest versions detects more than 1,500 viruses.

The Aidstest program is designed to fix programs infected with ordinary (non-polymorphic) viruses that do not change their code. This limitation is due to the fact that this program searches for viruses using identification codes. But at the same time, a very high speed of checking files is achieved.

For its normal functioning, Aidstest requires that there are no resident antiviruses in memory that block writing to program files, so they should be unloaded, either by specifying the unload option to the resident program itself, or by using the appropriate utility.

When launched, Aidstest checks the RAM for viruses known to it and neutralizes them. In this case, only the functions of the virus associated with reproduction are paralyzed, while other side effects may remain. Therefore, after the virus has been neutralized in memory, the program issues a request to reboot. You should definitely follow this advice if the PC operator is not a system programmer who studies the properties of viruses. However, you should reboot using the RESET button, since during a “warm reboot” some viruses may persist. In addition, it is better to run the machine and Aidstest with a write-protected floppy disk, since when running from an infected disk, the virus can write to memory as a resident and interfere with treatment.

Aidstest checks its own body for the presence of known viruses, and also judges by distortions in its code whether it is infected with an unknown virus. False alarms are possible here, for example when the antivirus has been compressed by a packer. The program has no graphical interface; its operating modes are set with command-line switches. By specifying a path, you can check not the entire disk but a single subdirectory.

Disadvantages of the Aidstest program:

• does not recognize polymorphic viruses;

• is not equipped with a heuristic analyzer that would allow it to find viruses unknown to it;

• cannot check and disinfect files in archives;

• does not recognize viruses in programs processed by executable file packers such as EXEPACK, DIET, PKLITE, etc.

Advantages of Aidstest:

• easy to use;

• works very quickly;

• recognizes a significant proportion of viruses;

• well integrated with the Adinf audit program;

• works on almost any computer.

Recently, the popularity of another anti-virus program, Doctor Web, offered by the Dialog-Science company, has been growing rapidly. This program was created in 1994 by I.A. Danilov. Dr. Web, like Aidstest, belongs to the class of detector-doctors, but unlike the latter it has a so-called "heuristic analyzer", an algorithm that makes it possible to detect unknown viruses. "Healing Web", as the program's name translates from English, became the response of domestic programmers to the invasion of self-modifying mutant viruses, which, when multiplying, modify their body so that not a single characteristic chain of bytes present in the original version of the virus remains. The program's standing is confirmed by the fact that a large license (for 2000 computers) was acquired by the Main Directorate of Information Resources under the President of the Russian Federation, and the second largest buyer of the "web" was Inkombank.

Modes are controlled with command-line switches, just as in Aidstest. The user can instruct the program to test either the entire disk or individual subdirectories or groups of files, or to skip the disks and test only RAM. In turn, you can test either only base memory or, in addition, extended memory. Like Aidstest, Doctor Web can create a work report, load a Cyrillic character generator, and supports work with the Sheriff software and hardware complex.

Testing a hard drive with Dr. Web takes much longer than with Aidstest, so not every user can afford to spend so much time checking the entire hard drive every day. Such users may be advised to check floppy disks brought in from outside more carefully. If the information on the floppy disk is in an archive (and recently programs and data are transferred from machine to machine only in this form; even software manufacturers, for example Borland, package their products), you should unpack it into a separate directory on the hard drive and immediately, without delay, launch Dr. Web, giving it the full path to this subdirectory as a parameter instead of the disk name. Even so, you need to perform a full scan of the hard drive for viruses at least once every two weeks, setting the maximum level of heuristic analysis.

Just as in the case of Aidstest, during initial testing you should not allow the program to disinfect files in which it detects a virus, since it cannot be ruled out that the sequence of bytes accepted as a pattern in the antivirus can be found in a healthy program.

Unlike Aidstest, Dr. Web:

• recognizes polymorphic viruses;

• is equipped with a heuristic analyzer;

• can check and disinfect files in archives;

• allows you to test files vaccinated with CPAV, as well as files packaged with LZEXE, PKLITE, DIET.

The Dialog-Nauka company offers different versions of the DrWeb program for DOS. As you know, there are two versions for DOS, which are traditionally called 16-bit and 32-bit (the latter is also called Doctor Web for DOS/386, or DrWeb386). These names (16- and 32-bit) fully reflect the essence of the difference between the DOS versions, but from the names alone this is obvious only to specialists. Only the 32-bit version has all the functionality found in other modern versions of Doctor Web (in particular, the versions for Windows).

The 16-bit version, due to the limits on available memory imposed by the operating system, lacks some "skills" that are extremely important today; in particular, the following are not included in it (and, because of those memory limits, cannot be included):

• "servicing" modules for known modern types of viruses (in particular, macro and stealth viruses);

• heuristic analyzer modules for detecting unknown modern viruses;

• modules for unpacking modern types of archives and packaged Windows programs, etc.

Thus, although the 16-bit version uses the same virus database (VDB files) as the 32-bit versions, the absence of some modules in it makes it impossible to process the corresponding viruses.

In addition, for the same reasons, the 16-bit version does not support some modern software and hardware, which may make it unstable or incorrect.

Since the 32-bit version is fully functional and, as can be seen from its other name, Doctor Web for DOS/386, can be used when working in DOS on computers with a 386 or later processor, all users who need the DOS version of Doctor Web should use precisely this version.

As for the 16-bit version, it continues to be released, since there is still a fleet of old machines on the 86/286 platform, where the 32-bit version cannot work.

AVSP (Anti-Virus Software Protection)

An interesting software product is AVSP antivirus. This program combines a detector, a doctor, and an auditor, and even has some resident filter functions (prohibiting writing to files with the READ ONLY attribute). The antivirus can treat both known and unknown viruses, and the user himself can inform the program about how to treat the latter. In addition, AVSP can treat self-modifying and Stealth viruses.

When you start AVSP, a window system with menus and information about the program status appears. The context-sensitive help system is very convenient: it provides an explanation for each menu item, is called in the classic way with the F1 key, and changes as you move from item to item. Another important advantage in our age of Windows and OS/2 is mouse support. A significant drawback of the AVSP interface is the lack of the ability to select menu items by pressing the key with the corresponding letter, although this is somewhat compensated by the ability to select an item by pressing ALT and the number of that item.

The AVSP package also includes the resident driver AVSP.SYS, which makes it possible to detect most invisible viruses (except for viruses like Ghost-1963 or DIR), deactivates viruses for the duration of its operation, and also prohibits modification of READ ONLY files.

Another function of AVSP.SYS is disabling resident viruses while AVSP.EXE is running; however, along with viruses, the driver also disables some other resident programs. When you launch AVSP for the first time, you should test your system for known viruses. This checks the RAM, the BOOT sector and the files. In some cases, you can even recover files damaged by an unknown virus. You can check file sizes, their checksums, the presence of viruses, or all of this together. You can also specify exactly what to check (boot sector, memory, or files). As with most antivirus programs, the user is given the choice between speed and quality. The essence of the high-speed check is that not the entire file is scanned, but only its beginning; most viruses can be detected this way. If a virus is written into the middle, or the file is infected with several viruses (the "old" viruses being, as it were, pushed into the middle by the "young" ones), then the program will not notice it. Therefore, the quality mode should be selected, especially since in AVSP high-quality testing does not take much more time than high-speed testing.
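Both the detector principle described in the Aidstest section (searching files for the byte sequences of known viruses) and the speed-versus-quality choice just described for AVSP (scanning only the beginning of a file) can be shown in a few lines. The Python program below is an added example, not part of the original essay or of any product named on this page. Its signatures are constructed byte patterns, not sequences taken from real viruses; the "??" wildcard byte, the 64-byte quick-scan window and the sample "files" are assumptions made for the demonstration. It shows a pattern that the quick scan misses because it lies past the scanned prefix, and a healthy text file that triggers a short signature, which is the false-positive case warned about under Dr. Web.

```python
import re
from typing import NamedTuple


class Signature(NamedTuple):
    name: str
    pattern: re.Pattern


def compile_signature(name: str, hex_pattern: str) -> Signature:
    """Turn a hex signature such as 'B8 ?? 4C CD 21' into a byte regex; '??' is a wildcard byte."""
    parts = []
    for tok in hex_pattern.split():
        parts.append(b"." if tok == "??" else re.escape(bytes([int(tok, 16)])))
    return Signature(name, re.compile(b"".join(parts), re.DOTALL))


# Constructed sample signatures for the demonstration; these are NOT byte strings of real viruses.
SIGNATURES = [
    compile_signature("Sample.A", "B8 ?? 4C CD 21 53 41 4D 50 4C 45"),   # ends in ASCII "SAMPLE"
    compile_signature("Sample.B", "45 58 41 4D 50 4C 45 2D 42"),          # ASCII "EXAMPLE-B"
]

QUICK_SCAN_BYTES = 64   # a "fast" scan inspects only this much of the file's beginning (assumed value)


def scan_bytes(data: bytes, quick: bool = False, signatures=SIGNATURES) -> list:
    """Return (signature name, offset) for every signature found in the data."""
    region = data[:QUICK_SCAN_BYTES] if quick else data
    hits = []
    for sig in signatures:
        match = sig.pattern.search(region)
        if match:
            hits.append((sig.name, match.start()))
    return hits


# Constructed sample "files" (not real executables)
INFECTED_HEAD = b"MZ" + b"\x00" * 20 + b"\xb8\x01\x4c\xcd\x21SAMPLE" + b"\x00" * 100   # pattern at offset 22
INFECTED_TAIL = b"MZ" + b"\x00" * 200 + b"\xb8\x02\x4c\xcd\x21SAMPLE"                  # pattern at offset 202
CLEAN = b"MZ" + bytes(range(256))
BENIGN_TEXT = b"Documentation: EXAMPLE-B is a constructed string"   # healthy file containing Sample.B's bytes


def demo() -> dict:
    return {
        "head_full": scan_bytes(INFECTED_HEAD),
        "head_quick": scan_bytes(INFECTED_HEAD, quick=True),
        "tail_full": scan_bytes(INFECTED_TAIL),
        "tail_quick": scan_bytes(INFECTED_TAIL, quick=True),   # missed: pattern lies past the scanned prefix
        "clean": scan_bytes(CLEAN),
        "benign_text": scan_bytes(BENIGN_TEXT),                # false positive from a short signature
    }


if __name__ == "__main__":
    for case, hits in demo().items():
        print(f"{case:12s} {hits}")
```

The wildcard bytes are what let a signature still match a virus whose variants differ in a few positions; a virus that rewrites its whole body on each copy, as described for Dr. Web's heuristic analyzer, defeats this kind of matching entirely.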

AVSP can make many mistakes when automatically detecting new viruses. So, when automatically detecting a pattern, you should take the time to check whether it is really a virus and whether this pattern will occur in healthy programs.

If AVSP detects a known virus during the process, you should take the same actions as when working with Aidstest and Dr. Web: copy the file to disk, reboot from the backup floppy and launch AVSP. It is also advisable that the AVSP.SYS driver be loaded into memory, since it helps the main program treat Stealth viruses.

Another useful feature is the built-in disassembler. With its help, you can work out whether there really is a virus in a file or whether AVSP produced a false positive when checking the disk. In addition, you can try to find out the method of infection, the operating principle of the virus, and the place where it "hid" the replaced bytes of the file (if we are dealing with that type of virus). All this makes it possible to write a virus removal procedure and restore damaged files. Another useful feature is the output of a visual map of changes. The change map lets you judge whether the changes correspond to a virus or not, and narrows the area to search for the virus body during disassembly.

The AVSP program has two algorithms for neutralizing stealth viruses (“invisible”), and both of them work only if there is an active virus in memory. Here's what happens when these algorithms are implemented: all files are copied into data files and then erased. Only files with the SYSTEM attribute are saved. In Adinf, the process of removing Stealths is much simpler.

The AVSP program also monitors the status of boot sectors. If the BOOT sector on a floppy disk is infected and the antivirus cannot cure it, then you should erase the boot code. The floppy disk will become non-systemic, but the data will not be lost. You can't do this with a hard drive. If changes are detected in one of the BOOT sectors of the hard drive, AVSP will offer to save it in a file and then try to remove the virus.

Microsoft Antivirus

Modern versions of MS-DOS (for example, 6.22) include the Microsoft Antivirus (MSAV) program. This antivirus can work in detector-doctor and auditor modes. MSAV has an MS-Windows-style interface and, naturally, supports the mouse. Context-sensitive help is well implemented: there is a hint for almost any menu item and for any situation. Access to menu items is implemented in every way: you can use the cursor keys, the function keys (F1-F9), the keys corresponding to one of the letters of an item's name, as well as the mouse. A serious inconvenience when using the program is that it does not keep its tables of file data in one file but scatters them across all directories.

When launched, the program loads its own character generator and reads the directory tree of the current disk, after which it exits to the main menu. It is not clear why the directory tree should be read immediately upon startup: after all, the user may not want to check the current disk.

During the first check, MSAV creates CHKLIST.MS files in each directory containing executable files, into which it writes information about the size, date, time, attributes, as well as the checksum of the controlled files. During subsequent checks, the program will compare files with information in CHKLIST.MS files. If the size and date have changed, the program will inform the user about this and ask for further actions: update the information (Update), set the date and time in accordance with the data in CHKLIST.MS (Repair), continue, not paying attention to changes in this file (Continue), interrupt the check (Stop).

In the Options menu you can configure the program as you wish. Here you can set the mode to scan for invisible viruses (Anti-Stealth), check all (not just executable) files (Check All Files), and also allow or disable the creation of CHKLIST.MS tables (Create New Checksums). In addition, you can set the mode for saving a report on the work done in a file. If you set the Create Backup option, then before removing the virus from the infected file, a copy of it will be saved with the VIR extension.

While in the main menu, you can view the list of viruses known to the MSAV program by pressing the F9 key. This will display a window with the names of the viruses. To view more detailed information about the virus, you need to move the cursor to its name and press ENTER. You can quickly navigate to the virus of interest by typing the first letters of its name. Information about the virus can be output to the printer by selecting the appropriate menu item.

ADinf (Advanced Diskinfoscope)

ADinf belongs to the class of audit programs. This program was created by D.Yu. Mostov in 1991.

The ADinf family of programs are disk auditors designed to work on personal computers running MS-DOS, MS-Windows 3.xx, Windows 95/98 and Windows NT/2000 operating systems. The programs work based on regular monitoring of changes occurring on hard drives. If a virus appears, ADinf detects it by the modifications it makes to the file system and/or boot sector of the disk and informs the user about it. Unlike antivirus scanners, ADinf does not use “portraits” (signatures) of specific viruses in its work. Therefore, ADinf is especially effective for detecting new viruses for which an antidote has not yet been invented.

It should be especially noted that ADinf does not use operating system functions to monitor disks. It reads the disk sector by sector and independently parses the file system structure, which allows it to detect so-called stealth viruses.

If the ADinf treatment module (ADinf Cure Module) is installed in the system, then this tandem is capable not only of detecting but also of successfully removing emerging infections. Testing has shown that ADinf Cure Module is able to deal successfully with 97% of viruses, restoring damaged files byte for byte.

The useful properties of ADinf are not limited to fighting viruses. In essence, ADinf is a system that lets you monitor the safety of information on disks and detect any, even subtle, changes in the file system: changes in system areas, changes to files, creation and deletion of directories, and creation, deletion, renaming and moving of files from one directory to another. The set of monitored information is flexibly configurable, so you can control only what is needed.
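The auditing principle described here, and earlier for the auditor class in general and for MSAV's CHKLIST.MS tables, is to record the size, date and checksum of each file and compare them on the next run. The Python program below is an added example, not code from ADinf, MSAV or any other product on this page. It builds such a snapshot with SHA-256 (the checksum functions those products use are not specified on the page), stores it as JSON, and classifies the differences; the directory contents and the simulated changes are constructed for the demonstration. Unlike the DOS-era auditors it goes through ordinary operating-system file calls, so it would not see a stealth virus that intercepts those calls; the sector-level reading described above is what addresses that.

```python
import hashlib
import json
import os
import tempfile
from pathlib import Path


def file_record(path: Path) -> dict:
    """What the auditor stores per file: size, modification time and a content hash."""
    st = path.stat()
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return {"size": st.st_size, "mtime": int(st.st_mtime), "sha256": h.hexdigest()}


def build_baseline(root: Path) -> dict:
    """Snapshot every regular file under root, keyed by its relative path."""
    return {p.relative_to(root).as_posix(): file_record(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def save_baseline(baseline: dict, path: Path) -> None:
    path.write_text(json.dumps(baseline, indent=1, sort_keys=True))


def load_baseline(path: Path) -> dict:
    return json.loads(path.read_text())


def compare(baseline: dict, current: dict) -> dict:
    """Classify the differences between two snapshots."""
    report = {"added": sorted(set(current) - set(baseline)),
              "deleted": sorted(set(baseline) - set(current)),
              "changed": [], "silent_change": [], "touched_only": []}
    for name in sorted(set(baseline) & set(current)):
        old, new = baseline[name], current[name]
        if old["sha256"] != new["sha256"]:
            # Content differs while size and timestamp look untouched: the kind of
            # trace a stealth infector that restores the original date would leave.
            if old["size"] == new["size"] and old["mtime"] == new["mtime"]:
                report["silent_change"].append(name)
            else:
                report["changed"].append(name)
        elif old["mtime"] != new["mtime"]:
            report["touched_only"].append(name)   # re-saved or copied, content identical
    return report


def demo() -> dict:
    """Audit a constructed directory, then simulate several kinds of change and re-audit."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        tool = root / "bin" / "tool.exe"
        tool.write_bytes(b"MZ" + b"\x00" * 100)
        (root / "readme.txt").write_bytes(b"hello")
        (root / "old.bat").write_bytes(b"@echo off")
        table = root / "baseline.json"
        save_baseline(build_baseline(root), table)

        st = tool.stat()
        tool.write_bytes(b"MZ" + b"\x01" * 100)             # same length, different bytes (constructed)
        os.utime(tool, (st.st_atime, st.st_mtime))          # timestamp put back to the old value
        (root / "readme.txt").write_bytes(b"hello world")   # an ordinary edit
        (root / "old.bat").unlink()
        (root / "new.com").write_bytes(b"\xc3")

        current = build_baseline(root)
        current.pop("baseline.json", None)                  # the auditor's own table is not audited
        return compare(load_baseline(table), current)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=1))
```

The "touched_only" and "changed" categories are where the user's judgement described above comes in: a longer readme after an edit is not a virus. The "silent_change" category is the one worth treating as suspicious, because an ordinary program that rewrites a file does not usually put its date back.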

The first version of the program was released in 1991 and since then ADinf has deservedly been the most popular auditor in Russia and the countries of the former USSR. Today it is difficult to count the number of legal and illegal users of ADinf. More than 2,500 corporate subscribers of the Dialog-Science Anti-Virus Suite, which includes ADinf, protect their computers with it. The ADinf program has received certificates in the GOST R certification system and the certification system for information security tools of the Ministry of Defense, and a certificate of the State Technical Commission under the President of the Russian Federation (as part of the Dialog-Science Anti-Virus Kit). The program is constantly being improved and is always at the cutting edge of modern technology.

Initially, the ADinf auditor was developed for the MS-DOS operating system. Then versions of the program were released for Windows 3.xx and Windows 95/98/NT. Now there is a family of compatible auditors for various operating systems. All ADinf variants today support Windows 95/98 file systems, long file and directory names, and parse the internal structure of Windows 95/98 and NT executable files.

So, the Adinf program:

• has a high operating speed;

• is able to successfully resist viruses located in memory;

• allows you to control the disk by reading it sector by sector through the BIOS and without using DOS system interrupts, which can be intercepted by a virus;

• can process up to 32,000 files on each drive;

• unlike AVSP, where the user has to work out independently whether the machine is infected with a Stealth virus by booting first from the hard drive and then from the reference floppy disk, in ADinf this operation happens automatically;

• unlike other antiviruses, Advanced Diskinfoscope does not require booting from a reference, write-protected floppy disk; when loading from the hard drive, the reliability of protection does not decrease;

• ADinf has a well-executed, user-friendly interface, which, unlike AVSP, is implemented not in text but in graphical mode;

• when installing ADinf into the system, it is possible to change the name of the main file ADINF.EXE and the names of the tables; the user can specify any name. This is a very useful function, since recently a lot of viruses have appeared that "hunt" for antiviruses (for example, there is a virus that changes the Aidstest program so that instead of the Dialog-Science splash screen it writes: "Lozinsky is a stump"), including for ADinf.

There are several versions of the Adinf auditor for different operating systems. Each of them has its own characteristics.

The ADinf auditor is designed for the MS-DOS and Windows 95/98 operating systems. It is a development of the first version of the auditor, created back in 1991. Today ADinf is the most reliable tool for detecting both known and new, unknown viruses. It is the only auditor in the world that checks the file system by reading sector by sector directly through the computer's BIOS.

The ADinf for Windows auditor is designed for the Windows 3.xx operating system. This version of the program adds a convenient graphical user interface to all the properties of the ADinf auditor.

The ADinf Pro auditor is designed to monitor the safety of particularly valuable information, such as databases or documents, under the MS-DOS, Windows 3.xx and Windows 95/98 operating systems. A special feature of this version of the program is the use of a 64-bit hash function to control the integrity of files, developed by the well-known Russian company LAN-Crypto. Using this hash function not only ensures that accidental file changes or changes caused by viruses are detected, but also makes it impossible to intentionally modify the data on the disk without being noticed.

The ADinf32 auditor is a 32-bit multi-threaded application for the Windows 95/98 and Windows NT operating systems with a modern user interface. This version of the program not only has all the advantages of the other variants but also contains a great deal that is new compared to them.
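The property claimed for ADinf Pro, that deliberate modification cannot go unnoticed, requires more than a checksum: whoever can rewrite a file can usually recompute an unkeyed checksum and rewrite the auditor's table as well. The Python program below is an added example, not LAN-Crypto's function or ADinf Pro's code, and it assumes a keyed construction (HMAC-SHA256 truncated to 64 bits, chosen here as a stand-in for the 64-bit hash mentioned above) to show the difference. The document contents and the forged table entries are constructed.

```python
import hashlib
import hmac
import secrets

TAG_BYTES = 8   # 64-bit tag, mirroring the 64-bit hash length mentioned in the text


def plain_tag(data: bytes) -> bytes:
    """Unkeyed checksum: anyone can recompute it for modified data."""
    return hashlib.sha256(data).digest()[:TAG_BYTES]


def keyed_tag(key: bytes, data: bytes) -> bytes:
    """Keyed tag (HMAC-SHA256 truncated to 64 bits, used as a stand-in construction)."""
    return hmac.new(key, data, hashlib.sha256).digest()[:TAG_BYTES]


def verify(expected: bytes, actual: bytes) -> bool:
    """Constant-time comparison of two tags."""
    return hmac.compare_digest(expected, actual)


def demo() -> dict:
    auditor_key = secrets.token_bytes(32)    # known only to the auditor's legitimate user
    original = b"balance=100;owner=alice"    # constructed document content
    modified = b"balance=900;owner=alice"

    # The auditor's table entries recorded for the original file.
    table = {"plain": plain_tag(original), "keyed": keyed_tag(auditor_key, original)}

    # Someone who can write both the file and the table recomputes the unkeyed
    # checksum; without the key, the best they can do for the keyed entry is a
    # tag computed under some key of their own, which will not match.
    forged_table = {"plain": plain_tag(modified), "keyed": keyed_tag(b"wrong key", modified)}

    return {
        # An auditor that re-hashes the file and compares with the rewritten table is fooled
        "plain_check_passes_after_tamper": verify(forged_table["plain"], plain_tag(modified)),
        # The keyed auditor recomputes under the real key; the forged entry does not match
        "keyed_check_passes_after_tamper": verify(forged_table["keyed"], keyed_tag(auditor_key, modified)),
        # Honest case: the untouched file still verifies under the real key
        "keyed_check_passes_untouched": verify(table["keyed"], keyed_tag(auditor_key, original)),
        "untouched_table": table,
    }


if __name__ == "__main__":
    print({k: v for k, v in demo().items() if k != "untouched_table"})
```

The key must stay out of reach of anything that could modify the files, for instance derived from a password entered when the check runs or kept on the write-protected reference floppy that this essay recommends; a key stored next to the table gives no more protection than a plain checksum.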

It should be noted that the Adinf program is well integrated with other programs of the DSAV kit from Dialog-Nauka. Thus, Adinf creates a list of new and changed files on the disk, and Aidstest and DrWeb can check files from this list, which significantly reduces the operating time of these programs.

AVP (AntiViral Toolkit Pro)

This program was created by Kaspersky Lab. AVP has one of the most advanced virus detection mechanisms. Today AVP is practically in no way inferior to its Western counterparts.

AVP provides users with maximum service - the ability to update anti-virus databases via the Internet, the ability to set parameters for automatic scanning and disinfection of infected files. Updates on the AVP website appear almost weekly, and the database includes descriptions of almost 40 thousand viruses.

AVP consists of several important modules:

  • 1) AVP Scanner checks hard drives for viruses. You can set a full scan, in which the program checks every file in turn, and also enable scanning inside archives. One of the main advantages of AVP is its handling of macro viruses: the user can select a special mode in which documents in Microsoft Office formats are scanned. After detecting viruses or infected files, AVP offers several options to choose from: remove the virus from the file, delete the infected file itself, or move it to a special quarantine folder.
  • 2) AVP Monitor. This program is automatically loaded when Windows starts. AVP Monitor automatically checks all files and documents opened on the computer and, in the event of a virus attack, notifies the user about this. Moreover, in most cases, AVP Monitor simply does not allow the infected file to run, blocking its execution process. This program function is very useful for those who constantly deal with many new files, for example, for active Internet users (since it is impossible to launch AVP every five minutes to check downloaded files, this is where AVP Monitor comes to the rescue).
  • 3) AVP Inspector is the last and a very important module of the AVP kit, which allows you to catch even unknown viruses. Inspector uses integrity control: it records a fingerprint of each file (its size and a checksum of its contents) and reports any subsequent change. By injecting itself into a file, a virus inevitably alters the file's contents, so Inspector detects the infection even when the virus keeps the file length unchanged.

In addition to all of the above, there is the so-called AVP Control Center - “control panel” for all programs of the AVP complex. The most important function of this program is the built-in Task Scheduler, which allows you to quickly check (and, if necessary, treat the system) automatically, without user intervention, but at a time specified by the user.

Basic methods for detecting viruses

Antivirus programs developed in parallel with the evolution of viruses. As new techniques for creating viruses emerged, the mathematical apparatus used in antiviruses became more complex.

The first anti-virus algorithms were based on comparison with a reference pattern: the virus is detected by the scanning kernel using a mask, a fixed sequence of bytes taken from the virus body. Choosing the mask is a statistical trade-off. It should, on the one hand, be short, so that the signature database stays an acceptable size and scanning stays fast, and on the other hand, long and characteristic enough to avoid false positives (when "one's own" is taken for "someone else's") and false negatives (the reverse).

The first antivirus programs built on this principle (the so-called polyphage scanners) knew a certain number of viruses and knew how to cure them. They were created as follows: the developer, having received the virus code (early virus code was static, identical in every copy), selected a unique mask (a sequence of 10-15 bytes) from this code and entered it into the antivirus database. The scanner read through the files and, if it found this sequence of bytes, concluded that the file was infected. The sequence (signature) was chosen so that it was unique to the virus and did not occur in ordinary programs and data.

These approaches served most antivirus programs until the early 1990s, when the first polymorphic viruses appeared: viruses that encrypt their body with a different key in every copy, so that no fixed byte sequence is present on disk and the stored body changes in ways that cannot be predicted in advance. The signature method was then supplemented by the so-called processor emulator, which makes it possible to find encrypted and polymorphic viruses that have no constant signature in their stored form.
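The following Python scanner is an added worked example (not code from any of the products named on this page) of the signature method just described: a mask is chosen from a constructed "virus body" and checked against a small clean corpus so that it cannot fire on clean programs, wildcard positions in a mask are supported, and a polymorphic copy of the same body (XOR-encrypted behind a tiny decryptor) shows why a static mask fails and why the scanner has to run the decryptor first. The samples, the decryptor stub format (mov al,key followed by the encrypted body) and the key-recovery routine are all assumptions made for the demo; the "emulator" here only recognises that one stub, where a real product emulates arbitrary x86 code.

```python
import re

# --- constructed samples (not real malware) -----------------------------------------------
# 16-bit x86 bytes that read like a sector writer: mov ah,3 / mov al,1 / ... / int 13h / mov ah,4Ch / int 21h.
VIRUS_BODY = bytes.fromhex("b403 b001 b90100 ba8000 bb0002 cd13 b44c cd21")
# Clean programs that legitimately share a short fragment (int 21h exit) with the virus.
CLEAN_CORPUS = [
    b"MZ" + bytes(30) + bytes.fromhex("b409 ba0001 cd21 b44c cd21"),
    bytes.fromhex("b402 b001 cd21 c3") + bytes(40),
]
INFECTED_FILE = CLEAN_CORPUS[0] + VIRUS_BODY   # an appending file infector, in its simplest form


def mask_to_regex(mask: str) -> re.Pattern:
    """'cd 13 ?? ?? cd 21' -> regex over bytes; '??' is a wildcard for exactly one byte."""
    parts = [b"." if tok == "??" else re.escape(bytes([int(tok, 16)])) for tok in mask.split()]
    return re.compile(b"".join(parts), re.DOTALL)   # DOTALL so '.' also matches 0x0A


def scan(data: bytes, signatures: dict) -> list:
    """Return the names of all signatures whose mask occurs somewhere in `data`."""
    return [name for name, mask in signatures.items() if mask_to_regex(mask).search(data)]


def pick_signature(virus: bytes, clean_corpus: list, length: int = 10) -> str:
    """Choose the first `length`-byte window of the virus body that occurs in no clean file.
    This is the false-positive check a signature author must make before shipping a mask."""
    for start in range(len(virus) - length + 1):
        window = virus[start:start + length]
        if not any(window in clean for clean in clean_corpus):
            return " ".join(f"{b:02x}" for b in window)
    raise ValueError("no unique window found; use a longer signature")


def polymorphic_copy(body: bytes, key: int) -> bytes:
    """A polymorphic infector stores each copy XOR-encrypted with a fresh key behind a tiny
    decryptor: mov al,key (B0 kk) followed by the encrypted body. The constant body is never
    on disk in the clear, so a static mask taken from it cannot match."""
    return bytes([0xB0, key]) + bytes(b ^ key for b in body)


def emulated_decrypt(sample: bytes) -> bytes:
    """Stand-in for a processor emulator: recognise the demo decryptor stub, recover the key it
    loads, and apply it, so that signature matching can run on the reconstructed body."""
    if len(sample) >= 2 and sample[0] == 0xB0:          # mov al, imm8
        key = sample[1]
        return bytes(b ^ key for b in sample[2:])
    return sample


if __name__ == "__main__":
    sig = pick_signature(VIRUS_BODY, CLEAN_CORPUS)
    sigs = {"Demo.Boot": sig, "Demo.Boot.wild": "cd 13 ?? ?? cd 21"}
    print("chosen mask:", sig)
    print("infected file:", scan(INFECTED_FILE, sigs))
    print("clean files:  ", [scan(c, sigs) for c in CLEAN_CORPUS])
    poly = polymorphic_copy(VIRUS_BODY, 0x5A)
    print("polymorphic copy, static scan:", scan(poly, sigs))
    print("polymorphic copy, after emulation:", scan(emulated_decrypt(poly), sigs))
```

The wildcard mask is what lets one entry cover variants that differ only in a register value or an address between two fixed instructions; the uniqueness check against a clean corpus is what keeps the mask from becoming a false positive. The polymorphic run shows the gap the emulator closes: nothing in the encrypted copy matches, but the same masks fire as soon as the body is reconstructed.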

The principle of processor emulation is shown in Fig. 1. If the normal chain of control consists of three elements, CPU → OS → Program, then with emulation an emulator is inserted into this chain. The emulator reproduces the work of the program in an isolated virtual space, letting the decryptor run until the original body of the virus is reconstructed in memory. The emulator can interrupt execution at any moment, controls every action of the program so that nothing real can be damaged, and then calls the anti-virus scanning kernel on the decrypted code.

The second mechanism, which appeared in the mid-90s and is now used by all antiviruses, is heuristic analysis. The processor emulator yields a summary of the actions performed by the analysed program. That summary does not by itself tell the scanner which virus it is looking at, but it does allow some analysis and a hypothesis of the form "virus or not a virus?".

In this case, decision making is based on statistical approaches. And the corresponding program is called a heuristic analyzer.

In order to reproduce, the virus must perform some specific actions: copying into memory, writing to sectors, etc. The heuristic analyzer (it is part of the anti-virus kernel) contains a list of such actions, looks at the executable code of the program, determines what it does, and based on this makes a decision whether the program is a virus or not.

At the same time, the percentage of viruses missed, even of those unknown to the antivirus, is small. The price is the occasional false positive: a legitimate disk utility performs some of the same actions as a virus, so the analyser weighs actions rather than reacting to any one of them. This technology is now widely used in all antivirus programs.
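As an added worked example of the heuristic analyser described above (not the analyser of any product on this page), the Python code below takes the approach literally: it holds a list of virus-like actions expressed as DOS/BIOS interrupt calls (INT 13h sector write, INT 21h set-vector and stay-resident, and so on), walks a block of 16-bit code pairing each `int NN` with the `mov ah,NN` that precedes it, and adds up the weights of the actions found. The three code samples, the action weights and the threshold are constructed for the demo. Real products obtain the action list by emulating the program, which also sees values loaded indirectly; this static pass is the simplest form of the same idea and is deliberately not a disassembler.

```python
# (interrupt, AH value) -> (what the call does, suspicion weight). Weights and threshold are
# assumptions for this demo; a real analyser tunes them against large clean and infected corpora.
ACTIONS = {
    (0x13, 0x03): ("direct sector write via BIOS", 3),
    (0x13, 0x05): ("format track via BIOS", 4),
    (0x21, 0x25): ("set interrupt vector (hooking DOS)", 3),
    (0x21, 0x31): ("terminate and stay resident", 3),
    (0x21, 0x3D): ("open file", 1),
    (0x21, 0x40): ("write to file handle", 2),
    (0x21, 0x4B): ("execute program", 1),
    (0x21, 0x4C): ("normal exit", 0),
    (0x21, 0x09): ("print string", 0),
}
THRESHOLD = 6

# Constructed 16-bit code samples (not real malware).
VIRAL = bytes.fromhex("b425 ba0001 cd21 b403 b001 cd13 b431 ba1000 cd21")   # hook INT, write sector, go TSR
HELLO = bytes.fromhex("b409 ba0001 cd21 b44c cd21")                         # print string, exit
DISK_TOOL = bytes.fromhex("b403 b001 cd13 b44c cd21")                       # one sector write, exit


def interrupt_calls(code: bytes, window: int = 8):
    """Yield (interrupt, AH) for each `int NN` (CD NN) that follows a `mov ah,imm8` (B4 xx)
    within `window` bytes. A linear scan: it ignores control flow and can be fooled by a
    B4 or CD byte inside an operand, which is exactly why real products emulate instead."""
    ah, ah_pos, i = None, -1, 0
    while i < len(code):
        op = code[i]
        if op == 0xB4 and i + 1 < len(code):
            ah, ah_pos = code[i + 1], i
            i += 2
        elif op == 0xCD and i + 1 < len(code):
            if ah is not None and i - ah_pos <= window:
                yield code[i + 1], ah
            i += 2
        else:
            i += 1


def heuristic_score(code: bytes):
    """Return (total weight, list of recognised virus-like actions)."""
    findings, score = [], 0
    for vector, ah in interrupt_calls(code):
        desc, weight = ACTIONS.get((vector, ah), (f"int {vector:02X}h, AH={ah:02X}h", 0))
        if weight:
            findings.append(desc)
            score += weight
    return score, findings


def is_suspicious(code: bytes) -> bool:
    """The analyser's verdict: enough virus-like behaviour in one program to raise an alarm."""
    return heuristic_score(code)[0] >= THRESHOLD


if __name__ == "__main__":
    for label, sample in (("viral", VIRAL), ("hello", HELLO), ("disk tool", DISK_TOOL)):
        score, found = heuristic_score(sample)
        print(f"{label:10s} score={score} suspicious={is_suspicious(sample)} {found}")
```

The disk tool performs a direct sector write, the single most virus-like action in the table, and still stays under the threshold; the viral sample trips it because it combines hooking an interrupt, writing a sector and staying resident, which is the pattern of a resident boot infector rather than of any one legitimate program.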

Classification of antivirus programs

Antivirus programs are classified into pure antiviruses and dual-use antiviruses (Fig. 2).

Pure antiviruses are distinguished by the presence of an antivirus core, which performs the function of scanning samples. The principle in this case is that treatment is possible if the virus is known. Pure antiviruses, in turn, are divided into two categories based on the type of access to files: those that exercise control by access (on access) or by user demand (on demand). Typically, on access products are called monitors, and on demand products are called scanners.

The on-demand product works according to the following scheme: the user wants to check something and issues a request (demand), after which the verification is carried out. On access product is a resident program that monitors access and performs verification at the time of access.

In addition, antivirus programs, like viruses, can be divided depending on the platform within which the antivirus operates. In this sense, along with Windows or Linux, platforms can include Microsoft Exchange Server, Microsoft Office, Lotus Notes.

Dual-use programs are programs used both in antiviruses and in software that is not an antivirus. For example, a CRC-checker, a change auditor based on checksums, can be used not only to catch viruses. A type of dual-purpose program is the behavioural blocker, which analyses the behaviour of other programs and blocks them when suspicious actions are detected. Behavioural blockers differ from a classic antivirus with an antivirus core, which recognises and cures viruses that were analysed in the laboratory and for which a cure algorithm was written, in that they cannot cure viruses, because they know nothing about any particular one. This same property allows them to work against any virus, including unknown ones, at the cost of occasionally stopping a legitimate program that performs the same suspicious action. This is of particular relevance today, since distributors of viruses and of antiviruses use the same data transmission channel, the Internet, and an antivirus company always needs time to obtain the virus itself, analyse it and write the appropriate cure module. Programs of the dual-use group allow the spread of the virus to be blocked until that module is written.

Review of the most popular personal antiviruses

The review includes the most popular antiviruses for personal use from five well-known developers. It should be noted that some of the companies discussed below offer several versions of personal programs that differ in functionality and, accordingly, in price. In our review, we looked at one product from each company, choosing the most functional version, which is usually called Personal Pro. Other options for personal antiviruses can be found on the corresponding websites.

Kaspersky Anti-Virus

Personal Pro v. 4.0

Developer: Kaspersky Lab. Website: http://www.kaspersky.ru/. Price: $69 (1 year license).

Kaspersky Anti-Virus Personal Pro (Fig. 3) is one of the most popular solutions on the Russian market and contains a number of unique technologies.

The Office Guard behavioural blocker module keeps macro execution under control, stopping suspicious actions. The vendor presents Office Guard as complete protection against macro viruses; as with any behavioural blocker, its coverage is in fact bounded by the list of actions it intercepts.

Inspector monitors all changes on the computer and, if unauthorized changes are detected in files or in the system registry, allows you to restore the contents of the disk and remove malicious code. Inspector does not require anti-virus database updates: integrity control is based on taking original file fingerprints (CRC sums) and comparing them with the current state of the files. Unlike other inspectors, Inspector supports all the most popular executable file formats.

The heuristic analyzer makes it possible to protect your computer even from unknown viruses.

The Monitor background virus interceptor, which is constantly present in the computer's memory, conducts an anti-virus scan of all files immediately at the time they are launched, created or copied, which allows you to control all file operations and prevent infection by even the most technologically advanced viruses.

Anti-virus email filtering prevents viruses from entering your computer. The Mail Checker plug-in not only removes viruses from the body of an email, but also completely restores the original content of emails. A comprehensive scan of email correspondence does not allow a virus to hide in any element of an email by scanning all areas of incoming and outgoing messages, including attached files (including archived and packaged ones) and other messages of any nesting level.

The Scanner anti-virus scanner makes it possible to conduct a full-scale scan of the entire contents of local and network drives on demand.

The Script Checker script virus interceptor provides anti-virus scanning of all running scripts before they are executed.

Support for archived and compressed files provides the ability to remove malicious code from an infected compressed file.

Isolation of infected objects ensures the isolation of infected and suspicious objects and their subsequent movement to a specially organized directory for further analysis and recovery.

Automation of anti-virus protection allows you to create a schedule and order of operation of program components; automatically download and connect new anti-virus database updates via the Internet; send warnings about detected virus attacks by email, etc.

Norton AntiVirus 2003 Professional Edition

Developer: Symantec. Website: http://www.symantec.ru/.

Price 89.95 euros.

The program runs under Windows 95/98/Me/NT4.0/2000 Pro/XP.

Price: $39.95


Despite the fact that general information security and preventative measures are very important for protecting against viruses, the use of specialized programs is necessary. These programs can be divided into several types:

  • Detector programs check whether the files on the disk contain a specific combination of bytes (signature) for a known virus and report this to the user (VirusScan/SCAN/McAfee Associates).
  • Doctor programs or phages "treat" infected programs by "biting out" the body of the virus from infected programs, both with and without restoration of the habitat (infected file) - the healing module of the SCAN program is the CLEAN program.
  • Doctor-detector programs (Lozinsky's Aidstest, Danilov's Doctor Web, MSAV, Norton Antivirus, Kaspersky's AVP) are able to detect the presence of a known virus on a disk and heal the infected file. This is the most common group of antivirus programs today.

In the simplest case, the command to check the contents of the disk for viruses looks like: aidstest /key1 /key2 /key3 ...

  • Filter programs (watchmen) reside in the PC's RAM and intercept those calls to the operating system that viruses use to reproduce and cause harm, reporting them to the user:
  • - an attempt to modify the command interpreter COMMAND.COM, the main OS file;
  • - an attempt to write directly to the disk bypassing the file system (existing sectors are overwritten); the filter reports that some program is trying to write to the disk;
  • - disk formatting;
  • - installing a program resident in memory.

Having detected an attempt to one of these actions, the filter program provides the user with a description of the situation and requires confirmation from him. The user can allow or deny this operation. Control of actions, characteristic of viruses, is carried out by replacing the corresponding interrupt handlers. The disadvantages of these programs include intrusiveness (the guard, for example, issues a warning about any attempt to copy an executable file), possible conflicts with other software, and bypassing the guards by some viruses. Examples of filters: Anti4us, Vsafe, Disk Monitor.

It should be noted that today many programs of the doctor-detector class also have a resident module, a filter (guard), for example Dr.Web, AVP and Norton Antivirus. Such programs can therefore be classified as doctor-detector-guards.

  • Hardware and software antivirus tools (the Sheriff hardware-software complex). On a par with watchdog programs are hardware-software antivirus tools, which provide more reliable protection against virus penetration into the system. Such complexes consist of two parts: a hardware part, installed as a board or chip on the motherboard, and a software part recorded on disk. The hardware part (controller) monitors all write operations to the disk; the software part, resident in RAM, monitors all input/output operations. Because the controller sits below the operating system, a virus cannot bypass it by hooking DOS interrupts, which is what makes this approach more reliable than a purely software guard. However, the possibility of using these tools requires careful consideration of the configuration of other equipment on the PC, such as disk controllers, modems or network cards.
  • Auditor programs (ADinf, Advanced Disk Infoscope, by Mostovoy, with the ADinf Cure Module treatment block). Auditors work in two stages. First, they record information about the state of programs and of the system areas of disks (the boot sector and the sector with the partition table that divides the hard disk into logical partitions). It is assumed that at this moment the programs and system areas are not infected. Later, the current state of files and system areas is compared with the recorded one, and if a discrepancy is found, the user is notified. Auditors are able to detect stealth viruses. Checking file length alone is not sufficient: some viruses do not change the length of the files they infect. A more reliable check is to read the entire file and compute a checksum over all of its bytes; it is practically impossible for a virus to change a file so that its checksum remains the same, unless the checksum is a simple CRC and the virus deliberately compensates for it. Minor disadvantages of auditors are that to ensure security they must be run regularly, for example called daily from AUTOEXEC.BAT, and that they report only that something has changed, not what changed it. Their undoubted advantages are the high speed of checks and the fact that they do not require frequent updates: a version of the auditor even six months old reliably detects viruses that appeared after its release, and the cure module can restore infected files from the recorded data.
  • Vaccine or immunizer programs (CPAV). Vaccine programs modify programs and disks in such a way that this does not affect the operation of the programs, but the virus against which the vaccination is performed takes these programs and disks to be already infected and leaves them alone. Such programs are not effective enough: a vaccine works only against the specific viruses whose infection markers it imitates, and different viruses use different markers.
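The following Python auditor is an added worked example (not code from ADinf, AVP Inspector or any other product on this page) of the integrity-control points made above about ADinf Pro's hash function, AVP Inspector, the CRC-checker and the auditor programs: it records a baseline fingerprint for a file (length, CRC-32, and a keyed SHA-256 HMAC) and then shows what each check catches. The file contents, the auditor key, and the two "virus" patches are constructed for the demo. A same-size patch slips past the length check but not the CRC; a second patch also restores the CRC, using the standard four-byte correction that exploits the linearity of CRC (the forge_crc32_suffix routine below), and is caught only by the keyed hash. The forged patch assumes the attacker may overwrite the last four bytes of the file, modelled here as trailing slack.

```python
import hashlib
import hmac
import zlib

# Constructed sample "executable" and a demo auditor key (both assumptions for this example).
ORIGINAL = bytes(range(256)) * 8 + b"\x00" * 4     # 2052 bytes; the trailing slack is what the attacker rewrites
AUDITOR_KEY = b"auditor-key-kept-off-the-disk"      # hypothetical key; a real product must protect it from the virus


def _make_crc_table():
    """Standard reflected CRC-32 (polynomial 0xEDB88320) lookup table, the same one zlib uses."""
    table = []
    for n in range(256):
        c = n
        for _ in range(8):
            c = (c >> 1) ^ 0xEDB88320 if c & 1 else c >> 1
        table.append(c)
    return table


CRC_TABLE = _make_crc_table()
# The top bytes of the 256 table entries are a permutation of 0..255; that is what makes CRC-32 invertible.
TOP_BYTE_TO_INDEX = {entry >> 24: i for i, entry in enumerate(CRC_TABLE)}


def forge_crc32_suffix(data: bytes, target_crc: int) -> bytes:
    """Return 4 bytes s such that zlib.crc32(data + s) == target_crc.

    CRC is linear, so anyone who knows the algorithm can append a 4-byte 'correction' that
    restores any chosen checksum. Walk backwards from the target register to find which table
    indices the last four steps must use, then replay them forwards from the real register."""
    reg = zlib.crc32(data) ^ 0xFFFFFFFF            # un-finalised register after `data`
    want = target_crc ^ 0xFFFFFFFF                  # register required after four more bytes
    indices = []
    for _ in range(4):
        idx = TOP_BYTE_TO_INDEX[want >> 24]
        indices.append(idx)
        want = ((want ^ CRC_TABLE[idx]) << 8) & 0xFFFFFFFF
    suffix = bytearray()
    for idx in reversed(indices):
        suffix.append((reg ^ idx) & 0xFF)           # byte that makes this step use table entry idx
        reg = CRC_TABLE[idx] ^ (reg >> 8)
    return bytes(suffix)


def fingerprint(data: bytes, key: bytes) -> dict:
    """The baseline record an auditor stores per file: length, CRC-32 and a keyed cryptographic MAC."""
    return {
        "size": len(data),
        "crc32": zlib.crc32(data),
        "hmac": hmac.new(key, data, hashlib.sha256).hexdigest(),
    }


def audit(baseline: dict, data: bytes, key: bytes) -> dict:
    """Compare the current state with the baseline; True means that check noticed a change."""
    now = fingerprint(data, key)
    return {name: now[name] != baseline[name] for name in baseline}


def same_size_patch(data: bytes) -> bytes:
    """Flip one byte of the body: the length is unchanged, the CRC and the HMAC differ."""
    body = bytearray(data)
    body[100] ^= 0xFF
    return bytes(body)


def crc_preserving_patch(data: bytes) -> bytes:
    """Flip a byte, then rewrite the four trailing slack bytes so the CRC-32 is restored.
    Length and CRC both match the baseline; only the keyed hash still catches the change."""
    head = same_size_patch(data)[:-4]
    return head + forge_crc32_suffix(head, zlib.crc32(data))


if __name__ == "__main__":
    base = fingerprint(ORIGINAL, AUDITOR_KEY)
    print("same-size patch:     ", audit(base, same_size_patch(ORIGINAL), AUDITOR_KEY))
    print("crc-preserving patch:", audit(base, crc_preserving_patch(ORIGINAL), AUDITOR_KEY))
```

The second result is the practical argument for ADinf Pro's cryptographic hash over a CRC: an auditor that stores only length and CRC is defeated by a virus written with the auditor in mind, while forging an HMAC requires the key, which is why the key must not be readable from the disk the virus already controls.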

Conventionally, a strategy to protect against a virus can be defined as a multi-level “layered” defense. Structurally it might look like this. Reconnaissance tools in the “defense” against viruses correspond to detector programs that allow you to detect newly received software for the presence of viruses. At the forefront of defense are filter programs that reside in the computer's memory. These programs can be the first to report the operation of the virus. The second echelon of “defense” consists of audit programs. Auditors detect a virus attack even when it has managed to “leak” through the front line of defense. Doctor programs are used to restore infected programs if a copy of the infected program is not in the archive, but they do not always cure correctly. Doctor-inspectors detect a virus attack and treat infected programs, and monitor the correctness of the treatment. The deepest echelon of defense is access control means. They do not allow viruses and malfunctioning programs, even if they have penetrated the PC, to spoil important data. The “strategic reserve” contains archival copies of information and “reference” floppy disks with software products. They allow you to restore information if it is damaged.

The harmful actions of each type of virus can be very diverse. This includes deleting important files or even BIOS firmware, transferring personal information, such as passwords, to a specific address, organizing unauthorized email campaigns and attacks on certain websites. It is also possible to start dialing through a cell phone to paid numbers. Hidden administration utilities (backdoor) can even transfer full control of the computer to an attacker. Fortunately, all these troubles can be successfully fought, and the main weapon in this fight will, of course, be antivirus software.

Kaspersky Anti-Virus. Perhaps, “Kaspersky Anti-Virus” is the most famous product of this type in Russia, and the name “Kaspersky” has become synonymous with the fighter against malicious codes. The laboratory of the same name not only constantly releases new versions of its security software, but also conducts educational work among computer users. The latest, ninth version of Kaspersky Anti-Virus, like previous releases, is distinguished by a simple and extremely transparent interface that combines all the necessary utilities in one window. Thanks to the installation wizard and intuitive menu options, even a novice user can configure this product. The power of the algorithms used will satisfy even professionals. A detailed description of each of the detected viruses can be found by calling the corresponding page on the Internet directly from the program.

Dr. Web. Another popular Russian antivirus, rivaling Kaspersky Anti-Virus in popularity, is Dr. Web. Its trial version has an interesting feature: it requires mandatory registration via the Internet. On the one hand, this is very good - immediately after registration, the anti-virus database is updated and the user receives the latest data on signatures. On the other hand, it is impossible to install the trial version offline, and, as experience has shown, problems are inevitable with an unstable connection.

Panda Antivirus + Firewall 2007. A comprehensive solution in the field of computer security - the Panda Antivirus + Firewall 2007 package - includes, in addition to the anti-virus program, a firewall that monitors network activity. The interface of the main program window is designed in “natural” green tones, but despite its visual appeal, the menu navigation system is built inconveniently, and a novice user may well get confused in the settings.

The Panda package contains several original solutions, such as TruePrevent, a proprietary technology for searching for unknown threats, based on the most modern heuristic algorithms. It is also worth paying attention to the utility for searching for computer vulnerabilities - it assesses the danger of “holes” in the security system and offers to download the necessary updates.

Norton Antivirus 2005. The main impression from the product of the famous company Symantec - the anti-virus complex Norton Antivirus 2005 - is its focus on powerful computing systems. The response of the Norton Antivirus 2005 interface to user actions is noticeably delayed. In addition, during installation it places quite strict requirements on the versions of the operating system and Internet Explorer. Unlike Dr.Web, Norton Antivirus does not require updating the virus databases during installation, but will remind you that they are out of date throughout the entire operation.

McAfee VirusScan. We chose an interesting anti-virus product, which, according to the developers, is the No. 1 scanner in the world - McAfee VirusScan - for testing because, among similar applications, it stood out for its large distribution size (more than 40 MB). Believing that this value was due to its wide functionality, we proceeded with the installation and discovered that in addition to the anti-virus scanner, it included a firewall, as well as utilities for cleaning the hard drive and guaranteed removal of objects from the hard drive (file shredder).

Questions for Chapters 6 and 7

  • 1. Stages of development of information security tools and technologies.
  • 2. Components of the standard security model.
  • 3. Sources of security threats and their classification.
  • 4. Unintentional threats to information security.
  • 5. Deliberate threats to information security.
  • 6. Classification of information leakage channels.
  • 7. Regulation of information security problems.
  • 8. Structure of the state information security system.
  • 9. Methods and means of information security.
  • 10. Classification of data security threats.
  • 11. Methods of protecting information from viruses.
  • 12. Methods of integrity control.
  • 13. Classification of computer viruses.
  • 14. Anti-virus protection.
  • 15. Preventive antivirus measures.
  • 16. Classification of anti-virus software products.

1. COMPUTER VIRUSES AND THEIR PROPERTIES AND CLASSIFICATION

1.1. Properties of computer viruses

Nowadays, personal computers are used in which the user has free access to all the resources of the machine. This is what opened up the possibility of a danger that became known as a computer virus.

What is a computer virus? A formal definition of this concept has not yet been invented, and there are serious doubts that it can be given at all. Numerous attempts to provide a “modern” definition of the virus have failed. To get a sense of the complexity of the problem, try, for example, to define the concept of “editor”. You will either come up with something very general, or you will start listing all the known types of editors. Both can hardly be considered acceptable. Therefore, we will limit ourselves to considering some properties of computer viruses that allow us to talk about them as a certain class of programs.

First of all, a virus is a program. Such a simple statement in itself can dispel many legends about the extraordinary capabilities of computer viruses. A virus can flip the image on your monitor, but it cannot flip the monitor itself. Legends about killer viruses “destroying operators by displaying a deadly color scheme on the screen in the 25th frame” should also not be taken seriously. Unfortunately, some reputable publications from time to time publish “the latest news from the computer front,” which, upon closer examination, turn out to be the result of a not entirely clear understanding of the subject.

A virus is a program that has the ability to reproduce itself. This ability is the only means inherent in all types of viruses. But not only viruses are capable of self-replication. Any operating system and many other programs are capable of creating their own copies. Copies of the virus not only do not have to completely coincide with the original, but may not coincide with it at all!

A virus cannot exist in “complete isolation”: today it is impossible to imagine a virus that does not use the code of other programs, information about the file structure, or even just the names of other programs. The reason is clear: the virus must somehow ensure that control is transferred to itself.

1.2. Classification of viruses

Currently, more than 5,000 software viruses are known, they can be classified according to the following criteria:

• habitat

• method of contamination of the habitat

• influence

• features of the algorithm

Depending on their habitat, viruses can be divided into network, file, boot, and file-boot viruses. Network viruses are distributed over various computer networks. File viruses are embedded mainly in executable modules, i.e. files with the COM and EXE extensions. File viruses can be embedded in other types of files, but, as a rule, when written into such files they never receive control and therefore lose the ability to reproduce. Boot viruses are embedded in the boot sector of a disk (Boot sector) or in the sector containing the hard disk's boot program (Master Boot Record). File-boot viruses infect both files and the boot sectors of disks.

Based on the method of infection, viruses are divided into resident and non-resident. When a resident virus infects a computer, it leaves its resident part in RAM, which then intercepts the operating system's access to infectable objects (files, disk boot sectors, etc.) and injects itself into them. Resident viruses stay in memory and remain active until the computer is turned off or rebooted. Non-resident viruses do not infect the computer's memory and are active only for a limited time, while the infected program runs.

Based on the degree of impact, viruses can be divided into the following types:

• non-hazardous, which do not interfere with the operation of the computer but reduce the amount of free RAM and disk space; the actions of such viruses show up as some graphic or sound effects

• dangerous viruses, which can lead to various problems with your computer

• very dangerous, the impact of which can lead to loss of programs, destruction of data, and erasure of information in the system areas of the disk.

2. MAIN TYPES OF VIRUSES AND THEIR FUNCTIONING SCHEME

Among the variety of viruses, the following main groups can be distinguished:

• boot

• file

• file-boot

Now let's take a closer look at each of these groups.

2.1. Boot viruses

Let's look at the operation of a very simple boot virus that infects floppy disks. We will deliberately bypass all the numerous subtleties that would inevitably be encountered during a strict analysis of the algorithm of its functioning.

What happens when you turn on your computer? First of all, control is transferred to the bootstrap program, which is stored in read-only memory (ROM). Below it is called PNZ, from the Russian abbreviation for "initial loader program", so this one is PNZ ROM.

This program tests the hardware and, if the tests are successful, tries to find the floppy disk in drive A:

Every floppy disk is divided into so-called tracks and sectors. Sectors are combined into clusters, but this is not significant for us.

Among the sectors there are several service ones, used by the operating system for its own needs (these sectors cannot contain your data). Of the service sectors, we are currently interested in one: the so-called boot sector.

The boot sector stores information about the floppy disk (number of surfaces, number of tracks, number of sectors, etc.). But now we are interested not in this information but in the small bootstrap program (PNZ) stored there, which must load the operating system itself and transfer control to it.

So the normal bootstrap chain is PNZ (ROM) - PNZ (disk) - SYSTEM.

Now let's look at the virus. Boot viruses have two parts, the so-called head and tail. The tail, generally speaking, can be empty.

Suppose you have a clean floppy disk and an infected computer, by which we mean a computer with an active resident virus. As soon as this virus detects that a suitable victim has appeared in the drive - in our case, a floppy disk that is not write-protected and has not yet been infected, it begins to infect. When infecting a floppy disk, the virus performs the following actions:

Selects a certain area of ​​the disk and marks it as inaccessible to the operating system, this can be done in different ways, in the simplest and traditional case, sectors occupied by the virus are marked as bad (bad)

Copies its tail and the original (healthy) boot sector to the selected area of ​​the disk

Replaces the boot program in the (real) boot sector with its head

Organizes a chain of control transfer according to the scheme.

Thus, the head of the virus is now the first to receive control, the virus is installed in memory and transfers control to the original boot sector. In a chain

PNZ (ROM) - PNZ (disk) - SYSTEM

a new link appears:

PNZ (ROM) - VIRUS - PNZ (disk) - SYSTEM

The moral is clear: Never leave floppy disks (accidentally) in drive A.

We examined the functioning scheme of a simple boot virus that lives in the boot sectors of floppy disks. As a rule, viruses can infect not only the boot sectors of floppy disks but also the boot sectors of hard drives. Moreover, unlike a floppy disk, a hard drive has two types of boot sectors containing boot programs that receive control. When the computer boots from the hard drive, the boot program in the MBR (Master Boot Record) takes control first. If the hard drive is divided into several partitions, only one of them is marked as bootable (active). The boot program in the MBR finds the active partition and transfers control to the boot program in that partition's boot sector. The code of the latter coincides with the code of the boot program on ordinary floppy disks, and the corresponding boot sectors differ only in their parameter tables. Thus, on a hard drive there are two objects of attack for boot viruses: the boot program in the MBR and the boot program in the boot sector of the active partition.
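As an added worked example (not code from any product on this page) of the hard-drive boot chain just described, the Python code below parses a 512-byte MBR: it checks the 55 AA signature, reads the four 16-byte partition entries that start at offset 446, finds the single partition flagged active (0x80) that the MBR boot program would hand control to, and performs the auditor-style check of the system area that the Auditor programs section above describes. The MBR contents, the partition layout and the "virus head" that overwrites the boot code are all constructed for the demo. A boot virus must replace the boot code to get control first, and normally leaves the partition table intact so that the system still boots, which is exactly the change pattern the audit reports.

```python
import struct

SECTOR = 512
TABLE_OFFSET = 446                     # four 16-byte partition entries live at 446..509
MBR_SIGNATURE = 0xAA55                 # stored little-endian as 55 AA at offset 510

# Constructed layout: (active, type, first LBA sector, sector count). Type 0x06 is FAT16, 0x05 extended.
DEMO_PARTITIONS = [(True, 0x06, 63, 2_097_089), (False, 0x05, 2_097_152, 4_194_304)]


def build_mbr(partitions, boot_code=b"\xfa\x33\xc0\x8e\xd0"):
    """Assemble a 512-byte MBR for the demo: boot code, partition table, signature.
    The few boot-code bytes (cli / xor ax,ax / mov ss,ax) are a placeholder, not a real loader."""
    sector = bytearray(SECTOR)
    sector[:len(boot_code)] = boot_code
    for n, (active, ptype, start, count) in enumerate(partitions):
        entry = struct.pack("<B3sB3sII", 0x80 if active else 0x00, bytes(3), ptype, bytes(3), start, count)
        sector[TABLE_OFFSET + 16 * n: TABLE_OFFSET + 16 * (n + 1)] = entry
    struct.pack_into("<H", sector, 510, MBR_SIGNATURE)
    return bytes(sector)


def parse_mbr(sector: bytes) -> dict:
    """Split an MBR into its boot code and the non-empty partition entries."""
    if len(sector) != SECTOR or struct.unpack_from("<H", sector, 510)[0] != MBR_SIGNATURE:
        raise ValueError("not a valid MBR (wrong length or missing 55 AA signature)")
    parts = []
    for n in range(4):
        flag, ptype, start, count = struct.unpack_from("<B3xB3xII", sector, TABLE_OFFSET + 16 * n)
        if ptype:                                  # type 0 means an unused slot
            parts.append({"index": n, "active": flag == 0x80, "type": ptype, "lba": start, "sectors": count})
    return {"boot_code": sector[:TABLE_OFFSET], "partitions": parts}


def active_partition(mbr: dict):
    """The partition whose boot sector receives control from the MBR boot program.
    Returns None when zero or several entries are flagged active: the table is damaged
    or has been tampered with, and a sane loader should refuse to continue."""
    active = [p for p in mbr["partitions"] if p["active"]]
    return active[0] if len(active) == 1 else None


def audit_mbr(baseline: bytes, current: bytes) -> list:
    """Auditor-style comparison of the system area: report which regions of the MBR changed."""
    changes = []
    if baseline[:TABLE_OFFSET] != current[:TABLE_OFFSET]:
        changes.append("boot code")
    if baseline[TABLE_OFFSET:510] != current[TABLE_OFFSET:510]:
        changes.append("partition table")
    if baseline[510:] != current[510:]:
        changes.append("signature")
    return changes


def infect_boot_code(sector: bytes, head=b"\xeb\x1c\x90" + b"DEMO-VIRUS-HEAD") -> bytes:
    """Model of a boot virus installing its head: overwrite the start of the boot code only,
    leaving the partition table and signature alone so the machine still boots."""
    infected = bytearray(sector)
    infected[:len(head)] = head
    return bytes(infected)


if __name__ == "__main__":
    disk = build_mbr(DEMO_PARTITIONS)
    print("active partition:", active_partition(parse_mbr(disk)))
    print("audit of clean disk:   ", audit_mbr(disk, disk))
    print("audit of infected disk:", audit_mbr(disk, infect_boot_code(disk)))
```

A change confined to the boot code with an unchanged partition table is the signature of a boot-sector infection; a partitioning tool changes the table and usually leaves the code alone, which is how an auditor can tell the two apart instead of simply reporting "sector changed".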

2.2. File viruses

Let us now consider how a simple file virus works. Unlike boot viruses, which are almost always resident, file viruses are not necessarily resident. Let's consider the functioning scheme of a non-resident file virus. Let's say we have an infected executable file. When such a file is launched, the virus gains control, performs some actions and transfers control to the “master” (although it is not yet known who the master is in such a situation).

What actions does the virus perform? It looks for a new object to infect: a file of a suitable type that has not yet been infected (if the virus is "decent"; some infect immediately without checking anything). By infecting a file, the virus injects itself into the file's code so as to gain control when the file is executed. Besides its main function, reproduction, the virus may well do something fancy (display a message, play a tune, and so on); this depends only on the imagination of the virus's author. If the file virus is resident, it installs itself in memory and can infect files and show its other abilities not only while the infected file is running. When infecting an executable file a virus always changes its code, so infection of an executable file can always be detected. But in changing the file's code the virus does not necessarily make other changes:

· it is not obliged to change the file length

· it may place itself in unused sections of the code

· it is not obliged to change the beginning of the file

Finally, file viruses are often taken to include viruses that "have some relation to files" but need not be embedded in their code. Consider as an example the functioning scheme of the viruses of the well-known Dir-II family. It must be admitted that, having appeared in 1991, these viruses caused a real epidemic in Russia. Let us look at a model that clearly shows the basic idea of the virus. Information about files is stored in directories. Each directory entry includes the file name, the date and time of its creation, some additional information, the number of the file's first cluster, and several reserved bytes. The latter are left "in reserve" and are not used by MS-DOS itself.

When an executable file is run, the system takes the number of its first cluster from the directory entry and then reads that cluster and all the others in the file's chain. Viruses of the Dir-II family perform the following "reorganization" of the file system: the virus writes itself to some free sectors of the disk, which it marks as bad. In addition, it stores the original first-cluster numbers of executable files in the reserved bytes, and in place of this information writes references to itself.

Thus, when any executable file is launched, the virus gains control (the operating system launches it itself), installs itself resident in memory and transfers control to the file that was called.
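The model just described, as an added example that is not code from the essay: a toy FAT-style volume in Python in which the "virus" never touches a file's code but only its directory entry, plus the auditor-style check that exposes the trick and the cure that puts the entries back. The cluster layout, the file names, the body string and the reserved-byte encoding are this example's own assumptions.

```python
"""Added example: the Dir-II idea (directory-entry redirection) on a toy
FAT-style volume, with detection and cure."""
from collections import Counter
from dataclasses import dataclass, field

FAT_FREE, FAT_BAD, FAT_EOF = 0x0000, 0xFFF7, 0xFFFF
VIRUS_BODY = b"<toy virus body: run, then continue with the real first cluster>"
NO_RESERVED = b"\x00\x00"


@dataclass
class DirEntry:
    name: str
    first_cluster: int
    reserved: bytes = NO_RESERVED   # bytes MS-DOS leaves unused; Dir-II hides data here


@dataclass
class Volume:
    fat: list                        # fat[c]: next cluster of c, or FAT_EOF/FAT_BAD/FAT_FREE
    clusters: dict                   # cluster number -> its bytes
    directory: list = field(default_factory=list)

    def read_chain(self, first: int) -> bytes:
        """Read a file the way the OS does: first cluster, then follow the FAT."""
        data, c = b"", first
        while True:
            data += self.clusters[c]
            c = self.fat[c]
            if c in (FAT_EOF, FAT_BAD, FAT_FREE):
                return data


def make_sample_volume() -> Volume:
    """Constructed input: 8 clusters, two executables and one text file."""
    vol = Volume(fat=[FAT_FREE] * 8, clusters={})

    def add(name, first, chunks):
        for i, chunk in enumerate(chunks):
            vol.clusters[first + i] = chunk
            vol.fat[first + i] = first + i + 1 if i + 1 < len(chunks) else FAT_EOF
        vol.directory.append(DirEntry(name, first))

    add("GAME.COM", 2, [b"game part 1", b"game part 2"])
    add("EDIT.COM", 4, [b"editor"])
    add("NOTES.TXT", 5, [b"plain text"])
    return vol


def dir2_style_infect(vol: Volume) -> int:
    """Model of the trick: hide the body in a cluster marked bad, then point
    every executable's entry at it, stashing the real first cluster in the
    reserved bytes. Returns the cluster used."""
    v = next(c for c in range(2, len(vol.fat)) if vol.fat[c] == FAT_FREE)
    vol.clusters[v] = VIRUS_BODY
    vol.fat[v] = FAT_BAD                     # DOS and CHKDSK now stay away from it
    for e in vol.directory:
        if e.name.upper().endswith((".COM", ".EXE")) and e.first_cluster != v:
            e.reserved = e.first_cluster.to_bytes(2, "little")
            e.first_cluster = v
    return v


def launch(vol: Volume, name: str) -> tuple:
    """What happens on 'run': returns (virus_got_control, bytes of the program
    the user actually ends up running)."""
    e = next(x for x in vol.directory if x.name == name)
    loaded = vol.read_chain(e.first_cluster)
    if loaded == VIRUS_BODY:
        # The OS loaded the virus itself; it passes control on to the real file.
        return True, vol.read_chain(int.from_bytes(e.reserved, "little"))
    return False, loaded


def suspicious_entries(vol: Volume) -> list:
    """Auditor-style check: an entry that starts in a cluster marked bad, has
    non-zero reserved bytes, or shares its first cluster with another file."""
    shared = Counter(e.first_cluster for e in vol.directory)
    return [e.name for e in vol.directory
            if vol.fat[e.first_cluster] == FAT_BAD
            or e.reserved != NO_RESERVED
            or shared[e.first_cluster] > 1]


def cure(vol: Volume) -> int:
    """Undo the redirection from the stashed values and free the hiding cluster.
    Returns the number of entries restored."""
    restored = 0
    for e in vol.directory:
        if vol.fat[e.first_cluster] == FAT_BAD and e.reserved != NO_RESERVED:
            e.first_cluster = int.from_bytes(e.reserved, "little")
            e.reserved = NO_RESERVED
            restored += 1
    for c, status in enumerate(vol.fat):
        if status == FAT_BAD and vol.clusters.get(c) == VIRUS_BODY:
            vol.fat[c] = FAT_FREE
            del vol.clusters[c]
    return restored
```

The third condition in `suspicious_entries` matters in practice: after infection every executable's entry points at the same cluster, so a disk-repair utility run while the virus is not resident sees them all as cross-linked, and letting it "fix" the cross-links truncates the files. Entries must be restored from the stashed values first, as `cure` does, before any file-system repair.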

2.3. Boot file viruses

We will not consider a boot-file virus model, because you would learn nothing new from it. But this is a good opportunity to briefly discuss the recently very "popular" boot-file virus OneHalf, which infects the master boot record (MBR) and executable files. Its main destructive effect is the encryption of hard drive sectors. Each time it is launched the virus encrypts another portion of sectors, and having encrypted half of the hard drive it happily reports this. The main problem in treating this virus is that it is not enough simply to remove the virus from the MBR and the files: the information it encrypted must also be decrypted. The most destructive thing you can do is simply overwrite the MBR with a new, healthy one, because the encrypted sectors then stay encrypted and the virus's own on-the-fly decryption, which the system had been relying on to read them, is gone. The main thing is not to panic. Weigh everything calmly and consult specialists.

2.4. Polymorphic viruses

Most questions are related to the term “polymorphic virus”. This type of computer virus seems to be the most dangerous today. Let us explain what it is.

Polymorphic viruses are viruses that modify their code in infected programs in such a way that two copies of the same virus may not match in a single bit.

Such viruses not only encrypt their code using different encryption keys but also contain code that generates the encryptor and decryptor; this distinguishes them from ordinary encrypting viruses, which can also encrypt sections of their code but have a constant encryptor and decryptor.

Polymorphic viruses are viruses with self-modifying decryptors. The purpose of such encryption is that even if you have an infected file and the original, you still cannot analyze the virus code with an ordinary disassembler: the code is encrypted and looks like a meaningless set of instructions. Decryption is performed by the virus itself during execution. Here there are options: it can decrypt itself all at once, or it can decrypt "on the fly" and re-encrypt sections that have already been used. All this is done to make analysis of the virus code difficult.
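Why a self-modifying decryptor defeats the signature search of section 6.1, and what a scanner does instead, as an added example that is not code from the essay. There is no machine code in it: the "decryptor" is a stream of two-byte operations in an invented byte-code (XOR, ADD, SUB, NOT, plus junk NOPs), and the "virus body" is an arbitrary byte string; every copy gets a freshly generated decryptor and a correspondingly encrypted body. `static_scan` is the classic detector that searches a raw object for a fixed byte sequence; `emulated_scan` runs the decryptor first and then searches the result, which is the decrypt-then-scan approach antivirus engines adopted for this class of virus.

```python
"""Added example: toy polymorphic decryptor generator, plus a static and an
emulating scanner, to show which of the two still finds the body."""
import random

OP_XOR, OP_ADD, OP_SUB, OP_NOT, OP_NOP, OP_END = 0x01, 0x02, 0x03, 0x04, 0x05, 0xFF
INVERSE = {OP_XOR: OP_XOR, OP_ADD: OP_SUB, OP_SUB: OP_ADD, OP_NOT: OP_NOT, OP_NOP: OP_NOP}


def apply_ops(value: int, ops) -> int:
    """Run the byte-code over one byte. OP_NOP is junk that changes nothing."""
    for opcode, k in ops:
        if opcode == OP_XOR:
            value ^= k
        elif opcode == OP_ADD:
            value = (value + k) & 0xFF
        elif opcode == OP_SUB:
            value = (value - k) & 0xFF
        elif opcode == OP_NOT:
            value = ~value & 0xFF
    return value


def generate_decryptor(rng: random.Random) -> list:
    """Fresh decryptor for every copy: 2-4 real operations with random keys,
    padded with junk ops at random positions. Retries until the combined
    transform moves every byte value, so no plaintext byte survives unchanged."""
    while True:
        ops = []
        for _ in range(rng.randint(2, 4)):
            if rng.random() < 0.5:
                ops.append((OP_NOP, rng.randint(0, 255)))          # junk
            ops.append((rng.choice((OP_XOR, OP_ADD, OP_SUB, OP_NOT)), rng.randint(1, 255)))
        if all(apply_ops(b, ops) != b for b in range(256)):
            return ops


def make_variant(body: bytes, rng: random.Random) -> bytes:
    """One infected copy: decryptor byte-code, OP_END, then the encrypted body.
    Encryption is the decryptor's inverse, applied in reverse order."""
    dec = generate_decryptor(rng)
    enc = [(INVERSE[opcode], k) for opcode, k in reversed(dec)]
    encrypted = bytes(apply_ops(b, enc) for b in body)
    code = b"".join(bytes((opcode, k)) for opcode, k in dec)
    return code + bytes([OP_END]) + encrypted


def emulate(variant: bytes) -> bytes:
    """What an emulating scanner does: run the decryptor on the body instead
    of trying to recognize the decryptor itself."""
    ops, i = [], 0
    while variant[i] != OP_END:          # opcodes sit at even offsets, keys at odd
        ops.append((variant[i], variant[i + 1]))
        i += 2
    return bytes(apply_ops(b, ops) for b in variant[i + 1:])


def static_scan(blob: bytes, signature: bytes) -> bool:
    """Classic detector: look for a fixed byte sequence in the raw object."""
    return signature in blob


def emulated_scan(variant: bytes, signature: bytes) -> bool:
    """Decrypt-then-scan: the signature is taken from the constant body."""
    return signature in emulate(variant)


if __name__ == "__main__":
    rng = random.Random(2024)
    body = b"TOY BODY: replicate, then display a message"
    sig = b"replicate, then"
    copies = [make_variant(body, rng) for _ in range(10)]
    print("distinct copies:", len(set(copies)), "of", len(copies))
    print("static signature hits:", sum(static_scan(c, sig) for c in copies))
    print("emulated hits:", sum(emulated_scan(c, sig) for c in copies))
```

Two copies of the same body share not a single byte in the encrypted part, and the decryptor differs in length, opcodes and keys, so there is no fixed sequence left to put in a signature; only running the decryptor recovers something constant. Real engines do the same with a CPU emulator, with a budget on how many instructions they are willing to run before giving up.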

3. HISTORY OF COMPUTER VIROLOGY AND REASONS FOR THE APPEARANCE OF VIRUSES

The history of computer virology today looks like a constant "race for the leader", and despite all the power of modern antivirus programs, the viruses are in the lead. Among thousands of viruses only a few dozen are original developments that use truly new ideas; all the rest are "variations on a theme". But every original development forces antivirus creators to adapt to new conditions and catch up with virus technology. The latter can be illustrated. For example, in November 1988 an American graduate student released a worm that disabled about 6,000 Unix machines on the Internet. Or the epidemic of the famous Dir-II virus that broke out in 1991: the virus used a truly original, fundamentally new technique and at first spread widely because of the imperfection of traditional antivirus tools.

Or the surge of computer viruses in the United Kingdom: Christopher Pile created the Pathogen and Queeg viruses together with the SMEG polymorphic engine. The last was the most dangerous part: it was applied to the first two viruses, so that every new copy of them took a different form, which made them impossible to recognize by a fixed signature. To spread the viruses Pile copied computer games and programs, infected them, and then sent them back onto the network. Users downloaded the infected programs onto their computers and infected their disks. The situation was aggravated by the fact that Pile managed to introduce the viruses into a program meant to fight them: by running it, instead of destroying viruses users received another one. As a result, the files of many companies were destroyed, with losses amounting to millions of pounds.

The American programmer Robert Morris became widely known as the creator of the worm mentioned above, which in November 1988 infected about 6,000 Unix computers connected to the Internet. It was not a personal-computer virus: it spread by itself through network services, without any user launching an infected program.

The reasons for the emergence and spread of computer viruses lie, on the one hand, in human psychology and its shadow sides (envy, revenge, the vanity of unrecognized creators, the inability to use one's abilities constructively) and, on the other hand, in the lack of hardware protection and countermeasures in the operating systems of personal computers.

4. WAYS OF VIRUSES ENTERING A COMPUTER AND THE MECHANISM OF VIRUS PROGRAM DISTRIBUTION

The main routes by which viruses enter a computer are removable media (floppy disks and CD-ROMs) and computer networks. A hard drive can become infected when a program is loaded from a floppy disk containing a virus. Such an infection can also be accidental: for example, if the floppy disk was not removed from drive A and the computer was rebooted, and the floppy disk need not even be a system disk. It is much easier to infect a floppy disk. A virus can get onto it even if the floppy disk is simply inserted into the drive of an infected computer and, for example, its directory listing is read.

A virus, as a rule, is introduced into a working program in such a way that when it is launched, control is first transferred to it and only after all its commands are executed, it returns to the working program. Having gained access to control, the virus first of all rewrites itself into another working program and infects it. After running a program containing a virus, it becomes possible to infect other files. Most often, the boot sector of the disk and executable files with the extensions EXE, COM, SYS, BAT are infected with a virus. It is extremely rare for text files to become infected.

After infecting a program the virus may perform some kind of sabotage, not too serious so as not to attract attention, and finally it does not forget to return control to the program from which it was launched. Each execution of an infected program passes the virus on to the next one, and in this way all the software becomes infected.

To illustrate the process of infecting a computer program with a virus, it makes sense to liken disk storage to an old-fashioned archive with folders on tape. The folders contain programs, and the sequence of operations for introducing a virus in this case will look like this. (See Appendix 1)

5. SIGNS OF VIRUSES

When your computer is infected with a virus, it is important to detect it. To do this, you should know about the main signs of viruses. These include the following:

· termination or incorrect operation of programs that previously worked successfully

· slow computer performance

· inability to load the operating system

· disappearance of files and directories or distortion of their contents

· changes in the date and time of file modification

· changes in file sizes

· an unexpected significant increase in the number of files on the disk

· a significant reduction in the amount of free RAM

· display of unexpected messages or images

· unexpected sound signals

· frequent freezes and computer crashes

It should be noted that the above phenomena are not necessarily caused by the presence of a virus, but may be the result of other reasons. Therefore, it is always difficult to correctly diagnose the condition of a computer.

6. VIRUS DETECTION AND PROTECTION AND PREVENTION MEASURES

6.1. How to detect a virus? The traditional approach

So, a certain virus writer creates a virus and releases it into "life". It may roam freely for a while, but sooner or later the easy ride ends. Someone suspects something is wrong. As a rule, viruses are discovered by ordinary users who notice anomalies in the behavior of their computer. In most cases they cannot cope with the infection themselves, but that is not required of them.

It is only necessary that the virus gets into the hands of specialists as soon as possible. Professionals will study it and find out "what it does", "how it does it", "when it does it", and so on. In the process all the necessary information about the virus is collected; in particular, the signature of the virus is isolated: a sequence of bytes that characterizes it quite definitely. To build a signature, the most important and characteristic sections of the virus code are usually taken. At the same time the mechanisms of the virus become clear: for a boot virus it is important to know where it hides its tail and where the original boot sector is stored, and for a file virus, the method of infecting the file. The information obtained makes it possible to find out:

· how to detect a virus, for this purpose, methods for searching for signatures in potential objects of a virus attack - files and / or boot sectors are specified

· how to neutralize the virus, if possible, algorithms are being developed to remove virus code from affected objects

6.2. Virus detection and protection programs

To detect, remove and protect against computer viruses, several types of special programs have been developed that allow you to detect and destroy viruses. Such programs are called antivirus . There are the following types of antivirus programs:

· detector programs

· doctor programs, or phages

· auditor programs

· filter programs

· vaccine or immunizer programs

Detector programs search for a signature characteristic of a particular virus in RAM and in files and, if it is found, issue a corresponding message. The disadvantage of such antivirus programs is that they can only find viruses already known to the developers of such programs.

Doctor programs, or phages, not only find files infected with viruses but also "treat" them, i.e. remove the body of the virus from the file, returning the file to its original state. At the beginning of their work phages search for viruses in RAM and destroy them, and only then proceed to "cleaning" files. Among phages, polyphages are distinguished: doctor programs designed to search for and destroy a large number of viruses. The best known of them are Aidstest, Scan, Norton AntiVirus and Doctor Web.

Considering that new viruses are constantly appearing, detector programs and doctor programs quickly become outdated, and regular version updates are required.

Auditor programs are among the most reliable means of protection against viruses. Auditors record the initial state of programs, directories and system areas of the disk while the computer is not infected, and then periodically or at the user's request compare the current state with the original. Detected changes are displayed on the screen. As a rule the comparison is carried out immediately after the operating system loads. The comparison checks the file length, a cyclic redundancy check (a checksum of the file), the modification date and time, and other parameters. Auditor programs have fairly sophisticated algorithms: they detect stealth viruses and can even distinguish changes due to a new version of the program being checked from changes made by a virus. Among auditor programs is Adinf, widely used in Russia.
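A minimal auditor of this kind, as an added example and not the code of any of the programs named above: it records the size, modification time and a SHA-256 digest (used here in place of the CRC the essay mentions) for every file under a directory, compares a later snapshot with the baseline, and reports what changed and why. `run_demo` builds a throwaway directory with constructed files and then does what a careful infector does, changing an executable in place without changing its length and putting its timestamp back, so that only the digest gives it away. Paths, file names and file contents are the example's own.

```python
"""Added example: a minimal file auditor (baseline snapshot and comparison)
in the spirit of the auditor programs described above."""
import hashlib
import os
import tempfile
from pathlib import Path

FIELDS = ("size", "mtime_ns", "sha256")


def snapshot(root) -> dict:
    """Map each file's path (relative to root) to its recorded attributes."""
    root = Path(root)
    table = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            st = p.stat()
            table[p.relative_to(root).as_posix()] = {
                "size": st.st_size,
                "mtime_ns": st.st_mtime_ns,
                "sha256": hashlib.sha256(p.read_bytes()).hexdigest(),
            }
    return table


def compare(baseline: dict, current: dict) -> dict:
    """Report added and removed files and, for each surviving file, the
    attributes that differ from the baseline."""
    report = {"added": sorted(set(current) - set(baseline)),
              "removed": sorted(set(baseline) - set(current)),
              "modified": {}}
    for name in sorted(set(baseline) & set(current)):
        reasons = [f for f in FIELDS if baseline[name][f] != current[name][f]]
        if reasons:
            report["modified"][name] = reasons
    return report


def run_demo() -> dict:
    """Constructed scenario: take a baseline, then overwrite the first bytes
    of one executable with a jump (same length), restore its timestamp, and
    drop a new file. Returns the auditor's report."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "GAME.COM").write_bytes(b"\xB8\x00\x4C\xCD\x21" + b"\x00" * 27)
        (root / "EDIT.COM").write_bytes(b"\xB4\x09\xCD\x21\xC3" * 4)
        baseline = snapshot(root)

        target = root / "GAME.COM"
        st = target.stat()
        patched = bytearray(target.read_bytes())
        patched[:3] = b"\xE9\x10\x00"            # JMP over the original entry, same length
        target.write_bytes(bytes(patched))
        os.utime(target, ns=(st.st_atime_ns, st.st_mtime_ns))   # timestamp put back
        (root / "NEW.COM").write_bytes(b"\xC3")  # something new appeared on disk

        return compare(baseline, snapshot(root))


if __name__ == "__main__":
    print(run_demo())
```

Two conditions make such an auditor trustworthy: the baseline must be taken and stored where the virus cannot reach it (a write-protected floppy, in the essay's setting), and the comparison must run while no virus is resident, because a stealth virus that hooks file reads can hand the auditor the original contents and defeat the digest as well.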

Filter programs or "watchman" are small resident programs designed to detect suspicious actions during computer operation, characteristic of viruses. Such actions may be:

· attempts to modify files with the COM or EXE extension

· changing file attributes

· direct writing to the disk at an absolute address

· writing to the boot sectors of a disk

When any program tries to perform one of these actions, the "guard" sends a message to the user and offers to prohibit or allow the action. Filter programs are very useful because they can detect a virus at the earliest stage of its existence, before it replicates. However, they do not "clean" files and disks; to destroy viruses you need other programs, such as phages. The disadvantages of watchdog programs include their "intrusiveness" (for example, they constantly issue a warning about any attempt to copy an executable file) and possible conflicts with other software. An example of a filter program is VSafe, which is part of the MS-DOS utility package.

Vaccines or immunizers- These are resident programs that prevent file infection. Vaccines are used if there are no doctor programs that “treat” this virus. Vaccination is possible only against known viruses. The vaccine modifies the program or disk in such a way that it does not affect its operation, and the virus will perceive it as infected and therefore will not take root. Currently, vaccine programs have limited use.

Timely detection of virus-infected files and disks and complete destruction of detected viruses on each computer help avoid the spread of a virus epidemic to other computers.

6.3. Basic measures to protect against viruses

In order to avoid exposing your computer to viruses and to ensure reliable storage of information on disks, you must follow the following rules:

· equip your computer with modern antivirus programs, such as Aidstest and Doctor Web, and constantly update them

· before reading information from floppy disks that have been in other computers, always check those floppy disks for viruses by running the antivirus programs on your computer

· when transferring archived files to your computer, check them immediately after unpacking them onto the hard drive, limiting the scan to the newly written files

· periodically check the hard drives for viruses by running antivirus programs that test files, memory and the system areas of the disks from a write-protected floppy disk, after booting the operating system from a write-protected system floppy disk

· always write-protect your floppy disks when working on other computers if nothing is to be written to them

· be sure to make backup copies on floppy disks of information that is valuable to you

· do not leave floppy disks in drive A when switching on or rebooting the computer, to prevent infection by boot viruses

· use antivirus programs to check all executable files received from computer networks

· for greater security, combine Aidstest and Doctor Web with everyday use of the Adinf disk auditor

CONCLUSION

So, one can cite many facts showing that the threat to information resources grows every day, alarming decision-makers in banks, enterprises and companies around the world. This threat comes from computer viruses, which distort or destroy vital information, which can lead not only to financial losses but also to human casualties.

Computer virus - a specially written program that is capable of spontaneously attaching to other programs, creating copies of itself and introducing them into files, system areas of the computer and into computer networks in order to disrupt the operation of programs, damage files and directories, and create all kinds of interference in the operation of the computer.

Currently, more than 5,000 software viruses are known, the number of which is constantly growing. There are known cases where tutorials were created to help in writing viruses.

The main types of viruses: boot, file, file-boot. The most dangerous type of viruses is polymorphic.

From the history of computer virology it is clear that any original computer development forces antivirus creators to adapt to new technologies and constantly improve antivirus programs.

The reasons for the appearance and spread of viruses are hidden, on the one hand, in human psychology, and on the other hand, due to the lack of protection measures in the operating system.

The main routes for viruses to penetrate are removable disks and computer networks. To prevent this from happening, follow protective measures. Also, several types of special programs called anti-virus programs have been developed to detect, remove and protect against computer viruses. If you do find a virus on your computer, then using the traditional approach it is better to call a professional to figure it out further.

But some properties of viruses puzzle even specialists. Just recently, it was hard to imagine that a virus could survive a cold boot or spread through document files. In such conditions, it is impossible not to attach importance to at least the initial anti-virus education of users. Despite the seriousness of the problem, no virus can cause as much harm as a white-faced user with trembling hands!

So, the health of your computers, the safety of your data is in your hands!
