Next: Worms Up: Viruses Previous: History of Viruses

Current Protection Against Viruses

Although many anti-virus tools and products are now available, personal and administrative practices and institutional policies, particularly with regard to shared or external software usage, should form the first line of defense against the threat of virus attack. Users should also consider the variety of anti-virus products currently available.

There are three classes of anti-virus products: detection tools, identification tools, and removal tools. Scanners are an example of both detection and identification tools. Vulnerability monitors and modification detection programs are both examples of detection tools. Disinfectors are examples of removal tools. A detailed description of the tools is provided below.

Scanners and disinfectors, the most popular classes of anti-virus software, rely on a great deal of a priori knowledge about the viral code. Scanners search for "signature strings" or use algorithmic detection methods to identify known viruses. Disinfectors rely on substantial information regarding the size of a virus and the type of modifications to restore the infected file's contents.

Vulnerability monitors, which attempt to prevent modification or access to particularly sensitive parts of the system, may block a virus from hooking sensitive interrupts. This requires a lot of information about "normal" system use, since personal computer viruses do not actually circumvent any security features. This type of software also requires decisions from the user.

Modification detection is a very general method, and requires no information about the virus to detect its presence. Modification detection programs, which are usually checksum based, are used to detect virus infections or trojan horses. This process begins with the creation of a baseline, where checksums for clean executables are computed and saved. Each following iteration consists of checksum computation and comparison with the stored value. It should be noted that simple checksums are easy to defeat; cyclical redundancy checks (CRC) are better, but can still be defeated; cryptographic checksums provide the highest level of security.
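The baseline-then-compare cycle described above, as an added example that is not part of the original document: it computes three checksum grades (a simple additive checksum, a CRC, and a keyed cryptographic checksum) over a constructed set of sample "executables", stores them as the baseline, and re-checks each file on a later iteration. To show why the grades differ, a constructed tamper routine changes two bytes of a file so that the additive checksum is unchanged; the CRC and the cryptographic checksum both still catch the change. The file contents, file names and the baseline key are assumptions made up for the example.

```python
import hashlib
import hmac
import zlib

# Constructed sample "executables": short byte strings standing in for real files.
CLEAN_FILES = {
    "EDITOR.EXE": bytes(range(64)),
    "SHELL.COM": b"MZ" + bytes([0x90] * 30),
}

# Constructed key for the keyed checksum; in practice it would be kept off the
# machine being checked so a virus cannot recompute the stored values.
BASELINE_KEY = b"constructed-baseline-key"


def simple_checksum(data: bytes) -> int:
    """Additive checksum: the sum of all bytes modulo 2**16."""
    return sum(data) & 0xFFFF


def crc_checksum(data: bytes) -> int:
    """32-bit cyclic redundancy check (CRC-32 as used by zlib)."""
    return zlib.crc32(data) & 0xFFFFFFFF


def crypto_checksum(data: bytes, key: bytes) -> str:
    """Keyed cryptographic checksum: HMAC-SHA-256 over the file contents."""
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def all_checksums(data: bytes, key: bytes) -> dict:
    return {
        "simple": simple_checksum(data),
        "crc": crc_checksum(data),
        "crypto": crypto_checksum(data, key),
    }


def build_baseline(files: dict, key: bytes) -> dict:
    """Baseline creation: compute and save checksums for every clean executable."""
    return {name: all_checksums(data, key) for name, data in files.items()}


def check_file(name: str, data: bytes, baseline: dict, key: bytes) -> dict:
    """One later iteration: recompute each checksum and compare with the stored value.

    Returns, per checksum grade, True if the file still matches the baseline.
    """
    stored = baseline[name]
    current = all_checksums(data, key)
    return {grade: current[grade] == stored[grade] for grade in stored}


def sum_preserving_patch(data: bytes) -> bytes:
    """Constructed tamper: add 1 to one byte and subtract 1 from another.

    The byte sum (and therefore the additive checksum) is unchanged, while the
    file contents are not. Positions are chosen so neither byte wraps around.
    """
    b = bytearray(data)
    i = next(k for k, v in enumerate(b) if v < 0xFF)
    j = next(k for k, v in enumerate(b) if v > 0x00 and k != i)
    b[i] += 1
    b[j] -= 1
    return bytes(b)


if __name__ == "__main__":
    baseline = build_baseline(CLEAN_FILES, BASELINE_KEY)
    tampered = sum_preserving_patch(CLEAN_FILES["EDITOR.EXE"])
    print("clean   :", check_file("EDITOR.EXE", CLEAN_FILES["EDITOR.EXE"], baseline, BASELINE_KEY))
    print("tampered:", check_file("EDITOR.EXE", tampered, baseline, BASELINE_KEY))
```

Running the script shows the clean file passing all three grades and the tampered file passing only the additive checksum. The keyed variant is used for the cryptographic grade because an unkeyed hash stored next to the executables can simply be recomputed by whatever modified the file; keeping the key (or the whole baseline) on write-protected or offline media is what makes the comparison trustworthy.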

konczal@csrc.ncsl.nist.gov
Thu Mar 10 15:32:44 EST 1994