Next: Summary Up: Signature Scanning and Algorithmic Previous: Functionality

Selection Factors

Accuracy

Scanners are very reliable for identifying infections of viruses that have been around for some time. The vendor has had sufficient time to select a good signature or develop a detection algorithm for these well-known viruses. For such viruses, a detection failure is unlikely with a scanner. An up-to-date scanner tool should detect and to some extent identify any virus you are likely to encounter. Scanners have other problems, though. In the detection process, both false positives and false negatives can occur.

False positives occur when an uninfected executable includes a byte string matching a virus signature in the scanner's database. Scanner developers test their signatures against libraries of commonly used, uninfected software to reduce false positives. For additional assurance, some developers perform statistical analysis of the likelihood of code sequences appearing in legitimate programs. Still, it is impossible to rule out false positives. Signatures are simply program segments; therefore, the same code could appear in an uninfected program.

False negatives occur when an infected executable is encountered but no pattern match is detected. This usually results from procedural problems; for example, if a stealth virus is memory-resident at the time the scanner executes, the virus may hide itself from the scan. False negatives can also occur when the system has been infected by a virus that was unknown at the time the scanner was built.

Scanners are also prone to misidentification, or may lack precision in naming. Misidentification will usually occur when a new variant of an older virus is encountered. As an example, a scanner may proclaim that Jerusalem-B has been detected, when in fact the Jerusalem-Groen Links virus is present. This can occur because these viruses are both Jerusalem variants and share much of their code. Another scanner might simply declare "Jerusalem variant found in filename." This is accurate, but rather imprecise.
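The three failure modes above (false positive, false negative, and variant misidentification) can be reproduced with a toy signature scanner. This is an added example, not code from the document; every signature and "executable" is a constructed byte string, and the family and variant names are hypothetical.

```python
from dataclasses import dataclass
from typing import List, Optional

@dataclass(frozen=True)
class Signature:
    name: str
    pattern: bytes  # byte string cut from a (here: constructed) virus body

# Constructed stand-ins for two variants of one family: they share most of
# their code (SHARED) and differ only in a short tail, like Jerusalem variants.
SHARED = b"\x1f\x03\xa9\x44\x22\x91\xb3\x10\x5c\x0e\x3d\x7a"
VARIANT_B = SHARED + b"\xb0\x01"
VARIANT_C = SHARED + b"\xc0\x02"

# Database a vendor might ship after seeing only variant B: the signature was
# taken from the shared region, so every family member matches it.
DB_COARSE = [Signature("FamilyA-B", SHARED[2:9])]

# Database whose signatures include the variant-specific bytes, plus a
# fallback family signature reported when nothing more specific matches.
DB_PRECISE = [
    Signature("FamilyA-B", SHARED[6:] + VARIANT_B[-2:]),
    Signature("FamilyA-C", SHARED[6:] + VARIANT_C[-2:]),
    Signature("FamilyA variant", SHARED[2:9]),
]

def scan(data: bytes, db: List[Signature]) -> Optional[str]:
    """Report the most specific (longest) signature found in `data`, else None."""
    hits = [s for s in db if s.pattern in data]
    return max(hits, key=lambda s: len(s.pattern)).name if hits else None

# Constructed sample "executables": an 'MZ' header, padding, then a payload.
HEADER = b"MZ" + b"\x90" * 16
SAMPLES = {
    "infected_B": HEADER + VARIANT_B,
    "infected_C": HEADER + VARIANT_C,
    # Clean program that by chance contains the same 7 bytes: false positive.
    "benign_lookalike": HEADER + b"\xa9\x44\x22\x91\xb3\x10\x5c" + b"\x00" * 8,
    # Variant unknown when the databases were built: false negative.
    "infected_unknown": HEADER + b"\x1f\x03" + b"\xee" * 10 + b"\xd0\x03",
}

def classify(db: List[Signature]) -> dict:
    """Run every sample through `db`; map sample name to the reported verdict."""
    return {name: scan(data, db) for name, data in SAMPLES.items()}

if __name__ == "__main__":
    for label, db in (("coarse", DB_COARSE), ("precise", DB_PRECISE)):
        print(label, classify(db))
```

With the coarse database the C variant is reported as FamilyA-B (misidentification) and the benign look-alike is flagged in both databases, while the unknown variant is missed by both; only the precise database names C correctly and downgrades the look-alike to a family-level verdict.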

Ease of Use

Scanners are very easy to use in general. You simply execute the scanner and it provides concise results. The scanner may have a few options describing which disk, files, or directories to scan, but the user does not have to be a computer expert to select the right parameters or comprehend the results.

Administrative Overhead

New viruses are discovered every week. As a result, a virus scanner's signature database begins to go out of date as soon as it is released. If an organization distributes scanners to its users for virus detection, procedures must be devised for distribution of updates. A scanner for a DOS PC that is more than a few months old will not detect most newly developed viruses. (It may detect, but misidentify, some new variants.) Timely updates are crucial to the effectiveness of any scanner-based anti-virus solution. This can present a distribution problem for a large organization.

Installation is generally simple enough for any user to perform. Interpreting the results is very simple when viruses are correctly identified. Handling false positives will usually require some assistance from technical support. This level of support may be available from the vendor.

Efficiency

Scanners are very efficient. There is a large body of knowledge about string-searching algorithms, so the typical scanner executes very rapidly. Applying the scanner proactively, rather than on demand, will generally result in higher system overhead.





konczal@csrc.ncsl.nist.gov
Fri Mar 11 21:26:02 EST 1994