How Antivirus Software Works (worth reading)


Before I start, I want you to consider why you are paying so much for the top 10 antivirus solutions (Kaspersky, Symantec, Trend Micro AV, Eset) on an annual basis vs. only paying for a monthly subscription. Think about it: try it before you commit to it annually, and if they do not have a monthly option, drop them.

How Antivirus software works:
There are two common methods that antivirus software uses to detect viruses. The first, and by far the most common, is matching against a list of virus signature definitions. This works by examining the content of the computer’s memory (its RAM and boot sectors) and the files stored on fixed or removable drives (hard drives, floppy drives, or USB flash drives), and comparing them against a database of known virus “signatures”. Virus signatures are just strings of code used to identify individual viruses; for each virus, the anti-virus designer tries to choose a unique signature string that will not be found in a legitimate program. Different anti-virus programs use different “signatures” to identify viruses. The disadvantage of this detection method is that users are only protected from viruses that are detected by signatures in their most recent virus definition update, and not from new viruses (see the full zero-day attack definition below).
(A zero-day (or zero-hour or day zero) attack or threat is an attack that exploits a previously unknown vulnerability in a computer application, meaning that the attack occurs on “day zero” of awareness of the vulnerability. This means that the developers have had zero days to address and patch the vulnerability. Zero-day exploits (actual software that uses a security hole to carry out an attack) are used or shared by attackers before the developer of the target software knows about the vulnerability.)

A second method to find viruses is to use a heuristic algorithm based on common virus behaviors. This method has the ability to detect new viruses for which anti-virus security firms have yet to define a “signature”, but it also gives rise to more false positives than using signatures. False positives can be disruptive, especially in a commercial environment.
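A minimal illustration of both methods, added here as an example and not code from the original post: exact signature matching against a constructed database, and a small behaviour-based heuristic that only fires when several suspicious behaviours co-occur. All signatures, rules and sample inputs are constructed for this demonstration; the EICAR string is the standard harmless antivirus test pattern.

```python
import re

# Constructed signature database. The EICAR string is the industry's standard,
# harmless antivirus test pattern; "Demo.Sample.A" is a made-up byte sequence.
EICAR = rb"X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"
SIGNATURES = {
    "EICAR-Test-File": EICAR,
    "Demo.Sample.A": b"\xde\xad\xbe\xef\x13\x37DEMO",
}

# Constructed heuristic rules: each matches a behaviour common in malicious
# scripts but also present in legitimate administrative tooling.
HEURISTIC_RULES = {
    "hidden-window": re.compile(rb"WindowStyle\s+Hidden", re.I),
    "remote-download": re.compile(rb"DownloadString|Invoke-WebRequest", re.I),
    "autostart-key": re.compile(rb"CurrentVersion\\Run", re.I),
}

def scan_signatures(data: bytes) -> list[str]:
    """Signature method: exact byte-pattern match against the known list."""
    return [name for name, sig in SIGNATURES.items() if sig in data]

def scan_heuristics(data: bytes, threshold: int = 2) -> list[str]:
    """Heuristic method: flag only when `threshold` or more behaviours co-occur."""
    hits = [name for name, rx in HEURISTIC_RULES.items() if rx.search(data)]
    return hits if len(hits) >= threshold else []

def classify(data: bytes) -> str:
    """Signatures first (exact, few false positives), heuristics as fallback."""
    if scan_signatures(data):
        return "known-malware"
    if scan_heuristics(data):
        return "suspicious"
    return "clean"

# Constructed samples: a known file, a never-seen sample, and a benign admin job.
KNOWN = b"header " + EICAR + b" trailer"
NEW_SAMPLE = b"-WindowStyle Hidden ... DownloadString('http://example.invalid/...') ..."
ADMIN_SCRIPT = (b"# nightly inventory job\n"
                b"Invoke-WebRequest http://intranet.example.invalid/agent.msi -OutFile agent.msi\n"
                b"Set-ItemProperty HKLM:\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run "
                b"-Name Inventory -Value agent.exe\n")

if __name__ == "__main__":
    for label, blob in [("known", KNOWN), ("new", NEW_SAMPLE), ("admin", ADMIN_SCRIPT)]:
        print(f"{label:6} -> {classify(blob):14} sigs={scan_signatures(blob)} "
              f"heur={scan_heuristics(blob)}")
```

The never-seen sample is missed by the signature scan but caught by the heuristics, while the benign inventory script also trips the heuristics: that is the false positive the text warns about.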

Attack vectors
Malware writers are able to exploit zero-day vulnerabilities through several different attack vectors. Web browsers are a particular target because of their widespread distribution and usage. Attackers can also send e-mail attachments, which exploit vulnerabilities in the application opening the attachment. Exploits that take advantage of common file types are listed in databases like US-CERT. Malware can be engineered to take advantage of these file type exploits to compromise attacked systems or steal confidential data such as banking passwords and personal identity information.
Vulnerability window

Zero-day attacks occur during the vulnerability window that exists in the time between when a vulnerability is first exploited and when software developers start to develop and publish a counter to that threat.

For worms, viruses, Trojans and other zero-day malware attacks, the vulnerability window follows this time line:
1. The developer creates software containing an unknown vulnerability.
2. The attacker finds the vulnerability before the developer does (or while the developer is aware of it but has neglected or been unable to fix it).
3. The attacker writes an exploit while the vulnerability is either not known to the developer or known but still not closed (e.g., due to an internal assessment of the threat’s potential damage costs being lower than the costs of developing a fix), usually also using and distributing it.
4. The developer or the public becomes aware of the exploited vulnerability and the developer is forced to start working on a fix, if not already working on one.
5. The developer releases the fix.
Conceptually, there is one more event in the zero-day attack time line, which is the users applying the fix, effectively closing the vulnerability window, but that can vary, as some users may simply stop using the affected software as soon as the problem surfaces, while others may never know of it at all, never fixing it and therefore keep the vulnerability window open. Thus, the vulnerability window’s length is usually just measured until the developer releases the fix.

Measuring the length of the vulnerability window can be difficult, as attackers do not announce when the vulnerability was first discovered. Developers may not want to distribute data for commercial or security reasons. Developers also may not know if the vulnerability is being exploited when they fix it, and so may not record the vulnerability as a zero-day attack. By one estimate, “hackers exploit security vulnerabilities in software for 10 months on average before details of the holes surface in public,” i.e., the average vulnerability window of a zero-day exploit is about 10 months. However, it can be easily shown that this window can be several years long. For example, in 2008, Microsoft confirmed a vulnerability in Internet Explorer, which affected some versions that were released in 2001. The date the vulnerability was first found by an attacker is not known; however, the vulnerability window in this case could have been up to 7 years. Some windows may never be closed, for example, if they are hardwired in a device, requiring its replacement or the installation of additional hardware to protect it from exploitation.
Virus removal
Many websites run by antivirus software companies provide free online virus scanning, with limited cleaning facilities (the purpose of the sites is to sell anti-virus products). Additionally, several capable antivirus software programs are available for free download from the Internet (usually restricted to non-commercial use). Microsoft offers an optional free antivirus utility called Microsoft Security Essentials, a Windows Malicious Software Removal Tool that is updated as part of the regular Windows update regime, and an older optional anti-malware (malware removal) tool Windows Defender that has been upgraded to an antivirus product in Windows 8.

Some viruses disable System Restore and other important Windows tools such as Task Manager and Command Prompt. An example of a virus that does this is CiaDoor. Many such viruses can be removed by rebooting the computer, entering Windows safe mode with networking, and then using system tools or Microsoft Safety Scanner. System Restore on Windows Me, Windows XP, Windows Vista and Windows 7 can restore the registry and critical system files to a previous checkpoint. Often a virus will cause a system to hang, and a subsequent hard reboot will render a system restore point from the same day corrupt. Restore points from previous days should work provided the virus is not designed to corrupt the restore files and does not exist in previous restore points.
Operating system reinstallation
Microsoft’s System File Checker (improved in Windows 7 and later) can be used to check for, and repair, corrupted system files.

Restoring an earlier “clean” (virus-free) copy of the entire partition from a cloned disk, a disk image, or a backup is one solution—restoring an earlier backup disk image is relatively simple to do, usually removes any malware, and may be faster than disinfecting the computer—or reinstalling and reconfiguring the operating system and programs from scratch, as described below, then restoring user preferences.

Reinstalling the operating system—as described here—is another approach to virus removal, if the above options don’t work: It may be possible to recover copies of essential user data by booting from a live CD, or connecting the hard drive to another computer and booting from the second computer’s operating system, taking great care not to infect that computer by executing any infected programs on the original drive. The original hard drive can then be reformatted and the OS and all programs installed from original media. Once the system has been restored, precautions must be taken to avoid reinfection from any restored executable files.

The point behind this is: why are you spending so much for antivirus software? Follow MspPortal tomorrow for information on why hackers want your system.
