Due
to ever increasing threat from virus and other malicious
programs, almost every computer today comes with a pre-installed
antivirus software on it. In fact, an antivirus has become one of the
most essential software package for every computer. Even though every
one of us have an antivirus software installed on our computers, only a
few really bother to understand how it actually works! Well if you are
one among those few who would really bother to understand how an
antivirus works, then this article is for you.
How Antivirus Works:
An
antivirus software typically uses a variety of strategies in detecting
and removing viruses, worms and other malware programs. The following
are the two most widely employed identification methods:
1. Signature-based dectection (Dictionary approach)
This
is the most commonly employed method which involves searching for known
patterns of virus within a given file. Every antivirus software will
have a dictionary of sample malware codes called signatures in
it’s database. Whenever a file is examined, the antivirus refers to the
dictionary of sample codes present within it’s database and compares the
same with the current file. If the piece of code within the file
matches with the one in it’s dictionary then it is flagged and proper
action is taken immediately so as to stop the virus from further
replicating. The antivirus may choose to repair the file, quarantine or
delete it permanently based on it’s potential risk.
As
new viruses and malwares are created and released every day, this
method of detection cannot defend against new malwares unless their
samples are collected and signatures are released by the antivirus
software company. Some companies may also encourage the users to upload
new viruses or variants, so that the virus can be analyzed and the
signature can be added to the dictionary.
Signature
based detection can be very effective, but requires frequent updates of
the virus signature dictionary. Hence the users must update their
antivirus software on a regular basis so as to defend against new
threats that are released daily.
2. Heuristic-based detection (Suspicious behaviour approach)
Heuristic-based detection involves identifying suspicious behaviour from
any given program which might indicate a potential risk. This approach
is used by some of the sophisticated antivirus softwares to identify new
malware and variants of known malware. Unlike the signature based
approach, here the antivirus doesn’t attempt to identify known viruses,
but instead monitors the behavior of all programs.
For
example, malicious behaviours like a program trying to write data to an
executable program is flagged and the user is alerted about this
action. This method of detection gives an additional level of security
from unidentified threats.
File emulation: This is another type of heuristic-based approach where
a given program is executed in a virtual environment and the actions
performed by it are logged. Based on the actions logged, the antivirus
software can determine if the program is malicious or not and carry out
necessary actions in order to clean the infection.
Most commercial antivirus softwares use a combination of both signature-based and heuristic-based approaches to combat malware.
Issues of concern
Zero-day threats: A
zero-day (zero-hour ) threat or attack is where a malware tries to
exploit computer application vulnerabilities that are
yet unidentified by the antivirus software companies. These attacks are
used to cause damage to the computer even before they are identified.
Since patches are not yet released for these kind of new threats, they
can easily manage to bypass the antivirus software and carry out
malicious actions. However most of the threats are identified after a
day or two of it’s release, but damage caused by them before
identification is quite inevitable.
Daily Updates: Since
new viruses and threats are released everyday, it is most essential to
update the antivirus software so as to keep the virus definitions
up-to-date. Most softwares will have an auto-update feature so that the
virus definitions are updated whenever the computer is connected to the
Internet.
Effectiveness: Even
though an antivirus software can catch almost every malware, it is
still not 100% foolproof against all kinds of threats. As explained
earlier, a zero-day threat can easily bypass the protective shield of
the antivirus software. Also virus authors have tried to stay a step
ahead by writing “oligomorphic“, “polymorphic” and, more recently, “metamorphic”
virus codes, which will encrypt parts of themselves or otherwise modify
themselves as a method of disguise, so as to not match virus signatures
in the dictionary.
Thus user
education is as important as antivirus software; users must be
trained to practice safe surfing habits such as downloading files only
from trusted websites and not blindly executing a program that is
unknown or obtained from an untrusted source. I hope this article will
help you understand the working of an antivirus software.








0 comments:
Post a Comment