
30 Could an antivirus program itself be infected?




This article is from the Computer Viruses FAQ, by Nick FitzGerald n.fitzgerald@csc.canterbury.ac.nz with numerous contributions by others.

Yes, so it is important to obtain this software from good sources, and
to trust results only after running scanners from a "clean" system. But
there are situations where a scanner appears to be infected when it
isn't.

Most antivirus programs try very hard to identify viral infections only,
but sometimes they give false alarms (see C5). If two different
antivirus programs are both of the "scanner" type, they will contain
"scan strings" from which they identify viral infections. If the
strings are not "encoded", then they may be identified as a virus by
another scanner-type program. Also, if the scanner does not remove the
strings from memory after it has run, then another scanner may detect a
virus string "in memory". This often causes the second scanner to
report that your system is "infected", *but* only after you have run the
first scanner (which may be a memory-resident one). The major
contributors to this group are so tired of dealing with non-virus
reports of this sort that they *strongly* recommend that users avoid
antivirus software that doesn't keep its scan strings encoded in
memory.
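
The scanner-versus-scanner false alarm described above, as an added example that is not part of the original FAQ. The scan strings are constructed, harmless byte patterns, and the single-byte XOR encoding and all function names are assumptions made for the illustration, not any product's actual scheme.

```python
# Constructed, harmless byte patterns standing in for real scan strings.
SCAN_STRINGS = {
    "Demo.A": b"FAKE-SCAN-STRING-A-0001",
    "Demo.B": b"FAKE-SCAN-STRING-B-0002",
}
XOR_KEY = 0x5A  # hypothetical key chosen for this demo


def encode(data: bytes) -> bytes:
    """Single-byte XOR; applying it twice restores the input."""
    return bytes(b ^ XOR_KEY for b in data)


# A scanner that keeps its strings encoded would ship only this table.
# The demo derives it from SCAN_STRINGS for readability.
ENCODED_TABLE = {name: encode(s) for name, s in SCAN_STRINGS.items()}


def scanner_image(encoded: bool) -> bytes:
    """Bytes of a scanner (file or resident memory) holding its string table."""
    source = ENCODED_TABLE if encoded else SCAN_STRINGS
    return b"\x90CODE\x90" + b"\x00".join(source.values()) + b"\x90CODE\x90"


def naive_scan(data: bytes) -> list[str]:
    """A second scanner: reports every scan string found verbatim in data."""
    return sorted(name for name, s in SCAN_STRINGS.items() if s in data)


def encoded_scan(data: bytes) -> list[str]:
    """Find the same strings without ever decoding the table.

    XOR with a fixed byte is position-independent, so the input is encoded
    and searched for the encoded strings instead.
    """
    transformed = encode(data)
    return sorted(n for n, enc in ENCODED_TABLE.items() if enc in transformed)


if __name__ == "__main__":
    print("plaintext table seen by other scanner:", naive_scan(scanner_image(False)))
    print("encoded table seen by other scanner:  ", naive_scan(scanner_image(True)))
    sample = b"host-program" + SCAN_STRINGS["Demo.A"] + b"tail"
    print("encoded scanner on a sample:          ", encoded_scan(sample))
```

The first call reports both names against a scanner that contains no virus at all, which is the false alarm the FAQ describes; the encoded table produces no hit while the encoded scanner still identifies the sample.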

Some "change detection" antivirus programs add a snippet of code or data
to a program in order to "protect" it. (This process is sometimes
called "inoculation", but this term is also used for other antivirus
techniques.) These file changes will likely be detected by other
"change detection" programs, and may therefore raise a warning of a
suspicious file change (see F8 for a discussion of the inadvisability of
adding self-checking code to *existing* programs).

It is good practice to use more than one antivirus program but, by their
nature, multiple antivirus programs may confuse each other!

 
