This article is from the Computer Viruses FAQ, by Nick FitzGerald n.fitzgerald@csc.canterbury.ac.nz with numerous contributions by others.
None! Different products are more or less appropriate in different
situations, but in general you should build a cost-effective *strategy*
based on multiple layers of defense. There are three main kinds of
antivirus software, plus several other means of protection, such as
hardware write-protect methods (see D4). When planning your antivirus
strategy you should also look closely at your backup policies and
procedures (see 10).
1. ACTIVITY MONITORING programs. These try to prevent infection
before it happens by looking for virus-like activity, such as
attempts to write to another executable, reformat the disk,
etc. An alternative term is BEHAVIOR BLOCKER.
Examples: SECURE and FluShot+ (PC), and GateKeeper
(Macintosh).
These programs are considered the weakest line of defense
against viruses on a system that does not have memory
protection, because in such an environment it is possible for
a tunnelling virus (see B12) to bypass or disable them.
2. SCANNERS. Most look for known viruses by searching your
disks and files for "scan strings" or patterns, but a few use
heuristic techniques to recognize viral code. Most now also
include some form of "algorithmic scanning" in order to
detect known polymorphic viruses. A scanner may be designed
to examine specified disks or files on demand, or it may be
resident, examining each program which is about to be
executed. Most scanners also include virus removers.
Examples: FindViru in Dr Solomon's AntiVirus ToolKit, Frisk
Software's F-PROT, McAfee's VirusScan (all PC), Disinfectant
(Macintosh).
Resident scanners: McAfee's V-Shield, and F-PROT's VIRSTOP.
Heuristic scanners: the Analyse option in F-PROT, TBAV's
TbScan and ChkBoot (from Padgett Peterson's FixUtils).
Scanners are the most convenient and the most widely used
kind of antivirus programs. They are a relatively weak line
of defense because even the simplest virus can bypass them if
it is new and unknown to the scanner. Therefore, your virus
protection system should not rely on a scanner alone.
3. INTEGRITY CHECKERS or MODIFICATION DETECTORS. These compute
a small "checksum" or "hash value" (usually CRC or
cryptographic) for files when they are presumably uninfected,
and later compare newly calculated values with the original
ones to see if the files have been modified. This catches
unknown viruses as well as known ones and thus provides
*generic* detection. On the other hand, modifications can
also be due to reasons other than viruses. Usually, it is up
to the user to decide which modifications are intentional and
which might be due to viruses, although a few products give
the user help in making this decision. As in the case of
scanners, integrity checkers may be called to checksum entire
disks or specified files on demand, or they may be resident,
checking each program which is about to be executed (the
latter is sometimes called an INTEGRITY SHELL). A third
implementation is as a SELF-TEST, where the checksumming code
is attached to each executable file so they check themselves
just before execution. It is generally considered a bad idea
to add such code to existing executables (see F8).
Examples: ASP Integrity Toolkit (commercial), and Integrity
Master and VDS (shareware), all for the PC.
Integrity checkers are considered to be the strongest line of
defense against computer viruses, because they are not virus-
specific and can detect new viruses without being constantly
updated. However, they should not be considered as an
absolute protection. They have several drawbacks, cannot
identify the particular virus that has attacked the system,
and there are successful methods of attack against them too:
a resident stealth virus can hide its changes from the
checker's reads, a virus can recompute an unkeyed checksum and
rewrite a checksum database kept on the same disk, and a file
that was already infected when the baseline was taken is
accepted as clean from then on.
3a. Some modification detectors provide HEURISTIC DISINFECTION.
Sufficient information is saved for each file so that it can
be restored to its original state in the case of the great
majority of viral infections, even if the virus is unknown.
Examples: V-Analyst 3 (BRM Technologies, Israel), the VGUARD
module of V-Care and ThunderByte's TbClean.
Note that behavior blockers and scanners are virus *prevention* tools,
while integrity checkers are virus *detection* tools.
Of course, only a few examples of each type have been given. All of
these types of antivirus program have a place in protecting against
computer viruses, but you should appreciate the limitations of each
method, along with system-supplied security measures that may or may not
be helpful in defeating viruses. Ideally, you should arrange a
combination of methods that cover each others' weaknesses.
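As an added example of what "methods that cover each others' weaknesses" means in practice (it is not code from F-PROT, VirusScan, Integrity Master or any other product named above), the block below puts a small scan-string scanner next to two integrity checkers and runs them over constructed in-memory "files". The scanner catches the known virus but not a one-byte variant; an unkeyed CRC32 database on the same disk is patched by the virus and reports nothing; a keyed hash under a key the virus cannot read catches both. The scan string, file contents, virus bodies and key are all invented for the demo and do not correspond to any real virus.

```python
"""Layered defence in miniature: scan strings beside integrity checking.
Added example for the Computer Viruses FAQ; not code from any product
named there.  Signatures, files, virus bodies and key are constructed."""
import hashlib
import hmac
import zlib

# Scanner's "scan strings": hex bytes, with ?? as a one-byte wildcard.
# Constructed for the demo; this is not real virus code.
SIGNATURES = {"Demo.A": "B8 00 4C CD 21 ?? ?? 55 AA"}


def parse_signature(sig):
    """'B8 ?? 21' -> [0xB8, None, 0x21]; None matches any byte."""
    return [None if tok == "??" else int(tok, 16) for tok in sig.split()]


def scan(data, signatures=SIGNATURES):
    """Names of every signature whose pattern occurs somewhere in data."""
    hits = []
    for name, sig in signatures.items():
        pat = parse_signature(sig)
        for i in range(len(data) - len(pat) + 1):
            if all(p is None or p == data[i + j] for j, p in enumerate(pat)):
                hits.append(name)
                break
    return hits


# Integrity checking.  crc_baseline is the classic unkeyed checksum database
# kept on disk; keyed_baseline uses HMAC-SHA256 under a key that is NOT kept
# beside the files (assumption: e.g. on a write-protected floppy), so a
# virus that rewrites the database cannot forge a matching value.
def crc_baseline(files):
    return {name: zlib.crc32(data) for name, data in files.items()}


def keyed_baseline(files, key):
    return {name: hmac.new(key, data, hashlib.sha256).digest()
            for name, data in files.items()}


def crc_changed(files, db):
    return sorted(n for n, d in files.items() if zlib.crc32(d) != db.get(n))


def keyed_changed(files, db, key):
    return sorted(n for n, d in files.items()
                  if not hmac.compare_digest(
                      hmac.new(key, d, hashlib.sha256).digest(),
                      db.get(n, b"")))


def infect(files, name, body, crc_db=None):
    """Append a virus body to one file.  If the virus can reach the unkeyed
    CRC database it simply updates the stored value as well, which is the
    well-known attack on checksum-only integrity checkers."""
    infected = dict(files)
    infected[name] = files[name] + body
    if crc_db is not None:
        crc_db[name] = zlib.crc32(infected[name])
    return infected


def demo():
    key = b"operator key kept off the hard disk"          # assumption
    clean = {"EDIT.EXE": b"MZ" + bytes(range(64)), "DIR.COM": b"\x90" * 32}
    crc_db, keyed_db = crc_baseline(clean), keyed_baseline(clean, key)

    known = b"\xb8\x00\x4c\xcd\x21\x12\x34\x55\xaa"    # matches Demo.A
    unknown = b"\xb9\x00\x4c\xcd\x21\x12\x34\x55\xaa"  # new variant, one byte off

    system = infect(clean, "EDIT.EXE", known, crc_db)
    system = infect(system, "DIR.COM", unknown, crc_db)
    return {
        "scanner": {n: scan(d) for n, d in system.items()},
        "crc": crc_changed(system, crc_db),
        "keyed": keyed_changed(system, keyed_db, key),
    }


if __name__ == "__main__":
    for layer, result in demo().items():
        print(f"{layer:8s} {result}")
```

Run stand-alone it reports that the scanner names Demo.A in EDIT.EXE and nothing in DIR.COM, that the CRC layer sees no change at all, and that the keyed layer flags both files. The keyed checker still cannot say *which* virus it found, and it only works because its key is unavailable to the virus; store the key on the same hard disk and it degrades to the CRC case.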
A typical PC installation might include a protection system on the hard
disk's MBR to protect against viruses at load time (ideally this would
be hardware or in BIOS, but software methods such as DiskSecure and
Henrik Stroem's HS are pretty good). This would be followed by resident
virus detectors loaded as part of the machine's startup (CONFIG.SYS or
AUTOEXEC.BAT), such as FluShot+ and/or VirStop and/or ChkBoot. A
scanner such as F-PROT or McAfee's VirusScan and an integrity checker,
such as Integrity Master, could be put into AUTOEXEC.BAT, but this may
be a problem if you have a large disk to check, or don't reboot often
enough. Most importantly, new files and diskettes should be scanned as
they arrive *regardless* of their source. If your system has DR DOS
installed, you should use the PASSWORD command to write-protect all
system executables and utilities. If you have Stacker or SuperStor, you
can get some improved security from these compressed drives, but also a
risk that those viruses stupid enough to directly write to the disk
could do much more damage than normal. In this case a software write-
protect system (such as provided with Disk Manager or The Norton
Utilities) may help. Possibly the best solution is to put all
executables on a disk of their own, with a hardware write-protect system
that sounds an alarm if a write is attempted.
If you do use a resident BSI (boot sector infector) detector or a
scan-while-you-copy detector,
it is important to trace back any infected diskette to its source. The
reason viruses survive so well is that usually you cannot do this,
because the infection is found long after the infecting diskette has
been forgotten due to most people's lax scanning policies.
Organizations should devise and implement a careful policy that may
include a system of vetting new software brought into the building and
free virus detectors for home machines of employees/students/etc who
take work home with them.
Other antivirus techniques include:
1. Creation of a special MBR to make the hard disk inaccessible
when booting from a diskette. This is useful because booting
from a diskette normally bypasses any protection measures
loaded from the CONFIG.SYS and/or AUTOEXEC.BAT files on the
hard disk.
Some of these systems will not prevent infection by some MBR
viruses if the machine is booted from an infected floppy. This
approach is less important now, as most newer PCs allow you to
change the boot order so the first hard drive is tried *before*
any of the floppy drives.
2. Use of Artificial Intelligence to learn about new viruses and
extract scan patterns for them.
Examples: V-Care (CSA Interprint, Israel; distributed in the
US by Sela Consultants Corp.), Victor Charlie (Bangkok
Security Associates, Thailand; distributed in the US by
Computer Security Associates).
3. Encryption of files (with decryption before execution).
4. Diskette "fences". There are three different approaches to
this. One prevents executables from being accessed from
floppy drives while another prohibits the use of unscanned
(possibly "unclean") files or diskettes. A third method uses
a non-standard diskette format so diskettes can only be used
on (and therefore shared among) machines using the
appropriate antivirus software (usually all those within a
site or company). This last method is probably the most
common diskette fence and provides better protection against
boot sector viruses than the other "fence" types.
The workings of the first and third are probably fairly clear
from these brief descriptions. The second approach works by
writing special information to normally unused areas of the
diskette as part of the scanning process, and by installing a
driver on the users' machines that refuses access to files that
aren't marked as scanned (or to any part of a diskette that
contains unscanned files). Alternatives include encrypting
scanned files and using drivers that only allow access to
encrypted files, and so on. One advantage of this second type of
system is that you only need scanners on the "perimeter
checking" machines, reducing the overhead and cost of keeping
your scanners up to date.
Examples: D-Fence, Virus Fence, TbFence, DiskNet.