70 What are "virus simulators" and what use are they? (Computer virus)




Description

This article is from the Computer Viruses FAQ, by Nick FitzGerald (n.fitzgerald@csc.canterbury.ac.nz), with numerous contributions by others.

There are three different kinds of programs that are often called "virus
simulators". None of the three generate actual viruses. The first kind
demonstrate the audio- and video-effects of some real computer viruses.
The second kind are programs that simulate a virtual environment--a
virtual computer, with virtual disks, virtual files, and virtual viruses
on them. The user of such programs can manipulate the simulated
objects, letting the simulated viruses infect the simulated files on the
simulated disks, watching every step of the process, without a danger of
"real infection". The third kind are programs that generate files
containing scan strings used by some scanners to detect real viruses.
The idea is that those scanners will detect the generated files too,
thus letting the user get the feeling of what discovering a virus is
like, but without risking a real infection.

There are three ways in which virus simulators are usually used:

1) For educational purposes. The second kind of virus simulators are
very useful and valuable for this purpose, provided the simulated
environment is realistic enough. The first kind are also somewhat
useful--mainly teaching the users what the video- or audio-effects of
particular viruses are like. There is the danger, however, that users
will get the incorrect impression that *every* computer virus
demonstrates itself in some visible or audible way. The third kind of
virus simulators are not useful for this purpose--they do not show how
computer viruses work, do not show what computer viruses do, and because
their virus fragments are not reliably detected as viruses by many good
scanners, may give the wrong impression of a scanner's value.

2) As an installation check that antivirus defenses are installed and
working. The first and second kinds of virus simulators are unsuitable
for this, because they do not trigger any antivirus defenses. Even the
third kind of virus simulators have a rather limited value in this
regard, as the files generated by them often fail to trigger virus
defenses, which are designed to protect against *real* viruses. Unlike
the producers of such simulators, many believe it is the job of the
producer of an antivirus product to provide the means of checking
whether that product is installed and working. This position rests on
two points: the authors know their products better than anyone else,
and updated check methods will normally be provided as the antivirus
defenses employed in any given product change.

3) As a test of the quality of the antivirus defense--usually a scanner.
Again, the first two kinds of simulators are unsuitable for this purpose
because they do not trigger antivirus defenses. The third kind of virus
simulators often do, from which many users get the impression that they
are suitable for these testing purposes. This is a serious
misconception. The files that such programs generate are not real
viruses; antivirus programs, particularly virus-specific ones like
scanners, are designed to detect real viruses. Therefore, one must not
draw a conclusion from the ability or the inability of a product to
detect "simulated viruses" of the third kind--the fact that they are
detected does not necessarily mean that a real virus will be detected,
and the fact that they are not detected does not mean that the real
virus they are supposed to represent will not be detected!
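
An added illustration of point 3 (not part of the original FAQ): three
toy scanners are run over a simulator-style file and two stand-in
samples. Every byte string, name and scanner design below is a
constructed assumption; nothing is taken from a real virus or product.

```python
import hashlib

# Every byte string here is a constructed, inert placeholder, not real malware.
STRING_A = b"\x90\x41\x5a\x13\x37\xaa\x55\x01"   # scan string the simulator embeds
STRING_B = b"\x7f\x10\xfe\xed\x42\x24\x99\x02"   # another scanner's string, same virus
BODY = b"[entry]" + STRING_A + b"[replication logic]" + STRING_B + b"[payload]"
# Hypothetical variant: one byte inside the STRING_A region differs.
VARIANT = BODY.replace(STRING_A, b"\x90\x41\x5a\x13\x38\xaa\x55\x01")

def simulator_file():
    """Third-kind simulator output: a scan string surrounded by filler."""
    return b"\x00" * 64 + STRING_A + b"\x00" * 64

def infected(body):
    """Stand-in for a host program with a virus body appended."""
    return b"HOST-PROGRAM-BYTES" * 4 + body

def scan_substring(data, pattern):
    """Scanner that reports a hit if its scan string occurs anywhere."""
    return pattern in data

def scan_exact(data):
    """Scanner that finds STRING_A, then verifies a hash of the whole body."""
    at = data.find(STRING_A)
    start = at - BODY.index(STRING_A)
    if at < 0 or start < 0:
        return False
    candidate = data[start:start + len(BODY)]
    return hashlib.sha256(candidate).digest() == hashlib.sha256(BODY).digest()

def results():
    """Run each toy scanner over each sample; returns {scanner: {sample: hit}}."""
    samples = {"simulated": simulator_file(), "real": infected(BODY),
               "variant": infected(VARIANT)}
    scanners = {"A substring": lambda d: scan_substring(d, STRING_A),
                "B substring": lambda d: scan_substring(d, STRING_B),
                "C exact": scan_exact}
    return {s: {n: f(d) for n, d in samples.items()} for s, f in scanners.items()}

if __name__ == "__main__":
    for scanner, row in results().items():
        print(f"{scanner:12} {row}")
```

Scanner A flags the simulated file yet misses the variant, while
scanners B and C ignore the simulated file yet detect the stand-in
"real" sample, so neither outcome on the simulated file predicts the
outcome on an actual infection.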

One exception to the above is simulators that do not generate files
containing scan strings, but instead simulate the different kinds of
attacks that real viruses use, without being able to replicate.
Examples of such attacks include different methods of tunnelling,
stealth, attacks against integrity checkers, and so on. Such simulators
are useful for testing antivirus products that are not virus-specific,
especially if the simulator exercises a wide range of known attacks.

 
