
Computer Security - Anti-Virus Software

From M/Cyclopedia of New Media

Anti-Virus Software

Wikipedia (2002) defines an anti-virus software program as a computer program that can be used to scan files to identify and eliminate computer viruses and other malicious software (malware). Typically, anti-virus software uses two different approaches to find and eradicate viruses: examining files for known viruses by means of a virus dictionary, and identifying suspicious behaviour from any running program that might indicate an infection (AntivirusWorld.com 2003).

The virus dictionary approach utilises prior knowledge of virus characteristics to identify any already-known viruses that could infect the host. AntivirusWorld.com (2003) suggests that as the anti-virus software examines a file, it refers to a virus dictionary – put together by those behind the program – that consists of all viruses that the authors have already identified. If a piece of code within the scanned file matches any virus identified in the dictionary, the software automatically takes action. In order to remain effective, virus dictionaries require periodic online downloads of updated entries. Typically, dictionary-based anti-virus software examines files as they are created, opened, closed, and emailed, so that a virus can be detected immediately upon receipt; it can also be scheduled to examine the files on the user’s hard disk on a regular basis.

AntivirusWorld.com (2003) implies that the suspicious behaviour approach monitors the behaviour of all programs and alerts the user when a program’s actions are flagged as suspicious. This approach does provide effective protection against brand-new viruses; however, it also desensitises users to warnings because a large amount of harmless activity is identified as a threat. This desensitisation has grown in recent times because an increasing number of new programs are written without regard for this method of virus protection, so their ordinary actions raise yet more warnings for the user. Most modern anti-virus software uses this particular approach less and less.

Another approach that some anti-virus programs take to identifying viruses is to emulate the beginning of the code of each new executable file before control is transferred to it. If the program seems to be using self-modifying code or otherwise looks like a virus, the approach assumes that the file has been infected (Wikipedia 2002).

One other method of virus detection is using a sandbox. Wikipedia (2002) suggests that a sandbox imitates the operating system and runs the executable file in this simulation. After the program has terminated, the sandbox is analysed for changes that may indicate a virus. This type of detection is only performed during on-demand scans due to performance issues.

Regardless of which approach an anti-virus program utilises, once a virus is successfully detected most programs take similar action. All anti-virus software either deletes the file, eradicating it from the computer altogether; quarantines the file, making it inaccessible to other programs so that its virus is unable to spread; or attempts to repair the file, working to remove the virus itself from the file.
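The dictionary approach and the three responses described above, as an added example that is not part of the original page or of any real anti-virus product: the signature dictionary, the file paths and the quarantine directory name are all constructed for illustration, and the "repair" merely strips the matched bytes rather than restoring a real infected executable.

```python
import hashlib
import os
import shutil
from pathlib import Path

# Constructed signature dictionary: entry name -> byte pattern. These patterns
# are made up for this example and are not real malware signatures.
SIGNATURES = {
    "Test.Pattern.A": b"CONSTRUCTED-TEST-PATTERN-A",
    "Test.Pattern.B": b"\xde\xad\xbe\xef\x00\x01",
}


def scan_bytes(data):
    """Return the names of every dictionary entry whose pattern occurs in data."""
    return [name for name, pattern in SIGNATURES.items() if pattern in data]


def scan_file(path):
    """Dictionary scan of one file on disk, as an on-access or scheduled scan would do."""
    return scan_bytes(Path(path).read_bytes())


def repair_bytes(data, names):
    """Attempt a repair: strip every matched pattern from the file contents."""
    for name in names:
        data = data.replace(SIGNATURES[name], b"")
    return data


def quarantine_file(path, quarantine_dir):
    """Move the file into the quarantine directory under its SHA-256 name and
    clear all permission bits so other programs can neither read nor run it."""
    src = Path(path)
    dest = Path(quarantine_dir) / (hashlib.sha256(src.read_bytes()).hexdigest() + ".quarantined")
    dest.parent.mkdir(parents=True, exist_ok=True)
    shutil.move(str(src), str(dest))
    os.chmod(dest, 0)
    return dest


def handle_detection(path, action="quarantine", quarantine_dir="quarantine"):
    """Scan a file and apply one of the three responses: delete, quarantine or repair."""
    names = scan_file(path)
    if not names:
        return "clean"
    if action == "delete":
        Path(path).unlink()
    elif action == "quarantine":
        quarantine_file(path, quarantine_dir)
    elif action == "repair":
        target = Path(path)
        target.write_bytes(repair_bytes(target.read_bytes(), names))
    else:
        raise ValueError("unknown action: " + action)
    return action + ": " + ", ".join(names)
```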

List of References

Anti-virus Software. 2002. Wikipedia Web site: http://en.wikipedia.org/wiki/Anti-virus_software (accessed October 26, 2004).

How does anti-virus software work? 2003. AntivirusWorld.com Web site: http://www.antivirusworld.com/articles/antivirus.php (accessed October 27, 2004).

Melissa Patch 22:29, 28 Oct 2004 (EST)
