Lesson "Antivirus programs"

When a computer is infected with a virus, it is important to detect the infection. To do this you need to know the main signs of a virus infection:

- previously working programs stop running or start working incorrectly
- slow computer performance
- inability to boot the operating system
- disappearance of files and directories or corruption of their contents
- changes to the modification date and time of files
- changes in file sizes
- an unexpected, significant increase in the number of files on the disk
- a significant reduction in the amount of free RAM
- unexpected messages or images displayed on the screen
- unexpected sound signals
- frequent freezes and crashes of the computer

To protect against viruses you can use:

- general information protection tools, which are also useful as insurance against physical damage to disks, malfunctioning programs or erroneous user actions;

- preventive measures that reduce the likelihood of infection;

- specialized programs for virus protection.

General information security measures useful not only for protecting against viruses:

  1. copying information - creating copies of files and of the system areas of disks;
  2. access control, which prevents unauthorized use of information and, in particular, protects programs and data from being changed by viruses, malfunctioning programs and erroneous user actions.

Preventive measures

- Do not use questionable disks or other storage media.

- Restrict access to program files by making them read-only where possible.

- When working on a network, avoid running programs stored on other computers if possible.

- Store programs and data in archives and in separate subdirectories of the hard drive.

- Do not copy programs for your own use from random copies.

- Be sure to have an antivirus program.

Specialized programs for virus protection

Antivirus programs allow you to protect, detect and remove computer viruses. All specialized programs for virus protection can be divided into several types:

- detectors,

- doctors (phages),

- auditors,

- doctor-auditors,

- filters and vaccines (immunizers).

DETECTOR PROGRAMS allow you to detect files infected with one of several known viruses. These programs check whether the files on the user-specified drive contain the combination of bytes specific to a given virus. When such a combination is found in a file, a corresponding message is displayed on the screen. Many detectors have modes for curing or destroying infected files.

It should be emphasized that detector programs can only detect viruses that are “known” to them. Some detector programs can be configured for new types of viruses; the user only needs to specify the byte combinations characteristic of those viruses. However, it is impossible to develop a program that could detect any previously unknown virus.

Thus, the fact that a program is not recognized by detectors as infected does not mean that it is clean: it could contain a new virus, or a slightly modified version of an old virus, unknown to the detector programs.

Most detector programs have a “doctor” function, i.e. they attempt to return infected files or disk areas to their original state. Those files that could not be recovered are usually rendered inoperative or deleted.
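
The detector and doctor behaviour described above, as an added example in Python that is not part of the lesson. The virus database, the "Toy.Appender" virus, its 28-byte body, the signature bytes and the sample programs are all constructed for the demo; the doctor mode works only because the database records where the signature sits inside the body and how long the body is, which is exactly the knowledge a detector lacks for an unknown or modified virus.

```python
# Added example (Python), not from the lesson: a toy detector with a "doctor"
# mode for a constructed appender virus. Every sample below is constructed here.

# Detector database: per known virus, the characteristic byte combination
# (signature), where it sits inside the virus body, and the body length.
# The doctor mode needs the last two fields to cut the body out cleanly.
VIRUS_DB = {
    "Toy.Appender": {
        "signature": b"TOY-APPENDER-SIG",
        "sig_offset": 4,     # signature starts 4 bytes into the virus body
        "body_len": 28,      # total length of the appended body
    },
}

# Constructed virus body used only to build test samples (28 bytes).
TOY_BODY = b"\x90\x90\x90\x90" + b"TOY-APPENDER-SIG" + b"\xcd\x21END!!!"
assert len(TOY_BODY) == VIRUS_DB["Toy.Appender"]["body_len"]

# Constructed clean program.
CLEAN_PROGRAM = b"MZ\x90\x00" + b"ORIGINAL PROGRAM CODE" + b"\x00" * 8


def make_infected_sample(program: bytes) -> bytes:
    """Build a test file the way an appender leaves it: original code, then the body."""
    return program + TOY_BODY


def scan(data: bytes):
    """Detector: return the name of the first known virus whose signature is present."""
    for name, rec in VIRUS_DB.items():
        if rec["signature"] in data:
            return name
    return None


def cure(data: bytes):
    """Doctor mode: remove the known virus body and return the restored program,
    or None when nothing known was found (a detector cannot cure what it
    cannot recognise)."""
    name = scan(data)
    if name is None:
        return None
    rec = VIRUS_DB[name]
    start = data.find(rec["signature"]) - rec["sig_offset"]
    end = start + rec["body_len"]
    return data[:start] + data[end:]


def scan_files(files: dict) -> dict:
    """Check every file on a 'drive' (name -> bytes) and report the findings."""
    return {name: scan(data) for name, data in files.items()}


if __name__ == "__main__":
    drive = {
        "GAME.EXE": make_infected_sample(CLEAN_PROGRAM),
        "EDIT.COM": CLEAN_PROGRAM,
        # One byte of the signature changed: a "slightly modified version of an
        # old virus" that this detector's database does not know.
        "TOOL.EXE": make_infected_sample(CLEAN_PROGRAM).replace(b"APPENDER", b"APPENDOR"),
    }
    for name, verdict in scan_files(drive).items():
        print(f"{name}: {verdict or 'no known virus found'}")
    print("GAME.EXE restored:", cure(drive["GAME.EXE"]) == CLEAN_PROGRAM)
```

Running the block shows the two halves of the argument: GAME.EXE is detected and restored byte for byte, while TOOL.EXE, which differs from it by a single byte inside the signature, is reported as having "no known virus found" even though it carries the same appended body.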

Dr.Web was created in 1994 by I. A. Danilov and belongs to the class of doctor-detectors. It has a so-called “heuristic analyzer”, an algorithm that makes it possible to detect unknown viruses. “The Healing Web”, as the program's name translates from English, was the response of domestic programmers to the invasion of self-modifying mutant viruses. When they multiply, such viruses modify their body so that not a single characteristic chain of bytes present in the original version of the virus remains.

The program's reputation is backed by the fact that a large license (for 2000 computers) was acquired by the Main Directorate of Information Resources under the President of the Russian Federation; the second largest buyer of Dr.Web is Inkombank.

Aidstest was written in 1988 by D. N. Lozinsky and is a detector-doctor. Aidstest is designed to cure programs infected with ordinary (non-polymorphic) viruses that do not change their code. This limitation comes from the fact that the program searches for viruses by their identifying codes; in return, it achieves a very high file-checking speed.

AUDITORS have two stages of work. First, they remember information about the state of programs and system areas of disks (the boot sector and the sector with the hard disk partition table). It is assumed that at this moment programs and system disk areas are not infected. After this, using the auditor program, you can compare the state of programs and system disk areas with the original state at any time. Any discrepancies detected are reported to the user.

ADinf (Advanced Diskinfoscope) belongs to the class of auditor programs. It was created by D. Yu. Mostov in 1991.

The antivirus works at high speed and is capable of successfully resisting viruses located in memory. It checks the disk by reading it sector by sector through the BIOS, without using DOS system interrupts, which can be intercepted by a virus.

To cure infected files, the ADinf Cure Module is used; it is not included in the ADinf package and is supplied separately. The module works by keeping a small database describing the controlled files. Working together, these programs can detect and remove about 97% of file viruses and 100% of boot sector viruses. For example, the sensational SatanBug virus was easily detected, and files infected with it were automatically restored. Moreover, even users who had purchased ADinf and the ADinf Cure Module several months before this virus appeared were able to get rid of it without difficulty.

AVP (Anti-Virus Protection) combines a detector, a doctor and an auditor, and even has some resident filter functions (it prohibits writing to files with the READ ONLY attribute). It is an antivirus kit that is an extended version of the well-known “Doctor Kaspersky” antivirus kit. While running, the program also tests for unknown viruses. The kit includes a resident program that monitors suspicious actions performed on the computer and makes it possible to view a memory map. A special set of utilities helps to detect new viruses and analyze them.

The antivirus can cure both known and unknown viruses, and the user can tell the program how to cure the latter. In addition, AVP can cure self-modifying and stealth viruses.

Norton AntiVirus is a “set it and forget it” type of antivirus package. All required configuration parameters and scheduled activities (checking the disk, checking new and modified programs, launching the Windows Auto-Protect utility, checking the boot sector of drive A: before rebooting) are set by default. The disk scanning program is available for DOS and Windows. Among other things, Norton AntiVirus detects and destroys even polymorphic viruses, responds successfully to virus-like activity, and fights unknown viruses.

FILTERS, also called WATCHMEN or MONITORS, reside in the computer's RAM and intercept those calls to the operating system that viruses use to reproduce and cause harm, reporting them to the user. The user can allow or deny the corresponding operation.

Some filter programs do not “catch” suspicious actions, but check the programs called for execution for viruses. This causes your computer to slow down.

However, the advantages of using filter programs are very significant - they allow you to detect many viruses at a very early stage, when the virus has not yet had time to multiply and spoil anything. This way you can reduce losses from the virus to a minimum.

VACCINES, or IMMUNIZERS, modify programs and disks in such a way that this does not affect the operation of the programs, but the virus against which the vaccination is performed considers these programs or disks already infected. These programs are extremely ineffective. (Filters, in contrast, monitor potentially dangerous operations and ask the user to allow or prohibit each one.)

Flaws of antivirus programs

- None of the existing antivirus technologies can provide full protection from viruses.

- An antivirus program takes up part of the system's computing resources, loading the CPU and hard drive. This can be especially noticeable on weak computers. The slowdown of background work can reach 380%.

- Antivirus programs can see a threat where there is none (false positives).

- Antivirus programs download updates from the Internet, consuming bandwidth.

- Various methods of encryption and packaging of malware make even known viruses undetectable by antivirus software. Detecting these “disguised” viruses requires a powerful decompression engine that can decrypt files before scanning them. However, many antivirus programs lack this feature, so it is often impossible to detect encrypted viruses.

There are a large number of paid and free antivirus programs. Among them, the following popular brands can be distinguished:

So what is an antivirus? For some reason, many people believe that an antivirus can detect any virus, that is, that by running an antivirus program you can be absolutely sure of the result. This point of view is not entirely correct.

The fact is that an antivirus is also a program, of course written by a professional. But these programs are able to recognize and destroy only known viruses. That is, an antivirus against a specific virus can be written only if the programmer has at least one copy of this virus. So there is this endless war between the authors of viruses and antiviruses, although for some reason there are always more of the former in our country than the latter.

But the creators of antiviruses also have an advantage! The fact is that there are a large number of viruses, the algorithm of which is practically copied from the algorithm of other viruses. As a rule, such variations are created by unprofessional programmers who, for some reason, decided to write a virus. To combat such “copies”, a new weapon has been invented - heuristic analyzers. With their help, the antivirus is able to find similar analogues of known viruses, informing the user that he seems to have a virus. Naturally, the reliability of the heuristic analyzer is not 100%, but still its efficiency is greater than 0.5.

Thus, in this information war, as, indeed, in any other, the strongest remain. Viruses that are not recognized by antivirus detectors can only be written by the most experienced and qualified programmers.

There is a class of antivirus programs that are permanently stored in the computer's RAM and monitor all suspicious actions performed by other programs.

Such programs are called filters, resident monitors or guards.

Filter programs, also called resident watchmen and resident monitors, are permanently located in RAM and intercept specified interrupts in order to monitor suspicious activity. At the same time, they can block “dangerous” actions or issue a request to the user.

Actions subject to control may be the following:

    modification of the master boot record (MBR) and of the boot records of logical drives and floppy disks,

    record by absolute address,

    low-level disk formatting,

    leaving the resident module in the RAM, etc.

Like auditors, filters are often “intrusive” and create certain inconveniences in the user's work.

A resident monitor will inform the user if any program tries to:

    change the boot sector of a hard disk or floppy disk, or an executable file;

    leave a resident module in RAM, etc.

Resident monitors control the following operations:

    writing to or updating program files and the system area of the disk;

    disk formatting;

    resident placement of programs in RAM.

The user is prompted to allow or deny the action.

The operating principle of these programs is based on intercepting the corresponding interrupt vectors.

Most resident monitors make it possible to automatically check all launched programs for infection with known viruses, i.e. to perform scanner functions. Such a check takes some time and slows down program loading, but you can be sure that known viruses will not be able to activate on your computer.

The advantage of programs of this class over detector programs is their universality with respect to both known and unknown viruses, whereas detectors are written for the specific types of viruses currently known to the programmer.

This is especially true now, when many mutant viruses have appeared that do not have a permanent code.

However, filter programs cannot track:

    viruses that attack the BIOS directly,

    and BOOT viruses, which are activated before the antivirus is launched, at the initial stage of loading DOS.

At the same time, resident monitors have many shortcomings that make this class of programs unsuitable for use.

Many programs, even those that do not contain viruses, can perform actions to which resident monitors respond.

For example, the standard LABEL command modifies data in the boot sector and triggers the monitor.

Therefore, the user's work will be constantly interrupted by annoying antivirus messages. In addition, the user will have to decide each time whether this trigger is caused by a virus or not. As practice shows, sooner or later the user turns off the resident monitor.

Another disadvantage of resident monitors is that they must be constantly loaded into RAM and therefore reduce the amount of memory available to other programs.

The MS-DOS operating system already includes a resident antivirus monitor, VSafe.

When some resident antivirus monitors are installed, conflicts may arise with other resident programs that use the same interrupts, which simply stop working.

An antivirus is a program that detects and neutralizes computer viruses.

Detector programs, or scanners, make it possible to detect files infected with viruses. When a virus is found in a file, a corresponding message is displayed on the screen. Many detectors have modes for curing or destroying infected files. The disadvantage of such programs is that they can only detect viruses known to their developers. Examples of antivirus scanners: A-squared Free, Dr.Web CureIt, BitDefender Free Edition, ClamWin, etc.

Doctor programs (phages) not only find files infected with viruses but also “treat” them, i.e. remove the body of the virus program from the file, returning the file to its initial state. Among the phages there are polyphages, designed to search for and destroy a large number of viruses. The best known of them are Aidstest, Doctor Web and Norton AntiVirus.

Auditor programs analyze the current state of files and system areas of the disk and compare it with information previously saved in one of the auditor's data files. The comparison is usually made immediately after the operating system boots. It checks the length of the files, their creation time and other parameters. Detected changes are displayed on the screen. By analyzing the auditor's message, the user can decide what caused the changes. Common auditor programs include Adinf32, AVP Inspector and the auditor built into Kaspersky Anti-Virus.

Filter programs are resident programs that notify the user of every attempt by any program to write to a disk or format it, and also report other suspicious actions. The advantage of such programs is their universality with respect to both known and unknown viruses. The disadvantage is the frequent requests to confirm an operation. A common filter program is AVP Monitor.

Viruses enter a computer mainly along with software. Therefore the most important thing in protecting against viruses is to use uninfected programs, since the main source of viruses is illegal, so-called “pirated” copies of software. Computer games and various kinds of entertainment programs are particularly dangerous, as they are carriers of computer infections more often than others. So the first and most important rule of antivirus protection is: USE ONLY LICENSED PROGRAMS FROM RELIABLE SUPPLIERS. The following organizational recommendations follow from this rule:

- purchase all programs in original packaging from a reliable supplier;

- do not use other people's floppy disks unless absolutely necessary;

- do not launch programs whose purpose is unknown or unclear.

Since not all users comply with the above rule and, in addition, you may encounter the actions of intruders, you must also follow these rules:

- do not lend your floppy disks to others, so that they do not come back infected;

- restrict unauthorized persons' access to your PC and prohibit them from using their own floppy disks on it without your permission;

- before starting work on a PC after another person, perform a cold restart to remove from RAM any resident viruses that may be present there;

- when several users work on one PC, partition the hard drive into several logical drives and differentiate access rights to the different drives;

- include antivirus protection programs in the AUTOEXEC.BAT file;

- do not limit yourself to a single antivirus product: new viruses appear constantly, and new antivirus programs are required to detect them;

- use write-protected floppy disks whenever possible.

Protection methods.

Definition of antivirus programs and their classification.

Whatever the virus, the user needs to know the basic methods of protecting against computer viruses.

To protect against viruses you can use:

- general information security tools, which are also useful as insurance against physical damage to disks, malfunctioning programs or erroneous user actions;

- preventive measures that reduce the probability of virus infection;

- specialized programs for virus protection.

There are two main types of general information security tools, providing:

- copying of information - creating copies of files and of the system areas of disks;

- access control, which prevents unauthorized use of information and, in particular, protects programs and data from being changed by viruses, malfunctioning programs and erroneous user actions.

To detect, remove and protect against computer viruses, several types of special programs have been developed that allow you to detect and destroy viruses. Such programs are called antivirus programs. There are the following types of antivirus programs:

Detector programs;

Doctor programs or phages;

Audit programs;

Filter programs;

Vaccine or immunizer programs.

Detector programs search RAM and files for a code (signature) characteristic of a particular virus and, if it is found, display a corresponding message. The disadvantage of such antivirus programs is that they can only find viruses known to their developers.

Doctor or phage programs, as well as vaccine programs, not only find files infected with viruses, but also “treat” them, that is, they remove the body of the virus program from the file, returning the files to their original state. At the beginning of their work, phages search for viruses in RAM, destroying them, and only then proceed to “cleaning” files. Among the phages, polyphages are distinguished, i.e., doctor programs designed to search for and destroy a large number of viruses. The most famous of them: Aidstest, Scan, Norton AntiVirus, Doctor Web.

Considering that new viruses are constantly appearing, detector programs and doctor programs quickly become outdated, and regular version updates are required.

Polyphage antiviruses are the most common means of combating malware. Historically, they appeared first and still hold the undisputed leadership in this area.

The work of polyphages is based on a simple principle: searching in programs and documents for familiar sections of virus code (the so-called virus signatures). In general, a signature is a record about a virus that makes it possible to uniquely identify the presence of its code in a program or document. Most often, the signature is either a part of the virus code itself or its checksum (digest).



Initially, polyphage antiviruses worked on a very simple principle - they sequentially scanned files to see if they contained virus programs. If a virus signature was detected, then a procedure was carried out to remove the virus code from the body of the program or document. Before starting to scan files, the phage program always checks the RAM. If there is a virus in the RAM, it is deactivated. This is due to the fact that virus programs often infect those programs that are launched or opened at the moment when the virus is in the active stage (this is due to the desire to save on efforts to find objects of infection). Thus, if the virus remains active in memory, then a total scan of all executable files will lead to a total infection of the system.

Nowadays, virus programs have become much more complex. For example, so-called “stealth viruses” appeared. Their work relies on the fact that the operating system uses the interrupt mechanism when accessing peripheral devices (including hard drives). Here a short digression on how the interrupt mechanism works is needed. When an interrupt occurs, control is transferred to a special program, the “interrupt handler”. This program is responsible for transferring information to and from the peripheral device. In addition, interrupts are divided into levels of interaction with peripherals (in our case, with hard and floppy disks). There is the operating system level (in the MS-DOS environment, interrupt 25h), and there is the basic input/output system level (BIOS level, interrupt 13h). Experienced system programmers can also work directly with the device's I/O ports, but this is a rather serious and difficult task. Such a multi-level system was built primarily to maintain application portability. It was thanks to this system, for example, that it became possible to run DOS applications in multitasking environments such as MS Windows or IBM OS/2.

But in such a system, a vulnerability is initially hidden: by controlling the interrupt handler, you can control the flow of information from the peripheral device to the user. Stealth viruses, in particular, use a mechanism to intercept control when an interrupt occurs. Replacing the original interrupt handler with their own code, stealth viruses control the reading of data from the disk.

If an infected program is read from a disk, the virus “bites out” its own code (usually the code is not literally cut out; instead, the number of the disk sector being read is substituted). As a result, the user receives “clean” code to read. Thus, as long as the interrupt handler vector is modified by the virus code and the virus itself is active in the computer's memory, it is impossible to detect it by simply reading the disk through the operating system. A similar camouflage mechanism is used by boot viruses, which will be discussed later. To combat stealth viruses, it was previously recommended (and, in principle, is still recommended) to boot the system from an alternative floppy disk and only then search for and remove virus programs. Currently, booting from a floppy disk may be problematic (Win32 antivirus applications cannot be run from it). In view of all of the above, polyphage antiviruses are most effective only when fighting already known viruses, that is, those whose signatures and behavior are familiar to the developers.

Only in this case will the virus be detected and removed with 100% accuracy from the computer’s memory, and then from all scanned files. If the virus is unknown, then it can quite successfully resist attempts to detect and treat it. Therefore, the main thing when using any polyphage is to update program versions and virus databases as often as possible.
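
The stealth mechanism and the two read paths described above, as an added example in Python that is not part of the lesson. It models a disk as a dictionary of sectors, an "OS-level" read that passes through installed handlers, and a "BIOS-level" read that does not, and then runs the cross-view check that ADinf-style auditors use: the disk contents, the sector numbers, the hook and the reader functions are all constructed for the demo and do not correspond to real DOS interrupt code.

```python
# Added example (Python), not from the lesson: a toy model of the stealth trick
# described above and of the cross-view check that exposes it. The disk, the
# sectors and the hook are all constructed for the demo.

# Constructed disk: sector number -> content. Sector 0 is the boot sector.
CLEAN_SECTORS = {0: b"BOOT-ORIGINAL", 7: b"PROGRAM-ORIGINAL"}


def raw_read(disk, sector):
    """Read straight from the medium; stands in for a BIOS-level (int 13h) read."""
    return disk[sector]


def make_os_reader(hooks):
    """Build an OS-level reader (the int 25h path): the data passes through every
    handler currently installed. On a clean system the hook list is empty."""
    def os_read(disk, sector):
        data = raw_read(disk, sector)
        for hook in hooks:
            data = hook(sector, data)
        return data
    return os_read


def stealth_hook_for_demo(hidden):
    """Simulated stealth behaviour from the text: for sectors it has changed, the
    hook answers with the saved original content, so callers see a clean disk."""
    def hook(sector, data):
        return hidden.get(sector, data)
    return hook


def cross_view_check(disk, os_read, sectors):
    """ADinf-style check: read each sector through both paths and report the
    sectors whose contents differ. Any difference means an installed handler is
    altering what the operating system shows."""
    return [s for s in sectors if os_read(disk, s) != raw_read(disk, s)]


def demo():
    disk = dict(CLEAN_SECTORS)
    disk[0] = b"BOOT-MODIFIED"          # the boot sector was overwritten on disk
    hidden = {0: CLEAN_SECTORS[0]}      # ... and the hook hides that change
    hooked_os_read = make_os_reader([stealth_hook_for_demo(hidden)])
    clean_boot_os_read = make_os_reader([])   # after booting from a clean floppy
    return {
        "os_view_while_hooked": hooked_os_read(disk, 0),
        "raw_view": raw_read(disk, 0),
        "discrepancies_while_hooked": cross_view_check(disk, hooked_os_read, [0, 7]),
        "discrepancies_after_clean_boot": cross_view_check(disk, clean_boot_os_read, [0, 7]),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

While the hook is installed, a scanner that reads sector 0 through the operating system gets `BOOT-ORIGINAL` and finds nothing, but the cross-view check reports sector 0 because the BIOS-level read disagrees. After a clean boot no hook is present, both paths agree, and an ordinary scan sees the real `BOOT-MODIFIED` contents.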

Standing apart here are the so-called heuristic analyzers. The fact is that there are a large number of viruses, the algorithm of which is practically copied from the algorithm of other viruses.

As a rule, such variations are created by unprofessional programmers who, for some reason, decided to write a virus. To combat such “copies”, heuristic analyzers were invented. With their help, the antivirus is able to find similar analogues of known viruses, informing the user that he seems to have a virus. Naturally, the reliability of the heuristic analyzer is not 100%, but still its efficiency is more than 50%. Viruses that are not recognized by antivirus detectors can only be written by the most experienced and qualified programmers.

A heuristic code analyzer is a set of routines that analyze the code of executable files, memory or boot sectors in order to detect different types of computer viruses. The main part of a heuristic analyzer is the code emulator. The code emulator works in viewing mode: its main task is not to execute the code but to detect all kinds of events in it, i.e. a code fragment or a call to a certain operating system function aimed at modifying system data or working with files, or a construct frequently used by viruses. Roughly speaking, the emulator looks at the program code and identifies the actions this program performs. If the actions of the program fit a certain pattern, then a conclusion is drawn that the program contains virus code.

Of course, the probability of both a miss and a false positive is very high. However, by correctly using the heuristic mechanism, the user can independently come to the right conclusions. For example, if an antivirus generates a message about a suspected virus for a single file, then the probability of a false positive is very high. If this is repeated on many files (and before that the antivirus did not detect anything suspicious in these files), then we can talk about the system being infected with a virus with a probability close to 100%. Dr.Web antivirus currently has the most powerful heuristic analyzer.

The use of a heuristic analyzer, in addition to all of the above, also makes it possible to deal with virus generators and polymorphic viruses.

The classic method of identifying viruses by signature is generally ineffective here. Virus generators are specialized sets of libraries that allow a user with little knowledge of programming to easily construct their own virus. The generator libraries are linked to the written program, calls to external procedures are inserted in the required places, and an elementary virus turns into a rather complex product. The saddest thing is that in this case the signature of the virus will be different each time, so the virus can only be tracked by its characteristic calls to external procedures, and that is the job of a heuristic analyzer. A polymorphic virus has an even more complex structure. The body of the virus itself changes from infection to infection, while its functional content is preserved.

In the simplest case, if empty instructions that do nothing (such as “mov ax, ax” or “nop”) are scattered randomly through the body of the virus, then the body of the virus code changes significantly, but the algorithm remains the same. In this case, too, the heuristic analyzer comes to the rescue.
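
The heuristic analyzer from the preceding paragraphs, as an added example in Python that is not part of the lesson. Code is represented as a tuple of instruction names; the names, the weights, the threshold, the known signature and the four sample programs are all constructed for the demo (only the no-ops `nop` and `mov ax, ax` come from the text). The block shows the two ideas side by side: a verbatim signature fails on a copy padded with no-ops, while the "emulator view" that keeps only instructions that do something still recognises it, and the single-hit versus many-hits rule of thumb applied to a whole drive.

```python
# Added example (Python), not from the lesson: a toy heuristic analyser working
# on constructed instruction streams. The instruction names are invented for
# the demo; they are not real x86 mnemonics, except the no-ops quoted in the text.

# Instructions that change nothing; a polymorphic engine scatters these to
# break signatures without changing what the code does.
NO_OPS = {"nop", "mov ax, ax", "xchg bx, bx"}

# Signature of a known toy virus: an exact run of four instructions.
KNOWN_SIG = ("find_first *.exe", "open_file", "write_file", "set_vector 21h")

# Events the "emulator" looks for, each with a weight for how virus-like it is.
SUSPICIOUS_EVENTS = {
    "find_first *.exe": ("searches the disk for executables", 1),
    "write_file":       ("writes into another program file", 2),
    "set_vector 21h":   ("replaces the DOS services interrupt handler", 3),
    "set_vector 13h":   ("replaces the BIOS disk interrupt handler", 3),
    "go_resident":      ("stays resident in memory after exit", 2),
}
THRESHOLD = 5  # score at or above which a file is reported as suspicious


def normalize(code):
    """Emulator view of the code: keep only instructions that actually do something."""
    return tuple(insn for insn in code if insn not in NO_OPS)


def signature_match(code, sig=KNOWN_SIG):
    """Classic detector: the signature must occur verbatim, padding breaks it."""
    code = tuple(code)
    return any(code[i:i + len(sig)] == sig for i in range(len(code) - len(sig) + 1))


def heuristic_score(code):
    """Sum the weights of virus-like events found in the normalised code."""
    score, reasons = 0, []
    for insn in normalize(code):
        if insn in SUSPICIOUS_EVENTS:
            reason, weight = SUSPICIOUS_EVENTS[insn]
            score += weight
            reasons.append(reason)
    return score, reasons


def is_suspicious(code):
    return heuristic_score(code)[0] >= THRESHOLD


def system_verdict(files):
    """Rule of thumb from the text applied to a whole drive (name -> code):
    a single hit is probably a false positive, many hits mean infection."""
    hits = sorted(name for name, code in files.items() if is_suspicious(code))
    if not hits:
        return "clean", hits
    if len(hits) == 1:
        return "single hit, probable false positive: check this file", hits
    return "multiple hits, infection very likely", hits


# Constructed samples.
ORIGINAL_VIRUS = ("push ax",) + KNOWN_SIG + ("go_resident",)
POLYMORPHIC_COPY = ("push ax", "find_first *.exe", "nop", "open_file",
                    "mov ax, ax", "write_file", "xchg bx, bx", "set_vector 21h",
                    "nop", "go_resident")
INSTALLER = ("open_file", "write_file", "close_file")       # benign: copies a file
KEYBOARD_DRIVER = ("set_vector 09h", "go_resident")         # benign resident driver

if __name__ == "__main__":
    print("signature on original:", signature_match(ORIGINAL_VIRUS))
    print("signature on padded copy:", signature_match(POLYMORPHIC_COPY))
    print("signature on normalised copy:", signature_match(normalize(POLYMORPHIC_COPY)))
    print("heuristic on padded copy:", heuristic_score(POLYMORPHIC_COPY))
    print(system_verdict({"A.EXE": POLYMORPHIC_COPY, "B.EXE": INSTALLER}))
```

The weights are where the false-positive trade-off lives: the installer and the keyboard driver each score 2 and stay below the threshold, while the padded copy scores 8 (search, write, interrupt hook, resident) and is flagged, exactly the kind of "fits a certain pattern" judgement the text describes.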

There are several types of programs to detect, remove and protect against computer viruses. Such programs are called antivirus programs. There are the following types of antivirus programs:

1. vaccines;

2. detectors;

3. auditors;

4. watchman;

5. monitors;

6. polyphages;

7. heuristic analyzers.

Recently, developers of antivirus programs have been offering users comprehensive solutions that include most or even all of the above program types.

Vaccines- These are programs designed to prevent files from being infected by any one specific virus. Vaccines are used if there are no programs that can neutralize the virus. Vaccination is possible only against known viruses that can be detected, but for some reason cannot be neutralized. The vaccine program modifies the protected program or disk in such a way that this does not affect its operation, but the real virus considers the protected program to be infected and therefore does not inject itself into its executable code.

The actions of vaccine programs are based on one of the basic properties of computer viruses - not to re-infect an already infected program. For these purposes, when infecting programs, viruses use a so-called “black mark”, which would allow them to distinguish already infected programs from uninfected ones. This could be, for example, setting the file creation time to 24 hours 1 minute and 62 seconds. Because normal programs cannot have such a creation time, then, having detected that the file was created at this time, the virus considers that it is infected and does not try to infect it again.

Thus, the vaccine program simply creates a “black mark” of a specific virus on the protected program without changing its executable code, and the virus, having detected such a mark, no longer tries to infect this file.
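
The "black mark" vaccine described above, as an added example in Python that is not part of the lesson. File entries, the two virus names and their marks are constructed for the demo; the first mark is the impossible timestamp (24 h 01 min 62 s) quoted in the text. The block also shows the limitation the text implies: a vaccine plants one specific virus's mark, so it does nothing against a different virus that uses a different mark.

```python
# Added example (Python), not from the lesson: a toy vaccine built on the
# "black mark" idea. File entries, marks and virus names are all constructed.
from dataclasses import dataclass, replace

# Each known virus has its own mark; the first is the impossible timestamp
# (24 h 01 min 62 s) quoted in the text. Times are (hour, minute, second).
INFECTION_MARKS = {
    "Toy.A": (24, 1, 62),
    "Toy.B": (0, 0, 61),
}


@dataclass(frozen=True)
class FileEntry:
    name: str
    code: bytes
    ctime: tuple


def carries_mark(entry, virus):
    """Does the file look 'already infected' to the given virus?"""
    return entry.ctime == INFECTION_MARKS[virus]


def infection_would_be_attempted(entry, virus):
    """The decision the text attributes to the virus: skip files carrying its mark."""
    return not carries_mark(entry, virus)


def vaccinate(entry, virus):
    """Plant the virus's mark on the file; the executable code is left untouched."""
    return replace(entry, ctime=INFECTION_MARKS[virus])


def vaccinate_directory(entries, virus, extensions=(".COM", ".EXE")):
    """Vaccinate every program file in a directory; other files are left as they are."""
    return [vaccinate(e, virus) if e.name.upper().endswith(extensions) else e
            for e in entries]


if __name__ == "__main__":
    entries = [
        FileEntry("GAME.EXE", b"game code", (12, 30, 0)),
        FileEntry("LETTER.TXT", b"hello", (9, 0, 0)),
    ]
    for e in vaccinate_directory(entries, "Toy.A"):
        print(e.name, e.ctime,
              "| Toy.A would attack:", infection_would_be_attempted(e, "Toy.A"),
              "| Toy.B would attack:", infection_would_be_attempted(e, "Toy.B"))
```

Because the mark lives in a single metadata field, a file can carry only one of them at a time; that is one concrete reason the lesson calls vaccines a measure of last resort, used only when a virus can be detected but not neutralized.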

"Detectors" or "scanners"- these are programs that search for a signature characteristic of a particular virus in the computer’s RAM or in files on the hard drive, and when found, display a corresponding message. The disadvantage of this class of antivirus programs is that they can only find viruses that are known to the developers.

"Inspectors"- these are programs that are among the most reliable means of protection against viruses.

When infecting a computer, the virus makes changes to the hard drive: it adds its code to the infected file, changes system areas disk, etc. The work of anti-virus programs called “auditors” is based on the detection of such changes.

They are built on the opposite principle to scanners. Auditors do not know specific viruses by sight, but they remember information about each logical drive, and from changes in this information they can reliably detect both known and new, unknown viruses.

If a change in information about the data on the disk is detected, all relevant information about the changed object is provided to the user. And he himself must make a decision: is it worth, for example, checking this file for a virus (if it is an executable file) or ignoring the message if the file was modified by the user himself.

As a rule, comparison of states is carried out immediately after loading the operating system. When comparing, the length of the file, its checksum, date and time of modification, and some other parameters are checked. Auditor programs have fairly developed algorithms that allow them to detect even viruses of such classes as “stealth” viruses and “polymorphic” viruses, and some can even restore the original version of the program being checked by removing the changes made by the virus.

The advantages of auditors are the highest speed of disk checking (many tens of times faster than scanners) and high reliability in detecting even unknown viruses.
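
The two-stage auditor described here and in the earlier AUDITORS paragraph, as an added example in Python that is not part of the lesson. The "volume" is an in-memory dictionary of object name to (content, modification time), with `<boot sector>` standing in for the system area of the disk; all names, contents and times are constructed. Stage one records length, checksum and modification time; stage two lists every discrepancy, and a small triage step applies the reasoning the text leaves to the user: a boot sector or program whose content changed while its date did not is the classic picture of an infection, whereas a document with a new timestamp is most likely the user's own edit.

```python
# Added example (Python), not from the lesson: a toy auditor over an in-memory
# "volume" (object name -> (content bytes, modification time)). All data is
# constructed; "<boot sector>" stands for the system area of the disk.
import hashlib

CHECKED_FIELDS = ("length", "checksum", "mtime")


def describe(data: bytes, mtime: int) -> dict:
    return {"length": len(data),
            "checksum": hashlib.sha256(data).hexdigest(),
            "mtime": mtime}


def take_snapshot(volume: dict) -> dict:
    """Stage one: remember the state of every object on a clean system."""
    return {name: describe(data, mtime) for name, (data, mtime) in volume.items()}


def audit(snapshot: dict, volume: dict) -> dict:
    """Stage two: compare the current state with the snapshot, list all discrepancies."""
    current = take_snapshot(volume)
    report = {
        "added": sorted(current.keys() - snapshot.keys()),
        "removed": sorted(snapshot.keys() - current.keys()),
        "changed": {},
    }
    for name in sorted(snapshot.keys() & current.keys()):
        diffs = [f for f in CHECKED_FIELDS if snapshot[name][f] != current[name][f]]
        if diffs:
            report["changed"][name] = diffs
    return report


def is_program(name: str) -> bool:
    return name.upper().endswith((".COM", ".EXE", ".SYS", ".DLL"))


def triage(report: dict) -> list:
    """Point the user at the changes that look like an infection rather than
    their own work: a changed boot sector, or a program whose content changed
    while its modification time stayed the same."""
    suspicious = []
    for name, diffs in report["changed"].items():
        content_changed = "checksum" in diffs or "length" in diffs
        if content_changed and (name == "<boot sector>"
                                or (is_program(name) and "mtime" not in diffs)):
            suspicious.append(name)
    return suspicious


def demo() -> dict:
    clean = {
        "<boot sector>": (b"BOOT CODE v1", 0),
        "C:/DOS/COMMAND.COM": (b"command interpreter", 100),
        "C:/GAMES/TETRIS.EXE": (b"tetris code", 200),
        "C:/DOCS/LETTER.TXT": (b"Dear Sir,", 300),
    }
    snapshot = take_snapshot(clean)          # taken while the system is clean
    later = dict(clean)
    later["<boot sector>"] = (b"BOOT CODE v2", 0)                   # same length, new content
    later["C:/GAMES/TETRIS.EXE"] = (b"tetris code" + b"+EXTRA", 200)  # grew, date preserved
    later["C:/DOCS/LETTER.TXT"] = (b"Dear Madam,", 301)              # ordinary user edit
    later["C:/GAMES/NEW.EXE"] = (b"new program", 400)                # newly installed
    report = audit(snapshot, later)
    return {"report": report, "suspicious": triage(report)}


if __name__ == "__main__":
    result = demo()
    print(result["report"])
    print("needs a closer look:", result["suspicious"])
```

Note that this check reads the volume directly; as the stealth discussion earlier on the page explains, an auditor that reads through a hooked operating-system path could be shown the original contents and would then record no discrepancy at all.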

"Watchmen"- these are small resident programs designed to detect suspicious actions that occur when a user is working on a computer and are characteristic of viruses. Such actions may include:

1. attempts to correct files with extensions COM, EXE, DLL, etc., usually unchangeable;

2. changing file attributes;

4. writing to the boot sectors of the disk;

When any program tries to perform the specified actions, the “guard” sends a message to the user and offers to prohibit or allow the corresponding action.

One of the biggest disadvantages of programs of this class is that if configured incorrectly (and sometimes even correctly), they literally “bombard” the user with warnings, as a result of which they are usually disabled.
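
The watchman/filter behaviour described here and in the earlier resident-monitor section, as an added example in Python that is not part of the lesson. A constructed stream of requests (program, operation, target) is passed through a filter that lets harmless requests through, puts controlled ones to the user, and optionally skips the prompt for programs on a trusted list; the operation names and the four sample programs are invented for the demo. The LABEL request reproduces the false positive the text mentions, and the prompt count shows how a trusted list cuts down the "bombardment" that makes users switch the monitor off.

```python
# Added example (Python), not from the lesson: a toy resident filter fed a
# constructed stream of operation requests (program, operation, target).
# Operation names are invented for the demo.
DANGEROUS = {
    "write_boot_sector":     "modification of the boot sector / MBR",
    "write_absolute_sector": "write by absolute disk address",
    "low_level_format":      "low-level disk formatting",
    "go_resident":           "leaving a resident module in RAM",
    "write_program_file":    "modification of an executable file",
}


def is_program_file(name: str) -> bool:
    return name.upper().endswith((".COM", ".EXE", ".DLL", ".SYS"))


def classify(op: str, target: str):
    """Map a request onto one of the controlled actions, or None if it is harmless."""
    if op == "write_file" and is_program_file(target):
        return "write_program_file"
    return op if op in DANGEROUS else None


def run_filter(events, ask_user, trusted=frozenset()):
    """Intercept each request: harmless ones pass, controlled ones are put to the
    user unless the requesting program is on the trusted list. Returns the log."""
    log = []
    for program, op, target in events:
        kind = classify(op, target)
        if kind is None:
            log.append((program, op, target, "allowed"))
        elif program.upper() in trusted:
            log.append((program, op, target, "allowed (trusted program)"))
        else:
            ok = ask_user(program, DANGEROUS[kind], target)
            log.append((program, op, target, "allowed by user" if ok else "denied by user"))
    return log


def count_prompts(log) -> int:
    """How many times the user was interrupted."""
    return sum(1 for entry in log if entry[3].endswith("by user"))


# Constructed request stream. As the text notes, the standard LABEL command
# writes to the boot sector, so it triggers the monitor although it is harmless.
EVENTS = [
    ("EDIT.EXE", "write_file", "LETTER.TXT"),
    ("LABEL.EXE", "write_boot_sector", "C:"),
    ("GAME.EXE", "write_file", "COMMAND.COM"),
    ("KEYB.COM", "go_resident", ""),
]


def demo(trusted=frozenset()):
    # Scripted user: allows LABEL and the keyboard driver, denies anything else.
    def user(program, why, target):
        return program in ("LABEL.EXE", "KEYB.COM")
    return run_filter(EVENTS, user, trusted)


if __name__ == "__main__":
    for entry in demo():
        print(entry)
    print("prompts without a trusted list:", count_prompts(demo()))
    print("prompts with LABEL and KEYB trusted:",
          count_prompts(demo(frozenset({"LABEL.EXE", "KEYB.COM"}))))
```

The trusted list is a deliberate trade: it removes the two nuisance prompts, but a trusted name is only a name, which is why the lesson still recommends running programs from reliable sources and keeping a scanner alongside the filter.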

"Monitors"(or filter programs) are antivirus programs based on the polyphage principle and use a database of their signatures to detect viruses. The anti-virus monitor is located resident in the computer's memory, and checks for viruses only those programs that are manipulated by the user or the operating system.

Typically, anti-virus monitors check all files on which the following manipulations are performed:

1. launching the program for execution;

2. changing file attributes;

3. opening a document (Microsoft Office);

4. copying or moving a file;

5. file editing;

Filter programs are useful from the point of view that they help the user detect a virus at the earliest stage of its existence, even before the spread of the virus becomes an epidemic.

"Polyphages"- these are programs that can safely remove a virus and restore the functionality of damaged programs.

For each virus, by analyzing its code, its methods of infecting files, etc., a certain sequence of bytes characteristic only of that virus is singled out. This sequence is called the signature of the virus. In the simplest case, searching for viruses comes down to searching for their signatures. After detecting a virus in the body of a program (or in the boot sector, which also contains a boot program), the polyphage neutralizes it. For this purpose, the developers of antivirus tools carefully study the behavior of each specific virus: what it damages, how it damages it, where it hides what it damages, etc.

Scanning is the most traditional method of searching for viruses. It consists of searching for signatures isolated from previously detected viruses. Virus databases of modern scanners contain more than 40,000 virus masks.

The disadvantage of simple scanners is their inability to detect “polymorphic” viruses that completely change their code. Modern polyphages use other methods of searching for viruses. To do this, they use more complex search algorithms, including heuristic analysis of the programs being checked. Considering that new viruses are constantly appearing, detector programs and polyphage programs quickly become outdated, and regular updating of database versions containing signatures of newly emerged viruses is required. As a result, scanners become outdated the moment a new version is released.

Heuristic analyzers are programs that execute the programs being scanned under their control and detect actions characteristic of viruses. Thanks to this, heuristic analyzers can find “polymorphic” viruses as easily as ordinary viruses that do not use a camouflage mechanism; in addition, they can detect viruses previously unknown to the authors of the antivirus program.

Special methods are used to identify these masquerading viruses. They include the processor emulation method: the antivirus simulates the execution of the program by the processor and feeds the virus fictitious control resources. The virus, deceived in this way and under the control of the antivirus program, decrypts its code. After this, the scanner compares the decrypted code with the codes in its scanning database.
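
The processor emulation method from the last paragraph, as an added example in Python that is not part of the lesson. The emulator interprets a tiny invented instruction set (not a real CPU) against a copy of the file in memory and gives the code a fixed step budget, the "fictitious control resources" of the text; the signature, the sample file, its XOR key and the decryptor stub are all constructed for the demo. The block shows the static scan failing on the encrypted sample, the same scan succeeding on the memory image after emulation, and the budget stopping a stub that never hands over control.

```python
# Added example (Python), not from the lesson: a toy code emulator that lets an
# encrypted sample "decrypt itself" in a sandbox, then scans the result. The
# instruction set, the sample and its key are constructed for the demo.
SIGNATURE = b"TOY-VIRUS-SIG"
BODY_OFFSET = 16       # where the encrypted body sits in the constructed file
STEP_LIMIT = 10_000    # fictitious resources: the emulator never runs forever


def emulate(stub, memory: bytearray, max_steps=STEP_LIMIT) -> str:
    """Run the toy instructions against memory. Returns 'body_reached' when the
    stub hands control to the decrypted body, 'step_limit' if it never does."""
    regs = {"ax": 0, "cx": 0, "si": 0}
    pc = steps = 0
    while steps < max_steps:
        if pc >= len(stub):
            return "fell_off_end"
        insn = stub[pc]
        op = insn[0]
        steps += 1
        if op == "mov":            # ("mov", reg, value)
            regs[insn[1]] = insn[2]
        elif op == "xor_byte":     # ("xor_byte", ptr_reg, key_reg): mem[ptr] ^= key
            memory[regs[insn[1]]] ^= regs[insn[2]] & 0xFF
        elif op == "inc":
            regs[insn[1]] += 1
        elif op == "dec":
            regs[insn[1]] -= 1
        elif op == "jnz":          # ("jnz", reg, target)
            if regs[insn[1]] != 0:
                pc = insn[2]
                continue
        elif op == "jmp_body":
            return "body_reached"
        pc += 1
    return "step_limit"


def scan_static(data: bytes) -> bool:
    return SIGNATURE in data


def scan_with_emulation(stub, data: bytes) -> dict:
    """Static signature scan first; if nothing is found, emulate the stub on a
    copy of the file and scan the decrypted memory image."""
    if scan_static(data):
        return {"verdict": "known virus (static)", "emulation": None}
    memory = bytearray(data)
    status = emulate(stub, memory)
    if status == "body_reached" and scan_static(bytes(memory)):
        return {"verdict": "known virus (after emulation)", "emulation": status}
    if status == "step_limit":
        return {"verdict": "undecided: stub exhausted the emulator's budget", "emulation": status}
    return {"verdict": "no known virus", "emulation": status}


def make_encrypted_sample(key: int):
    """Constructed test file: 16-byte header, then the body XOR-ed with the key,
    plus the decryptor stub that undoes it (index 3 is the loop head)."""
    body = b"...." + SIGNATURE + b"...."
    data = b"\x00" * BODY_OFFSET + bytes(b ^ key for b in body)
    stub = [
        ("mov", "si", BODY_OFFSET),
        ("mov", "cx", len(body)),
        ("mov", "ax", key),
        ("xor_byte", "si", "ax"),
        ("inc", "si"),
        ("dec", "cx"),
        ("jnz", "cx", 3),
        ("jmp_body",),
    ]
    return stub, data


# A stub that loops forever: the emulator must give up on it, not hang.
NEVER_ENDING_STUB = [("mov", "cx", 1), ("jnz", "cx", 1)]

if __name__ == "__main__":
    stub, data = make_encrypted_sample(0x5A)
    print("static scan:", scan_static(data))
    print("with emulation:", scan_with_emulation(stub, data))
    print("looping stub:", scan_with_emulation(NEVER_ENDING_STUB, data))
```

The "undecided" outcome is the practical weak point of the method that the flaws list above alludes to: a decryptor that burns through the budget before finishing leaves the scanner with no decrypted image to compare, which is why engines pair emulation with heuristics rather than relying on either alone.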