
The Future Of Antiviruses

Author: Elastic Reality
Submitted: 28-Apr-2007 19:41:03
Imported From: The CyberArmy University (original author: Elastic Reality)


The Future of Antiviruses
The antiviruses of old were relatively simple to design. This was mainly because viruses spread slowly, through the traditional exchange of media like floppy disks and tapes. Antiviruses were therefore generally able to stop a virus before it wreaked major havoc in the corporate environment.

But this is no longer the case. With the advent of the internet and P2P file-sharing services, viruses spread at lightning speed. Thus there is a great need for new technologies to counter this threat of 'blended attacks'.

Antivirus software traditionally uses fingerprint scanning technology. This means that a particular byte or string sequence is taken from the virus strain and used to detect that particular virus. For example, the fingerprint of a virus may be the string,

char virus = 0

So whenever the antivirus sees the string char virus = 0 in a file, it alerts the user to the presence of the virus. But this technique clearly has its downfalls.

Firstly, the antivirus has to be updated frequently, to say the least, for it to detect all the viruses 'in the wild'. This is not always possible, since users generally update their virus definitions about once a month, while new viruses come out every day.

Secondly, a smart virus writer can hide the above string yet achieve the same logical result by modifying the fingerprint. For example, the above fingerprint can be modified like this:

char virus = 1 AND 0

This still gives the same result, but the scanner will no longer detect the virus.

Thus we see that there is a great need for newer technologies to supplement, if not replace, fingerprint scanning. These technologies are:
  1. Heuristic Scanning
  2. Behaviour Blocking
Heuristic scanning involves searching for unusual instructions which are generally not found in typical applications. Thus heuristic scanning can find previously unknown malicious code. Heuristic scanners generally employ either a weight-based system or a rule-based system. In a weight-based system, each unusual instruction carries a weight, and all these weights are added up. If the sum of these weights exceeds a predetermined value, the scanner alerts the user. This system is not generally used nowadays, since it generates many false alarms.

In a rule-based system, the scanner analyses the file for certain characteristics and matches them against a previously made rule set. If they match, the scanner alerts the user. The advantage of heuristic scanning is that it can find new virus strains, and can detect and possibly clean a file before access to it is allowed.
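As an added illustration (not part of the original article), the toy scanner below contrasts the three detection styles just described: an exact fingerprint match, a weight-based heuristic with a threshold, and a rule-based heuristic that fires only when all of a rule's conditions hold. All signatures, indicator tokens, weights and sample 'files' are constructed assumptions; the modified variant from the article slips past the fingerprint but is still caught by both heuristics.

```python
# Added example (not from the article): a toy file scanner contrasting the
# three approaches the article describes. Every signature, indicator, weight
# and sample "file" below is constructed for illustration, not real AV data.

# Fingerprint scanning: exact byte sequence lifted from a known sample.
SIGNATURES = {"demo-virus-A": b"char virus = 0"}

# Weight-based heuristic: each "unusual" token carries a weight and the sum is
# compared to a threshold (real API names serve only as example tokens here).
HEURISTIC_WEIGHTS = {
    b"OpenProcess": 2,
    b"WriteProcessMemory": 3,
    b"CreateRemoteThread": 3,
    b"system32": 1,
}
HEURISTIC_THRESHOLD = 5

# Rule-based heuristic: a rule fires only when every one of its conditions holds.
RULES = {
    "remote-thread-injection": [b"OpenProcess", b"WriteProcessMemory", b"CreateRemoteThread"],
    "drops-into-system-dir": [b"system32", b"CopyFile"],
}

def scan_signatures(data):
    """Names of known fingerprints found verbatim in the file."""
    return [name for name, sig in SIGNATURES.items() if sig in data]

def scan_weighted(data):
    """(score, flagged): summed weights of tokens present vs. the threshold."""
    score = sum(w for token, w in HEURISTIC_WEIGHTS.items() if token in data)
    return score, score >= HEURISTIC_THRESHOLD

def scan_rules(data):
    """Names of rules whose every condition is present in the file."""
    return [name for name, conds in RULES.items() if all(c in data for c in conds)]

def scan(data):
    score, flagged = scan_weighted(data)
    return {"signature": scan_signatures(data), "score": score,
            "weighted": flagged, "rules": scan_rules(data)}

# Constructed samples: the original strain, the article's modified variant
# (fingerprint changed, logic kept) and a benign program sharing one token.
ORIGINAL = b"...char virus = 0...OpenProcess WriteProcessMemory CreateRemoteThread..."
VARIANT = b"...char virus = 1 AND 0...OpenProcess WriteProcessMemory CreateRemoteThread..."
BENIGN = b"...Hello, world...OpenProcess..."

if __name__ == "__main__":
    for label, sample in (("original", ORIGINAL), ("variant", VARIANT), ("benign", BENIGN)):
        print(label, scan(sample))
```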

Behaviour blocking involves monitoring applications in real time for malicious activity. The user is then given the option to either allow or block a particular behaviour. For example, most applications do not need to access system files. If an application is trying to access the system files, then the behaviour blocker can alert the user of this activity.

The advantage of behaviour blocking is that it can stop new virus strains which are not detected by fingerprint methods. But it also has some disadvantages. For example, it can raise many false alarms, and a beginner can easily be confused by the alarms triggered by the blocker. Also, a lot of time is spent writing rules for all kinds of applications.

The generic scanning techniques discussed above will never completely replace fingerprint scanning, but they can serve faithfully in both personal and corporate environments.

Written by Elastic Reality (8 July 2004)

Member of CAU Knowledge-Bank Tutorial Writers

This article was originally published by CyberArmy.net in the CyberArmy Library.
