How antivirus software works and the types of computer viruses

Posted: January 4, 2010 in Windows XP

I have recently stumbled upon a question which I found really interesting. The question was about how antivirus programs work, including firewalls, and about the types of viruses. So I decided to do some research, which helped me understand the principle better.
Basically, an antivirus is a program whose function is to scan files; if a file is found to be dangerous (a virus, or other malware such as spyware, Trojans, worms, etc.), it is deleted or put into quarantine to stop any further spreading. Another definition to note is that of a computer virus: a program meant to make copies of itself and to infect or damage files used by the operating system or by installed programs. It is meant to have a malicious effect on your computer and can cause both material and non-material damage.
Antivirus software is usually programmed to use two methods of identifying viruses and dealing with the problem. The first and best-known method is scanning computer files against a virus signature list (obtained when the software is purchased or installed, and kept current through frequent updates); any malware such as viruses and Trojans that matches a signature is identified and the file is deleted. The antivirus program can also try to heal the file first, and if this fails the file is either put into quarantine or deleted. The second approach is to watch for suspicious behaviour from running programs that could damage the operating system.
Computer viruses can increase their chances of spreading to other computers by infecting files on a network file system or a file system that is accessed by another computer.
In order to replicate itself, a virus must be permitted to execute code and write to memory. For this reason, many viruses attach themselves to executable files that may be part of legitimate programs. If a user attempts to launch an infected program, the virus’ code may be executed simultaneously. Viruses can be divided into two types based on their behavior when they are executed. Nonresident viruses immediately search for other hosts that can be infected, infect those targets, and finally transfer control to the application program they infected. Resident viruses do not search for hosts when they are started. Instead, a resident virus loads itself into memory on execution and transfers control to the host program. The virus stays active in the background and infects new hosts when other programs or the operating system itself accesses those files. (Wikipedia)
Polymorphic code was the first technique that posed a serious threat to virus scanners. Just like regular encrypted viruses, a polymorphic virus infects files with an encrypted copy of itself, which is decoded by a decryption module. In the case of polymorphic viruses, however, this decryption module is also modified on each infection. A well-written polymorphic virus therefore has no parts which remain identical between infections, making it very difficult to detect directly using signatures. Antivirus software can detect it by decrypting the viruses using an emulator, or by statistical pattern analysis of the encrypted virus body. To enable polymorphic code, the virus has to have a polymorphic engine (also called mutating engine or mutation engine) somewhere in its encrypted body.
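The following is an added illustration, not code from the original post, of why the two detection approaches described above differ against a re-keyed (polymorphic) body. It uses a constructed toy "body" encoded under a single-byte XOR behind a tiny tag-plus-key header as a stand-in for "encrypted body plus decryptor stub"; the signature, the header format and all sample bytes are assumptions made for the example.

```python
from collections import Counter

# Constructed toy "virus" body and signature; nothing here is real malware.
BODY = b"TOY-VIRUS-BODY: replicate into host files and jump to entry point"
SIGNATURE = b"TOY-VIRUS-BODY"

def make_encrypted_sample(key: int) -> bytes:
    """Constructed lab sample: 3-byte tag, 1-byte key, then the body XORed
    with that key. A stand-in for 'encrypted body + decryptor stub' where
    each infection uses a different key."""
    return b"XOR" + bytes([key]) + bytes(b ^ key for b in BODY)

def signature_scan(data: bytes, signatures=(SIGNATURE,)) -> bool:
    """Method 1 from the text: exact byte-pattern match against a signature list."""
    return any(sig in data for sig in signatures)

def emulate_and_scan(data: bytes, signatures=(SIGNATURE,)) -> bool:
    """Emulator stand-in: interpret the stub, recover the body the stub would
    hand to the CPU, then apply the ordinary signature scan to that body."""
    if data[:3] != b"XOR" or len(data) < 5:
        return signature_scan(data, signatures)
    key = data[3]
    decrypted = bytes(b ^ key for b in data[4:])
    return signature_scan(decrypted, signatures)

def frequency_profile(data: bytes) -> tuple:
    """Statistical view of the encrypted body: sorted byte-frequency counts.
    A single-byte XOR only permutes byte values, so this profile is the
    same for every key, which is what a statistical detector can key on."""
    return tuple(sorted(Counter(data).values(), reverse=True))

def statistical_match(data: bytes, known_profile: tuple) -> bool:
    """Flag a sample whose encrypted-body profile equals one recorded from
    an earlier infection, regardless of the key used this time."""
    return frequency_profile(data[4:]) == known_profile

def demo() -> dict:
    """Compare the three approaches on a plain body and a re-keyed variant."""
    first_seen = make_encrypted_sample(0x5A)      # the infection we learned from
    variant = make_encrypted_sample(0xC3)         # a later infection, new key
    known = frequency_profile(first_seen[4:])
    return {
        "sig_plain": signature_scan(BODY),            # True: plain body matches
        "sig_variant": signature_scan(variant),       # False: re-keyed body evades
        "emu_variant": emulate_and_scan(variant),     # True: decrypted, then matched
        "stat_variant": statistical_match(variant, known),  # True: profile unchanged
    }
```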
To avoid being detected by emulation, some viruses rewrite themselves completely each time they are to infect new executables. Viruses that utilize this technique are said to be metamorphic. To enable metamorphism, a metamorphic engine is needed. A metamorphic virus is usually very large and complex. For example, W32/Simile consisted of over 14000 lines of Assembly language code, 90% of which is part of the metamorphic engine.
A firewall is now mostly a function integrated into an antivirus program. Its aim is to act as a barrier, or wall, that filters incoming traffic from the Internet before it reaches the computer. If any incoming data is flagged, the firewall takes action and blocks it from entering the network or computer.
