Translated 2019/03/15 17:10:12

Antiviruses

An antivirus is a software package developed specifically to protect a computer against computer viruses and other malware, and to intercept and remove them.



Antivirus protection is the most widespread information-security measure in corporate IT infrastructure. Yet only 74% of Russian companies use antivirus solutions, according to research conducted by Kaspersky Lab together with the analytics firm B2B International in autumn 2013.

The report also notes that, against the background of explosive growth in cyberthreats from which simple antiviruses protect companies, Russian businesses are increasingly adopting more comprehensive protection tools. Largely for this reason, the use of data encryption on removable media rose by 7 percentage points to 24%. Companies also became more willing to apply differentiated security policies to removable devices, and differentiation of access levels to different parts of the IT infrastructure rose to 49%. Small and medium businesses pay more attention to control of removable devices (35%) and application control (31%).

The researchers also found that, despite the constant discovery of new software vulnerabilities, Russian companies still do not pay enough attention to regular software updates. Moreover, the share of organizations that install patches fell compared with the previous year, to only 59%.

Modern antivirus software can effectively detect malicious objects in program files and documents. In some cases the antivirus can remove the body of the malicious object from an infected file and restore the file. In most cases the antivirus can remove a malicious object not only from a program file but also from an office document without breaking its integrity. Using antivirus software does not require advanced skills and is within the reach of practically any computer user.

Most antivirus software combines permanent protection (an antivirus monitor, or on-access scanner) with protection on the user's demand (an on-demand virus scanner).

Rating of antiviruses

2019: Two thirds of antiviruses for Android were useless

In March 2019 the Austrian laboratory AV-Comparatives, which specializes in testing antivirus software, published the results of a study showing that most such programs for Android are useless.

Only 23 of the antiviruses available in the official Google Play store recognized malware in 100% of cases. The rest either do not react to mobile threats at all or flag completely harmless applications as malicious.

AV-Comparatives studied 250 popular security applications from the official Google Play catalogue and concluded that nearly two thirds of Android antiviruses do not perform the functions stated in their advertising.

Specialists examined 250 antiviruses and reported that only 80 of them detected more than 30% of the malware samples; the remaining 170 applications failed the test. The products that passed were mostly solutions from large vendors, including Avast, Bitdefender, ESET, F-Secure, G-Data, Kaspersky Lab, McAfee, Sophos, Symantec, Tencent, Trend Micro and Trustwave.

In the experiment the researchers installed each antivirus application on a separate physical device (no emulator) and automated the device to open the browser, download and then install the malware. Each device was tested against 2,000 of the most widespread Android malware samples of 2018.

According to AV-Comparatives, most antivirus solutions for Android are fakes. Dozens of apps have almost identical interfaces, and their creators are clearly more interested in displaying advertising than in writing a working virus scanner.

Some antiviruses "see" a threat in any application that is not on their "white list". Because of this, in a number of absurd cases they raised alarms about their own files, because the developers forgot to add them to the white list.[1]

2017: Microsoft Security Essentials recognized as one of the worst antiviruses

In October 2017 the German antivirus laboratory AV-Test published the results of comprehensive antivirus testing. According to the study, the Microsoft corporate software intended for protection against malicious activity copes with its duties worst of all.

Based on tests carried out in July and August 2017, AV-Test experts named Kaspersky Internet Security the best antivirus for Windows 7: it received 18 points in the assessment of protection level, performance and usability.

The top three also included Trend Micro Internet Security and Bitdefender Internet Security, which earned 17.5 points. The positions of the other antivirus vendors' products that took part in the study can be seen in the illustrations below:

Rating of the best antiviruses, AV-Test data

Specialists awarded Microsoft Security Essentials only 13.5 points; only Comodo Internet Security scored lower. The Microsoft product had the lowest usability score and one of the lowest protection scores.

Comodo received only 1.5 points for performance, meaning the product has a serious impact on system speed and noticeably slows down Windows 7.

In July 2017 AV-Test reported that Microsoft Security Essentials achieved 99% protection against zero-day attacks, including e-mail-borne malware. A month later this figure fell to 97%. The detection rate for known threats was 99.8%, with no false warnings or blocking of legitimate websites recorded. However, during system scans Microsoft Security Essentials produced 13 and 15 false detections of perfectly safe applications in the two test months.

According to the study, the Microsoft antivirus slows down the system when installing frequently used applications, on both a standard and a high-end computer.

Rules for preventing computer infection

  • Never open attachments in letters from unknown people or organizations.
  • Enable the display of file extensions in the operating system.
  • Always check the extensions of attached files, even if the letter came from a well-known sender. If the attached file's name ends in a "dangerous" extension, do not open it under any circumstances; ask the sender to send the file in another format.
  • Install operating-system and application updates promptly.
  • Install licensed antivirus software on the computer and make sure its virus signature databases are updated regularly.

The system administrator of an enterprise, or the person responsible for the organization's IT environment, is strongly recommended to:

  • Change the antivirus settings according to the antivirus vendors' recommendations for protection against ransomware (encrypting viruses). Do not rely entirely on the antivirus, since antivirus software does not always react quickly to the appearance of a new variant of a virus. Update antivirus databases promptly.
  • Make backup copies of important data regularly.
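As an added example (not part of the original article), the following Python function applies the attachment-name rule above the way a mail gateway or a helpdesk script would: it judges the real last extension, which Windows hides by default, and catches the usual tricks for disguising it. The extension lists and the sample names are assumptions constructed for the example, not taken from the article.

```python
import os

# Extensions that Windows executes directly or that carry scripts/macros.
# This list is an assumption for the example, not from the article; extend it
# to match your own mail-gateway policy.
DANGEROUS_EXTENSIONS = {
    ".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".vbs", ".vbe",
    ".js", ".jse", ".wsf", ".wsh", ".ps1", ".hta", ".msi", ".jar",
    ".lnk", ".docm", ".xlsm", ".pptm",
}

# Containers that must be unpacked and scanned rather than trusted by name.
ARCHIVE_EXTENSIONS = {".zip", ".rar", ".7z", ".gz", ".cab", ".iso", ".img"}


def classify_attachment(filename: str) -> str:
    """Return 'block', 'inspect' or 'allow' for an attachment file name.

    The verdict is based on the *last* extension, which is what the OS uses
    to pick a handler, so 'invoice.pdf.exe' is blocked even though a user
    with hidden extensions only sees 'invoice.pdf'.
    """
    name = os.path.basename(filename).lower()
    # Windows drops trailing spaces and dots, so "report.exe   ." still runs
    # as report.exe; normalize the same way before looking at the suffix.
    name = name.rstrip(" .")
    # A right-to-left override (U+202E) reverses how the tail of the name is
    # displayed, e.g. making "...exe" appear as "...txt"; never allow it.
    if "\u202e" in name:
        return "block"
    parts = name.split(".")
    if len(parts) < 2 or not parts[-1]:
        return "inspect"          # no usable extension: cannot judge by name
    ext = "." + parts[-1]
    if ext in DANGEROUS_EXTENSIONS:
        return "block"
    if ext in ARCHIVE_EXTENSIONS:
        return "inspect"
    return "allow"


def triage(filenames):
    """Group a batch of attachment names by verdict (constructed helper)."""
    result = {"block": [], "inspect": [], "allow": []}
    for fn in filenames:
        result[classify_attachment(fn)].append(fn)
    return result
```

Note that "allow" here means only that the name gives no reason to block; the content still goes through the antivirus scan described elsewhere on this page.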

Classification of antiviruses

At present there is no single system for classifying antivirus software.

Classification of antiviruses by operating mode

Kaspersky Lab classifies antiviruses by operating mode:

Real-time checking

Real-time (permanent, on-access) checking provides continuous antivirus protection. It is implemented by mandatory checking of all actions performed by other programs and the user for malicious content, regardless of where the data is located: the hard disk, external media, other network resources or the computer's own RAM. Indirect actions performed through third-party programs are checked as well.

On-demand checking

In some cases a constantly running real-time check may not be enough. It is possible that an infected file was copied onto the computer but excluded from permanent checking because of its large size, so the virus in it was not detected. If the file is never run on that computer, the virus may go unnoticed and show itself only after the file is transferred to another computer.

In this mode the user is usually expected to specify which files, directories or disk areas to check and when to check them, either on a schedule or by a single manual start.

Classification of antiviruses by type

Antivirus software can also be classified by type:

Scanners (other names: phages, polyphages)

Virus scanners work by checking files, sectors and system memory and searching them for known and new (unknown to the scanner) viruses. Known viruses are found using so-called masks. A virus mask is a fixed sequence of code specific to that particular virus. If the virus contains no fixed mask, or the mask is not long enough, other methods are used. One example is an algorithmic language describing all possible variants of the code that can occur when a file is infected by a given virus. Some antiviruses use this approach to detect polymorphic viruses.

Many scanners also use heuristic scanning algorithms: analysis of the command sequence in the checked object, collection of statistics, and a decision for each checked object.

Scanners can also be divided into two categories, universal and specialized. Universal scanners are designed to find and neutralize all types of viruses regardless of the operating system the scanner is meant to run in. Specialized scanners are intended to neutralize a limited number of viruses or just one class of them, for example macro viruses.

Scanners are also divided into resident ones (monitors), which scan on the fly, and non-resident ones, which check the system only on demand. As a rule, resident scanners provide more reliable protection, since they react immediately to the appearance of a virus, whereas a non-resident scanner can identify a virus only at its next run.

CRC scanners

CRC scanners work by calculating CRC sums (checksums) for the files and system sectors present on a disk. These CRC sums are then stored in the antivirus database along with other information: file lengths, last-modification dates and so on. On subsequent runs the CRC scanner compares the data stored in the database with the freshly calculated values. If the stored information about a file does not match the real values, the CRC scanner reports that the file has been changed or infected by a virus.

CRC scanners cannot catch a virus at the moment it appears in the system; they do so only some time later, once the virus has spread across the computer. CRC scanners cannot detect a virus in new files (in e-mail, on floppy disks, in files restored from backup or unpacked from an archive), since their databases contain no information about these files. Moreover, viruses appear from time to time that exploit this weakness of CRC scanners by infecting only newly created files, thus remaining invisible to them.

Behaviour blockers

Antivirus behaviour blockers are resident programs that intercept virus-dangerous situations and report them to the user. Virus-dangerous situations are calls to open executable files for writing, to write to the boot sector of a disk or the hard disk's MBR, attempts by programs to stay resident, and so on: calls that are characteristic of viruses at the moment of replication.

The advantage of blockers is their ability to detect and stop a virus at the earliest stage of its replication. Their shortcomings are the existence of ways to bypass their protection and a large number of false alarms.

Immunizers

Immunizers come in two kinds: those that report infection and those that block infection. The first are usually written to the end of files (in the manner of a file infector) and check the file for changes every time it starts. Such immunizers have only one shortcoming, but it is fatal: they are completely unable to report infection by a stealth virus. For this reason such immunizers, like blockers, are practically unused today.

The second kind of immunizer protects the system from infection by a virus of one particular type. Files on disk are modified so that the virus takes them for already infected. To protect against a resident virus, a program that imitates a copy of the virus is loaded into the computer's memory; on starting, the virus finds it and concludes that the system is already infected.

This kind of immunization cannot be universal, since it is impossible to immunize files against all known viruses.

Classification of antiviruses by variability in time

According to Valery Konyavsky, antivirus tools can be divided into two large groups: those that analyze data and those that analyze processes.

Data analysis

Data analysis includes auditors and polyphages. Auditors analyze the consequences of the activity of computer viruses and other malware. These consequences appear as changes in data that should not change. From the auditor's point of view, the fact that data changed is a sign of malware activity. In other words, auditors monitor data integrity and, when integrity is violated, decide that malware is present in the computer environment.

Polyphages work differently. By analyzing data they identify fragments of malicious code (for example by its signature) and conclude on that basis that malware is present. Removing or disinfecting the data affected by the virus prevents the harmful consequences of the malware's execution. Thus, consequences that arise dynamically are prevented on the basis of static analysis.

The working scheme of both auditors and polyphages is almost the same: compare data (or its checksum) with one or more reference samples. Data is compared with data. Thus, to find a virus in the computer, either it must already have run so that the consequences of its activity appear, or it must be a known virus whose code fragments or signature were described in advance. Such protection can hardly be called reliable.

Analysis of processes

Antivirus tools based on process analysis work somewhat differently. Heuristic analyzers, like the tools described above, analyze data (on disk, in a communication channel, in memory, etc.). The fundamental difference is that the analysis proceeds on the assumption that the analyzed code is not data but instructions (in computers with a von Neumann architecture data and instructions are indistinguishable, so the analysis has to make one assumption or the other).

A heuristic analyzer extracts the sequence of operations, assigns each of them some hazard rating, and from the total hazard decides whether this sequence of operations is part of malicious code. The code is not executed.

Another kind of antivirus tool based on process analysis is the behaviour blocker. Here the suspicious code is executed step by step until the set of actions initiated by the code is rated as dangerous (or safe) behaviour. The code is executed only partially, since the end of malicious code can be detected by simpler data-analysis methods.

Virus detection technologies

The technologies used in antiviruses can be divided into two groups:

  • Signature analysis technologies
  • Probabilistic analysis technologies

Signature analysis technologies

Signature analysis is a virus detection method consisting of checking files for the presence of virus signatures. It is the best-known method of virus detection and is used in practically all modern antiviruses. To perform the check the antivirus needs a set of virus signatures, stored in the antivirus database.

Because signature analysis involves checking files for virus signatures, the antivirus database must be updated periodically to keep the antivirus current. The principle of signature analysis also defines the limit of its capabilities: it can detect only already known viruses, and against new viruses a signature scanner is powerless.

On the other hand, having virus signatures makes it possible to disinfect infected files found by signature analysis. However, disinfection is not possible for all viruses: trojans and most worms cannot be disinfected, because by design they are self-contained modules created to cause damage rather than code inserted into a host file; they can only be deleted.

A correctly implemented virus signature detects the virus it describes with certainty; a modified variant needs its own signature.
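The mask-based search described under "Scanners" above and the signature checking described in this section, as one added Python example that is not from the article: each signature is a hex byte pattern in which `??` stands for any single byte, so both a plain fixed mask and a mask with wildcarded immediates can be expressed, and the scanner reports every occurrence with its offset. The signature database and the sample buffers are constructed for the example and correspond to no real virus.

```python
import re
from typing import Dict, List, Tuple

# Constructed signature database for this example (no real virus): name -> hex
# pattern. "??" matches any single byte, so a pattern can be a plain mask (a
# fixed byte sequence) or a mask with wildcards for bytes that vary between
# infections, such as addresses patched in by the virus.
SIGNATURES: Dict[str, str] = {
    "Test.Fixed":    "e8 00 00 00 00 5b 81 eb",
    "Test.Wildcard": "b8 ?? ?? ?? ?? cd 21 c3",
}


def compile_signature(hex_pattern: str) -> re.Pattern:
    """Turn 'b8 ?? ?? cd 21' into a bytes regex; '??' becomes '.' (any byte)."""
    parts = []
    for token in hex_pattern.split():
        if token == "??":
            parts.append(b".")
        else:
            parts.append(re.escape(bytes.fromhex(token)))
    return re.compile(b"".join(parts), re.DOTALL)


COMPILED = {name: compile_signature(p) for name, p in SIGNATURES.items()}


def scan_buffer(data: bytes) -> List[Tuple[str, int]]:
    """Return (signature name, offset) for every signature occurrence in data."""
    hits = []
    for name, rx in COMPILED.items():
        for match in rx.finditer(data):
            hits.append((name, match.start()))
    return hits


def scan_file(path: str) -> List[Tuple[str, int]]:
    """On-demand style check of one file; an on-access monitor would call the
    same function with the file that is about to be opened or executed."""
    with open(path, "rb") as fh:
        return scan_buffer(fh.read())


# Constructed sample buffers standing in for scanned files.
CLEAN = b"MZ" + b"\x90" * 64
INFECTED_A = b"MZ" + b"\x90" * 10 + bytes.fromhex("e800000000 5b81eb") + b"\x00" * 8
INFECTED_B = b"MZ" + bytes.fromhex("b834120000cd21c3")   # immediate 0x1234 is wildcarded
# One byte changed inside the fixed part of the mask: the signature no longer
# matches. This is the limit described in the text: a new variant needs its
# own signature (or a heuristic), which is exactly what polymorphic viruses exploit.
MUTATED = b"MZ" + b"\x90" * 10 + bytes.fromhex("e800000000 5b81ec")
```

Real engines use a multi-pattern matcher rather than one regex per signature, but the matching semantics (fixed bytes plus single-byte wildcards) are the same as shown here.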

Probabilistic analysis technologies

Probabilistic analysis technologies are in turn subdivided into three categories:

  • Heuristic analysis
  • Behavioural analysis
  • Checksum analysis

Heuristic analysis

Heuristic analysis is a technology based on probabilistic algorithms whose result is the identification of suspicious objects. During heuristic analysis the structure of the file and its correspondence to virus templates are checked. The most popular heuristic technique is checking the file's contents for modifications of already known virus signatures and their combinations. This helps identify hybrids and new versions of previously known viruses without an additional antivirus database update.

Heuristic analysis is used to detect unknown viruses and, as a consequence, does not provide disinfection. This technology cannot determine with 100% certainty whether an object is a virus or not and, like any probabilistic algorithm, suffers from false positives.

Behavioural analysis

Behavioural analysis is a technology in which the decision about the nature of the checked object is made on the basis of the operations it performs. Behavioural analysis has very narrow practical application, since most actions characteristic of viruses can also be performed by ordinary applications. The best-known behavioural analyzers are those for scripts and macros, since the corresponding viruses almost always perform the same set of operations.

Protection built into the BIOS can also be classed as a behavioural analyzer: on an attempt to modify the computer's MBR, the analyzer blocks the action and shows an appropriate warning to the user.

Behavioural analyzers can additionally monitor attempts at direct file access, changes to the boot record of floppy disks, formatting of hard disks, and so on.

Behavioural analyzers need no additional objects such as virus databases and, as a consequence, cannot distinguish known viruses from unknown ones: all suspicious programs are a priori treated as unknown viruses. Likewise, the way behavioural analysis tools work does not allow disinfection.
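The two process-analysis tools described earlier (the heuristic analyzer that rates a sequence of operations without executing it, and the behaviour blocker that executes step by step until the behaviour is rated dangerous) and the behavioural analysis described in this section, as one added Python example that is not from the article. The operation trace stands in for what a disassembly pass or a sandbox would produce; the hazard weights, threshold and sample traces are constructed assumptions. The third trace shows the false-positive problem the text mentions: a legitimate installer also writes executables and creates an autorun entry.

```python
from dataclasses import dataclass
from typing import Dict, List, Sequence, Tuple

# Hazard weight of single operations. Constructed for the example; a real
# product tunes such weights against large clean and malicious corpora.
OP_WEIGHTS: Dict[str, int] = {
    "open_file": 0,
    "read_file": 0,
    "write_file": 1,
    "write_executable": 4,     # modifying another program's code
    "write_boot_sector": 8,    # boot record / MBR change
    "set_autorun": 3,          # persistence through a startup entry
    "stay_resident": 2,        # hooking itself permanently into memory
    "disable_security": 6,
    "network_connect": 1,
}

# Ordered combinations that are far more suspicious than their parts:
# open -> read -> write_executable is the classic file-infector pattern.
COMBO_WEIGHTS: Dict[Tuple[str, ...], int] = {
    ("open_file", "read_file", "write_executable"): 5,
    ("disable_security", "write_executable"): 6,
}

THRESHOLD = 10   # constructed; total hazard at which behaviour is "dangerous"


@dataclass
class Verdict:
    score: int
    dangerous: bool
    stopped_at: int   # index of the operation at which the blocker halted, -1 if none


def is_subsequence(pattern: Sequence[str], ops: Sequence[str]) -> bool:
    """True if pattern occurs in ops in order (not necessarily adjacent)."""
    it = iter(ops)
    return all(any(p == o for o in it) for p in pattern)


def score_trace(ops: Sequence[str]) -> int:
    """Heuristic-analyzer style: rate the whole operation sequence at once,
    without executing anything."""
    score = sum(OP_WEIGHTS.get(op, 0) for op in ops)
    for combo, weight in COMBO_WEIGHTS.items():
        if is_subsequence(combo, ops):
            score += weight
    return score


def behaviour_blocker(ops: Sequence[str]) -> Verdict:
    """Behaviour-blocker style: 'execute' one operation at a time and halt as
    soon as the operations seen so far add up to dangerous behaviour."""
    seen: List[str] = []
    for index, op in enumerate(ops):
        seen.append(op)
        score = score_trace(seen)
        if score >= THRESHOLD:
            return Verdict(score, True, index)
    return Verdict(score_trace(seen), False, -1)


# Constructed traces.
FILE_INFECTOR = ["open_file", "read_file", "write_executable", "stay_resident",
                 "open_file", "write_executable"]
TEXT_EDITOR = ["open_file", "read_file", "write_file", "write_file"]
INSTALLER = ["write_executable", "write_executable", "set_autorun", "write_file"]
```

The blocker stops the file infector at its fourth operation, before the second executable is touched, but it also stops the installer: lowering the threshold or the weights to avoid that would let the infector run longer, which is the trade-off behind the "large number of false alarms" noted for blockers above.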

Checksum analysis

Checksum analysis is a method of tracking changes in the objects of a computer system. From the nature of the changes (simultaneity, mass character, identical changes in file length) one can conclude that the system is infected. Checksum analyzers (also called change auditors), like behavioural analyzers, use no additional objects and give a verdict on the presence of a virus only by expert assessment. Similar techniques are used in on-access scanners: on the first check a checksum of the file is taken and placed in a cache; before the next check of the same file the checksum is taken again and compared, and if nothing has changed the file is considered clean.
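The CRC scanner described under "Classification of antiviruses by type" and the checksum analysis described here, as one added Python example that is not from the article: it takes a baseline of hashes, sizes and modification times, reports modified, new and missing files, and applies the expert rule from the text (many files changed at once, each growing by the same length). The scenario runs in a temporary directory with constructed files. SHA-256 is used in place of a CRC on purpose: a CRC is trivially forgeable, since an attacker can append a few chosen bytes that restore the original value, which a cryptographic hash prevents.

```python
import hashlib
import os
import shutil
import tempfile
from collections import Counter
from typing import Dict, List


def snapshot(root: str) -> Dict[str, dict]:
    """Record SHA-256, size and mtime of every regular file under root.
    (SHA-256 instead of a CRC: a CRC can be restored by appending chosen bytes.)"""
    db: Dict[str, dict] = {}
    for dirpath, _, files in os.walk(root):
        for fn in files:
            path = os.path.join(dirpath, fn)
            with open(path, "rb") as fh:
                digest = hashlib.sha256(fh.read()).hexdigest()
            st = os.stat(path)
            db[os.path.relpath(path, root)] = {
                "sha256": digest, "size": st.st_size, "mtime": st.st_mtime,
            }
    return db


def compare(baseline: Dict[str, dict], current: Dict[str, dict]) -> Dict[str, List[str]]:
    """Classify files as modified, new or missing relative to the baseline.
    'new' files are only listed: the auditor has no reference for them, which is
    the blind spot the text describes (a virus that infects only new files is unseen)."""
    modified = sorted(p for p in baseline if p in current
                      and current[p]["sha256"] != baseline[p]["sha256"])
    new = sorted(p for p in current if p not in baseline)
    missing = sorted(p for p in baseline if p not in current)
    return {"modified": modified, "new": new, "missing": missing}


def infection_suspected(baseline, current, min_files: int = 3) -> bool:
    """Expert rule: several files changed in the same run, each growing by the
    same number of bytes, is the footprint of an appending file infector."""
    growth = Counter(current[p]["size"] - baseline[p]["size"]
                     for p in compare(baseline, current)["modified"])
    if not growth:
        return False
    delta, count = growth.most_common(1)[0]
    return delta > 0 and count >= min_files


def demo() -> dict:
    """Constructed scenario: baseline five 'executables', then append the same
    64-byte blob to four of them and drop a new file, as an infector would."""
    root = tempfile.mkdtemp()
    try:
        for i in range(5):
            with open(os.path.join(root, f"prog{i}.exe"), "wb") as fh:
                fh.write(b"MZ" + bytes([i]) * 100)
        with open(os.path.join(root, "notes.txt"), "wb") as fh:
            fh.write(b"hello")
        baseline = snapshot(root)

        blob = b"\xeb" * 64
        for i in range(4):
            with open(os.path.join(root, f"prog{i}.exe"), "ab") as fh:
                fh.write(blob)
        with open(os.path.join(root, "dropper.exe"), "wb") as fh:
            fh.write(b"MZ" + blob)
        current = snapshot(root)

        report = compare(baseline, current)
        report["infection_suspected"] = infection_suspected(baseline, current)
        return report
    finally:
        shutil.rmtree(root, ignore_errors=True)
```

In production the baseline itself must be stored where malware cannot rewrite it (signed, read-only or off-host); an auditor whose database the attacker can update along with the files detects nothing.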

Antivirus complexes

An antivirus complex is a set of antiviruses using the same antivirus engine or engines, intended to solve practical problems of ensuring the antivirus security of computer systems. An antivirus complex necessarily also includes means of updating the antivirus databases.

In addition, an antivirus complex may include behavioural analyzers and change auditors that do not use the antivirus engine.

The following types of antivirus complex are distinguished:

  • Antivirus complex for protecting workstations
  • Antivirus complex for protecting file servers
  • Antivirus complex for protecting mail systems
  • Antivirus complex for protecting gateways.

Cloud versus traditional desktop antivirus: which to choose?

(Based on materials from Webroot.com)

The modern antivirus market consists mostly of traditional solutions for desktop systems whose protection mechanisms are built on signature methods. An alternative method of antivirus protection is heuristic analysis.

Problems of traditional antivirus software

Traditional antivirus technologies have recently been becoming less effective and going out of date quickly, for a number of reasons. The number of virus threats recognizable by signature is already so high that delivering complete, timely signature-database updates to user computers is often an impossible task. Hackers and cybercriminals increasingly use botnets and other technologies that accelerate the spread of zero-day threats. In targeted attacks, moreover, no signatures for the corresponding viruses are created at all. Finally, new techniques for evading antivirus detection are in use: encrypting the malware, generating polymorphic viruses on the server side, and testing the quality of the attack against antivirus products in advance.

Traditional antivirus protection is most often built on a "thick client" architecture: a large program is installed on the client's computer, which checks incoming data and identifies virus threats.

This approach has a number of shortcomings. First, scanning for malware and comparing signatures require considerable computing resources, which are "taken away" from the user. As a result computer performance drops, and the antivirus sometimes interferes with the applications running alongside it. Sometimes the load on the user's system is so noticeable that users switch off the antivirus software, thereby removing the barrier to a potential virus attack.

Second, each update requires thousands of new signatures to be transferred to the user's machine. The volume of transmitted data is usually about 5 MB per day per machine. This traffic slows down the network, consumes additional system resources and requires system administrators to monitor it.

Third, users who are roaming or away from their fixed workplace are defenceless against zero-day attacks: to receive the next batch of signatures they must connect to the VPN, which is not available to them while away.

Antivirus protection from the cloud

With the transition to cloud antivirus protection the solution architecture changes significantly. A "lightweight" client is installed on the user's computer whose basic functions are to look for new files, calculate their hash values and send the data to a cloud server. The full comparison against a large base of collected signatures is carried out in the cloud. This base is updated constantly and promptly from data supplied by antivirus companies. The client receives a report with the results of the check.

Thus the cloud architecture of antivirus protection has a number of advantages:

  • the amount of computation on the user's computer is negligible compared with the thick client, so the user's productivity does not suffer;
  • antivirus traffic has no catastrophic effect on network bandwidth: only a compact chunk of data containing a few dozen hash values is transferred, and the average daily traffic does not exceed 120 KB;
  • the cloud storage holds huge arrays of signatures, far more than are stored on user computers;
  • the signature-matching algorithms used in the cloud are much more intelligent than the reduced models used on local workstations, and thanks to higher performance the comparison takes less time;
  • cloud antivirus services work with real data obtained from antivirus laboratories, security-tool developers, and corporate and private users; zero-day threats are blocked as soon as they are recognized, without the delay caused by the need to reach user computers;
  • users who are roaming or have no access to their main workplace receive protection against zero-day attacks as soon as they have an Internet connection;
  • the load on system administrators falls: they no longer need to spend time installing antivirus software on users' computers or updating signature databases.
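The lightweight-client scheme described above, as an added Python example that is neither Webroot's code nor the article's: the client hashes new files, sends only the digests, caches definitive verdicts so repeated checks cost no traffic, and catches a threat the moment the cloud learns its hash, with no client-side update. The cloud service is simulated by an in-process dictionary and the sample files are constructed; a real client would send the digests over HTTPS to the vendor's service.

```python
import hashlib
from typing import Dict, List

# Simulated cloud reputation service: SHA-256 hex digest -> verdict.
# Stands in for the vendor's server; constructed for this example.
CLOUD_DB: Dict[str, str] = {}


def cloud_lookup(digests: List[str]) -> Dict[str, str]:
    """Server side: answer 'malicious', 'clean' or 'unknown' for each digest."""
    return {d: CLOUD_DB.get(d, "unknown") for d in digests}


def sha256_hex(content: bytes) -> str:
    return hashlib.sha256(content).hexdigest()


class LightClient:
    """The 'lightweight client': no signature base, only hashing and a cache."""

    def __init__(self) -> None:
        self.cache: Dict[str, str] = {}   # digest -> last verdict
        self.bytes_sent = 0               # traffic to the cloud, in raw digest bytes

    def check_files(self, files: Dict[str, bytes]) -> Dict[str, str]:
        """files: path -> content (in memory here instead of reading the disk).
        Returns path -> verdict. Only digests without a definitive cached
        verdict are sent; 'unknown' ones are asked again each time, because
        the cloud may have learnt them since (that is how zero-day hits arrive)."""
        digests = {path: sha256_hex(content) for path, content in files.items()}
        to_query = sorted({d for d in digests.values()
                           if self.cache.get(d, "unknown") == "unknown"})
        if to_query:
            self.bytes_sent += 32 * len(to_query)   # one SHA-256 digest is 32 bytes
            self.cache.update(cloud_lookup(to_query))
        return {path: self.cache[d] for path, d in digests.items()}


def demo():
    """Constructed scenario: a known-clean file and a not-yet-known dropper; the
    lab then adds the dropper's hash on the cloud side and the next check flags it."""
    client = LightClient()
    clean_file = b"MZ" + b"\x90" * 100
    dropper = b"MZ" + b"\xeb\xfe" * 50
    CLOUD_DB[sha256_hex(clean_file)] = "clean"
    first = client.check_files({"calc.exe": clean_file, "dropper.exe": dropper})
    CLOUD_DB[sha256_hex(dropper)] = "malicious"   # zero-day: no client update needed
    second = client.check_files({"calc.exe": clean_file, "dropper.exe": dropper})
    return first, second, client.bytes_sent
```

Two checks of two files cost 96 bytes of upstream traffic in total, against the several megabytes of daily signature updates quoted for the thick client. The caveat the scheme carries is visible in the first result: until the cloud knows a hash, the file is "unknown", not "clean", so the client still needs local heuristics or an offline policy for that case.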

Why traditional antiviruses do not cope

Modern malicious code can:

  • bypass antivirus traps, because a special targeted virus is created for the specific company;
  • evade detection before the antivirus creates a signature, using polymorphism, re-encoding, and dynamic DNS and URLs.

In short: targeted creation for the company, polymorphism, and code not yet known to anyone, for which no signature exists. Protecting against it is difficult.

Fastest antiviruses of 2011

In May 2011 the Russian independent information and analytics centre Anti-Malware.ru published the results of its latest comparative test of the 20 most popular antiviruses for speed and system-resource consumption.

The purpose of the test was to show which personal antiviruses have the least impact on the user's standard operations on the computer, "slow down" its work the least and consume the minimum of system resources.

Among antivirus monitors (real-time scanners) a whole group of products showed very high speed: Avira, AVG, ZoneAlarm, Avast, Kaspersky, Eset, Trend Micro Antivirus and Dr.Web. With these antiviruses on board, copying the test collection slowed down by less than 20% compared with the baseline. The monitors of Bitdefender, PC Tools, Outpost, F-Secure, Norton and Emsisoft also showed good speed results, within the 30-50% range.

Moreover, Avira, AVG, BitDefender, F-Secure, G Data, Kaspersky, Norton, Outpost Antivirus and PC Tools can be much faster in practice thanks to their optimization of repeated checks.

The best on-demand scanning speed was shown by Avira. Kaspersky, F-Secure, Norton, G Data Antivirus, BitDefender, Kaspersky Anti-Virus and Outpost trailed it slightly. These antiviruses are only slightly behind the leader in first-scan speed, and all of them have powerful technologies for optimizing repeated checks.

Another important speed characteristic of an antivirus is its effect on the application programs the user works with most often. Five were chosen for the test: Internet Explorer, Microsoft Office Word, Microsoft Outlook, Adobe Acrobat Reader and Adobe Photoshop. The smallest slowdown in launching these office programs was shown by the antiviruses of Eset, Microsoft, Avast, VBA32, Comodo, Norton, Trend Micro, Outpost and G Data.
