The world of the computer virus is ever-changing. The rise of e-mail as a primary tool to transfer files has created new viruses, and viruses of the past are still tough. John Costello looked at the issues and players in the antivirus market today.
Despite all the warnings, antivirus software developer McAfee Associates estimates only 38 per cent of corporate workstation users actually deploy virus protection products regularly.
"Since effective antivirus products are available, it appears that organisations have found the establishment of protective measures to be confusing, disruptive and/or possibly too expensive.
"The decision process is complex, especially in distributed multi-user, multiplatform environments which typically undergo almost constant evolution," the com-pany noted in an evaluation of distributed virus protection products. The evaluation was authored by Scott Gordon, McAfee Associates' product manager and primary spokesperson for security solutions.
More importantly, it would seem that no two product comparison reviews offer similar assumptions, results or conclusions.
IBM-compatible and Macintosh viruses (which constitute the majority of network infections) fall into two basic categories - boot and file.
Boot viruses activate upon system startup and are the most common type. They infect a system's floppy or hard disk and then spread (by replicating and attaching) to any logical disks available.
File viruses are actually programs which must be executed in order to become active, and include executable files such as .com, .exe and .dll. Once executed, file viruses replicate and attach to other executable files.
Particularly troublesome virus classes are known as stealth (active and passive), encrypted, polymorphic and macro.
Stealth viruses are difficult to detect because, as their name implies, they actually disguise their actions. Passive stealth viruses can increase a file's size, yet present the appearance of the original file size, evading integrity checking, one of the most fundamental detection tactics.
Active stealth viruses may be written so that they actually attack installed antivirus software, rendering the product's detection tools useless.
"The challenge of encrypted viruses is not primarily one of detection," Gordon noted. "The encryption engine of this type of virus masks its viral code - making identification, as opposed to detection, more difficult. Therefore, detection and prevention of recurring infections is harder even with frequent anti-virus software updates."
He said the polymorphic category has grown considerably, presenting a particular detection challenge. Each polymorphic virus has a built-in mutation engine.
This engine creates random changes to the virus' signature on given replications.
Recently, macro viruses have gained much notoriety and have grown in number. A macro virus is a set of macro commands, specific to an application's macro language, which automatically executes in an unsolicited manner and spreads to that application's documents. Since macro virus creation and modification is easier than other viruses and since documents are more widely shared than applications, they pose a significant new threat.
As the threat and number of viruses grew along with the conditions so conducive to their spread, so did the sophistication of the efforts to combat them. There are now five major virus detection methods:
Integrity checking. Based on determining whether virus-attached code modified a program's file characteristics.
Interrupt monitoring. Looks for virus activity that may be flagged by certain sequences of program system calls, after virus execution.
Memory detection. Depends on recognition of a known virus' location and code while in memory. Has a downside in that it may impose impractical resource requirements and can interfere with legal operations.
Signature scanning. Recognises a virus' unique signature - a pre-identified set of hexadecimal codes.
Recognises virus-like characteristics within programs for identification.
Usually, all five techniques can be used, and on both network servers and workstations. Due to the large number of virus types, all effective antivirus products today leverage a combination of methods to combat viruses.
The Paradigm Agency
Tel (02) 9437 5866 Fax (02) 9439 5166