10.6. Antivirus software

Lecture

The wide spread of computer viruses has led to the development of antivirus programs that detect and destroy viruses and “cure” the affected resources.

The basis of most antivirus programs is the principle of searching for virus signatures. A virus signature is some unique characteristic of a virus program whose presence indicates that the virus is present in a computer system. Most often, a periodically updated virus signature database is included with the antivirus program. The antivirus program examines the computer system and compares what it finds against the signatures in the database. If it finds a match, it tries to clean out the detected virus.
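The signature search described above, as an added example (not code from the lecture): a small signature database, a matcher that supports both "anywhere in the file" and "at a fixed offset" signatures, and a scanner that walks a directory tree. The signature names and byte patterns are constructed placeholders, not real virus signatures, and the sample files are built in a temporary directory so the example runs offline.

```python
"""Signature-based scanning: compare file contents against a signature database."""
from __future__ import annotations

import os
import tempfile
from dataclasses import dataclass


@dataclass(frozen=True)
class Signature:
    name: str
    pattern: bytes              # unique byte sequence characteristic of the "virus"
    offset: int | None = None   # None: may occur anywhere; int: must sit at this offset


# Constructed signature database (placeholder patterns, not real malware bytes).
SIGNATURE_DB = [
    Signature("Demo.Anywhere", b"DEMO-SIG-A1"),
    Signature("Demo.Header", b"XHDR", offset=0),
]


def match_signatures(data: bytes, db=SIGNATURE_DB) -> list[str]:
    """Return the names of every signature in db that matches the given bytes."""
    hits = []
    for sig in db:
        if sig.offset is None:
            if sig.pattern in data:
                hits.append(sig.name)
        elif data[sig.offset:sig.offset + len(sig.pattern)] == sig.pattern:
            hits.append(sig.name)
    return hits


def scan_tree(root: str, db=SIGNATURE_DB) -> dict[str, list[str]]:
    """Scan every regular file under root; return {path: [matching signature names]}."""
    infected = {}
    for dirpath, _dirs, files in os.walk(root):
        for fn in files:
            path = os.path.join(dirpath, fn)
            with open(path, "rb") as fh:
                data = fh.read()   # whole-file read; fine for the small sample files here
            hits = match_signatures(data, db)
            if hits:
                infected[path] = hits
    return infected


def demo() -> dict[str, list[str]]:
    """Build constructed sample files in a temp directory and scan them."""
    with tempfile.TemporaryDirectory() as root:
        samples = {
            "clean.txt": b"just some harmless text",
            "infected.com": b"\x90\x90 payload DEMO-SIG-A1 more bytes",
            "header.exe": b"XHDR" + b"\x00" * 16,
            "decoy.bin": b"\x00XHDR",   # pattern present, but not at offset 0
        }
        for name, content in samples.items():
            with open(os.path.join(root, name), "wb") as fh:
                fh.write(content)
        results = scan_tree(root)
        return {os.path.basename(p): hits for p, hits in results.items()}


if __name__ == "__main__":
    for name, hits in demo().items():
        print(f"{name}: {', '.join(hits)}")
```

The `decoy.bin` case shows why real signature databases record context (offset, file type, section) alongside the raw bytes: a bare substring match on its own would flag any file that happens to contain the pattern, so the offset constraint is what keeps the false-positive rate down.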

By their mode of operation, antivirus programs can be divided into filters, auditors, doctors, detectors, vaccines, etc.

Filter programs are “watchmen” that are constantly present in RAM. They are resident and intercept all requests to the OS to perform suspicious actions, that is, operations that viruses use to replicate and to damage information and software resources in the computer, including reformatting the hard disk. Among them are attempts to change file attributes, modify executable COM or EXE files, and write to the boot sectors of a disk.

With each request for such an action, a message appears on the computer screen stating what action has been requested and which program will perform it; the user must then either allow or prohibit its execution. The constant presence of these “watchman” programs in RAM significantly reduces the memory available, which is the main disadvantage of these programs. In addition, filter programs cannot “cure” files or disks. This function is performed by other antivirus programs, such as AVP, Norton Antivirus for Windows, Thunder Byte Professional and McAfee Virus Scan.

Audit programs are a reliable means of protection against viruses. They record the initial state of the programs, directories and system areas of the disk, provided that the computer has not yet been infected with a virus. Subsequently, the program periodically compares the current state with the original. If any inconsistencies are detected (in file length, modification date, or the file's cyclic redundancy check code), a message appears on the computer screen. Among the audit programs, we can single out Adinf and its supplement, the Adinf Cure Module.
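The auditor principle described above, as an added example (not code from the lecture or from Adinf): a baseline of file length, modification time and CRC32 is taken while the system is believed clean, then re-taken and compared. The sample files and the modifications made to them are constructed in a temporary directory; the file names `command.com`, `config.sys` and `dropper.exe` are placeholders chosen for the illustration.

```python
"""Auditor-style integrity checking: baseline (size, mtime, CRC32), then compare."""
from __future__ import annotations

import os
import tempfile
import zlib


def file_record(path: str) -> dict:
    """Record the three attributes the lecture names: length, modification date, CRC."""
    st = os.stat(path)
    crc = 0
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(65536), b""):
            crc = zlib.crc32(block, crc)
    return {"size": st.st_size, "mtime_ns": st.st_mtime_ns, "crc32": crc & 0xFFFFFFFF}


def take_baseline(root: str) -> dict[str, dict]:
    """Walk root and record every regular file, keyed by path relative to root."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for fn in files:
            p = os.path.join(dirpath, fn)
            baseline[os.path.relpath(p, root)] = file_record(p)
    return baseline


def compare(baseline: dict[str, dict], current: dict[str, dict]) -> list[tuple[str, str]]:
    """Return (relative path, finding): 'added', 'removed', or which attributes changed."""
    findings = []
    for rel in sorted(set(baseline) | set(current)):
        if rel not in current:
            findings.append((rel, "removed"))
        elif rel not in baseline:
            findings.append((rel, "added"))
        else:
            diffs = [k for k in ("size", "mtime_ns", "crc32")
                     if baseline[rel][k] != current[rel][k]]
            if diffs:
                findings.append((rel, "changed: " + ",".join(diffs)))
    return findings


def demo() -> list[tuple[str, str]]:
    """Constructed scenario: baseline, then three kinds of change, then re-audit."""
    with tempfile.TemporaryDirectory() as root:
        def write(rel: str, data: bytes) -> None:
            with open(os.path.join(root, rel), "wb") as fh:
                fh.write(data)

        write("command.com", b"A" * 1024)
        write("config.sys", b"DEVICE=HIMEM.SYS\r\n")
        baseline = take_baseline(root)

        # 1. Extra bytes appended to an executable (size, mtime and CRC all move).
        write("command.com", b"A" * 1024 + b"<appended bytes>")
        # 2. Same-length edit with the original timestamp restored:
        #    only the CRC reveals the change.
        cfg = os.path.join(root, "config.sys")
        old = os.stat(cfg)
        write("config.sys", b"DEVICE=HIMEM.SYX\r\n")
        os.utime(cfg, ns=(old.st_atime_ns, old.st_mtime_ns))
        # 3. A file that did not exist at baseline time.
        write("dropper.exe", b"new file")

        return compare(baseline, take_baseline(root))


if __name__ == "__main__":
    for rel, finding in demo():
        print(f"{rel}: {finding}")
```

The `config.sys` case is the one worth noting: a change that keeps the length and resets the timestamp is invisible to the first two checks and is caught only by the CRC. CRC32 is what auditors of that era used and is adequate against accidental corruption, but it is not collision-resistant, so a modern integrity checker records a cryptographic hash (SHA-256) instead.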

Doctor programs can not only detect, but also “cure” infected programs or disks: they remove the virus body from the infected programs. Programs of this type can be divided into phages and polyphages. Phages are programs used to find viruses of a certain type; polyphages are designed to detect and destroy a large number of different viruses. Polyphages such as MS Antivirus, Aidstest and Doctor Web are the most commonly used in our country. They are continuously updated to deal with newly emerging viruses.

Detector programs are able to detect files infected by one or more viruses known to the software developers.

Vaccine programs, or immunizers, belong to the class of resident programs. They modify programs and disks in a way that does not affect their operation, but the virus against which the vaccination is made considers them already infected and does not penetrate them. At present, many anti-virus programs have been developed that are widely recognized and are constantly being updated with new anti-virus tools.

The Doctor Web polyphage is used to combat polymorphic viruses, which appeared relatively recently. In heuristic analysis mode, this program effectively detects files infected with new, unknown viruses. By using Doctor Web to check floppy disks and files received over a network, one can almost certainly avoid infecting the system.

When using Windows NT, there are problems with protection against viruses created specifically for this environment. There is also a new type of infection: macro viruses, which are “implanted” in documents prepared by the Word word processor and in Excel spreadsheets. The most common antivirus programs include AntiViral Toolkit Pro (AVP32), Norton Antivirus for Windows, Thunder Byte Professional and McAfee Virus Scan. These programs operate as scanners and carry out antivirus monitoring of RAM, folders and disks. In addition, they contain algorithms for recognizing new types of viruses and allow files and disks to be cured during the scan.

AntiViral Toolkit Pro (AVP32) is a 32-bit application running on Windows NT. It has a convenient user interface, a help system, a flexible system of user-selectable settings, and it recognizes more than 7 thousand different viruses. This program detects and removes polymorphic viruses, mutant viruses and invisible (stealth) viruses, as well as macro viruses that infect Word documents, Excel spreadsheets and Access objects, and Trojan horses.

An important feature of this program is the ability to monitor all file operations in the background and detect viruses before the system is actually infected, as well as to detect viruses inside ZIP, ARJ, LHA and RAR archives.

The interface of AllMicro Antivirus is simple and does not require additional product knowledge from the user. To work with this program, click the Start button (Scan), after which scanning of the hard disk begins: first the boot and system sectors of the hard disk, then all files, including archived and packed ones.

The Vscan 95 program checks the computer's memory, the boot sectors of the system disk and all files in the root directory at boot time. The other two programs in the package (McAfee Vshield, Vscan) are Windows applications. The first, after Windows boots, is used to monitor newly connected disks and to control executable programs and copied files; the second is for additional checking of memory, disks and files. McAfee VirusScan is able to find macro viruses in MS Word files.

With the development of local computer networks, e-mail and the Internet, and the introduction of the Windows NT network operating systems, anti-virus software developers have prepared and brought to market programs such as Mail Checker, which checks incoming and outgoing e-mail, and AntiViral Toolkit Pro for Novell NetWare (AVPN), which is used to detect, disinfect, delete and move infected files to a special directory. The AVPN program works as an anti-virus scanner and as a filter that constantly monitors files stored on the server. It is able to remove, move and “cure” the affected objects; scan packed and archived files; identify unknown viruses using a heuristic mechanism; check remote servers in scanner mode; and disconnect an infected workstation from the network. The AVPN program is easily configured to scan files of various types and has a convenient scheme for replenishing the anti-virus database.

