Protection You Can Count On
There's More Than One Way To Catch A Virus
In previous segments, we've looked at potential problems with pre-installed software and the who and how of certification. This third segment examines the various types of products designed to stop viruses and the mechanisms these scanners employ. In a very basic sense, virus detection rests on a handful of techniques: signature-based scanning, emulation, heuristics, behavioral analysis and checksumming.
Signature-based scanning searches for specific strings of code inherent to particular viruses. When such a string is found, the file is declared infected. Relying on signature files for detection poses two problems. First, users must update their scan engines frequently in order to ensure the latest possible protection is installed. Second, signature-based scanners are only effective in identifying known viruses.
Emulation simulates the execution of the file to determine whether it has any malicious intent. Essentially, the file is run inside what is referred to as a sandbox or virtual environment. In plain language, the file is tricked into believing it is interacting with the operating system when, in fact, it is not. Emulation can be time-consuming and result in a noticeable performance slowdown.
Heuristics attempt to detect unknown viruses and often employ generalized signature scanning geared to detect "families" of viruses. If the virus is related to a known family, heuristics will detect it and report it as suspicious or as infected with an unknown virus. Heuristics may also rely on emulation, or on a combination of signatures and emulation. Because of heuristics' penchant for false positives (identifying a clean file as infected) and the associated performance concerns, many vendors have suppressed the level of heuristics employed. As a result, only a very small number of products have gained a track record for detecting previously unknown threats.
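To make the difference between the two preceding approaches concrete, here is an added example (not code from the article or from any product) that scans in-memory files first for exact signatures and then for a generalized "family" pattern in which the bytes that vary between variants are wildcarded. All signatures, patterns and sample files are constructed for illustration. A file matching an exact signature is reported as infected; one matching only the family pattern is reported as suspicious, which is the weaker verdict the article describes heuristics giving because of their false-positive tendency.

```python
"""Exact-signature scanning beside heuristic family-pattern scanning.
Added example; every signature, pattern and sample here is constructed."""
import re

# Exact signatures: constructed byte strings standing in for the code
# fragment unique to one specific (hypothetical) virus.
EXACT_SIGNATURES = {
    "Demo.Alpha": b"\x90\x90\xe8\x00\x00\x00\x00\x5d\x81\xed",
    "Demo.Beta": b"INFECTED_BY_BETA",
}

# Family pattern: the same fragment with the four bytes that differ between
# variants replaced by wildcards (constructed; stands in for a generalized
# family signature of the kind heuristics use).
FAMILY_PATTERNS = {
    "Demo.Alpha.gen": re.compile(rb"\x90\x90\xe8.{4}\x5d\x81\xed", re.DOTALL),
}


def scan_exact(data: bytes) -> list:
    """Return the names of every exact signature present in data."""
    return [name for name, sig in EXACT_SIGNATURES.items() if sig in data]


def scan_heuristic(data: bytes) -> list:
    """Return the names of every family pattern that matches data."""
    return [name for name, pat in FAMILY_PATTERNS.items() if pat.search(data)]


def classify(data: bytes) -> str:
    """Exact hit -> 'infected'; family-only hit -> 'suspicious'; else 'clean'."""
    exact = scan_exact(data)
    if exact:
        return "infected:" + ",".join(exact)
    family = scan_heuristic(data)
    if family:
        return "suspicious:" + ",".join(family)
    return "clean"


# Constructed sample files. The "new variant" changed the four wildcarded
# bytes, so the exact signature misses it while the family pattern still hits.
SAMPLES = {
    "known_variant.bin": b"MZ..." + EXACT_SIGNATURES["Demo.Alpha"] + b"...",
    "new_variant.bin": b"MZ..." + b"\x90\x90\xe8\x11\x22\x33\x44\x5d\x81\xed" + b"...",
    "clean.txt": b"just a text document\n",
}

if __name__ == "__main__":
    for name, data in SAMPLES.items():
        print(f"{name}: {classify(data)}")
```

The example also shows why signature databases need constant updating: a single changed byte in the unknown variant defeats the exact signature, and only the broader family pattern catches it, at the price that a broader pattern is more likely to match an innocent file by coincidence.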
Checksumming, essentially a count of bits, is sometimes used to verify file integrity. An initial scan of system files is performed, and the checksum value derived for each file is stored in a database. When subsequent scans are performed, the program checks the database to ensure the value still matches. If it has changed, the file is considered suspicious and/or infected.
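The baseline-then-compare procedure just described, as an added example that is not the article's or any vendor's code. It uses an in-memory stand-in for the file system, with constructed file contents and paths, and stores SHA-256 digests rather than a simple bit count: a plain count or sum is easy to keep constant while altering the file, whereas a cryptographic hash is not. The report also lists files that are new or missing since the baseline, since a checksum database only notices changes to files it already knows about.

```python
"""Checksum-based file integrity checking: baseline the digests of system
files, persist the database, rescan later and report every difference.
Added example; the 'file system' and its contents are constructed."""
from __future__ import annotations
import hashlib
import json


def digest(data: bytes) -> str:
    """The stored value per file: SHA-256 of its contents."""
    return hashlib.sha256(data).hexdigest()


def baseline(files: dict) -> dict:
    """Initial scan: one digest per file path."""
    return {path: digest(data) for path, data in files.items()}


def save_db(db: dict) -> str:
    """Serialize the database (in practice this file must itself be protected)."""
    return json.dumps(db, sort_keys=True)


def load_db(text: str) -> dict:
    return json.loads(text)


def verify(files: dict, db: dict) -> dict:
    """Subsequent scan: compare current digests with the stored ones."""
    report = {"changed": [], "new": [], "missing": []}
    for path, data in files.items():
        if path not in db:
            report["new"].append(path)
        elif digest(data) != db[path]:
            report["changed"].append(path)
    for path in db:
        if path not in files:
            report["missing"].append(path)
    for key in report:
        report[key].sort()
    return report


# Constructed "system files" for the baseline.
SYSTEM_FILES = {
    "C:/WINDOWS/SYSTEM/KERNEL32.DLL": b"\x4d\x5aoriginal kernel bytes",
    "C:/WINDOWS/NOTEPAD.EXE": b"\x4d\x5aoriginal notepad bytes",
    "C:/AUTOEXEC.BAT": b"@ECHO OFF\r\n",
}


def demo() -> dict:
    """Baseline, then simulate a later scan after three kinds of change."""
    db = load_db(save_db(baseline(SYSTEM_FILES)))
    later = dict(SYSTEM_FILES)
    # Simulated infection: an executable grows by an appended (constructed) payload.
    later["C:/WINDOWS/NOTEPAD.EXE"] += b"<appended constructed payload>"
    # A newly installed file and a deleted one also show up in the report.
    later["C:/WINDOWS/NEWTOOL.EXE"] = b"\x4d\x5anew"
    del later["C:/AUTOEXEC.BAT"]
    return verify(later, db)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The limitation the article hints at with "suspicious and/or infected" is visible here: the checker knows that NOTEPAD.EXE changed, not why, so a legitimate update and an infection produce the same report and a human or another detection method must tell them apart.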
Behavioral analysis monitors the execution of the file and gives the user an opportunity to either prevent or undo any proposed or taken action. For example, if a file attempts to write to the system registry, the action can be blocked, either by the user or automatically, depending on configuration. In many respects, behavioral analysis and emulation are closely related, though behavioral analysis often lets the file execute in real time, stopping it only when suspicious behavior is detected. This method overcomes the performance slowdown side effect of emulation.
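The "prevent or undo" behavior described above, in miniature, as an added example (not the article's or any product's code). A monitor sits between a program's actions and a simulated system, consults a policy for each action, journals what it applies, and when the policy says block, stops the program and rolls back everything it had already done. The policy (block registry writes under the Run key, allow everything else), the two programs and the system state are all constructed for illustration.

```python
"""Behavioral analysis with undo: actions are applied in 'real time'
through a monitor that journals them and rolls back on a blocked action.
Added example; policy, programs and system state are constructed."""
from __future__ import annotations
from dataclasses import dataclass, field


@dataclass
class Action:
    kind: str       # "file_write" or "registry_write"
    target: str
    value: object


@dataclass
class SimulatedSystem:
    files: dict = field(default_factory=dict)
    registry: dict = field(default_factory=dict)


def policy(action: Action) -> str:
    """Constructed rule set: automatic block for persistence via the Run key.
    A real product would let the user choose allow/prompt/block per rule."""
    if action.kind == "registry_write" and "\\CurrentVersion\\Run" in action.target:
        return "block"
    return "allow"


class Monitor:
    def __init__(self, system: SimulatedSystem):
        self.system = system
        self.journal = []   # (action, previous value or None) for undo
        self.log = []

    def _store(self, action: Action) -> dict:
        return self.system.files if action.kind == "file_write" else self.system.registry

    def _apply(self, action: Action) -> None:
        store = self._store(action)
        self.journal.append((action, store.get(action.target)))
        store[action.target] = action.value

    def undo_all(self) -> None:
        """Roll back every journaled action, newest first."""
        while self.journal:
            action, previous = self.journal.pop()
            store = self._store(action)
            if previous is None:
                store.pop(action.target, None)
            else:
                store[action.target] = previous

    def run(self, actions: list) -> str:
        """Execute until the first blocked action, then undo what preceded it."""
        for action in actions:
            decision = policy(action)
            self.log.append(f"{decision}: {action.kind} {action.target}")
            if decision == "block":
                self.undo_all()
                return "blocked"
            self._apply(action)
        return "completed"


# Constructed suspect: drops a file, then tries to persist through the Run key.
SUSPECT = [
    Action("file_write", "C:/WINDOWS/SYSTEM/dropped.exe", b"MZ constructed dropper"),
    Action("registry_write",
           "HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\dropped",
           "C:/WINDOWS/SYSTEM/dropped.exe"),
]
# Constructed benign program: saves a document and a harmless preference.
BENIGN = [
    Action("file_write", "C:/My Documents/letter.txt", b"Dear ..."),
    Action("registry_write", "HKCU\\Software\\Notepad\\Font", "Courier"),
]


def run_program(actions: list) -> tuple:
    """Run a program under the monitor on a fresh system; return (verdict, system)."""
    system = SimulatedSystem()
    monitor = Monitor(system)
    return monitor.run(actions), system


if __name__ == "__main__":
    for name, prog in (("suspect", SUSPECT), ("benign", BENIGN)):
        verdict, state = run_program(prog)
        print(name, verdict, state)
```

Note that the suspect's first action, a plain file write, is allowed at the moment it happens; only the later registry write triggers the block, and the journal is what makes undoing the earlier write possible. That ordering is the trade-off the article points to: the file really does execute, so the monitor's coverage is only as good as its rules and its ability to reverse what already ran.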
The question, of course, is: how effective are these methods in preventing virus infections? The next segment of this series will review individual antivirus software solutions, including the methods used to detect viruses, their track record for doing so, and performance issues such as system impact and scan speeds. In the meantime, an interesting graphic follows, depicting the rather flat cost of antivirus software up to 1999, paralleling the equally flat cost of virus recovery. Beginning in 1999, however, with the appearance of the Melissa virus, the cost of recovery spiraled at an unprecedented rate despite installed antivirus protection. These figures, obtained from IDC and PricewaterhouseCoopers, corroborate a disturbing reality: today's viruses travel at the speed of technology. Next in the series: Can your antivirus keep up?