Malicious software comes in many different forms: viruses, worms, trojans, and advertising-related spyware and adware are the most common categories. Each category in turn contains many different types of threats. For example, within worms there are autorun worms, network worms, Internet worms, email worms, etc. There are just as many methods of combating malware, and most of today's anti-malware scanners combine several of them. Following are four of the more commonly encountered approaches used in consumer-focused malware protection.
In the antivirus world, a signature is an algorithm or hash (a number derived from a string of text) that uniquely identifies a specific virus. Signature scanners look for known threats, i.e. malware that has previously been analyzed and identified. They also offer some limited protection against unknown threats, by employing generic signatures that trigger on commonalities typical of previously seen malware.
In its simplest form, behavior blocking monitors file activities, preventing certain modifications to the operating system or related files. For example, behavior blockers may monitor the system registry and warn users accordingly if a file being executed is attempting to modify it. Some programs, of course, do this legitimately, e.g. a setup program. Other files, however, may have malicious intent. The key benefit of a behavior blocker is that it questions whether the action was expected and whether the user wants to allow it.
Signature scanners work from a blacklist approach, i.e. blocking any known bad code. Whitelisting does the opposite - identifying all known good items and allowing only those to run on a system. Whitelisting is seldom seen as a standalone solution - most view the practice as too expensive and time consuming in standalone form to be practical. However, when a whitelist is used as an exception list (for example, to exclude known good files from signature scanning), it can streamline performance.
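The following is an added example, not code from the original article or from any product it describes. It puts the two content-based techniques above together in one small scanner: a whitelist of known-good hashes used as an exception list (checked first, so trusted files skip the costlier checks), an exact-hash blacklist of previously analysed samples, and a generic signature (a byte pattern shared by a family) that catches a variant whose hash has never been seen. All sample "files", hashes, detection names and the regex pattern are constructed for the demo and are not real indicators.

```python
"""
Added example (not from the original article): a minimal file scanner that
combines a whitelist used as an exception list, exact-hash signatures and a
generic byte-pattern signature. Everything below is constructed demo data.
"""
import hashlib
import re
from typing import Optional, Tuple

# --- Constructed sample "files" (in-memory byte strings, not real malware) ---
GOOD_TOOL = b"MZ\x90\x00 legit-updater v2.1 signed-by-vendor"
KNOWN_BAD = b"MZ\x90\x00 DEMO-DROPPER stage1 contact=demo.invalid"
BAD_VARIANT = b"MZ\x90\x00 DEMO-DROPPER stage1 contact=other.invalid padding"
UNKNOWN_FILE = b"MZ\x90\x00 some unrelated program"


def sha256(data: bytes) -> str:
    """Hash used as the file's identity for both the whitelist and the blacklist."""
    return hashlib.sha256(data).hexdigest()


# Whitelist: hashes of known-good files, used purely as an exception list.
WHITELIST = {sha256(GOOD_TOOL)}

# Exact-match signatures: one hash per previously analysed sample (constructed).
EXACT_SIGNATURES = {sha256(KNOWN_BAD): "Demo.Dropper.A"}

# Generic signature: a byte pattern common to the whole family (constructed
# regex). It also matches the variant whose hash has never been seen.
GENERIC_SIGNATURES = [
    (re.compile(rb"DEMO-DROPPER stage\d contact=[\w.]+"), "Demo.Dropper.Gen"),
]


def scan(data: bytes) -> Tuple[str, Optional[str]]:
    """Return (verdict, detection_name).

    Verdicts: 'trusted' (whitelisted, signature checks skipped),
              'malicious' (exact or generic signature hit),
              'clean'     (no signature matched).
    """
    digest = sha256(data)
    # 1. Whitelist first: known-good files skip the remaining checks entirely.
    if digest in WHITELIST:
        return ("trusted", None)
    # 2. Exact hash match: cheapest way to catch an already-analysed sample.
    if digest in EXACT_SIGNATURES:
        return ("malicious", EXACT_SIGNATURES[digest])
    # 3. Generic pattern match: catches variants that share family traits.
    for pattern, name in GENERIC_SIGNATURES:
        if pattern.search(data):
            return ("malicious", name)
    return ("clean", None)


if __name__ == "__main__":
    samples = [("GOOD_TOOL", GOOD_TOOL), ("KNOWN_BAD", KNOWN_BAD),
               ("BAD_VARIANT", BAD_VARIANT), ("UNKNOWN_FILE", UNKNOWN_FILE)]
    for label, blob in samples:
        print(f"{label:13s} -> {scan(blob)}")
```

Note the ordering: because the whitelist is consulted before any signature, a whitelisted file is never scanned, which is exactly the performance gain the text describes and also why a whitelist entry must be as trustworthy as the signature database it bypasses.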
A host intrusion prevention system (HIPS) monitors each activity a program attempts and (depending on configuration) prompts the user for action or responds based on pre-defined criteria. HIPS is application-level control: while it offers very granular control over the system, it is best suited for experienced users who have both the knowledge and the patience to answer the prompts and make the proper configuration choices.
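The following is an added example, not code from the original article or from any product it describes, illustrating the behavior blocking and HIPS sections together. It is a toy rule engine that consumes a constructed stream of (process, action, target) events and returns one of three decisions: allow, block, or prompt. The rules are the "pre-defined criteria"; an `interactive` switch decides whether uncertain cases are handed to the user (HIPS-style prompting) or decided automatically (a behavior blocker failing closed). The process names, file paths, registry key and the set of trusted installers are hypothetical sample values.

```python
"""
Added example (not from the original article): a minimal behavior-blocker /
HIPS rule engine. Rules are evaluated in order; the first match wins. An
'ask' rule becomes a user prompt in interactive mode and an automatic block
otherwise. All names, paths and keys are hypothetical demo values.
"""
from dataclasses import dataclass
from typing import Callable, List


@dataclass(frozen=True)
class Event:
    process: str   # image name of the process performing the action
    action: str    # "registry_set", "file_write", ...
    target: str    # registry value path or file path being modified


@dataclass(frozen=True)
class Rule:
    name: str
    matches: Callable[[Event], bool]
    decision: str  # "allow", "block" or "ask" (ask = needs a human in interactive mode)


# Hypothetical sample values for the demo.
AUTORUN_KEY = "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run"
TRUSTED_INSTALLERS = {"setup.exe", "msiexec.exe"}


def is_autorun_write(e: Event) -> bool:
    return e.action == "registry_set" and e.target.startswith(AUTORUN_KEY)


def is_trusted_installer(e: Event) -> bool:
    return e.process.lower() in TRUSTED_INSTALLERS


RULES: List[Rule] = [
    # A setup program legitimately registers an autorun entry: allow silently.
    Rule("installer-autorun-ok",
         lambda e: is_autorun_write(e) and is_trusted_installer(e),
         "allow"),
    # Any other program adding a persistence entry: the user should decide.
    Rule("autorun-modification", is_autorun_write, "ask"),
    # Writes into the OS directory by a non-installer: block outright.
    Rule("system-dir-write",
         lambda e: e.action == "file_write"
                   and e.target.lower().startswith("c:\\windows\\")
                   and not is_trusted_installer(e),
         "block"),
]


def decide(event: Event, interactive: bool) -> str:
    """Return 'allow', 'block' or 'prompt' for one event.

    interactive=True  -> HIPS-style: 'ask' rules are surfaced as a prompt.
    interactive=False -> behavior-blocker default: 'ask' rules fail closed.
    Events matching no rule are allowed; a blocker is not a whitelist.
    """
    for rule in RULES:
        if rule.matches(event):
            if rule.decision == "ask":
                return "prompt" if interactive else "block"
            return rule.decision
    return "allow"


def run(events: List[Event], interactive: bool) -> List[tuple]:
    """Evaluate a whole event stream; returns (process, action, decision) rows."""
    return [(e.process, e.action, decide(e, interactive)) for e in events]


# Constructed event stream for the demo.
EVENTS = [
    Event("setup.exe", "registry_set", AUTORUN_KEY + "\\Updater"),
    Event("invoice.pdf.exe", "registry_set", AUTORUN_KEY + "\\svchosst"),
    Event("invoice.pdf.exe", "file_write", "C:\\Windows\\System32\\drivers\\x.sys"),
    Event("notepad.exe", "file_write", "C:\\Users\\alice\\notes.txt"),
]

if __name__ == "__main__":
    print("automatic mode :", run(EVENTS, interactive=False))
    print("interactive    :", run(EVENTS, interactive=True))
```

The two modes show the trade-off the text makes: in automatic mode nothing is asked of the user but a legitimate program not on the installer list would be blocked when it touches the autorun key; in interactive mode that case becomes a prompt, which is only useful if the person answering understands what the prompt means.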