Antivirus Software

by Pearlyn Neo, 8 November 2012


Transcript of Antivirus Software

WHAT ARE ANTI-VIRUS SOFTWARE PROGRAMS?

A computer program used to scan for and remove computer viruses and other malicious files, e.g. trojan horses, adware, etc. (antivirusworld.com, n.a.). They are an essential part of a multi-layered computer security strategy.

Photo sources: http://www.toptenantivirus.info/wp-content/images/paid-antivirus-software.gif; http://innovation.internews.org/sites/default/files/content-images/computer-virus-sign.jpg

WHAT ARE THE TYPES OF SOFTWARE AVAILABLE?

  • Signature Detection
  • Behaviour Monitoring

SIGNATURE-BASED DETECTION

  • Examines files for viruses and compares them against a virus dictionary.
  • The anti-virus software examines a file when the computer system creates, opens, closes or e-mails it.
  • Signature: an algorithm or byte string that uniquely identifies a specific virus, with minimal false alarms.
  • A single signature may be found in a number of viruses, hence the scanner is able to detect some new viruses it has never encountered before; this is referred to as generic detection.
  • Generic detection is less likely to be effective against completely new viruses that fall outside the known virus "families" (Landesman, 2012).
  • If the scanner detects a piece of code in any file that is identified in the dictionary, the user is prompted to either ignore, repair, quarantine or delete the file.
  • By quarantining or deleting the infected file, the virus is stopped from infecting other files.
  • To be effective in the long run, periodic online downloads of updated virus dictionary entries are required.
  • Users can alert the anti-virus software authors about new viruses to ensure that the signatures in the dictionary are updated (Landesman, 2012).
  • The virus scanner can also be scheduled to scan the computer for viruses at regular intervals.

What are its weaknesses?

  • Virus authors have tried to skirt this method by creating polymorphic viruses: these viruses encrypt some parts of themselves to avoid being matched against virus dictionary entries.
  • Recurring need to update the virus dictionary: the anti-virus software author releases signature updates, which improve the detection ability of the virus scanner.
  • This may prove troublesome in the long run, as the user needs to constantly update their software (which still doesn't guarantee that an entirely new virus will be detected) (Landesman, 2012).

BEHAVIOUR MONITORING

  • Instead of trying to identify known viruses, it monitors the behaviour of all programs, e.g. if a program tries to write data to an executable program, the user is notified of this suspicious behaviour and asked what to do.
  • Compared to the signature detection method, it provides better protection against brand-new viruses.
  • A large number of alerts may desensitize users to all the warnings, so they end up clicking "accept" on every file prompt (antivirusworld.com).

Method 1: Monitoring through File Analysis

  • The antivirus software analyzes the instructions of a particular program to determine whether or not it is malicious.

Using a Sandbox

  • The sandbox imitates the operating system and runs the executable in this simulation.
  • The sandbox is then analyzed for changes which might indicate a virus.
  • This method is usually run only on on-demand scans, as it may affect performance (antivirusworld.com).

HOW DOES IT SCAN YOUR COMPUTER?

On-access scanning

  • The anti-virus software typically runs in the background and scans every file opened; also known as background scanning or real-time protection.
  • When a .exe file is double-clicked to be opened, the software checks it for viruses first, before making the data visible to the user (Hoffman, 2012).
  • Sample screenshot. Photo source: http://www.howtogeek.com/wp-content/uploads/2012/10/image11.png

Full system scans

  • Because on-access scanning is present, full system scans are not always run by the user.
  • Useful when you've just downloaded the anti-virus software, to check for dormant viruses hidden in your computer.
  • But usually the anti-virus software is always running in the background to scan every file opened or downloaded (Hoffman, 2012).
  • Sample screenshot. Photo source: http://www.howtogeek.com/wp-content/uploads/2012/10/image12.png

Sample depictions of computer viruses. Photo sources: http://media.smithsonianmag.com/images/top-10-computer-viruses-631.jpg; http://www.siliconrepublic.com/fs/img/news/201209/rs-426x288/computer-virus.jpg; http://4.bp.blogspot.com/-5rlYqNWh8Io/TwVQcOF1-eI/AAAAAAAAK4c/LxDnTqRonJQ/s1600/Screen+Shot+2012-01-05+at+8.25.17+AM.png

A CLOSER LOOK AT SIGNATURES

  • Viruses are becoming increasingly complex, e.g. metamorphic viruses, and a behaviour-based scan is then required (see Behaviour Monitoring above) (Agustin, 2008).
  • Some may say that signatures were only used in the anti-virus software of the 1980s and 1990s, but this is not the case: signatures are still widely used in the virus detection algorithms of many anti-virus products today.
  • How is the software able to scan a file in such a short time when there are so many signatures on the list? Optimization criteria: some software, e.g. Norton Antivirus, uses signatures that begin only with a subset of all the possible bytes (Agustin, 2008). This allows fast scanning, as the software knows all the possible prefixes.

HOW SIGNATURES ARE EXTRACTED (Kephart & Arnold, 1994)

  • An algorithm examines each code sequence in a virus and estimates the probability of the code being found in any other file.
  • The code sequence with the lowest false-positive probability is chosen as the signature.
  • Computer viruses are usually a few hundred to a few thousand bytes long, hence the memory required to store thousands of complete virus patterns would be several megabytes, which is not practical.
  • It is also dangerous for the anti-virus software to have a large library of virus signatures, as it might be exploited by virus authors.
  • Hence, instead of a total match, antivirus software usually uses a small part of the virus code for identification. These short signatures are easier to work with and are still able to identify most viruses without revealing any useful information to virus authors.
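The selection step of the Kephart & Arnold extraction described above, as an added example written for this page (not code from the paper or the presentation): byte-bigram statistics from a small constructed benign corpus estimate how likely each candidate window of a constructed virus body is to occur in innocent code, and the least likely window that never appears in the corpus is kept as the signature. The corpus and the virus body are made-up sample data.

```python
from collections import Counter
from math import log

# Constructed sample data (not real malware): a tiny "benign corpus" standing in for
# Kephart & Arnold's corpus of innocent programs, and one constructed "virus body".
BENIGN_CORPUS = [
    b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00\xff\xff\x00\x00" + b"\x00" * 16,
    b"This program cannot be run in DOS mode.\r\n$\x00\x00\x00",
    b"\x00" * 24 + b"PE\x00\x00L\x01\x03\x00" + b"\x00" * 24,
]
VIRUS_BODY = (b"\x00" * 6 + b"MZ\x90\x00"            # header bytes also found in benign files
              + b"\xeb\x1f\x5e\x89\x76\x08\x31\xc0"  # constructed body bytes
              + b"\x88\x46\x07\x89\x46\x0c"
              + b"\x00" * 6)


def train_bigrams(corpus):
    """Count byte unigrams and bigrams over the benign corpus."""
    uni, bi = Counter(), Counter()
    for data in corpus:
        uni.update(data)
        bi.update(zip(data, data[1:]))
    return uni, bi


def log_prob(seq, uni, bi, total):
    """Add-one smoothed log-probability that `seq` occurs in benign code."""
    lp = log((uni[seq[0]] + 1) / (total + 256))
    for a, b in zip(seq, seq[1:]):
        lp += log((bi[(a, b)] + 1) / (uni[a] + 256))
    return lp


def extract_signature(virus, corpus, length=8):
    """Pick the `length`-byte window of `virus` least likely to appear in benign code.

    Windows that literally occur in the corpus are rejected outright, since they
    would match clean files. Returns None if every window is rejected.
    """
    uni, bi = train_bigrams(corpus)
    total = sum(uni.values())
    best, best_lp = None, 0.0
    for i in range(len(virus) - length + 1):
        cand = virus[i:i + length]
        if any(cand in data for data in corpus):
            continue
        lp = log_prob(cand, uni, bi, total)
        if lp < best_lp:
            best, best_lp = cand, lp
    return best
```

The header-like bytes and the zero padding score as likely in benign code, so the chosen window is the constructed body sequence; an all-zero "virus" yields no usable signature at all.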
FILE ANALYSIS VS. FILE EMULATION

  • Method 1, file analysis: if a program requires the system to delete important files, for example, it is flagged as a possible virus; this approach may, however, raise many false alarms (easynetlive.info).
  • Method 2, file emulation: the sandbox approach described earlier.

OTHER CONCERNS ABOUT ANTI-VIRUS SOFTWARE

Performance

  • Some antivirus software may reduce performance in some ways, due to the need to scan every file opened or downloaded.
  • However, the software should be enabled full-time for maximum protection.

Security

  • Antivirus programs may also pose security risks, as they are usually given "System" privileges (easynetlive.info); hence any exploitation of the program itself can pose a serious threat.
  • Some antivirus programs may actually be spyware in disguise, so it is important to check their authenticity before installing (easynetlive.info).

Photo sources: http://3.bp.blogspot.com/-jJ1lLzI677o/TeBs67bRYjI/AAAAAAAAAb4/PYJu9_v7erI/s1600/Dictionary+Based+Detection+Ethical+Hacking+security.jpg; http://www.razorleaf.com/wp-content/uploads/2009/09/Inspecting-Searching-Folder-200x250.jpg; http://www.familyhomesecurity.com/images/Improve-Computer-Performance.jpg; http://www.thoseguyspcrepair.com/wp-content/uploads/security-software-2.jpg

CHARACTERISTICS OF ANTI-VIRUS SOFTWARE (Boja & Visoiu, 2007)

  1. Space minimization: the memory on the hard disk required to run the software. Each antivirus application used to scan files involves a database of virus signatures that affects its efficiency and effectiveness.
  2. Speed maximization.
  3. Low profile: the user must be minimally restrained in his usage.

OTHER OPTIMIZATION METHODS (Boja & Visoiu, 2007)

  • Wildcards: scanners ignore some characters in the virus signature.
  • Generic degree: the number of search strings is reduced by identifying a signature common to a family of viruses.
  • Mismatches: first introduced in IBM's antivirus; allows a certain number of bytes in the string to be any value, regardless of their position.
  • Top & tail scanning: most viruses have their code either at the end or at the head of the file, so scanners only examine these two parts to reduce time.
  • Skeleton detection: reduces the search zone of the target file by not scanning file instructions that are unlikely to be part of the virus code.

CLOUD ANTI-VIRUS SOFTWARE

  • Cloud anti-virus software is increasingly popular.
  • The software runs on users' desktops and connects to a central monitoring server in the cloud.
  • Virus signatures are automatically updated as long as users are connected to the Internet.
  • Requires little memory space, as most of the heavy processing happens in the cloud.
  • Users keep track of file infections via the central server, which is accessed through a web browser (searchvirtualdesktop.techtarget.com).
  • Does this mean that the computer is not protected without an Internet connection? No. The cloud antivirus saves information and signatures in a local cache to keep the system secure even when the computer is offline.
  • The hassle of having to manually update the software's signature dictionary is reduced, and the computer is better protected from new viruses.
  • Two examples of cloud antivirus software that use both Signature Detection and Behaviour Monitoring methods: Avast! Antivirus and Panda Cloud Antivirus. The antivirus software looks out for suspicious behaviour in files and submits these possible virus samples for testing in the cloud; the central server then extracts the signature of these new viruses and sends users an update to the software's virus dictionary automatically.

Hope you now have a better understanding of how anti-virus software works!

Bibliography

Agustin. (2008). What is a virus signature? Are they still used? Retrieved from: http://www.agusblog.com/wordpress/tag/virus. [Last Accessed 1 November 2012]

Antivirusworld.com. (n.a.). How does anti-virus software work? Retrieved from: http://www.antivirusworld.com/articles/antivirus.php. [Last Accessed 2 November 2012]

Boja, C., & Visoiu, A. (2007). Optimization of Antivirus Software. Informatica Economică , 4 (44), 99-101.

Easynetlive.info. (n.a.). Behaviour Monitoring. Retrieved from: http://www.easynetlive.info/behavior-monitoring.html. [Last Accessed 1 November 2012]

Hoffman, Chris. (2012). HTG Explains: How Antivirus Software Works. Retrieved from: http://www.howtogeek.com/125650/htg-explains-how-antivirus-software-works/. [Last Accessed 3 November 2012]

Kephart, J.O & Arnold, W.C. (1994). Automatic Extraction of Computer Virus Signatures. Retrieved from: http://www.research.ibm.com/antivirus/SciPapers/Kephart/VB94/vb94.html. [Last Accessed 3 November 2012]

Landesman, Mary. (n.a.). What is a virus signature? Retrieved from: http://antivirus.about.com/od/whatisavirus/a/virussignature.htm. [Last Accessed 3 November 2012]

Searchvirtualdesktop.techtarget.com. (2010). Should you move your antivirus protection to the cloud? Retrieved from: http://searchvirtualdesktop.techtarget.com/feature/Should-you-move-your-antivirus-protection-to-the-cloud. [Last Accessed 3 November 2012]

Photo sources: http://www.thefervidgroup.com/wp-content/uploads/2012/03/reduce-time.png; http://www.dzinepress.com/wp-content/uploads/2011/03/Track-the-Effectivity-of-Link-Building-Campaigns.jpg; http://cdn1.iconfinder.com/data/icons/sabre/snow_sabre_black/512/folder_black_byte.png

Pearlyn Neo A0077197N
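The wildcard, mismatch and top & tail optimizations listed under Other optimization methods above, as an added worked example written for this page (not code from the presentation, from Boja & Visoiu, or from any product): a tiny scanner with a constructed wildcard signature, a tolerated number of mismatched bytes, and head/tail-only scanning. The signature and the sample files are made up; the last sample shows the trade-off of top & tail scanning, a pattern in the middle of a file is missed until the scanned regions are widened.

```python
# Constructed demo signature as a wildcard byte pattern; None matches any byte.
# It is not a real signature from any product or malware family.
SIGNATURES = {
    "DemoFamily": (0xEB, 0x1F, None, 0x89, 0x76, None, 0x31, 0xC0),
}

def match_at(data, offset, pattern, max_mismatches):
    """True if `pattern` matches `data` at `offset`: wildcards (None) are skipped and
    up to `max_mismatches` non-wildcard bytes may differ (the IBM "mismatches" idea)."""
    if offset + len(pattern) > len(data):
        return False
    misses = 0
    for i, want in enumerate(pattern):
        if want is not None and data[offset + i] != want:
            misses += 1
            if misses > max_mismatches:
                return False
    return True

def scan_regions(data, head, tail):
    """Top & tail scanning: only the first `head` and last `tail` bytes are examined,
    unless the file is small enough to be scanned whole."""
    if len(data) <= head + tail:
        return [(0, len(data))]
    return [(0, head), (len(data) - tail, len(data))]

def scan_file(data, signatures=SIGNATURES, max_mismatches=1, head=64, tail=64):
    """Return [(signature name, offset)] for every hit inside the scanned regions."""
    hits = []
    for name, pattern in signatures.items():
        for start, end in scan_regions(data, head, tail):
            for off in range(start, end - len(pattern) + 1):
                if match_at(data, off, pattern, max_mismatches):
                    hits.append((name, off))
    return hits

# Constructed 1024-byte sample files: clean; pattern in the tail; tail variant with one
# byte changed (0x76 -> 0x77); pattern buried mid-file where top & tail does not look.
CLEAN = bytes(range(256)) * 4
PATTERN = bytes([0xEB, 0x1F, 0x5E, 0x89, 0x76, 0x08, 0x31, 0xC0])
INFECTED_TAIL = CLEAN[:984] + PATTERN + CLEAN[992:]
INFECTED_TAIL_VARIANT = CLEAN[:984] + PATTERN.replace(b"\x76", b"\x77") + CLEAN[992:]
INFECTED_MIDDLE = CLEAN[:500] + PATTERN + CLEAN[508:]
```

With the defaults the tail sample and its one-byte variant are both reported at offset 984, while the mid-file sample is only found when head and tail cover the whole file.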