Full Version: How AV/AT Products Work
Gladiator Security Forum > Security Software & Hardware > Anti-Virus, Anti-Malware, Anti-Spyware & Privacy
Hunter
For techniques of virus and Trojan detection and engines, I think these resources will help. I know it is frustrating to answer some of the questions that have come up and will come up. But when they start getting very technical, this information might help if you have time to read it all.


********************
Antivirus Research and Detection Techniques


http://www.extremetech.com/article2/0,3973...3,325439,00.asp


Polymorphic and Metamorphic Detection

Scanning with signatures or analyzing code sequences is only possible when a virus is in an unencrypted form. Since the purpose of a virus is to run and spread as far as it can before being discovered, virus writers will use techniques to avoid detection. One early technique was to encrypt the virus so that a signature scanner couldn't get a match. These polymorphic viruses would change form each time the virus infected a new victim, encrypting its code to look like gibberish to the scanner. When the virus was run, a decryptor engine built into the virus code would run first, and decrypt the virus executable code. The engine would then pass execution to the virus code to do the dirty work.

To work, a decryptor engine must be a valid executable that the OS recognizes. In some cases, antivirus software is able to get signatures of the decryptors for detection. However, knowing that, the virus writers started obfuscating the code by adding bogus code, and using different instructions to accomplish the same thing. The virus would randomly put extra instructions such as jumps between each valid instruction, or just add junk code that looks good, but doesn't do anything. If the code was not too badly changed, it was still possible to get heuristic signatures that could still identify code sequences, or "magic numbers" that wouldn't change between versions.



Heuristic techniques are generally engaged when signature-based scanning does not reveal a problem. If the heuristic indicates the file is suspicious, it's loaded into an isolated virtual machine that emulates a basic execution environment. The virtual machine, while not as complex as standalone products like VMware or VirtualPC, provides enough emulation that the virus thinks it is executing on the victim's PC, and decrypts itself. Once decrypted, the code is scanned with the signature scanner to attempt to identify the virus. If it does, the execution ends, and the virus is eradicated.

Metamorphic viruses, however, will change the structure of the virus body as well as the decryption engine, making it impossible to get a signature match. To get an idea of the lengths that a virus can go to, consider the W32.Simili virus as described in the Virus Bulletin, May, 2002. The W32.Simili virus uses a polymorphic decryptor which changes size and location in its infections. It creates a metamorphic virus body by disassembling the virus to an intermediate form, compresses it by removing redundant and unused code, then mutating it by reordering functions and breaking up code. It then expands the intermediate form by adding random redundant code and unused instructions. It finally reassembles the intermediate code to a native code which is used to infect other hosts. To add insult to injury, the payload, a message box, is only displayed on certain days, depending on the virus variant.

This type of virus is run within the emulator, and its behavior is monitored. Much like the techniques used by researchers in the labs, the heuristic scanner looks for behaviors like disassembling code, adding code, or encrypting files, and analyzes the probability of an infection. Running a suspicious file in a virtual machine can effectively find malicious code that reveals its form or intent early in the process, but it can't keep the suspicious file in an analysis state forever. Additionally, since many viruses do not always infect an application's entry point, the antivirus software needs to figure out where to find the descriptor code in the first place, which can take more time. When you run an application on your PC, a small amount of delay could be tolerated, but if you had to wait until the date changes to an odd number, you would quickly uninstall the antivirus software, of course! In the cases where the emulation does not find an infection, either by signatures, or behaviors, the antivirus software will then rely on certain on-the-fly methods.

For on-the-fly scanning, antivirus products hook the Windows APIs, and DOS interrupts that are focused on loading and executing applications. When the application is run, the antivirus software is aware of the situation and scans the file for virus signatures or static behaviors. If it's clean, the application is allowed to run, but under the watchful eye of the antivirus heuristics. The heuristics hook APIs and interrupts for potentially damaging system calls, like writing and deleting files, or accessing SMTP or email functions. As the program makes the calls, the behaviors are analyzed for suspicious actions. If the executing program makes a series of suspicious actions, the antivirus watchdog will pop up a warning that it may be a virus.

Conclusion

As you can see, no one detection method works for all cases. Virus detection is accomplished more often by a combination of many tests and techniques. The researcher's goal with every new virus is to find positive identifying characteristics that can be incorporated into the scanner for a quick and safe detection. Through analysis of existing threats, patterns of form, architecture, and behavior emerge that are used to create heuristic methods that may catch the next new threat before it has been identified. As we rely more and more on computers, networks and the Internet, the stakes are rising. No one antivirus package is foolproof. Virus writers are getting more sophisticated, and viruses are more complex. It is a constant volley between virus writers and antivirus researchers to keep a step ahead of the other.

For users, either corporate or personal, the best defense is a good offense. Using common sense, like not opening unidentified email, turning off boot from floppy in the BIOS, and turning on macro security in your Office applications, can go a long way to preventing infection. Corporate IT can minimize infection through policies and monitoring at the firewall, such as blocking double extension (.jpg.vbs) attachments and scanning inbound and outgoing mail. Choosing an antivirus product is a serious decision, and we'd recommend checking the Virus Bulletin site for reports on the latest tests and software. Most antivirus software is certified by the ICSA labs, which tests against the monthly Wild List. The Wild List represents the current viruses that have been reported "in the wild" or actually found on users' machines. Check out the ICSA Labs site for information and product certification. And lastly, when using an antivirus tool on the desktop, as well as at the gateway, remember the tool is only as good as its last update.
*****************************



Heuristic Scanning

http://www.extremetech.com/article2/0,3973...3,367096,00.asp



Types of Heuristics

http://www.extremetech.com/article2/0,3973...3,367092,00.asp

Conclusion
http://www.extremetech.com/article2/0,3973...3,367094,00.asp
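To make the decryptor point in the article above concrete, here is an added toy model (not code from the ExtremeTech article or from any AV product): a static signature search fails on an XOR-obfuscated body, while a scanner that "emulates" a constructed decryptor stub recovers the body and then matches, subject to a step budget that models the analysis-time limit the article mentions. The stub layout, the signature bytes and the samples are all constructed here; a real decryptor is native code and a real emulator executes it.

```python
"""Toy model: static signature scan vs. emulated decryption (added example)."""
from typing import Optional

# Constructed plaintext marker that stands in for a virus signature.
SIGNATURE = b"INFECT-MARK"

# Constructed stub layout: 4-byte magic, 1-byte XOR key, 1-byte body length,
# then the XOR-obfuscated body. Stands in for a real decryptor loop.
STUB_MAGIC = b"STUB"

def static_scan(sample: bytes) -> bool:
    """Plain signature scan: byte-for-byte search of the raw file."""
    return SIGNATURE in sample

def emulate_decryptor(sample: bytes, max_steps: int) -> Optional[bytes]:
    """'Run' the stub: recover key and length, then undo the XOR loop.

    max_steps models the scanner's time budget. A body that would take
    more steps than the budget is given up on (None): the scanner cannot
    keep the file in an analysis state forever.
    """
    if not sample.startswith(STUB_MAGIC) or len(sample) < len(STUB_MAGIC) + 2:
        return None  # no recognisable decryptor entry point
    key = sample[4]
    length = sample[5]
    body = sample[6:6 + length]
    if length > max_steps or len(body) != length:
        return None
    return bytes(b ^ key for b in body)

def scan(sample: bytes, max_steps: int = 256) -> str:
    """Combined verdict: static match first, emulation second."""
    if static_scan(sample):
        return "signature (static)"
    decrypted = emulate_decryptor(sample, max_steps)
    if decrypted is not None and SIGNATURE in decrypted:
        return "signature (after emulation)"
    return "clean"

def build_constructed_sample(key: int, body: bytes) -> bytes:
    """Build a test sample in the toy stub layout (constructed input only)."""
    return STUB_MAGIC + bytes([key, len(body)]) + bytes(b ^ key for b in body)

# Constructed samples: an unencrypted body and the same body behind the stub.
PLAIN_SAMPLE = b"hdr " + SIGNATURE + b" tail"
POLY_SAMPLE = build_constructed_sample(0x5A, b"xx" + SIGNATURE + b"yy")

if __name__ == "__main__":
    for name, s in [("plain", PLAIN_SAMPLE), ("poly", POLY_SAMPLE)]:
        print(name, "static:", static_scan(s), "verdict:", scan(s))
    print("poly with small budget:", scan(POLY_SAMPLE, max_steps=8))
```

Lowering the budget shows the trade-off the article describes: the same sample that is caught with a generous budget is reported clean when the emulator gives up early.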
Hunter
Heuristics brings intelligence to virus fight

By Edward Hurley, Assistant News Editor
12 Feb 2002, searchSecurity




At this very moment, your systems may be protected by heuristics-based antivirus or intrusion detection software.

The emergence of predictive antivirus software marks a shift in virus detection. Traditional signature-based antivirus software protects systems from known viruses. Heuristics adds a level of intelligence. Instead of looking for specific viruses, heuristics-based software looks for characteristics in the code.


"Heuristic engines have the ability to detect unknown malicious codes based on known functionality," said Markus Schmall, who works in the IT Security department of T-Mobile Germany. Signature-based scanners can also do this, "but with the risk of enormous false positive rates."

With some tweaking, a heuristics-based system can have virtually no false positives, Schmall said. "Modern heuristic engines can detect about 95% of all existing macro viruses and the false positive rate is really low (heard of cases of about 4 false positives per year for a popular AV engine)," Schmall said.

As virus writers increase their use of encryption, polymorphism and other techniques to keep their malicious code from being detected, heuristics offers an added layer of protection. "With heuristics you don't need to match an exact match, but just look for the telltale signs of a virus," said Edward Skoudis, vice president of security strategy for New York-based Predictive Systems, an infrastructure network consulting company.

Skoudis offers a linguistic analogy. A signature-based system would recognize a statement like "How are you?" but it wouldn't recognize equivalents such as "How are you doing?" and "What's up?" Heuristics seeks to recognize such distinctions, Skoudis said.

Heuristics aren't just for antivirus software. Intrusion detection system makers are also using the technology, though AV companies are ahead, Skoudis said.

Analyst Peter Lindstrom likens signature-based antivirus software to a police officer having pictures of suspects. He protects by recognizing specific faces. Heuristics, by contrast, would be similar to a cop with a lot of experience who is able to spot a potential criminal just by their behavior, said Lindstrom, director of security strategies for Framingham, Mass.-based Hurwitz Group.

Yet, even companies that are vigilant about updating virus definitions will occasionally get a virus before an update is released, Lindstrom said. The surest way to keep systems updated is to install antivirus software at the gateway. "It's much easier to have it at the choke point than all the distribution points," he said.

Even this isn't enough protection. "Users shouldn't have to worry about clicking on an attachment. To heck with training people not to click on them as someone always will," Lindstrom said.

Lindstrom recommends the use of personal firewalls and application-layer security products, Lindstrom suggested. The latter monitors the behavior of applications for suspicious activity that a virus may try. In keeping with the police analogy, such an approach is like sitting in an armored truck, he said.

"You don't know who the bad guys are. You just wait for an attack to occur," Lindstrom said.
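The on-the-fly behaviour monitoring described in the first ExtremeTech article and the application-layer behaviour products Lindstrom mentions here both come down to scoring the sequence of calls a running program makes. This is an added example (not code from either article or any product) that does that over a constructed call trace; the rules, weights, threshold and trace records are assumptions made for the illustration, and the "hook" is a plain list rather than an OS API hook.

```python
"""Toy behaviour-based heuristic over a call trace (added example)."""
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple

@dataclass
class Call:
    api: str      # e.g. "CreateFile", "DeleteFile", "connect"
    target: str   # path or host:port

# Constructed weights: how much each kind of action raises suspicion.
RULES = {
    "write_executable": 3,   # writing into executable or script files
    "delete_file": 1,
    "smtp_connect": 3,       # outbound port 25 from an ordinary program
    "address_book_read": 3,  # reading the Windows Address Book
}
ALERT_THRESHOLD = 6          # constructed: alert on a series, not one action
EXEC_SUFFIXES = (".exe", ".scr", ".vbs", ".com")

def classify(call: Call) -> Optional[str]:
    """Map one hooked call to a suspicious-action category, or None."""
    api = call.api.lower()
    target = call.target.lower()
    if api in ("createfile", "writefile") and target.endswith(EXEC_SUFFIXES):
        return "write_executable"
    if api == "deletefile":
        return "delete_file"
    if api == "connect" and target.endswith(":25"):
        return "smtp_connect"
    if target.endswith(".wab"):
        return "address_book_read"
    return None

def score_trace(trace: Iterable[Call],
                threshold: int = ALERT_THRESHOLD) -> Tuple[int, List[str], bool]:
    """Return (score, categories seen, alert?).

    Each category counts once, so a program that repeats one kind of action
    (an installer writing .exe files) scores lower than one that chains
    several different kinds (read address book, connect to SMTP, drop a
    script). That is what keeps the false-positive rate down.
    """
    seen: List[str] = []
    for call in trace:
        cat = classify(call)
        if cat and cat not in seen:
            seen.append(cat)
    score = sum(RULES[c] for c in seen)
    return score, seen, score >= threshold

# Constructed traces standing in for what the API hooks would record.
INSTALLER_TRACE = [Call("CreateFile", r"C:\Program Files\App\app.exe"),
                   Call("WriteFile", r"C:\Program Files\App\app.exe"),
                   Call("DeleteFile", r"C:\Temp\setup.tmp")]
MAILER_TRACE = [Call("ReadFile", r"C:\Users\me\contacts.wab"),
                Call("connect", "smtp.example.net:25"),
                Call("WriteFile", r"C:\Windows\love-letter.vbs")]
EDITOR_TRACE = [Call("WriteFile", r"C:\Users\me\notes.txt"),
                Call("connect", "www.example.com:80")]

if __name__ == "__main__":
    for name, trace in [("installer", INSTALLER_TRACE),
                        ("mailer", MAILER_TRACE), ("editor", EDITOR_TRACE)]:
        print(name, score_trace(trace))
```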
Hunter
Advanced Virus Detection Technology for the Next Millennium
Improved Defense: The evolution of malicious code detection and cleaning technology for advanced code inspection.

http://www.cedpa-k12.org/databus-issues/v4...v40n2/nai.shtml


Each one of these is an article or white paper you can read and link to at this site.


http://www.securitytechnet.com/security/virus.html



Papers/Articles

Vulnerabilities Worms: Predicting the next outbreak, Steven Drew and Joe Stewart, SCmagazine, April 2003.
A Tour of the Worm, Donn Seeley, University of Utah, March 2003
The Norman Book on Computer Viruses, HelpNet-Security, October 2001. (local copy).
naming conventions for malware
The Great Analogy, Ken Dunham, SecurityPortal, July 2, 2001.
Malware Taxonomy: Introduction, Ken Dunham, SecurityPortal, July 4, 2001.
Review: Panda Antivirus 6.X Platinum, Ken Dunham, SecurityPortal, Jun 18, 2001
Email Filtering and Virus Scanning for UNIX MTAs, Kurt Seifried, May 30, 2001, SecurityPortal
Protecting Your Organization From Electronic Message Viruses, Robert Grupe, May 30, 2001, SecurityFocus
THE NEW BREED OF COMPUTER VIRUSES by Wallace Wang, Boardwatch Magazine, Apr, 01 2001.
Computer Viruses, Eugene Kaspersky's online virus book with a history of the appearance of viruses, their classification, and methods of detecting and deleting computer viruses.
The NORMAN Book on Computer Viruses (38 pages), March 1998 (local copy).
Fifth Annual ICSA Labs Computer Virus Prevalence Survey:1999 (100 pages) (local copy).


Virus Hoaxes and the Real Dangers They Pose, Scott Granneman, SecurityFocus, March 25, 2003.
OpenAV: Developing Open Source AntiVirus Engines, Costin G. Raiu, SecurityFocus, December 16, 2002.
.NET/MSIL malicious code and AV/heuristic Engines, Markus Schmall, SecurityFocus, November 18, 2002.
The Anti-virus Paradigm Shift, Goh Chee Hoh, Networkmagazineindia, November 2002.
Polymorphic Macro Viruses, Part Two, Gabor Szappanos, SecurityFocus, November 5, 2002.
Polymorphic Macro Viruses, Part One, Gabor Szappanos, SecurityFocus, October 17, 2002.
Ideas for Future Viruses, Allegro, BCVG, September 20, 2002.
Who Goes There: An Introduction to On-Access Virus Scanning, Part Two, Bill Hayes, SecurityFocus, September 17, 2002.
Who Goes There: An Introduction to On-Access Virus Scanning, Part One, Bill Hayes, SecurityFocus, September 3, 2002.
New Infection Vectors for Malware, Paul Schmehl, SecurityFocus, August 6, 2002.
Unix Shell Scripting Malware, Marius van Oers, McAfee AVERT, The Netherlands, July 26, 2002.
Detecting and Removing Malicious Code, Matthew Tanase, SecurityFocus, July 22, 2002.
The perfect Internet worm via BATCH, SeCoNd PaRt To HeLl, BCVG Network Security, July 18, 2002.
Antivirus Research and Detection Techniques II, Jay Munro, ExtremeTech, July 10, 2002.
Life After AV: If Anti-Virus is Obsolete, What Comes Next?, Paul Schmehl, SecurityFocus, July 8, 2002.
What's Coming?, Peter Morley, Network Associates Inc., July 03, 2002.
Computer virus History: 1986-1993, SeCoNd PaRt To HeLl, EBCVG Network Security, July 01, 2002.
Antivirus Research and Detection Techniques I, Jay Munro, ExtremeTech, July 1, 2002.
The Threat of Internet Worms, Yona Hollander, SCmagazine, July 2002.
Benefits and Considerations for a Single-Vendor Antivirus Strategy, IDC, June 2002. (local copy)
A Short History of Computer Viruses and Attacks, Brian Krebs, Washingtonpost, June 26, 2002.
Virus protection policy, TechRepublic, June 2002. (local copy)
A Virus by Any Other Name: Virus Naming Practices, Costin Raiu, Kaspersky Labs Romania, June 3, 2002.
A Physiological Decomposition of Virus and Worm Programs, Prabhat Kumar Singh, Univ. of Louisiana, Spring 2002. (local copy)
The Viral Mind: Understanding the Motives of Malicious Coders, D. D. Shelby, SecurityFocus, May 21, 2002.
VBA Emulation - A Viable Method of Macro Virus Detection? Part Two, Gabor Szappanos, SecurityFocus, May 2, 2002.
Virus Advancements, Illena Armstrong, SCmagazine, May 2002.
Internet Tips: Stop Those Sneaky E-Mail Viruses in Their Tracks, Scott Spanbauer, IDG, April 24, 2002.
VBA Emulation? A Viable Method of Macro Virus Detection? Part One, Gabor Szappanos, SecurityFocus, April 18, 2002.
Past its Prime: Is Anti-Virus Scanning Obsolete?, Paul Schmehl, SecurityFocus, April 1, 2002.
Buffer Overflow Vulnerabilities, a Challenge for Everyone, Carlos Ardanza, SCmagazine, April 2002.
Behavior Blocking: The Next Step in Anti-Virus Protection, Carey Nachenberg. SecurityFocus, March 19, 2002.
Anatomy of the Web Application Worm, CGIsecurity, March 2002.
Building an Anti Virus engine, Markus Schmall, SecurityFocus, March 4, 2002.
The Next Virus, Jaime Borrego, SCmagazine, January 29, 2002.
Behavior blocking repels new viruses, Ellen Messmer, NetworkWorld, January 28, 2002.
Web Security for the Enterprise: How to Increase Protection against Port 80 Threats, Blue Coat Systems, Inc., January 1, 2002. (local copy)
One Virus Engine Is Not Enough, GFI software, 2002.
Why You Need an Email Exploit Detection Engine, GFI software, 2002.
A Brief History of The Worm, Nicholas Weaver, SecurityFocus, November 26, 2001.
E-mail policies that prevent viruses, Advosys consulting, November 2001. (local copy)
Sanctum Technical Advisory : Server-Based Worms, Sanctum Inc., October 2001. (local copy)
Preventing and Detecting Malware Installations on NT/2K, H. Carvey, SecurityFocus, October 24, 2001.
Comparing E-mail Server Virus Protection Solutions, Part Two, Robert Grupe, SecurityFocus, October 30, 2001.
Comparing E-mail Server Virus Protection Solutions, Part One, Robert Grupe, SecurityFocus, October 15, 2001.
Defend against viruses with this prevention plan, Ric Liang, Tech Republic, October 10, 2001.
Macro Virus Protection in the Microsoft Office Line, Part Two, Gabor Szappanos, Security Focus, October 01, 2001.
UNIX and viruses, Kurt Seifried, Seifried.org, September 14, 2001.
Macro Virus Protection in the Microsoft Office Line, Part One, Gabor Szappanos, Security Focus, September 13, 2001.
Implement a four-layer virus prevention strategy, Ric Liang, TechRepublic, July 18, 2001.
Emerging Technology: Snaring Rogue Code, Robert Vibert, Network Magazine, 04/05/01.
Airborne Viruses Network Magazine, 12/05/00 (viruses on handheld devices).
Achilles' Shield: A New Internet Security System for Protecting Networks and Computer Systems Against Viruses and Malicious Code InDefense, June 2000. (local copy)
The Evolution of Malicious Agents, Lenny Zeltser, April 2000 (local copy, presentation).
Fighting Computer Viruses by Jeffrey O. Kephart, Gregory B. Sorkin, David M. Chess and Steve R. White
Computer virus prevention: a primer, Sophos white paper, 2000.
Enterprise Anti-Virus Software, Robert Richardson, Network Magazine, February 1, 2000.
A Guide to Evaluating Anti-Virus Software Dr. Solomon at Technical Papers.
Understanding Virus Behavior in 32-bit Operating Environments, Symantec white paper, 2000.
An Environment for Controlled Worm Replication ; Analysis (Internet-inna-Box), Ian Whalley et al., Virus Bulletin Conference, September 2000.
An Undetectable Computer Virus, David Chess and Steve White, Virus Bulletin Conference, September 2000.
What you really need to know about network backdoor "TROJAN" programs, H. Carvey, 2000.
Viruses and Worms: More Than a Technical Problem, M. E. Kabay, Ubiquity


Hunter
Heuristic Analysis: A virus-infected file displays suspicious behavior or has strange code or content. GAV is built to recognize such files. Heuristic analysis of your system reveals any file, folder or application which appears strange to the application. Such files can be either deleted or quarantined. You can then mail a copy of this file to us and we will analyze it and come back to you with a solution.

Reference Analysis: Known viruses are identified by their code, called virus signatures. Gladiator has a vast database of over 50,000 known viruses. Reference Analysis creates checksums of files that are analyzed and refers to these sums the next time an analysis is performed. This will allow GAV to detect unknown viruses.







Advanced Heuristic Analysis: Behavior-based "heuristic" scanning detects and blocks unknown viruses. This ensures protection against virus variants, which are quickly created after the "parent" virus has been identified and neutralized.

Provides behavior-based (heuristic) scanning to detect undiscovered viruses.
Safely quarantines infected and suspicious files.


Powerful heuristic scan engine: based on a method that uses generic algorithms for virus detection, the viruses it can detect using its heuristic scanning technology include unknown macro viruses, DOS and Win32 executable viruses, and script viruses.




Reduced Memory Footprint: VirusScan Online uses up to 70% less memory and hard-drive space than traditional anti-virus software programs.

Award-Winning Protection: The VirusScan Online Olympus scanning engine has consistently proven in independent tests to be extremely effective in detecting viruses, worms and other malicious code.
FIRST in AntiVirus (AV) detection of unknown viruses (July 2001)
FIRST in AV and Anti-Malware (malicious software) test (April 2001)
PERFECT false alarm record (April 2001)
100% DETECTION of 'in the wild' macro viruses (April 2001)
(University of Hamburg, Virus Test Center)

Incremental Virus Definition File (DAT) Updates: VirusScan Online downloads only the new or modified portions of its virus definition files, dramatically reducing download times.

File Quarantine: File quarantine safely isolates and neutralizes infected and suspicious files. Files are isolated to the quarantine directory, encrypted and saved with a new file extension, rendering them harmless until an appropriate action can be taken.

The Web Service Advantage: As a Web Service Provider, McAfee.com delivers and manages VirusScan Online updates via the Internet. VirusScan Online regularly checks for updates and upgrades, automatically prompting you to download and install any new releases from McAfee.com.
CalamityJane
Bump :)
oky1
which antivirus is the best according to you?
Nebon
There is no definite best AV program, but usually a top 3 or 5; there is probably a topic containing this info somewhere on the board. But these are the methods the programs use to find viruses. Usually programs will use a mixture of all types of scanning, except sandboxing. This is usually used by big corporate servers. There are some programs that will do sandboxing on a smaller scale.
Invision Power Board © 2001-2009 Invision Power Services, Inc.