ANTIVIRUS

INTRODUCTION
Antivirus (or anti-virus) software is used to prevent, detect, and remove malware, including computer viruses, worms, and Trojan horses. Such programs may also prevent and remove adware, spyware, and other forms of malware.

A variety of strategies are typically employed. Signature-based detection involves searching for known malicious patterns in executable code. However, it is possible for a user to be infected with new malware for which no signature exists yet. To counter such so-called zero-day threats, heuristics can be used. One type of heuristic approach, generic signatures, can identify new viruses or variants of existing viruses by looking for known malicious code (or slight variations of such code) in files. Some antivirus software can also predict what a file will do if opened or run by emulating it in a sandbox and analyzing what it does to see if it performs any malicious actions. If it does, this could mean the file is malicious.

However, no matter how useful antivirus software is, it can have drawbacks. Antivirus software can degrade computer performance if it is not designed efficiently. Inexperienced users may have trouble understanding the prompts and decisions that antivirus software presents them with, and an incorrect decision may lead to a security breach. If the antivirus software employs heuristic detection (of any kind), its success depends on whether it achieves the right balance between false positives and false negatives. False positives can be as destructive as false negatives: in one case, a faulty virus signature issued by Symantec mistakenly removed essential operating system files, leaving thousands of PCs unable to boot. Finally, antivirus software generally runs at the highly trusted kernel level of the operating system, creating a potential avenue of attack.

In addition to the drawbacks mentioned above, the effectiveness of antivirus software has also been researched and debated. One study found that the detection success of major antivirus software dropped over a one-year period.

DEFINITION
"Antivirus" is protective software designed to defend your computer against malicious software. Malicious software or "malware" includes viruses, Trojans, keyloggers, hijackers, dialers, and other code that vandalizes or steals your computer's contents. In order to be an effective defense, your antivirus software needs to run in the background at all times, and should be kept updated so it recognizes new versions of malicious software.

HISTORY
There are competing claims for the innovator of the first antivirus product. Possibly the first publicly documented removal of a computer virus in the wild was performed by Bernt Fix in 1987. An antivirus program to counter the Polish MKS virus was released in 1987. Dr. Solomon's AntiVirus Toolkit, AIDSTEST and AntiVir were released in 1988. Dr. Ahn Chul Soo (Charles Ahn, founder of AhnLab Inc.) in South Korea also released antivirus software called 'Vaccine' on June 10, 1988. By late 1990, nineteen separate antivirus products were available, including Norton AntiVirus and McAfee VirusScan. Early contributors to work on computer viruses and countermeasures included Fred Cohen, Peter Tippett, John McAfee and Ahn Chul Soo.

[Figure: ClamTk 4.08 virus scanner running on Ubuntu 9.04]

Before Internet connectivity was widespread, viruses were typically spread by infected floppy disks. Antivirus software came into use, but was updated relatively infrequently. During this time, virus checkers essentially had to check executable files and the boot sectors of floppy and hard disks. However, as Internet usage became common, initially through the use of modems, viruses spread throughout the Internet. Powerful macros used in word processor applications, such as Microsoft Word, presented a further risk. Virus writers started using the macros to write viruses embedded within documents. This meant that computers could now also be at risk from infection by documents with hidden macros attached as programs. Later, email programs, in particular Microsoft Outlook Express and Outlook, were vulnerable to viruses embedded in the email body itself. Now a user's computer could be infected by just opening or previewing a message. This meant that virus checkers had to check many more types of files.

As always-on broadband connections became the norm and more and more viruses were released, it became essential to update virus checkers more and more frequently. Even then, a new zero-day virus could become widespread before antivirus companies released an update to protect against it.

ADVANTAGES
Scanners can find viruses that haven't executed yet; this is critical for e-mail worms, which can spread themselves rapidly if not stopped. Also, false alarms have become extremely rare with the software available today. Finally, scanners are very good at detecting viruses that they have signatures for.

DISADVANTAGES
There are two major disadvantages to scanning-based techniques. First, if the software is using a signature string to detect the virus, all a virus writer would have to do is modify the signature string to develop a new virus. This is seen in polymorphic viruses. The second and far greater disadvantage is the limitation that a scanner can only scan for something it has the signature of. The Maltese Amoeba virus was a very destructive virus that activated on November 11, 1991, and was able to spread rapidly before its activation without being detected. According to the 1991 Virus Bulletin: "Prior to November 2nd, 1991, no commercial or shareware scanner (of which VB has copies) detected the Maltese Amoeba virus. Tests showed that not ONE of the major commercial scanners in use ... detected this virus." Although virus updates occur more frequently today because of the Internet, viruses still cannot be detected until one has executed.
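To make the signature-string weakness and the generic-signature answer to it concrete, here is an added example (not code from the original page) of a toy dictionary scanner run over constructed sample bytes: an exact signature misses a variant with one byte changed, while a generic signature that allows a wildcard byte still catches it. The marker bytes, signature names and hex patterns are all constructed for illustration.

```python
"""Toy signature scanner: exact vs. generic (wildcard) signatures.
Added example with constructed data; nothing here is real malware."""
import re

# Constructed sample "files". ORIGINAL carries a marker string; VARIANT is
# the same file with one byte of the marker changed, standing in for a
# slightly modified variant; CLEAN carries no marker at all.
ORIGINAL = b"MZ\x90\x00" + b"SAMPLE-MARKER-\x01\x02\x03" + b"\x00" * 8
VARIANT = b"MZ\x90\x00" + b"SAMPLE-MARKER-\x01\xff\x03" + b"\x00" * 8
CLEAN = b"MZ\x90\x00" + b"hello world" + b"\x00" * 8

# Virus dictionary: name -> hex pattern. "??" is a wildcard byte, the usual
# way generic signatures tolerate slight variations of known code.
SIGNATURES = {
    "Test.Exact": "53414d504c452d4d41524b45522d010203",    # SAMPLE-MARKER-\x01\x02\x03
    "Test.Generic": "53414d504c452d4d41524b45522d01??03",  # middle byte may vary
}


def compile_signature(hexpat: str) -> re.Pattern:
    """Turn a hex pattern with ?? wildcards into a bytes regex."""
    parts = []
    for i in range(0, len(hexpat), 2):
        chunk = hexpat[i:i + 2]
        parts.append(b"." if chunk == "??" else re.escape(bytes.fromhex(chunk)))
    return re.compile(b"".join(parts), re.DOTALL)


COMPILED = {name: compile_signature(pat) for name, pat in SIGNATURES.items()}


def scan(data: bytes) -> list:
    """Return the names of every dictionary entry that matches the file."""
    return [name for name, rx in COMPILED.items() if rx.search(data)]


if __name__ == "__main__":
    for label, sample in (("original", ORIGINAL), ("variant", VARIANT), ("clean", CLEAN)):
        print(f"{label}: {scan(sample)}")
```

The exact entry only matches the unmodified file, so a dictionary built solely from exact strings needs a fresh entry for every variant; the wildcard entry covers both without also matching the clean file.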

FUNCTIONS
An anti-virus software program is a computer program that can be used to scan files to identify and eliminate computer viruses and other malicious software (malware). Anti-virus software typically uses two different techniques to accomplish this: examining files to look for known viruses by means of a virus dictionary, and identifying suspicious behavior from any computer program which might indicate infection. Most commercial anti-virus software uses both of these approaches, with an emphasis on the virus dictionary approach.

Virus dictionary approach
In the virus dictionary approach, when the anti-virus software examines a file, it refers to a dictionary of known viruses that have been identified by the author of the anti-virus software. If a piece of code in the file matches any virus identified in the dictionary, then the anti-virus software can either delete the file, quarantine it so that the file is inaccessible to other programs and its virus is unable to spread, or attempt to repair the file by removing the virus itself from the file. To be successful in the medium and long term, the virus dictionary approach requires periodic online downloads of updated virus dictionary entries. As new viruses are identified "in the wild", civically minded and technically inclined users can send their infected files to the authors of antivirus software, who then include information about the new viruses in their dictionaries. Dictionary-based anti-virus software typically examines files when the computer's operating system creates, opens, and closes them, and when the files are e-mailed. In this way, a known virus can be detected immediately upon receipt. The software can also typically be scheduled to examine all files on the user's hard disk on a regular basis.

Although the dictionary approach is considered effective, virus authors have tried to stay a step ahead of such software by writing "polymorphic viruses", which encrypt parts of themselves or otherwise modify themselves as a method of disguise, so as not to match the virus's signature in the dictionary.

Suspicious behavior approach
The suspicious behavior approach, by contrast, doesn't attempt to identify known viruses, but instead monitors the behavior of all programs. If one program tries to write data to an executable program, for example, this is flagged as suspicious behavior, and the user is alerted and asked what to do. Unlike the dictionary approach, the suspicious behavior approach therefore provides protection against brand-new viruses that do not yet exist in any virus dictionary. However, it also raises a large number of false positives, and users probably become desensitized to all the warnings. If the user clicks "Accept" on every such warning, then the anti-virus software is obviously useless to that user. This problem has been made worse over the past 7 years, since many more non-malicious program designs chose to modify other .exes without regard to this false positive issue. Thus, most modern antivirus software uses this technique less and less.

Other ways to detect viruses
Some antivirus software will try to emulate the beginning of the code of each new executable that is being executed before transferring control to the executable. If the program seems to be using self-modifying code or otherwise appears to be a virus (for instance, it immediately tries to find other executables), one could assume that the executable has been infected with a virus. However, this method results in a lot of false positives. Yet another detection method is using a sandbox. A sandbox emulates the operating system and runs the executable in this simulation. After the program has terminated, the sandbox is analyzed for changes which might indicate a virus. Because of performance issues, this type of detection is normally only performed during on-demand scans.
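To make the suspicious-behavior rule concrete, the following is an added example (not code from the original page) that applies the rule "a program writes data into an executable" over a constructed event log. It adds a trusted-writer list for installers and updaters, and groups alerts per offending program, as two simple ways of limiting the false positives and warning fatigue the text describes. The event format, process names and paths are constructed.

```python
"""Toy suspicious-behavior monitor over a constructed event log.
Added example; the Event format and all names are invented."""
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    process: str   # program performing the action (constructed name)
    action: str    # "open", "write" or "exec"
    target: str    # path acted on (constructed)


EXECUTABLE_EXTS = (".exe", ".dll", ".com", ".sys")

# Programs approved to modify executables (installers, updaters). Without
# such a list every legitimate updater trips the rule, which is exactly the
# false-positive problem the text describes.
TRUSTED_WRITERS = frozenset({"setup.exe", "updater.exe"})

# Constructed event log standing in for what a behavior monitor would see.
SAMPLE_EVENTS = [
    Event("notepad.exe", "write", r"C:\Users\a\notes.txt"),
    Event("invoice.exe", "write", r"C:\Windows\calc.exe"),
    Event("invoice.exe", "write", r"C:\Program Files\app\app.exe"),
    Event("setup.exe", "write", r"C:\Program Files\app\app.exe"),
    Event("updater.exe", "write", r"C:\Program Files\app\helper.dll"),
    Event("invoice.exe", "exec", r"C:\Windows\calc.exe"),
]


def is_executable(path: str) -> bool:
    return path.lower().endswith(EXECUTABLE_EXTS)


def suspicious_writes(events, trusted=TRUSTED_WRITERS):
    """Return (process, target) pairs matching the rule in the text: a
    program writing data into an executable. Trusted writers are skipped."""
    return [(ev.process, ev.target) for ev in events
            if ev.action == "write" and is_executable(ev.target)
            and ev.process not in trusted]


def alerts_per_process(events, trusted=TRUSTED_WRITERS) -> Counter:
    """Group alerts by offending program so the user is prompted once per
    program rather than once per file, reducing warning fatigue."""
    return Counter(proc for proc, _ in suspicious_writes(events, trusted))


if __name__ == "__main__":
    print("alerts with trust list:   ", suspicious_writes(SAMPLE_EVENTS))
    print("alerts without trust list:", suspicious_writes(SAMPLE_EVENTS, frozenset()))
    print("prompts per program:      ", dict(alerts_per_process(SAMPLE_EVENTS)))
```

With the trust list empty, the installer and updater writes are flagged too, doubling the alert count; the grouping step turns two file-level alerts into a single prompt about invoice.exe.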

PURPOSE
An anti-virus program protects a computer from getting malicious viruses from the Internet, through websites, email, and instant messengers. Usually it consists of a firewall, a virus scanner and remover, and sometimes other tools as well. Anti-virus software offers computers, and the network they are connected to, protection against a type of malware called viruses. Antivirus software can be used to prevent an infection, or to find and remove an infection. To prevent an infection, the software usually uses a firewall. The best firewall is a two-way firewall. A two-way firewall grants or denies Internet access to programs already installed on your computer. It also denies or grants access to other computers trying to access your computer. Removing infections is important because it stops annoying pop-ups, irregular behavior, system failure and more.