Repair Accuracy
When a scanner finds malware, you want it to clean your files and make your system healthy again. With some malicious programs that permanently overwrite or delete files, a repair process is impossible. If an antivirus program can't repair a file with 100 percent accuracy and return it to its original state, it won't attempt the repair. For this reason, many infected files end up quarantined.
With today's sophisticated hybrid threats, simply cleaning up infected files is insufficient. Viruses and worms often make many system modifications; for example, they can write registry entries, modify startup files, and install chat and FTP servers. An antivirus tool that removes the culprit but can't fix the other repairable damage is only half a scanner.
For example, one of the Nimda worm's many behaviors is to create open drive shares for every logical disk on an infected machine and make them accessible with full control to everyone, including guests. The administrative drive shares on a Nimda-infected system are no longer password-protected. This behavior complicates disinfection because Nimda can simply reinfect through the many open drive shares.
In the few hours after Nimda debuted, the best that antivirus removal tools could do was to delete infected files, but because this effort left drive shares open, damage continued. The next generation of Nimda repair tools patched large security holes by deleting all drive shares, but the result was that nobody on the network could access previously established drive shares. To make matters worse, network administrators typically don't keep track of permissions to drive shares, so recreating those shares was time-consuming. The third generation of Nimda repair tools can restore most drive-share permissions if the affected machine hasn't been rebooted since infection. This solution still isn't perfect, but at least it gives some administrators a chance to make an easy recovery. All three generations of Nimda-removal tools delete all Nimda files (including killing the active process in memory), and the second- and third-generation tools restore startup files and the registry to pre-Nimda status. Often, complicated cleanups require a separate tool from the vendor because the large repair tool isn't included in the basic scanner.
Emulation
Many of today's viruses are so good at modifying, encrypting, and hiding themselves that a virus-scanning engine must actually execute a suspect program before beginning a scan. When the engine executes a virus, the virus reveals the portions of its code that are necessary to continue operating and spreading, which lets the scanner grab a reliable signature.
Of course, a harmful program launched into your environment can damage infected systems and spread, so scanners often offer virtual environments in which the engine can safely execute and examine suspect code. Some engines emulate OS environments (e.g., Windows XP, Windows 2000). Other engines emulate particular CPUs because certain viruses thrive only in the presence of a particular CPU component, for example a Network Processing Unit (NPU). Your antivirus product should offer emulation coding. Simple scanners, those that have poor detection rates, don't.
Heuristics
Most antivirus scanners feature a heuristic mode, in which the scanner attempts to detect and prevent malware that has no known signatures. The heuristic mode watches for suspicious coding behavior, known suspicious coding instructions, and routines that malware writers typically use. For example, any program that spends time encrypting and decrypting itself or that attempts to modify the system kernel or copy itself into other files is suspicious.
Enabling heuristic mode can significantly affect system performance. Although a heuristics approach is adequate at detecting previously unknown threats (some heuristic scanners claim detection rates higher than 80 percent), it suffers universally from false positives. Most antivirus engines let you turn heuristic mode on and off; great scanners let you set the level (e.g., 100 percent maximum) of heuristic use.
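To make the sensitivity trade-off concrete, here is an added toy scoring model of the heuristics just described; it is not any vendor's engine, and the behaviour names, weights, threshold formula and sample traces are all constructed for the illustration.

```python
from dataclasses import dataclass

# Constructed weights for the suspicious behaviours the text names
# (self-decryption, kernel modification, copying itself into other files)
# plus one common persistence trick. Real engines use far more rules.
HEURISTIC_WEIGHTS = {
    "self_decrypt": 40,        # program decrypts its own body at run time
    "modify_kernel": 60,       # attempts to patch the system kernel
    "copy_self_to_file": 50,   # writes its own image into other files
    "write_startup_entry": 30, # adds itself to a startup location
}


@dataclass(frozen=True)
class Sample:
    name: str
    behaviours: tuple
    malicious: bool  # constructed ground truth, used only to count errors


# Constructed behaviour traces: two malicious, two benign. The packed
# installer decrypts itself and registers a startup entry, exactly the
# pattern a heuristic mistakes for a virus.
SAMPLES = [
    Sample("mass-mailer worm", ("self_decrypt", "copy_self_to_file", "write_startup_entry"), True),
    Sample("kernel patcher", ("modify_kernel", "self_decrypt"), True),
    Sample("packed installer", ("self_decrypt", "write_startup_entry"), False),
    Sample("text editor", ("read_file", "write_file"), False),
]


def heuristic_score(behaviours):
    """Sum the weights of every recognised suspicious behaviour."""
    return sum(HEURISTIC_WEIGHTS.get(b, 0) for b in behaviours)


def threshold(level):
    """Map a 0..100 heuristic level to a score threshold; 0 turns heuristics off."""
    if not 0 <= level <= 100:
        raise ValueError("level must be between 0 and 100")
    return None if level == 0 else 160 - level  # constructed mapping


def scan(samples, level):
    """Return {name: flagged} for the given heuristic level."""
    t = threshold(level)
    return {s.name: t is not None and heuristic_score(s.behaviours) >= t for s in samples}


def error_counts(samples, level):
    """Return (false positives, false negatives) at the given level."""
    flagged = scan(samples, level)
    fp = sum(1 for s in samples if flagged[s.name] and not s.malicious)
    fn = sum(1 for s in samples if not flagged[s.name] and s.malicious)
    return fp, fn
```

At level 100 the installer is flagged alongside both malicious samples (one false positive); at level 50 the installer is cleared but the kernel patcher slips through (one false negative).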