
Protecting Against Viruses

First published: 02nd April 1995

By Allan G. Dyer M.Sc.(tech) B.Sc. AIDPM MIAP MHKCS, Head of F-PROT Technical Support, Yui Kee Co. Ltd.

After finding out about the many types of viruses, the vital question is what can we do to stop them?

  1. Disconnect the computer from the power supply.
  2. Lock it in a safe (throw away the key and combination).
  3. Bury the safe in concrete.
  4. Surround it with barbed wire and armed guards.

Figure 1: An (almost) Perfect Protection System against Viruses

There is no such thing as a perfect security system, and any product that claims it is perfect should be treated with great suspicion. As a comparison, the President of the United States is probably the best-protected man in the world, but a number of Presidents have been assassinated. In choosing a security system such as anti-virus protection, you must balance the cost and inconvenience of the system against the damage it can prevent. A method of (almost) perfect virus defence is given in fig. 1, but the cost of installation is too high, and the inconvenience is too great.

How about more practical systems of protection? They can be divided into three parts: Detection, Prevention and Recovery. The earlier you can detect a virus, the less costly the recovery will be. Prevention sounds like the best option, so we will look at it first.

Prevention

Write Protection

The write protection of diskettes is implemented in hardware, so a virus cannot circumvent it. Write protect your original software diskettes. Most methods of recovering from a virus involve a cold boot from a write-protected diskette known to be clean. If you do not have one, make one now!

Floppy Boot Protection

Boot sector viruses infect your hard disk when you boot from an infected diskette. This usually happens accidentally, when a diskette is forgotten in drive A: while the machine is switched on. Avoid accidentally booting from floppy disks. Original PCs always looked for a disk in drive A: before trying to boot from the hard disk. Most PCs now allow the boot sequence to be set; this is done in the Setup options, and is called something like:

Initial System Load: Fixed/Diskette

or

System Boot Up Sequence C:, A:

When set correctly, the system will always try booting from the hard disk first, ignoring any floppy in drive A.

Behavior Blockers

Another method of preventing damage by viruses is behavior blockers. These are resident programs that trap key operating system events and give the user the choice of allowing the event or not. Thus, one would warn on attempts to write EXE or COM files, or to format a disk. These generally tend to be too cumbersome and unreliable to be useful. They require the user to make an informed decision on each event; many users are not suitably knowledgeable, and the repetition of questions leads to an automatic OK, or to the removal of the protection software entirely.

A general problem with simply preventing a virus from affecting our system is that the virus remains a disaster waiting to happen. It may affect our system later, when the protection has been removed for some reason, or it may affect someone else's system. Either way, it is better in the long run to detect and remove the virus.

Detection

Signature Scanners

Many anti-virus packages use signature scanning. This involves selecting a part of the virus code and searching for it in programs. Signatures must be selected and tested carefully; many viruses have been modified specifically to avoid a particular scanner. Choosing a signature in a critical area of the virus can make such a change more difficult. Conversely, a signature may also occur in some innocent software, causing a false positive. Regional software, such as Chinese language software, can be more prone to such false positives because of a lack of opportunity to test new versions if a foreign software producer does not have a good network of beta-test sites.

Signature scanning is fairly well understood by some virus writers, and various attempts have been made to avoid it. The most complex method is used by the polymorphic viruses, discussed in a previous article. Against these, an advanced extension of signature scanning, best described as algorithmic scanning, is used. This searches for a common pattern in the decryption routines.
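As an added illustration of the two scanning methods just described (example code written for this page, not part of the original article and not F-PROT's code), the following Python scanner matches hex signatures against a buffer. A signature may contain "??" wildcard bytes, which is the simplest form of the algorithmic scanning used against the variable parts of a decryption routine. All signature names, byte patterns and sample buffers are constructed for the demonstration and do not come from any real virus.

```python
import re
from typing import Dict, List, Tuple

# Constructed signature database for this example (hex bytes, "??" = any one
# byte). The patterns are invented for illustration and are not real virus code.
SIGNATURES: Dict[str, str] = {
    # a plain, fixed sequence of bytes
    "Example.Fixed": "de ad be ef 01 02 03 04",
    # a skeleton with variable bytes, as used against polymorphic decryptors
    "Example.Poly": "c3 ?? ?? 7f 7f ?? 55 aa",
}


def compile_signature(hex_pattern: str) -> re.Pattern:
    """Turn 'de ad ?? ef' into a compiled bytes regex; '??' matches any single byte."""
    parts: List[bytes] = []
    for tok in hex_pattern.split():
        if tok == "??":
            parts.append(b".")  # wildcard byte
        else:
            parts.append(re.escape(bytes([int(tok, 16)])))
    # DOTALL so the wildcard also matches the newline byte 0x0a
    return re.compile(b"".join(parts), re.DOTALL)


COMPILED = {name: compile_signature(p) for name, p in SIGNATURES.items()}


def scan(data: bytes) -> List[Tuple[str, int]]:
    """Return (signature name, offset) for every signature found in data."""
    hits: List[Tuple[str, int]] = []
    for name, regex in COMPILED.items():
        for m in regex.finditer(data):
            hits.append((name, m.start()))
    return hits


# Constructed sample buffers standing in for scanned programs.
SAMPLE_FIXED = b"\x00" * 16 + bytes.fromhex("deadbeef01020304") + b"\x00" * 8
# An innocent file that happens to contain the same 8 bytes: a false positive.
INNOCENT = b"README " + bytes.fromhex("deadbeef01020304")
# Two samples whose wildcard positions differ; both match the Poly skeleton.
POLY_A = bytes.fromhex("c311227f7f3355aa")
POLY_B = b"\x90\x90" + bytes.fromhex("c3aabb7f7fcc55aa")
# One byte altered inside the signature region: the fixed signature no longer matches.
_evaded = bytearray(SAMPLE_FIXED)
_evaded[20] = 0xFF
EVADED = bytes(_evaded)

if __name__ == "__main__":
    for label, buf in [("fixed", SAMPLE_FIXED), ("innocent", INNOCENT),
                       ("poly A", POLY_A), ("poly B", POLY_B), ("evaded", EVADED)]:
        print(f"{label:9s} -> {scan(buf)}")
```

The five sample buffers show the points made above: the fixed signature is found at offset 16 in the first sample; the same eight bytes inside an innocent file also trigger it, which is the false positive problem; the two polymorphic-style samples differ only in the wildcard positions and both match the skeleton; and a single altered byte inside the signature region defeats the fixed signature, which is why the signature should be taken from a part of the code the virus cannot easily change.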

Heuristic Scanners

A great weakness of signature scanners is that they only detect known viruses. In fact, a well-designed signature scanner can detect many variants, and since most new viruses are variants of others this is often sufficient. Heuristic scanners, rather than looking for a particular signature, look for virus-like code and can therefore find entirely new viruses. This results in a potentially greater chance of false positives, but careful refinement has produced some reliable examples.

Integrity Checking

Another approach to finding viruses is to look for programs that change. If a program changes unexpectedly, maybe a virus did it. This method is used by checksumming programs, and it is very secure. It is equally good at catching known and unknown viruses. Some of the more advanced checksumming programs can often repair the changes made. However, checksumming must be installed before a virus has attacked. The initial installation should be performed after a scan with an up-to-date scanner. Additionally, checksummers are vulnerable to slow viruses, and a stealth virus active in memory can also fool them.
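The following checksummer is an added example of the integrity checking described above; it is written for this page and is not the article's or any product's code. It records the size and a digest of every executable under a directory as a baseline, then reports which programs have changed, gone missing or appeared. One design choice is this example's own assumption, not something the article states: the digest is keyed (HMAC-SHA-256) with a key kept off the machine, so that a program running later cannot simply recompute the database to hide a change. The directory contents in demo() are constructed for the demonstration.

```python
import hashlib
import hmac
import tempfile
from pathlib import Path
from typing import Dict, List, Tuple

# Executable types the checksummer tracks (data files are left to backups).
CHECKED_SUFFIXES: Tuple[str, ...] = (".exe", ".com", ".sys")


def file_digest(path: Path, key: bytes) -> str:
    """Keyed SHA-256 of the file contents. Assumption for this example: the key
    lives only on the write-protected boot diskette, so a program running later
    cannot recompute entries and silently bless its own changes."""
    mac = hmac.new(key, digestmod=hashlib.sha256)
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            mac.update(chunk)
    return mac.hexdigest()


def build_baseline(root: Path, key: bytes) -> Dict[str, Dict[str, object]]:
    """Record size and digest of every checked executable under root.
    It records whatever is there, so build it right after a clean scan."""
    baseline: Dict[str, Dict[str, object]] = {}
    for p in sorted(root.rglob("*")):
        if p.is_file() and p.suffix.lower() in CHECKED_SUFFIXES:
            rel = p.relative_to(root).as_posix()
            baseline[rel] = {"size": p.stat().st_size, "digest": file_digest(p, key)}
    return baseline


def verify(root: Path, key: bytes,
           baseline: Dict[str, Dict[str, object]]) -> Dict[str, List[str]]:
    """Compare the current state with the baseline and report what differs."""
    current = build_baseline(root, key)
    return {
        "changed": sorted(n for n in baseline if n in current and current[n] != baseline[n]),
        "missing": sorted(n for n in baseline if n not in current),
        "new": sorted(n for n in current if n not in baseline),
    }


def demo() -> Dict[str, List[str]]:
    """Constructed scenario: baseline four files, then alter the tree in three ways."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        key = b"constructed-demo-key"
        (root / "GOOD.EXE").write_bytes(b"MZ" + b"\x00" * 100)
        (root / "KEEP.EXE").write_bytes(b"MZ" + b"\x01" * 60)
        (root / "TOOL.COM").write_bytes(b"program bytes")
        (root / "NOTES.TXT").write_bytes(b"data file, not tracked")
        baseline = build_baseline(root, key)

        # 1. a program grows (bytes appended)
        (root / "GOOD.EXE").write_bytes(b"MZ" + b"\x00" * 100 + b"EXTRA")
        # 2. one byte patched in place, size unchanged; a size-only check would miss it
        patched = bytearray(b"MZ" + b"\x01" * 60)
        patched[30] = 0x02
        (root / "KEEP.EXE").write_bytes(bytes(patched))
        # 3. one program removed, one new program appears
        (root / "TOOL.COM").unlink()
        (root / "NEW.EXE").write_bytes(b"MZ")
        return verify(root, key, baseline)


if __name__ == "__main__":
    print(demo())
```

The demo reports GOOD.EXE and KEEP.EXE as changed, TOOL.COM as missing and NEW.EXE as new; NOTES.TXT is never considered because only executables are tracked. The two caveats in the text apply directly: the baseline only means anything if it was built on a machine already scanned clean, and the check must be run after a cold boot from the clean, write-protected diskette, because a stealth virus active in memory can hand the checker the original contents of a file it has modified.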

Active Detection

A checksumming or scanning program that is run occasionally to check that a system is clean is limited because it cannot prevent infection. A scanner used on all incoming software and disks can stop infection at source, but a program or disk may be forgotten or skipped. Resident versions of both methods exist. These scan or checksum each executable as it is run, and prevent execution if a virus or a change, respectively, is found. These have a permanent impact on system performance and memory; programs will take slightly longer to load. Security is balanced against speed and reduced size; a resident anti-virus program is useless if the machine runs too slowly or has too little memory for productive work. The situation here is worst with TSRs in DOS; more advanced operating systems, such as OS/2 and Windows, can allow more powerful resident protection.

To avoid the memory overhead of a checksumming resident program, some packages offer a method, sometimes called inoculation, of making programs self-checking. The package adds code to other programs to perform a check as they start. This modification is virus-like in many ways, and an unaware scanner or a checksummer would give a false positive. Some programs already have self-checking built in, and would naturally object to such modification. Additionally, if the inoculation is inadvertently performed on already infected software, many scanners would not be able to see past the inoculation and detect the virus.

Recovery

Once a virus has been detected, the system must be restored to a clean state.

Backups

The safest method is replacement of the affected software from a clean backup or reinstallation from uninfected original diskettes.

Disinfection

Many viruses can be safely removed, saving time and trouble. It has already been mentioned that some checksumming programs, by virtue of their knowledge of the original form of the program, can do a repair. Also, scanners often have a cleaning module, either integral or as a separate program. Here, specific knowledge of how a particular virus infects is used to remove it. It is most important that the identification of the virus is accurate; many slight variants exist, and attempting to remove the wrong variant might also cut out some of the original program code.

Damage Assessment

Even after a virus has been removed, damage caused by it may remain. Some viruses cause deliberate, random corruption to data files. For this reason, it is best to identify the virus and check what it does.