By Allan G. Dyer M.Sc.(tech) B.Sc. AIDPM MIAP
Head of F-PROT Technical Support, Yui Kee Co. Ltd.
The anti-virus arena sounds like a doctor's surgery: there are a large number of toolkits with a bewildering array of vaccinations, inoculations and behaviour blockers. Here I will describe the major methods used against viruses, and some of their advantages and disadvantages. Understanding these is the first step in planning a coherent and secure strategy against viruses.
A better simile is defence: there are different methods because there are different situations. A general knows how to combine tanks and infantry to best effect, and sometimes you need a navy. The best protection comes from using the techniques in combination. Some anti-virus packages recognise this and provide a range of tools.
Two of the most powerful techniques are often left unmentioned and no anti-virus toolkit provides them: the "Off" switch and the write-protect tag on diskettes.
Switching a machine off is the ultimate way of ensuring a virus is not running. The disk may be infected, but the infection cannot be spreading. Additionally, the contents of RAM are wiped, so when power is restored there is no virus in memory that could subvert your actions.
The write protection of diskettes is implemented in hardware, so a virus cannot circumvent it. Most methods of recovering from a virus involve a cold boot from a write-protected diskette known to be clean. If you do not have one, make one now!
However, although secure, these methods are limited. A PC without power may be safe, but it is not useful. A write-protected diskette cannot be changed by a virus, or by you. What other methods exist?
A good backup strategy can prevent much of the loss from a virus incident. Backing up data and programs separately and keeping several generations of backups are important. Backups assist in recovering from a virus incident, but prevention is the ideal solution.
Many anti-virus packages use signature scanning. This involves selecting a part of the virus code and searching for it in executables. Signatures must be selected and tested carefully: many viruses have been modified specifically to avoid a particular scanner. Choosing a signature in a critical area of the virus can make such a change more difficult. Conversely, a signature may also occur in some innocent software, causing a false positive. The worst example of this is where a virus has been linked with standard libraries, and an anti-virus researcher has inadvertently chosen part of a library routine, thus giving a false positive on every other program that uses that routine. Regional software, such as Chinese language software, can be more prone to such false positives because of a lack of opportunity to test new versions if a foreign software producer does not have a good network of beta-test sites.
Signature scanning is fairly well understood by some virus writers, and various attempts have been made to avoid it. The simpler methods involve either interspersing random "do nothing" instructions with the useful code or using alternate instructions that have the same result (e.g. MOV AX,0 and XOR AX,AX). These are countered by using a signature with "don't care" parts. The most complex method is used by the so-called "mutation engines". These can create fully polymorphic viruses that have no common parts between two infections by the same virus. This is achieved by encrypting the main body of the virus, and selecting one of a number of short decryption routines to add to the beginning. There are a number of mutation engines circulated as object modules ready to link into any virus, written by virus writers or groups of virus writers to assist their less-able brethren. Against these, an advanced extension of signature scanning, best described as algorithmic scanning, is used. This searches for the common pattern in the decryption routines.
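To make the "don't care" parts and the false-positive problem concrete, here is an added example in Python that is not from the original article or from any F-PROT code. The signature grammar (fixed byte, `??` for one don't-care byte, `[2-3]` for a short gap of arbitrary bytes), the opcode bytes and the sample buffers are all constructed for this example; the second, over-generic signature hits the clean program too, because MOV DX,imm16 followed by INT 21h is a pattern found in ordinary uninfected DOS programs.

```python
import re

def compile_signature(sig: str) -> re.Pattern:
    """Turn a space-separated signature into a bytes regex.

    Tokens (a grammar constructed for this example):
      "B4"    one fixed byte
      "??"    one "don't care" byte (an immediate that differs per infection)
      "[2-3]" a gap of 2 to 3 arbitrary bytes (padding such as NOPs, or
              equivalent encodings such as MOV AX,0 versus XOR AX,AX)
    """
    parts = []
    for tok in sig.split():
        if tok == "??":
            parts.append(b".")
        elif tok.startswith("[") and tok.endswith("]"):
            lo, hi = (int(n) for n in tok[1:-1].split("-"))
            parts.append(b".{%d,%d}" % (lo, hi))
        else:
            parts.append(re.escape(bytes([int(tok, 16)])))
    return re.compile(b"".join(parts), re.DOTALL)  # DOTALL: "." must match 0x0A too

def scan(buf: bytes, signatures: dict) -> list:
    """Return (signature name, offset) for every signature found in buf."""
    hits = []
    for name, sig in signatures.items():
        m = compile_signature(sig).search(buf)
        if m:
            hits.append((name, m.start()))
    return hits

SIGNATURES = {
    # Anchored on fixed opcodes either side of the variable region.
    "constructed-virus": "B4 4E [2-3] BA ?? ?? CD 21",
    # MOV DX,imm16 ; INT 21h on its own also occurs in innocent programs.
    "too-generic": "BA ?? ?? CD 21",
}

# Constructed samples: three "infections" of one virus that differ only in
# the variable region, and one clean program that merely prints a string.
SAMPLES = {
    "infected_a": bytes.fromhex("B4 4E B8 00 00 BA 34 12 CD 21"),  # MOV AX,0
    "infected_b": bytes.fromhex("B4 4E 33 C0 90 BA 78 56 CD 21"),  # XOR AX,AX ; NOP
    "infected_c": bytes.fromhex("B4 4E 33 C0 BA 78 56 CD 21"),     # XOR AX,AX
    "clean_hello": b"Hello$" + bytes.fromhex("B4 09 BA 00 01 CD 21"),
}

if __name__ == "__main__":
    for name, buf in SAMPLES.items():
        print(name, scan(buf, SIGNATURES))
```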
A great weakness of signature scanners is that they only detect known viruses. In fact, a well-designed signature scanner can detect many variants, and since most new viruses are variants of others this is often sufficient. Heuristic scanners, rather than looking for a particular signature, look for virus-like code. This results in a potentially greater chance of false positives, but careful refinement has produced some reliable examples.
Another approach to finding viruses is to look for programs that change. If a program changes unexpectedly, maybe a virus did it. This method is used by checksumming programs, and it is very secure. It is equally good at catching known and unknown viruses. Some of the more advanced checksumming programs can often repair the changes made. However, checksumming must be installed before a virus has attacked. The initial installation should be performed after a scan with an up-to-date scanner. Additionally, checksummers are vulnerable to "slow" viruses. Most viruses infect any program on disk or when a program is executed; slow viruses only infect when a program is being written to disk. This restricts their spread to the installation of software, or the linking of new software. The next time the checksummer is run, it warns about the changed program, but the user believes the change is entirely due to the new version they installed and OKs it. The virus has slipped by unnoticed. Some checksummers are also vulnerable to "companion" viruses, which, rather than modifying the host program's code, create a new file that will be found earlier on the execution path.
A checksumming or scanning program that is run occasionally to check a system is clean is limited because it cannot prevent infection. A scanner used on all incoming software and disks can stop infection at source, but a program or disk may be forgotten or skipped. Resident versions of both methods exist. These scan or checksum each executable as it is run, and prevent execution if a virus or a change, respectively, is found. These have a permanent impact on system performance and memory: programs will take slightly longer to load. Security is balanced against speed and reduced size; a resident anti-virus program is useless if the machine runs too slowly or has too little memory for productive work. The situation here is worst with TSRs in DOS; more advanced operating systems, such as OS/2 and Windows, can allow more powerful resident protection.
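An added example of the checksumming approach in Python, not from the article or any package it mentions. It uses SHA-256 as the checksum and an in-memory mapping of path to file contents in place of a real disk (both assumptions of this example); it reports changed, new and missing executables, and additionally flags a new .COM appearing beside a baselined .EXE of the same name in the same directory, the companion case just described. In the constructed later snapshot, FORMAT.COM has changed (the checksummer can only report it; whether it was upgraded or infected is the user's call, which is exactly the "slow virus" weakness) and EDIT.COM is a companion candidate.

```python
import hashlib

EXEC_EXT = (".com", ".exe")

def digest(data: bytes) -> str:
    # SHA-256 stands in here for whatever checksum a 1990s package used.
    return hashlib.sha256(data).hexdigest()

def baseline(files: dict) -> dict:
    """Record a checksum for every executable in a {path: contents} snapshot."""
    return {p: digest(d) for p, d in files.items() if p.lower().endswith(EXEC_EXT)}

def check(base: dict, files: dict) -> dict:
    """Compare a later snapshot against the recorded baseline."""
    now = baseline(files)
    report = {"changed": [], "new": [], "missing": [], "companion": []}
    for path, h in now.items():
        if path not in base:
            report["new"].append(path)
        elif base[path] != h:
            report["changed"].append(path)
    report["missing"] = [p for p in base if p not in now]
    # Companion check (same-directory case only): a NEW .COM whose name matches
    # a baselined .EXE is suspicious, since DOS runs the .COM first when both exist.
    exe_stems = {p[:-4].lower() for p in base if p.lower().endswith(".exe")}
    for path in report["new"]:
        if path.lower().endswith(".com") and path[:-4].lower() in exe_stems:
            report["companion"].append(path)
    return report

# Constructed snapshots (path -> contents) standing in for a real disk.
ORIGINAL = {
    "C:/DOS/EDIT.EXE": b"MZ edit 5.0",
    "C:/DOS/FORMAT.COM": b"format 5.0",
    "C:/DOS/README.TXT": b"not an executable, not checksummed",
}
LATER = {
    "C:/DOS/EDIT.EXE": b"MZ edit 5.0",                   # untouched
    "C:/DOS/FORMAT.COM": b"format 5.0" + b"<appended>",  # modified: upgraded or infected?
    "C:/DOS/README.TXT": b"not an executable, not checksummed",
    "C:/DOS/EDIT.COM": b"companion stub",                # new, would run before EDIT.EXE
    "C:/DOS/NEWGAME.EXE": b"MZ game",                    # new, nothing to compare against
}

if __name__ == "__main__":
    print(check(baseline(ORIGINAL), LATER))
```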
To avoid the memory overhead of a checksumming resident program, some packages offer a method, sometimes called inoculation, of making programs self-checking. The package adds code to other programs to perform a check as they start. This modification is virus-like in many ways, and an unaware scanner or a checksummer would give a false positive. Some programs already have self-checking built in, and would naturally object to such modification. Additionally, if the inoculation is inadvertently performed on already infected software, many scanners would not be able to see past the inoculation and detect the virus.
Another method of preventing damage by viruses is behaviour blockers. These are resident programs that trap key operating system events and give the user the choice of allowing the event or not. Thus, one would warn on attempts to write EXE or COM files, or to format a disk. These generally tend to be too cumbersome and unreliable to be useful. They require the user to make an informed decision on each event; many users are not suitably knowledgeable, and the repetition of questions leads to an automatic OK, or the removal of the protection software entirely.
Once a virus has been detected, the system must be restored to a clean state. The safest method is replacement of the affected software from a clean backup, but many viruses can be safely removed, saving time and trouble. It has already been mentioned that some checksumming programs, by virtue of their knowledge of the original form of the program, can do a repair. Also, scanners often have a cleaning module, either integral or as a separate program. Here, specific knowledge of how a particular virus infects is used to remove it. It is most important that the identification of the virus is accurate: many slight variants exist, and attempting to remove the wrong variant might also cut out some of the original program code.
To increase the protection, more than one good anti-virus package should be used, one on general release throughout a company, the second in the systems group for cross-checking. Even if the packages offer the same general methods, the implementations will differ, and each will catch viruses the other misses. This will be particularly true of scanners, where the signatures chosen are probably different and therefore able to catch different variants.
Anti-virus protection is not just a matter of installing any old package and leaving it running. Regular updates are important, even for generic methods of detection, because virus writers are continually searching for new ways to fool the detectors. The usability of the software is an important issue: the most sophisticated package is worthless if users remove it because it is slowing down their work or do not use it because it is confusingly complex. A useful package will be invisible to users until a virus is found, but will still provide powerful tools for the expert. Plan wisely: viruses are not a static issue.