Chapter 2: Functionality
Anti-virus tools perform three basic functions: they may be used to detect, identify, or remove viruses. Detection tools perform proactive, active, or reactive detection; that is, they detect a virus before it executes, during execution, or after execution. Identification and removal tools are more straightforward in their application; neither is of use until a virus has been detected.
2.1 Detection Tools
Detection tools establish that a virus is present on a system. They can perform detection at a variety of points in the system: the virus may be actively executing, residing in memory, or stored in executable code. Correspondingly, the virus may be detected before execution, during execution, or after execution and replication.
2.1.1 Detection by Static Analysis
Static analysis detection tools examine executables without executing them. Such tools can be used in a proactive or a reactive fashion. Used proactively, they detect infected code before it is introduced to a system, by testing every diskette before software is installed from it. Used reactively, they scan a system on a regular schedule to detect any viruses acquired since the previous scan.
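As an added example (not code from the original text), a minimal static scanner in Python: it reads each file in a constructed "diskette" directory and searches for known byte patterns, never executing the contents. Signature scanning is one common form of static analysis; the excerpt does not name a particular method, and the signature patterns, signature names, and file names below are constructed for illustration, not real malware identifiers.

```python
"""Signature-based static scan (added example; signatures and files are constructed)."""
import os
import tempfile

# Constructed signature database: placeholder name -> byte pattern.
# These are NOT real virus signatures.
SIGNATURES = {
    "EXAMPLE-A": b"\xde\xad\xbe\xef\x13\x37\x00\x01",
    "EXAMPLE-B": b"VIRUS-MARKER-XYZ",
}


def scan_bytes(data: bytes) -> list[str]:
    """Return the names of all signatures present in data. Static: the data is never executed."""
    return [name for name, sig in SIGNATURES.items() if sig in data]


def scan_file(path: str, chunk_size: int = 1 << 20) -> list[str]:
    """Scan a file chunk by chunk, carrying an overlap so a signature that
    straddles a chunk boundary is still found."""
    overlap = max(len(s) for s in SIGNATURES.values()) - 1
    found: set[str] = set()
    tail = b""
    with open(path, "rb") as fh:
        while True:
            chunk = fh.read(chunk_size)
            if not chunk:
                break
            found.update(scan_bytes(tail + chunk))
            tail = (tail + chunk)[-overlap:] if overlap > 0 else b""
    return sorted(found)


def scan_tree(root: str) -> dict[str, list[str]]:
    """Scan every regular file under root; return {path: [matches]} for flagged files only."""
    hits: dict[str, list[str]] = {}
    for dirpath, _dirs, files in os.walk(root):
        for fn in files:
            p = os.path.join(dirpath, fn)
            if os.path.isfile(p) and not os.path.islink(p):
                matches = scan_file(p)
                if matches:
                    hits[p] = matches
    return hits


def demo() -> dict[str, list[str]]:
    """Build a constructed 'diskette' with one clean and one infected file, then scan it.
    Returns results keyed by file name relative to the diskette root."""
    root = tempfile.mkdtemp(prefix="diskette-")
    with open(os.path.join(root, "CLEAN.EXE"), "wb") as fh:
        fh.write(b"MZ" + b"\x90" * 64)
    with open(os.path.join(root, "GAME.EXE"), "wb") as fh:
        fh.write(b"MZ" + b"\x90" * 32 + SIGNATURES["EXAMPLE-A"] + b"\x00" * 8)
    return {os.path.relpath(p, root): m for p, m in scan_tree(root).items()}


if __name__ == "__main__":
    for path, names in demo().items():
        print(f"{path}: {', '.join(names)}")
```

Because the scanner only reads bytes, it can be run on media before any program on them is installed, which is the proactive use described above; run on a schedule against an installed system, it is the reactive use. Its obvious limit is that it recognizes only patterns already in its database.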
2.1.2 Detection by Interception
To propagate, a virus must infect other host programs. Some detection tools are intended to intercept attempts to perform such "illicit" activities. These tools halt the execution of virus-infected programs as the virus attempts to replicate or become resident. Note that the virus has been introduced to the system and attempts to replicate before detection can occur.
2.1.3 Detection of Modification
All viruses cause modification of executables in their replication process. As a result, the presence of viruses can also be detected by searching for unexpected modification of executables. This process is sometimes called integrity checking.
Detection of modification may also identify other security problems, such as the installation of Trojan horses. Note that this type of detection tool works only after infected executables have been introduced to the system and the virus has replicated.
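As an added example (not code from the original text), an integrity checker in Python: it records a SHA-256 digest and size for every file under a directory, then reports which files were modified, added, or removed since that baseline. The directory, file names, and the simulated appending infection are constructed for illustration. The checker and its stored baseline must themselves be kept where an infected system cannot alter them, otherwise a virus that also rewrites the baseline goes unnoticed.

```python
"""Integrity checking (added example; directory contents and infection are constructed)."""
import hashlib
import json
import os
import tempfile


def file_digest(path: str) -> str:
    """SHA-256 of a file, read in chunks so large executables need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: str) -> dict[str, dict]:
    """Record digest and size of every regular file under root, keyed by relative path.
    Size is kept as a cheap second indicator: an appending infector changes both."""
    baseline: dict[str, dict] = {}
    for dirpath, _dirs, files in os.walk(root):
        for fn in files:
            p = os.path.join(dirpath, fn)
            if os.path.isfile(p) and not os.path.islink(p):
                rel = os.path.relpath(p, root)
                baseline[rel] = {"sha256": file_digest(p), "size": os.path.getsize(p)}
    return baseline


def check_integrity(root: str, baseline: dict[str, dict]) -> dict[str, list[str]]:
    """Recompute the current state and compare it with the baseline.
    Returns sorted lists of modified, added, and missing relative paths."""
    current = build_baseline(root)
    modified = sorted(p for p in baseline if p in current and current[p] != baseline[p])
    added = sorted(p for p in current if p not in baseline)
    missing = sorted(p for p in baseline if p not in current)
    return {"modified": modified, "added": added, "missing": missing}


def demo() -> dict[str, list[str]]:
    """Constructed scenario: baseline a clean system, simulate an appending file
    infector plus a dropped program, then run the check."""
    root = tempfile.mkdtemp(prefix="system-")
    for name in ("EDIT.EXE", "GAME.EXE", "SHELL.EXE"):
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(b"MZ" + name.encode() + b"\x90" * 64)

    # In practice the baseline is written to protected media (e.g. a
    # write-protected diskette); here it is simply serialized to a string.
    saved = json.dumps(build_baseline(root))

    # Simulated infection: GAME.EXE grows by an appended code body, and a
    # new executable appears that was not present at baseline time.
    with open(os.path.join(root, "GAME.EXE"), "ab") as fh:
        fh.write(b"\xeb\x05" + b"X" * 200)
    with open(os.path.join(root, "DROPPED.COM"), "wb") as fh:
        fh.write(b"\xc3")

    return check_integrity(root, json.loads(saved))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths or '-'}")
```

The check flags any change, not only viral ones, which is why it also surfaces Trojan horses and legitimate updates alike; every reported modification has to be explained, and the baseline must be refreshed after intentional changes. As the text notes, detection happens only after the modification, so this is a reactive control.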
2.2 Identification Tools
Identification tools are used to identify which virus has infected a particular executable. This allows the user to obtain additional information about the virus. This is a useful practice, since it may provide clues about other types of damage incurred and appropriate clean-up procedures.
2.3 Removal Tools
In many cases, once a virus has been detected it is found on numerous systems or in numerous executables on a single system. Recovery from original diskettes or clean backups can be a tedious process. Removal tools attempt to efficiently restore the system to its uninfected state by removing the virus code from the infected executable.....