Antivirus Software

Antivirus software consists of computer programs that attempt to identify, thwart and eliminate computer viruses and other malicious software. Antivirus software typically uses two different techniques to accomplish this:

Examining (scanning) files to look for known viruses matching definitions in a virus dictionary
Identifying suspicious behavior from any computer program which might indicate infection. Such analysis may include data captures, port monitoring and other methods.

Most commercial antivirus software uses both of these approaches, with an emphasis on the virus dictionary approach. In the virus dictionary approach, when the antivirus software looks at a file, it refers to a dictionary of known viruses that the authors of the antivirus software have identified. If a piece of code in the file matches any virus identified in the dictionary, then the antivirus software can take one of the following actions:

• –1.–Attempt to repair the file by removing the virus itself from the file
• –2.–Quarantine the file (such that the file remains inaccessible to other programs and its virus can no longer spread)
• –3.–Delete the infected file

How to choose the best Anti virus program?

• –1.–To achieve consistent success in the medium and long term, the virus dictionary approach requires periodic (generally online) downloads of updated virus dictionary entries. As civically minded and technically inclined users identify new viruses "in the wild", they can send their infected files to the authors of antivirus software, who then include information about the new viruses in their dictionaries. The application must provide online updates.
• –2.– Dictionary-based antivirus software typically examines files when the computer's operating system creates, opens, closes or e-mails them. In this way it can detect a known virus immediately upon receipt. It should contain a scheduled inspection. You should schedule the antivirus software to examine (scan) all files on the computer's hard disk on a regular basis.
• –3.–Although the dictionary approach can effectively contain virus outbreaks in the right circumstances, virus authors have tried to stay a step ahead of such software by writing "oligomorphic", "polymorphic" and more recently "metamorphic" viruses, which encrypt parts of themselves or otherwise modify themselves as a method of disguise, so as to not match the virus's signature in the dictionary. The user should be suspicious about programs he installs. The suspicious behavior approach, by contrast, doesn't attempt to identify known viruses, but instead monitors the behavior of all programs. If one program tries to write data to an executable program, for example, the antivirus software can flag this suspicious behavior, alert a user and ask what to do. Unlike the dictionary approach, the suspicious behavior approach therefore provides protection against brand-new viruses that do not yet exist in any virus dictionaries. However, it can also sound a large number of false positives, and users probably become desensitized to all the warnings. If the user clicks "Accept" on every such warning, then the antivirus software obviously gives no benefit to that user.
• –4.– The anti-virus program should contain a sandbox. A sandbox emulates the operating system and runs the executable in this simulation. After the program has terminated, software analyzes the sandbox for any changes which might indicate a virus. Because of performance issues, this type of detection normally only takes place during on-demand scans. Also, this method may fail as virus can be non-deterministic and result in different actions or no actions when first run - so it will be impossible to detect it from one run.
• –5.–It should support whitelisting. An emerging technique to deal with malware in general is whitelisting. Rather than looking for only known bad software, this technique prevents execution of all computer code except that which has been previously identifed as trustworthy by the people operating the machine. By following this default deny approach, the limitations inherent in keeping virus signatures up to date are avoided. Additionally, computer applications that are unwanted by the operator are prevented from executing since they are not on the whitelist.

Other recommendations

<.li>–1.–User education can effectively supplement antivirus software. Simply training users in safe computing practices (such as not downloading and executing unknown programs from the Internet) would slow the spread of viruses and eliminate the need for much antivirus software.
• –2.–Some antivirus software can considerably reduce performance. Users may disable the antivirus protection to overcome the performance loss, thus increasing the risk of infection. For maximum protection the antivirus software needs to be enabled all the time — often at the cost of slower performance. It is sometimes necessary to temporarily disable virus protection when installing major updates such as Windows Service Packs or updating graphics card drivers. Having antivirus protection running at the same time as installing a major update may prevent the update installing properly or at all.
• –3.– When purchasing antivirus software, the agreement may include a clause that your subscription will be automatically renewed, and your credit card automatically billed at the renewal time without your approval. For example, antivirus software requires one to unsubscribe at least 60 days before the expiration of the present subscription, yet it does not provide phone access nor a way to unsubscribe directly through their website. In that case, the subscriber's recourse is to contest the charges with the credit card issuer.

Take home lesson:
Run a good anti-virus software and keep it turned on at all times.