Probability of Success
Because malware (viruses, worms, Trojans etc.) is constantly evolving and the harmful logic attached to it ("evil intelligence") cannot be foreseen, practically no virus scanner can protect against every conceivable virus or worm. Virus scanners should therefore be regarded and used only as a supplement to general precautionary measures. Even with a virus scanner in place, caution and attentive behaviour remain indispensable for responsible computer users.
In principle, two detection techniques can be distinguished:
- Reactive: With this kind of detection, a piece of malware is recognized only once the manufacturer of the anti-virus software has made a corresponding signature available. This is the classical kind of virus detection, and practically every anti-virus product uses it.
- Proactive: This denotes the detection of viruses for which no signature is yet available. Given the rapid increase in new malware, it is to be assumed that the future of virus detection lies in this technology. Proactive methods include heuristics and sandbox technology.
Scan Engines
A scan engine is the part of a virus scanner that is responsible for examining a computer or network for malicious software. The scan engine is thus directly responsible for the effectiveness of anti-virus software. Scan engines are usually software modules that can be updated and used independently of the rest of the virus scanner.
Some anti-virus software uses, in addition to its own scan engine, scan engines licensed from other AV manufacturers. In theory the detection rate can be increased by using several scan engines, but this always leads to drastic performance losses. It therefore remains doubtful whether virus scanners with several scan engines are worthwhile. That depends on the security requirements and on the demands placed on system performance, and must be decided case by case.
The effectiveness of a signature-based anti-virus scanner in detecting harmful files does not depend only on the virus signatures it uses. Executable files are often packed before distribution in such a way that they unpack themselves when run (runtime compression). An otherwise well-known virus can thus escape detection by some scanners, because they are unable to examine the contents of runtime-compressed archives.
With such scanners, only the archive as a whole can be added to the signatures. If the archive is repacked (with its contents unchanged), the new archive would likewise have to be added to the signatures. A scanner that can unpack as many formats as possible has the advantage here, because it examines the contents of archives. The number of signatures used therefore says nothing by itself about detection performance.
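The following added example (not code from the original article or from any anti-virus vendor) shows why a signature engine that cannot look inside runtime-compressed files misses a known sample. The "packer" is a constructed stand-in (a magic header plus a zlib stream), the signature and the sample bytes are constructed, and the depth limit shows the caveat a real unpacker needs: nested packing must not be allowed to recurse without bound.

```python
import zlib

# Constructed signature database: detection name -> byte pattern the engine
# looks for in file content. Not a real signature.
SIGNATURES = {
    "Test.Sample.A": b"CONSTRUCTED-MALWARE-MARKER-0001",
}

# Constructed stand-in for a runtime packer: a 5-byte magic header followed by
# a zlib stream holding the original file. Real packers differ in format, but
# the scanner's problem is the same: the signature is not visible in the packed bytes.
PACK_MAGIC = b"PACK1"


def pack(data: bytes) -> bytes:
    """Wrap `data` in the constructed packer format."""
    return PACK_MAGIC + zlib.compress(data)


def is_packed(data: bytes) -> bool:
    return data.startswith(PACK_MAGIC)


def unpack(data: bytes) -> bytes:
    """Undo one layer of packing; raises zlib.error on corrupt input."""
    return zlib.decompress(data[len(PACK_MAGIC):])


def scan_flat(data: bytes) -> list[str]:
    """Plain signature match against the bytes exactly as stored on disk."""
    return [name for name, pattern in SIGNATURES.items() if pattern in data]


def scan(data: bytes, unpack_layers: bool = True, max_depth: int = 4) -> list[str]:
    """Signature scan that optionally looks through runtime-compression layers.

    With unpack_layers=False the scanner behaves like an engine that cannot
    examine packed content: a known sample becomes invisible once packed.
    max_depth bounds the recursion so nested packing cannot keep the scanner
    busy indefinitely (a resource-exhaustion concern for real unpackers).
    """
    hits = scan_flat(data)
    depth = 0
    while unpack_layers and is_packed(data) and depth < max_depth:
        try:
            data = unpack(data)
        except zlib.error:
            break  # corrupt or hostile stream: stop and report what we have
        depth += 1
        hits += [h for h in scan_flat(data) if h not in hits]
    return hits


# Constructed sample: a harmless byte string carrying the marker above,
# padded with zero runs so that compression actually shrinks it.
SAMPLE = b"MZ" + b"\x00" * 64 + b"CONSTRUCTED-MALWARE-MARKER-0001" + b"\x00" * 64
PACKED_SAMPLE = pack(SAMPLE)
DOUBLE_PACKED_SAMPLE = pack(PACKED_SAMPLE)

if __name__ == "__main__":
    print("flat, no unpacking      :", scan(SAMPLE, unpack_layers=False))
    print("packed, no unpacking    :", scan(PACKED_SAMPLE, unpack_layers=False))
    print("packed, with unpacking  :", scan(PACKED_SAMPLE))
    print("double-packed, depth 1  :", scan(DOUBLE_PACKED_SAMPLE, max_depth=1))
    print("double-packed, depth 4  :", scan(DOUBLE_PACKED_SAMPLE))
```

The packed sample produces no hit for the flat scanner, which is exactly the situation described above: the vendor would have to add the packed archive itself as a new signature, and repacking would defeat that again. The unpacking scanner finds the original signature through one or two layers, and the depth limit makes the second case with `max_depth=1` fail deliberately, showing that the trade-off between unpacking depth and scan cost is a tuning decision, not something the signature count reveals.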
Heuristics
Some virus scanners can also search for general characteristics of malicious code (heuristics) in order to detect unknown viruses, or they include a rudimentary intrusion detection system (IDS). The importance of this preventive kind of detection is constantly increasing, because the intervals at which new viruses and variants of a virus appear become ever shorter. For anti-virus manufacturers it thus becomes ever more complex and difficult to detect all malware promptly by means of a corresponding signature. Heuristics should nevertheless be regarded only as an auxiliary function of the virus scanner, since their actual detection rate for still unknown malware is rather low. The gain in security is therefore minimal.
Sandbox
In order to improve the detection of unknown viruses and worms, the Norwegian anti-virus manufacturer Norman introduced a new technology in 2001 in which programs are executed in a secured environment, the sandbox. Put simply, this system works like a computer within the computer. In this environment the file is executed and it is analyzed which actions it performs. If necessary, the sandbox can also make network functionality available, such as a mail or an IRC server. During execution, the sandbox expects the behaviour typical of this kind of file. If the file deviates from this beyond a certain degree, the sandbox classifies it as a potential danger. It can distinguish between the following threat classes:
- W32/Malware
- W32/EMailWorm
- W32/NetworkWorm
- W32/BackDoor
- W32/P2PWorm
- W32/FileInfector
- W32/Dialer
- W32/Downloader
- W32/Spyware
As a result it also produces an output that shows which actions the file would have performed on the system and what damage would have been caused. This information can also be useful when cleaning an infected computer system.
In tests by AV-Test, 39 % of still unknown viruses and worms could be detected by the sandbox technology before a signature was available. Compared with conventional heuristics, this is real progress in proactive detection.
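The added example below (not Norman's code or anything from the original article) models the two ideas in the sandbox description: a per-file-type profile of expected behaviour, where events outside the profile count as deviation, and a rule table that maps observed behaviour onto the threat classes listed above. The event kinds, profiles, thresholds and the three traces are constructed for illustration; the output also returns the "what would it have done" action report mentioned above.

```python
from collections import defaultdict

# An event is an observed action during the sandbox run: (kind, target).
# Expected behaviour per file type; every event kind outside the profile counts
# as a deviation. Profiles and thresholds are constructed for this example.
EXPECTED = {
    "document-viewer": {"file_read", "registry_read", "gui"},
    "installer": {"file_read", "file_write", "registry_read", "registry_write", "gui"},
}
DEVIATION_THRESHOLD = 0.25  # tolerated fraction of events outside the profile


def _fanout(events, port):
    """Distinct hosts contacted on `port`."""
    return {t.rsplit(":", 1)[0] for k, t in events
            if k == "net_connect" and t.endswith(":" + port)}


def _max_fanout(events, exclude=("25",)):
    """Largest number of distinct hosts contacted on one non-mail port (scan-like spread)."""
    hosts = defaultdict(set)
    for kind, target in events:
        if kind == "net_connect":
            host, port = target.rsplit(":", 1)
            if port not in exclude:
                hosts[port].add(host)
    return max((len(h) for h in hosts.values()), default=0)


def _has(events, kind):
    return any(k == kind for k, _ in events)


def _download_then_exec(events):
    """Downloader pattern: a file fetched from the network is later executed."""
    fetched = set()
    for kind, target in events:
        if kind == "http_download":
            fetched.add(target)
        elif kind == "proc_exec" and target in fetched:
            return True
    return False


# Constructed behavioural rules for the threat classes listed in the article.
RULES = [
    ("W32/EMailWorm", lambda ev: len(_fanout(ev, "25")) >= 5),
    ("W32/NetworkWorm", lambda ev: _max_fanout(ev) >= 20),
    ("W32/BackDoor", lambda ev: _has(ev, "net_listen")),
    ("W32/P2PWorm", lambda ev: any(k == "file_write" and "/shared/" in t for k, t in ev)),
    ("W32/FileInfector", lambda ev: any(k == "file_modify" and t.endswith(".exe") for k, t in ev)),
    ("W32/Dialer", lambda ev: _has(ev, "modem_dial")),
    ("W32/Downloader", _download_then_exec),
    ("W32/Spyware", lambda ev: _has(ev, "keyboard_hook") and _has(ev, "net_connect")),
]


def analyse(file_type, events):
    """Sandbox verdict: threat classes, deviation ratio and an action report."""
    classes = [name for name, rule in RULES if rule(events)]
    profile = EXPECTED.get(file_type, set())
    outside = sum(1 for k, _ in events if k not in profile)
    ratio = outside / len(events) if events else 0.0
    if not classes and ratio > DEVIATION_THRESHOLD:
        classes.append("W32/Malware")  # deviates from expected behaviour, no specific pattern
    report = defaultdict(list)  # action kind -> targets: "what it would have done"
    for kind, target in events:
        report[kind].append(target)
    return {"classes": classes, "deviation": round(ratio, 2), "report": dict(report)}


# Constructed trace: a supposed document viewer that contacts five mail servers
# and drops a copy of itself into a shared folder.
TRACE_WORM = [
    ("file_read", "C:/Users/alice/Documents/notes.txt"),
    ("registry_read", "HKCU/Software/Example"),
] + [("net_connect", f"10.0.0.{i}:25") for i in range(1, 6)] + [
    ("file_write", "C:/Users/alice/shared/setup.exe"),
]
# Constructed trace: an installer that only does what installers do.
TRACE_CLEAN = [
    ("file_read", "C:/install/package.cab"),
    ("file_write", "C:/Program Files/Example/app.dat"),
    ("registry_write", "HKLM/Software/Example"),
    ("gui", "progress window"),
]
# Constructed trace: no known pattern, but far outside a document viewer's profile.
TRACE_ODD = [
    ("file_read", "C:/Users/alice/Documents/report.doc"),
    ("proc_exec", "C:/Temp/helper.exe"),
    ("registry_write", "HKCU/Software/Microsoft/Windows/CurrentVersion/Run"),
]

if __name__ == "__main__":
    for name, ftype, trace in [("worm", "document-viewer", TRACE_WORM),
                               ("clean", "installer", TRACE_CLEAN),
                               ("odd", "document-viewer", TRACE_ODD)]:
        print(name, analyse(ftype, trace))
```

The worm trace is matched by two specific rules, the clean installer stays inside its profile and gets no class, and the third trace shows the generic fallback: nothing matches a named pattern, but two of three actions are outside what a document viewer is expected to do, so it is flagged as W32/Malware. That fallback is what lets a sandbox catch samples that no signature and no specific rule describe yet, which is the proactive gain the article is describing.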