Suspicious behavior
The suspicious behavior approach, by contrast, doesn't attempt to identify known viruses, but instead monitors the behavior of all programs. If one program tries to write data to an executable program, for example, the antivirus software can flag this suspicious behavior, alert a user and ask what to do.
Unlike the dictionary approach, the suspicious behavior approach therefore provides protection against brand-new viruses that do not yet exist in any virus dictionaries. However, it can also sound a large number of false positives, and users probably become desensitized to all the warnings. If the user clicks "Accept" on every such warning, then the antivirus software obviously gives no benefit to that user. This problem has worsened since 1997, since many more nonmalicious program designs came to modify other .exe files without regard to this false positive issue. Thus, most modern antivirus software uses this technique less and less.
Other approaches
Some antivirus-software uses of other types of heuristic analysis. For example, it could try to emulate the beginning of the code of each new executable that the system invokes before transferring control to that executable. If the program seems to use self-modifying code or otherwise appears as a virus (if it immediately tries to find other executables, for example), one could assume that a virus has infected the executable. However, this method could result in a lot of false positives. Yet another detection method involves using a sandbox. A sandbox emulates the operating system and runs the executable in this simulation. After the program has terminated, software analyzes the sandbox for any changes which might indicate a virus. Because of performance issues, this type of detection normally only takes place during on-demand scans. Also this method may fail as virus can be nondeterministic and result in different actions or no actions at all done then run - so it will be impossible to detect it from one run. Some virus scanners can also warn a user if a file is likely to contain a virus based on the file type.
An emerging technique to deal with malware in general is whitelisting. Rather than looking for only known bad software, this technique prevents execution of all computer code except that which has been previously identified as trustworthy by the system administrator. By following this default deny approach, the limitations inherent in keeping virus signatures up to date are avoided. Additionally, computer applications that are unwanted by the system administrator are prevented from executing since they are not on the whitelist. Since modem enterprise organizations have large quantities of trusted applications, the limitations of adopting this technique rest with the system administrators' ability to properly inventory and maintain the whitelist of trusted applications. As such, viable implementations of this technique include tools for automating the inventory and whitelist maintenance processes.
Issues of concern
• The spread of viruses using e-mail as their infection vector could be inhibited far more inexpensively and effectively, without the need to install additional antivirus software; if bugs in e-mail clients, which allow the unauthorized execution of code, were fixed
• User education can effectively supplement antivirus software. Simply training users in safe computing practices (such as not downloading and executing unknown programs from the Internet) would slow the spread of viruses and obviate the need of much antivirus software.
• The ongoing writing and spreading of viruses and of panic about them gives the vendors of commercial antivirus software a financial interest in the ongoing existence of viruses. Some theorize that antivirus companies have financial ties to virus writers, to generate their own market, though there is currently no evidence for this.
• Some antivirus software can considerably reduce performance. Users may disable the antivirus protection to overcome the performance loss, thus increasing the risk of infection. For maximum protection the antivirus software needs to be enabled all the time — often at the cost of slower performance (see also software bloat).
• It is sometimes necessary to temporarily disable virus protection when installing major updates such as Windows Service Packs or updating graphics card drivers. Having antivirus protection running at the same time as installing a major update may prevent the update installing properly or at all.
• When purchasing antivirus software, the agreement may include a clause that your subscription will be automatically renewed, and your credit card automatically billed at the renewal time without your approval. For example, McAfee requires one to unsubscribe at least 60 days before the expiration of the present subscription, yet it does not provide phone access nor a way to unsubscribe directly through their website. In that case, the subscriber's recourse is to contest the charges with the credit card issuer.
History
There are competing claims for the innovator of the first antivirus product. Perhaps the first publicly known neutralization of a wild PC virus was performed by European Bemt Fix (also Bemd) in early 1987. Fix neutralized an infection of the Vienna virus. Following Vienna a number of highly successful viruses appeared including Ping Pong, Lehigh, and Suriv-3 aka Jemsalem. In January 1988, researchers in the Hebrew University developed "unvirus" and "immune", which tell users whether their disks have been infected and applies an antidote to those that have.
From 1988 onwards many companies formed with a focus on the new field of antivirus technology. One of the first breakthroughs in antivirus technology occurred in March 1988 with the release of the Den Zuk viruses created by Denny Yanuar Ramdhani of Indonesia. Den Zuk neutralized the Brain virus. April 1988 saw the Virus-L forum on Usenet created, and mid 1988 saw the development by Peter Tippett of a heuristic scanner capable of detecting viruses and Trojans which was given a small public release. Fall 1988 also saw antivirus software Dr. Solomon's Anti-Virus Toolkit released by Briton Alan Solomon. By December 1990 the market had matured to the point of nineteen separate antivirus products being on sale including Norton AntiVirus and ViruScan from McAfee.
Tippett made a number of contributions to the budding field of virus detection. He was an emergency room doctor who also ran a computer software company. He had read an article about the Lehigh virus were the first viruses to be developed, but it was Lehigh that Tippett read about and he questioned whether they would have similar characteristics to viruses that attack humans. From an epidemiological viewpoint, he was able to determine how these viruses were affecting systems within the computer (the boot-sector was affected by the Brain virus, the .com files were affected by the Lehigh virus, and both .com and .exe files were affected by the Jemsalem virus). Tippett's company Certus International Corp. then began to create anti-virus software programs. The company was sold in 1992 to Symantec Corp, and Tippett went to work for them, incorporating the software he had developed into Symantec's product, Norton AntiVirus.
Best antivirus soft
NOD32 is an antivirus package made by the Slovak company Eset. Versions are available for Microsoft Windows, Linux, FreeBSD and other platforms. Remote administration tools for multiuser installations are also available at extra cost. NOD32 Enterprise Edition consists of NOD32 AntiVirus and NOD32 Remote Administrator. The NOD32 Remote Administrator program allows a network administrator to monitor anti-virus functions, push installations and upgrades to unprotected PCs on the network and update configuration files from a central location.
NOD32 is certified by ICSA Labs. It has been tested 44 times by Virus Bulletin and has failed only 3 times, the lowest failure rate in their tests. At CNET.com, it received a review of 7.3/10.
Technical information
NOD32 consists of an on-demand scanner and four different real-time monitors. The on-demand scanner (somewhat confusingly referred to as NOD32) can be invoked by the scheduler or by the user. Each real-time monitor covers a different virus entry point:
AMON (Antivirus MONitor) - scans files as they are accessed by the system, preventing a virus from executing on the system.
DMON (Document MONitor) - scans Microsoft Office documents and files for macro viruses as they are opened and saved by Office applications.
IMON (Internet MONitor) - intercepts traffic on common protocols such as POPS and HTTP to detect and intercept viruses before they are saved to disc.
XMON (MS eXchange MONitor) - scans incoming and outgoing mail when NODS 2 is running and licensed for Microsoft Exchange Server – i.e, running on a server environment. This module is not present on workstations at all.
NOD32 Virus Detection Alert
NOD32 is written largely in assembly code, which contributes to its low use of system resources and high scanning speed, meaning that NOD32 can easily process more than 23MB per second while scanning on a modest P4 based PC and on average, with all real-time modules active, uses less than 20MB of memory in total but the physical RAM used by NOD32 is often just a third of that. According to a 2005 Virus Bulletin test, NOD32 performs scans two to five times faster than other antivirus competitors.
In a networked environment NOD32 clients can update from a central "mirror server" on the network, reducing bandwidth usage since new definitions need only be downloaded once by the mirror server as opposed to once for each client.
NOD32's scan engine uses heuristic detection (which Eset calls "ThreatSense") in addition to signature files to provide better protection against newly released viruses.
Text 2
What is a virus?
B. Kelley
IOWA STATE UNIVERSITY, PM 1789 Rewised June, 2006.
In 1983, researcher Fred Cohen defined a computer virus as "a program that can 'infect' other programs by modifying them to include a ... version of itself. " This means that viruses copy themselves, usually by encryption or by mutating slightly each time they copy.
There are several types of viruses, but the ones that are the most dangerous are designed to corrupt your computer or software programs. Viruses can range from an irritating message flashing on your computer screen to eliminating data on your hard drive. Viruses often use your computer's internal clock as a trigger. Some of the most popular dates used are Friday the 13th and famous birthdays. It is important to remember that viruses are dangerous only if you execute (start) an infected program.
There are three main kinds of viruses*. Each kind is based on the way the virus spreads.
1. Boot Sector Viruses - These viruses attach themselves to floppy disks and then copy themselves into the boot sector of your hard drive. (The boot sector is the set of instructions your computer uses when it starts up.) When you start your computer (or reboot it) your hard drive gets infected. You can get boot sector viruses only from an infected floppy disk. You cannot get one from sharing files or executing programs. This type of virus is becoming less common because today's computers do not require a boot disk to start, but they can still be found on disks that contain other types of files. One of the most common boot sector viruses is called "Monkey," also known as "Stoned."
2. Program Viruses - These viruses (also known as traditional file viruses) attach themselves to programs' executable files. Usually a program virus will attach to an .exe or .corn file. However, they can infect any file that your computer runs when it launches a program (including .sys, .dll, and others). When you start a program that contains a virus, the virus usually loads into your computer's Memory.
* Three kinds of viruses
1. Boot Sector viruses attach to floppy disks and then copy into the boot sector of your hard drive.
2. Program viruses attach to a program's executable files.
3. Macro viruses attach to templates.
The truth about viruses
The majority of people believe that the most common source of viruses is the Internet through e-mail or downloaded files. The truth is however, that the majority of viruses spread through shared floppy disks or shared files on internal network.
Even if you are not connected to the Internet you should still be concerned about viruses. You should also be aware that there are thousands of false rumors of viruses (virus hoaxes).
Контрольные вопросы для самопроверки
1. Какие источники информации являются основными видами переработки иностранных печатных изданий?
2. Какой принцип наиболее актуален для компрессии информации при составлении аннотаций и рефератов?
3. Какая основная цель написания реферата?
4. Чем отличается аннотация от реферата?
5. Какая основная функция библиографического описания?
6. Как можно оформить библиографическое описание, если реферируются или аннотируются иностранные документы?
7. Каковы отличительные черты информативного и индикативного видов реферата?
8. Что такое аннотация?
9. Какие составные части имеет аннотация?
10. Как подразделяются клише, используемые при написании аннотаций и рефератов?
Тест
1. Какие источники переработки научно-технической информации имеют первостепенное значение?
a. Библиографические описания, аннотации и рефераты.
b. Каталоги и рекламные проспекты.
c. Газеты и инструкции.
2. В чем заключается сущность аннотирования и реферирования?
a. В максимальном увеличении объема текста за счет использования несущественных деталей.
b. В максимальном усложнении грамматической структуры за счет применения причастных оборотов и герундиальных конструкций.
c. В максимальном сокращении объема источника информации при существенном сохранении его основного содержания.
3. С какой целью составляется реферат?
a. Чтобы заставить читателя прочитать первоисточник и перевести его полностью.
b. Чтобы дать читателю относительно полное представление о затронутых в первоисточнике вопросах и освободить его от перевода оригинала.
c. Чтобы создать у читателя краткое представление о затронутых в первоисточнике вопросах и заставить его перевести оригинал.
4. Для чего составляется библиографическое описание?
a. Чтобы ознакомить читателя с главными персонажами первоисточника и сформировать у него положительное отношение к ним.
b. Чтобы ознакомить читателя с предыдущими достижениями научно-технического прогресса в полной форме.
c. Чтобы известить читателя о вышедшей в свет или готовящейся к печати публикации на определенную тему.
5. Какого рода сведения содержит информативный реферат?