Evaluation of antivirus programs. Comparison of antiviruses based on the effectiveness of protection against the latest malware. Comparative analysis of computer viruses

Introduction

1. Theoretical part

1.1 Concept of information security

1.2 Types of threats

1.3 Information security methods

2. Design part

2.1 Classification of computer viruses

2.2 The concept of an antivirus program

2.3 Types of antivirus products

2.4 Comparison of antivirus packages

Conclusion

List of used literature

Appendix

Introduction

The development of new information technologies and general computerization have made information security not only mandatory but also one of the defining characteristics of information systems. There is a fairly large class of information processing systems in whose development the security factor plays a paramount role.

The mass use of personal computers is associated with the emergence of self-replicating virus programs that prevent the normal operation of computers, destroy the file structure of disks and damage information stored on the computer.

Despite the laws adopted in many countries to combat computer crime and the development of special antivirus protection tools, the number of new software viruses is constantly growing. This requires the personal computer user to know about the nature of viruses, the ways in which they infect a computer and the means of protecting against them.

Viruses are becoming more sophisticated every day, significantly changing the threat profile. The antivirus software market does not stand still either, offering many products. Their users, understanding the problem only in general terms, often miss important nuances and end up with the illusion of protection instead of protection itself.

The purpose of this course work is to conduct a comparative analysis of antivirus packages.

To achieve this goal, the following tasks are solved in the work:

Study the concepts of information security, computer viruses and antivirus products;

Determine types of threats to information security, methods of protection;

Study the classification of computer viruses and anti-virus programs;

Conduct a comparative analysis of anti-virus packages;

Create an antivirus program.

Practical significance of the work.

The results obtained and the course work material can be used as a basis for independent comparison of antivirus programs.

The structure of the course work.

This course work consists of an Introduction, two sections, a Conclusion, and a list of references.


1. Theoretical part

In the process of conducting a comparative analysis of antivirus packages, it is necessary to define the following concepts:

1 Information security.

2 Types of threats.

3 Information security methods.

Let's move on to a detailed consideration of these concepts:

1.1 Concept of information security

Despite increasing efforts to create data protection technologies, the vulnerability of data in modern conditions not only does not decrease but constantly increases. The problems of information protection are therefore becoming ever more relevant.

The problem of information security is multifaceted and complex and covers a number of important tasks, for example ensuring data confidentiality, which is achieved using various methods and means. The list of such information security tasks could be continued; the intensive development of modern information technologies, and of network technologies in particular, creates all the prerequisites for this.

Information protection is a set of measures aimed at ensuring the integrity, availability and, if necessary, confidentiality of information and resources used for entering, storing, processing and transmitting data.

To date, two basic principles for information protection have been formulated:

1 data integrity – protection against failures leading to loss of information, as well as protection against unauthorized creation or destruction of data;

2 confidentiality of information.

Protection against failures leading to loss of information is achieved by increasing the reliability of the individual elements and systems that input, store, process and transmit data; by duplicating and adding redundancy to individual elements and systems; by using various power sources, including autonomous ones; by raising the qualifications of users; and by protecting against unintentional and intentional actions that lead to equipment failure or to the destruction or modification of software and protected information.

Protection against unauthorized creation or destruction of data is provided by physical protection of information, delimitation and restriction of access to elements of protected information, closing off protected information while it is being processed, and the development of software and hardware systems, devices and specialized software to prevent unauthorized access to protected information.

Confidentiality of information is ensured by identification and authentication of access subjects when logging into the system using an identifier and password, identification of external devices by physical addresses, identification of programs, volumes, directories and files by name, encryption and decryption of information, and delimitation and control of access to it.

Among the measures aimed at protecting information, the main ones are technical, organizational and legal.

Technical measures include protection against unauthorized access to the system, redundancy of particularly important computer subsystems, organization of computer networks with the possibility of redistributing resources if individual links fail, installing backup power supply systems, equipping premises with locks, installing an alarm system, and so on.

Organizational measures include: security of the computer center (informatics rooms); concluding a contract for the maintenance of computer equipment with an organization of good reputation; excluding the possibility of unauthorized or random persons working on the computer equipment, and so on.

Legal measures include the development of standards establishing liability for the disabling of computer equipment and destruction (change) of software, public control over developers and users of computer systems and programs.

It should be emphasized that no hardware, software or any other solutions can guarantee absolute reliability and security of data in computer systems. At the same time, it is possible to minimize the risk of losses, but only with an integrated approach to information protection.

1.2 Types of threats

Passive threats are mainly aimed at unauthorized use of the information resources of an information system without affecting its functioning, for example unauthorized access to databases, eavesdropping on communication channels, and so on.

Active threats are intended to disrupt the normal functioning of an information system through targeted influence on its components. Active threats include, for example, the destruction of a computer or its operating system, destruction of computer software, disruption of communication lines, and so on. Active threats can come from hackers, malware, and the like.

Intentional threats are also divided into internal (arising within the managed organization) and external.

Internal threats are most often determined by social tension and a difficult moral climate.

External threats can be determined by malicious actions of competitors, economic conditions and other reasons (for example, natural disasters).

The main threats to information security and the normal functioning of the information system include:

Leakage of confidential information;

Compromise of information;

Unauthorized use of information resources;

Incorrect use of information resources;

Unauthorized exchange of information between subscribers;

Repudiation of information;

Disruption of information services;

Illegal use of privileges.

A leak of confidential information is the uncontrolled release of confidential information outside the information system or the circle of persons to whom it was entrusted in the course of their work or became known in the course of work. This leak may be due to:

Disclosure of confidential information;

Transfer of information through various, mainly technical, channels;

Unauthorized access to confidential information in various ways.

Disclosure of information by its owner or holder is the intentional or careless actions of officials and users to whom the relevant information was entrusted in the prescribed manner through their service or work, which led to the familiarization with it of persons who were not allowed to have access to this information.

Uncontrolled loss of confidential information through visual-optical, acoustic, electromagnetic and other channels is possible.

Unauthorized access is the unlawful deliberate acquisition of confidential information by a person who does not have the right to access protected information.

The most common ways of unauthorized access to information are:

Interception of electronic radiation;

Use of listening devices;

Remote photography;

Interception of acoustic radiation and restoration of printer text;

Copying storage media by overcoming security measures;

Masquerading as a registered user;

Masquerading as system requests;

Use of software traps;

Exploiting the shortcomings of programming languages and operating systems;

Illegal connection to equipment and communication lines of specially designed hardware that provides access to information;

Malicious disabling of protection mechanisms;

Decryption of encrypted information by special programs;

Information infections.

The listed methods of unauthorized access require quite a lot of technical knowledge and appropriate hardware or software development on the part of the intruder. For example, technical leakage channels are used: physical paths from a source of confidential information to an attacker through which protected information can be obtained. Leakage channels arise from design and technological imperfections in circuit solutions or from operational wear of elements. All this allows an attacker to build converters operating on certain physical principles, forming an information transmission channel inherent in those principles, namely a leakage channel.

However, there are also quite primitive ways of unauthorized access:

Theft of storage media and documentary waste;

Initiative cooperation;

Inducement to cooperate on the part of the intruder;

Inquiry;

Eavesdropping;

Observation and other ways.

Any means of leaking confidential information can lead to significant material and moral damage both for the organization where the information system operates and for its users.

There exists, and is constantly being developed, a huge variety of malware whose purpose is to damage information in databases and computer software. The large number of varieties of these programs does not allow us to develop permanent and reliable means of protection against them.

The virus is believed to be characterized by two main features:

The ability to self-reproduce;

The ability to intervene in the computing process (to gain control).

Unauthorized use of information resources is, on the one hand, a consequence of their leakage and a means of compromising them. On the other hand, it has independent significance, since it can cause great damage to the managed system or its subscribers.

Erroneous use of information resources, although authorized, may nevertheless lead to the destruction, leakage or compromise of said resources.

Unauthorized exchange of information between subscribers may result in one of them receiving information to which he is prohibited from accessing. The consequences are the same as for unauthorized access.

1.3 Information security methods

The creation of information security systems is based on the following principles:

1 A systematic approach to building a protection system, meaning an optimal combination of interrelated organizational, software, hardware, physical and other properties confirmed by the practice of creating domestic and foreign security systems and used at all stages of the information processing technological cycle.

2 The principle of continuous development of the system. This principle, which is one of the fundamental principles for computer information systems, is even more relevant for information security systems. Methods for implementing threats to information are constantly being improved, and therefore ensuring the security of information systems cannot be a one-time act. It is a continuous process consisting of justifying and implementing the most rational methods and means of improving information security systems, continuous monitoring, and identifying their bottlenecks and weaknesses, potential channels for information leakage and new methods of unauthorized access.

3 Ensuring the reliability of the protection system, that is, the impossibility of reducing its level of reliability in the event of failures, malfunctions, intentional actions of an attacker or unintentional errors of users and maintenance personnel.

4 Ensuring control over the functioning of the protection system, that is, the creation of means and methods for monitoring the performance of protection mechanisms.

5 Providing all kinds of anti-malware tools.

6 Ensuring the economic feasibility of using the protection system, which is expressed in the possible damage from the implementation of threats exceeding the cost of developing and operating the information security system.

As a result of solving information security problems, modern information systems should have the following main features:

Availability of information of varying degrees of confidentiality;

Ensuring cryptographic protection of information of varying degrees of confidentiality during data transfer;

Mandatory information flow management, both in local networks and when transmitting via communication channels over long distances;

The presence of a mechanism for registering and accounting for unauthorized access attempts, events in the information system and printed documents;

Mandatory ensuring the integrity of software and information;

Availability of means for restoring the information security system;

Mandatory accounting of magnetic media;

Availability of physical security of computer equipment and magnetic media;

Availability of a special information security service.

Methods and means of ensuring information security.

An obstacle is a method of physically blocking an attacker’s path to protected information.

Access control – methods of protecting information by regulating the use of all resources. These methods must resist all possible ways of unauthorized access to information. Access control includes the following security features:

Identification of users, personnel and system resources (assigning a personal identifier to each object);

Identification of an object or subject by the identifier presented to them;

Permission and creation of working conditions within the established regulations;

Registration of requests to protected resources;

Reaction to attempts of unauthorized actions.
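The five access-control functions listed above (identification, authentication, permission within the regulations, registration of requests, reaction to unauthorized attempts) can be seen working together in a small reference monitor. The code below is an added example written for this section, not part of the course work or of any product it discusses; the user names, the password, the resource names and the lockout threshold are constructed for the illustration.

```python
"""Small reference monitor (added example, constructed data) showing the
five access-control functions named in the text: identification,
authentication, permission within the regulations, registration of every
request and reaction to repeated unauthorized attempts."""
import hashlib
import hmac
import os

LOCKOUT_THRESHOLD = 3   # failed authentications before the monitor reacts by locking the identifier


def hash_password(password, salt=None):
    """Store a salted PBKDF2 digest, never the password itself."""
    salt = os.urandom(16) if salt is None else salt
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class AccessMonitor:
    def __init__(self, users, policy):
        self.users = users        # identifier -> (salt, digest)
        self.policy = policy      # (identifier, resource) -> set of permitted operations
        self.log = []             # registration of every request, granted or not
        self.failures = {}        # identifier -> consecutive failed authentications
        self.locked = set()       # identifiers the monitor has reacted against

    def _record(self, user, resource, operation, decision):
        self.log.append((user, resource, operation, decision))
        return decision

    def request(self, user, password, resource, operation):
        # 1. identification: is the presented identifier known at all?
        if user not in self.users:
            return self._record(user, resource, operation, "denied: unknown identifier")
        if user in self.locked:
            return self._record(user, resource, operation, "denied: account locked")
        # 2. authentication: does the subject prove it owns the identifier?
        salt, digest = self.users[user]
        if not hmac.compare_digest(hash_password(password, salt)[1], digest):
            self.failures[user] = self.failures.get(user, 0) + 1
            if self.failures[user] >= LOCKOUT_THRESHOLD:
                self.locked.add(user)   # 5. reaction to repeated unauthorized attempts
                return self._record(user, resource, operation, "denied: account locked")
            return self._record(user, resource, operation, "denied: authentication failed")
        self.failures[user] = 0
        # 3. permission: only operations the regulations allow for this subject and object
        if operation not in self.policy.get((user, resource), set()):
            return self._record(user, resource, operation, "denied: not permitted")
        return self._record(user, resource, operation, "granted")   # 4. every path is logged


def build_demo_monitor():
    """Constructed user and policy: alice may only read payroll.db."""
    salt, digest = hash_password("correct horse")
    return AccessMonitor({"alice": (salt, digest)},
                         {("alice", "payroll.db"): {"read"}})


if __name__ == "__main__":
    mon = build_demo_monitor()
    print(mon.request("alice", "correct horse", "payroll.db", "read"))
    print(mon.request("alice", "correct horse", "payroll.db", "write"))
    for _ in range(3):
        print(mon.request("alice", "guess", "payroll.db", "read"))
    for entry in mon.log:
        print(entry)
```

Every decision, including denials, goes through `_record`, so the log is the "registration of requests" the text asks for, and the lockout is the monitor's reaction rather than something left to the application.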

Encryption mechanisms – cryptographic closure of information. These protection methods are increasingly used both when processing and when storing information on magnetic media. When transmitting information over long-distance communication channels, this method is the only reliable one.

Countering malware attacks involves a set of various organizational measures and the use of anti-virus programs.

The whole set of technical means is divided into hardware and physical means.

Hardware means are devices built directly into computer equipment, or devices that interface with it via a standard interface.

Physical means include various engineering devices and structures that prevent attackers from physically penetrating protected objects and that protect personnel (personal security equipment), material resources and finances, and information from illegal actions.

Software tools are special programs and software systems designed to protect information in information systems.

Among the software tools of a security system, software implementing encryption mechanisms (cryptography) deserves particular mention. Cryptography is the science of ensuring the secrecy and/or authenticity of transmitted messages.

Organizational means regulate production activities in information systems and the relationships between performers on a legal basis in such a way that disclosure, leakage and unauthorized access to confidential information become impossible or are significantly hampered by organizational measures.

Legislative means are determined by the legislative acts of the country, which regulate the rules for using, processing and transmitting restricted-access information and establish sanctions for violating these rules.

Moral and ethical means of protection include all kinds of norms of behavior that have traditionally developed previously, are formed as information spreads in the country and in the world, or are specially developed. Moral and ethical standards can be unwritten or formalized in a certain set of rules or regulations. These norms, as a rule, are not legally approved, but since their non-compliance leads to a decline in the prestige of the organization, they are considered mandatory.

2. Design part

In the design part, the following steps must be completed:

1 Define the concept of a computer virus and the classification of computer viruses.

2 Define the concept of an antivirus program and the classification of antivirus tools.

3 Conduct a comparative analysis of anti-virus packages.

2.1 Classification of computer viruses

A virus is a program that can infect other programs by including in them a modified copy that has the ability to further reproduce.

Viruses can be divided into classes according to the following main characteristics:

Destructive capabilities;

Features of the operating algorithm;

Habitat.

According to their destructive capabilities, viruses can be divided into:

Harmless, that is, they do not affect the operation of the computer in any way (except for reducing free disk space as a result of their spread);

Non-hazardous, whose impact is limited to a decrease in free disk space and to graphic, sound and other effects;

Dangerous viruses that can lead to serious computer malfunctions;

Very dangerous, whose algorithm deliberately contains procedures that can lead to the loss of programs, destroy data, or erase information necessary for the operation of the computer that is recorded in system memory areas.

Features of the virus operation algorithm can be characterized by the following properties:

Residence;

Use of stealth algorithms;

Polymorphism;

Resident viruses.

The term “residence” refers to the ability of viruses to leave copies of themselves in system memory, intercept certain events and call procedures for infecting detected objects (files and sectors). Thus, resident viruses are active not only while the infected program is running, but also after the program has finished running. Resident copies of such viruses remain viable until the next reboot, even if all infected files on the disk are destroyed. Often it is impossible to get rid of such viruses by restoring all copies of files from distribution disks or backup copies. The resident copy of the virus remains active and infects newly created files. The same is true for boot viruses - formatting a disk when there is a resident virus in the memory does not always cure the disk, since many resident viruses infect the disk again after it is formatted.

Non-resident viruses. Non-resident viruses, on the contrary, are active for a rather short time - only at the moment the infected program is launched. To spread, they search for uninfected files on the disk and write to them. After the virus code transfers control to the host program, the impact of the virus on the operation of the operating system is reduced to zero until the next launch of any infected program. Therefore, it is much easier to delete files infected with non-resident viruses from the disk without allowing the virus to infect them again.

Stealth viruses. Stealth viruses in one way or another hide the fact of their presence in the system. The use of stealth algorithms allows viruses to completely or partially hide themselves in the system. The most common stealth algorithm is to intercept operating system requests to read (write) infected objects. In this case, stealth viruses either temporarily cure them or “substitute” uninfected sections of information in their place. In the case of macro viruses, the most popular method is to disable calls to the macro viewing menu. Stealth viruses of all types are known, with the exception of Windows viruses - boot viruses, DOS file viruses and even macro viruses. The emergence of stealth viruses that infect Windows files is most likely only a matter of time.

Polymorphic viruses. Self-encryption and polymorphism are used by almost all types of viruses in order to complicate the virus detection procedure as much as possible. Polymorphic viruses are rather hard-to-detect viruses that have no signatures, that is, they do not contain a single constant section of code. In most cases, two samples of the same polymorphic virus will not have a single match. This is achieved by encrypting the main body of the virus and modifying the decryption program.

Polymorphic viruses include those that cannot be detected using so-called virus masks - sections of constant code specific to a particular virus. This is achieved in two main ways - by encrypting the main virus code with a variable key and a random set of decryptor commands, or by changing the executable virus code itself. Polymorphism of varying degrees of complexity is found in viruses of all types - from boot and file DOS viruses to Windows viruses.

Based on their habitat, viruses can be divided into:

File;

Boot;

Macroviruses;

Network.

File viruses. File viruses either inject themselves into executable files in various ways, or create duplicate files (companion viruses), or use peculiarities of the file system organization (link viruses).

A file virus can be introduced into almost all executable files of all popular operating systems. Today, viruses are known that infect all types of standard DOS executable objects: batch files (BAT), loadable drivers (SYS, including special files IO.SYS and MSDOS.SYS) and executable binary files (EXE, COM). There are viruses that infect executable files of other operating systems - Windows 3.x, Windows95/NT, OS/2, Macintosh, UNIX, including Windows 3.x and Windows95 VxD drivers.

There are viruses that infect files that contain the source code of programs, library or object modules. It is also possible for a virus to be recorded in data files, but this happens either as a result of a virus error or when its aggressive properties manifest themselves. Macro viruses also write their code into data files - documents or spreadsheets, but these viruses are so specific that they are classified as a separate group.

Boot viruses. Boot viruses infect the boot sector of a floppy disk and the boot sector or Master Boot Record (MBR) of a hard drive. The operating principle of boot viruses is based on the algorithm for starting the operating system when the computer is turned on or restarted: after the necessary tests of the installed equipment (memory, disks, etc.), the system boot program reads the first physical sector of the boot disk (A:, C: or CD-ROM, depending on the parameters set in BIOS Setup) and transfers control to it.

In the case of a floppy disk or CD, control is received by the boot sector, which analyzes the disk parameter table (BPB - BIOS Parameter Block), calculates the addresses of the operating system's system files, reads them into memory and launches them for execution. The system files are usually MSDOS.SYS and IO.SYS, or IBMDOS.COM and IBMBIO.COM, or others depending on the installed version of DOS, Windows or another operating system. If there are no operating system files on the boot disk, the program located in the boot sector of the disk displays an error message and suggests replacing the boot disk.

In the case of a hard drive, control is received by a program located in the MBR of the hard drive. This program analyzes the disk partition table, calculates the address of the active boot sector (usually this sector is the boot sector of drive C), loads it into memory and transfers control to it. Having received control, the active boot sector of the hard drive does the same actions as the boot sector of the floppy disk.

When infecting disks, boot viruses “substitute” their code instead of any program that gains control when the system boots. The principle of infection, therefore, is the same in all the methods described above: the virus “forces” the system, when it is restarted, to read into memory and give control not to the original bootloader code, but to the virus code.

Floppy disks are infected in the only known way - the virus writes its code in place of the original code of the floppy disk's boot sector. A hard disk can be infected in three possible ways - the virus is written either in place of the MBR code, or in place of the boot sector code of the boot disk (usually drive C), or it modifies the address of the active boot sector in the Disk Partition Table located in the MBR of the hard drive.
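The MBR walk described above (read sector 0, check it, find the active partition in the partition table, load that partition's boot sector) can be followed in code, and the same parser gives an auditor a way to notice the three hard-disk infection routes just listed: replaced MBR code, a replaced boot sector, or a redirected active-partition pointer. The following is an added example written for this section, not code from the course work; the 512-byte MBR and its partition entries are constructed, and `fingerprint`/`compare_mbr` are a hypothetical auditor interface, not any real product's.

```python
"""Parse a constructed MBR the way the text describes the boot sequence and
audit it against a stored fingerprint (added example, constructed data)."""
import hashlib
import struct

SECTOR_SIZE = 512
PT_OFFSET = 446            # the four partition table entries start here
ENTRY_SIZE = 16
ENTRY_FMT = "<B3sB3sII"    # status, CHS start, type, CHS end, LBA start, sector count
BOOT_FLAG = 0x80           # status byte marking the active (bootable) partition
SIGNATURE = b"\x55\xAA"    # last two bytes of a valid boot sector


def make_entry(active, ptype, lba_start, sectors):
    """One 16-byte partition table entry; CHS fields left zero, the LBA is what matters."""
    status = BOOT_FLAG if active else 0x00
    return struct.pack(ENTRY_FMT, status, b"\0\0\0", ptype, b"\0\0\0", lba_start, sectors)


def build_mbr(boot_code, entries):
    """Assemble a sector: loader code padded to 446 bytes, up to four entries, 0x55AA."""
    if len(boot_code) > PT_OFFSET or len(entries) > 4:
        raise ValueError("boot code too long or too many partitions")
    table = b"".join(entries).ljust(4 * ENTRY_SIZE, b"\0")
    return boot_code.ljust(PT_OFFSET, b"\0") + table + SIGNATURE


def build_sample_mbr():
    """Constructed disk: stand-in loader, an inactive FAT32 partition, an active NTFS one."""
    code = bytes([0xEB, 0x3C, 0x90]) + b"CONSTRUCTED-LOADER"
    return build_mbr(code, [make_entry(False, 0x0B, 2048, 409600),
                            make_entry(True, 0x07, 411648, 2097152)])


def parse_partition_table(mbr):
    """Return the non-empty entries as dicts, after the checks the loader itself performs."""
    if len(mbr) != SECTOR_SIZE:
        raise ValueError("an MBR is exactly one 512-byte sector")
    if mbr[510:512] != SIGNATURE:
        raise ValueError("missing 0x55AA boot signature")
    entries = []
    for slot in range(4):
        off = PT_OFFSET + slot * ENTRY_SIZE
        status, _, ptype, _, lba, count = struct.unpack(ENTRY_FMT, mbr[off:off + ENTRY_SIZE])
        if ptype == 0:
            continue                      # empty slot
        entries.append({"slot": slot, "active": status == BOOT_FLAG,
                        "type": ptype, "lba_start": lba, "sectors": count})
    return entries


def find_active_boot_sector(mbr):
    """LBA of the sector the MBR code would load and jump to next."""
    active = [e for e in parse_partition_table(mbr) if e["active"]]
    if len(active) != 1:
        raise ValueError(f"expected exactly one active partition, found {len(active)}")
    return active[0]["lba_start"]


def fingerprint(mbr):
    """What an auditor stores at baseline: a hash of the loader code and the boot pointer."""
    return {"code_sha256": hashlib.sha256(mbr[:PT_OFFSET]).hexdigest(),
            "active_lba": find_active_boot_sector(mbr)}


def compare_mbr(baseline_fp, current):
    """Report changed loader code or a moved active boot sector; empty list means clean."""
    findings = []
    if hashlib.sha256(current[:PT_OFFSET]).hexdigest() != baseline_fp["code_sha256"]:
        findings.append("MBR boot code differs from baseline")
    try:
        cur = find_active_boot_sector(current)
    except ValueError as exc:
        findings.append(f"partition table problem: {exc}")
        return findings
    if cur != baseline_fp["active_lba"]:
        findings.append(f"active boot sector moved from LBA {baseline_fp['active_lba']} to {cur}")
    return findings


if __name__ == "__main__":
    disk = build_sample_mbr()
    for e in parse_partition_table(disk):
        print(e)
    print("loader would jump to LBA", find_active_boot_sector(disk))
    print("self-check:", compare_mbr(fingerprint(disk), disk))
```

The auditor keeps only the fingerprint, not a copy of the sector, which is enough to tell a rewritten loader (hash mismatch) from a redirected boot path (pointer mismatch); a replaced boot sector inside the partition would be caught by fingerprinting that sector the same way.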

Macro viruses. Macro viruses infect files such as documents and spreadsheets of several popular editors. Macro viruses are programs written in languages (macro languages) built into some data processing systems. To reproduce, such viruses use the capabilities of macro languages and, with their help, transfer themselves from one infected file to others. The most widespread are macro viruses for Microsoft Word, Excel and Office97. There are also macro viruses that infect Ami Pro documents and Microsoft Access databases.

Network viruses. Network viruses include viruses that actively use the protocols and capabilities of local and global networks to spread. The main operating principle of a network virus is the ability to independently transfer its code to a remote server or workstation. “Full-fledged” network viruses also have the ability to run their code on a remote computer or, at least, “push” the user to run an infected file. An example of network viruses is the so-called IRC worms.

IRC (Internet Relay Chat) is a special protocol designed for real-time communication between Internet users. This protocol gives them the ability to hold Internet “conversations” using specially developed software. In addition to attending general conferences, IRC users can chat one-on-one with any other user. There are also quite a large number of IRC commands with which a user can obtain information about other users and channels, change some settings of the IRC client, and so on. There is also the ability to send and receive files - it is this ability that IRC worms are based on. The powerful and extensive command system of IRC clients allows computer viruses to be built from their scripts that transmit their code to the computers of IRC network users, the so-called “IRC worms”. The operating principle of these IRC worms is approximately the same. Using IRC commands, a working script file (script) is automatically sent from the infected computer to each new user who joins the channel. The sent script file replaces the standard one, and during the next session the newly infected client will send out the worm. Some IRC worms also contain a Trojan component: on specified keywords, they perform destructive actions on the affected computers. For example, the “pIRCH.Events” worm, upon a certain command, erases all files on the user’s disk.

There are a large number of combinations - for example, file-boot viruses that infect both files and boot sectors of disks. Such viruses, as a rule, have a rather complex operating algorithm, often use original methods of penetrating the system, and use stealth and polymorphic technologies. Another example of such a combination is a network macro virus that not only infects documents being edited, but also sends copies of itself by email.

In addition to this classification, a few words should be said about other malware that are sometimes confused with viruses. These programs do not have the ability to self-propagate like viruses, but they can cause equally destructive damage.

Trojan horses (logic bombs or time bombs).

Trojan horses include programs that cause any destructive effects, that is, depending on certain conditions or every time they are launched, they destroy information on disks, “hang” the system, etc. As an example, we can cite this case - when such a program, during a session on the Internet, sent its author identifiers and passwords from the computers where it lived. Most well-known Trojan horses are programs that “fake” some kind of useful programs, new versions of popular utilities or additions to them. Very often they are sent to BBS stations or electronic conferences. Compared to viruses, Trojan horses are not widely used for the following reasons - they either destroy themselves along with the rest of the data on the disk, or unmask their presence and are destroyed by the affected user.

2.2 The concept of an antivirus program

Methods to counteract computer viruses can be divided into several groups:

Prevention of viral infection and reduction of expected damage from such infection;

Methods of using antivirus programs, including neutralization and removal of known viruses;

Methods for detecting and removing an unknown virus.

Preventing computer infection.

One of the main methods of combating viruses is, as in medicine, timely prevention. Computer prevention involves following a small number of rules, which can significantly reduce the likelihood of getting a virus and losing any data.

In order to determine the basic rules of computer “hygiene”, it is necessary to find out the main ways a virus penetrates a computer and computer networks.

The main source of viruses today is the global Internet. The largest number of virus infections occurs when exchanging letters in Word/Office97 formats. The user of an editor infected with a macro virus, without knowing it, sends infected letters to recipients, who in turn send new infected letters, and so on. You should avoid contact with suspicious sources of information and use only legitimate (licensed) software products.

Restoring damaged objects.

In most cases of virus infection, the procedure for restoring infected files and disks comes down to running a suitable antivirus that can disinfect the system. If the virus is unknown to every antivirus, it is enough to send the infected file to the antivirus manufacturers and, after a while, receive an “update” that cures the virus. If there is no time to wait, you will have to neutralize the virus yourself. For most users it is essential to have backups of their information.

General information security tools are useful for more than just virus protection. There are two main types of these tools:

1 Copying information – creating copies of files and system areas of disks.

2 Access control prevents unauthorized use of information, in particular, protection from changes to programs and data by viruses, malfunctioning programs and erroneous user actions.

Timely detection of virus-infected files and disks and complete destruction of detected viruses on each computer help avoid the spread of a virus epidemic to other computers.

The main weapon in the fight against viruses is antivirus programs. They allow you not only to detect viruses, including viruses that use various disguise methods, but also to remove them from your computer.

There are several basic virus detection methods that are used by antivirus programs. The most traditional method of searching for viruses is scanning.

To detect, remove and protect against computer viruses, several types of special programs have been developed that allow you to detect and destroy viruses. Such programs are called antivirus programs.

2.3 Types of antivirus products

Detector programs. Detector programs search random access memory and files for a signature characteristic of a specific virus and, when one is found, issue a corresponding message. The disadvantage of such antivirus programs is that they can find only the viruses known to their developers.

Doctor programs. Doctor or phage programs, as well as vaccine programs, not only find files infected with viruses, but also “treat” them, that is, they remove the body of the virus program from the file, returning the files to their original state. At the beginning of their work, phages search for viruses in RAM, destroying them, and only then proceed to “cleaning” files. Among the phages there are polyphages, that is, doctor programs designed to search for and destroy a large number of viruses. The most famous of them: AVP, Aidstest, Scan, Norton AntiVirus, Doctor Web.

Considering that new viruses are constantly appearing, detector programs and doctor programs quickly become outdated, and regular version updates are required.

Auditor programs (inspectors) are among the most reliable means of protection against viruses.

Auditors (inspectors) check the data on the disk for stealth (invisible) viruses. Moreover, an inspector need not use the operating system’s tools to access the disk, so an active virus cannot intercept that access.

The point is that a number of viruses, when embedding themselves in files (that is, appending to the end or beginning of the file), substitute the records about this file in the file allocation tables of the operating system.

Auditors (inspectors) remember the initial state of programs, directories and system areas of the disk while the computer is not yet infected, and then periodically or at the user’s request compare the current state with the original one. Detected changes are displayed on the screen. As a rule, the comparison is carried out immediately after the operating system loads. The comparison checks the file length, the cyclic redundancy code (file checksum), the date and time of modification, and other parameters. Auditor programs (inspectors) have fairly advanced algorithms, detect stealth viruses and can even distinguish changes made by a new version of the program being checked from changes made by the virus.

The auditor (inspector) must be launched while the computer is not yet infected, so that it can create a table in the root directory of each disk with all the necessary information about the files on that disk, as well as about its boot area. Permission is requested before each table is created. On subsequent launches, the auditor (inspector) scans the disks, comparing the data about each file with its records.

If an infection is detected, the auditor (inspector) can use its own disinfection module, which restores the file damaged by the virus. To restore files, the inspector does not need to know anything about the specific virus; it is enough to use the data about the files stored in its tables.

In addition, if necessary, an anti-virus scanner can be called.

Filter programs (monitors). Filter programs (monitors) or “watchmen” are small resident programs designed to detect suspicious actions, characteristic of viruses, during computer operation. Such actions include:

Attempts to modify files with COM or EXE extensions;

Changing file attributes;

Direct writing to disk at an absolute address;

Writing to the boot sectors of a disk.

When any program tries to perform the specified actions, the “guard” sends a message to the user and offers to prohibit or allow the corresponding action. Filter programs are very useful because they are able to detect a virus at the earliest stage of its existence before replication. However, they do not “clean” files and disks. To destroy viruses, you need to use other programs, such as phages.

Vaccines or immunizers. Vaccines are resident programs that prevent file infection. They are used when there are no doctor programs that “treat” the given virus. Vaccination is possible only against known viruses. The vaccine modifies the program or disk in such a way that its operation is unaffected, while the virus perceives it as already infected and therefore does not implant itself. Currently, vaccine programs have limited use.

Scanner. The operating principle of antivirus scanners is based on checking files, sectors and system memory and searching them for known and new (unknown to the scanner) viruses. To search for known viruses, so-called “masks” are used. The mask of a virus is some constant sequence of code specific to this particular virus. If the virus does not contain a constant mask, or the mask is not long enough, other methods are used. An example of such a method is an algorithmic language that describes all possible variants of code that may occur when a file is infected with a virus of this type. This approach is used by some antiviruses to detect polymorphic viruses. Scanners can also be divided into two categories, “universal” and “specialized”. Universal scanners are designed to search for and neutralize all types of viruses, regardless of the operating system the scanner is designed to work in. Specialized scanners are designed to neutralize a limited number of viruses or only one class of viruses, for example macro viruses. Specialized scanners designed only for macro viruses often turn out to be the most convenient and reliable solution for protecting document management systems in MS Word and MS Excel environments.

Scanners are also divided into “resident” (monitors, guards), which perform on-the-fly scanning, and “non-resident”, which scan the system only upon request. As a rule, “resident” scanners provide more reliable system protection, since they respond immediately to the appearance of a virus, while a “non-resident” scanner is able to identify the virus only at its next launch. On the other hand, a resident scanner can somewhat slow down the computer, including because of possible false positives.

The advantages of scanners of all types include their versatility; the disadvantages are the relatively low speed of virus scanning.

CRC scanners. The operating principle of CRC scanners is based on calculating CRC sums (checksums) for the files and system sectors present on the disk. These CRC sums are then stored in the antivirus database together with some other information: file lengths, dates of last modification, and so on. On subsequent launches, CRC scanners compare the data contained in the database with the actually calculated values. If the file information recorded in the database does not match the real values, the CRC scanner signals that the file has been modified or infected with a virus. CRC scanners using anti-stealth algorithms are quite a powerful weapon against viruses: almost 100% of viruses are detected almost immediately after they appear on the computer. However, this type of antivirus has an inherent flaw that significantly reduces its effectiveness: a CRC scanner is not able to catch a virus at the moment it appears in the system, but does so only some time later, after the virus has spread throughout the computer. CRC scanners cannot detect a virus in new files (in e-mail, on floppy disks, in files restored from a backup or unpacked from an archive), because their databases contain no information about these files. Moreover, viruses periodically appear that take advantage of this “weakness” of CRC scanners, infecting only newly created files and thus remaining invisible to them.
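As an added example (not part of the coursework), the following Python script implements the auditor/inspector and CRC-scanner idea described above: it records a baseline of length, CRC-32 and modification time per executable file, then classifies files as modified, merely touched, new (the blind spot noted in the text) or missing. The directory layout, file contents and JSON baseline format are constructed for the demonstration.

```python
import json
import os
import tempfile
import zlib
from typing import Dict, List

Record = Dict[str, int]
Baseline = Dict[str, Record]

# Extensions the auditor tracks; the text names COM and EXE as the files
# that file viruses append themselves to.
TRACKED = (".com", ".exe")


def file_record(path: str) -> Record:
    """Length, CRC-32 and modification time of one file (read in chunks)."""
    crc, size = 0, 0
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            crc = zlib.crc32(chunk, crc)
            size += len(chunk)
    return {"size": size, "crc32": crc & 0xFFFFFFFF,
            "mtime": int(os.stat(path).st_mtime)}


def build_baseline(root: str) -> Baseline:
    """Record the 'clean' state: one record per tracked file under root."""
    base: Baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower().endswith(TRACKED):
                full = os.path.join(dirpath, name)
                base[os.path.relpath(full, root)] = file_record(full)
    return base


def save_baseline(base: Baseline, path: str) -> None:
    with open(path, "w") as fh:
        json.dump(base, fh, indent=1, sort_keys=True)


def load_baseline(path: str) -> Baseline:
    with open(path) as fh:
        return json.load(fh)


def compare(root: str, base: Baseline) -> Dict[str, List[str]]:
    """Classify every tracked file against the baseline.

    modified : size or CRC-32 differs (an appending infector changes both,
               even when it restores the original date and time)
    touched  : only the mtime differs, content identical (not a virus sign)
    new      : not in the baseline, so nothing can be said about it; this
               is exactly the CRC-scanner blind spot the text describes
    missing  : in the baseline but no longer on disk
    """
    current = build_baseline(root)
    report: Dict[str, List[str]] = {"modified": [], "touched": [],
                                    "new": [], "missing": []}
    for rel, rec in current.items():
        old = base.get(rel)
        if old is None:
            report["new"].append(rel)
        elif old["size"] != rec["size"] or old["crc32"] != rec["crc32"]:
            report["modified"].append(rel)
        elif old["mtime"] != rec["mtime"]:
            report["touched"].append(rel)
    report["missing"] = [rel for rel in base if rel not in current]
    return {k: sorted(v) for k, v in report.items()}


def demo() -> Dict[str, List[str]]:
    """Constructed scenario in a temporary directory: take a baseline, then
    simulate an appending infection, a dropped-in new file and a deletion."""
    root = tempfile.mkdtemp(prefix="auditor_")
    files = {"prog.com": b"\xB8\x00\x4C\xCD\x21",     # mov ax,4C00h / int 21h
             "tool.exe": b"MZ" + b"\x00" * 30,
             "gone.exe": b"MZ" + b"\x01" * 30,
             "notes.txt": b"not tracked"}
    for name, body in files.items():
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(body)
    db = os.path.join(root, "baseline.json")
    save_baseline(build_baseline(root), db)

    # Appending infection: the original code stays in front, a body follows.
    prog = os.path.join(root, "prog.com")
    st = os.stat(prog)
    with open(prog, "ab") as fh:
        fh.write(b"<constructed virus body>")
    os.utime(prog, (st.st_atime, st.st_mtime))   # "virus" restores the stamp
    # Harmless timestamp change with identical content.
    tool = os.path.join(root, "tool.exe")
    os.utime(tool, (st.st_atime + 100, st.st_mtime + 100))
    # A newly arrived file: the auditor has no record of it.
    with open(os.path.join(root, "dropped.exe"), "wb") as fh:
        fh.write(b"MZ new")
    os.remove(os.path.join(root, "gone.exe"))
    return compare(root, load_baseline(db))


if __name__ == "__main__":
    print(demo())
```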

Blockers. Blockers are resident programs that intercept “virus-dangerous” situations and notify the user about it. “Virus-dangerous” include calls to open for writing to executable files, writing to boot sectors of disks or the MBR of a hard drive, attempts by programs to remain resident, and so on, that is, calls that are typical for viruses at the moment of reproduction. Sometimes some blocker functions are implemented in resident scanners.

The advantages of blockers include their ability to detect and stop a virus at the earliest stage of its reproduction. Disadvantages include the existence of ways to bypass blocker protection and a large number of false positives.

It is also necessary to note such a direction of antivirus tools as hardware antivirus blockers, implemented as computer hardware components. The most common is the write protection for the MBR of the hard drive built into the BIOS. However, as with software blockers, such protection is easily bypassed by writing directly to the disk controller ports, and launching the DOS utility FDISK immediately triggers a “false positive” of the protection.

There are several more universal hardware blockers, but in addition to the disadvantages listed above, there are also problems of compatibility with standard computer configurations and complexity in installing and configuring them. All this makes hardware blockers extremely unpopular compared to other types of antivirus protection.

2.4 Comparison of antivirus packages

Regardless of which information system needs to be protected, the most important parameter when comparing antiviruses is the ability to detect viruses and other malware.

However, although this parameter is important, it is far from the only one.

The fact is that the effectiveness of an antivirus protection system depends not only on its ability to detect and neutralize viruses, but also on many other factors.

An antivirus should be convenient to use, without distracting the computer user from performing his/her direct duties. If the antivirus annoys the user with persistent requests and messages, sooner or later it will be disabled. The antivirus interface should be friendly and understandable, since not all users have extensive experience working with computer programs. Without understanding the meaning of the message that appears on the screen, you can unwittingly allow a virus infection even with an antivirus installed.

The most convenient antivirus protection mode is one in which all opened files are scanned. If the antivirus is not able to work in this mode, the user will have to run a scan of all disks every day to detect newly appeared viruses. This procedure can take tens of minutes or even hours if we are talking about large disks installed, for example, on a server.

Since new viruses appear every day, it is necessary to periodically update the antivirus database. Otherwise, the effectiveness of anti-virus protection will be very low. Modern antiviruses, after appropriate configuration, can automatically update antivirus databases via the Internet, without distracting users and administrators from performing this routine work.

When protecting a large corporate network, such a parameter for comparing antiviruses as the presence of a network control center comes to the fore. If a corporate network unites hundreds or thousands of workstations and tens or hundreds of servers, it is almost impossible to organize effective antivirus protection without a network control center. One or more system administrators cannot go around to every workstation and server installing and configuring antivirus programs on them. What is needed here are technologies that allow centralized installation and configuration of antiviruses on all computers in the corporate network.

Protecting Internet services such as mail servers and messaging servers requires specialized antivirus tools. Conventional antivirus programs designed to scan files cannot find malicious code in the databases of messaging servers or in the data flow passing through mail servers.

Typically, other factors are taken into account when comparing antivirus products. Government agencies may, other things being equal, prefer domestically produced antiviruses that have all the necessary certificates. The reputation gained by one or another antivirus tool among computer users and system administrators also plays a significant role. Personal preferences can also play a significant role in the choice.

Antivirus developers often use independent test results to prove the benefits of their products. At the same time, users often do not understand what exactly was tested in such a test, and how.

In this work, the currently most popular antivirus programs were subjected to comparative analysis, namely: Kaspersky Anti-Virus, Symantec/Norton, Doctor Web, Eset Nod32, Trend Micro, McAfee, Panda, Sophos, BitDefender, F-Secure, Avira, Avast!, AVG, Microsoft.

The British magazine Virus Bulletin was one of the first to test antivirus products. The first tests published on its website date back to 1998. The test is based on the WildList collection of malware. To pass the test, a product must detect all viruses in this collection and demonstrate zero false positives on a collection of “clean” files. Testing is carried out several times a year on various operating systems; products that pass the test receive the VB100% award. Figure 1 shows how many VB100% awards were received by products from various antivirus companies.

Of course, Virus Bulletin magazine can be called the oldest antivirus tester, but its status as a patriarch does not exempt it from criticism by the antivirus community. First, WildList includes only viruses and worms, and only for the Windows platform. Second, the WildList collection contains a small number of malicious programs and is replenished very slowly: only a few dozen new viruses enter the collection per month, while, for example, the AV-Test collection grows in the same time by several tens or even hundreds of thousands of malware samples.

All this suggests that in its current form, the WildList collection is morally outdated and does not reflect the real situation with viruses on the Internet. As a result, tests based on the WildList collection become increasingly meaningless. They are good for advertising products that have passed them, but they do not actually reflect the quality of antivirus protection.

Figure 1 – Number of successfully passed VB100% tests

Independent research laboratories such as AV-Comparatives and AV-Test test antivirus products twice a year for on-demand malware detection rates. The collections on which testing is carried out contain up to a million malware samples and are regularly updated. Test results are published on the websites of these organizations (www.AV-Comparatives.org, www.AV-Test.org) and in the well-known computer magazines PC World and PC Welt. The results of the latest tests are presented below:


Figure 2 – Overall malware detection rate according to AV-Test

If we talk about the most common products, then according to the results of these tests, only solutions from Kaspersky Lab and Symantec are in the top three. Avira, the leader in the tests, deserves special attention.

Tests from the research laboratories AV-Comparatives and AV-Test, like any tests, have their pros and cons. The advantages are that testing is carried out on large collections of malware, and that these collections contain a wide variety of malware types. The downside is that these collections contain not only “fresh” malware samples but also relatively old ones; typically, samples collected over the past six months are used. In addition, these tests analyze the results of an on-demand scan of the hard drive, whereas in real life the user downloads infected files from the Internet or receives them as e-mail attachments. It is important to detect such files exactly at the moment they appear on the user’s computer.

An attempt to develop a testing methodology that does not suffer from this problem was made by one of the oldest British computer magazines, PC Pro. Its test used a collection of malware discovered two weeks before the test in traffic passing through MessageLabs servers. MessageLabs offers its clients filtering services for various types of traffic, and its malware collection really reflects the situation with the spread of computer viruses on the Internet.

The PC Pro magazine team did not simply scan infected files, but simulated user actions: infected files were attached to letters as attachments, and these letters were downloaded to a computer with an antivirus installed. In addition, using specially written scripts, infected files were downloaded from a Web server, i.e., surfing the Internet was simulated. The conditions under which such tests are carried out are as close as possible to real ones, which could not but affect the results: the detection level of most antiviruses turned out to be significantly lower than with a simple on-demand scan in the AV-Comparatives and AV-Test tests. In such tests, an important role is played by how quickly antivirus developers respond to the emergence of new malware, as well as what proactive mechanisms are used to detect malware.

The speed at which antivirus updates are released with signatures of new malware is one of the most important components of effective antivirus protection. The faster the signature database update is released, the less time the user will remain unprotected.


Figure 3 – Average response time to new threats

Recently, new malware appears so frequently that antivirus laboratories barely have time to respond to the appearance of new samples. In such a situation, the question arises of how an antivirus can counter not only already known viruses, but also new threats for which a detection signature has not yet been released.

To detect unknown threats, so-called proactive technologies are used. These technologies can be divided into two types: heuristics (they detect malware based on analysis of their code) and behavioral blockers (they block the actions of malware when they run on a computer, based on their behavior).

Speaking of heuristics, their effectiveness has long been studied by AV-Comparatives, a research laboratory led by Andreas Clementi. The AV-Comparatives team uses a special technique: antiviruses are checked against the current virus collection, but with signatures that are three months old. Thus, the antivirus has to fight malware it knows nothing about. Antiviruses are checked by scanning a malware collection on the hard drive, so only the effectiveness of the heuristics is tested; the other proactive technology, the behavioral blocker, is not exercised in these tests. Even the best heuristics currently show a detection rate of only about 70%, and many of them also suffer from false positives on clean files. All this suggests that, for now, this proactive detection method can be used only together with the signature method.

As for another proactive technology - a behavioral blocker, no serious comparative tests have been conducted in this area. Firstly, many antivirus products (Doctor Web, NOD32, Avira and others) do not have a behavioral blocker. Secondly, conducting such tests is fraught with some difficulties. The fact is that to test the effectiveness of a behavioral blocker, you do not need to scan a disk with a collection of malicious programs, but run these programs on your computer and observe how successfully the antivirus blocks their actions. This process is very labor-intensive, and only a few researchers are able to undertake such tests. All that is currently available to the general public are the results of individual product testing conducted by the AV-Comparatives team. If, during testing, antiviruses successfully blocked the actions of malicious programs unknown to them while they were running on the computer, then the product received the Proactive Protection Award. Currently, such awards have been received by F-Secure with DeepGuard behavioral technology and Kaspersky Anti-Virus with the Proactive Protection module.

Infection prevention technologies based on the analysis of malware behavior are becoming increasingly widespread, and the lack of comprehensive comparative tests in this area is alarming. Recently, specialists from the AV-Test research laboratory held an extensive discussion of this issue, in which developers of antivirus products also participated. The result of this discussion was a new methodology for testing the ability of antivirus products to withstand unknown threats.

A high level of malware detection using various technologies is one of the most important characteristics of an antivirus. However, an equally important characteristic is the absence of false positives. False positives can cause no less harm to the user than a virus infection: they can block the operation of necessary programs, block access to sites, and so on.

In the course of its research, AV-Comparatives, along with studying the capabilities of antiviruses to detect malware, also conducts tests for false positives on collections of clean files. According to the test, the largest number of false positives were found in Doctor Web and Avira antiviruses.

There is no 100% protection against viruses. Users from time to time encounter a situation where a malicious program has penetrated their computer and the computer becomes infected. This happens either because there was no antivirus on the computer at all, or because the antivirus did not detect the malware by either signature or proactive methods. In such a situation, it is important that when an antivirus with fresh signature databases is installed on the computer, it can not only detect the malicious program but also successfully eliminate all the consequences of its activity and cure an active infection. At the same time, it is important to understand that virus creators are constantly improving their “skills”, and some of their creations are quite difficult to remove from a computer: malware can mask its presence in the system in various ways (including using rootkits) and even interfere with the operation of antivirus programs. In addition, it is not enough to simply delete or disinfect an infected file; all changes made by the malicious process in the system must be eliminated and the system’s functionality fully restored. The team of the Russian portal Anti-Malware.ru conducted such a test; its results are presented in Figure 4.

Figure 4 – Treatment of active infection

Various approaches to antivirus testing were discussed above, and it was shown which parameters of antivirus operation are considered during testing. We can conclude that for some antiviruses one indicator turns out to be advantageous, for others - another. At the same time, it is natural that in their advertising materials, antivirus developers focus only on those tests where their products occupy leading positions. For example, Kaspersky Lab focuses on the speed of reaction to the emergence of new threats, Eset on the power of its heuristic technologies, Doctor Web describes its advantages in treating active infections.

Therefore, a synthesis of the results of the various tests should be carried out. Such a summary records the positions the antiviruses took in the tests reviewed and also gives an integrated assessment: what place a particular product occupies on average across all tests. As a result, the top three were: Kaspersky, Avira, Symantec.


Based on the analyzed antivirus packages, a program was developed to search for and disinfect files infected with the SVC 5.0 virus. This virus does not lead to unauthorized deletion or copying of files, but it significantly interferes with the normal operation of computer software.

Infected programs are longer than the originals. However, when browsing directories on an infected machine this is not visible, since the virus checks whether each found file is infected or not; if a file is infected, the length of the uninfected file is written into the DTA (disk transfer area).

You can detect this virus as follows. In the virus data area there is a character string "(c) 1990 by SVC,Ver. 5.0", by which the virus, if it is on the disk, can be detected.

When writing an antivirus program, the following sequence of actions is performed:

1 For each scanned file, the time of its creation is determined.

2 If the number of seconds is sixty, then three bytes are checked at an offset equal to “file length minus 8AH”. If they are equal to 35H, 2EH, 30H, respectively, then the file is infected.

3 The first 24 bytes of the original code are decoded, which are located at the offset “file length minus 01CFH plus 0BAAH”. The decoding keys are located at the offsets “file length minus 01CFH plus 0C1AH” and “file length minus 01CFH plus 0C1BH”.

4 The decoded bytes are written back to the beginning of the program.

5 The file is “truncated” to the value “file length minus 0C1FH”.

The program was created in the Turbo Pascal programming environment. The text of the program is presented in Appendix A.
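As an added example (not the Turbo Pascal program from Appendix A), the detection part of this procedure in Python, run on a constructed file image. The only values taken from the text are the 60-second time stamp, the offset 8AH, the bytes 35H 2EH 30H, the copyright string and the body length 0C1FH; the DOS packed-time helpers and the sample host bytes are the example's own.

```python
from typing import Tuple

# Values the course text gives for SVC 5.0: the three bytes checked at
# "file length minus 8AH" (they are the ASCII "5.0" that ends the version
# string), the string itself, and the body length the file is cut by.
SIGNATURE = bytes([0x35, 0x2E, 0x30])
SIG_OFFSET_FROM_END = 0x8A
MARKER_STRING = b"(c) 1990 by SVC,Ver. 5.0"
VIRUS_BODY_LEN = 0x0C1F


def dos_time_seconds(packed: int) -> int:
    """Seconds from a DOS packed time word: bits 0-4 hold seconds/2, so the
    field can encode 60 or 62 seconds, values no normally saved file gets.
    Turbo Pascal's UnpackTime reports the same field as DT.Sec."""
    return (packed & 0x1F) * 2


def make_dos_time(hours: int, minutes: int, seconds: int) -> int:
    """Pack h:m:s into the 16-bit DOS time format (seconds stored halved)."""
    return (hours << 11) | (minutes << 5) | (seconds // 2)


def has_svc50_signature(image: bytes) -> bool:
    """Step 2: the bytes 35H 2EH 30H at offset (length - 8AH)."""
    if len(image) < SIG_OFFSET_FROM_END:
        return False                       # too short to hold host + body
    off = len(image) - SIG_OFFSET_FROM_END
    return image[off:off + len(SIGNATURE)] == SIGNATURE


def is_infected(image: bytes, packed_time: int) -> bool:
    """Steps 1-2: the 60-second stamp selects candidates, the three-byte
    check confirms them; both conditions must hold."""
    return dos_time_seconds(packed_time) == 60 and has_svc50_signature(image)


def find_marker_string(image: bytes) -> int:
    """The other detection method the text names: locate the copyright
    string in the file body. Returns its offset or -1."""
    return image.find(MARKER_STRING)


def strip_body(image: bytes) -> bytes:
    """Step 5 only: cut 0C1FH bytes off the end. Steps 3-4 (decoding the 24
    saved bytes of the host's start) need the decoding operation, which the
    text does not give, so they are not reproduced here."""
    return image[:len(image) - VIRUS_BODY_LEN]


def build_sample(infected: bool) -> Tuple[bytes, int]:
    """Constructed file image plus DOS time stamp; not a real sample.
    The infected variant appends a 0C1FH-byte body laid out so that the
    version string's trailing "5.0" lands exactly at length - 8AH."""
    host = b"\xB8\x00\x4C\xCD\x21" + b"\x90" * 59   # mov ax,4C00h; int 21h; NOPs
    if not infected:
        return host, make_dos_time(10, 30, 20)
    body = bytearray(VIRUS_BODY_LEN)
    start = (VIRUS_BODY_LEN - SIG_OFFSET_FROM_END
             - (len(MARKER_STRING) - len(SIGNATURE)))
    body[start:start + len(MARKER_STRING)] = MARKER_STRING
    return host + bytes(body), make_dos_time(10, 30, 60)


if __name__ == "__main__":
    img, stamp = build_sample(True)
    print("infected:", is_infected(img, stamp),
          "marker at:", find_marker_string(img),
          "host length after strip:", len(strip_body(img)))
```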

Conclusion

In this course work, a comparative analysis of anti-virus packages was carried out.

During the analysis, the tasks posed at the beginning of the work were successfully solved. The concepts of information security, computer viruses and antivirus tools were studied; the types of threats to information security and the protection methods were identified; the classification of computer viruses and antivirus programs was considered; a comparative analysis of antivirus packages was carried out; and a program that searches for infected files was written.

The results obtained during the work can be used when choosing an antivirus agent.

All the results obtained are reflected in the work using diagrams, so the user can independently check the conclusions drawn in the final diagram, which reflects the synthesis of the identified results of various tests of antivirus products.

The results obtained during the work can be used as a basis for independent comparison of antivirus programs.

In light of the widespread use of information technologies, the presented course work is relevant and meets the requirements set for it. During the work, the most popular antivirus tools were considered.



Appendix A

Program listing

Program ANTIVIRUS;
{ Reconstructed from the printed listing: the Var keyword, block delimiters,
  array bounds, several declarations and the Repeat/While loops were lost in
  printing and are restored here from context. Lines marked "assumed" are not
  in the original listing. }
{$I-}  { assumed: required so that IOResult reports errors instead of aborting }

Uses Dos, Crt, Printer;

Type
  St80 = String;

Var
  FileInfection: File Of Byte;
  SearchFile: SearchRec;
  Mas: Array[1..255] Of St80;             { stack of pending directories; bounds assumed }
  MasByte: Array[1..3] Of Byte;           { the three signature bytes }
  Position, I, J, K: Byte;
  Num, NumberOfFile, NumberOfInfFile: Word;
  Flag, NextDisk, Error: Boolean;
  Key1, Key2, Key3, NumError: Byte;
  MasScreen: Array[0..3999] Of Byte Absolute $B800:0000; { text-mode video RAM; bounds assumed }
  DT: DateTime;                           { assumed: declarations lost in the listing }
  R: Registers;
  Disk, Ch: Char;
  St: St80;

Procedure Cure(St: St80);
{ Removes the SVC 5.0 body: reads the two keys, restores the first 24 bytes
  of the original program and truncates the file by 0C1FH bytes. }
Var
  I: Byte;
  MasCure: Array[1..24] Of Byte;
Begin
  Assign(FileInfection, St); Reset(FileInfection);
  NumError := IOResult;
  If (NumError <> 0) Then Begin Error := True; Exit; End;
  Seek(FileInfection, FileSize(FileInfection) - ($0C1F - $0C1A));
  NumError := IOResult;
  If (NumError <> 0) Then Begin Error := True; Exit; End;
  Read(FileInfection, Key1);
  NumError := IOResult;
  If (NumError <> 0) Then Begin Error := True; Exit; End;
  Read(FileInfection, Key2);
  NumError := IOResult;
  If (NumError <> 0) Then Begin Error := True; Exit; End;
  Seek(FileInfection, FileSize(FileInfection) - ($0C1F - $0BAA));
  NumError := IOResult;
  If (NumError <> 0) Then Begin Error := True; Exit; End;
  For I := 1 To 24 Do
  Begin
    Read(FileInfection, MasCure[I]);
    NumError := IOResult;
    If (NumError <> 0) Then Begin Error := True; Exit; End;
    { Decoding step kept exactly as printed; the operation that applies
      Key1/Key2 was lost in the listing and is not reconstructed. }
    Key3 := MasCure[I];
    MasCure[I] := Key3;
  End;
  Seek(FileInfection, 0);
  NumError := IOResult;
  If (NumError <> 0) Then Begin Error := True; Exit; End;
  For I := 1 To 24 Do Write(FileInfection, MasCure[I]);
  Seek(FileInfection, FileSize(FileInfection) - $0C1F);
  NumError := IOResult;
  If (NumError <> 0) Then Begin Error := True; Exit; End;
  Truncate(FileInfection);
  NumError := IOResult;
  If (NumError <> 0) Then Begin Error := True; Exit; End;
  Close(FileInfection); NumError := IOResult;
  If (NumError <> 0) Then Begin Error := True; Exit; End;
End;

Procedure F1(St: St80);
{ Scans one directory: pushes its subdirectories onto Mas and checks every
  file whose time stamp shows 60 seconds for the signature at length - 8AH. }
Var
  I: Byte;
Begin
  FindFirst(St + '*.*', $3F, SearchFile);
  While (SearchFile.Attr = $10) And (DosError = 0) And
        ((SearchFile.Name = '.') Or (SearchFile.Name = '..')) Do
    FindNext(SearchFile);
  While (DosError = 0) Do
  Begin
    If KeyPressed Then
      If (Ord(ReadKey) = 27) Then Halt;
    If (SearchFile.Attr = $10) Then
    Begin
      K := K + 1;                           { assumed: push the subdirectory }
      Mas[K] := St + SearchFile.Name + '\';
    End;
    If (SearchFile.Attr <> $10) Then
    Begin
      NumberOfFile := NumberOfFile + 1;
      UnpackTime(SearchFile.Time, DT);
      For I := 18 To 70 Do MasScreen[I] := $20;   { index assumed; clears part of the status line }
      Write(St + SearchFile.Name, ' ');
      If (DT.Sec = 60) Then
      Begin
        Assign(FileInfection, St + SearchFile.Name);
        Reset(FileInfection);
        NumError := IOResult;
        If (NumError <> 0) Then Begin Error := True; Exit; End;
        Seek(FileInfection, FileSize(FileInfection) - $8A);
        NumError := IOResult;
        If (NumError <> 0) Then Begin Error := True; Exit; End;
        For I := 1 To 3 Do Read(FileInfection, MasByte[I]);
        Close(FileInfection);
        NumError := IOResult;
        If (NumError <> 0) Then Begin Error := True; Exit; End;
        If (MasByte[1] = $35) And (MasByte[2] = $2E) And
           (MasByte[3] = $30) Then
        Begin
          NumberOfInfFile := NumberOfInfFile + 1;
          Write(St + SearchFile.Name, ' infected.',
                'Delete? ');
          Repeat
            Ch := ReadKey;                  { assumed: key read lost in the listing }
            If (Ord(Ch) = 27) Then Exit;
          Until (Ch = 'Y') Or (Ch = 'y') Or (Ch = 'N') Or (Ch = 'n');
          If (Ch = 'Y') Or (Ch = 'y') Then
          Begin
            Cure(St + SearchFile.Name);
            If (NumError <> 0) Then Exit;
            Num := Num + 1;                 { assumed: the listing never increments the cured count }
          End;
        End;
      End;
      For I := 0 To 79 Do MasScreen[I] := $20;    { index assumed }
    End;
    FindNext(SearchFile);
  End;
End;

Begin
  ClrScr;                                   { assumed }
  GoToXY(29, 1); TextAttr := $1E; GoToXY(20, 2); TextAttr := $17;
  Writeln('Programma dlya poiska i lecheniya fajlov,');
  Writeln('zaragennih SVC50.');
  TextAttr := $4F; GoToXY(1, 25);
  Write(' ESC - exit ');
  TextAttr := $1F; GoToXY(1, 6);
  NextDisk := True; Num := 0;               { assumed initialisation }
  While NextDisk Do
  Begin
    Write('Kakoj disk proveit?');
    Disk := ReadKey;                        { assumed: key read lost in the listing }
    If (Ord(Disk) = 27) Then Exit;
    { Select the drive (DOS AH=0Eh) and read the current drive back (AH=19h):
      Flag is True only if the requested drive exists. }
    R.Ah := $0E; R.Dl := Ord(UpCase(Disk)) - 65;
    Intr($21, R); R.Ah := $19; Intr($21, R);
    Flag := (R.Al = (Ord(UpCase(Disk)) - 65));
    St := UpCase(Disk) + ':\';
    Writeln('Testiruetsya disk ', St, ' ');
    Writeln('Testiruetsya fajl');
    NumberOfFile := 0;
    NumberOfInfFile := 0;
    K := 0; Error := False;                 { assumed }
    If Flag Then F1(St);                    { assumed: scan the root directory first }
    If (K = 0) Or Error Then Flag := False;
    If (K > 0) Then K := K - 1;
    { Directory stack walk: Mas[K+1] is the next pending directory; F1 pushes
      that directory's own subdirectories above it. Loop reconstructed. }
    While Flag Do
    Begin
      F1(Mas[K + 1]);                       { assumed }
      If (K = 0) Then Flag := False;
      If (K > 0) Then K := K - 1;
    End;
    Writeln('Verified fajlov - ', NumberOfFile);
    Writeln('Zarageno fajlov - ', NumberOfInfFile);
    Writeln('Izlecheno fajlov - ', Num);
    Write('Check drugoj disk? ');
    Repeat
      Ch := ReadKey;                        { assumed: key read lost in the listing }
      If (Ord(Ch) = 27) Then Exit;
    Until (Ch = 'Y') Or (Ch = 'y') Or (Ch = 'N') Or (Ch = 'n');
    If (Ch = 'N') Or (Ch = 'n') Then NextDisk := False;
  End;
End.

2.1.4 Comparative analysis of antivirus tools

There are many different antivirus programs, both of domestic and of foreign origin. In order to understand which antivirus program is better, we will conduct a comparative analysis of them. To do this, let us take modern antivirus programs, as well as those most often used by PC users.

Panda Antivirus 2008 3.01.00

Compatible systems: Windows 2000/XP/Vista

Installation

It is difficult to imagine a simpler and faster installation than Panda 2008 offers. We are only told which threats the application will protect against, and without any choice of installation type or update source, in less than a minute it offers protection against viruses, worms, Trojans, spyware and phishing, after first scanning the computer's memory for viruses. However, it does not support some other advanced functions of modern antiviruses, such as blocking suspicious web pages or protecting personal data.

Interface and operation

The program interface is very bright. The available settings allow only a minimum of changes; only the essentials are exposed. In fact, manual configuration is optional in this case: the default settings suit most users, providing protection against phishing attacks, spyware, viruses, hacker applications and other threats.

Panda can only be updated via the Internet. Moreover, it is strongly recommended to install the update immediately after installing the antivirus, otherwise Panda will regularly require access to the “parent” server with a small but quite noticeable window at the bottom of the screen, indicating a low level of current protection.

Panda 2008 divides all threats into known and unknown. In the first case, we can disable scanning for certain types of threats; in the second case, we determine whether to subject files, IM messages and emails to deep scanning to search for unknown malicious objects. If Panda detects suspicious behavior in any application, it will immediately notify you, thus providing protection against threats not included in the antivirus database.

Panda allows you to scan your entire hard drive or individual sections of it. Please remember that archive scanning is disabled by default. The settings menu presents the extensions of the files being scanned; if necessary, you can add your own extensions. The statistics of detected threats, which are presented in the form of a pie chart that clearly demonstrates the share of each type of threat in the total number of malicious objects, deserves special mention. A report of detected objects can be generated for a selected period of time.

· minimum system requirements: Windows 98/NT/Me/2000/XP.

The hardware requirements correspond to those stated for the specified OS.

Main functional features:

· protection against worms, viruses, Trojans, polymorphic viruses, macro viruses, spyware, dialers, adware, hacker utilities and malicious scripts;

· antivirus database updates up to several times per hour, each update up to 15 KB in size;

· checking the computer's system memory to detect viruses that do not exist in the form of files (for example, CodeRed or Slammer);

· a heuristic analyzer that allows you to neutralize unknown threats before the corresponding virus database updates are released.

Installation

At the beginning, Dr.Web honestly warns that it does not intend to get along with other antivirus applications and asks you to make sure that there are none on your computer. Otherwise, running them together could lead to "unpredictable consequences". Next, select "Custom" or "Normal" (recommended) installation and study the main components presented:

· scanner for Windows: manual file checking;

· console scanner for Windows: designed to be launched from batch files;

· SpIDer Guard: on-the-fly file checking, preventing infection in real time;

· SpIDer Mail: scanning of messages received via the POP3, SMTP, IMAP and NNTP protocols.

Interface and operation

The lack of consistency in the interface between the antivirus modules is striking, which adds visual discomfort to the already not very friendly access to the Dr.Web components. The large number of settings is clearly not designed for a novice user; however, the fairly detailed and accessible help explains the purpose of whichever parameters interest you. Access to the central module of Dr.Web, the scanner for Windows, is not through the tray, as with all the other antiviruses discussed in the review, but only through "Start" - far from the best solution, and one that Kaspersky Anti-Virus fixed at one time.

The update is available both via the Internet and using proxy servers, which, given the small size of the signatures, makes Dr.Web a very attractive option for medium and large computer networks.

You can set system scan parameters, update order, and configure operating conditions for each Dr.Web module using the convenient “Scheduler” tool, which allows you to create a coherent protection system from the “designer” of Dr.Web components.

As a result, we get holistic protection of the computer from all kinds of threats that is undemanding on computer resources and, on closer examination, fairly straightforward, and whose ability to counter malicious applications clearly outweighs its only drawback, the "variegated" interface of the Dr.Web modules.

Let's consider the process of directly scanning a selected directory. The test folder was filled with text documents, archives, music, videos and other files typical of the average user's hard drive; the total amount of data was 20 GB. Initially, it was planned to scan the hard drive partition on which the system was installed, but Dr.Web intended to stretch the scan out to two or three hours while thoroughly studying the system files, so a separate folder was allocated as the "test site". Each antivirus was configured, using every option it provided, to scan the maximum number of files.

First place in time spent went to Panda 2008. Incredible but true: scanning took only five (!) minutes. Dr.Web declined to use the user's time rationally and studied the contents of the folders for more than an hour and a half. The time shown by Panda 2008 raised some doubts, which called for additional checking of a seemingly insignificant parameter: the number of scanned files. The doubts turned out to be justified and were confirmed in repeated tests. We should pay tribute to Dr.Web: the antivirus did not waste all that time in vain, demonstrating the best result, a little more than 130 thousand files. Let us note that, unfortunately, it was not possible to determine the exact number of files in the test folder, so the Dr.Web figure was taken as reflecting the real situation.

Users have different attitudes towards a "large-scale" scan: some prefer to leave the computer and not interfere with the scan, others do not want to compromise with the antivirus and continue to work or play. The latter option, as it turned out, Panda Antivirus supports without any problems: this program, in which it proved impossible to single out any key features, in any configuration draws attention to itself only with a green sign announcing the successful completion of the scan. Dr.Web earned the title of the most stable consumer of RAM; in full load mode its operation required only a few megabytes more than during normal operation.

Now let's take a closer look at such antiviruses as:

1. Kaspersky Anti-Virus 2009;

3. Panda Antivirus 2008;

according to the following criteria:

· user interface usability rating;

· ease of use rating;

· analysis of the set of technical capabilities;

· cost estimate.

Of all the antiviruses reviewed, the cheapest is Panda Antivirus 2008 and the most expensive is NOD 32. But this does not mean that Panda Antivirus 2008 is worse, as the other criteria show. Three of the four programs reviewed (Kaspersky Anti-Virus, Panda Antivirus, NOD 32) have a simpler, more functional and more user-friendly interface than Dr. Web, which has many settings that are incomprehensible to a novice user. In that program, detailed help is available to explain the purpose of the parameters you need.

All the programs offer reliable protection against worms, traditional viruses, mail viruses, spyware, Trojans, etc. In programs such as Dr. Web and NOD 32, file checking is carried out at system startup, whereas Kaspersky Anti-Virus checks files at the moment they are accessed. Kaspersky Anti-Virus and NOD 32, unlike the others, have an advanced proactive protection system based on heuristic analysis algorithms, and the ability to set a password and thereby protect the program from viruses aimed at destroying antivirus protection. In addition, Kaspersky Anti-Virus 2009 has a behavioral blocker. Panda Antivirus, unlike all the others, does not support blocking suspicious web pages or protecting personal data. All of these antiviruses have automatic database updates and a task scheduler. These antivirus programs are also fully compatible with Vista. But all of them, except Panda Antivirus, require that no other similar programs be present in the system alongside them. Based on this data, we compile a table.

Table 1. Characteristics of antivirus programs

Criterion                                     | Kaspersky Anti-Virus 2009 | NOD 32 | Dr. Web | Panda Antivirus
Cost estimate                                 | -                         | -      | -       | +
User interface usability rating               | +                         | +      | -       |
Ease of use rating                            | +                         | +      | +-      | -
Analysis of the set of technical capabilities | +                         | +      | +       | -
General impression of the program             | +                         | +      | -       |

Each of the antiviruses considered has earned its popularity in one way or another, but there is no absolutely perfect solution for all categories of users.

In my opinion, the most useful are Kaspersky Anti-Virus 2009 and NOD 32, since they meet almost all the requirements that an antivirus program should have. This applies both to the interface and to the set of technical capabilities. In general, they have what you need to protect your computer from viruses.


Conclusion

In concluding this coursework, I would like to say that the goal I set, to conduct a comparative analysis of modern antivirus tools, was achieved. To this end, the following tasks were solved:

1. Literature on this topic has been selected.

2. Various antivirus programs have been studied.

3. A comparison of anti-virus programs was carried out.

When completing my coursework, I encountered a number of problems related to searching for information, since in many sources it is quite contradictory, as well as with the comparative analysis of the advantages and disadvantages of each antivirus program and the construction of the summary table.

Once again, it is worth noting that there is no universal antivirus program. None of them can guarantee us 100% protection against viruses, and the choice of an antivirus program largely depends on the user.





Antivirus programs exist to protect your computer from malware, viruses, Trojan horses, worms and spyware that can delete your files, steal your personal data and make your computer and web connection extremely slow and problematic. Hence, choosing a good antivirus program is an important priority for your system.

Today there are more than 1 million computer viruses in the world. Because viruses and other malware are so common, there are many different options for computer users in the area of antivirus software.

Antivirus programs quickly became big business, with the first commercial antivirus products hitting the market in the late 1980s. Today you can find many, both paid and free antivirus programs to protect your computer.

What do antivirus programs do?

Antivirus programs will regularly scan your computer, looking for viruses and other malware that may be on your PC. If the software detects a virus, it will typically quarantine, disinfect, or remove it.

You choose how often the scan will occur, although it is generally recommended that you run it at least once a week. In addition, most antivirus programs will protect you during everyday activities, such as checking email and surfing the web.

Whenever you download a file to your computer from the Internet or from e-mail, the antivirus will scan it and make sure that the file is OK (virus-free or “clean”).

Antivirus programs will also update what are called “antivirus definitions.” These definitions are updated as frequently as new viruses and malware are introduced and discovered.

New viruses appear every day, so it is necessary to regularly update the antivirus database from the website of the antivirus program's manufacturer. After all, as you know, any antivirus program can recognize and neutralize only those viruses that the manufacturer has "trained" it to recognize. And it is no secret that several days may pass from the moment a virus is sent to the program developers until the antivirus databases are updated. During this period, thousands of computers around the world may be infected!

So, make sure you install one of the best antivirus packages and keep it updated regularly.

FIREWALL

Protecting your computer from viruses depends on more than just one antivirus program. Most users are mistaken in believing that an antivirus installed on their computer is a panacea for all viruses. Your computer can still become infected with a virus, even if you have a powerful antivirus program. If your computer has access to the Internet, one antivirus is not enough.

An antivirus can remove a virus once it is already on your computer, but if the same virus starts to enter your computer from the Internet, for example when a web page is loaded, the antivirus program will not be able to do anything about it until the virus shows its activity on the PC. Therefore, full protection of your computer from viruses is impossible without a firewall, a special security program that notifies you of suspicious activity when a virus or worm tries to connect to your computer.

Using a firewall on the Internet allows you to limit the number of unwanted connections from outside to your computer and significantly reduces the likelihood of it becoming infected. In addition to protection from viruses, it also makes it much more difficult for intruders (hackers) to access your information and attempt to download a potentially dangerous program onto your computer.

When a firewall is used in combination with an antivirus program and operating system updates, your computer's protection is maintained at the highest level of security.

UPDATING THE OPERATING SYSTEM AND PROGRAMS

An important step in protecting your computer and data is to systematically update your operating system with the latest security patches. It is recommended to do this at least once a month. The latest updates for the OS and programs create conditions under which the computer's protection against viruses is at a fairly high level.

Updates are corrections to software bugs found over time. A large number of viruses use these errors (“holes”) in the security of the system and programs to spread. However, if you close these “holes”, then you will not be afraid of viruses and your computer’s protection will be at a high level. An additional advantage of regular updates is more reliable operation of the system due to bug fixes.

LOGIN PASSWORD

A password for logging into your system, especially for the "Administrator" account, will help protect your information from unauthorized access locally or over the network, and will also create an additional barrier to viruses and spyware. Make sure you use a complex password, because many viruses use simple passwords to spread, for example 123 or 12345, beginning with an empty password.

SAFE WEB SURFING

Protecting your computer from viruses becomes difficult if, while browsing and surfing the Internet, you agree to everything and install everything. For example, one variety of virus, "Send SMS to the number", is distributed under the guise of an Adobe Flash Player update. Practice safe web surfing. Always read exactly what you are being offered to do, and only then agree or refuse. If you are offered something in a foreign language, try to translate it; otherwise feel free to refuse.

Many viruses are contained in email attachments and begin to spread as soon as the attachment is opened. We strongly advise against opening attachments you did not agree in advance to receive.

Antiviruses for SIM, flash cards and USB devices

Mobile phones produced today have a wide range of interfaces and data transfer capabilities. Consumers should carefully review protection methods before connecting any small devices.

Protection methods such as hardware-based ones, possibly antiviruses on USB devices or on a SIM, are more suitable for mobile phone consumers. The technical assessment and review of how to install an antivirus program on a cellular mobile phone should treat it as a scanning process that may affect other legitimate applications on that phone.

Antivirus programs on SIM with antivirus built into a small memory area provide anti-malware/virus protection, protecting PIM and phone user information. Antiviruses on flash cards give the user the ability to exchange information and use these products with various hardware devices.

Antiviruses, mobile devices and innovative solutions

No one will be surprised when viruses that infect personal and laptop computers make their way to mobile devices. More and more developers in this area are offering antivirus programs to combat viruses and protect mobile phones. Mobile devices have the following types of virus control:

· CPU limitations
· memory limitations
· identifying and updating the signatures of these mobile devices

Antivirus companies and programs

· AOL® Virus Protection as part of AOL Safety and Security Center
· ActiveVirusShield from AOL (based on KAV 6, free)
· AhnLab
· Aladdin Knowledge Systems
· ALWIL Software (avast!) from the Czech Republic (free and paid versions)
· ArcaVir from Poland
· AVZ from Russia (free)
· Avira from Germany (free Classic version)
· Authentium from the UK
· BitDefender from Romania
· BullGuard from Denmark
· Computer Associates from the USA
· Comodo Group from the USA
· ClamAV, GPL licence, free and open source
· ClamWin, ClamAV for Windows
· Dr.Web from Russia
· Eset NOD32 from Slovakia
· Fortinet
· Frisk Software from Iceland
· F-Secure from Finland
· GeCAD from Romania (Microsoft bought the company in 2003)
· GFI Software
· GriSoft (AVG) from the Czech Republic (free and paid versions)
· Hauri
· H+BEDV from Germany
· Kaspersky Anti-Virus from Russia
· McAfee from the USA
· MicroWorld Technologies from India
· NuWave Software from Ukraine
· MKS from Poland
· Norman from Norway
· Outpost from Russia
· Panda Software from Spain
· Quick Heal AntiVirus from India
· Rising
· ROSE SWE
· Sophos from the UK
· Spyware Doctor
· Stiller Research
· Sybari Software (Microsoft bought the company in early 2005)
· Symantec from the USA or UK
· Trojan Hunter
· Trend Micro from Japan (nominally Taiwan-US)
· Ukrainian National Antivirus from Ukraine
· VirusBlokAda (VBA32) from Belarus
· VirusBuster from Hungary
· ZoneAlarm AntiVirus (American)
· File scanning with several antiviruses
· Checking a file with several antiviruses (English)
· Checking files for viruses before downloading (English)
· virusinfo.info: portal dedicated to information security (a conference of virologists) where you can request help
· antivse.com: another portal where you can download the most common antivirus programs, both paid and free
· www.viruslist.ru: Internet virus encyclopedia created by Kaspersky Lab


Comparing antivirus programs has never been an easy task. After all, companies that create these types of products have always been distinguished by their zeal for improvement and constant updating of their software. Despite this, some antiviruses are better at their tasks, while others are worse.

Each of them has its own advantages and disadvantages, but not every person is able to objectively evaluate their work and choose the one that is best suited for the operation of his computer.

Therefore, we decided to analyze the most popular antivirus programs on the market, Kaspersky, ESET NOD32, McAfee and Symantec, in order to give you a general idea of how they work and help you make the right choice for protecting your personal computer. The results of the analysis were presented in the form of a table to make the differences between the tested software as clear as possible.

· Support for the "deny by default" scenario, with the ability to automatically exclude from the scenario the processes and trusted update sources necessary for the system to operate
· Allowing/blocking programs:
  · selecting from the program registry
  · selecting executable files from the registry
  · entering executable file metadata
  · entering checksums of executable files (MD5, SHA1)
  · entering the path to executable files (local or UNC)
  · selecting preset application categories
  · allowing/blocking applications for individual Active Directory users/user groups
· Monitoring and limiting program activity
· Monitoring and prioritizing vulnerabilities
· Allowing/blocking access to web resources, warning about danger:
  · link filtering
  · filtering content by preset categories
  · filtering content by data type
  · Active Directory integration
  · allowing/blocking access to web resources on a schedule
  · generating detailed reports on PC use for accessing web resources
· Policy-based device control:
  · by port type/bus
  · by type of connected device
  · by user groups in Active Directory
  · creating whitelists based on device serial numbers
  · flexible control of read/write access rights to devices, with the ability to configure a schedule
  · managing temporary access permissions
  · deny-by-default scenario, applied based on priority

Analyzing the data obtained, we can confidently say that only one antivirus, Kaspersky, coped with all tasks, such as monitoring programs, Internet sites and devices. McAfee Antivirus showed good results in the “device control” category, receiving the maximum rating, but, unfortunately, it is not reliable for web control and application control.

Another important part of the analysis of antivirus programs was practical testing to determine the quality of protection of personal computers. For this analysis, three more antivirus programs were added: Dr. Web, AVG and TrustPort, so the comparison picture in this segment became even more complete. For testing, 3,837 infected files containing various threat samples were used, and how the tested antivirus programs dealt with them is shown in the table below.

(Table of test results; only these values survived extraction: Kaspersky, 1 min 10 sec, 5 min 32 sec, 6 min 10 sec, 1 min 10 sec.)

And again, Kaspersky Anti-Virus took the lead, ahead of its competitors in such an important indicator as the percentage of threat detection - more than 96%. But, as they say, there was a fly in the ointment here. The time spent searching for infected files and the resources consumed on a personal computer were the highest among all tested products.

The fastest here were Dr. Web and ESET NOD32, which spent just over one minute searching for viruses, with 77.3% and 50.8% detection of infected files, respectively. What is more important - the percentage of viruses detected or the time spent on searching - is up to you to decide. But do not forget that the security of your computer should be paramount.

ESET NOD32 showed the worst result in detecting threats, only 50.8%, which is an unacceptable result for a PC. TrustPort turned out to be the fastest, and AVG turned out to be the least demanding on resources, but, unfortunately, the low percentage of threats detected by these antivirus programs cannot allow them to compete with the leaders.

Based on the results of the tests, Kaspersky Anti-Virus can confidently be considered the best option for protecting your computer, provided it has a sufficient amount of RAM and a good processor. In addition, the price of the Kaspersky Lab product is not the highest, which cannot but please consumers.



