Virus Pattern Scanning
After a newly found virus is analyzed, its tell-tale virus
code is extracted and added to the virus pattern
database. When the antivirus program scans program files,
it compares the files against the virus pattern database
and determines whether they are infected with viruses.
The Virus Pattern Scanning method is fast and effective
(for example, Trend Micro's PC-cillin and ServerProtect,
which apply deep scanning technology, take about 1/20 second
on average to scan a file in real time). This method is
used by most antivirus software. However, one disadvantage
is that it is not able to detect unknown viruses and polymorphic
viruses.

Integrity Checking (Check-summing)
Integrity Checking antivirus programs begin by building
an initial record of the file status, including the file
name, size, time, date, and contents. They then append
the record to the end of each file, or keep the records
of all the files in a database. With the check-summing system,
integrity checking antivirus programs can determine whether a
file is infected by monitoring and examining whether the status
of each file has been modified. It is like writing down
the mileage every time you stop your car. The next time
you start to drive the car, you will know whether anyone has
driven it by checking the mileage record. This method
can detect various kinds of viruses, but its biggest disadvantage
is that it causes false alarms. Also, it cannot tell what
kind of virus a file is infected with, and cannot detect
Stealth viruses.
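
The baseline-and-compare cycle described above, as an added Python
example that is not from the original page. It keeps the records in an
in-memory dictionary; the function names and the sample files are
constructed for illustration. The result lists which fields changed and
nothing about why, which is the source of the false alarms.

```python
import hashlib
import os
import tempfile

def record(path):
    """Build the status record for one file: size, time and a content digest."""
    st = os.stat(path)
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            digest.update(chunk)
    return {"size": st.st_size, "mtime": st.st_mtime_ns, "sha256": digest.hexdigest()}

def build_baseline(paths):
    """Initial pass: keep the records of all the files in one database (a dict)."""
    return {p: record(p) for p in paths}

def check(baseline):
    """Later pass: report each file whose status no longer matches its record."""
    findings = {}
    for path, old in baseline.items():
        if not os.path.exists(path):
            findings[path] = ["missing"]
            continue
        new = record(path)
        changed = [field for field in old if old[field] != new[field]]
        if changed:
            findings[path] = changed
    return findings

def demo():
    """Constructed sample: two files, one of which is modified after the baseline."""
    with tempfile.TemporaryDirectory() as d:
        a, b = os.path.join(d, "a.com"), os.path.join(d, "b.com")
        for p in (a, b):
            with open(p, "wb") as f:
                f.write(b"\x90" * 64)      # constructed placeholder contents
        db = build_baseline([a, b])
        before = check(db)                 # nothing modified yet
        with open(b, "ab") as f:           # any change at all, e.g. a software update
            f.write(b"appended")
        after = {os.path.basename(p): v for p, v in check(db).items()}
        return before, after

if __name__ == "__main__":
    print(demo())
```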

Rule-based Virus Traps
Rule-based Virus Traps are a TSR (terminate-and-stay-resident)
scanning technology that monitors the computer's behavior. It
collects all the virus activities. When any program resident in
memory starts unusual behavior, the system detects it and alerts
the user. Rule-based Virus Traps have some advantages: they
respond quickly, are easy to process, and are able to detect all
kinds of viruses. On the other hand, the disadvantages are that
they are difficult to design and that it is hard to make their
coverage thorough. However, with today's ever-changing viruses,
Rule-based Virus Traps at least offer a new point of view for
security. The current version of Trend Micro's PC-cillin
comprises 12 traps for suspicious virus activities, in order
to prevent damage in advance.

Software Emulation Scanning
Software Emulation technology is designed to tackle Polymorphic/Mutation
viruses. Every time Polymorphic/Mutation viruses start an
infection, they generate random numbers, encrypt the
numbers and then insert them into the infected files. The traditional
virus pattern matching method cannot detect this kind of
virus at all, while Software Emulation technology
can emulate CPU activities, execute the decoding program
of mutation engines under a specially designed DOS virtual
machine, and safely and completely uncover the Polymorphic/Mutation
viruses for scanning.

VICE (Virus Instruction Code Emulation)
Following the Software Emulation technology, the Virus Instruction
Code Emulator is another breakthrough technology. Since
the Software Emulation method can create a Protected Mode
DOS virtual machine, emulate CPU activities and execute
the program to make polymorphic viruses expose themselves,
similar technology can be applied to analyze normal application
software for suspicious virus code. Therefore, using the
same method that engineers use to determine whether a program
contains virus code, VICE first creates an expert knowledge base
system after analysis, then runs the new viruses through
the Software Emulation method, and derives the new virus
pattern for later generated viruses.

Real-time I/O Scanning
Real-time I/O Scanning filters the data I/O stream for virus
pattern matching, with the purpose of blocking a virus before
it executes. Theoretically, real-time I/O scanning will
affect the data transfer speed. With real-time I/O
scanning, however, each incoming file is scanned once.
There is no significant influence as a whole.

MacroTrap
Integrating virus pattern matching and rule-based
virus trap technology, MacroTrap draws upon the virus behavior
rule base to detect known and unknown macro viruses. Using
OLE2 technology to separate macros from the document,
MacroTrap scans at high speed and can remove macro viruses
effectively and completely.