Anti-virus software

Most users install anti-virus software that can detect and eliminate known viruses after files are copied, new applications are installed, downloads complete, or executable files are run. There are two common methods that an anti-virus application uses to detect viruses.

The first, and by far the most common, method of virus detection uses a list of virus signature definitions. It works by examining the content of the computer's memory (its RAM and boot sectors) and the files stored on fixed or removable drives (hard drives, floppy drives), and comparing that content against a database of known virus "signatures".

The disadvantage of this detection method is that users are only protected from viruses that pre-date their last virus definition update.

The second method uses a heuristic algorithm to find viruses based on common behaviours. It can detect viruses for which anti-virus security firms have yet to create a signature.

Some anti-virus programs can also scan files as they are opened, and e-mails as they are sent and received, 'on the fly' in the same manner. This practice is known as "on-access scanning". Anti-virus software does not change the underlying capability of host software to transmit viruses.

Users must update their software regularly to patch security holes. Anti-virus software also needs to be updated regularly to defend against the latest threats.

One may also minimise the damage done by viruses by making regular backups of data (and of the operating system) on different media that are kept unconnected from the system most of the time, read-only, or otherwise inaccessible, for example by using a different file system. This way, if data is lost to a virus, one can start again from the backup (which should preferably be recent).

Hosts/files affected by viruses

Viruses target various types of files, transmission media, or hosts. This list is not exhaustive:

  • Binary executable files (such as COM files and EXE files in MS-DOS, Portable Executable files in Microsoft Windows, and ELF files in Linux).
  • Volume Boot Records of floppy disks and hard disk partitions.
  • The master boot record (MBR) of a hard disk.
  • General-purpose script files (such as batch files in MS-DOS and Microsoft Windows, VB Script files, and shell script files on Unix-like platforms).
  • System-specific autorun script files (such as the Autorun.inf file that Windows needs in order to automatically run software stored on external devices).
  • Documents that can contain macros (such as Microsoft Word documents, Microsoft Excel spreadsheets, and Microsoft Access database files).
  • Cross-site scripting vulnerabilities in web applications.
  • Arbitrary computer files. An exploitable buffer overflow, format string, race condition or other exploitable bug in a program which reads the file could be used to trigger the execution of code hidden within it. Most bugs of this type can be made more difficult to exploit in computer architectures with protection features such as an execute disable bit and/or address space layout randomization.

In operating systems that use file extensions to determine program associations (such as Microsoft Windows), the extensions may be hidden from the user by default. This makes it possible to create a file that is of a different type than it appears to the user. For example, an executable may be created named "picture.png.exe", in which the user sees only "picture.png" and therefore assumes that this file is an image and most likely is safe.
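The two detection methods described above, and the "picture.png.exe" disguise, as an added illustration that is not part of the original article: a toy scanner that looks for known byte signatures (the EICAR test string plus an invented pattern) and applies two heuristics (a double extension, and an executable "MZ" header under a document extension). The extension lists and signature names are assumptions made for this example.

```python
# Signature database, constructed for this example. The first entry is the
# EICAR standard anti-virus test string, which real scanners detect by design;
# the second is an invented byte pattern.
SIGNATURES: dict[str, bytes] = {
    "EICAR-Test-File": rb"X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*",
    "Example.Sig.A": bytes.fromhex("deadbeef0badc0de"),
}

# Abbreviated extension lists (assumptions, not a complete inventory).
EXEC_EXTS = {"exe", "com", "scr", "pif", "bat", "cmd", "vbs"}
BENIGN_EXTS = {"png", "jpg", "gif", "txt", "pdf", "doc"}


def signature_scan(data: bytes) -> list[str]:
    """Signature method: names of every known byte pattern present in data."""
    return [name for name, sig in SIGNATURES.items() if sig in data]


def heuristic_scan(filename: str, data: bytes) -> list[str]:
    """Heuristic method: appearance checks that need no prior signature."""
    findings = []
    parts = filename.lower().split(".")
    # 'picture.png.exe': a benign-looking extension followed by an executable one.
    if len(parts) >= 3 and parts[-2] in BENIGN_EXTS and parts[-1] in EXEC_EXTS:
        findings.append("double-extension")
    # Extension says image/document, but content starts with the DOS/PE 'MZ' header.
    if parts[-1] in BENIGN_EXTS and data[:2] == b"MZ":
        findings.append("executable-disguised-as-document")
    return findings


def scan(filename: str, data: bytes) -> dict[str, list[str]]:
    """Combine both detection methods into one verdict for a file."""
    return {"signatures": signature_scan(data),
            "heuristics": heuristic_scan(filename, data)}


if __name__ == "__main__":
    # Constructed samples: the EICAR string, an MZ-headed file with a double
    # extension, and a one-byte variant of Example.Sig.A that signatures miss
    # but the header heuristic still catches.
    eicar = SIGNATURES["EICAR-Test-File"]
    disguised = b"MZ" + bytes.fromhex("deadbeef0badc0de") + b"\x00" * 16
    variant = b"MZ" + bytes.fromhex("deadbeef0badc0df") + b"\x00" * 16
    for name, blob in [("eicar.com", eicar), ("picture.png.exe", disguised),
                       ("picture.png", variant)]:
        print(name, scan(name, blob))
```

The third sample shows the weakness noted above: changing a single byte defeats the signature, while the heuristic still flags the file.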