Anti-virus technology and its development trend

Posted by xiaoxiao, 2021-03-06

Author: Liu Jie

There are many accounts of the first computer virus. I am sure there were none in the era of Babbage's machines, but they certainly existed by the time of the UNIVAC 1108 and the IBM 360/370 ("Pervading Animal" and "Christmas"). So the first computer virus was born in the late 1960s or early 1970s, although nobody called them viruses at the time. However, once viruses became a problem, there came people to solve it, the security experts, and their results: anti-virus technology and anti-virus products.

About the author: Liu Jie was among the first in China to engage systematically in research on computer viruses and network security technology. He drafted China's security regulation "Computer Virus Prevention and Treatment Product Rating Standards", won the Second Prize for Science and Technology Achievement of the Ministry of Science and Technology, currently serves as a network security consultant to the relevant national ministries, is a professor at Shangqiu Normal University, and is a developer of the Guanghua anti-virus software.

Anti-virus software is the most effective way to deal with computer viruses, but no anti-virus software can guarantee that a system will not be infected by a virus. Any advertisement claiming this for an anti-virus product is false. Such software cannot exist, because for every anti-virus algorithm a virus can be written that counters that algorithm, and that virus may go undetected by this particular anti-virus software (conversely, any anti-virus algorithm can be developed into an anti-virus product). Moreover, it has been proven that no absolute anti-virus can exist even in theory; the proof is due to Fred Cohen.

In terms of anti-virus technique, the most popular anti-virus software today is the scanner, and there are many scanning algorithms; to make the software more powerful, several scanning methods are usually combined.

1) Virus scan

Virus scanning is currently the most important method of detecting and removing viruses. It checks files, disk sectors and system memory for known viruses using "marks" (signatures): a virus mark is a characteristic fragment of code common to all copies of the virus. Besides such marks, scanners also use other methods: some decide by an algorithm whether a file is infected with a particular virus, and some anti-virus products use this to detect polymorphic ("deformed") viruses.

Virus scanners can be divided by anti-virus method into "general" and "dedicated". A "general" scanner is designed independently of the operating system and can check for viruses of every kind; a "dedicated" scanner is designed for a specific class, such as macro viruses, and can make virus protection for particular application software more reliable.

Virus scanning can also be divided by the user's mode of operation into real-time scanning and on-request scanning. Real-time scanning gives better protection for the system, because a virus is discovered the moment it appears, whereas an on-request scan only detects viruses when the user runs it.
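As an added illustration of the mark-based scanning described above (this is example code, not from the article or from any real product), the following scanner matches byte signatures that may contain wildcard bytes, so that one mark covers a stable code fragment even where a few bytes differ between samples. The signature names, patterns and sample buffers are all constructed for the example.

```python
import re
from typing import Dict, List

# Constructed signature database (hypothetical names and byte patterns,
# not taken from any real scanner). Each pattern is a run of hex bytes in
# which "??" is a wildcard, so one mark can cover a stable code fragment
# that surrounds bytes which differ from sample to sample.
SIGNATURES: Dict[str, str] = {
    "Demo.FileInfector.A": "B8 00 4C CD 21 ?? ?? E8 00 00",
    "Demo.BootSector.B": "FA 33 C0 8E D0 BC 00 7C ?? ?? 8E D8",
}

def compile_signature(pattern: str) -> re.Pattern:
    """Turn a hex pattern with ?? wildcards into a bytes regex."""
    parts = []
    for tok in pattern.split():
        # "." with DOTALL matches any single byte, including 0x0A
        parts.append(b"." if tok == "??" else re.escape(bytes([int(tok, 16)])))
    return re.compile(b"".join(parts), re.DOTALL)

COMPILED = {name: compile_signature(p) for name, p in SIGNATURES.items()}

def scan_bytes(data: bytes) -> List[str]:
    """Return the names of every mark found in a buffer (file, sector or memory image)."""
    return [name for name, rx in COMPILED.items() if rx.search(data)]

def scan_file(path: str) -> List[str]:
    """Scan one whole file; a real scanner would also walk sectors and memory."""
    with open(path, "rb") as f:
        return scan_bytes(f.read())

# Constructed sample buffers (not real malware): a clean buffer, a buffer
# carrying the mark, and a variant that differs only in the wildcard bytes.
CLEAN = bytes(range(256)) * 4
INFECTED = b"MZ" + bytes(60) + b"\xB8\x00\x4C\xCD\x21\x12\x34\xE8\x00\x00" + bytes(32)
VARIANT = b"MZ" + bytes(60) + b"\xB8\x00\x4C\xCD\x21\x99\x88\xE8\x00\x00"

if __name__ == "__main__":
    for label, buf in [("clean", CLEAN), ("infected", INFECTED), ("variant", VARIANT)]:
        print(label, scan_bytes(buf))
```

The variant buffer shows why a mark needs wildcards: the two bytes that change between samples would otherwise break an exact-match signature, which is exactly the gap polymorphic viruses exploit.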

2) Heuristic scan

Heuristic scanning examines the sequence or combination of instructions that appear in a file to decide whether it is infected; every object is checked in this way. Its detection rate is the highest, but it is also the method most prone to false positives.

3) CRC scan

The principle of CRC scanning is the CRC value (checksum) of each file or system sector actually present on disk. The anti-virus software saves these CRC values in its own database; when it runs, it compares the stored value with the value computed now, and so can tell whether the file has been modified or infected by a virus.

CRC scanning with this algorithm is a powerful anti-virus tool: it can detect 100% of the viruses that have entered the computer. But the method has a disadvantage: its efficiency is very low. Once a virus has penetrated the computer it cannot be detected quickly; it is only found when the virus begins to spread, and a virus in a new file (such as mail, downloaded software, restored backups or unpacked archives) cannot be detected at all, because the database holds no CRC value for these files. In addition, some viruses exploit this "weak point" of CRC scanning by infecting only newly created files, before they have been scanned.
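The CRC scan and its blind spot, as an added example (not code from the article): a baseline of CRC-32 values is recorded for every file under a directory, and a later check reports files whose CRC has changed. Files that did not exist when the baseline was taken come back as "unknown" rather than "clean", which is the gap the text describes. The file names and contents are constructed for the example.

```python
import os
import tempfile
import zlib
from typing import Dict, List, Tuple

def crc32_of_file(path: str) -> int:
    """CRC-32 of a file, streamed so large files need not fit in memory."""
    crc = 0
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            crc = zlib.crc32(chunk, crc)
    return crc & 0xFFFFFFFF

def build_baseline(root: str) -> Dict[str, int]:
    """Record the CRC of every file under root: the scanner's own database."""
    baseline: Dict[str, int] = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            baseline[os.path.relpath(path, root)] = crc32_of_file(path)
    return baseline

def check_against_baseline(root: str, baseline: Dict[str, int]) -> Tuple[List[str], List[str]]:
    """Return (modified, unknown). Unknown files are the method's blind spot:
    with no stored CRC, nothing can be said about them."""
    modified, unknown = [], []
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root)
            if rel not in baseline:
                unknown.append(rel)
            elif crc32_of_file(path) != baseline[rel]:
                modified.append(rel)
    return sorted(modified), sorted(unknown)

def demo(root: str = "") -> Tuple[List[str], List[str]]:
    """Constructed scenario: baseline two files, then one is appended to and a new file appears."""
    root = root or tempfile.mkdtemp()
    with open(os.path.join(root, "calc.exe"), "wb") as f:
        f.write(b"MZ" + bytes(100))
    with open(os.path.join(root, "edit.exe"), "wb") as f:
        f.write(b"MZ" + bytes(200))
    baseline = build_baseline(root)
    with open(os.path.join(root, "calc.exe"), "ab") as f:
        f.write(b"APPENDED-CODE")          # simulated infection: code appended to the file
    with open(os.path.join(root, "new.exe"), "wb") as f:
        f.write(b"MZ" + bytes(50))         # file the database knows nothing about
    return check_against_baseline(root, baseline)
```

CRC-32 is an error-detecting code, not a collision-resistant hash, so a modern integrity checker would store a cryptographic hash (or a keyed MAC) in place of the CRC; the baseline logic is unchanged.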

Each kind of scan has its own advantages and disadvantages. Relying on a virus database is their common basic characteristic, but if the database becomes too large, detection becomes very slow. Besides the scanning methods above, there are some other commonly used technologies.

1) Behavior judgment

Behavior judgment uses resident anti-virus software to intercept operations that are dangerous in the way viruses are, such as modification of executables, boot sectors or the MBR. The advantage of this method is that an infection is found and blocked at its earliest stage; the disadvantage is that some viruses can defend themselves against it so that the anti-virus software fails completely.

2) Virus immunity

There are two kinds of immunization: one warns of infection, the other prevents infection. The first kind mainly guards against viruses that append themselves to the end of a file (usually file viruses); every file is checked. But it has a fatal weakness: it cannot detect stealth ("tricky") viruses, so this immunization method is of limited practical use.

The second kind mainly prevents the system from being infected by a particular virus. The immunizer modifies a file so that it appears to have been modified by that virus already (for example, the string "MSDOS" in a file signals to "Jerusalem" that the file is already infected), or, where the virus copies a small TSR program into memory, it makes the system look as if it is definitely infected already.

This kind of immunity is not universal, because immunization cannot be applied to every virus.

Which anti-virus technology is better?

Which anti-virus technology is best? The answer is: all of them, as long as the computer ends up with no virus in it. But if you want to install new software, receive mail, or use Word or Excel spreadsheets, you need to choose several suitable anti-virus products according to your own situation.

There are differences between the various anti-virus products, and I want to be clear about them. The following are relatively important: reliability and convenience, meaning that the anti-virus software does not "hang", and that ordinary users can use it without specific technical knowledge.

1) Scanning of documents, detection of the various kinds of virus, the ability to repair infected files, timely updates of the scan engine, and speed in handling new viruses.

2) Whether the anti-virus software supports a variety of platforms (DOS, Windows, Alpha, Linux, etc.), and whether it can not only scan on the user's request but also monitor in real time and check for viruses on the network.

3) Other useful features, such as scanning speed.

The most important property of anti-virus software is reliability. Although there is no "absolute anti-virus software", it must not stop halfway through scanning a file, leave files unscanned, or fail to detect a virus that is in the system. Nor can it require users to have specific knowledge: many users will only choose anti-virus software that pops up a simple message box with [OK] or [Cancel] buttons, and if the software often asks users complicated questions, users will certainly not like it.

Obviously, virus detection ability is the second most important factor: the software is called anti-virus software because its purpose is to detect and remove viruses, and any anti-virus software that cannot detect viruses is useless. If a product does not give 100% protection against a type of virus, the whole system can be infected by that type: such software detects only part (say 99%) of the infected files in the system, the remaining 1% of infected files stay undiscovered, and at that point the computer is still infected. At the next scan the software again leaves 1% unscanned, but this time it is 1% of the remaining 99%, so the total that has escaped is actually 1.99%; you can imagine where that leads.

Therefore, virus detection capability is the second most important standard for measuring the quality of anti-virus software; it matters more than other features such as multi-platform support.

Of course, anti-virus software must not be too sensitive either. If it often raises false alarms and deletes files that are not infected, users will also come to ignore true virus warnings.

Multi-platform support is also an important factor. Take the "OneHalf" virus, which infects Windows 95 or Windows NT systems and encrypts disk sectors: if you use a DOS anti-virus program to decrypt the disk, the result will be very disappointing, and the data on the disk may be destroyed, because after the sectors have been encrypted Windows 95/NT does not allow the anti-virus software to read or write them; the virus can only be removed with a Windows 95/NT anti-virus product. Real-time monitoring capability is also an important standard for anti-virus software: if the files and viruses on disk are to be 100% inspected and the file server kept secure (for example, preventing a Windows NT server from being attacked by macro viruses by scanning all incoming mail), real-time monitoring is required. If the anti-virus software is also strong in network management, that is very valuable too.

Another important standard is working speed. If a scan of the entire system takes several hours to complete, most users will not scan frequently. Different anti-virus products use different scanning algorithms: some are fast, while others may be slow and of lower quality. This depends on the software developers.

Additional functions are the last standard for evaluating anti-virus software, because they do not affect the use of the software as a whole. However, some functions are very convenient for users and make things easier, which leads users to use the anti-virus software more often.

The trend of anti-virus technology

Because of the popularity of the Internet, the Internet has become a channel for spreading virus-writing technology and an important route for virus dissemination. Virus writers have begun to cooperate with one another, and virus-writing technology is merging with hacking technology. These developments challenge today's anti-virus efforts, so virus protection technology is undergoing major change. In summary, the theory of fighting viruses is shifting from the confrontation of individual works to the confrontation of ideas, and the product form is shifting from independent software products to patches for the operating system.

1) From the confrontation of works to the confrontation of ideas

Previously, the theoretical basis of anti-virus software was to discover and identify a specific virus, and only then defend against it. We had no effective way to guard against unknown viruses: polymorphic viruses of every kind, and viruses that integrate hacking techniques, could not be handled effectively. Only after a new virus broke out could software be developed to kill it, and users then had to upgrade their anti-virus software as soon as possible. So the old method was like the police catching criminals: before a crime has been committed or reported, nothing can be done, even though the criminal is a criminal. This is a competition between virus writers and security experts at the level of individual works. The new theory builds mathematical models of control strategies from large bodies of statistics on virus characteristics, attack procedures and changes in propagation, and groups viruses by the idea behind them, so that all the viruses developed from the same idea are handled together, which can greatly improve the reaction time to new viruses. Since this method works by suppressing the virus design idea itself, it is a competition between virus writers and security experts at the level of overall thinking.

Therefore, the new anti-virus software does not only scan the computer against the virus code in its database; it monitors the processes and operations the computer is running. If an event or a typical operation exhibits virus features, or is dangerous to the computer, the event or operation is blocked, which protects the computer more effectively against new viruses.
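The behavior judgment described in the earlier section and the operation monitoring described here, as one added example (not code from the article or from any product): a monitor receives intercepted operations, blocks any raw write to the boot area outright, and flags a process that modifies several distinct executables within a short window, which is the spreading pattern of a file infector. The event record format, the allow-list, the thresholds and the event stream are all constructed for the example.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional

@dataclass
class Event:
    ts: float       # seconds since monitoring started
    process: str    # process that performed the operation
    op: str         # "write" to a file, or "raw_write" to a disk structure
    target: str     # file path, or "MBR" / "BOOT_SECTOR" for raw writes

EXEC_SUFFIXES = (".exe", ".com", ".dll", ".sys")
TRUSTED_WRITERS = {"setup.exe"}   # constructed allow-list, e.g. a known installer
SPREAD_THRESHOLD = 3              # distinct executables modified by one process ...
SPREAD_WINDOW = 10.0              # ... within this many seconds looks like a file infector

class BehaviorMonitor:
    def __init__(self) -> None:
        self._exec_writes: Dict[str, List[Event]] = defaultdict(list)

    def observe(self, ev: Event) -> Optional[str]:
        """Return a reason to block the operation, or None to let it through."""
        # Any raw write to the boot area is virus-typical and blocked outright.
        if ev.op == "raw_write" and ev.target in ("MBR", "BOOT_SECTOR"):
            return f"{ev.process}: raw write to {ev.target}"
        if ev.op == "write" and ev.target.lower().endswith(EXEC_SUFFIXES):
            if ev.process in TRUSTED_WRITERS:
                return None
            hist = self._exec_writes[ev.process]
            hist.append(ev)
            # One executable write is a normal update; several distinct executables in a
            # short window is the spreading pattern. The threshold is the false-positive trade-off.
            recent = {e.target for e in hist if ev.ts - e.ts <= SPREAD_WINDOW}
            if len(recent) >= SPREAD_THRESHOLD:
                return f"{ev.process}: modified {len(recent)} executables in {SPREAD_WINDOW:.0f}s"
        return None

def run(events: List[Event]) -> List[str]:
    mon = BehaviorMonitor()
    return [r for r in (mon.observe(e) for e in events) if r]

# Constructed event stream in a hypothetical record format (not a real capture).
SAMPLE = [
    Event(0.0, "setup.exe", "write", r"C:\Program Files\app\app.exe"),
    Event(1.0, "notepad.exe", "write", r"C:\Users\me\notes.txt"),
    Event(2.0, "game.exe", "write", r"C:\Windows\calc.exe"),
    Event(2.5, "game.exe", "write", r"C:\Windows\edit.com"),
    Event(3.0, "game.exe", "write", r"C:\Windows\more.com"),
    Event(4.0, "game.exe", "raw_write", "MBR"),
]
```

Running `run(SAMPLE)` lets the installer and the text-file write through and blocks only the two operations typical of a virus; the text's caveat applies here too, since a virus that avoids these operations is not caught by the rules alone.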

2) From a separate product to an operating-system patch

Anti-virus software has always existed as an independent software product, but because virus writers increasingly exploit operating-system vulnerabilities and hacking techniques, close integration with the operating system has become inevitable: on one hand it can help the operating system reduce its vulnerabilities, and on the other hand operating efficiency and software compatibility can be further improved. From a business perspective, security technology can be integrated into a variety of application systems, reducing the security vulnerabilities of the application systems themselves while also providing users with more personalized security services.

Science and technology have brought progress, and they have also brought computer viruses. Our struggle with computer viruses is a contest of one person, or one group of people, against the wisdom of another person or group, because a virus is exactly as clever as the people who make it. They invent a new virus, and we have to deal with it; they invent a very sophisticated virus, and we still have to deal with it. Every day we sit in front of the computer like fools, facing the virus monster: for each virus they produce in a day, we spend a day analyzing it and writing the anti-virus algorithm. It is very much like the history of biological evolution, isn't it?

Please credit the original address when reprinting: https://www.9cbs.com/read-97163.html
