This virus technology is the wide topic for generating seminar report.This post show you that how to generate seminar report and also this is the one of the best example of seminar report.If you want to make seminar report in 2 minute you simply select the below content and past it in to your ms word file.This seminar report is in well format so its easy to implement your report.For more seminar report and topics you please visit it regularly that will be updated as soon as possible. please cooperate us. I hope that you like my post.
Abstract
The term virus is as old as hills are now in the world of computer technologies. A virus basically is software that is made to run automatically usually used for destructive purpose by the computer experts. Though virus is a well known but not known well.
Definition :
A computer virus is a coded program that is written in Assembly or a system programming language such as ‘C’ to deliberately gain entry into a host system and modify existing programs and/or perform a series of action, without user consent.
In this paper we would like to throw light on some of the unturned stones of the world of virus. We would start from history of the virus i.e. who created the first virus, for what purpose and hoe it affect to the computer. Then classification of viruses by to different methods:
>General classification of the virus.
>Behavioral classification of the virus.
We covered the topic how nowadays viruses affects to the Mobiles, how they come to the mobile. The small and most important topic that we covered is the ‘Positive Virus’.
We covered how the virus actually works in the host computer along with one example as they would enlighten our knowledge about viruses, this is because we want to secure of viruses and actually need to known how are they programmed and executed automatically.
We also covered some information about the most popular viruses with some vital information i.e. how they work, how much harmful to the host etc.
At last we covered the solution for the virus i.e. Anti-virus. In this topic we covered how to detect the computer virus, how anti-virus works
AN INTRODUCTION TO VIRUSES:-
In the mid-eighties, so legend has it, the Amjad brothers of Pakistan ran a computer store. Frustrated by computer piracy, they wrote the first computer virus, a boot sector virus called Brain. From those simple beginnings, an entire counter-culture industry of virus creation and distribution emerged, leaving us today with several tens of thousands of viruses.
In just over a decade, most of us have been familiar with the term computer virus. Even those of us who don’t know how to use a computer have heard about viruses through Hollywood films such as Independence Day or Hackers (though Hollywood’s depiction of viruses is usually highly inaccurate). International magazines and newspapers regularly have virus-scares as leading stories. There is no doubt that our culture is fascinated by the potential danger of these viruses.
Many people believe the worst a virus can do is format your hard disk. In fact, this type of payload is now harmless for those of us who back up our important data. Much more destructive viruses are those which subtly corrupt data. Consider, for example, the effects of a virus that randomly changes numbers in spreadsheet applications by plus or minus 10% at a stockbroker. Other nasty viruses post company confidential documents in your own name to some of the atlases Internet newsgroups, an act, which can both, ruin your reputation and the company’s confidentiality.
Despite our awareness of computer viruses, how many of us can define what one is, or how it infects computers? This paper aims to demystify the basics of computer viruses, summarizing what they are, how they attack and what we can do to protect ourselves against them.
DEFINITION:-
“A computer virus is a coded program that is written in Assembly or a System programming language such as ‘C’ to deliberately gain entry into a host system and modify existing programs and/or perform a series of action, without user consent. In addition, a virus is designed to replicate copies of itself in order to spread the infection widely among other uninfected programs and systems.”
A virus is nothing more than a program. A virus is a serious problem for everyone in the information technology industry. Viruses range from the harmless programs displaying a character on your screen to the malicious codes which go on to format your entire hard-disk.
Just like a biological virus that takes over a living cell, a computer virus containing a set of coded instructions, also invades a host system and tries to replicate and infect new hosts. A sophisticated virus can spread undetected for a long time, waiting for a signal to begin destroying or altering data. A signal can be in the form of date, or a change in a system resource data, etc.
The difference between a computer virus and other programs is that viruses are designed to self-replicate (that is to say, make copies of themselves). They usually self-replicate without the knowledge of the user. Viruses often contain ‘payloads’, actions that the virus carries out separately from replication. Payloads can vary from the annoying (for example, the WM97/Class-D virus, which repeatedly displays messages such as “I think ‘username’ is a big stupid jerk”), to the disastrous (for example, the CIH virus, which attempts to overwrite the Flash BIOS, which can cause irreparable damage to certain machines).
Many people believe the worst a virus can do is format your hard disk. In fact, this type of payload is now harmless for those of us who back up our important data. Much more destructive viruses are those which subtly corrupt data.
Viruses can be hidden in programs available on floppy disks or CDs, hidden in email attachments or in material downloaded from the web. If the virus has no obvious payload, a user without anti-virus software may not even be aware that a computer is infected.
A computer that has an active copy of a virus on its machine is considered infected. The way in which a virus becomes active depends on how the virus has been designed, e.g. macro viruses can become active if the user simply opens, closes or saves an infected document.
A BRIEF HISTORY OF VIRUSES
Over the past decades, the computer viruses have evolved through numerous avatars. From being rather 'dumb', they have developed into programs exhibiting surprising 'smart¬ness'. We give you an overview of how viruses have devel¬oped over time.
1950'S-1970:THE PRE-HISTORIC PERIOD
The viruses, as we know them now, actually started out in unpretentious surroundings of research laboratories. In the 1950's, researchers studied, what they called as-'Self-altering Automata' programs. Simple program codes were writ-ten to demonstrate rather limited characteristics. In a way, these programs were the pre-historic (in a manner of speaking) ancestors of the modern virus.
In the 1960's computer scientists at the Bell Laboratories had viruses battling each other in a game called Core Wars. The object of the game was to create a virus small enough to destroy opposing viruses without being caught. Like computers, viruses too were studied keeping in mind their military implications. Of course, several research foundations too worked on the non-military uses of viruses.
1970'S-1980:THE EARLY TIMES
This was the time when the term 'VIRUS' gained recognition by moving from the research labs to the living rooms of common users. Science fiction novels in the early 1970's were replete with several instances of viruses and their resultant effects. In fact, an entire episode of the famous science fiction TV series, Star Trek, was devoted to viruses. Around the same time, researchers at the Xerox Corp. demonstrated a self-replicating code they had developed.
By now, the use of computers had proliferated to include most government and corporate users. These computers were beginning to be connected by networks. Several or-ganizations began working on developing useful viruses which could help in improving productivity.
1980'S-1990:THE MIDDLE AGES
While on the one hand, the exponentially increasing use of computers and their availability proved to be a boon to the common users, on the other hand, the ugly faces of compu¬ter viruses also made their appearances. From the compu¬ter-science labs, viruses fell into the hands of cyberpunks -unprincipled programmers; who obtained sadistic pleasures from ruining computer systems across the globe.
Among the earliest instances of malicious uses of viruses was when Gene Burelon a disgruntled employee of a US securities firm, introduced a virus in the company computer network and managed to destroy nearly 1, 68,000 records of the corporate database. In October 1987, the (c) Brain virus, later to be known as the 'Pakistani' virus, was found to be working its way quietly through the computer systems in¬stalled at the University of Delaware. This was probably the first mass distributed virus of its kind. In 1988, the so-called Internet Virus was responsible for the breakdown of nearly 6000 UNIX based computers connected to the Internet network in the US. Other well known viruses that made their appearances were Cascade, Jerusalem, Dark Avenger, etc. During this decade, viruses were written to attack different operating software platforms such as, DOS, MAC, UNIX, etc.
1990'S-2004:THE CURRENT PICTURE
The early part of the 1990's was witness to development of sophisticated strains of existing viruses. It was more of a matching of wits between the developers of viruses and the developers of anti-virus programs. In addition to plugging the loopholes in existing viruses, a new family of viruses called the Macro Viruses also made their appearance. These viruses affected files created in the popular MS Word and MS Excel programs.
The decade of the 1990's has seen more and more virus developers writing stealth virus codes giving rise to sophis¬ticated viruses such as the Zero Hunt virus, the Michael Angelo virus, etc. In addition, viruses written to invade net¬worked environments have also come into being, in line with the increasing use of communication networks. The Year 2000 problem, in all probability, will generate families of new viruses which will come in the guise of Y2K solution pro¬grams.
2005-2015: THE EMERGING SCENARIO
The first decade in the next millennium will see the generation of the 'intelligent viruses' displaying fuzzy logic characteristics. These viruses will be programmed to alter their codes as and when they detect the presence of anti-virus programs. They will not only attack the traditional computer systems and communication networks, but also, software controlled components in cars, trains, air-traffic control systems, defense equipment, etc. The virus developers in all likelihood will include more and more young adolescents and even, children." Viruses will become the new tools of terrorism; giving rise to 'Cyber Terrorists'.
Since Internet will connect the farthest corners of the globe, the time it takes for a virus to proliferate will be greatly reduced. However, on the flip side, special software development tools will be available to common users to automatically develop anti-virus programs to counter most virus threats.
CLASSIFICATION OF VIRUS: -
There are mainly two methods for classification of the viruses. While classifying a particular virus, we have to keep in mind the general, as well as the behavioral aspects of the virus. Most viruses are designed to exhibit a mixture of properties. Hence, a particular virus can be a file virus, a direct action virus, as well as a stealth virus. Or, a virus can be a boot sector virus, a transient virus, as well as a poly¬morphic virus.
GENERAL CLASSIFICATION OF VIRUSES
The viruses are generally classified according to the sys¬tem areas they infect. Refer to the chart in Figure Chapter 2-1 to get an overview of the classification. Please also refer to the
Abstract
The term virus is as old as hills are now in the world of computer technologies. A virus basically is software that is made to run automatically usually used for destructive purpose by the computer experts. Though virus is a well known but not known well.
Definition :
A computer virus is a coded program that is written in Assembly or a system programming language such as ‘C’ to deliberately gain entry into a host system and modify existing programs and/or perform a series of action, without user consent.
In this paper we would like to throw light on some of the unturned stones of the world of virus. We would start from history of the virus i.e. who created the first virus, for what purpose and hoe it affect to the computer. Then classification of viruses by to different methods:
>General classification of the virus.
>Behavioral classification of the virus.
We covered the topic how nowadays viruses affects to the Mobiles, how they come to the mobile. The small and most important topic that we covered is the ‘Positive Virus’.
We covered how the virus actually works in the host computer along with one example as they would enlighten our knowledge about viruses, this is because we want to secure of viruses and actually need to known how are they programmed and executed automatically.
We also covered some information about the most popular viruses with some vital information i.e. how they work, how much harmful to the host etc.
At last we covered the solution for the virus i.e. Anti-virus. In this topic we covered how to detect the computer virus, how anti-virus works
AN INTRODUCTION TO VIRUSES:-
In the mid-eighties, so legend has it, the Amjad brothers of Pakistan ran a computer store. Frustrated by computer piracy, they wrote the first computer virus, a boot sector virus called Brain. From those simple beginnings, an entire counter-culture industry of virus creation and distribution emerged, leaving us today with several tens of thousands of viruses.
In just over a decade, most of us have been familiar with the term computer virus. Even those of us who don’t know how to use a computer have heard about viruses through Hollywood films such as Independence Day or Hackers (though Hollywood’s depiction of viruses is usually highly inaccurate). International magazines and newspapers regularly have virus-scares as leading stories. There is no doubt that our culture is fascinated by the potential danger of these viruses.
Many people believe the worst a virus can do is format your hard disk. In fact, this type of payload is now harmless for those of us who back up our important data. Much more destructive viruses are those which subtly corrupt data. Consider, for example, the effects of a virus that randomly changes numbers in spreadsheet applications by plus or minus 10% at a stockbroker. Other nasty viruses post company confidential documents in your own name to some of the atlases Internet newsgroups, an act, which can both, ruin your reputation and the company’s confidentiality.
Despite our awareness of computer viruses, how many of us can define what one is, or how it infects computers? This paper aims to demystify the basics of computer viruses, summarizing what they are, how they attack and what we can do to protect ourselves against them.
DEFINITION:-
“A computer virus is a coded program that is written in Assembly or a System programming language such as ‘C’ to deliberately gain entry into a host system and modify existing programs and/or perform a series of action, without user consent. In addition, a virus is designed to replicate copies of itself in order to spread the infection widely among other uninfected programs and systems.”
A virus is nothing more than a program. A virus is a serious problem for everyone in the information technology industry. Viruses range from the harmless programs displaying a character on your screen to the malicious codes which go on to format your entire hard-disk.
Just like a biological virus that takes over a living cell, a computer virus containing a set of coded instructions, also invades a host system and tries to replicate and infect new hosts. A sophisticated virus can spread undetected for a long time, waiting for a signal to begin destroying or altering data. A signal can be in the form of date, or a change in a system resource data, etc.
The difference between a computer virus and other programs is that viruses are designed to self-replicate (that is to say, make copies of themselves). They usually self-replicate without the knowledge of the user. Viruses often contain ‘payloads’, actions that the virus carries out separately from replication. Payloads can vary from the annoying (for example, the WM97/Class-D virus, which repeatedly displays messages such as “I think ‘username’ is a big stupid jerk”), to the disastrous (for example, the CIH virus, which attempts to overwrite the Flash BIOS, which can cause irreparable damage to certain machines).
Many people believe the worst a virus can do is format your hard disk. In fact, this type of payload is now harmless for those of us who back up our important data. Much more destructive viruses are those which subtly corrupt data.
Viruses can be hidden in programs available on floppy disks or CDs, hidden in email attachments or in material downloaded from the web. If the virus has no obvious payload, a user without anti-virus software may not even be aware that a computer is infected.
A computer that has an active copy of a virus on its machine is considered infected. The way in which a virus becomes active depends on how the virus has been designed, e.g. macro viruses can become active if the user simply opens, closes or saves an infected document.
A BRIEF HISTORY OF VIRUSES
Over the past decades, the computer viruses have evolved through numerous avatars. From being rather 'dumb', they have developed into programs exhibiting surprising 'smart¬ness'. We give you an overview of how viruses have devel¬oped over time.
1950'S-1970:THE PRE-HISTORIC PERIOD
The viruses, as we know them now, actually started out in unpretentious surroundings of research laboratories. In the 1950's, researchers studied, what they called as-'Self-altering Automata' programs. Simple program codes were writ-ten to demonstrate rather limited characteristics. In a way, these programs were the pre-historic (in a manner of speaking) ancestors of the modern virus.
In the 1960's computer scientists at the Bell Laboratories had viruses battling each other in a game called Core Wars. The object of the game was to create a virus small enough to destroy opposing viruses without being caught. Like computers, viruses too were studied keeping in mind their military implications. Of course, several research foundations too worked on the non-military uses of viruses.
1970'S-1980:THE EARLY TIMES
This was the time when the term 'VIRUS' gained recognition by moving from the research labs to the living rooms of common users. Science fiction novels in the early 1970's were replete with several instances of viruses and their resultant effects. In fact, an entire episode of the famous science fiction TV series, Star Trek, was devoted to viruses. Around the same time, researchers at the Xerox Corp. demonstrated a self-replicating code they had developed.
By now, the use of computers had proliferated to include most government and corporate users. These computers were beginning to be connected by networks. Several or-ganizations began working on developing useful viruses which could help in improving productivity.
1980'S-1990:THE MIDDLE AGES
While on the one hand, the exponentially increasing use of computers and their availability proved to be a boon to the common users, on the other hand, the ugly faces of compu¬ter viruses also made their appearances. From the compu¬ter-science labs, viruses fell into the hands of cyberpunks -unprincipled programmers; who obtained sadistic pleasures from ruining computer systems across the globe.
Among the earliest instances of malicious uses of viruses was when Gene Burelon a disgruntled employee of a US securities firm, introduced a virus in the company computer network and managed to destroy nearly 1, 68,000 records of the corporate database. In October 1987, the (c) Brain virus, later to be known as the 'Pakistani' virus, was found to be working its way quietly through the computer systems in¬stalled at the University of Delaware. This was probably the first mass distributed virus of its kind. In 1988, the so-called Internet Virus was responsible for the breakdown of nearly 6000 UNIX based computers connected to the Internet network in the US. Other well known viruses that made their appearances were Cascade, Jerusalem, Dark Avenger, etc. During this decade, viruses were written to attack different operating software platforms such as, DOS, MAC, UNIX, etc.
1990'S-2004:THE CURRENT PICTURE
The early part of the 1990's was witness to development of sophisticated strains of existing viruses. It was more of a matching of wits between the developers of viruses and the developers of anti-virus programs. In addition to plugging the loopholes in existing viruses, a new family of viruses called the Macro Viruses also made their appearance. These viruses affected files created in the popular MS Word and MS Excel programs.
The decade of the 1990's has seen more and more virus developers writing stealth virus codes giving rise to sophis¬ticated viruses such as the Zero Hunt virus, the Michael Angelo virus, etc. In addition, viruses written to invade net¬worked environments have also come into being, in line with the increasing use of communication networks. The Year 2000 problem, in all probability, will generate families of new viruses which will come in the guise of Y2K solution pro¬grams.
2005-2015: THE EMERGING SCENARIO
The first decade in the next millennium will see the generation of the 'intelligent viruses' displaying fuzzy logic characteristics. These viruses will be programmed to alter their codes as and when they detect the presence of anti-virus programs. They will not only attack the traditional computer systems and communication networks, but also, software controlled components in cars, trains, air-traffic control systems, defense equipment, etc. The virus developers in all likelihood will include more and more young adolescents and even, children." Viruses will become the new tools of terrorism; giving rise to 'Cyber Terrorists'.
Since Internet will connect the farthest corners of the globe, the time it takes for a virus to proliferate will be greatly reduced. However, on the flip side, special software development tools will be available to common users to automatically develop anti-virus programs to counter most virus threats.
CLASSIFICATION OF VIRUS: -
There are mainly two methods for classification of the viruses. While classifying a particular virus, we have to keep in mind the general, as well as the behavioral aspects of the virus. Most viruses are designed to exhibit a mixture of properties. Hence, a particular virus can be a file virus, a direct action virus, as well as a stealth virus. Or, a virus can be a boot sector virus, a transient virus, as well as a poly¬morphic virus.
GENERAL CLASSIFICATION OF VIRUSES
The viruses are generally classified according to the sys¬tem areas they infect. Refer to the chart in Figure Chapter 2-1 to get an overview of the classification. Please also refer to the
table in Figure Chapter 2-2 to get an idea of the system areas infected by
the various viruses.
Let's take a closer look at the various types of viruses in this classification.
FILE VIRUSES
File viruses are designed to enter your system and infect program and data files. Program files are those files which contain coded instructions, necessary to run or execute software programs. These program files are generally ap¬pended by .COM or .EXE file extensions. However, some file viruses can also infect other executable files, having file extensions such as, .SYS, .OVL, .PRG, .MNU, etc. The program files, most prone to file virus attacks include oper¬ating software, spreadsheets, word processors, games and utilities program files.
The data files, susceptible to virus attacks are those that have been created using popular programs, such as, MS-Word, MS-Excel, etc. Usually, such files are attacked by Macro virus
A file virus, ordinarily enters the system when you copy data or start your system using an infected floppy disk or, download an infected file from a networked system or, use infected software obtained from unauthorized sources.
Once in your system, depending upon the virus code, the virus can either infect other program or data files straightway or, it can choose to hide itself in the system memory (RAM) for the time being. Then, at an appropriate time or if certain system conditions are met, it begins to infect other executed program or data files.
The virus infects a program or a data file by replacing part of the original file code with a new code. This new code is designed to pass the actual control of the file to the virus. The virus normally attaches itself to the end of the host file.
On execution of an infected file by the user, the virus makes sure that the file is executed properly; to avoid sus¬picion. However, it uses this opportunity to infect other files. At the same time, the virus keeps tabs on the various system resources, so that at an appropriate time (depending upon the virus code), it can unleash its destructive activities. It is interesting to note that most viruses do not infect an already infected file. This is to prevent the file from becoming too large. Because then, the system would be compelled to display the message 'Not enough memory,' thus alerting the user to the possibility of a virus attack.
Examples of file viruses are Vienna, Jerusalem, Concept Word Macro virus, etc.,
BOOT SECTOR VIRUSES
A boot sector virus attacks the boot sectors of floppy disks and the master boot records (boot sectors and partition tables) of hard disks. Hence, the boot sector viruses can be sub-divided into the following categories:
• Floppy Disk Boot Sector Viruses:
As the name suggests, these viruses infect the floppy disk boot sectors only.
• Hard Disk MBR Viruses :
These viruses infect the master boot records, that is, the partition tables of the hard disks. These viruses are also designed to infect the boot sectors of the floppy disks.
FILE VIRUSES
File viruses are designed to enter your system and infect program and data files. Program files are those files which contain coded instructions, necessary to run or execute software programs. These program files are generally ap¬pended by .COM or .EXE file extensions. However, some file viruses can also infect other executable files, having file extensions such as, .SYS, .OVL, .PRG, .MNU, etc. The program files, most prone to file virus attacks include oper¬ating software, spreadsheets, word processors, games and utilities program files.
The data files, susceptible to virus attacks are those that have been created using popular programs, such as, MS-Word, MS-Excel, etc. Usually, such files are attacked by Macro virus
A file virus, ordinarily enters the system when you copy data or start your system using an infected floppy disk or, download an infected file from a networked system or, use infected software obtained from unauthorized sources.
Once in your system, depending upon the virus code, the virus can either infect other program or data files straightway or, it can choose to hide itself in the system memory (RAM) for the time being. Then, at an appropriate time or if certain system conditions are met, it begins to infect other executed program or data files.
The virus infects a program or a data file by replacing part of the original file code with a new code. This new code is designed to pass the actual control of the file to the virus. The virus normally attaches itself to the end of the host file.
On execution of an infected file by the user, the virus makes sure that the file is executed properly; to avoid sus¬picion. However, it uses this opportunity to infect other files. At the same time, the virus keeps tabs on the various system resources, so that at an appropriate time (depending upon the virus code), it can unleash its destructive activities. It is interesting to note that most viruses do not infect an already infected file. This is to prevent the file from becoming too large. Because then, the system would be compelled to display the message 'Not enough memory,' thus alerting the user to the possibility of a virus attack.
Examples of file viruses are Vienna, Jerusalem, Concept Word Macro virus, etc.,
BOOT SECTOR VIRUSES
A boot sector virus attacks the boot sectors of floppy disks and the master boot records (boot sectors and partition tables) of hard disks. Hence, the boot sector viruses can be sub-divided into the following categories:
• Floppy Disk Boot Sector Viruses:
As the name suggests, these viruses infect the floppy disk boot sectors only.
• Hard Disk MBR Viruses :
These viruses infect the master boot records, that is, the partition tables of the hard disks. These viruses are also designed to infect the boot sectors of the floppy disks.
A boot sector virus, like other viruses, enters the system when you copy data or start
your system using an infected floppy
disk or, download an infected file from a networked system or, use infected
software obtained from unauthorized
sources.
A boot sector virus typically replaces the boot sector (on the first track of the
disk) with a part of itself. It then hides the rest of the virus code, along with
the real boot sector, on a different area of the disk. In order to avoid detection,
this area is marked as a bad sector
by the virus. A boot sector virus can also
hide itself in the system area of the disk.
From now onwards,
whenever the system is turned on (that is,
booted), the virus is also loaded in the system memory (RAM). The virus ensures that the real boot sector starts the machine normally. After the startup,
the virus takes over and monitors and
controls the critical system resources.
On
completion of a certain time period or after certain system conditions are met, the virus
carries out its designed activities. These activities may range from merely displaying a harmless message on the
screen, to irreversibly crashing your
hard disk.
This type of virus spreads its infection widely by infecting the boot sectors of other
floppy disks inserted in the infected machine. Most boot sector viruses do not infect an already infected disk.
These
viruses can be very complex in character and are capable of seriously jeopardizing the
working of the infected systems. Some of the examples of Boot Sector viruses include Brain, Stone,
Empire, Michelangelo, etc.
Directory Viruses
These
viruses are also called as Cluster Viruses and are programmed to modify the directory
table entries in an infected system.
A directory virus, like other viruses, enters the system when you copy data or
start your system using an infected floppy
disk or, download an infected file from a networked system or, use infected software, obtained from unauthorized sources.
The virus, on
entering your system, resides in the last cluster
of the hard disk. Also, it modifies the starting cluster addresses of all the executable files, by
inserting references to the virus address in the File Allocation Table
(FAT).
The files
themselves are not infected, only their starting cluster addresses are altered, so that every time the file is executed, the virus also becomes active and loads
into the system memory. The virus allows the actual program to proceed unhindered (for the time being) in order
to avoid detection. Also, the virus, when loaded in memory, continues to show the original starting cluster address
of the file, so as to confuse the user. Like other viruses, this type of a virus also disrupts the smooth working of your
system.
These
viruses are very intelligent and spread faster than other classes of viruses. Examples of
these viruses are DIR II, DIR III, DIR BYWAY, etc.
Hoaxes
Psychologists
the world over attributes the proliferation of viruses to the constant human desire
for recognition and admiration from fellow beings. While some virus developers are smart enough to write
and develop innovative viruses (of course,
if they could use their ingenuity for more constructive work, the world would be a better place to live in), there are
others who would not like to waste time on such work. They would rather gain
notoriety in more resourceful ways such as,
simply claiming to have developed a virus; without actually having done
so.
While visiting a BBS or surfing the Internet, one often comes across
information announcing the discovery of a new virus. It is in your interest to
take such information with more
than a pinch of salt. Please do not take this to mean that you have to lower your guard against suspected viruses. Only, you must make it a point to substantiate
the veracity of the information
before taking any action.
Should you come across a suspected hoax regarding a virus, keep in mind the
following checklist while going through the information:
•
Before accepting a statement, find out more about its source. Look for
references that can be cross-checked for authenticity.
•
Most
hoaxes, while deliberately posted, die quick deaths because of their outrageous contents. Try to separate the chaff
(junk) from the grain (contents). Look for technical
details that can be rationalized.
•
Cross-check
the technical details with a known expert in the
subject.
•
Keep track of who else might have received the same information as you. Get in
contact with them to elicit their response
to the information.
•
Look for the location of posting of the 'information. Should the posting be in an inappropriate newsgroup, be
suspicious.
•
Look at the name of the person posting the information. Is it someone who is clearly identifiable and is an
expert in the field?
•
Double check the information with other independent sources such as, other
sites, other BBSs, etc,
To
give you an idea what a hoax looks like, listed below are some of the more notorious hoaxes
that have been floating around in cyberspace.
Good
Times Virus: The information about this virus when reported, sounded like a sincere
warning; issued by naive though, caring users. This virus was supposed to wipe
out the data on the system hard
disk. Some variations of this theme were the
Deeyendra Virus Alert and the Pen Pal Virus Alert- also found to be hoaxes.
Irina Virus:
This was a marketing ploy employed by the UK publishing giant, Penguin Books, to generate
reader interest in the latest release of one
of their books. Despite a subsequent
correction, the virus seemed to have caught the fancy of quite a few computer users.
The Porno GIF Virus:
This virus was purported to be hidden in a pornographic .GIF graphics file and
contained indecipherable text in it. Since such contents are indicative of a
virus or a Trojan program, this hoax was also believed by many to be true.
Macro
viruses
A
macro is an instruction that carries out program commands automatically. Many
common applications (e.g. word processing, spreadsheet, and slide presentation
applications)
make use of macros. Macro viruses are macros that self-replicate. If a user
accesses
a document containing a viral macro and unwittingly executes this macro virus,
it can
then copy itself into that application’s startup files. The computer is now
infected—
a copy
of the macro virus resides on the machine.
Any
document on that machine that uses the same application can then become
infected. If the infected computer is on a network, the infection is likely to
spread rapidly to other machines on the network. Moreover, if a copy of an
infected file is passed to anyone else (for example, by email or floppy disk),
the virus can spread to the recipient’s computer. This process of infection
will end only when the virus is noticed and all viral macros are eradicated.
Macro
viruses are the most common type of viruses. Many popular modern applications
allow macros. Macro viruses can be written with very little specialist
knowledge, and these viruses can spread to any platform on which the
application is running. However, the main reason for their ‘success’ is that documents
are exchanged far more frequently than executables or disks, a direct result of
email’s popularity and web use.
Trojan
horse
A Trojan horse is a
program that does something undocumented which the programmer intended, but
that the user would not approve of if he or she knew about it. According to
some people, a virus is a particular case of a Trojan horse, namely one which
is able to spread to other programs (i.e., it turns them into Trojans too).
According to others, a virus that does not do any deliberate damage (other than
merely replicating) is not a Trojan. Finally, despite the definitions, many
people use the term "Trojan" to refer only to a non-replicating
malicious program.
Parasitic viruses
Parasitic
viruses attach themselves to programs, also known as executables. When a user
launches a program that has a parasitic virus, the virus is surreptitiously
launched first. To cloak its presence from the user, the virus then triggers
the original program to open. The parasitic virus, because the operating system
understands it to be part of the program, is given the same rights as the
program to which the virus is attached. These rights allow the virus to
replicate, install itself into memory, or release its payload. In the absence
of anti-virus software, only the payload might raise the normal user’s
suspicions. A famous parasitic virus called Jerusalem has a payload of slowing down the
system and eventually deleting every program the user launches.
Behavioral Classification of Viruses
In addition to the
general classification, viruses can also be classified according to the
following behavior patterns exhibited by
them:
•
Nature of attack
•
Deception techniques
employed
•
Frequency of infection
The chart in Figure Chapter 2-3 gives an overview of the behavioral classification of viruses.
Nature of Attack
Depending upon the way a virus attacks the various files, it can be classified as
follows:
Direct Action
Virus
A Direct Action virus is one that infects one or more program files; every time
an infected file is run or executed. An example of such a virus is the Vienna virus.
Resident Virus
A Resident virus is one which hides itself in the system memory the first time a
file, infected with this virus, is executed. After a programmed time period or when certain system conditions are met,
the virus becomes active and begins to infect other programs and files. An example of
such a virus
is the Jerusalem
virus.
Deception
Techniques Employed
Depending upon the way a virus
employs the various deception techniques to avoid detection, it can be classified as follows:
Stealth Virus
A Stealth virus is one which hides the modifications made by it to an infected file
or a boot sector. This it does by monitoring the disk input/output requests
made by other programs.
Should a particular program demand to view the infected areas or files on the disk,
the virus ensures that the program reads the original uninfected areas; stored elsewhere on the disk by it.
Hence, the virus manages to remain undetected for as long as possible. The Brain virus is an
'example of a
Stealth virus.
Polymorphic Virus
A Polymorphic virus is one which produces multiple, but varied copies of itself; in
the hope that the virus scanner will not be able to detect all its mutations. This type of
virus carries
out the infection while changing its code by using a variety of encryption
(encoding) techniques. Since a virus scanner would also require a variety of
decryption (decoding) codes in order to decipher the various forms of the virus, the scanning process
becomes cumbersome, difficult and unreliable. The Dark Avenger virus is an example of this
type of virus
Armored Virus
This virus is one
which uses special techniques to avoid its
tracing and detection. An anti-virus program has to take into account the virus code in order to be
effective. An Armored virus is written using a variety of methods so
that disassembling of its code becomes
extremely difficult. However, this also makes the virus size much larger. The
Whale virus is an example of such a virus.
Companion Virus
A
Companion virus is one, which instead of modifying an existing .EXE executable file,
creates a new infected copy of the same file, having the same name; but, with a .COM
file extension.
Hence, whenever the user executes the program file by typing the name of the program at the DOS prompt, the COMMAND.COM file (the Command Interpreter)
loads the infected copy of the file.
This happens because the .COM files
get precedence over the .EXE files. Since in this case, the original file
remains unchanged, the virus scanner checking
for modifications in the existing files, would fail to notice the virus.
Multipartite/Boot-and-File Virus
This type of virus
infects the boot sector as well as the program
files. Such viruses usually exhibit dual characteristics. For example, a file virus of this category
can also infect the system boot
sector and vice-versa. Hence, such a virus becomes difficult to identify. The Tequila virus is an example of
such a virus.
Batch File Virus
This
type of virus is embedded into an especially written batch file. The batch file
in the guise of carrying out a set of instructions in a particular sequence, actually uses the opportunity to
copy the virus code to other batch files. Fortunately, such viruses are not common.
Cavity Virus
Some
program files have empty spaces inside them, for a variety of reasons. A Cavity virus
uses this empty space to install
itself inside the file, without in anyway altering the program itself.
Since the length of the program is not increased, the virus does not need to employ
complex deception techniques. However such viruses are rare. The Lehigh virus is an example of such a virus.
Camouflage Virus
This type of virus is masked to look like a harmless virus-like code; a code that an
anti-virus software is likely to ignore. Most anti-virus scanners have a built-in database
of virus code data strings. Hence,
while scanning a system, there is always a
distinct possibility of a false alarm being raised by the scanner. This is particularly so when a system has more than one type of scanner installed in it.
Thus, in order to avoid
panic reactions by users, most signature based
virus scanners are designed to ignore virus codes that meet certain predetermined conditions. A Camouflage virus uses this chink in the anti-virus
program's Armour to fool it by
disguising itself as a harmless virus-like code and thus, escaping detection. Fortunately, most modern
scanners check and cross-check a set of parameters before declaring a file to be virus free. Hence, it is difficult to hide such a virus; with the result that these
viruses are not widely found.
Tunneling Virus
An
anti-virus interception program keeps track of the system resources in order to detect
the presence of a virus. It
monitors the interrupt calls made by the various devices. A tunneling virus
pre-empts this process by gaining direct access
to the DOS and BIOS interrupt handlers. This it does by installing
itself under the interception program. Some anti-virus
scanners are able to detect such an action and may attempt to reinstall
themselves under the virus. This results in
interrupt wars between the virus and the anti-virus program, thus resulting in a hung system.
Frequency of Infection
A virus is
programmed to propagate copies of itself by spreading the infection to other
files within the system. A virus can also be classified according to the frequency
with which it spreads the
infection.
Fast Infector Virus
This type of
virus is one which when active in system memory,
not only infects the executed program files, but also, all files that
are merely opened. With such a virus in 1 memory,
should a scanner be in operation, it would result in all the files getting infected within a short
period of time.
Slow
Infector Virus
This
type of virus, when in system memory, infects only those files which are created or
opened. Hence, the user is fooled
into thinking that the changes in the file size, as reported by the virus scanner, are due to legitimate reasons.
Sparse Infector Virus
This
type of virus is designed to infect other files, only occasionally. For
example, the virus may infect every 10th executed file, or only those files
having specific lengths, etc. By infecting less often, such viruses minimize the
possibility of being discovered.
Stages in the Life
Cycle of a Virus
The
entire life cycle of a virus can be divided into the following stages.
Creation
In
this stage, a systems programmer creates the
virus by writing
its program code; using either Assembly language or a systems programming language such as
'C'. Usually, Assembly language code is the preferred choice of most virus programmers.
Various software-writing tools, available off-the-shelf or on various BBSs and
Internet sites, can be used to write the virus code. The entire exercise can
take anywhere from a few days to a couple of weeks to complete.
Gestation
This refers to the stage wherein the virus developer secretly introduces the Virus
into the outside world. This is done in a variety of ways. One way is to bundle the virus
with a useful software utility or a
games program and offer it to unsuspecting users. Another way involves
introducing the virus through a network such as a public BBS, a company LAN or
the Internet.
Propagation
Viruses
are designed to replicate copies of themselves and spread the infection
exponentially, For example, one infected system infects two other systems, which in turn
infect four
systems and so on. Before you know it, an entire chain of infections is in progress.
In this stage, an infected system spreads the infection to other
systems through the use of infected floppy disks and also by transferring
infected files over a network. A network is the fastest way of spreading a
virus. A 'good' virus design provides a virus with enough time to spread the infection
widely,
before being activated.
Activation
This is the stage where a virus becomes active and proceeds to carry out the
designed activity. When and how a virus becomes active, depends on the 'trigger'
mechanism of
the virus. This 'trigger' may be in the form of a particular date (for example, on the
12th of June - the Independence
Day of the Philippines) or,
when certain system conditions are met (for example, after opening the 10th file).
The effects of the virus activity may range from simply displaying a harmless
message on the screen, to completely formatting the hard disk and thus erasing
all data on it. Some viruses, while not causing any outward damage, may use up scarce system resources
such as RAM; thus slowing down the computer.
Discovery
This is when a user notices the virus and successfully isolates it. When a virus
has managed to propagate widely and infect a number of other systems, there may
be several users,
who individually or collectively, discover the presence of the virus. Usually,
this stage is reached after the Activation stage. However, there have been
cases where enterprising users have detected a virus even before it has had the time to activate
itself.
As
a rule of thumb, a virus is usually discovered at least a year before it has had
the opportunity of becoming a major threat.
Assimilation
After
a virus is discovered and the information about it publicized, developers of anti-virus
software analyze the virus code and develop vaccines for its detection and eradication. At times, even
individual users may be able to devise vaccines for the virus.
Depending
upon the complexity of the virus code and the efforts put into the process,
developing a vaccine for a virus may take anywhere from a day to six months. Competent anti-virus software
professionals have been known to develop vaccines for a new virus within 48 hours.
ERADICATION
If sufficient numbers of anti-virus software developers are able to develop programs that detect and eradicate the virus; and if adequate numbers of users are able to buy and use these programs, then, the virus ceases to be a major threat and is considered to be eradicated.
While, no virus has been known to disappear completely, however, due to constant progress made in improving the effectiveness of the various anti-virus programs, quite a few viruses have ceased to be major threats to the average computer users.
We would like to bring to the notice of our readers the fact that just because a virus has been eradicated, it is not the end of the story. An adamant virus developer can once again use his ingenuity to develop a different 'strain' of the same virus or a different virus altogether. And then, the entire cycle is repeated. There have been numerous cases where a harmless virus has been fine-tuned by successive virus developers, to develop into an intelligent, but dangerous program.
You can well imagine the extent of the virus problem if you think about thousands of virus writers churning out a variety of new viruses or modifying existing viruses; for introduction to the outside world.
SYMPTOMS OF A VIRUS INFECTION
Viruses by nature are designed to spread unnoticed as much as possible; before carrying their payload (that is, before carrying out their activities). However, before those happens, there are a variety of symptomatic indications, there are a variety of symptomatic indications that can be used to spot the infection. An eye trained to judge these early warning signs can notice the following subtle and not-so-subtle changes:
1. Unusual messages and graphics and graphics appear on your screen for inexplicable reasons.
2. Music, not associated with any of the current programs, begins to play for no reason at all.
3. You suddenly find that some of your program and/or data files have either been corrupted, or they have become difficult to locate.
4. Your disk volume label has been changed mysteriously.
5. Unknown files or sub-directories have been created.
6. Your computer begins to run rather slowly.
7. Your hardware devices begin to exhibit unusual behavior.
8. Some of your executable files have had the sizes and/or dates changed.
9. Some of the interrupt vectors have changed.
10. The sizes of total and free system memory have changed unexpectedly.
While these are some of the common indications confirming a virus infection, the only foolproof way and expert can actually analyze the infection is to study the assembly code containing in all programs and systems areas, using utilities such as, Debug.exe.
A non-expert user if DOS-5.0 and above, can also try his/her hand at playing the detective; by using a combination of the SCANDISK/CHKDSK and MEM programs to analyze the various program files (for more details, face to face with Viruses).
Mac users can use the ‘info’ options, along with the ResEdit for more details about the memory use. However the least risky way to go about detecting the virus infection is by using the latest risky way to go about detecting the virus infection is by using the latest upgrade of a good quality anti-virus software.
QUALITIES OF A VIRUS :-
While creating a virus, the developer generally pay attention to the following qualities that every viruses have. The below is the list of the qualities that every viruses have :
1. A virus must incorporate a replicating routine so as to duplicate itself and spread infection or multiple carriers. These carriers are usually hard disk and floppy-disk data structures (boot sectors, partition tables, program and data files).
2. A virus should be able to install itself in the memory (RAM), from where it can keep an eye on the various systems resources and carry out its activities; without being hindered or detected by routine system functions (for example, while booting, an MBR virus will let the original boot sector start the computer, and then, take control).
3. A virus has a trademark trigger routine (also called as its payload), which is essentially a collection of coded instructions that direct the virus to carry out a certain virus activity (or a series of activities) after a certain time period, or after a certain system events. For example, the Raindrop starts to randomly drop characters on the screen. Some viruses carry out more sinister actions such as, destroying hard disk data.
4. Some viruses have an encryption routine that is programmed to scramble the actual virus code. This is done to escape detection by signature based antivirus scanners. Usually, masking the actual code does this and making it seems as a harmless program.
5. Polymorphic viruses are particularly hard to detect since in addition to normal virus qualities, they also have a mutation engine that creates different encryption in routines after every infection. Hence, ordinarily signature based scanners, due to their limited storehouse of virus signatures, cannot detect such viruses.
6. Most viruses are designed to exhibit some sort of stealth characteristics, to avoid detection. For example, a virus may employ certain techniques to avoid returning the actual memory values after the user has run CHKDSK or MEM programs. Other viruses may let the user view the original uninfected potions of a file, stored elsewhere; thus, avoiding detection portions as possible. Yet other viruses are designed to hide behind TSR and Device Driver programs loaded through AUTOEXEXC.BAT and/ or CONFIG.SYS files (it is due to this, that you are at times asked to start your systems using a clean, bootable system Disk).
HOW VIRUS WORKS?
Computer viruses are the "common cold" of modern technology. They can spread swiftly across open networks such as the Internet, causing billions of dollars worth of damage in a short amount of time. Five years ago, the chance you'd receive a virus over a 12-month period was about 1 in 1000; today, your chances have dropped to about 1 in 10. The vital statistics:
• Viruses enter your system via e-mail, downloads, infected floppy disks, or (occasionally) hacking.
• By definition, a virus must be able to self-replicate (make copies of itself) to spread.
• Thousands of viruses exist, but few are found "in the wild" (roaming, unchecked, across networks) because most known viruses are laboratory-made, never released variations of common "wild" viruses.
• Virus behavior can range from annoying to destructive, but even relatively benign viruses tend to be destructive due to bugs introduced by sloppy programming.
• Antivirus software can detect nearly all types of known viruses, but it must be updated regularly to maintain effectiveness.
HOW VIRUSES SPREAD QUICKLY?
A verity of complex, inter-linked factors are responsible for making a virus spread quickly and widely. Chiefly, the factors responsible for propagation of viruses are :
1. The number of target computer users influences the spread of viruses. The larger the users base, the more widespread and quicker the virus infection would be.
2. Usually, a virus is introduced to the outside world bundled with popular software programs. The more popular software programs, the faster are the spread of the virus.
3. The level of software piracy also influences the spread of viruses. The greater the incidents of piracy, the quicker the proliferation of viruses.
4. The level of ignorance (about good computing practices) among computer users also influences the spread pf viruses.
5. The complexity and characteristics of the virus code also helps spread a virus effectively. Some viruses due to their code, are able to spread unchecked for a long time.
6. The effectiveness of good quality anti-virus software help in solving down the spread by viruses.
7. More and more computer users these days are linked to one another through networks, BBSs and on-line services such as the internet. While such.
ANTI-VIRUS: -
In the above topics we have learned about the different viruses, their qualities, their work, spreading techniques etc. Now in this topic we are going to learn about the Anti-Virus technology. This is very important to read and learn to save our computer and our important data from the different types of viruses.
1.1) DEFINITION:-
“A specialized utility program, which is used to detect, eradicate and prevent viruses”
Now what actually anti-virus is? As I stated above in the definition that it is also a user made program, which is not harmful as the virus, but it is totally opposite to the virus. It prevent us from the viruses and other malicious codes that are harmful to our computer as well as our data.
DIFFERENT ANTIVIRUS TECHNOLOGIES FOR SERVER
There are currently two technologies used by antivirus products for servers in corporate Notes/Domino environments: Hook Driver and the new Extension Manager.
This document aims to analyze the differences in functionality and implementation of these technologies in corporate Notes/Domino environments.
HOOK DRIVER: -
Hook Driver is the first and oldest antivirus technology provided for scanning and disinfecting document databases in Notes and Domino environments. Antivirus products based on Hook Driver technology hook onto the Notes system and monitor its tasks. The antivirus has to recognize when the server has performed a task and intercept this task and its content (mail or document) in order to scan and, if necessary, disinfect it. Although Hook Driver technology has a way of hooking onto the server databases, the fact that it does not offer a functional interface integrated with the Router (MAIL.BOX) represents an important limitation. In the case of antivirus products that scan the document and Router (MAIL.BOX) databases, the antivirus based on Hook Driver needs to extract documents and mail from the Notes system, scan and disinfect them and then reinsert them in the Notes / Domino environment mail flow.
Another limitation of this technology is that the antivirus can only hook the task that manages the normal user databases and not other tasks such as:
• Mail Router
• Replication between servers tasks
• HTTP (Domino) server
• Other server tasks
In order to scan these tasks, in particular the mail Router, it is necessary to create procedures that are not recommended by the manufacturer Lotus. The commercial antivirus solutions for Notes/Domino servers that use Hook Driver technology are: McAfee, Symantec, Trend Micro and Sybari. We are now going to examine the consequences of using an antivirus product based on Hook Driver technology.
The risks involved in using Hook Driver technology in antivirus products for Notes or Domino servers are quite significant, above all because of the load and limitations this technology presents when natively accessing server tasks. The main risks are as follows:
Difficult to install: one of the characteristics of using Hook Driver technology is that the clients (network administrators) need to manually create a Cross Certificate for each server in which they want to install the antivirus. A Cross Certificate is a digital authorization that a company generates in order to allow another entity to access its Notes servers. In other words, the antivirus manufacturer needs authorization to be able to access the company’s servers, with the security problem that this involves. In addition, creating cross certificates is not an easy task and as this process must be carried out in each server, it makes the task of installing the antivirus in servers more difficult.
Unnecessary load on the server: the antivirus solutions that use the Hook Driver technology extract documents from the Notes system, copy them to a temporary file in the hard disk, scan and disinfect them in the hard disk and then reinsert them in the Notes system flow. All of these read and write disk operations significantly slow down the performance of the Notes / Domino servers.
Corrupt messages in the Router: as the Hook Driver technology does not have an antivirus interface integrated with the Router, the antivirus solutions based on this technology need to create an additional task that accesses the MAIL.BOX in the Notes system. This additional task searches for new messages in the original MAIL.BOX queue every portion of a second. If it finds one, it scans and disinfects the message using the following process:
• Marks the message as ‘dead’ in the original MAIL.BOX.
• Figures out that the message must be scanned.
• Extracts the attached file to a temporary file in the hard disk.
• Scans the file in the hard disk, where it will also be disinfected if necessary.
• Reinserts the file in the MAIL.BOX document.
• Removes the ‘dead’ mark.
Figuring out that there´s a new message in the Router and marking it as dead has to be done quickly (faster than the Router) so that the antivirus can get to it before the Router hooks it in order to send it. There is a risk that the Router could hook the message from the queue before the antivirus can mark it as dead.
The Router (MAIL.BOX) is not designed to be accessed by several tasks at the same time, which means that Hook Driver antiviruses are breaking this ‘rule’ of Notes / Domino functionality, therefore the probability of the database being corrupted is quite high, as there are two tasks modifying the database and they could corrupt the indexes. Below is an example of a typical scenario:
• The Router recognizes the message as ‘live’.
• At the same time, the antivirus marks it as ‘dead’.
• As the Router thinks that it is live it tries to route it, but it has already been marked as dead, which means that a message marked as dead reaches the next server. This message will be permanently blocked in the next server.
Altering the process of the Router like this could result in queue backlog problems.
Difficult to manage: the antivirus solutions for Notes / Domino environments based on the Hook Driver technology cannot truly be managed remotely and centrally, as the antivirus must be installed in each server one by one, in the majority of cases from the server console itself. In addition, some of them do not have an administration interface and in order to make simple changes to the antivirus configuration, files such as NOTES.INI must be modified manually.
Reliability: if an antivirus based on Hook Driver has a problem with the databases (not only because of the antivirus, but also because of corruption, due to a problem with cross certification, etc), the Hook Driver technology will cause the whole server to block. In other words, the antivirus operations are not independent of the Notes server.
EXTENSION MANAGER
‘Extension Manager’ is the most modern system developed by Lotus that allows a program to be run natively in a Notes or Domino server. The main difference between Extension Manager technology and Hook Driver is the high level of integration that Extension Manager allows in server tasks (in databases, Router and other server tasks). In the case of antivirus programs, the Notes/Domino server itself informs the antivirus when to carry out its tasks. An antivirus that uses Extension Manager technology allows all databases and all of the other server tasks to be protected natively, while those that use Hook Driver technology can only protect the task that manages the user databases, but not the task of the Router, Replication, etc. The access of Hook Driver technology is limited to three events, while Extension Manager accesses more than 160 events.
An antivirus that uses Extension Manager integrates perfectly in the Notes / Domino system, acting as another system thread rather than an external application that has to monitor and interrupt the Notes operations and processes every time it needs to act.
There are significant advantages to using this new technology in antivirus products for servers. We will look at some of the main advantages in more detail:
Easy to install: with Extension Manager technology it is not necessary to manually create cross certificates for each server that needs protecting. Thanks to this advancement, it is possible to install, configure and manage the server antivirus in a way that is truly centralized and remote.
Optimized performance: thanks to the combined use of Panda Software’s Virtual File technology and Extension Manager technology, the antivirus can scan absolutely all traffic (documents and mail) in memory. Hook Driver technology however, needs to extract the files to a temporary file in the hard disk, which significantly slows down the server. The antivirus based on Extension Manager optimizes server performance by quickly scanning in memory.
Native integration in the Router: Extension Manager technology natively integrates external applications in the Router, which is non-existent in Hook Driver technology. The difference is huge, above all in terms of server performance and mail scan efficiency.
Centralized and remote administration: as cross certificates do not need to be created manually between each server and with the antivirus manufacturer, the solution based on Extension Manager allows the antivirus to be managed (installed, configured, updated, monitored, etc.) in a way that is truly automatic, centralized and remote.
“Panda Antivirus for Notes / Domino is, as of today, the first and only antivirus on the market to use Extension Manager technology, recommended by Lotus.”
Index
ANTIVIRUS TECHNOLOGIES FOR EXCHANGE SERVER
ANTIVIRUS API (AVAPI 1.0)-MCAFEE, TREND, SYMENTEC
ScanMail and Norton use both AntiVirusAPI (AVAPI 1.0) and MAPI technologies. Although they market this as an advantage, they are actually loading two residents (Services under Windows NT) in each server instead of one. This considerably reduces server performance. Although the antivirus can be managed remotely through these products, it can only be managed in one server at a time. These products are not designed for large scale installation with remote offices and WAN links. Neither of these products can scan the content of RTF, HTML or RTFHTML messages, nested messages or embedded OLE objects. As these products rely on the first version of the AntiVirusAPI (AVAPI 1.0), these antivirus products cause many problems not only when detecting viruses, but also limiting functionality and performance of the Exchange server. Many of the problems that these antivirus products can cause are documented in the Knowledge Base on the Microsoft web site, for example:
• Information Store Crashes When Using Antivirus Application Programming (AVAPI)
• Internet Mail Service Does Not Deliver Message After You Install Virus Scan Software
• Inaccessible attachments
• Messages that seem to be stuck in the Outbox
• Autoforward Rules May Be Disabled When Using Antivirus API
• Increased latency of directory and public folder replication
• Offline folder (*.ost) synchronization time-outs
• Move Mailbox Utility Does Not Work When Antivirus API Is In Use
If you are considering a move to third-party products that use the antivirus API, you must be aware that issues may arise that may seem related to performance of the information store. Based on the architecture of the antivirus API, the speed at which attachments are scanned is bound by the vendor's implementation of the scanning DLL. In addition, because third-party vendor's solutions run in process with the information store service, issues (such as memory or processor use and access violations in the Store.exe program) may become harder to troubleshoot because there is no way to distinguish between the information store and the vendor's DLL.
ESE API –SYBARI,TREND
Sybari and Trend use a series of undocumented calls to the Microsoft ESE API. What they do is to hook the Exchange server .EDB file. Although this method has its advantages by scanning the read and write methods of files, it also runs more risks than other antivirus products. Curiously the biggest criticism of this technology comes from Microsoft, who say in one of their web pages on antivirus strategies for Exchange server: No software or hardware should preempt or modify the Exchange Server services´method of reading to and writing from the data files. This might cause the Exchange Server
services to stop working or corrupt the data files. Sybari is not an antivirus manufacturer. It uses third party antivirus scan engines, which means that the client indirectly depends on other companies for updates, virus alerts and technical support for problems with the scan engine. For obvious reasons, there have been rumors that Microsoft will not support Exchange clients who have Sybari Antigen installed.
MAPI - PANDA ANTIVIRUS FOR EXCHANGE SERVERINDEX
It is the most effective and best performing antivirus solution for companies and institutions of all sizes. Panda has implemented advanced antivirus functionalities and techniques that offer stability and performance required by the most demanding corporate Exchange installations.
Our antivirus is optimized for better server performance. Through the use of MAPI, it achieves better server performance than other antivirus solutions. This is due to the fact that antivirus solutions based on AVAPI 1.0 completely stop the functioning of the Exchange server until the antivirus returns the messages. The Panda Antivirus for Exchange Server solution offers the most centralized management of Exchange servers available on the market. From Panda Administrator it is possible to remotely install, configure and update multiple Exchange servers at the same time from the network administrator’s workstation. Other solutions can only manage the antivirus protection of Exchange servers one by one. Panda detects viruses in places other antivirus solutions can’t reach: body of messages in any format (such as RTF, HTML y RTFHTML), embedded OLE objects, and many more compressed formats and nested messages at all levels. There is a mistaken concept in the market about antivirus products based on MAPI, as it is often said that outgoing messages slip past them. Although this may be true for other antivirus solutions based on MAPI, this is not true for Panda, as we offer the only antivirus based on MAPI that as well as disinfecting the Information Store, also scans and disinfects the Internet Mail Connector (the SMTP stack), protecting both incoming and outgoing mail in real-time. Panda Antivirus for Exchange Server includes a heuristic scan engine for detecting unknown DOS, Win32 and Macro viruses. Other products do not include a heuristic scan or only scan one of these three types of files. In their web site Microsoft refers to a model installation of Exchange Server in a large organization. About the antivirus solution for the installation they say: “The solution suggested [...] is to install the Panda corporate anti-virus system, because of its level of integration with Microsoft Exchange.” Panda Antivirus integrates its own technology for intelligent CPU monitoring, called AutoTuning. Thanks to this technology we optimize server performance to the maximum during on-demand scans, without interfering in the slightest way with the normal operations of Exchange.Panda Software works in collaboration with Microsoft on many occasions, providing antivirus know-how to Microsoft developments, such as Virus Scanning API (VSAPI 2.0), which Microsoft is going to launch with Service Pack 1 for Exchange 2000. This collaboration offers clients Panda solutions that are totally compatible and perfectly integrated in Exchange environments.
VIRUS SCANNING API (VSAPI) – PANDA ANTIVIRUS FOR EXCHANGE 2000
Panda Software has been working in collaboration with Microsoft for over a year, promoting the new technology Virus Scanning API (VSAPI 2.0) available with Service Pack 1 of Exchange 2000.
Panda Software is using VSAPI 2.0 in the new Panda Antivirus for Exchange 2000, whose Beta version release will be announced soon. In this way and by responding to market demand, we provide administrators with the two antivirus solutions that use the most advanced technology, thereby demonstrating the continuous commitment to antivirus protection for e-mail of Panda Software:
Panda Antivirus for Exchange Server (MAPI): Exchange 4.0/5.0/5.5
Panda Antivirus for Exchange Server (VSAPI 2.0): Exchange 2000*
HOW EFFECTIVE IS AN ANTI-VIRUS SOFTWARE IS?
A good quality anti-virus is certainly and effective may to safeguard your system against virus attacks. However, even the best of such programs suffer from the following disadvantages:
1. An anti-virus software is only as good as the methodology used by it to detect virus and virus-like activities. If your anti-virus program does not incorporate the latest virus detection techniques, your may leave yourself open to virus attacks.
2. Most anti-virus programs, among other criteria store a database of virus strings. These strings are used to detect the presence of a virus. Should the program come across a virus string it does not detect, then, there are chances that you may not be forewarned of an actual virus attack.
3. An exceptionally ‘intelligent, virus may succeed in breaching your anti-virus software defenses.
4. To ensure that your anti-virus software provides you with the best possible security, please keep in mind the following facts :
5. Use good quality anti-virus software packages that incorporate exhaustive virus detection modules.
6. Use only licensed copies of anti-virus programs.
7. Use anti-virus software that provides you with regular and timely upgrades.
8. If possible, use anti-virus software from more than one developers, to regularly scan your hard disk. However, beware of the possible false virus detection messages that one virus scanner may display while scanning another.
9. Make use of the rest of the useful anti-virus utilities that might come packed with the software, Each utility is designed to increase your data security.
10. Rather than using your anti-virus software as a standalone line of defense, for maximum effectiveness. Make to a part of the overall data security strategy.
COULD ANTI-VIRUS PROGRAM ITSELF BE INFECTED?
Surprisingly The executable code of an anti-virus program can be infected by an exceptionally clever virus. However, since such a happening is rate, you must be very sure about the true by nature of the infection before sounding an alarm about your anti-virus program.
You must make sure that your have obtained your program from an authentic source. Use a clean. Bootable system. Now, use the original, write protected anti-virus floppy disk to
Check the installed copy of the program on your hard disk (make sure that the anti-virus program on the floppy disk is of the same version as that being checked on the hard disk).
Alternately, your can use another anti-virus scanner (from another developer) to check for infection in the program under investigation, When you use one anti-virus scanner to check another for infections, you have to take into account the following facts:
1. Since anti-virus scanners contain database of virus signature strings while using two different anti-virus scanners, each now might falsely indicate the other to be infected. This is particularly so if the signature strings are not encrypted.
2. Should a scanner fail to remove strings from memory, after it terminates its operation; another anti-virus scanner might raise an alarm while scanning the system memory.
3. Some anti-virus programs add a special; code or data to a program to protect its integrity. Another anti-virus scanner might detect this additional data as a virus attack on the file and thus raise an incorrect alarm. Hence, while it is good practice to use anti-virus scanners from two different developers, you must be aware of the pitfalls in the practice.
4. The best course of action, should you suspect anti-virus program to be infected, is to send a copy if the program on a floppy disk, to the developer if the program for confirmation.
QUALITIES OF AN ANTI-VIRUS PROGRAM
Just as a virus developer aims at incorporating certain characteristics in a virus, an anti-virus program developer also attempts to compile d\certain properties in their virus detection and removal software.
Among some of the qualities that anti-virus programs are expected to have are :
1. An anti-virus program should be able to disable a virus that is resident in system memory. This is extremely important because should an anti-virus program succeed in removing a virus directly from the storage media only, it should subsequently reemerges and continue the infection process, Pardon the analogy, but a virus attack is like cancer, you leave an infected cell in the body and soon you leave an infected cell in the body and soon you find that the disease has spread to other organs.
2. Detect and remove viruses form system partition table and boot sector (should you computer be infected by an MBR of a boot sector virus). Some viruses (that is, multipartite viruses) infect the system partition table and program files. An anti-virus program must be able to first disinfect the partition table and restore disk partition information, and later, clean program files too. As if this were not enough, during an attack by a particular mischievous virus such as, one half, the software is also required to decrypt the hard disk so as not to lose precious data.
3. Detect and remove viruses form infected program files. This is usually done in two ways :
(a) By performing a signature scan for all known strains of viruses. Should the scanner detect one or more of such viruses, it proceeds to remove them. However, such a scanner cannot detect a polymorphic virus with its ever-changing encryption routines.
(b) By performing a rule-based heuristic scan; to detect unusual changes being made to system resources and files. Such a scan is genetic in nature and is helpful in removing a vast array of viruses.
However, for optimum security (at satisfactory scanning speeds), most anti-virus programs use a combination of both types of scanning.
As you must have notices by now, there is a constant cat-and-mouse game between the virus writers and the antivirus developers. There have been times when a virus writer has purposely written a virus to mislead a particular antivirus product.
LIMITATIONS OF ANTI-VIRUS PROGRAMS
Even if you regularly use anti-virus programs to scan your systems, you should be aware of their limitations in providing you with complete security. These limitations are:
1. Most signature based anti-virus scanners have a limited in-built database of virus signatures. Hence, such scanners are unable to detect of the unusual viruses.
2. Since anti-virus programs do not provide 100% safety, they tend to inculcate a false sense of security among users.
3. Most scanners are unable to keep up with the new and sophisticated viruses.
4. Previous versions of an anti-virus scanner will not be able to detect new viruses; hence, regular upgrades are necessary.
5. Most scanners do not automatically scan on-line information for viruses. Hence if you regularly download files from on-line sources, you are open to virus attacks.
6. A virus scanner opens other files to check for viruses. Some viruses are designed to infect all open files. Should you computer be infected with such a virus, on running you computer be infected with such a virus, on running a scanner , all you files may inadvertently be infected.
7. At times, even if an anti-virus scanner detects an activated virus, most of the damage to your program and data files is already done.
8. Most anti-virus scanners may not always be able to track sophisticated self-altering virus programs (Such as a polymorphic virus).
If sufficient numbers of anti-virus software developers are able to develop programs that detect and eradicate the virus; and if adequate numbers of users are able to buy and use these programs, then, the virus ceases to be a major threat and is considered to be eradicated.
While, no virus has been known to disappear completely, however, due to constant progress made in improving the effectiveness of the various anti-virus programs, quite a few viruses have ceased to be major threats to the average computer users.
We would like to bring to the notice of our readers the fact that just because a virus has been eradicated, it is not the end of the story. An adamant virus developer can once again use his ingenuity to develop a different 'strain' of the same virus or a different virus altogether. And then, the entire cycle is repeated. There have been numerous cases where a harmless virus has been fine-tuned by successive virus developers, to develop into an intelligent, but dangerous program.
You can well imagine the extent of the virus problem if you think about thousands of virus writers churning out a variety of new viruses or modifying existing viruses; for introduction to the outside world.
SYMPTOMS OF A VIRUS INFECTION
Viruses by nature are designed to spread unnoticed as much as possible; before carrying their payload (that is, before carrying out their activities). However, before those happens, there are a variety of symptomatic indications, there are a variety of symptomatic indications that can be used to spot the infection. An eye trained to judge these early warning signs can notice the following subtle and not-so-subtle changes:
1. Unusual messages and graphics and graphics appear on your screen for inexplicable reasons.
2. Music, not associated with any of the current programs, begins to play for no reason at all.
3. You suddenly find that some of your program and/or data files have either been corrupted, or they have become difficult to locate.
4. Your disk volume label has been changed mysteriously.
5. Unknown files or sub-directories have been created.
6. Your computer begins to run rather slowly.
7. Your hardware devices begin to exhibit unusual behavior.
8. Some of your executable files have had the sizes and/or dates changed.
9. Some of the interrupt vectors have changed.
10. The sizes of total and free system memory have changed unexpectedly.
While these are some of the common indications confirming a virus infection, the only foolproof way and expert can actually analyze the infection is to study the assembly code containing in all programs and systems areas, using utilities such as, Debug.exe.
A non-expert user if DOS-5.0 and above, can also try his/her hand at playing the detective; by using a combination of the SCANDISK/CHKDSK and MEM programs to analyze the various program files (for more details, face to face with Viruses).
Mac users can use the ‘info’ options, along with the ResEdit for more details about the memory use. However the least risky way to go about detecting the virus infection is by using the latest risky way to go about detecting the virus infection is by using the latest upgrade of a good quality anti-virus software.
QUALITIES OF A VIRUS :-
While creating a virus, the developer generally pay attention to the following qualities that every viruses have. The below is the list of the qualities that every viruses have :
1. A virus must incorporate a replicating routine so as to duplicate itself and spread infection or multiple carriers. These carriers are usually hard disk and floppy-disk data structures (boot sectors, partition tables, program and data files).
2. A virus should be able to install itself in the memory (RAM), from where it can keep an eye on the various systems resources and carry out its activities; without being hindered or detected by routine system functions (for example, while booting, an MBR virus will let the original boot sector start the computer, and then, take control).
3. A virus has a trademark trigger routine (also called as its payload), which is essentially a collection of coded instructions that direct the virus to carry out a certain virus activity (or a series of activities) after a certain time period, or after a certain system events. For example, the Raindrop starts to randomly drop characters on the screen. Some viruses carry out more sinister actions such as, destroying hard disk data.
4. Some viruses have an encryption routine that is programmed to scramble the actual virus code. This is done to escape detection by signature based antivirus scanners. Usually, masking the actual code does this and making it seems as a harmless program.
5. Polymorphic viruses are particularly hard to detect since in addition to normal virus qualities, they also have a mutation engine that creates different encryption in routines after every infection. Hence, ordinarily signature based scanners, due to their limited storehouse of virus signatures, cannot detect such viruses.
6. Most viruses are designed to exhibit some sort of stealth characteristics, to avoid detection. For example, a virus may employ certain techniques to avoid returning the actual memory values after the user has run CHKDSK or MEM programs. Other viruses may let the user view the original uninfected potions of a file, stored elsewhere; thus, avoiding detection portions as possible. Yet other viruses are designed to hide behind TSR and Device Driver programs loaded through AUTOEXEXC.BAT and/ or CONFIG.SYS files (it is due to this, that you are at times asked to start your systems using a clean, bootable system Disk).
HOW VIRUS WORKS?
Computer viruses are the "common cold" of modern technology. They can spread swiftly across open networks such as the Internet, causing billions of dollars worth of damage in a short amount of time. Five years ago, the chance you'd receive a virus over a 12-month period was about 1 in 1000; today, your chances have dropped to about 1 in 10. The vital statistics:
• Viruses enter your system via e-mail, downloads, infected floppy disks, or (occasionally) hacking.
• By definition, a virus must be able to self-replicate (make copies of itself) to spread.
• Thousands of viruses exist, but few are found "in the wild" (roaming, unchecked, across networks) because most known viruses are laboratory-made, never released variations of common "wild" viruses.
• Virus behavior can range from annoying to destructive, but even relatively benign viruses tend to be destructive due to bugs introduced by sloppy programming.
• Antivirus software can detect nearly all types of known viruses, but it must be updated regularly to maintain effectiveness.
HOW VIRUSES SPREAD QUICKLY?
A verity of complex, inter-linked factors are responsible for making a virus spread quickly and widely. Chiefly, the factors responsible for propagation of viruses are :
1. The number of target computer users influences the spread of viruses. The larger the users base, the more widespread and quicker the virus infection would be.
2. Usually, a virus is introduced to the outside world bundled with popular software programs. The more popular software programs, the faster are the spread of the virus.
3. The level of software piracy also influences the spread of viruses. The greater the incidents of piracy, the quicker the proliferation of viruses.
4. The level of ignorance (about good computing practices) among computer users also influences the spread pf viruses.
5. The complexity and characteristics of the virus code also helps spread a virus effectively. Some viruses due to their code, are able to spread unchecked for a long time.
6. The effectiveness of good quality anti-virus software help in solving down the spread by viruses.
7. More and more computer users these days are linked to one another through networks, BBSs and on-line services such as the internet. While such.
ANTI-VIRUS: -
In the above topics we have learned about the different viruses, their qualities, their work, spreading techniques etc. Now in this topic we are going to learn about the Anti-Virus technology. This is very important to read and learn to save our computer and our important data from the different types of viruses.
1.1) DEFINITION:-
“A specialized utility program, which is used to detect, eradicate and prevent viruses”
Now what actually anti-virus is? As I stated above in the definition that it is also a user made program, which is not harmful as the virus, but it is totally opposite to the virus. It prevent us from the viruses and other malicious codes that are harmful to our computer as well as our data.
DIFFERENT ANTIVIRUS TECHNOLOGIES FOR SERVER
There are currently two technologies used by antivirus products for servers in corporate Notes/Domino environments: Hook Driver and the new Extension Manager.
This document aims to analyze the differences in functionality and implementation of these technologies in corporate Notes/Domino environments.
HOOK DRIVER: -
Hook Driver is the first and oldest antivirus technology provided for scanning and disinfecting document databases in Notes and Domino environments. Antivirus products based on Hook Driver technology hook onto the Notes system and monitor its tasks. The antivirus has to recognize when the server has performed a task and intercept this task and its content (mail or document) in order to scan and, if necessary, disinfect it. Although Hook Driver technology has a way of hooking onto the server databases, the fact that it does not offer a functional interface integrated with the Router (MAIL.BOX) represents an important limitation. In the case of antivirus products that scan the document and Router (MAIL.BOX) databases, the antivirus based on Hook Driver needs to extract documents and mail from the Notes system, scan and disinfect them and then reinsert them in the Notes / Domino environment mail flow.
Another limitation of this technology is that the antivirus can only hook the task that manages the normal user databases and not other tasks such as:
• Mail Router
• Replication between servers tasks
• HTTP (Domino) server
• Other server tasks
In order to scan these tasks, in particular the mail Router, it is necessary to create procedures that are not recommended by the manufacturer Lotus. The commercial antivirus solutions for Notes/Domino servers that use Hook Driver technology are: McAfee, Symantec, Trend Micro and Sybari. We are now going to examine the consequences of using an antivirus product based on Hook Driver technology.
The risks involved in using Hook Driver technology in antivirus products for Notes or Domino servers are quite significant, above all because of the load and limitations this technology presents when natively accessing server tasks. The main risks are as follows:
Difficult to install: one of the characteristics of using Hook Driver technology is that the clients (network administrators) need to manually create a Cross Certificate for each server in which they want to install the antivirus. A Cross Certificate is a digital authorization that a company generates in order to allow another entity to access its Notes servers. In other words, the antivirus manufacturer needs authorization to be able to access the company’s servers, with the security problem that this involves. In addition, creating cross certificates is not an easy task and as this process must be carried out in each server, it makes the task of installing the antivirus in servers more difficult.
Unnecessary load on the server: the antivirus solutions that use the Hook Driver technology extract documents from the Notes system, copy them to a temporary file in the hard disk, scan and disinfect them in the hard disk and then reinsert them in the Notes system flow. All of these read and write disk operations significantly slow down the performance of the Notes / Domino servers.
Corrupt messages in the Router: as the Hook Driver technology does not have an antivirus interface integrated with the Router, the antivirus solutions based on this technology need to create an additional task that accesses the MAIL.BOX in the Notes system. This additional task searches for new messages in the original MAIL.BOX queue every portion of a second. If it finds one, it scans and disinfects the message using the following process:
• Marks the message as ‘dead’ in the original MAIL.BOX.
• Figures out that the message must be scanned.
• Extracts the attached file to a temporary file in the hard disk.
• Scans the file in the hard disk, where it will also be disinfected if necessary.
• Reinserts the file in the MAIL.BOX document.
• Removes the ‘dead’ mark.
Figuring out that there´s a new message in the Router and marking it as dead has to be done quickly (faster than the Router) so that the antivirus can get to it before the Router hooks it in order to send it. There is a risk that the Router could hook the message from the queue before the antivirus can mark it as dead.
The Router (MAIL.BOX) is not designed to be accessed by several tasks at the same time, which means that Hook Driver antiviruses are breaking this ‘rule’ of Notes / Domino functionality, therefore the probability of the database being corrupted is quite high, as there are two tasks modifying the database and they could corrupt the indexes. Below is an example of a typical scenario:
• The Router recognizes the message as ‘live’.
• At the same time, the antivirus marks it as ‘dead’.
• As the Router thinks that it is live it tries to route it, but it has already been marked as dead, which means that a message marked as dead reaches the next server. This message will be permanently blocked in the next server.
Altering the process of the Router like this could result in queue backlog problems.
Difficult to manage: the antivirus solutions for Notes / Domino environments based on the Hook Driver technology cannot truly be managed remotely and centrally, as the antivirus must be installed in each server one by one, in the majority of cases from the server console itself. In addition, some of them do not have an administration interface and in order to make simple changes to the antivirus configuration, files such as NOTES.INI must be modified manually.
Reliability: if an antivirus based on Hook Driver has a problem with the databases (not only because of the antivirus, but also because of corruption, due to a problem with cross certification, etc), the Hook Driver technology will cause the whole server to block. In other words, the antivirus operations are not independent of the Notes server.
EXTENSION MANAGER
‘Extension Manager’ is the most modern system developed by Lotus that allows a program to be run natively in a Notes or Domino server. The main difference between Extension Manager technology and Hook Driver is the high level of integration that Extension Manager allows in server tasks (in databases, Router and other server tasks). In the case of antivirus programs, the Notes/Domino server itself informs the antivirus when to carry out its tasks. An antivirus that uses Extension Manager technology allows all databases and all of the other server tasks to be protected natively, while those that use Hook Driver technology can only protect the task that manages the user databases, but not the task of the Router, Replication, etc. The access of Hook Driver technology is limited to three events, while Extension Manager accesses more than 160 events.
An antivirus that uses Extension Manager integrates perfectly in the Notes / Domino system, acting as another system thread rather than an external application that has to monitor and interrupt the Notes operations and processes every time it needs to act.
There are significant advantages to using this new technology in antivirus products for servers. We will look at some of the main advantages in more detail:
Easy to install: with Extension Manager technology it is not necessary to manually create cross certificates for each server that needs protecting. Thanks to this advancement, it is possible to install, configure and manage the server antivirus in a way that is truly centralized and remote.
Optimized performance: thanks to the combined use of Panda Software’s Virtual File technology and Extension Manager technology, the antivirus can scan absolutely all traffic (documents and mail) in memory. Hook Driver technology however, needs to extract the files to a temporary file in the hard disk, which significantly slows down the server. The antivirus based on Extension Manager optimizes server performance by quickly scanning in memory.
Native integration in the Router: Extension Manager technology natively integrates external applications in the Router, which is non-existent in Hook Driver technology. The difference is huge, above all in terms of server performance and mail scan efficiency.
Centralized and remote administration: as cross certificates do not need to be created manually between each server and with the antivirus manufacturer, the solution based on Extension Manager allows the antivirus to be managed (installed, configured, updated, monitored, etc.) in a way that is truly automatic, centralized and remote.
“Panda Antivirus for Notes / Domino is, as of today, the first and only antivirus on the market to use Extension Manager technology, recommended by Lotus.”
Index
ANTIVIRUS TECHNOLOGIES FOR EXCHANGE SERVER
ANTIVIRUS API (AVAPI 1.0)-MCAFEE, TREND, SYMENTEC
ScanMail and Norton use both AntiVirusAPI (AVAPI 1.0) and MAPI technologies. Although they market this as an advantage, they are actually loading two residents (Services under Windows NT) in each server instead of one. This considerably reduces server performance. Although the antivirus can be managed remotely through these products, it can only be managed in one server at a time. These products are not designed for large scale installation with remote offices and WAN links. Neither of these products can scan the content of RTF, HTML or RTFHTML messages, nested messages or embedded OLE objects. As these products rely on the first version of the AntiVirusAPI (AVAPI 1.0), these antivirus products cause many problems not only when detecting viruses, but also limiting functionality and performance of the Exchange server. Many of the problems that these antivirus products can cause are documented in the Knowledge Base on the Microsoft web site, for example:
• Information Store Crashes When Using Antivirus Application Programming (AVAPI)
• Internet Mail Service Does Not Deliver Message After You Install Virus Scan Software
• Inaccessible attachments
• Messages that seem to be stuck in the Outbox
• Autoforward Rules May Be Disabled When Using Antivirus API
• Increased latency of directory and public folder replication
• Offline folder (*.ost) synchronization time-outs
• Move Mailbox Utility Does Not Work When Antivirus API Is In Use
If you are considering a move to third-party products that use the antivirus API, you must be aware that issues may arise that may seem related to performance of the information store. Based on the architecture of the antivirus API, the speed at which attachments are scanned is bound by the vendor's implementation of the scanning DLL. In addition, because third-party vendor's solutions run in process with the information store service, issues (such as memory or processor use and access violations in the Store.exe program) may become harder to troubleshoot because there is no way to distinguish between the information store and the vendor's DLL.
ESE API –SYBARI,TREND
Sybari and Trend use a series of undocumented calls to the Microsoft ESE API. What they do is to hook the Exchange server .EDB file. Although this method has its advantages by scanning the read and write methods of files, it also runs more risks than other antivirus products. Curiously the biggest criticism of this technology comes from Microsoft, who say in one of their web pages on antivirus strategies for Exchange server: No software or hardware should preempt or modify the Exchange Server services´method of reading to and writing from the data files. This might cause the Exchange Server
services to stop working or corrupt the data files. Sybari is not an antivirus manufacturer. It uses third party antivirus scan engines, which means that the client indirectly depends on other companies for updates, virus alerts and technical support for problems with the scan engine. For obvious reasons, there have been rumors that Microsoft will not support Exchange clients who have Sybari Antigen installed.
MAPI - PANDA ANTIVIRUS FOR EXCHANGE SERVERINDEX
It is the most effective and best performing antivirus solution for companies and institutions of all sizes. Panda has implemented advanced antivirus functionalities and techniques that offer stability and performance required by the most demanding corporate Exchange installations.
Our antivirus is optimized for better server performance. Through the use of MAPI, it achieves better server performance than other antivirus solutions. This is due to the fact that antivirus solutions based on AVAPI 1.0 completely stop the functioning of the Exchange server until the antivirus returns the messages. The Panda Antivirus for Exchange Server solution offers the most centralized management of Exchange servers available on the market. From Panda Administrator it is possible to remotely install, configure and update multiple Exchange servers at the same time from the network administrator’s workstation. Other solutions can only manage the antivirus protection of Exchange servers one by one. Panda detects viruses in places other antivirus solutions can’t reach: body of messages in any format (such as RTF, HTML y RTFHTML), embedded OLE objects, and many more compressed formats and nested messages at all levels. There is a mistaken concept in the market about antivirus products based on MAPI, as it is often said that outgoing messages slip past them. Although this may be true for other antivirus solutions based on MAPI, this is not true for Panda, as we offer the only antivirus based on MAPI that as well as disinfecting the Information Store, also scans and disinfects the Internet Mail Connector (the SMTP stack), protecting both incoming and outgoing mail in real-time. Panda Antivirus for Exchange Server includes a heuristic scan engine for detecting unknown DOS, Win32 and Macro viruses. Other products do not include a heuristic scan or only scan one of these three types of files. In their web site Microsoft refers to a model installation of Exchange Server in a large organization. About the antivirus solution for the installation they say: “The solution suggested [...] is to install the Panda corporate anti-virus system, because of its level of integration with Microsoft Exchange.” Panda Antivirus integrates its own technology for intelligent CPU monitoring, called AutoTuning. Thanks to this technology we optimize server performance to the maximum during on-demand scans, without interfering in the slightest way with the normal operations of Exchange.Panda Software works in collaboration with Microsoft on many occasions, providing antivirus know-how to Microsoft developments, such as Virus Scanning API (VSAPI 2.0), which Microsoft is going to launch with Service Pack 1 for Exchange 2000. This collaboration offers clients Panda solutions that are totally compatible and perfectly integrated in Exchange environments.
VIRUS SCANNING API (VSAPI) – PANDA ANTIVIRUS FOR EXCHANGE 2000
Panda Software has been working in collaboration with Microsoft for over a year, promoting the new technology Virus Scanning API (VSAPI 2.0) available with Service Pack 1 of Exchange 2000.
Panda Software is using VSAPI 2.0 in the new Panda Antivirus for Exchange 2000, whose Beta version release will be announced soon. In this way and by responding to market demand, we provide administrators with the two antivirus solutions that use the most advanced technology, thereby demonstrating the continuous commitment to antivirus protection for e-mail of Panda Software:
Panda Antivirus for Exchange Server (MAPI): Exchange 4.0/5.0/5.5
Panda Antivirus for Exchange Server (VSAPI 2.0): Exchange 2000*
HOW EFFECTIVE IS AN ANTI-VIRUS SOFTWARE IS?
A good quality anti-virus is certainly and effective may to safeguard your system against virus attacks. However, even the best of such programs suffer from the following disadvantages:
1. An anti-virus software is only as good as the methodology used by it to detect virus and virus-like activities. If your anti-virus program does not incorporate the latest virus detection techniques, your may leave yourself open to virus attacks.
2. Most anti-virus programs, among other criteria store a database of virus strings. These strings are used to detect the presence of a virus. Should the program come across a virus string it does not detect, then, there are chances that you may not be forewarned of an actual virus attack.
3. An exceptionally ‘intelligent, virus may succeed in breaching your anti-virus software defenses.
4. To ensure that your anti-virus software provides you with the best possible security, please keep in mind the following facts :
5. Use good quality anti-virus software packages that incorporate exhaustive virus detection modules.
6. Use only licensed copies of anti-virus programs.
7. Use anti-virus software that provides you with regular and timely upgrades.
8. If possible, use anti-virus software from more than one developers, to regularly scan your hard disk. However, beware of the possible false virus detection messages that one virus scanner may display while scanning another.
9. Make use of the rest of the useful anti-virus utilities that might come packed with the software, Each utility is designed to increase your data security.
10. Rather than using your anti-virus software as a standalone line of defense, for maximum effectiveness. Make to a part of the overall data security strategy.
COULD ANTI-VIRUS PROGRAM ITSELF BE INFECTED?
Surprisingly The executable code of an anti-virus program can be infected by an exceptionally clever virus. However, since such a happening is rate, you must be very sure about the true by nature of the infection before sounding an alarm about your anti-virus program.
You must make sure that your have obtained your program from an authentic source. Use a clean. Bootable system. Now, use the original, write protected anti-virus floppy disk to
Check the installed copy of the program on your hard disk (make sure that the anti-virus program on the floppy disk is of the same version as that being checked on the hard disk).
Alternately, your can use another anti-virus scanner (from another developer) to check for infection in the program under investigation, When you use one anti-virus scanner to check another for infections, you have to take into account the following facts:
1. Since anti-virus scanners contain database of virus signature strings while using two different anti-virus scanners, each now might falsely indicate the other to be infected. This is particularly so if the signature strings are not encrypted.
2. Should a scanner fail to remove strings from memory, after it terminates its operation; another anti-virus scanner might raise an alarm while scanning the system memory.
3. Some anti-virus programs add a special; code or data to a program to protect its integrity. Another anti-virus scanner might detect this additional data as a virus attack on the file and thus raise an incorrect alarm. Hence, while it is good practice to use anti-virus scanners from two different developers, you must be aware of the pitfalls in the practice.
4. The best course of action, should you suspect anti-virus program to be infected, is to send a copy if the program on a floppy disk, to the developer if the program for confirmation.
QUALITIES OF AN ANTI-VIRUS PROGRAM
Just as a virus developer aims at incorporating certain characteristics in a virus, an anti-virus program developer also attempts to compile d\certain properties in their virus detection and removal software.
Among some of the qualities that anti-virus programs are expected to have are :
1. An anti-virus program should be able to disable a virus that is resident in system memory. This is extremely important because should an anti-virus program succeed in removing a virus directly from the storage media only, it should subsequently reemerges and continue the infection process, Pardon the analogy, but a virus attack is like cancer, you leave an infected cell in the body and soon you leave an infected cell in the body and soon you find that the disease has spread to other organs.
2. Detect and remove viruses form system partition table and boot sector (should you computer be infected by an MBR of a boot sector virus). Some viruses (that is, multipartite viruses) infect the system partition table and program files. An anti-virus program must be able to first disinfect the partition table and restore disk partition information, and later, clean program files too. As if this were not enough, during an attack by a particular mischievous virus such as, one half, the software is also required to decrypt the hard disk so as not to lose precious data.
3. Detect and remove viruses form infected program files. This is usually done in two ways :
(a) By performing a signature scan for all known strains of viruses. Should the scanner detect one or more of such viruses, it proceeds to remove them. However, such a scanner cannot detect a polymorphic virus with its ever-changing encryption routines.
(b) By performing a rule-based heuristic scan; to detect unusual changes being made to system resources and files. Such a scan is genetic in nature and is helpful in removing a vast array of viruses.
However, for optimum security (at satisfactory scanning speeds), most anti-virus programs use a combination of both types of scanning.
As you must have notices by now, there is a constant cat-and-mouse game between the virus writers and the antivirus developers. There have been times when a virus writer has purposely written a virus to mislead a particular antivirus product.
LIMITATIONS OF ANTI-VIRUS PROGRAMS
Even if you regularly use anti-virus programs to scan your systems, you should be aware of their limitations in providing you with complete security. These limitations are:
1. Most signature based anti-virus scanners have a limited in-built database of virus signatures. Hence, such scanners are unable to detect of the unusual viruses.
2. Since anti-virus programs do not provide 100% safety, they tend to inculcate a false sense of security among users.
3. Most scanners are unable to keep up with the new and sophisticated viruses.
4. Previous versions of an anti-virus scanner will not be able to detect new viruses; hence, regular upgrades are necessary.
5. Most scanners do not automatically scan on-line information for viruses. Hence if you regularly download files from on-line sources, you are open to virus attacks.
6. A virus scanner opens other files to check for viruses. Some viruses are designed to infect all open files. Should you computer be infected with such a virus, on running you computer be infected with such a virus, on running a scanner , all you files may inadvertently be infected.
7. At times, even if an anti-virus scanner detects an activated virus, most of the damage to your program and data files is already done.
8. Most anti-virus scanners may not always be able to track sophisticated self-altering virus programs (Such as a polymorphic virus).
CONCLUSION
From this seminar we conclude that we have to take care while using different types of external data storage devices like CDs and floppy disks, the sentence is “PREVENTION IS ALWAYS BETTER THAN CURE”. before inserting or extracting some data from the devices first of all, we have to scan it properly with the help of upgraded and standard anti-virus software. Because virus is most injurious for the entire system we can also able to understand the hazard ness cause by virus to our system for which we have to take care, in order to keep our system free from any inconvenience
From this seminar we conclude that we have to take care while using different types of external data storage devices like CDs and floppy disks, the sentence is “PREVENTION IS ALWAYS BETTER THAN CURE”. before inserting or extracting some data from the devices first of all, we have to scan it properly with the help of upgraded and standard anti-virus software. Because virus is most injurious for the entire system we can also able to understand the hazard ness cause by virus to our system for which we have to take care, in order to keep our system free from any inconvenience
I believe what you said made a great deal of sense. But, think on
this, suppose you were to create a awesome headline?
I am not saying your content is not good, but suppose you added a title to possibly
get folk's attention? I mean "Virus Technology" is a little vanilla. You might look at Yahoo's front page and watch how they write article titles to get people to click. You might add a video or a related pic or two to grab readers interested about everything've got to say. Just my opinion, it would make your blog a little bit more interesting.
my site :: extract edb to PST
What's up to every one, the contents present at this web site are truly awesome for people knowledge, well, keep up the nice work fellows.
My webpage :: open ost
It's amazing for me to have a site, which is valuable in support of my knowledge. thanks admin
my website :: open Outlook OST file