On 8 Mar 2007 at 1:37, chipo chika wrote:
> How do scanners differentiate between normal files and viruses, adware
> and spyware? What makes some scanners more efficient than others.
The vast majority of current antivirus products all have a similar
structure: A database of patterns ("signatures") of infections is updated
periodically, and a program searches each potentially-infected file looking
for any patterns that are in the database.
The signature should be a pattern that, for whatever reason, only appears
in infected files. Every now and then, somebody goofs, and a signature is
released which turns out to also match some non-infected files -- I think
there was a McAfee update about a year ago that had such a problem.
One of the reasons you don't want to run two antivirus packages is that
one of them might find what it thinks is an infection, in the signature
database used by the other package...
There are a couple of ways to speed up scanning. One is to suck the whole
signature database into RAM so that disk operations are minimized; that's a
big part of the reason why the signature database doesn't contain every
signature the vendor has ever heard of. Instead, the database on each
customer's PC contains only signatures that the vendor thinks customers are
likely to encounter.
Another is to be smart about recognizing files, or large parts thereof,
which cannot be infected. It's quite possible that some virus signature
sequences exist among my gigabytes of digital images, but there's no point
in the scanner looking at every byte of every file.
Signature-based scanning has one major drawback: It can only recognize a
virus if the vendor has seen it, has (correctly!) created a signature for it
(some viruses constantly re-encrypt themselves to make this hard!), and the
user has received the update to their local database. That often takes 48
hours from when the virus is first reported.
There are a small number of fairly expensive products which work on other
principles, monitoring system operations for "suspicious activity". This is
a much harder job than matching against a database of signatures, but it has
the advantage of often catching viruses that the AV vendors don't know about
yet. These products aren't really marketed to home users, but they're a
good choice for server administrators.
David Gillett
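The structure the reply describes (an in-memory pattern database, a search of each file for any pattern, skipping file types that cannot carry an infection, and the risk that one scanner's signature database trips another scanner) is shown below as an added toy example. It is not code from the poster or from any vendor's product; the signature byte patterns, the magic-number table and the sample files are all constructed for the demonstration and match no real malware. It also goes one step beyond the text by scanning a file in chunks, which has to overlap the chunks by one byte less than the longest pattern or a pattern straddling a chunk boundary is missed.

```python
"""Toy signature scanner: constructed example, not any real AV engine."""
import io

# Constructed signature database, loaded into memory once (the reply's
# "suck the whole database into RAM"). Name -> byte pattern. Made up.
SIGNATURES = {
    "Demo.Pattern.A": b"\xDE\xAD\xBE\xEF\x13\x37",
    "Demo.Pattern.B": b"SUSPICIOUS-MARKER-42",
}

# File types this toy treats as "cannot be infected" so their bytes are
# not searched at all (the reply's point about gigabytes of images).
# Real engines are far more careful than a magic-number check.
BENIGN_MAGIC = {
    b"\xFF\xD8\xFF": "jpeg",
    b"\x89PNG\r\n\x1a\n": "png",
}


def file_kind(data):
    """Classify a file by its leading bytes (constructed, minimal table)."""
    for magic, kind in BENIGN_MAGIC.items():
        if data.startswith(magic):
            return kind
    if data.startswith(b"MZ"):
        return "pe"
    if data.startswith(b"\x7fELF"):
        return "elf"
    return "unknown"


def scan_bytes(data, signatures=SIGNATURES):
    """Return the names of every signature found anywhere in data."""
    return sorted(name for name, pat in signatures.items() if pat in data)


def scan_file_data(data, skip_benign_types=True):
    """Scan one file's contents, optionally skipping 'uninfectable' types."""
    if skip_benign_types and file_kind(data) in BENIGN_MAGIC.values():
        return []
    return scan_bytes(data)


def scan_chunked(data, chunk_size=4096, use_overlap=True, signatures=SIGNATURES):
    """Scan a file in fixed-size chunks, as a scanner would for large files.

    With use_overlap the last (longest pattern - 1) bytes of each chunk are
    prepended to the next one, so a pattern that straddles a chunk boundary
    is still seen. Without it, such a pattern is silently missed.
    """
    stream = io.BytesIO(data)
    overlap = max(len(p) for p in signatures.values()) - 1 if use_overlap else 0
    found = set()
    tail = b""
    while True:
        chunk = stream.read(chunk_size)
        if not chunk:
            break
        window = tail + chunk
        for name, pat in signatures.items():
            if pat in window:
                found.add(name)
        tail = window[-overlap:] if overlap else b""
    return sorted(found)


def serialize_database(signatures=SIGNATURES):
    """A naive on-disk database layout: length-prefixed raw patterns.

    Scanning this file with the same signatures flags every entry, which is
    the 'two antivirus packages' problem the reply mentions.
    """
    return b"".join(len(p).to_bytes(2, "big") + p for p in signatures.values())


# Constructed sample files (not real executables or images).
EXE_INFECTED = b"MZ" + b"\x90" * 40 + b"\xDE\xAD\xBE\xEF\x13\x37" + b"\x00" * 10
EXE_CLEAN = b"MZ" + b"\x90" * 40
JPEG_WITH_PATTERN = b"\xFF\xD8\xFF\xE0" + b"\x00" * 20 + b"SUSPICIOUS-MARKER-42"
# Pattern A placed so it crosses the 4096-byte chunk boundary.
STRADDLING = b"A" * 4093 + b"\xDE\xAD\xBE\xEF\x13\x37" + b"B" * 100


if __name__ == "__main__":
    print("infected exe:", scan_file_data(EXE_INFECTED))
    print("clean exe:", scan_file_data(EXE_CLEAN))
    print("jpeg, type-aware:", scan_file_data(JPEG_WITH_PATTERN))
    print("jpeg, every byte:", scan_file_data(JPEG_WITH_PATTERN, skip_benign_types=False))
    print("other AV's database:", scan_bytes(serialize_database()))
    print("chunked with overlap:", scan_chunked(STRADDLING))
    print("chunked without overlap:", scan_chunked(STRADDLING, use_overlap=False))
```

The type-aware skip is what makes the image file with a chance pattern hit come back clean, and the chunk-overlap flag is the kind of detail that separates a correct scanner from a fast but leaky one.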