ANTIVIRUS
Amardeep singh patel Shambhu sharan mishra
I.T. department I.T. department
Abstract- Antivirus software is used
to prevent, detect and remove malware,
including Computer viruses, worms ,and
trojon horses. Such programs may also
prevent and remove adware,spyware and
other forms of malware. Fred cohen, one
of the first academic Papers on computer
viruses in 1984,started to develop
strategies for antivirus software in 1988
that were picked up and continued by
later antivirus software developers. By
using different methods it can detect the
different types of malware.some of them
are signature based detection,heuristics,
rootkit detection. A virus might corrupt
or delete data on your computer, use
your e-mail program to spread itself to
other computers or even erase anything
on your hard disk. Computer viruses are
often spread by Attachments in e-mail
messages or instant messaging messages
That is why it is essential that you never
open e-mail attachments unless youknow
who it’s from and you are expecting it.
There are different types of viruses for
which antiviruses are made to detect
these viruses . worms ,trojon horses and
logic bombs are different viruses and
Kaspersky,Trend micro,McAfee,AVG,
avast!,G Data,Avira etc.are some
antivirusessoftwares.
Introduction- antivirus software is
used to prevent ,detect,and remove
malware,including computer viruses,
worms and Trojan horses. Such
programs may also prevent and remove
Gaurav pandey
I.T. department
adware, spyware,and other forms of
malware. A variety of strategies are
typically employed.signature based
detection involves searching for known
malicious patterns in executable code
However, it is possible for a user to be
infected with new malware for which no
signature exists yet. To counter such so-
called zero-day threats, heuristics can be
used. One type of heuristic approach,
generic signatures, can identify new
viruses or variants of existing viruses by
looking for known malicious code (or
slight variations of such code) in files.
Some antivirus software can also predict
what a file will do if opened/run by
emulating it in a sandbox and analyzing
what it does to see if it performs any
malicious actions. If it does, this could
mean the file is malicious.
However, no matter how useful antivirus
software is, it can sometimes have
drawbacks. Antivirus software can
degrade computer performance.
Inexperienced users may have trouble
understanding the prompts and decisions
that antivirus software presents them
with. An incorrect decision may lead to a
security breach. If the antivirus software
employs heuristic detection (of any
kind), success depends on achieving the
right balance between false positives and
false negatives. False positives can be as
destructive as false negatives. Finally,
antivirus software generally runs at the
highly trusted kernel level of the
operating system, creating a potential
avenue of attack.
In addition to the drawbacks mentioned
above, the effectiveness of antivirus
software has also been researched and
debated. One study found that the
detection success of major antivirus
software dropped over a one-year period.
History- Most of the computer viruses
that were written in the early and mid
'80s were limited to self-reproduction
and had no specific damage routine built
into the code (research viruses). That
changed when more and more
programmers became acquainted with
virus programming and released viruses
that manipulated or even destroyed data
on infected computers. It then became
necessary to think about antivirus
software to fight these malicious
viruses.There are competing claims for
the innovator of the first antivirus
product. Possibly the first publicly
documented removal of a computer virus
in the wild was performed by Bernd Fix
in 1987.
Fred Cohen, who published one of the
first academic papers on computer
viruses in 1984, started to develop
strategies for antivirus software in 1988
that were picked up and continued by
later antivirus software developers.
Also in 1988 a mailing list named
VIRUS-L was initiated on the
BITNET/EARN network where new
viruses and the possibilities of detecting
and eliminating viruses were discussed.
Some members of this mailing list like
John McAfee or Eugene Kaspersky later
founded software companies that
developed and sold commercial antivirus
software.
Before Internet connectivity was
widespread, viruses were typically
spread by infected floppy disks.
Antivirus software came into use, but
was updated relatively infrequently.
During this time, virus checkers
essentially had to check executable files
and the boot sectors of floppy and hard
disks. However, as internet usage
became common, initially through the
use of modems, viruses spread
throughout the Internet.
Identification methods- There are
several methods which antivirus
software can use to identify malware.
Signature based detection is the most
common method. To identify viruses and
other malware, antivirus software
compares the contents of a file to a
dictionary of virus signatures. Because
viruses can embed themselves in
existing files, the entire file is searched,
not just as a whole, but also in pieces.
Heuristic-based detection like
malicious activity detection, can be used
to identify unknown viruses.
File emulation is another heuristic
approach. File emulation involves
executing a program in a virtual
environment and logging what actions
the program performs. Depending on the
actions logged, the antivirus software
can determine if the program is
malicious or not and then carry out the
appropriate disinfection actions.
Rootkit detection Anti-virus software
now scans for rootkits; a rootkit
is a type of malware that is
designed to gain administrative-
level control over a computer
system without being detected.
Rootkits can change how the
operating system functions and in
 some cases, rootkits can tamper
with the anti-virus program and
render it ineffective. Rootkits are
also very difficult to remove, in
some cases requiring a complete
re-installation of the operating
system.
Viruses - Introduction to viruses
A virus is a small computer program
found within the body of another
program which, when run, loads itself
into the memory and carries out the
instructions programmed by its
author.Memory-resident viruses (also
called TSR for Terminate and Stay
Resident) load in the computer's RAM in
order to infect executable files opened
by the user. Non-resident viruses, once
run, infect programs found on the hard
drive.
The effects of a virus may range from
simply displaying a ping-pong ball
ricocheting across the screen to wiping
out data, which is the most destructive
kind of virus there is. As there is a broad
range of viruses with widely varied
effects, viruses are not classified based
on what kind of damage they do, but on
how they spread and infect computers.
Types of viruses-
Worms are viruses which can spread
over a network .
Trojan horses(trojans) are viruses
which create a security hole in the
computer (generally for their designer to
gain entry to the infect system and take
control of it)
Logic bombs are viruses which can
trigger on a specific event (like the
system's date, or remote activation).
Bounty hunters is a virus which can
modify signatures stored by an antivirus
program in order to render them
inoperable.
Polymorphic viruses
Since antivirus programs mainly detect
viruses using their signature (the series
of bits which identifies it), certain virus
creators have thought to give them the
ability to automatically change their
appearance, like a chameleon, by giving
the virus a signature encrypt-decrypt
function, so that only the virus can
recognise its own signature. This kind of
virus is called a "polymorphic virus"
(from the Greek for "which can take
multiple forms").
Boot sector viruses
A "boot sector virus" (or boot virus) is
a virus when can infect the boot sector of
a hard drive (MBR, the master boot
record). This sector is an area on the
hard drive stores the operating system
processes which are run when the
computer starts up.
Issues of concern-
Unexpected renewal costs
Some commercial antivirus software
end-user license agreements include a
clause that the subscription will be
automatically renewed, and the
purchaser's credit card automatically
billed, at the renewal time without
explicit approval. For example, McAfee
requires users to unsubscribe at least 60
days before the expiration of the present
subscription while BitDefender sends
notifications to unsubscribe 30 days
before the renewal.Norton Antivirus also
renews subscriptions automatically by
default.

Rogue security applications
Some antivirus programs are actually
malware masquerading as antivirus
software, such as WinFixer and MS
Antivirus. A recent surge in such
software has deceived more than a
million Microsoft Windows internet
users and prompted the FTC to initiate
court proceedings.
Problems caused by false positives
A false positive is identifying a file as a
virus when it is not a virus. If an
antivirus program is configured to
immediately delete or quarantine
infected files (or does this by default),
false positives in essential files can
render the operating system or some
applications unusable. In May 2007, a
faulty virus signature issued by
Symantec mistakenly removed essential
operating system files, leaving thousands
of PCs unable to boot. Also in May 2007
the executable file required by Pegasus
Mail was falsely detected by Norton
AntiVirus as being a Trojan and it was
automatically removed, preventing
Pegasus Mail from running. Norton anti-
virus has falsely identified three releases
of Pegasus Mail as malware; Norton
anti-virus can delete the Pegasus Mail
installer file when this happens.
In April 2010 McAfee VirusScan
detected svchost.exe, a normal Windows
binary, as a virus on machines running
XP SP3 and removed it, causing a reboot
loop and loss of all network access.
Spotify has been flagged as a false
positive by Symantec and McAfee
products. Even when the false positive is
rectified by an update, users may have to
re-install Spotify.
System and interoperability related
issues
Running multiple antivirus programs
concurrently can degrade performance
and create conflicts.
It is sometimes necessary to temporarily
disable virus protection when installing
major updates such as Windows Service
Packs or updating graphics card
drivers.Active antivirus protection may
partially or completely prevent the
installation of a major update.
Support issues also exist around
antivirus application interoperability
with common solutions like SSL VPN
remote access and network access
control products.Often, these technology
solutions have policy assessment
applications which require that 1. an
antivirus is installed 2. that the product is
running and 3. that the application's
signatures are up to date. If the antivirus
application is not recognized by the
policy assessment, whether because the
antivirus application has been updated or
because it is not part of the policy
assessment library, the user will be
unable to connect. Interoperability
testing and certification for antivirus
applications is offered by the OESIS OK
Program.
Effectiveness
Studies in December 2007 have shown
that the effectiveness of antivirus
software has decreased in recent years,
particularly against unknown or zero day
attacks. The German computer magazine
c't found that detection rates for these
threats had dropped from 40-50% in
2006 to 20-30% in 2007. At that time,
the only exception was the NOD32
antivirus, which managed a detection
rate of 68 percent.
The problem is magnified by the (Anti-Malware Testing Standards
changing intent of virus authors. Some Organization).
years ago it was obvious when a virus
infection was present. The viruses of the
day, written by amateurs, exhibited
destructive behavior or pop-ups. Modern
viruses are often written by
professionals, financed by criminal
organizations.

Traditional antivirus software solutions

run virus scanners on schedule, on
demand and some run scans in real time.
If a virus or malware is located the
suspect file is usually placed into a
quarantine to terminate its chances of
disrupting the system. Traditional
antivirus solutions scan and compare
against a publicised and regularly
updated dictionary of malware otherwise
known as a blacklist. Some antivirus
solutions have additional options that
employ an heuristic engine which further
examines the file to see if it is behaving
in a similar manner to previous examples
of malware. A new technology utilized
by a few antivirus solutions is
whitelisting, this technology first checks
if the file is trusted and only questioning
those that are not.
References-
Independent testing on all the major
virus scanners consistently shows that [1] http://www.google.co.in/
none provide 100% virus detection. The http://www.wikipedia.com/
best ones provided as high as 99.6% http://www.avast.com/
detection, while the lowest provide only http://www.microsoft.com/
81.8% in tests conducted in February
2010. All virus scanners produce false
positive results as well, identifying
benign files as malware.

Although methodologies may differ,

some notable independent quality testing
agencies include AV-Comparatives,
ICSA Labs, West Coast Labs, VB100
and other members of the AMTSO