
Virus Detection Considerations

March 6, 2010

What to look for in a virus product.

Detailed descriptions of these technical attributes follow this bulleted list.

1. Battle-Tested Engine

2. Versatile Virus “Language” Detection Base

3. Advanced Heuristic Analysis

4. Expanded Scanning Capabilities

5. Auto Immune Virus Capture

Battle-Tested Engine Technology

Only through real-world testing across multiple platforms, in large-scale environments, can engines be benchmarked.

Versatile Virus “Language” Detection Base

As the nature of viruses changed, so did scanners; the engine architecture should be geared especially toward the latest levels of threats. Specifically, the technical design of a virus defense engine can critically affect its ability to detect and clean new virus strains as they emerge. If too tight in design, the engine’s “language” may miss new variants of virus threats. If too open-ended, it may drain performance and affect too many components in a routine computer task list. In addition, it may generate a large number of false positives that take up system resources and distract IS personnel from mission critical activities. Especially during a virus outbreak, engine design and the language it is based upon can drastically affect the time and accuracy of virus detection and cleaning.

Efficient Virus Variant Detection

Researchers can write a detector and cleaner that covers an entire family of viruses rather than just one particular virus. These family-level routines, usually referred to as “verbs,” provide a variety of technical suggestions for virus cures. Generating additional verbs and incorporating them into a detector should be straightforward: an engine should be compact and have a clean process for updates.

Encrypted Virus Detection

Earlier virus scanning designs took into consideration very few types of viruses, since very few existed. As mentioned, floppies carried the majority of viruses until a new type, macro viruses, came on the scene. Today, it is important for a virus detection engine to not only detect a wide variety of virus variants, but to detect the more difficult types of viruses as well. Look for an engine that has a clear technical advantage in this area, particularly in its detection of polymorphic viruses.

Polymorphic Virus Detection

For most viruses, it is possible to identify a virus using a specific sequence of bytes. This sequence of bytes is stored within the virus signature file. If the sequence of bytes matches the sequence in the signature, then the file is infected and the virus detected. However, a polymorphic virus is variably-encrypted; the sequence of bytes in the virus code changes with each infection. There is no constant sequence of bytes for which to search.

Heuristic Analysis

Most major anti-virus products today use some form of code analysis, known as heuristics, to detect new viruses that have not been seen before. This involves searching through the code in a file to determine whether that code takes actions typical of a virus, even if the scanner does not specifically recognize a known, existing virus. The more virus-like code that is found, the more likely it is that a virus is present. Once the level of virus-like code reaches a pre-determined threshold, the scanner identifies a possible infection. While virus scanners of the past could rely on tables of signatures to match the known variants, the significant rise in the number of new viruses developed each day prompted Network Associates to find newer ways to catch unknown viruses. Catching them before damage could be done also became a priority, as companies hooked up to the Internet and left their corporate assets vulnerable to outsiders.

Negative Heuristics

The heuristic technology deployed by most anti-virus products, unfortunately, generates many false alarms because of the inefficiencies of most heuristic detection engines. Look for a traditional heuristic analysis technique, but also look for a sophisticated “non-virus” identification approach called “negative heuristic” analysis. While the scanning engine is searching through code to determine whether it contains any virus-like commands, it also searches for code that is distinctly not like a virus. This negative heuristic analysis enables a simultaneous, bi-directional virus analysis. It is an approach that reflects the changed nature of viruses, and the realization that to be a virus defense expert, one must think like a virus writer.

False Alarm Elimination

Approaching virus detection from both angles also speeds the rate of virus recognition, again affecting the speed with which researchers can provide virus cleaners to customers to prevent virus proliferation. This double heuristics approach greatly reduces the likelihood of false alarms, which explains the high heuristic detection rate. Eliminating false alarms removes another disruption and works toward more seamless virus defense operations.
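A toy scoring model for the positive-plus-negative ("double") heuristics described in the three sections above, added here and not taken from the article or any vendor's engine. The indicator names, weights and threshold are constructed assumptions; the point it shows is how negative evidence keeps a legitimate tool that rewrites executables below the threshold while a sample with only virus-like evidence is still flagged.

```python
# Added example (not from the original article): a toy scoring model for
# positive ("virus-like") plus negative ("distinctly not a virus") heuristics.
# Indicator names, weights and the threshold are constructed assumptions.
from typing import Dict, List, Tuple

# Evidence that code behaves like a virus: each hit adds to the score.
VIRUS_LIKE: Dict[str, int] = {
    "opens_executables_for_write": 3,
    "searches_for_other_executables": 2,
    "self_modifying_code": 3,
    "hooks_file_system_calls": 2,
    "no_meaningful_entry_point": 1,
}

# Evidence that code is distinctly NOT a virus: each hit subtracts.
NOT_VIRUS_LIKE: Dict[str, int] = {
    "standard_compiler_prologue": 2,
    "has_version_resource": 2,
    "imports_user_interface_library": 1,
    "references_help_text_strings": 1,
}

THRESHOLD = 5  # pre-determined level at which a possible infection is flagged


def heuristic_score(indicators: List[str], negative: bool = True) -> int:
    """Sum positive weights; with negative heuristics on, also subtract the
    weights of non-virus-like evidence found in the same code."""
    score = sum(VIRUS_LIKE.get(i, 0) for i in indicators)
    if negative:
        score -= sum(NOT_VIRUS_LIKE.get(i, 0) for i in indicators)
    return score


def verdict(indicators: List[str], negative: bool = True) -> Tuple[int, str]:
    score = heuristic_score(indicators, negative)
    return score, ("possible infection" if score >= THRESHOLD else "clean")


# Constructed samples. A backup utility legitimately rewrites executables, so
# positive-only heuristics raise a false alarm; the negative evidence (normal
# compiler prologue, version resource, UI library) pulls it back under the line.
BACKUP_TOOL = ["opens_executables_for_write", "searches_for_other_executables",
               "standard_compiler_prologue", "has_version_resource",
               "imports_user_interface_library"]
SUSPECT = ["opens_executables_for_write", "searches_for_other_executables",
           "self_modifying_code", "no_meaningful_entry_point"]

if __name__ == "__main__":
    print("backup tool, positive only:", verdict(BACKUP_TOOL, negative=False))
    print("backup tool, double:       ", verdict(BACKUP_TOOL))
    print("suspect, double:           ", verdict(SUSPECT))
```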

Macro Heuristics

Macro viruses currently represent a threat to corporate systems as the most common viruses, and often infect Microsoft Word and Excel applications by inserting unwanted words and phrases, modifying formulas, or even destroying data. A double scanning approach, applying both positive and negative heuristics, improves macro virus detection rates.

Malicious Web-Based Attacks

An emerging threat to computer users with Internet connectivity is the potential of hostile code that is automatically downloaded and executed on a user’s computer when connecting to hostile sites on the Internet. Although a comparatively small number of malicious applets have been discovered at this time, malicious code, also known as “mobile code,” has the strong potential of being the preferred vehicle of future virus writers.

Java Applets

“Java applets” typically refers to executable code written in Java, a Sun Microsystems technology, that is frequently found on Web sites in the form of animation such as a rotating stock ticker. Java is also used increasingly in corporate applications such as Lotus Notes, and intranet tools. Java applets are automatically and transparently run through a Java Virtual Machine that is part of commonly used Internet browsers such as Netscape Navigator.

ActiveX Controls

“ActiveX controls” typically refer to executable code written in ActiveX, a Microsoft technology, also found frequently throughout the World Wide Web. ActiveX controls automatically and transparently run through Web-based browsers such as Internet Explorer. The extensible and efficient Network Associates engine includes defense capability against malicious ActiveX controls, particularly important due to the lack of an advanced security model for ActiveX code.

Email Scanning

While most leading anti-virus vendors publish new updates when such viruses are discovered, end users who rely on these products have no way of knowing whether an incoming message is infected until they actually attempt to open the potentially infected message, allowing their anti-virus scanner to inspect its contents. If their scanner is not updated correctly, or the update patch is improperly applied, it is unfortunately too late. The infected attachment, once opened, will begin its work immediately, spreading itself to other users and, in some cases, deleting critical files on the infected machine. E-mail virus scanning instead inspects attachments inside incoming e-mail messages before they are opened. If infected attachments are discovered, users are warned long before they attempt to open them, greatly reducing the possibility of inadvertently spreading the infection to others.
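What "scanning attachments before they are opened" means in practice, as an added example that is not part of the original article: walk the MIME parts of an incoming message, decode each attachment's transfer encoding, and match it against a signature set before the user ever sees it. The message, the attachment bytes and the signature list are all constructed for the example; the signatures are not real virus signatures.

```python
# Added example (not from the original article): scan attachments of an
# incoming message at delivery time, so the user is warned before opening one.
# The message, the "attachment" bytes and the signature list are constructed.
from email import message_from_bytes
from email.message import EmailMessage
from typing import List, Tuple

# Constructed signatures: byte sequences a scanner would look for. Not real ones.
SIGNATURES = {
    "sample-binary": b"\xde\xad\xbe\xef\x90\x90\xcc",
    "sample-macro": b"CONSTRUCTED-MACRO-MARKER",
}


def scan_bytes(data: bytes) -> List[str]:
    """Names of every constructed signature found in the decoded attachment."""
    return [name for name, sig in SIGNATURES.items() if sig in data]


def scan_message(raw: bytes) -> List[Tuple[str, str]]:
    """Walk every MIME part that carries a filename (an attachment) and return
    (filename, signature) pairs for those that match. Inline bodies are skipped."""
    msg = message_from_bytes(raw)
    hits = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        filename = part.get_filename()
        if not filename:
            continue  # not an attachment
        payload = part.get_payload(decode=True) or b""  # undo base64 / QP
        for sig_name in scan_bytes(payload):
            hits.append((filename, sig_name))
    return hits


def build_sample_message() -> bytes:
    """Constructed incoming message with one clean and one flagged attachment."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "user@example.invalid"
    msg["Subject"] = "Quarterly figures"
    msg.set_content("Please review the attached files.")
    msg.add_attachment(b"plain report text", maintype="text", subtype="plain",
                       filename="report.txt")
    msg.add_attachment(b"\x00doc header\x00CONSTRUCTED-MACRO-MARKER\x00",
                       maintype="application", subtype="octet-stream",
                       filename="figures.doc")
    return bytes(msg)


if __name__ == "__main__":
    for filename, sig in scan_message(build_sample_message()):
        print(f"WARNING: attachment {filename!r} matched {sig}; do not open it")
```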

Always double check your research and checklist your conclusions.