Question:
How does antivirus work on a computer, and how does it detect viruses?
sai
2007-03-20 01:05:12 UTC
Seven answers:
Nick
2007-03-20 01:13:58 UTC
Checks Memory

When you first boot up your computer, the anti-virus software will check the memory to ensure no virus is present before the computer starts opening more files.



Checks for Signature

Each virus has its own particular "signature", an identifying sequence of characters in the software code. Anti-virus software uses this signature to identify the virus and how best to delete it from your computer.



Checks Before Opening Files

Anti-virus software allows you to specify which types of files will be checked before opening them. If you don't specify, the software usually defaults to checking executable files, since these are the most common types of files to be infected. However, you can set up the software to check every file you open. By doing so, it will check for viruses before it opens the file, thus ensuring if a virus does exist, it will not be spread.



Notification of Detected Virus

If a virus is found during any of these processes, you will be notified. Most anti-virus software will present a screen asking you how you'd like to proceed, giving you choices and a suggestion of what should be done. It is best to follow what the software advises. It will usually destroy the virus and then try to repair the file. If the file cannot be repaired, it will be deleted.



http://www.dell.com/content/topics/global.aspx/solutions/en/security_solutions_basic_tutorials?c=us&cs=04&l=en&s=bsd&~tab=3
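As an added example (not code from the original answer or from any vendor's product), here is a minimal version of the "checks for signature" and "checks before opening files" steps described above: a small database of byte-sequence signatures, with `??` as a one-byte wildcard, searched in a file's contents before the file is allowed to open, and a default policy of inspecting only executable-looking files unless the user asks for every file. The signature names, the sample files and the extension list are constructed for the example; the EICAR string is the industry-standard harmless test file that real scanners detect on purpose.

```python
import re
from typing import Dict, List

# The standard EICAR test string (a harmless 68-byte file every scanner
# is expected to flag). Raw bytes literal so the backslash stays as-is.
EICAR = rb"X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"

# Constructed signature database: name -> hex pattern. "??" matches any
# single byte, the same idea as ClamAV hex signatures and YARA hex strings.
# "Demo.Dropper" is made up for this example: an MZ header, three bytes we
# do not care about, then a fixed marker.
SIGNATURES: Dict[str, str] = {
    "EICAR-Test-File": EICAR.hex(),
    "Demo.Dropper": "4d5a??????deadbeef",
}


def compile_signature(hex_pattern: str) -> re.Pattern:
    """Turn a hex pattern with ?? wildcards into a compiled bytes regex."""
    if len(hex_pattern) % 2:
        raise ValueError("hex pattern must have an even number of digits")
    parts = []
    for i in range(0, len(hex_pattern), 2):
        pair = hex_pattern[i:i + 2]
        parts.append(b"." if pair == "??" else re.escape(bytes.fromhex(pair)))
    # DOTALL so the wildcard also matches 0x0a (newline) bytes.
    return re.compile(b"".join(parts), re.DOTALL)


COMPILED = {name: compile_signature(p) for name, p in SIGNATURES.items()}

# Default policy from the answer: only executables are checked unless the
# user asks for every file. The extension list is a constructed example.
EXECUTABLE_EXTENSIONS = {".exe", ".dll", ".com", ".scr", ".sys"}


def looks_executable(name: str, data: bytes) -> bool:
    """Executable by extension, or by a PE ("MZ") / ELF magic number."""
    ext = name[name.rfind("."):].lower() if "." in name else ""
    return ext in EXECUTABLE_EXTENSIONS or data[:2] == b"MZ" or data[:4] == b"\x7fELF"


def scan(name: str, data: bytes, scan_all: bool = False) -> List[str]:
    """Return the names of every signature found in data (possibly several)."""
    if not scan_all and not looks_executable(name, data):
        return []
    return [sig for sig, pattern in COMPILED.items() if pattern.search(data)]


def allow_open(name: str, data: bytes, scan_all: bool = False) -> bool:
    """The 'check before opening' hook: True means the file may be opened."""
    return not scan(name, data, scan_all)


# Constructed sample files.
SAMPLES: Dict[str, bytes] = {
    "setup.exe": b"MZ\x90\x00\x03\xde\xad\xbe\xef" + b"\x00" * 16,  # matches Demo.Dropper
    "hello.exe": b"MZ" + b"\x00" * 30,                             # clean executable
    "notes.txt": b"some notes\n" + EICAR + b"\n",                  # test string in a text file
}

if __name__ == "__main__":
    for fname, content in SAMPLES.items():
        print(f"{fname:10} default policy: {scan(fname, content)}  every file: {scan(fname, content, scan_all=True)}")
```

Note what the default policy costs: with only executables checked, the EICAR string hidden in `notes.txt` is missed until `scan_all` is set, which is exactly the trade-off the answer describes between speed and checking every file you open.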
Delores
2016-08-24 03:22:28 UTC
2
Sunny
2007-03-20 02:37:28 UTC
I'll tell you in brief...

Antivirus is not any necessity; it's like the way you go, your shadow goes... it doesn't matter that it sometimes heads towards a different direction...

So, antivirus is not any big thing like anyone is saying here; the whole lot of publicity is only due to the big companies like Norton or McAfee, etc.

In fact, anyone can create an antivirus.

Antivirus itself is a program. Don't get diverted by its biological name. And to execute a program we generally need an operating system, so when you first switch on your PC, an operating system like Windows XP, etc., boots up.

Now, under this XP graphical environment most antiviruses are available, like Norton, QuickHeal, etc. This makes sure that no one except an operating system starts while booting. So, I believe Nick (above) is wrong here, saying antivirus checks something at boot time!

Indeed, an antivirus always runs under an operating system...

because it's also a program, an executable, an instruction set... like any other program.

But remember, an antivirus is the one that starts off with the highest priority and also before any other system service or utility is started by the operating system. If I tell you about the registry operation... there is a private key under the system registry [in WinXP] named "000000", and it is kept on top due to its alphabetical order; only for any antivirus, which thus is executed first.

The old-style antivirus simply calculates the signature of any file by suitable algorithms like MD5, SHA-1, etc., also called checksums, and matches it with its virus database file, which contains all the suspected signatures of viruses and trojans or any kind of malware program or data file. If the signature matches, the file is declared a virus.

What is a signature?

A signature is like some 20- or 30-character-long combination of alphanumeric symbols. In CRC2 checksums it's, I think, 16 characters. MD5 and SHA-1, etc., vary from 20 to 64.

How is a signature generated?

Most antiviruses have their own signature generator; otherwise such checksum generator programs are available free on the internet. The basic concept is to assign a unique ID to a particular file, like a determinant is a unique number/identifier of only one matrix element set.

What do modern antivirus programs do?

Modern antivirus programs have extended the scope of detecting any virus. For example, intrusion prevention programs keep a record of the running processes in memory, of each and every activity of theirs. If it's found malicious, it is declared a threat to the operating system and the next suitable action is performed.

How is behavior/activity checked and compared to viruses?

A behavioral attempt to detect viruses is very complex... since it rarely ever requires any update.

OK, how will you tell that your pet is not well?

Simply... you'll notice its activities, its body temperature and its regular diet, etc.

And if these used-to-remain-constant variables have changed significantly, then you'll take it to the doctor...

The same approach is followed here...

All virus-infection symptoms are noticed and then, with the help of REVERSE ENGINEERING (not by the signature, but by the activity), the virus is detected. Say a Win.Sality virus creates multiple copies of itself... this activity might be the unique one for Win.Sality... and so it's detected. And if it's not unique... at least you have the majority of the virus list filtered out that doesn't show this activity... then you apply further filters by recording the activity of the virus, and finally reach the most appropriate malware.

Things that a good antivirus must take care of...

1. Email monitor: must be able to detect any outgoing or incoming mail.

2. Internet monitor: must be able to read and sense HTML traffic.

3. File monitor: the most important.

4. Self check: it must be able to check the integrity of its own core files.

5. Memory monitor: I mean, simply go to your RAM and select random memory blocks or active memory blocks, whichever is good to you... create their signature, match it in the dictionary and go on doing all of that if-else crap until a final result has come.

Good luck! And I wish you some viruses!! ;-)
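The checksum-style signature described in the answer above, as an added example (not code from the answer or from any product): a whole-file hash is looked up in a constructed "virus database", and the self check from item 4 is implemented as a manifest of the program's own core files' hashes that reports any file which is missing or no longer matches. The sample malware bytes, the core file names and the database are all constructed for the example. The `mutate` function shows the practical limit of whole-file hashes, which the longer answer further down this thread touches on under polymorphic viruses: appending a single byte produces a different checksum, so the exact lookup no longer matches.

```python
import hashlib
from typing import Dict, List, Optional

# Constructed "virus": a fake MZ header followed by a marker string.
MALWARE_SAMPLE = b"MZ" + b"\x90" * 8 + b"copy-self-into-every-folder"


def file_hash(data: bytes, algo: str = "sha1") -> str:
    """Whole-file checksum using any hashlib algorithm (md5, sha1, sha256, ...)."""
    return hashlib.new(algo, data).hexdigest()


# Constructed virus database: whole-file SHA-1 -> malware name.
VIRUS_DB: Dict[str, str] = {file_hash(MALWARE_SAMPLE): "Demo.SelfCopier"}


def lookup(data: bytes) -> Optional[str]:
    """Return the malware name if the file's checksum is in the database."""
    return VIRUS_DB.get(file_hash(data))


def mutate(data: bytes) -> bytes:
    """Append one padding byte: the file still 'works' but hashes differently."""
    return data + b"\x00"


# Self check of the scanner's own core files (constructed contents).
CORE_FILES: Dict[str, bytes] = {
    "engine.dll": b"scan engine v1",
    "virus.db": b"signature database",
    "monitor.exe": b"file monitor",
}


def build_manifest(files: Dict[str, bytes]) -> Dict[str, str]:
    """Record a SHA-256 of each core file, as you would at install time."""
    return {name: file_hash(content, "sha256") for name, content in files.items()}


def self_check(files: Dict[str, bytes], manifest: Dict[str, str]) -> List[str]:
    """Return the names of core files that are missing or no longer match."""
    bad = []
    for name, expected in manifest.items():
        if name not in files or file_hash(files[name], "sha256") != expected:
            bad.append(name)
    return sorted(bad)


if __name__ == "__main__":
    print("original sample:", lookup(MALWARE_SAMPLE))
    print("one byte appended:", lookup(mutate(MALWARE_SAMPLE)))
    manifest = build_manifest(CORE_FILES)
    tampered = dict(CORE_FILES, **{"engine.dll": b"scan engine v1 + patch"})
    print("self check, clean:", self_check(CORE_FILES, manifest))
    print("self check, tampered:", self_check(tampered, manifest))
```

The manifest itself is the weak point of the self check: anything that can overwrite `engine.dll` can usually rewrite the manifest too, so a real product keeps it signed or out of reach of the user account the malware runs as.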
K Y oon41
2007-03-20 01:17:25 UTC
Antivirus is software which you download/buy and use to remove dangerous files (viruses), and any suspicious files can be put in quarantine.



If you go to your antivirus, click on Scan and select the folders/drives you want the antivirus to search. If you then press Scan, it will go through the folders/drives you selected, trying to match its virus definition database with files on your computer. If there is a match, the file will be removed from your computer if you have 'delete on scan', or you can select and delete it manually. Any files matching some of the criteria will most likely be put under quarantine.
mak
2007-03-20 01:10:38 UTC
Antivirus is the protection against viruses. It also indicates if any virus has entered your computer, and you can delete it by following the instructions given by the antivirus programme.
blesshisname2005
2007-03-20 01:14:13 UTC
Antivirus catches a virus that's on your computer or trying to enter your computer. Be careful which ones you download; they can cause trouble. Try to use the one you have your online program through.
anonymous
2007-03-20 01:30:54 UTC
Antivirus software consists of computer programs that attempt to identify, thwart and eliminate computer viruses and other malicious software (malware).



Antivirus software typically uses two different techniques to accomplish this:



Examining (scanning) files to look for known viruses matching definitions in a virus dictionary

Identifying suspicious behavior from any computer program which might indicate infection. Such analysis may include data captures, port monitoring and other methods.

Most commercial antivirus software uses both of these approaches, with an emphasis on the virus dictionary approach.



Historically, the term antivirus has also been used for benign computer viruses that spread and combated malicious viruses. This was common on the Amiga computer platform.



Approaches



Dictionary

In the virus dictionary approach, when the antivirus software looks at a file, it refers to a dictionary of known viruses that the authors of the antivirus software have identified. If a piece of code in the file matches any virus identified in the dictionary, then the antivirus software can take one of the following actions:



attempt to repair the file by removing the virus itself from the file

quarantine the file (such that the file remains inaccessible to other programs and its virus can no longer spread)

delete the infected file

To achieve consistent success in the medium and long term, the virus dictionary approach requires periodic (generally online) downloads of updated virus dictionary entries. As civically minded and technically inclined users identify new viruses "in the wild", they can send their infected files to the authors of antivirus software, who then include information about the new viruses in their dictionaries.



Dictionary-based antivirus software typically examines files when the computer's operating system creates, opens, closes or e-mails them. In this way it can detect a known virus immediately upon receipt. Note too that a System Administrator can typically schedule the antivirus software to examine (scan) all files on the computer's hard disk on a regular basis.



Although the dictionary approach can effectively contain virus outbreaks in the right circumstances, virus authors have tried to stay a step ahead of such software by writing "oligomorphic", "polymorphic" and more recently "metamorphic" viruses, which encrypt parts of themselves or otherwise modify themselves as a method of disguise, so as to not match the virus's signature in the dictionary.





Suspicious behavior

The suspicious behavior approach, by contrast, doesn't attempt to identify known viruses, but instead monitors the behavior of all programs. If one program tries to write data to an executable program, for example, the antivirus software can flag this suspicious behavior, alert a user and ask what to do.



Unlike the dictionary approach, the suspicious behavior approach therefore provides protection against brand-new viruses that do not yet exist in any virus dictionaries. However, it can also sound a large number of false positives, and users probably become desensitized to all the warnings. If the user clicks "Accept" on every such warning, then the antivirus software obviously gives no benefit to that user. This problem has worsened since 1997, since many more nonmalicious program designs came to modify other .exe files without regard to this false positive issue. Thus, most modern antivirus software uses this technique less and less.





Other approaches

Some antivirus software uses other types of heuristic analysis. For example, it could try to emulate the beginning of the code of each new executable that the system invokes before transferring control to that executable. If the program seems to use self-modifying code or otherwise appears as a virus (if it immediately tries to find other executables, for example), one could assume that a virus has infected the executable. However, this method could result in a lot of false positives.



Yet another detection method involves using a sandbox. A sandbox emulates the operating system and runs the executable in this simulation. After the program has terminated, software analyzes the sandbox for any changes which might indicate a virus. Because of performance issues, this type of detection normally only takes place during on-demand scans. Also, this method may fail, as a virus can be nondeterministic and result in different actions, or no actions at all, when run, so it will be impossible to detect it from one run.



Some virus scanners can also warn a user if a file is likely to contain a virus based on the file type.



An emerging technique to deal with malware in general is whitelisting. Rather than looking for only known bad software, this technique prevents execution of all computer code except that which has been previously identified as trustworthy by the system administrator. By following this default deny approach, the limitations inherent in keeping virus signatures up to date are avoided. Additionally, computer applications that are unwanted by the system administrator are prevented from executing since they are not on the whitelist. Since modern enterprise organizations have large quantities of trusted applications, the limitations of adopting this technique rest with the system administrators' ability to properly inventory and maintain the whitelist of trusted applications. As such, viable implementations of this technique include tools for automating the inventory and whitelist maintenance processes.



Issues of concern

The spread of viruses using e-mail as their infection vector could be inhibited far more inexpensively and effectively, without the need to install additional antivirus software, if bugs in e-mail clients which allow the unauthorized execution of code were fixed.

User education can effectively supplement antivirus software. Simply training users in safe computing practices (such as not downloading and executing unknown programs from the Internet) would slow the spread of viruses and obviate the need of much antivirus software.

The ongoing writing and spreading of viruses and of panic about them gives the vendors of commercial antivirus software a financial interest in the ongoing existence of viruses. Some theorize that antivirus companies have financial ties to virus writers, to generate their own market, though there is currently no evidence for this.

Some antivirus software can considerably reduce performance. Users may disable the antivirus protection to overcome the performance loss, thus increasing the risk of infection. For maximum protection the antivirus software needs to be enabled all the time — often at the cost of slower performance (see also software bloat).

It is sometimes necessary to temporarily disable virus protection when installing major updates such as Windows Service Packs or updating graphics card drivers. Having antivirus protection running at the same time as installing a major update may prevent the update installing properly or at all.

When purchasing antivirus software, the agreement may include a clause that your subscription will be automatically renewed, and your credit card automatically billed at the renewal time without your approval. For example, McAfee requires one to unsubscribe at least 60 days before the expiration of the present subscription, yet it does not provide phone access nor a way to unsubscribe directly through their website. In that case, the subscriber's recourse is to contest the charges with the credit card issuer.



History

See also: Timeline of notable computer viruses and worms

There are competing claims for the innovator of the first antivirus product. Perhaps the first publicly known neutralization of a wild PC virus was performed by European Bernt Fix (also Bernd) in early 1987. Fix neutralized an infection of the Vienna virus.[3] Following Vienna a number of highly successful viruses appeared including Ping Pong, Lehigh, and Suriv-3 aka Jerusalem.



In January 1988, researchers in the Hebrew University developed "unvirus" and "immune", which tell users whether their disks have been infected and applies an antidote to those that have.



From 1988 onwards many companies formed with a focus on the new field of antivirus technology. One of the first breakthroughs in antivirus technology occurred in March 1988 with the release of the Den Zuk viruses created by Denny Yanuar Ramdhani of Indonesia. Den Zuk neutralized the Brain virus. April 1988 saw the Virus-L forum on Usenet created, and mid-1988 saw the development by Peter Tippett of a heuristic scanner capable of detecting viruses and Trojans, which was given a small public release. Fall 1988 also saw the antivirus software Dr. Solomon's Anti-Virus Toolkit released by Briton Alan Solomon. By December 1990 the market had matured to the point of nineteen separate antivirus products being on sale, including Norton AntiVirus and ViruScan from McAfee.



Tippett made a number of contributions to the budding field of virus detection. He was an emergency room doctor who also ran a computer software company. He had read an article about the Lehigh virus (other viruses had been developed earlier, but it was Lehigh that Tippett read about) and he questioned whether they would have similar characteristics to viruses that attack humans. From an epidemiological viewpoint, he was able to determine how these viruses were affecting systems within the computer (the boot sector was affected by the Brain virus, the .com files were affected by the Lehigh virus, and both .com and .exe files were affected by the Jerusalem virus). Tippett's company Certus International Corp. then began to create anti-virus software programs. The company was sold in 1992 to Symantec Corp, and Tippett went to work for them, incorporating the software he had developed into Symantec's product, Norton AntiVirus.
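The "suspicious behavior" approach described in the answer above (a program writing to an executable, or immediately looking for other executables), as an added example that is not code from the answer or from any product: a monitor scores a constructed stream of process events, alerts only when one process accumulates several suspicious actions, and exempts a trusted updater. That exemption is the simplest answer to the false-positive problem the answer raises, where legitimate installers modify .exe files. The event format, rule weights, threshold, paths and process names are all constructed for the example.

```python
from collections import defaultdict
from typing import Dict, List, Set, Tuple

EXECUTABLE_EXT = (".exe", ".dll", ".scr", ".com", ".sys")

# Constructed event stream: (process, action, target). In a real product these
# would come from a file-system filter driver or a registry hook.
EVENTS: List[Tuple[str, str, str]] = [
    ("updater.exe", "write",     r"C:\Program Files\App\app.exe"),
    ("notepad.exe", "write",     r"C:\Users\sai\notes.txt"),
    ("game.exe",    "enumerate", r"C:\Windows\System32\*.exe"),
    ("game.exe",    "write",     r"C:\Windows\System32\calc.exe"),
    ("game.exe",    "write",     r"C:\Windows\System32\notepad.exe"),
    ("game.exe",    "write",     r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\game"),
]

# Constructed allowlist of programs expected to rewrite executables.
TRUSTED_UPDATERS: Set[str] = {"updater.exe"}


def classify(action: str, target: str) -> Tuple[int, str]:
    """Return (weight, reason) for one event; (0, '') if unremarkable."""
    t = target.lower()
    if action == "write" and t.endswith(EXECUTABLE_EXT):
        return 3, f"wrote to executable {target}"
    if action == "enumerate" and t.endswith(EXECUTABLE_EXT):
        return 1, f"searched for executables in {target}"
    if action == "write" and "\\currentversion\\run\\" in t:
        return 2, f"added autorun entry {target}"
    return 0, ""


def score_processes(events: List[Tuple[str, str, str]],
                    trusted: Set[str]) -> Dict[str, Tuple[int, List[str]]]:
    """Accumulate a suspicion score and the reasons behind it per process."""
    totals: Dict[str, int] = defaultdict(int)
    reasons: Dict[str, List[str]] = defaultdict(list)
    for process, action, target in events:
        if process in trusted:
            continue  # known-good updater: its writes to .exe files are expected
        weight, why = classify(action, target)
        if weight:
            totals[process] += weight
            reasons[process].append(why)
    return {p: (totals[p], reasons[p]) for p in totals}


def alerts(events: List[Tuple[str, str, str]], trusted: Set[str],
           threshold: int = 4) -> List[str]:
    """Processes whose score crosses the threshold. A single write to an
    executable (weight 3) stays below it on purpose, so an ordinary
    installer is not flagged on one event alone."""
    scored = score_processes(events, trusted)
    return sorted(p for p, (score, _) in scored.items() if score >= threshold)


if __name__ == "__main__":
    for process, (score, why) in score_processes(EVENTS, TRUSTED_UPDATERS).items():
        print(f"{process}: score {score}")
        for line in why:
            print("   ", line)
    print("alerts:", alerts(EVENTS, TRUSTED_UPDATERS))
```

Keying the allowlist on a process name, as this example does, is the weak form: malware can simply call itself `updater.exe`. Real products key such exemptions on the file's hash or its code-signing publisher instead, which is the same idea behind the whitelisting approach described above.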


This content was originally posted on Y! Answers, a Q&A website that shut down in 2021.