Virus Detection
Several types of antiviral software can be used to detect the presence of a virus. Scanning software can recognize the characteristics of a virus’s computer code and look for these characteristics in the computer’s files. Because new viruses must be analyzed as they appear, scanning software must be updated periodically to be effective. Other scanners search for common features of viral programs and are usually less reliable. Most antiviral software uses both on-demand and on-access scanners.
On-demand scanners are launched only when the user activates them. On-access scanners, on the other hand, are constantly monitoring the computer for viruses but are always in the background and are not visible to the user. The on-access scanners are seen as the proactive part of an antivirus package and the on-demand scanners are seen as reactive. On-demand scanners usually detect a virus only after the infection has occurred and that is why they are considered reactive.
Antivirus software is usually sold as packages containing many different software programs that are independent of one another and perform different functions.
When installed or packaged together, antiviral packages provide complete protection against viruses. Within most antiviral packages, several methods are used to detect viruses. Checksumming, for example, uses mathematical calculations to compare the state of executable programs before and after they are run. If the checksum has not changed, then the system is uninfected. Checksumming software can detect an infection only after it has occurred, however. As this technology is dated and some viruses can evade it, checksumming is rarely used today.
Most antivirus packages also use heuristics (problem- solving by trial and error) to detect new viruses. This technology observes a program’s behavior and evaluates how closely it resembles a virus. It relies on experience with previous viruses to predict the likelihood that a suspicious file is an as-yet unidentified or unclassified new virus. Other types of antiviral software include monitoring software and integrity-shell software. Monitoring software is different from scanning software. It detects illegal or potentially damaging viral activities such as overwriting computer files or reformatting the computer’s hard drive.
Integrity-shell software establishes layers through which any command to run a program must pass. Checksumming is performed automatically within the integrity shell, and infected programs, if detected, are not allowed to run.