Integrity Verification when defending against viruses

Written by Levi D. Johnson. Published March 2007.



When defending against viruses, we are dealing with programs that modify their host files as they spread. Therefore, one way to detect the presence of a virus is to discover files that have been unexpectedly modified. The integrity verification process aims to achieve this goal by following these steps:

  1. While the machine is in a pristine state, compute fingerprints of the files that need to be monitored, and record them in a baseline database. A fingerprint can be a simple checksum, but a cryptographic hash is preferable: a CRC-style checksum can be matched by an attacker after the file has been altered, whereas a collision-resistant hash cannot be.

  2. When scanning the file system for suspicious modifications, compute fingerprints of monitored files and compare the values to those in the baseline.

  3. If unexplained differences between the current state and the baseline are detected, issue an alert.
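The three steps above, as an added example that is not part of the original article or of any product it mentions. The script builds a SHA-256 baseline over a directory tree, re-scans it, and reports files that were modified, removed or added. The directory layout, the file contents and the simulated "infection" in `demo()` are constructed for the illustration; `save_baseline` and `load_baseline` are assumed helpers, and in a real deployment the baseline file would be kept somewhere the monitored machine cannot rewrite (read-only media or a separate host).

```python
import hashlib
import json
import os
import tempfile
from pathlib import Path


def fingerprint(path, chunk_size=65536):
    """SHA-256 of a file's contents, read in chunks so large files need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root):
    """Step 1: walk the tree while it is believed clean; map each relative path to its fingerprint."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): fingerprint(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def save_baseline(baseline, dest):
    """Assumed helper: persist the baseline as JSON (store it where the monitored host cannot alter it)."""
    Path(dest).write_text(json.dumps(baseline, indent=1, sort_keys=True))


def load_baseline(src):
    """Assumed helper: read a baseline written by save_baseline."""
    return json.loads(Path(src).read_text())


def verify(root, baseline):
    """Steps 2 and 3: recompute fingerprints and report every unexplained difference from the baseline."""
    current = build_baseline(root)
    return {
        "modified": sorted(k for k in baseline if k in current and current[k] != baseline[k]),
        "missing": sorted(k for k in baseline if k not in current),
        "added": sorted(k for k in current if k not in baseline),
    }


def demo():
    """Constructed scenario: baseline a clean tree, then simulate a parasitic virus appending
    itself to one binary, dropping a new file and deleting another, and re-verify."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "monitored"
        (root / "bin").mkdir(parents=True)
        (root / "bin" / "ls").write_bytes(b"\x7fELF original program body")      # constructed content
        (root / "bin" / "cat").write_bytes(b"\x7fELF another program body")      # constructed content

        baseline_file = Path(tmp) / "baseline.json"
        save_baseline(build_baseline(root), baseline_file)
        baseline = load_baseline(baseline_file)
        clean_report = verify(root, baseline)          # nothing changed yet: all lists empty

        # Simulated infection (constructed): appending virus, dropper, and a deleted utility.
        with open(root / "bin" / "ls", "ab") as f:
            f.write(b"\n;; virus payload appended to host")
        (root / "bin" / "dropper").write_bytes(b"new unexpected file")
        os.remove(root / "bin" / "cat")
        infected_report = verify(root, baseline)

    return clean_report, infected_report


if __name__ == "__main__":
    before, after = demo()
    print("clean scan:   ", before)
    print("infected scan:", after)
```

The comparison is by content only; a production tool such as Tripwire also records ownership, permissions, size and timestamps, so that a change to a file's mode or owner is caught even when its bytes are untouched.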

There are several commercial and free applications dedicated to implementing such integrity verification procedures. The most famous of these tools is probably Tripwire (available at www.tripwire.com), which has been detecting unauthorized changes to the file system since it was first released in 1992. Tripwire and other software of this type are not virus checkers per se: such programs alert administrators to suspicious changes in the machine's state regardless of whether the change was made by malware or through some other channel.

Integrity verification approaches can also be used by antivirus software, although vendors are rarely forthcoming about the extent to which they have implemented such mechanisms. Sophos AntiVirus is known to use checksums to help determine whether a file needs to be examined more carefully via other detection methods. When scanning a file, Sophos AntiVirus computes the file's checksum and compares it to the value calculated earlier. If the checksums do not match, then there is a chance that the file was infected, and the antivirus program might need to examine it more thoroughly.

An antivirus product trying to make the most of integrity verification techniques is likely to be selective about which portions of a file are fingerprinted for baseline comparison. For example, it is normal for the contents of a Microsoft Word document to change when the user edits its text; it is far less common for the macros embedded in the document to be modified. Therefore, antivirus software might be more suspicious of changes detected in the macro section of the document than of changes to the text.
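Selective fingerprinting of the kind just described, as an added example that is not code from the original article or from any antivirus vendor. It hashes only the macro storage of a ZIP-based document rather than the whole file, so text edits leave the fingerprint unchanged while any change to the macros is flagged. The container built by `build_doc` is a constructed stand-in for a macro-enabled Word file (only the member name `word/vbaProject.bin`, where macro-enabled OOXML documents keep their VBA project, is taken from the real format); the macro blobs are constructed sample bytes, not real compiled VBA, and the classification strings are this example's own.

```python
import hashlib
import io
import zipfile

# Member of a macro-enabled OOXML container that holds the VBA project.
MACRO_MEMBER = "word/vbaProject.bin"


def build_doc(text, macro):
    """Constructed minimal docm-like ZIP: a text body plus an optional macro blob (not a real Word file)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("word/document.xml",
                   "<w:document><w:body><w:p><w:t>%s</w:t></w:p></w:body></w:document>" % text)
        if macro is not None:
            z.writestr(MACRO_MEMBER, macro)
    return buf.getvalue()


def whole_file_fingerprint(doc_bytes):
    """Naive approach: hash every byte, so any edit to the text changes the fingerprint."""
    return hashlib.sha256(doc_bytes).hexdigest()


def macro_fingerprint(doc_bytes):
    """Selective approach: hash only the macro storage; None means the document carries no macros."""
    with zipfile.ZipFile(io.BytesIO(doc_bytes)) as z:
        if MACRO_MEMBER not in z.namelist():
            return None
        return hashlib.sha256(z.read(MACRO_MEMBER)).hexdigest()


def classify(baseline_macro_fp, doc_bytes):
    """Compare the current macro fingerprint with the baseline and grade the change."""
    fp = macro_fingerprint(doc_bytes)
    if fp == baseline_macro_fp:
        return "ok"                          # text may have changed, macros did not
    if baseline_macro_fp is None:
        return "suspicious: macros added"    # a previously macro-free file gained a VBA project
    if fp is None:
        return "macros removed"              # unusual, but not a typical infection pattern
    return "suspicious: macros changed"      # existing VBA project rewritten


if __name__ == "__main__":
    # Constructed sample macro blobs (placeholder bytes, not compiled VBA).
    benign_macro = b"Attribute VB_Name = \"ThisDocument\"\nSub AutoOpen()\nEnd Sub\n"
    hostile_macro = b"Attribute VB_Name = \"ThisDocument\"\nSub AutoOpen()\nShell \"x.exe\"\nEnd Sub\n"
    original = build_doc("Quarterly report", benign_macro)
    baseline = macro_fingerprint(original)
    print("user edit:      ", classify(baseline, build_doc("Quarterly report, revised", benign_macro)))
    print("macro tampering:", classify(baseline, build_doc("Quarterly report", hostile_macro)))
```

Because the baseline covers only the macro member, the tool does not have to re-examine a document every time its text is saved, which is exactly the triage decision the paragraph describes; a change to the macro member, by contrast, justifies handing the file to the signature and heuristic scanners.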

The main limitation of the integrity verification method is that it detects an infection only after it has occurred; it also depends on the baseline database and the verifier itself being protected from the same tampering, since an attacker who can rewrite the baseline can hide the changes it records. Nevertheless, it is a useful addition to a toolkit that otherwise consists of approaches that look for signatures of known malware specimens and those that use heuristics to detect harmful code. Unfortunately, even antivirus software that implements each of these detection
