welcome to techville

Learn Stuff

Anti-Virus Programs

Last month I explained what computer viruses are, what they do, and discussed some general ways to protect yourself.

This month I'll explain how anti-virus ("AV") programs protect your computer. Some of the better known AV software companies that you may have heard of are Norton, Symantec, McAfee, PC-Cillin and Trend Micro. In fact, if you have a fairly new computer, chances are a "trial" version of an AV program is already installed on it.

Jack of many trades

AV programs actually have a multitude of different components for detecting viruses, stopping them, isolating or removing them, and, finally, recovering from the damage they've done. The task you'll typically need to know about is detection.

Detection - the AV "watchdog"

The main method of detection is real-time (aka "background," "on-demand," and "on-the-fly") scanning. This piece of the AV program runs all the time (in Windows you'll see an icon for it in the Windows task bar), constantly watching what happens behind-the-scenes on your computer.

Think of it as a well-trained watch dog that sits quietly in your yard, barking loudly only when somebody comes onto your property who shouldn't be there. The dog knows not to bother you when the mail is delivered and recognizes family members, but a stranger approaching a back window would get a fierce and loud reception.

Good AV software does this too, in a manner of speaking. It watches for any "bad" programs or activities on your computer and stops them immediately. But how does it tell the good from the bad? Through a combination of three different methods: signature checking, heuristics and change detection.

Detection methods

Signature checking: AV companies constantly update a signature list of all known viruses and how to identify them. Your AV software can periodically download this list from the AV company's website so that it can stop all known viruses.

This is extremely accurate for identifying known viruses. Unfortunately, any new, unknown virus will slip by completely undetected.

Heuristics: Heuristics is a fancy word for intelligent guesswork or self-learning logic. The point is that it makes intelligent guesses but does NOT follow a strict formula. So the heuristics look for general virus-like behaviors or patterns (rather than using a strict formula to identify virus-like behavior, which would be easy for virus programmers to avoid).

What's good about heuristics? It doesn't rely on a signature list that may be outdated. Unfortunately, it also sometimes mistakes "good," legitimate programs for viruses.

Change detection: The AV program records the details of selected "system" files (files that your computer must have to run). If those files are ever changed - which is something viruses like to do - the AV program notifies you.

The problem is that this can also interfere with updates to your computer's operating system (which, by definition, means changing those system files) or even installing new programs.
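To make the two mechanical methods above concrete, here is an added example (not code from this column or from any AV vendor): a signature scan that looks for known byte patterns in a file, and change detection that records a digest of each protected file and later reports anything that differs. The signature names, patterns, file names and the "UNKNOWN-PAYLOAD" bytes are all constructed for the demonstration.

```python
import hashlib
import os
import tempfile

# Constructed signature list (name -> byte pattern); made-up markers, not real ones.
SIGNATURES = {
    "Demo.Marker.A": b"DEMO-MARKER-A",
    "Demo.Marker.B": b"DEMO-MARKER-B",
}

def signature_scan(data: bytes) -> list:
    # Signature checking: exact match against every known pattern.
    return [name for name, pattern in SIGNATURES.items() if pattern in data]

def sha256_of(path: str) -> str:
    with open(path, "rb") as fh:
        return hashlib.sha256(fh.read()).hexdigest()

def baseline(paths) -> dict:
    # Change detection, step 1: record a digest of each protected file.
    return {p: sha256_of(p) for p in paths}

def detect_changes(recorded: dict) -> list:
    # Change detection, step 2: anything whose digest differs (or that has
    # disappeared) is reported. The method cannot say WHY it changed.
    findings = []
    for p, old in recorded.items():
        if not os.path.exists(p):
            findings.append((p, "missing"))
        elif sha256_of(p) != old:
            findings.append((p, "modified"))
    return findings

def demo() -> dict:
    # Constructed walk-through: two "system" files, one later altered.
    with tempfile.TemporaryDirectory() as d:
        files = {n: os.path.join(d, n) for n in ("kernel.sys", "driver.sys")}
        for name, p in files.items():
            with open(p, "wb") as fh:
                fh.write(b"legitimate code for " + name.encode())
        recorded = baseline(files.values())
        # Append bytes that match no signature: a never-seen virus and an OS
        # update look the same to change detection, and invisible to signatures.
        with open(files["driver.sys"], "ab") as fh:
            fh.write(b"UNKNOWN-PAYLOAD")
        with open(files["driver.sys"], "rb") as fh:
            data = fh.read()
        return {"changed": [os.path.basename(p) for p, _ in detect_changes(recorded)],
                "signature_hits": signature_scan(data)}
```

Running `demo()` shows the trade-off the column describes: change detection flags `driver.sys` but cannot distinguish an update from an infection, while the signature scan finds nothing because the appended bytes are on no list.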

E-mail: To be, or not to be?

When I said that real-time scanning watches everything that your computer does, I overstated the case a bit. Most AV programs can monitor e-mail, but not all. And for those that have the ability to monitor e-mail, be sure to verify that the e-mail detection portion of the AV program is turned on.

So, just what is it about e-mail that needs to be monitored? First of all, any files that are attached to an e-mail message are suspect. This includes any documents (e.g. Word, Excel, OfficePerfect files) that can contain macros (macros are essentially "mini-programs" for documents). Those macros themselves can contain viruses.

Also, if the e-mail message contains HTML (if you receive an e-mail message that looks like a web page, it's made up of HTML), that HTML can have a virus embedded in it.

You found a virus! Now what?

What do you do when a window from your AV program suddenly pops up on the screen, announcing that it has detected a virus? The three main choices are to:

* "Quarantine" the infected file

* Delete the infected file, or

* Remove the virus from the infected file

Deciding what to do can seem overwhelming, but here's a general guideline. Unless your AV program suggests otherwise, just quarantine the infected file, especially if you've got plenty of hard disk space. If you quarantine it (meaning that the AV program places it in a special, isolated area) you'll still have the option of later deleting the file or attempting to remove the virus from it.

But, if you were to delete the file first, only to realize later that you really need it, you'd be out of luck.

However, because the success rate of removing viruses is somewhat low, you're usually better off obtaining another, uninfected copy of the file if possible, rather than spending time fiddling with the AV program to remove the virus when you're not even sure it'll succeed.

Real-time scanning considerations

As helpful as real-time scanning for viruses is, there are some things to keep in mind.

One is performance degradation. Because an AV program is constantly monitoring your computer's every action, it's also constantly using up some of its processing power, which slows down everything else the computer does (like your work!). Just how much it slows down the computer varies from one AV company to another. Also, on a new, fast computer you probably won't even notice the drop in speed.

Another consideration is when to update your signature list. The trick is to do this regularly (you can schedule the AV program to automatically download new lists at predetermined times) without interfering with your other work, especially if the download ties up your Internet connection.

The third consideration is that in addition to interfering with updates to the computer or the installation of other programs, there is the occasional program that just won't run at all if the real-time scanning is also running. This means that you'll have to turn off the real-time scanning while using the program. Just be sure to turn the scanning back on after you're done!

If you follow the "safe computing" practices I suggested last month, along with diligently running a good AV program (and regularly downloading the latest signature lists), you'll go a long way toward virus-proofing yourself.
