28-06-2012, 04:38 PM
Working principle of Antivirus
How does an Antivirus work?
An antivirus is thus the primary line of defense for detecting and removing malware. Simply put, an antivirus scans our system to detect and eliminate malware. It does not only check the system: any new file is checked for suspicious content before it is allowed onto our system. The major approaches on which an antivirus works are:
• Dictionary based approach
• Suspicious behavior approach
• Emulation approach
• Sandbox approach
Dictionary based approach
A dictionary is a book where we generally look up the meanings and definitions of things. Similarly, an antivirus dictionary is a file which contains virus definitions. During a system scan by the antivirus, the code of each system file is compared to the virus definitions in the dictionary to find out whether it is a virus. If the file contains virus code, the user is informed about it. The user then has to decide whether the file is to be deleted, quarantined or repaired.
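The comparison described above, as an added example that is not part of the original post: a tiny dictionary of two constructed definitions (one a byte pattern, one a whole-file SHA-256 hash) is checked against a handful of constructed in-memory "files". All names, patterns and paths are made up for the illustration. It also shows why pattern definitions are preferred over hash-only ones: flipping a single byte of a sample defeats the hash match but not the pattern.

```python
import hashlib
import re

# Constructed sample "virus dictionary" (hypothetical names, not real signatures).
# Each entry carries either a byte-pattern regex or a SHA-256 of the whole file.
DEFINITIONS = {
    "Demo.Dropper.A": {"pattern": rb"DROP\x00\x01PAYLOAD[0-9]{2}"},
    "Demo.Worm.B": {"sha256": None},  # filled in below from a constructed sample
}


def sha256_of(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed sample body standing in for an infected executable on disk.
WORM_SAMPLE = b"MZ" + b"\x90" * 16 + b"WORM-B-BODY" + b"\x00" * 8
DEFINITIONS["Demo.Worm.B"]["sha256"] = sha256_of(WORM_SAMPLE)


def scan_bytes(data: bytes) -> list[str]:
    """Compare one file's contents against every definition; return the names that match."""
    hits = []
    digest = sha256_of(data)
    for name, entry in DEFINITIONS.items():
        if "sha256" in entry and entry["sha256"] == digest:
            hits.append(name)
        elif "pattern" in entry and re.search(entry["pattern"], data, re.DOTALL):
            hits.append(name)
    return hits


def scan_files(files: dict[str, bytes]) -> dict[str, list[str]]:
    """Scan a mapping of path -> contents, the way a scanner walks a disk."""
    return {path: scan_bytes(data) for path, data in files.items()}


# Constructed files: paths and contents are invented for the demonstration.
SAMPLE_FILES = {
    "C:/Windows/notepad.exe": b"MZ\x90\x00" + b"\x00" * 32,
    "C:/Downloads/setup.exe": b"MZ" + b"DROP\x00\x01PAYLOAD42" + b"\xcc" * 4,
    "C:/Downloads/worm.exe": WORM_SAMPLE,
    # One byte flipped: the whole-file hash no longer matches, so a hash-only
    # definition misses this variant while a pattern definition would not.
    "C:/Downloads/worm_variant.exe": WORM_SAMPLE[:-1] + b"\x01",
}

if __name__ == "__main__":
    for path, hits in scan_files(SAMPLE_FILES).items():
        print(f"{path}: {'clean' if not hits else ', '.join(hits)}")
```

Running the block reports the dropper and the worm as infected, the notepad file as clean, and the one-byte worm variant as clean, which is exactly the gap a dictionary scanner has until the vendor ships an updated definition.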
Suspicious Behavior approach
As the name suggests, this method is based on suspecting behavior. For example, let's say an unknown process running on our system is trying to modify the FAT or write data into some executable. This definitely triggers suspicion. Thus this method can provide protection against new viruses, whereas in the dictionary approach the virus must already be listed in the dictionary.
The major problem with this approach is the number of false positives. With more and more warnings the user tends to ignore them, thereby occasionally allowing viruses to damage our systems.
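A scoring monitor of the kind described above, as an added example that is not from the original post: each process's actions (taken here from a constructed event list rather than a real driver hook) are weighted, and a process whose total reaches a threshold is reported. The rule names, weights and paths are assumptions. The legitimate installer in the event list writes into executables exactly as a virus would, so it trips the same alert; the trusted-process allowlist shows one common way of cutting such false positives.

```python
from collections import defaultdict

# Hypothetical weights per suspicious action; reaching the threshold raises an alert.
RULES = {
    "write_executable": 4,  # writing into another program's .exe/.dll
    "modify_fat": 6,        # touching the file allocation table or boot sector
    "disable_av": 5,        # tampering with the antivirus itself
    "mass_delete": 3,       # deleting many user files in a short time
}
ALERT_THRESHOLD = 6


def score_events(events):
    """events: list of (process, action, target). Returns {process: (score, reasons)}."""
    scores = defaultdict(int)
    reasons = defaultdict(list)
    for proc, action, target in events:
        weight = RULES.get(action, 0)
        if weight:
            scores[proc] += weight
            reasons[proc].append(f"{action} -> {target}")
    return {p: (scores[p], reasons[p]) for p in scores}


def alerts(events, trusted=frozenset()):
    """Processes at or above the threshold, minus an allowlist of trusted ones."""
    scored = score_events(events)
    return sorted(p for p, (s, _) in scored.items()
                  if s >= ALERT_THRESHOLD and p not in trusted)


# Constructed event log: process names, actions and targets are invented.
EVENTS = [
    ("unknown.exe", "write_executable", "C:/Windows/System32/calc.exe"),
    ("unknown.exe", "modify_fat", "\\\\.\\PhysicalDrive0"),
    ("installer.exe", "write_executable", "C:/Program Files/App/app.exe"),
    ("installer.exe", "write_executable", "C:/Program Files/App/helper.dll"),
    ("notepad.exe", "write_document", "C:/Users/me/notes.txt"),
]

if __name__ == "__main__":
    for proc, (score, why) in score_events(EVENTS).items():
        print(f"{proc}: score {score}; {'; '.join(why)}")
    print("alerts:", alerts(EVENTS))
    print("alerts with allowlist:", alerts(EVENTS, trusted={"installer.exe"}))
```

Without the allowlist both unknown.exe and installer.exe are flagged; the installer is the false positive the text warns about, and every such warning trains the user to click through the next one.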
Emulation approach
Some antiviruses emulate the beginning of the code of each new executable that is about to be executed, before transferring control to the executable itself. If the program contains self-modifying or self-replicating code, or tries to locate other executables, we can say that the executable is infected. But even this method has a lot of false positives.
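An emulator in miniature, as an added example that is not from the original post: a toy instruction set (MOV, STORE, OPEN, JMP, HALT, all invented for this illustration) is interpreted for a bounded number of steps, and two of the signs named above are flagged: a STORE whose target address lies inside the program's own code, and an OPEN of another executable. The three sample programs are constructed; the "updater" shows the false-positive case, a legitimate program that opens other executables and is flagged all the same.

```python
MAX_STEPS = 50
EXECUTABLE_SUFFIXES = (".exe", ".com", ".dll")


def emulate_prefix(program, max_steps=MAX_STEPS):
    """Interpret at most max_steps instructions of the toy program and return
    the sorted set of suspicious findings seen in that prefix."""
    code_range = range(len(program))  # one memory cell per instruction
    regs, mem, findings = {}, {}, set()
    pc = steps = 0
    while 0 <= pc < len(program) and steps < max_steps:
        ins = program[pc]
        op = ins[0]
        if op == "MOV":                       # MOV reg, value
            regs[ins[1]] = ins[2]
        elif op == "STORE":                   # STORE addr, reg
            addr = ins[1]
            if addr in code_range:            # writing over its own instructions
                findings.add("self_modifying")
            mem[addr] = regs.get(ins[2], 0)
        elif op == "OPEN":                    # OPEN path
            if ins[1].lower().endswith(EXECUTABLE_SUFFIXES):
                findings.add("seeks_executables")
        elif op == "JMP":                     # JMP index
            pc = ins[1]
            steps += 1
            continue
        elif op == "HALT":
            break
        pc += 1
        steps += 1
    return sorted(findings)


# Constructed programs (paths are invented).
BENIGN = [
    ("MOV", "a", 7),
    ("STORE", 100, "a"),          # writes to data memory, outside its own code
    ("OPEN", "report.txt"),
    ("HALT",),
]
INFECTED = [
    ("MOV", "a", 0xEB),
    ("STORE", 0, "a"),            # overwrites its own first instruction
    ("OPEN", "C:/Windows/notepad.exe"),
    ("JMP", 0),                   # loops forever; the step budget stops it
]
UPDATER = [
    ("OPEN", "C:/Program Files/App/app.exe"),  # legitimate, but looks the same
    ("HALT",),
]

if __name__ == "__main__":
    for name, prog in [("benign", BENIGN), ("infected", INFECTED), ("updater", UPDATER)]:
        print(f"{name}: {emulate_prefix(prog) or 'no findings'}")
```

The step budget matters: the infected sample never halts, and a real emulator likewise runs only a bounded prefix before deciding, which is also why malware that delays its suspicious behaviour can slip past this check.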
Sandbox approach
In computer security, a sandbox is a security mechanism for isolating running programs.
It is used for testing an untested piece of code, which may be an untrusted program. It does this by tightly controlling the resources given to the untrusted program while it runs. In other words, it acts like our operating system and runs the untrusted guest program inside itself. After the program has run, the sandbox is examined for any changes of a virus-like nature. This method has a high performance overhead, which limits its use to on-demand scans.
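The examine-after-running step, as an added example that is not from the original post: the "sandbox" here is a temporary directory seeded with constructed files, the guest is a Python callable that is only handed that directory, and the check is a before/after hash snapshot whose differences are scored for virus-like changes (executables modified, a boot-sector file rewritten, several executables dropped). File names, the boot.sector stand-in and the guest programs are all assumptions; a real sandbox would also confine the process itself, which a temporary directory alone does not do.

```python
import hashlib
import tempfile
from pathlib import Path

EXECUTABLE_SUFFIXES = (".exe", ".dll", ".com", ".sys")


def snapshot(root: Path) -> dict[str, str]:
    """Relative path -> SHA-256 of every file under root."""
    return {p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in sorted(root.rglob("*")) if p.is_file()}


def diff_snapshots(before, after):
    return {
        "added": sorted(set(after) - set(before)),
        "removed": sorted(set(before) - set(after)),
        "modified": sorted(k for k in before.keys() & after.keys() if before[k] != after[k]),
    }


def virus_like(changes):
    """Reasons why the observed changes look like an infection (constructed rules)."""
    reasons = []
    for path in changes["modified"]:
        if path.lower().endswith(EXECUTABLE_SUFFIXES):
            reasons.append(f"modified executable {path}")
    if any(p.endswith("boot.sector") for p in changes["modified"]):
        reasons.append("rewrote boot sector")
    new_exes = [p for p in changes["added"] if p.lower().endswith(EXECUTABLE_SUFFIXES)]
    if len(new_exes) >= 2:
        reasons.append(f"dropped {len(new_exes)} new executables")
    return reasons


def run_in_sandbox(untrusted, seed_files):
    """Seed a throwaway directory, run the guest against it, diff, and judge."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for name, data in seed_files.items():
            (root / name).parent.mkdir(parents=True, exist_ok=True)
            (root / name).write_bytes(data)
        before = snapshot(root)
        untrusted(root)          # the guest only ever sees the sandbox root
        after = snapshot(root)
    changes = diff_snapshots(before, after)
    return changes, virus_like(changes)


# Constructed seed files standing in for a small system image.
SEED = {
    "system/calc.exe": b"MZ-calc",
    "system/boot.sector": b"BOOT",
    "docs/notes.txt": b"hi",
}


def benign_guest(root: Path):
    (root / "docs" / "notes.txt").write_bytes(b"hi there")


def infecting_guest(root: Path):
    (root / "system" / "calc.exe").write_bytes(b"MZ-calc" + b"VIRUS")
    (root / "system" / "boot.sector").write_bytes(b"EVIL")
    (root / "a.exe").write_bytes(b"x")
    (root / "b.exe").write_bytes(b"x")


if __name__ == "__main__":
    for name, guest in [("benign", benign_guest), ("infecting", infecting_guest)]:
        changes, reasons = run_in_sandbox(guest, SEED)
        print(f"{name}: {changes}\n  verdict: {reasons or 'clean'}")
```

Seeding, running and hashing the whole tree for every file is where the overhead the text mentions comes from, which is why this kind of check is reserved for on-demand scans rather than run on every file access.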