NEWS AT SEI
This article was originally published in News at SEI on: March 1, 2004
If someone rang your doorbell and wanted to come into your living space to sell you something or to use your telephone, you’d need to make a decision whether or not to let them in. If they were a neighbor or someone you knew, you’d probably let them in. If you didn’t know them but believed their story and found them to be otherwise acceptable—say they were neat and clean and not threatening—you’d probably also let them in, but you’d watch them closely while they were in your space.
What are you doing here? You are profiling this person and then deciding what to do based on that profile. It’s your responsibility to be concerned about who enters your home. Further, if you have children, you’ve probably also taught them how to deal with strangers who come to your door.
Anti-virus programs work much the same way. These programs look at the contents of each file, searching for specific patterns that match a profile—called a virus signature—of something known to be harmful. For each file that matches a signature, the anti-virus program typically provides several options on how to respond, such as removing the offending patterns or destroying the file.
To understand how anti-virus programs work, think about scam artists—people who visit your home to try to get you to buy a phony product or service, or to let them in. Once inside, they may try to steal your valuables or try to harm you in some way.
There are a variety of ways you might find out about a specific scam artist lurking in your neighborhood. Perhaps you see a television report or read a newspaper article about the person. They might include pictures and excerpts of the story the scam artist uses to persuade victims to lower their guard. The news report gives you a profile of someone you need to be on the lookout for. You watch for that person until either the story fades away or you hear that the person has been caught.
Anti-virus programs work much the same way. When the anti-virus program vendors learn about a new virus, they provide an updated set of virus signatures. Through features provided by the updated anti-virus program, your home computer also automatically learns of this new virus and begins checking each file for it, along with checking for all the older viruses. However, unlike scam artists, viruses never completely fade away. Their signatures remain part of the master version of all virus signatures.
Suppose a scam artist was at your front door. What would you do? Perhaps you might not allow him to enter or buy his product but, at the same time, you might try not to upset him. You’d politely listen to his story and then send him on his way. After you closed the door, you might call the police or the telephone number given in the report that initially brought him to your attention.
With viruses, you often have the chance to react to them when they’ve been discovered on your home computer. Depending on the specific characteristics of the virus, you might be able to clean the infected file. Or you might be forced to destroy the file and load a new copy from your backups or original distribution media. Your options depend on your choice of anti-virus program and the virus that’s been detected.
Viruses can reach your computer in many ways—through floppy disks, CD-ROMs, email, web sites, and downloaded files. All need to be checked for viruses each time you use them. In other words, when you insert a disk into the drive, check it for viruses. When you receive email, check it for viruses. When you download a file from the Internet, check it for viruses before using it. Your anti-virus program may let you specify all of these to be checked for viruses each time you operate on them. Your anti-virus program may also do this automatically. All you need to do is to open or run the file to cause it to be checked.
Just as you walk around your living space to see if everything is OK, you also need to “walk” around your home computer to see if there are any viruses lurking about. Most anti-virus programs let you schedule periodic exams of all files on your home computer on a regular basis, daily for example. If you leave your computer turned on overnight, think about scheduling a full-system review during that time.
Some anti-virus programs have more advanced features that extend their recognition capabilities beyond virus signatures. Sometimes a file won’t match any of the known signatures, but it may have some of the characteristics of a virus. This is comparable to getting that “there’s something not quite right here, so I’m not going to let them in” feeling as you greet someone at your door. These heuristic tests, as they’re called, help you to keep up with new viruses that aren’t yet defined in your list of virus signatures.
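As an added illustration (not code from the original column), here is a minimal scanner in Python that applies the two kinds of check described above, exact signature matching and heuristic tests, and offers the "clean the file" response rather than destroying it. The signature database, the file names and the file contents are all constructed for this example; only the "MZ" executable header is a real format detail.

```python
import math
from typing import Dict, List

# Constructed signature database (name -> byte pattern seen in infected files).
# These patterns are invented for the example; real vendors ship thousands
# of signatures and push updates daily.
SIGNATURES: Dict[str, bytes] = {
    "Example.Dropper.A": b"MZ\x90\x00EXAMPLE-DROPPER-A-MARKER",
    "Example.Macro.B": b"EXAMPLE-MACRO-B-MARKER",
}

EXE_MAGIC = b"MZ"  # first two bytes of a DOS/Windows executable
DOCUMENT_EXTENSIONS = (".txt", ".doc", ".jpg", ".pdf")


def match_signatures(data: bytes, signatures: Dict[str, bytes] = SIGNATURES) -> List[str]:
    """Signature test: names of every known pattern that occurs in the file contents."""
    return [name for name, pattern in signatures.items() if pattern in data]


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for empty or constant data, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    total = len(data)
    return -sum((c / total) * math.log2(c / total)
                for c in (data.count(b) for b in set(data)))


def heuristic_flags(filename: str, data: bytes) -> List[str]:
    """Heuristic tests: traits that look wrong even when no signature matches."""
    flags = []
    if filename.lower().endswith(DOCUMENT_EXTENSIONS) and data.startswith(EXE_MAGIC):
        flags.append("executable-disguised-as-document")
    if data.startswith(EXE_MAGIC) and shannon_entropy(data) > 7.0:
        flags.append("packed-or-encrypted-executable")  # typical of packed code
    return flags


def scan(filename: str, data: bytes) -> dict:
    """Run both tests and classify the file as infected, suspicious, or clean."""
    hits = match_signatures(data)
    flags = heuristic_flags(filename, data)
    verdict = "infected" if hits else ("suspicious" if flags else "clean")
    return {"file": filename, "verdict": verdict, "signatures": hits, "heuristics": flags}


def clean(data: bytes, names: List[str]) -> bytes:
    """Respond option: strip the matched patterns instead of destroying the file."""
    for name in names:
        data = data.replace(SIGNATURES[name], b"")
    return data
```

A real product also scans on access (when a file is opened or run) and on a schedule; this example only shows the decision made for a single file's contents.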
An anti-virus program is frequently an add-on to your home computer, though your newly purchased computer might include a trial version. At some point, say after 60 days, you must purchase it to continue using it. To decide whether to make that purchase or to look elsewhere, use these steps for evaluating anti-virus programs:
- The Demand test: Can you check a file on demand?
- The Update test: Can you update the virus signatures automatically? Daily is best.
- The Respond test: What are all the ways that you can respond to an infected file? Can the virus checker clean a file?
- The Check test: Can you check every file that gets to your home computer, no matter how it gets there, and can those checks be automated?
- The Heuristics test: Does the virus checker do heuristics tests? How are these defined?
These tests—the DURCH tests—help you compare anti-virus programs. Once you’ve made your selection, install it and use all of its capabilities all of the time.
Intruders are the most successful in attacking all computers—not just home computers—when they use viruses and worms. Installing an anti-virus program and keeping it up to date is among the best defenses for your home computer. If your financial resources are limited, they are better spent purchasing a commercial anti-virus program than anything else.
About the Author
Lawrence R. Rogers is a senior member of the technical staff in the Networked Systems Survivability Program at the Software Engineering Institute (SEI). The CERT Coordination Center is a part of this program. Rogers’s primary focus is analyzing system and network vulnerabilities and helping to transition security technology into production use. His professional interests are in the areas of administering systems in a secure fashion and of software tools and techniques for creating new systems deployed on the Internet. Rogers also works as a trainer of system administrators, authoring and delivering courseware. Before joining the SEI, Rogers worked for 10 years at Princeton University. Rogers co-authored the Advanced Programmer’s Guide to UNIX System V with Rebecca Thomas and Jean Yates. He received a BS in systems analysis from Miami University in 1976 and an MA in computer engineering in 1978 from Case Western Reserve University.
This and other columns by Larry Rogers, along with extensive information about computer and network security, can be found at http://www.cert.org.
The views expressed in this article are the author's only and do not represent directly or imply any official position or view of the Software Engineering Institute or Carnegie Mellon University. This article is intended to stimulate further discussion about this topic.