How an Antivirus Program Works
From the early viruses, created as experiments in the eighties, to the latest malicious code, one of the biggest worries for all computer users is the threat of viruses entering their systems.
To prevent viruses from entering a system there are basically just two options. The first of these is to place the computer in a protective ‘bubble’. This in practice means isolating the machine; disconnecting it from the Internet or any other network, not using any floppy disks, CD-ROMs or any other removable disks. This way you can be sure that no virus will get into your computer. You can also be sure that no information will enter the computer, unless it is typed in through the keyboard. So you may have a fantastic computer, the perfect data processing machine…but with no data to process. If you’re happy with that, your computer will be about as much use as a microwave oven.
The second option is to install an antivirus program. These are designed to give you the peace of mind that no malicious code can enter your PC. But how do they do it? How does the program let you install a game, but prevent a virus from copying itself to disk? Well, this is how it works….
An antivirus program is no more than a system for analyzing information and then, if it finds that something is infected, disinfecting it. The information is analyzed (or scanned) in different ways depending on where it comes from. An antivirus will operate differently when monitoring floppy disk operations than when monitoring e-mail traffic or movements over a LAN. The principle is the same, but there are subtle differences.
The information is in the ‘Source system’ and must reach the ‘Destination system’. The source system could be a floppy disk and the destination system the hard disk of a computer; or the source could be an ISP on which a message is stored and the destination the Windows communication system in the client machine, Winsock.
The information interpretation system varies depending on whether it is implemented in operating systems, in applications or whether special mechanisms are needed.
The interpretation mechanism must be specific to each operating system or component in which the antivirus is going to be implemented. For example, in Windows 9x a virtual device driver (VxD) is used, which continually monitors disk activity. In this way, every time the information on a hard disk or floppy disk is accessed, the antivirus will intercept the read and write calls to the disk and scan the information to be read or saved. In Windows NT/2000/XP this operation is performed through a kernel-mode driver, and in Novell through an NLM which intercepts disk activity.
Antivirus products that are not specially designed for operating systems, but are implemented on top of other applications, have a different interpretation mechanism. For example, in an antivirus for CVP firewalls it is the firewall that passes information to the antivirus for scanning through the CVP protocol, and in an antivirus for Sendmail the Milter API filter facilitates information interpretation.
Sometimes an interpretation mechanism is not provided by the antivirus (such as a VxD) or the application (such as the CVP). In this case, special mechanisms between the application and the antivirus must be used. In other words, resources that intercept information and pass it to the antivirus, offering complete integration in order to disinfect viruses.
Once the information has been scanned, using either method, if a threat has been detected, two operations are performed:
1. The cleaned information is returned to the interpretation mechanism, which in turn will return it to the system so that it can continue towards its final destination. This means that if an e-mail message was being received, the message will be let through to the mailbox, or if a file was being copied, the copy process will be allowed to finish.
2. A warning is sent to the user interface. This user interface can vary greatly. In an antivirus for workstations, a message can be displayed on screen, but in server solutions the alert could be sent as an e-mail message, an internal network message, an entry in an activity report or as some kind of message to the antivirus management tool.
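The interception flow just described, with both post-scan operations, as an added illustration that is not code from the original article or from any antivirus product. It models the interpretation mechanism as a function that takes data in flight, hands it to a minimal engine, forwards the cleaned data to its destination, and sends a warning to a user-interface sink. The virus "marker", the message contents and the source labels are all constructed for the example; a real engine's detection logic is far more involved.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Tuple

# Constructed marker standing in for the body of a known virus (example only).
KNOWN_VIRUS_MARKER = b"<<CONSTRUCTED-TEST-VIRUS>>"


@dataclass
class Alert:
    source: str   # where the information was intercepted (e.g. mail, disk)
    verdict: str
    detail: str


@dataclass
class UserInterface:
    """Alert sink. On a workstation this would be an on-screen message; on a
    server it could be an e-mail, a network message, an activity-report entry
    or a message to the management tool. Here it simply records the alerts."""
    alerts: List[Alert] = field(default_factory=list)

    def warn(self, alert: Alert) -> None:
        self.alerts.append(alert)


def scan_engine(data: bytes) -> Tuple[bytes, bool]:
    """Minimal engine: if the marker is present, strip it (disinfect) and
    report the infection. Returns (cleaned_data, was_infected)."""
    if KNOWN_VIRUS_MARKER in data:
        return data.replace(KNOWN_VIRUS_MARKER, b""), True
    return data, False


def intercept(source: str, data: bytes,
              deliver: Callable[[bytes], None], ui: UserInterface) -> bytes:
    """The interception mechanism (the VxD, kernel driver, CVP or Milter hook
    in the article): scan the data in flight, then perform the two post-scan
    operations: forward the cleaned data and raise a warning."""
    cleaned, infected = scan_engine(data)
    # Operation 1: the cleaned information continues to its destination.
    deliver(cleaned)
    # Operation 2: a warning is sent to the user interface.
    if infected:
        ui.warn(Alert(source, "infected", "marker removed before delivery"))
    return cleaned


def demo() -> Dict[str, object]:
    """Run two constructed e-mail messages through the interception layer."""
    mailbox: List[bytes] = []          # the destination system
    ui = UserInterface()
    # Constructed message: a legitimate mail with the marker appended to it.
    infected_mail = b"Subject: report\r\n\r\nPlease see attached." + KNOWN_VIRUS_MARKER
    intercept("mail:ISP", infected_mail, mailbox.append, ui)
    # A clean message passes through untouched and raises no alert.
    intercept("mail:ISP", b"Subject: hi\r\n\r\nall clear", mailbox.append, ui)
    return {"delivered": mailbox, "alert_count": len(ui.alerts),
            "alert_source": ui.alerts[0].source if ui.alerts else None}


if __name__ == "__main__":
    print(demo())
```

The point of the structure is that the engine never talks to the mailbox or the screen directly: the interception layer owns delivery and alerting, so the same engine can sit behind a disk driver, a firewall protocol or a mail filter.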
As you can see, antivirus programs do not perform miracles, nor are they software tools that you need to be wary of. An antivirus is a very simple security ally that offers precision and advanced technology. Consider this: when you copy a few megabytes to the hard disk of your computer, the antivirus must look for over 65,000 viruses without affecting the normal functioning of the computer and without the user realizing.
Antivirus programs offer a high level of protection and prevent any nasty surprises. It is as simple as putting XXX dollars in a box to get peace of mind. I’m sure that now you don’t have any serious doubts…
Regardless of how the information to be scanned is obtained, the most important function of the antivirus now comes into play: the virus scan engine. This engine scans the information it has intercepted for viruses, and if viruses are detected, it disinfects them.
The information can be scanned in two ways. One method involves comparing the information received with a virus database (known as ‘virus signatures’). If the information matches any of the virus signatures, the antivirus concludes that the file is infected by a virus.
The other way of finding out if the information being scanned is dangerous, without knowing if it actually contains a virus or not, is the method known as ‘heuristic scanning’. This method involves analyzing how the information acts and comparing it with a list of dangerous activity patterns.
For example, if a file that can format a hard disk is detected, the antivirus will warn the user. Although it may be a new formatting system that the user is installing on the computer rather than a virus, the action is dangerous. Once the antivirus has sounded the alarm, it is up to the user whether the danger should be eliminated or not.
Both of these methods have their pros and cons. If only the virus signature system is used, it is important to update it at least once a day. When you bear in mind that 15 new viruses are discovered every day, an antivirus that is left for two or three days without being updated is a serious danger.
The heuristic system has the drawback that it can warn you about items that you know are not viruses. If you have to work with a lot of items that may be considered dangerous, you could soon tire of the alerts. Programmers in particular may prefer to disable this option.
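The two detection methods and their trade-offs, as an added example that is not code from the original article or from any product. The signature database and the heuristic rules are constructed for the illustration, and the "behaviour" being matched is plain text in a batch-style script rather than machine code. The scenarios show the cases the text describes: a known sample caught by its signature, a newer variant that an outdated signature database misses but heuristics catch, and a harmless disk-setup tool that the heuristics flag anyway (the false positive a programmer might switch off).

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Pattern, Tuple

# Constructed signature database: name -> byte pattern identifying a known sample.
SIGNATURES: Dict[str, bytes] = {
    "Constructed.Test.A": b"\x90\x90\xeb\x0bTESTVIRUS-A",
    "Constructed.Test.B": b"\xe8\x00\x00\x00\x00\x5bTESTVIRUS-B",
}

# Constructed heuristic rules: (dangerous activity pattern, weight, description).
HEURISTIC_RULES: List[Tuple[Pattern[bytes], int, str]] = [
    (re.compile(rb"format\s+[a-z]:", re.I), 50, "formats a disk"),
    (re.compile(rb"copy\s+%0\s", re.I), 30, "copies itself"),
    (re.compile(rb"autoexec\.bat", re.I), 20, "touches startup files"),
    (re.compile(rb"del\s+\*\.\*", re.I), 30, "mass-deletes files"),
]
HEURISTIC_THRESHOLD = 50   # score at which the engine raises an alarm


@dataclass
class Verdict:
    method: str             # "signature", "heuristic" or "clean"
    name: Optional[str]     # signature name when a signature matched
    score: int              # heuristic score
    reasons: List[str]


def signature_scan(data: bytes, db: Dict[str, bytes] = SIGNATURES) -> Optional[str]:
    """Compare the data against every known signature; return the first match."""
    for name, pattern in db.items():
        if pattern in data:
            return name
    return None


def heuristic_scan(data: bytes) -> Tuple[int, List[str]]:
    """Score the data against the list of dangerous activity patterns."""
    score, reasons = 0, []
    for pattern, weight, reason in HEURISTIC_RULES:
        if pattern.search(data):
            score += weight
            reasons.append(reason)
    return score, reasons


def scan(data: bytes, use_heuristics: bool = True,
         db: Dict[str, bytes] = SIGNATURES) -> Verdict:
    """Signatures first (exact, cheap, no doubt about the result); heuristics
    only if nothing matched and the user has not disabled them."""
    name = signature_scan(data, db)
    if name:
        return Verdict("signature", name, 0, [f"matches {name}"])
    if use_heuristics:
        score, reasons = heuristic_scan(data)
        if score >= HEURISTIC_THRESHOLD:
            return Verdict("heuristic", None, score, reasons)
        return Verdict("clean", None, score, reasons)
    return Verdict("clean", None, 0, [])


def demo() -> Dict[str, str]:
    """Constructed inputs covering the cases discussed in the text."""
    known = b"MZ..." + SIGNATURES["Constructed.Test.A"] + b"\r\nformat c:\r\n"
    # A new variant whose body is not in the database yet.
    new_variant = b"MZ...TESTVIRUS-C\r\ncopy %0 c:\\autoexec.bat\r\nformat c:\r\n"
    # A legitimate disk-setup tool that happens to format a drive.
    benign_tool = b"@echo off\r\necho Disk setup utility\r\nformat d:\r\n"
    return {
        "known_sample": scan(known).method,
        "new_variant_signatures_only": scan(new_variant, use_heuristics=False).method,
        "new_variant_with_heuristics": scan(new_variant).method,
        "benign_format_tool": scan(benign_tool).method,
        "benign_tool_heuristics_off": scan(benign_tool, use_heuristics=False).method,
    }


if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case}: {verdict}")
```

Run as a script, the output shows the trade-off in one place: with heuristics off, the new variant slips through until a signature for it is published, which is why daily updates matter; with heuristics on, the harmless formatting tool is flagged alongside it, which is the alert fatigue the text warns about.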
Permanent and on demand scans
When describing antivirus programs, it is important to clearly distinguish between the two types of protection on offer. The first is permanent scans, which are more complex and essential. These scans constantly monitor the operations performed on the computer to prevent any kind of intrusion.
The other type of protection available is on demand scans. These use the same scan engine as the permanent protection and check any parts of the system whenever the user wants. These are normally used under special circumstances. For example, a user may want to perform an on demand scan when using a new floppy disk or to check information stored on the computer that hasn’t been used for a while.