ghh

INFORMATION TECHNOLOGY
SUPPORT SERVICE
Level I

LEARNING GUIDE # 11
Unit of Competence : Protect Software or System
Application
Module Title : Protecting Software or System
Application
LG Code : ICT ITS1 M04 L02 11
TTLM Code : ICT ITS1 TTLM04 0511

LO 2: Detect and removed destructive software

Infolink College 1
This learning guide is developed to provide you the necessary information regarding the following content coverage and
topics –
• Computer Viruses
• Virus Origin, History and Evolution
• Virus Infection, Removal and Prevention
• Anti-virus Software
•

This guide will also assist you to attain the learning outcome stated in the cover page.
Specifically, upon completion of this Learning Guide, you will be able to –
•

• Define and identify common types of destructive software

• Select and install virus protection compatible with the operating system in use
• Describe advanced systems of protection in order to understand further options
• Install Software updates on a regular basis
• Configure software security settings to prevent destructive software from infecting computer
• Run and/or schedule virus protection software on a regular basis
• Report detected destructive software to appropriate person and remove the destructive software
Learning Activities
1. Read the specific objectives of this Learning Guide.
2. Read the information written in the “Information Sheets 1” in pages 3-4.
3. Accomplish the “Self-check” in page 5.
4. If you earned a satisfactory evaluation proceed to “Information Sheet 2”. However, if your rating is unsatisfactory, see
your teacher for further instructions or go back to Learning Act. #1.
5. Read the information written in the “Information Sheets 2” in pages 6-9.
6. Accomplish the “Self-check” in page 10.
7. If you earned a satisfactory evaluation proceed to “Information Sheet 3”. However, if your rating is unsatisfactory, see
your teacher for further instructions or go back to Learning Act. #2.
8. Read the information written in the “Information Sheets 3” in pages 11-12.
9. Accomplish the “Self-check” in page 13.
10. If you earned a satisfactory evaluation proceed to “Information Sheet 4”. However, if your rating is unsatisfactory, see
your teacher for further instructions or go back to Learning Act. #3.
11. Read the information written in the “information Sheet 4” in pages 14-24.
12. Accomplish the “Self-check” in page 25.
13. If you earned a satisfactory evaluation proceed to “Operation Sheet” on pages 26-27. However, if your rating is
unsatisfactory, see your teacher for further instructions or go back to Learning Activity # 4.
14. If you earned a satisfactory evaluation proceed to “Lap Test” on page 28. However, if your rating is unsatisfactory, see
your teacher for further instructions or go back to Learning Activity Operation Sheet.
15. Do the “LAP test” (if you are ready) and show your output to your teacher. Your teacher will evaluate your output either
satisfactory or unsatisfactory. If unsatisfactory, your teacher shall advice you on additional work. But if satisfactory you
can proceed to Learning Guide 12.

• Your teacher will evaluate your output either satisfactory or unsatisfactory. If unsatisfactory, your teacher shall
advice you on additional work. But if satisfactory you can proceed to the next topic.

Information Sheet 1 Computer Viruses

What is a Virus?

Definition

Infolink College 2
 A computer virus is a small software program that is specifically designed to spread between computers
and hinder basic computer functions.

Viruses are commonly spread through email attachments or instant messages, so it's never a good idea to
open an attachment from a sender that you are not familiar with. They can also be inadvertently downloaded
through the Internet, as part of a file or program that might have come from a questionable website.

Computer viruses can cause serious damage to a computer system. They can slow down the computer's
overall performance and lead to a loss of data that could range from one single file to your entire hard drive.
These viruses have kept pace with new computer technology, evolving rapidly and increasing in complexity;
however, there are still many easy and often free ways to eliminate these destructive programs, while keeping new
ones from invading.

Here are the different kinds of viruses:

• Virus - Can replicate and spread to other computers. Also attacks other program
• Worm - A special type of virus that can replicate and spread, but generally doesn't attack other programs
• Trojan - Doesn't replicate, but can spread. Doesn't attack other programs. Usually just a way of recording
and reporting what you do on your PC

Viruses are split into different categories, depending on what they do. Here are a few categories of
viruses:

• Boot Sector Virus

The Boot Sector of a PC is a part of your computer that gets accessed first when you turn it on. It
tells Windows what to do and what to load. It's like a "Things To Do" list. The Boot Sector is also known
as the Master Boot Record. A boot sector virus is designed to attack this, causing your PC to refuse to
start at all!

• File Virus
A file virus, as its name suggests, attacks files on your computer. Also attacks entire programs,
though.

• Macro Virus
These types of virus are written specifically to infect Microsoft Office documents (Word, Excel
PowerPoint, etc.) A Word document can contain a Macro Virus. You usually need to open a document in
an Microsoft Office application before the virus can do any harm.

• Multipartite Virus
A multipartite virus is designed to infect both the boot sector and files on your computer

• Polymorphic Virus
This type of virus alter their own code when they infect another computer. They do this to try and
avoid detection by anti-virus programs.

Infolink College 3
 Self-Check 1 Written Test
Name:____________________ Date:_________________

Please ask your teacher for the questionnaire for this Self-Check.

Infolink College 4
 Information Sheet 2 Virus Origin, History and Evolution

Virus Origins

Computer viruses are called viruses because they share some of the traits of biological viruses. A
computer virus passes from computer to computer like a biological virus passes from person to person.
Unlike a cell, a virus has no way to reproduce by itself. Instead, a biological virus must inject its DNA
into a cell. The viral DNA then uses the cell's existing machinery to reproduce itself. In some cases, the cell fills
with new viral particles until it bursts, releasing the virus. In other cases, the new virus particles bud off the cell
one at a time, and the cell remains alive.
A computer virus shares some of these traits. A computer virus must piggyback on top of some other
program or document in order to launch. Once it is running, it can infect other programs or documents.
Obviously, the analogy between computer and biological viruses stretches things a bit, but there are enough
similarities that the name sticks.

People write computer viruses. A person has to write the code, test it to make sure it spreads properly
and then release it. A person also designs the virus's attack phase, whether it's a silly message or the destruction of
a hard disk.

Why do they do it?

Infolink College 5
 There are at least three reasons.

• The first is the same psychology that drives vandals and arsonists. Why would someone want
to break a window on someone's car, paint signs on buildings or burn down a beautiful forest?
For some people, that seems to be a thrill. If that sort of person knows computer programming,
then he or she may funnel energy into the creation of destructive viruses.
• The second reason has to do with the thrill of watching things blow up. Some people have a
fascination with things like explosions and car wrecks. When you were growing up, there might
have been a kid in your neighborhood who learned how to make gunpowder. And that kid
probably built bigger and bigger bombs until he either got bored or did some serious damage to
himself. Creating a virus is a little like that -- it creates a bomb inside a computer, and the more
computers that get infected the more "fun" the explosion.

• The third reason involves bragging rights, or the thrill of doing it. Sort of like Mount Everest --
the mountain is there, so someone is compelled to climb it. If you are a certain type of
programmer who sees a security hole that could be exploited, you might simply be compelled to
exploit the hole yourself before someone else beats you to it.
Of course, most virus creators seem to miss the point that they cause real damage to real people with
their creations. Destroying everything on a person's hard disk is real damage. Forcing a large company to waste
thousands of hours cleaning up after a virus is real damage. Even a silly message is real damage because someone
has to waste time getting rid of it. For this reason, the legal system is getting much harsher in punishing the people
who create viruses.

Virus History

Traditional computer viruses were first widely seen in the late 1980s, and they came about because of
several factors.
The first factor was the spread of personal computers (PCs). Prior to the 1980s, home computers were
nearly non-existent or they were toys. Real computers were rare, and they were locked away for use by "experts."
During the 1980s, real computers started to spread to businesses and homes because of the popularity of the IBM
PC (released in 1982) and the Apple Macintosh (released in 1984). By the late 1980s, PCs were widespread in
businesses, homes and college campuses.
The second factor was the use of computer bulletin boards. People could dial up a bulletin board with
a modem and download programs of all types. Games were extremely popular, and so were simple word
processors, spreadsheets and other productivity software. Bulletin boards led to the precursor of the virus known
as the Trojan horse. A Trojan horse is a program with a cool-sounding name and description. So you download
it. When you run the program, however, it does something uncool like erasing your disk. You think you are
getting a neat game, but it wipes out your system. Trojan horses only hit a small number of people because they
are quickly discovered, the infected programs are removed and word of the danger spreads among users.

Infolink College 6
 Floppy disks were factors in the spread of computer viruses.

The third factor that led to the creation of viruses was the floppy disk. In the 1980s, programs were
small, and you could fit the entire operating system, a few programs and some documents onto a floppy disk or
two. Many computers did not have hard disks, so when you turned on your machine it would load the operating
system and everything else from the floppy disk. Virus authors took advantage of this to create the first self-
replicating programs.

Early viruses were pieces of code attached to a common program like a popular game or a popular word
processor. A person might download an infected game from a bulletin board and run it. A virus like this is a small
piece of code embedded in a larger, legitimate program. When the user runs the legitimate program, the virus
loads itself into memory and looks around to see if it can find any other programs on the disk. If it can find one, it
modifies the program to add the virus's code into the program. Then the virus launches the "real program." The
user really has no way to know that the virus ever ran. Unfortunately, the virus has now reproduced itself, so two
programs are infected. The next time the user launches either of those programs, they infect other programs, and
the cycle continues.
If one of the infected programs is given to another person on a floppy disk, or if it is uploaded to a
bulletin board, then other programs get infected. This is how the virus spreads.
The spreading part is the infection phase of the virus. Viruses wouldn't be so violently despised if all they
did was replicate themselves. Most viruses also have a destructive attack phase where they do damage. Some
sort of trigger will activate the attack phase, and the virus will then do something -- anything from printing a silly
message on the screen to erasing all of your data. The trigger might be a specific date, the number of times the
virus has been replicated or something similar.

Virus Evolution

Other Threats
Viruses and worms get a lot of publicity, but they aren't the only threats to your computer's health. Malware is
just another name for software that has an evil intent. Here are some common types of malware and what they
might do to your infected computer:
• Adware puts ads up on your screen.
• Spyware collects personal information about you, like your passwords or other
information you type into your computer.
• Hijackers turn your machine into a zombie computer.
• Dialers force your computer to make phone calls. For example, one might call toll
900-numbers and run up your phone bill, while boosting revenue for the owners of
the 900-numbers.

As virus creators became more sophisticated, they learned new tricks. One important trick was the ability
to load viruses into memory so they could keep running in the background as long as the computer remained on.
This gave viruses a much more

Infolink College 7
effective way to replicate themselves. Another trick was the ability to infect the boot sector on floppy disks and
hard disks. The boot sector is a small program that is the first part of the operating system that the computer loads.
It contains a tiny program that tells the computer how to load the rest of the operating system. By putting its code
in the boot sector, a virus can guarantee it is executed. It can load itself into memory immediately and run
whenever the computer is on. Boot sector viruses can infect the boot sector of any floppy disk inserted in the
machine, and on college campuses, where lots of people share machines, they could spread like wildfire.
In general, neither executable nor boot sector viruses are very threatening any longer. The first reason for
the decline has been the huge size of today's programs. Nearly every program you buy today comes on a compact
disc. Compact discs (CDs) cannot be modified, and that makes viral infection of a CD unlikely, unless the
manufacturer permits a virus to be burned onto the CD during production. The programs are so big that the only
easy way to move them around is to buy the CD. People certainly can't carry applications around on floppy disks
like they did in the 1980s, when floppies full of programs were traded like baseball cards. Boot sector viruses
have also declined because operating systems now protect the boot sector.
Infection from boot sector viruses and executable viruses is still possible. Even so, it is a lot harder, and
these viruses don't spread nearly as quickly as they once did. Call it "shrinking habitat," if you want to use a
biological analogy. The environment of floppy disks, small programs and weak operating systems made these
viruses possible in the 1980s, but that environmental niche has been largely eliminated by huge executables,
unchangeable CDs and better operating system safeguards.

E-mail Viruses

Virus authors adapted to the changing computing environment by creating the e-mail virus. For example,
the Melissa virus in March 1999 was spectacular. Melissa spread in Microsoft Word documents sent via e-mail,
and it worked like this:
Someone created the virus as a Word document and uploaded it to an Internet newsgroup. Anyone who
downloaded the document and opened it would trigger the virus. The virus would then send the document (and
therefore itself) in an e-mail message to the first 50 people in the person's address book. The e-mail message
contained a friendly note that included the person's name, so the recipient would open the document, thinking it
was harmless. The virus would then create 50 new messages from the recipient's machine. At that rate, the
Melissa virus quickly became the fastest-spreading virus anyone had seen at the time. As mentioned earlier, it
forced a number of large companies to shut down their e-mail systems.

Self-Check 2 Written Test

Name:____________________ Date:_________________

Please ask your teacher for the questionnaire for this Self-Check.

Infolink College 8
 Information Sheet 3 Virus Infection, Removal and Prevention

How do Viruses get on my computer?

The most common way that a virus gets on your computer is by an email attachment. If you open the
attachment, and your anti-virus program doesn't detect it, then that is enough to infect your computer. Some
people go so far as NOT opening attachments at all, but simply deleting the entire message as soon as it comes in.
While this approach will greatly reduce your chances of becoming infected, it may offend those relatives of yours
who have just sent you the latest pictures of little Johnny!

Infolink College 9
 You can also get viruses by downloading programs from the internet. That great piece of freeware you
spotted from an obscure site may not be so great after all. It could well be infecting your PC as the main program
is installing.

If your PC is running any version of Windows, and it hasn't got all the latest patches and updates, then
your computer will be attacked a few minutes after going on the internet! (Non Windows users can go into smug
mode!)

Nowadays, they utilized the use of removable storage devices to spread viruses. The most common is
the use of flash drive. Since removable drives like flash drive, CD/DVDs have the autorun functionality, a
simple command that enables the executable file to run automatically, they exploited and altered it so it will
automatically run the virus (normally with .exe, .bat, .vbs format) when you insert your flash drive or CD/DVDs.

Virus infected Symptoms

Common symptoms of a virus-infected computer include

• unusually slow running speeds

• failure to respond to user input
• system crashes and constant system restarts that are triggered
automatically.
• Individual applications also might stop working correctly,
• disk drives might become inaccessible,
• unusual error messages may pop up on the screen,
• menus and dialog boxes can become distorted and peripherals like printers
might stop responding.
• You can't access your disk drives Other symptoms to look out for are strange
error messages, documents not printing correctly, and distorted menus and dialogue boxes. Try
not to panic if your computer is exhibiting one or two items on the list.

Keep in mind that these types of hardware and software problems are not always caused by
viruses, but infection is certainly a strong possibility that is worth investigating.

• Removal

The first step in removing computer viruses is installing any updates that are available for your
operating system; modern operating systems will automatically look for updates if they are connected to
the Internet. If you do not already have anti-virus software on your computer, subscribe to a service and
use the software to do a complete scan of your computer. Since new computer viruses are constantly
being created, set your anti-virus program to automatically check for updates regularly.

• Prevention

In order to prevent future computer infections:

Infolink College 10
 • use an Internet firewall,
• check for operating system and anti-virus program updates,
• scan your computer regularly and exercise caution when handling email and Internet files.

A firewall is a program or piece of hardware that helps screen out viruses, worms and hackers
which are attempting to interact with your computer via the Internet. On modern computers, firewalls
come pre-installed and are turned on by default, so you probably already have one running in the
background. When opening email attachments, don't assume they are safe just because they come from a
friend or reliable source; the sender may have unknowingly forwarded an attachment that contains a virus.

Self-Check 3 Written Test

Name:____________________ Date:_________________

Please ask your teacher for the questionnaire for this Self-Check.

Infolink College 11
 Information Sheet 4 Anti-virus Software

Antivirus software

Antivirus or anti-virus software is used to prevent, detect, and remove malware, including but not
limited to computer viruses, computer worm, trojan horses, spyware and adware. This page talks about the
software used for the prevention and removal of such threats, rather than computer security implemented by
software methods.

A variety of strategies are typically employed. Signature-based detection involves searching for known
patterns of data within executable code. However, it is possible for a computer to be infected with new malware
for which no signature is yet known.

To counter such so-called zero-day threats, heuristics can be used. One type of heuristic approach,
generic signatures, can identify new viruses or variants of existing viruses by looking for known malicious code,
or slight variations of such code, in files. Some antivirus software can also predict what a file will do by running it
in a sandbox and analyzing what it does to see if it performs any malicious actions.

No matter how useful antivirus software can be, it can sometimes have drawbacks. Antivirus software can
impair a computer's performance. Inexperienced users may also have trouble understanding the prompts and
decisions that antivirus software presents them with. An incorrect decision may lead to a security breach. If the
antivirus software employs heuristic detection, success depends on achieving the right balance between false
positives and false negatives. False positives can be as destructive as false negatives.

Infolink College 12
 False positives are wrong detection by an anti-virus where legitimate files were mistakenly identified as
viruses while False negatives are wrong detection by an anti-virus where legitimate viruses were not detected as
viruses.

Finally, antivirus software generally runs at the highly trusted kernel level of the operating system,
creating a potential avenue of attack.

An example of free antivirus software: ClamTk 3.08.

Most of the computer viruses written in the early and mid 1980s were limited to self-reproduction and
had no specific damage routine built into the code. That changed when more and more programmers became
acquainted with virus programming and created viruses that manipulated or even destroyed data on infected
computers.

There are competing claims for the innovator of the first antivirus product. Possibly the first publicly
documented removal of a computer virus in the wild was performed by Bernd Fix in 1987.

Fred Cohen, who published one of the first academic papers on computer viruses in 1984, began to
develop strategies for antivirus software in 1988 that were picked up and continued by later antivirus software
developers.

Also in 1988 a mailing list named VIRUS-L was started on the BITNET/EARN network where new
viruses and the possibilities of detecting and eliminating viruses were discussed. Some members of this mailing
list like John McAfee or Eugene Kaspersky later founded software companies that developed and sold
commercial antivirus software.

Before internet connectivity was widespread, viruses were typically spread by infected floppy disks.
Antivirus software came into use, but was updated relatively infrequently. During this time, virus checkers

Infolink College 13
essentially had to check executable files and the boot sectors of floppy disks and hard disks. However, as internet
usage became common, viruses began to spread online.

Over the years it has become necessary for antivirus software to check an increasing variety of files,
rather than just executables, for several reasons:

• Powerful macros used in word processor applications, such as Microsoft Word, presented a risk.
Virus writers could use the macros to write viruses embedded within documents. This meant
that computers could now also be at risk from infection by opening documents with hidden
attached macros.
• Later email programs, in particular Microsoft's Outlook Express and Outlook,
were vulnerable to viruses embedded in the email body itself. A user's computer could be
infected by just opening or previewing a message.

As always-on broadband connections became the norm, and more and more viruses were released, it
became essential to update virus checkers more and more frequently. Even then, a new zero-day virus could
become widespread before antivirus companies released an update to protect against it.

Malwarebytes' Anti-Malware version 1.46 - a proprietary freeware antimalware product

There are several methods which antivirus software can use to identify malware.

• Signature based detection is the most common method. To identify viruses and other malware, antivirus
software compares the contents of a file to a dictionary of virus signatures. Because viruses can
embed themselves in existing files, the entire file is searched, not just as a whole, but also in pieces.

Infolink College 14
 • Heuristic-based detection, like malicious activity detection, can be used to identify unknown viruses.

• File emulation is another heuristic approach. File emulation involves executing a program in a virtual
environment and logging what actions the program performs. Depending on the actions logged, the
antivirus software can determine if the program is malicious or not and then carry out the appropriate
disinfection actions.

Signature-based detection

Traditionally, antivirus software heavily relied upon signatures to identify malware. This can be very
effective, but cannot defend against malware unless samples have already been obtained and signatures created.
Because of this, signature-based approaches are not effective against new, unknown viruses.

As new viruses are being created each day, the signature-based detection approach requires frequent
updates of the virus signature dictionary. To assist the antivirus software companies, the software may allow the
user to upload new viruses or variants to the company, allowing the virus to be analyzed and the signature added
to the dictionary.

Although the signature-based approach can effectively contain virus outbreaks, virus authors have tried to
stay a step ahead of such software by writing "oligomorphic", "polymorphic" and, more recently,
"metamorphic" viruses, which encrypt parts of themselves or otherwise modify themselves as a method of
disguise, so as to not match virus signatures in the dictionary.

Heuristics

Some more sophisticated antivirus software uses heuristic analysis to identify new malware or variants of
known malware.

Many viruses start as a single infection and through either mutation or refinements by other attackers,
can grow into dozens of slightly different strains, called variants. Generic detection refers to the detection and
removal of multiple threats using a single virus definition.

For example, the Vundo trojan has several family members, depending on the antivirus vendor's
classification. Symantec classifies members of the Vundo family into two distinct categories, Trojan.Vundo and
Trojan.Vundo.B.

While it may be advantageous to identify a specific virus, it can be quicker to detect a virus family
through a generic signature or through an inexact match to an existing signature. Virus researchers find common
areas that all viruses in a family share uniquely and can thus create a single generic signature. These signatures
often contain non-contiguous code, using wildcard characters where differences lie. These wildcards allow the
scanner to detect viruses even if they are padded with extra, meaningless code. A detection that uses this method
is said to be "heuristic detection."

Infolink College 15
Rootkit detection

Anti-virus software can also scan for rootkits; a rootkit virus is a type of malware that is designed to gain
administrative-level control over a computer system without being detected. Rootkits can change how the
operating system functions and in some cases can tamper with the anti-virus program and render it ineffective.
Rootkits are also difficult to remove, in some cases requiring a complete re-installation of the operating system.

Unexpected renewal costs

Some commercial antivirus software end-user license agreements include a clause that
the subscription will be automatically renewed, and the purchaser's credit card automatically billed, at the renewal
time without explicit approval. For example, McAfee requires users to unsubscribe at least 60 days before the
expiration of the present subscription while BitDefender sends notifications to unsubscribe 30 days before the
renewal. Norton Antivirus also renews subscriptions automatically by default.

Rogue security applications

Some apparent antivirus programs are actually malware masquerading as legitimate software, such
as WinFixer and MS Antivirus.

Problems caused by false positives

A "false positive" is when antivirus software identifies a non-malicious file as a virus. When this happens,
it can cause serious problems. For example, if an antivirus program is configured to immediately delete or
quarantine infected files, a false positive in an essential file can render the operating system or some applications
unusable. In May 2007, a faulty virus signature issued by Symantec mistakenly removed essential operating
system files, leaving thousands of PCs unable to boot. Also in May 2007, the executable file required by Pegasus
Mail was falsely detected by Norton AntiVirus as being a Trojan and it was automatically removed, preventing
Pegasus Mail from running. Norton anti-virus had falsely identified three releases of Pegasus Mail as malware,
and would delete the Pegasus Mail installer file when that happened. In response to this Pegasus Mail stated:

Infolink College 16
 “On the basis that Norton/Symantec has done this for every one of the last three releases of Pegasus Mail,
we can only condemn this product as too flawed to use, and recommend in the strongest terms that our
users cease using it in favor of alternative, less buggy anti-virus packages.”

In April 2010, McAfee VirusScan detected svchost.exe, a normal Windows binary, as a virus on
machines running Windows XP with Service Pack 3, causing a reboot loop and loss of all network access.

In December 2010, a faulty update on the AVG anti-virus suite damaged 64-bit versions of Windows 7,
rendering it unable to boot, due to an endless boot loop created.

When Microsoft Windows becomes damaged by faulty anti-virus products, fixing the damage to
Microsoft Windows incurs technical support costs and businesses can be forced to close whilst remedial action is
undertaken.

System and interoperability related issues

Running multiple antivirus programs concurrently can degrade performance and create conflicts.
However, using a concept called multi-scanning, several companies (including G Data and Microsoft) have
created applications which can run multiple engines concurrently.

It is sometimes necessary to temporarily disable virus protection when installing major updates
such as Windows Service Packs or updating graphics card drivers. Active antivirus protection may partially or
completely prevent the installation of a major update.

A minority of software programs are not compatible with anti-virus software. For example,
the TrueCrypt troubleshooting page reports that anti-virus programs can conflict with TrueCrypt and cause it to
malfunction.

Effectiveness

Studies in December 2007 showed that the effectiveness of antivirus software had decreased in the
previous year, particularly against unknown or zero day attacks. The computer magazine c't found that detection
rates for these threats had dropped from 40-50% in 2006 to 20-30% in 2007. At that time, the only exception was
the NOD32 antivirus, which managed a detection rate of 68 percent.

The problem is magnified by the changing intent of virus authors. Some years ago it was obvious when a
virus infection was present. The viruses of the day, written by amateurs, exhibited destructive behavior or pop-
ups. Modern viruses are often written by professionals, financed by criminal organizations.

Infolink College 17
 Independent testing on all the major virus scanners consistently shows that none provide 100% virus
detection. The best ones provided as high as 99.6% detection, while the lowest provided only 81.8% in tests
conducted in February 2010. All virus scanners produce false positive results as well, identifying benign files as
malware.

Although methodologies may differ, some notable independent quality testing agencies include AV-
Comparatives, ICSA Labs, West Coast Labs, VB100 and other members of the Anti-Malware Testing Standards
Organization.

New viruses

Anti-virus programs are not always effective against new viruses, even those that use non-signature-based
methods that should detect new viruses. The reason for this is that the virus designers test their new viruses on
the major anti-virus applications to make sure that they are not detected before releasing them into the wild.

Some new viruses, particularly ransomware, use polymorphic code to avoid detection by virus scanners.
Jerome Segura, a security analyst with ParetoLogic, explained:

“It's something that they miss a lot of the time because this type of [ransomware virus] comes from sites
that use a polymorphism, which means they basically randomize the file they send you and it gets by well-
known antivirus products very easily. I've seen people firsthand getting infected, having all the pop-ups
and yet they have antivirus software running and it's not detecting anything. It actually can be pretty hard
to get rid of, as well, and you're never really sure if it's really gone. When we see something like that
usually we advise to reinstall the operating system or reinstall backups.”

A proof of concept virus has used the Graphics Processing Unit (GPU) to avoid detection from anti-
virus software. The potential success of this involves bypassing the CPU in order to make it much harder for
security researchers to analyze the inner workings of such malware.

Rootkits

Detecting rootkits is a major challenge for anti-virus programs. Rootkits have full administrative access to
the computer and are invisible to users and hidden from the list of running processes in the task manager.
Rootkits can modify the inner workings of the operating system and tamper with antivirus programs.

Infolink College 18
Damaged files

Files which have been damaged by computer viruses are normally damaged beyond recovery. Anti-
virus software removes the virus code from the file during disinfection, but this does not always restore the file to
its undamaged state. In such circumstances, damaged files can only be restored from existing backups; installed
software that is damaged requires re-installation.

Firmware issues

Active anti-virus software can interfere with a firmware update process. Any writeable firmware in the
computer can be infected by malicious code. This is a major concern, as an infected BIOS could require the
actual BIOS chip to be replaced to ensure the malicious code is completely removed. Anti-virus software is not
effective at protecting firmware and the motherboard BIOS from infection.

A command-line virus scanner, Clam AV 0.95.2, running a virus signature definition update, scanning a
file and identifying a Trojan

Installed antivirus software running on an individual computer is only one method of guarding against
viruses. Other methods are also used, including cloud-based antivirus, firewalls and on-line scanners.

Cloud antivirus

Cloud antivirus is a technology that uses lightweight agent software on the protected computer, while
offloading the majority of data analysis to the provider's infrastructure.

One approach to implementing cloud antivirus involves scanning suspicious files using multiple antivirus
engines. This approach was proposed by an early implementation of the cloud antivirus concept called CloudAV.

Infolink College 19
CloudAV was designed to send programs or documents to a network cloud where multiple antivirus and
behavioral detection programs are used simultaneously in order to improve detection rates. Parallel
scanning of files using potentially incompatible antivirus scanners is achieved by spawning a virtual machine per
detection engine and therefore eliminating any possible issues. CloudAV can also perform "retrospective
detection," whereby the cloud detection engine rescans all files in its file access history when a new threat is
identified thus improving new threat detection speed. Finally, CloudAV is a solution for effective virus scanning
on devices that lack the computing power to perform the scans themselves.

Network firewall

Network firewalls prevent unknown programs and processes from accessing the system. However, they
are not antivirus systems and make no attempt to identify or remove anything. They may protect against infection
from outside the protected computer or network, and limit the activity of any malicious software which is present
by blocking incoming or outgoing requests on certain TCP/IP ports. A firewall is designed to deal with broader
system threats that come from network connections into the system and is not an alternative to a virus protection
system.

Online scanning

Some antivirus vendors maintain websites with free online scanning capability of the entire computer,
critical areas only, local disks, folders or files. Periodic online scanning is a good idea for those that run
antivirus applications on their computers because those applications are frequently slow to catch threats. One of
the first things that malicious software does in an attack is disable any existing antivirus software and
sometimes the only way to know of an attack is by turning to an online resource that isn't already installed on the
infected computer.

Specialist tools

Using rkhunter to scan for rootkits on anUbuntu Linux computer.

Virus removal tools are available to help remove stubborn infections or certain types of infection.
Examples include Trend Micro's Rootkit Buster, and rkhunter for the detection of rootkits, Avira's AntiVir
Removal Tool, PCTools Threat Removal Tool, and AVG's Anti-Virus Free 2011.

Infolink College 20
 A rescue disk that is bootable, such as a CD or USB storage device, can be used to run antivirus
software outside of the installed operating system, in order to remove infections while they are dormant. A
bootable antivirus disk can be useful when, for example, the installed operating system is no longer
bootable or has malware that is resisting all attempts to be removed by the installed antivirus software.

Examples of some of these bootable disks include the Avira AntiVir Rescue System, PCTools Alternate
Operating System Scanner, and AVG Rescue CD. The AVG Rescue CD software can also be installed onto a
USB storage device, that is bootable on newer computers.

A survey by Symantec in 2009 found that a third of small to medium sized business did not use antivirus
protection at that time, whereas more than 80% of home users had some kind of antivirus installed.

Self-Check 4 Written Test

Name:____________________ Date:_________________

Please ask your teacher for the questionnaire for this Self-Check.

Infolink College 21
 Operation Sheet 1 Protecting your computer from Viruses

You can protect yourself against viruses with a few simple steps:
• If you are truly worried about traditional (as opposed to e-mail) viruses, you should be
running a more secure operating system like UNIX. You never hear about viruses on these
operating systems because the security features keep viruses (and unwanted human visitors)
away from your hard disk.
• If you are using an unsecured operating system, then buying virus protection software is a
nice safeguard.
• If you simply avoid programs from unknown sources (like the Internet), and instead stick
with commercial software purchased on CDs, you eliminate almost all of the risk from
traditional viruses.

Infolink College 22
 • You should make sure that Macro Virus Protection is enabled in all Microsoft applications,
and you should NEVER run macros in a document unless you know what they do. There is
seldom a good reason to add macros to a document, so avoiding all macros is a great policy.
• You should never double-click on an e-mail attachment that contains an
executable. Attachments that come in as Word files (.DOC), spreadsheets (.XLS), images
(.GIF), etc., are data files and they can do no damage (noting the macro virus problem in Word
and Excel documents mentioned above). However, some viruses can now come in through
.JPG graphic file attachments. A file with an extension like EXE, COM or VBS is an
executable, and an executable can do any sort of damage it wants. Once you run it, you have
given it permission to do anything on your machine. The only defense is never to run
executables that arrive via e-mail.

Open the Options dialog from the

Tools menu in Microsoft Word and make
sure that Macro Virus Protection is enabled.
Newer versions of Word allow you to
customize the level of macro protection you
use.

Setting Automatic Updates in your computer

• Ask the trainer for the copy of the video on how to set Automatic Updates.

Turn the firewall on

• Ask the trainer for the copy of the video on how to turn on the firewall.

Setting Internet Level of Security

• Ask the trainer for the copy of the video on how to set Internet Level Security.

Setting Macro Level of Security

• Ask the trainer for the copy of the video on how to set Macro Level Security.

Infolink College 23
 Lap Test Practical Demonstration

Name: _________________________ Date: ________________

Time started: ________________________ Time finished: ________________

Please ask your teacher for the instruction for this Lap Test

Infolink College 24
Infolink College 25