How antivirus software works

If a brand-new type of virus is released, there's little chance that an antivirus program will be able to detect the menacing code before it does harm. In this Daily Feature, Brien Posey discusses defenses against new viruses.


Antivirus software detects known viruses by consulting a database containing virus signatures. When the antivirus software finds a virus contained in its database, it disinfects the infected files. What happens, however, if you get a virus that isn’t in the database?

The answer is that it depends. If a brand-new type of virus is released, there’s little chance that an antivirus program will be able to detect the menacing code before it does harm. For example, the Melissa and I Love You viruses both unleashed havoc all over the world because they were brand-new types of viruses that no antivirus program even knew to look for.

Defenses against new viruses
Fortunately, there is some defense against new viruses. One of the older methods involved monitoring the system for virus-like activity. For example, even today, many antivirus programs monitor to make sure that the Command.com file isn’t changed. After all, no legitimate program except for an operating system upgrade should be tampering with your machine’s Command.com file.

Some antivirus software also watches for replication code to be run. However, this isn’t an effective technique since many legitimate programs, such as Windows 2000 and Microsoft Exchange, include replication code.

Even so, the first line of defense against an unknown virus is still the database of known virus signatures. As you may know, for every new virus that comes along, there are countless variants. For example, there are over 50 known variants of the Melissa virus. Most of these variants are identified by their own signatures within the signature database.

Now, suppose that a previously unknown strain of the Melissa virus happens to come into contact with your computer. Your antivirus software would use a technology known as heuristics to identify the virus.

Heuristics work on the basis of probability. The basic idea is that a variant of Melissa would still resemble one of the existing versions of Melissa. After all, if it looks like Melissa and it smells like Melissa, then it’s probably Melissa. If the heuristics algorithm causes the virus scanner to uncover a potential variant of a known virus, the scanner will alert you to the fact. When your antivirus software detects an unknown variant and alerts you to the potential virus, what it’s really telling you is that the file shares a certain percentage of its code with a known virus, or that the software is a certain percentage confident that the file contains viral code.
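To make the two-stage approach concrete (exact signature lookup first, then a "percentage of code in common" heuristic for unknown variants), here is an added illustration in Python. It is not code from the article or from any antivirus product; the signature database, the family names, the byte n-gram similarity measure and the 60% alert threshold are all constructed assumptions, and the "signatures" are harmless placeholder strings, not real virus code.

```python
from typing import Optional, Tuple

# Constructed placeholder signature database (family -> byte sequence).
# Real scanners store far more than one string per family; these are
# stand-ins so the matching logic can be exercised offline.
KNOWN_SIGNATURES = {
    "Melissa.A": b"MACRO:AutoOpen;SEND:50;SUBJ:Important Message From",
    "Melissa.B": b"MACRO:AutoOpen;SEND:50;SUBJ:Urgent Message From",
    "ILoveYou.A": b"VBS:LOVE-LETTER-FOR-YOU;SEND:ALL;OVERWRITE:*.jpg",
}

def ngrams(data: bytes, n: int = 4) -> set:
    """Sliding-window byte n-grams; the unit of 'code in common'."""
    return {data[i:i + n] for i in range(len(data) - n + 1)}

def signature_match(data: bytes) -> Optional[str]:
    """Stage 1: exact database lookup. Returns the family name or None."""
    for family, sig in KNOWN_SIGNATURES.items():
        if sig in data:
            return family
    return None

def heuristic_score(data: bytes, n: int = 4) -> Tuple[str, float]:
    """Stage 2: for each family, the fraction of its signature n-grams that
    also appear in the file. Returns the best (family, share) pair; the
    share is the 'percentage of code in common' reported to the user."""
    file_grams = ngrams(data, n)
    best = ("", 0.0)
    for family, sig in KNOWN_SIGNATURES.items():
        sig_grams = ngrams(sig, n)
        share = len(sig_grams & file_grams) / len(sig_grams)
        if share > best[1]:
            best = (family, share)
    return best

def scan(data: bytes, threshold: float = 0.6) -> dict:
    """Known signature -> 'known'; high heuristic share -> 'suspected-variant';
    otherwise 'clean'. The threshold (assumed 60%) trades false alarms on
    legitimate macros against missed variants."""
    family = signature_match(data)
    if family:
        return {"verdict": "known", "family": family, "confidence": 1.0}
    family, share = heuristic_score(data)
    if share >= threshold:
        return {"verdict": "suspected-variant", "family": family,
                "confidence": round(share, 2)}
    return {"verdict": "clean", "family": None, "confidence": round(share, 2)}

if __name__ == "__main__":
    # Constructed samples: an unknown variant, then a benign macro document.
    print(scan(b"MACRO:AutoOpen;SEND:50;SUBJ:Important Message Here"))
    print(scan(b"MACRO:AutoOpen;SUBJ:Quarterly report attached"))
```

The benign document still scores above zero because it shares the AutoOpen macro prefix, which is exactly why a scanner reports a percentage rather than a yes/no answer.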

Polymorphic viruses
Heuristics are great if the virus remains true to its original form, but virus programmers are smart people. Some viruses are designed to encrypt themselves. Such viruses are known as polymorphic viruses. The idea behind polymorphic viruses is that they can rearrange their own code so that the number of possible signatures becomes extremely large.

Fortunately, there’s a way to protect your machine from polymorphic viruses. If the virus scanner suspects a polymorphic virus, some antivirus software packages actually test the code. To do so, they create what’s known as a virtual machine. In a nutshell, a virtual machine is an area of memory that can behave as if it existed in a separate computer.

By opening a potentially hazardous file in a virtual machine, the antivirus software can test the file in a safe and controlled environment. If the file proves to be safe, the user will never know of the test. However, if the file does contain a virus, the user is alerted to the infection and prompted to take action.