|
Softpanorama |
May the source be with you, but remember the KISS principle ;-)
|
by Dr. Nikolai Bezroukov.
v. 25b/rev.3 (08/22/97)
| AV | CMOS | DETECTION | IDENTIFICATION | FALSE POSITIVE | Multipartite virus | MBR |
| PARTITION TABLE | RAM | SEARCH STRING | VIRUS SIGNATURE | TSR |
AV - antivirus. A commonly used shorthand, for example "AV software", "AV package", AV Web page", etc.
CMOS - Complementary Metal Oxide Semiconductor: A memory area that is used in AT class, and higher, PCs for storage of system information like boot sequence, hard drive geometry (number of cylinders, heads, tracks, etc.), RAM size, floppy type, as well as date and time. the most important setting from the point of view of antivirus defense is to have boot sequence C,A (hard drive, than floppy). That is the best protection from boot viruses. CMOS memory cannot be executed and cannot be infected by viruses. Some viruses destroy or damage information written in CMOS. In this case usually the computer cannot boot, of produce strange messages. So that's important to have a backup copy of CMOS. A lot of utilities can do this (for example Norton Utilities from Symantec).
DETECTION - The ability of an antivirus program to determine that a virus is present, without naming the virus. For example integrity checkers can recognize that file is infected by a virus, but usually cannot name it. Ability to recognize new virus ia an important advantage of integrity checkers (see also IDENTIFICATION).
IDENTIFICATION - The ability of an antivirus program to recognize virus by name. Names can differ from one antivirus program to another. Accurate recognition allows successful disinfection and is a must for scanners. Scanners that use too generic search string (search pattern) can misidentify new strain of the virus and incorrectly disinfect the file, destroying it. Cases when scanner make mistakes in identification of the virus finding the search string is a file, that is not infected by the virus are called "false positive".
FALSE POSITIVE - cases in which the program does not have the virus, but is detected as infected by the scanner. Typical case is detection of macro viruses by F-prot. F-prot does not analyze structure of MS Word documents and often list files as infected when they are not, for example when virus macro was disabled or renamed by other antivirus program (often McAfee Scan). In case of file virus false positives disinfection will fail and can even damage the file. Suspicious files could be tested by another scanner that could detect this virus (two different scanners usually use two different search strings).
Badly written scanners also detect false positibes in memory. All virus scanners check RAM each time they start execution, but sofistication of that checking vaty gratly. If search string they use is present in memory they may declare that a virus is active, even though it may only be left in a buffer area following a disk read operation. Virus search strings can also be left by antivirus software.
Multipartite virus. A virus that infects both MBR (or boot sector) on the hard drive and executable files (for example Hare, One_half, etc.).
MBR - Master Boot Record. The first absolute sector (track 0, head 0, sector 1) on a PC hard disk, that usually contains the partition table. This sector is present only on hard drives and is different from the DOS Boot Sector (logical sector 0). The latter exist on each logical partition, while MBR is one for the whole hard drive. Part of MBR is a special table called partition table (see below) that contain information about logical partitioning of the hard drive.
PARTITION TABLE - A part of MBR - 64-byte data structure that
defines the way a PC's hard disk is divided into logical sections known as partitions.
Partition list logical drive on a given hard drive and mark one of them as bootable. If no
bootable logical drive exist then PC could be booted only from floppy and will not see C:
drive after booting. The partition table is purely data, so it is not executed (MBR is
executed). If it is damaged computer can be booted from floppy only and will not the
hard drive on boot up. So it is important to backup it with some utility.
the simplest way is to use MIRROR.EXE from DOS 5.0 or IMAGE from Norton Utilities.
RAM - Random Access Memory: computer memory into which programs are loaded to execute. Most DOS viruses are resident - that mean that in order to be active, they must load themselves into the RAM.
SEARCH STRING - a
string that is used by scanner to identify the virus. In simple cases it is a sequence of
bytes that occurs in all files infected by the virus, but never in legitimate programs. To
reduce probablity of false positives scanner susually sacan only part of executable file
srating with came offset from the beginning. In complex cases search pattern is used
instead of string.
Also several strings can be used for particular virus to imrove quolity of identification.
VIRUS SIGNATURE - Synonym for search string.
TSR - Terminate but Stay Resident: DOS programs that remain in memory
and can provide pseudo-multitasking in MS DOS. This category includes pop-up
utilities(Sidekick, etc.), network software, anti-virus TSR and the majority of
viruses (all boot viruses and resident file viruses).
Copyright © 1996-2008 by Dr. Nikolai Bezroukov. www.softpanorama.org was created as a service to the UN Sustainable Development Networking Programme (SDNP) in the author free time. Submit comments This document is an industrial compilation designed and created exclusively for educational use and is placed under the copyright of the Open Content License(OPL). Original materials copyright belong to respective owners. Quotes are made for educational purposes only in compliance with the fair use doctrine.
Standard disclaimer: The statements, views and opinions presented on this web page are those of the author and are not endorsed by, nor do they necessarily reflect, the opinions of the author present and former employers, SDNP or any other organization the author may be associated with. We do not warrant the correctness of the information provided or its fitness for any purpose.
Last modified: February 28, 2008