Computer Virus and Anti-Viruses
Sarvesh Srriram B
B.Tech(Information Technology)
Mepco Schlenk Engineering College, Sivakasi
Mail : sarveshsrriram@gmail.com
Abstract: This paper describes the clear
explanation of mechanism of an anti-virus
software which we are using in our day-to-day
life. In early 90/s, Windows Operating system
was just an interface between User and
hardware. Now, present windows OS contains
default Anti-virus software Today, all Personal
Computers (including Mac and Mobile OS like
android) have mandated Anti-virus software for
protection of our system. Since 2010, Many anti-
virus software like Kaspersky, McAfee, Avast,
etc., are available in markets. The main purpose
of antivirus is to protect PC from unwanted
instructions or Apps. It also saves PC while
surfing through Internet. In this paper,
Algorithms used in a common antivirus, different
types of virus, stages of execution of malicious
programs, Mechanisms and the importance of
antivirus in a system is clearly described and
extra details are given for further reference via
links.
What is a Computer Virus :
A computer virus is the set of
instructions causes malfunctioning on the system. It’ll
affect the system by modifying the defaults of the coding
by itself. It is mostly transmitted or spread via Internet as
well as intranet and also through Removable storage
devices. Based on the attacking parts of our computer,
these viruses are classified into three namely
 Resident and Non- resident virus
 Boot
 Macro
 E-mail Viruses
 Stealth Virus
TYPES OF VIRUSES:
Resident and Non- Resident:
A resident virus is a software which installs as a
part of Operating System. This types of Viruses remains
in RAM after rebooting of system while shutting down
PC. Since this type of viruses are present in Memory, it is
also said to be Memory-Resident Virus. This type of
Viruses overwrite interrupt handling or code or other
functions, and when the operating system attempts to
access the target file or disk sector, the virus code
intercepts the request and redirects the Control flow to the
replication module, infecting the target.
1|Page
A Non-memory-resident virus (or "non-resident virus"),
when executed, scans the disk for targets, infects them,
and then exits (i.e. it does not remain in memory after it is
done executing). It is Non- resident virus since it affects
the disk storage and not exists in the disk and exits.
Boot Virus:
Boot Viruses specifically targets the boot sector.
The host for this type of viruses is the Secondary storage
devices such as Hard Disk Drive (HDD), Solid State Drive
(SSD), and other external storage devices.
Macro Virus:
A macro virus is a special type of computer
virus which was specially written in Macro languages and
embedded in documents so that when the users open the
file, the virus code will get executed.
Macro viruses have become common since the
mid-1990s. Most of these viruses are written in the
scripting languages for Microsoft programs such as
Microsoft Word and Microsoft Excel and spread
throughout Microsoft Office by infecting documents and
spreadsheets. Since Word and Excel were also available
for Mac OS, most could also spread to Macintosh
computers. Although most of these viruses did not have
the ability to send infected email messages, those viruses
which did take advantage of the Microsoft Outlook
Component Object Model (COM) interface Some old
versions of Microsoft Word allow macros to replicate
themselves with additional blank lines. If two macro
viruses simultaneously infect a document, the
combination of the two, if also self-replicating, can appear
as a "mating" of the two and would likely be detected as a
virus unique from the "parents".
Ex: Many Windows apps such as Word and Outlook
allows macro programs to embed in e-mails and other
medium.
E-Mail Virus:
Email virus – A virus that intentionally, rather
than accidentally, uses the email system to spread. While
virus infected files may be accidentally sent as e-mail
attachments, email viruses are aware of email system
functions. They generally target a specific type of email
system (Microsoft's Outlook is the most commonly used),
harvest email addresses from various sources, and may
append copies of themselves to all email sent, or may
generate email messages containing copies of themselves
as attachments.
Stealth Virus:
In order to avoid detection by users, some
viruses employ different kinds of deception. Some old
viruses, especially on the DOS platform, make sure that
the "last modified" date of a host file stays the same when
the file is infected by the virus. This approach does not
fool antivirus software, however, especially those which
maintain and date cyclic redundancy checks on file
changes. Some viruses can infect files without increasing
their sizes or damaging the files. They accomplish this by
overwriting unused areas of executable files. These are
called cavity viruses. For example, the CIH virus, or
Chernobyl Virus, infects Portable Executable files.
Because those files have many empty gaps, the virus,
which was 1 KB in length, did not add to the size of the
file. Some viruses try to avoid detection by killing the
tasks associated with antivirus software before it can
detect them (for example, Conficker). In the 2010s, as
computers and operating systems grow larger and more
complex, old hiding techniques need to be updated or
replaced. Defending a computer against viruses may
demand that a file system migrate towards detailed and
explicit permission for every kind of file access, but need
Citation.
The only reliable method to avoid "stealth" viruses is to
"reboot" from a medium that is known to be "clear".
Security software can then be used to check the dormant
operating system files. Most security software relies on
virus signatures, or they employ heuristics Security
software may also use a database of file "hashes" for
Windows OS files, so the security software can identify
altered files, and request Windows installation media to
replace them with authentic versions. In older versions of
Windows, file cryptographic hash functions of Windows
OS files stored in Windows—to allow file
integrity/authenticity to be checked—could be overwritten
so that the System File Checker would report that altered
system files are authentic, so using file hashes to scan for
altered files would not always guarantee finding an
infection.
HISTORY OF COMPUTER VIRUS:
In 1982, a program called "Elk
Cloner" was the first personal computer virus to appear "in
the wild" that is, outside the single computer or [computer]
lab where it was created. Written in 1981 by Richard
Skrenta while in the ninth grade at Mount Lebanon High
School near Pittsburgh, it attached itself to the Apple DOS
3.3 operating system and spread via floppy disk. This
virus, created as a practical joke when Skrenta was still in
high school, was injected in a game on a floppy disk. On
its 50th use the Elk Cloner virus would be activated,
infecting the personal computer and displaying a short
poem beginning "Elk Cloner: The program with a
personality.". In 1987, Fred Cohen published a
demonstration that there is no algorithm that can perfectly
detect all possible viruses. Fred Cohen's theoretical
2|Page
compression virus was an example of a virus which was
not malicious software (malware), but was putatively
benevolent (well-intentioned). However, antivirus
professionals do not accept the concept of "benevolent
viruses", as any desired function can be implemented
without involving a virus (automatic compression, for
instance, is available under the Windows operating system
at the choice of the user). Any virus will by definition
make unauthorised changes to a computer, which is
undesirable even if no damage is done or intended. On
page one of Dr Solomon's Virus Encyclopaedia, the
undesirability of viruses, even those that do nothing but
reproduce, is thoroughly explained.
The MacMag virus 'Universal Peace',
as displayed on a Mac in March 1988
The Creeper virus was first detected
on ARPANET, the forerunner of the Internet, in the early
1970s Creeper was an experimental self-replicating
program written by Bob Thomas at BBN Technologies in
1971. Creeper used the ARPANET to infect DEC PDP-10
computers running the TENEX operating system. Creeper
gained access via the ARPANET and copied itself to the
remote system where the message, "I'm the creeper, catch
me if you can!" was displayed. The Reaper program was
created to delete Creeper. In fiction, the 1973 Michael
Crichton sciBoot Viruses specifically targets the boot
sector. The host for this type of viruses is the Secondary
storage devices such as Hard Disk Drive (HDD), Solid
State Drive (SSD), and other external storage devices.
A macro virus is a special type of computer virus which
was specially written in Macro languages and embedded
in documents so that when the users open the file, the virus
code will get executed.
Macro viruses have become common since the
mid-1990s. Most of these viruses are written in the
scripting languages for Microsoft programs such as
Microsoft Word and Microsoft Excel and spread
throughout Microsoft Office by infecting documents and
spreadsheets. Since Word and Excel were also available
for Mac OS, most could also spread to Macintosh
computers. Although most of these viruses did not have
the ability to send infected email messages, those viruses
which did take advantage of the Microsoft Outlook
Component Object Model (COM) interface Some old
versions of Microsoft Word allow macros to replicate
themselves with additional blank lines. If two macro
viruses simultaneously infect a document, the
combination of the two, if also self-replicating, can appear
as a "mating" of the two and would likely be detected as a
virus unique from the "parents".
Ex: Many Windows apps such as Word and Outlook
which allows macro programs to embed in e-mails and
other medium.
Email virus – A virus that intentionally, rather than
accidentally, uses the email system to spread. While virus
infected files may be accidentally sent as e-mail
attachments, email viruses are aware of email system
functions. They generally target a specific type of email
system (Microsoft's Outlook is the most commonly used),
harvest email addresses from various sources, and may
append copies of themselves to all email sent, or may
generate email messages containing copies of themselves
as attachments.
In order to avoid detection by users, some viruses employ
different kinds of deception. Some old viruses, especially
on the DOS platform, make sure that the "last modified"
date of a host file stays the same when the file is infected
by the virus. This approach does not fool antivirus
software, however, especially those which maintain and
date cyclic redundancy checks on file changes. Some
viruses can infect files without increasing their sizes or
damaging the files. They accomplish this by overwriting
unused areas of executable files. These are called cavity
viruses. For example, the CIH virus, or Chernobyl Virus,
infects Portable Executable files. Because those files have
many empty gaps, the virus, which was 1 KB in length,
did not add to the size of the file. Some viruses try to avoid
detection by killing the tasks associated with antivirus
software before it can detect them (for example,
Conficker). In the 2010s, as computers and operating
systems grow larger and more complex, old hiding
techniques need to be updated or replaced. Defending a
computer against viruses may demand that a file system
migrate towards detailed and explicit permission for every
kind of file access, but need Citation.
The only reliable method to avoid "stealth" viruses is to
"reboot" from a medium that is known to be "clear".
Security software can then be used to check the dormant
operating system files. Most security software relies on
virus signatures, or they employ heuristics Security
software may also use a database of file "hashes" for
Windows OS files, so the security software can identify
altered files, and request Windows installation media to
replace them with authentic versions. In older versions of
Windows, file cryptographic hash functions of Windows
OS files stored in Windows—to allow file
integrity/authenticity to be checked—could be overwritten
so that the System File Checker would report that altered
system files are authentic, so using file hashes to scan for
altered files would not always guarantee finding an
infection.
In 1982, a program called "Elk Cloner" was the first
personal computer virus to appear "in the wild" that is,
outside the single computer or [computer] lab where it was
created. Written in 1981 by Richard Skrenta while in the
ninth grade at Mount Lebanon High School near
Pittsburgh, it attached itself to the Apple DOS 3.3
operating system and spread via floppy disk. This virus,
created as a practical joke when Skrenta was still in high
school, was injected in a game on a floppy disk. On its
50th use the Elk Cloner virus would be activated, infecting
the personal computer and displaying a short poem
beginning "Elk Cloner: The program with a personality."
In 1984 Fred Cohen from the University of Southern
California wrote his paper "Computer Viruses – Theory
and Experiments". It was the first paper to explicitly call a
self-reproducing program a "virus", a term introduced by
Cohen's mentor Leonard Adleman. In 1987, Fred Cohen
3|Page
published a demonstration that there is no algorithm that
can perfectly detect all possible viruses. Fred Cohen's
theoretical compression virus was an example of a virus
which was not malicious software (malware), but was
putatively benevolent (well-intentioned). However,
antivirus professionals do not accept the concept of
"benevolent viruses", as any desired function can be
implemented without involving a virus (automatic
compression, for instance, is available under the Windows
operating system at the choice of the user). Any virus will
by definition make unauthorised changes to a computer,
which is undesirable even if no damage is done or
intended. On page one of Dr Solomon's Virus
Encyclopaedia, the undesirability of viruses, even those
that do nothing but reproduce, is thoroughly explained.
The MacMag virus 'Universal Peace',
as displayed on a Mac in March 1988
The Creeper virus was first detected
on ARPANET, the forerunner of the Internet, in the early
1970s Creeper was an experimental self-replicating
program written by Bob Thomas at BBN Technologies in
1971. Creeper used the ARPANET to infect DEC PDP-10
computers running the TENEX operating system. Creeper
gained access via the ARPANET and copied itself to the
remote system where the message, "I'm the creeper, catch
me if you can!" was displayed. The Reaper program was
created to delete Creeper. In fiction, the 1973 Michael
Crichton sci
-fi movie Westworld made an early mention of the concept
of a computer virus, being a central plot theme that causes
androids to run amok. Alan Oppenheimer's character
summarizes the problem by stating that "...there's a clear
pattern here which suggests an analogy to an infectious
disease process, spreading from one...area to the next." To
which the replies are stated: "Perhaps there are superficial
similarities to disease" and, "I must confess I find it
difficult to believe in a disease of machinery."
The first IBM PC
compatible "in the wild" computer virus, and one of the
first real widespread infections, was "Brain" in 1986.
From then, the number of viruses has grown
exponentially. Most of the computer viruses written in the
early and mid-1980s were limited to self-reproduction and
had no specific damage routine built into the code. That
changed when more and more programmers became
acquainted with computer virus programming and created
viruses that manipulated or even destroyed data on
infected computers.
INFECTION MECHANISM:
We all know that there are some Steps
or Life cycle of micro-organism which causes disease.
Likewise, there are some steps or mechanism that infects
Computer also. The steps include
 Dormant Phase
 Propagation Phase
  Triggering Phase
 Execution Phase
Dormant Phase: The virus program is idle
during this stage. The virus program has managed to
access the target user's computer or software, but during
this stage, the virus does not take any action. The virus will
eventually be activated by the "trigger" which states which
event will execute the virus, such as a date, the presence
of another program or file, the capacity of the disk
exceeding some limit or the user taking a certain action
(e.g., double-clicking on a certain icon, opening an e-mail,
etc.). Not all viruses have this stage.
Propagation Phase: The virus starts
propagating, that is multiplying and replicating itself. The
virus places a copy of itself into other programs or into
certain system areas on the disk. The copy may not be
identical to the propagating version; viruses often "morph"
or change to evade detection by IT professionals and anti-
virus software. Each infected program will now contain a
clone of the virus, which will itself enter a propagation
phase.
Triggering Phase : A dormant virus moves into
this phase when it is activated, and will now perform the
function for which it was intended. The triggering phase
can be caused by a variety of system events, including a
count of the number of times that this copy of the virus has
made copies of itself.
Execution Phase: This is the actual
work of the virus, where the "payload" will be released. It
can be destructive such as deleting files on disk, crashing
the system, or corrupting files or relatively harmless such
as popping up humorous or political messages on screen.
OTHER TYPES OF VIRUSES:
Encrypted Virus:
One method of evading signature
detection is to use simple encryption to encipher (encode)
the body of the virus, leaving only the encryption module
and a static cryptographic key in cleartext which does not
change from one infection to the next. In this case, the
virus consists of a small decrypting module and an
encrypted copy of the virus code. If the virus is encrypted
with a different key for each infected file, the only part of
the virus that remains constant is the decrypting module,
which would (for example) be appended to the end. In this
case, a virus scanner cannot directly detect the virus using
signatures, but it can still detect the decrypting module,
which still makes indirect detection of the virus possible.
Since these would be symmetric keys, stored on the
infected host, it is entirely possible to decrypt the final
virus, but this is probably not required, since self-
modifying code is such a rarity that it may be reason for
virus scanners to at least "flag" the file as
suspicious.[citation needed] An old but compact way will
be the use of arithmetic operation like addition or
subtraction and the use of logical conditions such as
XORing, where each byte in a virus is with a constant, so
4|Page
that the exclusive-or operation had only to be repeated for
decryption. It is suspicious for a code to modify itself, so
the code to do the encryption/decryption may be part of
the signature in many virus definitions.[citation needed] A
simpler older approach did not use a key, where the
encryption consisted only of operations with no
parameters, like incrementing and decrementing, bitwise
rotation, arithmetic negation, and logical NOT. Some
viruses, called polymorphic viruses, will employ a means
of encryption inside an executable in which the virus is
encrypted under certain events, such as the virus scanner
being disabled for updates or the computer being rebooted.
This is called cryptovirology. At said times, the executable
will decrypt the virus and execute its hidden runtimes,
infecting the computer and sometimes disabling the
antivirus software.
Polymorphic Code:
Some viruses employ polymorphic
code in a way that constrains the mutation rate of the virus
significantly. For example, a virus can be programmed to
mutate only slightly over time, or it can be programmed to
refrain from mutating when it infects a file on a computer
that already contains copies of the virus. The advantage of
using such slow polymorphic code is that it makes it more
difficult for antivirus professionals and investigators to
obtain representative samples of the virus, because "bait"
files that are infected in one run will typically contain
identical or similar samples of the virus. This will make it
more likely that the detection by the virus scanner will be
unreliable, and that some instances of the virus may be
able to avoid detection.
Metamorphic Code :
To avoid being detected by emulation,
some viruses rewrite themselves completely each time
they are to infect new executables. Viruses that utilize this
technique are said to be in metamorphic code. To enable
metamorphism, a "metamorphic engine" is needed. A
metamorphic virus is usually very large and complex. For
example, W32/Simile consisted of over 14,000 lines of
assembly language code, 90% of which is part of the
metamorphic engine.
Malware Case:
Tribune Publishing said Saturday night that malware
affected its ability to print newspapers across its chain of
outlets, including the Chicago Tribune, the New York
Daily News, the Baltimore Sun and the Orlando Sentinel.
Many subscribers to the Los Angeles Times and San
Diego Union-Tribune, which were previously owned by
Tribune Publishing and still share some production
technology with the company, stepped into a chilly sunny
morning Saturday only to find empty doorsteps.
The computer malware was detected Friday and "impacted
some back-office systems which are primarily used to
publish and produce newspapers across our properties,"
said Marisa Kollias, Tribune communications vice
president, in a statement.
"There is no evidence that customer credit card
information or personally identifiable information has
been compromised," she said. "The personal data of our
subscribers, online users, and advertising clients has not
been compromised."
The Los Angeles Times, citing an anonymous source,
described the malware as part of a cyberattack with
foreign origins. The Times and the Union-Tribune were
sold by Tribune Publishing to Los Angeles biotech
billionaire Patrick Soon-Shiong in June.
Kollias said Tribune Publishing was putting a
"workaround" in place.
WHY ONLY WINDOWS?:
Windows is a big target because it
powers the vast majority of the world’s desktop computers
and laptops. If you’re writing malware and you want to
infect average computers users – perhaps you want to
install a key logger on their systems and steal their credit
card numbers and other financial data – you would target
Windows because that’s where the most users are.
Sad Security System in Windows:
Historically, Windows was not
designed for security. While Linux and Apple’s Mac OS
X (based on Unix) were built from the ground-up to be
multi-user operating systems that allowed users to log in
with limited user accounts, the original versions of
Windows never were.
DOS was a single-user operating
system, and the initial versions of Windows were built on
top of DOS. Windows 3.1, 95, 98, and Me may have
looked like advanced operating systems at the time, but
they were actually running on top of the single-user DOS.
DOS didn’t have proper user accounts, file permissions, or
other security restrictions.
Windows NT – the core of Windows
2000, XP, Vista, 7, and now 8 – is a modern, multi-user
operating system that supports all the essential security
settings, including the ability to restrict user account
permissions. However, Microsoft never really designed
consumer versions of Windows for security until
Windows XP SP2. Windows XP supported multiple user
accounts with limited privileges, but most people just
logged into their Windows XP systems as the
Administrator user. Much software wouldn’t work if you
did use a limited user account, anyway. Windows XP
shipped without a firewall enabled and network services
were exposed directly to the Internet, which made it an
easy target for worms. At one point, the SANS Internet
Storm Center estimated an unpatched Windows XP
system would be infected within four minutes of
connecting it directly to the Internet, due to worms like
Blaster.
5|Page
In addition, Windows XP’s autorun feature
automatically ran applications on media devices
connected to the computer. This allowed Sony to install a
rootkit on Windows systems by adding it to their audio
CDs, and savvy criminals began leaving infected USB
drives lying around near companies they wanted to
compromise. If an employee picked up the USB drive and
plugged it into a company computer, it would infect the
computer. And, because most users logged in as
Administrator users, the malware would run with
administrative privileges and have complete access to the
computer.
ANTI-VIRUS SOFTWARE:
In the era of Computer viruses , Some
failed software deleted some suspicious files accidently.
Like the evolution of Virus, anti- virus is also evolved.
Years between 1945-1980s, are said to be Pre-Antivirus
Days. Now a days, there is no Windows device without
rendered Anti-Virus Software containing Activation
duration. Anti-Virus is like a Windows Firewall System in
which firewall operates online whereas Anti-virus does
offline.
HISTORY:
The Creeper virus was eventually
deleted by a program created by Ray Tomlinson and
known as "The Reaper". Some people consider "The
Reaper" the first antivirus software ever written – it may
be the case, but it is important to note that the Reaper was
actually a virus itself specifically designed to remove the
Creeper virus. In 1987, Andreas Luning and Kai
Figge, who founded G Data Software in 1985, released
their first antivirus product for the Atari ST platform. In
1987, the Ultimate Virus Killer (UVK) was also released.
This was the de facto industry standard virus killer for the
Atari ST and Atari Falcon, the last version of which
(version 9.0) was released in April 2004.[citation needed]
In 1987, in the United States, John McAfee founded the
McAfee company (was part of Intel Security) and, at the
end of that year, he released the first version of Virus Scan.
Also in 1987 (in Czechoslovakia), Peter Paško, Rudolf
Hrubý, and Miroslav Trnka created the first version of
NOD antivirus. Finally, at the end of 1987, the first two
heuristic antivirus utilities were released: Flushot Plus by
Ross Greenberg and Anti4us by Erwin Lanting. In his
O'Reilly book, Malicious Mobile Code: Virus Protection
for Windows, Roger Grimes described Flushot Plus as
"the first holistic program to fight malicious mobile code
(MMC)." In 1988, the growth of antivirus companies
continued. In Germany, Tjark Auerbach founded Avira
(H+BEDV at the time) and released the first version of
AntiVir (named "Luke Filewalker" at the time). In
Bulgaria, Dr. Vesselin Bontchev released his first
freeware antivirus program (he later joined FRISK
Software). Also Frans Veldman released the first version
of ThunderByte Antivirus, also known as TBAV (he sold
his company to Norman Safeground in 1998). In
Czechoslovakia, Pavel Baudis and Eduard Kucera started
avast! (at the time ALWIL Software) and released their
first version of avast! antivirus. In June 1988, in South
Korea, Dr. Ahn Cheol-Soo released its first antivirus
software, called V1 (he founded AhnLab later in 1995).
Finally, in the Autumn 1988, in United Kingdom, Alan
Solomon founded S&S International and created his Dr.
Solomon's Anti-Virus Toolkit (although he launched it
commercially only in 1991 – in 1998 Dr. Solomon’s
company was acquired by McAfee). In November 1988 a
professor at the Panamerican University in Mexico City
named Alejandro E. Carriles copyrighted the first
antivirus software in Mexico under the name "Byte
Matabichos" (Byte Bugkiller) to help solve the rampant
virus infestation among students.
Algorithms used in Anti-Virus Software:
Since Virus is getting updated
because of updated Software, Anti-Virus is also getting
updated. There are Several Types of mechanisms in Virus
detection, namely
 Heuristic Based Detection
 Signature detection
 Virus Definitions
 Behaviour based Detection
 Sand Box Detection
 Data Mining
Heuristic Based Detection:
This is the most common form of
detection that uses an algorithm to compare the signature
of known viruses against a potential threat. An antivirus
packed with this type of detection can also detect viruses
that have not yet been discovered and released as a new
virus but it can also generate false positive matches which
means an antivirus scanner may report an uninfected file
as an infected one.
Signature Based Detection:
Signature detection is a method by
which antivirus keenly scans files that are brought into a
system to analyze more likely hazardous files.In essence,
antivirus applications come with a directory of already
checked-viruses and match the codes and patterns in files
and web pages to unique bits and patterns that make up the
code of a virus. If they match, the file is quarantined,
means that it is moved to a new and safe location so that it
does not infect any other files on the system.Antivirus
programs also checks for any malicious behaviour on a
system such as suspicious registry entries or executing an
unknown program automatically upon system start up thus
protecting our computer against encrypted viruses or
viruses that are still unidentified.
Virus Definitions:
6|Page
This is essentially the first method
conventional antivirus software utilize to identify
virus.The programs look for signatures to detect new
malware. The antivirus companies analyze and extract an
exact signature of the file and keep them in a database to
which threats are compared and devices are then protected
in case the signatures match.
Behavior based Detection:
Behavior detection is a signatureless
approach to detection that helps the program build a full
context around every process execution path in real time,
and identify the stealthier, more advanced malware
threats.Suspicious behavior includes unpacking of
malicious code, modifying the host files, or observing key
strokes. Noticing actions like these allows an antivirus
program to detect previously unseen malware on a system.
Sandbox Detection:
This is a behavioral based detection
technique that executes the programs in a virtual situation,
as opposed to detecting its fingerprint at run time.
Antivirus software that come with this type of detection
capabilities execute programs in a separate, virtual
environment, and log the actions it performs to determine
whether the programs are malicious or not. If found safe,
a given program is then executed in the real environment.
As you can imagine, this technique is both heavy and slow,
and its resource intensive nature means that it is rarely
used in consumer antivirus solutions. End users may not
always have the need for sandbox detection, but
enterprises do, and antivirus solutions designed for
corporate and network use offer this.
Data Mining:
This is one of the latest approaches in
malware detection that security vendors now provide with
their antivirus and antimalware products.
A series of features of files are extracted from files, and
then data mining and machine learning algorithms are
used to classify the behavior of a file and detect whether it
has malicious intent or not. This is particularly helpful in
detecting and defeating the newest forms of malware in
the wild.
VIRUS SCANNING MECHANISMS:
Though the searching algorithms are
good as well as efficient, they also need scanning
mechanism with less time complexity. There are three
main types of scanning, namely
 On- Demand Scanning
 Real-Time Protection
 Start-up Scan and
 Smart Scan
On-Demand:
A conventional scan is either run when the user requests
it, or at a scheduled instance that the antivirus sets up. This
type of scan searches the contents of the disks, directories
and files, as well as boot sectors and system components.
Conventional disk scans are used either as a preventive
maintenance activity, or when a virus is suspected.
Real Time Protection: This type of scanning refers
to the automatic protection that almost all modern
antivirus programs offer. It basically monitors the system
for any suspicious activity in real time, while data is
loaded into the active memory. For example, when a USB
drive is inserted, a browser is opened, or a downloaded file
is executed. The price of this type of scanning is
performance, but it offers increased protection, and more
chances of catching malware before it does damage.
Start-Up: Antivirus software often come with a
special program that is designed to run every time the PC
is booted up. It does a quick scan of the boot sectors and
critical system files, instead of a full disk scan that takes a
long time to finish. This comes in particularly handy to
catch boot sector viruses, before they get a chance to
spread.
Smart Scan: These refer to an approach where
an antivirus only scans selected files, that are more
suspicious to be altered or infected. Smart scanning lowers
the need of system resources, while protecting against the
more common types of viruses, threats and risks.
Applications: Anti-Virus are mostly used by
all Individuals who have Personal Computers which is
either default or rendered.Actually anti-virus is an
accidental invention which deletes Suspicious and
malicious files, folders or any system applications
KNOWN ANTIVIRUS:
 Avast!
 Windows Defender
 Kaspersky
 BitDefender
 Norton
 McAfee
 SOPHOS
 Avira
 WebRoot
 Eset
 AVG
From this detailed paper, the reader can have the
consciousness. It is a well-known fact that “If there are
any good things in this world of a type exist, there must
also be the bad things in the same type”. “Virus is also
Evolving itself since it has no life”. It is notable that virus
like Malware is also used for the purpose of Hacking and
stealing others’ personal data which could be misused. In
this era, all details including aadhar, PAN, Voter details
are linked in our mobile phone. A virus called “Universal
Cross-Site Scripting(UXSS)” is threatening all Android
users. In India, Android mobile is dominating other
devices. In this situation, this malware is used by hackers
for hacking mobile phone and data. Anti-virus in mobile
phone should be mandatory in this stage. Antivirus gives
cent percent protection anytime and anywhere.!
REFERENCE:
https://www.geeksforgeeks.org/how-an-
antivirus-works
https://www.engineersgarage.com/mygara
ge/how-antivirus-works
https://www.malwarefox.com/how-
antivirus-works
https://www.dnaindia.com/technology
https://www.nbcnews.com/news/us-
news/computer-virus-hits-southern-
california-newspapers-n953001
https://en.wikipedia.org/wiki/Antivirus_so
ftware
https://en.wikipedia.org/wiki/Virus

Online Anti-Virus:
Some antivirus vendors maintain websites with
free online scanning capability of the entire computer,
critical areas only, local disks, folders or files. Periodic
online scanning is a good idea for those that run antivirus
applications on their computers because those applications
are frequently slow to catch threats. One of the first things
that malicious software does in an attack is disable any
existing antivirus software and sometimes the only way to
know of an attack is by turning to an online resource that
is not installed on the infected computer. Total Anti-
Virus and PC Protect are the two best free anti-virus
softwares available either online or offline.

Conclusion:

7|Page