Appendix B. Fighting Computer Threats
There are many methods of detecting and averting computer threats. All Dr.Web products combine these methods for the most reliable protection of computers and networks, using flexible, user-friendly settings and a comprehensive approach to security assurance.

Detection methods

Signature checksum scanning

This method is a type of signature analysis. A signature is a continuous finite byte sequence unique to a certain computer threat. If a signature from the virus database is found in the code of a program being scanned, a detection occurs. Signature checksum scanning compares checksums of signatures rather than the signatures themselves. This considerably reduces the size of the virus databases while maintaining the reliability of traditional signature analysis.

Execution emulation

The program code execution emulation method is used to detect polymorphic and encrypted viruses in cases where signature checksum analysis is impracticable or extremely difficult (because a reliable signature cannot be extracted from a sample). The method works as follows: an emulator, which is a software model of the CPU, simulates execution of the analyzed code sample; instructions are executed in a protected memory space (the emulation buffer) and are not passed to the CPU for actual execution; when an infected file is processed by the emulator, the result is a decrypted virus body, which can then be readily identified by signature checksum analysis.

Heuristic analysis

Heuristic analysis is used to detect newly created, unknown computer threats whose byte signatures have not yet been added to the virus databases. The heuristic analyzer works by identifying certain features that are either typical of computer threats or, on the contrary, very rarely found in them, and calculating their summary weight.

Each feature is characterized by its weight (a figure that defines the importance of the feature) and its sign (a positive sign means the feature is typical of computer threats; a negative sign means the feature is not relevant to them). If the sum of these features for an object exceeds a certain operation threshold, the heuristic analyzer concludes that the object may be a threat and classifies it as suspicious. As with any other hypothesis-testing system, heuristic analysis allows for false positives (type I errors, where a clean object is wrongly flagged) and false negatives (type II errors, where a threat is overlooked).

Origins Tracing™

Origins Tracing™ is a unique non-signature threat detection algorithm developed by Dr.Web and used only in Dr.Web products. Combined with traditional signature-based scanning and heuristic analysis, it significantly improves detection of unknown threats. The .Origin extension is added to the names of objects detected using the Origins Tracing algorithm.

To avert computer threats, Dr.Web products use a number of actions that can be applied to malicious objects. A user can keep the default settings, configure which actions to apply automatically, or choose actions manually upon every detection. Below is a list of possible actions:
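As an added illustration of the three detection mechanisms described in this appendix (signature checksum scanning, recovery of an encrypted body by emulation, and weighted heuristic scoring with a threshold), the following Python example is not Dr.Web code and does not reflect how Dr.Web products are implemented; the signature database entries, the one-byte XOR sample format standing in for a real emulator, and the feature weights and threshold are all constructed for the example.

```python
import hashlib

# Signature checksum scanning: the database stores each constructed sample's signature
# length and the checksum of its bytes, not the signature itself.
def checksum(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

SIGNATURE_DB = {  # constructed entries, not Dr.Web virus database contents
    "Demo.Sample.A": (8, checksum(b"\x90\x90\xeb\xfe\xde\xad\xbe\xef")),
}

def signature_checksum_scan(code: bytes) -> list[str]:
    """Slide a window of each signature's length over the code; compare checksums."""
    hits = []
    for name, (length, digest) in SIGNATURE_DB.items():
        for offset in range(len(code) - length + 1):
            if checksum(code[offset:offset + length]) == digest:
                hits.append(name)
                break
    return hits

def emulate_xor_decryptor(sample: bytes) -> bytes:
    """Stand-in for the execution emulator. Constructed sample format: one-byte XOR key,
    then the encrypted body. A real emulator would run the sample's own decryption loop
    in the emulation buffer; this only reproduces its result for the scanner."""
    key, body = sample[0], sample[1:]
    return bytes(b ^ key for b in body)

# Heuristic features: absolute weight = importance; sign says whether the feature is
# typical of threats (+) or rarely found in them (-). Constructed values.
HEURISTIC_FEATURES = {
    "writes_autorun_key": +4,
    "self_modifying_code": +3,
    "unknown_packer": +2,
    "valid_digital_signature": -3,
    "has_version_info": -1,
}
THRESHOLD = 5  # operation threshold, constructed

def heuristic_score(observed: set[str]) -> int:
    return sum(w for feature, w in HEURISTIC_FEATURES.items() if feature in observed)

def heuristic_verdict(observed: set[str]) -> str:
    return "suspicious" if heuristic_score(observed) > THRESHOLD else "not suspicious"

if __name__ == "__main__":
    body = b"pad" + b"\x90\x90\xeb\xfe\xde\xad\xbe\xef"        # constructed infected body
    sample = bytes([0x5A]) + bytes(b ^ 0x5A for b in body)    # encrypted with key 0x5A
    print(signature_checksum_scan(sample), signature_checksum_scan(emulate_xor_decryptor(sample)))
    print(heuristic_verdict({"writes_autorun_key", "self_modifying_code", "has_version_info"}))
```

The encrypted sample produces no signature hit until the stand-in emulator exposes the body, which is the situation the emulation method addresses; the negative-weight features show how a clean-looking trait pulls an object back below the threshold.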