Appendix B. Fighting Computer Threats

There are many methods of detecting and averting computer threats. All Dr.Web products combine these methods for the most reliable protection of computers and networks using flexible user-friendly settings and comprehensive approach towards security assurance.

Detection methods

Signature checksum scanning

This method is a type of signature analysis. A signature is a continuous finite byte sequence unique to a certain computer threat. If a signature from the virus database is found in the code of the program being scanned, a detection occurs.

Signature checksum scanning compares checksums of signatures rather than the signatures themselves. This reduces the size of the virus databases considerably while maintaining the reliability of traditional signature analysis.
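As an added illustration (not Dr.Web code), the following shows the principle described above: the database keeps only (length, checksum) pairs, and the scanner hashes windows of the scanned data and looks the digest up. The signatures and the scanned buffer are constructed test data; the hash choice and the sliding window over every offset are simplifications of a real engine, which would hash at far fewer positions.

```python
import hashlib

# Constructed sample signatures (not real malware signatures). Only their
# checksums end up in the database; the raw bytes are discarded.
SAMPLE_SIGNATURES = {
    "Test.Sample.A": b"\x55\x8b\xec\x83\xec\x10\xe8\x00\x00\x00\x00\x5d",
    "Test.Sample.B": b"SAMPLE-PATTERN-B-NOT-A-REAL-THREAT",
}


def build_checksum_db(signatures):
    """Return {(length, sha256_hex): name}; the signature bytes are not kept."""
    db = {}
    for name, sig in signatures.items():
        db[(len(sig), hashlib.sha256(sig).hexdigest())] = name
    return db


def scan(data, db):
    """Slide a window of each signature length over data, hash each window
    and look the digest up in the database.

    Returns a sorted list of (offset, threat_name) hits. A real engine limits
    the positions it hashes (e.g. entry point, section starts); hashing every
    offset here keeps the example short, not fast.
    """
    lengths = sorted({length for length, _ in db})
    hits = []
    for length in lengths:
        for off in range(0, len(data) - length + 1):
            digest = hashlib.sha256(data[off:off + length]).hexdigest()
            name = db.get((length, digest))
            if name is not None:
                hits.append((off, name))
    return sorted(hits)


# Constructed scan target: padding, signature A, padding, signature B.
SAMPLE_FILE = (b"\x00" * 16 + SAMPLE_SIGNATURES["Test.Sample.A"]
               + b"\xff" * 8 + SAMPLE_SIGNATURES["Test.Sample.B"])


if __name__ == "__main__":
    for offset, name in scan(SAMPLE_FILE, build_checksum_db(SAMPLE_SIGNATURES)):
        print(f"offset {offset}: {name}")
```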

Execution emulation

The program code execution emulation method is used to detect polymorphic and encrypted viruses in cases where signature checksum analysis is impracticable or extremely difficult (because a reliable signature cannot be extracted from a sample). The method works as follows: an emulator, which is a software model of the CPU, simulates execution of the analyzed code sample; instructions are executed in a protected memory space (the emulation buffer) and are never passed to the real CPU for actual execution; when an infected file is processed by the emulator, the result is the decrypted virus body, which can then be identified by signature checksum analysis.

Heuristic analysis

Heuristic analysis is used to detect newly created unknown computer threats whose byte signatures have not yet been added to the virus databases. The heuristic analyzer works by defining and calculating the summary weight of certain features which are either typical for computer threats or, on the contrary, very rarely found in them. Each feature is characterized by a weight (a figure which defines the importance of the feature) and a sign (a positive sign means that the feature is typical for computer threats; a negative sign means that the feature is not relevant for them). If the weighted sum of these features for an object exceeds a certain operation threshold, the heuristic analyzer concludes that the object may be a threat and defines it as suspicious.

As with other hypothesis checking systems, heuristic analysis assumes the possibility of false positives (that is, type I errors, where a clean object is wrongly detected) and false negatives (that is, type II errors, where a threat is overlooked).
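The weighted-feature scoring from the previous paragraph, and the false positive / false negative trade-off of this one, as an added example that is not Dr.Web's own heuristics: the feature table, weights and labelled samples are constructed for illustration, and the threshold is the only knob varied.

```python
# Constructed feature table (illustrative, not a real engine's): sign +1 marks
# a feature typical for threats, -1 one rarely found in them; weight is its
# importance.
FEATURES = {
    "writes_to_autorun":     (+1, 40),
    "self_modifying_code":   (+1, 35),
    "no_imports_table":      (+1, 25),
    "has_digital_signature": (-1, 30),
    "has_version_info":      (-1, 15),
}


def heuristic_score(observed):
    """Summary weight: sum of sign * weight over the features seen in the object."""
    return sum(sign * weight
               for name, (sign, weight) in FEATURES.items() if name in observed)


def is_suspicious(observed, threshold):
    """The object is flagged when its score strictly exceeds the threshold."""
    return heuristic_score(observed) > threshold


# Constructed labelled samples: (observed features, actually malicious?).
SAMPLES = [
    ({"writes_to_autorun", "self_modifying_code"}, True),                  # 75
    ({"writes_to_autorun", "has_digital_signature", "has_version_info"},
     False),                                                               # -5
    ({"self_modifying_code", "no_imports_table"}, False),                  # 60, packed tool
    ({"writes_to_autorun", "has_digital_signature"}, True),                # 10, signed malware
    ({"no_imports_table", "self_modifying_code", "writes_to_autorun"}, True),  # 100
]


def error_counts(samples, threshold):
    """Return (false_positives, false_negatives) for a given threshold."""
    fp = fn = 0
    for observed, malicious in samples:
        flagged = is_suspicious(observed, threshold)
        fp += flagged and not malicious
        fn += malicious and not flagged
    return fp, fn


if __name__ == "__main__":
    for threshold in (5, 50, 70):
        print(threshold, error_counts(SAMPLES, threshold))
```

Lowering the threshold removes the missed signed sample but flags the benign packed tool; raising it does the reverse, which is the trade-off the text refers to.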

Origins Tracing™

Origins Tracing™ is a unique non-signature threat detection algorithm developed by Dr.Web and used only in Dr.Web products. Combined with traditional signature-based scanning and heuristic analysis, it significantly improves detection of unknown threats. The .Origin extension is added to names of objects detected using the Origins Tracing algorithm.

Actions

To avert computer threats, Dr.Web products use a number of actions that can be applied to malicious objects. A user can leave the default settings, configure which actions to apply automatically, or choose actions manually upon every detection. Below is a list of possible actions:

Cure is an action that can only be applied to major threats (viruses, worms and Trojans). It implies deletion of malicious code from infected objects as well as recovery of their structure and operability to the state they were in before the infection, if possible. Sometimes malicious objects consist of malicious code only (for example, Trojans or functional copies of computer worms), and for such objects curing the system means removing the whole object. Not all files infected by viruses can be cured, but curing algorithms evolve all the time.
Quarantine (Move to Quarantine) is an action in which the detected threat is moved to a special folder and isolated from the rest of the system. This action is preferable in cases where curing is impossible, and for all suspicious objects. It is recommended to send copies of such files to the Dr.Web Virus Laboratory for analysis.
Delete is the most effective action for averting computer threats. It can be applied to any type of computer threat. Note that deletion will sometimes be applied to certain objects for which the Cure action was selected. This happens when the object consists only of malicious code and contains no useful information (for example, curing a computer worm implies deletion of all its functional copies).
Rename is an action in which the extension of an infected file is changed according to a specified mask (by default, the first character of the extension is replaced with #). This action may be appropriate for files of other operating systems (such as MS-DOS® or Microsoft® Windows®) detected heuristically as suspicious. Renaming helps to avoid accidental startup of executable files in these operating systems and therefore prevents infection by a possible virus and its further spread.
Ignore is an action applicable to minor threats only (that is, adware, dialers, jokes, hacktools and riskware) that instructs the program to skip the threat without performing any action or displaying information in the report.
Report means that no action is applied to the object and the threat is only listed in the results report.