Antivirus Software


Antivirus software has understandably become very popular, so much so that nearly every organization requires its use on all its desktop and server systems, and many manufacturers and integrators of personal computers sold at retail include an antivirus program as standard equipment.

Antivirus software (commonly known as AV software) operates by intercepting operating system routines that store files and open files. The AV software compares the contents of the file being opened or stored against a list of virus signatures. If the AV software detects a virus, it prevents the file from being opened or saved and usually alerts the user via a pop-up window (which is like a jack-in-the-box). Enterprise versions of the AV software send an alert to a central monitoring console so that the company’s Antivirus Bureau is alerted and can take evasive action if needed.

As the number of viruses grew, the antivirus software vendors designed a way for users to update their AV software’s list of signatures so that they can defend against the latest viruses. AV software automatically contacts the AV vendor’s central computer and downloads a new signature file if the vendor’s version is newer than the user’s. Enterprise versions of AV software now have the ability to push new signature files to all desktop systems and even invoke new scans in real time. It is now a common practice for AV software to look for updates one or more times per day.

Heuristics

AV software’s new problem is that more than 200,000 known viruses exist, and it’s expected that there will be over one million viruses by 2008. This has led AV software vendors to consider a new approach to defending against viruses called heuristics. With heuristics, the AV software detects certain kinds of anomalous behavior (for instance, the replacement of an .EXE file with a newer version) rather than relying on the brute-force method of checking against all the virus signatures. Most AV products today use both the signature method and the heuristics method for detecting viruses; everyone (except the virus writers) hopes that someday heuristics will become the primary method for virus detection.
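The two detection methods described above can be put side by side in a short sketch. This is an added example, not code from the book or from any AV product: the signature names and byte patterns are constructed placeholders, the in-memory dictionary stands in for the file system, and treating a heuristic hit as an alert rather than a block is an assumption.

```python
import hashlib

# Constructed signature list (name -> byte pattern). The patterns are
# harmless placeholders, not real virus signatures.
SIGNATURES = {
    "Demo.TestPattern.A": b"DEMO-VIRUS-PATTERN-A",
    "Demo.TestPattern.B": bytes.fromhex("deadbeef00c0ffee"),
}

def signature_scan(content, signatures=SIGNATURES):
    """Signature method: return the first signature name found, or None."""
    for name, pattern in signatures.items():
        if pattern in content:
            return name
    return None

def replaces_existing_exe(path, known_files):
    """Heuristic from the text: an existing .EXE file is being replaced."""
    key = path.lower()
    return key.endswith(".exe") and key in known_files

def on_file_write(path, content, known_files, signatures=SIGNATURES):
    """Simulated intercept of the 'store file' routine.

    Returns (action, reason) where action is 'block', 'alert' or 'allow'.
    known_files maps lowercased path -> SHA-256 of the stored content.
    """
    hit = signature_scan(content, signatures)
    if hit:
        return ("block", "signature:" + hit)      # known virus: refuse the write
    if replaces_existing_exe(path, known_files):
        return ("alert", "heuristic:exe-replaced")  # anomalous, no signature needed
    known_files[path.lower()] = hashlib.sha256(content).hexdigest()
    return ("allow", "clean")

if __name__ == "__main__":
    fs = {}  # constructed, empty "disk"
    samples = [
        ("C:\\app\\tool.exe", b"MZ original build"),
        ("C:\\APP\\Tool.EXE", b"MZ unknown new variant"),   # no signature exists
        ("notes.txt", b"xx DEMO-VIRUS-PATTERN-A yy"),
    ]
    for path, data in samples:
        print(path, on_file_write(path, data, fs))
```

The second write carries content that matches no signature, so only the behavioral check notices it; that is the gap heuristics are meant to cover.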

Heuristics solves a number of problems:

  • Conservation of space: As the number of viruses grows, signature files grow ever larger, taking more time to download and consuming more space on systems. This isn’t much of an issue when PC hard drives cost under $5 per gigabyte, but AV software is making its way onto resource-limited personal digital assistants (PDAs), smartphones, and other lightweight devices where it may not be feasible to store tens of thousands of virus signatures.

  • Decreased download time: The rate of virus creation means that signature files need to be downloaded more and more frequently. Pretty soon the Internet will only have enough capacity to support AV signature file downloads, MySpace, and porn sites.

AV popping up everywhere

Antivirus software is found on more than just PC desktops. It’s also found on e-mail servers that scan attachments, as well as on Web proxy servers, file servers, and application servers. Even firewalls and spam blockers are getting into the act.

Antivirus software is available for UNIX systems, too, but ironically, the UNIX versions check for PC viruses (not UNIX viruses). Why put antivirus on UNIX systems? Well, oftentimes UNIX systems are used as file servers or Web servers - in other words, they’re part of the information conduit between PCs, so why not try to block viruses there, too?




CISSP For Dummies
ISBN: 0470537914
EAN: 2147483647
Year: 2004
Pages: 242
