Computer Security Basics

4.5. Remedies

There are many programs that can help you keep viruses and other wildlife away from your system and can wipe out the critters if they gain access. Known as virus protection programs, they are available from both commercial and public domain sources. These products, and the system administration procedures that go along with them, have two overlapping goals: they don't let you run a program that's infected, and they keep infected programs from damaging your system.

4.5.1. Firewalls

A firewall protects your computer by examining each information packet that travels over the network. Clues to a packet's purpose can be read from its destination address. Firewalls contain a list of allowed and disallowed destinations and functions. If a packet is heading for a forbidden address or comes from one, the firewall stops it. If a packet is heading for a valid address, but its port identifier (the clue to the packet's function) is unknown or disallowed, the firewall stops that packet as well. Advanced firewalls also keep track of outgoing packets, and open up to an incoming packet only if it is the expected reply to one that went out.

The role of a firewall in preventing active threats such as worms and viruses is that these pests often attempt to enter a computer along forbidden paths, such as port numbers that are unmonitored or unusual. The firewall examines each packet, and it quashes those that are unexpected or disallowed.
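The address and port filtering and the tracking of outgoing packets described above, as an added example (not code from the book): a toy stateful packet filter in Python. Everything in it is constructed for illustration: the protected host is 10.0.0.5, 203.0.113.9 is the one forbidden address, port 22 is the only service exposed to the outside, and only ports 80 and 443 are allowed out.

```python
from collections import namedtuple

LOCAL_HOST = "10.0.0.5"  # constructed: address of the host the firewall protects
# Constructed packet holding only the fields the text says a firewall reads.
Packet = namedtuple("Packet", "src sport dst dport")

class StatefulFirewall:
    def __init__(self, blocked_hosts, inbound_ports, outbound_ports):
        self.blocked_hosts = set(blocked_hosts)    # forbidden addresses
        self.inbound_ports = set(inbound_ports)    # services we let the world reach
        self.outbound_ports = set(outbound_ports)  # functions we allow out
        # Connection table: (remote host, remote port, local port) of what we opened ourselves
        self.expected = set()

    def check(self, p):
        # Rule 1: a forbidden address is dropped whether it is the source or the destination
        if p.src in self.blocked_hosts or p.dst in self.blocked_hosts:
            return "DROP forbidden address"
        if p.src == LOCAL_HOST:  # outgoing packet
            if p.dport not in self.outbound_ports:
                return "DROP disallowed outbound port"
            self.expected.add((p.dst, p.dport, p.sport))  # a reply to this is now expected
            return "ALLOW outbound"
        # Incoming packet: the "advanced" check first, is this the reply we are waiting for?
        if (p.src, p.sport, p.dport) in self.expected:
            return "ALLOW expected reply"
        # Rule 2: valid address, but unknown or disallowed port identifier
        if p.dport in self.inbound_ports:
            return "ALLOW permitted service"
        return "DROP unsolicited inbound"

def filter_packets(fw, packets):
    return [fw.check(p) for p in packets]

def make_demo_firewall():
    return StatefulFirewall(blocked_hosts={"203.0.113.9"}, inbound_ports={22}, outbound_ports={80, 443})

# Constructed traffic: an HTTPS request and its reply, a probe of an unusual port, an SSH login,
# a connection to the forbidden host, a disallowed outbound port, and a "reply" nobody asked for.
DEMO_PACKETS = [
    Packet(LOCAL_HOST, 40001, "192.0.2.10", 443),
    Packet("192.0.2.10", 443, LOCAL_HOST, 40001),
    Packet("198.51.100.7", 31337, LOCAL_HOST, 5555),
    Packet("198.51.100.7", 50000, LOCAL_HOST, 22),
    Packet(LOCAL_HOST, 40002, "203.0.113.9", 80),
    Packet(LOCAL_HOST, 40003, "192.0.2.10", 6667),
    Packet("192.0.2.10", 443, LOCAL_HOST, 40009),
]
```

Run `filter_packets(make_demo_firewall(), DEMO_PACKETS)` to see one decision per packet; note that the last packet, which looks like a server reply, is dropped because no outgoing packet ever asked for it.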

4.5.2. Antivirus

Virus protection software uses two main techniques. The first uses signatures, which are snapshots of the code patterns of the virus. The antivirus program lurks in the background watching files come and go until it detects a pattern that aligns with one of its stored signatures, and then it sounds the alarm and maybe isolates or quarantines the code. Alternatively, the virus protection program can go looking for trouble. It can periodically scan the various disks and memories of the computer, detecting and reporting suspicious code segments, and placing them in quarantine.

One problem with signature-based virus protection programs is that they require a constant flow of new signatures in response to evolving attacks. Their publishers stay alert for new viruses, determine the signatures, and then make them available as updated virus definition tables to their users. To access the new tables, users typically download them from the World Wide Web.

Of course, as the number of viruses increases (and it shows no signs of abating), the tables get progressively larger, making frequent updates somewhat of a chore. This is particularly a problem in the case of memory-limited devices such as palm-top computers or intelligent cell phones.

Another problem is called the Zero Day problem. Basically, this occurs when a user trips over a new virus before the publisher discovers it and can issue an updated signature.

A third problem is that, just as with biological pathogens, viruses can mutate. Sometimes this happens accidentally; other times, it happens because a clever programmer uses file compression software to change the signature of the virus when it is not active or even gives it the ability to be self-garbling. This means it can change its own form by introducing extra statements or adding random numbers, to elude signature detection. (A similar technique is sometimes used by bulk emailers to elude subject line scanners.)

To counter these worries, virus protection publishers are adding what are called heuristic detection features to their wares. Basically, a heuristic is a rule or behavior. If a virus exhibits that behavior, the antivirus software tries to stop it in the act. For instance, a code snippet that suddenly accesses a critical operating system area or file, such as a file table definition sector on a hard drive, is likely up to no good, and should be stopped. Other risk indicators include unexplained changes in file size, particularly in system files, sudden decreases in available hard disk space, or changes in file time or date stamps.
