home
***
CD-ROM
|
disk
|
FTP
|
other
***
search
/
Shareware Supreme Volume 6 #1
/
swsii.zip
/
swsii
/
111
/
FP-209F.ZIP
/
ANALYSE.DOC
next >
Wrap
Text File
|
1993-07-15
|
3KB
|
71 lines
Heuristic analysis
Signature-based virus scanning is not the ultimate solution to the virus
problem. If using an up-to-date scanner (or better yet, two scanners from
different companies), one can be fairly certain that all known viruses
will be detected. The scanners may or may not detect new variants which
have been created by modifying older viruses, but if a new virus is
written entirely from scratch, it will probably not be detected by any
existing virus signature.
The virus may be detected by a generic monitoring program when it
activates - perhaps when trying to perform some suspicious action, such as
reformatting the hard disk. It may also be detected by a checksuming
program, which detects changes to files or boot secors, after they have
been infected. Nevertheless, it is preferable to try to detect the
presence of the virus without actually running a virus-infected program.
The heuristic analysis is basically a small expert-system, which has a set
of rules describing viruses, and attempts to apply them to the programs it
analyses. It is still only in an experimental stage and is not flawless -
some viruses cannot yet be detected in this way, and an occasional false
alarm ist to be expected.
Several different messages may be produced when suspicious code is found
in a program, some of which are nearly certain to indicate a virus
infection, such as the following three messages:
This program contains several features which
are normally only found in virus programs.
It is almost certainly virus-infected.
This program contains a virus which stays resident
in memory when an infected program is run.
This program contains a primitive virus,
which is located at the beginning of the file.
Other messages might indicate a virus infection, but occasionally they are
just false alarms. The less serious messages include:
This program moves itself to a different area
of memory using a method which is normally
only used by viruses.
This is a self-modifying program, which may
indicate a self-encrypting virus or just
unusual code.
Finally there are a few messages which do not indicate a virus infection,
only that something unusual has been found, such as:
This file is packed using PKLITE, LZEXE or
a similar program. It may have been infected
before it was packed, but this program is not
yet able to determine if this is the case.
Some code has been added to the end of this
file, but it does not appear to be a virus.
As this method is still under development, a false positive might be
expected occasionally, and all reports of this would be appreciated.
Currently the following programs are known to cause a false positive:
DIR1.COM
GBXIBMEL.EXE
GRAPHICS.COM
PC-CACHE.COM
WORD.COM (Microsoft Word)
XTPRO.COM