Review of antivirus programs for personal users. Classification and functions of antivirus programs

Classification.

Antivirus products can be classified according to several criteria at once, such as the protection technologies used, the product's functionality, and the target platforms.

By the anti-virus protection technologies used:

  • Classic antivirus products (products that use only signature detection method)
  • Proactive anti-virus protection products (products that use only proactive anti-virus protection technologies)
  • Combined products (products using both classic, signature-based protection methods and proactive ones)

By product functionality:

  • Antivirus products (products that provide only antivirus protection)
  • Combo products (products that provide not only protection against malware, but also spam filtering, encryption and data backup, and other features)

By target platforms:

  • Antivirus products for Windows family OS
  • Antivirus products for the *NIX family of OS (this family includes BSD, Linux, etc.)
  • Antivirus products for macOS family
  • Antivirus products for mobile platforms (Windows Mobile, Symbian, iOS, BlackBerry, Android, Windows Phone 7, etc.)

Antivirus products for corporate users can also be classified by protection objects:

  • Antivirus products for protecting workstations
  • Antivirus products for protecting file and terminal servers
  • Antivirus products for protecting mail and Internet gateways
  • Antivirus products for protecting virtualization servers
  • etc.

Characteristics of antivirus programs.

Antivirus programs are divided into: detector programs, doctor programs, auditor programs, filter programs and vaccine programs.

Detector programs search for viruses in RAM and on external media and, if one is detected, issue a corresponding message. Universal and specialized detectors are distinguished.

Universal detectors check that files are unchanged by computing a checksum and comparing it with a reference value. The disadvantage of universal detectors is that they cannot determine the cause of a file's corruption.

Specialized detectors search for known viruses by their signature (a recurring fragment of code). The disadvantage of such detectors is that they are unable to detect all known viruses.

A detector that detects multiple viruses is called a polydetector.

The disadvantage of such antivirus programs is that they can only find viruses that are known to the developers of such programs.

Doctor programs (phages) not only find files infected with viruses, but also "cure" them, i.e. delete the body of the virus program from the file, returning the files to their original state. At the beginning of their work, phages look for viruses in RAM and destroy them, and only then proceed to "cure" files. Among the phages, polyphages are distinguished, i.e. doctor programs designed to search for and destroy a large number of viruses.

Considering that new viruses are constantly appearing, detector programs and doctor programs quickly become outdated, and their versions need to be regularly updated.

Auditor programs are among the most reliable means of protection against viruses. The auditors remember the initial state of programs, directories and system areas of the disk while the computer is not infected with a virus, and then periodically, or at the request of the user, compare the current state with the initial one. The detected changes are displayed on the screen. As a rule, states are compared immediately after the operating system is loaded. When comparing, the file length, cyclic redundancy code (file checksum), modification date and time, and other parameters are checked.

Auditor programs have quite advanced algorithms, detect stealth viruses, and can even distinguish changes in the version of the program being scanned from changes made by a virus.

Filters (watchdogs) are small resident programs designed to detect suspicious actions, typical of viruses, during computer operation. Such actions can be:

  • attempts to modify files with COM and EXE extensions;
  • changes of file attributes;
  • direct writes to disk at an absolute address.

When any program tries to perform the specified actions, the "watchman" sends a message to the user and offers to prohibit or allow the corresponding action. Filters are useful because they can detect a virus at the earliest stage of its existence, before it multiplies. However, they do not "cure" files and disks. To destroy viruses, you need to use other programs, such as phages. The disadvantages of watchdog programs include their "intrusiveness" (for example, they constantly issue a warning about any attempt to copy an executable file), as well as possible conflicts with other software.

Vaccines (immunizers) are memory-resident programs that prevent files from being infected. Vaccines are used when there is no doctor program that "cures" a given virus. Vaccination is possible only against known viruses. The vaccine modifies the program or disk in such a way that their operation is not affected, but the virus perceives them as already infected and therefore does not infect them. Vaccine programs are currently of limited use.

A significant drawback of such programs is their limited ability to prevent infection from a wide variety of viruses.

Examples of antivirus programs

When choosing an anti-virus program, it is necessary to take into account not only the percentage of virus detection, but also the ability to detect new viruses, the number of viruses in the anti-virus database, the frequency of its updating, and the availability of additional functions.

Currently, a serious antivirus must be able to recognize at least 25,000 viruses. This does not mean that all of them are "in the wild". In fact, most of them have either already ceased to exist or sit in laboratories and are not distributed. In reality, you can encounter 200-300 viruses, and only a few dozen of them are dangerous.

There are many antivirus programs available. Let's consider the most famous of them.

Norton AntiVirus 4.0 and 5.0 (vendor: Symantec).

One of the most famous and popular antiviruses. The virus detection rate is very high (close to 100%). The program uses a mechanism that allows it to recognize new unknown viruses.

Norton AntiVirus has a LiveUpdate feature in its interface, which lets you update both the program and a set of virus signatures via the Web with the click of a button. The Anti-Virus Wizard provides detailed information about the detected virus, and also gives you a choice: to remove the virus either automatically or more carefully, through a step-by-step procedure that allows you to see each of the actions performed during the removal process.

The anti-virus databases are updated very often (sometimes updates appear several times a week). There is a resident monitor.

The disadvantage of this program is the complexity of the configuration (although the basic settings are practically not required to change).

Dr Solomon's AntiVirus (producer: Dr Solomon's Software).

It is considered one of the best antiviruses (Evgeny Kaspersky once said that this is the only competitor to his AVP). It detects almost 100% of known and new viruses. It has a large number of functions: a scanner, a monitor, heuristics and everything you need to successfully resist viruses.

McAfee VirusScan (manufacturer: McAfee Associates).

This is one of the most well-known anti-virus packages. It removes viruses very well, but VirusScan is worse than other packages when it comes to detecting new types of file viruses. It is quick and easy to install using the default settings, but you can customize it as you see fit. You can scan all files or only program files, and choose whether or not to extend scanning to compressed files. It has many functions for working with the Internet.

Dr.Web (producer: "Dialogue Science").

A popular domestic (Russian) antivirus. It recognizes viruses well, but its database contains far fewer of them than those of other antivirus programs.

Antiviral Toolkit Pro (manufacturer: Kaspersky Lab).

This antivirus is recognized worldwide as one of the most reliable. Despite its ease of use, it has the full arsenal you need to fight viruses. The heuristic mechanism, redundant scanning, and scanning of archives and packed files are far from a complete list of its capabilities.

Kaspersky Lab closely monitors the emergence of new viruses and timely releases anti-virus database updates. There is a resident monitor for monitoring executable files.

Today, more than ever, anti-virus software is not only the most in-demand part of the security system of any "operating system", but also one of its main components. And where earlier the user had a very limited, modest choice, now you can find a great many such programs. But if you look at the list of "Top 10 Antiviruses", you will notice that not all of them are equal in terms of functionality. Let's consider the most popular packages. The analysis will include paid, shareware (30-day trial) and freeware applications. But first things first.

Top 10 Antivirus for Windows: Testing Criteria

Before proceeding with the compilation of a certain rating, perhaps you should familiarize yourself with the main criteria that in most cases are used when testing such software.

Naturally, it is simply impossible to consider all known packages. However, among all those designed to protect a computer system in the broadest sense, the most popular ones can be singled out. We will take into account both the official ratings of independent laboratories and the reviews of users who use this or that software product in practice. Mobile programs will not be covered; we will focus on desktop systems.

As for conducting basic tests, as a rule, they include several main aspects:

  • availability of paid and free versions and restrictions related to functionality;
  • standard scanning speed;
  • quick identification of potential threats and the ability to remove or isolate them in quarantine using built-in algorithms;
  • the frequency of updating the anti-virus databases;
  • self-defense and reliability;
  • availability of additional features.

As you can see from the above list, checking the operation of antivirus software allows you to determine the strengths and weaknesses of a particular product. Next, I will consider the most popular software packages included in the Top 10 antiviruses, and also give their main characteristics, of course, taking into account the opinions of people who use them in their daily work.

Kaspersky Lab software products

To begin with, consider the software modules developed by Kaspersky Lab, which are extremely popular in the post-Soviet space.

It is impossible to single out any one program here, because among them you can find the regular Kaspersky Antivirus scanner, modules like Internet Security, portable utilities like the Virus Removal Tool, and even bootable Rescue Disk media for damaged systems.

Two main disadvantages are worth noting right away: firstly, judging by the reviews, almost all programs, with rare exceptions, are paid or shareware, and secondly, the system requirements are unreasonably high, which makes it impossible to use them on relatively weak configurations. Naturally, this scares off many ordinary users, although activation keys for Kaspersky Antivirus or Internet Security can easily be found on the World Wide Web.

On the other hand, the activation situation can be corrected in another way. For example, Kaspersky keys can be generated using special applications like Key Manager. True, this approach is, to put it mildly, illegal, nevertheless, as a way out, it is used by many users.

The speed of operation on modern machines is in the middle range (for some reason, ever heavier versions are created for new configurations), but the constantly updated databases and the unique technologies for detecting and removing known viruses and potentially dangerous programs are at their height. It is not surprising that Kaspersky Lab is today the leader among security software developers.

A few more words about the rescue disk. It is unique in its own way, because it loads a scanner with a graphical interface even before Windows starts, allowing you to remove threats even from RAM.

The same goes for the portable Virus Removal Tool, which can track down any threat on an infected terminal. Only a similar utility from Dr. Web can compete with it.

Protection from Dr. Web

Before us is another of the strongest representatives in the field of security, the famous "Doctor Web", which has been present since the very origins of anti-virus software.

Among the huge number of programs, you can find regular scanners, protection tools for Internet surfing, portable utilities, and recovery discs. You can't list everything.

The main factor in favor of this developer's software is high speed, instant identification of threats with the option of either complete removal or isolation, and a moderate load on the system as a whole. In general, from the point of view of most users, it is a kind of lightweight version of "Kaspersky". Still, there is something interesting here, in particular Dr. Web Katana. It is considered a new-generation software product. It focuses on "sandbox" technologies, that is, placing a threat in the "cloud" or "sandbox" (call it what you want) for analysis before it penetrates the system. However, on closer inspection there is no particular innovation here, because this technique was used even in the free Panda antivirus. In addition, according to many users, Dr. Web Katana is a kind of Security Space with the same technologies. Generally speaking, however, any software from this developer is quite stable and powerful. It is not surprising that many users give preference to such packages.

ESET programs

Speaking of the Top 10 antiviruses, one cannot fail to mention another of the brightest representatives of this area, ESET, which became famous for its well-known NOD32 product. A little later, the ESET Smart Security module was born.

If we look at these programs, an interesting point can be noted. To activate the full functionality of any package, you can do two things. On the one hand, this is the acquisition of an official license. On the other hand, you can install a trial antivirus for free, but activate it every 30 days. There is also an interesting situation with activation.

As noted by absolutely all users, for ESET Smart Security (or for the standard antivirus) one could find freely distributed keys in the form of a username and password on the official website. Until recently, only this data could be used. Now the process has become somewhat more complicated: first you need to obtain a login and password on a special site, convert them into a license number, and only then enter it into the registration field in the program itself. However, if you do not pay attention to such trifles, it can be noted that this antivirus is one of the best. Pros noted by users:

  • virus signature databases are updated several times a day,
  • identification of threats at the highest level,
  • there are no conflicts with system components (firewall),
  • the package has the strongest self-defense,
  • there are no false alarms, etc.

Separately, it should be noted that the load on the system is minimal, and the use of the "Anti-theft" module even allows you to protect data from theft or illegal use for personal gain.

AVG antivirus

AVG Antivirus is paid software designed to provide comprehensive security for computer systems (there is also a free cut-down version). And although today this package is no longer in the top five, it nevertheless demonstrates fairly high speed and stability.

In principle, it is ideal for home use, because, in addition to its speed, it has a convenient Russian interface and more or less stable behavior. True, as some users note, it is sometimes able to miss threats. And this is not about viruses as such, but rather about spyware and adware "junk". The program's own module for handling them, although widely advertised, nevertheless looks somewhat unfinished according to users. And the additional firewall often causes conflicts with the "native" Windows firewall if both modules are active.

Avira package

Avira is another member of the antivirus family. In principle, it does not differ from most similar packages. However, if you read user reviews about it, you can find quite interesting posts.

Many strongly advise against using the free version, since some modules are simply missing from it. To provide reliable protection, you will have to purchase the paid product. But such an antivirus is suitable for Windows 8 and 10, where the system itself uses a lot of resources while the package uses them very sparingly. In principle, Avira is best suited for, say, budget laptops and weak computers. A network installation, however, is out of the question.

Cloud service Panda Cloud

At one time, the free Panda Cloud became almost a revolution in the field of antivirus technology. The use of the so-called "sandbox" for sending suspicious content for analysis before it penetrates the system made this application especially popular among users of all levels.

And it is with the "sandbox" that this antivirus is associated today. Indeed, unlike other programs, this technology allows you not to let a threat into the system at all. For example, any virus first saves its body on the hard drive or in RAM, and only then starts its activity. Here it never gets as far as being saved: first the suspicious file is sent to the cloud service, where it is checked, and only then can it be saved on the system. True, according to users, this can take a lot of time and places an unreasonably heavy load on the system. On the other hand, it is worth asking yourself which is more important: safety or a longer check? For modern computer configurations with an Internet connection of 100 Mbps and higher, however, it can be used without problems. By the way, the program's own protection is also provided through the "cloud", which sometimes draws criticism.

Avast Pro Antivirus Scanner

Now a few words about one more notable representative. It is quite popular with many users; however, despite having the same "sandbox", anti-spyware, a network scanner, a firewall and a virtual office, Avast Pro Antivirus clearly loses in the main indicators of performance, functionality and reliability to such giants as Kaspersky Lab software or applications using Bitdefender technologies, although it demonstrates high scanning speed and low resource consumption.

What attracts users to these products is mainly the fact that the free version of the package is highly functional and does not differ much from the paid software. In addition, this antivirus works on all versions of Windows, including Windows 10, and behaves perfectly even on outdated machines.

360 Security Packs

Before us is probably one of the fastest antiviruses of our time: 360 Security, developed by Chinese specialists. In general, all products marked "360" are distinguished by an enviable speed of operation (for example, the 360 Safety Browser).

Beyond its main purpose, the program has additional modules for eliminating operating system vulnerabilities and for optimization. But neither speed nor free distribution can make up for its false alarms: in the list of programs with the highest rate by this criterion, this software takes one of the first places. According to many experts, conflicts arise at the system level because of the additional optimizers, whose actions overlap with the tasks the OS itself performs.

Software products based on Bitdefender technologies

Another "old man" among the most famous defenders of "operating systems" is Bitdefender. Unfortunately, in 2015 it lost the lead to Kaspersky Lab products; nevertheless, in anti-virus fashion, so to speak, it remains one of the trendsetters.

If you look a little more closely, you will notice that many modern programs (the same 360 Security package, for example) are based in different variations on these technologies. Despite the rich functionality, there are also some drawbacks. Firstly, you will not find a Russified Bitdefender, since no such version exists. Secondly, despite the use of the latest technological developments in system protection, it shows too high a number of false positives (according to experts, this is typical of the entire group of programs based on Bitdefender). The presence of additional optimizer components and their own firewalls in general does not improve the behavior of such antiviruses. But you cannot deny the speed of this application. In addition, P2P is used for verification, but there is no real-time e-mail scanning at all, which many do not like.

Microsoft antivirus

Another application that is mentioned remarkably often, with or without reason, is Microsoft's own Security Essentials product.

This package is included in the Top 10 antiviruses most likely only because it is developed exclusively for Windows systems, which means that it causes absolutely no conflicts at the system level. Besides, who, if not the experts from Microsoft, knows all the security holes and vulnerabilities of their own operating systems? Interestingly, the early builds of Windows 7 and Windows 8 had MSE as standard, but then, for some reason, this kit was abandoned. However, for Windows it can be the simplest solution in terms of protection, although there is no need to count on special functionality.

McAfee app

As for this application, it looks quite interesting. True, it has earned its greatest popularity on mobile devices with all kinds of lock features; nevertheless, this antivirus behaves no worse on desktop computers.

The program has low-level support for P2P networks when sharing files over instant messengers, and also offers two-level protection, in which the WormStopper and ScriptStopper modules play the main role. But in general, according to consumers, the functional set is at an average level, and the program itself is focused more on detecting spyware, computer worms and Trojans and on preventing executable scripts or malicious code from entering the system.

Combined antivirus and optimizers

Naturally, only those included in the Top 10 antiviruses were considered here. If we talk about the rest of the software of this kind, we can note some packages containing anti-virus modules in their sets.

Which one to prefer?

Naturally, all antiviruses have certain similarities and differences. What should you install? You need to proceed from your needs and the level of protection required. As a rule, corporate clients should buy something more powerful with network installation capability (Kaspersky, Dr. Web, ESET). For home use, the user chooses what he needs (if desired, you can even find an antivirus for a year without registration or purchase). Judging by user reviews, however, it is better to install Panda Cloud, even despite some additional load on the system and the time it takes to check in the sandbox. But it is here that there is a complete guarantee that the threat will not penetrate the system in any way. Still, everyone is free to choose what exactly he needs. If activation is not a problem, ESET products work fine on home systems. But it is highly undesirable to use optimizers with antivirus modules as the main means of protection. And it is impossible to say which program takes first place: there are as many opinions as there are users.

The most popular and effective antivirus programs are antivirus scanners (detectors), CRC scanners (auditors). There are also antivirus blockers and immunizers.

Scanners. The principle of operation of antivirus scanners is based on scanning files, sectors and system memory and searching them for known and new (unknown to the scanner) viruses. So-called "masks" are used to search for known viruses. A virus mask is a constant sequence of code specific to that particular virus. If the virus contains no constant mask, or the mask is too short, other methods are used. An example of such a method is an algorithmic language that describes all possible variants of the code that can be encountered in an infection by this type of virus. This approach is used by some antiviruses to detect polymorphic viruses.

Many scanners also use "heuristic scanning" algorithms, that is, analysis of the sequence of commands in the scanned object, collecting some statistics and making a decision for each scanned object. Since heuristic scanning is largely a probabilistic method of searching for viruses, many laws of the theory of probability apply to it. For example, the higher the percentage of detected viruses, the greater the number of false positives.

Scanners can also be divided into two categories, "universal" and "specialized". Universal scanners are designed to search for and neutralize all types of viruses, regardless of the operating system in which the scanner is designed to work. Specialized scanners are designed to neutralize a limited number of viruses or only one class of them, for example macro viruses.

Scanners are also divided into "resident" (monitors), which perform scanning "on the fly", and "non-resident", which provide a system scan only on demand. As a rule, "memory resident" scanners provide more reliable system protection, since they immediately respond to a virus, while a "non-memory resident" scanner is able to recognize a virus only during its next launch.

The advantages of all types of scanners include their versatility, the disadvantages are the size of the anti-virus databases that scanners have to store and replenish, and the relatively low speed of scanning for viruses.
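As an added illustration (not code from the original text), here is a minimal mask-based scanner in Python: fixed masks as described above, `??` wildcards as a toy stand-in for the "algorithmic" description of code that varies between infections, and a vetting step that shows why a mask with too little constant code produces the false positives the text warns about. All samples and mask names are constructed, not real malware signatures.

```python
"""Toy mask-based virus scanner (added example; samples and masks are constructed)."""
from __future__ import annotations

import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Mask:
    """A virus mask: space-separated hex bytes; '??' stands for any single byte.

    '??' is the simplest form of the "algorithmic" description mentioned in the text,
    covering bytes that differ between copies (for example a per-copy decryption key).
    """
    name: str
    pattern: str


def compile_mask(mask: Mask) -> re.Pattern[bytes]:
    """Turn the hex/wildcard mask into a bytes regex ('.' with DOTALL = any byte)."""
    parts = []
    for token in mask.pattern.split():
        parts.append(b"." if token == "??" else re.escape(bytes.fromhex(token)))
    return re.compile(b"".join(parts), re.DOTALL)


def scan(data: bytes, masks: list[Mask]) -> list[str]:
    """Return the (sorted) names of all masks found in the scanned object."""
    return sorted(m.name for m in masks if compile_mask(m).search(data))


def vet_masks(masks: list[Mask], clean_corpus: list[bytes]) -> list[str]:
    """Names of masks that also hit known-clean files: these would cause false positives."""
    return sorted({m.name for m in masks for clean in clean_corpus if compile_mask(m).search(clean)})


# Constructed samples (not real malware). The two "infected" files differ only in the
# four immediate bytes following the b8 opcode, mimicking a variable key; the clean
# file shares the opcode but not the rest of the code.
HEADER = b"MZ\x90\x00"
SAMPLE_A = HEADER + bytes.fromhex("b8 11 22 33 44 31 d2 eb 05") + b"payload"
SAMPLE_B = HEADER + bytes.fromhex("b8 aa bb cc dd 31 d2 eb 05") + b"payload"
CLEAN = HEADER + bytes.fromhex("b8 01 00 00 00 c3") + b"legitimate program"

MASKS = [
    Mask("Sample.A", "b8 11 22 33 44 31 d2 eb 05"),    # fixed mask: catches variant A only
    Mask("Sample.gen", "b8 ?? ?? ?? ?? 31 d2 eb 05"),  # wildcard mask: catches both variants
    Mask("TooShort", "b8 ?? ?? ?? ??"),                # one constant byte: hits clean files too
]

if __name__ == "__main__":
    for label, data in (("A", SAMPLE_A), ("B", SAMPLE_B), ("clean", CLEAN)):
        print(label, scan(data, MASKS))
    print("masks causing false positives:", vet_masks(MASKS, [CLEAN]))
```

The fixed mask misses variant B, the wildcard mask catches both, and `vet_masks` flags the short mask because it matches the clean file as well.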

CRC scanners. The principle of operation of CRC scanners is based on calculating CRC sums (checksums) for the files and system sectors present on the disk. These CRC sums are then saved in the anti-virus database, together with some other information: file lengths, the date of their last modification, etc. At the next launch, the CRC scanner checks the data in the database against the actually calculated values. If the information about a file recorded in the database does not match the real values, the CRC scanner signals that the file has been modified or infected with a virus.

CRC scanners using anti-stealth algorithms react to almost 100% of viruses as soon as changes appear on the computer. A characteristic drawback of these antiviruses is that they cannot detect a virus between the moment it appears and the moment it makes changes on the computer. CRC scanners cannot detect a virus in new files (in e-mail, on floppy disks, in restored files, or when unpacking files from an archive), because their databases hold no information about these files.
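The auditor / CRC-scanner approach described here (and in the auditor section earlier on the page), as an added Python example that is not part of the original text: a baseline of length, modification time and CRC32 is recorded for a known-clean directory, and a later audit reports which parameters changed per file. File names and contents are constructed; the demo also reproduces the limitation noted above, a file absent from the baseline can only be reported as new.

```python
"""File-integrity auditor (CRC scanner). Added example; the scenario in demo() is constructed."""
from __future__ import annotations

import os
import shutil
import tempfile
import zlib
from dataclasses import dataclass


@dataclass(frozen=True)
class Record:
    """The per-file parameters the text names: length, modification time, CRC sum."""
    length: int
    mtime_ns: int
    crc32: int


def fingerprint(path: str) -> Record:
    st = os.stat(path)
    crc = 0
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            crc = zlib.crc32(chunk, crc)
    return Record(st.st_size, st.st_mtime_ns, crc)


def build_baseline(root: str) -> dict[str, Record]:
    """Snapshot of every file under root, taken while the system is known to be clean."""
    baseline: dict[str, Record] = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            baseline[os.path.relpath(full, root)] = fingerprint(full)
    return baseline


def audit(root: str, baseline: dict[str, Record]) -> dict:
    """Compare the current state with the baseline; report which parameters differ."""
    current = build_baseline(root)
    modified: dict[str, list[str]] = {}
    for rel, old in baseline.items():
        new = current.get(rel)
        if new is None:
            continue
        diffs = [f for f in ("length", "mtime_ns", "crc32") if getattr(old, f) != getattr(new, f)]
        if diffs:
            modified[rel] = diffs
    return {
        "modified": modified,
        "missing": sorted(baseline.keys() - current.keys()),
        # No reference data exists for these, so the auditor can only say they are new.
        "new": sorted(current.keys() - baseline.keys()),
    }


def demo() -> dict:
    """Constructed scenario: baseline a clean directory, then tamper with it three ways."""
    root = tempfile.mkdtemp(prefix="auditor-demo-")
    try:
        app, tool = os.path.join(root, "app.exe"), os.path.join(root, "tool.com")
        with open(app, "wb") as f:
            f.write(b"MZ clean program image")
        with open(tool, "wb") as f:
            f.write(b"clean COM program body")
        baseline = build_baseline(root)

        # 1) Ordinary infection: code appended, so length, timestamp and CRC all change.
        with open(app, "ab") as f:
            f.write(b" + appended code")
        # 2) Stealth-style infection: four bytes overwritten in place and the timestamp
        #    restored. Length and mtime look untouched; only the CRC sum gives it away.
        st = os.stat(tool)
        with open(tool, "r+b") as f:
            f.seek(0)
            f.write(b"XXXX")
        os.utime(tool, ns=(st.st_atime_ns, st.st_mtime_ns))
        # 3) A file that did not exist at baseline time.
        with open(os.path.join(root, "dropped.exe"), "wb") as f:
            f.write(b"unknown program")
        return audit(root, baseline)
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    print(demo())
```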

Detector programs search for a signature characteristic of a particular virus in RAM and in files and, if it is detected, issue a corresponding message. The disadvantage of such antivirus programs is that they can only find viruses that are known to the developers of such programs.

Blockers. Antivirus blockers are memory-resident programs that intercept "virus-dangerous" situations and notify the user about them. Virus-dangerous calls include opening executable files for writing, writing to the boot sector of the disk, etc., which are typical for viruses at the time of their replication.

The advantages of blockers include their ability to detect and block a virus at the earliest stage of its reproduction, which, by the way, is very useful in cases when a well-known virus is constantly being activated.

Immunizers. Immunizers are divided into two types: immunizers that report an infection, and immunizers that block infection with any type of virus.

Doctor programs or phages, as well as vaccine programs, not only find files infected with viruses, but also "cure" them, i.e. delete the body of the virus program from the file, returning the files to their original state. At the beginning of their work, phages look for viruses in RAM and destroy them, and only then proceed to "cure" files. Among the phages, polyphages are distinguished, i.e. doctor programs designed to search for and destroy a large number of viruses. The most famous of them are Aidstest, Scan, Norton AntiVirus and Doctor Web.

Considering that new viruses are constantly appearing, detector programs and doctor programs quickly become outdated, and regular version updates are required.

Auditor programs are among the most reliable means of protection against viruses. The auditors remember the initial state of programs, directories and system areas of the disk while the computer is not infected with a virus, and then periodically, or at the request of the user, compare the current state with the initial one. The detected changes are displayed on the screen. As a rule, states are compared immediately after the operating system is loaded. When comparing, the file length, cyclic redundancy code (file checksum), modification date and time, and other parameters are checked. Auditor programs have quite advanced algorithms, detect stealth viruses, and can even distinguish changes due to a new version of the scanned program from changes introduced by a virus. The Adinf program, which is widely used in Russia, is one of the auditor programs.

Filters or "watchmen" are small resident programs designed to detect suspicious actions, typical of viruses, during computer operation. Such actions can be:

  • attempts to modify files with COM and EXE extensions;
  • changing file attributes;
  • direct writes to disk at an absolute address;
  • writing to the boot sectors of the disk.

When any program tries to perform the specified actions, the "watchman" sends a message to the user and offers to prohibit or allow the corresponding action. Filters are useful because they can detect a virus at the earliest stage of its existence, before it multiplies. However, they do not "cure" files and disks. To destroy viruses, you need to use other programs, such as phages. The disadvantages of watchdog programs include their "intrusiveness" (for example, they constantly issue a warning about any attempt to copy an executable file), as well as possible conflicts with other software. An example of a filter program is the Vsafe program included in the MS Windows utility package.
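The watchdog logic described here and in the earlier filter section, as an added Python example that is not from the original text: a constructed event log is classified against the listed actions (writing to COM/EXE files, changing attributes, writing at an absolute disk address, writing the boot sector), and a decision callback stands in for the user's allow/prohibit answer. Process names, paths and the event format are constructed.

```python
"""Toy resident filter ("watchman"). Added example; events, paths and process names are constructed."""
from __future__ import annotations

from dataclasses import dataclass
from typing import Callable, Iterable, Optional


@dataclass(frozen=True)
class Event:
    """One intercepted operation (constructed log format, not a real OS hook API)."""
    process: str
    op: str       # "read", "open_write", "set_attrs", "raw_write"
    target: str   # file path, or "disk0:sector:<n>" for writes at an absolute address


EXECUTABLE_EXT = (".com", ".exe")


def classify(ev: Event) -> Optional[str]:
    """Map an operation to one of the virus-typical actions the text lists, or None."""
    if ev.op == "open_write" and ev.target.lower().endswith(EXECUTABLE_EXT):
        return "modify executable file"
    if ev.op == "set_attrs":
        return "change file attributes"
    if ev.op == "raw_write":
        sector = int(ev.target.rsplit(":", 1)[1])
        return "write to boot sector" if sector == 0 else "direct disk write at absolute address"
    return None  # reads and writes to ordinary data files are not watched


Alert = tuple[str, str, str]  # (process, reason, target)


def monitor(events: Iterable[Event], decide: Callable[[Event, str], bool]) -> dict[str, list[Alert]]:
    """Run the watchdog. Every suspicious action is put to `decide`, which plays the
    role of the user's allow/prohibit answer; the verdicts are collected for review."""
    report: dict[str, list[Alert]] = {"allowed": [], "blocked": []}
    for ev in events:
        reason = classify(ev)
        if reason is None:
            continue
        verdict = "allowed" if decide(ev, reason) else "blocked"
        report[verdict].append((ev.process, reason, ev.target))
    return report


# Constructed event log: a document read, a legitimate installer updating a program
# (this still triggers a prompt: the "intrusiveness" the text describes), a program
# rewriting COMMAND.COM, changing its attributes and writing the boot sector, and a
# defragmenter writing at an absolute sector address.
SAMPLE_EVENTS = [
    Event("word.exe", "read", r"C:\DOCS\REPORT.DOC"),
    Event("setup.exe", "open_write", r"C:\APP\APP.EXE"),
    Event("game.com", "open_write", r"C:\DOS\COMMAND.COM"),
    Event("game.com", "set_attrs", r"C:\DOS\COMMAND.COM"),
    Event("game.com", "raw_write", "disk0:sector:0"),
    Event("defrag.exe", "raw_write", "disk0:sector:4096"),
]

TRUSTED = {"setup.exe", "defrag.exe"}  # constructed: tools the user recognises


def trusted_user(ev: Event, reason: str) -> bool:
    """Stand-in for the interactive prompt: allow known tools, prohibit everything else."""
    return ev.process in TRUSTED


def demo() -> dict[str, list[Alert]]:
    return monitor(SAMPLE_EVENTS, trusted_user)


if __name__ == "__main__":
    for verdict, alerts in demo().items():
        for process, reason, target in alerts:
            print(f"{verdict:7} {process:11} {reason:38} {target}")
```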

Vaccines or immunizers are TSR (terminate-and-stay-resident) programs that prevent file infection. Vaccines are used when there is no doctor program that "treats" a given virus. Vaccination is possible only against known viruses. The vaccine modifies the program or disk in such a way that their operation is not affected, but the virus perceives them as already infected and therefore does not infect them. Vaccine programs are currently of limited use.

Timely detection of virus-infected files and disks, complete elimination of detected viruses on each computer help to avoid the spread of a virus outbreak to other computers.

Eugene Kaspersky in 1992 used the following classification of antiviruses depending on their operating principle (which determines functionality):

1. Scanners (obsolete term: "polyphages") determine the presence of a virus using a signature database, which stores the signatures (or their checksums) of viruses. Their effectiveness is determined by how up to date the virus database is and by the presence of a heuristic analyzer (see: Heuristic scanning).

2. Auditors (a class similar to IDS) - remember the state of the file system, which makes it possible to analyze changes in the future.

3. Watchmen (monitors) - monitor potentially dangerous operations, giving the user an appropriate request for permission / prohibition of the operation.

4. Vaccines - modify the file to be vaccinated so that the virus against which the vaccine is being vaccinated already considers the file to be infected. In modern (2007) conditions, when the number of possible viruses is measured in hundreds of thousands, this approach is inapplicable.

Modern antiviruses combine all of the above functions.

Antiviruses can also be divided into:

  • Products for home users:
    - Antiviruses proper;
    - Combined products (for example, anti-spam, firewall, anti-rootkit, etc. have been added to the classic anti-virus);
  • Corporate products:
    - Server antiviruses;
    - Antiviruses on workstations ("endpoint").

Antiviruses on SIM, flash cards and USB devices

Mobile phones produced today have a wide range of interfaces and data transfer capabilities. Consumers should carefully study the protection methods before connecting any small devices.

Hardware-based protection methods, for example antiviruses on USB devices or on the SIM, are better suited to consumers of mobile phones. Before installing an antivirus program on a cell phone, its scanning process should be assessed, since it could affect other legitimate applications on that phone.

SIM antivirus software with built-in antivirus in the small memory zone provides anti-malware / virus protection by protecting the PIN and phone user information. Antiviruses on flash cards enable the user to exchange information and use these products with various hardware devices, as well as send this data to other devices using various communication channels.

Antiviruses, mobile devices and innovative solutions

In the future, it is possible for mobile phones to become infected with a virus. More and more developers in this area are offering antivirus software to combat viruses and protect mobile phones. The following types of virus-fighting tools exist for mobile devices.

Although general information security and preventive measures are very important to protect against viruses, specialized software is required. These programs can be divided into several types:

  • Detection programs check whether files on disk contain a specific byte pattern (signature) of a known virus and report this to the user (VirusScan / SCAN / McAfee Associates).
  • Doctor programs or phages "cure" infected programs by "biting out" the virus body from the infected programs, both with and without restoring the environment (infected file); the curing module of the SCAN program is the CLEAN program.
  • Doctor-detector programs (Lozinsky's Aidstest, Danilov's Doctor Web, MSAV, Norton Antivirus, Kaspersky AVP) are able to detect the presence of a known virus on the disk and heal the infected file. This is the most widespread group of anti-virus programs today.

In the simplest case, the command to check the contents of the disk for viruses is: aidstest /key1 /key2 /key3 /---

  • Filter programs (watchmen) are resident in the PC's RAM and intercept those calls to the operating system that are used by viruses to multiply and do harm, and report them to the user:
    - an attempt to corrupt the main OS file COMMAND.COM;
    - an attempt to write directly to the disk (the previous record is deleted), while a message is displayed that some program is trying to copy to the disk;
    - disk formatting;
    - resident placement of a program in memory.

Having detected an attempt at one of these actions, the filter program gives the user a description of the situation and requires him to confirm. The user can enable or disable this operation. Control of actions typical for viruses is carried out by replacing the appropriate interrupt handlers. The disadvantages of these programs include intrusiveness (the watchdog, for example, issues a warning about any attempt to copy an executable file), possible conflicts with other software, bypassing the watchdog by some viruses. Examples of filters: Anti4us, Vsafe, Disk Monitor.

It should be noted that today many programs of the doctor-detector class also have a resident module, a filter (watchman), for example, Dr. Web, AVP, Norton Antivirus. Thus, such programs can be classified as doctor-detector-guard.

  • Hardware and software anti-virus tools (the Sheriff hardware and software complex). Along with the watchdog programs, there are hardware and software antivirus tools that provide more reliable protection against virus penetration into the system. Such complexes consist of two parts: hardware, which is installed in the form of a microcircuit on the motherboard, and software, which is written to disk. The hardware part (controller) monitors all disk write operations; the software part, being resident in RAM, monitors all information input / output operations. However, the applicability of these tools requires careful consideration in terms of the configuration of the additional equipment used on the PC, such as disk controllers, modems, or network cards.
  • Auditor programs (Adinf / Advanced Disk infoscope / with ADinf Cure Module, Mostovoy). Auditor programs have two stages of work. First, they remember information about the state of programs and system areas of disks (the boot sector and the sectors with the table partitioning the hard disk into logical partitions). It is assumed that at this point the programs and system areas of the disks are not infected. Then, when comparing the system areas and disks with the original, if a mismatch is found, it is reported to the user. Auditor programs are able to detect invisible (STEALTH) viruses. A file length check is insufficient; some viruses do not change the length of the infected files. A more reliable check is to read the entire file and calculate its checksum (bit by bit). It is almost impossible to change the entire file so that its checksum remains the same. Minor disadvantages of auditors include the fact that for security purposes they must be used regularly, for example, called daily from the AUTOEXEC.BAT file. But their undoubted advantages are the high speed of checks and the fact that they do not require frequent version updates. Even half-year-old versions of the auditor reliably detect and remove modern viruses.
  • Vaccine or immunization programs (CPAV). Vaccine programs modify programs and disks in such a way that this does not affect the operation of the programs, but the virus that is vaccinated against considers these programs and disks already infected. The work of these programs is not effective enough.
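The two-stage auditor described above (remember a baseline, then compare), including its point that a file length check is insufficient while a whole-file checksum is reliable, as an added example in Python that is not part of the original text; the file name and byte contents are constructed.

```python
import hashlib
import os
import tempfile


def snapshot(paths):
    """Stage 1: remember length and SHA-256 of each file (the auditor's baseline)."""
    state = {}
    for p in paths:
        with open(p, "rb") as f:
            data = f.read()
        state[p] = {"size": len(data), "sha256": hashlib.sha256(data).hexdigest()}
    return state


def audit(baseline, check_size_only=False):
    """Stage 2: compare current files against the baseline; return (path, reason) pairs."""
    findings = []
    for p, rec in baseline.items():
        if not os.path.exists(p):
            findings.append((p, "missing"))
            continue
        with open(p, "rb") as f:
            data = f.read()
        if len(data) != rec["size"]:
            findings.append((p, "size changed"))
        elif not check_size_only and hashlib.sha256(data).hexdigest() != rec["sha256"]:
            # Same length, different bytes: only the whole-file checksum catches this.
            findings.append((p, "content changed, size unchanged"))
    return findings


def demo():
    """Constructed scenario: an in-place, same-length change evades a length check but not a hash check."""
    d = tempfile.mkdtemp()
    prog = os.path.join(d, "PROG.COM")          # constructed file name
    with open(prog, "wb") as f:
        f.write(b"\xb4\x4c\xcd\x21" + b"\x90" * 60)   # constructed: short body padded with NOPs
    base = snapshot([prog])
    # Overwrite two padding bytes in place so the file size stays identical.
    with open(prog, "r+b") as f:
        f.seek(10)
        f.write(b"\x00\x01")
    return audit(base, check_size_only=True), audit(base)
```

Run `demo()`: the length-only audit reports nothing, while the checksum audit flags the file as "content changed, size unchanged".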

Conventionally, the strategy of defense against the virus can be defined as a multi-level "layered" defense. Structurally, it might look like this. Reconnaissance tools in the "defense" against viruses are matched by software detectors that allow you to determine the newly received software for the presence of viruses. At the forefront of the defense are filter programs that are resident in the computer's memory. These programs can be the first to report on the operation of the virus. The second echelon of "defense" is made up of audit programs. The auditors detect the attack of the virus even when it has managed to "seep" through the front line of the defense. Doctor programs are used to restore infected programs if a copy of the infected program is not in the archive, but they do not always treat correctly. Doctors-examiners detect a virus attack and treat infected programs, and control the correctness of the treatment. The deepest echelon of defense is the means of differentiating access. They do not allow viruses and malfunctioning programs, even if they have entered the PC, from spoiling important data. The "strategic reserve" contains archived copies of information and "reference" floppy disks with software products. They allow you to recover information if it is damaged.

The harmful actions of each type of virus can be very diverse. This includes the removal of important files or even "firmware" BIOS, and the transfer of personal information, such as passwords, to a specific address, the organization of unauthorized mailings and attacks on some sites. It is also possible to start dialing through a cell phone to paid numbers. Utilities of hidden administration (backdoor) are even capable of giving the attacker full control of the computer. Fortunately, all these troubles can be successfully combated, and the main weapon in this fight will, of course, be antivirus software.

Kaspersky Anti-Virus. Perhaps, "Kaspersky Anti-Virus" is the most famous product of this type in Russia, and the surname "Kaspersky" has become synonymous with the fighter against malicious codes. The laboratory of the same name not only constantly releases new versions of its security software, but also conducts educational work among computer users. The latest, ninth version of Kaspersky Anti-Virus, like previous releases, has a simple and transparent interface that combines all the necessary utilities in one window. With an installation wizard and intuitive menu options, even a novice user can configure this product. The power of the algorithms used will satisfy professionals too. A detailed description of each of the detected viruses can be found by calling the corresponding page on the Internet directly from the program.

Dr. Web. Another popular Russian antivirus competing in popularity with Kaspersky Anti-Virus is Dr. Web. Its trial version has an interesting feature: it requires mandatory registration via the Internet. On the one hand, this is very good - immediately after registration, the anti-virus databases are updated and the user receives the latest signature data. On the other hand, it is impossible to install the trial version autonomously, and, as experience has shown, problems are inevitable with an unstable connection.

Panda Antivirus + Firewall 2007. A comprehensive solution in the field of computer security - the Panda Antivirus + Firewall 2007 package - includes, in addition to the anti-virus program, a firewall that monitors network activity. The interface of the main window of the program is designed in "natural" green tones, but, despite the visual appeal, the system of transitions through the menu is built inconveniently, and a novice user may well get confused in the settings.

The Panda package contains several original solutions at once, such as the proprietary TruePrevent technology for searching for unknown threats, based on the most modern heuristic algorithms. It is worth paying attention to the utility for searching computer vulnerabilities - it assesses the danger of "holes" in the security system and offers to download the necessary updates.

Norton Antivirus 2005. The main impression of the product of the famous company Symantec - the antivirus complex Norton Antivirus 2005 - is its focus on powerful computing systems. The response of the Norton Antivirus 2005 interface to user actions is noticeably delayed. In addition, during installation, it makes rather strict requirements for the versions of the operating system and Internet Explorer. Unlike Dr.Web, Norton Antivirus does not require updating the virus databases during installation, but it will remind you that they are outdated during the entire operation time.

McAfee VirusScan. McAfee VirusScan, a curious antivirus product that, according to the developers, is the world's #1 scanner, was chosen for testing because it stood out among similar applications with a large distribution kit (over 40 MB). Assuming that this size is due to wide functionality, we proceeded to the installation and found that, in addition to the antivirus scanner, it includes a firewall, as well as utilities for cleaning the hard disk and guaranteed deletion of objects from the hard drive (file shredder).

Questions for chapters 6 and 7

  • 1. Stages of development of information security tools and technologies.
  • 2. Components of the standard security model.
  • 3. Sources of security threats and their classification.
  • 4. Unintentional threats to information security.
  • 5. Intentional threats to information security.
  • 6. Classification of information leakage channels.
  • 7. Regulation of information security problems.
  • 8. The structure of the state information protection system.
  • 9. Methods and means of information protection.
  • 10. Classification of data security threats.
  • 11. Methods for protecting information from viruses.
  • 12. Methods of integrity control.
  • 13. Classification of computer viruses.
  • 14. Means of protection against viruses.
  • 15. Preventive anti-virus measures.
  • 16. Classification of software anti-virus products.