A logic bomb is a program that performs an action that violates the security policy when some external event occurs. Disaffected employees who plant Trojan horses in systems use logic bombs. The triggering events are tied to the employee's grievance, such as deleting the payroll roster when that employee's name is deleted from it.

DEFENSES AGAINST VIRUSES.

Defending against malicious logic takes advantage of several different characteristics of malicious logic to detect, or to block, its execution. The defenses inhibit the suspect behavior. The mechanisms are imprecise: they may allow malicious logic that does not exhibit the given characteristic to proceed (a false negative), and they may prevent programs that are not malicious but do exhibit the given characteristic from proceeding (a false positive).

Anti-Virus Technologies

Without control of the "human element" and proper implementation, anti-virus software alone cannot provide full protection. However, it is still the critical element in the fight against viruses. As stated before, non-virus problems may appear to be virus related, even to sophisticated users. Without anti-virus software, there is no conclusive way to rule out viruses as the source of such problems and then arrive at solutions.

Effective anti-virus software must be capable of performing three main tasks:
Virus Detection,
Virus Removal (File Cleaning),
Preventive Protection.

Of course, detection is the primary task, and the anti-virus software industry has developed a number of different detection methods, as follows.

Five Major Virus Detection Methods:

Integrity Checking (aka Checksumming) - Based on determining, by comparison against a previously recorded baseline, whether virus-attacked code modified a program's file characteristics (size, timestamps, checksum or hash). As it is not dependent on virus signatures, this method does not require software updates at specific intervals.
Limitations - Requires maintenance of a virus-free checksum database; allows the possibility of registering already-infected files as clean; unable to detect passive and active stealth viruses; cannot identify detected viruses by type or name.

Interrupt Monitoring - Attempts to locate and prevent a virus's "interrupt calls" (function requests made through the system's interrupts).
Limitations - Negative effect on system resource utilization; may flag "legal" system calls and therefore be obtrusive; limited success facing the gamut of virus types and legal function calls.

Memory Detection - Depends on recognition of a known virus's location and code while in memory; generally successful.
Limitations - As in interrupt monitoring, can impose impractical resource requirements; can interfere with valid operations.

Signature Scanning - Recognizes a virus's unique "signature," a pre-identified sequence of bytes (usually written as hexadecimal), making it highly successful at virus identification.
Limitations - Totally dependent on maintaining current signature files (as software updates from the vendor) and scanning engine refinements; may make false positive detections in valid files that happen to contain the signature bytes.

Heuristic/Rules-based Scanning - Faster than traditional scanners, the method uses
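The following is an added example, not code from the original notes, that runs the two detection methods above which operate on files on disk: integrity checking (checksumming) and signature scanning. It builds a small constructed program directory, records a SHA-256 baseline, "infects" one program by appending a hypothetical virus body, and plants a benign file that merely contains the same bytes. The directory layout, file contents and the "DemoVirus.A" signature are all assumptions made for illustration. The results show the limitations the notes list: the integrity checker reports that a file changed but cannot say which virus did it, it reports nothing once an infected file has been registered in the baseline, and the signature scanner names the virus but also flags the benign file (a false positive).

```python
"""Integrity checking and signature scanning over a constructed file set.
Added example; not code from the original course notes."""
import hashlib
import json
import os
import shutil
import tempfile

# Hypothetical signature database: virus name -> byte pattern the scanner
# looks for. Real products ship many thousands of these and update them often.
SIGNATURES = {
    "DemoVirus.A": bytes.fromhex("deadbeef4f4f50532056495255532100"),
}


def file_sha256(path):
    """Hash a file in chunks so large programs do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root, db_path):
    """Record size and SHA-256 of every file under root into a JSON database.
    The database must live outside root and must be built from a known-clean
    state: anything already infected is registered as 'clean'."""
    baseline = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            p = os.path.join(dirpath, name)
            baseline[os.path.relpath(p, root)] = {
                "size": os.stat(p).st_size, "sha256": file_sha256(p)}
    with open(db_path, "w") as f:
        json.dump(baseline, f)
    return baseline


def integrity_check(root, db_path):
    """Compare the current tree against the baseline. Reports that a file
    changed, not which virus changed it. Reads go through the OS, so a
    stealth virus that intercepts reads and returns clean bytes would
    evade this check (not simulated here)."""
    with open(db_path) as f:
        baseline = json.load(f)
    current = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            p = os.path.join(dirpath, name)
            current[os.path.relpath(p, root)] = file_sha256(p)
    return {
        "modified": sorted(n for n in baseline
                           if n in current and current[n] != baseline[n]["sha256"]),
        "new": sorted(n for n in current if n not in baseline),
        "missing": sorted(n for n in baseline if n not in current),
    }


def signature_scan(root, signatures=SIGNATURES):
    """Return {relative path: virus name} for files containing a known
    signature. Names the virus, but only for viruses already in the
    database, and any file containing the bytes is flagged."""
    hits = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            p = os.path.join(dirpath, name)
            with open(p, "rb") as f:
                data = f.read()
            for vname, sig in signatures.items():
                if sig in data:
                    hits[os.path.relpath(p, root)] = vname
    return hits


def demo():
    """Constructed scenario: baseline a clean tree, infect one program, add a
    benign file containing the signature bytes, run both detectors, then show
    what happens if the baseline is rebuilt after the infection."""
    tmp = tempfile.mkdtemp()
    root = os.path.join(tmp, "bin")
    os.makedirs(root)
    # Constructed stand-ins for executables; contents are arbitrary.
    for name, body in {"calc.exe": b"MZ calc stub", "edit.exe": b"MZ edit stub",
                       "payroll.exe": b"MZ payroll stub"}.items():
        with open(os.path.join(root, name), "wb") as f:
            f.write(body)
    db = os.path.join(tmp, "checksums.json")     # kept outside root
    build_baseline(root, db)
    clean_hits = signature_scan(root)
    # Simulated file infection: virus body appended to the host program.
    with open(os.path.join(root, "payroll.exe"), "ab") as f:
        f.write(SIGNATURES["DemoVirus.A"] + b"\x90" * 16)
    # Benign file (e.g. an IOC list) that happens to contain the signature.
    with open(os.path.join(root, "sigs.dat"), "wb") as f:
        f.write(b"IOC list: " + SIGNATURES["DemoVirus.A"])
    changed = integrity_check(root, db)
    hits = signature_scan(root)
    build_baseline(root, db)                     # mistake: registers infected file
    after_rebaseline = integrity_check(root, db)
    shutil.rmtree(tmp)
    return {"clean_hits": clean_hits, "changed": changed, "hits": hits,
            "after_rebaseline": after_rebaseline}


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

The integrity checker catches payroll.exe and the new sigs.dat without knowing anything about DemoVirus.A, while the signature scanner names the virus but cannot tell the infected program from the benign file that contains the same bytes. Rebuilding the baseline after the infection makes the integrity checker report nothing, which is the "registering infected files" limitation above.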