perhaps after the user has left the organization.

7.3.4 Anti-Virus Technologies

Without control of the "human element" and proper implementation, anti-virus software alone cannot provide full protection. However, it is still the critical element in the fight against viruses. As stated before, non-virus problems may appear to be virus related, even to sophisticated users. Without anti-virus software, there is no conclusive way to rule out viruses as the source of such problems and then arrive at solutions.

Effective anti-virus software must be capable of performing three main tasks: Virus Detection, Virus Removal (File Cleaning) and Preventive Protection. Of course, detection is the primary task, and the anti-virus software industry has developed a number of different detection methods, as follows.

Five Major Virus Detection Methods:

• Integrity Checking (aka Checksumming) - Based on determining, by comparison, whether virus-attacked code modified a program's file characteristics. As it is not dependent on virus signatures, this method does not require software updates at specific intervals.
  • Limitations - Does require maintenance of a virus-free checksum database; allows the possibility of registering infected files; unable to detect passive and active stealth viruses; cannot identify detected viruses by type or name.
• Interrupt Monitoring - Attempts to locate and prevent a virus' "interrupt calls" (function requests through the system's interrupts).
  • Limitations - Negative effect on system resource utilization; may flag "legal" system calls and therefore be obtrusive; limited success facing the gamut of virus types and legal function calls.
• Memory Detection - Depends on recognition of a known virus' location and code while in memory; generally successful.
  • Limitations - As in Interrupt Monitoring, can impose impractical resource requirements; can interfere with valid operations.
• Signature Scanning - Recognizes a virus' unique "signature," a pre-identified set of hexadecimal code, making it highly successful at virus identification.
  • Limitations - Totally dependent on maintaining current signature files (as software updates from the vendor) and scanning engine refinements; may make false positive detections in valid files.
• Heuristic/Rules-based Scanning - Faster than traditional scanners, this method uses a set of rules to efficiently parse through files and quickly identify suspect code (aka Expert Systems, Neural Nets, etc.).
  • Limitations - Can be obtrusive; may cause false alarms; dependent on the currency of the rules set.

All five techniques can usually perform on-access or on-demand scans, for both network servers and workstations. On-access scanning is analogous to a building's automatic sprinkler system - virus scanning is automatically initiated on file access, such as when a disk is inserted, a file is copied or a program is executed. On-demand scanning is more like a fire extinguisher - requiring user initiation (but may also be set up to continue scanning at regular intervals or at system startup).
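To make the two file-based methods above concrete, here is an added example (not part of the original text, and not any vendor's scanner) of a toy on-demand scanner that performs both integrity checking and signature scanning over a constructed directory. The file names, contents and the hexadecimal "signature" are all constructed for the demonstration. It deliberately sets up the integrity-checking limitation named in the list: a file that is already infected when the checksum database is built is registered as clean and is never flagged by the comparison, whereas the signature scan catches it because the pattern is known.

```python
import hashlib
import os
import tempfile
from pathlib import Path

# Constructed, hypothetical "virus signature": a fixed byte pattern standing in
# for the pre-identified hexadecimal code a real signature file would carry.
SIGNATURES = {"DEMO-MARKER": bytes.fromhex("deadbeefcafebabe")}


def sha256_file(path: Path) -> str:
    """Checksum used by the integrity checker (a cryptographic hash, not a weak CRC)."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def walk_files(root: Path):
    """Yield (relative name, absolute path) for every regular file under root."""
    for dirpath, _dirs, names in os.walk(root):
        for name in sorted(names):
            full = Path(dirpath) / name
            yield str(full.relative_to(root)), full


def build_baseline(root: Path) -> dict:
    """Integrity checking, step 1: record a checksum for every file.
    The database is only as trustworthy as the system was when it was taken."""
    return {rel: sha256_file(full) for rel, full in walk_files(root)}


def integrity_check(root: Path, baseline: dict) -> dict:
    """Integrity checking, step 2: compare current checksums with the baseline.
    Reports modified, new and missing files; it cannot say what changed them."""
    current = build_baseline(root)
    return {
        "modified": sorted(r for r in current if r in baseline and current[r] != baseline[r]),
        "new": sorted(r for r in current if r not in baseline),
        "missing": sorted(r for r in baseline if r not in current),
    }


def signature_scan(root: Path, signatures: dict) -> dict:
    """Signature scanning: look for each known byte pattern in every file.
    Finds infections that predate the baseline, but only for known signatures."""
    hits = {}
    for rel, full in walk_files(root):
        data = full.read_bytes()
        for name, pattern in signatures.items():
            if pattern in data:
                hits[rel] = name
    return hits


def demo() -> dict:
    """Run both methods over a constructed directory and return their findings."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        # Constructed sample files: prog.exe is clean when the baseline is built,
        # tool.exe already carries the marker at that moment (infected baseline).
        (root / "prog.exe").write_bytes(b"MZ clean program bytes")
        (root / "tool.exe").write_bytes(b"MZ " + SIGNATURES["DEMO-MARKER"] + b" tool")

        baseline = build_baseline(root)

        # Simulated later infection: prog.exe is modified after the baseline.
        with open(root / "prog.exe", "ab") as f:
            f.write(SIGNATURES["DEMO-MARKER"])

        return {
            "integrity": integrity_check(root, baseline),
            "signatures": signature_scan(root, SIGNATURES),
        }


if __name__ == "__main__":
    print(demo())
```

Running `demo()` shows the two methods' complementary blind spots: the integrity check lists only `prog.exe` as modified and says nothing about `tool.exe`, because the infected copy was what got registered, while the signature scan flags both files but would miss any file carrying a pattern that is not in `SIGNATURES`. That is why the list above ties integrity checking to a virus-free checksum database and signature scanning to current signature files.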