Comparative analysis of antivirus programs: general characteristics and comparative analysis

Conducting a comparative evaluation of antivirus programs is a fairly responsible undertaking, both because most users already have firm preferences and because the vendors whose products end up at the bottom of the rating are unlikely to be pleased with the results.

It is one thing to hold forth on forums about the strengths and weaknesses of a particular antivirus; it is quite another to put the results of comparative testing of well-known brands before the users' judgment.

In this situation the best solution is to rely on recognized specialists who test antivirus software professionally. One such group is the experts of the independent Russian information-security portal Anti-Malware.ru, whose testing of the antivirus programs listed below is used here.

The following antivirus programs were used for testing:

  • Kaspersky Anti-Virus 7.0
  • Eset Nod32 2.7
  • DrWeb 4.44
  • Norton AntiVirus 2007
  • Avira AntiVir PE Classic 7.0

To assess the main criterion, the quality of protection, the following parameters were taken into account:

  • quality of heuristic analysis;
  • speed of reaction to new viruses;
  • quality of signature analysis;
  • quality of the behavioral blocker;
  • ability to treat active infections;
  • ability to detect active rootkits;
  • quality of self-defense;
  • support for packers;
  • frequency of false positives.

Results

Results table (the numeric scores did not survive in this copy; only the column headers for Kaspersky Anti-Virus and Norton AntiVirus and the row labels are recoverable). Criteria by which each product was scored:

  • resource intensity
  • convenience
  • functionality
  • fault tolerance
  • flexibility of settings
  • ease of installation
  • speed of reaction
  • signature detection
  • heuristic analyzer
  • behavior blocker
  • treatment of active infection
  • detection of active rootkits
  • self-defense
  • packer support
  • false positives

According to the results of the comparative testing, Kaspersky Anti-Virus 7.0 took first place, Norton AntiVirus 2007 scored 15 points fewer, and Eset Nod32 2.7 came third.

The overall result was shaped by the many different criteria on which the programs were evaluated, and it would be incorrect to call any program the absolute leader, if only because different users value different aspects of antivirus operation, although the main criterion, quality of protection, naturally takes priority.

Kaspersky Anti-Virus 7.0 owes its best result to its speed of response to new threats, frequent virus-database updates, a behavioral blocker (which none of the other tested programs has), the ability to remove rootkits and effective self-defense.

Kaspersky Anti-Virus 7.0 also offers a wide range of functions: detection and deactivation of active rootkits, fast checking of HTTP traffic, rollback of changes made by malware, a disaster-recovery tool and effective management of CPU load.

Its disadvantages are low fault tolerance and the relatively low efficiency of its heuristic analyzer, which limits its ability to resist threats not yet known to it. Kaspersky Anti-Virus 7.0 also produces a large number of false positives, which some users find especially annoying.

Norton AntiVirus 2007, in second place, attracts with a convenient, simple and user-friendly interface, effective signature detection and a low number of false alarms.

However, Norton AntiVirus 2007 consumes a lot of system resources and reacts slowly to new threats. Its proactive defense is not the strongest and its support for packers is somewhat limited. Its configuration options are also limited, so it cannot be adapted to a wide range of users.

The strongest points of Eset Nod32 2.7, which took third place, are its effective heuristic analyzer and minimal consumption of system resources, which owners of slower computers particularly appreciate.

The disadvantages of Eset Nod32 2.7 are an insufficiently fast response to new threats and minimal ability to detect active rootkits and to clean up the consequences of an active infection. Its outdated interface also needs refreshing.

Doctor Web's fourth place is due to the absence of a behavioral blocker and of effective tools for dealing with active infections and detecting rootkits. The efficiency of its heuristic analyzer also leaves much to be desired. For all these shortcomings, its fairly flexible settings, its speed of reaction and an installation procedure that even the most inexperienced user can follow deserve mention.

Avira AntiVir PE Classic 7.0 showed the worst results of the participants. Although its signature detector and heuristic analyzer are relatively good, ineffective proactive protection and a poor ability to eliminate the consequences of infection put Avira AntiVir PE Classic 7.0 in last place.

The only advantage of Avira AntiVir PE Classic 7.0 over the other participants is that it is free. The other programs cost roughly the same (within 1000 rubles), although the domestic Kaspersky Anti-Virus and Doctor Web, which offer better technical support, look somewhat more attractive.

Introduction

1. Theoretical part

1.1 The concept of information security

1.2 Types of threats

1.3 Information security methods

2. Design part

2.1 Classification of computer viruses

2.2 The concept of an anti-virus program

2.3 Types of antivirus tools

2.4 Comparison of antivirus packages

Conclusion

List of used literature

Appendix

Introduction

The development of new information technologies and general computerization have made information security not merely mandatory but one of the defining characteristics of information systems. There is a fairly broad class of information-processing systems in whose development the security factor plays the primary role.

The mass use of personal computers has been accompanied by the emergence of self-replicating virus programs that disrupt the normal operation of a computer, destroy the file structure of disks and damage the information stored on the computer.

Despite the laws adopted in many countries against computer crime and the development of special software for protection against viruses, the number of new viruses keeps growing. This requires the personal-computer user to understand the nature of viruses and the methods of infection and of protection against them.

Viruses become more sophisticated every day, which significantly changes the threat profile. The antivirus market does not stand still either, offering a variety of products. Their users, who see the problem only in general terms, often miss important nuances and end up with the illusion of protection instead of protection itself.

The purpose of this course work is to conduct a comparative analysis of anti-virus packages.

To achieve this goal, the following tasks are solved in the work:

To study the concepts of information security, computer viruses and anti-virus tools;

Determine the types of threats to information security, methods of protection;

To study the classification of computer viruses and anti-virus programs;

Conduct a comparative analysis of anti-virus packages;

Create an antivirus program.

Practical significance of the work.

The results obtained and the material of the course work can be used as a basis for an independent comparison of antivirus programs.

Structure of the course work.

The course work consists of an introduction, two sections, a conclusion and a list of references.


1. Theoretical part

In the process of conducting a comparative analysis of anti-virus packages, it is necessary to define the following concepts:

1 Information security.

2 Types of threats.

3 Information security methods.

Let us consider these concepts in more detail.

1.1 The concept of information security

Despite ever-increasing efforts to create data-protection technologies, the vulnerability of data under modern conditions not only does not decrease but keeps growing. The problems of protecting information are therefore becoming ever more urgent.

The problem of information security is multifaceted and covers a number of important tasks, for example data confidentiality, which is ensured by various methods and means. The list of such tasks could be continued; the intensive development of modern information technologies, network technologies in particular, creates all the prerequisites for it.

Information protection is a set of measures aimed at ensuring the integrity, availability and, where necessary, confidentiality of information and of the resources used to enter, store, process and transmit data.

To date, two basic principles of information security have been formulated:

1 data integrity: protection against failures that lead to loss of information, and against unauthorized creation or destruction of data;

2 confidentiality of information.

Protection against failures that lead to loss of information is achieved by increasing the reliability of the individual elements and systems that input, store, process and transmit data; by duplication and redundancy of individual elements and systems; by using diverse, including autonomous, power sources; by improving user skills; and by protection against unintentional and deliberate actions that lead to equipment failure or to the destruction or modification of software and protected information.

Protection against unauthorized creation or destruction of data is provided by physical protection of information, by differentiating and restricting access to elements of protected information, by isolating protected information while it is being processed, and by developing hardware and software systems, devices and specialized software that prevent unauthorized access to protected information.

Confidentiality of information is ensured by identification and authentication of access subjects when they enter the system (by identifier and password), identification of external devices by physical address, identification of programs, volumes, directories and files by name, encryption and decryption of information, and differentiation and control of access to it.

Among the measures aimed at protecting information, the main ones are technical, organizational and legal.

Technical measures include protection against unauthorized access to the system, redundancy of critical computer subsystems, organizing computer networks so that resources can be redistributed if individual links fail, installing backup power supplies, fitting rooms with locks, installing alarm systems, and so on.

Organizational measures include protecting the computer center (computer rooms); concluding a service contract for computer equipment with a solid, reputable organization; excluding the possibility of strangers or random persons working on the computer equipment; and so on.

Legal measures include developing rules that establish liability for the destruction of computer equipment and the destruction or modification of software, and public oversight of the developers and users of computer systems and programs.

It should be emphasized that no hardware, software or other solution can guarantee absolute reliability and security of data in computer systems. The risk of loss can, however, be minimized, but only with an integrated approach to information protection.

1.2 Types of threats

Passive threats aim mainly at unauthorized use of an information system's resources without affecting its functioning: for example, unauthorized access to databases, eavesdropping on communication channels, and so on.

Active threats aim to disrupt the normal functioning of the information system by deliberately acting on its components: for example, destroying a computer or its operating system, destroying software, disrupting communication lines, and so on. Sources of active threats include the actions of hackers, malware and the like.

Deliberate threats are further divided into internal (arising within the organization) and external.

Internal threats are most often caused by social tension and a poor moral climate.

External threats may be caused by the malicious actions of competitors, economic conditions and other causes (for example natural disasters).

The main threats to the security of information and the normal functioning of the information system include:

Leakage of confidential information;

Information compromise;

Unauthorized use of information resources;

Erroneous use of information resources;

Unauthorized exchange of information between subscribers;

Repudiation of information;

Disruption of information service;

Illegal use of privileges.

Leakage of confidential information is the uncontrolled release of confidential information outside the information system or beyond the circle of persons to whom it was entrusted in the course of their duties or who learned it in the course of their work. A leak may result from:

Disclosure of confidential information;

Information escaping through various, mainly technical, channels;

Unauthorized access to confidential information in various ways.

Disclosure of information by its owner or holder is an intentional or careless action by officials or users to whom the information was duly entrusted in the course of their duties that results in persons not cleared for it becoming acquainted with it.

Uncontrolled escape of confidential information through visual-optical, acoustic, electromagnetic and other channels is possible.

Unauthorized access is the unlawful deliberate acquisition of confidential information by a person who has no right of access to the protected information.

The most common ways of unauthorized access to information are:

Interception of electromagnetic emissions;

The use of listening devices;

Remote photography;

Interception of acoustic emissions and reconstruction of printer output;

Copying media while overcoming security measures;

Masquerading as a registered user;

Masquerading as system requests;

Use of software traps;

Exploiting shortcomings of programming languages and operating systems;

Illegal connection to equipment and communication lines of specially designed hardware that provides access to information;

Malicious disabling of protection mechanisms;

Decryption of encrypted information by special programs;

Information infections.

The listed methods of unauthorized access require considerable technical knowledge and the development of appropriate hardware or software by the intruder. Technical leakage channels, for instance, are physical paths from the source of confidential information to the attacker along which protected information can be obtained. Such channels arise from design and technological imperfections in circuit solutions or from the operational wear of components. All this allows attackers to build converters operating on particular physical principles, forming a transmission channel inherent in those principles: a leakage channel.

However, there are also quite primitive methods of unauthorized access:

Theft of information media and documentary waste;

Voluntary cooperation by an insider;

Inducement to cooperate on the part of the intruder;

Pumping for information;

Eavesdropping;

Observation, and other methods.

Any channel of leakage of confidential information can cause significant material and moral damage both to the organization operating the information system and to its users.

A huge variety of malicious programs, whose purpose is to corrupt information in databases and in computer software, exists and is constantly being developed. The sheer number of varieties prevents the development of permanent and reliable remedies against them.

A virus is considered to have two main characteristics:

The ability to self-reproduce;

The ability to interfere in the computing process (to seize control).

Unauthorized use of information resources is, on the one hand, a consequence of their leakage and a means of compromising them; on the other hand, it is significant in its own right, since it can do great damage to the managed system or its subscribers.

Erroneous use of information resources, even when authorized, may nevertheless lead to their destruction, leakage or compromise.

Unauthorized exchange of information between subscribers may give one of them information he is not allowed to access, with the same consequences as unauthorized access.

1.3 Information security methods

The creation of information security systems is based on the following principles:

1 A systematic approach to building the protection system, meaning an optimal combination of interrelated organizational, software, hardware, physical and other measures, confirmed by the practice of creating domestic and foreign protection systems and applied at all stages of the information-processing cycle.

2 The principle of continuous development of the system. This principle, one of the fundamental ones for computer information systems, is even more relevant for information security systems. The methods of realizing information threats are constantly being improved, so ensuring the security of information systems cannot be a one-time act. It is a continuous process of substantiating and implementing the most rational methods and ways of improving information security systems, continuously monitoring them, and identifying their bottlenecks and weaknesses, potential leakage channels and new methods of unauthorized access.

3 Ensuring the reliability of the protection system, that is, that its level of protection cannot be reduced by failures, faults, deliberate actions of an intruder, or unintentional errors of users and maintenance personnel.

4 Ensuring control over the functioning of the protection system, that is, creating means and methods for monitoring the performance of the protection mechanisms.

5 Providing all kinds of anti-malware tools.

6 Ensuring the economic feasibility of using the protection system, which is expressed in the possible damage from the realization of threats exceeding the cost of developing and operating the information security system.

As a result of solving information security problems, modern information systems should have the following main features:

Availability of information of varying degrees of confidentiality;

Cryptographic protection of information of varying degrees of confidentiality during data transfer;

Mandatory management of information flows, both in local networks and in transmission over long-distance communication channels;

A mechanism for registering and accounting for unauthorized access attempts, events in the information system and printed documents;

Mandatory ensuring the integrity of software and information;

Availability of means of restoring the information protection system;

Mandatory accounting of magnetic media;

The presence of physical protection of computer equipment and magnetic media;

The presence of a special information security service of the system.

Methods and means of ensuring information security.

Obstacle: a method of physically blocking the attacker's path to protected information.

Access control: methods of protecting information by regulating the use of all resources. These methods must resist all possible ways of unauthorized access to information. Access control includes the following security functions:

Identification of users, personnel and resources of the system (assignment of a personal identifier to each object);

Authentication of an object or subject by the identifier it presents;

Authorization and creation of working conditions within the established regulations;

Logging of accesses to protected resources;

Responding to attempts at unauthorized actions.

Encryption mechanisms: cryptographic closing of information. These methods are increasingly used both in processing and in storing information on magnetic media; in transmission over long-distance communication channels, this method is the only reliable one.

Countering malware attacks involves a set of various organizational measures and the use of anti-virus programs.

The whole set of technical means is divided into hardware and physical.

Hardware - devices that are built directly into computer technology, or devices that interface with it via a standard interface.

Physical means include various engineering devices and structures that prevent the physical penetration of intruders into protected objects and protect personnel (personal security equipment), material assets and finances, and information from illegal actions.

Software tools are special programs and software systems designed to protect information in information systems.

Among the software of the protection system, the software that implements encryption mechanisms (cryptography) deserves separate mention. Cryptography is the science of ensuring the secrecy and/or authenticity of transmitted messages.

Organizational means regulate, as a whole, production activity in information systems and the relations of the people involved on a legal basis, so that disclosure, leakage and unauthorized access to confidential information become impossible or are significantly hampered by organizational measures.

Legislative means of protection are determined by the legislative acts of the country, which regulate the rules for the use, processing and transmission of restricted-access information and establish liability for violating these rules.

Moral and ethical means of protection include all kinds of norms of behavior that developed traditionally, that form as information technology spreads in the country and the world, or that are specially developed. Moral and ethical norms may be unwritten or drawn up as a set of rules or regulations. As a rule they are not legally approved, but since non-compliance damages the organization's prestige, they are considered mandatory.

2. Design part

In the design part, the following steps must be completed:

1 Define the concept of a computer virus and the classification of computer viruses.

2 Define the concept of an anti-virus program and the classification of anti-virus tools.

3 Conduct a comparative analysis of anti-virus packages.

2.1 Classification of computer viruses

A virus is a program that can infect other programs by inserting into them a modified copy of itself that is in turn able to reproduce.

Viruses can be divided into classes according to the following main features:

Destructive capabilities;

Features of the working algorithm;

Habitat.

According to their destructive capabilities, viruses can be divided into:

Harmless: do not affect the operation of the computer in any way (apart from reducing free disk space as they spread);

Non-dangerous: their effect is limited to reduced free disk space and graphic, sound and other effects;

Dangerous: can cause serious computer malfunctions;

Very dangerous: their algorithm deliberately contains procedures that can cause loss of programs, destroy data, or erase information needed for the computer's operation that is recorded in system memory areas.

Features of the virus algorithm can be characterized by the following properties:

Residency;

Use of stealth algorithms;

Polymorphism.

Resident viruses.

The term "residency" refers to the ability of viruses to leave copies of themselves in system memory, intercept certain events and, in doing so, call procedures that infect the objects they detect (files and sectors). Resident viruses are thus active not only while the infected program is running but also after it has finished. Resident copies of such viruses remain viable until the next reboot, even if all infected files on the disk are destroyed. It is often impossible to get rid of such viruses by restoring all copies of files from distribution disks or backups: the resident copy of the virus stays active and re-infects the newly created files. The same applies to boot viruses: formatting a drive while a resident virus is in memory does not always cure the drive, because many resident viruses re-infect the drive after it has been formatted.

Non-resident viruses. Non-resident viruses, by contrast, are active only for a short time, at the moment the infected program is launched. To spread, they look for uninfected files on disk and write themselves into them. Once the virus code returns control to the host program, the virus has no further effect on the operating system until the next launch of an infected program. Files infected with non-resident viruses are therefore much easier to remove from disk without letting the virus re-infect them.

Stealth viruses. Stealth viruses hide the fact of their presence in the system in one way or another. Stealth algorithms let a virus conceal itself in the system completely or partially. The most common stealth technique is to intercept operating-system requests to read (or write) infected objects; the virus then either temporarily cures them or "substitutes" uninfected pieces of information in their place. For macro viruses the most popular method is to disable the calls that open the macro-viewing menu. Stealth viruses of all types are known, with the exception of Windows viruses: boot viruses, DOS file viruses and even macro viruses. The appearance of stealth viruses that infect Windows files is most likely only a matter of time.

Polymorphic viruses. Self-encryption and polymorphism are used by almost all types of viruses to make detection as difficult as possible. Polymorphic viruses are hard to detect because they have no signature, that is, no constant piece of code: in most cases two samples of the same polymorphic virus will not share a single byte sequence. This is achieved by encrypting the main body of the virus and varying the decryptor program.

Polymorphic viruses are those that cannot be detected with so-called virus masks, sections of constant code specific to a particular virus. This is achieved in two main ways: by encrypting the main virus code with a non-constant key and a random set of decryptor instructions, or by changing the executable virus code itself. Polymorphism of varying complexity is found in viruses of all types, from boot and DOS file viruses to Windows viruses.
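The difference between a constant signature (a "virus mask") and a decryptor-aware scan, as an added example in Python that is not code from the course work. Everything in it is constructed for illustration: the "virus body" is a harmless byte string, the two decryptor shapes are made-up byte patterns rather than real x86 code, and the key is a single XOR byte. The toy engine only varies the junk prefix, the key and the choice between two decryptor shapes, so a wildcard mask over the decryptor is still enough to recover the key; a real polymorphic engine also permutes and rewrites the decryptor instructions, which is why production scanners emulate the decryptor rather than pattern-match it.

```python
import random
import re

# Constructed stand-in for a virus body: plain bytes, not executable code.
BODY = b"PAYLOAD:infect_next_file;hook_int21h;restore_host"
# A signature scanner keys on a fixed byte run taken from the decrypted body.
SIGNATURE = BODY[:16]

# Two toy decryptor shapes the engine picks between. The bytes are illustrative
# stand-ins for "mov reg,key ; xor [bx],reg" and are not real machine code.
DECRYPTORS = (
    (b"\xB0", b"\x30\x07"),
    (b"\xB3", b"\x30\x1F"),
)


def make_variant(rng: random.Random) -> bytes:
    """One polymorphic variant: random junk, one decryptor shape, a fresh
    key byte, then the body XOR-encrypted with that key."""
    key = rng.randrange(1, 256)  # never 0, so the body really changes
    junk = bytes(rng.choice([0x90, 0x40, 0x48]) for _ in range(rng.randrange(0, 8)))
    prefix, suffix = rng.choice(DECRYPTORS)
    decryptor = junk + prefix + bytes([key]) + suffix
    encrypted = bytes(b ^ key for b in BODY)
    return decryptor + encrypted


def signature_scan(sample: bytes) -> bool:
    """Classic constant-signature scan: is the fixed byte run present as-is?"""
    return SIGNATURE in sample


# Wildcard mask: either decryptor shape, any key byte in the middle.
MASK = re.compile(rb"(?:\xB0(.)\x30\x07|\xB3(.)\x30\x1F)", re.DOTALL)


def decrypting_scan(sample: bytes) -> bool:
    """Decryptor-aware scan: locate the decryptor by mask, read the key it
    carries, undo the encryption, then apply the ordinary signature."""
    m = MASK.search(sample)
    if m is None:
        return False
    key = (m.group(1) or m.group(2))[0]
    decrypted = bytes(b ^ key for b in sample[m.end():])
    return SIGNATURE in decrypted


def detection_counts(n_variants: int, seed: int = 1) -> tuple:
    """Generate n variants deterministically and count hits for each scanner.
    Returns (constant-signature hits, decrypting-scan hits)."""
    rng = random.Random(seed)
    variants = [make_variant(rng) for _ in range(n_variants)]
    sig_hits = sum(signature_scan(v) for v in variants)
    dec_hits = sum(decrypting_scan(v) for v in variants)
    return sig_hits, dec_hits


if __name__ == "__main__":
    print(detection_counts(50))
```

The constant signature never fires because every byte of the encrypted body differs from the plaintext and the signature contains none of the decryptor's byte values, while the mask-plus-decrypt scan catches every variant; the untouched plaintext body is also caught by `signature_scan`, which is the false-negative trade-off the text describes.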

By habitat, viruses can be divided into:

File;

Boot;

Macroviruses;

Network.

File viruses. File viruses either insert themselves into executable files in various ways, create duplicate files (companion viruses), or exploit features of file-system organization (link viruses).

A file virus can insert itself into almost any executable file of any popular operating system. Viruses are known that infect all types of standard DOS executable objects: batch files (BAT), loadable drivers (SYS, including the special files IO.SYS and MSDOS.SYS) and executable binaries (EXE, COM). There are viruses that infect executables of other operating systems: Windows 3.x, Windows 95/NT, OS/2, Macintosh and UNIX, including Windows 3.x and Windows 95 VxD drivers.

There are viruses that infect files containing program source code, libraries or object modules. A virus can also write itself into data files, but this happens either through a bug in the virus or when its aggressive properties manifest. Macro viruses also write their code into data files such as documents or spreadsheets, but they are so specific that they are placed in a separate group.
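Two checks a practitioner would run against the file-virus behaviours just described, as an added example in Python (not code from the course work): an integrity baseline that records size and SHA-256 of every executable and reports which ones have changed or grown (an appending file virus leaves its host larger), and a companion-virus check that flags a .COM placed beside an .EXE of the same name, since DOS runs the .COM first when only the bare name is typed. The directory layout, file contents and the "virus body" appended in `demo()` are constructed for the example; the suffix list is an assumption.

```python
import hashlib
import tempfile
from pathlib import Path

# Assumed set of executable extensions to baseline (constructed for the example).
EXECUTABLE_SUFFIXES = {".exe", ".com", ".bat", ".sys", ".dll"}


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: Path) -> dict:
    """Snapshot (size, sha256) of every executable under root, keyed by
    POSIX-style relative path."""
    baseline = {}
    for p in sorted(root.rglob("*")):
        if p.is_file() and p.suffix.lower() in EXECUTABLE_SUFFIXES:
            baseline[p.relative_to(root).as_posix()] = (p.stat().st_size, sha256_file(p))
    return baseline


def compare_to_baseline(root: Path, baseline: dict) -> dict:
    """Diff the current state against the snapshot. 'grown_by' isolates the
    appending-infection pattern: same file, bigger than before."""
    now = build_baseline(root)
    modified = sorted(k for k in baseline.keys() & now.keys() if baseline[k] != now[k])
    return {
        "modified": modified,
        "added": sorted(now.keys() - baseline.keys()),
        "removed": sorted(baseline.keys() - now.keys()),
        "grown_by": {k: now[k][0] - baseline[k][0] for k in modified if now[k][0] > baseline[k][0]},
    }


def find_companions(root: Path) -> list:
    """Companion check: a .com sitting next to an .exe with the same stem."""
    hits = []
    for exe in root.rglob("*.exe"):
        com = exe.with_suffix(".com")
        if com.exists():
            hits.append(com.relative_to(root).as_posix())
    return sorted(hits)


def demo() -> dict:
    """Build a constructed directory, baseline it, simulate an appending file
    virus and a companion virus, and return the report."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "tools").mkdir()
        (root / "tools" / "edit.exe").write_bytes(b"MZ" + b"\0" * 200)
        (root / "tools" / "sort.exe").write_bytes(b"MZ" + b"\1" * 300)
        (root / "readme.txt").write_text("not executable, ignored by the baseline")
        baseline = build_baseline(root)

        # Constructed infection: 100 bytes of "virus body" appended to a host,
        # plus a companion .COM dropped next to an existing .EXE.
        with (root / "tools" / "edit.exe").open("ab") as f:
            f.write(b"VIRUS-BODY" * 10)
        (root / "tools" / "sort.com").write_bytes(b"\xE9\0\0COMPANION")

        report = compare_to_baseline(root, baseline)
        report["companions"] = find_companions(root)
        return report


if __name__ == "__main__":
    print(demo())
```

A resident virus that intercepts reads (the stealth technique described earlier) would defeat a checker like this running on the infected system, which is why such baselines are meant to be verified from clean boot media.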

Boot viruses. Boot viruses infect the boot sector of a floppy disk and the boot sector or Master Boot Record (MBR) of a hard drive. They rely on the way the operating system is started when the computer is turned on or restarted: after the necessary tests of the installed hardware (memory, disks, and so on), the system boot program reads the first physical sector of the boot disk (A:, C: or CD-ROM, depending on the BIOS Setup parameters) and transfers control to it.

In the case of a floppy disk or CD, control passes to the boot sector, which analyzes the disk parameter table (BPB, BIOS Parameter Block), calculates the addresses of the operating system's system files, reads them into memory and launches them. The system files are usually MSDOS.SYS and IO.SYS, or IBMDOS.COM and IBMBIO.COM, or others depending on the installed version of DOS, Windows or another operating system. If the boot disk has no operating-system files, the boot-sector program displays an error message and asks for the boot disk to be replaced.

In the case of a hard drive, control passes to the program in the MBR. It analyzes the Disk Partition Table, calculates the address of the active boot sector (usually the boot sector of drive C), loads it into memory and transfers control to it. The active boot sector of the hard drive then performs the same actions as a floppy boot sector.

When infecting a disk, a boot virus substitutes its own code for one of the programs that receives control at system start. The principle is therefore the same in all the cases described above: the virus forces the system, on restart, to read into memory and give control to the virus code instead of the original bootloader code.

Floppy disks are infected by the only known method: the virus writes its own code in place of the original boot-sector code of the diskette. A hard drive is infected in one of three ways: the virus writes itself in place of the MBR code, or in place of the boot-sector code of the boot partition (usually drive C), or it modifies the address of the active boot sector in the Disk Partition Table located in the MBR.
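How the three hard-drive infection methods show up in the MBR itself, as an added example in Python that is not code from the course work. It parses the 512-byte sector the way the BIOS-era loader does (four 16-byte partition entries at offset 446, the 55 AA signature at offset 510), then audits a current MBR against a trusted baseline: a changed boot-code hash corresponds to the first method (code overwritten), and an active entry whose start LBA no longer matches the baseline corresponds to the third (partition-table pointer redirected). The sample MBRs, the "boot code" bytes and the partition layout are constructed for the example.

```python
import hashlib
import struct

SECTOR = 512
TABLE_OFF = 446           # partition table: 4 entries of 16 bytes
ENTRY_FMT = "<B3sB3sII"   # status, CHS start, type, CHS end, LBA start, sector count
SIG_OFF = 510
BOOT_SIG = b"\x55\xAA"


def make_entry(bootable: bool, ptype: int, lba_start: int, sectors: int) -> bytes:
    # CHS fields are zeroed; the example only uses the LBA fields.
    status = 0x80 if bootable else 0x00
    return struct.pack(ENTRY_FMT, status, b"\0\0\0", ptype, b"\0\0\0", lba_start, sectors)


def make_mbr(code: bytes, entries: list) -> bytes:
    table = b"".join(entries).ljust(4 * 16, b"\0")
    return code.ljust(TABLE_OFF, b"\0")[:TABLE_OFF] + table + BOOT_SIG


def is_valid_mbr(mbr: bytes) -> bool:
    return len(mbr) == SECTOR and mbr[SIG_OFF:] == BOOT_SIG


def parse_mbr(mbr: bytes) -> dict:
    """Hash of the code area plus the non-empty partition entries."""
    if not is_valid_mbr(mbr):
        raise ValueError("not a valid MBR: bad length or missing 55 AA signature")
    parts = []
    for i in range(4):
        status, _, ptype, _, lba, count = struct.unpack_from(ENTRY_FMT, mbr, TABLE_OFF + 16 * i)
        if ptype != 0:
            parts.append({"index": i, "bootable": status == 0x80, "type": ptype,
                          "lba_start": lba, "sectors": count})
    return {"code_sha256": hashlib.sha256(mbr[:TABLE_OFF]).hexdigest(), "partitions": parts}


def audit_mbr(current: bytes, baseline: bytes) -> list:
    """Compare a freshly read MBR with a trusted copy and list what changed."""
    cur, base = parse_mbr(current), parse_mbr(baseline)
    findings = []
    if cur["code_sha256"] != base["code_sha256"]:
        findings.append("MBR boot code differs from baseline")
    active = [p for p in cur["partitions"] if p["bootable"]]
    if len(active) != 1:
        findings.append(f"{len(active)} active partitions (expected 1)")
    base_active = [p for p in base["partitions"] if p["bootable"]]
    if active and base_active and active[0]["lba_start"] != base_active[0]["lba_start"]:
        findings.append(f"active boot sector moved from LBA {base_active[0]['lba_start']} "
                        f"to {active[0]['lba_start']}")
    return findings


# Constructed samples. The "boot code" is a short illustrative byte string, not a real loader.
CLEAN_CODE = bytes.fromhex("fa33c08ed0bc007c8bf4") + b"CLEAN-BOOT-CODE"
LAYOUT = [make_entry(True, 0x07, 2048, 204800), make_entry(False, 0x83, 206848, 409600)]
CLEAN = make_mbr(CLEAN_CODE, LAYOUT)
# Method 1: virus overwrites the MBR code (and would stash the original elsewhere).
CODE_OVERWRITTEN = make_mbr(b"VIRUS-LOADER-THEN-JUMP-TO-SAVED-ORIGINAL", LAYOUT)
# Method 3: code untouched, but the active entry now points into the gap before
# the first partition, where the virus keeps its own "boot sector".
TABLE_REDIRECTED = make_mbr(CLEAN_CODE, [make_entry(True, 0x07, 63, 204800), LAYOUT[1]])

if __name__ == "__main__":
    for name, sample in [("clean", CLEAN), ("code", CODE_OVERWRITTEN), ("table", TABLE_REDIRECTED)]:
        print(name, audit_mbr(sample, CLEAN))
```

The second method (overwriting the boot sector of the active partition rather than the MBR) is invisible to this check and needs the same hash comparison applied to the sector at the active entry's `lba_start`.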

Macro viruses. Macro viruses infect files - documents and spreadsheets of several popular editors. Macro viruses are programs in languages ​​(macro languages) built into some data processing systems. For their reproduction, such viruses use the capabilities of macro languages ​​and with their help transfer themselves from one infected file to others. Macro viruses are the most widely used Microsoft Word, Excel and Office97. There are also macro viruses that infect Ami Pro documents and Microsoft Access databases.

network viruses. Network viruses include viruses that actively use the protocols and capabilities of local and global networks for their spread. The main principle of a network virus is the ability to independently transfer its code to a remote server or workstation. At the same time, “full-fledged” network viruses also have the ability to run their own code on a remote computer or, at least, “push” the user to launch the infected file. An example of network viruses is the so-called IRC worms.

IRC (Internet Relay Chat) is a special protocol designed for real-time communication between Internet users. It gives them the ability to "talk" on the Internet using specially designed software. Besides taking part in general conferences, IRC users can chat one-on-one with any other user. There is also a fairly large number of IRC commands with which a user can obtain information about other users and channels, change some settings of the IRC client, and so on. Files can also be sent and received, and this is what IRC worms are built on. The powerful and extensive command system of IRC clients makes it possible to create, on the basis of their scripts, computer viruses that transfer their code to the computers of IRC network users, the so-called "IRC worms". The principle of operation of such worms is roughly the same: using IRC commands, a script file is automatically sent from the infected computer to each user who joins the channel. The sent script replaces the standard one, and during the next session the newly infected client sends the worm on in turn. Some IRC worms also contain a Trojan component: on certain keywords they perform destructive actions on the affected computers. For example, the "pIRCH.Events" worm erases all files on the user's drive on a specific command.

There are a large number of combinations - for example, file-boot viruses that infect both files and boot sectors of disks. Such viruses, as a rule, have a rather complex algorithm of work, often use original methods of penetrating the system, use stealth and polymorphic technologies. Another example of such a combination is a network macro virus that not only infects edited documents, but also sends copies of itself by e-mail.

In addition to this classification, a few words should be said about other malware that is sometimes confused with viruses. These programs do not have the ability to self-propagate like viruses, but they can do just as devastating damage.

Trojan horses (logic bombs or time bombs).

Trojan horses include programs that perform destructive actions, that is, depending on some condition or at every launch, they destroy information on disks, "hang" the system, and so on. As an example, one can cite a case where such a program, during an Internet session, sent its author the identifiers and passwords from the computers on which it lived. Most of the well-known Trojan horses are programs that "spoof" some useful program, a new version of a popular utility or an add-on to it. Very often they are posted to BBS stations or electronic conferences. Compared to viruses, "Trojan horses" are not widespread for the following reasons: they either destroy themselves along with the rest of the data on the disk, or they reveal their presence and are deleted by the affected user.

2.2 The concept of an anti-virus program

Ways to counteract computer viruses can be divided into several groups:

Prevention of viral infection and reduction of the expected damage from such infection;

Methodology for using anti-virus programs, including the neutralization and removal of a known virus;

Ways to detect and remove an unknown virus.

Prevention of computer infection.

One of the main methods of combating viruses is, as in medicine, timely prevention. Computer prevention involves following a small number of rules, which can significantly reduce the likelihood of a virus infection and loss of any data.

In order to determine the basic rules of computer “hygiene”, it is necessary to find out the main ways in which a virus enters a computer and computer networks.

The main source of viruses today is the global Internet. The largest number of virus infections occurs when exchanging letters in Word/Office97 formats. The user of an editor infected with a macro virus, without suspecting it, sends infected letters to recipients, who in turn send new infected letters, and so on. Contact with suspicious sources of information should be avoided, and only legal (licensed) software products should be used.

Recovery of damaged objects.

In most cases of virus infection, recovering infected files and disks comes down to running a suitable antivirus that can disinfect the system. If the virus is unknown to every antivirus, it is enough to send the infected file to the antivirus manufacturers and after some time receive an updated "cure" for the virus. If there is no time to wait, the virus will have to be neutralized on one's own. Every user should keep backups of their information.

General information security tools are useful for more than just protecting against viruses. There are two main types of these tools:

1 Copying information - creating copies of files and system areas of disks.

2 Access control prevents unauthorized use of information, in particular, protection against changes to programs and data by viruses, malfunctioning programs and erroneous actions of users.

Timely detection of virus-infected files and disks, complete destruction of detected viruses on each computer helps to avoid the spread of a virus epidemic to other computers.

The main weapon in the fight against viruses are anti-virus programs. They allow not only to detect viruses, including viruses that use various masking methods, but also to remove them from the computer.

There are several basic virus scanning methods that are used by antivirus programs. The most traditional method for finding viruses is scanning.

To detect, remove and protect against computer viruses, several types of special programs have been developed that allow you to detect and destroy viruses. Such programs are called antivirus programs.

2.3 Types of antivirus tools

Programs-detectors. Detector programs search for a signature characteristic of a particular virus in RAM and in files and, if detected, issue a corresponding message. The disadvantage of such anti-virus programs is that they can only find viruses that are known to the developers of such programs.

Doctor programs. Doctor programs or phages, as well as vaccine programs, not only find virus-infected files, but also “cure” them, that is, they remove the body of the virus program from the file, returning the files to their original state. At the beginning of their work, phages look for viruses in RAM, destroying them, and only then proceed to “treatment” of files. Among phages, polyphages are distinguished, that is, doctor programs designed to search for and destroy a large number of viruses. The most famous of them are: AVP, Aidstest, Scan, Norton AntiVirus, Doctor Web.

Given that new viruses are constantly appearing, detection programs and doctor programs quickly become outdated, and regular updates are required.

Auditor programs (inspectors) are among the most reliable means of protecting against viruses.

Auditors (inspectors) check the data on the disk for stealth (invisible) viruses. Moreover, the inspector need not use the operating system's own means to access disks, so an active virus cannot intercept this access.

The reason is that a number of viruses, when infiltrating files (that is, appending themselves to the end or the beginning of a file), replace the entries for that file in the file allocation tables of the operating system.

Auditors (inspectors) remember the initial state of programs, directories and system areas of the disk when the computer is not infected with a virus, and then periodically or at the request of the user compare the current state with the original one. The detected changes are displayed on the monitor screen. As a rule, states are compared immediately after the operating system is loaded. When comparing, the file length, cyclic redundancy code (file checksum), date and time of modification and other parameters are checked. Auditor (inspector) programs have sufficiently developed algorithms, detect stealth viruses and can even separate changes in the version of the program being checked from changes made by the virus.

It is necessary to launch the auditor (inspector) when the computer is not yet infected, so that it can create a table in the root directory of each disk, with all the necessary information about the files that are on this disk, as well as about its boot area. Permission will be requested to create each table. At the next launches, the auditor (inspector) will look through the disks, comparing the data about each file with its own records.

If infections are detected, the auditor (inspector) will be able to use its own curing module, which will restore the file corrupted by the virus. To restore files, the inspector does not need to know anything about a specific type of virus; it is enough to use the data about the files stored in the tables.

In addition, if necessary, a virus scanner can be called.

Filter programs (monitors). Filter programs (monitors) or "watchmen" are small resident programs designed to detect suspicious actions during computer operation that are characteristic of viruses. Such actions may be:

Attempts to modify files with the COM or EXE extensions;

Changing file attributes;

Direct write to disk at absolute address;

Writing to disk boot sectors.

When any program tries to perform the specified actions, the "watchman" sends a message to the user and offers to prohibit or allow the corresponding action. Filter programs are very useful, as they are able to detect a virus at the earliest stage of its existence before reproduction. However, they do not "heal" files and disks. To destroy viruses, you need to use other programs, such as phages.

Vaccines or immunizers. Vaccines are resident programs that prevent file infection. Vaccines are used if there are no doctor programs that "treat" this virus. Vaccination is only available from known viruses. The vaccine modifies the program or disk in such a way that it does not affect their work, and the virus will perceive them as infected and therefore will not take root. Vaccine programs are currently of limited use.

Scanner. The principle of operation of anti-virus scanners is based on scanning files, sectors and system memory and searching them for known and new (unknown to the scanner) viruses. So-called "masks" are used to search for known viruses. A virus mask is some constant code sequence specific to that particular virus. If the virus does not contain a constant mask, or the length of this mask is not large enough, then other methods are used. An example of such a method is an algorithmic language describing all possible variants of the code that may be encountered in an infection by this type of virus. This approach is used by some antiviruses to detect polymorphic viruses. Scanners can also be divided into two categories: "universal" and "specialized". Universal scanners are designed to search for and neutralize all types of viruses, regardless of the operating system in which the scanner is designed to work. Specialized scanners are designed to neutralize a limited number of viruses or only one class of them, such as macro viruses. Specialized scanners designed only for macro viruses often turn out to be the most convenient and reliable solution for protecting document workflow systems in MSWord and MSExcel environments.

Scanners are also divided into "resident" (monitors, watchmen), which scan "on the fly", and "non-resident", which provide system checks only on request. As a rule, "resident" scanners provide more reliable system protection, since they immediately respond to the appearance of a virus, while a "non-resident" scanner is able to identify a virus only during its next launch. On the other hand, a resident scanner can slow down the computer somewhat, including due to possible false positives.

The advantages of scanners of all types include their versatility, the disadvantages are the relatively low speed of virus search.

CRC scanners. The principle of operation of CRC scanners is based on the calculation of CRC sums (checksums) for the files and system sectors present on the disk. These CRC sums are then stored in the antivirus database, together with some other information: file lengths, dates of their last modification, and so on. The next time CRC scanners are run, they check the data contained in the database against the actually computed values. If the file information recorded in the database does not match the real values, the CRC scanner signals that the file has been modified or infected with a virus. CRC scanners using anti-stealth algorithms are a pretty strong weapon against viruses: almost 100% of viruses are detected almost immediately after they appear on a computer. However, this type of antivirus has an inherent flaw which significantly reduces its effectiveness: CRC scanners are not able to catch a virus at the moment of its appearance in the system, but only after some time, after the virus has spread throughout the computer. CRC scanners cannot detect a virus in new files (in e-mail, on floppy disks, in files restored from a backup or when unpacking files from an archive), because their databases have no information about these files. Moreover, viruses periodically appear that use this "weakness" of CRC scanners, infect only newly created files and thus remain invisible to them.
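An added Python example (not the course work's own program) of the auditor/CRC-scanner approach described in this paragraph and under "Auditor programs" above: it stores length, CRC32 and modification time per file, reports changed files, and shows that a newly arrived file is only "unknown" to it; the file tree is constructed in a temporary directory.

```python
"""Integrity checker of the kind the auditor (inspector) and CRC scanner
paragraphs describe: record length, CRC32 and modification time of every file
while the system is clean, then compare later runs against that table.
Added example, not the course work's program; it builds a small file tree in a
temporary directory so it runs stand-alone."""
import os
import tempfile
import zlib


def file_record(path: str) -> dict:
    """Length, CRC32 checksum and mtime: the parameters the text says auditors compare."""
    st = os.stat(path)
    with open(path, "rb") as f:
        crc = zlib.crc32(f.read()) & 0xFFFFFFFF
    return {"length": st.st_size, "crc32": crc, "mtime": int(st.st_mtime)}


def build_table(root: str) -> dict:
    """Snapshot every file under root, keyed by relative path.
    Run this only when the computer is known to be uninfected."""
    table = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            table[os.path.relpath(full, root)] = file_record(full)
    return table


def audit(root: str, table: dict) -> dict:
    """Compare the current state with the stored table.
    'modified': recorded files whose length, CRC or mtime changed (a file virus
                appending itself to a host shows up here);
    'missing' : recorded files that are gone;
    'unknown' : files with no record. This is the weakness the text notes: a
                CRC scanner has nothing to compare a newly arrived file against,
                so an infected new file is merely 'unknown', not 'infected'."""
    current = build_table(root)
    result = {"modified": [], "missing": [], "unknown": []}
    for rel, rec in table.items():
        if rel not in current:
            result["missing"].append(rel)
        elif current[rel] != rec:
            result["modified"].append(rel)
    result["unknown"] = sorted(set(current) - set(table))
    return result


def demo() -> dict:
    """Constructed scenario: baseline two files, then grow one of them by
    appending bytes (as an appending file virus would) and add a new file."""
    root = tempfile.mkdtemp()
    for name, data in (("PROG.COM", b"\xB8\x00\x4C\xCD\x21"), ("EDIT.EXE", b"MZ" + bytes(30))):
        with open(os.path.join(root, name), "wb") as f:
            f.write(data)
    table = build_table(root)
    with open(os.path.join(root, "PROG.COM"), "ab") as f:
        f.write(b"<constructed appended bytes>")   # host file grows, CRC changes
    with open(os.path.join(root, "NEW.COM"), "wb") as f:
        f.write(b"\xC3")                            # new file: no record to compare with
    return audit(root, table)


if __name__ == "__main__":
    print(demo())
```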

Blockers. Blockers are resident programs that intercept "virus-dangerous" situations and notify the user about them. "Virus-dangerous" situations include requests to open executable files for writing, writes to the boot sectors of disks or the MBR of a hard drive, attempts by programs to go resident, and so on, that is, calls typical of viruses at the moment of reproduction. Some blocker functions are sometimes implemented in resident scanners.

The advantages of blockers include their ability to detect and stop the virus at the earliest stage of its reproduction. The disadvantages include the existence of ways to bypass the protection of blockers and a large number of false positives.

It is also necessary to note such a direction of anti-virus tools as anti-virus blockers made in the form of computer hardware components. The most common is the write protection of the hard drive's MBR built into the BIOS. However, as with software blockers, such protection can be easily bypassed by direct writing to the ports of the disk controller, and running the DOS FDISK utility immediately triggers a "false positive" of the protection.

There are several more universal hardware blockers, but in addition to the disadvantages listed above, they have compatibility problems with standard computer configurations and are difficult to install and configure. All this makes hardware blockers extremely unpopular compared to other types of anti-virus protection.

2.4 Comparison of antivirus packages

Regardless of which information system needs to be protected, the most important parameter when comparing antiviruses is the ability to detect viruses and other malicious programs.

However, although this parameter is important, it is by no means the only one.

The fact is that the effectiveness of an anti-virus protection system depends not only on its ability to detect and neutralize viruses, but also on many other factors.

An antivirus should be easy to use and not distract the computer user from performing his direct duties. If the antivirus annoys the user with persistent requests and messages, sooner or later it will be disabled. The antivirus interface should be friendly and understandable, since not all users have extensive experience with computer programs. Without understanding the meaning of a message that appears on the screen, a user can unwittingly allow a viral infection even with an antivirus installed.

The most convenient mode of anti-virus protection is when all opened files are scanned. If the antivirus is not able to work in this mode, the user will have to run a scan of all disks every day to detect newly emerging viruses. This procedure can take tens of minutes or even hours if we are talking about large disks installed, for example, on a server.

Since new viruses appear every day, it is necessary to update the antivirus database periodically. Otherwise, the effectiveness of anti-virus protection will be very low. Modern anti-viruses, after appropriate configuration, can automatically update anti-virus databases via the Internet, without distracting users and administrators to perform this routine work.

When protecting a large corporate network, such an antivirus comparison parameter as the presence of a network control center comes to the fore. If a corporate network unites hundreds and thousands of workstations and tens and hundreds of servers, it is practically impossible to organize effective anti-virus protection without a network control center. One or more system administrators will not be able to go around all the workstations and servers installing and configuring anti-virus programs on them. This requires technologies that allow centralized installation and configuration of antiviruses on all computers in a corporate network.

Protecting Internet hosts such as mail servers and messaging servers requires specialized antivirus tools. Conventional file-scanning antiviruses cannot find malicious code in the databases of messaging servers or in the data stream passing through mail servers.

Usually, when comparing antivirus tools, other factors are also taken into account. State institutions may, other things being equal, prefer domestically produced antiviruses that have all the necessary certificates. The reputation that an antivirus tool has earned among computer users and system administrators also plays a significant role, as can personal preference.

To prove the benefits of their products, antivirus developers often use the results of independent tests. At the same time, users often do not understand what exactly was checked in such a test and how.

In this work, the most popular anti-virus programs at the moment have been subjected to a comparative analysis, namely: Kaspersky Anti-Virus, Symantec/Norton, Doctor Web, Eset Nod32, Trend Micro, McAfee, Panda, Sophos, BitDefender, F-Secure, Avira, Avast!, AVG, Microsoft.

One of the first to test anti-virus products was the British magazine Virus Bulletin. The first tests published on its website date back to 1998. The test is based on the WildList malware collection. To pass the test, a product must identify all viruses in this collection and demonstrate a zero false positive rate on a collection of "clean" files. Testing is carried out several times a year on various operating systems; products that successfully pass the test receive the VB100% award. Figure 1 shows how many VB100% awards the products of various antivirus companies have received.

Of course, Virus Bulletin magazine can be called the oldest antivirus tester, but the status of patriarch does not protect it from criticism from the antivirus community. First, WildList includes only viruses and worms, and only for the Windows platform. Second, the WildList collection contains a small number of malicious programs and is replenished very slowly: only a few dozen new viruses appear in the collection per month, while, for example, the AV-Test collection is replenished with several tens or even hundreds of thousands of samples of malicious software over the same period.

All this suggests that in its present form, the WildList collection is obsolete and does not reflect the real situation with viruses on the Internet. As a result, tests based on the WildList collection become increasingly pointless. They are good for advertising products that have passed them, but they do not really reflect the quality of anti-virus protection.

Figure 1 - Number of VB100% tests passed successfully

Independent research labs such as AV-Comparatives, AV-Tests test antivirus products twice a year for on-demand malware detection. At the same time, the collections on which testing is carried out contain up to a million malicious programs and are regularly updated. The test results are published on the websites of these organizations (www.AV-Comparatives.org, www.AV-Test.org) and in well-known computer magazines PC World, PC Welt. The results of the next tests are presented below:


Figure 2 - Overall malware detection rate according to AV-Test

If we talk about the most common products, then according to the results of these tests, only solutions from Kaspersky Lab and Symantec are in the top three. Avira, the leader in the tests, deserves special attention.

Tests of the research laboratories AV-Comparatives and AV-Test, like any tests, have their pros and cons. The upside is that testing is done on large collections of malware, and that these collections represent a wide variety of malware types. The downside is that these collections contain not only "fresh" malware samples but also relatively old ones. As a rule, samples collected within the last six months are used. In addition, these tests analyze the results of an on-demand scan of the hard drive, while in real life the user downloads infected files from the Internet or receives them as email attachments. It is important to detect such files at the very moment they appear on the user's computer.

An attempt to develop a testing methodology that does not suffer from this problem was undertaken by one of the oldest British computer magazines, PC Pro. Its test used a collection of malware that had been detected two weeks prior to the test in traffic passing through MessageLabs' servers. MessageLabs offers its clients filtering services for various kinds of traffic, and its malware collection genuinely reflects the situation with the spread of computer viruses on the Web.

The PC Pro magazine team did not simply scan infected files but simulated user actions: infected files were attached to emails as attachments, and these emails were downloaded to a computer with the antivirus installed. In addition, with the help of specially written scripts, infected files were downloaded from a Web server, that is, the user's surfing on the Internet was simulated. The conditions under which such tests are carried out are as close to real as possible, which could not but affect the results: the detection rate for most antiviruses turned out to be significantly lower than with a simple on-demand scan in the AV-Comparatives and AV-Test tests. In such tests, an important role is played by how quickly antivirus developers react to the appearance of new malware, as well as by what proactive mechanisms are used when malware is detected.

The speed of release of antivirus updates with new malware signatures is one of the most important components of effective antivirus protection. The sooner the signature database update is released, the less time the user will remain unprotected.


Figure 3 - Average response time to new threats

Lately, new malware has been appearing so frequently that antivirus labs can barely keep up with new samples. In such a situation, the question arises of how an antivirus can resist not only already known viruses, but also new threats for the detection of which a signature has not yet been released.

So-called proactive technologies are used to detect unknown threats. These technologies can be divided into two types: heuristics (detect malicious programs based on the analysis of their code) and behavioral blockers (block the actions of malicious programs when they run on a computer, based on their behavior).

If we talk about heuristics, their effectiveness has long been studied by AV-Comparatives, a research laboratory led by Andreas Clementi. The AV-Comparatives team uses a special technique: antiviruses are checked against the current virus collection, but with three-month-old signatures. Thus, the antivirus has to counter malware that it knows nothing about. Antiviruses are tested by scanning the malware collection on the hard drive, so only the effectiveness of the heuristics is checked. The other proactive technology, the behavioral blocker, is not used in these tests. Even the best heuristics currently show a detection rate of only about 70%, and many of them still suffer from false positives on clean files. All this suggests that so far this proactive detection method can only be used together with the signature method.

As for another proactive technology - a behavioral blocker, no serious comparative tests have been conducted in this area. First, many anti-virus products (Doctor Web, NOD32, Avira, and others) do not have a behavioral blocker. Secondly, the conduct of such tests is fraught with some difficulties. The fact is that to test the effectiveness of a behavioral blocker, it is necessary not to scan a disk with a collection of malicious programs, but to run these programs on a computer and observe how successfully the antivirus blocks their actions. This process is very time consuming and few researchers are capable of undertaking such tests. All that is currently available to the general public is the results of individual product tests conducted by the AV-Comparatives team. If, during testing, antiviruses successfully blocked the actions of malicious programs unknown to them while they were running on a computer, then the product received the Proactive Protection Award. Currently, such awards have been received by F-Secure with DeepGuard behavioral technology and Kaspersky Anti-Virus with the Proactive Defense module.

Infection prevention technologies based on analysis of malware behavior are becoming more widespread, and the lack of comprehensive comparative tests in this area cannot but be alarming. Recently, specialists from the AV-Test research laboratory held a wide discussion on this issue, in which developers of antivirus products also participated. The result of this discussion was a new methodology for testing the ability of antivirus products to resist unknown threats.

A high level of malware detection using various technologies is one of the most important characteristics of an antivirus. However, an equally important characteristic is the absence of false positives. False positives can cause no less harm to the user than a virus infection: they can block the operation of needed programs, block access to sites, and so on.

In the course of its research, AV-Comparatives, along with studying the ability of antiviruses to detect malware, also conducts tests for false positives on collections of clean files. According to the test, the largest number of false positives was found in Doctor Web and Avira antiviruses.

There is no 100% protection against viruses. From time to time, users are faced with a situation where a malicious program has penetrated a computer and the computer has become infected. This happens either because there was no antivirus on the computer at all, or because the antivirus did not detect the malware either by signature or by proactive methods. In such a situation, it is important that, when an antivirus with fresh signature databases is installed on the computer, it can not only detect the malicious program but also successfully eliminate all the consequences of its activity, that is, cure an active infection. At the same time, it is important to understand that the creators of viruses are constantly improving their "skill", and some of their creations are quite difficult to remove from the computer: malware can mask its presence in the system in various ways (including with the help of rootkits) and even counteract the work of antivirus programs. In addition, it is not enough to simply delete or disinfect an infected file; all changes made by the malicious process in the system must be eliminated and the system completely restored to working order. The team of the Russian portal Anti-Malware.ru conducted such a test; its results are shown in Figure 4.

Figure 4 - Treatment of active infection

Above, various approaches to testing antiviruses have been considered, it has been shown what parameters of antivirus operation are considered during testing. It can be concluded that for some antiviruses one indicator turns out to be advantageous, for others it is another. At the same time, it is natural that in their promotional materials, antivirus developers focus only on those tests where their products occupy a leading position. For example, Kaspersky Lab focuses on the speed of response to the emergence of new threats, Eset on the strength of its heuristic technologies, Doctor Web describes its advantages in the treatment of active infection.

Thus, a synthesis of the results of the various tests is needed. For this purpose, the positions that antiviruses took in the tests considered are summed, and an integrated assessment is derived: what place on average, across all tests, a particular product occupies. As a result, the top three are: Kaspersky, Avira, Symantec.


Based on the analyzed anti-virus packages, a software product was created designed to search for and disinfect files infected with the SVC 5.0 virus. This virus does not lead to unauthorized deletion or copying of files, however, it significantly interferes with the full-fledged work with computer software.

Infected programs are longer than the original ones. However, when browsing directories on an infected machine this is not visible, since the virus checks whether each found file is infected. If the file is infected, the length of the uninfected file is written to the DTA (Disk Transfer Area).

This virus can be detected in the following way. The data area of the virus contains the character string "(c) 1990 by SVC,Ver. 5.0", by which the virus, if present on the disk, can be detected.

When writing an anti-virus program, the following sequence of actions is performed:

1 For each file being checked, the time of its creation is determined.

2 If the seconds field of the timestamp equals sixty, then three bytes at the offset "file length minus 8AH" are checked. If they are equal to 35H, 2EH and 30H respectively (the characters "5.0"), the file is infected.

3 The first 24 bytes of the original code, located at the offset "file length minus 0C1FH plus 0BAAH", are decoded. The keys for decoding are located at the offsets "file length minus 0C1FH plus 0C1AH" and "file length minus 0C1FH plus 0C1BH".

4 The decoded bytes are written to the beginning of the program.

5 The file is "truncated" to "file length minus 0C1FH".

The program was created in the TurboPascal programming environment. The text of the program is set out in Appendix A.
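The detection and cure steps above, as an added Python example (not the TurboPascal program from Appendix A): the offsets and signature bytes are those listed in the steps, the infected file layout is constructed by make_infected_sample(), and because the page does not state the decoding operation, a byte-wise XOR with the two keys is assumed.

```python
"""Detection and disinfection of the SVC 5.0 host-file layout described above.
Added example (Python, not the TurboPascal program in Appendix A).  Offsets and
signature bytes are the ones given in the text; the infected sample is
constructed by make_infected_sample(), and because the page does not state the
decoding operation, a byte-wise XOR with the two keys is ASSUMED here."""

VIRUS_LEN = 0x0C1F          # bytes appended to a host; the virus body starts at len - VIRUS_LEN
SAVED_BYTES = 24            # original program bytes the virus stores in encoded form
SAVED_OFFSET = 0x0BAA       # position of those bytes inside the virus body
KEY1_OFFSET = 0x0C1A        # decoding keys inside the virus body
KEY2_OFFSET = 0x0C1B
SIG_OFFSET_FROM_END = 0x8A  # "file length minus 8AH"
SIGNATURE = bytes([0x35, 0x2E, 0x30])   # "5.0", the tail of "(c) 1990 by SVC,Ver. 5.0"
MARK_SECONDS = 60           # step 2 only examines files whose timestamp seconds field is 60


def dos_time_seconds(dos_time: int) -> int:
    """Seconds field of a 16-bit DOS time word (stored in 2-second units)."""
    return (dos_time & 0x1F) * 2


def is_infected(data: bytes, dos_time: int) -> bool:
    """Steps 1 and 2: timestamp marker first (cheap), then the three signature bytes."""
    if dos_time_seconds(dos_time) != MARK_SECONDS:
        return False
    if len(data) < VIRUS_LEN:
        return False
    pos = len(data) - SIG_OFFSET_FROM_END
    return data[pos:pos + 3] == SIGNATURE


def decode(block: bytes, key1: int, key2: int) -> bytes:
    """ASSUMED transform: even positions XOR key1, odd positions XOR key2."""
    return bytes(b ^ (key1 if i % 2 == 0 else key2) for i, b in enumerate(block))


def cure(data: bytes) -> bytes:
    """Steps 3-5: recover the 24 original bytes, put them back at the start,
    and cut the file to 'file length minus 0C1FH'."""
    body = len(data) - VIRUS_LEN           # where the virus body begins
    key1, key2 = data[body + KEY1_OFFSET], data[body + KEY2_OFFSET]
    saved = data[body + SAVED_OFFSET:body + SAVED_OFFSET + SAVED_BYTES]
    return decode(saved, key1, key2) + data[SAVED_BYTES:body]


def make_infected_sample(host: bytes, key1: int = 0x5A, key2: int = 0xA5) -> bytes:
    """Constructed test file with the layout the text describes: the first 24 host
    bytes are overwritten, their encoded copy and the keys sit inside a zero-filled
    0x0C1F-byte tail, and the version string ends 0x8A bytes before EOF.
    The tail contains no executable code."""
    body = bytearray(VIRUS_LEN)
    body[SAVED_OFFSET:SAVED_OFFSET + SAVED_BYTES] = decode(host[:SAVED_BYTES], key1, key2)  # XOR is its own inverse
    body[KEY1_OFFSET], body[KEY2_OFFSET] = key1, key2
    tag = b"(c) 1990 by SVC,Ver. 5.0"
    end = VIRUS_LEN - SIG_OFFSET_FROM_END + 3
    body[end - len(tag):end] = tag
    return bytes(SAVED_BYTES) + host[SAVED_BYTES:] + bytes(body)


if __name__ == "__main__":
    host = bytes(range(64))                  # constructed 64-byte "program"
    sample = make_infected_sample(host)
    marked = 0x001E                          # DOS time word with seconds field 30, i.e. 60 s
    print(is_infected(sample, marked), cure(sample) == host)
```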

Conclusion

In this course work, a comparative analysis of anti-virus packages was carried out.

In the course of the analysis, the tasks set at the beginning of the work were successfully solved: the concepts of information security, computer viruses and antivirus tools were studied; the types of information security threats and protection methods were identified; the classification of computer viruses and antivirus programs was considered; a comparative analysis of antivirus packages was carried out; and a program that searches for infected files was written.

The results obtained during the work can be applied when choosing an anti-virus tool.

All the results obtained are reflected in the work with the help of diagrams, so the user can independently check the conclusions made in the final diagram, which reflects the synthesis of the revealed results of various tests of anti-virus tools.

The results obtained during the work can be used as a basis for self-comparison of anti-virus programs.

In light of the widespread use of IT, the presented course work is relevant and meets the requirements set for it. In the course of the work, the most popular antivirus tools were considered.



Appendix A

Program listing

Program ANTIVIRUS;

Uses Dos, Crt, Printer;

Type
  St80 = String;

Var
  FileInfection: File Of Byte;
  SearchFile: SearchRec;
  Mas: Array[1..255] Of St80;           { stack of sub-directories still to be scanned }
  MasByte: Array[1..3] Of Byte;          { marker bytes read from (length - 8AH) }
  Position, I, J, K: Byte;
  Num, NumberOfFile, NumberOfInfFile: Word;
  Flag, NextDisk, Error: Boolean;
  Key1, Key2, Key3, NumError: Byte;
  MasScreen: Array[0..3999] Of Byte Absolute $B800:$0000;  { colour text-mode video memory }
  DT: DateTime;
  R: Registers;
  Ch, Disk: Char;
  St: St80;

{ Cure: restores the 24 original header bytes and cuts off the appended virus body }
Procedure Cure(St: St80);
Var
  I: Byte;
  MasCure: Array[1..24] Of Byte;
Begin
  Assign(FileInfection, St); Reset(FileInfection);
  NumError := IOResult;
  If (NumError <> 0) Then Begin Error := True; Exit; End;
  { the two key bytes lie at offsets 0C1AH and 0C1BH inside the 0C1FH-byte body }
  Seek(FileInfection, FileSize(FileInfection) - ($0C1F - $0C1A));
  NumError := IOResult;
  If (NumError <> 0) Then Begin Error := True; Exit; End;
  Read(FileInfection, Key1);
  NumError := IOResult;
  If (NumError <> 0) Then Begin Error := True; Exit; End;
  Read(FileInfection, Key2);
  NumError := IOResult;
  If (NumError <> 0) Then Begin Error := True; Exit; End;
  { the encoded copy of the original first 24 bytes lies at offset 0BAAH of the body }
  Seek(FileInfection, FileSize(FileInfection) - ($0C1F - $0BAA));
  NumError := IOResult;
  If (NumError <> 0) Then Begin Error := True; Exit; End;
  For I := 1 To 24 Do
  Begin
    Read(FileInfection, MasCure[I]);
    NumError := IOResult;
    If (NumError <> 0) Then Begin Error := True; Exit; End;
    { decoding step: the expression combining Key3 with Key1/Key2 did not
      survive in the printed listing; as printed here it is a no-op }
    Key3 := MasCure[I];
    MasCure[I] := Key3;
  End;
  { write the restored header back to the start of the program }
  Seek(FileInfection, 0);
  NumError := IOResult;
  If (NumError <> 0) Then Begin Error := True; Exit; End;
  For I := 1 To 24 Do Write(FileInfection, MasCure[I]);
  NumError := IOResult;
  If (NumError <> 0) Then Begin Error := True; Exit; End;
  { truncate the file to (length - 0C1FH) }
  Seek(FileInfection, FileSize(FileInfection) - $0C1F);
  NumError := IOResult;
  If (NumError <> 0) Then Begin Error := True; Exit; End;
  Truncate(FileInfection);
  NumError := IOResult;
  If (NumError <> 0) Then Begin Error := True; Exit; End;
  Close(FileInfection); NumError := IOResult;
  If (NumError <> 0) Then Begin Error := True; Exit; End;
End;

{ F1: scans one directory; files are checked, sub-directories are pushed onto Mas }
Procedure F1(St: St80);
Begin
  FindFirst(St + '*.*', $3F, SearchFile);
  While (DosError = 0) Do
  Begin
    If KeyPressed Then
      If (Ord(ReadKey) = 27) Then Halt;
    If (SearchFile.Attr And Directory) <> 0 Then
    Begin
      { skip the '.' and '..' entries, remember real sub-directories }
      If (SearchFile.Name <> '.') And (SearchFile.Name <> '..') Then
      Begin
        K := K + 1;
        Mas[K] := St + SearchFile.Name + '\';
      End;
    End
    Else
    Begin
      NumberOfFile := NumberOfFile + 1;
      UnpackTime(SearchFile.Time, DT);
      { clear the name field of the current screen row (160 bytes per row, 2 per cell) }
      GoToXY(1, WhereY);
      For I := 18 To 70 Do MasScreen[(WhereY - 1) * 160 + I * 2] := $20;
      Write(St + SearchFile.Name, ' ');
      { step 1: a 60-second time stamp is the infection marker }
      If (DT.Sec = 60) Then
      Begin
        Assign(FileInfection, St + SearchFile.Name);
        Reset(FileInfection);
        NumError := IOResult;
        If (NumError <> 0) Then Begin Error := True; Exit; End;
        Seek(FileInfection, FileSize(FileInfection) - $8A);
        NumError := IOResult;
        If (NumError <> 0) Then Begin Error := True; Exit; End;
        For I := 1 To 3 Do Read(FileInfection, MasByte[I]);
        Close(FileInfection);
        NumError := IOResult;
        If (NumError <> 0) Then Begin Error := True; Exit; End;
        { step 2: marker bytes 35H 2EH 30H at (length - 8AH) }
        If (MasByte[1] = $35) And (MasByte[2] = $2E) And (MasByte[3] = $30) Then
        Begin
          NumberOfInfFile := NumberOfInfFile + 1;
          Write(St + SearchFile.Name, ' infected. ', 'Remove?');
          Repeat
            Ch := ReadKey;
            If (Ord(Ch) = 27) Then Exit;
          Until (Ch = 'Y') Or (Ch = 'y') Or (Ch = 'N') Or (Ch = 'n');
          If (Ch = 'Y') Or (Ch = 'y') Then
          Begin
            Cure(St + SearchFile.Name);
            If (NumError <> 0) Then Exit;
            Num := Num + 1;
          End;
        End;
      End;
      For I := 0 To 79 Do MasScreen[(WhereY - 1) * 160 + I * 2] := $20;
    End;
    FindNext(SearchFile);
  End;
End;

Begin
  ClrScr;
  GoToXY(29, 1); TextAttr := $1E; GoToXY(20, 2); TextAttr := $17;
  Writeln('Programma dlya poiska i lecheniya fajlov,');
  Writeln('zaragennih SVC50.');
  TextAttr := $4F; GoToXY(1, 25);
  Write('ESC - exit');
  TextAttr := $1F;
  NextDisk := True;
  While NextDisk Do
  Begin
    GoToXY(1, 6);
    Write('Kakoj disk proverit? ');
    Disk := ReadKey;
    If (Ord(Disk) = 27) Then Exit;
    { DOS fn 0Eh selects the drive, fn 19h reads the current drive back:
      the drive exists only if both agree }
    R.Ah := $0E; R.Dl := Ord(UpCase(Disk)) - 65;
    Intr($21, R); R.Ah := $19; Intr($21, R);
    Flag := (R.Al = (Ord(UpCase(Disk)) - 65));
    St := UpCase(Disk) + ':\';
    Writeln('Testiruetsya disk ', St, ' ');
    Writeln('testiruetsya file');
    NumberOfFile := 0;
    NumberOfInfFile := 0;
    Num := 0; K := 0; Error := False;
    { depth-first walk: F1 pushes sub-directories, the loop pops them }
    While Flag Do
    Begin
      F1(St);
      If (K = 0) Or Error Then Flag := False
      Else Begin St := Mas[K]; K := K - 1; End;
    End;
    Writeln;
    Writeln('Provereno fajlov - ', NumberOfFile);
    Writeln('Zarageno fajlov - ', NumberOfInfFile);
    Writeln('Izlecheno fajlov - ', Num);
    Write('Check drugoj disk? ');
    Repeat
      Ch := ReadKey;
      If (Ord(Ch) = 27) Then Exit;
    Until (Ch = 'Y') Or (Ch = 'y') Or (Ch = 'N') Or (Ch = 'n');
    If (Ch = 'N') Or (Ch = 'n') Then NextDisk := False;
  End;
End.

Course work

"Comparative analysis of modern anti-virus programs"


INTRODUCTION

CHAPTER 1. General information about computer viruses

1.1 The concept of computer viruses

1.2 Varieties of computer viruses

1.3 Ways of penetration of viruses, signs of appearance in the computer

1.4 Antivirus tools

CHAPTER 2. Comparative analysis of antivirus programs

CONCLUSION

List of sources used


Introduction

We live at the turn of two millennia, when humanity has entered the era of a new scientific and technological revolution. By the end of the twentieth century, people had mastered many of the secrets of transforming matter and energy and were able to use this knowledge to improve their lives. But in addition to matter and energy, another component plays a huge role in human life: information. This is a wide variety of information, messages, news, knowledge and skills. In the middle of our century, special devices appeared, computers, focused on storing and converting information, and a computer revolution took place.

With the rapid development of information technologies and their penetration into all spheres of human activity, the number of crimes against information security has increased. Today, the mass use of personal computers has unfortunately turned out to be associated with the emergence of self-reproducing virus programs that prevent the normal operation of a computer, destroy the file structure of disks and damage the information stored in a computer. Despite the laws adopted in many countries to combat computer crimes and the development of special software to protect against viruses, the number of new software viruses is constantly growing. This requires the user of a personal computer to be knowledgeable about the nature of viruses, how they infect a computer and how to protect against them.

Every day, viruses become more sophisticated, which leads to a significant change in the threat profile. But the market for anti-virus software does not stand still, offering many seemingly identical products. Their users, presenting the problem only in general terms, often miss important nuances and end up with the illusion of protection instead of protection itself.

The following sources were used to write the term paper: Bezrukov N.N. "Computer viruses", Mostovoy D.Yu. "Modern technologies for fighting viruses", Mogilev A.V. "Computer science: a textbook for students of pedagogical universities". Mogilev's study guide contains extensive information on the theoretical foundations of informatics, software, programming languages and methods, computer technology, information systems, computer networks and telecommunications, and computer modeling. It describes clearly and accessibly the various computer viruses, their varieties and the means of dealing with them.

On the basis of the studied literature, we will try to figure out what needs to be protected, how to do it, and what should be paid special attention to.


CHAPTER 1. GENERAL INFORMATION ABOUT COMPUTER VIRUSES

1.1 The concept of computer viruses.

A computer virus is a program, usually small in size (from 200 to 5000 bytes), which runs independently, copies its code many times, attaching it to the code of other programs ("multiplies"), and interferes with the correct operation of the computer and/or destroys information stored on magnetic disks (programs and data).

There are also less "malignant" viruses, causing, for example, a reset of the computer's date, musical effects (playing some kind of melody), the appearance of an image on the display screen or distortions in the display of information, "shedding of letters", etc.

The creation of computer viruses can be qualified from a legal point of view as a crime.

The reasons that make skilled programmers create computer viruses are interesting, because this work is not paid and cannot bring fame. Apparently, for the creators of viruses, this is a way of self-affirmation, a way to prove their qualifications and abilities. Computer viruses are created by qualified programmers who, for one reason or another, have not found a place for themselves in useful activities such as the development of application programs, and who suffer from painful self-importance or an inferiority complex. Young programmers who have difficulty communicating with the people around them, who do not meet with recognition from specialists, and who are alien to the concepts of morality and ethics in the computer field also become creators of viruses. Also, the manufacturers of anti-virus programs themselves can create viruses for profit: having created a new virus or modified an old one, manufacturers immediately release anti-virus tools to combat it, thereby overtaking their competitors.

There are also specialists who give their strength and talent to the fight against computer viruses. In Russia, these are the well-known programmers D. Lozinsky, D. Mostovoy, I. A. Danilov, N. Bezrukov and others. They have investigated many computer viruses, developed anti-virus programs, and drawn up recommendations on measures to prevent the destruction of computer information by viruses and the spread of computer virus epidemics.

The main danger, in their opinion, is not computer viruses themselves, but computer users and computer programs, unprepared to deal with viruses, behaving unskillfully when faced with the symptoms of a computer infection, easily falling into a panic that paralyzes normal work.

1.2 Varieties of computer viruses

Let us consider in more detail the main features of computer viruses, the characteristics of anti-virus programs, and the measures to protect programs and data from computer viruses in the most common system, MS-DOS.

According to approximate estimates, there are today more than ten thousand different viruses. Counting them is complicated by the fact that many viruses do not differ much from each other, being variants of the same virus, and, conversely, the same virus can change its appearance and encode itself. In fact, there are not very many fundamental ideas underlying viruses (a few dozen).

Among the variety of computer viruses, the following groups should be distinguished:

- boot viruses infect the computer's bootstrap program, stored in the boot sector of a floppy disk or hard drive and launched when the computer boots;

- file viruses in the simplest case infect executable files, but they can also spread through document files (Word for Windows systems), or even not modify files at all and merely be associated with them in some way;

- boot-file viruses have signs of both boot and file viruses;

- driver viruses infect computer device drivers or start themselves by adding an extra line to the configuration file.

Of the viruses that do not operate on personal computers under the MS-DOS operating system, we should mention network viruses, distributed in networks that unite many tens and hundreds of thousands of computers.

Consider the principles of operation of boot viruses. Each floppy disk or hard drive has service sectors used by the operating system for its own needs, including the boot sector. In addition to information about the diskette (number of tracks, number of sectors, etc.), it stores a small boot program.

The simplest boot viruses, resident in the memory of an infected computer, detect an uninfected floppy disk in the drive and perform the following actions:

- they allocate some area of the diskette and make it inaccessible to the operating system (marking it, for example, as bad);

- they replace the boot program in the floppy's boot sector, copying the correct boot program, as well as their own code, into the allocated area of the floppy disk;

- they organize the transfer of control so that the virus code is executed first and only then the bootstrap program.

The magnetic disks of hard-drive computers are usually divided into several logical partitions. Bootstrap programs are also present in the MBR (Master Boot Record) and in the boot partition of a hard drive, which can be infected in the same way as the boot sector of a floppy disk. However, when passing control to the boot program of the hard drive's boot partition, the boot program in the MBR uses the so-called partition table, which contains information about the position of the boot partition on the disk. A virus can corrupt the partition table information and thus transfer control to its own code written to the disk, without formally changing the boot program.

Now consider the principles of operation file viruses. A file virus is not necessarily resident; it can, for example, infiltrate the code of an executable file. When an infected file is launched, the virus takes control, performs some actions, and returns control to the code into which it was injected. The actions that the virus performs include searching for a file suitable for infecting, injecting into it so as to gain control of the file, producing some effect, for example, sound or graphic. If a file virus is resident, then it is installed in memory and is able to infect files and manifest itself independently of the original infected file.

When infecting a file, a virus always changes its code, but does not always make other changes. In particular, the beginning of the file and its length may not change (which was previously considered a sign of infection). For example, viruses can distort information about files stored in the service area of magnetic disks, the file allocation table (FAT), thus making it impossible to work with files. This is how viruses of the Dir family behave.

Today, more than ever, anti-virus software is not only the most in-demand security system of any operating system, but also one of its main components. And if earlier the user had a very limited, modest choice, now there are a lot of such programs. But if you look at the list of "Top 10 antiviruses", you will notice that not all of them are equal in terms of functionality. Consider the most popular packages. At the same time, the analysis will include both paid and shareware (anti-virus for 30 days), and freely distributed applications. But first things first.

Top 10 Antiviruses for Windows: Testing Criteria

Before starting to compile some kind of rating, perhaps, you should familiarize yourself with the main criteria that in most cases are used when testing such software.

Naturally, it is simply impossible to consider all known packages. However, among all those designed to protect a computer system in the broadest sense, the most popular ones can be distinguished. At the same time, we will take into account both the official ratings of independent laboratories and the reviews of users who use this or that software product in practice. Besides, mobile programs will not be affected, we will focus on stationary systems.

As for the conduct of basic tests, as a rule, they include several main aspects:

  • availability of paid and free versions and restrictions related to functionality;
  • regular scan speed;
  • the speed of identifying potential threats and the ability to remove or isolate them in quarantine using built-in algorithms;
  • frequency of updating anti-virus databases;
  • self-defense and reliability;
  • availability of additional features.

As you can see from the above list, checking the operation of antivirus software allows you to determine the strengths and weaknesses of a particular product. Next, I will consider the most popular software packages included in the Top 10 antiviruses, and also give their main characteristics, of course, taking into account the opinions of people who use them in their daily work.

Kaspersky Lab software products

To begin with, let's consider the software modules developed by Kaspersky Lab, which are extremely popular in the post-Soviet space.

It is impossible to single out any one program here, because among them you can find the regular Kaspersky Anti-Virus scanner, modules like Internet Security, portable utilities like Virus Removal Tool, and even Rescue Disk boot disks for damaged systems.

Immediately it is worth noting two main disadvantages: firstly, judging by the reviews, almost all programs, with rare exceptions, are paid or shareware, and secondly, system requirements are unreasonably high, which makes it impossible to use them in relatively weak configurations. Naturally, this scares off many ordinary users, although activation keys for Kaspersky Antivirus or Internet Security can easily be found on the World Wide Web.

On the other hand, the situation with activation can be corrected in another way. For example, Kaspersky keys can be generated using special applications like Key Manager. True, this approach is, to put it mildly, illegal, however, as a way out, it is used by many users.

The speed of work on modern machines is average (for some reason, more and more heavy versions are created for new configurations), but constantly updated databases, the uniqueness of technologies for detecting and removing known viruses and potentially dangerous programs are on top here. It is not surprising that Kapersky Lab is today a leader among developers of security software.

And two more words about the recovery disk. It is unique in its own way, because it loads a scanner with a graphical interface even before the start of Windows itself, allowing you to remove threats even from RAM.

The same goes for the portable Virus Removal Tool, which can track down any threat on an infected terminal. It can only be compared with a similar utility from Dr. Web.

Protection from Dr. Web

Before us is another of the strongest representatives in the field of security, the famous "Doctor Web", which has stood at the origins of anti-virus software since time immemorial.

Among the huge number of programs, you can also find regular scanners, and protection tools for Internet surfing, and portable utilities, and recovery disks. You can't list everything.

The main factor in favor of this developer's software is its high speed, instant detection of threats with the option of either complete removal or isolation, and a moderate load on the system as a whole. In general, from the point of view of most users, this is a kind of lightweight version of Kaspersky. However, there is still something interesting here, in particular Dr. Web Katana. It is considered a new-generation software product, focused on "sandbox" technologies, i.e. placing a threat in the "cloud" or "sandbox" (whichever you want to call it) for analysis before it penetrates the system. However, on closer inspection there are no special innovations here, because this technique was already used in the free Panda antivirus. In addition, according to many users, Dr. Web Katana is a kind of Security Space with the same technologies. Speaking in general, however, any software from this developer is quite stable and powerful. It is not surprising that many users prefer such packages.

ESET software

Speaking about the Top 10 antiviruses, one cannot fail to mention another of the brightest representatives of this area, ESET, which became famous for the well-known NOD32 product. A little later, the ESET Smart Security module appeared.

If we consider these programs, an interesting point can be noted. To activate the full functionality of any package, there are two options. One is to purchase an official license. The other is to install the free trial version and activate it again every 30 days. Activation, too, is an interesting story.

As noted by absolutely all users, freely distributed keys for ESET Smart Security (or for the regular antivirus), in the form of a login and password, could be found on the official website. Until recently, only this data could be used. Now the process has become somewhat more complicated: first you need to obtain a login and password on a special site, convert them into a license number, and only then enter it in the registration field in the program itself. However, if you do not pay attention to such trifles, this antivirus is one of the best. Benefits reported by users:

  • virus signature databases are updated several times a day,
  • definition of threats at the highest level,
  • there are no conflicts with system components (firewall),
  • the package has the strongest self-protection,
  • no false alarms, etc.

Separately, it is worth noting that the load on the system is minimal, and the use of the Anti-Theft module even allows you to protect data from theft or misuse for personal gain.

AVG Antivirus

AVG Antivirus is paid software designed to provide comprehensive security for computer systems (there is also a free, reduced version). And although today this package is no longer among the top five, it nevertheless demonstrates a fairly high speed and stability.

In principle, it is ideal for home use, because, in addition to its speed, it has a convenient Russified interface and more or less stable behavior. True, as some users note, it sometimes misses threats. This applies not to viruses as such but rather to spyware or advertising junk, i.e. malware and adware. The program's own module for these, although widely advertised, still looks somewhat unfinished according to users. And the additional firewall can often conflict with the "native" Windows firewall if both modules are active.

Avira package

Avira is another member of the antivirus family. Fundamentally, it does not differ from most similar packages. However, if you read user reviews about it, you can find quite interesting posts.

Many in no case recommend using the free version, since some modules are simply missing from it. To ensure reliable protection, you will have to purchase the paid product. But such an antivirus suits Windows 8 and 10, where the system itself uses a lot of resources and the package uses them at the lowest level. In principle, Avira is best suited, say, for budget laptops and weak computers. A network installation, however, is out of the question.

Cloud service Panda Cloud

The free Panda Cloud at one time became almost a revolution in antivirus technology. The use of the so-called "sandbox" to send suspicious content for analysis before it enters the system has made this application especially popular among users of all levels.

And it is with the "sandbox" that this antivirus is associated today. Yes, indeed, this technology, unlike other programs, allows you to keep the threat out of the system. For example, any virus first saves its body on the hard drive or in RAM, and only then begins its activity. Here, the matter does not come to preservation. First, a suspicious file is sent to the cloud service, where it is checked, and only then can it be saved in the system. True, according to eyewitnesses, alas, this can take quite a lot of time and unnecessarily heavily loads the system. On the other hand, here it is worth asking yourself what is more important: security or increased scan time? However, for modern computer configurations with an Internet connection speed of 100 Mbps or higher, it can be used without problems. By the way, its own protection is provided precisely through the "cloud", which sometimes causes criticism.

Scanner Avast Pro Antivirus

Now a few words about another bright representative. It is quite popular with many users; however, despite having the same "sandbox", anti-spyware, network scanner, firewall and virtual office, Avast Pro Antivirus unfortunately clearly loses on the main indicators of performance, functionality and reliability to such giants as Kaspersky Lab products or applications using Bitdefender technologies, although it demonstrates high scanning speed and low resource consumption.

Users are attracted to these products mainly by the fact that the free version of the package is as functional as possible and does not differ much from the paid software. In addition, this antivirus works on all versions of Windows, including Windows 10, and behaves perfectly even on outdated machines.

360 Security Packages

Before us is probably one of the fastest antiviruses of our time - 360 Security, developed by Chinese specialists. In general, all products labeled "360" are distinguished by an enviable speed of work (the same Internet browser 360 Safety Browser).

Despite its main purpose, the program has additional modules for eliminating operating system vulnerabilities and optimizing it. But neither the speed nor the free distribution makes up for its false alarms: in the list of programs with the highest indicators for this criterion, this software occupies one of the first places. According to many experts, conflicts arise at the system level because of the additional optimizers, whose actions intersect with the tasks of the OS itself.

Software products based on Bitdefender technologies

Another "old-timer" among the most famous OS defenders is Bitdefender. Unfortunately, in 2015 it lost the lead to Kaspersky Lab products; nevertheless, in antivirus fashion, so to speak, it remains one of the trendsetters.

If you look a little more closely, you can see that many modern programs (the same 360 Security package) are, in different variations, built on these technologies. Despite its rich functional base, it also has its shortcomings. Firstly, you will not find a Russian (Russified) Bitdefender antivirus, since it does not exist at all. Secondly, despite using the latest technological developments in system protection, it unfortunately shows too high a number of false positives (by the way, according to experts, this is typical for the entire group of programs based on Bitdefender). The presence of additional optimizer components and its own firewalls generally affects the behavior of such antiviruses not for the better. But the speed of this application cannot be denied. In addition, P2P is used for verification, but real-time email checking is completely absent, which many do not like.

Antivirus from Microsoft

Another application that gets high marks, with and without reason, is Microsoft's own product, Security Essentials.

This package is included in the Top 10 antiviruses, apparently, only because it was developed exclusively for Windows systems, which means that it causes absolutely no conflicts at the system level. Besides, who, if not the specialists from Microsoft, should know all the security holes and vulnerabilities of their own operating systems. By the way, an interesting fact is that the initial builds of Windows 7 and Windows 8 had MSE in the basic configuration, but then for some reason this kit was abandoned. However, for Windows it can be the simplest solution in terms of protection, although you cannot count on special functionality.

McAfee app

As for this application, it looks quite interesting. True, it has earned the greatest popularity in the field of application on mobile devices with all kinds of blocking, nevertheless, this antivirus behaves no worse on stationary computers.

The program has low-level support for P2P networks when sharing Instant Messenger files, and also offers 2-level protection, in which the main role is assigned to the WormStopper and ScriptStopper modules. But in general, according to consumers, the functional set is at an average level, and the program itself is focused more on detecting spyware, computer worms and trojans and preventing executable scripts or malicious codes from penetrating the system.

Combined antiviruses and optimizers

Naturally, only those included in the Top 10 antiviruses were considered here. If we talk about the rest of the software of this kind, we can note some packages that contain anti-virus modules in their sets.

What to prefer?

Naturally, all antiviruses have certain similarities and differences. What to install? Here you need to proceed from your needs and the level of protection provided. Corporate clients are usually better off buying something more powerful with the possibility of network installation (Kaspersky, Dr. Web, ESET). As for home use, the user chooses what he needs (if you wish, you can even find an antivirus for a year - without registration or purchase). But, judging by user reviews, it is better to install Panda Cloud, even with some additional system load and sandboxing time: it is here that there is a full guarantee that the threat will not penetrate the system in any way. However, everyone is free to choose what he needs. If activation is not a problem, please: ESET products work fine on home systems. But using optimizers with anti-virus modules as the main means of protection is highly undesirable. And it is also impossible to say which program takes first place: as many users, as many opinions.

The main evaluation criteria, which included 200 indicators, were:

  • virus protection;
  • ease of use;
  • impact on computer speed.

Malware protection is the most important evaluation criterion: indicators within this group of parameters accounted for 65% of the overall antivirus score. Ease of use and impact on computer speed accounted for 25% and 10% of the overall score, respectively.

Anti-virus programs were selected for research on the basis of popularity among consumers and affordability. For this reason, the list of antivirus programs studied included:

  • Free programs - both built-in and offered separately.
  • Paid programs from leading antivirus brands. Based on the principles of selection, the study did not include the most expensive versions of software products from these brands.
  • From one brand for one operating system, only one paid product could be presented in the rating. The second product could get into the rating only if it is free.

This time, products developed by Russian companies were included in the category in the international study. As a rule, the list of products for international testing includes products with a sufficient market share and high recognition among consumers, so the inclusion of Russian developments in the study indicates their wide representation and demand abroad.

Top Ten for Windows

All antiviruses in the top ten cope with protection against spyware and protect against phishing - attempts to gain access to confidential data. But there are differences between antiviruses in the level of protection, as well as in the presence or absence of a particular function in the tested versions of the antivirus.

The pivot table shows ten the best programs by overall rating. It also takes into account the features of the packages in terms of the set of functions.

How good is standard Windows 10 security?

As of February 2018, the percentage of Windows PC users with desktop computers installed OS Windows 10 accounted for 43%. On such computers, the antivirus is installed by default - the program protects the system Windows Defender, which is included with the operating system.

The standard antivirus, which, judging by the statistics, most people use, placed only 17th in the rating. Overall, Windows Defender scored 3.5 out of a possible 5.5.

The protection built into recent Windows versions gets better every year, but it still does not match the level of many specialized antivirus programs, including ones distributed for free. Windows Defender showed satisfactory results in online protection, but completely failed the phishing and ransomware tests. Incidentally, phishing protection is a feature that antivirus manufacturers advertise. It also turned out to protect the computer poorly in offline mode.

Windows Defender is quite simple in design. It clearly reports the presence of a particular threat, clearly shows the current level of protection, and has a "parental control" function that prevents children from visiting unwanted sites.

The standard protection in Windows 10 can only be called decent. By overall rating, 16 programs for protecting a Windows personal computer scored higher, including four free ones.

In theory, you can rely on Windows Defender alone only if regular updates are turned on, the computer is connected to the Internet most of the time, and the user is experienced enough not to knowingly visit suspicious sites. Nevertheless, Roskachestvo recommends installing a specialized anti-virus package for greater confidence in the security of the PC.

How We Tested

Testing was carried out over six months in what the study describes as the world's most qualified laboratory specializing in anti-virus programs. Four groups of anti-malware tests were conducted in total: the general online protection test, the offline test, the false positive test, and the automatic and on-demand scan test. The final rating was influenced to a lesser extent by checks of the antivirus's usability and its impact on the speed of the computer.

  • General protection

Each antivirus package was tested online against a set of more than 40,000 malware samples. The test also checked how well the antivirus copes with phishing attacks, in which someone tries to gain access to the user's confidential data, and with ransomware, which restricts access to the computer and the data on it in order to extort a ransom. In addition, an online test with a malware-carrying USB drive was run. It is needed to find out how well the antivirus finds and removes malware when neither the presence of malicious files nor their origin is known in advance.

  • USB offline test

Detection of malware residing on a USB drive connected to the computer. Before the scan, the computer was kept disconnected from the Internet for several weeks so that the anti-virus packages were not fully up to date.

  • False alarm

We tested how accurately the antivirus distinguishes real threats from files that are actually safe: a harmless file that the product classifies as dangerous counts as a false positive.

  • Auto-scan and on-demand scan test

The test checked how effectively the scanning function works both when the computer is checked for malware automatically and when a scan is started manually. The study also checked whether scans can be scheduled for a set time when the computer is not in use.