Scanning

Scanning looks for known viruses by their signatures, or for characteristics that make a new virus resemble an existing one. This requires that anti-virus makers and users keep products up to date.

Once a virus has been detected, it is possible to write scanning programs that look for telltale code (signature strings) characteristic of the virus. The writers of the scanner extract identifying strings from the virus. The scanner uses these signature strings to search memory, files, and system sectors. If the scanner finds a match, it announces that it has found a virus. This obviously detects only known, pre-existing, viruses. Many so-called “virus writers” create “new” viruses by modifying existing viruses. This takes only a few minutes but creates what appears to be a new virus. It happens all too often that these changes are simply to fool the scanners. (Please use the above as “concept” information. Writing a scanner today is quite a bit more complex.)

Note: Newer scanners often employ several detection techniques in addition to signature recognition. Among the most common of these is a form of code analysis. The scanner will actually examine the code at various locations in an executable file and look for code characteristic of a virus (e.g., a jump to a non-standard location, etc.). A second possibility is that the scanner will set up a virtual computer in RAM and actually test programs by running them in this virtual space and observing what they do. These techniques are often lumped under the general name “heuristic” scanning. Such scanners may also key off of code fragments that appear similar to, but not exactly the same as, known viruses.

The major advantage of scanners is that they allow you to check programs before they are executed. Scanners provide the easiest way to check new software for known or suspected viruses. Since they have been aggressively marketed and since they provide what appears to be a simple painless solution to viruses, scanners are the most widely-used anti-virus product.

The major disadvantages of scanners are that they sometimes false alarm and need constant updating which, even so, is always “after-the-fact” protection.

Too many people seem to regard “anti-virus product” and “scanner” as synonymous terms. The peril here is that if too many people depend solely upon scanners, newly created viruses will spread totally unhindered causing considerable damage before the scanners catch up with the viruses. An example of this was the attack by the Maltese Amoeba (Irish) virus in the UK. This virus was not detected prior to its destructive activation on November 1, 1991. Prior to its attack, it had managed to spread quite widely and none of the existing (mostly scanner-based) products detected this virus.

According to the December 1991 Virus Bulletin:

Prior to November 2nd, 1991, no commercial or shareware scanner (of which VB has copies) detected the Maltese Amoeba virus. Tests showed that not ONE of the major commercial scanners in use … detected this virus.

This indicates the potential hazard of depending upon scanner technology for complete virus protection. (More examples have been fast-spreading viruses that also act like worms [e.g., Melissa]. Anti-virus software makers react rapidly to these threats but there is still some delay and users have to be constantly alert. The Zero Day Attack is always on every security person’s mind.)

Another major drawback to scanners is that it’s dangerous to depend upon an old scanner. With the dramatic increase in the number of viruses appearing, it’s risky to depend upon anything other than the most current scanner. Even that scanner is necessarily a step behind the latest crop of viruses since there’s a lot that has to happen before the scanner is ready:

  • The virus has to be detected somehow to begin with. Since the existing scanners won’t detect the new virus, it will have some time to spread before someone detects it by other means. (Note: Some virus writers politely send copies of their malware to anti-virus researchers ahead of release but don’t count on this always happening.)
  • The newly-discovered virus must be sent to programmers to analyze and extract a suitable signature string or detection algorithm. This must then be tested for false positives on legitimate programs.
  • The “string” must then be incorporated into the next release of the virus scanner.
  • The virus scanner or detection database must be distributed to the customer.

In the case of retail software, the software must be sent to be packaged, to the distributors, and then on to the retail outlets. Commercial retail software takes so long to get to the shelves, that it is almost certainly out of date. Virtually all product makers today provide some way to obtain updates via the Internet in order to help speed up the update process.

If you depend upon a scanner, be sure to get the latest version directly from the maker. Also, be sure that you boot from a clean write-protected copy of DOS before running the scanner for the first time at least; there’s a good chance that the scanner can detect a resident virus in memory, but if it misses the virus in memory, the scanner will wind up spreading the virus rather than detecting it. Every susceptible program on your disk could be infected in a matter of minutes this way! (See Fast and Slow Infectors.)

Ghost Positives

One possible defect of scanners you might run into is termed a “ghost” positive.

When DOS/Windows reads from a disk it does not read exactly what is requested; it also reads a bit ahead so that when the next read request comes in DOS may just have the material needed in a memory buffer and it can be provided much faster. Likewise, when a scanner reads files it has to compare each with the detection database. These are stored in memory.

If, after scanning, the scanner does not clear its buffers in memory and you immediately run a second scanner then the second scanner may see the first scanner’s strings in memory and if it uses the same string(s) could identify that virus as being in memory.

This is why it’s important to run your scanner (or other anti-virus product) after a cold boot. One of the features of a cold boot is a complete memory check and this check overwrites all of memory, clearing out all false traces of viruses.

False Alarms

Despite the most extensive testing it is possible that a scanner will present false alarms (i.e., indicate a file as infected when it really is not). You will usually note this just after an update where a file you’ve had on your system suddenly shows up as infected. If it’s a single file, previously clean, that exhibits this characteristic you can rest a bit easier; but you should nevertheless check with your anti-virus software maker.

Another time you might see this is when, after an update, you download what you would otherwise consider safe software (e.g., a program hosted on the maker’s website that thousands before you have downloaded with no problems) and see an alert. If this happens, have the courtesy to notify that software vendor about the alert and tell them the anti-virus software and database version for it so they can get the matter settled with the anti-virus software maker.

Some of the things that can cause such false alarms include:

  • A program that has been wrapped by anti-piracy software. By its nature, this type of wrapper has to check the executable and that might appear to be the action of malware in the eyes of the anti-virus software.
  • A packed executable. To save space, an executable might be packed. While most anti-virus products will recognize standard packers, some may not, or the author of the program may have used their own packing routine or some non-standard routine not recognized by the anti-virus program.
  • A changed version of any of the above. If anti-virus software recognizes a program and then either it or the program changes something (e.g., in a new version you’ve just upgraded to the author has changed the packing program for the executable) a false alarm may be generated. (E.g., I have an old archive containing a compiler I used many years ago. Recently, my scanner started to false alarm on the archive calling it some sort of generic Trojan.)

False alarms are quite common and a distraction as you have to figure out if the alert is a true or false alarm.

Testing a Scanner

You don’t need a virus to test the installation of a scanner. Most good scanners today are programmed to detect a standard test file called the EICAR test file. You can easily make this test file. Simply type or copy the following string into a text editor like Notepad:

X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*

Now save that file under the name EICAR.COM. This is an actual program that, when run, will display the text EICAR-STANDARD-ANTIVIRUS-TEST-FILE! and, when scanned, should activate your anti-virus program.
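As an added example (not code from the tutorial), the following Python script writes the EICAR.COM file described above, checks it against the EICAR rules (68-byte string, optional trailing whitespace, at most 128 bytes in all), and then runs the kind of exact-match signature search described under Scanning over the directory. It also writes a copy with one byte changed, named VARIANT.COM here by assumption, to show why a signature-only scanner misses trivially modified samples; the temporary directory and function names are likewise assumptions.

```python
import os
import tempfile

# The 68-byte EICAR test string exactly as the text gives it; a raw
# bytes literal keeps the backslash intact.
EICAR = rb"X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"

# Toy "detection database": name -> signature bytes. Only the EICAR
# test signature is loaded; a real product carries far more.
SIGNATURES = {"EICAR-Test-File": EICAR}

def is_valid_eicar(data: bytes) -> bool:
    """EICAR rules: starts with the 68-byte string, only whitespace may
    follow it, and the whole file is at most 128 bytes."""
    return (data.startswith(EICAR) and len(data) <= 128
            and data[len(EICAR):].strip(b" \t\r\n") == b"")

def write_eicar(directory: str) -> str:
    """Write EICAR.COM (the file name used in the text); return its path."""
    path = os.path.join(directory, "EICAR.COM")
    with open(path, "wb") as f:
        f.write(EICAR)
    return path

def scan_bytes(data: bytes, signatures=SIGNATURES) -> list:
    """Exact substring match, as the text describes: list every
    signature whose bytes occur anywhere in the data."""
    return [name for name, sig in signatures.items() if sig in data]

def scan_directory(directory: str) -> dict:
    """Scan every file under directory; returns file name -> hits."""
    results = {}
    for root, _dirs, files in os.walk(directory):
        for name in files:
            with open(os.path.join(root, name), "rb") as f:
                results[name] = scan_bytes(f.read())
    return results

def demo() -> dict:
    """Write EICAR.COM and VARIANT.COM (constructed here: the same
    bytes with one character changed, to show why exact matching
    misses trivial variants), then scan the directory."""
    with tempfile.TemporaryDirectory() as tmp:
        write_eicar(tmp)
        variant = EICAR.replace(b"TEST-FILE", b"TEST-FILX")
        with open(os.path.join(tmp, "VARIANT.COM"), "wb") as f:
            f.write(variant)
        return scan_directory(tmp)
```

Calling demo() reports EICAR.COM as a hit and VARIANT.COM as clean even though only one byte differs, which is the gap heuristic scanning described in the Note above tries to close.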

Note: This is not a virus. It is simply a file designed to activate the detection routines in scanners that support it. (Some suggest you need a “good” virus to test scanners. The problem is that to adequately test a scanner you need a virus “zoo” and have to install each virus in the zoo and test against it. This is something few users would want to do. The EICAR test file tests the installation of anti-virus software and that should be sufficient.)

Summary

  • Scanning depends on prior knowledge of a virus in order to detect it. This is done by recognizing some sort of signature that represents the virus or some program characteristic that indicates a virus may be present.
  • Scanners allow you to check programs before execution. That is their main advantage.
  • Scanners need to be regularly updated. Don’t depend on an old scanner.
  • Some viruses attempt to defeat scanners by changing their code on the fly. Current scanners attempt to analyze code on the fly as a way of countering this.
  • Never run two scanners in a row without cold booting to clear memory between. If you do, you may find “ghost” positives.