Virus Detection Methods



The following techniques are used to detect viruses:
  • Scanning
  • Integrity checking with checksums
  • Interception based on a virus signature
The process of virus detection and removal is as follows:
  1. Determine that the attack is a virus. Not all anomalous behavior can be attributed to a virus.
  2. Trace processes using utilities such as handle.exe, listdlls.exe, fport.exe, netstat.exe, and pslist.exe, and map commonalities between affected systems.
  3. Detect the virus payload by looking for altered, replaced, or deleted files. New files, changed file attributes, and shared library files should be checked.
  4. Acquire the infection vector and isolate it. Then update your antivirus definitions and rescan all systems.
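The integrity-checking and signature-scanning techniques listed above, and the altered/new/deleted file check in step 3, as an added example (not code from the original post). It baselines a constructed directory with SHA-256 checksums, simulates an infection, and reports what each technique finds; the signature is only a fragment of the EICAR test string so that the script itself stays benign, an assumption that a real scanner would carry full patterns.

```python
import hashlib
import os
import tempfile

# Constructed signature: a fragment of the EICAR test string (assumption: a real
# scanner carries full patterns; the fragment keeps this script itself benign).
EICAR_FRAGMENT = b"EICAR-STANDARD-ANTIVIRUS-TEST-FILE"


def file_list(root):
    """Yield (relative path, contents) for every file under root."""
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            with open(full, "rb") as f:
                yield os.path.relpath(full, root), f.read()

def build_baseline(root):
    """Integrity-checking baseline: relative path -> SHA-256 of contents."""
    return {rel: hashlib.sha256(data).hexdigest() for rel, data in file_list(root)}

def integrity_check(root, baseline):
    """Re-hash the tree and report altered, new and deleted files (step 3)."""
    current = build_baseline(root)
    return {
        "altered": sorted(p for p in baseline if p in current and current[p] != baseline[p]),
        "new": sorted(p for p in current if p not in baseline),
        "deleted": sorted(p for p in baseline if p not in current),
    }

def signature_scan(root, signatures):
    """Signature scanning: files whose contents contain any known byte pattern."""
    return sorted(rel for rel, data in file_list(root) if any(s in data for s in signatures))

def demo():
    """Constructed scenario: baseline a clean tree, tamper with it, then detect."""
    root = tempfile.mkdtemp()
    def write(name, data):
        with open(os.path.join(root, name), "wb") as f:
            f.write(data)
    write("app.bin", b"original program bytes")
    write("config.txt", b"setting=1\n")
    baseline = build_baseline(root)
    # Simulated infection: app.bin altered, config.txt deleted, a new file dropped.
    write("app.bin", b"original program bytes" + EICAR_FRAGMENT)
    os.remove(os.path.join(root, "config.txt"))
    write("dropped.bin", EICAR_FRAGMENT)
    return integrity_check(root, baseline), signature_scan(root, [EICAR_FRAGMENT])
```

Note that the checksum pass finds the deleted config file, which no signature scan can, while the signature pass names the infected files directly; the two techniques complement each other.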
In Exercise 1, we will create a test virus.
Exercise 1: Creating a Test Virus

A test virus can be created by typing the following code in Notepad and saving the file as EICAR.COM. Your antivirus program should respond when you attempt to open, run, or copy it.
      X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*

Worms can be prevented from infecting systems in much the same way as viruses. Worms can be more difficult to stop because they spread on their own, meaning they do not need user intervention to install and continue to propagate the malware. Worms can be detected with the use of antimalware software that contains definitions for worms. Most importantly, worms need to be stopped from spreading. In order to do this, an administrator may need to take systems offline. The best practice for cleaning worms off networked systems is to first remove the computer from the network and then run the security software to clean the worm.
