Comparative characteristics of anti-virus software

As expected, it is impossible to name a single best antivirus program among those considered, because users can apply many different criteria when choosing. One thing is certain - all of these solutions deserve users' attention and are among the worthy ones. The most functional among them is Kaspersky Anti-Virus, which provides comprehensive protection against the widest range of threats and has impressive customization options. But in terms of combining high functionality with convenience (that is, ease of use and minimal "visibility" while working in the background), we liked Eset NOD32 more. Avast! AntiVirus and Avira AntiVir are also undemanding of system resources and therefore behave modestly when running in the background, but their capabilities will not suit every user: the first, for example, has an insufficient level of heuristic analysis, while the second has no Russian-language localization yet and, in our opinion, its module management is not organized very conveniently. As for Norton AntiVirus and Dr.Web, despite the worldwide popularity of the former and the well-deserved recognition of the latter's past merits, the palm in the respect we are considering clearly does not go to them. Norton AntiVirus, although its latest version runs much faster than previous ones and has a better thought-out interface, still noticeably loads the system and responds rather slowly when certain functions are launched, though in fairness it should be noted that it scans quickly. And Dr.Web, compared with the other antiviruses, is not very impressive, because its capabilities are limited to protecting files and mail; but it has its own plus - it is the simplest of the antiviruses considered.

Table 1. Comparison of the functionality of antivirus solutions

It is no less interesting, of course, to compare the reviewed antiviruses in terms of their effectiveness in detecting malicious software. This parameter is evaluated by special, internationally recognized centers and laboratories such as ICSA Labs, West Coast Labs, Virus Bulletin and others. The first two issue special certificates to antiviruses that have passed a certain level of tests, with one caveat - all well-known packages today hold such certificates (this is a certain minimum). The antivirus magazine Virus Bulletin tests a large number of antiviruses several times a year and, based on the results, grants them VB100% awards. Alas, today all popular antiviruses also hold such awards, including, of course, the ones we have reviewed. Therefore, we will try to analyze the results of other tests. We will focus on the tests of the reputable Austrian laboratory Av-Comparatives.org, which tests antiviruses, and of the Greek company Virus.gr, which specializes in testing antivirus programs and compiling antivirus ratings and is known for one of the largest virus collections. According to Av-Comparatives.org's latest On-Demand Scan test, from August 2009 (Table 2), Avira AntiVir Premium and Norton AntiVirus performed best among those reviewed, while Kaspersky Anti-Virus was able to detect only 97.1% of viruses, although it is, of course, completely unfair to call such a level of virus detection low. For reference, we note that the volume of the virus collection used in this test exceeded 1.5 million malicious codes, so a difference of just 0.1% amounts to no fewer than 1.5 thousand malicious programs.
As for speed, it is even harder to compare solutions objectively in this respect, because scanning speed depends on many factors - in particular, whether the antivirus product uses code emulation, whether it is able to recognize complex polymorphic viruses, whether deep heuristic analysis is carried out, whether rootkits are actively scanned for, and so on. All of these points are directly related to the quality of virus recognition, so for antivirus solutions scanning speed is not the most important indicator of their performance. Nevertheless, the specialists of Av-Comparatives.org considered it possible to evaluate the solutions by this indicator, and as a result Avast! AntiVirus and Norton AntiVirus turned out to be on top among the antivirus programs under consideration.

Table 2. Comparison of antivirus solutions in terms of malware detection (source - Av-Comparatives.org, August 2009)

Name                            Detected, %   Scan speed
Avira AntiVir Premium 8.2       99.7          Medium
Norton AntiVirus 16.2           98.7          Fast
(name not captured)             98.2          Fast
ESET NOD32 Antivirus 3.0        97.6          Medium
Kaspersky Anti-Virus 8.0        97.1          Medium
AVG Anti-Virus 8.0.234          93            Slow
Dr.Web anti-virus for Windows   Not tested    No data
PANDA Antivirus Pro 2010        Not tested    No data

According to the results of the August testing by Virus.gr, presented in Table 3, the picture is somewhat different. The leaders here are Kaspersky Anti-Virus 2010 with 98.67% and Avira AntiVir Premium 9.0 with 98.64%. Incidentally, it is worth noting that the free Avira AntiVir Personal, which uses the same signature databases and the same methods as the paid Avira AntiVir Premium, lags only slightly behind the commercial solution. The differences between the results are due to the fact that different laboratories use different virus collections: of course, all such collections are based on the "In the Wild" list of viruses found in circulation, but each laboratory supplements it with other viruses, and which package takes the lead depends on what kind of viruses these are and what share of the total collection they make up.

Table 3. Comparison of antivirus solutions in terms of malware detection (source - Virus.gr, August 2009)

Name                           Detection of different types of malware, %
Kaspersky Anti-Virus 2010      98.67
Avira AntiVir Premium 9.0      98.64
Avira AntiVir Personal 9.0     98.56
AVG Anti-Virus Free 8.5.392    97
ESET NOD32 Antivirus 4.0       95.97
Avast! AntiVirus Free 4.8      95.87
Norton AntiVirus 16.5          87.37
Dr. Web 5.00                   82.89
Panda 2009 9.00.00             70.8

It is also worth paying attention to how well antiviruses cope in practice with unknown threats, that is, to the effectiveness of the proactive methods of antivirus protection they use. This is extremely important, since all leading experts in this field have long agreed that this particular area is the most promising on the antivirus market. Such testing was carried out by Anti-Malware.ru specialists from December 3, 2008 to January 18, 2009. For the test they assembled a collection of 5166 unique samples of the latest malicious programs, collected after the antivirus databases had been frozen. Among the antiviruses considered in this article, the best results were shown by Avira AntiVir Premium and Dr.Web (Table 4), which managed to detect a relatively large number of malicious codes missing from their databases; however, the number of false positives for these antiviruses turned out to be high. Therefore, the experts gave the laurels, in the form of the "Gold Proactive Protection Award", to entirely different solutions: Kaspersky Anti-Virus, ESET NOD32 AntiVirus and BitDefender Antivirus, which turned out to be the best in terms of the balance between proactive detection and false positives. Their results were almost identical - a heuristic detection rate of about 60% and a false-positive rate in the region of 0.01-0.04%.

Table 4. Comparison of anti-virus solutions in terms of the effectiveness of proactive anti-virus protection (source - Anti-Malware.ru, January 2009)

Name                               Detected, %   False positives, %
Avira AntiVir Premium 8.2          71            0.13
Dr.Web 5.0                         61            0.2
Kaspersky Anti-Virus 2009          60.6          0.01
ESET NOD32 AntiVirus 3.0           60.5          0.02
AVG AntiVirus 8.0                  58.1          0.02
Avast! AntiVirus Professional 4.8  53.3          0.03
Norton AntiVirus 2009              51.5          0
Panda Antivirus 2009               37.9          0.02

From the above data only one conclusion can be drawn - all the antivirus solutions considered can really be classified as worthy of attention. However, whichever of them you use, never forget to update the signature databases in a timely manner, since the level of proactive protection in any of these programs is still far from ideal.

The main evaluation criteria, which included 200 indicators, were:

  • virus protection;
  • ease of use;
  • impact on computer speed.

Malware protection is the most important evaluation criterion: indicators within this group of parameters accounted for 65% of the overall antivirus score. Ease of use and impact on computer speed accounted for 25% and 10% of the overall score, respectively.

Anti-virus programs were selected for research on the basis of popularity among consumers and affordability. For this reason, the list of antivirus programs studied included:

  • Free programs - both built-in and offered separately.
  • Paid programs from leading antivirus brands. Based on the principles of selection, the study did not include the most expensive versions of software products from these brands.
  • From one brand for one operating system, only one paid product could be presented in the rating. The second product could get into the rating only if it is free.

This time, products developed by Russian companies were included in the international study. As a rule, the list of products for international testing includes products with a sufficient market share and high recognition among consumers, so the inclusion of Russian developments in the study indicates that they are widely represented and in demand abroad.

Top Ten for Windows

All antiviruses in the top ten cope with protection against spyware and protect against phishing - attempts to gain access to confidential data. But there are differences between antiviruses in the level of protection, as well as in the presence or absence of a particular function in the tested versions of the antivirus.

The summary table shows the ten best programs by overall rating. It also takes into account the features of the packages in terms of their set of functions.

How good is standard Windows 10 security?

As of February 2018, the share of Windows PC users with Windows 10 installed on their desktops was 43%. On such computers an antivirus is installed by default: the system is protected by the Windows Defender program, which ships with the operating system.

The standard antivirus, which, judging by the statistics, most people use, placed only 17th in the rating. Overall, Windows Defender scored 3.5 out of a possible 5.5.

The built-in protection of recent versions of Windows has only gotten better over the years, but it still does not match the level of many specialized antivirus programs, including those distributed for free. Windows Defender showed satisfactory results in terms of online protection, but completely failed the phishing and ransomware tests. By the way, protection against phishing is declared by antivirus manufacturers. It also turned out that it does a poor job of protecting the computer in offline mode.

Windows Defender is quite simple in terms of design. It clearly communicates the presence of a particular threat, clearly demonstrates the degree of protection and has a “parental control” function that limits children from visiting unwanted resources.

The standard protection of Windows 10 can only be called decent. Based on the overall rating, 16 programs for protecting a personal computer on Windows turned out to be better than it. Including four free ones.

Theoretically, you can only rely on Windows Defender if the user has regular updates turned on, their computer is connected to the Internet most of the time, and they are advanced enough not to consciously visit suspicious sites. However, Roskachestvo recommends installing a specialized anti-virus package for greater confidence in the security of the PC.

How We Tested

Testing was carried out in the world's most qualified laboratory specializing in anti-virus programs for six months. A total of four groups of anti-malware tests were conducted: the general online protection test, the offline test, the false positive rate test, and the automatic and on-demand scan test. To a lesser extent, the final rating was influenced by checking the usability of the antivirus and its impact on the speed of the computer.

  • General protection

Each antivirus package was tested online against a set of more than 40,000 viruses. It was also tested how well the antivirus copes with phishing attacks, in which someone tries to gain access to the user's confidential data. Protection against ransomware (malware that restricts access to a computer and the data on it in order to extort a ransom) was tested as well. In addition, an online test with a USB drive containing malware was carried out. It is needed to find out how well the antivirus copes with finding and eliminating viruses when neither the presence of malicious files nor their origin is known in advance.

  • USB offline test

Detection of malware residing on a USB drive connected to a computer. Before the scan, the computer was disconnected from the Internet for several weeks so that the anti-virus packages were not 100% up to date.

  • False alarm

We tested how effective the antivirus is at identifying real threats while passing over files that are actually safe but which the product might classify as dangerous.

  • Auto-scan and on-demand scan test

It was tested how well the scan function works when it automatically checks the computer for malware and when it is started manually. Also during the study, it was checked whether it is possible to schedule scans for a certain time when the computer is not in use.

Antivirus programs exist to protect your computer from malware, viruses, trojans, worms, and spyware that can delete your files, steal your personal information, and make your computer and web connection extremely slow and problematic. Hence, choosing a good antivirus program is an important priority for your system.

There are over 1 million computer viruses in the world today. Due to the prevalence of viruses and other malware, computer users have many different options in the field of antivirus software.

Antivirus programs quickly became big business, and the first commercial antiviruses hit the market in the late 1980s. Today you can find many free and paid antivirus programs to protect your computer.

What do antivirus programs do

Antivirus programs will regularly scan your computer for viruses and other malware that may be on your PC. If the software detects a virus, it usually quarantines it, cures it, or removes it.

You choose how often the scan will occur, although it is generally recommended that you run it at least once a week. In addition, most antivirus programs will protect you during your daily activities, such as checking email and surfing the web.

Whenever you download any file to your computer from the Internet or from e-mail, the antivirus will check it and make sure that the file is OK (virus-free or “clean”).

Antivirus programs will also update what are called “antivirus definitions”. These definitions are updated as often as new viruses and malware appear and are discovered.

New viruses appear every day, so you should regularly update the anti-virus database on the website of the anti-virus program manufacturer. After all, as you know, any anti-virus program can recognize and neutralize only those viruses that the manufacturer “trained” it with. And it's no secret that several days may pass from the moment the virus is sent to the program developers until the update of the anti-virus databases. During this period, thousands of computers around the world can be infected!

So, make sure you have one of the best antivirus packages installed and update it regularly.

FIREWALL

Protecting your computer from viruses depends on more than just one antivirus program. Most users are mistaken in believing that the antivirus installed on the computer is a panacea for all viruses. A computer can still become infected with a virus, even with a powerful antivirus program. If your computer has Internet access, one antivirus is not enough.

An antivirus can remove a virus once it is already on your computer, but if the same virus arrives from the Internet, for example when a web page is downloaded, the antivirus program will be able to do nothing about it until it shows its activity on the PC. Therefore, full protection of a computer from viruses is impossible without a firewall - a special protective program that notifies you of suspicious activity when a virus or worm tries to connect to your computer.

Using a firewall on the Internet allows you to limit the number of unwanted connections from the outside to your computer, and significantly reduces the likelihood of infection. In addition to protecting against viruses, it also makes it much more difficult for intruders (hackers) to access your information and attempt to download a potentially dangerous program to your computer.

When a firewall is used in conjunction with an antivirus program and operating system updates, computer protection is maintained at the highest possible level of security.

OPERATING SYSTEM AND SOFTWARE UPDATES

An important step in protecting your computer and data is to keep your operating system up to date with the latest security patches. It is recommended to do this at least once a month. The latest updates for the OS and programs will create conditions under which computer protection against viruses will be at a sufficiently high level.

Updates are fixes for bugs found over time in software. A large number of viruses use these bugs ("holes") in system and program security to spread. If these "holes" are closed, such viruses are no longer a concern and computer protection stays at a high level. An additional plus of regular updates is more reliable system operation thanks to the bug fixes.

LOGIN PASSWORD

A password for logging into your system, especially for the "Administrator" account, will help protect your information from unauthorized access locally or over the network, and will also create an additional barrier to viruses and spyware. Make sure you use a complex password, since many viruses spread by trying simple passwords, for example 123 or 12345, starting with empty ones.

SAFE WEB SURFING

Protecting your computer from viruses will be complicated if, while browsing sites and surfing the Internet, you agree to everything and install everything. For example, under the guise of updating Adobe Flash Player, one of the varieties of the virus is being distributed - “Send sms to a number”. Practice safe web surfing. Always read what exactly you are offered to do, and only then agree or refuse. If you are offered something in a foreign language, try to translate it, otherwise feel free to refuse.

Many viruses are contained in e-mail attachments and begin to spread as soon as the attachment is opened. We strongly recommend that you do not open attachments without prior agreement to receive them.

Antiviruses on SIM, flash cards and USB devices

Mobile phones produced today have a wide range of interfaces and data transfer capabilities. Users should carefully study the protection methods before connecting any small devices.

Hardware-based protection methods, such as antiviruses on USB devices or on the SIM, are better suited to consumer mobile phones. A technical evaluation of how to install an antivirus program on a cellular mobile phone should treat it as a scanning process that may affect other legitimate applications on that phone.

SIM-based anti-virus software, with the anti-virus built into the SIM's small memory area, provides anti-malware protection for the PIM data and other user information on the phone. Antiviruses on flash cards allow the user to exchange information and use these products with various hardware devices.

Antiviruses, mobile devices and innovative solutions

It will surprise no one when the viruses that infect personal and laptop computers move to mobile devices. More and more developers in this field offer anti-virus programs to fight viruses and protect mobile phones. The following aspects of virus control are specific to mobile devices:

  • CPU limitations
  • memory limits
  • identifying and updating the signatures of these mobile devices

Antivirus companies and programs

  • AOL® Virus Protection as part of the AOL Safety and Security Center
  • ActiveVirusShield by AOL (based on KAV 6, free)
  • AhnLab
  • Aladdin Knowledge Systems
  • ALWIL Software (avast!) from the Czech Republic (free and paid versions)
  • ArcaVir from Poland
  • AVZ from Russia (free)
  • Avira from Germany (a free Classic version is available)
  • Authentium from the UK
  • BitDefender from Romania
  • BullGuard from Denmark
  • Computer Associates from the USA
  • Comodo Group from the USA
  • ClamAV -- GPL license -- free and open source program
  • ClamWin -- ClamAV for Windows
  • Dr.Web from Russia
  • Eset NOD32 from Slovakia
  • Fortinet
  • Frisk Software from Iceland
  • F-Secure from Finland
  • GeCAD from Romania (Microsoft bought the company in 2003)
  • GFI Software
  • GriSoft (AVG) from the Czech Republic (free and paid versions)
  • Hauri
  • H+BEDV from Germany
  • Kaspersky Anti-Virus from Russia
  • McAfee from the USA
  • MicroWorld Technologies from India
  • NuWave Software from Ukraine
  • MKS from Poland
  • Norman from Norway
  • Outpost from Russia
  • Panda Software from Spain
  • Quick Heal AntiVirus from India
  • Rising
  • ROSE SWE
  • Sophos from the UK
  • Spyware Doctor
  • Stiller Research
  • Sybari Software (Microsoft bought the company in early 2005)
  • Symantec from the US or UK
  • Trojan Hunter
  • Trend Micro of Japan (nominally Taiwan-US)
  • Ukrainian National Antivirus from Ukraine
  • VirusBlockAda (VBA32) from Belarus
  • VirusBuster from Hungary
  • ZoneAlarm AntiVirus (American)
  • Checking a file with several antiviruses
  • Checking files for viruses before downloading
  • virusinfo.info - information security portal (virology conference) where help can be requested
  • antivse.com - another portal where you can download the most common antivirus programs, both paid and free
  • www.viruslist.ru - Internet virus encyclopedia created by Kaspersky Lab


Introduction

1. Theoretical part

1.1 The concept of information security

1.2 Types of threats

1.3 Information security methods

2. Design part

2.1 Classification of computer viruses

2.2 The concept of an anti-virus program

2.3 Types of antivirus tools

2.4 Comparison of antivirus packages

Conclusion

List of used literature

Application

Introduction

The development of new information technologies and general computerization have led to the fact that information security is not only becoming mandatory, it is also one of the characteristics of information systems. There is a rather extensive class of information processing systems in the development of which the security factor plays a primary role.

The mass use of personal computers is associated with the emergence of self-reproducing virus programs that prevent the normal operation of the computer, destroy the file structure of disks and damage the information stored on the computer.

Despite the laws adopted in many countries to combat computer crime and the development of special programs and new virus protection tools, the number of new software viruses is constantly growing. This requires the user of a personal computer to be knowledgeable about the nature of viruses, how they infect a computer and how to protect against them.

Every day, viruses become more sophisticated, which leads to a significant change in the threat profile. But the anti-virus software market is not standing still, offering a variety of products. Their users, presenting the problem only in general terms, often miss important nuances and end up with the illusion of protection instead of protection itself.

The purpose of this course work is to conduct a comparative analysis of anti-virus packages.

To achieve this goal, the following tasks are solved in the work:

To study the concepts of information security, computer viruses and anti-virus tools;

Determine the types of threats to information security, methods of protection;

To study the classification of computer viruses and anti-virus programs;

Conduct a comparative analysis of anti-virus packages;

Create an antivirus program.

The practical significance of the work.

The results obtained, the course work material can be used as a basis for self-comparison of anti-virus programs.

The structure of the course work.

This course work consists of Introduction, two sections, Conclusion, list of references.


1. Theoretical part

In the process of conducting a comparative analysis of anti-virus packages, it is necessary to define the following concepts:

1 Information security.

2 Types of threats.

3 Information security methods.

Let's take a closer look at these concepts:

1.1 The concept of information security

Despite the ever-increasing efforts to create data protection technologies, the vulnerability of data in modern conditions not only does not decrease but is constantly growing. Therefore, the urgency of the problems associated with the protection of information continues to grow as well.

The problem of information security is multifaceted and complex and covers a number of important tasks, for example ensuring data confidentiality, which is achieved by the use of various methods and means. The list of similar information security tasks can be continued. The intensive development of modern information technologies, and in particular network technologies, creates all the prerequisites for this.

Information protection is a set of measures aimed at ensuring the integrity, availability and, if necessary, confidentiality of information and resources used to enter, store, process and transmit data.

To date, two basic principles for information security have been formulated:

1 data integrity - protection against failures leading to the loss of information, as well as protection against unauthorized creation or destruction of data;

2 confidentiality of information.

Protection against failures leading to loss of information is carried out by increasing the reliability of the individual elements and systems that input, store, process and transmit data; by duplication and redundancy of individual elements and systems; by the use of various, including autonomous, power sources; by raising the qualification level of users; and by protection against unintentional and intentional actions leading to equipment failure or to the destruction or modification of software and protected information.

Protection against unauthorized creation or destruction of data is provided by physical protection of information, differentiation and restriction of access to elements of protected information, closing of protected information in the process of its direct processing, development of software and hardware systems, devices and specialized software to prevent unauthorized access to protected information.

Information confidentiality is ensured by identification and authentication of access subjects when entering the system by ID and password, identification of external devices by physical addresses, identification of programs, volumes, directories, files by name, encryption and decryption of information, differentiation and control of access to it.

Among the measures aimed at protecting information, the main ones are technical, organizational and legal.

Technical measures include protection against unauthorized access to the system, redundancy of especially important computer subsystems, organization of computer networks with the possibility of redistributing resources in the event of a malfunction of individual links, installation of backup power supply systems, equipping rooms with locks, installation of alarm systems and so on.

Organizational measures include: protection of the computer center (informatics rooms); conclusion of a contract for the maintenance of computer equipment with a reputable organization with a good reputation; exclusion of the possibility of work on computer equipment by strangers, random persons, and so on.

Legal measures include the development of rules establishing responsibility for the destruction of computer equipment and the destruction (change) of software, public control over developers and users of computer systems and programs.

It should be emphasized that no hardware, software or any other solutions can guarantee the absolute reliability and security of data in computer systems. At the same time, it is possible to minimize the risk of losses, but only with an integrated approach to information protection.

1.2 Types of threats

Passive threats are mainly aimed at the unauthorized use of information resources of an information system without affecting its functioning. For example, unauthorized access to databases, eavesdropping on communication channels, and so on.

Active threats are aimed at disrupting the normal functioning of the information system by purposefully influencing its components. Active threats include, for example, the destruction of a computer or its operating system, the destruction of computer software, disruption of communication lines, and so on. The source of active threats can be the actions of hackers, malware, and the like.

Deliberate threats are also divided into internal (arising within the managed organization) and external.

Internal threats are most often determined by social tension and a difficult moral climate.

External threats can be determined by the malicious actions of competitors, economic conditions, and other causes (for example, natural disasters).

The main threats to the security of information and the normal functioning of the information system include:

Leakage of confidential information;

Information compromise;

Unauthorized use of information resources;

Erroneous use of information resources;

Unauthorized exchange of information between subscribers;

Refusal of information;

Violation of information service;

Illegal use of privileges.

Leakage of confidential information is the uncontrolled release of confidential information outside the information system or the circle of persons to whom it was entrusted in the service or became known in the course of work. This leak may be due to:

Disclosure of confidential information;

Leakage of information through various, mainly technical, channels;

Unauthorized access to confidential information in various ways.

Disclosure of information by its owner or possessor consists of the intentional or careless actions of officials and users to whom the relevant information was duly entrusted in their service or work, which led to persons not admitted to this information becoming familiar with it.

Uncontrolled leakage of confidential information via visual-optical, acoustic, electromagnetic and other channels is possible.

Unauthorized access is an unlawful deliberate possession of confidential information by a person who does not have the right to access protected information.

The most common ways of unauthorized access to information are:

Interception of electronic radiation;

The use of listening devices;

Remote photography;

Interception of acoustic emissions and reconstruction of printer output;

Copying media with overcoming protection measures;

Disguise as a registered user;

Disguise under system requests;

Using software traps;

Exploiting shortcomings of programming languages and operating systems;

Illegal connection to equipment and communication lines of specially designed hardware that provides access to information;

Malicious disabling of protection mechanisms;

Decryption of encrypted information by special programs;

Information infections.

The listed ways of unauthorized access require quite a lot of technical knowledge and appropriate hardware or software developments on the part of the cracker. For example, technical leak channels are used - these are physical paths from the source of confidential information to the attacker, through which it is possible to obtain protected information. The reason for the occurrence of leakage channels is the design and technological imperfections of circuit solutions or the operational wear of the elements. All this allows hackers to create converters operating on certain physical principles, forming an information transmission channel inherent in these principles - a leakage channel.

However, there are quite primitive ways of unauthorized access:

Theft of information carriers and documentary waste;

Cooperation offered on an insider's own initiative;

Inducement to cooperate on the part of the intruder;

Probing;

Eavesdropping;

Observation and other ways.

Any methods of leakage of confidential information can lead to significant material and moral damage both for the organization where the information system operates and for its users.

There is and is constantly being developed a huge variety of malicious programs, the purpose of which is to corrupt information in databases and computer software. A large number of varieties of these programs does not allow the development of permanent and reliable remedies against them.

It is believed that the virus is characterized by two main features:

The ability to self-reproduce;

The ability to interfere in the computational process (to gain control).

Unauthorized use of information resources, on the one hand, is the consequences of its leakage and a means of compromising it. On the other hand, it has an independent value, since it can cause great damage to the managed system or its subscribers.

The erroneous use of information resources, while authorized, may nevertheless lead to the destruction, leakage or compromise of these resources.

Unauthorized exchange of information between subscribers may lead to the receipt by one of them of information, access to which is prohibited to him. The consequences are the same as with unauthorized access.

1.3 Information security methods

The creation of information security systems is based on the following principles:

1 A systematic approach to building a protection system, meaning the optimal combination of interrelated organizational, software, hardware, physical and other measures, confirmed by the practice of creating domestic and foreign protection systems and used at all stages of the technological cycle of information processing.

2 The principle of continuous development of the system. This principle, which is one of the fundamental ones for computer information systems, is even more relevant for information security systems. Methods for implementing information threats are constantly being improved, and therefore ensuring the security of information systems cannot be a one-time act. It is a continuous process that consists in substantiating and implementing the most rational methods, techniques and means of improving information security systems, continuously monitoring them, and identifying their bottlenecks and weaknesses, potential information leakage channels and new methods of unauthorized access.

3 Ensuring the reliability of the protection system, that is, the impossibility of reducing the level of protection in the event of faults, failures, intentional actions of an intruder or unintentional errors of users and maintenance personnel in the system.

4 Ensuring control over the functioning of the protection system, that is, the creation of means and methods for monitoring the performance of protection mechanisms.

5 Providing all kinds of anti-malware tools.

6 Ensuring the economic feasibility of using the protection system, which is expressed in the possible damage from the implementation of threats exceeding the cost of developing and operating the information security system.

As a result of solving information security problems, modern information systems should have the following main features:

Availability of information of varying degrees of confidentiality;

Ensuring cryptographic protection of information of varying degrees of confidentiality during data transmission;

Mandatory information flow management, both in local networks and when transmitting over communication channels over long distances;

The presence of a mechanism for registering and accounting for unauthorized access attempts, events in the information system and printed documents;

Mandatory ensuring the integrity of software and information;

Availability of means of restoring the information protection system;

Mandatory accounting of magnetic media;

The presence of physical protection of computer equipment and magnetic media;

The presence of a special information security service of the system.

Methods and means of ensuring information security.

Obstacle - a method of physically blocking the path of an attacker to protected information.

Access control - methods of protecting information by regulating the use of all resources. These methods must resist all possible ways of unauthorized access to information. Access control includes the following security features:

Identification of users, personnel and resources of the system (assignment of a personal identifier to each object);

Authentication of an object or subject by the identifier it presents;

Authorization and creation of working conditions within the established regulations;

Logging of accesses to protected resources;

Responding to attempts of unauthorized actions.

Encryption mechanisms - cryptographic concealment of information. These methods of protection are increasingly used both in the processing and in the storage of information on magnetic media. When transmitting information over long-distance communication channels, this method is the only reliable one.

Countering malware attacks involves a set of various organizational measures and the use of anti-virus programs.

The whole set of technical means is divided into hardware and physical.

Hardware - devices that are built directly into computer technology, or devices that interface with it via a standard interface.

Physical means include various engineering devices and structures that prevent the physical penetration of intruders into protected objects and protect personnel (personal security equipment), material assets and finances, and information from illegal actions.

Software tools are special programs and software systems designed to protect information in information systems.

Among the software of the protection system, the software that implements encryption mechanisms (cryptography) deserves to be singled out. Cryptography is the science of ensuring the secrecy and/or authenticity (genuineness) of transmitted messages.

Organizational means carry out by their complex the regulation of production activities in information systems and the relationship of performers on a legal basis in such a way that disclosure, leakage and unauthorized access to confidential information becomes impossible or significantly hampered by organizational measures.

Legislative remedies are determined by the laws of the country, which regulate the rules for the use, processing and transmission of restricted-access information and establish penalties for violating these rules.

Moral and ethical means of protection include all kinds of norms of behavior that have traditionally developed earlier, are formed as information spreads in the country and in the world, or are specially developed. Moral and ethical standards can be unwritten or drawn up in a certain set of rules or regulations. These norms, as a rule, are not legally approved, but since their non-compliance leads to a decrease in the prestige of the organization, they are considered mandatory.

2. Design part

In the design part, the following steps must be completed:

1 Define the concept of a computer virus and the classification of computer viruses.

2 Define the concept of an anti-virus program and the classification of anti-virus tools.

3 Conduct a comparative analysis of anti-virus packages.

2.1 Classification of computer viruses

A virus is a program that can infect other programs by including in them a modified copy that has the ability to further reproduce.

Viruses can be divided into classes according to the following main features:

Destructive capabilities;

Features of the operating algorithm;

Habitat.

According to their destructive capabilities, viruses can be divided into:

Harmless, that is, not affecting the operation of the computer in any way (except for reducing free disk space as a result of its distribution);

Non-dangerous, the impact of which is limited to a decrease in free disk space and graphic, sound and other effects;

Dangerous viruses that can cause serious computer malfunctions;

Very dangerous, the algorithm of which is deliberately based on procedures that can lead to the loss of programs, destroy data, or erase the information necessary for the operation of the computer that is recorded in system memory areas.

Features of the virus algorithm can be characterized by the following properties:

Residency;

Use of stealth algorithms;

Polymorphism.

Resident viruses.

The term "residency" refers to the ability of viruses to leave their copies in system memory, intercept certain events and, in doing so, call procedures for infecting detected objects (files and sectors). Thus, resident viruses are active not only while the infected program is running, but also after the program has finished its work. Resident copies of such viruses remain viable until the next reboot, even if all infected files are destroyed on the disk. It is often impossible to get rid of such viruses by restoring all copies of files from distribution disks or backup copies. The resident copy of the virus remains active and infects newly created files. The same is true for boot viruses - formatting a drive while there is a resident virus in memory does not always cure the drive, as many resident viruses re-infect the drive after it has been formatted.

Non-resident viruses. Non-resident viruses, on the contrary, are active for a rather short time - only at the moment the infected program is launched. To spread, they look for uninfected files on the disk and write themselves into them. After the virus code transfers control to the host program, the effect of the virus on the operation of the operating system is reduced to zero until the next launch of any infected program. Therefore, files infected with non-resident viruses are much easier to remove from the disk without allowing the virus to infect them again.

Stealth viruses. Stealth viruses in one way or another hide the fact of their presence in the system. The use of stealth algorithms allows viruses to completely or partially hide themselves in the system. The most common stealth algorithm is to intercept operating system requests to read (write) infected objects. At the same time, stealth viruses either temporarily cure them, or "substitute" uninfected pieces of information in their place. In the case of macro viruses, the most popular method is to disable calls to the macro view menu. Stealth viruses of all types are known, with the exception of Windows viruses - boot viruses, DOS file viruses, and even macro viruses. The emergence of stealth viruses that infect Windows files is most likely a matter of time.

Polymorphic viruses. Self-encryption and polymorphism are used by almost all types of viruses in order to complicate the virus detection procedure as much as possible. Polymorphic viruses are rather difficult-to-detect viruses that do not have signatures, that is, they do not contain a single permanent piece of code. In most cases, two samples of the same polymorphic virus will not have a single match. This is achieved by encrypting the main body of the virus and modifying the decryptor program.

Polymorphic viruses include those that cannot be detected using the so-called virus masks - sections of permanent code specific to a particular virus. This is achieved in two main ways - by encrypting the main virus code with a non-constant key and a random set of decryptor instructions, or by changing the actual virus code being executed. Polymorphism of varying degrees of complexity is found in viruses of all types, from boot and file DOS viruses to Windows viruses.

By habitat, viruses can be divided into:

File;

Boot;

Macroviruses;

Network.

File viruses. File viruses either infiltrate executable files in various ways, or create duplicate files (companion viruses), or use file system organization features (link viruses).

The introduction of a file virus is possible in almost all executable files of all popular operating systems. To date, viruses are known that infect all types of standard DOS executable objects: batch files (BAT), loadable drivers (SYS, including special files IO.SYS and MSDOS.SYS) and executable binary files (EXE, COM). There are viruses that infect executable files of other operating systems - Windows 3.x, Windows95/NT, OS/2, Macintosh, UNIX, including Windows 3.x and Windows95 VxD drivers.

There are viruses that infect files that contain source code programs, library or object modules. It is possible for a virus to write to data files, but this happens either as a result of a virus error or when its aggressive properties are manifested. Macro viruses also write their code to data files such as documents or spreadsheets, but these viruses are so specific that they are placed in a separate group.

Boot viruses. Boot viruses infect the boot sector of a floppy disk and the boot sector or Master Boot Record (MBR) of a hard drive. The principle of operation of boot viruses is based on the algorithm for starting the operating system when the computer is turned on or rebooted - after the necessary tests of the installed equipment (memory, disks, etc.), the system boot program reads the first physical sector of the boot disk (A:, C: or CD-ROM, depending on the options set in BIOS Setup) and transfers control to it.

In the case of a floppy disk or CD, control is received by the boot sector, which analyzes the disk parameter table (BPB - BIOS Parameter Block), calculates the addresses of the operating system's system files, reads them into memory and launches them for execution. The system files are usually MSDOS.SYS and IO.SYS, or IBMDOS.COM and IBMBIO.COM, or others depending on the installed version of DOS, Windows or another operating system. If there are no operating system files on the boot disk, the program located in the boot sector of the disk displays an error message and suggests replacing the boot disk.

In the case of a hard drive, control is received by a program located in the MBR of the hard drive. This program analyzes the disk partition table (Disk Partition Table), calculates the address of the active boot sector (usually this sector is the boot sector of disk C), loads it into memory and transfers control to it. Having received control, the active boot sector of the hard drive does the same actions as the floppy boot sector.

When infecting disks, boot viruses “substitute” their code for some program that takes control when the system boots. Thus, the principle of infection is the same in all the methods described above: the virus “forces” the system, when it is restarted, to read into memory and give control not to the original bootloader code, but to the virus code.

Floppy disks are infected by the only known method - the virus writes its own code instead of the original boot sector code of the diskette. The hard drive is infected in three possible ways - the virus is written either instead of the MBR code, or instead of the boot sector code of the boot disk (usually drive C), or it modifies the address of the active boot sector in the Disk Partition Table located in the MBR of the hard drive.
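As an added example that is not part of the original text, the following Python code checks the two hard-drive infection points that live inside the MBR itself: the MBR boot code and the active boot sector address in the Disk Partition Table. It relies only on the standard MBR layout (boot code in bytes 0..445, four 16-byte partition entries at offset 446, 0x55AA signature at the end); the disk images it audits are constructed in the code and are not images of any real disk.

```python
import hashlib
import struct

SECTOR_SIZE = 512
PART_TABLE_OFFSET = 446          # MBR boot code occupies bytes 0..445
PART_ENTRY_SIZE = 16
PART_ENTRY_FMT = "<B3xB3xII"     # status, CHS start (skipped), type, CHS end (skipped), LBA start, sector count
BOOT_SIGNATURE = b"\x55\xAA"     # last two bytes of a valid boot sector
ACTIVE_FLAG = 0x80


def parse_mbr(sector: bytes) -> dict:
    """Split a 512-byte MBR into its boot code hash, signature check and partition entries."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("an MBR is exactly one 512-byte sector")
    partitions = []
    for i in range(4):
        off = PART_TABLE_OFFSET + i * PART_ENTRY_SIZE
        status, p_type, lba_start, sectors = struct.unpack(
            PART_ENTRY_FMT, sector[off:off + PART_ENTRY_SIZE])
        partitions.append({"active": status == ACTIVE_FLAG, "type": p_type,
                           "lba_start": lba_start, "sectors": sectors})
    return {
        "code_hash": hashlib.sha256(sector[:PART_TABLE_OFFSET]).hexdigest(),
        "signature_ok": sector[SECTOR_SIZE - 2:] == BOOT_SIGNATURE,
        "partitions": partitions,
    }


def audit_mbr(baseline: bytes, current: bytes) -> list:
    """Compare the current MBR against a baseline taken while the disk was known to be clean.

    Reports the two MBR-resident infection methods from the text: boot code replaced,
    or the active boot sector pointer redirected. An empty list means no finding.
    """
    base, cur = parse_mbr(baseline), parse_mbr(current)
    findings = []
    if not cur["signature_ok"]:
        findings.append("boot signature 55AA missing: sector is not a valid MBR")
    if cur["code_hash"] != base["code_hash"]:
        findings.append("MBR boot code differs from baseline")
    active_base = [p for p in base["partitions"] if p["active"]]
    active_cur = [p for p in cur["partitions"] if p["active"]]
    if len(active_cur) != 1:
        findings.append(f"{len(active_cur)} active partitions, expected exactly 1")
    elif active_base and active_cur[0]["lba_start"] != active_base[0]["lba_start"]:
        findings.append("active boot sector redirected from LBA "
                        f"{active_base[0]['lba_start']} to LBA {active_cur[0]['lba_start']}")
    return findings


def build_mbr(code: bytes, partitions: list) -> bytes:
    """Assemble a constructed MBR for the demo; not an image of any real disk."""
    code = code.ljust(PART_TABLE_OFFSET, b"\x00")[:PART_TABLE_OFFSET]
    table = b"".join(struct.pack(PART_ENTRY_FMT, *entry) for entry in partitions)
    table = table.ljust(4 * PART_ENTRY_SIZE, b"\x00")
    return code + table + BOOT_SIGNATURE


# Constructed sample disks: two FAT16 (type 0x06) partitions, the first one active.
_CODE = b"\xEB\xFE"  # "jmp $" placeholder standing in for real bootloader code
_PARTS = [(ACTIVE_FLAG, 0x06, 63, 1_000_000), (0, 0x06, 1_000_063, 1_000_000)]
CLEAN_MBR = build_mbr(_CODE, _PARTS)
# Method 1 from the text: something wrote its own code in place of the MBR code.
CODE_REPLACED_MBR = build_mbr(b"\xEB\xFE\xCC\xCC", _PARTS)
# Method 3 from the text: the code is untouched but the active flag now points at another sector.
POINTER_REDIRECTED_MBR = build_mbr(
    _CODE, [(0, 0x06, 63, 1_000_000), (ACTIVE_FLAG, 0x06, 1_000_063, 1_000_000)])

if __name__ == "__main__":
    for label, image in [("clean", CLEAN_MBR), ("code replaced", CODE_REPLACED_MBR),
                         ("pointer redirected", POINTER_REDIRECTED_MBR)]:
        print(label, "->", audit_mbr(CLEAN_MBR, image) or ["ok"])
```

The same hash comparison applies unchanged to the active partition's own boot sector (method 2), which sits outside the MBR and is read separately.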

Macro viruses. Macro viruses infect files - documents and spreadsheets of several popular editors. Macro viruses are programs in languages (macro languages) built into some data processing systems. For their reproduction, such viruses use the capabilities of macro languages and with their help transfer themselves from one infected file to others. Macro viruses for Microsoft Word, Excel and Office97 have received the greatest distribution. There are also macro viruses that infect Ami Pro documents and Microsoft Access databases.

Network viruses. Network viruses include viruses that actively use the protocols and capabilities of local and global networks for their spread. The main principle of a network virus is the ability to independently transfer its code to a remote server or workstation. At the same time, "full-fledged" network viruses also have the ability to run their own code on a remote computer or, at least, "push" the user to launch the infected file. An example of network viruses is the so-called IRC worms.

IRC (Internet Relay Chat) is a special protocol designed for real-time communication between Internet users. This protocol provides them with the ability to "talk" on the Internet using specially designed software. In addition to attending general conferences, IRC users have the ability to chat one-on-one with any other user. In addition, there are a fairly large number of IRC commands with which the user can get information about other users and channels, change some settings of the IRC client, and so on. There is also the ability to send and receive files, which is what IRC worms are based on. The powerful and extensive command system of IRC clients makes it possible, based on their scripts, to create computer viruses that transfer their code to the computers of users of IRC networks, the so-called "IRC worms". The principle of operation of such IRC worms is approximately the same. With the help of IRC commands, a working script file is automatically sent from an infected computer to each user who newly joins the channel. The sent script file replaces the standard one, and during the next session the newly infected client will send out the worm. Some IRC worms also contain a Trojan component: they perform destructive actions on the affected computers on specified keywords. For example, the "pIRCH.Events" worm erases all files on the user's disk on a specific command.

There are a large number of combinations - for example, file-boot viruses that infect both files and boot sectors of disks. Such viruses, as a rule, have a rather complex algorithm of work, often use original methods of penetrating the system, use stealth and polymorphic technologies. Another example of such a combination is a network macro virus that not only infects edited documents, but also sends copies of itself by e-mail.

In addition to this classification, a few words should be said about other malware that is sometimes confused with viruses. These programs do not have the ability to self-propagate like viruses, but they can do just as devastating damage.

Trojan horses (logic bombs or time bombs).

Trojan horses include programs that perform some destructive action, that is, depending on some condition or at each launch, destroy information on disks, "hang" the system, and so on. As an example, one can cite such a case - a program that, during an Internet session, sent its author the identifiers and passwords from the computers where it lived. Most of the well-known Trojan horses are programs that "impersonate" some useful program, a new version of a popular utility or an add-on to one. Very often they are sent to BBS stations or electronic conferences. Compared to viruses, "Trojan horses" are not widely used for the following reasons - they either destroy themselves along with the rest of the data on the disk, or reveal their presence and are destroyed by the affected user.

2.2 The concept of an anti-virus program

Ways to counteract computer viruses can be divided into several groups:

Prevention of viral infection and reduction of the expected damage from such infection;

Methodology for using anti-virus programs, including the neutralization and removal of a known virus;

Ways to detect and remove an unknown virus.

Prevention of computer infection.

One of the main methods of combating viruses is, as in medicine, timely prevention. Computer prevention involves following a small number of rules, which can significantly reduce the likelihood of a virus infection and loss of any data.

In order to determine the basic rules of computer “hygiene”, it is necessary to find out the main ways in which a virus enters a computer and computer networks.

The main source of viruses today is the global Internet. The greatest number of virus infections occurs when exchanging letters in Word/Office97 formats. The user of an editor infected with a macro virus, without suspecting it, sends infected letters to recipients, who in turn send new infected letters, and so on. Contact with suspicious sources of information should be avoided and only legal (licensed) software products should be used.

Recovery of damaged objects.

In most cases of virus infection, the procedure for recovering infected files and disks comes down to running a suitable antivirus that can disinfect the system. If the virus is unknown to any antivirus, it is enough to send the infected file to the antivirus manufacturers and after a while receive an "update" with a cure for the virus. If the matter cannot wait, the virus will have to be neutralized on one's own. Most users need to have backup copies of their information.

General information security tools are useful for more than just protecting against viruses. There are two main types of such tools:

1 Copying information - creating copies of files and system areas of disks.

2 Access control prevents unauthorized use of information, in particular, protection against changes to programs and data by viruses, malfunctioning programs and erroneous actions of users.

Timely detection of virus-infected files and disks, complete destruction of detected viruses on each computer helps to avoid the spread of a virus epidemic to other computers.

The main weapon in the fight against viruses are anti-virus programs. They allow not only to detect viruses, including viruses that use various masking methods, but also to remove them from the computer.

There are several basic virus scanning methods that are used by antivirus programs. The most traditional method for finding viruses is scanning.

To detect, remove and protect against computer viruses, several types of special programs have been developed that allow you to detect and destroy viruses. Such programs are called antivirus programs.

2.3 Types of antivirus tools

Programs-detectors. Detector programs search for a signature characteristic of a particular virus in RAM and in files and, if detected, issue a corresponding message. The disadvantage of such anti-virus programs is that they can only find viruses that are known to the developers of such programs.

Doctor programs. Doctor programs or phages, as well as vaccine programs, not only find virus-infected files, but also “cure” them, that is, they remove the body of the virus program from the file, returning the files to their original state. At the beginning of their work, phages look for viruses in RAM, destroying them, and only then proceed to “treatment” of files. Among phages, polyphages are distinguished, that is, doctor programs designed to search for and destroy a large number of viruses. The most famous of them are: AVP, Aidstest, Scan, Norton AntiVirus, Doctor Web.

Given that new viruses are constantly appearing, detection programs and doctor programs quickly become outdated, and regular updates are required.

Auditor programs (inspectors) are among the most reliable means of protecting against viruses.

Auditors (inspectors) check the data on the disk for invisible viruses. Moreover, the inspector may not use the means of the operating system to access disks, which means that an active virus will not be able to intercept this access.

The fact is that a number of viruses, infiltrating files (that is, appending to the end or to the beginning of the file), replace the entries about this file in the file allocation tables of our operating system.

Auditors (inspectors) remember the initial state of programs, directories and system areas of the disk when the computer is not infected with a virus, and then periodically or at the request of the user compare the current state with the original one. The detected changes are displayed on the monitor screen. As a rule, states are compared immediately after the operating system is loaded. When comparing, the file length, cyclic redundancy code (file checksum), date and time of modification, and other parameters are checked. Auditor programs (inspectors) have sufficiently developed algorithms, detect stealth viruses and can even remove the changes made by the virus from the program being checked.

It is necessary to launch the auditor (inspector) when the computer is not yet infected, so that it can create a table in the root directory of each disk, with all the necessary information about the files that are on this disk, as well as about its boot area. Permission will be requested to create each table. At the next launches, the auditor (inspector) will look through the disks, comparing the data about each file with its own records.

If infections are detected, the auditor (inspector) will be able to use its own curing module, which will restore the file corrupted by the virus. To restore files, the inspector does not need to know anything about a specific type of virus; it is enough to use the data about the files stored in the tables.

In addition, if necessary, a virus scanner can be called.

Filter programs (monitors). Filter programs (monitors) or "watchmen" are small resident programs designed to detect suspicious actions during computer operation that are characteristic of viruses. Such actions may be:

Attempts to correct files with COM, EXE extensions;

Changing file attributes;

Direct write to disk at absolute address;

Writing to disk boot sectors.

When any program tries to perform the specified actions, the "watchman" sends a message to the user and offers to prohibit or allow the corresponding action. Filter programs are very useful, as they are able to detect a virus at the earliest stage of its existence before reproduction. However, they do not "heal" files and disks. To destroy viruses, you need to use other programs, such as phages.

Vaccines or immunizers. Vaccines are resident programs that prevent file infection. Vaccines are used if there are no doctor programs that "treat" this virus. Vaccination is possible only against known viruses. The vaccine modifies the program or disk in such a way that it does not affect their work, and the virus will perceive them as infected and therefore will not take root. Vaccine programs are currently of limited use.

Scanner. The principle of operation of anti-virus scanners is based on scanning files, sectors and system memory and searching for known and new (unknown to the scanner) viruses in them. So-called "masks" are used to search for known viruses. A virus mask is some constant code sequence specific to that particular virus. If the virus does not contain a permanent mask, or the length of this mask is not large enough, then other methods are used. An example of such a method is an algorithmic language that describes all possible code variants that can be encountered when this type of virus is infected. This approach is used by some antiviruses to detect polymorphic viruses. Scanners can also be divided into two categories - "universal" and "specialized". Universal scanners are designed to search for and neutralize all types of viruses, regardless of the operating system in which the scanner is designed to work. Specialized scanners are designed to neutralize a limited number of viruses or only one class of them, such as macro viruses. Specialized scanners designed only for macro viruses often turn out to be the most convenient and reliable solution for protecting workflow systems in MSWord and MSExcel environments.

Scanners are also divided into "resident" (monitors, watchmen), which scan "on the fly", and "non-resident", which provide system checks only on request. As a rule, "resident" scanners provide more reliable system protection, since they immediately respond to the appearance of a virus, while a "non-resident" scanner is able to identify a virus only during its next launch. On the other hand, a resident scanner can slow down the computer somewhat, including due to possible false positives.

The advantages of scanners of all types include their versatility, the disadvantages are the relatively low speed of virus search.
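To show what a "mask" is in practice, here is an added Python example (not code from the original text or from any antivirus product) of a mask-based scanner: masks are written as hex bytes with "??" for positions the virus may vary, and the scanner jumps between candidate offsets using the leading fixed bytes. The signature names, mask bytes and scanned objects are all constructed for the demo and are not real virus signatures.

```python
import re
from pathlib import Path


def parse_mask(text: str) -> list:
    """Parse a mask written as hex bytes, e.g. '44 45 ?? 4F', into [0x44, 0x45, None, 0x4F].

    '??' marks a position the virus may vary (the text's "non-permanent" bytes).
    """
    mask = []
    for tok in text.split():
        if tok == "??":
            mask.append(None)
        elif re.fullmatch(r"[0-9A-Fa-f]{2}", tok):
            mask.append(int(tok, 16))
        else:
            raise ValueError(f"bad mask token {tok!r}")
    if not mask or mask[0] is None:
        raise ValueError("a mask must start with at least one fixed byte")
    return mask


def find_mask(data: bytes, mask: list) -> list:
    """Return every offset in data where the mask matches; wildcards match any byte."""
    fixed_len = (mask + [None]).index(None)       # length of the leading fixed run
    prefix = bytes(mask[:fixed_len])
    hits = []
    pos = data.find(prefix)                       # jump between candidate offsets
    while pos != -1:
        window = data[pos:pos + len(mask)]
        if len(window) == len(mask) and all(m is None or m == b for m, b in zip(mask, window)):
            hits.append(pos)
        pos = data.find(prefix, pos + 1)
    return hits


# Constructed demo masks (hex bytes, ?? = wildcard). These are not real virus signatures.
SIGNATURES = {
    "Demo.Const.A": parse_mask("44 45 4D 4F 2D 56 49 52 2D 41"),            # "DEMO-VIR-A"
    "Demo.Wild.B":  parse_mask("44 45 4D 4F 2D ?? ?? 2D 42 2D 53 49 47"),   # "DEMO-??-B-SIG"
}


def scan_buffer(data: bytes, signatures: dict = SIGNATURES) -> list:
    """Scan one in-memory object; returns (signature name, offset) for every hit."""
    return [(name, off) for name, mask in signatures.items() for off in find_mask(data, mask)]


def scan_file(path: Path, signatures: dict = SIGNATURES) -> list:
    """Scan a file from disk with the same masks."""
    return scan_buffer(path.read_bytes(), signatures)


def mask_too_short(mask: list, min_fixed: int = 8) -> bool:
    """A mask with few fixed bytes (such as the 'MZ' header alone) will hit benign files."""
    return sum(1 for m in mask if m is not None) < min_fixed


# Constructed sample objects.
CLEAN_OBJECT = b"MZ" + b"\x90" * 32 + b"hello, world"
INFECTED_A = b"MZ" + b"\x00" * 10 + b"DEMO-VIR-A" + b"\x90" * 4
# Two copies of the same demo "virus" whose two variable bytes differ; the wildcard mask catches both.
VARIANTS_B = b"xx" + b"DEMO-01-B-SIG" + b"..." + b"DEMO-zz-B-SIG"

if __name__ == "__main__":
    for label, obj in [("clean", CLEAN_OBJECT), ("A", INFECTED_A), ("B variants", VARIANTS_B)]:
        print(label, scan_buffer(obj))
    print("'MZ' alone is too short a mask:", mask_too_short(parse_mask("4D 5A")))
```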

CRC scanners. The principle of operation of CRC scanners is based on the calculation of CRC sums (checksums) for the files and system sectors present on the disk. These CRC sums are then stored in the antivirus database, together with some other information: file lengths, dates of their last modification, and so on. The next time CRC scanners are run, they check the data contained in the database against the actual computed values. If the file information recorded in the database does not match the real values, the CRC scanner signals that the file has been modified or infected with a virus. CRC scanners using anti-stealth algorithms are a pretty strong weapon against viruses: almost 100% of viruses are detected almost immediately after they appear on a computer. However, this type of antivirus has an inherent flaw, which significantly reduces its effectiveness. This disadvantage is that CRC scanners are not able to catch a virus at the moment of its appearance in the system, but do so only after some time, after the virus has spread throughout the computer. CRC scanners cannot detect a virus in new files (in e-mail, on floppy disks, in files restored from a backup or when unpacking files from an archive), because their databases have no information about these files. Moreover, viruses periodically appear that use this "weakness" of CRC scanners, infect only newly created files and thus remain invisible to them.
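The auditor (inspector) described in 2.3 and the CRC scanner described here are the same idea, so one added Python example (not code from the original text or from any product) serves both: it records CRC32, length and modification time for executable files, compares a later scan against that baseline, and shows the two points the text makes: a restored timestamp does not hide a content change, and a file with no baseline record can only be reported as unknown. The directory, file names and the appended "infection" are all constructed in the code.

```python
import os
import tempfile
import zlib
from pathlib import Path

CHECKED_SUFFIXES = {".exe", ".com", ".sys", ".bat"}   # the executable objects the text lists


def file_record(path: Path) -> dict:
    """CRC32, length and modification time of one file, as the text describes."""
    data = path.read_bytes()
    return {"crc32": zlib.crc32(data) & 0xFFFFFFFF,
            "length": len(data),
            "mtime": int(path.stat().st_mtime)}


def take_baseline(root: Path) -> dict:
    """Record every checked file below root; run this only on a known-clean system."""
    return {str(p.relative_to(root)): file_record(p)
            for p in sorted(root.rglob("*"))
            if p.is_file() and p.suffix.lower() in CHECKED_SUFFIXES}


def compare_with_baseline(baseline: dict, root: Path) -> dict:
    """Re-scan root and report modified, missing and unknown (never baselined) files."""
    current = take_baseline(root)
    report = {"modified": [], "missing": [], "unknown": []}
    for name, old in baseline.items():
        new = current.get(name)
        if new is None:
            report["missing"].append(name)
            continue
        if new["crc32"] != old["crc32"] or new["length"] != old["length"]:
            report["modified"].append({
                "name": name,
                "length_delta": new["length"] - old["length"],
                # a virus may restore the timestamp, so mtime alone is not trusted
                "mtime_changed": new["mtime"] != old["mtime"],
            })
    # The inherent weakness from the text: files with no baseline record can only be
    # listed as unknown; the checker has nothing to compare them against.
    report["unknown"] = sorted(set(current) - set(baseline))
    return report


def demo() -> dict:
    """Build a constructed directory, baseline it, simulate two events and re-check."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "PROG.EXE").write_bytes(b"MZ" + b"\x90" * 64)
        (root / "TOOL.COM").write_bytes(b"\xB8\x00\x4C\xCD\x21")   # "mov ax,4C00h; int 21h" (DOS exit)
        (root / "README.TXT").write_bytes(b"not an executable, not checked")
        baseline = take_baseline(root)

        # Event 1: a constructed appending infector grows PROG.EXE and restores its timestamp.
        prog = root / "PROG.EXE"
        stat = prog.stat()
        prog.write_bytes(prog.read_bytes() + b"CONSTRUCTED-APPENDED-BODY")
        os.utime(prog, (stat.st_atime, stat.st_mtime))

        # Event 2: a brand-new executable arrives (e.g. unpacked from an archive).
        (root / "NEW.EXE").write_bytes(b"MZ" + b"\x00" * 16)
        return compare_with_baseline(baseline, root)


if __name__ == "__main__":
    print(demo())
```

In a real deployment the baseline table itself must be stored where a virus cannot rewrite it (the text's reason for the inspector bypassing the operating system's disk access), otherwise the comparison proves nothing.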

Blockers. Blockers are resident programs that intercept "virus-dangerous" situations and notify the user about it. “Virus-dangerous” include calls to open for writing to executable files, writing to the boot sectors of disks or the MBR of a hard drive, attempts by programs to remain resident, and so on, that is, calls that are typical for viruses at the moments of reproduction. Sometimes some blocker functions are implemented in resident scanners.

The advantages of blockers include their ability to detect and stop the virus at the earliest stage of its reproduction. The disadvantages include the existence of ways to bypass the protection of blockers and a large number of false positives.

It is also necessary to note such a direction of anti-virus tools as anti-virus blockers, made in the form of computer hardware components. The most common is the write protection built into the BIOS in the MBR of the hard drive. However, as in the case of software blockers, such protection can be easily bypassed by direct writing to the ports of the disk controller, and running the FDISK DOS utility immediately causes a “false positive” of protection.

There are several more universal hardware blockers, but to the disadvantages listed above, there are also compatibility problems with standard computer configurations and difficulties in installing and configuring them. All this makes hardware blockers extremely unpopular compared to other types of anti-virus protection.

2.4 Comparison of antivirus packages

Regardless of which information system needs to be protected, the most important parameter when comparing antiviruses is the ability to detect viruses and other malicious programs.

However, although this parameter is important, it is by no means the only one.

The fact is that the effectiveness of an anti-virus protection system depends not only on its ability to detect and neutralize viruses, but also on many other factors.

An anti-virus should be easy to use, without distracting the computer user from performing his direct duties. If the antivirus annoys the user with persistent requests and messages, sooner or later it will be disabled. The antivirus interface should be friendly and understandable, since not all users have extensive experience with computer programs. Without understanding the meaning of the message that appears on the screen, you can unwittingly allow a virus infection even with an antivirus installed.

The most convenient mode of anti-virus protection is when all opened files are scanned. If the antivirus is not able to work in this mode, the user will have to run a scan of all disks every day to detect newly emerging viruses. This procedure can take tens of minutes or even hours if we are talking about large disks installed, for example, on a server.

Since new viruses appear every day, it is necessary to update the antivirus database periodically. Otherwise, the effectiveness of anti-virus protection will be very low. Modern anti-viruses, after appropriate configuration, can automatically update anti-virus databases via the Internet, without distracting users and administrators to perform this routine work.

When protecting a large corporate network, such an antivirus comparison parameter as the presence of a network control center comes to the fore. If a corporate network unites hundreds or thousands of workstations and tens or hundreds of servers, it is practically impossible to organize effective anti-virus protection without a network control center. One or more system administrators will not be able to go round all the workstations and servers installing and configuring anti-virus programs on them. This requires technologies that allow centralized installation and configuration of antiviruses on all computers in the corporate network.

Protecting Internet hosts such as mail servers and messaging servers requires the use of specialized antivirus tools. Conventional file-scanning antiviruses will not be able to find malicious code in the databases of messaging servers or in the data stream passing through mail servers.

Usually, other factors are also taken into account when comparing antivirus tools. State institutions may, other things being equal, prefer domestically produced antiviruses that have all the necessary certificates. The reputation that one or another antivirus tool has earned among computer users and system administrators also plays a significant role. Personal preference can play a significant role in the choice as well.

To prove the benefits of their products, antivirus developers often cite the results of independent tests. At the same time, users often do not understand what exactly was checked in such a test and how.

In this work, the most popular anti-virus programs at the moment have been subjected to a comparative analysis, namely: Kaspersky Anti-Virus, Symantec/Norton, Doctor Web, Eset Nod32, Trend Micro, McAfee, Panda, Sophos, BitDefender, F-Secure, Avira, Avast!, AVG, Microsoft.

One of the first to test anti-virus products was the British magazine Virus Bulletin. The first tests published on its website date back to 1998. The test is based on the WildList malware collection. To pass the test, a product must detect every virus in this collection and show zero false positives on a collection of "clean" files. Testing is carried out several times a year on various operating systems; products that pass the test receive the VB100% award. Figure 1 shows how many VB100% awards the products of various antivirus companies have received.

Of course, Virus Bulletin magazine can be called the oldest antivirus tester, but the status of patriarch does not shield it from criticism by the antivirus community. First, WildList includes only viruses and worms, and only for the Windows platform. Secondly, the WildList collection contains a small number of malicious programs and is replenished very slowly: only a few dozen new viruses are added to the collection per month, while, for example, the AV-Test collection grows by tens or even hundreds of thousands of malware samples in the same time.

All this suggests that in its present form, the WildList collection is obsolete and does not reflect the real situation with viruses on the Internet. As a result, tests based on the WildList collection become increasingly pointless. They are good for advertising products that have passed them, but they do not really reflect the quality of anti-virus protection.

Figure 1 - The number of successfully passed VB100% tests

Independent research laboratories such as AV-Comparatives and AV-Test test antivirus products twice a year for on-demand malware detection. The collections used for testing contain up to a million malicious programs and are regularly updated. The test results are published on the websites of these organizations (www.AV-Comparatives.org, www.AV-Test.org) and in the well-known computer magazines PC World and PC Welt. The results of the latest tests are presented below:


Figure 2 - Overall malware detection rate according to AV-Test

If we talk about the most common products, then according to the results of these tests, only solutions from Kaspersky Lab and Symantec are in the top three. Avira, the leader in the tests, deserves special attention.

Tests by the research laboratories AV-Comparatives and AV-Test, like any tests, have their pros and cons. The upside is that testing is done on large collections of malware and that these collections represent a wide variety of malware types. The downside is that these collections contain not only "fresh" malware samples but also relatively old ones; as a rule, samples collected within the last six months are used. In addition, these tests analyze the results of on-demand hard-disk scans, whereas in real life the user downloads infected files from the Internet or receives them as e-mail attachments. It is important to detect such files at the very moment they appear on the user's computer.

An attempt to develop a testing methodology that does not suffer from this problem was undertaken by one of the oldest British computer magazines - PC Pro. Their test used a collection of malware that had been detected two weeks prior to the test in traffic passing through MessageLabs' servers. MessageLabs offers its customers services for filtering various types of traffic, and its collection of malicious programs really reflects the situation with the spread of computer viruses on the Web.

The PC Pro magazine team did not simply scan infected files but simulated user actions: infected files were attached to e-mails, and these e-mails were downloaded to a computer with an antivirus installed. In addition, with the help of specially written scripts, infected files were downloaded from a Web server, that is, the user's Web surfing was simulated. The conditions of such tests are as close to real as possible, which could not but affect the results: the detection rate of most antiviruses turned out to be significantly lower than in a simple on-demand scan in the AV-Comparatives and AV-Test tests. In such tests, an important role is played by how quickly antivirus developers react to the appearance of new malware, as well as by what proactive mechanisms are used to detect malware.

The speed of release of antivirus updates with new malware signatures is one of the most important components of effective antivirus protection. The sooner the signature database update is released, the less time the user will remain unprotected.


Figure 3 - Average response time to new threats

Lately, new malware has been appearing so frequently that antivirus labs can barely keep up with new samples. In such a situation, the question arises of how an antivirus can resist not only already known viruses, but also new threats for the detection of which a signature has not yet been released.

So-called proactive technologies are used to detect unknown threats. These technologies can be divided into two types: heuristics (detect malicious programs based on the analysis of their code) and behavioral blockers (block the actions of malicious programs when they run on a computer, based on their behavior).

If we talk about heuristics, their effectiveness has long been studied by AV-Comparatives, a research laboratory led by Andreas Clementi. The AV-Comparatives team uses a special technique: antiviruses are checked against the current virus collection, but with three-month-old signatures. Thus, the antivirus has to counter malware it knows nothing about. The antiviruses are tested by scanning the malware collection on the hard drive, so only the effectiveness of the heuristics is checked; the other proactive technology, the behavioral blocker, is not exercised in these tests. Even the best heuristics currently show a detection rate of only about 70%, and many of them still suffer from false positives on clean files. All this suggests that so far this proactive detection method can only be used together with the signature method.

As for another proactive technology - a behavioral blocker, no serious comparative tests have been conducted in this area. First, many anti-virus products (Doctor Web, NOD32, Avira, and others) do not have a behavioral blocker. Secondly, the conduct of such tests is fraught with some difficulties. The fact is that to test the effectiveness of a behavioral blocker, it is necessary not to scan a disk with a collection of malicious programs, but to run these programs on a computer and observe how successfully the antivirus blocks their actions. This process is very time consuming and few researchers are capable of undertaking such tests. All that is currently available to the general public is the results of individual product tests conducted by the AV-Comparatives team. If, during testing, antiviruses successfully blocked the actions of malicious programs unknown to them while they were running on a computer, then the product received the Proactive Protection Award. Currently, such awards have been received by F-Secure with DeepGuard behavioral technology and Kaspersky Anti-Virus with the Proactive Defense module.

Infection prevention technologies based on analysis of malware behavior are becoming more widespread, and the lack of comprehensive comparative tests in this area cannot but be alarming. Recently, specialists from the AV-Test research laboratory held a wide discussion on this issue, in which developers of antivirus products also participated. The result of this discussion was a new methodology for testing the ability of antivirus products to resist unknown threats.

A high level of malware detection using various technologies is one of the most important characteristics of an antivirus. However, an equally important characteristic is the absence of false positives. False positives can harm the user no less than a virus infection: they can block programs the user needs, block access to sites, and so on.

In the course of its research, AV-Comparatives, along with studying the ability of antiviruses to detect malware, also conducts tests for false positives on collections of clean files. According to the test, the largest number of false positives was found in Doctor Web and Avira antiviruses.

There is no 100% protection against viruses. From time to time, users are faced with a situation where a malicious program has penetrated a computer and the computer has become infected. This happens either because there was no antivirus on the computer at all, or because the antivirus did not detect the malware either by signature or by proactive methods. In such a situation, it is important that, when an antivirus with fresh signature databases is installed on the computer, it can not only detect the malicious program but also successfully eliminate all the consequences of its activity, that is, cure an active infection. At the same time, it is important to understand that virus writers are constantly improving their "skill", and some of their creations are quite difficult to remove from the computer: malicious programs can mask their presence in the system in various ways (including with the help of rootkits) and even counteract the work of anti-virus programs. In addition, it is not enough simply to delete or disinfect an infected file; all changes made by the malicious process in the system must be eliminated and the system completely restored to working order. The team of the Russian portal Anti-Malware.ru conducted such a test; its results are shown in Figure 4.

Figure 4 - Treatment of active infection

Above, various approaches to testing antiviruses have been considered, and it has been shown which parameters of antivirus operation are assessed during testing. It can be concluded that for some antiviruses one indicator turns out to be advantageous, for others another. At the same time, it is natural that in their promotional materials antivirus developers focus only on those tests where their products occupy a leading position. For example, Kaspersky Lab focuses on the speed of response to new threats, Eset on the strength of its heuristic technologies, and Doctor Web describes its advantages in the treatment of active infections.

Thus, a synthesis of the results of various tests should be carried out. This is how the positions that antiviruses took in the tests considered are summarized, and an integrated assessment is derived - what place on average for all tests is occupied by a particular product. As a result, in the top three winners: Kaspersky, Avira, Symantec.


Based on the analysis of the anti-virus packages, a software product was created that searches for and disinfects files infected with the SVC 5.0 virus. This virus does not lead to unauthorized deletion or copying of files; however, it significantly interferes with normal work with the computer's software.

Infected programs are longer than the original ones. However, when browsing directories on an infected machine this will not be visible, since the virus checks whether each found file is infected or not; if the file is infected, the length of the uninfected file is written to the DTA.

This virus can be detected in the following way. The data area of the virus contains the character string "(c) 1990 by SVC,Ver. 5.0", by which the virus, if it is on the disk, can be found.

When writing an anti-virus program, the following sequence of actions is performed:

1 For each file being checked, the time of its creation is determined.

2 If the number of seconds is sixty, then three bytes are checked at an offset equal to "file length minus 8AH". If they are equal to 35H, 2EH, 30H, respectively, then the file is infected.

3 The first 24 bytes of the original code are decoded, which are located at the offset "file length minus 01CFH plus 0BAAH". The keys for decoding are located at the offsets "file length minus 01CFH plus 0C1AH" and "file length minus 01CFH plus 0C1BH".

4 The decoded bytes are written to the beginning of the program.

5 The file is "truncated" to "file length minus 0C1FH".

The program was created in the TurboPascal programming environment. The text of the program is set out in Appendix A.
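The following Python code is an added example, not the course work's Turbo Pascal program: it applies the same five steps to a file held in memory, using the offsets from the program listing in Appendix A (the three check bytes 35H 2EH 30H are the ASCII "5.0" tail of the marker string). The page does not say how the 24 saved bytes are encoded, so XOR with both keys is an assumption passed in as a parameter, and make_infected_sample builds a constructed fixture in that layout rather than using any real sample.

```python
MARKER = b"(c) 1990 by SVC,Ver. 5.0"   # string in the virus data area
VIRUS_LEN = 0x0C1F                     # bytes the virus appends to a host
CHECK_OFF = 0x8A                       # "5.0" (35H 2EH 30H) at length-8AH
SAVED_OFF = 0x0C1F - 0x0BAA            # 75H: the 24 saved host bytes
KEYS_OFF = 0x0C1F - 0x0C1A             # 5: Key1 at length-5, Key2 at length-4
HEAD_LEN = 24


def dos_time_seconds(dos_time: int) -> int:
    """FAT/DOS time word keeps seconds/2 in bits 0-4; value 30 reads as 60."""
    return (dos_time & 0x1F) * 2


def is_infected(data: bytes, dos_time: int) -> bool:
    """Steps 1-2 of the procedure: time mark plus the three bytes at -8AH."""
    if dos_time_seconds(dos_time) != 60 or len(data) < VIRUS_LEN:
        return False
    pos = len(data) - CHECK_OFF
    return data[pos:pos + 3] == b"\x35\x2e\x30"


def has_marker(data: bytes) -> bool:
    """Slower, timestamp-independent check: look for the marker string."""
    return MARKER in data


def xor_decode(b: int, key1: int, key2: int) -> int:
    """ASSUMED decoding of one saved byte; the real operation is not given."""
    return (b ^ key1) ^ key2


def disinfect(data: bytes, decode=xor_decode) -> bytes:
    """Steps 3-5: decode the saved head, put it back, cut the virus body off."""
    n = len(data)
    key1, key2 = data[n - KEYS_OFF], data[n - KEYS_OFF + 1]
    saved = data[n - SAVED_OFF:n - SAVED_OFF + HEAD_LEN]
    head = bytes(decode(b, key1, key2) for b in saved)
    return head + data[HEAD_LEN:n - VIRUS_LEN]


def make_infected_sample(host: bytes, key1: int, key2: int) -> bytes:
    """Constructed fixture in the layout disinfect() expects (no real code).

    The host's first 24 bytes are replaced by a jump-like stub and a body of
    VIRUS_LEN filler bytes is appended carrying the marker string, the
    encoded head and the two keys at the offsets used by the listing.
    """
    body = bytearray(b"\x90" * VIRUS_LEN)
    sig = VIRUS_LEN - CHECK_OFF - (len(MARKER) - 3)   # "5.0" lands at -8AH
    body[sig:sig + len(MARKER)] = MARKER
    enc = bytes((b ^ key2) ^ key1 for b in host[:HEAD_LEN])
    body[VIRUS_LEN - SAVED_OFF:VIRUS_LEN - SAVED_OFF + HEAD_LEN] = enc
    body[VIRUS_LEN - KEYS_OFF] = key1
    body[VIRUS_LEN - KEYS_OFF + 1] = key2
    return b"\xe9" + b"\x00" * (HEAD_LEN - 1) + host[HEAD_LEN:] + bytes(body)


if __name__ == "__main__":
    host = bytes(range(HEAD_LEN)) + b"HOST PROGRAM BODY " * 8
    infected = make_infected_sample(host, 0x5A, 0xA3)
    print("infected:", is_infected(infected, 0x001E), has_marker(infected))
    print("restored:", disinfect(infected) == host)
```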

Conclusion

In this course work, a comparative analysis of anti-virus packages was carried out.

In the course of the analysis, the tasks set at the beginning of the work were successfully solved. Thus, the concepts of information security, computer viruses and anti-virus tools were studied, types of information security threats, protection methods were identified, the classification of computer viruses and anti-virus programs was considered and a comparative analysis of anti-virus packages was carried out, a program was written that searches for infected files.

The results obtained during the work can be applied when choosing an anti-virus tool.

All the results obtained are reflected in the work with the help of diagrams, so the user can independently check the conclusions made in the final diagram, which reflects the synthesis of the revealed results of various tests of anti-virus tools.

The results obtained during the work can be used as a basis for self-comparison of anti-virus programs.

In light of the widespread use of information technology, the presented course work is relevant and meets the requirements set for it. In the course of the work, the most popular anti-virus tools were considered.



Appendix A

Program listing

Program ANTIVIRUS;

Uses Dos, Crt, Printer;

Type
  St80 = String[80];

Var
  FileInfection: File Of Byte;
  SearchFile: SearchRec;
  Mas: Array[1..255] Of St80;       { stack of subdirectories still to be scanned }
  MasByte: Array[1..3] Of Byte;     { the three signature bytes read at length - 8AH }
  Position, I, J, K: Byte;          { K = number of entries in Mas }
  Num, NumberOfFile, NumberOfInfFile: Word;
  Flag, NextDisk, Error: Boolean;
  Key1, Key2, Key3, NumError: Byte;
  MasScreen: Array[0..3999] Of Byte Absolute $B800:0000;  { text-mode video memory }
  Ch, Disk: Char;
  St: St80;
  DT: DateTime;
  R: Registers;

{ Restores a file infected with SVC 5.0: reads the two keys, decodes the 24
  saved bytes of the original program, writes them back to the start of the
  file and truncates the virus body (0C1FH bytes) from the end. }
Procedure Cure(St: St80);
Var
  I: Byte;
  MasCure: Array[1..24] Of Byte;
Begin
  Assign(FileInfection, St); Reset(FileInfection);
  NumError := IOResult;
  If (NumError <> 0) Then Begin Error := True; Exit; End;
  Seek(FileInfection, FileSize(FileInfection) - ($0C1F - $0C1A));
  NumError := IOResult;
  If (NumError <> 0) Then Begin Error := True; Exit; End;
  Read(FileInfection, Key1);
  NumError := IOResult;
  If (NumError <> 0) Then Begin Error := True; Exit; End;
  Read(FileInfection, Key2);
  NumError := IOResult;
  If (NumError <> 0) Then Begin Error := True; Exit; End;
  Seek(FileInfection, FileSize(FileInfection) - ($0C1F - $0BAA));
  NumError := IOResult;
  If (NumError <> 0) Then Begin Error := True; Exit; End;
  For I := 1 To 24 Do
  Begin
    Read(FileInfection, MasCure[I]);
    NumError := IOResult;
    If (NumError <> 0) Then Begin Error := True; Exit; End;
    { decoding of the saved byte with Key1 and Key2; the operation itself
      is not preserved in the listing }
    Key3 := MasCure[I];
    MasCure[I] := Key3;
  End;
  Seek(FileInfection, 0);
  NumError := IOResult;
  If (NumError <> 0) Then Begin Error := True; Exit; End;
  For I := 1 To 24 Do Write(FileInfection, MasCure[I]);
  Seek(FileInfection, FileSize(FileInfection) - $0C1F);
  NumError := IOResult;
  If (NumError <> 0) Then Begin Error := True; Exit; End;
  Truncate(FileInfection);
  NumError := IOResult;
  If (NumError <> 0) Then Begin Error := True; Exit; End;
  Close(FileInfection); NumError := IOResult;
  If (NumError <> 0) Then Begin Error := True; Exit; End;
  Num := Num + 1;   { counter of cured files shown at the end }
End;

{ Scans one directory: files are checked for the SVC 5.0 marks, subdirectories
  are pushed onto Mas so that the main program can scan them afterwards. }
Procedure F1(St: St80);
Begin
  FindFirst(St + '*.*', $3F, SearchFile);
  While (SearchFile.Attr = $10) And (DosError = 0) And
        ((SearchFile.Name = '.') Or (SearchFile.Name = '..')) Do
    FindNext(SearchFile);
  While (DosError = 0) Do
  Begin
    If KeyPressed Then
      If (Ord(ReadKey) = 27) Then Halt;
    If (SearchFile.Attr = $10) Then
    Begin
      K := K + 1;
      Mas[K] := St + SearchFile.Name + '\';
    End;
    If (SearchFile.Attr <> $10) Then
    Begin
      NumberOfFile := NumberOfFile + 1;
      UnpackTime(SearchFile.Time, DT);
      For I := 18 To 70 Do MasScreen[2 * I] := $20;   { clear the file-name field }
      Write(St + SearchFile.Name, ' ');
      If (DT.Sec = 60) Then        { infection mark: seconds field set to 60 }
      Begin
        Assign(FileInfection, St + SearchFile.Name);
        Reset(FileInfection);
        NumError := IOResult;
        If (NumError <> 0) Then Begin Error := True; Exit; End;
        Seek(FileInfection, FileSize(FileInfection) - $8A);
        NumError := IOResult;
        If (NumError <> 0) Then Begin Error := True; Exit; End;
        For I := 1 To 3 Do Read(FileInfection, MasByte[I]);
        Close(FileInfection);
        NumError := IOResult;
        If (NumError <> 0) Then Begin Error := True; Exit; End;
        If (MasByte[1] = $35) And (MasByte[2] = $2E) And
           (MasByte[3] = $30) Then
        Begin
          NumberOfInfFile := NumberOfInfFile + 1;
          Write(St + SearchFile.Name, ' infected. ', 'Remove?');
          Repeat
            Ch := ReadKey;
            If (Ord(Ch) = 27) Then Exit;
          Until (Ch = 'Y') Or (Ch = 'y') Or (Ch = 'N') Or (Ch = 'n');
          If (Ch = 'Y') Or (Ch = 'y') Then
          Begin
            Cure(St + SearchFile.Name);
            If (NumError <> 0) Then Exit;
          End;
        End;
      End;
      For I := 0 To 79 Do MasScreen[2 * I] := $20;
    End;
    FindNext(SearchFile);
  End;
End;

Begin
  GoToXY(29, 1); TextAttr := $1E; GoToXY(20, 2); TextAttr := $17;
  Writeln('Programma dlya poiska i lecheniya fajlov,');
  Writeln('zaragennih SVC50.');
  TextAttr := $4F; GoToXY(1, 25);
  Write('ESC - exit');
  TextAttr := $1F; GoToXY(1, 6);
  NextDisk := True;
  While NextDisk Do
  Begin
    Write('Kakoj disk proverit? ');
    Disk := ReadKey;
    If (Ord(Disk) = 27) Then Exit;
    { select the drive (DOS function 0EH) and read the current drive back
      (function 19H) to make sure the selection succeeded }
    R.Ah := $0E; R.Dl := Ord(UpCase(Disk)) - 65;
    Intr($21, R); R.Ah := $19; Intr($21, R);
    Flag := (R.Al = (Ord(UpCase(Disk)) - 65));
    St := UpCase(Disk) + ':\';
    Writeln('Testiruetsya disk ', St, ' ');
    Writeln('testiruetsya file');
    NumberOfFile := 0;
    NumberOfInfFile := 0;
    Num := 0; Error := False; K := 0;
    If Flag Then F1(St);
    { scan the subdirectories collected in Mas, last pushed first }
    If (K = 0) Or Error Then Flag := False;
    If (K > 0) Then K := K - 1;
    While Flag Do
    Begin
      F1(Mas[K + 1]);
      If (K = 0) Then Flag := False;
      If (K > 0) Then K := K - 1;
    End;
    Writeln('Provereno fajlov - ', NumberOfFile);
    Writeln('Zarageno fajlov - ', NumberOfInfFile);
    Writeln('Izlecheno fajlov - ', Num);
    Write('Check drugoj disk? ');
    Repeat
      Ch := ReadKey;
      If (Ord(Ch) = 27) Then Exit;
    Until (Ch = 'Y') Or (Ch = 'y') Or (Ch = 'N') Or (Ch = 'n');
    If (Ch = 'N') Or (Ch = 'n') Then NextDisk := False;
  End;
End.
