Protection of information in local computer networks, anti-virus protection. Antivirus protection of information networks

Plan:

Introduction

    1. The concept of anti-virus information protection

    2. Classification of anti-virus programs

      2.1 Scanners

      2.2 CRC scanners

      2.3 Blockers

      2.4 Immunizers

    3. The main functions of the most common antiviruses

      3.1 Dr. Web antivirus

      3.2 Kaspersky Anti-Virus

      3.3 Antiviral Toolkit Pro

      3.4 Norton AntiVirus 2000

Conclusion

List of used literature

Introduction.

Information security means are the set of engineering, electrical, electronic, optical and other devices, instruments and technical systems, together with other proprietary elements, used to solve various information-protection problems, including preventing leakage and ensuring the security of the protected information.

In general, the means of ensuring information security in terms of preventing deliberate actions can be divided, depending on the method of implementation, into the following groups:

    Technical (hardware) means. These are devices of various types (mechanical, electromechanical, electronic, etc.) that solve information-protection problems in hardware. They either prevent physical penetration or, if penetration has taken place, prevent access to information, including by disguising it. The first part of the task is solved by locks, window bars, guards, security alarms, etc.; the second by noise generators, surge protectors, scanning radio receivers and many other devices that "block" potential information leakage channels or allow them to be detected. The advantages of technical means are their reliability, independence from subjective factors and high resistance to modification. Their weaknesses are lack of flexibility, relatively large volume and mass, and high cost;

    Software tools include programs for user identification, access control, information encryption, deletion of residual (working) information such as temporary files, test control of the protection system, etc. The advantages of software tools are versatility, flexibility, reliability, ease of installation, ability to modify and develop. Disadvantages - limited network functionality, use of part of the resources of the file server and workstations, high sensitivity to accidental or deliberate changes, possible dependence on the types of computers (their hardware);

    Mixed hardware and software implement the same functions as hardware and software separately, and have intermediate properties;

    Organizational means consist of organizational and technical (preparation of premises with computers, laying a cable system, taking into account the requirements for restricting access to it, etc.) and organizational and legal (national laws and work rules established by the management of a particular enterprise). The advantages of organizational tools are that they allow you to solve many heterogeneous problems, are easy to implement, quickly respond to unwanted actions in the network, and have unlimited possibilities for modification and development. Disadvantages - high dependence on subjective factors, including the overall organization of work in a particular unit.

In this work I consider one of the software tools for protecting information: antivirus programs. The purpose of the work is thus to analyse anti-virus information protection tools. This goal is achieved by solving the following tasks:

    Studying the concept of anti-virus information protection tools;

    Consideration of the classification of anti-virus information protection tools;

    Familiarization with the main functions of the most popular antiviruses.

    1. The concept of anti-virus information protection.

An antivirus program (antivirus) is a program for detecting computer viruses, and unwanted (malicious) programs in general, and for recovering files infected (modified) by such programs, as well as for prevention, that is, preventing the infection (modification) of files or the operating system by malicious code (for example, through vaccination).

Antivirus software consists of routines that attempt to detect, prevent and remove computer viruses and other malicious software.

    2. Classification of antivirus programs.

Antivirus programs are the most effective in combating computer viruses. However, I would immediately like to note that there are no antiviruses that guarantee one hundred percent protection against viruses, and statements about the existence of such systems can be regarded as either unfair advertising or unprofessionalism. Such systems do not exist, since for any antivirus algorithm it is always possible to offer a counter-algorithm of a virus that is invisible to this antivirus (the reverse, fortunately, is also true: an antivirus can always be created for any virus algorithm).

The most popular and effective anti-virus programs are anti-virus scanners (other names: phage, polyphage, doctor program). Following them in terms of efficiency and popularity are CRC scanners (also: auditor, checksumer, integrity checker). Often, both of these methods are combined into one universal anti-virus program, which significantly increases its power. Various types of blockers and immunizers are also used.

2.1 Scanners.

The principle of operation of anti-virus scanners is based on scanning files, sectors and system memory and searching them for known and new (unknown to the scanner) viruses. So-called "masks" are used to search for known viruses. A virus mask is a constant code sequence specific to that particular virus. If the virus does not contain a constant mask, or the mask is not long enough, other methods are used. An example of such a method is an algorithmic language that describes all possible code variants that can be encountered when a file is infected by this type of virus; this approach is used by some antiviruses to detect polymorphic viruses. Scanners can also be divided into two categories, "universal" and "specialized". Universal scanners are designed to search for and neutralize all types of viruses, regardless of the operating system the scanner is designed to work in. Specialized scanners are designed to neutralize a limited number of viruses or only one class of them, such as macro viruses. Specialized scanners designed only for macro viruses often turn out to be the most convenient and reliable solution for protecting document workflow systems in MS Word and MS Excel environments.

Scanners are also divided into “resident” (monitors, watchmen), which perform on-the-fly scanning, and “non-resident”, which check the system only on request. As a rule, "resident" scanners provide more reliable system protection, since they immediately react to the appearance of a virus, while a "non-resident" scanner is able to identify a virus only during its next launch. On the other hand, a resident scanner can slow down the computer somewhat, including due to possible false positives.

The advantages of scanners of all types include their versatility; the disadvantage is the relatively low speed of searching for viruses. The following programs are most common in Russia: AVP (Kaspersky), Dr.Web (Danilov) and Norton AntiVirus (Symantec).

2.2 CRC-scanners.

The principle of operation of CRC scanners is based on the calculation of CRC sums (checksums) for files / system sectors present on the disk. These CRC sums are then stored in the antivirus database, as well as some other information: file lengths, dates of their last modification, etc. The next time CRC scanners are run, they check the data contained in the database with the actual counted values. If the file information recorded in the database does not match the real values, then CRC scanners signal that the file has been modified or infected with a virus. CRC scanners using anti-stealth algorithms are a pretty strong weapon against viruses: almost 100% of viruses are detected almost immediately after they appear on a computer. However, this type of antivirus has an inherent flaw, which significantly reduces their effectiveness. This drawback is that CRC scanners are not able to catch a virus at the moment of its appearance in the system, but do it only after some time, after the virus has spread throughout the computer. CRC scanners cannot detect a virus in new files (in e-mail, on floppy disks, in files restored from a backup or when unpacking files from an archive), because their databases do not contain information about these files. Moreover, viruses periodically appear that use this “weakness” of CRC scanners, infect only newly created files and thus remain invisible to them. The most used programs of this kind in Russia are ADINF and AVP Inspector.

2.3 Blockers.

Anti-virus blockers are resident programs that intercept "virus-dangerous" situations and notify the user about them. "Virus-dangerous" calls include requests to open executable files for writing, writes to the boot sectors of disks or the MBR of a hard drive, attempts by programs to remain resident, etc., that is, calls that are typical of viruses at the moment of reproduction. Some blocker functions are sometimes implemented in resident scanners.

The advantages of blockers include their ability to detect and stop a virus at the earliest stage of its reproduction, which is very useful in cases where a long-known virus constantly "creeps out of nowhere". The disadvantages include the existence of ways to bypass the protection of blockers and a large number of false positives, which, apparently, is the reason users have almost completely abandoned this kind of anti-virus program (for example, not a single blocker for Windows 95/NT is known: no demand, no supply).

It is also necessary to note such a direction of anti-virus tools as anti-virus blockers implemented as computer hardware components ("hardware"). The most common is the write protection of the hard drive's MBR built into the BIOS. However, as with software blockers, such protection can be easily bypassed by writing directly to the disk controller's ports, and running the DOS utility FDISK immediately causes a "false positive" of the protection.

There are several more universal hardware blockers, but the disadvantages listed above are also accompanied by compatibility problems with standard computer configurations and difficulties in installing and configuring them. All this makes hardware blockers extremely unpopular compared to other types of anti-virus protection.

2.4 Immunizers.

Immunizers are programs that write code into other programs so that those programs report their own infection. They usually write this code to the end of a file (as a file virus would), and each time the file is run, the code checks it for changes. They have only one drawback, but it is fatal: the absolute inability to report infection by a stealth virus. Therefore such immunizers, like blockers, are practically not used at present. In addition, many recently developed programs check their own integrity and may mistake the code embedded in them for a virus and refuse to work.

    3. The main functions of the most common antiviruses.

      3.1 Dr. Web antivirus.

Dr. Web is an old and deservedly popular antivirus in Russia that has been helping users in the fight against viruses for several years. New versions of the program (DrWeb32) work on several operating systems, protecting users from more than 17,000 viruses.

The set of functions is standard for an antivirus: scanning of files (including files compressed by special packers, and archives), memory, and the boot sectors of hard drives and floppy disks. Trojan programs, as a rule, are not cured but removed. Unfortunately, mail formats are not checked, so immediately after receiving an e-mail it is impossible to find out whether there is a virus in an attachment: the attachment has to be saved to disk and checked separately. However, the "Spider Guard" resident monitor supplied with the program solves this problem on the fly.

Dr. Web is one of the first programs in which heuristic analysis was implemented, which allows you to detect viruses that are not listed in the anti-virus database. The analyzer detects virus-like instructions in a program and marks such a program as suspicious. The anti-virus database is updated via the Internet at the click of a button. The free version of the program does not perform heuristic analysis and does not disinfect files.

      3.2 Kaspersky Anti-Virus.

The Inspector monitors all changes in your computer and, if unauthorized changes are detected in files or in the system registry, it allows you to restore the contents of the disk and remove malicious codes. Inspector does not require updates to the anti-virus database: integrity control is carried out on the basis of taking original file fingerprints (CRC-sums) and their subsequent comparison with modified files. Unlike other auditors, Inspector supports all the most popular executable file formats.

The heuristic analyzer makes it possible to protect your computer even from unknown viruses.

The Monitor background virus interceptor, permanently present in the computer's memory, performs anti-virus scanning of all files immediately at the moment they are launched, created or copied, which allows you to control all file operations and prevent infection even by the most technologically advanced viruses.

Antivirus email filtering prevents viruses from entering your computer. The Mail Checker plug-in not only removes viruses from the body of an email, but also completely restores the original content of emails. A comprehensive scan of mail correspondence prevents a virus from hiding in any of the elements of an email by scanning all sections of incoming and outgoing messages, including attached files (including archived and packaged) and other messages of any nesting level.

The Scanner anti-virus scanner makes it possible to carry out a full-scale scan of the entire contents of local and network drives on demand.

The Script Checker interceptor provides anti-virus checks of all running scripts before they are executed.

Support for archived and compressed files provides the ability to remove malicious code from an infected compressed file.

Isolation of infected objects provides isolation of infected and suspicious objects with their subsequent transfer to a specially organized directory for further analysis and recovery.

Automation of anti-virus protection allows you to create a schedule and order of the program components; automatically download and connect new anti-virus database updates via the Internet; send warnings about detected virus attacks by e-mail, etc.

      3.3 Antiviral Toolkit Pro.

Antiviral Toolkit Pro is a Russian product that has earned popularity abroad and in Russia due to its widest capabilities and high reliability. There are versions of the program for most popular operating systems, the anti-virus database contains about 34,000 viruses.

There are several delivery options: AVP Lite, AVP Gold and AVP Platinum. The most complete version comes with three products: a scanner, a resident monitor and a control center. The scanner checks files and memory for viruses and Trojans; it scans packed programs, archives and mail databases (Outlook folders, etc.) and performs heuristic analysis to look for new viruses not included in the database. The on-the-fly monitor checks each opened file for viruses and warns of virus danger, blocking access to the infected file. The Control Center allows anti-virus scans to be scheduled and databases to be updated via the Internet. The demo version lacks the ability to disinfect infected objects, to scan packed and archived files, and heuristic analysis.

      3.4 Norton AntiVirus 2000.

Norton AntiVirus is based on another popular product, the personal firewall AtGuard (@guard) from WRQ Soft. Applying Symantec's technological power to it has resulted in an integrated product with significantly expanded functionality. The core of the system is still the firewall. It works very effectively without configuration, practically without interfering with daily network use, while blocking attempts to restart or "hang" the computer, to access files and printers, and to establish contact with Trojans on the computer.

Norton AntiVirus is the only firewall reviewed here that implements the capabilities of this method of protection 100%. All types of packets travelling through the network are filtered, including service packets (ICMP); the firewall rules can take into account which application is working with the network, what kind of data is transmitted and to which computer, and at what time of day this happens.

To preserve confidential data, the firewall can block the sending of the user's e-mail address by the browser to web servers; cookies can also be blocked. The Confidential Information Filter warns of an attempt to send, unencrypted, information that the user has entered and marked as confidential.

Active content on web pages (Java applets, scripts, etc.) can also be blocked by Norton AntiVirus - the content filter can cut insecure elements from the text of web pages before they reach the browser.

As an additional service that is not directly related to security issues, Norton AntiVirus offers a very convenient filter for advertising banners (these annoying pictures are simply cut out of the page, which speeds up its loading), as well as a parental control system. By prohibiting visits to certain categories of sites and the launch of certain types of Internet applications, you can be quite calm about the content of the network that is available to children.

In addition to the firewall capabilities, Norton AntiVirus offers the user the protection of the Norton Antivirus program. This popular anti-virus application with regularly updated anti-virus databases allows you to quite reliably detect viruses at the earliest stages of their appearance. All files downloaded from the network, files attached to e-mail, active elements of web pages are scanned for viruses. In addition, Norton Antivirus has a virus scanner and monitor that provides system-wide virus protection without being tied to network access.

Conclusion:

Having studied the literature, I achieved my goal and reached the following conclusions:

    An antivirus program (antivirus) is a program for detecting computer viruses, and unwanted (malicious) programs in general, and for recovering files infected (modified) by such programs, as well as for prevention, that is, preventing the infection (modification) of files or the operating system by malicious code (for example, through vaccination);

    There are no antiviruses that guarantee 100% protection against viruses;

    The most popular and effective anti-virus programs are anti-virus scanners (other names: phage, polyphage, doctor program). Following them in terms of efficiency and popularity are CRC scanners (also: auditor, checksumer, integrity checker). Often, both of these methods are combined into one universal anti-virus program, which significantly increases its power. Various types of blockers and immunizers are also used.


One of the conditions for safe work in the information system is the user's compliance with a number of rules that have been tested in practice and have shown their high efficiency. There are several of them:

  1. Use of software products obtained by legal official means. The probability of having a virus in a pirated copy is many times higher than in officially obtained software.
  2. Duplication of information. First of all, the software distribution media must be preserved; writing to media that allows this operation should be blocked where possible. Special care should be taken to preserve working information: it is preferable to regularly create copies of work files on write-protected removable storage media. Either the entire file is copied, or only the changes being made; the latter option is applicable, for example, when working with databases.
  3. Regular system software updates. The operating system must be regularly updated and all security patches from Microsoft and other vendors installed to address existing software vulnerabilities.
  4. Restricting user access to operating system settings and system data. To ensure the stable operation of the system, it is often necessary to limit the capabilities of users, which can be done either with the built-in Windows tools or with specialized programs designed to control access to a computer. In corporate networks, group policies can be applied in a Windows domain.

  5. For the most efficient use of network resources, it is necessary to introduce restrictions on the access of authorized users to internal and external network resources and block access to unauthorized users.
  6. Regular use of antivirus tools. Before starting work, it is advisable to run scanner programs and auditor programs. Anti-virus databases must be updated regularly. In addition, it is necessary to carry out anti-virus control of network traffic.
  7. Protection against network intrusions is provided by the use of software and hardware, including: the use of firewalls, intrusion detection / prevention systems IDS / IPS (Intrusion Detection / Prevention System), the implementation of VPN (Virtual Private Network) technologies.
  8. Use of authentication tools and cryptography - the use of passwords (simple / complex / non-repetitive) and encryption methods. It is not recommended to use the same password on different resources and disclose information about passwords. When writing a password on sites, you should be especially careful not to allow your password to be entered on a fraudulent duplicate site.
  9. Special care should be taken when using new (unknown) removable media and new files. New removable media must be checked for the absence of boot and file viruses, and the received files - for the presence of file viruses. When working in distributed systems or in systems for collective use, it is advisable to check new removable media and files entered into the system on computers specially allocated for this purpose that are not connected to local network. Only after a comprehensive anti-virus scan of disks and files can they be transferred to users of the system.
  10. When working with documents and tables received (for example, via e-mail) it is advisable to prohibit the execution of macro commands by means built into text and spreadsheet editors (MS Word, MS Excel) until a full scan of these files is completed.
  11. If you do not intend to write information to external media, then you must block this operation, for example, by programmatically disabling USB ports.
  12. When working with shared resources on open networks (for example, the Internet), use only verified network resources that do not have malicious content. You should not trust all the information that comes to your computer - e-mails, links to Web sites, messages to Internet pagers. It is strictly not recommended to open files and links coming from an unknown source.

Constant adherence to the above recommendations can significantly reduce the likelihood of infection with software viruses and protect the user from irretrievable loss of information. However, even with scrupulous implementation of all prevention rules, the possibility of PC infection with computer viruses cannot be completely excluded; therefore, methods and means of counteracting malware must be constantly improved and maintained in working order.

Antivirus information protection tools

The mass distribution of malicious software, the severity of the consequences of its impact on information systems and networks have necessitated the development and use of special antivirus tools and methods of their application.

It should be noted that there are no antivirus tools that guarantee the detection of all possible virus programs.

Antivirus tools are used to solve the following tasks:

  • detection of malware in information systems;
  • blocking the operation of malware;
  • elimination of the consequences of exposure to malware.

It is desirable to detect malware at the stage of its introduction into the system, or at least before it starts performing destructive actions. If such software or its activities are detected, the virus program must be terminated immediately in order to minimize the damage from its impact on the system.

Elimination of the consequences of exposure to viruses is carried out in two directions:

  • virus removal;
  • recovery (if necessary) of files, memory areas.

The procedure for removing detected malicious code from an infected system must be carried out very carefully. Viruses and Trojans often take special steps to hide their presence in a system, or embed themselves so deeply into it that the task of destroying it becomes quite non-trivial.

System recovery depends on the type of virus, as well as on the time of its detection in relation to the onset of destructive actions. If a virus program is already running in the system and its activity involves changing or deleting data, restoring the information (especially if it is not duplicated) may be impossible. To combat viruses, software and firmware tools are used in a certain sequence and combination, forming methods of protection against malware.

The following virus detection methods are widely used by modern antivirus tools:

  • scanning;
  • change detection;
  • heuristic analysis;
  • use of resident watchmen;
  • use of software and hardware protection against viruses.

Scanning, one of the simplest methods for detecting viruses, is carried out by a scanner program that searches files for the recognizable part of a virus, its signature. A signature is a unique sequence of bytes that belongs to a particular virus and is not found in other programs.

The program detects the presence of already known viruses for which the signature is defined. To effectively use anti-virus programs that use the scanning method, it is necessary to regularly update information about new viruses.
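As an added example (not code from the essay or from any of the products it names), the following Python scanner shows the mechanics described in section 2.1 and in the "scanning" method above: exact signatures, "masks" with wildcard bytes for code that varies between copies of the same virus, and why an exact signature for one variant misses another. The EICAR string is the standard harmless test file; the "Demo" patterns and the two "variants" are constructed for this illustration only.

```python
# Added example, not from the essay: a miniature signature scanner.
# Signatures are hex patterns; "??" stands for any single byte (a "mask").
import re
from typing import List, Tuple

# The EICAR test string: a harmless file that antivirus products flag on purpose.
EICAR = b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"

# Two constructed "variants" of one hypothetical virus: the immediate after B8,
# the three bytes after CD 21 and the call target differ, the skeleton does not.
VARIANT_1 = bytes.fromhex("90 B8 01 00 CD 21 AA BB CC E8 12 34 C3")
VARIANT_2 = bytes.fromhex("90 B8 02 00 CD 21 11 22 33 E8 56 78 C3")

# Constructed signature database: (name, hex pattern).
SIGNATURES: List[Tuple[str, str]] = [
    ("EICAR-Test-File", EICAR[:28].hex()),                # exact signature
    ("Demo.Exact.V1", VARIANT_1[1:12].hex()),             # exact bytes of variant 1
    ("Demo.Mask.A", "B8 ?? 00 CD 21 ?? ?? ?? E8 ?? ??"),  # mask covering both variants
]


def compile_mask(hex_mask: str) -> "re.Pattern[bytes]":
    """Turn a hex pattern with '??' wildcards into a compiled bytes regex."""
    clean = hex_mask.replace(" ", "")
    if len(clean) % 2:
        raise ValueError("mask must consist of whole bytes")
    parts = []
    for i in range(0, len(clean), 2):
        pair = clean[i:i + 2]
        # A wildcard becomes '.', a fixed byte is escaped so regex metacharacters
        # such as 0x2A ('*') are matched literally.
        parts.append(b"." if pair == "??" else re.escape(bytes([int(pair, 16)])))
    return re.compile(b"".join(parts), re.DOTALL)


COMPILED = [(name, compile_mask(pattern)) for name, pattern in SIGNATURES]


def scan_buffer(data: bytes) -> List[Tuple[str, int]]:
    """Return (signature name, offset of first hit) for every signature present."""
    hits = []
    for name, pattern in COMPILED:
        match = pattern.search(data)
        if match:
            hits.append((name, match.start()))
    return hits


def scan_file(path: str) -> List[Tuple[str, int]]:
    """Scan a whole file; real scanners also unpack archives and packed executables."""
    with open(path, "rb") as f:
        return scan_buffer(f.read())


if __name__ == "__main__":
    for label, sample in (("eicar", EICAR), ("variant 1", VARIANT_1),
                          ("variant 2", VARIANT_2), ("clean", b"plain text")):
        print(label, scan_buffer(sample))
```

Running the block shows that variant 2 is caught only by the mask, not by the exact signature taken from variant 1. The loop over every signature is also a concrete illustration of the "relatively low speed" the text attributes to scanners; production engines compile the whole database into a single multi-pattern automaton instead.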

The change detection method is based on the use of auditor programs that monitor changes in files and disk sectors on a computer. Any virus changes the data system on the disk in some way: for example, the boot sector may change, a new executable file may appear, or an existing one may change.

As a rule, anti-virus audit programs determine and store in special files images of the master boot record, boot sectors of logical disks, characteristics of all monitored files, directories, and numbers of defective disk clusters. Periodically, the auditor checks the current state of the disk areas and the file system, compares it with the previous state, and immediately issues messages about all suspicious changes.

The main advantage of the method is the ability to detect viruses of all types, as well as new unknown viruses.

This method also has disadvantages. With the help of audit programs, it is impossible to detect a virus in files that enter the system already infected. Viruses will be detected only after they multiply in the system.
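The following Python auditor is an added example (not code from the essay or from ADINF, AVP Inspector or any other product it mentions) of the CRC scanner of section 2.2 and the change detection method just described. It records a baseline of size, modification time, CRC32 and SHA-256 for every file, audits the directory again and reports modified, missing and new files. The demo also shows why comparing only size and timestamp is not enough, and why files that were never in the baseline can only be reported as "new", the weakness the text describes. The file names and contents are constructed.

```python
# Added example, not from the essay: a miniature CRC scanner / auditor.
import hashlib
import os
import shutil
import tempfile
import zlib
from typing import Dict, List, Tuple

Fingerprint = Dict[str, object]
ALL_FIELDS = ("size", "mtime_ns", "crc32", "sha256")


def fingerprint(path: str) -> Fingerprint:
    """Size, modification time and two checksums of one file (read in 64 KiB chunks)."""
    st = os.stat(path)
    crc = 0
    sha = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            crc = zlib.crc32(chunk, crc)
            sha.update(chunk)
    return {"size": st.st_size, "mtime_ns": st.st_mtime_ns,
            "crc32": crc & 0xFFFFFFFF, "sha256": sha.hexdigest()}


def build_baseline(root: str) -> Dict[str, Fingerprint]:
    """Fingerprint every file under root, keyed by path relative to root."""
    baseline: Dict[str, Fingerprint] = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            baseline[os.path.relpath(full, root)] = fingerprint(full)
    return baseline


def audit(root: str, baseline: Dict[str, Fingerprint],
          fields: Tuple[str, ...] = ALL_FIELDS) -> Dict[str, List[str]]:
    """Compare the directory's current state with the baseline on the given fields."""
    current = build_baseline(root)
    report: Dict[str, List[str]] = {"modified": [], "missing": [], "new": []}
    for rel, old in sorted(baseline.items()):
        now = current.get(rel)
        if now is None:
            report["missing"].append(rel)
        elif any(now[k] != old[k] for k in fields):
            report["modified"].append(rel)
    # Files absent from the baseline have nothing to be compared with: the auditor
    # can only say they are new, not whether they are infected.
    report["new"] = sorted(set(current) - set(baseline))
    return report


def demo() -> Dict[str, Dict[str, List[str]]]:
    """Build a baseline in a temporary directory, simulate three events, audit twice."""
    root = tempfile.mkdtemp(prefix="crc-demo-")
    try:
        files = {"app.exe": b"MZ" + b"\x90" * 62,       # constructed sample files
                 "readme.txt": b"hello\n",
                 "data.bin": bytes(range(32))}
        for name, content in files.items():
            with open(os.path.join(root, name), "wb") as f:
                f.write(content)
        baseline = build_baseline(root)

        # 1) app.exe is patched in place with the same length and its timestamp restored
        app = os.path.join(root, "app.exe")
        st = os.stat(app)
        with open(app, "r+b") as f:
            f.seek(2)
            f.write(b"\xcc" * 8)
        os.utime(app, ns=(st.st_atime_ns, st.st_mtime_ns))
        # 2) a file the baseline has never seen appears
        with open(os.path.join(root, "unknown.exe"), "wb") as f:
            f.write(b"MZ constructed new file")
        # 3) a file disappears
        os.remove(os.path.join(root, "readme.txt"))

        return {"metadata_only": audit(root, baseline, ("size", "mtime_ns")),
                "checksums": audit(root, baseline)}
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    for mode, report in demo().items():
        print(mode, report)
```

The metadata-only audit reports app.exe as unchanged, because size and timestamp were preserved; the checksum audit catches it. A stealth virus that intercepts the operating system's reads would defeat even the checksum comparison, which is why the text stresses anti-stealth algorithms in CRC scanners.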

Heuristic analysis, like the change detection method, allows unknown viruses to be detected, but does not require the preliminary collection, processing and storage of information about the file system.

Heuristic analysis in anti-virus programs is based on signatures and a heuristic algorithm designed to improve the ability of scanner programs to apply signatures and recognize modified versions of viruses in cases where the code of an unknown program does not completely match a signature, but more general signs of a virus, or its behaviour pattern, are clearly expressed in the suspicious program. If such code is detected, a message about a possible infection is displayed. After receiving such a message, the supposedly infected files and boot sectors must be carefully checked with all available anti-virus tools.

The disadvantage of this method is a large number of false positives of anti-virus tools in cases where a legitimate program contains code fragments that perform actions and/or sequences characteristic of some viruses.

The resident watchman method is based on programs that are constantly in the RAM of the device (computer) and monitor all actions performed by other programs. If a program performs suspicious actions typical of viruses (writing to boot sectors, placing resident modules in RAM, attempts to intercept interrupts, etc.), the resident watchman issues a message to the user.

The use of anti-virus programs with a resident watchdog reduces the likelihood of viruses running on the computer, but keep in mind that the constant use of RAM resources for resident programs reduces the amount of memory available to other programs.
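As an added example (not code from the essay or from any product it describes), the following Python rule set shows what a blocker (section 2.3) or resident watchman checks for. Instead of hooking the operating system, it reads constructed event lines of the form `key=value` and reports the events a watchman would treat as virus-dangerous: a write to an executable, a write to sector 0 (boot sector/MBR) and an attempt to hook a DOS interrupt. The event log, process names and the `trusted` allow list are all constructed for this illustration; the FDISK line reproduces the false positive the text mentions.

```python
# Added example, not from the essay: a toy resident watchman / blocker rule set.
import re
from typing import Dict, Iterable, List, Tuple

EXECUTABLE_EXT = (".exe", ".com", ".sys", ".dll", ".ovl")
RESIDENT_HOOKS = {"0x13", "0x21"}   # DOS disk-service and system-service interrupts

# Constructed event log: one file or disk operation per line.
EVENTS = [
    "pid=101 proc=setup.exe op=open_write path=C:\\Windows\\notepad.exe",
    "pid=102 proc=fdisk.exe op=sector_write disk=0 sector=0",
    "pid=103 proc=game.exe op=open_write path=C:\\Games\\save.dat",
    "pid=104 proc=tsr.com op=hook_interrupt int=0x21",
    "pid=105 proc=editor.exe op=open_read path=C:\\Docs\\notes.txt",
    "pid=106 proc=updater.exe op=open_write path=C:\\Program Files\\App\\app.exe",
]

# key=value pairs; a value runs until the next " key=" so paths may contain spaces.
_FIELD = re.compile(r"(\w+)=(.*?)(?=\s+\w+=|$)")


def parse_event(line: str) -> Dict[str, str]:
    """Split one event line into a field dictionary."""
    return {m.group(1): m.group(2) for m in _FIELD.finditer(line.strip())}


def dangerous_reasons(event: Dict[str, str]) -> List[str]:
    """Apply the watchman's rules and return why an event counts as virus-dangerous."""
    op = event.get("op")
    reasons: List[str] = []
    if op == "open_write" and event.get("path", "").lower().endswith(EXECUTABLE_EXT):
        reasons.append("write to executable file")
    if op == "sector_write" and event.get("sector") == "0":
        reasons.append("write to boot sector or MBR")
    if op == "hook_interrupt" and event.get("int", "").lower() in RESIDENT_HOOKS:
        reasons.append("attempt to stay resident (interrupt hook)")
    return reasons


def monitor(lines: Iterable[str], trusted: Iterable[str] = ()) -> List[Tuple[str, str]]:
    """Return (process, reason) alerts; processes named in `trusted` are not reported.

    A name-based allow list only trims false positives such as a partition tool
    writing the MBR; it cannot tell the genuine tool from anything else carrying
    the same name, which is one of the bypass problems the text refers to.
    """
    trusted_names = {t.lower() for t in trusted}
    alerts: List[Tuple[str, str]] = []
    for line in lines:
        event = parse_event(line)
        proc = event.get("proc", "?").lower()
        if proc in trusted_names:
            continue
        for reason in dangerous_reasons(event):
            alerts.append((proc, reason))
    return alerts


if __name__ == "__main__":
    print("all alerts:", monitor(EVENTS))
    print("with fdisk trusted:", monitor(EVENTS, trusted={"fdisk.exe"}))
```

The first run flags four events, including the legitimate FDISK write that the text calls a false positive; the second run suppresses it by process name. A stronger allow list would key on a checksum of the trusted executable rather than its name, tying this method back to the CRC approach.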

To date, one of the most reliable mechanisms for protecting information systems and networks are software and hardware, as a rule, including not only anti-virus systems, but also providing additional services. This topic is discussed in detail in the section "Software and hardware to ensure the security of information networks".

Data protection is the use of various means and methods, the adoption of measures and the implementation of activities in order to ensure the reliability of transmitted, stored and processed information.

The problem of information security in electronic data processing systems arose almost simultaneously with their creation. It was caused by specific facts of malicious actions with information.

If in the first decades of active use of a PC, the main danger was posed by hackers who connected to computers mainly through the telephone network, then in the last decade, the violation of information reliability has been progressing through programs, computer viruses, and the global Internet.

There are enough methods of unauthorized access to information, including: viewing; copying and substitution of data; input of false programs and messages as a result of connection to communication channels; reading the remnants of information on its media; reception of signals of electromagnetic radiation and wave character; use of special programs.

1. Means of identification and differentiation of access to information

One of the most intensively developed areas for ensuring information security is the identification and authentication of documents based on electronic digital signature.

2. Cryptographic method of information protection

The most effective means of improving security is cryptographic transformation.

3. Computer viruses

Destruction of the file structure;

Turn on the drive indicator light when it is not being accessed.

Removable disks (floppy disks and CD-ROMs) and computer networks are usually the main ways in which computers become infected with viruses. A computer's hard drive can become infected if the computer is booted from a floppy disk containing a virus.

According to their habitat, viruses are classified into boot, file, system, network and file-boot (multifunctional) viruses.

Boot viruses are embedded in the boot sector of the disk or in the sector that contains the boot program of the system disk.

File viruses are placed mainly in executable files with the extension .COM and .EXE.

System viruses are embedded in system modules and peripheral device drivers, file allocation tables and partition tables.

Network viruses live in computer networks, while file-boot viruses infect both disk boot sectors and application program files.

By the way they infect their habitat, viruses are divided into resident and non-resident viruses.

Resident viruses, when infecting a computer, leave a resident part in the OS which then intercepts the OS's calls to other objects of infection, infiltrates them and performs its destructive actions, which can lead to shutdown or reboot of the computer. Non-resident viruses do not infect the computer's operating system and are active only for a limited time.

The particular construction of a virus affects how it manifests itself and how it operates.

A logic bomb is a program built into a large software package. It is harmless until a certain event occurs, after which its logical mechanism is triggered.

Mutant programs are self-reproducing programs that create copies clearly different from the original.

Invisible viruses, or stealth viruses, intercept OS calls to affected files and disk sectors and substitute uninfected objects in their place. When files are accessed, these viruses use rather ingenious algorithms that allow them to "deceive" resident anti-virus monitors.

Macro viruses use the macro language facilities built into office data-processing programs (text editors, spreadsheets).

By the degree of impact on the resources of computer systems and networks, or by destructive capabilities, harmless, non-dangerous, dangerous and destructive viruses are distinguished.

Harmless viruses do not have a pathological effect on the operation of the computer. Non-dangerous viruses do not destroy files, but reduce free disk space and display graphic effects. Dangerous viruses often cause significant disruption to the computer. Destructive viruses may lead to the erasure of information and complete or partial disruption of application programs. It is important to keep in mind that any file capable of loading and executing program code is a potential place for a virus to reside.

4. Antivirus programs

The wide distribution of computer viruses has led to the development of anti-virus programs that allow you to detect and destroy viruses, "cure" the affected resources.

The basis of most anti-virus programs is the principle of searching for virus signatures. A virus signature is some unique characteristic of a virus program that indicates the presence of that virus in a computer system.

According to the way they work, anti-virus programs can be divided into filters, auditors, doctors, detectors, vaccines, etc.

Filter programs are the "watchmen" that are constantly present in main memory. They are resident and intercept all requests to the OS to perform suspicious actions, i.e. operations that viruses use to reproduce and to damage information and software resources on the computer, including reformatting the hard drive. Among these are attempts to change file attributes, modify executable COM or EXE files, or write to disk boot sectors.

The constant presence of "watchdog" programs in main memory significantly reduces the memory available, which is the main disadvantage of these programs. In addition, filter programs are not able to "treat" files or disks. This function is performed by other antivirus programs, such as AVP, Norton Antivirus for Windows, Thunder Byte Professional and McAfee Virus Scan.
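As an added example of the rule logic such a filter applies (written for this page; not the page's own code and not how any of the products named above implements it), the Python below classifies a constructed stream of file-system operation records and flags exactly the actions the text lists: modification of COM/EXE files, changes of file attributes, writes to a disk's boot sector and disk formatting. The `Op` record, its field names, the device naming and all process and file names are assumptions made for the demonstration.

```python
from dataclasses import dataclass

# Added example, not from the page: the classification rules of a "filter"
# (resident watchman) applied to a constructed list of operation records.
# The Op record, its field names and all process/file names are assumptions.

EXECUTABLE_EXT = (".com", ".exe")


@dataclass
class Op:
    pid: int
    image: str            # process performing the operation
    kind: str             # "write", "setattr" or "format"
    target: str           # file path or raw device name
    offset: int = -1      # byte offset, used for raw device writes


def classify(op):
    """Return the list of rules the operation triggers (empty if benign)."""
    reasons = []
    target = op.target.lower()
    if op.kind == "write" and target.endswith(EXECUTABLE_EXT):
        reasons.append("modifies executable")
    if op.kind == "setattr":
        reasons.append("changes file attributes")
    # A write at offset 0 of a physical drive overwrites the boot sector.
    # Device naming here follows the Windows \\.\PhysicalDriveN convention (assumption).
    if op.kind == "write" and target.startswith(r"\\.\physicaldrive") and op.offset == 0:
        reasons.append("writes disk boot sector")
    if op.kind == "format":
        reasons.append("formats disk")
    return reasons


def monitor(ops, trusted_images=()):
    """Run the rules over a sequence of Op records and return the alerts.

    Images in trusted_images (for example an installer the administrator is
    running) are exempted, which is how a real filter avoids drowning the user
    in prompts during legitimate software installation.
    """
    trusted = {i.lower() for i in trusted_images}
    alerts = []
    for op in ops:
        if op.image.lower() in trusted:
            continue
        reasons = classify(op)
        if reasons:
            alerts.append({"pid": op.pid, "image": op.image,
                           "target": op.target, "reasons": reasons})
    return alerts


# Constructed sample stream: one benign document save, one trusted installer,
# one process tampering with COMMAND.COM and one raw boot-sector write.
SAMPLE_OPS = [
    Op(101, "WINWORD.EXE", "write", r"C:\DOCS\REPORT.DOC"),
    Op(202, "SETUP.EXE", "write", r"C:\APP\APP.EXE"),
    Op(303, "GAME.EXE", "setattr", r"C:\DOS\COMMAND.COM"),
    Op(303, "GAME.EXE", "write", r"C:\DOS\COMMAND.COM"),
    Op(404, "UNKNOWN.EXE", "write", r"\\.\PhysicalDrive0", offset=0),
]


def demo():
    """Run the monitor over the constructed stream; returns three alerts."""
    return monitor(SAMPLE_OPS, trusted_images=["SETUP.EXE"])


if __name__ == "__main__":
    for alert in demo():
        print(alert)
```

The rules only ever see operations that pass through the hooks the filter has installed; a stealth virus of the kind described in section 3, or one that loads before the monitor, does not appear in this stream at all, which is why the text pairs filters with auditors rather than relying on either alone.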

Auditor programs are a reliable means of protection against viruses. They record the initial state of programs, directories and system areas of the disk, provided that the computer has not yet been infected with a virus. Subsequently, the program periodically compares the current state with the original one. If inconsistencies are found (in file length, modification date or cyclic redundancy check code), a message about this appears on the computer screen. Among the auditor programs one can single out the Adinf program and its extension in the form of the Adinf Cure Module.
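To make the auditor principle concrete, here is an added example (written for this page; not code from the page, from Adinf or from any other product named here) of a minimal integrity auditor in Python. It records each file's size, modification time and checksum while the system is believed clean, then compares the current state against that baseline and reports added, removed and modified files. The directory layout, file names and the simulated infection are constructed for the demonstration. CRC32 is recorded because the text names a cyclic check code; a SHA-256 digest is kept alongside it because CRC32 can be forged trivially by anything that controls the file contents.

```python
import hashlib
import json
import os
import tempfile
import zlib

# Added example, not from the page: a minimal "auditor" (CRC scanner) in the
# sense described above. All paths and file contents below are constructed.


def fingerprint(path):
    """Return the baseline record for one file: size, mtime, CRC32 and SHA-256."""
    crc = 0
    sha = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            crc = zlib.crc32(chunk, crc)
            sha.update(chunk)
    st = os.stat(path)
    return {"size": st.st_size, "mtime": int(st.st_mtime),
            "crc32": "%08x" % (crc & 0xFFFFFFFF), "sha256": sha.hexdigest()}


def build_baseline(root):
    """Fingerprint every file under root, keyed by path relative to root."""
    baseline = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            baseline[os.path.relpath(full, root)] = fingerprint(full)
    return baseline


def save_baseline(baseline, path):
    """Persist the baseline; in practice this copy belongs on read-only media."""
    with open(path, "w") as fh:
        json.dump(baseline, fh, sort_keys=True)


def load_baseline(path):
    with open(path) as fh:
        return json.load(fh)


def compare(baseline, root):
    """Report added, removed and modified files. For modified files the list
    names which fields differ; a changed checksum with unchanged size and mtime
    is the classic sign of a virus that restored the original timestamp."""
    current = build_baseline(root)
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = {}
    for rel in set(current) & set(baseline):
        diffs = [k for k in ("size", "mtime", "crc32", "sha256")
                 if current[rel][k] != baseline[rel][k]]
        if diffs:
            modified[rel] = diffs
    return {"added": added, "removed": removed, "modified": modified}


def demo():
    """Constructed scenario: one clean executable, then a simulated infection
    that appends to it and drops a new COM file."""
    root = tempfile.mkdtemp()
    prog = os.path.join(root, "PROG.EXE")
    with open(prog, "wb") as fh:
        fh.write(b"MZ" + b"\x00" * 100)          # stand-in for a clean program
    save_baseline(build_baseline(root), os.path.join(root, "..", "baseline.json"))
    baseline = load_baseline(os.path.join(root, "..", "baseline.json"))
    with open(prog, "ab") as fh:
        fh.write(b"<constructed appended code>")  # simulated file infector
    with open(os.path.join(root, "DROPPED.COM"), "wb") as fh:
        fh.write(b"\xe9\x00\x00")                   # simulated dropped file
    return compare(baseline, root)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Two practical points the code cannot enforce by itself: the baseline must be stored where the monitored system cannot quietly rewrite it (otherwise a virus that patches the file can patch the record too), and, as the text notes for stealth viruses, a comparison is only as trustworthy as the OS calls it relies on, so an auditor is best run after a clean boot.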

A doctor program is able not only to detect, but also to "treat" infected programs or disks, removing the virus body from the infected programs. Programs of this type can be divided into phages and polyphages. Phages are programs used to find viruses of a certain type. Polyphages are designed to detect and destroy a wide variety of viruses. In our country, polyphages such as MS Antivirus, Aidstest and Doctor Web are most commonly used. They are continuously updated to deal with newly emerging viruses.

Detector programs are capable of detecting files infected by one or more viruses known to the software developers.

Vaccine programs, or immunizers, belong to the class of resident programs. They modify programs and disks in a way that does not affect their operation, but the virus being vaccinated against considers them already infected and does not infect them. At present, many anti-virus programs have been developed that have received wide recognition and are constantly updated with new tools to combat viruses.

5. Data security in an interactive environment

Interactive environments are vulnerable in terms of data security. An example of interactive media is any of the systems with communication capabilities, such as email, computer networks, the Internet.

In order to protect information from hooligan elements, unskilled users and criminals, the Internet system uses a system of rights, or access control.

Assignment: abstract, answer the questions of student Tsv., p. 176, questions 3, 4 and 5.

So, it has happened: the new millennium is upon us. The "age of progress and progressivism", the time of industrialization and the first timid steps of information technology, has been left behind. For the first time, humanity has been able to obtain more information than it is able to comprehend. Information has become one of the greatest values, shaming the despicable yellow metal which for centuries was the measure of a person's position in society. This has led to a major change in security concepts and has given rise to a number of very specific problems, such as computer viruses.

Unlike traditional equivalents, information is very easy to steal. At the same time, the process of stealing (copying) may well go unnoticed by its rightful owner. We will leave this problem for a separate review, and today we will consider ways to protect information from external malicious influences that aim at unauthorized modification and destruction of information. In accordance with the established terminology, such malicious programs are called computer viruses. Let's leave aside the ethical aspect of the motives that moved the creators of viruses, and focus on the problem of protecting information from their harmful influence.

As you know, in order to win a battle you must have a clear idea of the enemy and his capabilities, and it is unacceptable to harbor illusions about them. If you sincerely believe films in which the protagonist guesses a 20-character password on the third try, or an inserted CD explodes when the password is entered incorrectly, the rest of this article is not addressed to you. Nevertheless, one often hears about viruses that cause physical damage to a computer, for example by resonating the hard drive heads until the drive is destroyed. I will note right away that one such virus does exist: the infamous Win95.CIH. It destroys the BIOS (Basic Input/Output System) memory, which determines the very working logic of the computer. At the same time, the damage it causes is quite easily repaired, even at home. In addition, preventing its main destructive function is quite simple: it is enough to prohibit BIOS updating in the Setup program. Fortunately, the vast majority of viruses are not so sophisticated and are content to damage information and spread further.

Let's now try to systematize all our knowledge about the enemy and designate the lines of defense. One cannot be limited to a single wall, however strong. The general principle of building protection can be borrowed from the military. All incoming and outgoing information must be carefully checked for infection with known viruses. It is necessary to monitor both traditional (floppy disks) and new (e-mail, Internet) routes by which viruses enter the protected area. In addition, regular patrols of the protected area are needed to search for traces of enemy activity. In case the enemy does enter the protected area, all key objects (system files) must be protected separately. Additionally, you should conduct regular reconnaissance (updating the virus database) and check the readiness and operability of the system. At first glance, everything is quite simple: an anti-virus complex with a file checksum function and a resident monitor will, with fairly high probability, protect us from any misfortune, naturally only if the list of viruses is updated regularly. If a virus still leaks through the outer perimeter, the alarm will be raised by a change to "immutable" files. This scheme gives approximately an 85% probability of detecting the enemy at the border of the protected zone and a 99% probability of detecting the fact of his penetration inside the protective perimeter. In most cases this is sufficient.

The situation considered so far is presented from the point of view of a "lieutenant of the anti-virus troops" whose task is to defend a small object. This approach is unacceptable when you need to secure a larger facility that includes several computers, and the situation is greatly complicated by the availability of Internet access. Naturally, the simplest "solution" to this problem would be the dull application of the above methodology, adjusted for the increased number of "areas of responsibility". As a result, we would get North America during the wars with the Indians: fortified forts, and all around, the unknown! In this case, any information transmitted between computers can be irreversibly damaged in transit over "no man's" territory. Therefore, we will try to formulate new principles of protection based on the expanded area of responsibility and the increased number of invasion routes. As an example, let's consider two network infrastructures, the first of which belongs to one of the largest publishing holdings, and the second of which is deployed in the ComputerPress Publishing House (see sidebar).

As usual, we first assess the likely routes by which viruses penetrate. For many years, the most common way to infect a computer was a floppy disk. With the growth of global networks, the lead has passed to the Internet and the e-mail system. Nevertheless, you should not discount the "classic" way of picking up an infection. Thus, a virus can reach a user's local computer in the following ways:

  1. Directly via a floppy disk, CD, remote mailbox - the classic way.
  2. Through the corporate email system.
  3. Through a corporate channel of access to the Internet system.
  4. From a corporate server.

Now let's try to formulate the principles of our defensive strategy: it is possible to block all routes of infection, or only some of them. For example, you can protect workstations and servers (option A), leaving the Internet access channel and the e-mail system uncovered. This will not greatly reduce the overall security of the system; the penetration will simply be detected and stopped directly at the workstations. However, the load on "intelligence" then increases sharply: all workstations must regularly receive updates to the anti-virus program and virus database. In the case of full protection (option B), the load is distributed more evenly between all the protective subsystems.

Now that the general strategy has been outlined, let's consider the issue of managing the system as a whole. For all its apparent simplicity, this question is one of the defining ones. There are only two possible options: centralized control of the entire system and local control. Each has its own advantages and disadvantages. The sidebars give practical examples of centralized and local management of anti-virus protection, from which one can conclude that centralized management is advantageous when there are a large number of workstations, as well as a noticeable flow of incoming information that needs to be checked. In addition, there are additional dangers caused by factors such as the presence of confidential information, the presence of incoming employees, and the level of computer literacy of the latter. My experience in both government and commercial structures quickly dispelled any hopes in this regard: before my eyes, employees tried to run FDISK.EXE in order to increase the speed of the computer, following instructions sent by unknown people via e-mail. At the same time, all attempts to stop a person caused a stream of caustic remarks about my professional skills and the breadth of my horizons. Naturally, all these factors increase the requirements both for the system as a whole and for its organization. However, the issue of organizing anti-virus protection also has a financial side. It is foolish to deploy a multi-thousand-dollar system to protect five computers in a small firm. On the other hand, when management begins to economize even on its own safety, a situation arises similar to the one that developed in a large publishing holding (see Box 1). Therefore, common sense and a sober awareness of the situation must be present in everything.

Now let's decide on the specific protective systems on which we will build our defense. Historically, domestic developments such as AidsTest and Adinf from the DialogNauka company, as well as the later development of Evgeny Kaspersky's group, AVP, have been popular on the domestic market. In addition, a significant share of this market in our country is occupied by foreign products such as Norton Antivirus (Symantec Co.) and McAfee (Networks Associates Technology, Inc.). At the same time, it is impossible to divide the segments of the anti-virus software market clearly between them, owing to their considerable versatility as well as the personal preferences of users. Nevertheless, some trends can be identified. Thus, most users of operating systems of the MS-DOS family and early versions of MS Windows (up to 3.11) use the anti-virus "tandem" from DialogNauka, while happy users of later versions of MS Windows opt for the anti-virus systems of the Kaspersky group and Symantec. In this case, the choice is often based on personal preferences and previous experience. For example, when the problem of organizing anti-virus protection for the information system of the ComputerPress Publishing House was being solved, the question of which software to use was not even raised. The choice was obvious: Norton Antivirus Corporate Edition.

The prehistory of this choice dates back to 1994, when domestic anti-virus developments gave way before a foreign infection brought onto a home computer by a floppy disk that had arrived from the States. In a fit of desperation, the only foreign healer available was bought at the Biblio-Globus store (the one on Myasnitskaya), and it turned out to be Norton Antivirus 2.0. In the following years, I witnessed the evolution of this product with my own eyes. However, since it did not always react to domestic viruses, it was not possible to part immediately with AidsTest, Adinf and AVP. This led to five years of joint use of these antiviruses, which provided an opportunity for their comparative testing. In brief, the distinctive features of the products can be described as follows:

  • Adinf. Ideal (almost) disk guard. Allows you to calculate the checksums of both files and system areas of the hard disk. Paired with the recovery module (Adinf Cure Module), it allowed (not always) to recover files infected with an unknown virus. In practice, such a restoration was not always correct. However, the value of this product cannot be overestimated.
  • AidsTest. The first Russian antivirus. Quickly and reliably searches for, and in most cases correctly cures, known viruses. Among its merits is the cessation of the epidemic of viruses of the Stone family (1991-1993) and of a number of other, smaller ones. For many years (until the advent of Adinf in 1991) it remained the only protection domestic users had against viruses.
  • AVP. Development of Evgeny Kaspersky's group (1993). It became famous for its ability to restore the vast majority of infected files, including those that Russian and foreign counterparts refused to restore.

Against the backdrop of such a brilliant domestic anti-virus triad, Symantec's development initially did not stand out in any way. However, starting from version 3.0, the product began to acquire new features with each new version, expanding and improving the existing ones. It was there that such revolutionary features as heuristic analysis of data for "virus-like" instructions and updating of the anti-virus database via the Internet (LiveUpdate) were first used. Incidentally, such a function appeared in domestic developments only relatively recently. Symantec was also the first to almost completely remove the need to supervise the operation of its complex. All that was required of the user was an Internet access channel for automatic updates. That is why, being a student of Moscow State University and at the same time the administrator of the departmental network (consisting, by the way, of five computers, the best of which was a P-PRO), I used this particular software product to protect scientific data, articles and my diploma thesis from viral infection. Naturally, I did not give up Adinf and performed regular AidsTest checks. However, the function of controlling opened files and data was assigned to the anti-virus monitor from Norton Antivirus 3.0. The turning point came in 1998 when, as a system administrator of one of the largest publishing holdings, I established that the list of virus definitions in Norton Antivirus and in the domestic developments corresponded completely. All this, together with faster operation and fewer failures compared to the available analogues, led to the construction of the company's anti-virus protection according to scheme A (see Box 1) on the basis of version 4.0 of Symantec's anti-virus package. Unfortunately, the management did not consider it possible to purchase the more expensive version (Corporate Edition) of this package, which made it rather difficult for the service center engineers to protect against viruses and reduced the effectiveness of the protection built. Further experience proved that Norton Antivirus 4.0 is not a viable solution for a large company and that our demand for a better version of the antivirus software was justified. At the same time, over the entire period of use of the package described here (more than two years), not a single virus managed to cause even a local epidemic, let alone data loss. And this despite the fact that the anti-virus software was regularly updated exclusively on the servers. The workstations were updated only occasionally, and then only during global relocations and other natural disasters. As a result, some workstations had not been updated since the antivirus was installed on them. At the same time, the e-mail system and the Internet access channel were not controlled in any way. By the way, our neighbors (another well-known publishing house) suffered a catastrophic epidemic of the famous Win95.CIH in 1999, although they used a domestic anti-virus product.

With this, we will end our conversation about the past and turn our eyes to a bright present and a bright future.

To Symantec's credit, they did not stop there and improved their line of antivirus products, which led to a new version of their corporate anti-virus protection system, Norton Antivirus Corporate Edition 7.01. It was this system that, after short discussions with the management, was adopted by the ComputerPress Publishing House. However, during discussions with a Symantec employee, our choice turned to two packages that represent a complete antivirus solution within an organization, namely Norton Antivirus Solution 4.0 and Norton Antivirus Enterprise Solution 4.0. The composition of these packages is shown in the table.

The first impression of the new version of the antivirus was ambiguous. First of all, I was struck by the almost complete absence of any paper documentation; a meager description of the initial steps does not count. Nevertheless, contrary to the usual practice of installing first and reading the documentation afterwards, it was read repeatedly. At approximately the third reading, somewhere in the middle, a warning flashed by in small print about the need to install the components in the correct sequence. Another five pages later, this sequence was discovered. There was no one to answer the natural question of why this most valuable information was hidden among detailed descriptions of the steps for opening the box and the rules for launching programs under MS Windows. So the CD was taken out, and then the fun began.

First of all, the complete installation and configuration of the anti-virus software throughout the network can be done from any workstation. After installing the central anti-virus console and rebooting, we proceeded to install the anti-virus on the servers. Beforehand, I had to allocate one of the servers to the role of "quarantine" server and another to the role of virus-list update server. These functions were assigned to the company's print server, which did not lead to any noticeable slowdown in the performance of its main functions. The installation process went smoothly, without any complaints or stupid questions from the installer. The only thing required of us was to walk over to two old servers and reboot them, since this could not be done through the operating system because of hardware problems. All the other servers were successfully rebooted remotely using the appropriate utility from the NT Resource Kit.

After that we took care of the users. Since it did not seem reasonable to install protection for everyone at the same time, given the lack of information about possible software failures and conflicts, we drew up a secret list of seven users who "voluntarily-compulsorily" received the antivirus. Only three hours after this event, one employee noticed the anti-virus monitor icon, and another computer, running MS Windows 2000 Professional, stopped booting. The symptoms that accompanied such outrageous computer behavior were extremely strange and ambiguous. First, the boot time of the operating system increased dramatically. Secondly, restarting the system in safe mode caused it to freeze. Finally (and this is the worst), the NetLogon service stopped starting, which is one of the most terrible errors in the Windows NT family of operating systems. Since reinstalling the system was unacceptable, given the planned installation of this anti-virus complex on other computers with the same operating system, a post-mortem examination of the "dead man" was undertaken to establish the root cause of the misfortune. A brief autopsy already revealed the most interesting thing, namely lines in the registry whose appearance suggested kinship with the domestic AVP anti-virus complex. After an interrogation with prejudice, the employee admitted to having an anti-virus monitor from the AVP complex on his machine. Further actions were reduced to removing this software with a minor cleaning of the registry, after which the workstation booted up and continued to work as if nothing had happened. As a result, it was decided that the workstations had to be cleaned of other anti-virus programs beforehand, which was done.

The installation of the appropriate components for the protection of the email system and the corporate firewall went very smoothly and almost imperceptibly for users. In addition, the speed of downloading files from the Internet has decreased (by 5-7%). Working with e-mail consisted of "cutting" an incurable attachment from the letter, sending it to quarantine and sending a warning to the responsible employee. The only thing that can be recommended when installing an antivirus is to pay attention to the protection settings. Unfortunately, they are not always optimal.

After installing the whole complex on a part of the computers of the ComputerPress Publishing House allocated to a virtual test network, an active test of the entire system began. The experience gained can be summarized as follows:

  1. The general organization of protection with default settings can be rated a "five" for security and a solid "three" for rationality. The default protection settings are not optimal in terms of either speed or security. It is reasonable to check "on the fly" a certain minimum of file types (and certainly not TIFF images of about 100-500 MB), but checking on the mail server and firewall should be carried out by all available methods.
  2. Security settings for workstations and servers should complement each other, but not duplicate. By default, the requested file is first tested on the server when requested, and then on the workstation when opened. Since the virus definition databases are identical, this is a waste of time.
  3. Carry out regular checks of the “combat readiness” of the complex. The easiest way is to periodically "throw" known infected data into different parts of the network and analyze the speed and quality of the system's response to their appearance.
  4. The less the user can do, the better! No virus detection messages are needed. If there is a virus and it is curable, then it should be cured "on the fly" and the user given a "healthy" version. If not, "access denied". And no liberalism: viruses pose too great a threat.
  5. And finally, do not be lazy to conduct a regular maniacal check of server disks. This will not take you much time, but will increase the overall level of protection.

To sum up absolutely everything, the whole complex deserves (with a slight stretch) the highest rating. Now, if only the documentation were a little more logical... It is not very pleasant when, for the sake of a grain of valuable information, you have to shovel through a huge amount of empty instructions.

In conclusion, I would like to mention a new feature of the anti-virus package, announced, but, unfortunately (or fortunately), not tested by us, namely, the on-line analysis of suspicious files and the synthesis of an antidote. This function is implemented within the quarantine server and is important not only in the absence of the possibility of obtaining updated virus definitions, but also as a last resort when an unidentified computer monster appears on your network.

Good luck, and don't let your use of this great antivirus suite slow down your backups. As the saying goes, trust in God, but don't be careless yourself.

ComputerPress 2'2001


Introduction.

Information security means are the set of engineering, electrical, electronic, optical and other devices and apparatus, instruments and technical systems, as well as other proprietary elements, used to solve various problems of information protection, including preventing leakage and ensuring the security of the protected information.

In general, the means of ensuring information security in terms of preventing deliberate actions, depending on the method of implementation, can be divided into groups:

1) Technical (hardware) means. These are devices of various types (mechanical, electromechanical, electronic, etc.) that solve information protection problems in hardware. They either prevent physical penetration or, if penetration has taken place, prevent access to the information, including by disguising it. The first part of the task is solved by locks, window bars, guards, security alarms, etc. The second part is solved by noise generators, surge protectors, scanning radios and many other devices that "block" potential information leakage channels or allow them to be detected. The advantages of technical means are their reliability, independence from subjective factors, and high resistance to modification. Weaknesses: lack of flexibility, relatively large volume and mass, high cost;

2) Software tools include programs for user identification, access control, information encryption, deletion of residual (working) information such as temporary files, test control of the protection system, etc. The advantages of software tools are versatility, flexibility, reliability, ease of installation, and the ability to modify and develop them. Disadvantages: limited network functionality, use of part of the resources of the file server and workstations, high sensitivity to accidental or deliberate changes, possible dependence on the types of computers (their hardware);

3) Mixed hardware and software implement the same functions as hardware and software separately, and have intermediate properties;

4) Organizational means consist of organizational-technical measures (preparation of premises with computers, laying a cable system taking into account the requirements for restricting access to it, etc.) and organizational-legal measures (national laws and work rules established by the management of a particular enterprise). The advantages of organizational means are that they allow many heterogeneous problems to be solved, are easy to implement, respond quickly to unwanted actions in the network, and have unlimited possibilities for modification and development. Disadvantages: high dependence on subjective factors, including the overall organization of work in a particular unit.

In my work, I will consider one of the software tools for protecting information: antivirus programs. So, the purpose of my work is to analyze anti-virus information protection tools. Achieving this goal requires solving the following tasks:

1) Studying the concept of anti-virus information protection tools;

2) Consideration of the classification of anti-virus information protection tools;

3) Familiarization with the main functions of the most popular antiviruses.

1. The concept of anti-virus information protection.

An antivirus program (antivirus) is a program for detecting computer viruses, and unwanted (considered malicious) programs in general, and for recovering files infected (modified) by such programs, as well as for prevention, i.e. preventing infection (modification) of files or the operating system by malicious code (for example, through vaccination).

Antivirus software consists of routines that attempt to detect, prevent and remove computer viruses and other malicious software.

2. Classification of antivirus programs.

Antivirus programs are the most effective means of combating computer viruses. However, I would like to note right away that there are no antiviruses that guarantee one hundred percent protection against viruses, and claims that such systems exist can be regarded either as dishonest advertising or as unprofessionalism. Such systems do not exist, since for any antivirus algorithm it is always possible to devise a counter-algorithm for a virus that is invisible to that antivirus (the reverse, fortunately, is also true: an antivirus can always be created for any virus algorithm).

The most popular and effective anti-virus programs are anti-virus scanners (other names: phage, polyphage, doctor program). Following them in terms of efficiency and popularity are CRC scanners (also: auditor, checksummer, integrity checker). Often both of these methods are combined into one universal anti-virus program, which significantly increases its effectiveness. Various types of blockers and immunizers are also used.

2.1 Scanners.

The principle of operation of anti-virus scanners is based on scanning files, sectors and system memory and searching them for known and new (unknown to the scanner) viruses. So-called "masks" are used to search for known viruses. A virus mask is some constant code sequence specific to that particular virus. If the virus does not contain a constant mask, or the mask is not long enough, other methods are used. An example of such a method is an algorithmic language that describes all possible code variants that can be encountered when a file is infected by this type of virus. This approach is used by some antiviruses to detect polymorphic viruses. Scanners can also be divided into two categories: "universal" and "specialized". Universal scanners are designed to search for and neutralize all types of viruses, regardless of the operating system the scanner is designed to work in. Specialized scanners are designed to neutralize a limited number of viruses or only one class of them, such as macro viruses. Specialized scanners designed only for macro viruses often turn out to be the most convenient and reliable solution for protecting document workflow systems in MS Word and MS Excel environments.
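A minimal mask scanner in Python, added here as an illustration of the search described above (it is not the essay's code or any product's): the signature database, the wildcard mask and the sample "files" are all constructed.

```python
"""Mask-based virus scanner: an added example, not code from the essay or from
any antivirus product. A mask is a constant byte sequence specific to one virus;
wildcard positions (None) cover a short variable region, the simplest form of the
"algorithmic" description used when the constant part alone is too short.
The signature database and the sample files are constructed for illustration."""
from typing import Dict, List, Optional, Tuple

# Constructed signature database: virus name -> mask (None = any byte).
SIGNATURES: Dict[str, List[Optional[int]]] = {
    "Sample.A": [0xE8, 0x00, 0x00, 0x00, 0x00, 0x5D, 0x81, 0xED],  # fully constant mask
    "Sample.B": [0xB8, None, None, 0xCD, 0x21, 0x3D, None, 0x4B],  # mask with wildcards
}


def match_at(data: bytes, offset: int, mask: List[Optional[int]]) -> bool:
    """True if the mask matches data at offset; wildcard positions match any byte."""
    if offset + len(mask) > len(data):
        return False
    return all(m is None or data[offset + i] == m for i, m in enumerate(mask))


def scan_bytes(data: bytes) -> List[Tuple[str, int]]:
    """Return every (virus name, offset) hit in offset order.

    This naive scan tries each mask at every offset; real scanners use
    multi-pattern matching and check only likely places (entry point, file end)."""
    hits = []
    for offset in range(len(data)):
        for name, mask in SIGNATURES.items():
            if match_at(data, offset, mask):
                hits.append((name, offset))
    return hits


def scan_file(path: str) -> List[Tuple[str, int]]:
    """Scan a file on disk with the same logic."""
    with open(path, "rb") as f:
        return scan_bytes(f.read())


def build_samples() -> Dict[str, bytes]:
    """Constructed sample 'files': one clean, one hit per signature."""
    clean = bytes(range(64))  # bytes 0x00..0x3F: contains neither 0xE8 nor 0xB8
    # Sample.A's mask after 16 filler bytes, so the hit lands at offset 16.
    infected_a = b"\x90" * 16 + bytes([0xE8, 0, 0, 0, 0, 0x5D, 0x81, 0xED]) + clean
    # Sample.B's mask appended at the end (offset 64); the wildcard positions
    # hold arbitrary bytes and still match.
    infected_b = clean + bytes([0xB8, 0x12, 0x34, 0xCD, 0x21, 0x3D, 0xFF, 0x4B])
    return {"clean.bin": clean, "a.bin": infected_a, "b.bin": infected_b}


if __name__ == "__main__":
    for fname, data in build_samples().items():
        print(fname, scan_bytes(data) or "clean")
```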

Scanners are also divided into "resident" (monitors, watchmen), which perform on-the-fly scanning, and "non-resident", which check the system only on request. As a rule, "resident" scanners provide more reliable system protection, since they react immediately to the appearance of a virus, whereas a "non-resident" scanner can identify a virus only the next time it is launched. On the other hand, a resident scanner can slow down the computer somewhat, including because of possible false positives.

The advantages of scanners of all types include their versatility; the disadvantage is the relatively low speed of searching for viruses. The following programs are most common in Russia: AVP (Kaspersky), Dr.Web (Danilov) and Norton AntiVirus (Symantec).

2.2 CRC scanners.

The principle of operation of CRC scanners is based on calculating CRC sums (checksums) for the files and system sectors present on the disk. These CRC sums are then stored in the antivirus database together with some other information: file lengths, dates of last modification, etc. The next time CRC scanners are run, they compare the data stored in the database with the values actually computed. If the file information recorded in the database does not match the real values, the CRC scanner signals that the file has been modified or infected with a virus. CRC scanners using anti-stealth algorithms are a pretty strong weapon against viruses: almost 100% of viruses are detected almost immediately after they appear on the computer. However, this type of antivirus has an inherent flaw that significantly reduces its effectiveness: CRC scanners are not able to catch a virus at the moment it appears in the system, but only some time later, after the virus has spread throughout the computer. CRC scanners cannot detect a virus in new files (in e-mail, on floppy disks, in files restored from a backup or unpacked from an archive), because their databases contain no information about these files. Moreover, viruses periodically appear that exploit this "weakness" of CRC scanners: they infect only newly created files and thus remain invisible to them. The most used programs of this kind in Russia are ADINF and AVP Inspector.
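A small CRC scanner in Python, added as an example of the baseline-and-compare cycle just described (not the essay's code, nor ADINF's or AVP Inspector's); the directory, file names and contents are constructed, and the "new file" verdict shows the weakness the paragraph ends with.

```python
"""CRC scanner (integrity checker): an added example, not the essay's own code or
any product's. A baseline run stores CRC32, size and mtime per file; a later run
compares the current files with it. Files without a baseline entry are reported
as "new": there is nothing to compare them against. Sample directory is constructed."""
import json, os, tempfile, zlib

def fingerprint(path: str) -> dict:
    """CRC32, size and mtime: the data a CRC scanner keeps per file."""
    with open(path, "rb") as f:
        crc = zlib.crc32(f.read()) & 0xFFFFFFFF
    st = os.stat(path)
    return {"crc32": crc, "size": st.st_size, "mtime": st.st_mtime}

def walk_files(root: str) -> list:  # paths of every file under root, relative to root
    return [os.path.relpath(os.path.join(d, n), root) for d, _, ns in os.walk(root) for n in ns]

def build_baseline(root: str, db_path: str) -> dict:
    """Record fingerprints of every file under root in a JSON database."""
    db = {rel: fingerprint(os.path.join(root, rel)) for rel in walk_files(root)}
    with open(db_path, "w") as f:
        json.dump(db, f)
    return db

def check(root: str, db_path: str) -> dict:
    """Compare current files with the baseline. Only CRC and size decide:
    mtime can be restored by malware and also changes for legitimate reasons."""
    with open(db_path) as f:
        db = json.load(f)
    report = {"ok": [], "modified": [], "new": [], "missing": []}
    for rel in walk_files(root):
        if rel not in db:
            report["new"].append(rel)  # no baseline: cannot be judged
            continue
        cur = fingerprint(os.path.join(root, rel))
        same = (cur["crc32"], cur["size"]) == (db[rel]["crc32"], db[rel]["size"])
        report["ok" if same else "modified"].append(rel)
    report["missing"] = [r for r in db if not os.path.exists(os.path.join(root, r))]
    return {k: sorted(v) for k, v in report.items()}

def put(path: str, data: bytes, mode: str = "wb") -> None:
    with open(path, mode) as f:
        f.write(data)

def demo() -> dict:
    """Constructed scenario: after the baseline, one file is altered, one appears, one is deleted."""
    root = tempfile.mkdtemp()
    files, db = os.path.join(root, "files"), os.path.join(root, "baseline.json")
    os.makedirs(files)
    put(os.path.join(files, "prog.exe"), b"MZ" + b"\x00" * 62 + b"original code")
    put(os.path.join(files, "notes.txt"), b"hello")
    build_baseline(files, db)  # the database lives outside the scanned tree
    put(os.path.join(files, "prog.exe"), b"APPENDED", "ab")  # unauthorized change to a known file
    put(os.path.join(files, "attach.exe"), b"MZ new")  # new file, e.g. saved from e-mail
    os.remove(os.path.join(files, "notes.txt"))
    return check(files, db)
```

Running `demo()` reports prog.exe as modified and notes.txt as missing, while attach.exe is only "new": the checker has no way of telling whether it is infected.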

2.3 Blockers.

Anti-virus blockers are resident programs that intercept "virus-dangerous" situations and notify the user about them. "Virus-dangerous" calls include calls to open executable files for writing, writing to the boot sectors of disks or to the MBR of a hard drive, attempts by programs to remain resident, etc., that is, calls that are typical of viruses at the moment of reproduction. Sometimes some blocker functions are implemented in resident scanners.

The advantages of blockers include their ability to detect and stop a virus at the earliest stage of its reproduction, which, by the way, is very useful in cases where a long-known virus constantly "creeps out of nowhere". The disadvantages include the existence of ways to bypass the protection of blockers and a large number of false positives, which, apparently, is why users have almost completely abandoned this kind of anti-virus program (for example, not a single blocker for Windows 95/NT is known: no demand, no supply).

It is also necessary to note such a direction of anti-virus tools as anti-virus blockers implemented as computer hardware components ("hardware"). The most common is the write protection of the hard drive's MBR built into the BIOS. However, as in the case of software blockers, such protection can be easily bypassed by writing directly to the ports of the disk controller, and running the DOS utility FDISK immediately causes a "false positive" of the protection.

There are several more universal hardware blockers, but the disadvantages listed above are also accompanied by compatibility problems with standard computer configurations and difficulties in installing and configuring them. All this makes hardware blockers extremely unpopular compared to other types of anti-virus protection.

2.4 Immunizers.

Immunizers are programs that write code into other programs that reports infection. They usually write this code to the end of files (like a file virus) and, each time the file is run, check it for changes. They have only one drawback, but it is lethal: the absolute inability to report infection with a stealth virus. Therefore, such immunizers, like blockers, are practically not used at present. In addition, many recently developed programs check their own integrity and may mistake the code embedded in them for a virus and refuse to work.


3. The main functions of the most common antiviruses.

3.1 Dr. Web antivirus.

Dr. Web is an old and deservedly popular antivirus in Russia that has been helping users in the fight against viruses for several years. New versions of the program (DrWeb32) work on several operating systems, protecting users from more than 17,000 viruses.

The set of functions is quite standard for an antivirus: scanning files (including those compressed with special programs and archived), memory, and the boot sectors of hard drives and floppy disks. Trojan programs, as a rule, are not disinfected but deleted. Unfortunately, mail formats are not checked, so immediately after receiving an e-mail it is impossible to find out whether there is a virus in the attachment; the attachment has to be saved to disk and checked separately. However, the "Spider Guard" resident monitor supplied with the program allows you to solve this problem on the fly.

Dr. Web is one of the first programs in which heuristic analysis was implemented, which allows you to detect viruses that are not listed in the anti-virus database. The analyzer detects virus-like instructions in a program and marks such a program as suspicious. The anti-virus database is updated via the Internet at the click of a button. The free version of the program does not perform heuristic analysis and does not disinfect files.

3.2 Kaspersky Anti-Virus.

The Inspector monitors all changes on your computer and, if unauthorized changes are detected in files or in the system registry, it allows you to restore the contents of the disk and remove malicious code. Inspector does not require anti-virus database updates: integrity control is carried out by taking fingerprints (CRC sums) of the original files and later comparing them with the current files. Unlike other auditors, Inspector supports all the most popular executable file formats.

The heuristic analyzer makes it possible to protect your computer even from unknown viruses.

The Monitor background virus interceptor, permanently present in the computer's memory, performs anti-virus scanning of all files immediately at the moment they are launched, created or copied, which allows you to control all file operations and prevent infection even by the most technologically advanced viruses.

Anti-virus e-mail filtering prevents viruses from entering your computer. The Mail Checker plug-in not only removes viruses from the body of an e-mail, but also completely restores the original content of the message. A comprehensive scan of mail correspondence prevents a virus from hiding in any element of an e-mail by scanning all sections of incoming and outgoing messages, including attached files (also archived and packed ones) and nested messages of any depth.

The Scanner anti-virus scanner makes it possible to carry out a full-scale scan of the entire contents of local and network drives on demand.

The Script Checker interceptor provides anti-virus checks of all running scripts before they are executed.

Support for archived and compressed files provides the ability to remove malicious code from an infected compressed file.

Isolation of infected objects provides isolation of infected and suspicious objects with their subsequent transfer to a specially organized directory for further analysis and recovery.

Automation of anti-virus protection allows you to create a schedule and order of operation for the program's components; automatically download and install new anti-virus database updates via the Internet; send warnings about detected virus attacks by e-mail, etc.

3.3 Antiviral Toolkit Pro.

Antiviral Toolkit Pro is a Russian product that has earned popularity abroad and in Russia due to its widest capabilities and high reliability. There are versions of the program for most popular operating systems, the anti-virus database contains about 34,000 viruses.

There are several delivery options: AVP Lite, AVP Gold and AVP Platinum. The most complete version comes with three products: a scanner, a resident monitor and a control center. The scanner allows you to check files and memory for viruses and Trojans. It scans packed programs, archives and mail databases (Outlook folders, etc.) and performs heuristic analysis to look for new viruses not included in the database. The on-the-fly monitor checks each opened file for viruses and warns of virus danger while blocking access to the infected file. The Control Center allows you to schedule anti-virus scans and update the databases via the Internet. The demo version lacks the ability to disinfect infected objects, to scan packed and archived files, and heuristic analysis.

3.4 Norton Antivirus 2000.

Norton AntiVirus is based on another popular product, the personal firewall AtGuard (@guard) from WRQ Soft. Applying Symantec's technological power to it has produced an integrated product with significantly expanded functionality. The core of the system is still the firewall. It works very effectively without configuration, practically without interfering with daily network use, while blocking attempts to restart or "hang" the computer, to access files and printers, and to establish contact with Trojans on the computer.

Norton AntiVirus is the only firewall reviewed here that implements the capabilities of this method of protection 100%. All types of packets travelling through the network are filtered, including service packets (ICMP), and the firewall rules can take into account which application is working with the network, what kind of data is transmitted and to which computer, and at what time of day this happens.

To preserve confidential data, the firewall can block the sending of e-mail addresses to web servers (by the browser, for example); it is also possible to block cookies. The Confidential Information Filter warns of an attempt to send to the network unencrypted information that the user has entered and marked as confidential.

Active content on web pages (Java applets, scripts, etc.) can also be blocked by Norton AntiVirus - the content filter can cut insecure elements from the text of web pages before they reach the browser.

As an additional service that is not directly related to security issues, Norton AntiVirus offers a very convenient filter for advertising banners (these annoying pictures are simply cut out of the page, which speeds up its loading), as well as a parental control system. By prohibiting visits to certain categories of sites and the launch of certain types of Internet applications, you can be quite calm about the content of the network that is available to children.

In addition to the firewall capabilities, Norton AntiVirus offers the user the protection of the Norton Antivirus program. This popular anti-virus application with regularly updated anti-virus databases allows you to quite reliably detect viruses at the earliest stages of their appearance. All files downloaded from the network, files attached to e-mail, active elements of web pages are scanned for viruses. In addition, Norton Antivirus has a virus scanner and monitor that provides system-wide virus protection without being tied to network access.


Conclusion:

Having studied the literature, I achieved my goal and drew the following conclusions:

1) An anti-virus program (anti-virus) is a program for detecting computer viruses, as well as unwanted (considered malicious) programs in general, and for restoring files infected (modified) by such programs; it also serves for prevention, that is, preventing infection (modification) of files or the operating system by malicious code (for example, through vaccination);

2) there are no antiviruses that guarantee 100% protection against viruses;

3) The most popular and effective anti-virus programs are anti-virus scanners (other names: phage, polyphage, doctor program). Following them in terms of efficiency and popularity are CRC scanners (also: auditor, checksummer, integrity checker). Often both of these methods are combined into one universal anti-virus program, which significantly increases its effectiveness. Various types of blockers and immunizers are also used.


Bibliography:

1) Proskurin V.G. Software and hardware for information security. Protection in operating systems. – Moscow: Radio and communication, 2000;

2) http://ru.wikipedia.org/wiki/Antivirus_program;

3) www.kasperski.ru;

4) http://www.symantec.com/sabu/nis;
