
CompTIA A+ Certification All-In-One Exam Guide, Seventh Edition - Michael Meyers [467]

program coincidentally held a virus signature. Usually the antivirus program’s creator provides a patch to prevent further alarms. Now that you understand the types of viruses and how antivirus programs try to protect against them, let’s review a few terms that are often used when describing certain traits of viruses.

Polymorphics/Polymorphs A polymorph virus attempts to change its signature to prevent detection by antivirus programs, usually by continually scrambling a bit of useless code. Fortunately, the scrambling code itself can be identified and used as the signature—once the antivirus makers become aware of the virus. One technique used to combat unknown polymorphs is to have the antivirus program create a checksum on every file on the drive. A checksum in this context is a number generated by the software from the contents of the file rather than from the name, date, or size of that file. The algorithms for creating these checksums vary among antivirus programs (they are also usually kept secret to help prevent virus makers from coming up with ways to beat them). Every time a program is run, the antivirus program calculates a new checksum and compares it with the earlier calculation. If the checksums are different, it is a sure sign of a virus.
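The checksum scheme described above, written out as a small file-integrity monitor. This is an added example, not code from the book or from any antivirus vendor: the file set is constructed in memory so it runs offline, the HMAC-SHA256 checksum with a secret key stands in for the vendors' undisclosed algorithms, and all names here are assumptions.

```python
from __future__ import annotations

import hashlib
import hmac

# Constructed "drive contents" (path -> file bytes). A real monitor would read
# these from disk; they are embedded here so the example runs offline.
SAMPLE_FILES: dict[str, bytes] = {
    "C:/Program Files/Editor/editor.exe": b"MZ\x90\x00 editor code section v1",
    "C:/Program Files/Editor/readme.txt": b"Press F1 for help.",
    "C:/Windows/notepad.exe": b"MZ\x90\x00 notepad code section",
}

# Assumed secret key. The book notes that vendors keep their checksum
# algorithm secret; keying a standard hash (HMAC) gives a similar effect
# without relying on an undisclosed algorithm.
SECRET_KEY = b"example-key-replace-in-practice"


def compute_checksum(contents: bytes, key: bytes = SECRET_KEY) -> str:
    """Checksum over the file's contents only; name, date and size play no part."""
    return hmac.new(key, contents, hashlib.sha256).hexdigest()


def build_baseline(files: dict[str, bytes], key: bytes = SECRET_KEY) -> dict[str, str]:
    """Record a checksum for every file, done once on a known-clean system."""
    return {path: compute_checksum(data, key) for path, data in files.items()}


def check_files(files: dict[str, bytes], baseline: dict[str, str],
                key: bytes = SECRET_KEY) -> dict[str, list[str]]:
    """Recompute every checksum and compare it with the stored one.

    Returns the paths whose contents changed, paths with no baseline entry,
    and baseline entries whose file is gone.
    """
    report: dict[str, list[str]] = {"changed": [], "new": [], "missing": []}
    for path, data in files.items():
        if path not in baseline:
            report["new"].append(path)
        elif not hmac.compare_digest(compute_checksum(data, key), baseline[path]):
            report["changed"].append(path)
    report["missing"] = [path for path in baseline if path not in files]
    return report


def modify_one_file(files: dict[str, bytes]) -> dict[str, bytes]:
    """Constructed change for the demo: append a few bytes to one executable.

    Any change to the contents, however small, produces a different checksum,
    which is what lets the scheme catch code that keeps rewriting itself.
    """
    altered = dict(files)
    altered["C:/Windows/notepad.exe"] += b" extra bytes"
    return altered


if __name__ == "__main__":
    baseline = build_baseline(SAMPLE_FILES)
    print("clean scan:   ", check_files(SAMPLE_FILES, baseline))
    print("after change: ", check_files(modify_one_file(SAMPLE_FILES), baseline))
```

Because the checksum covers contents only, renaming or touching a file leaves it unchanged, while a single altered byte flips it. The same property means a legitimate software update also shows up as "changed", so a report entry is a prompt to investigate and, once the update is confirmed, to rebuild the baseline for that file.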

Stealth The term “stealth” is more of a concept than an actual virus function. Most stealth virus programs are boot sector viruses that use various methods to hide from antivirus software. The AntiEXE stealth virus hooks on to a little-known but often-used software interrupt, for example, running only when that interrupt runs. Others make copies of innocent-looking files.

Virus Prevention Tips

The secret to preventing damage from a malicious software attack is to keep from getting a virus in the first place. As discussed earlier, all good antivirus programs include a virus shield that scans e-mail, downloads, running programs, and so on automatically (see Figure 26-21).

Figure 26-21 A virus shield in action

Use your antivirus shield. It is also a good idea to scan PCs daily for possible virus attacks. All antivirus programs include terminate-and-stay resident programs (TSRs) that run every time the PC is booted. Last but not least, know the source of any software before you load it. Although the chance of commercial, shrink-wrapped software having a virus is virtually nil (there have been a couple of well-publicized exceptions), that illegal copy of Unreal Tournament you borrowed from a local hacker should definitely be inspected with care.

Keep your antivirus program updated. New viruses appear daily and your program needs to know about them. The list of virus signatures your antivirus program can recognize is called the definition file, and you must keep that definition file up to date so your antivirus software has the latest signatures. Fortunately, most antivirus programs update themselves automatically. Further, you should periodically update the core antivirus software programming—called the engine—to employ the latest refinements the developers have included.

Virus Recovery Tips When the inevitable happens and either your computer or one of your users' computers gets infected by a computer virus, you need to follow certain steps to stop the problem from spreading and get the computer safely back into service. Try this five-step process.

1. Recognize

2. Quarantine

3. Search and destroy

4. Remediate

5. Educate

Recognize and Quarantine The first step is to recognize that a potential virus outbreak has occurred. If you're monitoring network traffic and one computer starts spewing e-mail, that's a good sign something is wrong. Or users might complain that a computer that was running snappily the day before seems very sluggish.
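The "one computer starts spewing e-mail" sign, turned into a check you can run over connection logs. This is an added example and not part of the book or of PacketFence: the log format is an assumption, the addresses and lines are constructed, and the threshold and the exemption for known mail servers are choices a site would tune to its own traffic.

```python
from __future__ import annotations

import re
from collections import Counter, defaultdict

# Constructed log lines in an assumed firewall/flow-log format; not real traffic.
# 192.168.1.5 is the site's mail server; 192.168.1.20 is a workstation that
# has started opening SMTP connections to many outside hosts on its own.
SAMPLE_LOG = """\
2024-03-01T09:00:01 src=192.168.1.10 dst=203.0.113.5 dport=443 proto=tcp
2024-03-01T09:00:02 src=192.168.1.5 dst=198.51.100.7 dport=25 proto=tcp
2024-03-01T09:00:03 src=192.168.1.5 dst=198.51.100.8 dport=25 proto=tcp
2024-03-01T09:00:04 src=192.168.1.20 dst=203.0.113.11 dport=25 proto=tcp
2024-03-01T09:00:04 src=192.168.1.20 dst=203.0.113.12 dport=25 proto=tcp
2024-03-01T09:00:05 src=192.168.1.20 dst=203.0.113.13 dport=25 proto=tcp
2024-03-01T09:00:05 src=192.168.1.20 dst=203.0.113.14 dport=25 proto=tcp
2024-03-01T09:00:06 src=192.168.1.20 dst=203.0.113.15 dport=25 proto=tcp
2024-03-01T09:00:06 src=192.168.1.20 dst=203.0.113.16 dport=25 proto=tcp
2024-03-01T09:00:07 src=192.168.1.5 dst=198.51.100.9 dport=25 proto=tcp
2024-03-01T09:00:07 src=192.168.1.10 dst=192.168.1.5 dport=25 proto=tcp
2024-03-01T09:00:08 src=192.168.1.20 dst=203.0.113.11 dport=25 proto=tcp
this line is malformed and should be skipped
2024-03-01T09:00:09 src=192.168.1.5 dst=198.51.100.10 dport=25 proto=tcp
2024-03-01T09:00:09 src=192.168.1.5 dst=198.51.100.11 dport=25 proto=tcp
2024-03-01T09:00:10 src=192.168.1.5 dst=198.51.100.12 dport=25 proto=tcp
"""

LINE_RE = re.compile(r"src=(?P<src>\S+)\s+dst=(?P<dst>\S+)\s+dport=(?P<dport>\d+)")
SMTP_PORT = 25


def smtp_activity(log_text: str) -> dict[str, dict[str, int]]:
    """Per source host: number of SMTP connections and distinct destinations."""
    connections: Counter[str] = Counter()
    destinations: defaultdict[str, set[str]] = defaultdict(set)
    for line in log_text.splitlines():
        match = LINE_RE.search(line)
        if match is None:
            continue  # malformed line: skip it rather than stop the monitor
        if int(match["dport"]) != SMTP_PORT:
            continue
        connections[match["src"]] += 1
        destinations[match["src"]].add(match["dst"])
    return {src: {"connections": n, "destinations": len(destinations[src])}
            for src, n in connections.items()}


def find_spewing_hosts(log_text: str, threshold: int = 5,
                       mail_servers: frozenset[str] = frozenset()) -> list[str]:
    """Hosts above the threshold that are not a known mail server.

    Ordinary workstations hand mail to the site's mail server, so a
    workstation talking SMTP to many outside hosts directly is the pattern
    the book describes. Known mail servers are exempted because they are
    supposed to do exactly that.
    """
    activity = smtp_activity(log_text)
    return sorted(src for src, a in activity.items()
                  if src not in mail_servers and a["connections"] > threshold)


if __name__ == "__main__":
    for host, stats in smtp_activity(SAMPLE_LOG).items():
        print(host, stats)
    print("flagged:", find_spewing_hosts(SAMPLE_LOG, mail_servers=frozenset({"192.168.1.5"})))
```

Run as is, the mail server and the workstation both exceed the threshold, but only the workstation is flagged once the mail server is listed as exempt. A flagged host is the cue for the quarantine step that follows: cut it off at the switch or by pulling the cable, then investigate.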

Many networks employ software such as the open source PacketFence that automatically monitors network traffic and can cut a machine off the network if that machine starts sending suspicious packets. You can also quarantine a computer manually by disconnecting the network cable. Once you’re sure the machine isn’t capable of
