
Who Goes There? An Introduction to On-Access Virus Scanning, Part One 

Sep 03, 2002 02:00 AM

by Bill Hayes

By now, most savvy computer users have anti-virus software (AV) installed on their machines and use it as part of their regular computing routine. However, most average users do not know how anti-virus software works. This two-part series will offer a brief overview of a particular type of anti-virus mechanism known as on-access virus scanners. These programs are loaded during operating system start-up and interact with programs in the background until the system is shut down. In the Microsoft Windows world, which this article will focus on, they must function reliably and speedily across a range of Windows flavors. They must also be able to correctly identify and disinfect thousands of viruses - known and unknown. On-access scanners must stand in the gap, ensuring that nothing passes the ground they defend.

The Basics

Anti-virus programs protect a computer system from viruses by examining the computer's memory and file system for signs of virus infestation. This examination process is called scanning. Anti-virus programmers use two main scanning strategies - on-demand and on-access scanning. In on-demand scanning, users voluntarily activate a virus-scanning program each time they want to examine the computer for viruses. In on-access virus scanning, the virus scanner runs continually, examining the computer's memory and file system, and activates automatically each time one of these resources is accessed by a program.

While on-access and on-demand scanners may have some similarities, including some of the same programming code, the on-access scanner must do more than just examine files: it shoulders most of the active anti-virus burden for the user. The on-access scanner places itself between programs and the operating system. It examines programs as they interact with files, memory areas and network functions. It has to examine a suspicious program's behavior and halt malevolent software before the software executes. Viruses, trojan horses, and other malevolent Web applications are all part of the on-access scanner's patrol. Part of the challenge of an effective on-access scanner is that it must be diligent and capable of scanning each accessed file while not interfering with the functionality of the machine.

Design challenges

On-access scanners are expected to be thrifty with system resources while preserving system speed. Furthermore, they should be installable on everything from Windows 95 to Windows XP. This is difficult because there are vast differences in the power and functionality of the various Microsoft operating systems. The scanner must be able to function in all these environments equally effectively.

The Microsoft operating systems are characterized by complex interactions of different applications such as word processing and web browsing. This complexity can create tremendous difficulties for AV developers. Furthermore, Microsoft products tend to evolve quickly, with a new OS being released every couple of years. Thus, the AV programmer has to acquire an intimate knowledge of operating systems that have market lifetimes of only a few years. AV programmers must strive to uncover and protect against vulnerabilities before virus writers can exploit them.

Not only does an on-access scanner have to function reliably, it has to work around the limitations imposed on it by operating system weaknesses. On-access virus scanners must be able to examine system processes without becoming a security risk themselves. Peter Szor, Chief Researcher for Symantec Security Response, states that: "it is not easy to put something like this together which will work with most systems," adding that, "a good on-access scanner needs a fast scanning engine and very stable code."

This is very apparent in the wide range of Windows operating systems. On-access scanners depend upon file system application programming interfaces (APIs) to monitor file access. In Windows 95 and 98 systems, file operations are controlled through a set of virtual device (.vxd) drivers that control regular file operations, network operations, and CD-ROM media operations. In the NT world, file system drivers control file operations. So, while the strategy used by an on-access scanner will remain the same, the tactics it uses may change depending on the particular version of Windows.

At the basic level, the on-access scanner examines files each time a file open (OpenFile API for the Windows world) or file close (CloseFile API for the Windows world) programming call is made by a program. During the file open operation, the on-access virus scanner examines the file contents, searching for signs of virus infection. Problems can surface because of differences in how the file operations drivers handle files. This became apparent when some on-access scanners could not detect viruses such as Funlove or LoveLetter when they infected files on network shares.

The problem lies in how the files are accessed. It is easiest for on-access scanners to identify a complete file as it is being opened. The CloseFile API is not only used for files but for other objects as well. This makes working with file closures more difficult. A network-based virus might never have to open a file to infest a system. Instead, it could reach out across the LAN, create a file, write to it and then close it. On-access scanners that favor using the OpenFile API may not be able to detect the infestation until after the tainted file is opened.

Vesselin Bontchev, anti-virus researcher at Frisk Software International, acknowledges this design challenge. "In order to catch them at the infection stage, the on-access scanner must be able to scan on close; not just on open," Bontchev said, adding that "this is not trivial. Doable; just not easy."
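The open-versus-close problem described above can be made concrete with a small simulation. The following is an added example, not code from the original article or from any vendor it quotes: a real on-access scanner hooks file operations inside a file system filter driver or .vxd, whereas here the "hook" is a Python method fed a constructed stream of open, write and close events, and the "signature" is a made-up marker string rather than a real virus signature. The scenario mirrors the text: a remote machine creates a file on a share, writes infected content into it and closes it, and only later does a local user open that file.

```python
"""Toy model of an on-access scanner hooked on file open and file close.

Added example, not from the original article. The event stream, the toy file
system and the signature marker are all constructed for illustration.
"""
from dataclasses import dataclass

SIGNATURES = {"DEMO-MARKER": b"<<DEMO-SIG>>"}   # constructed marker, not a real signature


@dataclass
class Event:
    kind: str          # "open", "write" or "close"
    path: str
    data: bytes = b""  # only used by "write"


def scan_bytes(data):
    """Plain signature scan: name of the first matching signature, else None."""
    for name, pattern in SIGNATURES.items():
        if pattern in data:
            return name
    return None


class OnAccessScanner:
    """Sees every file event and scans on open and/or on close, per its policy."""

    def __init__(self, scan_on_open, scan_on_close):
        self.scan_on_open = scan_on_open
        self.scan_on_close = scan_on_close
        self.files = {}          # path -> current contents (toy file system)
        self.detections = []     # (event index, path, signature name)

    def on_event(self, idx, ev):
        if ev.kind == "open":
            # Create-or-open semantics: a freshly created file is empty at this point,
            # so an open-time scan has nothing to inspect yet.
            self.files.setdefault(ev.path, b"")
            if self.scan_on_open:
                self._check(idx, ev.path)
        elif ev.kind == "write":
            self.files[ev.path] = self.files.get(ev.path, b"") + ev.data
        elif ev.kind == "close":
            # At close time the file holds everything the writer put into it.
            if self.scan_on_close:
                self._check(idx, ev.path)

    def _check(self, idx, path):
        hit = scan_bytes(self.files.get(path, b""))
        if hit:
            self.detections.append((idx, path, hit))


def run(events, scan_on_open, scan_on_close):
    """Replay an event stream under a scan policy; return the detections made."""
    scanner = OnAccessScanner(scan_on_open, scan_on_close)
    for idx, ev in enumerate(events):
        scanner.on_event(idx, ev)
    return scanner.detections


# Constructed scenario: infection written across the LAN, then a later local open.
SHARE_FILE = r"\\server\share\report.doc"
REMOTE_WRITE = [
    Event("open", SHARE_FILE),                           # 0: created empty over the network
    Event("write", SHARE_FILE, b"...<<DEMO-SIG>>..."),   # 1: infected bytes land
    Event("close", SHARE_FILE),                          # 2: writer is done
]
LOCAL_USER_OPEN = [
    Event("open", SHARE_FILE),                           # 3: a local user opens it later
    Event("close", SHARE_FILE),                          # 4
]

if __name__ == "__main__":
    print("scan on open only :", run(REMOTE_WRITE + LOCAL_USER_OPEN, True, False))
    print("scan on close only:", run(REMOTE_WRITE + LOCAL_USER_OPEN, False, True))
    print("scan on both      :", run(REMOTE_WRITE + LOCAL_USER_OPEN, True, True))
```

With an open-only policy the infection stage (events 0 to 2) produces no detection at all; the file is first flagged at event 3, after it has already been sitting on the share. Adding the close hook moves the detection to event 2, the moment the remote writer finishes, which is the "catch them at the infection stage" behaviour Bontchev describes.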

Action and Reaction - Heuristics and Virus signatures

When virus scanners examine files, they can use either virus signatures or heuristic scanning to identify viruses. Virus signatures, which are unique to each computer virus, act as static references the scanner can consult. This is a reactive method, similar to noting the license plate number of the car that just hit you. The obvious problem with this technique is that the signature of the virus must be known beforehand, which is fine for attacks that have been seen previously but does little to protect against new or unknown attacks. The heuristic scanner, by contrast, examines the behavior of the program code to anticipate malevolent actions. It asks the question, "Could this car be trying to run over me?"

Virus signatures offer a quick way to identify the virus, but their usefulness is diminished or rendered useless when a new virus is discovered. "Generic" virus detection routines can be used to work around this shortcoming. Generic virus detectors identify virus families by unique characteristics found within the viral code that are common to a larger group of viruses. For instance, the Internet worms such as Anna Kournikova and HomePage were created under the Visual Basic Script Worm Generator (VBSWG). This fill-in-the-blanks worm construction kit, designed by the Argentinean virus writer (K)alimar, ensures that all of the worms created by it share a unique signature identifying them as VBSWG-made worms. With this readily identifiable characteristic, it becomes a trivial task to detect them.

In the heuristic scanning method, the scanner proactively examines computer code before it is executed. The heuristic scanner looks for signs that the code has deviated from benign behavior to malevolent behavior, or that it contains instructions that may trigger malicious functions. Originally, heuristic scanners focused on viruses created in assembly language. This method, called static heuristics, used a list of suspect programming calls that could indicate viral activity. For instance, a programming call to identify whether a file was an executable would be regarded by the scanner as viral behavior. Also, a static heuristics scanner could examine a Windows PE file to see if it contained telltale entries in its sections showing viral tampering.

While some types of virus activities can be identified this way, static heuristics scanning may create a high number of false alarms, called false positives. Anti-virus developers work around this shortcoming through a newer method called dynamic heuristics. In this method, anti-virus programs create safe places for virus code to be examined. Previously, anti-virus programs employed debugging routines to examine the execution of a program one instruction at a time. On-access virus scanners now create a virtual PC in memory to evaluate program code before it actually executes in the real operating system. With this newer method, the execution of the program is delayed while the on-access scanner examines the code instructions in a virtual copy of the operating system for signs of malevolent intent. This virtual copy of the computer is called either a CPU emulator or a code emulator.

However, code emulators may not be used in all situations. According to Grisoft virus researcher Petr Odehnal, Grisoft uses traditional heuristic scanning for assembly language viruses. For high-level language viruses, macro viruses and script viruses, the Czech Republic-based firm employs generic detection and static heuristics, which is not based on code emulation. "It's faster, needs less memory and results are not bad," Odehnal said.
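To show the trade-off between signatures and static heuristics from the preceding sections, here is an added example, not code from the original article or from any of the vendors it quotes. It runs a constructed signature check and a small static heuristic scorer over hand-built descriptions of PE files (import lists and section properties); the signature string, the file records, the rules and their weights are all assumptions made for illustration. It demonstrates the two failure modes the article describes: the signature scan misses a new variant, and the static heuristics flag a legitimate packed installer as a false positive. Code emulation (dynamic heuristics) is not modelled.

```python
"""Signature scan versus static heuristic scoring on constructed PE metadata.

Added example, not from the original article. Every record, rule and weight
below is a constructed assumption; the API names are real Win32 imports used
only as heuristic indicators.
"""
from dataclasses import dataclass
from typing import List, Set

SIGNATURES = {"DEMO-MARKER": b"<<DEMO-SIG>>"}   # constructed marker, not a real signature


@dataclass
class Section:
    name: str
    flags: Set[str]          # subset of {"R", "W", "X"}


@dataclass
class FileRecord:
    name: str
    body: bytes
    imports: List[str]
    sections: List[Section]
    entry_section: str       # section that holds the program entry point


def signature_verdict(rec):
    """Reactive check: name of the matching signature, or None if unknown."""
    for sig_name, pattern in SIGNATURES.items():
        if pattern in rec.body:
            return sig_name
    return None


# Static heuristic rules in the spirit of the article: suspect API calls (here,
# a call that tests whether a file is an executable) and telltale section layouts.
HEURISTICS = [
    ("entry point in the last section", 3,
     lambda r: r.entry_section == r.sections[-1].name),
    ("last section both writable and executable", 3,
     lambda r: {"W", "X"} <= r.sections[-1].flags),
    ("enumerates files and tests whether they are executables", 2,
     lambda r: {"FindFirstFileA", "FindNextFileA", "GetBinaryTypeA"} <= set(r.imports)),
    ("writes to files", 1,
     lambda r: "WriteFile" in r.imports),
]
THRESHOLD = 5   # assumed alarm threshold


def heuristic_score(rec):
    """Proactive check: total weight of matching rules plus the reasons."""
    score, reasons = 0, []
    for desc, weight, pred in HEURISTICS:
        if pred(rec):
            score += weight
            reasons.append(desc)
    return score, reasons


def classify(rec):
    sig = signature_verdict(rec)
    score, reasons = heuristic_score(rec)
    return {"file": rec.name, "signature": sig, "score": score,
            "heuristic_flag": score >= THRESHOLD, "reasons": reasons}


# Constructed file records.
CLEAN = FileRecord("editor.exe", b"MZ...plain text editor...",
                   ["CreateFileA", "ReadFile", "WriteFile"],
                   [Section(".text", {"R", "X"}), Section(".data", {"R", "W"})], ".text")
KNOWN = FileRecord("infected.exe", b"MZ...<<DEMO-SIG>>...",
                   ["FindFirstFileA", "FindNextFileA", "GetBinaryTypeA", "WriteFile"],
                   [Section(".text", {"R", "X"}), Section(".data", {"R", "W"}),
                    Section(".vir", {"R", "W", "X"})], ".vir")
VARIANT = FileRecord("infected_v2.exe", b"MZ...<<DEM0-SIG>>...",   # marker altered
                     KNOWN.imports, KNOWN.sections, ".vir")
INSTALLER = FileRecord("setup.exe", b"MZ...self-extracting archive...",
                       ["CreateFileA", "WriteFile"],
                       [Section("UPX0", {"R", "W", "X"}), Section("UPX1", {"R", "W", "X"})], "UPX1")

if __name__ == "__main__":
    for rec in (CLEAN, KNOWN, VARIANT, INSTALLER):
        print(classify(rec))
```

The known sample is caught both ways. The variant with an altered marker slips past the signature but still scores 9 on the heuristics, which is the proactive benefit. The packed installer, a legitimate program whose layout (entry point in a writable, executable last section) resembles a modified binary, scores 7 and is flagged anyway: this is exactly the false-positive cost that pushed developers toward dynamic heuristics.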

Conclusion

This concludes the first article of our two-part series looking at on-access AV scanning. Now that we have explored some of the basic concepts behind this AV technique, the next article will look at some of the strategies that virus writers have adopted to circumvent them and the ways that anti-virus developers are reacting to those changes.

This article originally appeared on SecurityFocus.com -- reproduction in whole or in part is not allowed without expressed written consent.
