Anti-virus strategies

In fact there are many security solutions deployed to combat the risk of computer viruses.However, no solution is really a cure for panacea.The increased damage caused by viruses requires more effective solutions to protect computer systems, especially commercial and service computer systems.

Viruses, trojan horses and worms are the means of attack of hackers. Often the term 'virus' is used to refer to these types of destructive programs, but there are a few differences between them:

Attack scenario

The virus enters itself into the working computer system to carry out subsequent infections. However, the virus cannot run independently but requires another program to run at the working machine to activate it.

The worm is similar to a virus, except that it only spreads among different computer systems and usually only exists in memory. Depth is a program that can run independently, needing to use the resources of the working machine to execute.

Trojan horses (trojans) infiltrate computer systems by hiding under useful programs. However, to be activated, first trojan horses need to convince users to accept and run them.

Protection strategy

Let us imagine a scenario in which the virus tries to invade all of our computer systems. And we think of ways to fight them.

To be able to destroy a system, first the virus needs to invade that system, finding security holes or system weaknesses to deploy the attack. Obviously the virus attack scenario gives us two main strategies for prevention. It is to prevent viruses from infiltrating the system and minimizing system damage in case of compromise. In terms of access control, there are two strategies that control access from outside the system and control access within the system.

The two corresponding techniques for deploying strategies are in turn placing the blocking pins and the sandbox model. With the first strategy, we must place the interceptors at the entry points of the protected system. These barriers are essentially inspection and analysis programs to detect viruses. With the sandbox model, we focus on limiting the access of untrusted programs to system data and resources. Access to the operating system is strictly controlled according to the principle of least privilege (The Least Privilege). This means that the program is only granted minimal access to the job, thus minimizing the risk to the system when compromised.

Barricades

First of all, it is necessary to identify the paths (or entry points) from which the virus can enter the computer. At these points, we put the test program (Figure 1). For example, firewall programs are installed to control the flow of information into and out of a system. Code signing (code signing) or evidence-carrying code (proof-carrying code) is used to check the reliability and integrity of information, ensuring information from reliable sources and information itself. The news was not counterfeited during the transmission.

However, we need to note that combining the use of firewall and encryption techniques is not feasible because firewall techniques require browsing each packet and can add necessary modifications. While the signing technique does not allow information to be modified to ensure integrity.

Although new techniques are being deployed aggressively, anti-virus software plays an increasingly important role. Tens of thousands of viruses exist and new viruses appear every hour. Identifying these viruses to protect computers is extremely difficult without antivirus programs. In fact, most antivirus programs deploy heuristics to detect viruses. Experience search technology consists of two groups: static (dynamic) search and dynamic search (dynamic).

Static search browses the entire file, analyzes its structure and looks for typical patterns of the virus. Then use this information to decide whether the file is infected or not. dynamic search also establishes a virtual control environment in which files to be checked are opened (document files) or executed. The run-time behavior of the test process will be recorded and based on the established security rules, the system will make a decision.

The basic strategy for using experience search technology is to maintain a database containing virus information. However, if new virus information is not fully updated (or inadequate security rules in case of dynamic search) then anti-virus programs become useless.

Sandbox model

As mentioned, anti-virus programs cannot detect new viruses, thus failing to protect computers against these viruses. The algorithm for detecting all viruses is difficult and impossible. In this case, we only hope to minimize the damage by limiting the access of the virus to the data and resources of the system. The model that imposes these limits is known as the 'sandbox' (Figure 2). Foreign code types or untrusted programs will have to run under the control of this model.

Many people believe that a computer infected with a virus is caused by or connecting to the Internet. If you regularly browse the web you probably agree. But if we only browse the web, the possibility of a computer being infected is very low. Since most web browsers have implemented the sandbox model, the browser itself is the subject of this model's control.

The sandbox model for Java applet is probably the most famous. When a user browses a web page containing an applet, the browser automatically downloads and runs the applet under the strict control of the model.

However, the sanbox technique has limitations that require the support of the operating system to monitor and filter system calls.

Conclude

Never before has the world devoted much attention to security like this. The recent massive panic attacks in the user community. For users, viruses seem to be scary and exist anytime and anywhere. But the truth is not only the dark picture. Viruses can only infiltrate users' computers with certain routes and will be harmless if you control these roads.

Although anti-virus strategies provide certain containment results, they themselves are still limited. For example, the blocking strategy may not detect the virus, or the virus may falsify the evidence to bypass the testing program . With the sandbox model, the program access is limited so Features will be limited.

The convergence of strategies can lead to a more complete solution to the virus problem. That is also the current anti-virus trend. Indeed today we deploy many different techniques to protect computers at the same time.