Join Lisa Bock for an in-depth discussion in this video, Protecting systems with antivirus software, part of IT Security Foundations: Network Security.
- Antivirus is part of a layered security approach, as there are many avenues for viruses to attack your system, such as browsing the Internet, ActiveX, and even the operating system. Antivirus runs in the background and monitors your system as you download software, open documents, or extract files. Depending on your antivirus program, the process may be called background or real-time protection, or something similar.
Enabling an antivirus to run in the background is essential, as many viruses are written to hide in applications, or even a Word doc, which might contain malware. For example, a macro is a series of repetitive events that are recorded, such as inserting standard text at the beginning of every document, and then run when launched. A virus can be embedded in a macro and triggered to run if you type, say, a "Y," or even a semicolon. Antivirus checks and monitors while you are doing your work, and will check the file or executable before you open it and possibly damage your system.
Many users are unaware of this process until they get a notification that the file they downloaded was quarantined for being a known threat. Antivirus companies use a variety of tools to test viruses. They run them in sandboxes, and release updates to protect users from newly identified malware. Virus definitions contain signatures for viruses and other malware that have been defined. Updated definitions are downloaded daily, or more often.
Once identified, the file is quarantined, and you may be able to open the file and run it anyway if you're confident it's safe. However, some programs may even delete the file. Heuristics work by how something behaves, and can detect an unknown program, such as a new and possibly undetected virus. But let's take a look at: what is a signature? I'm at the Wireshark Wiki, where I can download slammer.pcap.
If you do a search on this page, you'll see slammer.pcap, and I'm going to open it in Wireshark, a free protocol analysis tool. I have opened slammer.pcap, and I'll point out just a couple of things. We're going to take a look at it, and as you see there is a single captured packet. But what is the signature for Slammer? I'm at sans.org, where there is a discussion on Slammer. I'll scroll down, because I've highlighted it right there, and there's your signature.
MS-SQL Slammer sends a 376-byte-long UDP packet to port 1434. So let's take a look, and there you see your signature. Destination Port: 1434. And there's your length, 376 bytes. Antivirus is actively protecting the system by background scanning. Once identified, the file is quarantined or deleted. Scanning occurs by always protecting the system.
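As an added example that is not part of the video, the Python below turns the signature just quoted (UDP to port 1434 with a 376-byte payload) into a check that walks a capture packet by packet, the same two fields Wireshark showed. The capture it reads is constructed inline (placeholder MAC/IP addresses, zero-filled payloads rather than any worm body) and the parser assumes classic libpcap format with Ethernet framing.

```python
import struct

# Signature quoted on the page: a 376-byte UDP payload sent to port 1434.
SLAMMER_SIG = {"dst_port": 1434, "payload_len": 376}

def build_udp_frame(dst_port, payload):
    """Construct an Ethernet/IPv4/UDP frame (placeholder MACs/IPs, no checksums)."""
    udp = struct.pack("!HHHH", 40000, dst_port, 8 + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return b"\x00" * 12 + b"\x08\x00" + ip + udp

def build_pcap(frames):
    """Wrap frames in a classic libpcap file (magic 0xa1b2c3d4, link type 1 = Ethernet)."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", i, 0, len(frame), len(frame)) + frame
    return out

def iter_udp(pcap):
    """Yield (dst_port, payload_len) for every IPv4/UDP frame in a pcap blob."""
    off = 24                                   # skip the 24-byte global header
    while off + 16 <= len(pcap):
        caplen = struct.unpack_from("<IIII", pcap, off)[2]
        frame = pcap[off + 16:off + 16 + caplen]
        off += 16 + caplen
        if frame[12:14] != b"\x08\x00":        # EtherType: not IPv4
            continue
        ihl = (frame[14] & 0x0F) * 4
        if frame[14 + 9] != 17:                # IP protocol: not UDP
            continue
        _, dst_port, udp_len = struct.unpack_from("!HHH", frame, 14 + ihl)
        # Wireshark's UDP "Length" field counts the 8-byte header; the 376 on
        # the page is the payload, so subtract the header before matching.
        yield dst_port, udp_len - 8

def match_slammer(pcap):
    """Return the (port, payload_len) pairs that match both parts of the signature."""
    return [(p, n) for p, n in iter_udp(pcap)
            if p == SLAMMER_SIG["dst_port"] and n == SLAMMER_SIG["payload_len"]]

def demo():
    """Constructed capture: a Slammer-shaped datagram, a DNS query, and a 100-byte query to 1434 (must not match)."""
    pcap = build_pcap([build_udp_frame(1434, bytes(376)),
                       build_udp_frame(53, bytes(30)),
                       build_udp_frame(1434, bytes(100))])
    return match_slammer(pcap)

if __name__ == "__main__":
    print(demo())  # [(1434, 376)]
```

Only the datagram that matches both the port and the payload length is flagged; ordinary traffic to 1434 with a different length passes, which is why a signature needs both fields to keep false positives down.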
Most antivirus programs set up full system scans, often once a week, to ensure that the latest virus definitions are used to check for dormant or hidden viruses. A manual scan is not usually necessary, as antivirus should pick up a virus signature if you download malware. However, a manual scan should be run after a new antivirus program is installed to ensure that there are no dormant viruses present.
False positives sometimes occur. A false positive flags a file as malware when it's really a safe file. Heuristics may increase the rate of false positives because the antivirus inappropriately felt the program was behaving like a virus. Despite this, false positives are fairly rare. So if your antivirus says that a file is malicious, you should generally believe it. If you're not sure, you can upload it to VirusTotal, and it will scan the file with a variety of different antivirus products and tell you what each says about it.
I'm at this website, where you see VirusTotal. So if you're not sure about a file, upload it to VirusTotal, which will scan the file with a variety of different antivirus products and tell you what each one has to say. Different antivirus programs have different detection rates; using both virus definitions and heuristics can result in more effective detection rates. These rates vary over time, and some organizations run tests and compare the detection rates of the different antivirus programs in real-world use.
I'm at this website, where we can see Independent Tests of Anti-Virus Software. I'm going to select MONTHLY RESULTS, and here you can see a fair comparison of different antivirus products and their protection rates. Best practices include using programs that automatically update and scan, and following safe computing practices.
Note: This training maps to a number of the exam topics on the Microsoft Technology Associate (MTA) Security Fundamentals exam (98-367). See https://www.microsoft.com/learning/en-us/exam-98-367.aspx for more information.