Misrak TVET College Training, Teaching and Learning Materials Development
MISRAK TVET COLLEGE under
Ethiopian TVET-System
INFORMATION TECHNOLOGY SUPPORT SERVICE Level I
LEARNING GUIDE # 11
Unit of Competence: Protect Software or System Application
Module Title: Protecting Software or System Application
LG Code: ICT ITS M04 L02
TTLM Code: ICT ITS TTLM04 05
LO 2: Detect and remove destructive software
Learning Guide First Edition
Date: 05-2014 Author: ICT, IT - Misrak TVET College
Page 1 of 28
INTRODUCTION
Learning Guide # 11
This learning guide is developed to provide you the necessary information regarding the following content coverage and topics:
• Computer Viruses
• Virus Origin, History and Evolution
• Virus Infection, Removal and Prevention
• Anti-virus Software
This guide will also assist you to attain the learning outcome stated in the cover page. Specifically, upon completion of this Learning Guide, you will be able to:
• Define and identify common types of destructive software
• Select and install virus protection compatible with the operating system in use
• Describe advanced systems of protection in order to understand further options
• Install software updates on a regular basis
• Configure software security settings to prevent destructive software from infecting the computer
• Run and/or schedule virus protection software on a regular basis
• Report detected destructive software to the appropriate person and remove the destructive software
Learning Activities
1. Read the specific objectives of this Learning Guide.
2. Read the information written in the “Information Sheets 1” in pages 3-4.
3. Accomplish the “Self-check” in page 5.
4. If you earned a satisfactory evaluation proceed to “Information Sheet 2”. However, if your rating is unsatisfactory, see your teacher for further instructions or go back to Learning Act. #1.
5. Read the information written in the “Information Sheets 2” in pages 6-9.
6. Accomplish the “Self-check” in page 10.
7. If you earned a satisfactory evaluation proceed to “Information Sheet 3”. However, if your rating is unsatisfactory, see your teacher for further instructions or go back to Learning Act. #2.
8. Read the information written in the “Information Sheets 3” in pages 11-12.
9. Accomplish the “Self-check” in page 13.
10. If you earned a satisfactory evaluation proceed to “Information Sheet 4”. However, if your rating is unsatisfactory, see your teacher for further instructions or go back to Learning Act. #3.
11. Read the information written in the “Information Sheet 4” in pages 14-24.
12. Accomplish the “Self-check” in page 25.
13. If you earned a satisfactory evaluation proceed to “Operation Sheet” on pages 26-27. However, if your rating is unsatisfactory, see your teacher for further instructions or go back to Learning Activity # 4.
14. If you earned a satisfactory evaluation proceed to “Lap Test” on page 28. However, if your rating is unsatisfactory, see your teacher for further instructions or go back to Learning Activity Operation Sheet.
15. Do the “LAP test” (if you are ready) and show your output to your teacher. Your teacher will evaluate your output either satisfactory or unsatisfactory. If unsatisfactory, your teacher shall advise you on additional work. But if satisfactory you can proceed to Learning Guide 12.
• Your teacher will evaluate your output either satisfactory or unsatisfactory. If unsatisfactory, your teacher shall advise you on additional work. But if satisfactory you can proceed to the next topic.
Information Sheet 1
Computer Viruses
What is a Virus?
Definition
A computer virus is a small software program that is specifically designed to spread between computers and hinder basic computer functions. Viruses are commonly spread through email attachments or instant messages, so it's never a good idea to open an attachment from a sender that you are not familiar with. They can also be inadvertently downloaded through the Internet, as part of a file or program that might have come from a questionable website.
Computer viruses can cause serious damage to a computer system. They can slow down the computer's overall performance and lead to a loss of data that could range from one single file to your entire hard drive. These viruses have kept pace with new computer technology, evolving rapidly and increasing in complexity; however, there are still many easy and often free ways to eliminate these destructive programs, while keeping new ones from invading.
Here are the different kinds of viruses:
• Virus - Can replicate and spread to other computers. Also attacks other programs.
• Worm - A special type of virus that can replicate and spread, but generally doesn't attack other programs.
• Trojan - Doesn't replicate, but can spread. Doesn't attack other programs. Usually just a way of recording and reporting what you do on your PC.
Viruses are split into different categories, depending on what they do. Here are a few categories of viruses:
• Boot Sector Virus: The Boot Sector of a PC is a part of your computer that gets accessed first when you turn it on. It tells Windows what to do and what to load. It's like a "Things To Do" list. The Boot Sector is also known as the Master Boot Record. A boot sector virus is designed to attack this, causing your PC to refuse to start at all!
• File Virus: A file virus, as its name suggests, attacks files on your computer. Also attacks entire programs, though.
• Macro Virus: These types of virus are written specifically to infect Microsoft Office documents (Word, Excel, PowerPoint, etc.) A Word document can contain a Macro Virus. You usually need to open a document in a Microsoft Office application before the virus can do any harm.
• Multipartite Virus: A multipartite virus is designed to infect both the boot sector and files on your computer.
• Polymorphic Virus: This type of virus alters its own code when it infects another computer. They do this to try and avoid detection by anti-virus programs.
Self-Check 1
Written Test
Name:____________________
Date:_________________
Instruction: Answer all the questions listed below. If you have some difficulty doing this self-check, feel free to ask your teacher for clarification.
1. It is a small software program that is specifically designed to spread between computers and hinder basic computer functions.
2. What are three (3) different kinds of viruses?
3. This virus doesn't replicate, but can spread.
4. It can replicate and spread to other computers. Also attacks other programs.
5. A special type of virus that can replicate and spread, but generally doesn't attack other programs.
6. What are the five (5) categories of a virus?
7. This virus attacks files on your computer.
8. These viruses are written specifically to infect Microsoft Office documents (Word, Excel, PowerPoint, etc.)
9. This virus alters its own code when it infects another computer.
10. This is designed to infect both the boot sector and files on your computer.
11. It is designed to attack the boot sector, causing your PC to refuse to start at all.
You must be able to get 4 points to be competent; otherwise you'll take another test.
Information Sheet 2
Virus Origin, History and Evolution
Virus Origins
Computer viruses are called viruses because they share some of the traits of biological viruses. A computer virus passes from computer to computer like a biological virus passes from person to person.
Unlike a cell, a virus has no way to reproduce by itself. Instead, a biological virus must inject its DNA into a cell. The viral DNA then uses the cell's existing machinery to reproduce itself. In some cases, the cell fills with new viral particles until it bursts, releasing the virus. In other cases, the new virus particles bud off the cell one at a time, and the cell remains alive.
A computer virus shares some of these traits. A computer virus must piggyback on top of some other program or document in order to launch. Once it is running, it can infect other programs or documents. Obviously, the analogy between computer and biological viruses stretches things a bit, but there are enough similarities that the name sticks.
People write computer viruses. A person has to write the code, test it to make sure it spreads properly and then release it. A person also designs the virus's attack phase, whether it's a silly message or the destruction of a hard disk.
Why do they do it? There are at least three reasons.
• The first is the same psychology that drives vandals and arsonists. Why would someone want to break a window on someone's car, paint signs on buildings or burn down a beautiful forest? For some people, that seems to be a thrill. If that sort of person knows computer programming, then he or she may funnel energy into the creation of destructive viruses.
• The second reason has to do with the thrill of watching things blow up. Some people have a fascination with things like explosions and car wrecks. When you were growing up, there might have been a kid in your neighborhood who learned how to make gunpowder. And that kid probably built bigger and bigger bombs until he either got bored or did some serious damage to himself. Creating a virus is a little like that -- it creates a bomb inside a computer, and the more computers that get infected the more "fun" the explosion.
• The third reason involves bragging rights, or the thrill of doing it. Sort of like Mount Everest -- the mountain is there, so someone is compelled to climb it. If you are a certain type of programmer who sees a security hole that could be exploited, you might simply be compelled to exploit the hole yourself before someone else beats you to it.
Of course, most virus creators seem to miss the point that they cause real damage to real people with their creations. Destroying everything on a person's hard disk is real damage. Forcing a large company to waste thousands of hours cleaning up after a virus is real damage. Even a silly message is real damage because someone has to waste time getting rid of it. For this reason, the legal system is getting much harsher in punishing the people who create viruses.
Virus History
Traditional computer viruses were first widely seen in the late 1980s, and they came about because of several factors.
The first factor was the spread of personal computers (PCs). Prior to the 1980s, home computers were nearly non-existent or they were toys. Real computers were rare, and they were locked away for use by "experts." During the 1980s, real computers started to spread to businesses and homes because of the popularity of the IBM PC (released in 1982) and the Apple Macintosh (released in 1984). By the late 1980s, PCs were widespread in businesses, homes and college campuses.
The second factor was the use of computer bulletin boards. People could dial up a bulletin board with a modem and download programs of all types. Games were extremely popular, and so were simple word processors, spreadsheets and other productivity software. Bulletin boards led to the precursor of the virus known as the Trojan horse. A Trojan horse is a program with a cool-sounding name and description. So you download it. When you run the program, however, it does something uncool like erasing your disk. You think you are getting a neat game, but it wipes out your system. Trojan horses only hit a small number of people because they are quickly discovered, the infected programs are removed and word of the danger spreads among users.
Floppy disks were factors in the spread of computer viruses.
The third factor that led to the creation of viruses was the floppy disk. In the 1980s, programs were small, and you could fit the entire operating system, a few programs and some documents onto a floppy disk or two. Many computers did not have hard disks, so when you turned on your machine it would load the operating system and everything else from the floppy disk. Virus authors took advantage of this to create the first self-replicating programs.
Early viruses were pieces of code attached to a common program like a popular game or a popular word processor. A person might download an infected game from a bulletin board and run it. A virus like this is a small piece of code embedded in a larger, legitimate program. When the user runs the legitimate program, the virus loads itself into memory and looks around to see if it can find any other programs on the disk. If it can find one, it modifies the program to add the virus's code into the program. Then the virus launches the "real program." The user really has no way to know that the virus ever ran. Unfortunately, the virus has now reproduced itself, so two programs are infected. The next time the user launches either of those programs, they infect other programs, and the cycle continues.
If one of the infected programs is given to another person on a floppy disk, or if it is uploaded to a bulletin board, then other programs get infected. This is how the virus spreads.
The spreading part is the infection phase of the virus. Viruses wouldn't be so violently despised if all they did was replicate themselves. Most viruses also have a destructive attack phase where they do damage. Some sort of trigger will activate the attack phase, and the virus will then do something -- anything from printing a silly message on the screen to erasing all of your data. The trigger might be a specific date, the number of times the virus has been replicated or something similar.
Virus Evolution
Other Threats
Viruses and worms get a lot of publicity, but they aren't the only threats to your computer's health. Malware is just another name for software that has an evil intent. Here are some common types of malware and what they might do to your infected computer:
• Adware puts ads up on your screen.
• Spyware collects personal information about you, like your passwords or other information you type into your computer.
• Hijackers turn your machine into a zombie computer.
• Dialers force your computer to make phone calls. For example, one might call toll 900-numbers and run up your phone bill, while boosting revenue for the owners of the 900-numbers.
As virus creators became more sophisticated, they learned new tricks. One important trick was the ability to load viruses into memory so they could keep running in the background as long as the computer remained on. This gave viruses a much more effective way to replicate themselves. Another trick was the ability to infect the boot sector on floppy disks and hard disks. The boot sector is a small program that is the first part of the operating system that the computer loads. It contains a tiny program that tells the computer how to load the rest of the operating system. By putting its code in the boot sector, a virus can guarantee it is e
Self-Check 2
Written Test
Name:
Date:
Instruction: Answer all the questions listed below. If you have some difficulty doing this self-check, feel free to ask your teacher for clarification.
1. Computer viruses are called viruses because they share some of the traits of what?
2. A computer virus must ________ on top of some other program or document in order to launch.
3. Give the three (3) reasons why people create a virus.
4. What do most virus creators seem to miss when they create a virus?
5. Traditional computer viruses were first widely seen in the late ________.
6. The three (3) factors leading to the creation of computer viruses.
7. What do you call the spreading part of the virus?
8. What is the phase where the virus does damage to the computer?
9. What is another name for software that has an evil intent?
10. This malware turns your machine into a zombie computer.
11. This malware collects personal information about you, like your passwords or other information you type into your computer.
12. This malware puts ads up on your screen.
13. This malware forces your computer to make phone calls.
14. Melissa Virus is an example of what virus?
You must be able to get 4 points to be competent; otherwise you'll take another test.
Information Sheet 3
Virus Infection, Removal and Prevention
How do Viruses get on my computer?
The most common way that a virus gets on your computer is by an email attachment. If you open the attachment, and your anti-virus program doesn't detect it, then that is enough to infect your computer. Some people go so far as NOT opening attachments at all, but simply deleting the entire message as soon as it comes in. While this approach will greatly reduce your chances of becoming infected, it may offend those relatives of yours who have just sent you the latest pictures of little Johnny!
You can also get viruses by downloading programs from the internet. That great piece of freeware you spotted from an obscure site may not be so great after all. It could well be infecting your PC as the main program is installing.
If your PC is running any version of Windows, and it hasn't got all the latest patches and updates, then your computer will be attacked a few minutes after going on the internet! (Non Windows users can go into smug mode!)
Nowadays, virus writers also use removable storage devices to spread viruses. The most common is the flash drive. Because removable media such as flash drives and CD/DVDs have the autorun functionality, a simple command that enables an executable file to run automatically, virus writers exploit and alter it so that the virus (normally in .exe, .bat or .vbs format) runs automatically when you insert the flash drive or CD/DVD.
Virus infected Symptoms
Common symptoms of a virus-infected computer include:
• unusually slow running speeds
• failure to respond to user input
• system crashes and constant system restarts that are triggered automatically
• Individual applications also might stop working correctly, disk drives might become inaccessible, unusual error messages may pop up on the screen, menus and dialog boxes can become distorted and peripherals like printers might stop responding.
• You can't access your disk drives
• Other symptoms to look out for are strange error messages, documents not printing correctly, and distorted menus and dialogue boxes.
Try not to panic if your computer is exhibiting one or two items on the list.
Keep in mind that these types of hardware and software problems are not always caused by viruses, but infection is certainly a strong possibility that is worth investigating.
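The autorun abuse described under "How do Viruses get on my computer?" can be checked for before a drive is trusted. The following is an added example, not part of the original learning guide: it reads a drive's autorun.inf and lists every program the file asks Windows to start, marking those with the .exe, .bat or .vbs extensions the guide names. The function names, the sample file and the choice of launch keys (open, shellexecute and shell\verb\command) are assumptions made for this illustration.

```python
import os

# Extensions the guide names as typical for autorun-launched viruses.
RISKY_EXTENSIONS = (".exe", ".bat", ".vbs")
# autorun.inf keys assumed here to start a program from the drive.
LAUNCH_KEYS = ("open", "shellexecute")

# Constructed sample, not taken from a real drive.
SAMPLE_AUTORUN = r"""[autorun]
; constructed sample for this example
open=setup.exe /quiet
icon=drive.ico
shell\explore\command="tools\update helper.vbs"
label=PHOTOS
"""


def parse_autorun(text):
    """Return {key: value} for the [autorun] section, keys lower-cased."""
    entries, in_section = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue                      # blank line or comment
        if line.startswith("[") and line.endswith("]"):
            in_section = line[1:-1].strip().lower() == "autorun"
            continue
        if in_section and "=" in line:
            key, value = line.split("=", 1)
            entries[key.strip().lower()] = value.strip()
    return entries


def is_launch_key(key):
    """True for open=, shellexecute= and shell\\<verb>\\command= entries."""
    parts = key.split("\\")
    return key in LAUNCH_KEYS or (
        len(parts) == 3 and parts[0] == "shell" and parts[2] == "command")


def program_of(value):
    """Strip arguments: keep the quoted path, or the first word if unquoted."""
    value = value.strip()
    if value.startswith('"'):
        end = value.find('"', 1)
        return value[1:end] if end != -1 else value[1:]
    return value.split()[0] if value else ""


def assess(text):
    """List (key, program, risky) for every program the file would start."""
    findings = []
    for key, value in parse_autorun(text).items():
        if is_launch_key(key):
            program = program_of(value)
            risky = program.lower().endswith(RISKY_EXTENSIONS)
            findings.append((key, program, risky))
    return findings


def check_drive(root):
    """Assess autorun.inf (any letter case) in the root folder of a drive."""
    for name in os.listdir(root):
        if name.lower() == "autorun.inf":
            path = os.path.join(root, name)
            with open(path, "r", errors="replace") as handle:
                return assess(handle.read())
    return []


if __name__ == "__main__":
    for key, program, risky in assess(SAMPLE_AUTORUN):
        print("REVIEW" if risky else "info  ", key, "->", program)
```

A flagged entry is a reason to scan the named file with antivirus software before opening the drive, not proof of infection; legitimate installers also use autorun.inf.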
• Removal
The first step in removing computer viruses is installing any updates that are available for your operating system; modern operating systems will automatically look for updates if they are connected to the Internet. If you do not already have antivirus software on your computer, subscribe to a service and use the software to do a complete scan of your computer. Since new computer viruses are constantly being created, set your anti-virus program to automatically check for updates regularly.
• Prevention
In order to prevent future computer infections:
• use an Internet firewall,
• check for operating system and anti-virus program updates,
• scan your computer regularly and exercise caution when handling email and Internet files.
A firewall is a program or piece of hardware that helps screen out viruses, worms and hackers which are attempting to interact with your computer via the Internet. On modern computers, firewalls come pre-installed and are turned on by default, so you probably already have one running in the background. When opening email attachments, don't assume they are safe just because they come from a friend or reliable source; the sender may have unknowingly forwarded an attachment that contains a virus.
Self-Check 3
Written Test
Name:
Date:
Instruction: Answer all the questions listed below. If you have some difficulty doing this self-check, feel free to ask your teacher for clarification.
1. What is the most common way that a virus can get to your computer?
2. You can also get a virus by what?
3. Nowadays, what do viruses utilize to spread?
4. What is a simple command that enables the executable file to run automatically?
5. Give at least five (5) common symptoms of a virus-infected computer.
6. What is the first step in removing a virus from your computer?
7. What is another step you must take in removing a virus from your computer?
8. It is a program or piece of hardware that helps screen out viruses, worms and hackers which are attempting to interact with your computer via the Internet.
9. What are the 3 ways to prevent your computer from getting infected with a virus?
You must be able to get 2 points to be competent; otherwise you'll take another test.
Information Sheet 4
Anti-virus Software
Antivirus software
Antivirus or anti-virus software is used to prevent, detect, and remove malware, including but not limited to computer viruses, computer worms, trojan horses, spyware and adware. This page talks about the software used for the prevention and removal of such threats, rather than computer security implemented by software methods.
A variety of strategies are typically employed. Signature-based detection involves searching for known patterns of data within executable code. However, it is possible for a computer to be infected with new malware for which no signature is yet known. To counter such so-called zero-day threats, heuristics can be used. One type of heuristic approach, generic signatures, can identify new viruses or variants of existing viruses by looking for known malicious code, or slight variations of such code, in files. Some antivirus software can also predict what a file will do by running it in a sandbox and analyzing what it does to see if it performs any malicious actions.
No matter how useful antivirus software can be, it can sometimes have drawbacks. Antivirus software can impair a computer's performance. Inexperienced users may also have trouble understanding the prompts and decisions that antivirus software presents them with. An incorrect decision may lead to a security breach. If the antivirus software employs heuristic detection, success depends on achieving the right balance between false positives and false negatives. False positives can be as destructive as false negatives. False positives are wrong detections where legitimate files are mistakenly identified as viruses, while false negatives are wrong detections where actual viruses are not detected as viruses. Finally, antivirus software generally runs at the highly trusted kernel level of the operating system, creating a potential avenue of attack.
An example of free antivirus software: ClamTk 3.08.
Most of the computer viruses written in the early and mid 1980s were limited to self-reproduction and had no specific damage routine built into the code. That changed when more and more programmers became acquainted with virus programming and created viruses that manipulated or even destroyed data on infected computers.
There are competing claims for the innovator of the first antivirus product. Possibly the first publicly documented removal of a computer virus in the wild was performed by Bernd Fix in 1987. Fred Cohen, who published one of the first academic papers on computer viruses in 1984, began to develop strategies for antivirus software in 1988 that were picked up and continued by later antivirus software developers.
Also in 1988 a mailing list named VIRUS-L was started on the BITNET/EARN network where new viruses and the possibilities of detecting and eliminating viruses were discussed. Some members of this mailing list like John McAfee or Eugene Kaspersky later founded software companies that developed and sold commercial antivirus software.
Before internet connectivity was widespread, viruses were typically spread by infected floppy disks. Antivirus software came into use, but was updated relatively infrequently. During this time, virus checkers essentially had to check executable files and the boot sectors of floppy disks and hard disks. However, as internet usage became common, viruses began to spread online.
Over the years it has become necessary for antivirus software to check an increasing variety of files, rather than just executables, for several reasons:
• Powerful macros used in word processor applications, such as Microsoft Word, presented a risk. Virus writers could use the macros to write viruses embedded within documents. This meant that computers could now also be at risk from infection by opening documents with hidden attached macros.
• Later email programs, in particular Microsoft's Outlook Express and Outlook, were vulnerable to viruses embedded in the email body itself. A user's computer could be infected by just opening or previewing a message.
As always-on broadband connections became the norm, and more and more viruses were released, it became essential to update virus checkers more and more frequently. Even then, a new zero-day virus could become widespread before antivirus companies released an update to protect against it.
Malwarebytes' Anti-Malware version 1.46 - a proprietary freeware antimalware product
There are several methods which antivirus software can use to identify malware.
• Signature based detection is the most common method. To identify viruses and other malware, antivirus software compares the contents of a file to a dictionary of virus signatures. Because viruses can embed themselves in existing files, the entire file is searched, not just as a whole, but also in pieces.
Misrak TVET College Training, Teaching and Learning Materials Development •
8euristic5ased 8euristic5ased detecti!n detecti!n,, like like malic malicio ious us acti activit vit+ + detec detecti tion, on, can can 5e used used to identi(+ unkno*n viruses4
•
,i-e e&u-ati!n is e&u-ati!n is another heuristic approach4 File emulation involves eBecuting a program in a virtual environment and environment and logging *hat actions actions the program per(orms4 per(orms4 Depend Depending ing on the action actions s logged logged,, the antivi antivirus rus so( so(t*a t*are re can determ determine ine i( the program is malicious or not and then carr+ out the appropriate disin(ection actions4
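Signature matching as the list above describes it, written as an added Python example (not taken from this learning guide or from any antivirus product): a file is checked as a whole against a hash dictionary and in pieces against byte patterns and, going one step beyond the list, against a pattern with wildcards that tolerates inserted padding. The signature names, the pattern syntax (?? and {lo-hi}) and all sample bytes are constructed for this illustration.

```python
import hashlib
import re


def compile_signature(sig):
    """Compile a hex signature such as 'DE AD ?? {0-16} BE' into a bytes regex."""
    parts = []
    for tok in sig.split():
        if tok == "??":                          # wildcard: exactly one arbitrary byte
            parts.append(b".")
        elif tok.startswith("{"):                # bounded gap: lo..hi arbitrary bytes
            lo, hi = tok.strip("{}").split("-")
            parts.append(b".{%d,%d}" % (int(lo), int(hi)))
        else:                                    # literal byte written as two hex digits
            parts.append(re.escape(bytes([int(tok, 16)])))
    return re.compile(b"".join(parts), re.DOTALL)


# --- Constructed sample files (invented bytes, not real malware) ---
KNOWN_DROPPER = b"constructed sample 1: the whole file is known bad"
HOST_PREFIX = b"benign host program header ....."
INFECTED_HOST = HOST_PREFIX + bytes.fromhex("DEADBEEF1337C0DE") + b" rest of host"
VARIANT_A = b"..MAL1CODE" + b"PAYL.."                  # family member, no padding
VARIANT_B = b"MAL2CODE" + b"\x90" * 10 + b"PAYL"       # same family, 10 junk bytes
VARIANT_C = b"MAL3CODE" + b"\x90" * 40 + b"PAYL"       # padding exceeds the gap
CLEAN = b"an ordinary document with nothing of interest"

# --- Constructed signature dictionary ---
HASH_SIGNATURES = {hashlib.sha256(KNOWN_DROPPER).hexdigest(): "Demo.Dropper"}
PATTERN_SIGNATURES = {
    name: compile_signature(sig)
    for name, sig in {
        # exact byte run that may sit anywhere inside an infected host file
        "Demo.Exact": "DE AD BE EF 13 37 C0 DE",
        # generic family signature: one wildcard byte, up to 16 bytes of padding
        "Demo.Family.gen": "4D 41 4C ?? 43 4F 44 45 {0-16} 50 41 59 4C",
    }.items()
}


def scan(data):
    """Return a list of (signature name, match kind, offset) for one file's bytes."""
    findings = []
    digest = hashlib.sha256(data).hexdigest()
    if digest in HASH_SIGNATURES:                      # the file "as a whole"
        findings.append((HASH_SIGNATURES[digest], "whole-file hash", 0))
    for name, pattern in PATTERN_SIGNATURES.items():   # the file "in pieces"
        match = pattern.search(data)
        if match:
            findings.append((name, "byte pattern", match.start()))
    return findings


if __name__ == "__main__":
    samples = {
        "known dropper": KNOWN_DROPPER,
        "dropper + 1 byte": KNOWN_DROPPER + b"\x00",
        "infected host": INFECTED_HOST,
        "variant A": VARIANT_A,
        "variant B": VARIANT_B,
        "variant C": VARIANT_C,
        "clean": CLEAN,
    }
    for label, data in samples.items():
        print(f"{label:18} {scan(data)}")
```

Appending a single byte defeats the whole-file hash, and 40 bytes of padding exceed the 16-byte gap in the generic pattern, which is why signature dictionaries need frequent updates.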
Signature-based detection
Traditionally, antivirus software heavily relied upon signatures to identify malware. This can be very effective, but cannot defend against malware unless samples have already been obtained and signatures created. Because of this, signature-based approaches are not effective against new, unknown viruses. As new viruses are being created each day, the signature-based detection approach requires frequent updates of the virus signature dictionary. To assist the antivirus software companies, the software may allow the user to upload new viruses or variants to the company, allowing the virus to be analyzed and the signature added to the dictionary. Although the signature-based approach can effectively contain virus outbreaks, virus authors have tried to stay a step ahead of such software by writing oligomorphic, polymorphic and, more recently, metamorphic viruses, which encrypt parts of themselves or otherwise modify themselves as a method of disguise, so as to not match virus signatures in the dictionary.
Heuristics
Some more sophisticated antivirus software uses heuristic analysis to identify new malware or variants of known malware. Many viruses start as a single infection and through either mutation or refinements by other attackers, can grow into dozens of slightly different strains, called variants. Generic detection refers to the detection and removal of multiple threats using a single virus definition. For example, the Vundo trojan has several family members, depending on the antivirus vendor's classification. Symantec classifies members of the Vundo family into two distinct categories, Trojan.Vundo and Trojan.Vundo.B. While it may be advantageous to identify a specific virus, it can be quicker to detect a virus family through a generic signature or through an inexact match to an existing signature. Virus researchers find common areas that all viruses in a family share uniquely and can thus create a single generic signature. These signatures often contain non-contiguous code, using wildcard characters where differences lie. These wildcards allow the scanner to detect viruses even if they are padded with extra, meaningless code. A detection that uses this method is said to be "heuristic detection."
Rootkit detection
Anti-virus software can also scan for rootkits; a rootkit virus is a type of malware that is designed to gain administrative-level control over a computer system without being detected. Rootkits can change how the operating system functions and in some cases can tamper with the anti-virus program and render it ineffective. Rootkits are also difficult to remove, in some cases requiring a complete re-installation of the operating system.
Unexpected renewal costs
Some commercial antivirus software end-user license agreements include a clause that the subscription will be automatically renewed, and the purchaser's credit card automatically billed, at the renewal time without explicit approval. For example, McAfee requires users to unsubscribe at least 60 days before the expiration of the present subscription while BitDefender sends notifications to unsubscribe 30 days before the renewal. Norton Antivirus also renews subscriptions automatically by default.
Rogue security applications
Some apparent antivirus programs are actually malware masquerading as legitimate software, such as WinFixer and MS Antivirus.
Problems caused by false positives
A "false positive" is when antivirus software identifies a non-malicious file as a virus. When this happens, it can cause serious problems. For example, if an antivirus program is configured to immediately delete or quarantine infected files, a false positive in an essential file can render the operating system or some applications unusable. In May 2007, a faulty virus signature issued by Symantec mistakenly removed essential operating system files, leaving thousands of PCs unable to boot. Also in May 2007, the executable file required by Pegasus Mail was falsely detected by Norton AntiVirus as being a Trojan and it was automatically removed, preventing Pegasus Mail from running. Norton anti-virus had falsely identified three releases of Pegasus Mail as malware, and would delete the Pegasus Mail installer file when that happened. In response to this Pegasus Mail stated:
“On the basis that Norton/Symantec has done this for every one of the last three releases of Pegasus Mail, we can only condemn this product as too flawed to use, and recommend in the strongest terms that our users cease using it in favor of alternative, less buggy anti-virus packages.”
In April 2010, McAfee VirusScan detected svchost.exe, rendering it unable to boot, due to an endless boot loop created. When Microsoft Windows becomes damaged by faulty anti-virus products, fixing the damage to Microsoft Windows incurs technical support costs and businesses can be forced to close whilst remedial action is undertaken.
System and interoperability related issues
Running multiple antivirus programs concurrently can degrade performance and create conflicts. However, using a concept called multi-scanning, several companies (including G Data and Microsoft) have created applications which can run multiple engines concurrently. It is sometimes necessary to temporarily disable virus protection when installing major updates such as Windows Service Packs or updating graphics card drivers. Active antivirus protection may partially or completely prevent the installation of a major update. A minority of software programs are not compatible with anti-virus software. For example, the TrueCrypt troubleshooting page reports that anti-virus programs can conflict with TrueCrypt and cause it to malfunction.
Effectiveness
Studies in December 2007 showed that the effectiveness of antivirus software had decreased in the previous year, particularly against unknown or zero day attacks. The computer magazine c't found that detection rates for these threats had dropped from 40-50% in 2006 to 20-30% in 2007. At that time, the only exception was the NOD32 antivirus, which managed a detection rate of 68 percent.
The problem is magnified by the changing intent of virus authors. Some years ago it was obvious when a virus infection was present. The viruses of the day, written by amateurs, exhibited destructive behavior or pop-ups. Modern viruses are often written by professionals, financed by criminal organizations. Independent testing on all the major virus scanners consistently shows that none provide 100% virus detection. The best ones provided as high as 99.
include AV-Comparatives, ICSA Labs, West Coast Labs, VB100 and other members of the Anti-Malware Testing Standards Organization.
New viruses
Anti-virus programs are not always effective against new viruses, even those that use non-signature-based methods that should detect new viruses. The reason for this is that the virus designers test their new viruses on the major anti-virus applications to make sure that they are not detected before releasing them into the wild. Some new viruses, particularly ransomware, use polymorphic code to avoid detection by virus scanners. Jerome Segura, a security analyst with ParetoLogic, explained: “It's something that they miss a lot of the time because this type of [ransomware virus] comes from sites that use a polymorphism, which means they basically randomize the file they send you and it gets by well-known antivirus products very easily. I've seen people firsthand getting infected, having all the pop-ups and yet they have antivirus software running and it's not detecting anything. It actually can be pretty hard to get rid of, as well, and you're never really sure if it's really gone. When we see something like that usually we advise to reinstall the operating system or reinstall backups.”
A proof of concept virus has used the Graphics Processing Unit (GPU) to avoid detection from anti-virus software. The potential success of this involves bypassing the CPU in order to make it much harder for security researchers to analyze the inner workings of such malware.
Rootkits
Detecting rootkits is a major challenge for anti-virus programs. Rootkits have full administrative access to the computer and are invisible to users and hidden from the list of running processes in the task manager. Rootkits can modify the inner workings of the operating system and tamper with antivirus programs.
Damaged files
Files which have been damaged by computer viruses are normally damaged beyond recovery. Anti-virus software removes the virus code from the file during disinfection, but this does not always restore the file to its undamaged state. In such circumstances, damaged files can only be restored from existing backups; installed software that is damaged requires re-installation.
Firmware issues
Active anti-virus software can interfere with a firmware update process. Any writeable firmware in the computer can be infected by malicious code. This is a major concern, as an infected BIOS could require the actual BIOS chip to be replaced to ensure the malicious code is completely removed. Anti-virus software is not effective at protecting firmware and the motherboard BIOS from infection.
[Figure: A command-line virus scanner, ClamAV 0.95.2, running a virus signature definition update, scanning a file and identifying a Trojan]
Installed antivirus software running on an individual computer is only one method of guarding against viruses. Other methods are also used, including cloud-based antivirus, firewalls and on-line scanners.
Cloud antivirus
Cloud antivirus is a technology that uses lightweight agent software on the protected computer, while offloading the majority of data analysis to the provider's infrastructure. One approach to implementing cloud antivirus involves scanning suspicious files using multiple antivirus engines. This approach was proposed by an early implementation of the cloud antivirus concept called CloudAV. CloudAV was designed to send programs or documents to a network cloud where multiple antivirus and behavioral detection programs are used simultaneously in order to improve detection rates. Parallel scanning of files using potentially incompatible antivirus scanners is achieved by spawning a virtual machine per detection engine and therefore eliminating any possible issues. CloudAV can also perform "retrospective detection," whereby the cloud detection engine rescans all files in its file access history when a new threat is identified thus improving new threat detection speed. Finally, CloudAV is a solution for effective virus scanning on devices that lack the computing power to perform the scans themselves.
Network firewall
Network firewalls prevent unknown programs and processes from accessing the system. However, they are not antivirus systems and make no attempt to identify or remove anything. They may protect against infection from outside the protected computer or network, and limit the activity of any malicious software which is present by blocking incoming or outgoing requests on certain TCP/IP ports. A firewall is designed to deal with broader system threats that come from network connections into the system and is not an alternative to a virus protection system.
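The multi-engine scanning and retrospective detection described for CloudAV above, as an added Python example that is not CloudAV's code: a service records every file access, and when one engine learns a new signature it rescans its history and reports the hosts that earlier received a clean verdict. The engine names, byte markers, hosts and paths are constructed; the engines are stand-ins that match markers in-process rather than real scanners in separate virtual machines, and keeping one copy of each unique file is an assumption of the example.

```python
import hashlib
from dataclasses import dataclass, field


@dataclass
class CloudScanner:
    """Toy analysis service: several engines, a content store and an access history."""
    engines: dict                                   # engine name -> set of byte markers
    store: dict = field(default_factory=dict)       # sha256 -> file content (one copy)
    history: list = field(default_factory=list)     # (host, path, sha256) per access
    flagged: set = field(default_factory=set)       # sha256 values already reported

    def _hits(self, data):
        """Run every engine on the same bytes; return the names that flag it."""
        return sorted(name for name, markers in self.engines.items()
                      if any(marker in data for marker in markers))

    def submit(self, host, path, data):
        """Called by the lightweight agent when a host accesses a file."""
        digest = hashlib.sha256(data).hexdigest()
        self.store.setdefault(digest, data)
        self.history.append((host, path, digest))
        hits = self._hits(data)
        if hits:
            self.flagged.add(digest)
        return {"sha256": digest, "malicious": bool(hits), "engines": hits}

    def add_signature(self, engine, marker):
        """A new threat was identified: update one engine, then rescan the history."""
        self.engines[engine].add(marker)
        alerts = set()
        for digest, data in self.store.items():     # each unique file is rescanned once
            if digest in self.flagged or not self._hits(data):
                continue
            self.flagged.add(digest)
            # every host that accessed this content gets a retrospective alert
            alerts.update((h, p) for h, p, d in self.history if d == digest)
        return sorted(alerts)


def demo():
    """Constructed scenario: a file judged clean on two hosts is later found malicious."""
    svc = CloudScanner({"engine_a": {b"EVIL-A"}, "engine_b": {b"EVIL-B"}})
    first = svc.submit("pc-01", "/tmp/tool.bin", b"header EVIL-B trailer")
    doc = b"quarterly report ... NEWTHREAT ... end"
    second = svc.submit("pc-01", "/home/u/report.doc", doc)
    svc.submit("pc-02", "/srv/share/report.doc", doc)
    svc.submit("pc-03", "/home/v/notes.txt", b"nothing to see")
    alerts = svc.add_signature("engine_a", b"NEWTHREAT")
    repeat = svc.add_signature("engine_b", b"NEWTHREAT")   # already reported, no new alert
    return first, second, alerts, repeat


if __name__ == "__main__":
    for item in demo():
        print(item)
```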
Online scanning
Some antivirus vendors maintain websites with free online scanning capability of the entire computer, critical areas only, local disks, folders or files. Periodic online scanning is a good idea for those that run antivirus applications on their computers because those applications are frequently slow to catch threats. One of the first things that malicious software does in an attack is disable any e
[Figure: Using rkhunter to scan for rootkits on an Ubuntu Linux computer.]
Virus removal tools are available to help remove stubborn infections or certain types of infection. Examples include Trend Micro's Rootkit Buster, and rkhunter for the detection of rootkits, Avira's AntiVir Removal Tool, PCTools Threat Removal Tool, and AVG's Anti-Virus Free 2011. A rescue disk that is bootable, such as a CD or USB storage device, can be used to run antivirus software outside of the installed operating system, in order to remove infections while they are dormant. A bootable antivirus disk can be useful when, for e
Self-Check 4    Written Test
Name:    Date:
Instruction: Answer all the questions listed below. If you have some difficulty doing this self-check, feel free to ask your teacher for clarifications.
1. It is used to prevent, detect, and remove malware, including but not limited to computer viruses, computer worm, trojan horses, spyware and adware.
2. This virus detection strategy compares the contents of a file to a dictionary of virus signatures.
3. This virus detection strategy can identify new viruses or variants of existing viruses by looking for known malicious code.
4. The drawback of antivirus software is that it can ______ a computer's performance.
5. Which is more destructive, False Negative or False Positive?
6. What do you call a wrong detection of a virus that has not been detected as a threat?
7. What do you call a wrong detection where a legitimate file was mistakenly detected as a virus?
8. Most viruses written in mid 1980s were limited to what?
9. The first publicly documented removal of a computer virus in the wild was performed by whom?
10. Before internet connectivity was widespread, viruses were typically spread by infected what?
11. Give at least two (2) reasons why it has become necessary for antivirus software to check an increasing variety of files, rather than just executables.
12. What is another heuristic virus detection approach?
13. Signature-based detection is not effective with what virus?
14. What are the 3 kinds of viruses which encrypt parts of themselves or otherwise modify themselves as a method of disguise?
15. It is a type of malware that is designed to gain administrative-level control over a computer system without being detected.
16. Normally, modern viruses were created by whom?
17. It is a technology that uses lightweight agent software on the protected computer.
18. CloudAV performed this whereby the cloud detection engine rescans all files in its file access history when a new threat is identified thus improving new threat detection speed.
19. It prevents unknown programs and processes from accessing the system.
20. Give three (3) examples of bootable disks.
You must be able to get 20 points to be competent; otherwise you'll take another test.
Operation Sheet 1
Protecting your computer from Viruses
You can protect yourself against viruses with a few simple steps:
• If you are truly worried about traditional (as opposed to e-mail) viruses, you should be running a more secure operating system like UNIX. You never hear about viruses on these operating systems because the security features keep viruses (and unwanted human visitors) away from your hard disk.
• If you are using an unsecured operating system, then buying virus protection software is a nice safeguard.
• If you simply avoid programs from unknown sources (like the Internet), and instead stick with commercial software purchased on CDs, you eliminate almost all of the risk from traditional viruses.
• You should make sure that Macro Virus Protection is enabled in all Microsoft applications, and you should NEVER run macros in a document unless you know what they do. There is seldom a good reason to add macros to a document, so avoiding all macros is a great policy.
• You should never double-click on an e-mail attachment that contains an executable. Attachments that come in as Word files (.DOC), spreadsheets (.XLS), images (.GIF), etc., are data files and they can do no damage (noting the macro virus problem in Word and Excel documents mentioned above). However, some viruses can now come in through .JPG graphic file attachments. A file with an extension like EXE, COM or VBS is an executable, and an executable can do any sort of damage it wants. Once you run it, you have given it permission to do anything on your machine. The only defense is never to run executables that arrive via e-mail.
Open the Options dialog from the Tools menu in Microsoft Word and make sure that Macro Virus Protection is enabled. Newer versions of Word allow you to customize the level of macro protection you use.
• Setting Automatic Updates in your computer
Ask the trainer for the copy of the video on how to set Automatic Updates.
• Turn the firewall on
Ask the trainer for the copy of the video on how to turn on the firewall.
• Setting Internet Level of Security
Ask the trainer for the copy of the video on how to set Internet Level Security.
• Setting Macro Level of Security
Ask the trainer for the copy of the video on how to set Macro Level Security.
Lap Test
Practical Demonstration
Name:    Time started:
Date:    Time finished:
Instructions: You are required to perform the following individually with the presence of your teacher.
1. Set the internet firewall on
2. Set the automatic updates on
3. Enable Macro Virus Protection on MS Word, MS Excel and MS Access
4. Install any Software Antivirus
5. Install Deepfreeze (optional)
Your teacher will evaluate your output as either satisfactory or unsatisfactory. If unsatisfactory, your teacher shall advise you on additional work. But if satisfactory, you can proceed to the next topic.