The concept of an antivirus program, classification of antivirus programs. Antivirus programs. Classification of viruses. Signs of viruses


The most popular and effective antivirus programs are antivirus scanners (detector programs) and CRC scanners (auditors). There are also antivirus blockers and immunizers.

Scanners. The operating principle of anti-virus scanners is based on checking files, sectors and system memory and searching them for known and new (unknown to the scanner) viruses. To search for known viruses, so-called “masks” are used. The mask of a virus is some constant sequence of code specific to this particular virus. If the virus does not contain a constant mask, or the mask is not long enough, then other methods are used. An example of such a method is an algorithmic language that describes all possible code variants that may occur when infected with a virus of this type. This approach is used by some antiviruses to detect polymorphic viruses.

Many scanners also use “heuristic scanning” algorithms, i.e. analyzing the sequence of commands in the object being scanned, collecting some statistics and making a decision for each scanned object. Since heuristic scanning is a largely probabilistic method of searching for viruses, many laws of probability theory apply to it. For example, the higher the percentage of detected viruses, the higher the number of false positives.

Scanners can also be divided into two categories – “universal” and “specialized”. Universal scanners are designed to search for and neutralize all types of viruses, regardless of the operating system in which the scanner is designed to work. Specialized scanners are designed to neutralize a limited number of viruses or only one class of viruses, for example macro viruses.

Scanners are also divided into “resident” (monitors), which scan on the fly, and “non-resident”, which scan the system only upon request. As a rule, “resident” scanners provide more reliable system protection, since they immediately respond to the appearance of a virus, while a “non-resident” scanner is able to identify the virus only during its next launch.

The advantages of scanners of all types include their versatility; the disadvantages are the size of the antivirus databases that scanners have to store and update, and the relatively low speed of searching for viruses.
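The mask search described above, as an added example (not code from any antivirus named on this page): a small signature database, a one-byte wildcard for masks that are not entirely constant, and chunked reading that still catches a mask straddling a chunk boundary. The masks and the `SAMPLE_DB` names are constructed for the demo and match no real virus.

```python
"""Mask (signature) scanner in the style described above.
Added example, not code from any antivirus product; the masks below are
constructed for the demo and do not correspond to any real virus."""
import io
from typing import BinaryIO, Dict, List, Optional, Tuple

# A mask is the constant byte sequence specific to one virus. A position
# holding None is a one-byte wildcard, a small concession for viruses whose
# mask is not entirely constant (real polymorphism needs other methods).
Mask = Tuple[Optional[int], ...]


def parse_mask(text: str) -> Mask:
    """Parse 'E8 ?? ?? 5D' style text: hex bytes, '??' = one-byte wildcard."""
    mask = tuple(None if tok == "??" else int(tok, 16) for tok in text.split())
    if not mask or mask[0] is None:
        raise ValueError("a mask must start with a fixed byte")
    return mask


def _match_at(buf: bytes, pos: int, mask: Mask) -> bool:
    """True if mask matches buf at offset pos (wildcards match any byte)."""
    if pos + len(mask) > len(buf):
        return False
    return all(m is None or buf[pos + i] == m for i, m in enumerate(mask))


def scan_stream(stream: BinaryIO, db: Dict[str, Mask], chunk: int = 4096) -> List[str]:
    """Return the sorted names of every mask found in the stream.

    The stream is read in chunks. The last (longest mask - 1) bytes of each
    chunk are carried over as overlap, so a mask that straddles a chunk
    boundary is still found. Names are reported once, so the overlap cannot
    produce a duplicate hit."""
    if not db:
        return []
    overlap = max(len(m) for m in db.values()) - 1
    hits = set()
    tail = b""
    while True:
        data = stream.read(chunk)
        if not data:
            break
        buf = tail + data
        for name, mask in db.items():
            if name in hits:
                continue
            first = bytes([mask[0]])      # fixed first byte narrows the search
            start = 0
            while True:
                pos = buf.find(first, start)
                if pos < 0:
                    break
                if _match_at(buf, pos, mask):
                    hits.add(name)
                    break
                start = pos + 1
        tail = buf[-overlap:] if overlap > 0 else b""
    return sorted(hits)


def scan_bytes(data: bytes, db: Dict[str, Mask], chunk: int = 4096) -> List[str]:
    return scan_stream(io.BytesIO(data), db, chunk)


def scan_file(path: str, db: Dict[str, Mask]) -> List[str]:
    with open(path, "rb") as f:
        return scan_stream(f, db)


# Constructed sample database (hypothetical names, made-up byte sequences).
SAMPLE_DB: Dict[str, Mask] = {
    "Demo.Fixed": parse_mask("44 45 4D 4F 2D 46 49 58 45 44"),   # b"DEMO-FIXED"
    "Demo.Variable": parse_mask("44 45 4D 4F ?? ?? 56 41 52"),   # b"DEMO??VAR"
}

if __name__ == "__main__":
    sample = b"A" * 4090 + b"DEMO-FIXED" + b"B" * 100   # mask crosses 4096-byte boundary
    print(scan_bytes(sample, SAMPLE_DB))
```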

CRC scanners. The operating principle of CRC scanners is based on calculating CRC sums (checksums) for the files and system sectors present on the disk. These CRC sums are then stored in the antivirus database, together with some other information: file lengths, dates of last modification, etc. When subsequently launched, CRC scanners compare the data contained in the database with the actually calculated values. If the file information recorded in the database does not match the real values, the CRC scanner signals that the file has been modified or infected with a virus.

CRC scanners that use anti-stealth algorithms respond to almost 100% of viruses immediately after changes appear on the computer. A characteristic drawback of these antiviruses is the inability to detect a virus from the moment it appears until changes are made to the computer. CRC scanners cannot detect a virus in new files (in e-mail, on floppy disks, in recoverable files, or when unpacking files from an archive), since their databases do not contain information about these files.
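The CRC scanner (auditor) described above, as an added example that is not code from Adinf or any other product named on this page: it records length, modification time and CRC32 for every file under a directory (plus SHA-256, an addition of mine, since CRC32 is not collision resistant), stores the baseline, and on the next run reports modified, new and missing files. The `demo()` scenario and its file names are constructed for the illustration.

```python
"""File auditor (CRC scanner) following the description above.
Added example, not code from Adinf or any other product named on this page."""
import hashlib
import json
import os
import tempfile
import zlib
from typing import Dict, List, Tuple

FIELDS = ("length", "mtime_ns", "crc32", "sha256")
Record = Tuple[int, int, int, str]


def fingerprint(path: str) -> Record:
    """Length, modification time, CRC32 (as on the page) and SHA-256 of a file.
    SHA-256 is added because a file can be altered so that its CRC32 is
    unchanged; a cryptographic digest closes that gap."""
    st = os.stat(path)
    crc = 0
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(65536), b""):
            crc = zlib.crc32(block, crc)
            digest.update(block)
    return (st.st_size, st.st_mtime_ns, crc & 0xFFFFFFFF, digest.hexdigest())


def take_snapshot(root: str) -> Dict[str, Record]:
    """Fingerprint every regular file under root, keyed by relative path."""
    snap: Dict[str, Record] = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            if os.path.isfile(full):
                snap[os.path.relpath(full, root)] = fingerprint(full)
    return snap


def save_baseline(snap: Dict[str, Record], path: str) -> None:
    with open(path, "w") as f:
        json.dump(snap, f)


def load_baseline(path: str) -> Dict[str, Record]:
    with open(path) as f:
        return {rel: tuple(rec) for rel, rec in json.load(f).items()}


def changed_fields(old: Record, new: Record) -> List[str]:
    """Names of the recorded parameters that differ between two records."""
    return [f for f, o, n in zip(FIELDS, old, new) if o != n]


def compare(baseline: Dict[str, Record], current: Dict[str, Record]) -> Dict[str, object]:
    """Classify files as modified (with the differing fields), new or missing.
    Like the auditors on this page, this reports change, not infection, and it
    can say nothing about a new file because it has no baseline for it."""
    modified: Dict[str, List[str]] = {}
    new: List[str] = []
    for rel, rec in sorted(current.items()):
        old = baseline.get(rel)
        if old is None:
            new.append(rel)
        else:
            diff = changed_fields(old, rec)
            if diff:
                modified[rel] = diff
    missing = sorted(rel for rel in baseline if rel not in current)
    return {"modified": modified, "new": new, "missing": missing}


def demo() -> Dict[str, object]:
    """Constructed scenario: baseline two files, then alter one while putting
    its timestamp back (as malware hiding its tracks might), delete one, add one."""
    root = tempfile.mkdtemp()
    a, b = os.path.join(root, "a.com"), os.path.join(root, "b.exe")
    for p in (a, b):
        with open(p, "wb") as f:
            f.write(b"original program body")
    db = os.path.join(tempfile.mkdtemp(), "baseline.json")   # kept outside root
    save_baseline(take_snapshot(root), db)
    baseline = load_baseline(db)

    st = os.stat(a)
    with open(a, "ab") as f:
        f.write(b"extra bytes")                                # length and checksums change...
    os.utime(a, ns=(st.st_atime_ns, st.st_mtime_ns))          # ...but mtime is put back
    os.remove(b)
    with open(os.path.join(root, "c.exe"), "wb") as f:
        f.write(b"file copied in after the baseline")
    return compare(baseline, take_snapshot(root))


if __name__ == "__main__":
    print(demo())
```

The restored timestamp in `demo()` does not help: length and both checksums still give the change away, which is why auditors check several parameters rather than the date alone.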

Detector programs search for a signature characteristic of a particular virus in RAM and in files and, if found, issue a corresponding message. The disadvantage of such antivirus programs is that they can only find viruses that are known to the developers of such programs.

Blockers. Anti-virus blockers are resident programs that intercept “virus-dangerous” situations and notify the user about it. “Virus-dangerous” ones include calls to open for writing to executable files, writing to the boot sector of the disk, etc., which are typical for viruses at the time of their reproduction.

The advantages of blockers include their ability to detect and block a virus at the earliest stage of its reproduction, which, by the way, can be very useful in cases where a long-known virus is constantly activated.

Immunizers. Immunizers are divided into two types: immunizers that report infection, and immunizers that block infection by any type of virus.

Doctor programs, or phages, and vaccine programs not only find files infected with viruses, but also “treat” them, i.e. remove the body of the virus program from the file, returning the file to its initial state. At the beginning of their work, phages search for viruses in RAM, destroying them, and only then proceed to “cleaning” files. Among the phages, polyphages are distinguished, i.e. doctor programs designed to search for and destroy a large number of viruses. The most famous of them: Aidstest, Scan, Norton AntiVirus, Doctor Web.

Considering that new viruses are constantly appearing, detector programs and doctor programs quickly become outdated, and regular version updates are required.

Auditor programs are among the most reliable means of protection against viruses. Auditors remember the initial state of programs, directories and system areas of the disk when the computer is not infected with a virus, and then periodically or at the user’s request compare the current state with the original one. Detected changes are displayed on the monitor screen. As a rule, comparison of states is carried out immediately after loading the operating system. When comparing, the file length, cyclic control code (file checksum), date and time of modification, and other parameters are checked. Auditor programs have fairly developed algorithms, detect stealth viruses and can even distinguish changes in the version of the program being checked from changes made by the virus. Among the auditor programs is the Adinf program, widely used in Russia.

Filter programs, or “watchmen”, are small resident programs designed to detect suspicious actions during computer operation that are characteristic of viruses. Such actions may be:

· attempts to modify files with COM or EXE extensions

· changing file attributes

· direct writing to disk at an absolute address

· writing to disk boot sectors

When any program tries to perform the specified actions, the “guard” sends a message to the user and offers to prohibit or allow the corresponding action. Filter programs are very useful because they are able to detect a virus at the earliest stage of its existence before replication. However, they do not “clean” files and disks. To destroy viruses, you need to use other programs, such as phages. The disadvantages of watchdog programs include their “intrusiveness” (for example, they constantly issue a warning about any attempt to copy an executable file), as well as possible conflicts with other software. An example of a filter program is the Vsafe program, which is part of the MS Windows utility package.

Vaccines, or immunizers, are resident programs that prevent file infection. Vaccines are used if there are no doctor programs that “treat” this virus. Vaccination is possible only against known viruses. The vaccine modifies the program or disk in such a way that it does not affect its operation, but the virus perceives it as already infected and therefore does not take root. Currently, vaccine programs have limited use.

Timely detection of virus-infected files and disks and complete destruction of detected viruses on each computer help avoid the spread of a virus epidemic to other computers.

Classification.

Antivirus products can be classified according to several criteria, such as: the antivirus protection technologies used, product functionality, and target platforms.

According to the anti-virus protection technologies used:

  • Classic antivirus products (products that use only the signature detection method)
  • Proactive antivirus protection products (products that use only proactive antivirus protection technologies);
  • Combined products (products using both classic, signature-based protection methods and proactive ones)

By product functionality:

  • Antivirus products (products that provide only antivirus protection)
  • Combination products (products that provide more than just protection against malware, but also spam filtering, encryption and data backup and other functions)

By target platform:

  • Antivirus products for Windows operating systems
  • Anti-virus products for *NIX operating systems (this family includes BSD, Linux, etc.)
  • Antivirus products for the MacOS family of operating systems
  • Antivirus products for mobile platforms (Windows Mobile, Symbian, iOS, BlackBerry, Android, Windows Phone 7, etc.)

Antivirus products for corporate users can also be classified by protection objects:

  • Antivirus products to protect workstations
  • Antivirus products to protect file and terminal servers
  • Antivirus products to protect email and Internet gateways
  • Antivirus products to protect virtualization servers
  • etc.

Characteristics of antivirus programs.

Anti-virus programs are divided into: detector programs, doctor programs, auditor programs, filter programs, vaccine programs.

Detector programs search for and detect viruses in RAM and external media, and when detected, issue a corresponding message. There are universal and specialized detectors.

Universal detectors check the immutability of files by computing a checksum and comparing it with a reference value. The disadvantage of universal detectors is their inability to determine the cause of file corruption.

Specialized detectors search for known viruses by their signature (a repeated section of code). The disadvantage of such detectors is that they are unable to detect all known viruses.

A detector that can detect multiple viruses is called a polydetector.

The disadvantage of such antivirus programs is that they can only find viruses that are known to the developers of such programs.

Doctor programs (phages) not only find files infected with viruses, but also “treat” them, i.e. remove the body of the virus program from the file, returning the files to their original state. At the beginning of their work, phages search for viruses in RAM, destroying them, and only then proceed to “cleaning” files. Among the phages, polyphages are distinguished, i.e. doctor programs designed to search for and destroy a large number of viruses.

Considering that new viruses are constantly appearing, detector programs and doctor programs quickly become outdated, and regular updates of their versions are required.

Audit programs are among the most reliable means of protection against viruses. Auditors remember the initial state of programs, directories and system areas of the disk when the computer is not infected with a virus, and then periodically or at the user’s request compare the current state with the original one. Detected changes are displayed on the video monitor screen. As a rule, comparison of states is carried out immediately after loading the operating system. When comparing, the file length, cyclic control code (file checksum), date and time of modification, and other parameters are checked.

Auditor programs have fairly developed algorithms, detect stealth viruses and can even distinguish changes in the version of the program being checked from changes made by the virus.

Filter programs (watchmen) are small resident programs designed to detect suspicious actions during computer operation that are characteristic of viruses. Such actions may be:

· attempts to modify files with COM and EXE extensions;

· changing file attributes;

· direct writing to disk at an absolute address.

When any program tries to perform the specified actions, the “watchman” sends a message to the user and offers to prohibit or allow the corresponding action. Filter programs are very useful because they are able to detect a virus at the earliest stage of its existence before replication. However, they do not “clean” files and disks. To destroy viruses, you need to use other programs, such as phages. The disadvantages of watchdog programs include their “intrusiveness” (for example, they constantly issue a warning about any attempt to copy an executable file), as well as possible conflicts with other software.

Vaccines (immunizers) are resident programs that prevent files from becoming infected. Vaccines are used if there are no doctor programs that “treat” this virus. Vaccination is possible only against known viruses. The vaccine modifies the program or disk in such a way that it does not affect its operation, and the virus will perceive it as infected and therefore will not take root. Currently, vaccine programs have limited use.

A significant disadvantage of such programs is their limited ability to prevent infection from a large number of different viruses.

Examples of antivirus programs

When choosing an antivirus program, it is necessary to take into account not only the percentage of virus detection, but also the ability to detect new viruses, the number of viruses in the antivirus database, the frequency of its updates, and the presence of additional functions.

Currently, a serious antivirus should be able to recognize at least 25,000 viruses. This does not mean that they are all “in the wild”. In fact, most of them have either ceased to exist or are in laboratories and are not distributed. In reality, you can find 200-300 viruses, and only a few dozen of them pose a danger.

There are many antivirus programs. Let's look at the most famous of them.

Norton AntiVirus 4.0 and 5.0 (manufacturer: Symantec).

One of the most famous and popular antiviruses. The percentage of virus recognition is very high (close to 100%). The program uses a mechanism that allows you to recognize new unknown viruses.

Norton AntiVirus's interface includes a LiveUpdate feature that allows you to update both the program and the set of virus signatures via the Web with the click of a single button. The Anti-Virus Wizard provides detailed information about the detected virus and lets you choose whether to remove the virus automatically or more carefully, through a step-by-step procedure that lets you see each step performed during the removal process.

Anti-virus databases are updated very often (sometimes updates appear several times a week). There is a resident monitor.

The disadvantage of this program is the complexity of setup (although basic settings changes are practically not required).

Dr Solomon's AntiVirus (manufacturer: Dr Solomon's Software).

Considered one of the best antiviruses (Eugene Kaspersky once said that this is the only competitor to his AVP). Detects almost 100% of known and new viruses. A large number of functions: scanner, monitor, heuristics and everything you need to successfully resist viruses.

McAfee VirusScan (manufacturer: "McAfee Associates")

This is one of the most famous antivirus packages. It removes viruses very well, but VirusScan is worse than other packages in detecting new varieties of file viruses. It installs quickly and easily using default settings, but can be customized to suit your needs. You can scan all files or just software files, or extend the scanning procedure to compressed files or not. It has many functions for working with the Internet.

Dr.Web (manufacturer: Dialogue Science)

Popular domestic antivirus. It recognizes viruses well, but its database contains much fewer of them than other anti-virus programs.

Antiviral Toolkit Pro (manufacturer: Kaspersky Lab).

This antivirus is recognized throughout the world as one of the most reliable. Despite its ease of use, it has all the necessary arsenal to fight viruses. Heuristic mechanism, redundant scanning, scanning of archives and packed files - this is not a complete list of its capabilities.

Kaspersky Lab closely monitors the emergence of new viruses and promptly releases updates to its anti-virus databases. There is a resident monitor to monitor executable files.

Evgeny Kaspersky in 1992 used the following classification of antiviruses depending on their operating principle (determining functionality):

· Scanners (outdated terms: “polyphages”, “detectors”) - determine the presence of a virus using a signature database that stores the signatures (or their checksums) of viruses. Their effectiveness is determined by how up to date the virus database is and by the presence of a heuristic analyzer.

· Auditors (a class close to IDS) - remember the state of the file system, which makes it possible to analyze changes in the future.

· Watchmen (resident monitors or filters) - monitor potentially dangerous operations, prompting the user to allow or prohibit the operation.

· Vaccines (immunizers) - change the vaccinated file in such a way that the virus against which the vaccine is applied already considers the file infected. In modern conditions, when the number of possible viruses is measured in hundreds of thousands, this approach is not applicable.

Modern antiviruses combine all of the above functions.

Antiviruses can also be divided into:

Products for home users:

· antiviruses proper;

· combined products (for example, antispam, a firewall, anti-rootkit, etc. are added to the classic antivirus);

Corporate products:

· server antiviruses;

· antiviruses on workstations (“endpoint”).

Using antivirus programs together gives good results, as they complement each other well:

Data coming from external sources is checked by a detector program. If you forgot to check this data and an infected program was launched, it can be caught by a watchman program. However, in both cases it is the viruses known to these antivirus programs that are reliably detected; this accounts for no more than 80-90% of cases.

A watchman can even detect unknown viruses if they behave very brazenly (trying to format the hard disk or make changes to system files). But some viruses can bypass such control.

If the virus was not detected by a detector or watchman, then the results of its activity will be detected by an auditor program.

As a rule, watchdog programs should run on the computer constantly, detectors should be used to check data coming from external sources (files and floppy disks), and auditors should be launched once a day to identify and analyze changes on disks. All this must be combined with regular data backups and the use of preventative measures to reduce the likelihood of contracting a virus.

Any antivirus program “slows down” the computer’s operation, but is a reliable remedy against the harmful effects of viruses.


False antiviruses (rogue antiviruses).

In 2009, various antivirus manufacturers began to report the widespread use of a new type of antivirus - false antiviruses or rogueware. In fact, these programs are either not antiviruses at all (that is, they are not able to fight malware) or are even viruses (they steal credit card data, etc.).

Fake antiviruses are used to extort money from users through deception. One of the ways to infect a PC with a false antivirus is as follows. The user ends up on an “infected” site, which shows him a warning message like: “A virus has been detected on your computer.” After this the user is prompted to download a free program (the false antivirus) to remove the virus. After installation, the false antivirus scans the PC and supposedly detects a lot of viruses on the computer. To remove the malware, the fake antivirus offers to buy a paid version of the program. The shocked user pays (amounts from $50 to $80) and the fake antivirus “cleans” the PC of non-existent viruses.

Antiviruses on SIM, flash cards and USB devices

Mobile phones produced today have a wide range of interfaces and data transfer capabilities. Consumers should carefully review protection methods before connecting any small devices.

Hardware-based protection methods, such as antiviruses on USB devices or on a SIM, are more suitable for consumer mobile phones. Installing an antivirus program on a mobile phone should be preceded by a technical assessment and review, since the scanning process may affect other legitimate applications on the phone.

Antivirus programs on SIM with antivirus built into a small memory area provide anti-malware/virus protection while protecting the phone user's PIN and information. Antiviruses on flash cards give the user the ability to exchange information and use these products with various hardware devices, as well as send this data to other devices using various communication channels.

Antiviruses, mobile devices and innovative solutions

In the future, it is possible that mobile phones will be infected with viruses. More and more developers in this area are offering antivirus programs to combat viruses and protect mobile phones. In mobile devices there are the following types of virus control:

– processor limitations;

– memory limitation;

– identifying and updating the signatures of these mobile devices.

Conclusion: An antivirus program (antivirus) is, originally, a program for detecting and treating malicious objects or infected files, as well as for prevention, i.e. preventing infection of a file or operating system by malicious code. Depending on the operating principle of anti-virus programs, there is the following classification of anti-viruses: scanners (outdated terms: “polyphages”, “detectors”); auditors (a class close to IDS); watchmen (resident monitors or filters); vaccines (immunizers).

CONCLUSION

Achievements in computer technology in recent years have not only contributed to the development of the economy, trade and communications and ensured effective information exchange, but have also provided unique tools to persons committing computer crimes. The more intensive the computerization process, the more real the growth of computer crime becomes, and modern society not only feels the economic consequences of computer crimes but also becomes increasingly dependent on computerization. All of these aspects oblige us to pay more and more attention to the protection of information and to the further development of the legislative framework in the field of information security. The entire range of measures should come down to the protection of state information resources; the regulation of relations arising during the formation and use of information resources; the creation and use of information technologies; the protection of information and of the rights of subjects participating in information processes; and the definition of the basic concepts used in legislation.

Associate Professor of the Department of Organization of Security and Convoying in the Penitentiary System

Candidate of Technical Sciences

Lieutenant Colonel of the Internal Service V.G. Zarubsky


These programs can be classified into five main groups: filters, detectors, auditors, doctors and vaccinators.

Antivirus filters are resident programs that notify the user of all attempts by any program to write to a disk, let alone format it, as well as of other suspicious actions (for example, attempts to change CMOS settings). You will be prompted to allow or deny this action. The operating principle of these programs is based on intercepting the corresponding interrupt vectors. The advantage of programs of this class compared to detector programs is their versatility with respect to both known and unknown viruses, while detectors are written for the specific virus types known to the programmer at that moment. This is especially true now, when many mutant viruses have appeared that do not have a constant code. However, filter programs cannot track viruses that access the BIOS directly, or BOOT viruses that are activated even before the antivirus starts, in the initial stage of DOS loading. Disadvantages also include the frequent issuing of requests to perform any operation: responses to questions take up a lot of the user's time and get on his nerves. When installing some antivirus filters, conflicts may arise with other resident programs that use the same interrupts, which simply stop working.

The most widespread in our country are detector programs, or rather programs that combine detector and doctor. The most well-known representatives of this class - Aidstest, Doctor Web, MicroSoft AntiVirus - will be discussed in more detail below. Antivirus detectors are designed for specific viruses and are based on comparing the sequence of codes contained in the body of the virus with the codes of the programs being scanned. Many detector programs also allow you to “clean” infected files or disks by removing viruses from them (of course, treatment is supported only for viruses known to the detector program). Such programs need to be updated regularly, as they quickly become outdated and cannot detect new types of viruses.

Auditors are programs that analyze the current state of files and system areas of the disk and compare it with information previously saved in one of the auditor’s data files. This checks the state of the BOOT sector, the FAT table, as well as the length of the files, their creation time, attributes, and checksum. By analyzing messages from the auditor program, the user can decide whether the changes were caused by a virus or not. When such messages are issued, you should not panic, since the cause of changes, for example, in the length of a program, may not be a virus at all.

The last group includes the most ineffective antiviruses - vaccinators. They write the signs of a specific virus into the vaccinated program so that the virus considers it already infected.

In our country, as mentioned above, anti-virus programs that combine the functions of detectors and doctors have become especially popular. The most famous of them is the AIDSTEST program by D.N. Lozinsky. This program was invented in 1988 and since then it has been constantly improved and expanded. In Russia, almost every IBM-compatible personal computer has one of the versions of this program. One of the latest versions detects more than 1500 viruses.

The Aidstest program is designed to fix programs infected with ordinary (non-polymorphic) viruses that do not change their code. This limitation is due to the fact that this program searches for viruses using identification codes. But at the same time, a very high speed of checking files is achieved.

For its normal functioning, Aidstest requires that there are no resident antiviruses in the memory that block writing to program files, so they should be unloaded, either by specifying the unload option to the resident program itself, or by using the appropriate utility.

When launched, Aidstest checks the RAM for viruses known to it and neutralizes them. In this case, only the functions of the virus associated with reproduction are paralyzed, while other side effects may remain. Therefore, after the virus has been neutralized in memory, the program issues a request to reboot. You should definitely follow this advice if the PC operator is not a system programmer who studies the properties of viruses. However, you should reboot using the RESET button, since during a “warm reboot” some viruses may persist. In addition, it is better to start the machine and Aidstest from a write-protected floppy disk, since when running from an infected disk, the virus can write itself to memory as a resident and interfere with treatment.

Aidstest tests its body for the presence of known viruses, and also judges by distortions in its code whether it is infected with an unknown virus. In this case, cases of false alarms are possible, for example, when the antivirus is compressed by a packager. The program does not have a graphical interface, and its operating modes are set using keys. By specifying the path, you can check not the entire disk, but a separate subdirectory.

Disadvantages of the Aidstest program:

Does not recognize polymorphic viruses;

It is not equipped with a heuristic analyzer that would allow it to find viruses unknown to it;

Does not know how to check and disinfect files in archives;

Does not recognize viruses in programs processed by executable file packers such as EXEPACK, DIET, PKLITE, etc.

Advantages of Aidstest:

Easy to use;

Works very quickly;

Recognizes a significant part of viruses;

Well integrated with the Adinf audit program;

Works on almost any computer.

Recently, the popularity of another antivirus program, Doctor Web, offered by the Dialog-Nauka company, has been growing rapidly. This program was created in 1994 by I.A. Danilov. Dr. Web, like Aidstest, belongs to the class of detector-doctors, but unlike the latter it has a so-called “heuristic analyzer”, an algorithm that allows it to detect unknown viruses. “Healing Web”, as the program's name translates from English, became the response of domestic programmers to the invasion of self-modifying mutant viruses, which, when replicating, modify their body so that not a single characteristic chain of bytes present in the original version of the virus remains. The program's standing is confirmed by the fact that a large license (for 2000 computers) was acquired by the Main Directorate of Information Resources under the President of the Russian Federation, and the second largest buyer of the “web” was Inkombank.

Modes are controlled with command-line switches, just as in Aidstest. The user can instruct the program to test the entire disk, individual subdirectories or groups of files, or to skip the disks and test only RAM. In turn, you can test either only base memory or, in addition, extended memory. Like Aidstest, Doctor Web can create a work report, load a Cyrillic character generator, and supports work with the Sheriff hardware and software complex.

Testing a hard drive with Dr. Web takes much longer than with Aidstest, so not every user can afford to spend that much time checking the entire hard drive every day. Such users may be advised to check floppy disks brought from outside more carefully. If the information on a floppy disk is in an archive (and recently programs and data are transferred from machine to machine only in this form; even software companies, for example Borland, package their products), you should unpack it into a separate directory on your hard drive and immediately, without delay, launch Dr. Web, giving it the full path to this subdirectory as a parameter instead of the disk name. And yet, you need to perform a full scan of the hard drive for viruses at least once every two weeks, setting the maximum level of heuristic analysis.

Just as with Aidstest, during initial testing you should not allow the program to disinfect files in which it detects a virus, since it cannot be ruled out that the sequence of bytes used by the antivirus as a pattern also occurs in a healthy program.

Unlike Aidstest, Dr. Web:

recognizes polymorphic viruses;

is equipped with a heuristic analyzer;

can check and disinfect files in archives;

allows you to test files vaccinated with CPAV, as well as files packed with LZEXE, PKLITE and DIET.

The Dialog-Nauka company offers different versions of the DrWeb program for DOS. As you know, there are two versions for DOS, traditionally called 16-bit and 32-bit (the latter is also called Doctor Web for DOS/386, or DrWeb386). These names (16- and 32-bit) fully reflect the essence of the difference between the DOS versions, but it is obvious from the names alone only to specialists. Only the 32-bit version has all the functionality inherent in the other modern versions of Doctor Web (in particular, the versions for Windows).

The 16-bit version, due to the limits on available memory imposed by the operating system, lacks some “skills” that are extremely important today; in particular, it does not include (and, because of those memory limits, cannot include):

“handling” modules for known viruses of modern types (in particular, macro and stealth viruses);

heuristic analyzer modules for detecting unknown modern viruses;

modules for unpacking modern types of archives and packaged Windows programs, etc.

Thus, although the 16-bit version uses the same virus database (VDB files) as the 32-bit versions, the absence of some modules in it makes it impossible to process the corresponding viruses.

In addition, for the same reasons, the 16-bit version does not support some modern software and hardware, which may make its operation unstable or incorrect.

Since the 32-bit version is fully functional and, as its other name, Doctor Web for DOS/386, indicates, can be used under DOS on computers with at least a 386 processor, all users who need the Doctor Web version for DOS should use exactly this version.

As for the 16-bit version, it continues to be released, since there is still a fleet of old machines on the 86/286 platform, where the 32-bit version cannot work.

AVSP (Anti-Virus Software Protection)

An interesting software product is the AVSP antivirus. This program combines a detector, a doctor and an auditor, and even has some resident filter functions (prohibiting writes to files with the READ ONLY attribute). The antivirus can treat both known and unknown viruses, and for the latter the user can tell the program how the treatment should be done. In addition, AVSP can treat self-modifying and stealth viruses.

When you start AVSP, a window system with menus and information about the program's status appears. The context-sensitive help system, which provides explanations for each menu item, is very convenient. It is called classically, with the F1 key, and changes as you move from item to item. Another important advantage in our age of Windows and OS/2 is mouse support. A significant drawback of the AVSP interface is the lack of the ability to select menu items by pressing the key with the corresponding letter, although this is somewhat compensated by the ability to select an item by pressing ALT together with the number of that item.

The AVSP package also includes the resident driver AVSP.SYS, which allows you to detect most invisible viruses (except for viruses like Ghost-1963 or DIR), deactivates viruses for the duration of its operation, and also prohibits modification of READ ONLY files.

Another function of AVSP.SYS is disabling resident viruses while AVSP.EXE is running; however, along with viruses, the driver also disables some other resident programs. When you launch AVSP for the first time, you should test your system for known viruses. RAM, the BOOT sector and files are checked. In some cases, you can even recover files damaged by an unknown virus. You can check file sizes, their checksums, the presence of viruses, or all of this together. You can also specify what exactly to check (Boot sector, memory or files). As with most antivirus programs, the user is given the choice between speed and quality. The essence of the high-speed check is that not the entire file is scanned, but only its beginning; most viruses can be detected this way. If a virus is written into the middle of the file, or the file is infected with several viruses (the “old” viruses being, as it were, pushed into the middle by the “young” ones), then the program will not notice it. Therefore, the quality option should be selected, especially since in AVSP a high-quality check does not take much more time than a high-speed one.

AVSP can make many mistakes when automatically detecting new viruses. So when a pattern is detected automatically, you should take the time to check whether it really belongs to a virus and whether this pattern also occurs in healthy programs.
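To make the two cautions above concrete (the high-speed check that scans only the beginning of a file, and a detection pattern that can also occur in a healthy program), here is an added example in Python. It is not code from AVSP, Aidstest or Dr. Web; its masks and sample files are constructed placeholders that correspond to no real virus, and the 512-byte window is an assumed value for the fast mode:

```python
"""Toy signature ("mask") scanner for the trade-offs discussed above.

Added example for this article; it is not code from Aidstest, Dr. Web or
AVSP. The masks and the sample files are constructed for the demo and
correspond to no real virus; they only show how constant-mask matching,
the "high-speed" prefix-only check and false positives behave.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Mask:
    name: str
    pattern: bytes          # constant byte sequence characteristic of one "virus"


# Constructed placeholder masks, not signatures of any real malware.
MASKS = [
    Mask("DEMO-A", b"\x9c\x50\x2e\xa1\x30\x12"),
    Mask("DEMO-B", b"XYZ-DEMO-MARK"),
]


def scan_bytes(data: bytes, masks: List[Mask] = MASKS,
               fast_prefix: Optional[int] = None) -> List[str]:
    """Names of the masks found in data.

    fast_prefix=N reproduces the "high-speed" mode from the text: only the
    first N bytes are examined, so a virus body placed deeper in the file
    is never seen.
    """
    region = data if fast_prefix is None else data[:fast_prefix]
    return [m.name for m in masks if m.pattern in region]


def scan_files(files: Dict[str, bytes],
               fast_prefix: Optional[int] = None) -> Dict[str, List[str]]:
    """Scan every file of an in-memory "disk" and map file name -> hits."""
    return {name: scan_bytes(blob, fast_prefix=fast_prefix)
            for name, blob in files.items()}


def missed_by_fast_scan(files: Dict[str, bytes], prefix: int) -> List[str]:
    """Files flagged by a full scan but not by a prefix-only scan."""
    full, fast = scan_files(files), scan_files(files, fast_prefix=prefix)
    return sorted(name for name in files if full[name] and not fast[name])


# Constructed sample "files" (no real executables).
SAMPLES = {
    # mask at the very start of the file: found in both modes
    "PROG1.COM": b"\x9c\x50\x2e\xa1\x30\x12" + b"\x90" * 200,
    # mask appended at the end, beyond a 512-byte fast-scan window
    "PROG2.EXE": b"MZ" + b"\x00" * 600 + b"\x9c\x50\x2e\xa1\x30\x12",
    # clean program that merely contains DEMO-B as a text string: false positive
    "README.EXE": b"MZ" + b"\x00" * 50 + b"Text: XYZ-DEMO-MARK" + b"\x00" * 20,
    "CLEAN.COM": b"\xb8\x00\x4c\xcd\x21" * 30,
}


if __name__ == "__main__":
    for name, hits in scan_files(SAMPLES).items():
        print(f"{name:12} full scan: {hits or 'clean'}")
    print("missed by 512-byte fast scan:", missed_by_fast_scan(SAMPLES, 512))
```

Running the block shows PROG2.EXE flagged only by the full scan, and README.EXE flagged although it is clean; the second case is exactly why the text advises verifying an automatically found pattern before letting the program disinfect.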

If AVSP detects a known virus during a scan, you should take the same actions as when working with Aidstest and Dr. Web: copy the file to disk, reboot from the backup floppy and launch AVSP. It is also advisable to have the AVSP.SYS driver loaded into memory, since it helps the main program treat stealth viruses.

Another useful feature is the built-in disassembler. With its help, you can figure out whether there is a virus in the file or whether AVSP raised a false positive when checking the disk. In addition, you can try to find out the method of infection, the principle of operation of the virus, and the place where it “hid” the replaced bytes of the file (if we are dealing with a virus of this type). All this allows you to write a virus removal procedure and restore damaged files. Another useful feature is the output of a visual map of changes. The change map allows you to assess whether the changes correspond to a virus or not, and to narrow the search area for the virus body during disassembly.

The AVSP program has two algorithms for neutralizing stealth viruses (“invisible”), and both of them work only if there is an active virus in memory. Here's what happens when these algorithms are implemented: all files are copied into data files and then erased. Only files with the SYSTEM attribute are saved. In Adinf, the process of removing Stealths is much simpler.

The AVSP program also monitors the status of boot sectors. If the BOOT sector on a floppy disk is infected and the antivirus cannot cure it, then you should erase the boot code. The floppy disk will become non-systemic, but the data will not be lost. You can't do this with a hard drive. If changes are detected in one of the BOOT sectors of the hard drive, AVSP will offer to save it in a file and then try to remove the virus.

Microsoft Antivirus

Modern versions of MS-DOS (for example, 6.22) include the Microsoft Antivirus (MSAV) program. This antivirus can work in detector-doctor and auditor modes. MSAV has an MS-Windows-style interface, and naturally the mouse is supported. Context help is well implemented: there is a hint for almost any menu item and for any situation. Access to menu items is implemented universally: you can use the cursor keys, the function keys (F1-F9), the keys corresponding to one of the letters of the item name, or the mouse. A serious inconvenience when using the program is that it does not keep its tables of file data in one file but scatters them across all directories.

When launched, the program loads its own character generator and reads the directory tree of the current disk, after which it exits to the main menu. It is not clear why the directory tree should be read immediately upon startup: after all, the user may not want to check the current disk.

During the first check, MSAV creates CHKLIST.MS files in each directory containing executable files, into which it writes information about the size, date, time and attributes, as well as the checksum, of the controlled files. During subsequent checks, the program compares the files with the information in the CHKLIST.MS files. If the size and date have changed, the program informs the user and asks about further actions: update the information (Update), set the date and time in accordance with the data in CHKLIST.MS (Repair), continue regardless of the changes in this file (Continue), or interrupt the check (Stop).

In the Options menu you can configure the program as you wish. Here you can set the mode to scan for invisible viruses (Anti-Stealth), check all (not just executable) files (Check All Files), and also allow or disable the creation of CHKLIST.MS tables (Create New Checksums). In addition, you can set the mode for saving a report on the work done in a file. If you set the Create Backup option, then before removing the virus from the infected file, a copy of it will be saved with the VIR extension.

While in the main menu, you can view the list of viruses known to the MSAV program by pressing the F9 key. This will display a window with the names of the viruses. To view more detailed information about the virus, you need to move the cursor to its name and press ENTER. You can quickly navigate to the virus of interest by typing the first letters of its name. Information about the virus can be output to the printer by selecting the appropriate menu item.

ADinf (Advanced Diskinfoscope)

ADinf belongs to the class of auditor programs. This program was created by D.Yu. Mostov in 1991.

The ADinf family of programs are disk auditors designed to work on personal computers running the MS-DOS, MS-Windows 3.xx, Windows 95/98 and Windows NT/2000 operating systems. The programs work by regularly monitoring the changes occurring on hard drives. If a virus appears, ADinf detects it by the modifications it makes to the file system and/or boot sector of the disk and informs the user. Unlike antivirus scanners, ADinf does not use “portraits” (signatures) of specific viruses in its work. Therefore, ADinf is especially effective at detecting new viruses for which an antidote has not yet been invented.

It should be especially noted that ADinf does not use operating system functions to monitor disks. It reads the disk sector by sector and independently parses the file system structure, which allows it to detect so-called stealth viruses.

If the ADinf treatment unit (ADinf Cure Module) is installed in the system, then this tandem is capable of not only detecting but also successfully removing emerging infections. Testing has shown that ADinf Cure Module successfully copes with 97% of viruses, restoring damaged files with byte precision.

The useful properties of ADinf are not limited to fighting viruses. In essence, ADinf is a system that allows you to monitor the safety of information on disks and detect any, even subtle, changes in the file system, namely changes in system areas, file changes, creation and deletion of directories, and creation, deletion, renaming and moving of files from directory to directory. The set of controlled information is flexibly configurable, so you can control only what is needed.

The first version of the program was released in 1991, and since then ADinf has deservedly been the most popular auditor in Russia and the countries of the former USSR. Today it is difficult to count the number of legal and illegal users of ADinf. More than 2,500 corporate subscribers of the Dialog-Science Anti-Virus Suite, which includes ADinf, protect their computers with it. The ADinf program has received certificates in the GOST R Certification System and the Certification System for Information Security Equipment of the Ministry of Defense, as well as the Certificate of the State Technical Commission under the President of the Russian Federation (as part of the Dialog-Science Anti-Virus Kit). The program is constantly being improved and is always on the cutting edge of modern technology.

Initially, the ADinf auditor was developed for the MS-DOS operating system. Then versions of the program were released for Windows 3.xx and Windows 95/98/NT. Now there is a family of compatible auditors for various operating systems. All ADinf variants today support Windows 95/98 file systems, long file and directory names, and parse the internal structure of Windows 95/98 and NT executable files.

So, the Adinf program:

it has a high operating speed;

is able to successfully resist viruses located in memory;

allows you to control the disk by reading it sector by sector through the BIOS and without using DOS system interrupts, which can be intercepted by a virus;

can process up to 32,000 files on each drive;

unlike AVSP, in which the user has to independently analyze whether the machine is infected with a Stealth virus by booting first from the hard drive and then from the reference floppy disk, in ADinf this operation occurs automatically;

unlike other antiviruses, Advanced Diskinfoscope does not require booting from a reference, write-protected floppy disk. When booting from the hard drive, the reliability of protection does not decrease;

ADinf has a well-executed user-friendly interface, which, unlike AVSP, is implemented not in text, but in graphical mode;

When installing ADinf into the system, it is possible to change the name of the main file ADINF.EXE and the names of the tables; the user can specify any name. This is a very useful function, since recently a lot of viruses have appeared that “hunt” for antiviruses (for example, there is a virus that changes the Aidstest program so that instead of the DialogueScience banner it writes: “Lozinsky is a stump”), including for ADinf.

There are several versions of the Adinf auditor for different operating systems. Each of them has its own characteristics.

The ADinf auditor is designed for the MS-DOS and Windows 95/98 operating systems. It is a development of the first version of the auditor, created back in 1991. Today ADinf is the most reliable tool for detecting both known and new, unknown viruses. It is the only auditor in the world that checks the file system by reading it sector by sector directly through the computer's BIOS.

The ADinf for Windows auditor is designed for the Windows 3.xx operating system. This version of the program adds a convenient graphical user interface to all the properties of the ADinf auditor.

The ADinf Pro auditor is designed to monitor the safety of particularly valuable information, such as databases or documents, under the MS-DOS, Windows 3.xx and Windows 95/98 operating systems. A special feature of this version of the program is the use of a 64-bit hash function, developed by the well-known Russian company LAN-Crypto, to control the integrity of files. Using this hash function not only ensures that accidental file changes or changes caused by viruses are detected, but also makes it impossible to intentionally modify the data on the disk without being noticed.

The ADinf32 auditor is a 32-bit multi-threaded application for the Windows 95/98 and Windows NT operating systems with a modern user interface. This version of the program not only has all the advantages of the other variants, but also contains a lot that is new compared to them.

It should be noted that the Adinf program is well integrated with other programs of the DSAV kit from Dialog-Nauka. Thus, Adinf creates a list of new and changed files on the disk, and Aidstest and DrWeb can check files from this list, which significantly reduces the operating time of these programs.

AVP (AntiViral Toolkit Pro)

This program was created by Kaspersky Lab. AVP has one of the most advanced virus detection mechanisms. Today AVP is practically in no way inferior to its Western counterparts.

AVP provides users with maximum service - the ability to update anti-virus databases via the Internet, the ability to set parameters for automatic scanning and disinfection of infected files. Updates on the AVP website appear almost weekly, and the database includes descriptions of almost 40 thousand viruses.

AVP consists of several important modules:

  • 1) AVP Scanner checks hard disks for virus infection. You can set a full scan, in which the program scans all files in a row, and also set the scanning mode for archived files. One of the main advantages of AVP is its fight against macro viruses. The user can select a special mode in which documents created in Microsoft Office format are checked. After detecting viruses or infected files, AVP offers several options to choose from: remove the viruses from the files, delete the infected files themselves, or move them to a special folder.
  • 2) AVP Monitor. This program is loaded automatically at Windows startup. AVP Monitor automatically checks all files and documents opened on the computer and, in the event of a virus attack, notifies the user. Moreover, in most cases AVP Monitor simply does not allow the infected file to run, blocking its execution. This function is very useful for those who constantly deal with many new files, for example active Internet users (since it is impossible to launch AVP every five minutes to check downloaded files, this is where AVP Monitor comes to the rescue).
  • 3) AVP Inspector is the last and a very important module of the AVP kit, which allows you to catch even unknown viruses. The “Inspector” uses a method of controlling changes in file size. By inserting itself into a file, the virus inevitably increases its size, and the “Inspector” easily detects it.

In addition to all of the above, there is the so-called AVP Control Center - “control panel” for all programs of the AVP complex. The most important function of this program is the built-in Task Scheduler, which allows you to quickly check (and, if necessary, treat the system) automatically, without user intervention, but at a time specified by the user.
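The auditor mechanism that MSAV's CHKLIST.MS tables, ADinf and AVP Inspector all rely on, as an added example in Python that is not code from any of those products. The in-memory “disk”, its paths and contents are constructed for the demo, SECRET_KEY is a placeholder for a key that would be kept off the audited disk, and HMAC-SHA256 stands in for the keyed 64-bit LAN-Crypto hash mentioned for ADinf Pro, whose definition this page does not give (that substitution is an assumption). The example shows a size-only inspector missing a same-size overwrite, a checksum table catching it, and why a keyed hash matters when the table itself can be rewritten:

```python
"""Disk-integrity auditor in the spirit of MSAV's CHKLIST.MS tables and ADinf.

Added example for this article; it is not code from MSAV, ADinf or AVP.
The "disk" is an in-memory dict {path: bytes} so the demo runs offline, the
paths and contents are constructed, and SECRET_KEY is a constructed
placeholder for a key that would be kept off the audited disk.
"""
import hashlib
import hmac
import zlib
from typing import Dict, Optional, Tuple

Files = Dict[str, bytes]
Snapshot = Dict[str, Tuple[int, str]]      # path -> (size, digest as hex)

SECRET_KEY = b"constructed-demo-key-kept-off-disk"


def digest(data: bytes, key: Optional[bytes] = None) -> str:
    """Unkeyed CRC32 (a plain checksum, as in a CHKLIST.MS table) or, when a
    key is given, HMAC-SHA256, standing in for the keyed 64-bit hash that the
    text attributes to ADinf Pro (assumption: that function is not on the page)."""
    if key is None:
        return f"{zlib.crc32(data) & 0xFFFFFFFF:08x}"
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def take_snapshot(files: Files, key: Optional[bytes] = None) -> Snapshot:
    """Record size and digest of every file: the auditor's baseline table."""
    return {path: (len(blob), digest(blob, key)) for path, blob in files.items()}


def audit(baseline: Snapshot, files: Files, key: Optional[bytes] = None,
          size_only: bool = False) -> Dict[str, list]:
    """Compare the disk with the baseline and classify every difference.

    size_only=True mimics an inspector that watches only file sizes (as the
    article describes AVP Inspector): a same-size overwrite slips past it.
    """
    current = take_snapshot(files, key)
    report = {"new": [], "deleted": [], "changed": []}
    for path in sorted(set(baseline) | set(current)):
        if path not in baseline:
            report["new"].append(path)
        elif path not in current:
            report["deleted"].append(path)
        else:
            old_size, old_dig = baseline[path]
            new_size, new_dig = current[path]
            if old_size != new_size or (not size_only and old_dig != new_dig):
                report["changed"].append(path)
    return report


def table_tampering_hidden(table: Snapshot, files: Files,
                           key: Optional[bytes] = None) -> bool:
    """True if a replaced baseline table makes the audit report nothing at all."""
    return not any(audit(table, files, key).values())


def demo() -> dict:
    """Walk through the scenarios the article describes and return the findings."""
    disk: Files = {                                   # constructed sample disk
        "C:/DOS/COMMAND.COM": b"MZ" + b"\x00" * 100,
        "C:/GAMES/PLAY.EXE": b"MZ" + b"\x01" * 100,
        "C:/UTIL/TOOL.COM": b"\xb8\x00\x4c\xcd\x21" * 20,
    }
    base_crc = take_snapshot(disk)                    # unkeyed table
    base_keyed = take_snapshot(disk, SECRET_KEY)      # keyed table

    # 1) Code appended to a program: its size grows, so even a size check sees it.
    disk["C:/GAMES/PLAY.EXE"] += b"\x9c\x50\x2e"
    # 2) Same-size overwrite: only a checksum/hash comparison notices it.
    disk["C:/UTIL/TOOL.COM"] = b"\xb8\x00\x4c\xcd\x21" * 19 + b"\xcd\x21\x90\x90\x90"
    # 3) A file appears and another disappears.
    disk["C:/GAMES/NEW.COM"] = b"\xc3"
    del disk["C:/DOS/COMMAND.COM"]

    size_report = audit(base_crc, disk, size_only=True)
    crc_report = audit(base_crc, disk)
    keyed_report = audit(base_keyed, disk, SECRET_KEY)

    # 4) The baseline table itself is overwritten with one recomputed from the
    #    modified disk. Without a key anyone can do that, so the CRC audit goes
    #    quiet; a table rebuilt without the real key fails the keyed audit.
    replaced_crc_table = take_snapshot(disk)
    replaced_keyed_table = take_snapshot(disk, b"wrong-key")

    return {
        "size_only_changed": size_report["changed"],
        "crc_changed": crc_report["changed"],
        "keyed_changed": keyed_report["changed"],
        "new": crc_report["new"],
        "deleted": crc_report["deleted"],
        "crc_table_swap_hidden": table_tampering_hidden(replaced_crc_table, disk),
        "keyed_table_swap_hidden": table_tampering_hidden(
            replaced_keyed_table, disk, SECRET_KEY),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The size-only pass reports only PLAY.EXE, while both digest-based passes also catch the same-size rewrite of TOOL.COM; the last two results are the point of ADinf Pro's design: a checksum table stored next to the files can be silently regenerated, a keyed table cannot.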


