Prevention and control of viruses

Prevention, detection and removal of computer viruses

The prevention and control of computer viruses should be approached from three aspects: prevention, detection and removal (disinfection). Correspondingly, the actual prevention-and-control effect of a system is judged by its prevention capability, its detection capability and its removal capability.

"Prevention" refers to taking appropriate system security measures, based on the characteristics of the system, to stop viruses from invading the computer.

"Detection" means the ability to accurately report the name of a virus present in a defined environment, which includes memory, files, the boot area (including the master boot area), the network and so on.

"Removal" (disinfection) refers to restoring an infected object according to the way different types of virus modify it, in line with the characteristics of the infection. The recovery process must not destroy anything that the virus did not modify. Infected objects include: memory, the boot area (including the master boot area), executable files, document files, the network, etc.

Prevention capability is the ability to stop viruses from invading a computer system. The prevention measures taken should monitor and warn accurately and in real time about file transfers via CD-ROM, floppy disk, copies between different directories on the hard disk, the LAN, Internet downloads (including FTP, E-MAIL and HTTP) and other forms of transmission; they should raise an alarm when a virus invades the system, record the files carrying the virus, and remove the virus immediately; on a network, they should also be able to send a message to the network administrator.

Detection capability is the ability to detect a virus and trace its source. A check should accurately determine whether the computer system is infected, accurately locate the source of the virus, and produce a statistical report; detection capability is judged by the detection rate and the false alarm rate. Removal capability is the ability to remove a virus from an infected object and restore the original information as it was before the infection; removal capability is judged by the removal rate.

Anti-virus technology

Virus Behavioral Language

From the perspective of a programming language, a computer virus is a regular piece of code, and finding a virus is usually the process of finding the code the virus uses. The virus behavior language uses a mathematical method to compute a formula for the virus code, and this formula describes the virus precisely. Describing computer viruses in this way has the characteristics of accurate description, rapid searching and a low false alarm rate.

Data description disinfection technology

The process by which a virus parasitizes a system is a mathematical transformation of files and sectors; viewed at a high level it can be regarded as an operation on data, and its inverse operation is the data disinfection technique. (Note: "file" here means a logical unit of disk storage, usually used to save programs, databases, text and other data; "sector" means the smallest allocation unit on the disk, created when the disk is formatted.) This disinfection technique is characterized by accurate disinfection, high efficiency and good results.

Virus family classification method

A "family" is a group of several or dozens of viruses developed from the same original virus; their nature is similar, they manifest themselves in similar ways, and even their detection and removal methods are very similar. Viruses of the same family are given the same base name combined with different sub-names, the base name and sub-name being separated by a dot. This allows a wide variety of computer viruses to be classified scientifically and effectively.

Data Code Separation Technology

Data Code Separation Technology divides the detection and removal of viruses into two categories. The first is viruses that conform to the standard detection and removal algorithm: adding only a few bytes of data about the virus is enough to detect and remove it. The second is viruses that do not conform to the standard algorithm: adding detection and removal code specific to the virus (only a few dozen bytes) adds a detection and removal algorithm for that type of virus. The characteristic of this method is that, with the same version of the system file, adding new virus information alone not only detects and removes common new viruses effectively, but also lets the anti-virus software be upgraded automatically for a new generation of viruses, addressing the problem of having to find and eliminate each new virus through a software upgrade.
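The three techniques above (code description of a virus, Family.Sub naming, and data/code separation) as one added example in Python; it is not code from the original article. Every pattern, marker, layout and name in it is constructed for the illustration and is not a real virus signature.

```python
from typing import Callable, Dict, List

# "Data" half of data/code separation: a virus that fits the standard checking
# algorithm costs only a few bytes of table data. Names follow the page's family
# scheme, base name and sub-name separated by a dot. Every pattern below is
# constructed for this example and is not a real virus signature.
SIGNATURE_TABLE: Dict[str, bytes] = {
    "Demo.A": b"\xeb\x10\x90\x90\xcd\x21",
    "Demo.B": b"\xeb\x20\x90\x90\xcd\x21",
    "Other.A": b"\x55\xaa\x12\x34",
}

def add_signature(name: str, pattern: bytes) -> None:
    """Adding a standard-algorithm virus touches only data, never scanner code."""
    SIGNATURE_TABLE[name] = pattern

# "Code" half: a (hypothetical) virus that stores its body XOR-encoded with a
# one-byte key kept in the last byte of the file cannot be matched by the
# standard algorithm and needs a few lines of its own decoding code.
def detect_demo_c(buf: bytes) -> bool:
    if len(buf) < 2:
        return False
    key = buf[-1]
    decoded = bytes(b ^ key for b in buf[-65:-1])  # decode up to 64 trailing bytes
    return b"DEMOC" in decoded                     # constructed plaintext marker

CUSTOM_DETECTORS: Dict[str, Callable[[bytes], bool]] = {"Demo.C": detect_demo_c}

def scan(buf: bytes) -> List[str]:
    """Return the names of all viruses found in buf (standard table, then custom code)."""
    hits = [name for name, pat in SIGNATURE_TABLE.items() if pat in buf]
    hits += [name for name, detect in CUSTOM_DETECTORS.items() if detect(buf)]
    return sorted(hits)

def by_family(names: List[str]) -> Dict[str, List[str]]:
    """Group hits by base name, e.g. {'Demo': ['A', 'C']}, for a family-level report."""
    groups: Dict[str, List[str]] = {}
    for name in names:
        base, sub = name.split(".", 1)
        groups.setdefault(base, []).append(sub)
    return groups

# Constructed sample buffers (fake headers plus filler) for trying the scanner.
SAMPLE_CLEAN = b"MZ" + bytes(40)
SAMPLE_A = b"MZ" + bytes(10) + SIGNATURE_TABLE["Demo.A"] + bytes(10)
_KEY = 0x5A
SAMPLE_C = b"MZ" + bytes(10) + bytes(b ^ _KEY for b in b"junkDEMOCtail") + bytes([_KEY])

if __name__ == "__main__":
    for label, sample in (("clean", SAMPLE_CLEAN), ("a", SAMPLE_A), ("c", SAMPLE_C)):
        print(label, scan(sample), by_family(scan(sample)))
```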

Virus detection and removal

(1) Removal of file-type viruses

The vast majority of computer viruses are file-type. A file-type virus is one that parasitizes executable files and relies on them to spread. Mathematically, removing such a virus is the inverse of the infection process. Once the detection work (following jumps, decoding) has obtained the whole code of the virus body, the data needed to restore the file must be in that body; once this data is found, the file can be restored by a definite procedure or method, that is, the virus can be removed.
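Removal as the inverse of infection (the "data disinfection" idea above and the file-type case here), as an added Python example that is not from the original article. It assumes a hypothetical appending virus with a constructed layout: the host's first 3 bytes are overwritten with a jump to the appended body, and the body is a 4-byte marker, the saved original 3 bytes, and 8 bytes of body code.

```python
# Constructed layout of the hypothetical virus; none of these values are real.
MARKER = b"DEMO"      # identification bytes at the start of the appended body
HEAD_LEN = 3          # bytes of the host that the virus overwrites with a jump
BODY_LEN = 8          # size of the body code that follows the saved head bytes
VIRUS_LEN = len(MARKER) + HEAD_LEN + BODY_LEN   # 15 bytes appended in total

def is_infected(buf: bytes) -> bool:
    """Detection step: the body sits at the end of the file and starts with MARKER."""
    return len(buf) > VIRUS_LEN and buf[-VIRUS_LEN:-VIRUS_LEN + len(MARKER)] == MARKER

def disinfect(buf: bytes) -> bytes:
    """Inverse of the infection: put back the saved head bytes and drop the body."""
    if not is_infected(buf):
        return buf
    body = buf[-VIRUS_LEN:]
    # The data needed to restore the file lives inside the virus body itself.
    saved_head = body[len(MARKER):len(MARKER) + HEAD_LEN]
    return saved_head + buf[HEAD_LEN:-VIRUS_LEN]

def untouched_bytes_preserved(infected: bytes, restored: bytes) -> bool:
    """The page's rule for recovery: nothing the virus did not modify may change."""
    return (len(restored) == len(infected) - VIRUS_LEN
            and restored[HEAD_LEN:] == infected[HEAD_LEN:-VIRUS_LEN])

# Constructed sample images. CLEAN is the original host; INFECTED is assembled
# directly from CLEAN according to the layout above (jump displacement 0x14 = 20
# lands exactly on the appended body at offset 23).
CLEAN = b"MZ\x90" + b"host program code".ljust(20, b"\x00")
INFECTED = (b"\xe9\x14\x00" + CLEAN[HEAD_LEN:]
            + MARKER + CLEAN[:HEAD_LEN] + b"\x00" * BODY_LEN)

if __name__ == "__main__":
    restored = disinfect(INFECTED)
    print("infected:", is_infected(INFECTED), "restored ok:", restored == CLEAN,
          "untouched preserved:", untouched_bytes_preserved(INFECTED, restored))
```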

(2) Removal of boot-type viruses

This type of virus is also quite varied. The first virus found in China, the "small ball" virus, is a boot-type virus: it occupies the first sector of the floppy disk or hard disk, seizes control of the computer before the operating system boots, affects the system's I/O access speed and interferes with the normal operation of the system. Such viruses can be removed by the address method, the relative method, the logical method, the overlay method or a special method.

(3) Memory disinfection

Because a virus active in memory can interfere with the detection results of anti-virus software, almost all anti-virus software designers have to take memory disinfection into account. The new memory disinfection technique finds the location of the virus in memory and rewrites part of its code to disable its propagation function.

(4) Detection of unknown viruses

Through the analysis of a large number of viruses, one can grasp the virus ****, classify viruses according to the laws of their development and derivation, and summarize the code that viruses commonly use (this code is fundamental to a virus's existence, propagation and attack). The weighted statistical value of this code contained in a file serves as the basis for detecting unknown viruses; knowledge of executable file formats is used to analyze the startup code, with a certain amount of disassembly and jump prediction, and the combined result reports the unknown virus. This method is based on a unique virus description language, with accurate description and a low false alarm rate.
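The unknown-virus heuristic above (weighted statistics of commonly used code, plus following jumps from the startup code to find where execution really begins), as an added Python example that is not from the original article. It assumes a flat image whose entry point is offset 0 and a constructed fragment table; the weights and threshold are illustrative choices, not a real engine's values.

```python
from typing import Dict

# Constructed table of "commonly used code" fragments and their weights. The
# fragments are DOS-era service calls; the weights and threshold are made up here.
WEIGHTED_FRAGMENTS: Dict[bytes, int] = {
    b"\xcd\x21": 1,              # int 21h (DOS services)
    b"\xb4\x4e\xcd\x21": 3,      # mov ah,4Eh (find first file) ; int 21h
    b"\xb4\x3d\xcd\x21": 2,      # mov ah,3Dh (open file) ; int 21h
    b"\xb4\x40\xcd\x21": 3,      # mov ah,40h (write to file) ; int 21h
}
THRESHOLD = 6

def follow_jumps(buf: bytes, entry: int = 0, max_steps: int = 8) -> int:
    """Jump prediction: follow E9 rel16 (near jump) from the entry point, bounded
    in steps and loop-safe, to find where the real startup code begins."""
    ip, seen = entry, set()
    while (0 <= ip < len(buf) - 2 and buf[ip] == 0xE9
           and ip not in seen and len(seen) < max_steps):
        seen.add(ip)
        rel = int.from_bytes(buf[ip + 1:ip + 3], "little", signed=True)
        ip = ip + 3 + rel
    return ip if 0 <= ip < len(buf) else entry

def weighted_score(buf: bytes, start: int, window: int = 64) -> int:
    """Weighted count of the fragments inside the window at the predicted code start."""
    region = buf[start:start + window]
    return sum(w * region.count(frag) for frag, w in WEIGHTED_FRAGMENTS.items())

def classify_unknown(buf: bytes) -> dict:
    start = follow_jumps(buf)
    score = weighted_score(buf, start)
    return {"code_start": start, "score": score, "suspicious": score >= THRESHOLD}

# Constructed samples: SUSPECT jumps over 10 filler bytes into code that finds,
# opens and writes files; BENIGN just calls the DOS exit service.
SUSPECT = (b"\xe9\x0a\x00" + bytes(10)
           + b"\xb4\x4e\xcd\x21" + b"\xb4\x3d\xcd\x21" + b"\xb4\x40\xcd\x21" + b"\xcd\x20")
BENIGN = b"\xb8\x00\x4c\xcd\x21"

if __name__ == "__main__":
    print("suspect:", classify_unknown(SUSPECT))
    print("benign:", classify_unknown(BENIGN))
```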

(5) Detection of viruses in packed files

Packers are common utility programs that wrap an executable file to reduce the disk space it occupies and speed up its operation. However, once a virus has been packed it is protected, and ordinary anti-virus software cannot detect it. When a packed executable containing a virus is executed, the virus spreads everywhere; and if anti-virus software removes the virus from the unpacked copy, the virus in the packed executable remains, which is more harmful. A dedicated unpacking module can detect and remove the virus without destroying the packed executable.

(6) Detecting files processed by compression tools

Files processed by compression tools are common on disk; compression saves disk space and aids confidentiality and portability. But if someone unknowingly compresses virus-infected files with a compression tool, ordinary anti-virus software cannot detect the virus inside the compressed file; applying decompression algorithms and procedures allows this kind of virus to be rooted out.

Network virus prevention and control

For stand-alone machines, the techniques above, or anti-virus software with the corresponding functions, give the computer system basic protection from virus interference. Compared with stand-alone protection, the prevention and control of network viruses is considerably harder and should be integrated with network management. The biggest advantage of network anti-virus is the network's management functions; without management functions it is difficult to accomplish the task of network anti-virus, and only a combination of management and prevention keeps the system operating well.

The management function manages all network equipment and operations: from hubs, switches and servers to PCs, including floppy disk access, information exchange within the LAN, connections to the Internet, and every path by which a virus can infect and spread.

Generally speaking, the prevention and control of computer viruses rests on improving the security mechanisms of operating systems and application software, but in a network environment new means of prevention should be adopted accordingly. Viruses spread fast on a network, and a single stand-alone anti-virus product can hardly remove a network virus; a full range of anti-virus products suited to LANs and WANs is needed.

To achieve the prevention and control of computer viruses, a network virus prevention and control server can be installed on the computer network; network virus prevention and control software can be installed on internal network servers; and stand-alone anti-virus software can be installed on single machines.

The goal of installing a network virus prevention and control server is to scan all files entering and leaving the network in real time, so that data exchanged between the local network and other networks (including the INTERNET and various LANs), between local workstations and the server, and between local workstations is detected and filtered by the server, ensuring real-time prevention, detection and removal of network viruses. Its common features are as follows:

1 Continuous scanning

2 Powerful virus detection

Can detect most known viruses and a certain number of unknown viruses.

3 Powerful network management

4 Powerful scanning logs and reports

Tracks and records all virus activity on the network over a specified period and provides scanning reports, scanning logs and other reports.

5 Automatic Alarm Function

An alarm can be generated immediately when a virus is detected to notify the administrator, and the source of the virus can be traced.

6 Ability to check and disarm viruses residing in memory

7 Strong ability to scan packed and compressed files for viruses

8 Fast upgrade

9 Can be configured by the user as needed

10 Provides a friendly help system and virus information material