UCSB Science Line
How does a virus protection program detect the virus?
Question Date: 2002-02-01
Answer 1:

Most viruses get caught because the antivirus scanner searches all files for patterns unique to each particular virus. The programs stored on your computer (the executable files, usually with names ending in .exe) are just long strings of 0's and 1's which encode the many small instructions that make up the program.

A virus reproduces by inserting its own program into executable files or into the disk's boot sector (a part of the disk which is always loaded automatically). Next time you run that program, you also run the virus.

Any sufficiently long string of 0's and 1's can be a "fingerprint" for a particular program because it is very unlikely that a different, randomly selected program will just happen to have the same long sequence of instructions represented by the 0's and 1's. Since most viruses copy themselves verbatim when they reproduce, they are easily caught by a program which scans all executable files for fingerprints of known viruses. If you don't frequently download new fingerprints for your virus scanner, freshly written viruses will be able to sneak by.

Email viruses try to trick you into running a program attached to an email. If you don't click on the attachment and run the program, the virus cannot be activated, even if the attachment is already stored on your computer.

Some email viruses are "macros", which are small programs giving instructions to an application such as a word processor, spreadsheet, etc. The macros hide in files for the applications (names ending in .doc, .xls, etc.), which are not executable files because they cannot be run independently, but must be loaded by the applications. Macros are supposed to make the application more automatic and convenient, but they can also take advantage of the application's security flaws and spread viruses. Email viruses and macro viruses can be detected by the fingerprint method.

Some clever hackers make reshuffling viruses, which easily evade fingerprinting because they shuffle their program's instructions every time they reproduce. Each instruction is followed by a memory jump to the next instruction, so instructions in the executable file can be written in random order, but they will still be called in the correct order. Memory jumps are common in all programs, and all instructions are very simple and common, like Lego pieces. Scanning an executable file only tells you what pieces are there, but those pieces could be used to build many different machines. It is impossible to write a program which determines what all other programs do without actually running them. So, by reshuffling the instructions and the memory jumps every time it spawns, the virus escapes fingerprinting and blends in with the harmless programs. To add nastiness, a virus could also mutate: make occasional random changes to its program, in addition to reshuffling. Not only would it escape fingerprinting, but it would also EVOLVE and slowly become more powerful with each generation. As far as I know, there are (thankfully) no mutating viruses out there.

Virus scanners can smell reshuffling viruses by looking for general suspicious behavior such as writing to the boot sector, overwriting system files, odd changes in file size and date of last access, etc. The scanners would not be able to spot the reshuffling virus, but they might be able to give you clues about where it hides. The hackers fight back by writing "stealth" viruses that cover their tracks, disable the virus scanner, or even sneak into programs at software companies, so that the viruses are shipped on every CD. There's really no way to be absolutely certain that your computer isn't infected.


Answer 2:

It carefully opens and reads the file suspected of containing a virus and then compares each part of it to a list of known viruses. If part of the file is the same as one of the viruses on the list, then it is detected.
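Both answers above describe fingerprint (signature) scanning, and Answer 1 goes on to explain why a reshuffling virus escapes it and how heuristics for suspicious behaviour (such as writing to the boot sector) can still flag it. The Python model below is added here as an illustration; it is not part of either answer and is not real malware. It works on a made-up token "instruction set" (constructed, not real machine code): a virus that copies itself verbatim, a variant that writes the same instructions in random order linked by jumps, a byte-pattern scanner that catches the first and misses the second, and a heuristic scanner that flags both. It also goes one step beyond the answers: normalize() follows the jump chain back into execution order so the fingerprint matches again, which is one way a scanner can still use fingerprints against a permutation-only virus. The virus name ToyVirus.A, the token names and the SUSPICIOUS list are all assumptions made for the example.

```python
"""Toy antivirus model (constructed example): fingerprint scanning, a
reshuffling virus that evades it, a behaviour heuristic, and a normalizer."""
import random
from typing import Dict, List, Optional, Tuple

# Toy instruction set: a program is a ';'-separated string of ASCII tokens.
# A token may carry a label ("L3:INSTR") and "JMP <label>" transfers control.
VIRUS_BODY = ["OPEN_EXE", "READ_SELF", "APPEND_SELF",
              "WRITE_BOOT_SECTOR", "CLOSE", "RUN_HOST"]      # assumed virus
HOST_PROGRAM = ["READ_INPUT", "ADD", "MUL", "PRINT", "EXIT"]  # assumed host


def assemble(instrs: List[str]) -> bytes:
    return ";".join(instrs).encode()


# Fingerprint database: the exact byte string of the virus body as first seen.
SIGNATURES: Dict[str, bytes] = {"ToyVirus.A": assemble(VIRUS_BODY)}

# Behaviour heuristics: operations an ordinary program has no reason to do.
SUSPICIOUS = {"WRITE_BOOT_SECTOR", "APPEND_SELF", "OVERWRITE_SYSTEM_FILE"}


def infect_verbatim(host: List[str]) -> bytes:
    """A virus that copies itself unchanged, appended after the host's code."""
    return assemble(host + VIRUS_BODY)


def infect_reshuffled(host: List[str], seed: int = 2002) -> bytes:
    """A 'reshuffling' virus: every instruction gets a label and a JMP to the
    next one, and the labelled blocks are written out in random order. The
    execution order is unchanged; the byte order the scanner sees is not."""
    rng = random.Random(seed)
    n = len(VIRUS_BODY)
    order = list(range(n))
    rng.shuffle(order)
    blocks: List[str] = []
    for i in order:
        blocks.append(f"L{i}:{VIRUS_BODY[i]}")
        blocks.append(f"JMP L{i + 1}" if i + 1 < n else "JMP HOST")
    return assemble(host + blocks)


def signature_scan(program: bytes) -> List[str]:
    """Report every known fingerprint that occurs verbatim in the file bytes."""
    return [name for name, sig in SIGNATURES.items() if sig in program]


def heuristic_scan(program: bytes) -> List[str]:
    """Report suspicious operations wherever they sit in the file."""
    found = []
    for tok in program.decode().split(";"):
        instr = tok.split(":", 1)[1] if ":" in tok else tok  # drop any label
        if instr in SUSPICIOUS:
            found.append(instr)
    return sorted(found)


def normalize(program: bytes) -> bytes:
    """Undo the reshuffling: follow the jump chain from L0 and lay the labelled
    blocks out in execution order, so a fingerprint scan works again.
    Unlabelled tokens are kept as-is; unknown targets or loops end the chain."""
    tokens = program.decode().split(";")
    blocks: Dict[str, Tuple[str, Optional[str]]] = {}
    plain: List[str] = []
    i = 0
    while i < len(tokens):
        tok = tokens[i]
        if ":" in tok:
            label, instr = tok.split(":", 1)
            nxt = tokens[i + 1] if i + 1 < len(tokens) else ""
            target = nxt[4:] if nxt.startswith("JMP ") else None
            blocks[label] = (instr, target)
            i += 2                      # skip the JMP that follows the block
        else:
            plain.append(tok)
            i += 1
    chain: List[str] = []
    label: Optional[str] = "L0"
    seen = set()
    while label in blocks and label not in seen:
        seen.add(label)
        instr, label = blocks[label]
        chain.append(instr)
    return assemble(plain + chain)


if __name__ == "__main__":
    samples = [("clean host", assemble(HOST_PROGRAM)),
               ("verbatim infection", infect_verbatim(HOST_PROGRAM)),
               ("reshuffled infection", infect_reshuffled(HOST_PROGRAM))]
    for name, sample in samples:
        print(f"{name:22s} fingerprint={signature_scan(sample)} "
              f"after normalize={signature_scan(normalize(sample))} "
              f"heuristic={heuristic_scan(sample)}")
```

Running it shows the three cases side by side: the clean host triggers nothing, the verbatim copy is caught by its fingerprint, and the reshuffled copy is missed by the raw fingerprint scan but flagged by the heuristic and, once normalized, by the fingerprint as well. A virus that also mutates individual instructions (the "evolving" variant Answer 1 speculates about) would defeat normalize() too, which is why the heuristic, rather than any fixed byte pattern, is the scanner's last line of defence in this model.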




This program is co-sponsored by the National Science Foundation and UCSB School-University Partnerships