Security, Data Protection and Antivirus Software

Security Software TestingAccording to the survey of the day by day the company and software solution provider increase the software security for protection beside enemy and hacker and also enhanced their software virus strength and version for capture the client valuable data. For safety of the external attack on the system and software to destroy the application and data; antivirus software is more necessary. Precise testing solution has highly experience software tester team they have great experience of antivirus software testing. In our testing we divide the antivirus software into these categories.

Antivirus Types

There are a number of antivirus applications. And obviously, to perform antivirus compatibility testing, you should know main principles of their work.

By the basic principle of work, we can divide all the antivirus products into 5 types:

  • Scanners
  • Monitors
  • Auditors
  • Immunizers
  • Analyzers of Behavior

The modern antivirus software product can include a combination of the components of these types and also some additional security elements: firewall, mail protection, etc.

Scanners

Scanners are present almost in each antivirus. Such anti viruses perform the check of files and sectors in memory or on the hard drive by the user or system request. The check consists in comparing the file or segment contents with the certain masks – specific parts of the malware code, which are stored in the virus signatures. If the virus is still unregistered, or doesn’t have the constant mask (polymorphism), or its mask merges with the common application code, than other threat detection techniques are used. Algorithmization method is applied to track all the variants of code that can generate a virus. Heuristic analysis method includes the analysis of the object code command sequence and statistics gathering; using these data the antivirus decides if an object is infected or no. Using such analyzer, one should remember that it can produce false infection reports.

Resident monitors

Resident monitors, work like scanners, but unlike them, permanently reside in the RAM and automatically check all files to be opened or closed – to block the start of the infected file or its modification, if it was infected during its usage. We can mention file, mail and specific monitors for applications. When working, the file monitors is registering as the autorun system service that starts at system start for any user, integrates to the file system driver and check the objects that interact with these files. (As we know, opening or closing of the file requires file system call and thus, file system driver call). Other monitors integrate into the mail program or other applications; check all the objects they use, even if they are just stored in RAM. These monitors reside in the computer memory only when the corresponding application is running.

Auditors

Auditors of changes proceed not from the image of virus, but from the image of the no infected file or sector. Auditor gathers and stores the information about all files and sectors in the system. Usually these data include CRC sums, file size, last modification date, etc. Then auditor, by request, compares the actual file state with the one registered before, and thus detects all suspicious changes – like those that malware generates. Modern auditors can call the file via file system driver – thus avoiding the “masking” of the infected file with its clean prototype.

Immunizers

Immunizers are almost out of use now a days. They add some specific code to the file content to block file infection or at least detect infection if it is already present. To block, the specific signature is added to the file so that a virus thinks that it is already infected and does not touch its “congener”. To detect the infection, antivirus adds a specific code at the end of the file, and this code automatically checks the content for the suspicious changes at file opening, and if something is wrong, notifies user. The viruses, which mask and imitate clear file prototype, meanwhile, infect all the files they can reach (without checking them) and so they can easily overcome this protection. That is why immunizers nowadays are used very rarely and in some special occasions.

Analyzers of behavior

Analyzers of behavior intercept and analyze the events, produced by the application, and if an action is considered as a suspicious one, analyzer blocks it or asks user for explicit permission. The suspicious actions can be classified by user, or they can be described inside the AI of the antivirus. In the former case, the administrator must know all the nuances and aspects of the system and internal processes. In the latter, AI makes a decision, basing on its internal logic and knowledge. At the moment, the AI is not so perfect, so such blockers are not used for the whole file system, only for the specific applications with specific file types – in this case, the antivirus has enough information about which actions are normal, and which are not. This is the way how the anti viruses detect marco-viruses in the MS Office, Autocad, mail and some other applications.

Well-known specialties and nuances of the antivirus software

Linux antiviruses

There are versions of antiviruses for Linux for quite a long time already. They are produced by the same companies, which produce Windows-versions – Avira, AVG, Panda, etc. But nevertheless, Linux antiviruses are not so widespread at the moment, so compatibility testing with them is not of high priority. Anyway, tester should take into consideration that the antivirus for any system can provoke bugs.

Virus signature database and update

Virus signature database and update. The most of the antivirus products includes virus signature database, which they use for checking files in the system. To accelerate analysis, this database is entirely loaded to the RAM during scanning, and moreover, it is actively used. If antivirus resides in the system (like monitor), this database constantly resides in RAM (or in the swap file), and can be quickly invoked at each system check request.

To work properly, the program kernel and signature database need permanent update. Usually, it is performed automatically and user is just notified about the results. To perform update, the program establishes Internet-connection, sends requests for the new files and receives necessary data. Frequently, update supposes installation with some services restart and system settings change. That is why the installation of the other applications can cause problems: the system can forbid simultaneous installation of two programs, or the action of two installers can prevent each other.

Monitors of Web and mail traffic

Monitors of Web and mail traffic. These applications check all the incoming traffic from the Internet in real-time – in RAM, before it is written to the hard drive. Web-monitor also can connect to the server and get information about the potentially dangerous sites, and then block access to them just after the request is sent from the browser. The common implementation of these mechanisms is services that start in the name of the system and integrate directly to the browser of mail application.

Specific scanning modes

Specific scanning modes. Some versions of the Dr.Web, Eset and probably some other antiviruses include the option of “enhanced scanning” that can use various approaches: it can block user desktop, block any settings and antivirus file changes, or block all network traffic. Surely, the antivirus product will show a warning about what is going to happen, but it won’t prevent the bad consequences. Users complain frequently about these scanning modes as they limit dramatically the user possibilities or consume too many resources, that is why they are not widespread yet, and anyway these problems are antivirus problems.

Cure and remove

Cure and remove While curing, antivirus removes harmful pieces of code or restore the previous clean file version – so we can preserve the file. But the most of the modern malware make irretrievable changes to the files, so it’s impossible to use it then. In this case, this file is blocked or deleted. One should remember that the antivirus doesn’t care – it can block any file, even the one that is essential for the system or application functioning.

Self-protection

Self-protection is a counter measure against malware trying to prevent the work of the antivirus program. Almost all interference to the antivirus configuration or its files are blocked – to perform some changes user must enter the password and captcha for authorization. One should remember that the self-protection mechanism uses its proper driver, which can be really unfriendly to the rest of the applications.

Firewall

Firewall is usually included to the products of the «security suite» or «internet security» type, which are the universal security products consisting of more than 5 components. Firewall controls the activity at the network ports and the way applications use them. It can block partially or completely user access to the network, it its security policy requires it. Also firewall gathers the network statistics and prevents network attacks.