Antivirus monitor. Types of anti-virus protection or how computer viruses win? Embedding antiviruses in computer bios

The most common and effective antivirus programs are antiviruses that work on the principle of scanners, monitors and auditors. Various types of blockers and immunizers are also used.

1. Antivirus scanners

Scanners are able to detect a fixed set of known computer viruses in system memory, files and sectors, and then remove most of them.

Scanners search for viruses using so-called "masks" - a constant code sequence inherent in a particular virus. If the virus does not have a permanent mask, then other methods are used to identify such viruses (polymorphic viruses), for example, a description of all possible variants of the virus program code is made in an algorithmic language.

Many popular scanners: Doctor Web, Kaspersky Anti-Virus, Norton Antivirus, McAfee, Panda Antivirus, AntiVir Personal Edition and others use heuristic scanning mode.

Heuristic scanning- This is a virus scan method that allows you to identify viruses unknown to the program, but at the same time, the number of false positives of the anti-virus program (messages about viruses found in files where they actually do not exist) increases.

Many anti-virus scanners can be classified as so-called antiviral tablets– special programs aimed at searching for a certain type or family of viruses, such as Trojans, macro viruses, etc. (for example, Anti-Trojan, Trojan Remover). It should be noted that the use of special scanners designed only for macro viruses is sometimes a more reliable and convenient anti-virus solution for protecting MS Excel and Word documents.

Scanner Disadvantages: they cover only a part of known computer viruses and require constant updating of anti-virus databases via the Internet. Given the speed of the emergence of new viruses and their short life cycle, to use scanners, you must update the anti-virus databases at least once or twice a week. If this is not done, then the effectiveness of scanners is significantly reduced.

2. Antivirus monitors

Monitors- this is a kind of scanners that, constantly being in the computer's memory, track virus-like situations that occur with the disk and memory, i.e. perform continuous monitoring of computer-executed processes.

An example of such antiviruses is Kaspersky Anti-Virus or SpIDer Guard.

Monitor Disadvantages A: They may conflict with other software. Like scanners, the effectiveness of monitors depends on the frequency of updating anti-virus databases. In addition, the use of monitors does not provide 100% protection, because. there are viruses that can deceive and bypass the protection of monitors.

3. Antivirus auditors

auditors- These are programs that work on the principle of calculating checksums (CRC-sums) for files stored on disk and system sectors.

An example of such an antivirus is the ADinf32 program, which calculates checksums and saves them in the database of some antivirus program. Auditors are able to timely detect infected files on a computer with almost any antivirus, preventing a critical situation.

Advantages of the auditor: high checking speed system files.

Auditor's shortcomings: The program must be running all the time while the computer is on.

4. Antivirus blockers

Blockers are programs that monitor and intercept dangerous situations, such as opening or closing executable files. By the way, the marked events are typical for viruses at the moments of their reproduction.

Advantages of blockers: they are able to detect the virus at the initial stage of its spread.

Disadvantages of blockers: false positives, some viruses can bypass blocker protection.

Exists Class antivirus programs , which are constantly in random access memory computer , and track all suspicious activities performed by other programs .

Such programs are called filters , resident monitors or watchmen.

Filter programs also called resident watchmen and resident monitors , are constantly in RAM and intercept the specified interrupts in order to suspicious activity control . At the same time, they can block "dangerous" actions or issue a request to the user.

The actions to be controlled may be the following:

modification of the master boot record (MBR) and boot records of logical disks and GMD,

writing to an absolute address,

low-level disk formatting,

leaving the resident module in the RAM, etc.

Like auditors , filters are often "intrusive" and create certain inconveniences in the user's work.

Resident Monitor will tell the user if any program tries to:

change boot hard disk or floppy disk, executable file;

leave the resident module in RAM, etc.

Resident monitors control the following operations :

record, update program files and system area of ​​disks;

disk formatting;

resident placement of programs in RAM .

This will prompt you to allow or deny this action.

The principle of operation of these programs is based on interception of the corresponding interrupt vectors.

Majority resident monitors allow you to automatically check all running programs for infection with known viruses, i.e. perform scanner features . Such a check will take some time and the process of loading the program will slow down, but you will be sure that known viruses will not be able to activate on your computer.

To the advantage of programs of this class in comparison with programs-detectors can be attributed universality in relation to both known and unknown viruses, while detectors are written for specific types known to the programmer at the moment.

This is especially true now, when many mutant viruses have appeared that do not have a permanent code.

However, filter programs cannot track:

viruses that communicate directly with BIOS,

as well as BOOT viruses, activated even before the antivirus is launched, at the initial stage of loading DOS.

In the same time, resident monitors have a lot of shortcomings that make this class of programs unusable .

Many programs, even those that do not contain viruses, can perform actions that resident monitors respond to.

For example, ordinary the LABEL command changes the data in the boot sector and triggers the monitor.

Therefore, the user's work will be constantly interrupted by annoying antivirus messages. In addition, the user will have to decide each time whether this operation is caused by a virus or not. As practice shows, sooner or later the user turns off the resident monitor.

Disadvantage of resident monitors is also that they must be constantly loaded into RAM and therefore reduce the amount of memory available to other programs.

The MS-DOS operating system already includes the VSafe resident anti-virus monitor.

When installing some resident antivirus monitors there may be conflicts with other resident programs using the same interrupts that simply stop working.

Today, more than ever, antivirus software is not only the most demanded in the security system of any "OS", but also one of its main components. And if earlier the user had a very limited, modest choice, now there are a lot of such programs. But if you look at the list of "Top 10 antiviruses", you will notice that not all of them are equal in terms of functionality. Consider the most popular packages. At the same time, the analysis will include both paid and shareware (anti-virus for 30 days), and freely distributed applications. But first things first.

Top 10 Antiviruses for Windows: Testing Criteria

Before proceeding with the compilation of a certain rating, perhaps, you should familiarize yourself with the main criteria that in most cases are used when testing such software.

Naturally, it is simply impossible to consider all known packages. However, among all those designed to protect a computer system in the broadest sense, the most popular ones can be distinguished. At the same time, we will take into account both the official ratings of independent laboratories and the reviews of users who use this or that software product in practice. In addition, mobile programs will not be affected, we will focus on stationary systems.

As for the conduct of basic tests, as a rule, they include several main aspects:

• availability of paid and free versions and restrictions related to functionality;
• regular scan speed;
• the speed of identifying potential threats and the ability to remove or isolate them in quarantine using built-in algorithms;
• frequency of updating anti-virus databases;
• self-defense and reliability;
• availability of additional features.

As you can see from the above list, checking the operation of antivirus software allows you to determine the strengths and weaknesses of a particular product. Next, I will consider the most popular software packages included in the Top 10 antiviruses, and also give their main characteristics, of course, taking into account the opinions of people who use them in their daily work.

Kaspersky Lab software products

To begin with, let's consider the software modules developed by Kaspersky Lab, which are extremely popular in the post-Soviet space.

It is impossible to single out any one program here, because among them you can find a regular scanner of Kaspersky Antivirus, and modules like Internet Security, and portable utilities like Virus Removal Tool, and even boot disks for corrupted Rescue Disc systems.

Immediately it is worth noting two main disadvantages: firstly, judging by the reviews, almost all programs, with rare exceptions, are paid or shareware, and secondly, system requirements are unreasonably high, which makes it impossible to use them in relatively weak configurations. Naturally, this scares off many ordinary users, although activation keys for Kaspersky Antivirus or Internet Security can easily be found on the World Wide Web.

On the other hand, the situation with activation can be corrected in another way. For example, Kaspersky keys can be generated using special applications like Key Manager. True, this approach is, to put it mildly, illegal, however, as a way out, it is used by many users.

The speed of work on modern machines is average (for some reason, more and more heavy versions are created for new configurations), but constantly updated databases, the uniqueness of technologies for detecting and removing known viruses and potentially dangerous programs are on top here. It is not surprising that Kapersky Lab is today a leader among developers of security software.

And two more words about the recovery disk. It is unique in its own way, because it loads a scanner with a graphical interface even before the start of Windows itself, allowing you to remove threats even from RAM.

The same goes for the portable Virus utility. Removal Tool, capable of tracking down any threat on an infected terminal. It can only be compared with a similar utility from Dr. Web.

Protection from Dr. web

Before us is another of their strongest representatives in the field of security - the famous "Doctor Web", who stood at the origins of the creation of all anti-virus software from time immemorial.

Among the huge number of programs, you can also find regular scanners, and protection tools for Internet surfing, and portable utilities, and recovery disks. You can't list everything.

The main factor in favor of the software of this developer can be called high speed, instant detection of threats with the ability to either complete removal, or isolation, as well as a moderate load on the system as a whole. In general, from the point of view of most users, this is a kind of lightweight version of Kaspersky. there is still something interesting here. In particular, this is Dr. web katana. It is believed that this is a new generation software product. It is focused on the use of "sand" technologies, i.e. placing a threat in the "cloud" or "sandbox" (whatever you want to call it) for analysis before it penetrates the system. However, if you look, there are no special innovations here, because this technique was used in the free Panda antivirus. In addition, according to many users, Dr. Web Katana is a kind of Security Space with the same technologies. However, speaking in general, any software from this developer is quite stable and powerful. It is not surprising that many users prefer just such packages.

ESET software

Speaking about the Top 10 antiviruses, one cannot fail to mention another brightest representative of this area - ESET, which became famous for such a well-known product as NOD32. A little later, the ESET module was born smart security.

If we consider these programs, we can note an interesting point. To activate the full functionality of any package, you can do two things. On the one hand, this is the acquisition of an official license. On the other hand, you can install trial antivirus free, but activate it every 30 days. With activation, too, an interesting situation.

As noted by absolutely all users, for ESET Smart Security (or for a regular antivirus) on the official website, one could find freely distributed keys in the form of a login and password. Until recently, only this data could be used. Now the process has become somewhat more complicated: first you need a login and password on a special site, convert it into a license number, and only then enter it in the registration field already in the program itself. However, if you do not pay attention to such trifles, it can be noted that this antivirus is one of the best. Benefits reported by users:

• virus signature databases are updated several times a day,
• definition of threats at the highest level,
• there are no conflicts with system components (firewall),
• the package has the strongest self-protection,
• no false alarms, etc.

Separately, it is worth noting that the load on the system is minimal, and the use of the Anti-Theft module even allows you to protect data from theft or misuse for personal gain.

AVG Antivirus

AVG Antivirus is paid software designed to provide comprehensive security for computer systems (there is also a free truncated version). And although today this package is no longer among the top five, nevertheless, it demonstrates a fairly high speed and stability.

Basically, it is ideal for home use, because, in addition to the speed of work, it has a convenient Russified interface and more or less stable behavior. True, as some users note, sometimes it is able to skip threats. And this does not apply to viruses as such, but rather to spyware or advertising junk called Malware and Adware. The program's own module, although widely advertised, still, according to users, looks somewhat unfinished. Yes, and an additional firewall can often cause conflicts with the "native" Windows firewall if both modules are in the active state.

Avira package

Avira is another member of the antivirus family. Fundamentally, it does not differ from most similar packages. However, if you read user reviews about it, you can find quite interesting posts.

Many in no case recommend using the free version, since some modules are simply missing in it. To ensure reliable protection, you will have to purchase a paid product. But such an antivirus is suitable for the 8th and 10th versions, in which the system itself uses a lot of resources, and the package uses them at the lowest level. In principle, Avira is best suited, say, for budget laptops and weak computers. On a network installation, however, there can be no question.

Cloud service Panda Cloud

Free at one time became almost a revolution in the field of antivirus technology. The use of the so-called "sandbox" to send suspicious content for analysis before it enters the system has made this application especially popular among users of all levels.

And it is with the "sandbox" that this antivirus is associated today. Yes, indeed, this technology, unlike other programs, allows you to keep the threat out of the system. For example, any virus first saves its body on the hard drive or in RAM, and only then begins its activity. Here, the matter does not come to preservation. First, a suspicious file is sent to the cloud service, where it is checked, and only then can it be saved in the system. True, according to eyewitnesses, alas, this can take quite a lot of time and unnecessarily heavily loads the system. On the other hand, here it is worth asking yourself what is more important: security or increased scan time? However, for modern computer configurations with an Internet connection speed of 100 Mbps or higher, it can be used without problems. By the way, its own protection is provided precisely through the "cloud", which sometimes causes criticism.

Scanner Avast Pro Antivirus

Now a few words about another bright representative. It is quite popular with many users, however, despite the presence of the same “sandbox”, anti-spyware, network scanner, firewall and virtual cabinet, unfortunately, Avast Pro Antivirus is in terms of the main indicators of performance, functionality and reliability clearly loses to such giants as software products Kaspersky Labs or applications using Bitdefender technologies, although it demonstrates high scanning speed and low resource consumption.

Users in these products are attracted mainly by the fact that free version package is as functional as possible and does not differ much from paid software. In addition, this antivirus works on all Windows versions, including the "top ten", and behaves perfectly even on outdated machines.

360 Security Packages

Before us is probably one of the fastest antiviruses of our time - 360 Security, developed by Chinese specialists. In general, all products labeled "360" are distinguished by an enviable speed of work (the same Internet browser 360 Safety Browser).

Despite the main purpose, the program has additional modules for eliminating operating system vulnerabilities and optimizing it. But neither the speed of work nor the free distribution can be compared with false alarms. In the list of programs that have the highest indicators for this criterion, this software occupies one of the first places. According to many experts, conflicts arise at the system level due to additional optimizers, the action of which intersects with the tasks of the OS itself.

Software products based on Bitdefender technologies

Another "old man" among the most famous defenders of "OSes" is Bitdefender. Unfortunately, in 2015 he lost the palm to Kaspersky Lab products, nevertheless, in the antivirus fashion, so to speak, he is one of the trendsetters.

If you look a little more closely, you can see that many modern programs (the same 360 ​​Security package) in different variations are made on the basis of these technologies. Despite the rich functional base, it also has its shortcomings. Firstly, you will not find the Russian antivirus (Russified) Bitdefender, since it does not exist in nature at all. Secondly, despite the use of the latest technological developments in terms of system protection, alas, it shows too high a number of false positives (by the way, according to experts, this is typical for the entire group of programs created on the basis of Bitdefender). The presence of additional optimizer components and your own firewalls generally affects the behavior of such antiviruses not for the better. But you can't refuse the speed of this application. In addition, P2P is used for verification, but real-time email verification is completely absent, which many do not like.

Antivirus from Microsoft

Another app that scores enviably well with and without reason is Microsoft's own product called Security Essentials.

This package is included in the Top 10 antiviruses, apparently, only because it was developed exclusively for Windows systems, which means that it does not cause absolutely no conflicts at the system level. Besides, who, if not specialists from Microsoft, should know all the security holes and vulnerabilities of their own operating systems. By the way, it is interesting that the initial Windows builds 7 and Windows 8 in basic configuration had MSE, but then for some reason this kit was abandoned. However, it is for Windows that it can become the simplest solution in terms of protection, although you can’t count on special functionality.

McAfee app

As for this application, it looks quite interesting. True, it earned the greatest popularity in the field of application on mobile devices with all kinds of blocking, however, on stationary computers, this antivirus behaves no worse.

The program has low-level support for P2P networks when sharing Instant Messenger files, and also offers 2-level protection, in which the main role is assigned to the WormStopper and ScriptStopper modules. But in general, according to consumers, the functional set is at an average level, and the program itself is more focused on detecting spyware, computer worms and Trojans and preventing executable scripts or malicious codes from entering the system.

Combined antiviruses and optimizers

Naturally, only those included in the Top 10 antiviruses were considered here. If we talk about the rest of the software of this kind, we can note some packages that contain anti-virus modules in their sets.

What to prefer?

Naturally, all antiviruses have certain similarities and differences. What to install? Here you need to proceed from the needs and the level of protection provided. Usually, to corporative clients it is worth buying something more powerful with the ability network installation(Kaspersky, Dr. Web, ESET). As for home use, here the user himself chooses what he needs (if desired, you can even find an antivirus for a year - without registration or purchase). But, if you look at user reviews, it is better to install Panda Cloud, even with some additional system load and sandboxing time. But it is here that there is a full guarantee that the threat will not penetrate the system in any way. However, everyone is free to choose what he needs. If activation does not make it difficult, please: ESET products work fine in home systems. But using optimizers with anti-virus modules as the main means of protection is highly undesirable. Well, it’s also impossible to say which program takes the first place: how many users, so many opinions.

This is a malicious program that belongs to the class of fake anti-spyware programs, because it detects non-existent infected files and Trojans on the computer, shows a large number of a variety of warnings, and in addition, it makes it difficult to work normally with the computer, blocking the launch of most programs. Antivirus Monitor is an update of a previously introduced malware named AntiMalware GO and infiltrates the computer mainly through Trojans. These Trojans infect the computer through a variety of vulnerabilities in installed programs(Internet Explorer, Adobe Acrobar Reader, Adobe Flash Player and etc.). In addition, Antivirus Monitor can get on the computer under the guise of other programs. So be careful what you download from the network and then run on your computer!

Spyware alert
Application cannot be executed. The file rundll32.exe is
infected.
Do you want to activate your antivirus software now?

Windows security alert
Windows reports that computer is infected. Antivirus software
helps to protect your computer against viruses and other
security threats. Click here for the scan your computer. Your
system might be at risk now.

In addition, Antivirus Monitor can block the launch of any program, while reporting that the file being launched is infected with a dangerous virus or trojan. An example of such a message is below:

Application cannot be executed. The file (program name) is infected.
Do you want to activate your antivirus software now.

But that's not all, this malware also changes the settings of installed browsers (proxy server settings), due to which access to any site can be blocked. Instead, a page will be displayed with a message that the site you are visiting is not safe and can damage your computer. Remember, all these messages and warnings are fake and how scan results should be ignored!

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:(random numbers)
O4 - HKLM\..\Run: [(random letter set)] %Temp%\(random letter set)\(random letter set).exe
O4 - HKCU\..\Run: [(random letter set)] %Temp%\(random letter set)\(random letter set).exe

How to remove Antivirus Monitor

Restart your computer. After your computer beeps briefly, press the F8 key. A menu will appear in front of you. Windows boot as shown below.

Choose Safe Boot Mode network drivers(Safe Mode with networking) - the second line and press Enter. More about working in safe mode you can read in the article -.

Step 2: Restore Internet Explorer

Launch Internet Explorer. Click Tools and select Internet Options as shown below:

You will see a window as shown in the picture below:

Here, open the Connections tab and click on the "LAN settings" button in it. You will be shown the current settings local network.

Uncheck the box next to "Use a proxy server for LAN connections". Click OK to save the settings and click OK again to close the Internet Explorer settings window.

Step 3: Removing Antivirus Monitor from Autorun

Once you have found Antivirus Monitor on your computer, then this is a reason to think about whether everything is fine with your anti-virus and anti-spyware protection, whether the programs have been updated to the latest versions. First of all, pay attention to the fact that you have automatic windows update and all available updates are already installed. If you are not sure, then you need to visit the Windows Update site, where they will tell you how and what to update in Windows. In addition, be sure to check that you have installed latest versions following programs: Java JRE, Adobe Acrobat Reader, Adobe Flash Player. If this is not the case, then be sure to update them. In addition, I advise you to purchase the full version of Malwarebytes Anti-malware, which will help you protect your computer from possible infection in the future. The main difference between the full version and the free version is the presence of a real-time computer protection module. To purchase, go to the following link: Full version of Malwarebytes Anti-malware .

Registry keys associated with Antivirus Monitor

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\PhishingFilter | "Enabled" = "0"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings | “ProxyOverride” = “”
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings | "ProxyServer" = "http=127.0.0.1:11415"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings | "ProxyEnable" = "1"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | (a set of random letters)
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run | (a set of random letters)

Files and directories associated with Antivirus Monitor

%Temp%\(a set of random letters)\
%Temp%\(set of random letters)\(set of random letters).exe

Alexander Frolov, Grigory Frolov

alexandre @frolov .pp .ru ; http://www.frolov.pp.ru, http://www.datarecovery.ru

In the previous article on anti-virus protection, we looked at the main types of viruses and how they spread. Now, based on this knowledge, we will deal with protection against viruses, Trojans and other malicious programs. We will talk about the software, hardware and administrative and technological solutions and measures necessary to reduce the risk of a virus infection and reduce harm, if such an infection has already occurred.

Software and hardware methods for detecting viruses

Anti-virus programs have been and remain the main means of combating viruses. You can use antivirus programs (antiviruses) without having an idea of ​​how they work. However, without understanding the principles of the antivirus device, knowing the types of viruses, as well as how they spread, it is impossible to organize reliable computer protection. As a result, a computer can be infected even if antiviruses are installed on it.

Today, several fundamental methods for detecting and protecting against viruses are used:

scanning;

heuristic analysis;

use of anti-virus monitors;

detection of changes;

use of antiviruses built into the BIOS of the computer.

In addition, almost all anti-virus programs provide automatic recovery infected programs and boot sectors. Of course, if possible.

Scanning

The simplest virus-scanning technique is for the anti-virus program to sequentially scan the files it checks for signatures of known viruses. A signature is a unique sequence of bytes that belongs to a virus and is not found in other programs.

Antivirus scanners can only find known and studied viruses for which a signature has been determined. The use of simple scanner programs does not protect your computer from the penetration of new viruses.

For encrypted and polymorphic viruses capable of completely changing their code upon infection new program or boot sector, the signature cannot be extracted. Therefore, simple anti-virus scanners cannot detect polymorphic viruses.

Heuristic analysis

Heuristic analysis allows you to detect previously unknown viruses, and for this you do not need to first collect data about the file system, as required, for example, by the change detection method discussed below.

Anti-virus programs that implement the heuristic analysis method scan programs and boot sectors disks and floppy disks, trying to detect in them a code characteristic of viruses. The heuristic analyzer can detect, for example, that the program under test installs a resident module in memory or writes data to the program's executable file.

Almost all modern anti-virus programs implement their own methods of heuristic analysis. On fig. 1 we showed one of these programs - the McAffee VirusScan scanner, launched manually for anti-virus scanning of the disk.

Rice. 1. McAffee VirusScan scans the drive

When an antivirus detects an infected file, it usually displays a message on the monitor screen and makes an entry in its own or system log. Depending on the settings, the antivirus can also send a message about a detected virus to the network administrator.

If possible, the antivirus disinfects the file by restoring its contents. Otherwise, only one option is offered - delete the infected file and then restore it from backup(unless, of course, you have one).

Antivirus monitors

There is still whole class anti-virus programs that are constantly in the computer's memory and monitor all suspicious activities performed by other programs. Such programs are called anti-virus monitors or watchmen.

The monitor automatically checks all running programs, created, opened and saved documents, program and document files received via the Internet or copied to HDD from floppy disk and CD. The antivirus monitor will notify the user if any program tries to perform a potentially dangerous action.

One of the most advanced Doctor Web scanners (Fig. 2) developed by Igor Danilov (http ://www .drweb .ru ) includes Spider Guard, which acts as an anti-virus monitor.

Rice. 2. Doctor Web Scanner

Change detection

When a virus infects a computer, it changes the content hard drive, for example, appends its code to a program or document file, adds a virus program call to the AUTOEXEC.BAT file, changes the boot sector, and creates a companion file. Such changes, however, are not made by “incorporeal” viruses that live not on the disk, but in the memory of OS processes.

Anti-virus programs, called disk auditors, do not scan for viruses by signatures. They first remember the characteristics of all areas of the disk that are attacked by the virus, and then periodically check them (hence the name of the program-auditors). The auditor can find changes made by a known or unknown virus.

As examples of disk auditors, we can cite the Advanced Diskinfoscope (ADinf) program developed by DialogNauka CJSC (http ://www .dials .ru , http ://www .adinf .ru ) and the AVP Inspector auditor manufactured by Kaspersky Lab CJSC » (http://www.kaspersky.ru).

Together with ADinf, the ADinf Cure Module (ADinfExt) is used, which uses previously collected information about files to recover them after being infected by unknown viruses. The AVP Inspector also includes a disinfection module that can remove viruses.

Protection built into the computer's BIOS

The simplest means of protecting against viruses are also built into the motherboards of computers. These tools allow you to control all access to the master boot record. hard drives, as well as to the boot sectors of disks and floppy disks. If any program tries to change the contents of the boot sectors, protection is triggered and the user receives a corresponding warning.

However, this protection is not very reliable. There are viruses (for example, Tchechen.1912 and 1914) that try to disable BIOS anti-virus control by changing some cells in the computer's non-volatile memory (CMOS memory).

Features of protecting the corporate intranet

A corporate intranet can include hundreds or thousands of computers that act as workstations and servers. This network is typically connected to the Internet and contains mail servers, workflow servers such as Microsoft Exchange and Lotus Notes, and custom information systems.

For reliable protection of the corporate intranet, it is necessary to install antiviruses on all workstations and servers. At the same time, special server anti-virus software should be used on file servers, e-mail servers and servers of document management systems. As for workstations, they can be protected with conventional anti-virus scanners and monitors.

Special anti-virus proxy servers and firewalls have been developed that scan the traffic passing through them and remove malicious software components from it. These antiviruses are often used to protect mail servers and document management systems servers.

File server protection

Protection file servers should be carried out using anti-virus monitors that can automatically check all server files that are accessed over the network. Antiviruses designed to protect file servers are produced by all antivirus companies, so you have a wide choice.

Mail server protection

Antivirus monitors are not effective at detecting viruses in email messages. This requires special antiviruses capable of filtering SMTP, POP3 and IMAP traffic, preventing infected messages from reaching users' workstations.

To protect mail servers, you can purchase antiviruses specifically designed to scan mail traffic, or connect conventional antiviruses to your mail server that allow you to work in command line mode.

The Doctor Web anti-virus daemon can be integrated with all the most well-known mail servers and systems such as Doctor ComminiGatePro, Sendmail, Postfix, Exim, QMail, and Zmailer. Similar tools are provided by Kaspersky Lab as part of the Kaspersky Corporate Suite package.

MERAK Mail Server allows connection of various types of external anti-viruses that have a command line interface. Some mail servers (such as EServ) come with a built-in antivirus.

You can also additionally check POP 3 traffic on user workstations. This allows you to make, for example, the SpIDer Mail anti-virus proxy server for the POP 3 protocol, which can be purchased together with Doctor Web anti-virus.

Protection of servers of document management systems

Workflow servers such as Microsoft Exchange and Lotus Notes store documents in databases of their own format. Therefore, the use of conventional file scanners for anti-virus scanning of documents will not give any results.

There are a number of anti-virus programs specifically designed for anti-virus protection of such systems. These are Trend Micro ScanMail for Lotus Notes, McAfee GroupScan and McAfee GroupShield, Norton Antivirus for Lotus Notes, Kaspersky Business Optimal antivirus for MS Exchange Server and some others.

These programs scan mail and file attachments, deleting everything in real time. malware, detect macro viruses and Trojans in forms and macros, in script files, and in OLE objects. Verification is performed in real time as well as on demand.

Protection of non-standard information systems

For anti-virus protection of non-standard information systems that store data in own formats, you need to either embed the anti-virus engine into the system, or connect an external scanner that works in command line mode.

For example, the core of the Doctor Web anti-virus was used by FSUE NPO Mashinostroeniya to protect a workflow system created on the basis of Sapiens' proprietary technology (http://www.npomit.ru). All information stored by this system in the database is checked by the Doctor Web anti-virus engine.

As developers of information systems for responsible use, "NPO Mashinostroeniya" has provided anti-virus protection to such of its developments as Sapiens Registration and Document Execution Control, Sapiens Monitoring of Computing Resources, Sapiens Electronic archive Design Documentation.

Network antivirus control center

If the intranet has hundreds and thousands of computers, then centralized remote control of anti-virus programs and control of their work is necessary. Performing in the "manual" mode such operations as monitoring updates of the anti-virus database and load modules of anti-virus programs, monitoring the effectiveness of virus detection on workstations and servers, etc., is ineffective if the network has a large number of users or if the network consists of geographically separated segments.

If you do not ensure the timely and efficient execution of the above operations, the technology of anti-virus protection of the corporate network will certainly be violated, which will sooner or later lead to a virus infection. For example, users may incorrectly configure the automatic updating of the anti-virus database or simply turn off their computers while such an update is in progress. As a result, automatic updates will not be performed and there will be a potential threat of infection with new viruses.

Modern anti-virus systems implement the following remote management and control functions:

installation and updating of anti-virus programs, as well as anti-virus databases;

centralized remote installation and configuration of antiviruses;

Automatic detection of new workstations connected to the corporate network, followed by automatic installation to these stations of anti-virus programs;

· scheduling tasks for immediate or delayed launch (such as updating programs, anti-virus database, scanning files, etc.) on any network computers;

· real-time display of anti-virus operation on workstations and network servers.

All of the functions listed above or many of them are implemented in the network control centers of the leading corporate anti-virus products created by Sophos (http://www.sophos.com), Symantec (http://www.symanteс.ru), Network Associates ( http://www.nai.com) and Kaspersky Lab.

Network control centers allow you to manage the anti-virus protection of the entire network from one workstation of the system administrator. At the same time, to speed up the process of installing antiviruses in remote networks connected to the main network via slow communication channels, these networks create their own local distribution directories.

When using a client-server architecture, the network control center is based on an anti-virus server installed on one of the corporate network servers. It interacts, on the one hand, with agent programs installed together with antiviruses on network workstations, and, on the other hand, with the management console of the antivirus protection administrator (Fig. 3).

Rice. 3. Interaction between the administrator console, agents and the anti-virus server

The anti-virus server performs managing and coordinating actions. It stores a general log of events related to anti-virus protection and occurring on all computers in the network, as well as a list and schedule of tasks. The anti-virus server is responsible for receiving messages from agents and sending them to the anti-virus protection administrator about the occurrence of certain events in the network, performs periodic network configuration checks in order to detect new workstations or workstations with a changed anti-virus configuration, etc.

In addition to agents, an antivirus is installed on each workstation and corporate network server that scans files and checks files when they are opened (scanner and anti-virus monitor functions). The results of the anti-virus operation are transmitted through agents to the anti-virus server, which analyzes them and logs them in the event log.

The control console can be a standard Microsoft Windows application with a window interface or an applet (snap -in) of the Control Panel control console of the Microsoft Windows operating system. The first approach is implemented, for example, in the Sophos antivirus management system, and the second - in the Norton AntiVirus management system.

The user interface of the management console allows you to view the tree structure of the corporate network, gaining access, if necessary, to individual computers of certain user groups or domains.

Multilevel systems with a Web interface

The architecture of multilevel systems with a Web interface involves the use of a Web server as the core of the system. The task of this core is, on the one hand, the organization of interactive interactive interaction with the user, and on the other hand, with the software modules of a particular system.

The advantages of this approach are the unification of methods for managing various network systems, as well as the absence of the need to install any control programs or consoles on the administrator's workstation. Administration can be performed from any network computer, and if the network is connected to the Internet, then from any place on the globe where there is an Internet connection and a computer with a browser.

Control information is protected in transit over the Internet or a corporate intranet using SSH protocols or other similar means (for example, proprietary secure modifications of the HTTP protocol).

On fig. In Figures 4-5, we have shown a block diagram of the web-based anti-virus protection system Trend Virus Control System. This system allows you to fully manage and control the operation of the corporate anti-virus protection system from one workstation through a browser, even if individual network fragments are located in different countries or on different continents.

Rice. 4. Anti-virus system with Web interface

This circuit is similar to the circuit shown in Fig. 4-1, however, the anti-virus protection administrator manages its operation through the browser, and not through the console application.

An antivirus is installed on the workstations (PC-cillin , Server Protect , InterScan VirusWall , ScanMail , etc.). This antivirus is managed by the antivirus server through an agent.

On the computer playing the role of an anti-virus server, the Microsoft IIS Web server is installed. A special Web application running on this server manages the anti-virus server. It also provides the administrator with a user interface for managing the anti-virus protection system.

To be as independent from computer platforms as possible, the Trend VCS Server and client application are written in the Java programming language and other languages ​​used for developing web applications.

As for notifications about the occurrence of events in the corporate anti-virus protection system, they are transmitted by agent programs to the Trend VCS Server and sent via e-mail, via paging networks, via SMS systems, etc.

Administrative and technological methods of protection

In order for anti-virus programs to effectively perform their functions, it is necessary to strictly follow the recommendations for their use described in the documentation. Particular attention should be paid to the need for regular updates of virus databases and antivirus software components. Modern antiviruses are able to download update files via the Internet or over a local network. However, for this they must be configured accordingly.

However, even without the use of antivirus programs, you can try to prevent viruses from entering your computer and reduce the harm they cause if they become infected. Here's what to do first:

block possible channels of virus penetration: do not connect the computer to the Internet and the company's local network, if this is not necessary, disconnect the devices external memory, such as floppy disk drives and CD - ROM devices ;

Prohibit programmatic modification of the contents of non-volatile BIOS memory;

Make a system boot floppy by writing antiviruses and other system utilities to work with the disk, as well as the Microsoft Windows Rescue Disk;

· check all programs and document files that are written to the computer, as well as floppy disks using the latest versions of anti-virus programs;

· install software only from licensed CDs;

· Install write protection on all floppy disks and remove it only if necessary;

· limit the exchange of programs and floppy disks;

Do it regularly backup data;

· set the minimum necessary access rights to the directories of the file server, write-protect the directories of distributions and program files;

· compile instructions for users on anti-virus protection, describing in it the rules for using anti-viruses, the rules for working with files and e-mail, and also describe the actions to be taken when viruses are detected.

Home computer problem

Often, company employees work not only in the office, but also at home, exchanging files between their home computer and office workstation. The system administrator of the company is not able to protect all home computers of employees from viruses. Viruses can get onto a home computer from the Internet, as well as from the exchange of game programs. Often this happens if other family members and children have access to the home computer.

All files that employees bring from home to work should be considered potentially dangerous. In critical cases, such an exchange should be completely prohibited, or severely limited. Potentially dangerous "home" files must be scanned before being opened by antivirus programs.

Installing Personal Firewalls

A corporate network connected to the Internet must be protected from hackers using a firewall. However, in addition to this, you can additionally protect workstations and network servers by installing personal firewalls on them, such as AtGuard (Fig. 5).

Rice. 5. Setting up a personal firewall AtGuard

In addition to filtering out unwanted traffic, some personal firewalls can protect your computer from Java Trojan applets and ActiveX controls. Such components can be built into mail messages HTML format and into the pages of Trojan Web sites.

Personal firewalls in what's known as learning mode can help detect traffic from Trojans, logic bombs, and other unwanted malware. When such a component attempts to communicate with a hacker's computer, the firewall will display a warning message on the screen.

It should be noted that in the browser settings you can also disable the ability to use active components such as Java applets and ActiveX controls. However, personal firewalls are more versatile, and allow you to block the use of such components by any programs, such as email clients.