How Antivirus Works and why we get False Positives
by Brian A.
January 1, 1970
Computer malware is a prevalent problem to the users of any form of computers. The viruses cause a lot of harm and interrupt PC functionality. The viruses are developed like any other programs, and they are programmed with attributes of moving from one computer to another through sharing of data storage devices. They can also spread into folders and subfolders of the infected computer. The virus programs are uploaded to the cloud whereby the individuals without internet security on their networks fall victim of acquiring the program when they download materials from the cloud.
The most common way in which computer viruses spread across the world is through emails that contain attached documents. The viruses in the documents propagated to the recipient of the mail after they open the mail. Necessary measures have been put place by installing scanning engines of anti-virus programs. The antivirus programs behave like a virus and look for virus fingerprints in their hiding areas
The antivirus technology has addressed the issue of inadequacy of sophistication in early antivirus engines. Because of their limited technology levels, a few types of complicated viruses need some time to be analyzed before the engineer can come up with a functional fingerprint of the virus and append it to the anti-virus program.
Advances in technology have eased the process of appending fingerprints to complex new virus programs by enhancing the antivirus engines. Antiviruses face challenges such as; virus programs change with time; therefore, the antivirus programs become a cliché and useless in protecting a computer from such viruses. For instance, the antivirus is considered outdated if the virus present have fingerprints that the antivirus cannot recognize. Due to the increase of new infections created daily, many companies have produced numerous types of antivirus programs. Some of the antivirus programs developed require higher computer specification for it to run. This hence limits the usage of such antiviruses to specific users who can afford such computers thus exposing their machines to viruses.
Most antivirus programs have a cost implication, and the free versions that are provided on the internet are not reliable in giving adequate pc protection. It, therefore, becomes a challenge to computers owners to buy the antivirus programs; this primarily affects the school going students who do not have a source of income to purchase the antiviruses so that they can protect their documents from being corrupted by viruses.
Many anti-viruses are designed to function analogous to the immune system of a human being. They operate by scanning the computers for available signatures corresponding to the binary pathogens and infections. The anti-virus refers to a dictionary of the known viruses, and if any detail obtained within the file resembles the pattern in the dictionary, then the antivirus neutralizes it. Analogous to the human immune system, the content of the dictionary requires updates like the flu shots to provide considerate protection against emerging strains of viruses. Any anti-virus counteracts to what it deems as harmful. The problem arises concerning the creation of new strains of viruses at a rapid rate at which the antivirus developers may not keep pace. Thus the computer becomes vulnerable during the period between time of detection of the virus and the time the dictionary update is released from antivirus dealers, the reason behind keeping the antivirus updated as up to the current date as possible
Scan engines Method
Most importantly, the antivirus’s core function is virus scan engine. The antivirus scans the information, and when the virus is detected, the antivirus disinfects it. Mentioned below are different ways of virus scanning.
Main Basic Techniques
Size: the antivirus easily detects if the file is changed or infected. It is common for some viruses to append their malicious codes at the terminal of the file. An antivirus, in this case, the scan engine scans the file and then compares it prior and after sizes. When the computer user does no changes, the antivirus suspects the presence of malicious actions running on the computer.
Pattern matching: there is a distinct and unique signature corresponding to each virus. The signature is used by the virus to infect files of computers and could be few lines in an assembly language that overwrites the stack pointer rather than jumping to the new line of code. The antivirus compares information with the virus unique signature and presence of resemblance is a clear indication of infection being occurred.
Heuristic occurs when the information being scanned is dangerous without the user knowing whether it contains a virus or not. The technique involves an analysis of the data and then comparing it the list of hazardous actions. For instance, if the antivirus detects that software is attempting to open each EXE file and infecting it by writing a replica of the original program into it, the antivirus recognizes the program and declares it is a dangerous activity and thus sounds an alarm. Now the decision remains to the user whether to eliminate the perilous virus or not.
The above methods have merits and demerits. If the antivirus utilizes the signature approach then, it needs to update it regularly. This should be done on a daily basis since at least 15 new viruses emerge in every single day. Thus, if the antivirus is left un-updated for many days, it may cause severe dangers.
Other ways which the antivirus works include monitoring of incoming files and deleting any virus within the files, placing suspect files in quarantine and updating the software produced by the developers so that to address emerging infections. For this case, the software may be set such that it checks for updates at regular time intervals.
False positive is the process of false and positive identification of a computer virus. In false identification, the antivirus identifies a good program as a virus. False positive is regarded as a demerit of virus identification method. Small weaknesses of any virus identification method may result in false positives which are fatal as false negatives.
For an ideal situation, the false positive rate tends to be zero or approximately close to zero. Any small rise in the false positive rate is not desired
Reasons for getting False Positives
The particular procedures give very sensitive scanning by determining the relationship between the viruses and their signatures. This type of method has a drawback whereby it is impossible to detect new and unknown viruses. However, generic methods can identify all kinds of viruses without necessarily using virus signatures. The generic methods also have their drawbacks since they create false positives. For instance, the heuristic can detect new and unknown viruses though they are prone to false positives. This is as a result of the method adopted by heuristics relies on probabilistic methods and are therefore not certain of an infection. For example, if a heuristic program identifies a file “open” prompt, followed by “file read” and “write” prompts, and also identifies a string “Virus” within the program, then it can respond that the file is under attack of the unidentified virus.
There are chances that a file which is infected by a virus may meet all the conditions that render it infected; this is what results in false positives. As mentioned generic methods are the most susceptible to false positives.
False positives may result due to the complications that arise in determining the disparity between codes that are good and bad. Making wrong decisions may result in false positive or false negative. The antivirus functions to solely find signatures of viruses and not the whole of the virus program. It also looks for wildcard signatures. The signatures that the antivirus finds may not necessarily be of virus codes only. Since the conventional signature is redundant when handling polymorphic and metamorphic malware, antiviruses with new technologies should incorporate heuristic approaches in dealing with such viruses. Such methods are often faced with high rates of false positives.