Memory Scanners

Almost all antivirus programs have a memory scanning component. The memory scanner works on the same basic principles as the virus scanner described in “Virus Scanners.” Its job is to scan memory for memory-resident file and boot record viruses.

Memory scanning is critical for two reasons. First, consider what might happen if a computer is infected with a read stealth virus that has installed itself as a memory-resident service provider. Anytime an antivirus program attempts to scan an infected file or boot record, it must call upon the DOS or BIOS (and consequently the virus’) system service provider to read the file or boot record contents. Because the read stealth virus intercepts these system service requests, it can disinfect each file or boot record as they are accessed, hiding any infection from other antivirus tools, such as scanners, integrity checkers, and heuristics scanners.

These read stealth viruses can’t easily hide themselves in memory because memory-scanners can directly poke around through memory in search of viral code. In addition, antivirus programs don’t need to use a potentially infected service provider to examine the contents of memory. Thus, the virus isn’t invoked and can’t attempt to actively hide itself during a memory scan. If an antivirus product doesn’t use memory scanning, all other virus detection techniques are put at risk and may fail to detect certain viruses.

Memory scanning also must be used to detect fast infectors. (See “How and When the Memory-Resident File Infecting Virus Infects New Items” for more information about fast infectors.) These memory-resident, file-infecting viruses hook into DOS’s system service provider and infect programs as they are opened or referenced for any reason. If an antivirus product doesn’t scan memory for these fast viruses before scanning the files of a hard drive or floppy disk, it might inadvertently infect every executable file scanned!

If the antivirus product detects either a fast or stealth virus in memory, it can instruct the user to boot from an uninfected DOS floppy disk and then rescan the drive or disk. After a cold bootup from an uninfected disk, the virus is removed from memory and doesn’t pose any further threat while the antivirus program checks for infections.

The following list examines how memory scanners perform in each of the seven critical categories.

•  Memory scanners require a trained engineer (or automated process) to analyze and produce a signature for every new memory-resident virus.

•  Almost all memory-resident viruses can be detected trivially by memory scanners. Some resident viruses encrypt themselves while they are in memory, making memory detection more difficult.

•  Properly designed memory scanners have a low false-positive rate.

•  Properly designed memory scanners have a low false-negative rate.

•  Memory scanning is a fast process and should not overly inconvenience the user.

•  Memory scanners must be updated on a frequent basis, perhaps monthly or quarterly. The user can often obtain updated virus signature data files electronically and not worry about updating the actual executable antivirus program.

•  Memory scanners invariably detect the virus after it has infected the computer and is memory-resident.

Integrity Checkers

Integrity checkers have two components. The first component takes a fingerprint of each executable file and boot record on the computer while the computer is in an uninfected state. This information is stored in a database on the hard drive or preferably on an external disk (where it is safe from prying viruses).

The second component is subsequently used to confirm that the fingerprinted, or “inoculated” items, have not changed from their initial, uninfected state. If the state of an inoculated object does change due to a virus infection, the integrity checker can, in many instances, detect the change and restore the file or boot record back to its original state.

The integrity checker works based on the following assumption: Most program files and boot records never change during normal computer operation. Unless the user installs a new version of an application, for instance, the contents of its program file (for example, the machine language instructions comprising the program) would not be expected to change. If the user did reinstall a program, its program files would change and consequently the user would have to reinoculate these files to protect their contents.

Some executable program files do modify themselves and store configuration information directly within the executable program file; however, this is the exception rather than the rule. Even so, few nonviral executable files modify the machine language instructions at their entry point. On the other hand, the majority of executable file viruses must modify the machine language instructions at the entry point of executable files to propagate.

The optimal integrity checking program would work by backing up every program file on a computer to a special secondary, write-protected hard drive. Then, every time the user executed a program, the integrity checker would verify that the program was a byte-for-byte match to the original copy of the program stored on the backup drive. Unfortunately, this isn’t a feasible solution for the majority of computer users.

To infect, however, almost all file viruses modify the target executable file’s entry point or change its entry point (in the case of EXE and SYS files) to point to the appended viral code. This attribute of file viruses allows the integrity checker to take a snapshot or fingerprint of a much smaller region of each program file, rather than backing up the entire executable file.