Internet Security Professional Reference: Viruses


The following list examines how the integrity checker performs in each of the seven critical categories:

1. Integrity checkers don’t require frequent updates to remain effective.
2. Slow viruses can’t be detected by integrity checkers. Companion viruses can’t be detected by a strict integrity checker.
3. The integrity checker may have occasional false-positives; that is, a virus being reported when no virus is present. The user may be prompted to indicate whether a change in a program file or boot record is legitimate.
4. The integrity checker should have few false-negatives; that is, the presence of a virus going undetected. Either a virus infects in such a way as to be detectable by the integrity checker or it doesn’t.
5. Integrity checking requires the user to “inoculate” their files while the system is in a known, clean state. In addition, the integrity checker may require user intervention to determine whether a modification is viral or legitimate. As users install new programs, they must make sure to “inoculate” them.
6. The integrity checker only needs infrequent updating.
7. This technology can only detect viruses after they have infected programs and boot records on the system. It doesn’t prevent these programs from infecting the system in the first place.
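The following is an added example of the inoculate-then-check cycle described above; it is not code from the book. It stores a SHA-256 digest and size for every program file while the directory is clean, then reports what changed. The file names and contents are constructed placeholders. It also shows why a strict checker misses the companion pattern: the checker only compares files it inoculated, so a new file beside an untouched program is invisible unless the checker is extended to list new files and match their names against the baseline (the `strict=False` mode here is that extension).

```python
import hashlib
import tempfile
from pathlib import Path

# Constructed program files for the demo; their contents are placeholder bytes, not real code.
PROGRAM_FILES = ("EDIT.EXE", "FORMAT.EXE", "CHKDSK.EXE")
PROGRAM_SUFFIXES = (".exe", ".com")


def file_digest(path: Path) -> str:
    """SHA-256 of a file's contents: the fingerprint the checker stores at inoculation."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def program_files(root: Path):
    """Yield (relative name, path) for every program file under root, in a stable order."""
    for p in sorted(root.rglob("*")):
        if p.is_file() and p.suffix.lower() in PROGRAM_SUFFIXES:
            yield str(p.relative_to(root)), p


def inoculate(root: Path) -> dict:
    """Record digest and size of each program file while the system is known clean."""
    return {rel: (file_digest(p), p.stat().st_size) for rel, p in program_files(root)}


def check(root: Path, baseline: dict, strict: bool = True) -> dict:
    """Compare the current program files with the baseline.

    A strict checker (strict=True) only knows about files it inoculated, so it can
    report 'modified' and 'missing' but never notices a file that was added. With
    strict=False the checker also lists 'new' files and flags a 'companion_candidate':
    a new file whose name matches an inoculated program except for the extension.
    """
    report = {"modified": [], "missing": []}
    if not strict:
        report["new"] = []
        report["companion_candidates"] = []
    baseline_stems = {Path(rel).stem.lower() for rel in baseline}
    seen = set()
    for rel, p in program_files(root):
        seen.add(rel)
        if rel in baseline:
            if (file_digest(p), p.stat().st_size) != baseline[rel]:
                report["modified"].append(rel)
        elif not strict:
            report["new"].append(rel)
            if Path(rel).stem.lower() in baseline_stems:
                report["companion_candidates"].append(rel)
    report["missing"] = sorted(set(baseline) - seen)
    return report


def demo() -> dict:
    """Inoculate a scratch directory, introduce two kinds of change, and return both reports."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        for name in PROGRAM_FILES:
            (root / name).write_bytes(b"MZ" + name.encode() + b"\x00" * 64)  # constructed contents
        baseline = inoculate(root)
        # Change 1: an existing program file is altered, which both modes report.
        with (root / "EDIT.EXE").open("ab") as f:
            f.write(b"\x90" * 16)  # constructed modification, not executable code
        # Change 2: a new EDIT.COM appears beside the untouched EDIT.EXE (the companion pattern).
        (root / "EDIT.COM").write_bytes(b"constructed companion file")
        return {"strict": check(root, baseline, strict=True),
                "extended": check(root, baseline, strict=False)}


if __name__ == "__main__":
    for mode, report in demo().items():
        print(mode, report)
```

The strict report lists only `EDIT.EXE` as modified; the extended report additionally lists `EDIT.COM` as new and as a companion candidate because its stem matches an inoculated program. Matching on stems is a cheap extension and still leaves the user to decide whether the new file is legitimate, which is the false-positive trade-off the list above describes.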

Behavior Blockers

Behavior blockers are memory-resident programs that install in memory as system service providers. These programs work silently in the background, waiting for viruses or other malicious programs to attempt damaging activities. If the behavior blocker detects such activities, it informs the user of the suspicious behavior and allows the user to decide whether the action should continue.

Unfortunately, some legitimate programs do initiate actions that appear to be virus-like in nature. Therefore, while the integrity checker can prevent many virus-like activities, the uninformed user might be asked to make decisions they’re not prepared to make.

Behavior blockers can prevent new and unknown viruses from spreading onto a computer. Although a memory-resident virus scanner might miss a new virus, the blocker would detect the virus’ modification of executable program files and prevent such action.

The following list examines how the behavior blocker performs in each of the seven critical categories:

1. Behavior blockers don’t require frequent updates to remain effective.
2. Slow viruses can’t be detected by behavior blockers because they do not actively call upon system services when they infect.
3. The behavior blocker may “complain” during normal operations. The user must decide whether the blocked activity is legitimate.
4. The design of the behavior blocker and the system activities that the behavior blocker intercepts have a direct effect on what types of virus activity can be detected.
5. Ideally, the behavior blocker should never inconvenience the user during normal computer operation, although the user may be asked to decide whether an activity should be allowed.
6. The behavior blocker rarely needs to be updated.
7. Behavior blocker technology can only detect viruses once they are functioning and as they try to infect or destroy information on the computer.
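As an added example (not code from the book), here is a model of a behavior blocker sitting between programs and the disk as a system service provider. Requests, program names, the trusted-caller rule standing in for the user's answers, and the disk contents are all constructed for the demo. It shows the three behaviours listed above: a legitimate installer triggers a “complaint” the user must answer, a hostile program's writes to another program and to the boot record are refused, and a slow-virus-style change that rides on a legitimately approved write is never seen as a separate event.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional

# Constructed model of the requests a memory-resident blocker sees as a system service provider.
EXECUTABLE_SUFFIXES = (".exe", ".com", ".sys")
BOOT_RECORDS = {"MBR", "BOOT_SECTOR"}


@dataclass
class Request:
    caller: str          # program that issued the request
    kind: str            # "write", "raw_disk_write" or "go_resident"
    target: str          # file name or boot record name
    data: bytes = b""


class Disk:
    """Stand-in for the file system and boot records; requests only reach it via the blocker."""
    def __init__(self, contents: Dict[str, bytes]):
        self.contents = dict(contents)

    def apply(self, req: Request) -> None:
        if req.kind in ("write", "raw_disk_write"):
            self.contents[req.target] = req.data


@dataclass
class BehaviorBlocker:
    ask_user: Callable[[Request, str], bool]   # the prompt; True means "let it continue"
    log: List[str] = field(default_factory=list)

    def classify(self, req: Request) -> Optional[str]:
        """Return why a request looks virus-like, or None if it is ordinary."""
        if req.kind == "raw_disk_write" and req.target in BOOT_RECORDS:
            return "writes a boot record directly"
        if req.kind == "write" and req.target.lower().endswith(EXECUTABLE_SUFFIXES):
            return "modifies an executable program file"
        if req.kind == "go_resident":
            return "installs itself as a memory-resident program"
        return None

    def mediate(self, req: Request, disk: Disk) -> bool:
        """Intercept one request; suspicious ones proceed only if the user says so."""
        reason = self.classify(req)
        if reason is None:
            disk.apply(req)
            return True
        allowed = self.ask_user(req, reason)
        self.log.append(f"{'ALLOW' if allowed else 'BLOCK'} {req.caller}: {reason} ({req.target})")
        if allowed:
            disk.apply(req)
        return allowed


def demo() -> dict:
    """Constructed session: a legitimate installer, a hostile program and a slow-virus-style change."""
    disk = Disk({"EDIT.EXE": b"original editor", "MBR": b"original boot code"})
    # Stand-in for the user's answers at the prompt: trust the installer and the linker, refuse the rest.
    trusted = {"SETUP.EXE", "LINK.EXE"}
    blocker = BehaviorBlocker(ask_user=lambda req, reason: req.caller in trusted)

    # 1. A legitimate installer drops a new program: the blocker "complains" and the user allows it.
    blocker.mediate(Request("SETUP.EXE", "write", "NEWAPP.EXE", b"installed app"), disk)
    # 2. A program tries to rewrite another program and the boot record: the user refuses both.
    blocker.mediate(Request("GAME.EXE", "write", "EDIT.EXE", b"altered editor"), disk)
    blocker.mediate(Request("GAME.EXE", "raw_disk_write", "MBR", b"altered boot code"), disk)
    # 3. Ordinary data writes never reach the prompt.
    blocker.mediate(Request("EDIT.EXE", "write", "NOTES.TXT", b"some text"), disk)
    # 4. Slow-virus case: the linker legitimately writes MYPROG.EXE, but the buffer was altered
    #    before the request was issued. The blocker sees one approved write by LINK.EXE, nothing more.
    linker_output = b"linked program" + b"+tampered"   # constructed; the change rides on the legitimate write
    blocker.mediate(Request("LINK.EXE", "write", "MYPROG.EXE", linker_output), disk)

    return {"log": blocker.log, "disk": disk.contents}


if __name__ == "__main__":
    result = demo()
    print("\n".join(result["log"]))
    print(result["disk"])
```

Point 4 in the list above is visible in `classify`: the blocker can only judge the request kinds it intercepts, so anything that reaches the disk through a path it does not hook, or inside a request the user already approved, is outside its view.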

Heuristics

The heuristic scanner is a program that attempts to identify virus-infected files and boot records without the explicit use of virus signatures or integrity information. The heuristic scanner can detect many new and as yet unknown viruses that would normally evade a virus signature scanner.

Heuristic scanners look for “telltale” signs of viruses in files and boot records. If the heuristic scanner sees enough virus-like attributes to indicate an infection, the scanner reports the file or boot record as “possibly” being infected. The user must make the final determination of whether they have a virus and how to deal with it if so.

Most users aren’t ready to reverse engineer a program’s machine language instructions to verify that the heuristic scanner is correct in its assessment. Therefore, unless a heuristic scanner has a 0 percent false identification rate (virtually impossible to accomplish), the heuristic scanner is more a tool for a savvy computer expert than a useful antivirus utility for the average user or corporation.

The following list examines how the heuristic scanner performs in each of the seven critical categories:

1. Heuristic scanners don’t require frequent updates to remain effective.
2. Depending on the technology used in the heuristic scanner, different types of viruses may or may not be detected.
3. The heuristic scanner may falsely identify uninfected programs as being infected. The number of false-positives depends on the implementation of the product.
4. Some samples of a given virus may be detected while others are not. This depends on the technology used in the heuristic scanner.
5. The heuristic scanner is just as imposing as the standard virus scanner.
6. Ideally, the heuristic scanner never needs to be updated. However, as viruses become more clever and use different techniques to hide from the heuristic scanner, it should be updated.
7. The heuristic scanner can be used to detect viruses before they infiltrate the computer or after.
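The following added example (not from the book) shows the scoring step of a heuristic scanner: each “telltale” attribute found in a file contributes a weight, and the total decides between clean, “possibly infected” and “likely infected”. The attribute names, weights, thresholds and the per-file attribute sets are all constructed; the analysis that extracts attributes from a real file is assumed to have already run. The samples illustrate the list above: a self-extracting archive crosses the reporting threshold (a false positive the user must judge), and two samples of the same constructed virus score differently, so one is reported and the other missed.

```python
from typing import Dict, Iterable, List, Tuple

# Virus-like attributes an analyzer might report for a program, with weights.
# Names and weights are constructed for this example; a real product derives its own.
HEURISTIC_WEIGHTS: Dict[str, int] = {
    "searches_for_program_files": 3,     # enumerates *.EXE / *.COM names
    "opens_program_file_for_write": 4,
    "entry_point_near_end_of_file": 2,   # typical of code appended to a program
    "self_modifying_code": 3,
    "stays_memory_resident": 2,
    "hooks_file_services": 3,
    "writes_boot_record": 4,
    "checks_system_date": 1,
}
POSSIBLE_THRESHOLD = 6     # "possibly infected": report it and let the user decide
LIKELY_THRESHOLD = 10      # enough combined evidence to call it "likely infected"


def score(attributes: Iterable[str]) -> int:
    """Sum the weights of the recognised attributes (unknown attributes count nothing)."""
    return sum(HEURISTIC_WEIGHTS.get(a, 0) for a in set(attributes))


def verdict(attributes: Iterable[str]) -> Tuple[str, int, List[str]]:
    """Return (label, score, evidence) so the user can see what triggered the report."""
    attrs = set(attributes)
    s = score(attrs)
    if s >= LIKELY_THRESHOLD:
        label = "likely infected"
    elif s >= POSSIBLE_THRESHOLD:
        label = "possibly infected"
    else:
        label = "clean"
    return label, s, sorted(a for a in attrs if a in HEURISTIC_WEIGHTS)


# Constructed attribute sets, standing in for what the analyzer extracted from each file.
SAMPLES: Dict[str, Tuple[str, ...]] = {
    "EDIT.EXE": ("checks_system_date",),
    # Self-extracting archive: legitimately rewrites program files, so it looks suspicious.
    "SFXARC.EXE": ("opens_program_file_for_write", "entry_point_near_end_of_file"),
    "INFECTED_A.EXE": ("searches_for_program_files", "opens_program_file_for_write",
                       "self_modifying_code", "entry_point_near_end_of_file"),
    # Second sample of the same constructed virus, where the analyzer recovered fewer attributes.
    "INFECTED_B.EXE": ("searches_for_program_files", "entry_point_near_end_of_file"),
    "TSRCLOCK.EXE": ("stays_memory_resident", "checks_system_date"),
}


def scan(samples: Dict[str, Iterable[str]]) -> Dict[str, Tuple[str, int, List[str]]]:
    """Score every sample and return its verdict with the supporting evidence."""
    return {name: verdict(attrs) for name, attrs in samples.items()}


if __name__ == "__main__":
    for name, (label, s, evidence) in scan(SAMPLES).items():
        print(f"{name:16} {label:18} score={s:<3} {', '.join(evidence)}")
```

Returning the evidence list alongside the label is what makes the “possibly infected” report actionable: the user who cannot read machine code can at least see that the archiver was flagged for writing program files, which is its expected job. Lowering `POSSIBLE_THRESHOLD` would catch the second virus sample at the cost of more such reports, which is the trade-off point 3 describes.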

Preventative Measures and Cures

End users can take certain simple precautions to protect their computers from viruses. Most of these are specific to a virus type. One wise universal precaution is to use more than one non-memory-resident antivirus scanner program on workstations. Each antivirus manufacturer encounters different viruses at different times, so one scanner often detects some viruses that another does not, and vice versa. Running more than one scanner dramatically reduces the chance of infection.

This section describes preventative measures that can be taken to reduce the risk of viral infection. This section also describes some methods antivirus programs use to repair infected items, as well as recommended methods for repairing infected floppy disks, hard drives, and programs using common tools.
