Anti-virus information protection tools

    Plan:

    Introduction
    1. The concept of anti-virus information protection tools
    2. Classification of antivirus programs
       2.1. Scanners
       2.2. CRC scanners
       2.3. Blockers
       2.4. Immunizers
    3. Main functions of the most common antiviruses
       Antivirus Dr. Web
       Kaspersky Anti-Virus
       Antivirus Antiviral Toolkit Pro
       Norton AntiVirus 2000
    Conclusion
    List of references

    Introduction.

    Information security means are a set of engineering, technical, electrical, electronic, optical and other devices, apparatus and technical systems, as well as other material elements, used to solve various information protection problems, including preventing leaks and ensuring the security of protected information.

    In general, the means of ensuring information security in terms of preventing intentional actions, depending on the method of implementation, can be divided into groups:

      Technical (hardware) means. These are devices of various types (mechanical, electromechanical, electronic, etc.) which use hardware to solve information security problems. They either prevent physical penetration or, if penetration does occur, prevent access to information, including by masking it. The first part of the problem is solved by locks, bars on windows, guards, security alarms, etc. The second part is solved by noise generators, mains filters, scanning radios and many other devices that "block" potential channels of information leakage or allow them to be detected. The advantages of technical means are their reliability, independence from subjective factors and high resistance to modification. Their weaknesses are insufficient flexibility, relatively large volume and weight, and high cost;

      Software tools include programs for user identification, access control, information encryption, removal of residual (working) information such as temporary files, test control of the security system, etc. The advantages of software tools are versatility, flexibility, reliability, ease of installation, and the ability to modify and develop them. Their disadvantages are the limited functionality of the network, the use of part of the resources of the file server and workstations, high sensitivity to accidental or intentional changes, and possible dependence on the type of computer (its hardware);

      Mixed hardware and software implement the same functions as hardware and software separately, and have intermediate properties;

      Organizational means consist of organizational and technical measures (preparing premises with computers, laying the cable system with the requirements for restricting access to it taken into account, etc.) and organizational and legal measures (national legislation and work rules established by the management of a particular enterprise). The advantages of organizational means are that they allow many different problems to be solved, are easy to implement, respond quickly to unwanted actions on the network, and have unlimited possibilities for modification and development. Their disadvantages are a high dependence on subjective factors, including the general organization of work in a specific department.

    In my work I will consider one of the software tools for information protection: antivirus programs. So, the purpose of my work is to analyze anti-virus information security tools. This goal is achieved by solving the following tasks:

      Studying the concept of anti-virus information protection tools;

      Consideration of the classification of anti-virus information security tools;

      Familiarization with the basic functions of the most popular antiviruses.

      The concept of anti-virus information protection tools.

    Antivirus program (antivirus) - a program for detecting computer viruses, as well as unwanted (considered malicious) programs in general, and recovery of files infected (modified) by such programs, as well as for prevention - preventing infection (modification) of files or the operating system with malicious code (for example, through vaccination).

    Antivirus software consists of routines that attempt to detect, prevent, and remove computer viruses and other malicious software.

      Classification of antivirus programs.

    Antivirus programs are the most effective in fighting computer viruses. However, I would like to immediately note that there are no antiviruses that guarantee one hundred percent protection against viruses, and statements about the existence of such systems can be regarded as either false advertising or unprofessionalism. Such systems do not exist, since for any antivirus algorithm it is always possible to propose a counter-algorithm for a virus that is invisible to this antivirus (the reverse, fortunately, is also true: for any virus algorithm it is always possible to create an antivirus).

    The most popular and effective antivirus programs are antivirus scanners (other names: phage, polyphage, doctor program). Following them in terms of efficiency and popularity are CRC scanners (also: auditor, checksumer, integrity checker). Often both of these methods are combined into one universal antivirus program, which significantly increases its power. Various types of blockers and immunizers are also used.

    2.1 Scanners.

    The operating principle of anti-virus scanners is based on checking files, sectors and system memory and searching them for known and new (unknown to the scanner) viruses. To search for known viruses, so-called “masks” are used. The mask of a virus is some constant sequence of code specific to this particular virus. If the virus does not contain a permanent mask, or the length of this mask is not long enough, then other methods are used. An example of such a method is an algorithmic language that describes all possible code options that may occur when infected with a similar type of virus. This approach is used by some antiviruses to detect polymorphic viruses. Scanners can also be divided into two categories - “universal” and “specialized”. Universal scanners are designed to search for and neutralize all types of viruses, regardless of the operating system in which the scanner is designed to work. Specialized scanners are designed to neutralize a limited number of viruses or only one class of viruses, for example macro viruses. Specialized scanners designed only for macro viruses often turn out to be the most convenient and reliable solution for protecting document management systems in MS Word and MS Excel.

    Scanners are also divided into “resident” (monitors, guards), which perform on-the-fly scanning, and “non-resident”, which scan the system only upon request. As a rule, “resident” scanners provide more reliable system protection, since they immediately respond to the appearance of a virus, while a “non-resident” scanner is able to identify the virus only during its next launch. On the other hand, a resident scanner can somewhat slow down the computer, including due to possible false positives.

    The advantages of scanners of all types include their versatility; their disadvantage is the relatively low speed of virus scanning. The most common programs in Russia are AVP by Kaspersky, Dr.Web by Danilov, and Norton AntiVirus from Symantec.
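As an added example (not code from the essay or from any of the products it names), the following Python script implements the mask-based scanning described above: each mask is a constant byte sequence that identifies one virus, and the scanner searches file contents for it. It goes slightly beyond the text by allowing `?` wildcards in a mask, which is a minimal form of the "algorithmic" description the essay mentions for viruses that have no fully constant mask. All mask names, mask bytes and sample files are constructed for the demonstration; the `demo` helper builds them in a temporary directory.

```python
import re
import tempfile
from pathlib import Path

# Constructed demonstration masks, not real virus signatures. A "?" inside a
# mask matches any single byte; every other byte must match exactly.
MASKS = {
    "Demo.FixedMask": b"DEMO-FIXED-MASK-0001",
    "Demo.Wildcard": b"DEMO?WILD??END",
}


def compile_mask(mask: bytes) -> re.Pattern:
    """Turn a byte mask with '?' wildcards into a compiled regular expression."""
    parts = []
    for byte in mask:
        if byte == ord("?"):
            parts.append(b".")  # wildcard: any one byte
        else:
            parts.append(re.escape(bytes([byte])))
    return re.compile(b"".join(parts), re.DOTALL)


COMPILED = {name: compile_mask(mask) for name, mask in MASKS.items()}


def scan_bytes(data: bytes) -> list:
    """Return the names of all masks found anywhere in the data."""
    return [name for name, pattern in COMPILED.items() if pattern.search(data)]


def scan_file(path: Path) -> list:
    """Read a whole file and scan it (fine for small files; real scanners stream)."""
    return scan_bytes(path.read_bytes())


def scan_directory(root: Path) -> dict:
    """Scan every regular file below root; map relative path -> detections."""
    return {
        str(p.relative_to(root)): scan_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def demo() -> dict:
    """Build a constructed sample directory in a temp folder and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        # a clean program, one carrying the fixed mask, one carrying a variant
        (root / "clean.exe").write_bytes(b"MZ clean program body")
        (root / "infected.exe").write_bytes(b"MZ code DEMO-FIXED-MASK-0001 tail")
        (root / "variant.exe").write_bytes(b"MZ code DEMOxWILDabEND tail")
        # a copy whose bytes no longer match the fixed mask: this is what a
        # pure mask scanner misses until a new mask is added to its database
        (root / "mutated.exe").write_bytes(b"MZ code DEMO-FIXED-MASK-0002 tail")
        return scan_directory(root)


if __name__ == "__main__":
    for name, hits in demo().items():
        print(f"{name}: {'detected ' + ', '.join(hits) if hits else 'clean'}")
```

The `mutated.exe` case in `demo` shows the limit the text states: a scanner finds only viruses whose mask is in its database, so a changed sample passes until the database is updated.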

    2.2 CRC-scanners.

    The operating principle of CRC scanners is based on calculating CRC sums (checksums) for the files and system sectors present on the disk. These CRC sums are then stored in the antivirus database, together with some other information: file lengths, dates of last modification, etc. On subsequent launches, CRC scanners compare the data contained in the database with the actual calculated values. If the file information recorded in the database does not match the real values, the CRC scanner signals that the file has been modified or infected with a virus. CRC scanners using anti-stealth algorithms are quite a powerful weapon against viruses: almost 100% of viruses are detected almost immediately after they appear on the computer. However, this type of antivirus has an inherent flaw that significantly reduces its effectiveness: CRC scanners are not able to catch a virus at the moment it appears in the system, but only some time later, after the virus has spread throughout the computer. CRC scanners cannot detect a virus in new files (in email, on floppy disks, in files restored from a backup or unpacked from an archive), because their databases contain no information about these files. Moreover, viruses periodically appear that take advantage of this "weakness" of CRC scanners, infecting only newly created files and thus remaining invisible to them. The most used programs of this kind in Russia are ADINF and AVP Inspector.
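The integrity-checking cycle described above, as an added Python example that is not code from the essay or from ADINF or AVP Inspector: a baseline of CRC32, length and modification time is taken for every file under a directory and stored in a small JSON database; a later check compares the disk against the database and classifies each file. The sample tree, the appended bytes and the newly arriving file are all constructed inside `demo`; the report's `new` list shows the blind spot the text describes, since a file absent from the database cannot be judged at all.

```python
import json
import tempfile
import zlib
from pathlib import Path


def file_crc32(path: Path, chunk_size: int = 65536) -> int:
    """CRC32 of a file's contents, computed in chunks so large files stream."""
    crc = 0
    with path.open("rb") as fh:
        while True:
            block = fh.read(chunk_size)
            if not block:
                break
            crc = zlib.crc32(block, crc)
    return crc & 0xFFFFFFFF


def build_baseline(root: Path) -> dict:
    """Record CRC, length and modification time for every file below root."""
    baseline = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            st = path.stat()
            baseline[path.relative_to(root).as_posix()] = {
                "crc32": file_crc32(path),
                "size": st.st_size,
                "mtime": st.st_mtime,
            }
    return baseline


def save_baseline(baseline: dict, db_path: Path) -> None:
    db_path.write_text(json.dumps(baseline, indent=1))


def load_baseline(db_path: Path) -> dict:
    return json.loads(db_path.read_text())


def check_against_baseline(root: Path, baseline: dict) -> dict:
    """Compare the disk with the stored database and classify every file."""
    report = {"unchanged": [], "modified": [], "missing": [], "new": []}
    current = build_baseline(root)
    for name, stored in baseline.items():
        now = current.get(name)
        if now is None:
            report["missing"].append(name)
        elif now["crc32"] != stored["crc32"] or now["size"] != stored["size"]:
            report["modified"].append(name)
        else:
            report["unchanged"].append(name)
    # files absent from the database cannot be judged: the checker only sees
    # that they are new, which is the weakness the text describes
    report["new"] = [name for name in current if name not in baseline]
    return report


def demo() -> dict:
    """Construct a sample tree, take a baseline, change the tree, re-check."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "disk"
        root.mkdir()
        (root / "app.exe").write_bytes(b"MZ original program body")
        (root / "readme.txt").write_bytes(b"documentation")
        db = Path(tmp) / "crc.db"  # kept outside the scanned tree
        save_baseline(build_baseline(root), db)

        # simulated changes after the baseline was taken:
        # an existing program gains extra bytes, and a new file arrives
        with (root / "app.exe").open("ab") as fh:
            fh.write(b" EXTRA BYTES APPENDED")
        (root / "newfile.exe").write_bytes(b"MZ arrived later")
        return check_against_baseline(root, load_baseline(db))


if __name__ == "__main__":
    for status, names in demo().items():
        print(f"{status:>9}: {', '.join(names) or '-'}")
```

CRC32 is used because it is what the text names; it catches accidental and most ordinary changes, but it is not collision-resistant, so a deliberate modification can be made to preserve it. A present-day integrity checker would compute a cryptographic hash instead, which in this script means replacing `zlib.crc32` in `file_crc32` with `hashlib.sha256`.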

    2.3 Blockers.

    Anti-virus blockers are resident programs that intercept “virus-dangerous” situations and notify the user about it. “Virus-dangerous” include calls to open for writing to executable files, writing to boot sectors of disks or the MBR of a hard drive, attempts by programs to remain resident, etc., that is, calls that are typical for viruses at the moment of reproduction. Sometimes some blocker functions are implemented in resident scanners.

    The advantages of blockers include their ability to detect and stop a virus at the earliest stage of its reproduction, which, by the way, can be very useful in cases where a long-known virus constantly "creeps out of nowhere". Their disadvantages are the existence of ways to bypass blocker protection and a large number of false positives, which, apparently, was the reason users almost completely abandoned this kind of anti-virus program (for example, not a single blocker for Windows 95/NT is known: no demand, no supply).

    It is also necessary to note such a direction of anti-virus tools as anti-virus blockers made in the form of computer hardware components ("hardware"). The most common is the write protection of the hard drive's MBR built into the BIOS. However, as in the case of software blockers, such protection can be easily bypassed by writing directly to the disk controller ports, and launching the DOS utility FDISK immediately causes a "false positive" of the protection.

    There are several more universal hardware blockers, but in addition to the disadvantages listed above, they have problems of compatibility with standard computer configurations and are complex to install and configure. All this makes hardware blockers extremely unpopular compared to other types of antivirus protection.
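The interception rules of a blocker, as an added Python model that is not code from the essay or from any real blocker: a resident blocker hooks the system calls of the machine, while this script represents each intercepted call as a record and applies the three "virus-dangerous" rules the text lists (opening an executable for writing, writing to a boot sector or the MBR, attempting to stay resident). The trace in `SAMPLE_TRACE` is constructed; it includes the legitimate FDISK utility rewriting the MBR so that the false-positive problem the text describes, and the usual answer of prompting the user, are both visible. The `ask_user` callback stands in for that prompt.

```python
from dataclasses import dataclass
from typing import Callable, List

# Constructed model of the calls a blocker intercepts. In a real resident
# blocker these would be interrupt handlers; here they are plain records.
EXECUTABLE_SUFFIXES = (".exe", ".com", ".sys", ".ovl")
BOOT_AREAS = {"MBR", "BOOT_SECTOR"}


@dataclass
class Call:
    process: str      # program making the call
    op: str           # "open_write", "sector_write" or "stay_resident"
    target: str = ""  # file path or disk area, if any


@dataclass
class Verdict:
    dangerous: bool
    reason: str


def classify(call: Call) -> Verdict:
    """Apply the 'virus-dangerous situation' rules listed in the text."""
    if call.op == "open_write" and call.target.lower().endswith(EXECUTABLE_SUFFIXES):
        return Verdict(True, f"{call.process} opens executable {call.target} for writing")
    if call.op == "sector_write" and call.target.upper() in BOOT_AREAS:
        return Verdict(True, f"{call.process} writes to {call.target}")
    if call.op == "stay_resident":
        return Verdict(True, f"{call.process} attempts to stay resident in memory")
    return Verdict(False, "ordinary call")


def run_blocker(calls: List[Call], ask_user: Callable[[Call, Verdict], bool]) -> List[str]:
    """
    Intercept each call in order. Harmless calls pass through; dangerous ones
    are stopped and the user is asked whether to let them continue. Returns
    one outcome string per call.
    """
    outcomes = []
    for call in calls:
        verdict = classify(call)
        if not verdict.dangerous:
            outcomes.append("allowed")
        elif ask_user(call, verdict):
            outcomes.append("allowed by user")  # how false positives get resolved
        else:
            outcomes.append("blocked")
    return outcomes


# Constructed trace: a word processor saving a document, an unknown program
# rewriting the command interpreter, the legitimate FDISK utility rewriting
# the MBR (the false positive the text mentions), and a program going resident.
SAMPLE_TRACE = [
    Call("WORD.EXE", "open_write", r"C:\DOCS\REPORT.DOC"),
    Call("UNKNOWN.EXE", "open_write", r"C:\DOS\COMMAND.COM"),
    Call("FDISK.EXE", "sector_write", "MBR"),
    Call("GAME.COM", "stay_resident"),
]


def demo() -> List[str]:
    """Run the trace with a user who approves only FDISK's MBR write."""
    return run_blocker(SAMPLE_TRACE, lambda call, verdict: call.process == "FDISK.EXE")


if __name__ == "__main__":
    for call, outcome in zip(SAMPLE_TRACE, demo()):
        print(f"{call.process:12} {call.op:13} {call.target:22} -> {outcome} ({classify(call).reason})")
```

Every interception here depends on the user's judgement, which is why the text reports so many false positives: the rules cannot tell FDISK's MBR write from a boot-sector infector's, so the prompt, not the rule, makes the final decision.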

    2.4 Immunizers.

    Immunizers are programs that write code into other programs so that those programs report infection. They usually write this code at the end of files (similar to a file virus) and check the file for changes every time it is run. They have only one drawback, but it is lethal: the absolute inability to report infection with a stealth virus. Therefore, such immunizers, like blockers, are practically not used at present. In addition, many programs developed recently check themselves for integrity and can mistake the code embedded in them for a virus and refuse to work.

      Basic functions of the most common antiviruses.

        Antivirus Dr. Web.

    Dr. Web is an old and deservedly popular antivirus in Russia, which has been helping users fight viruses for several years. New versions of the program (DrWeb32) work on several operating systems, protecting users from more than 17,000 viruses.

    The set of functions is quite standard for an antivirus - scanning files (including those compressed with special programs and archived), memory, boot sectors of hard drives and floppy disks. Trojan programs, as a rule, cannot be cured but must be removed. Unfortunately, email formats are not checked, so it is impossible to know immediately after receiving an email whether the attachment contains a virus. The attachment will have to be saved to disk and checked separately. However, the resident monitor "Spider Guard" supplied with the program allows you to solve this problem on the fly.

    Dr. Web is one of the first programs to implement heuristic analysis, which allows you to detect viruses that are not included in the anti-virus database. The analyzer detects virus-like instructions in a program and marks such a program as suspicious. The anti-virus database is updated via the Internet with one click of a button. The free version of the program does not perform heuristic analysis and does not disinfect files.

        Kaspersky Anti-Virus.

    Inspector monitors all changes in your computer and, if unauthorized changes are detected in files or in the system registry, allows you to restore the contents of the disk and remove malicious codes. Inspector does not require updates to the anti-virus database: integrity control is carried out based on taking original file fingerprints (CRC sums) and their subsequent comparison with modified files. Unlike other inspectors, Inspector supports all the most popular executable file formats.

    The heuristic analyzer makes it possible to protect your computer even from unknown viruses.

    The Monitor background virus interceptor, which is constantly present in the computer’s memory, conducts an anti-virus scan of all files immediately at the time they are launched, created or copied, which allows you to control all file operations and prevent infection by even the most technologically advanced viruses.

    Anti-virus filtering of email prevents viruses from entering your computer. The Mail Checker plug-in not only removes viruses from the body of an email, but also completely restores the original content of emails. A comprehensive scan of email correspondence does not allow a virus to hide in any element of an email, since it scans all areas of incoming and outgoing messages, including attached files (including archived and packaged ones) and nested messages of any nesting level.

    The Scanner anti-virus scanner makes it possible to conduct a full-scale scan of the entire contents of local and network drives on demand.

    The Script Checker script virus interceptor provides anti-virus scanning of all running scripts before they are executed.

    Support for archived and compressed files provides the ability to remove malicious code from an infected compressed file.

    Isolation of infected objects ensures the isolation of infected and suspicious objects and their subsequent movement to a specially organized directory for further analysis and recovery.

    Automation of anti-virus protection allows you to create a schedule and order of operation of program components; automatically download and connect new anti-virus database updates via the Internet; send warnings about detected virus attacks by email, etc.

        Antivirus Antiviral Toolkit Pro.

    Antiviral Toolkit Pro is a Russian product that has earned popularity abroad and in Russia due to its extensive capabilities and high reliability. There are versions of the program for most popular operating systems; the anti-virus database contains about 34,000 viruses.

    There are several delivery options: AVP Lite, AVP Gold and AVP Platinum. The most complete version comes with three products: a scanner, a resident monitor and a control center. The scanner allows you to check files and memory for viruses and Trojans. It scans packaged programs, archives and mail databases (Outlook folders, etc.) and performs heuristic analysis to search for new viruses not included in the database. The monitor checks every opened file for viruses "on the fly" and warns about virus danger, while simultaneously blocking access to the infected file. The Control Center allows you to schedule anti-virus scans and update databases via the Internet. The demo version lacks the ability to disinfect infected objects, scan packaged and archived files, and perform heuristic analysis.

        Norton AntiVirus 2000.

    Norton AntiVirus is based on another popular product, the AtGuard (@guard) personal firewall from WRQ Soft. Applying Symantec's technological power to it produced an integrated product with significantly expanded functionality. The core of the system is still the firewall. It works very effectively without configuration, practically without interfering with everyday use of the network, while blocking attempts to reboot or freeze the computer, gain access to files and printers, or establish communication with Trojan programs on the computer.

    Norton AntiVirus is the only firewall reviewed that implements the capabilities of this method of protection 100%. All types of packets traveling over the network are filtered, including service packets (ICMP), and the firewall's rules can take into account which application is working with the network, what kind of data is transferred and to which computer, and at what time of day this happens.

    To preserve confidential data, a firewall can block email addresses, browser types, and cookies from being sent to web servers. The Confidential Information Filter warns about an attempt to send unencrypted information to the network that the user has entered and marked as confidential.

    Active content on web pages (Java applets, scripts, etc.) can also be blocked using Norton AntiVirus - the content filter can cut unsafe elements from the text of web pages before they reach the browser.

    As an additional service not directly related to security issues, Norton AntiVirus offers a very convenient filter for advertising banners (those annoying pictures are simply cut out of the page, which speeds up its loading), as well as a parental control system. By prohibiting visits to certain categories of sites and the launch of certain types of Internet applications, you can be fairly calm about the network content that is accessible to children.

    In addition to the firewall capabilities, Norton AntiVirus offers the user the protection of the Norton Antivirus program. This popular anti-virus application with regularly updated anti-virus databases allows you to quite reliably detect viruses at the earliest stages of their appearance. All files downloaded from the network, files attached to email, and active elements of web pages are scanned for viruses. In addition, Norton Antivirus has an anti-virus scanner and monitor that provide system-wide protection against viruses without being tied to network access.

    Conclusion:

    Getting acquainted with the literature, I achieved my goal and made the following conclusions:

      An antivirus program (antivirus) is a program for detecting computer viruses, as well as unwanted (considered malicious) programs in general, and restoring files infected (modified) by such programs, as well as for prevention, i.e. preventing infection (modification) of files or the operating system with malicious code (for example, through vaccination);

      there are no antiviruses that guarantee 100% protection against viruses;

      The most popular and effective antivirus programs are antivirus scanners (other names: phage, polyphage, doctor program). Following them in terms of efficiency and popularity are CRC scanners (also: auditor, checksumer, integrity checker). Often both of these methods are combined into one universal antivirus program, which significantly increases its power. Various types of blockers and immunizers are also used.


    Information security tools (test)

    1. Protection of information from unauthorized access. Anti-virus information protection tools

    The task of protecting information stored in computer systems from unauthorized access is very relevant. To solve this problem, a whole range of tools is used, including technical, software and hardware tools and administrative measures for protecting information.

    Unauthorized access to information is the unplanned access to, processing, copying or use of information, the use of various viruses, including those that destroy software products, as well as the modification or destruction of information in violation of established access control rules.

    An information security system is an organized set of special legislative and other regulations, bodies, services, methods, measures and means that ensure the security of information from internal and external threats.

    There are three main areas in protecting information from unauthorized access:

    The first is focused on preventing the intruder from accessing the computing environment and is based on special technical means of user identification;

    The second is related to the protection of the computing environment and is based on the creation of special software for information security;

    The third direction is related to the use of special means of protecting information from unauthorized access.

    A means of protecting information from unauthorized access is a technical, cryptographic, software and other means designed to protect information, the means in which it is implemented, as well as a means of monitoring the effectiveness of information protection.

    Information security means are divided into:

    1. Physical: various engineering means and structures that impede or exclude physical penetration (or access) by offenders to the objects of protection and to material media of confidential information.

    2. Hardware: mechanical, electrical, electronic and other devices designed to protect information from leakage, disclosure, modification and destruction, as well as to counteract technical intelligence means.

    3. Software: special programs for computers that implement the functions of protecting information from unauthorized access, familiarization, copying, modification, destruction and blocking.

    4. Cryptographic: technical and software means of data encryption, based on the use of a variety of mathematical and algorithmic methods.

    5. Combined: the combined implementation of hardware, software and cryptographic methods of information protection.

    Various software methods significantly expand the ability to ensure the security of stored information.

    Among the standard protective tools for a personal computer, the most widely used are:

    Tools for protecting computing resources that use password identification and limit access to unauthorized users;

    Application of various encryption methods that do not depend on the context of the information;

    Copy protection tools for commercial software products;

    Protection against computer viruses;

    Creation of archives.

    A computer virus is a program capable of spontaneously injecting itself and introducing copies of itself into other programs, files, system areas of the computer and into computer networks, in order to create all kinds of interference with the work on the computer.

    Basic measures to protect against viruses: equipping your computer with an anti-virus program, constantly updating the anti-virus databases, and keeping archival copies of valuable information.

    Antivirus program (antivirus) is a program for detecting computer viruses, as well as unwanted (considered malicious) programs in general and restoring files infected (modified) by such programs, as well as for prevention - preventing infection (modification) of files or the operating system with malicious code ( for example, through vaccination).

    Antivirus software consists of routines that attempt to detect, prevent, and remove computer viruses and other malicious software.

    Antivirus software typically uses two distinct methods:

    scanning files to search for known viruses that match the definition in anti-virus databases

    detection of suspicious behavior of any program, similar to the behavior of an infected program.

    The main methods for detecting computer viruses include the following:

    method of comparison with the standard;

    heuristic analysis;

    antivirus monitoring;

    change detection method;

    embedding antiviruses into the computer's BIOS, etc.

    Method of comparison with the standard. The simplest detection method is to use so-called masks to search for known viruses. The mask of a virus is some constant sequence of code specific to this particular virus. The anti-virus program sequentially views (scans) the scanned files in search of masks of known viruses. Anti-virus scanners can only find already known viruses for which a mask has been defined. If the virus does not contain a permanent mask or the length of this mask is not long enough, then other methods are used. The use of simple scanners does not protect your computer from the penetration of new viruses. For encrypting and polymorphic viruses that can completely change their code when infecting a new program or boot sector, it is impossible to select a mask, so anti-virus scanners do not detect them.

    Heuristic analysis. In order to reproduce, a computer virus must perform some specific actions: copying into memory, writing to sectors, etc. The heuristic analyzer (which is part of the anti-virus kernel) contains a list of such actions and checks programs and boot sectors of disks and floppy disks, trying to detect code typical of viruses in them. A heuristic analyzer can detect, for example, that the program being tested installs a resident module in memory or writes data to the program's executable file. Having detected an infected file, the analyzer usually displays a message on the monitor screen and makes an entry in its own or system log. Depending on the settings, the antivirus may also send a message about the detected virus to the network administrator. Heuristic analysis allows you to detect previously unknown viruses. Almost all modern antivirus programs implement their own heuristic analysis methods.

    Antivirus monitoring. The essence of this method is that an anti-virus program is constantly located in the computer's memory, monitoring all suspicious actions performed by other programs. Anti-virus monitoring allows you to scan all launched programs; created, opened and saved documents; and program files and documents received via the Internet or copied to the hard drive from a floppy disk or CD. The antivirus monitor will notify the user if any program attempts to perform a potentially dangerous action.

    Change detection method. When implementing this method, anti-virus programs called disk auditors first remember the characteristics of all areas of the disk that may be attacked, and then periodically check them. When infecting a computer, the virus changes the contents of the hard drive: for example, it adds its code to a program or document file, adds a call to the virus program to the AUTOEXEC.BAT file, changes the boot sector, or creates a satellite file. By comparing the characteristic values of disk areas, an antivirus program can detect changes made by both known and unknown viruses.

    Embedding antiviruses into the computer's BIOS. Computer motherboards are equipped with the simplest means of protection against viruses. These tools allow you to control all access to the master boot record of hard disks, as well as to the boot sectors of disks and floppy disks. If any program tries to change the contents of boot sectors, the protection is triggered and the user receives a corresponding warning. However, this protection is not very reliable. There are known viruses that try to disable BIOS anti-virus control by changing some cells in the non-volatile memory (CMOS memory) of the computer.

    Here are the results of a survey conducted by WEBCITY Business Network last quarter. More than 7,000 people took part in the survey (Internet). Survey results:

    [Chart: "The best antivirus for home and office in 2010"; the chart itself is not reproduced in this text.]


    Antivirus programs are widely used to combat virus programs. Let's look at the main classes of antivirus programs.

    • Software integrity checking programs.

    This class allows you to calculate the checksum (called signature) of each user program. Before executing the program, the calculated checksum value is compared with the one recorded for protected copies of the program. Such programs cannot prevent infection, but they provide the user with valuable information about infected or modified programs.

    • Control programs.

    Programs of this class use the computer's interrupt mode. If a program notices something that the author of the anti-virus considered suspicious, it interrupts the operation of the computer and gives the operator a recommendation on further actions.

    • Virus removal programs.

    Such programs check magnetic disks for the presence of known viruses only. Having detected a virus, they report it to the operator or remove the virus.

    • Backup copies.

    Keeping copies of programs is a method of protection, but it does not guarantee the absence of viruses.

    • There are mixed antivirus programs, combining the properties of programs of the classes listed above.

    To date, no method has been found that provides complete guarantee of protection against the virus. Among the promising methods being developed, the following can be noted:

    • adaptive and self-learning methods;
    • intellectual methods;
    • hardware methods.

    Adaptive and self-learning tools are tools that automatically expand the list of viruses they resist. These include tools with constantly updated virus databases.

    Intelligent methods are methods based on logical inference systems. Their essence comes down to determining the algorithm a program implements from its code, and thus identifying programs that carry out unauthorized actions. This is a promising method, but it requires enormous resources.

    Hardware methods are an additional strengthening of the protection system. They are used in special applications and have not yet become widespread, because their use limits the capabilities of the system.

    Systematic approach to security

    Building and maintaining a secure system requires a systematic approach. This approach requires awareness of the full spectrum of possible threats to the specific network and, for each of these threats, a thought-out tactic for repelling it. In this fight it is necessary to use various means and techniques: moral and ethical, legislative, administrative, psychological, and the protective capabilities of network software and hardware.

    Moral and ethical means include all kinds of norms that have developed as computing tools have spread.

    Legislative means are laws, government regulations, presidential decrees, regulatory acts and standards that regulate the rules for the use and processing of restricted-access information and introduce penalties for violations of these rules.

    Administrative measures are actions taken by the management of an enterprise or organization to ensure organizational security (job descriptions that strictly define the procedure for working with confidential information on a computer, rules for the purchase of security equipment by the enterprise, etc.).

    Psychological security measures can play a significant role in enhancing system security. Neglecting psychological aspects in informal security-related procedures can lead to security violations.

    Physical protection means include shielding of premises to protect against radiation (emanations), checking supplied equipment for compliance with its specifications and for the absence of hardware “bugs”, external surveillance equipment, devices that block physical access to individual computer units, and various locks and other equipment that protect the premises where information media are located from illegal entry.

    Technical information security means are implemented by the software and hardware of computer networks. Such means are called network security services. The range of protection tasks they solve is varied (access control, auditing, information encryption, anti-virus protection, network traffic monitoring, etc.). Technical security means can either be built into the software (OS, applications) and hardware (computers and communications equipment) that support the network, or be implemented as separate products created specifically to solve security problems.

    Security Policy

    An information security policy determines what information should be protected and from whom, what damage a successfully implemented threat may cause, and by what means protection is provided. When forming a security policy, the specialists responsible for system security must take into account several basic principles:

    • Providing each employee of the enterprise with the minimum level of access privileges to data that he needs to perform his official duties.
    • Using an integrated approach to ensuring security. This implies the use of a variety of security measures, from organizational and administrative restrictions to protection built into network equipment.
    • When using a multi-level protection system, it is important to ensure a balance of protection reliability at all levels.
    • The use of means that, upon failure, go into the state of maximum protection. This applies to a wide variety of security features.
    • The principle of a single checkpoint: all traffic entering the internal network and leaving for the external network must pass through a single network node, for example, a firewall. Only this allows traffic to be controlled sufficiently.
    • The principle of balancing the possible damage from the implementation of a threat against the cost of preventing it. No security system guarantees 100% data protection, because it is the result of a compromise between possible risks and possible costs.

    When defining a security policy for a network with Internet access, it is recommended to divide the task into two parts: develop an access policy network services Internet and develop a policy for access to resources on the company’s internal network.

    Internet Network Services Access Policy:

    • Define a list of Internet services to which internal network users should have limited access.
    • Define restrictions on access methods, such as the use of SLIP and PPP protocols.
    • Decide whether external users from the Internet are allowed to access the internal network.

    The policy for access to resources on a company's internal network can be expressed in one of two principles:

    • Prohibit everything that is not expressly permitted;
    • Allow everything that is not explicitly prohibited.
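    As an added illustration (not part of the original text and not any product's code), here is a small model in Python of the two stances above, together with the earlier principle that a failing protection component should go into the state of maximum protection. The Rule class, the rule set and the service names are assumptions made for the example:

```python
"""Model of the two policy stances for a network with Internet access.

Added illustration, not part of the original text or of any product: the Rule
format, the rule set and the service names are assumptions made for the example.
"""
from dataclasses import dataclass
from typing import Iterable, Optional

DENY, ALLOW = "deny", "allow"


@dataclass(frozen=True)
class Rule:
    service: str    # e.g. "http", "smtp"; "*" matches any service
    direction: str  # "out": internal user -> Internet, "in": Internet -> internal network
    action: str     # ALLOW or DENY


# Constructed sample policy: a short list of expressly permitted outbound
# services and a blanket rule that external users may not enter the network.
SAMPLE_RULES = [
    Rule("http", "out", ALLOW),
    Rule("smtp", "out", ALLOW),
    Rule("ftp", "out", ALLOW),
    Rule("*", "in", DENY),
]


def first_match(rules: Iterable[Rule], service: str, direction: str) -> Optional[Rule]:
    """Return the first rule whose service and direction match, or None."""
    for rule in rules:
        if rule.direction == direction and rule.service in (service, "*"):
            return rule
    return None


def decide(rules: Iterable[Rule], service: str, direction: str, default: str = DENY) -> str:
    """Evaluate an access request against the policy.

    default=DENY implements "prohibit everything that is not expressly permitted";
    default=ALLOW implements "allow everything that is not explicitly prohibited".
    Whatever the default, an error while evaluating the policy (a corrupt rule,
    an unreadable rule store) yields DENY: the checkpoint fails into the state of
    maximum protection instead of silently passing traffic.
    """
    try:
        rule = first_match(rules, service, direction)
        return rule.action if rule is not None else default
    except Exception:
        return DENY


def compare_stances(rules: Iterable[Rule], service: str, direction: str) -> dict:
    """Show how the same request fares under both stances."""
    rules = list(rules)
    return {"default_deny": decide(rules, service, direction, DENY),
            "default_allow": decide(rules, service, direction, ALLOW)}


if __name__ == "__main__":
    # An unlisted service (news via NNTP) is the case where the two stances differ.
    print(compare_stances(SAMPLE_RULES, "nntp", "out"))
```

    The only request on which the stances disagree is one the policy never mentions; under the first stance such a request is refused until someone writes a rule for it, which is why that stance is the usual choice for the checkpoint between the internal network and the Internet.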

    One of the conditions for safe work in an information system is the user’s compliance with a number of rules that have been tested in practice and have shown to be highly effective. There are several of them:

    1. Use of software products obtained through legal, official means. The likelihood of a pirated copy containing a virus is many times higher than that of officially obtained software.
    2. Duplication of information. First of all, it is necessary to save the software distribution media. In this case, writing to media that allows this operation should be blocked, if possible. Particular care should be taken to preserve working information. It is preferable to regularly create copies of work files on removable computer storage media with write protection. Either the entire file or only the changes made are copied. The last option is applicable, for example, when working with databases.
    3. Regular system software updates. The operating system must be updated regularly and all security patches from Microsoft and other manufacturers must be installed to address existing software vulnerabilities.
    4. Restricting user access to operating system settings and system data. To ensure stable operation of the system, it is often necessary to limit user capabilities, which can be done either with built-in Windows tools or with specialized programs designed to control access to the computer.

      In corporate networks, group policies on a Windows domain network can be used.

    5. To make the most efficient use of network resources, it is necessary to restrict the access of authorized users to internal and external network resources and to block access for unauthorized users.
    6. Regular use of antivirus products. Before starting work, it is advisable to run scanner programs and audit programs. Anti-virus databases must be updated regularly. In addition, anti-virus monitoring of network traffic must be carried out.
    7. Protection against network intrusions is ensured by software and hardware, including firewalls, intrusion detection/prevention systems (IDS/IPS, Intrusion Detection/Prevention System) and VPN (Virtual Private Network) technologies.
    8. Use of authentication and cryptography: passwords (simple/complex/non-repeating) and encryption methods. It is not recommended to use the same password on different resources or to disclose information about passwords. When entering a password on a website, you should be especially careful not to enter it on a fraudulent duplicate of the site.
    9. Particular care should be taken when using new (unknown) removable storage media and new files. New removable media must be checked for the absence of boot and file viruses, and received files must be checked for file viruses. When working in distributed or shared-use systems, it is advisable to check new removable storage media and files entering the system on computers specially designated for this purpose that are not connected to the local network. Only after a comprehensive anti-virus scan of disks and files can they be transferred to system users.
    10. When working with documents and spreadsheets received (for example, by email), it is advisable to prohibit the execution of macro commands by the means built into text and spreadsheet editors (MS Word, MS Excel) until a full check of these files has been completed.
    11. If you do not intend to write information to external media, this operation should be blocked, for example, by disabling the USB ports in software.
    12. When working with shared resources in open networks (for example, the Internet), use only trusted network resources that do not contain malicious content. You should not trust all information coming to your computer: emails, links to Web sites, instant messenger messages. It is strictly not recommended to open files and links coming from an unknown source.

    Constantly following these recommendations can significantly reduce the likelihood of infection by software viruses and protects the user from irretrievable loss of information. However, even if all prevention rules are scrupulously followed, the possibility of PC infection by computer viruses cannot be completely excluded, therefore methods and means of countering malware must be constantly improved and maintained in working order.

    Anti-virus information protection tools

    The massive spread of malicious software and the serious consequences of its impact on information systems and networks have necessitated the development and use of special antivirus agents and methods of their application.

    It should be noted that there are no anti-virus tools that guarantee the detection of all possible virus programs.

    Antivirus tools are used to solve the following problems:

    • malware detection in information systems;
    • blocking malware;
    • eliminating the consequences of malware.

    It is advisable to detect malware at the stage of its introduction into the system or, at least, before it begins to carry out destructive actions. If such software or its activity is detected, it is necessary to immediately stop the virus program in order to minimize the damage from its impact on the system.

    Elimination of the effects of viruses is carried out in two directions:

    • virus removal;
    • recovery (if necessary) of files, memory areas.

    The procedure for removing detected malicious code from an infected system must be performed extremely carefully. Often viruses and Trojans take special actions to hide the fact of their presence in the system, or are embedded in it so deeply that the task of destroying it becomes quite non-trivial.

    System recovery depends on the type of virus, as well as the time of its detection in relation to the onset of destructive actions. In the event that a virus program is already running on the system and its activity involves changing or deleting data, restoring information (especially if it is not duplicated) may be impossible. To combat viruses, software and firmware are used that are used in a certain sequence and combination, forming methods of protection against malware.

    The following virus detection methods are known and are actively used by modern antivirus tools:

    • scanning;
    • change detection;
    • heuristic analysis;
    • use of resident guards;
    • use of software and hardware protection against viruses.

    Scanning is one of the simplest methods of detecting viruses. It is carried out by a scanner program that searches files for the identifying part of the virus, its signature. A signature is a unique sequence of bytes that belongs to a specific virus and is not found in other programs.

    The program detects the presence of already known viruses for which a signature has been defined. To use antivirus programs based on the scanning method effectively, information about new viruses must be updated regularly.

    The change detection method is based on the use of audit programs that monitor changes to files and disk sectors on the computer. Any virus somehow changes the system data on the disk. For example, the boot sector may change, a new executable file may appear or an existing one may change, etc.

    As a rule, anti-virus audit programs determine and store in special files images of the master boot record, boot sectors of logical disks, characteristics of all controlled files, directories and numbers of defective disk clusters. Periodically, the auditor checks the current state of disk areas and the file system, compares it with the previous state and immediately issues messages about any suspicious changes.

    The main advantage of the method is the ability to detect viruses of all types, as well as new unknown viruses.

    This method also has disadvantages. Using audit programs, it is impossible to detect a virus in files that enter the system already infected. Viruses will only be detected after they have multiplied in the system.

    Heuristic analysis, like the change detection method, allows you to detect unknown viruses, but does not require preliminary collection, processing and storage of information about the file system.

    Heuristic analysis in anti-virus programs is based on signatures and a heuristic algorithm designed to improve the ability of scanner programs to apply signatures and recognize modified versions of viruses in cases where the code of an unknown program does not completely match a signature, but the suspicious program clearly shows more general signs of a virus or its behavioral model. When such code is detected, a message about a possible infection is displayed. After receiving such a message, you must carefully scan the supposedly infected files and boot sectors with all available anti-virus tools.

    The disadvantage of this method is the large number of false positives of antivirus tools in cases where a legal program contains fragments of code that perform actions and/or sequences characteristic of some viruses.

    The resident guard method is based on programs that are constantly present in the RAM of the device (computer) and monitor all actions performed by other programs. If a program performs suspicious actions typical of viruses (attempting to write to boot sectors, placing resident modules in RAM, attempting to intercept interrupts, etc.), the resident guard issues a message to the user.

    The use of anti-virus programs with a resident guard reduces the likelihood of viruses running on the computer, but it should be taken into account that the constant use of RAM resources for resident programs reduces the amount of memory available for other programs.

    Today, one of the most reliable mechanisms for protecting information systems and networks is software and hardware, as a rule, including not only anti-virus systems, but also providing additional services. This topic is discussed in detail in the section "Hardware and software for ensuring the security of information networks."

    The material carrier of information security is specific software and hardware solutions, which are combined into complexes depending on the purposes of their application. Organizational measures are secondary to the existing material basis for ensuring information security, therefore in this section of the manual the main attention will be paid to the principles of constructing basic software and hardware solutions and the prospects for their development.

    A threat to the interests of subjects of information relations is usually understood as a potential event, process or phenomenon that, through its impact on information or other components of the IRF, can directly or indirectly lead to damage to the interests of these subjects.

    Due to the characteristics of modern IRFs, there is a significant number of different types of security threats to subjects of information relations.

    One common type of threat is computer viruses. They are capable of causing significant damage to the IRF. Therefore, it is important not only to protect the network or individual means of information exchange from viruses, but also for users to understand the principles of anti-virus protection.

    In our country, the most popular anti-virus packages are Kaspersky Anti-Virus and DrWeb. There are also other programs, such as McAfee Virus Scan and Norton AntiVirus. Information in this subject area changes quickly, so additional information on virus protection can be found on the Internet by searching for the keywords “virus protection”.

    It is known that it is impossible to achieve 100% protection of a PC from computer viruses using individual software. Therefore, to reduce the potential danger of introducing computer viruses and their spread through the corporate network, an integrated approach is required, combining various administrative measures, software and hardware anti-virus protection, as well as backup and recovery tools. Focusing on software and hardware, we can distinguish three main levels of anti-virus protection:

    • Search for and destruction of known viruses;

    • Search for and destruction of unknown viruses;

    • Blocking the manifestation of viruses.

    The levels and means of anti-virus protection are schematically presented in Fig. 2.1.

    Fig. 2.1. Levels and means of anti-virus protection

    2.1.1. Protection against known viruses

    When searching for and destroying known viruses, the most common method is scanning. This method consists of identifying computer viruses by a unique fragment of their program code (signature, software strain). To do this, a scanning database is created containing code fragments of known computer viruses. Virus detection is carried out by comparing data in computer memory with the codes stored in the scanning database. If a new virus code is detected and identified, its signature can be entered into the scanning database. Since the signature is known, it is possible to correctly restore (disinfect) infected files and areas. It should be added that some systems do not store the signatures themselves, but, for example, checksums or signature prefixes.

    Antivirus programs that detect known computer viruses are called scanners or detectors. Programs that also include functions for recovering infected files are called polyphages (phages), doctors or disinfectors. Scanners are customarily divided into:

    • Transit scanners, periodically launched to identify and eliminate viruses;

    • Resident scanners (permanently located in RAM), checking specified areas of system memory when events associated with them occur (for example, checking a file when it is copied or renamed).

    The disadvantages of scanners include the fact that they can detect only those viruses that have already penetrated computer systems, have been studied, and for which a signature has been determined. For scanners to work efficiently, the scanning database must be replenished promptly. However, as the size of the scanning database and the number of different types of viruses searched for increase, the speed of anti-virus scanning decreases. Of course, if the scanning time approaches the recovery time, the need for anti-virus control may become less relevant.

    Some viruses (mutants and polymorphic) encode or modify their program code. This makes it difficult or impossible to extract a signature and, therefore, detect viruses by scanning.

    To identify these masquerading viruses, special methods are used. These include the processor emulation method. The method involves simulating the processor's execution of a program and feeding the virus fictitious control resources. The virus, deceived in this way and under the control of the antivirus program, decrypts its code. After this, the scanner compares the decrypted code with codes from its scanning database.
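    An added example, written for this section rather than taken from any antivirus product, showing in Python how the scanning method works with a database that stores only signature prefixes and checksums, and how a toy stand-in for processor emulation exposes an encoded body to the same scan. The signatures, the sample data and the XORSTUB encoded-sample format are constructed for the example:

```python
"""Signature scanner with a prefix-indexed database and a toy stand-in for
processor emulation.

Added illustration written for this text; it is not the code of any antivirus
product. The signatures, the sample files and the "XORSTUB" encoded-sample
format are all constructed for the example.
"""
import hashlib
from typing import Dict, List, Tuple

PREFIX_LEN = 4

# Constructed sample signatures: arbitrary byte strings, not real virus code.
SAMPLE_SIGNATURES: Dict[str, bytes] = {
    "Demo.Sample.A": b"\xde\xad\xbe\xef-SAMPLE-BODY-A",
    "Demo.Sample.B": b"CONSTRUCTED-MARKER-B-0042",
}

# database: prefix -> list of (name, full length, SHA-256 of the full signature)
Database = Dict[bytes, List[Tuple[str, int, str]]]


def build_database(signatures: Dict[str, bytes]) -> Database:
    """Index signatures by their first PREFIX_LEN bytes.

    As the text notes, some scanners keep checksums or prefixes rather than the
    signatures themselves: here only the prefix, the length and a SHA-256 digest
    of each signature are stored, and the full bytes never leave this function.
    """
    db: Database = {}
    for name, sig in signatures.items():
        if len(sig) < PREFIX_LEN:
            raise ValueError(f"signature {name} shorter than PREFIX_LEN")
        entry = (name, len(sig), hashlib.sha256(sig).hexdigest())
        db.setdefault(sig[:PREFIX_LEN], []).append(entry)
    return db


def scan_bytes(data: bytes, db: Database) -> List[str]:
    """Slide over the data; on a prefix hit, confirm the full signature by digest."""
    hits = set()
    for i in range(len(data) - PREFIX_LEN + 1):
        for name, length, digest in db.get(data[i:i + PREFIX_LEN], ()):
            window = data[i:i + length]
            if len(window) == length and hashlib.sha256(window).hexdigest() == digest:
                hits.add(name)
    return sorted(hits)


# Toy "encrypted sample" format standing in for a polymorphic decryptor:
# a fixed stub, one key byte, then the body XOR-ed with that key.
STUB_MAGIC = b"XORSTUB"


def make_encoded_sample(body: bytes, key: int) -> bytes:
    """Build a test fixture in the toy format (constructed, for the demonstration only)."""
    return STUB_MAGIC + bytes([key]) + bytes(b ^ key for b in body)


def emulate_decryptor(data: bytes) -> bytes:
    """Stand-in for processor emulation: run the stub's own logic under the
    scanner's control (here: the XOR loop) so the decoded body can be scanned."""
    if not data.startswith(STUB_MAGIC) or len(data) <= len(STUB_MAGIC):
        return data
    key = data[len(STUB_MAGIC)]
    return bytes(b ^ key for b in data[len(STUB_MAGIC) + 1:])


def scan(data: bytes, db: Database) -> List[str]:
    """Plain scan first; if the sample carries the stub, scan the emulated body too."""
    hits = set(scan_bytes(data, db))
    if data.startswith(STUB_MAGIC):
        hits.update(scan_bytes(emulate_decryptor(data), db))
    return sorted(hits)


if __name__ == "__main__":
    db = build_database(SAMPLE_SIGNATURES)
    encoded = make_encoded_sample(b"junk" + SAMPLE_SIGNATURES["Demo.Sample.B"], 0x5A)
    print("plain scan:", scan_bytes(encoded, db))   # misses the encoded body
    print("with emulation:", scan(encoded, db))      # finds Demo.Sample.B
```

    The prefix index is what keeps a large database from slowing the scan down linearly: most positions in a file miss the dictionary and cost one lookup, and the digest comparison runs only on prefix hits. The encoded fixture illustrates the limitation the text describes: the plain scan sees nothing, and only the emulated body matches.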

    2.1.2. Protection against unknown viruses

    Identification and elimination of unknown viruses are necessary to protect against viruses missed by the first level of anti-virus protection. The most effective method is monitoring system integrity (change detection). This method consists of checking and comparing the current parameters of the computing system with reference parameters corresponding to its uninfected state. Clearly, integrity control is not the prerogative of the anti-virus protection system alone: it protects information resources from unauthorized modification and deletion resulting from various kinds of illegitimate influences, failures and malfunctions of the system and its environment.

    To implement these functions, programs called auditors are used. An auditor's work consists of two stages: recording the reference characteristics of the computing system (mainly the disk) and periodically comparing them with the current characteristics. Commonly monitored characteristics are the checksum, length, timestamp and read-only attribute of files, the directory tree, failed clusters and disk boot sectors. In network systems, average statistical parameters of the functioning of subsystems (in particular, the historical profile of network traffic) can be accumulated and compared with current parameters.

    Auditors, like scanners, are divided into transit and resident. The disadvantages of auditors, primarily resident ones, include the various inconveniences and difficulties they create in the user's work. For example, many changes in system parameters are caused not by viruses but by the operation of system programs or the actions of the user or programmer. For the same reason, auditors do not monitor text files, which change constantly. Thus, some balance must be maintained between ease of use and control of system integrity.

    Auditors provide a high level of detection of unknown computer viruses, but they do not always treat infected files correctly. To treat files infected with unknown viruses, the standard characteristics of the files and the expected methods of infection are usually used.
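    The auditor's two stages described above, and the integrity checking programs from the list of antivirus classes earlier in the section, as an added Python example (not the code of any product). The directory tree, file names and contents in demo() are constructed; skipping .txt and .log files is an assumed stand-in for the remark that auditors do not monitor constantly changing text files, and boot sectors and bad clusters, which need raw disk access, are left out:

```python
"""Auditor (integrity checker): record reference characteristics of files,
then compare the current state against them.

Added illustration written for this text, not the code of any antivirus product.
The directory layout, file names and contents in demo() are constructed; the
choice to skip .txt and .log files stands in for the text's remark that auditors
do not monitor constantly changing text files. Boot-sector and bad-cluster
snapshots need raw disk access and are not included.
"""
import hashlib
import json
import stat
import tempfile
from pathlib import Path
from typing import Dict, List

# Suffixes of constantly changing files that the auditor does not monitor (assumption).
EXCLUDED_SUFFIXES = {".txt", ".log"}
# Characteristics whose change is reported; mtime is recorded but not alarmed on,
# because legitimate tools touch it constantly.
WATCHED = ("sha256", "length", "read_only")
Record = Dict[str, object]


def file_record(path: Path) -> Record:
    """Reference characteristics of one file: checksum, length, time, read-only flag."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    st = path.stat()
    return {"sha256": digest.hexdigest(), "length": st.st_size,
            "mtime": int(st.st_mtime), "read_only": not (st.st_mode & stat.S_IWUSR)}


def snapshot(root: Path) -> Dict[str, Record]:
    """Record every monitored file under root, keyed by its relative POSIX path."""
    records: Dict[str, Record] = {}
    for path in sorted(root.rglob("*")):
        if path.is_file() and path.suffix not in EXCLUDED_SUFFIXES:
            records[path.relative_to(root).as_posix()] = file_record(path)
    return records


def save_baseline(root: Path, baseline_file: Path) -> None:
    """Stage one: write the reference state. Keep this file on write-protected or
    offline media; otherwise whatever changes the files can also update the baseline."""
    baseline_file.write_text(json.dumps(snapshot(root), indent=1, sort_keys=True))


def compare(baseline: Dict[str, Record], current: Dict[str, Record]) -> Dict[str, object]:
    """Stage two: report changed, added and removed files."""
    changed: Dict[str, List[str]] = {}
    for name in sorted(set(baseline) & set(current)):
        diffs = [k for k in WATCHED if baseline[name][k] != current[name][k]]
        if diffs:
            changed[name] = diffs
    return {"changed": changed,
            "added": sorted(set(current) - set(baseline)),
            "removed": sorted(set(baseline) - set(current))}


def demo() -> Dict[str, object]:
    """Run both stages on a constructed directory tree and return the report."""
    with tempfile.TemporaryDirectory() as tmp, tempfile.TemporaryDirectory() as store:
        root = Path(tmp)
        (root / "bin").mkdir()
        (root / "bin" / "app.exe").write_bytes(b"MZ constructed program image")
        (root / "bin" / "lib.dll").write_bytes(b"constructed library image")
        (root / "notes.txt").write_text("scratch text that changes all the time")
        baseline_file = Path(store) / "baseline.json"   # kept off the monitored tree
        save_baseline(root, baseline_file)
        baseline = json.loads(baseline_file.read_text())
        # What a later check might find: one program grew (bytes appended), a new
        # executable appeared, and the excluded text file was edited.
        with (root / "bin" / "app.exe").open("ab") as fh:
            fh.write(b" appended bytes")
        (root / "bin" / "dropped.exe").write_bytes(b"constructed new file")
        (root / "notes.txt").write_text("edited scratch text")
        return compare(baseline, snapshot(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=1))
```

    The report names the file and which characteristics moved, which is what lets an operator tell an appended code section (checksum and length) from a changed attribute alone; an edited text file that the auditor was told to ignore produces no alarm.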

    A type of system integrity monitoring is a software self-monitoring method called vaccination. The idea of the method is to attach a module (vaccine) to the protected program that checks the characteristics of the program, usually its checksum.

    In addition to statistical integrity monitoring methods, heuristic methods are used to identify unknown and masquerading viruses. They make it possible to identify, based on known signs (defined in the system knowledge base), some camouflaged or newly modified viruses of known types. An example of a virus sign is code that installs a resident module in memory, changes interrupt table parameters, etc. The software module that implements a heuristic method of detecting viruses is called a heuristic analyzer. An example of a scanner with a heuristic analyzer is the Dr Web program from Dialog-Nauka.

    The disadvantages of heuristic analyzers include errors of the 1st and 2nd kind: false positives and missed viruses. The ratio between these errors depends on the level of heuristics.
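    An added Python sketch (not any product's analyzer) of how errors of the 1st and 2nd kind trade off against the level of heuristics. The marker strings are constructed stand-ins for the signs named above (resident module, interrupt table changes, MBR writes), the samples are constructed, and the entropy threshold is an assumed value:

```python
"""Heuristic analyzer sketch showing errors of the 1st and 2nd kind and how the
"level of heuristics" shifts their ratio.

Added illustration written for this text, not the analyzer of any product. The
byte-string markers stand in for real signs of a virus (code that installs a
resident module, patches the interrupt table, writes the MBR); the samples are
constructed, and the "legitimate archive" is seeded random bytes imitating
compressed or encrypted data.
"""
import math
import random
from collections import Counter
from typing import Dict, List

# Constructed stand-ins for signs of a virus kept in the knowledge base.
VIRUS_SIGNS = {
    b"STAY_RESIDENT": "installs a resident module in memory",
    b"HOOK_INT_TABLE": "changes interrupt table parameters",
    b"WRITE_MBR": "writes to the master boot record",
}
ENTROPY_THRESHOLD = 7.2  # bits per byte; packed or encrypted code sits near 8.0 (assumption)


def shannon_entropy(data: bytes) -> float:
    """Bits of information per byte; high values suggest packed/encrypted code."""
    if not data:
        return 0.0
    counts = Counter(data)
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def analyze(data: bytes, level: str = "high") -> Dict[str, object]:
    """Collect signs, then apply the heuristic level.

    "high" raises an alarm on a single sign (catches more, more false positives);
    "low" needs at least two signs (fewer false positives, more missed viruses).
    """
    reasons: List[str] = []
    entropy = shannon_entropy(data)
    if entropy > ENTROPY_THRESHOLD:
        reasons.append(f"high entropy {entropy:.2f}: possibly packed or encrypted code")
    for marker, meaning in VIRUS_SIGNS.items():
        if marker in data:
            reasons.append(meaning)
    needed = 1 if level == "high" else 2
    return {"entropy": round(entropy, 2), "reasons": reasons,
            "verdict": "suspicious" if len(reasons) >= needed else "clean"}


def constructed_samples() -> Dict[str, bytes]:
    """Test inputs built here, not taken from any real file."""
    rng = random.Random(2024)
    return {
        "plain_program": b"ordinary program code and data " * 100,
        "legit_archive": bytes(rng.getrandbits(8) for _ in range(4096)),
        "one_sign": b"ordinary program code " * 50 + b"STAY_RESIDENT",
        "two_signs": b"ordinary program code " * 50 + b"HOOK_INT_TABLE WRITE_MBR",
    }


def error_table() -> Dict[str, Dict[str, str]]:
    """Verdict per sample at both levels, to see where each level errs."""
    return {name: {lvl: analyze(data, lvl)["verdict"] for lvl in ("high", "low")}
            for name, data in constructed_samples().items()}


if __name__ == "__main__":
    for name, verdicts in error_table().items():
        print(f"{name:14s} high={verdicts['high']:10s} low={verdicts['low']}")
```

    At the high level the random-looking archive is reported (an error of the 1st kind), while at the low level the sample carrying a single sign passes (an error of the 2nd kind); the same knowledge base gives both outcomes, only the threshold moved.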

    It is understood that if a signature for a computer virus detected by a heuristic analyzer is not in the scanning database, then the treatment of infected data may not be correct.

    2.1.3. Protection against viruses

    Blocking the manifestation of viruses is designed to protect against destructive actions and reproduction of computer viruses that have managed to overcome the first two levels of protection. The methods are based on intercepting functions characteristic of viruses. There are two known types of these antivirus agents:

    • Filter programs;

    • Hardware controls.

    Filter programs, also called resident watchmen and monitors, reside permanently in RAM and intercept specified interrupts in order to monitor suspicious activity. At the same time, they can block “dangerous” actions or issue a request to the user.

    Actions subject to control may include: modification of the master boot record (MBR) and the boot records of logical disks and floppy disks, writing to an absolute address, low-level disk formatting, leaving a resident module in RAM, etc. Like auditors, filters are often “intrusive” and create certain inconveniences in the user's work.

    Built-in PC hardware provides control over modification of the boot loader and the hard disk partition table located in the disk's master boot record (MBR). These features are enabled on a PC using the Setup program located in ROM. It should be noted that the Setup program can be bypassed when boot sectors are replaced by directly accessing the I/O ports of the hard drive and floppy drive controllers.

    The most complete protection against viruses can be provided by special hardware protection controllers. Such a controller connects to the ISA bus of the PC and controls all access to the computer's disk subsystem at the hardware level. This prevents viruses from camouflaging themselves. The controller can be configured to control individual files, logical partitions, “dangerous” operations, etc. In addition, controllers can perform various additional security functions, for example, access control and encryption.

    The disadvantages of these controllers, as ISA boards, include the lack of an auto-configuration system and, as a result, possible conflicts with some system programs, including antivirus programs.

    When working in public global networks, in particular the Internet, in addition to traditional methods of anti-virus protection of computer data, anti-virus control of all passing traffic is becoming relevant. This can be done by implementing an anti-virus proxy server, or by integrating an anti-virus component with a firewall. In the latter case, the firewall passes valid traffic, for example SMTP, FTP and HTTP, to the antivirus component (or server). The files it contains are checked for viruses and then sent to users. We can say that we are dealing with a new level of anti-virus protection: the firewall level.

    2.1.4. Overview of antivirus capabilities

    Currently, there is a trend towards integrating various antivirus tools in order to provide reliable multi-layered protection. On the Russian market, the most powerful antivirus kit is DialogueScience’s Anti-Virus kit (DSAV) of DialogueScience JSC and the integrated antivirus system AntiViral Toolkit Pro (AVP) by Kaspersky Lab. These complexes have proven themselves highly in our country, especially when providing anti-virus protection for information systems of small and medium-sized offices. Let's look at the capabilities of the Kaspersky Lab tool.

    The specified software product declares: “One of the main tasks of Kaspersky Lab specialists when creating Kaspersky Anti-Virus was the optimal configuration of all application parameters. This allows a user of any level of computer literacy, without delving into the settings, to ensure the security of their computer immediately after installing the application.” The invitation window (main window) of the specified antivirus tool is understandable to a user of any level.

    If necessary, the user can seek help from the help system by clicking the “? Help” button and get an answer to their question. Let us present, without any cuts, the contents of one of the information windows of the software product.

    Kaspersky Anti-Virus is a fundamentally new approach to information protection. The main thing in the application is the integration and noticeable improvement of the current functionality of all the company's products into one comprehensive security solution. The application provides not only anti-virus protection, but also protection against unknown threats. You no longer need to install multiple products on your computer to ensure complete protection. You just need to install Kaspersky Anti-Virus.

    Comprehensive protection is provided on all channels of information receipt and transmission. Flexible configuration of any application component allows you to maximally adapt Kaspersky Anti-Virus to the needs of a specific user. A unified configuration of all protection components is also provided.

    Let's take a closer look at the innovations of Kaspersky Anti-Virus.

    New in protection

    Kaspersky Anti-Virus now protects not only against already known malware, but also against malware that is not yet known. The presence of a proactive protection component is the main advantage of the application. Its work is based on analyzing the behavior of applications installed on your computer, monitoring changes to the system registry, tracking macro execution and combating hidden threats. The component uses a heuristic analyzer to detect various types of malware. At the same time, a history of malicious activity is maintained, on the basis of which the actions performed by the malicious program are rolled back and the system is restored to the state prior to the malicious impact.

    The technology for protecting files on the user’s computer has changed: now you can reduce the load on CPU and disk subsystems and increase the speed of file scanning. This is achieved through the use of iChecker and iSwift technologies. This mode of operation of the application eliminates repeated scanning of files.

    The virus scanning process now adapts to your work on the computer. The scan may take a fair amount of time and system resources, but the user can do his work in parallel. If any operation requires system resources, virus scanning will be suspended until the operation is completed. The scan will then continue from where it left off.

    Scanning critical areas of the computer, infection of which can lead to serious consequences, is a separate task. You can configure this task to start automatically every time the system starts.

    The protection of electronic correspondence on the user's computer from malware has been significantly improved. The application scans mail traffic on the following protocols for viruses:

    * IMAP, SMTP, POP3, regardless of the email client you use;

    * NNTP, regardless of email client;

    * Regardless of the protocol type (including MAPI, HTTP) as part of the work of plugins built into mailers Microsoft Office Outlook and The Bat!

    In such well-known email clients as Microsoft Office Outlook, Microsoft Outlook Express and The Bat! special extension modules (plugins) are built in that allow you to configure mail protection directly in the mail client.

    The function of notifying the user about the occurrence of certain events in the application has been expanded. You can choose the notification method for each type of event: email message, sound notification, pop-up message, event log entry.

    Implemented checking of traffic transmitted through a secure connection using the SSL protocol.

    Added technology for application self-protection, protection against remote unauthorized control of the Anti-Virus service, and protection of access to application settings using a password. This avoids protection being disabled by malware, attackers or unskilled users.

    Added the ability to create a system emergency recovery disk. Using this disk, you can boot the operating system for the first time after a virus attack and scan your computer for malicious objects.
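    The protocol-level mail scanning described in the window contents above (checking IMAP, SMTP and POP3 traffic regardless of the mail client), as an added Python example that is not code from Kaspersky Anti-Virus or any mail client plugin: the message and attachments are constructed, and looks_malicious() with its constructed marker stands in for a full scanner:

```python
"""Protocol-level mail scanning: take a message as it travels over SMTP/POP3/IMAP,
unpack every attachment regardless of the mail client, and hand each one to a
scan routine.

Added illustration written for this text, not code from Kaspersky Anti-Virus or
any mail client plugin. The message, the attachments and the marker checked by
looks_malicious() are constructed; a real deployment would call a full scanner here.
"""
import email
from email import policy
from email.message import EmailMessage
from typing import Callable, List, Tuple

CONSTRUCTED_MARKER = b"CONSTRUCTED-MALWARE-MARKER"


def build_sample_message() -> bytes:
    """A constructed multipart message with a clean and a flagged attachment."""
    msg = EmailMessage()
    msg["From"] = "sender@example.com"
    msg["To"] = "user@example.com"
    msg["Subject"] = "Quarterly report"
    msg.set_content("Please see the attached files.")
    msg.add_attachment(b"%PDF-1.4 constructed clean document",
                       maintype="application", subtype="pdf", filename="report.pdf")
    msg.add_attachment(b"MZ constructed sample " + CONSTRUCTED_MARKER,
                       maintype="application", subtype="octet-stream", filename="invoice.exe")
    return msg.as_bytes()


def looks_malicious(data: bytes) -> bool:
    """Placeholder for the scanner: a single constructed marker, not a real signature."""
    return CONSTRUCTED_MARKER in data


def scan_message(raw: bytes,
                 scanner: Callable[[bytes], bool] = looks_malicious) -> List[Tuple[str, str]]:
    """Walk all MIME parts, decode each attachment (base64 etc.) and scan it."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    results: List[Tuple[str, str]] = []
    for part in msg.walk():
        if part.is_multipart():
            continue                      # containers carry no payload of their own
        filename = part.get_filename()
        if not filename:
            continue                      # body text; attachments carry a file name
        payload = part.get_payload(decode=True)  # undo the transfer encoding first
        results.append((filename, "infected" if scanner(payload) else "clean"))
    return results


def deliver_or_quarantine(raw: bytes) -> str:
    """The firewall-level decision: pass the mail only if every attachment is clean."""
    return "quarantine" if any(v == "infected" for _, v in scan_message(raw)) else "deliver"


if __name__ == "__main__":
    raw = build_sample_message()
    print(scan_message(raw))
    print(deliver_or_quarantine(raw))
```

    The decoding step matters: attachments travel base64-encoded, so a scanner that looked at the raw SMTP stream would never see the bytes it has signatures for. Working on the decoded payload of each part is what makes the check independent of which client eventually opens the message.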

    The Dr. Web program is quite popular among a number of users. The main focus of Dr. Web is detecting polymorphic viruses. Currently Dr. Web implements the most efficient heuristic analyzer for unknown viruses in the world. According to Virus Bulletin magazine, this ensures detection of up to 80–91% of unknown viruses, including 99% of macro viruses! At international competitions Dr. Web has been among the top three best antiviruses for DOS several times. The product is compact enough that it can be run from a floppy disk.

    In conclusion, we note that the network administrator and PC users must constantly monitor the update of anti-virus tools and promptly implement a set of measures to protect the network hardware and software from highly probable damage by viruses.