GHH Debre Birhan Polytechnic College

This document provides information about computer viruses, including their origin and evolution. It defines viruses and describes common types such as boot sector viruses, file viruses, macro viruses, and multipartite viruses. The document also discusses the history of viruses, noting they were created by people to either cause destruction, watch things "blow up", or gain notoriety by being the first to create a new virus. Viruses work by piggybacking on other programs or documents and then using the computer's resources to copy themselves and spread to other systems.

Uploaded by

Kefelegn Gulint

Debre Birhan Polytechnic College

Training, Teaching and Learning Materials Development



DEBRE BIRHAN POLYTECHNIC COLLEGE

Ethiopian TVET-System

INFORMATION TECHNOLOGY
SUPPORT SERVICE
Level I

LEARNING GUIDE # 2

Unit of Competence: protect application and system software


Module Title : protecting application and system software
LG Code : ICT ITS1 L01 2
TTLM Code : ICT ITS1 TTLM 0811

LO 2: Detect and remove destructive software

INTRODUCTION Learning Guide # 2

This learning guide is developed to provide you the necessary information regarding the following
content coverage and topics –

 Computer Viruses
 Virus Origin, History and Evolution
 Virus Infection, Removal and Prevention
 Anti-virus Software

Learning Guide Date: 04/07/2018 Page 1 of 21
3rd Edition Author: All ICT Trainers’
Debre Birhan Polytechnic College
Training, Teaching and Learning Materials Development
This guide will also assist you to attain the learning outcome stated in the cover page.
Specifically, upon completion of this Learning Guide, you will be able to –

 Define and identify common types of destructive software
 Select and install virus protection compatible with the operating system in use
 Describe advanced systems of protection in order to understand further options
 Install Software updates on a regular basis
 Configure software security settings to prevent destructive software from infecting computer
 Run and/or schedule virus protection software on a regular basis
 Report detected destructive software to appropriate person and remove the destructive software

Learning Activities
1. Read the specific objectives of this Learning Guide.
2. Read the information written in the “Information Sheet 1” in pages 3-4.
3. Accomplish the “Self-check” in page 5.
4. If you earned a satisfactory evaluation proceed to “Information Sheet 2”. However, if your rating is
unsatisfactory, see your teacher for further instructions or go back to Learning Act. #1.
5. Read the information written in the “Information Sheet 2” in pages 6-9.
6. Accomplish the “Self-check” in page 10.
7. If you earned a satisfactory evaluation proceed to “Information Sheet 3”. However, if your rating is
unsatisfactory, see your teacher for further instructions or go back to Learning Act. #2.
8. Read the information written in the “Information Sheet 3” in pages 11-12.
9. Accomplish the “Self-check” in page 13.
10. If you earned a satisfactory evaluation proceed to “Information Sheet 4”. However, if your rating is
unsatisfactory, see your teacher for further instructions or go back to Learning Act. #3.
11. Read the information written in the “Information Sheet 4” in pages 14-24.
12. Accomplish the “Self-check” in page 25.
13. If you earned a satisfactory evaluation proceed to “Operation Sheet” on pages 26-27. However, if
your rating is unsatisfactory, see your teacher for further instructions or go back to Learning Activity
# 4.
14. If you earned a satisfactory evaluation proceed to “Lap Test” on page 28. However, if your rating is
unsatisfactory, see your teacher for further instructions or go back to Learning Activity Operation
Sheet.
15. Do the “LAP test” (if you are ready) and show your output to your teacher. Your teacher will
evaluate your output as either satisfactory or unsatisfactory. If unsatisfactory, your teacher shall advise
you on additional work. But if satisfactory you can proceed to Learning Guide 12.

 Your teacher will evaluate your output as either satisfactory or unsatisfactory. If unsatisfactory,
your teacher shall advise you on additional work. But if satisfactory you can proceed to the next
topic.

Information Sheet 1 Computer Viruses

What is a Virus?

Definition

A computer virus is a small software program that is specifically designed to spread between
computers and hinder basic computer functions.

Viruses are commonly spread through email attachments or instant messages, so it's never a good
idea to open an attachment from a sender that you are not familiar with. They can also be inadvertently
downloaded through the Internet, as part of a file or program that might have come from a questionable
website.

Computer viruses can cause serious damage to a computer system. They can slow down the
computer's overall performance and lead to a loss of data that could range from one single file to your
entire hard drive. These viruses have kept pace with new computer technology, evolving rapidly and
increasing in complexity; however, there are still many easy and often free ways to eliminate these
destructive programs, while keeping new ones from invading.

Here are the different kinds of viruses:

 Virus - Can replicate and spread to other computers. Also attacks other programs.
 Worm - A special type of virus that can replicate and spread, but generally doesn't attack other
programs.
 Trojan - Doesn't replicate, but can spread. Doesn't attack other programs. Usually just a way of
recording and reporting what you do on your PC.

Viruses are split into different categories, depending on what they do. Here are a few categories
of viruses:

 Boot Sector Virus


The Boot Sector of a PC is a part of your computer that gets accessed first when you turn
it on. It tells Windows what to do and what to load. It's like a "Things To Do" list. The Boot
Sector is also known as the Master Boot Record. A boot sector virus is designed to attack this,
causing your PC to refuse to start at all!

 File Virus
A file virus, as its name suggests, attacks files on your computer. It also attacks entire
programs.

 Macro Virus
These types of virus are written specifically to infect Microsoft Office documents (Word,
Excel, PowerPoint, etc.). A Word document can contain a macro virus. You usually need to open
the document in a Microsoft Office application before the virus can do any harm.

 Multipartite Virus
A multipartite virus is designed to infect both the boot sector and files on your computer.

 Polymorphic Virus
This type of virus alters its own code each time it infects another computer. It does this
to try to avoid detection by anti-virus programs.

Information Sheet 2 Virus Origin, History and Evolution


Virus Origins

Computer viruses are called viruses because they share some of the traits of biological viruses.
A computer virus passes from computer to computer like a biological virus passes from person to
person.
Unlike a cell, a virus has no way to reproduce by itself. Instead, a biological virus must inject its
DNA into a cell. The viral DNA then uses the cell's existing machinery to reproduce itself. In some
cases, the cell fills with new viral particles until it bursts, releasing the virus. In other cases, the new
virus particles bud off the cell one at a time, and the cell remains alive.
A computer virus shares some of these traits. A computer virus must piggyback on top of some
other program or document in order to launch. Once it is running, it can infect other programs or
documents. Obviously, the analogy between computer and biological viruses stretches things a bit, but
there are enough similarities that the name sticks.

People write computer viruses. A person has to write the code, test it to make sure it spreads
properly and then release it. A person also designs the virus's attack phase, whether it's a silly message
or the destruction of a hard disk.

Why do they do it?

There are at least three reasons.

 The first is the same psychology that drives vandals and arsonists. Why would
someone want to break a window on someone's car, paint signs on buildings or burn
down a beautiful forest? For some people, that seems to be a thrill. If that sort of person
knows computer programming, then he or she may funnel energy into the creation of
destructive viruses.
 The second reason has to do with the thrill of watching things blow up. Some people
have a fascination with things like explosions and car wrecks. When you were growing
up, there might have been a kid in your neighborhood who learned how to make
gunpowder. And that kid probably built bigger and bigger bombs until he either got bored
or did some serious damage to himself. Creating a virus is a little like that -- it creates a
bomb inside a computer, and the more computers that get infected the more "fun" the
explosion.

 The third reason involves bragging rights, or the thrill of doing it. Sort of like Mount
Everest -- the mountain is there, so someone is compelled to climb it. If you are a certain
type of programmer who sees a security hole that could be exploited, you might simply
be compelled to exploit the hole yourself before someone else beats you to it.
Of course, most virus creators seem to miss the point that they cause real damage to real people
with their creations. Destroying everything on a person's hard disk is real damage. Forcing a large
company to waste thousands of hours cleaning up after a virus is real damage. Even a silly message is
real damage because someone has to waste time getting rid of it. For this reason, the legal system is
getting much harsher in punishing the people who create viruses.

Virus History
Traditional computer viruses were first widely seen in the late 1980s, and they came about
because of several factors.
The first factor was the spread of personal computers (PCs). Prior to the 1980s, home
computers were nearly non-existent or they were toys. Real computers were rare, and they were locked
away for use by "experts." During the 1980s, real computers started to spread to businesses and homes
because of the popularity of the IBM PC (released in 1982) and the Apple Macintosh (released in 1984).
By the late 1980s, PCs were widespread in businesses, homes and college campuses.
The second factor was the use of computer bulletin boards. People could dial up a bulletin
board with a modem and download programs of all types. Games were extremely popular, and so were
simple word processors, spreadsheets and other productivity software. Bulletin boards led to the
precursor of the virus known as the Trojan horse. A Trojan horse is a program with a cool-sounding
name and description. So you download it. When you run the program, however, it does something
uncool like erasing your disk. You think you are getting a neat game, but it wipes out your system.
Trojan horses only hit a small number of people because they are quickly discovered, the infected
programs are removed and word of the danger spreads among users.

Floppy disks were factors in the spread of computer viruses.

The third factor that led to the creation of viruses was the floppy disk. In the 1980s, programs
were small, and you could fit the entire operating system, a few programs and some documents onto
a floppy disk or two. Many computers did not have hard disks, so when you turned on your machine it
would load the operating system and everything else from the floppy disk. Virus authors took advantage
of this to create the first self-replicating programs.

Early viruses were pieces of code attached to a common program like a popular game or a popular word
processor. A person might download an infected game from a bulletin board and run it. A virus like this
is a small piece of code embedded in a larger, legitimate program. When the user runs the legitimate
program, the virus loads itself into memory and looks around to see if it can find any other programs on
the disk. If it can find one, it modifies the program to add the virus's code into the program. Then the
virus launches the "real program." The user really has no way to know that the virus ever ran.
Unfortunately, the virus has now reproduced itself, so two programs are infected. The next time the user
launches either of those programs, they infect other programs, and the cycle continues.

If one of the infected programs is given to another person on a floppy disk, or if it is uploaded to
a bulletin board, then other programs get infected. This is how the virus spreads.
The spreading part is the infection phase of the virus. Viruses wouldn't be so violently despised
if all they did was replicate themselves. Most viruses also have a destructive attack phase where they
do damage. Some sort of trigger will activate the attack phase, and the virus will then do something --
anything from printing a silly message on the screen to erasing all of your data. The trigger might be a
specific date, the number of times the virus has been replicated or something similar.
Virus Evolution
Other Threats
Viruses and worms get a lot of publicity, but they aren't the only threats to your computer's health.
Malware is just another name for software that has an evil intent. Here are some common types of
malware and what they might do to your infected computer:
 Adware puts ads up on your screen.
 Spyware collects personal information about you, like your passwords or other
information you type into your computer.
 Hijackers turn your machine into a zombie computer.
 Dialers force your computer to make phone calls. For example, one might call toll
900-numbers and run up your phone bill, while boosting revenue for the owners of
the 900-numbers.

As virus creators became more sophisticated, they learned new tricks. One important trick was
the ability to load viruses into memory so they could keep running in the background as long as the
computer remained on. This gave viruses a much more effective way to replicate themselves.
Another trick was the ability to infect the boot sector on floppy
disks and hard disks. The boot sector is a small program that is the first part of the operating system that
the computer loads. It contains a tiny program that tells the computer how to load the rest of the
operating system. By putting its code in the boot sector, a virus can guarantee it is executed. It can load
itself into memory immediately and run whenever the computer is on. Boot sector viruses can infect the
boot sector of any floppy disk inserted in the machine, and on college campuses, where lots of people
share machines, they could spread like wildfire.
In general, neither executable nor boot sector viruses are very threatening any longer. The first
reason for the decline has been the huge size of today's programs. Nearly every program you buy today
comes on a compact disc. Compact discs (CDs) cannot be modified, and that makes viral infection of a
CD unlikely, unless the manufacturer permits a virus to be burned onto the CD during production. The
programs are so big that the only easy way to move them around is to buy the CD. People certainly can't
carry applications around on floppy disks like they did in the 1980s, when floppies full of programs
were traded like baseball cards. Boot sector viruses have also declined because operating systems now
protect the boot sector.
Infection from boot sector viruses and executable viruses is still possible. Even so, it is a lot
harder, and these viruses don't spread nearly as quickly as they once did. Call it "shrinking habitat," if
you want to use a biological analogy. The environment of floppy disks, small programs and weak
operating systems made these viruses possible in the 1980s, but that environmental niche has been
largely eliminated by huge executables, unchangeable CDs and better operating system safeguards.
E-mail Viruses
Virus authors adapted to the changing computing environment by creating the e-mail virus. For
example, the Melissa virus in March 1999 was spectacular. Melissa spread in Microsoft Word
documents sent via e-mail, and it worked like this:
Someone created the virus as a Word document and uploaded it to an Internet newsgroup.
Anyone who downloaded the document and opened it would trigger the virus. The virus would then
send the document (and therefore itself) in an e-mail message to the first 50 people in the person's
address book. The e-mail message contained a friendly note that included the person's name, so the
recipient would open the document, thinking it was harmless. The virus would then create 50 new
messages from the recipient's machine. At that rate, the Melissa virus quickly became the fastest-
spreading virus anyone had seen at the time. As mentioned earlier, it forced a number of large
companies to shut down their e-mail systems.

Information Sheet 3 Virus Infection, Removal and Prevention

How do Viruses get on my computer?

The most common way that a virus gets on your computer is by an email attachment. If you
open the attachment, and your anti-virus program doesn't detect it, then that is enough to infect your
computer. Some people go so far as NOT opening attachments at all, but simply deleting the entire
message as soon as it comes in. While this approach will greatly reduce your chances of becoming
infected, it may offend those relatives of yours who have just sent you the latest pictures of little Johnny!

You can also get viruses by downloading programs from the internet. That great piece of
freeware you spotted from an obscure site may not be so great after all. It could well be infecting your
PC as the main program is installing.

If your PC is running any version of Windows, and it hasn't got all the latest patches and updates,
then your computer will be attacked a few minutes after going on the internet! (Non-Windows users can
go into smug mode!)

Nowadays, virus writers also use removable storage devices to spread viruses, most commonly
flash drives. Removable media such as flash drives and CD/DVDs support the autorun functionality, a
simple mechanism that lets an executable file run automatically when the media is inserted. Virus
writers exploit this by altering the autorun configuration so that the virus (normally an .exe, .bat or
.vbs file) runs automatically as soon as you insert the flash drive or CD/DVD.
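As an added example (not part of this learning guide), the following Python script inspects the text of an autorun.inf file and flags the entries that would launch an executable, batch or script file of the kinds named above, so a technician can check a suspect flash drive or disc before trusting it. The two autorun.inf samples are constructed, and the set of risky extensions and the finding labels are assumptions to adapt to local policy.

```python
import os
import re
from dataclasses import dataclass

# File types the guide names as typical AutoRun payloads (.exe, .bat, .vbs) plus
# other directly executable Windows types. Assumption: adapt to local policy.
RISKY_EXTENSIONS = {".exe", ".bat", ".vbs", ".cmd", ".com", ".scr", ".pif", ".js", ".wsf"}

# [autorun] keys that cause something to run: 'open' and 'shellexecute' fire on
# insertion (where AutoRun is enabled); 'shell\<verb>\command' runs when the user
# picks that verb from the drive's context menu.
LAUNCH_KEYS = ("open", "shellexecute")
SHELL_COMMAND_RE = re.compile(r"^shell\\[^\\]+\\command$")
FIRST_TOKEN_RE = re.compile(r'^\s*(?:"([^"]+)"|(\S+))')


@dataclass(frozen=True)
class AutorunFinding:
    key: str
    target: str
    reason: str


def parse_autorun(text: str) -> dict:
    """Return key -> value for the [autorun] section, keys lower-cased.

    Other sections, blank lines and ';' comments are ignored, matching the
    INI-style layout of autorun.inf.
    """
    entries = {}
    in_autorun = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_autorun = line[1:-1].strip().lower() == "autorun"
            continue
        if in_autorun and "=" in line:
            key, _, value = line.partition("=")
            entries[key.strip().lower()] = value.strip()
    return entries


def launched_program(command: str) -> str:
    """First token of a command line, i.e. the file that would actually be run."""
    m = FIRST_TOKEN_RE.match(command)
    return (m.group(1) or m.group(2)).strip() if m else ""


def inspect_autorun(text: str) -> list:
    """Flag every [autorun] entry that would launch a risky file type."""
    findings = []
    for key, value in parse_autorun(text).items():
        if key not in LAUNCH_KEYS and not SHELL_COMMAND_RE.match(key):
            continue
        program = launched_program(value)
        if not program:
            continue
        ext = os.path.splitext(program)[1].lower()
        if ext in RISKY_EXTENSIONS:
            findings.append(AutorunFinding(key, program, f"runs a {ext} file"))
        elif key == "shellexecute":
            # shellexecute opens the target with its registered handler, so even
            # a document (e.g. one carrying a macro virus) can trigger code.
            findings.append(AutorunFinding(key, program, "opens target with its file handler"))
    return findings


# Constructed sample: what a tampered autorun.inf on a flash drive can look like.
SUSPICIOUS_AUTORUN = """
[autorun]
; presents itself as a harmless photo drive
label=Holiday Photos
icon=photos.ico
open=viewer.exe
shellexecute="tools\\launch helper.bat" /quiet
shell\\explore\\command=viewer.exe
"""

# Constructed sample: a benign autorun.inf that only customises the icon and label.
BENIGN_AUTORUN = """
[autorun]
label=Backup Disk
icon=disk.ico
"""

if __name__ == "__main__":
    for f in inspect_autorun(SUSPICIOUS_AUTORUN):
        print(f"{f.key:<24} -> {f.target:<26} {f.reason}")
    print("benign file findings:", inspect_autorun(BENIGN_AUTORUN))
```

Current Windows releases no longer run autorun.inf from flash drives by default, so on up-to-date machines the check mostly matters for optical media and older systems.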
Virus Infection Symptoms

Common symptoms of a virus-infected computer include:

 unusually slow running speeds
 failure to respond to user input
 system crashes and constant system restarts that are triggered automatically
 individual applications that stop working correctly
 disk drives that become inaccessible
 unusual or strange error messages popping up on the screen
 documents not printing correctly
 distorted menus and dialog boxes
 peripherals like printers that stop responding

Try not to panic if your computer is exhibiting one or two items on the list. Keep in mind that
these types of hardware and software problems are not always caused by viruses, but infection is
certainly a strong possibility that is worth investigating.

 Removal

The first step in removing computer viruses is installing any updates that are available
for your operating system; modern operating systems will automatically look for updates if they
are connected to the Internet. If you do not already have anti-virus software on your computer,
subscribe to a service and use the software to do a complete scan of your computer. Since new
computer viruses are constantly being created, set your anti-virus program to automatically
check for updates regularly.

 Prevention

In order to prevent future computer infections:


 use an Internet firewall,
 check for operating system and anti-virus program updates,
 scan your computer regularly and exercise caution when handling email and Internet
files.

A firewall is a program or piece of hardware that helps screen out viruses, worms and
hackers which are attempting to interact with your computer via the Internet. On modern
computers, firewalls come pre-installed and are turned on by default, so you probably already
have one running in the background. When opening email attachments, don't assume they are
safe just because they come from a friend or reliable source; the sender may have unknowingly
forwarded an attachment that contains a virus.

Information Sheet 4 Anti-virus Software


Antivirus software
Antivirus or anti-virus software is used to prevent, detect, and remove malware, including but
not limited to computer viruses, computer worms, trojan horses, spyware and adware. This section talks
about the software used for the prevention and removal of such threats, rather than computer
security implemented by software methods in general.

A variety of strategies are typically employed. Signature-based detection involves searching for
known patterns of data within executable code. However, it is possible for a computer to be infected
with new malware for which no signature is yet known.

To counter such so-called zero-day threats, heuristics can be used. One type of heuristic
approach, generic signatures, can identify new viruses or variants of existing viruses by looking for
known malicious code, or slight variations of such code, in files. Some antivirus software can also
predict what a file will do by running it in a sandbox and analyzing what it does to see if it performs any
malicious actions.

No matter how useful antivirus software can be, it can sometimes have drawbacks. Antivirus
software can impair a computer's performance. Inexperienced users may also have trouble
understanding the prompts and decisions that antivirus software presents them with. An incorrect
decision may lead to a security breach. If the antivirus software employs heuristic detection, success
depends on achieving the right balance between false positives and false negatives. False positives can
be as destructive as false negatives.
A false positive is a wrong detection in which a legitimate file is mistakenly identified as a
virus, while a false negative is a wrong detection in which a real virus goes undetected.

Finally, antivirus software generally runs at the highly trusted kernel level of the operating
system, creating a potential avenue of attack.

An example of free antivirus software: ClamTk 3.08.

Most of the computer viruses written in the early and mid 1980s were limited to self-
reproduction and had no specific damage routine built into the code. That changed when more and
more programmers became acquainted with virus programming and created viruses that manipulated or
even destroyed data on infected computers.
There are competing claims for the innovator of the first antivirus product. Possibly the first
publicly documented removal of a computer virus in the wild was performed by Bernd Fix in 1987.

Fred Cohen, who published one of the first academic papers on computer viruses in 1984, began
to develop strategies for antivirus software in 1988 that were picked up and continued by later antivirus
software developers.

Also in 1988 a mailing list named VIRUS-L was started on the BITNET/EARN network where
new viruses and the possibilities of detecting and eliminating viruses were discussed. Some members of
this mailing list like John McAfee or Eugene Kaspersky later founded software companies that
developed and sold commercial antivirus software.

Before internet connectivity was widespread, viruses were typically spread by infected floppy
disks. Antivirus software came into use, but was updated relatively infrequently. During this time, virus
checkers essentially had to check executable files and the boot sectors of floppy disks and hard disks.
However, as internet usage became common, viruses began to spread online.

Over the years it has become necessary for antivirus software to check an increasing variety of
files, rather than just executables, for several reasons:

 Powerful macros used in word processor applications, such as Microsoft Word, presented
a risk. Virus writers could use the macros to write viruses embedded within
documents. This meant that computers could now also be at risk from infection by
opening documents with hidden attached macros.
 Later email programs, in particular Microsoft's Outlook Express and Outlook,
were vulnerable to viruses embedded in the email body itself. A user's computer could
be infected by just opening or previewing a message.

As always-on broadband connections became the norm, and more and more viruses were
released, it became essential to update virus checkers more and more frequently. Even then, a new zero-
day virus could become widespread before antivirus companies released an update to protect against it.

Malwarebytes' Anti-Malware version 1.46 - a proprietary freeware antimalware product


There are several methods which antivirus software can use to identify malware.

 Signature based detection is the most common method. To identify viruses and other malware,
antivirus software compares the contents of a file to a dictionary of virus signatures.
Because viruses can embed themselves in existing files, the entire file is searched, not just as a
whole, but also in pieces.

 Heuristic-based detection, like malicious activity detection, can be used to identify unknown
viruses.

 File emulation is another heuristic approach. File emulation involves executing a program in
a virtual environment and logging what actions the program performs. Depending on the actions
logged, the antivirus software can determine if the program is malicious or not and then carry out
the appropriate disinfection actions.

Signature-based detection
Traditionally, antivirus software heavily relied upon signatures to identify malware. This can be
very effective, but cannot defend against malware unless samples have already been obtained and
signatures created. Because of this, signature-based approaches are not effective against new, unknown
viruses.

As new viruses are being created each day, the signature-based detection approach requires
frequent updates of the virus signature dictionary. To assist the antivirus software companies, the
software may allow the user to upload new viruses or variants to the company, allowing the virus to be
analyzed and the signature added to the dictionary.

Although the signature-based approach can effectively contain virus outbreaks, virus authors
have tried to stay a step ahead of such software by writing "oligomorphic", "polymorphic" and, more
recently, "metamorphic" viruses, which encrypt parts of themselves or otherwise modify themselves
as a method of disguise, so as to not match virus signatures in the dictionary.

Heuristics
Some more sophisticated antivirus software uses heuristic analysis to identify new malware or
variants of known malware.

Many viruses start as a single infection and through either mutation or refinements by other
attackers, can grow into dozens of slightly different strains, called variants. Generic detection refers to
the detection and removal of multiple threats using a single virus definition.

For example, the Vundo trojan has several family members, depending on the antivirus vendor's
classification. Symantec classifies members of the Vundo family into two distinct
categories, Trojan.Vundo and Trojan.Vundo.B.

While it may be advantageous to identify a specific virus, it can be quicker to detect a virus
family through a generic signature or through an inexact match to an existing signature. Virus
researchers find common areas that all viruses in a family share uniquely and can thus create a single
generic signature. These signatures often contain non-contiguous code, using wildcard characters where
differences lie. These wildcards allow the scanner to detect viruses even if they are padded with extra,
meaningless code. A detection that uses this method is said to be "heuristic detection."
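To make the signature-matching ideas in this sheet concrete (a dictionary of signatures, the whole file being searched rather than just its start, wildcards and gaps that let one generic signature cover padded or slightly altered variants, and the false positives that an over-broad signature produces), here is an added Python example; it is not part of this learning guide and does not reproduce any vendor's signature format or real virus code. The byte sequences, file names, signature names and labels are all constructed for the demonstration, and the `??` / `{n-m}` syntax is an assumption modelled loosely on common scanner conventions.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Signature:
    name: str
    pattern: str  # hex bytes; '??' = any one byte; '{n-m}' = gap of n to m bytes


TOKEN_RE = re.compile(r"\{\d+-\d+\}|\?\?|[0-9A-Fa-f]{2}")


def compile_signature(sig: Signature):
    """Translate the signature syntax into a compiled regex over bytes."""
    text = sig.pattern.replace(" ", "")
    tokens = TOKEN_RE.findall(text)
    if "".join(tokens) != text:  # anything left over means malformed syntax
        raise ValueError(f"bad signature syntax in {sig.name!r}")
    parts = []
    for tok in tokens:
        if tok == "??":
            parts.append(b".")
        elif tok.startswith("{"):
            lo, hi = tok[1:-1].split("-")
            parts.append(b".{%d,%d}" % (int(lo), int(hi)))
        else:
            parts.append(re.escape(bytes.fromhex(tok)))
    # DOTALL so a wildcard also matches the newline byte 0x0A
    return re.compile(b"".join(parts), re.DOTALL)


def scan_bytes(data: bytes, signatures) -> list:
    """Return [(signature name, offset)] for each signature found anywhere in data."""
    hits = []
    for sig in signatures:
        m = compile_signature(sig).search(data)
        if m:
            hits.append((sig.name, m.start()))
    return hits


def scan_files(files: dict, signatures) -> dict:
    """Map file name -> names of the signatures that matched its contents."""
    return {name: [hit[0] for hit in scan_bytes(data, signatures)]
            for name, data in files.items()}


def evaluate(files: dict, signatures, truth: dict) -> dict:
    """Per signature, count false positives (clean file matched) and false
    negatives (infected file missed) against the known labels in truth."""
    results = scan_files(files, signatures)
    stats = {sig.name: {"fp": 0, "fn": 0} for sig in signatures}
    for name, matched in results.items():
        for sig in signatures:
            hit = sig.name in matched
            if hit and not truth[name]:
                stats[sig.name]["fp"] += 1
            elif not hit and truth[name]:
                stats[sig.name]["fn"] += 1
    return stats


# Constructed byte sequences standing in for two variants of one virus family.
# They are not real malware; variant B is the same logic padded with NOPs (0x90)
# and with one immediate changed, the kind of change a polymorphic engine makes.
VARIANT_A = bytes.fromhex("55 8B EC B8 01 00 00 00 50 E8 10 00 00 00 C3")
VARIANT_B = bytes.fromhex("55 8B EC 90 90 90 B8 02 00 00 00 90 50 E8 10 00 00 00 C3")

# Constructed "files": the virus body sits in the middle, so the whole file has
# to be searched rather than just its start. tool.exe holds a harmless prologue.
SAMPLE_FILES = {
    "game_a.exe": b"MZ" + bytes(16) + VARIANT_A + bytes(8),
    "game_b.exe": b"MZ" + bytes(16) + VARIANT_B + bytes(8),
    "tool.exe": b"MZ" + bytes(16) + bytes.fromhex("55 8B EC 33 C0 5D C3") + bytes(8),
    "readme.txt": b"Plain text with no code in it at all.\n",
}
TRUTH = {"game_a.exe": True, "game_b.exe": True, "tool.exe": False, "readme.txt": False}

SIGNATURES = [
    # exact bytes of variant A: misses the padded variant (a false negative)
    Signature("Family.A", "55 8B EC B8 01 00 00 00 50 E8 10 00 00 00 C3"),
    # generic: wildcards where the variants differ, gaps where padding may appear
    Signature("Family.gen", "55 8B EC {0-8} B8 ?? 00 00 00 {0-4} 50 E8 ?? ?? ?? ?? C3"),
    # far too generic: just a common function prologue, so it also hits clean code
    Signature("Family.broad", "55 8B EC"),
]

if __name__ == "__main__":
    for name, matched in scan_files(SAMPLE_FILES, SIGNATURES).items():
        print(f"{name:<12} {matched}")
    print(evaluate(SAMPLE_FILES, SIGNATURES, TRUTH))
```

Run directly, it prints which signatures hit each sample file and the per-signature false-positive and false-negative counts, showing why the generic signature is the one a researcher would ship.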

Rootkit detection
Anti-virus software can also scan for rootkits; a rootkit virus is a type of malware that is
designed to gain administrative-level control over a computer system without being detected. Rootkits
can change how the operating system functions and in some cases can tamper with the anti-virus
program and render it ineffective. Rootkits are also difficult to remove, in some cases requiring a
complete re-installation of the operating system.

Unexpected renewal costs

Some commercial antivirus software end-user license agreements include a clause that
the subscription will be automatically renewed, and the purchaser's credit card automatically billed, at
the renewal time without explicit approval. For example, McAfee requires users to unsubscribe at least
60 days before the expiration of the present subscription while BitDefender sends notifications to
unsubscribe 30 days before the renewal. Norton Antivirus also renews subscriptions automatically by
default.

Rogue security applications


Some apparent antivirus programs are actually malware masquerading as legitimate software,
such as WinFixer and MS Antivirus.

Problems caused by false positives


A "false positive" is when antivirus software identifies a non-malicious file as a virus. When this
happens, it can cause serious problems. For example, if an antivirus program is configured to
immediately delete or quarantine infected files, a false positive in an essential file can render
the operating system or some applications unusable. In May 2007, a faulty virus signature issued
by Symantec mistakenly removed essential operating system files, leaving thousands of PCs unable
to boot. Also in May 2007, the executable file required by Pegasus Mail was falsely detected by Norton
AntiVirus as being a Trojan and it was automatically removed, preventing Pegasus Mail from running.
Norton AntiVirus had falsely identified three releases of Pegasus Mail as malware, and would delete the
Pegasus Mail installer file when that happened. In response to this Pegasus Mail stated:

“On the basis that Norton/Symantec has done this for every one of the last three releases of
Pegasus Mail, we can only condemn this product as too flawed to use, and recommend in the
strongest terms that our users cease using it in favor of alternative, less buggy anti-virus
packages.”

In April 2010, McAfee VirusScan detected svchost.exe, a normal Windows binary, as a virus on
machines running Windows XP with Service Pack 3, causing a reboot loop and loss of all network
access.

In December 2010, a faulty update on the AVG anti-virus suite damaged 64-bit versions of
Windows 7, rendering it unable to boot by creating an endless boot loop.

When Microsoft Windows becomes damaged by faulty anti-virus products, fixing the damage to
Microsoft Windows incurs technical support costs and businesses can be forced to close whilst remedial
action is undertaken.
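
The incidents above all share one cause: the scanner acted on a detection immediately and irreversibly. The following is an added illustration of two safeguards a scanner can apply, a protected-path guard so that files under system directories are reported rather than moved automatically, and a move-with-manifest quarantine so that a false positive can be undone. It is not code from any antivirus product; the directory names, the placeholder `svchost.exe` and the detection names are all constructed, and everything runs inside a temporary directory.

```python
"""Quarantine that limits the damage a false positive can do.

Added illustration, not code from any antivirus product. Runs entirely inside
a temporary directory with constructed placeholder files.
"""
import hashlib
import json
import shutil
import tempfile
from pathlib import Path
from typing import Iterable, Optional


class Quarantine:
    """Move, never delete; refuse to touch protected system roots automatically."""

    def __init__(self, store: Path, protected_roots: Iterable[Path]):
        self.store = Path(store)
        self.store.mkdir(parents=True, exist_ok=True)
        self.protected = [Path(p).resolve() for p in protected_roots]
        self.manifest = self.store / "manifest.json"
        if not self.manifest.exists():
            self.manifest.write_text("{}")

    def _is_protected(self, path: Path) -> bool:
        rp = path.resolve()
        return any(rp == root or root in rp.parents for root in self.protected)

    def isolate(self, path: Path, detection: str, force: bool = False) -> Optional[str]:
        """Quarantine a flagged file and return its sha256 handle.

        Files under a protected root are only reported (None is returned)
        unless force=True, i.e. a human has reviewed the detection first.
        """
        path = Path(path)
        if self._is_protected(path) and not force:
            return None
        original = str(path.resolve())            # record the location before moving
        digest = hashlib.sha256(path.read_bytes()).hexdigest()
        shutil.move(str(path), str(self.store / digest))
        entries = json.loads(self.manifest.read_text())
        entries[digest] = {"original": original, "detection": detection}
        self.manifest.write_text(json.dumps(entries))
        return digest

    def restore(self, digest: str) -> Path:
        """Put a quarantined file back where it came from (undo a false positive)."""
        entries = json.loads(self.manifest.read_text())
        entry = entries.pop(digest)
        dest = Path(entry["original"])
        shutil.move(str(self.store / digest), str(dest))
        self.manifest.write_text(json.dumps(entries))
        return dest


def run_demo() -> dict:
    """Exercise the guard and the restore path on constructed files."""
    base = Path(tempfile.mkdtemp())
    system32 = base / "Windows" / "System32"       # stands in for the real directory
    userdir = base / "Users" / "demo" / "Downloads"
    system32.mkdir(parents=True)
    userdir.mkdir(parents=True)
    essential = system32 / "svchost.exe"           # placeholder, not a real binary
    suspect = userdir / "download.exe"
    essential.write_bytes(b"constructed placeholder, not a real binary")
    suspect.write_bytes(b"constructed placeholder flagged by the scanner")

    q = Quarantine(base / "quarantine", protected_roots=[system32])
    refused = q.isolate(essential, "Demo.FalsePositive")   # protected: not moved
    handle = q.isolate(suspect, "Demo.Suspicious")         # user file: moved
    moved = not suspect.exists()
    restored = q.restore(handle)                           # analyst reverses it
    result = {
        "protected_refused": refused is None and essential.exists(),
        "suspect_moved": moved and handle is not None,
        "suspect_restored": restored == suspect.resolve() and restored.exists(),
    }
    shutil.rmtree(base)
    return result


if __name__ == "__main__":
    print(run_demo())
```

The guard does not make the scanner blind to system files: the detection is still raised, it simply is not acted on without review. Whether a given product offers equivalent settings (a "report only" mode for system paths, a quarantine with restore) is something to check in its documentation before enabling automatic deletion.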

System and interoperability related issues


Running multiple antivirus programs concurrently can degrade performance and create
conflicts. However, using a concept called multi-scanning, several companies (including G Data
and Microsoft) have created applications which can run multiple engines concurrently.

It is sometimes necessary to temporarily disable virus protection when installing major
updates such as Windows Service Packs or updating graphics card drivers. Active antivirus protection
may partially or completely prevent the installation of a major update.

A minority of software programs are not compatible with anti-virus software. For example,
the TrueCrypt troubleshooting page reports that anti-virus programs can conflict with TrueCrypt and
cause it to malfunction.

Effectiveness
Studies in December 2007 showed that the effectiveness of antivirus software had decreased in
the previous year, particularly against unknown or zero day attacks. The computer magazine c't found
that detection rates for these threats had dropped from 40-50% in 2006 to 20-30% in 2007. At that time,
the only exception was the NOD32 antivirus, which managed a detection rate of 68 percent.

The problem is magnified by the changing intent of virus authors. Some years ago it was obvious
when a virus infection was present. The viruses of the day, written by amateurs, exhibited destructive
behavior or pop-ups. Modern viruses are often written by professionals, financed by criminal
organizations.

Independent testing on all the major virus scanners consistently shows that none provide 100%
virus detection. The best ones provided as high as 99.6% detection, while the lowest provided only
81.8% in tests conducted in February 2010. All virus scanners produce false positive results as well,
identifying benign files as malware.

Although methodologies may differ, some notable independent quality testing agencies include
AV-Comparatives, ICSA Labs, West Coast Labs, VB100 and other members of the Anti-Malware
Testing Standards Organization.

New viruses
Anti-virus programs are not always effective against new viruses, even those that use non-
signature-based methods that should detect new viruses. The reason for this is that the virus designers
test their new viruses on the major anti-virus applications to make sure that they are not detected
before releasing them into the wild.

Some new viruses, particularly ransomware, use polymorphic code to avoid detection by virus
scanners. Jerome Segura, a security analyst with ParetoLogic, explained:

“It's something that they miss a lot of the time because this type of [ransomware virus] comes
from sites that use a polymorphism, which means they basically randomize the file they send you
and it gets by well-known antivirus products very easily. I've seen people firsthand getting
infected, having all the pop-ups and yet they have antivirus software running and it's not detecting
anything. It actually can be pretty hard to get rid of, as well, and you're never really sure if it's
really gone. When we see something like that usually we advise to reinstall the operating system
or reinstall backups.”

A proof of concept virus has used the Graphics Processing Unit (GPU) to avoid detection from
anti-virus software. The potential success of this involves bypassing the CPU in order to make it much
harder for security researchers to analyze the inner workings of such malware.

Rootkits
Detecting rootkits is a major challenge for anti-virus programs. Rootkits have full administrative
access to the computer and are invisible to users and hidden from the list of running processes in the task
manager. Rootkits can modify the inner workings of the operating system and tamper with
antivirus programs.

Damaged files
Files which have been damaged by computer viruses are normally damaged beyond recovery.
Anti-virus software removes the virus code from the file during disinfection, but this does not always
restore the file to its undamaged state. In such circumstances, damaged files can only be restored from
existing backups; installed software that is damaged requires re-installation.

Firmware issues
Active anti-virus software can interfere with a firmware update process. Any writeable
firmware in the computer can be infected by malicious code. This is a major concern, as an
infected BIOS could require the actual BIOS chip to be replaced to ensure the malicious code is
completely removed. Anti-virus software is not effective at protecting firmware and
the motherboard BIOS from infection.

A command-line virus scanner, Clam AV 0.95.2, running a virus signature definition update,
scanning a file and identifying a Trojan.

Installed antivirus software running on an individual computer is only one method of guarding
against viruses. Other methods are also used, including cloud-based antivirus, firewalls and on-line
scanners.

Cloud antivirus
Cloud antivirus is a technology that uses lightweight agent software on the protected computer,
while offloading the majority of data analysis to the provider's infrastructure.

One approach to implementing cloud antivirus involves scanning suspicious files using multiple
antivirus engines. This approach was proposed by an early implementation of the cloud antivirus
concept called CloudAV. CloudAV was designed to send programs or documents to a network
cloud where multiple antivirus and behavioral detection programs are used simultaneously in
order to improve detection rates. Parallel scanning of files using potentially incompatible antivirus
scanners is achieved by spawning a virtual machine per detection engine and therefore eliminating any
possible issues. CloudAV can also perform "retrospective detection," whereby the cloud detection
engine rescans all files in its file access history when a new threat is identified thus improving new
threat detection speed. Finally, CloudAV is a solution for effective virus scanning on devices that lack
the computing power to perform the scans themselves.
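
The following is an added illustration of the two CloudAV ideas just described, multi-engine scanning and retrospective detection over a file access history; it is not CloudAV's own code. Each `Engine` is a stand-in for a full antivirus engine (a small set of byte patterns), the per-engine virtual-machine isolation is not modelled, and the submitted files and patterns are constructed for the example.

```python
"""Cloud-style multi-engine scanning with retrospective detection.

Added illustration of the CloudAV concept, not CloudAV's own code. Engines are
stand-ins (byte-pattern lists) and all submitted files are constructed.
"""
import hashlib
from typing import Dict, Iterable, List, Set


class Engine:
    """Stand-in detection engine: flags data containing any of its patterns."""

    def __init__(self, name: str, patterns: Iterable[bytes]):
        self.name = name
        self.patterns: Set[bytes] = set(patterns)

    def scan(self, data: bytes) -> bool:
        return any(p in data for p in self.patterns)


class CloudScanner:
    """Runs every engine on each submission and keeps a file access history."""

    def __init__(self, engines: Iterable[Engine], threshold: int = 1):
        self.engines: Dict[str, Engine] = {e.name: e for e in engines}
        self.threshold = threshold                  # engines that must agree
        self.history: Dict[str, bytes] = {}         # sha256 -> content seen
        self.flagged_by: Dict[str, Set[str]] = {}   # sha256 -> engines that flagged it

    def submit(self, data: bytes) -> str:
        """Scan a file with all engines; a file seen before reuses its cached verdict."""
        digest = hashlib.sha256(data).hexdigest()
        if digest not in self.history:
            self.history[digest] = data
            self.flagged_by[digest] = {n for n, e in self.engines.items() if e.scan(data)}
        return digest

    def is_malicious(self, digest: str) -> bool:
        return len(self.flagged_by[digest]) >= self.threshold

    def add_pattern(self, engine: str, pattern: bytes) -> List[str]:
        """Retrospective detection: after a signature update, rescan the access
        history and return the digests of files that were clean but are now flagged."""
        eng = self.engines[engine]
        eng.patterns.add(pattern)
        newly_detected: List[str] = []
        for digest, data in self.history.items():
            was_clean = not self.is_malicious(digest)
            if engine not in self.flagged_by[digest] and eng.scan(data):
                self.flagged_by[digest].add(engine)
                if was_clean and self.is_malicious(digest):
                    newly_detected.append(digest)
        return newly_detected


def run_demo() -> dict:
    """Three constructed files, two engines, then one signature update."""
    cloud = CloudScanner([Engine("alpha", [b"MARK-ONE"]), Engine("beta", [b"MARK-TWO"])])
    sample_1 = b"constructed file containing MARK-ONE"
    sample_2 = b"constructed file containing MARK-TWO"
    sample_3 = b"constructed file containing MARK-NEW, unknown at first"
    d1, d2, d3 = (cloud.submit(s) for s in (sample_1, sample_2, sample_3))
    before = {"s1": cloud.is_malicious(d1), "s2": cloud.is_malicious(d2), "s3": cloud.is_malicious(d3)}
    newly = cloud.add_pattern("beta", b"MARK-NEW")   # threat intel arrives later
    return {
        "before": before,
        "newly_detected": newly == [d3],
        "s3_after": cloud.is_malicious(d3),
        "engines_on_s1": cloud.flagged_by[d1],
    }


if __name__ == "__main__":
    print(run_demo())
```

Sample 3 passes the initial scan because no engine knows its pattern yet; when the `beta` engine is updated, the rescan of the history finds it without the client having to resubmit anything, which is the speed-up the text attributes to retrospective detection. The `threshold` parameter is where a deployment decides how many engines must agree before a file is treated as malicious.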

Network firewall
Network firewalls prevent unknown programs and processes from accessing the system.
However, they are not antivirus systems and make no attempt to identify or remove anything. They may
protect against infection from outside the protected computer or network, and limit the activity of any
malicious software which is present by blocking incoming or outgoing requests on certain TCP/IP ports.
A firewall is designed to deal with broader system threats that come from network connections into the
system and is not an alternative to a virus protection system.

Online scanning
Some antivirus vendors maintain websites with free online scanning capability of the entire
computer, critical areas only, local disks, folders or files. Periodic online scanning is a good idea for
those that run antivirus applications on their computers because those applications are frequently slow to
catch threats. One of the first things that malicious software does in an attack is disable any existing
antivirus software and sometimes the only way to know of an attack is by turning to an online resource
that isn't already installed on the infected computer.

Specialist tools

Using rkhunter to scan for rootkits on an Ubuntu Linux computer.


Virus removal tools are available to help remove stubborn infections or certain types of
infection. Examples include Trend Micro's Rootkit Buster, and rkhunter for the detection
of rootkits, Avira's AntiVir Removal Tool, PCTools Threat Removal Tool, and AVG's Anti-Virus Free
2011.

A rescue disk that is bootable, such as a CD or USB storage device, can be used to run
antivirus software outside of the installed operating system, in order to remove infections while they are
dormant. A bootable antivirus disk can be useful when, for example, the installed operating system
is no longer bootable or has malware that is resisting all attempts to be removed by the installed
antivirus software.
Examples of some of these bootable disks include the Avira AntiVir Rescue System, PCTools
Alternate Operating System Scanner, and AVG Rescue CD. The AVG Rescue CD software can also
be installed onto a USB storage device that is bootable on newer computers.

A survey by Symantec in 2009 found that a third of small to medium sized businesses did not use
antivirus protection at that time, whereas more than 80% of home users had some kind of antivirus
installed.

Operation Sheet 1 Protecting your computer from Viruses


You can protect yourself against viruses with a few simple steps:
• If you are truly worried about traditional (as opposed to e-mail) viruses, you should be
running a more secure operating system like UNIX. You never hear about viruses on these
operating systems because the security features keep viruses (and unwanted human visitors)
away from your hard disk.
• If you are using an unsecured operating system, then buying virus protection software is a
nice safeguard.
• If you simply avoid programs from unknown sources (like the Internet), and instead stick
with commercial software purchased on CDs, you eliminate almost all of the risk from
traditional viruses.
• You should make sure that Macro Virus Protection is enabled in all Microsoft applications,
and you should NEVER run macros in a document unless you know what they do. There is
seldom a good reason to add macros to a document, so avoiding all macros is a great policy.
• You should never double-click on an e-mail attachment that contains an
executable. Attachments that come in as Word files (.DOC), spreadsheets (.XLS), images
(.GIF), etc., are data files and they can do no damage (noting the macro virus problem in Word
and Excel documents mentioned above). However, some viruses can now come in through
.JPG graphic file attachments. A file with an extension like EXE, COM or VBS is an
executable, and an executable can do any sort of damage it wants. Once you run it, you have
given it permission to do anything on your machine. The only defense is never to run
executables that arrive via e-mail.

Open the Options dialog from the Tools menu in Microsoft Word and make sure that Macro Virus
Protection is enabled. Newer versions of Word allow you to customize the level of macro protection you
use.

Setting Automatic Updates in your computer

• Ask the trainer for the copy of the video on how to set Automatic Updates.

Turn the firewall on

• Ask the trainer for the copy of the video on how to turn on the firewall.

Setting Internet Level of Security

• Ask the trainer for the copy of the video on how to set Internet Level Security.

Setting Macro Level of Security

• Ask the trainer for the copy of the video on how to set Macro Level Security.
