McAfee AVDCDE-AA-AA User Guide - Page 26
“Double heuristics” analysis, Wide-spectrum coverage, combination - observer
View all McAfee AVDCDE-AA-AA manuals
Add to My Manuals
Save this manual to your list of manuals |
Page 26 highlights
About VirusScan Software This meant that the simple pattern-matching method that earlier scan engine incarnations used to find many viruses simply no longer worked, since no constant sequence of bytes existed to detect. To respond to this threat, McAfee researchers developed the PolyScan Decryption Engine, which locates and analyzes the algorithm that these types of viruses use to encrypt and decrypt themselves. It then runs this code through its paces in an emulated virtual machine in order to understand how the viruses mutate themselves. Once it does so, the engine can spot the "undisguised" nature of these viruses, and thereby detect them reliably no matter how they try to hide themselves. "Double heuristics" analysis As a further engine enhancement, McAfee researchers have honed early heuristic scanning technologies-originally developed to detect the astonishing flood of macro virus variants that erupted after 1995-into a set of precision instruments. Heuristic scanning techniques rely on the engine's experience with previous viruses to predict the likelihood that a suspicious file is an as-yet unidentified or unclassified new virus. The scan engine now incorporates ViruLogic, a heuristic technique that can observe a program's behavior and evaluate how closely it resembles either a macro virus or a file-infecting virus. ViruLogic looks for virus-like behaviors in program functions, such as covert file modifications, background calls or invocations of e-mail clients, and other methods that viruses can use to replicate themselves. When the number of these types of behaviors-or their inherent quality-reaches a predetermined threshold of tolerance, the engine fingers the program as a likely virus. The engine also "triangulates" its evaluation by looking for program behavior that no virus would display-prompting for some types of user input, for example-in order to eliminate false positive detections. This double-heuristic combination of "positive" and "negative" techniques results in an unsurpassed detection rate with few, if any, costly misidentifications. Wide-spectrum coverage As malicious agents have evolved to take advantage of the instant communication and pervasive reach of the Internet, so VirusScan software has evolved to counter the threats they present. A computer "virus" once meant a specific type of agent-one designed to replicate on its own and cause a limited type of havoc on the unlucky recipient's computer. In recent years, however, an astounding range of malicious agents has emerged to assault personal computer users from nearly every conceivable angle. Many of these agents-some of the fastest-spreading worms, for instance-use updated versions of vintage techniques to infect systems, but many others make full use of the new opportunities that web-based scripting and application hosting present. 26 McAfee VirusScan Anti-Virus Software