
Analysis of software for the implementation of the basic methods of information protection. Factors Determining the Quality of Antivirus Programs

A computer "disease" has its symptoms. Many users see them all the time but pay no attention to them.

One of the main symptoms is the appearance of new, unknown processes in the task manager. Most users cannot tell which of the hundreds of processes belongs to a malicious program. Many have also seen an executable file refuse to start, or the computer reboot right after a program was launched. Worse, the machine may shut down at random. And the most common symptom of all is programs crashing for no apparent reason.

Any of the above can be the work of malicious programs. But you should be aware that a computer can be infected even when no symptoms show at all.

Let's consider the main methods of protection against malicious software. Today there is no one-hundred-percent, absolute protection against viruses, worms and Trojans; any user can become their victim. There are, however, some effective security measures.

  • 1) Use modern operating systems and install updates promptly, so that malware authors find it harder to "pick the lock" on your device. Once a fresh update is applied, the old virus no longer works and the author has to do a lot of work to create a new one.
  • 2) Work under administrator rights as rarely as possible: it is precisely administrator rights that allow many malicious programs to install themselves on a personal computer.
  • 3) Check external storage media before copying information from them.
  • 4) Do not open files received from unreliable sources on your work computer, for example files downloaded from unverified, untrustworthy sites.
  • 5) If possible, use a second computer that holds no valuable information to open and run applications from unreliable sources.
  • 6) Use the basic means of protection: antivirus software.

Thus, only a combination of measures, including the installation of antivirus software, competent administration of the personal computer and sensible behaviour on the Internet, will reliably protect the computer from malicious code.

Types of antivirus programs

Eugene Kaspersky in 1992 used the following classification of antiviruses by their operating principle (which determines their functionality):

Scanners - antiviruses that detect the presence of a virus using a signature database, which stores the signatures (or their checksums) of viruses. Their effectiveness depends on how up to date the virus database is.

Auditors - programs that record the state of the file system, which makes it possible to analyse changes later.

Watchmen (monitors) - monitor potentially dangerous operations and prompt the user to allow or deny each operation.

Vaccines - modify the inoculated file so that the virus the vaccine protects against already considers the file infected. In modern conditions, when the number of possible viruses is measured in hundreds of thousands, this approach is inapplicable.

Anti-malware methods

The main method of combating malware, as in medicine, is timely prevention. Computer prophylaxis implies adherence to the rules of "computer hygiene", which can significantly reduce the likelihood of infection and loss of any data. Understanding and strictly adhering to the basic rules of conduct when using an individual computer and on the network is an important method of protecting against computer intruders. There are three basic rules in total that are true for both individual and corporate users.

  • 1. Mandatory use of anti-virus protection. If you are not an expert in computer security, it is better to use reliable anti-virus protection and protection against network attacks (a firewall) - entrust your security to professionals. Most modern antivirus programs protect against a wide variety of computer threats: viruses, worms, Trojans and adware. Integrated security solutions also add filters against spam, network attacks and visits to unwanted and dangerous Internet resources.
  • 2. Do not trust all information arriving at your computer - emails, links to websites, instant messages. You should definitely not open files and links that come from an unknown source. The risk of infection is also reduced by organizational measures. These include various restrictions on what users, both individual and corporate, may do, for example:
    • a ban on the use of instant messengers;
    • access to only a limited number of web pages;
    • physical disconnection of the enterprise's internal network from the Internet and the use of dedicated computers for Internet access, etc.

Unfortunately, severe restrictive measures can conflict with the wishes of each individual user or with the business processes of the enterprise. In such cases, it is necessary to seek a balance, and in each case, this balance may be different.

3. Pay enough attention to information from antivirus companies and computer security experts. They usually report new types of online fraud, new virus threats, epidemics, etc. promptly, so keep an eye on such information.

Factors Determining the Quality of Antivirus Programs

The quality of an antivirus program is determined by several factors; we list them in order of importance.

  • 1. Reliability and usability - no antivirus freezes or other technical problems that would require special training from the user.
  • 2. Quality of detection of viruses of all common types, including scanning inside document files and spreadsheets, packed files and archives. Absence of "false positives". Ability to disinfect infected objects.
  • 3. Availability of antivirus versions for the main popular platforms (DOS, Windows, Linux, etc.).
  • 4. The ability to scan "on the fly".
  • 5. Availability of server versions with network administration capabilities.
  • 6. Speed of operation.

A malicious program is a computer program or portable code designed to implement threats to information stored in a computer system, or for the hidden misuse of system resources, or other impact that interferes with the normal functioning of a computer system.

Malicious software includes network worms, classic file viruses, Trojans, hacker utilities, and other programs that deliberately harm the computer on which they are run or other computers on the network.

Regardless of type, malicious programs are capable of causing significant damage, realizing any of the threats to information: threats to integrity, confidentiality and availability.

The main channel for the global spread of malware is, of course, the Internet.

The Internet is without doubt a necessity of our time; for some it is simply indispensable. In a short time you can find the information you need, read the latest news and communicate with many people, all without leaving your home or office. But do not forget that through this "thick pipe" hackers can easily break into your computer and gain access to your personal information.

While hardware and software vendors and government officials adopt a privacy-friendly posture, there are strong reasons to fear that our Internet surfing will not go unnoticed by someone's "watchful" eyes; anonymity and security are not guaranteed. Hackers can easily read e-mail messages, and Web servers log anything and everything, even the list of Web pages viewed.

Evolution of viral systems

1949. The American scientist of Hungarian origin John von Neumann developed a mathematical theory of self-replicating programs. This was the first theory of computer viruses, and it generated very limited interest in the scientific community.

In the early 1960s, engineers from the American company Bell Telephone Laboratories - V. Vyssotsky, D. McIlroy and Robert Morris - created the game "Darwin". The game assumed the presence in the computer's memory of a so-called supervisor, which set the rules and order of the battle between rival programs written by the players. The programs had functions for exploring space, reproducing and destroying. The aim of the game was to delete all copies of the opponent's program and capture the battlefield.

Late 1960s - early 1970s. The first viruses appear. In some cases these were bugs that made programs copy themselves, clogging up the hard disks of computers and reducing their performance, but it is believed that in most cases viruses were deliberately created to destroy. Probably the first victim of a real virus, written by a programmer for fun, was a Univac 1108 computer. The virus was called Pervading Animal and infected only one computer - the one on which it was created.

The problem of malware, adware and spyware in particular, deserves increased attention as one of the biggest troubles that modern computer users face on a daily basis. Their harmful effect is that they undermine the reliability of the computer and violate the privacy and confidentiality of personal life, and through some combination of spyware actions they break the computer's own protection mechanisms. Such programs often appear without the recipient's knowledge, and even once found they are hard to get rid of. A noticeable drop in performance, erratic changes to user preferences and the appearance of new questionable toolbars or add-ons are just a few of the unpleasant consequences of a spyware or adware infection. Spyware and other malware can also adapt to the more subtle modes of operation of the computer and penetrate deeply into the complex mechanisms of the operating system so as to greatly complicate their detection and removal.

Decreased performance is probably the most visible consequence of malware, since it directly affects the computer's responsiveness to the point that even a non-professional can notice it. Even if users are not alarmed by advertising windows popping up every now and then, and even when the computer is not connected to the Internet, a drop in the responsiveness of the operating system, as threads of malicious code compete with the system and useful programs, clearly indicates a problem. Software settings change, new features are mysteriously added, unusual processes appear in the task manager (sometimes a dozen of them), or programs behave as if someone else were using them and you had lost control. The side effects of malware (be it adware or spyware) have serious consequences, and yet many users continue to act carelessly, opening the door of their computer wide.

On the modern Internet, on average every 30th e-mail is infected with an email worm, and about 70% of all correspondence is unwanted. As the Internet grows, the number of potential victims of virus writers increases, and each new operating system release widens the range of possible ways into the system and the options for a malicious payload. A modern computer user cannot feel safe from the threat of becoming the object of someone's cruel joke - for example, the destruction of information on the hard drive, the result of long and painstaking work, or the theft of a mail-system password. It is just as frustrating to find yourself the victim of a mass mailing of confidential files or of links to a porn site. In addition to the theft of credit card numbers, which has already become commonplace, the theft of personal data of players of various online games - Ultima Online, Legend of Mir, Lineage, Gamania - has become more frequent. In Russia there are also recorded cases involving the game "Fight Club", where the real cost of some items at auction reaches thousands of US dollars. Virus technologies for mobile devices have also developed: not only Bluetooth but also ordinary MMS messages are used as a way in (the ComWar worm).

Types of malware

A computer virus is a type of computer program, a distinctive feature of which is the ability to reproduce (self-replication). In addition, viruses can damage or completely destroy all files and data under the control of the user on whose behalf the infected program was launched, as well as damage or even destroy the operating system with all files as a whole.

Other types of malware, such as Trojans, spyware and even spam, are sometimes referred to as computer viruses by laymen. (Spam is the distribution of commercial, political and other advertisements or other types of messages to people who did not express a wish to receive them. The legality of mass mailing of certain types of messages, for which the consent of the recipients is not required, may be enshrined in a country's legislation; for example, this may apply to messages about impending natural disasters, mass mobilization of citizens, etc. In the generally accepted sense, the term "spam" in Russian was first used in relation to sending emails.) There are tens of thousands of computer viruses spreading through the Internet around the world and causing viral epidemics.

Viruses spread by injecting themselves into the executable code of other programs or by replacing other programs. For some time it was even believed that, being a program, a virus can only infect a program - any change in a non-program is not an infection, but simply data corruption. The implication was that such copies of the virus would not gain control, being information not used by the processor as instructions. So, for example, unformatted text could not carry a virus.

However, cybercriminals later found that not only executable code containing processor machine code could exhibit viral behaviour. Viruses were written in the language of batch files. Then macro viruses appeared, which entered documents of programs such as Microsoft Word and Excel through macros.

Some time later, attackers created viruses that exploited vulnerabilities in popular software (for example, Adobe Photoshop, Internet Explorer, Outlook), which generally processes ordinary data. Viruses began to spread by injecting special code into a sequence of data (for example, pictures, texts, etc.) that exploited software vulnerabilities.

A Trojan horse (also known as a Trojan, a Trojan program or Trojan Horse) is a malicious program that infiltrates a computer disguised as something harmless: a codec, a screensaver, hacker software, etc.

Trojan horses do not have their own propagation mechanism, and this is different from viruses, which spread by attaching themselves to harmless software or documents, and worms, which copy themselves over the network. However, a Trojan program can carry a viral body - then the Trojan that launched it turns into a hotbed of "infection".

Trojans are extremely easy to write: the simplest of them consist of a few dozen lines of code in Visual Basic or C++.

The name "Trojan program" comes from the name "Trojan horse" - a wooden horse, according to legend, donated by the ancient Greeks to the inhabitants of Troy, inside which soldiers were hiding, who later opened the gates of the city to the conquerors. This name, first of all, reflects the secrecy and potential cunning of the true intentions of the program developer.

When launched on a computer, a Trojan horse can:

  • interfere with the user's work (as a joke, by mistake, or to achieve some other purpose);
  • spy on the user;
  • use the computer's resources for illegal (and sometimes directly damaging) activity, etc.

Trojan horse masking. To provoke the user into launching the Trojan, the program file (its name, its icon) is given a service-like name, is disguised as another program (for example, the installer of another program) or as a file of a different type, or is simply given an attractive name, icon, etc. An attacker can also recompile an existing program, add malicious code to its source, and then pass it off as the original or replace the original with it.

In order to successfully perform these functions, the Trojan can, to one degree or another, imitate (or even fully replace) the task or data file under which it is disguised (setup program, application program, game, application document, picture). Similar malicious and camouflaging functions are also used by computer viruses, but unlike them, Trojans cannot spread on their own.

Trojans are placed by an attacker on open resources (file servers, writable storage on the computer itself), on storage media, or sent via messaging services (for example, e-mail) in the expectation that they will be launched on a specific "target" computer, on one from a certain circle, or on an arbitrary one.

Sometimes the use of Trojans is only part of a planned multi-stage attack on certain computers, networks or resources (including others).

Removal methods. Trojans have many types and forms, so there is no absolutely reliable protection against them.

Antivirus software must be used to detect and remove Trojans. If the antivirus detects a Trojan but reports that it cannot remove it, you can try booting the OS from an alternative source and repeating the antivirus scan. If the Trojan is detected on the system, it can also be removed manually ("safe mode" is recommended).

It is extremely important to regularly update the anti-virus database of the anti-virus installed on the computer in order to detect Trojans and other malware, as many new malicious programs appear every day.

A network worm is a type of self-replicating computer programs that spread in local and global computer networks. The worm is a standalone program.

Some of the earliest experiments in using computer worms for distributed computing were conducted at the Xerox Palo Alto Research Center by John Shoch and Jon Hupp in 1978. The term comes from the science fiction novels "When HARLIE Was One" by David Gerrold and "The Shockwave Rider" by John Brunner.

One of the more famous computer worms is the Morris Worm, written by Robert Morris Jr., who was a student at Cornell University at the time. The spread of the worm began on November 2, 1988, after which the worm quickly infected a large number of computers connected to the Internet.

Worms can use various propagation mechanisms ("vectors"). Some worms require a specific user action to spread (for example, opening an infected message in an email client). Other worms can spread autonomously, targeting and attacking computers in a fully automatic manner. Sometimes there are worms with a whole range of different vectors of propagation, strategies for choosing a victim, and even exploits for various operating systems.

So-called RAM-resident worms are often distinguished: they can infect a running program and reside in RAM without touching the hard drive. You can get rid of such worms by restarting the computer (and thereby clearing RAM). Such worms consist mainly of an "infectious" part, an exploit (shellcode), and a small payload (the worm's body itself), which is placed entirely in RAM. Their peculiarity is that they are not loaded through the loader like ordinary executable files, so they can only rely on dynamic libraries that other programs have already loaded into memory.

There are also worms that, after successfully infecting memory, save their code to the hard disk and take measures to run it again later (for example, by writing the appropriate keys in the Windows registry). Such worms can only be removed with the help of an antivirus or similar tools. Often the infectious part of such worms (exploit, shellcode) contains a small payload that is loaded into RAM and can download the worm's body as a separate file over the network; for this purpose some worms include a simple TFTP client in the infectious part. The worm body downloaded in this way (usually a separate executable) is then responsible for further scanning and propagation from the already infected system, and may also carry a more serious, full-fledged payload whose purpose may be, for example, causing harm (such as DoS attacks).

Most email worms spread as a single file. They do not need a separate "infectious" part, since usually the victim user voluntarily downloads and launches the entire worm using a mail client.

Analysis of antivirus programs

Eugene Kaspersky in 1992 used the following classification of antiviruses by their operating principle (which determines their functionality):

Scanners (the outdated term is "polyphages") - detect the presence of a virus using a signature database, which stores the signatures (or their checksums) of viruses. Their effectiveness depends on how up to date the virus database is and on the presence of a heuristic analyzer (see: Heuristic scanning).

Auditors (a class similar to IDS) - record the state of the file system, which makes it possible to analyse changes later.

Watchmen (monitors) - monitor potentially dangerous operations and prompt the user to permit or prohibit each operation.

Vaccines - modify the file to be vaccinated so that the virus the vaccine protects against already considers the file infected. In modern (2007) conditions, when the number of possible viruses is measured in hundreds of thousands, this approach is inapplicable.

Modern antiviruses combine all of the above functions.
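The scanner and auditor classes described above (and in the earlier classification) differ in what they compare a file against: a scanner needs a signature database, an auditor only needs its own earlier snapshot. The following Python example, added here and not taken from the article or any antivirus product, implements a minimal version of each over a constructed file tree; the "malware" marker, the file names and the signature names are all invented for the demonstration.

```python
import hashlib
from pathlib import Path
from tempfile import TemporaryDirectory
from typing import Dict, List, Optional

# Constructed stand-in for a virus signature. A real database holds many
# thousands of entries; this marker is invented for the example only.
SAMPLE = b"CONSTRUCTED-MALWARE-SAMPLE-MARKER-0001"


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Signature database in the two forms the article mentions: whole-file
# checksums (cheap, exact) and byte patterns (find the marker inside a host file).
HASH_SIGNATURES: Dict[str, str] = {sha256(SAMPLE): "Sample.A"}
PATTERN_SIGNATURES: Dict[bytes, str] = {SAMPLE: "Sample.A (pattern)"}


def scan_file(path: Path) -> Optional[str]:
    """Scanner: return the signature name if the file matches, otherwise None."""
    data = path.read_bytes()
    name = HASH_SIGNATURES.get(sha256(data))
    if name:
        return name
    for pattern, pattern_name in PATTERN_SIGNATURES.items():
        if pattern in data:
            return pattern_name
    return None


def _files(root: Path) -> List[Path]:
    return sorted(p for p in root.rglob("*") if p.is_file())


def scan_tree(root: Path) -> Dict[str, str]:
    """Scanner over a directory: {relative path: signature name} for every hit."""
    hits: Dict[str, str] = {}
    for p in _files(root):
        name = scan_file(p)
        if name:
            hits[p.relative_to(root).as_posix()] = name
    return hits


def snapshot(root: Path) -> Dict[str, str]:
    """Auditor, step 1: record a hash of every file (the baseline)."""
    return {p.relative_to(root).as_posix(): sha256(p.read_bytes()) for p in _files(root)}


def audit(baseline: Dict[str, str], current: Dict[str, str]) -> Dict[str, List[str]]:
    """Auditor, step 2: report what changed since the baseline. No signature is
    needed, so this also catches modifications the scanner has no entry for."""
    common = baseline.keys() & current.keys()
    return {
        "added": sorted(current.keys() - baseline.keys()),
        "removed": sorted(baseline.keys() - current.keys()),
        "modified": sorted(p for p in common if baseline[p] != current[p]),
    }


def demo():
    """Build a constructed file tree, baseline it, then simulate an infection."""
    with TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "readme.txt").write_bytes(b"release notes")
        (root / "app.exe").write_bytes(b"MZ\x90\x00 clean program body")
        (root / "notes.txt").write_bytes(b"untouched")
        baseline = snapshot(root)
        clean_hits = scan_tree(root)

        # Simulated infection (constructed actions, not real malware): a dropped
        # copy of the sample (exact hash match), the sample appended to an existing
        # program (hash no longer matches, the byte pattern still does), a deleted
        # file, and an edit that no signature covers at all.
        (root / "update.exe").write_bytes(SAMPLE)
        (root / "app.exe").write_bytes(b"MZ\x90\x00 clean program body" + SAMPLE)
        (root / "readme.txt").unlink()
        (root / "notes.txt").write_bytes(b"untouched?")

        return clean_hits, scan_tree(root), audit(baseline, snapshot(root))


if __name__ == "__main__":
    before, after, changes = demo()
    print("scanner before infection:", before)
    print("scanner after infection: ", after)
    print("auditor report:          ", changes)
```

The scanner stays silent about notes.txt because nothing in its database matches it, while the auditor reports it as modified; that gap is exactly why the article notes that modern antiviruses combine both functions.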

Antiviruses can also be divided into:

  • Products for home users:
    • antiviruses themselves;
    • combined products (for example, anti-spam, a firewall, anti-rootkit, etc. added to the classic antivirus).
  • Corporate products:
    • server antiviruses;
    • antiviruses for workstations ("endpoint").

Avast! Home Edition

Instead of a simple "gray" window, we see the original plastic interface in dark blue. To start, just select what exactly you want to check - local, removable drives or individual directories - and click the "Start" button. You can also define the quality of the scan (Quick, Standard or Thorough) and whether the archives are included in it. Naturally, there is also a memory resident monitor that intercepts viruses on the fly.

The antivirus has all the functions needed to protect your computer from viruses. It includes the following components: a scanner, a monitor, an e-mail scanner and a system for automatically updating the anti-virus database via the Internet. The program can both find and disinfect files infected with viruses. For safe storage and treatment of infected files, this antivirus implements a virus storage (quarantine) function, within which all operations on infected files take place. The antivirus can work together with third-party firewalls (it supports Kerio Personal, Zone Alarm Pro and the firewall built into Windows XP), which allows you to reliably protect your computer from various Internet threats and virus attacks.

AVIRA Antivirus for Windows Desktop

An easy-to-use antivirus. Detects email viruses, Trojans, spyware, worms, files with double extensions, etc. There is automatic database updating and real-time monitoring, as well as a scheduler and heuristic analysis.

Dr.Web

A good domestic antivirus with a high degree of suspicion. It is notably fast. Features: full scan of all Windows system memory; automatic updating via the Internet; resident antivirus control of files (SpIDer Guard); the intelligent SpIDer-Netting technology for monitoring virus activity. Like Kaspersky Anti-Virus, it "hangs in memory", scanning all files for viruses. Compared to Kaspersky Anti-Virus it is faster, but it can miss viruses if you do not download updates to the anti-virus database. Checking of mail files encoded with UUENCODE and MIME, and checking of alternate data streams (ADS) on the NTFS file system, have been implemented.

A free analogue of the well-known Dr.Web anti-virus package with somewhat reduced functionality.

Eset NOD32

NOD32 is a fully integrated suite of software products featuring the highest detection rates, high scan speeds and phenomenally low system resource usage, confirmed by many prestigious international awards.

Kaspersky Antivirus

Kaspersky Lab antivirus toolkit. It includes a resident program, a disk scanner, ScriptChecker, a set of virus databases. Numerous settings for the time of automatic launch of the virus scanning program, for the types of files to scan. Powerful heuristic search algorithms. Kaspersky Anti-Virus Monitor is a program that resides in the computer's RAM and monitors everything that happens in it. Kaspersky Anti-Virus Scanner is a module for high-quality scanning of the contents of your computer's disks with the ability to customize the depth, priority, and a host of other scan parameters. Kaspersky Anti-Virus Updater is a program for updating virus databases that are used by other modules to detect infected objects. Kaspersky Anti-Virus Control Center is a control shell for Kaspersky Anti-Virus that acts as an intelligent scheduler. Kaspersky Anti-Virus Mail Checker is a program designed to provide anti-virus protection for users who use Microsoft Outlook to work with e-mail. Kaspersky Anti-Virus Rescue Disk is a component of the Kaspersky Anti-Virus package designed to create a set of rescue discs. Kaspersky Anti-Virus Script Checker is a service for protecting against script viruses that may be contained in letters and on web pages. Kaspersky Anti-Virus detects viruses in archived and packed files of over 700 formats, and also disinfects files in ZIP, ARJ, CAB and RAR formats.

Kaspersky Worm Removal Tool

A free utility for neutralizing the most common worm viruses. If a virus is detected, Kaspersky Worm Removal Tool removes it and restores damaged registry entries. When the program is started from the command line, the scan parameters can be configured with switches. Both local and network drives can be checked.

Norton AntiVirus

Norton AntiVirus is one of the best antivirus products on the global market. It automatically removes viruses, Internet worms and Trojans without interfering with the user's work. The Norton Internet Worm Protection function allows it to block some of the most complex and dangerous worms (for example, Blaster and Sasser) before they enter the computer system. In addition, Norton AntiVirus can detect spyware and other threats that are not viral in nature.

Panda Antivirus Platinum

Convenient and easy to configure antivirus. Panda has functions for checking outgoing and incoming mail, heuristic analysis and the ability to create emergency floppies. There are also features to keep your computer safe from nasty things like hidden management utilities, programs that automatically dial your ISP, and joke programs.

USB Disk Security

A program that provides you with 100% protection against malware and viruses spread through removable media (USB flash drives, memory cards, external hard drives and other media connected via a USB port). The program is easy to use, not demanding on system resources and belongs to the "set and forget" category. The program is fully compatible with modern antiviruses, which allows you to provide the greatest protection when used together.

As you might expect, it is impossible to name the best antivirus among the programs reviewed here, because users can apply many different criteria when choosing. One thing is certain: all the solutions deserve users' attention and are among the worthy ones. The most functional of them is Kaspersky Anti-Virus, which provides comprehensive protection against the widest range of threats and has impressive customization options. But for the combination of high functionality and ease of use (that is, simplicity and minimal "noticeability" when working in the background), we preferred Eset NOD32. The Avast! AntiVirus and Avira AntiVir antiviruses are also undemanding on system resources and therefore behave modestly in the background, but their capabilities will not suit every user: in the first, for example, the level of heuristic analysis is insufficient, and the second has no Russian-language localization yet and, in our opinion, its module management is not very convenient.

As for Norton AntiVirus and Dr.Web, despite the worldwide popularity of the first and the well-deserved recognition of the past merits of the second, the palm in the perspective we are considering clearly does not go to them. Norton AntiVirus, although its latest version is much faster than its predecessors and has a better-thought-out interface, still loads the system significantly and responds rather slowly when certain functions are launched; in fairness, it performs the scan itself quickly. And Dr.Web is not very impressive next to the other antiviruses, because its capabilities are limited to protecting files and mail, but it has its own plus: it is the simplest of the antiviruses reviewed.

Table 1 - Comparison of the functionality of anti-virus solutions (one cell per product in each row; of the column headers, only Kaspersky Anti-Virus and Norton Antivirus survive)

  • Scan types: fast (limited scan area), full and selective | smart scan (no settings required) and custom scan | fast, complete and custom | fast, complete and selective | fast, standard and thorough | complete and local | complete and local | complete and local
  • Scan individual files / folders from Windows Explorer
  • Scan start options: on demand and on schedule (identical in every column)
  • Real-time protection
  • Use of proactive methods of protection: + (heuristic analyzer) | + (behavioral blocker) | + (heuristic analyzer) | + (heuristic analyzer only for analyzing mail messages) | + (heuristic analyzer) | + (heuristic analyzer) | + (heuristic analyzer and behavioral blocker)
  • Scanning files
  • Scanning mail messages: + (malware) | + (malware) | + (malware) | + (malware) | + (malware) | + (malware) | + (malware, phishing)
  • Scanning instant messages
  • Notification of found infections
  • Checking the OS and software for vulnerabilities
  • Blocking the execution of dangerous scripts
  • Checking links for suspicious / phishing addresses

Spyware

Spyware (spyware) - a program that is secretly installed on a computer for the purpose of full or partial control over the work of the computer and the user without the consent of the latter.

Currently, there are many definitions and interpretations of the term spyware. The Anti-Spyware Coalition, which includes many major manufacturers of anti-spyware and anti-virus software, defines it as a monitoring software product installed and used without proper user notification, consent and control by the user, that is, unauthorized installation.

Features of functioning

Spyware can perform a wide range of tasks, for example:

  • collect information about your Internet usage habits and the most frequently visited sites (tracking software);
  • record keystrokes (keyloggers) and take screenshots (screen scrapers), then send the information to the spyware's author;
  • unauthorized remote control of the computer (remote control software): backdoors, botnets, droneware;
  • install additional programs on the user's computer;
  • unauthorized analysis of the state of security systems (security analysis software): port and vulnerability scanners and password crackers;
  • change operating system parameters (system modifying software): rootkits, control interceptors (hijackers), etc., which results in a slower Internet connection or loss of the connection altogether, different home pages opening, or certain programs being removed;
  • redirect browser activity, which leads to blind visits to websites with the risk of viruses.

Legitimate uses of "potentially unwanted technology":

  • Tracking software is widely and legally used to monitor personal computers.
  • Adware can be openly included in free and shareware software, and the user agrees to view ads in exchange for some additional benefit (for example, using the program free of charge). In such a case, the presence of an ad-serving component must be explicitly stated in the end user license agreement (EULA).
  • Remote control and management programs can be used for remote technical support or for accessing one's own resources located on a remote computer.
  • Dialers can provide access to resources the user needs (for example, dialing an Internet provider to connect to the Internet).
  • System modification programs can also be used to personalize the system as the user wishes.
  • Auto-download programs can be used to automatically download application and OS updates.
  • Programs for analyzing the state of the security system are used to study the security of computer systems and for other completely legitimate purposes.
  • Passive tracking technologies can be useful for personalizing the web pages that a user visits.

According to 2005 data from AOL and the National Cyber-Security Alliance, 61% of surveyed users' computers contained some form of spyware; 92% of those users were unaware of its presence on their machines, and 91% reported that they had not given permission for it to be installed.

By 2006, spyware had become one of the prevailing security threats to computer systems running Windows. Computers that use Internet Explorer as their primary browser are particularly vulnerable, not because Internet Explorer is the most widely used browser, but because its tight integration with Windows allows spyware to gain access to key parts of the operating system.

Prior to the release of Internet Explorer 7, the browser automatically presented an installation prompt for any ActiveX component that a website wanted to install. The combination of users' ignorance of spyware and Internet Explorer's assumption that all ActiveX components are harmless contributed to the massive spread of spyware. Many spyware components also exploit flaws in JavaScript, Internet Explorer and Windows to install without the user's knowledge and/or permission.

The Windows registry contains many keys which, once their values are modified, cause a program to run automatically when the OS boots. Spyware uses this mechanism to survive uninstallation and removal attempts.

Spyware usually attaches itself to every registry location that allows automatic execution. Once launched, it periodically checks whether any of these entries has been removed and, if so, restores it automatically. This ensures that the spyware is executed at boot time even if some (or most) of its startup entries in the registry are removed.
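A defender can look for exactly this pattern in a registry export: the same executable registered under several autorun keys. The script below is an added example, not code from the original article; it parses a constructed .reg export (the file names and paths are made up) and reports binaries present in two or more of the real Run/RunOnce keys.

```python
import re
from collections import defaultdict

# Real autorun key paths that spyware commonly populates (lower-cased for matching).
AUTORUN_KEYS = {
    r"hkey_local_machine\software\microsoft\windows\currentversion\run",
    r"hkey_local_machine\software\microsoft\windows\currentversion\runonce",
    r"hkey_current_user\software\microsoft\windows\currentversion\run",
    r"hkey_current_user\software\microsoft\windows\currentversion\runonce",
}

# Constructed .reg export for demonstration; the value names and paths are made up.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SecurityHealth"="C:\\Windows\\System32\\SecurityHealthSystray.exe"
"svchost32"="C:\\Users\\alice\\AppData\\Local\\Temp\\svchost32.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"svchost32"="C:\\Users\\alice\\AppData\\Local\\Temp\\svchost32.exe"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe /background"
"updater"="C:\\Users\\alice\\AppData\\Local\\Temp\\svchost32.exe /silent"
"""

KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"([^"]+)"="(.*)"$')
EXE_RE = re.compile(r'"?([^"]*?\.exe)', re.IGNORECASE)


def parse_autorun_entries(reg_text):
    """Return (key, value_name, command) for every value under a known autorun key."""
    entries, current_key = [], None
    for raw in reg_text.splitlines():
        line = raw.strip()
        key_match = KEY_RE.match(line)
        if key_match:
            current_key = key_match.group(1)
            continue
        value_match = VALUE_RE.match(line)
        if value_match and current_key and current_key.lower() in AUTORUN_KEYS:
            # .reg exports double every backslash inside string data; undo that.
            command = value_match.group(2).replace("\\\\", "\\")
            entries.append((current_key, value_match.group(1), command))
    return entries


def executable_of(command):
    """Normalise an autorun command to the lower-cased path of its executable."""
    match = EXE_RE.match(command)
    return (match.group(1) if match else command).lower()


def find_multi_location_binaries(entries):
    """Map each executable registered under two or more autorun keys to its entries.

    A legitimate program normally needs a single autorun entry; the same binary
    registered under several keys is the self-restoring pattern described above.
    """
    by_exe = defaultdict(list)
    for key, name, command in entries:
        by_exe[executable_of(command)].append((key, name))
    return {exe: locs for exe, locs in by_exe.items() if len(locs) >= 2}


if __name__ == "__main__":
    for exe, locs in find_multi_location_binaries(parse_autorun_entries(SAMPLE_REG)).items():
        print(f"{exe} is registered in {len(locs)} autorun locations:")
        for key, name in locs:
            print(f"  {key}\\{name}")
```

On a real machine the same logic can be fed an export produced with `reg export`, and a hit under the user's Temp directory is worth a closer look than one under System32.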

Unlike viruses and network worms, spyware usually does not replicate itself. Like many viruses today, spyware infiltrates computers primarily for commercial purposes. Typical manifestations include displaying advertising pop-ups, stealing personal information (including financial information such as credit card numbers), tracking website browsing habits, or redirecting an address request in the browser to advertising or porn sites.

Phone fraud. Spyware creators can commit telephone fraud using dialer-type programs. A dialer can reconfigure the modem to dial expensive phone numbers instead of the regular ISP number. These untrustworthy numbers are charged at international or intercontinental rates, resulting in prohibitive telephone bills. A dialer is ineffective on computers that have no modem or are not connected to a telephone line.

If the threat from spyware becomes more than intrusive, there are a number of methods to deal with it. These include programs designed to remove or block spyware infiltration, as well as various user tips to reduce the likelihood of spyware getting into the system.

However, spyware remains a costly problem. When a significant number of spyware elements have infected the OS, the only option is to save the user's data files and completely reinstall the OS.

Analysis of anti-spyware programs

Programs such as Lavasoft's Ad-Aware (free for non-commercial use, with paid premium services) and PC Tools' Spyware Doctor (free scanning, paid spyware removal) have rapidly gained popularity as effective removal tools and, in some cases, as obstacles to spyware infiltration. In 2004, Microsoft acquired GIANT AntiSpyware, renamed it Windows AntiSpyware beta and released it as a free download for registered users of Windows XP and Windows Server 2003. In 2006, Microsoft renamed the beta Windows Defender, which has been available as a free download (for registered users) since October 2006 and is included as a standard tool in Windows Vista.

For quite a long time, Ad-Aware and Spybot S&D were the leaders among free anti-spyware programs. While the first, on the whole, continues to show excellent results, the second has somewhat lost its position. The advantage of both programs is the presence of real-time protection, which the free versions of the following two programs cannot boast of.

The first of these programs is the relatively new Malwarebytes Anti-Malware. It has a very fast scanner and pleases the user with fairly frequent updates to the malware database, which allows the program to be kept in a "combat" state.

Another candidate for presence on your computer is SuperAntiSpyware. This is an infrequent case when a loud name of a program matches its characteristics. SuperAntiSpyware has a very good record of detecting and removing unwanted programs.

Unfortunately, the recent leader among anti-spyware programs, Spyware Terminator, does not perform well in recent tests. In the meantime, it can still be used in conjunction with Malwarebytes Anti-Malware or SuperAntiSpyware to provide real-time protection.

It is also worth mentioning a rather popular program from Microsoft - Windows Defender. Despite frequent criticism of this program, its modules that track suspicious system changes in real time are still at their best.

Using more than one anti-spyware for real-time protection can cause conflicts and overuse of system resources.

  • SuperAntiSpyware scans the system for spyware and other malware.
  • Ad-Aware Free Internet Security is a popular multifunctional free anti-spyware and antivirus program.
  • AVZ Antiviral Toolkit is a program for removing spyware and adware modules, worms, Trojans and dialers.
  • Spyware Terminator is one of the best spyware removal programs.
  • Malwarebytes' Anti-Malware is a program for detecting and removing malicious software.
  • Emsisoft Anti-Malware is a program for detecting and destroying malicious software.
  • Windows Defender is a program for removing, isolating and preventing the appearance of spyware modules.
  • Spybot - Search & Destroy is a program for detecting and removing spyware.

A Rootkit is a program or a set of programs that use technologies to hide system objects (files, processes, drivers, services, registry keys, open ports, connections, etc.) by bypassing the system mechanisms.

The term rootkit has historically come from the Unix world, where this term refers to a set of utilities that a hacker installs on a compromised computer after gaining initial access. These are, as a rule, hacker tools (sniffers, scanners) and Trojans that replace the main Unix utilities. A rootkit allows a hacker to gain a foothold in a compromised system and hide their traces.

In Windows, a rootkit is considered to be a program that is introduced into the system and intercepts system functions or replaces system libraries. Intercepting and modifying low-level API functions first of all allows such a program to hide its presence in the system quite effectively, protecting it from detection by the user and by anti-virus software. In addition, many rootkits can hide the presence in the system of any processes, folders, files on disk and registry keys listed in their configuration. Many rootkits install their own drivers and services on the system (which are, of course, also "invisible").

Recently, the threat of rootkits has become more and more pressing, as the developers of viruses, Trojans and spyware are starting to build rootkit technologies into their malware. One of the classic examples is Trojan-Spy.Win32.Qukart, which masks its presence in the system using rootkit technology. Its rootkit engine works on Windows 95, 98, ME, 2000 and XP.

Rootkit classification

All rootkit technologies can be conventionally divided into two categories:

  • User-mode rootkits
  • Kernel-mode rootkits

Also, rootkits can be classified according to their principle of action and persistence. By the principle of action:

Anti-malware methods

There is no 100% protection against all malware: no one is immune from exploits like Sasser or Conficker. To reduce the risk of losses from exposure to malware, it is recommended:

  • use modern operating systems with a serious level of protection against malware;
  • install patches in a timely manner; if there is an automatic update mode, enable it;
  • always work on a personal computer exclusively with user rights, not administrator rights, which will prevent most malicious programs from installing themselves on the computer;
  • use specialized software products that employ so-called heuristic (behavioral) analyzers to counteract malicious programs, that is, ones that do not require a signature database;
  • use anti-virus software products from well-known manufacturers with automatic signature database updates;
  • use a personal firewall that controls access to the Internet from the personal computer based on policies set by the user;
  • restrict physical access to the computer for unauthorized persons;
  • use external media only from trusted sources;
  • do not open computer files obtained from unreliable sources;
  • disable autorun from removable media, so that code stored on it cannot start without the user's knowledge (in Windows: gpedit.msc -> Administrative Templates (User Configuration) -> System -> Disable autorun -> Enabled, "on all drives").

Modern defenses against various forms of malware include many software components and methods for distinguishing "good" applications from "bad" ones. Antivirus vendors today build scanners into their programs to detect spyware and other malicious code, so everything is done to protect the end user. However, no anti-spyware package is perfect. One product may be overly aggressive, blocking programs at the slightest suspicion, including "clean" and useful utilities that you use regularly. Another product is more lenient toward software, but may let some spyware through. So, alas, there is no panacea.

Unlike antivirus suites, which regularly show 100% virus detection efficiency in professional testing by experts such as Virus Bulletin, no anti-adware suite scores more than 90%, and many other products measure between 70% and 80%.

This explains why the simultaneous use of, for example, an antivirus and an anti-spyware program is the best way to provide comprehensive system protection against dangers that may arrive unexpectedly. Practice shows that one package should be used as a permanent "blocker" that is loaded every time the computer is turned on (for example, AVP 6.0), while another package (or more) should be launched at least once a week to provide additional scanning (for example, Ad-Aware). That way, what one package misses can be detected by another.

Everyone knows that you need to use antivirus software to protect yourself from malware. But at the same time, you can often hear about cases of viruses penetrating into computers protected by antivirus. In each case, the reasons why the antivirus did not cope with its task may be different, for example:

  • Antivirus has been disabled by the user
  • The anti-virus databases were too old
  • Weak protection settings have been set
  • The virus used an infection technology against which the antivirus had no protection
  • The virus hit the computer before the antivirus was installed and was able to neutralize the antivirus tool
  • It was a new virus for which no anti-virus databases had yet been released.

But in general, we can conclude that just having an installed antivirus may not be enough for full protection, and that additional methods need to be used. Well, if the antivirus is not installed on the computer, then you cannot do without additional protection methods.

If you look at the reasons given above for why an antivirus misses a virus, you can see that the first three are associated with improper use of the antivirus, and the next three with shortcomings of the antivirus itself and of the antivirus manufacturer's work. Accordingly, the methods of protection are divided into two types: organizational and technical.

Organizational methods are primarily aimed at the computer user. Their goal is to change user behavior, because it is no secret that often malicious programs get to the computer due to rash actions of the user. The simplest example of an organizational method is developing computer rules that all users must abide by.

Technical methods, on the other hand, are aimed at changes in the computer system. Most of the technical methods involve the use of additional protection tools that expand and supplement the capabilities of anti-virus programs. Such means of protection can be:

  • Firewalls - programs that protect against network attacks
  • Anti-spam tools
  • Patches that close "holes" in the operating system through which viruses can penetrate

All of the listed methods are discussed in more detail below.

Organizational methods

Rules for working at the computer

As already mentioned, the simplest example of an organizational method for protecting against viruses is the development of, and adherence to, certain rules for processing information. The rules can, in turn, be roughly divided into two categories:

  • Information processing rules
  • Rules for the use of programs

The first group of rules may include, for example, the following:

  • Don't open mail messages from unknown senders
  • Check removable drives (floppy disks, CDs, flash drives) for viruses before use
  • Scan files downloaded from the Internet for viruses
  • Working on the Internet, do not agree to unsolicited offers to download a file or install a program

All such rules share two principles:

  • Use only those programs and files that you trust, the origin of which is known
  • All data coming from external sources - from external media or over the network - must be carefully checked

The second group of rules usually includes the following characteristic points:

  • Ensure that security programs are constantly running and that security functions are activated
  • Update anti-virus databases regularly
  • Regularly install patches for the operating system and frequently used programs
  • Do not change the default settings of programs that provide protection without the need and full understanding of the nature of the changes

Two general principles can also be traced here:

  • Use the most up-to-date versions of security software - since the methods of penetrating and activating malicious programs are constantly improving, security software developers are constantly adding new protection technologies and replenishing the databases of known malicious programs and attacks. Therefore, for the best protection, it is recommended to use the most recent version.
  • Do not interfere with antivirus and other security programs to perform their functions - very often users believe that security programs unnecessarily slow down the computer, and seek to increase performance at the expense of security. As a result, the chances of a virus infecting your computer are significantly increased.

Security policy

On the home computer, the user sets the rules for himself, which he considers it necessary to follow. As he gains knowledge about the operation of a computer and about malicious programs, he can deliberately change the protection settings or make a decision about the danger of certain files and programs.

In a large organization, things are more complicated. When a team brings together a large number of employees performing different functions and having different specializations, it is difficult to expect reasonable behavior from a safety point of view from everyone. Therefore, in each organization, the rules for working with a computer must be general for all employees and officially approved. Usually, a document containing these rules is called a user manual. In addition to the basic rules listed above, it must necessarily include information about where the user should contact when a situation arises that requires specialist intervention.

In most cases, the user manual contains only rules restricting the user's actions. Rules for the use of programs can be included in the manual only in the most limited form: since most users are not competent enough in security matters, they should not, and often cannot, change the settings of protection tools or otherwise influence their operation.

But if not users, then someone else should still be responsible for configuring and managing protections. Typically, this is a dedicated employee or group of employees who are focused on one task - keeping the network secure.

Security officers have to install and configure security software on a large number of computers. If the security settings were decided anew on each computer, it is easy to see that different employees, at different times and on different computers, would apply similar but slightly different settings. In such a situation, it would be very difficult to assess how secure the organization as a whole is, since no one knows all the protection parameters that have been set.

To avoid the described situation in organizations, the choice of protection parameters is carried out not at the discretion of the responsible employees, but in accordance with a special document - the security policy. This document describes the dangers of malware and how you need to protect yourself from them. In particular, the security policy should provide answers to the following questions:

  • Which computers should be protected by antiviruses and other programs
  • What objects should be scanned by the antivirus - should it scan archived files, network drives, incoming and outgoing mail messages, etc.
  • What actions should the antivirus take when an infected object is detected - since ordinary users cannot always correctly decide what to do with an infected file, the antivirus should perform actions automatically without asking the user
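The policy questions above, turned into a machine-checkable policy and a compliance audit over constructed host settings. This is an added example, not part of the original article; the policy keys, host names and settings are assumptions and match no particular vendor's format.

```python
# Constructed organization-wide policy answering the questions above
# (the key names are assumptions for this example, not any vendor's format).
POLICY = {
    "antivirus_required": True,
    "required_scan_scopes": ("archives", "network_drives", "incoming_mail", "outgoing_mail"),
    "on_infection": "quarantine",   # automatic action; the user is never asked
    "max_signature_age_days": 1,
}

# Constructed settings snapshots, as a central management console might report them.
HOSTS = {
    "ws-accounting-01": {
        "antivirus_installed": True,
        "scan_scopes": {"archives", "network_drives", "incoming_mail", "outgoing_mail"},
        "on_infection": "quarantine",
        "signature_age_days": 0,
    },
    "ws-hr-02": {   # an employee "tuned" this one: archives skipped, prompts on detection
        "antivirus_installed": True,
        "scan_scopes": {"network_drives", "incoming_mail", "outgoing_mail"},
        "on_infection": "ask_user",
        "signature_age_days": 9,
    },
    "ws-lab-03": {"antivirus_installed": False},
}


def check_host(hostname, settings, policy=POLICY):
    """Return a list of policy violations for one host (empty when compliant)."""
    findings = []
    if policy["antivirus_required"] and not settings.get("antivirus_installed", False):
        # Nothing else can be evaluated without an installed product.
        return [f"{hostname}: no antivirus installed"]
    missing = set(policy["required_scan_scopes"]) - set(settings.get("scan_scopes", ()))
    for scope in sorted(missing):
        findings.append(f"{hostname}: scanning of {scope} is disabled")
    if settings.get("on_infection") != policy["on_infection"]:
        findings.append(
            f"{hostname}: on infection does '{settings.get('on_infection')}', "
            f"policy requires '{policy['on_infection']}'"
        )
    age = settings.get("signature_age_days")
    if age is None or age > policy["max_signature_age_days"]:
        findings.append(f"{hostname}: signature database is {age} day(s) old")
    return findings


def audit(hosts=HOSTS, policy=POLICY):
    """Audit every host; the result shows at a glance how uniform the protection is."""
    return {name: check_host(name, settings, policy) for name, settings in hosts.items()}


if __name__ == "__main__":
    for host, findings in audit().items():
        print(f"{host}: {'compliant' if not findings else ''}")
        for finding in findings:
            print("  " + finding)
```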
