
Antivirus programs for Windows. Antivirus engines

Undoubtedly, one of the most important programs on a computer is an antivirus. Even one virus that "accidentally" gets onto a PC can make work unbearable! And it is "good" if the virus only shows ads: there are viruses that can destroy dozens of files on a disk (files that may represent more than a month of work).

About 10-15 years ago, the number of antiviruses was relatively small and the choice was limited to a dozen or so. Now there are hundreds of them!

In this article I want to focus on the most popular ones today (in my opinion). I think this information will be useful to many for cleaning and protecting their home PCs. So, let's get started...


10 best antivirus programs to protect your computer

Malwarebytes Anti-Malware

Malwarebytes Anti-Malware is not quite the antivirus that most users are used to. This program (in my opinion) is more suitable as an addition to the main antivirus, but nevertheless, it will help to do one important job!

Malwarebytes 3.0 is equipped with a number of specialized modules:

  • Anti-Malware
  • Ransomware Protection
  • Exploit Protection
  • Malicious website protection

Most antiviruses are bad (at least for now) at finding and removing the various adware that is often embedded in browsers, for example. Because of it, advertising windows, teasers and banners (sometimes from adult sites) start to appear. Malwarebytes Anti-Malware will quickly and easily clean your PC of such "garbage".

Features of Malwarebytes Free (free version)

  • Ability to scan all drives for a complete system check.
  • Signature database updated daily to protect against the latest malware.
  • Intelligent heuristic detection of even the most persistent threats without significant impact on system resources.
  • Adding detected threats to Quarantine and the ability to restore them at a convenient time.
  • Exclusion list for the scanning and protection modules.
  • List of additional utilities for manual malware removal (Malwarebytes Anti-Rootkit, Malwarebytes FileASSASSIN, StartupLite, Chameleon).
  • Malwarebytes Chameleon dynamic technology that allows Malwarebytes Anti-Malware to run when it is blocked by malware.
  • Multilingual support.
  • Context menu integration for checking files on demand.

Features of Malwarebytes Premium

Malwarebytes is free, but you can upgrade to a Premium version that provides real-time protection, scheduled scans and scheduled updates.

  • Real-time protection works in conjunction with leading antivirus programs to make your computer more secure.
  • Real-time protection detects and blocks threats as they attempt to execute.
  • Real-time exploit protection: blocks zero-day exploits and attacks on software vulnerabilities.
  • Real-time ransomware protection: Prevents ransomware from encrypting your files.
  • Malicious website blocking prevents access to malicious and infected web resources.
  • A "Quick scan" mode that checks the critical areas of the system: RAM and startup objects.
  • Advanced options that let experienced users customize the behavior of Malwarebytes Premium protection.
  • Scheduled updates to automatically use the latest protection.
  • Scheduled scans for regular checks at your convenience.
  • Password protection of settings to prevent unauthorized changes to Malwarebytes Premium security components.

Bear in mind that not everything listed here is available or works in the free version of the program. For the software to work at the proper level, you need to install the Premium version.

Advanced SystemCare Ultimate

It seems to me that many users are often dissatisfied with one "quality" of most antiviruses: they slow down the computer. In this respect Advanced SystemCare Ultimate is a very interesting product, an antivirus with built-in tools for optimizing, cleaning and speeding up Windows.

The antivirus, I must say, is quite reliable (it uses BitDefender technology plus the program's own algorithms). It protects the PC from spyware, Trojans and dangerous scripts, and ensures safe work with online payment systems (especially relevant lately, given the growth of Internet banking).

By the way, the program is compatible with many antiviruses (that is, it can be installed in addition to provide additional protection). Moreover, it will not greatly affect the speed and performance of your PC. We have described how to maximize speed and performance using Advanced SystemCare Ultimate.

Maximum protection and maximum performance

  • Protection against viruses, spyware, hackers, phishing, botnets, etc.
  • Online payment and banking security
  • Optimizes, cleans and fixes all PC problems in 1 click
  • Works fast, compatible with other antiviruses

New in IObit Malware Fighter

  • Added antivirus engine Bitdefender;
  • Improved IObit engine;
  • The database of signatures has been updated and significantly expanded;
  • Improved scanning speed by adapting the caching mechanism;
  • Minimized resource consumption during scanning and cleaning;
  • Improved real-time protection;
  • New quarantine method;
  • New simplified and convenient user interface;
  • Improved web protection;
  • Full support for Windows 10.

Main components of IObit Malware Fighter

Security

  • Startup protection
  • Network protection
  • File protection
  • Checking files in the cloud
  • Cookie protection
  • Browser ad blocker
  • Bitdefender antivirus engine (Pro)
  • Process protection (Pro)
  • USB drive protection (Pro)
  • Tracking of malicious activities (Pro)

Browser protection

  • Homepage Defender protects your homepage and search engine from malicious modification.
  • DNS Protection: prevents malware from modifying DNS system settings.
  • Surf Protection: blocks various online threats so you can surf the web safely.
  • Browser protection from malicious plugins / toolbars.
  • Anti-Spying: automatically cleans your browser data of malicious tracking as soon as the browser closes. (Pro)

Avast Free Antivirus is one of the best free antiviruses. Every year it gains more and more popularity. Its advantages are obvious:

  1. some of the best algorithms for searching and detecting viruses (even those that are not yet known to the antivirus and are not included in the update databases);
  2. support for all popular Windows operating systems (including Windows 10);
  3. low system requirements for a PC (works fast enough even on older machines);
  4. fully functional free version of the antivirus.

Main components of Avast Free Antivirus

(1) The component is available for an additional fee (1500 RUB/year)
(2) The component is available for an additional fee (from 650 rubles / year)

Version comparison

Functions / Versions: Free | Pro | IS* | Premier

Antivirus
Spy protection
Stream updates
Power Mode
CyberCapture
Do Not Track, SiteCorrect
Phishing and malware protection
Home network security
HTTPS scanning
Smart Scan
Passwords
SafeZone Browser
Software Updater**
Sandbox
SecureDNS
Antispam
Firewall
File Shredder
Cleanup***
SecureLine VPN***

* IS is the version of Internet Security.
** Software Updater is installed automatically in Premier, manually in other versions.
*** Cleanup and SecureLine VPN are paid add-ons for all versions.

New in Avast Free Antivirus Nitro Update

New features and technologies

New features: CyberCapture, SafeZone browser.

Improvements: Home network security, Antivirus and malware protection.

Key features of Avast Free Antivirus

New! CyberCapture

This proprietary technology developed by AVAST Software automatically submits unknown files to the Avast Online Threat Lab. Potentially dangerous files are carefully checked by Avast's analysts in real time, which eliminates the slightest risk of infection on your PC.

New! SafeZone Browser

Designed for a safer and more comfortable browsing experience, SafeZone is also the most secure browser in the world. The secure payment mode ensures complete privacy when shopping and banking online, the Ad Blocker ensures that you are not bothered by ads, and the Video Downloader allows you to watch videos offline at your convenience.

Improved! Home network security

Even more advanced protection for your home network and all devices connected to it. Thanks to the new Nitro technology, Avast Free Antivirus is able to detect more types of router vulnerabilities, which will provide even more reliable protection for Wi-Fi cameras, SMART TVs, printers, network drives and routers.

Avast Passwords

It's time to break the bad habit of storing your passwords in your browser or using the same password for multiple services. Avast's new password manager lets you store all your passwords in a secure, easy-to-use vault that only requires you to remember one master password to access.

HTTPS scanning

The improved Web Shield allows Avast Free Antivirus to thoroughly scan HTTPS sites for malware and other threats. You can whitelist the websites and certificates of your online banking so that scanning does not slow down access to services.

Browser cleaning

Don't let outsiders change your search engine without your permission. Cleaning your browser will remove all questionable plugins and toolbars so you can return to your original browser configuration.

Unique! 230 million users

Avast is the choice of 230 million users around the world, which allows the antivirus to detect malware much faster than others, regardless of where it appears. The combination of the state-of-the-art AI engine at the heart of the antivirus program and millions of virus sensors around the world allows Avast Free Antivirus to continuously detect and eliminate the latest cyber threats, keeping you 100% safe.

Improved! Antivirus and malware protection

The developers are constantly working on improving the innovative anti-virus engine to provide you with reliable protection against all types of cyber threats. Through continuous updates no larger than a text message, Avast distributes new threat intelligence several times an hour to keep your antivirus up to date.

Smart Scan technology

Comprehensive intelligent scanning for all types of problems. Scan your PC for performance status, check for online threats, malware or viruses, and find outdated programs with just one click. The easiest way to stay completely safe.

Software Updater

Hackers love to exploit vulnerabilities in outdated software to get into a system. Software Updater notifies you when updates are available for your programs so you can fix any vulnerabilities before attackers can exploit them.

Integration with MyAvast

Smartphone, PC and tablet all protected by Avast? Great! You can control and manage your devices through your personal account directly in the program's user interface.

AVG

A very, very good antivirus, which, by the way, has won many awards. There is a free version available that can cover the needs of most users. Judge for yourself, the free version includes: an antivirus (which protects in real time from viruses, spyware, etc.), a complex for protecting against dangerous links on the Internet, as well as a complex for protecting e-mail.

By the way, the antivirus can be installed not only on a laptop (computer), but also on a phone! In general, the antivirus is very worthy, protecting the PC well (while working fast enough)!

Bitdefender Antivirus

A very well-known antivirus that provides comprehensive computer protection: antivirus, firewall, complex for enhanced protection of personal data. By the way, in many independent ratings, this antivirus is on the top lines.

Among the features of this antivirus, I can highlight the following:

  • protection of everything (in practice the user need not think about protecting the PC at all: the program itself knows what, where and when to block);
  • low consumption of system resources (for example, 100-200 MB of RAM when working in Windows 10 with documents);
  • convenient and intuitive interface.

Key features of Bitdefender Antivirus Free Edition

Real-time protection – the real-time shield provides protection on access. All files are checked the moment they are launched or copied; for example, files you have just downloaded from the Internet are scanned immediately.

Cloud technologies – Bitdefender Antivirus Free Edition uses cloud-based scanning to speed up detection and to catch new or unknown threats that other antiviruses miss.

Active Virus Control – an innovative proactive detection technology that uses advanced heuristics to identify new potential threats in real time. Bitdefender's free heuristics provide a high level of protection against new threats that have not yet been added to the virus signatures. Active Virus Control in Bitdefender Antivirus Free Edition monitors every program running on the computer and detects malware by its behavior.

HTTP scanning – Bitdefender's free antivirus analyzes and blocks fraudulent and phishing websites.

Anti-rootkit – this technology searches for hidden malware known as rootkits. Rootkits are a type of hidden software, often malicious, that conceals certain processes or programs from conventional detection methods while giving privileged access to the computer.

Periodic update – Bitdefender Antivirus Free Edition updates itself periodically without user intervention, maintaining an optimal level of protection against new threats.

Early scan at system boot – this technology scans the system at boot time, once all important services have started. It improves virus detection at startup and speeds up system boot.

Scan while idle – Bitdefender's free antivirus detects when computer resource usage is minimal and scans the system then, without affecting the user's work. Resource usage is estimated from processor (CPU) and hard disk (HDD) load.

Smart Scan technology – files already scanned by Bitdefender Antivirus Free Edition are not scanned again, thanks to the smart file-scan skip engine.

Avira Free 2015

The most famous German-made antivirus (the "umbrella" or "red umbrella", as many in our country called it). It provides a good degree of PC protection (its virus search and detection algorithms are among the best among programs of this kind) and high performance (I remember recommending this antivirus even for budget laptops 5-6 years ago). Among its advantages:

  1. Russian language support;
  2. support for all popular Windows OS: XP, 7, 8, 10 (32/64 bits);
  3. low system requirements;
  4. excellent algorithms for searching and detecting viruses and potential threats for PCs;
  5. user-friendly interface (everything unnecessary is hidden from beginners, but nevertheless accessible to experienced users).

Main features of Avira Free Antivirus

Antivirus and antispyware

Effective real-time and on-demand protection against various kinds of malware: viruses, trojans, worms, spyware and adware. Constant automatic updates and AHeAD heuristic technology reliably protect against known and new threats.

Cloud protection

Avira Protection Cloud - real-time threat classification and fast system scan.

Rootkit protection

Avira's anti-rootkit protects against difficult-to-detect threats - rootkits.

Windows Firewall Management

Avira Free Antivirus allows you to edit network rules for applications, change network profiles (Private, Public) and manage advanced settings for Windows Firewall with Advanced Security.

Internet protection **

Safe search, blocking of phishing and malicious websites, tracking protection.

** This feature is part of the toolbar Avira Browser Safety for Chrome, Firefox and Opera browsers (installed separately from Avira Free Antivirus).

Parental control

Not available in the Russian version; to use it, follow the link to the service in the description.

The social-network feature, based on Avira Free Social Shield technology, lets you monitor your children's online activity: check their social media accounts for comments, photos, etc. that could affect your child negatively.

Protecting Android Devices

In addition to protecting your computer from various threats, Avira Free Antivirus offers to install the Avira Antivirus Security application for Android, which protects your smartphone or tablet against loss and theft and blocks unwanted calls and SMS messages.

Kaspersky Anti-Virus

I'm not afraid to say that Kaspersky Anti-Virus is the most famous and popular antivirus in the post-Soviet space. Kaspersky's anti-virus database is really huge, and it easily catches every virus you can find on the network. But however much the developers talked about speeding it up and, most importantly, about radically cutting its resource consumption, they never finished that job.

Kaspersky Anti-Virus slowed down the PC before and continues to do so now. Moreover, using it on a fairly powerful machine does not save you from slowdowns: Kaspersky's appetite is unlimited, and only very careful tuning of the program can fix this.

New in Antivirus Kaspersky Free 2017

Kaspersky Free Anti-Virus 2017 has the following new features:

  • Improved program update in the background. Now, when upgrading, you do not need to re-accept the terms of the License Agreement if it has not changed.
  • Improved Mail Anti-Virus. The default heuristic analysis depth has been increased to medium.

Version comparison

Comparison of the functions and capabilities of the free antivirus Kaspersky Free with the paid solutions Kaspersky Anti-Virus (KAV), Kaspersky Internet Security (KIS) and Kaspersky Total Security (KTS).

Functions / Versions: Free | KAV | KIS | KTS
File Anti-Virus
Web Anti-Virus
IM Antivirus
Mail antivirus
Anti-Phishing
Screen keyboard
Kaspersky Security Network
Kaspersky Secure Connection*
Network monitoring
Activity monitoring
Internet management
Application Control (HIPS)
OS change control
Webcam access
Firewall
Protection against network attacks
Anti-Spam
Anti-Banner
Data collection protection
Secure payments
Secure data entry
Trusted Applications Mode
Software update
Uninstalling programs
Parental control
Backup
Virtual safes
Password manager

Main features of Kaspersky Free Anti-Virus

File Anti-Virus

File Anti-Virus in Kaspersky Free Anti-Virus prevents infection of the computer's file system. The component starts together with the operating system, resides permanently in RAM, and checks every file that is opened, saved or run on your computer and on all attached drives.

Mail Antivirus

Mail Anti-Virus scans incoming and outgoing mail messages on your computer. A message is delivered to the recipient only if it contains no dangerous objects.

Web Anti-Virus

Web Anti-Virus intercepts and blocks the execution of scripts located on websites if these scripts pose a threat to the computer's security. Web Anti-Virus in Kaspersky Free Anti-Virus also monitors all web traffic and blocks access to dangerous websites.

IM Antivirus

IM Anti-Virus ensures the security of working with IM clients. The component protects information received on your computer via IM client protocols. IM Anti-Virus ensures safe work with many instant messaging programs.

Secure connection

The VPN client Kaspersky Secure Connection, which is installed with the antivirus, is designed for a secure connection. The application protects your data when using public Wi-Fi networks, provides anonymity on the Internet and allows you to visit blocked sites.

* The Kaspersky Secure Connection component has a traffic limit of 200 MB per day. Removing the restriction and the ability to select VPN servers are available with an additional subscription.

Participation in Kaspersky Security Network

To improve the protection of your computer, Kaspersky Free Anti-Virus uses protection from the cloud. Protection from the cloud is implemented using the infrastructure Kaspersky Security Network using data received from users around the world.

Benefits of Kaspersky Free Anti-Virus

One of the best antiviruses in terms of searching and detecting unknown viruses (i.e. the heuristic analysis in the program is so advanced that thanks to it this antivirus finds dangerous files, even if the antivirus databases do not yet have this threat).

Dr.Web Anti-virus

After installing Dr.Web, Internet access is often blocked, which can only be fixed by configuring the program properly and adding exceptions. So before installing this software, do not be lazy: read the setup instructions and the help on the developers' website.

Main features of Dr.Web Anti-virus for Windows

  • Dr.Web Scanner for Windows – an anti-virus scanner with a graphical interface that runs on the user's request or on a schedule and performs an anti-virus scan of the computer.

  • Dr.Web Anti-rootkit (Anti-rootkit API, arkapi) – background scanning for rootkits with the new arkapi. A subsystem for background scanning and neutralization of active threats has been implemented; its implementation required significant reworking of the Dr.Web software libraries.

  • Preventive protection – advanced features that protect the Dr.Web Anti-virus user's computer from infection by blocking automatic modification of critical Windows objects and by controlling certain unsafe actions.

Dr.Web anti-virus provides control over the following objects using preventive protection:

  • HOSTS file;
  • the possibility of low-level disk access;
  • the ability to load drivers;
  • access to Image File Execution Options;
  • access to User Drivers;
  • Winlogon shell parameters;
  • Winlogon notifiers;
  • Windows shell autorun;
  • executable file associations;
  • Software Restriction Policies (SRP);
  • Internet Explorer plug-ins (BHO);
  • autostart programs;
  • autostart policies;
  • safe mode configuration;
  • Session Manager parameters;
  • system services.
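As an added example (not Dr.Web's code, and not part of the original article), the PowerShell function below takes a read-only snapshot of several of the objects in that list, so an administrator can see what a preventive-protection component is watching and compare two snapshots taken at different times. It assumes Windows PowerShell 5.1 or later and read access to HKLM; the function names and the JSON file name are my own choices.

```powershell
# Added example, not Dr.Web code: read-only snapshot of some of the Windows objects
# listed above (HOSTS, IFEO, Winlogon, Run keys, Session Manager, services).
# Assumes Windows PowerShell 5.1+ and read access to HKLM. Nothing is modified.

function Get-AutostartSnapshot {
    $snap = [ordered]@{}
    # Note properties that Get-ItemProperty adds to every result; not registry values
    $meta = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'

    # HOSTS file: every active (non-comment) line that does not point at localhost
    $hostsPath = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
    $snap['Hosts'] = @(Get-Content -Path $hostsPath -ErrorAction SilentlyContinue |
        Where-Object { $_ -match '^\s*[^#\s]' -and $_ -notmatch '^\s*(127\.0\.0\.1|::1)\s' })

    # Image File Execution Options: a "Debugger" value redirects the named executable
    $ifeo = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
    $snap['IFEO'] = @(Get-ChildItem -Path $ifeo -ErrorAction SilentlyContinue | ForEach-Object {
        $dbg = (Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue).Debugger
        if ($dbg) { [pscustomobject]@{ Image = $_.PSChildName; Debugger = $dbg } }
    })

    # Winlogon shell parameters; the expected values are explorer.exe and userinit.exe
    $wl = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    $snap['Winlogon'] = Get-ItemProperty -Path $wl | Select-Object Shell, Userinit

    # Winlogon notifiers (legacy mechanism, so any entry here deserves a look)
    $snap['WinlogonNotify'] = @(Get-ChildItem -Path "$wl\Notify" -ErrorAction SilentlyContinue |
        Select-Object -ExpandProperty PSChildName)

    # Autostart programs: Run / RunOnce for the machine and the current user
    $runKeys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
               'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
               'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
               'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
    $snap['Run'] = @(foreach ($key in $runKeys) {
        $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        if ($props) {
            $props.PSObject.Properties | Where-Object { $_.Name -notin $meta } | ForEach-Object {
                [pscustomobject]@{ Key = $key; Name = $_.Name; Command = $_.Value }
            }
        }
    })

    # Session Manager: BootExecute lists native programs run before services start
    $sm = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'
    $snap['BootExecute'] = @((Get-ItemProperty -Path $sm).BootExecute)

    # System services that start automatically, with the binary each one runs
    $snap['Services'] = @(Get-CimInstance -ClassName Win32_Service |
        Where-Object { $_.StartMode -eq 'Auto' } |
        Select-Object Name, PathName)

    return $snap
}

# Usage: save a baseline once, then compare a later snapshot against it with Compare-Object
$baseline = Get-AutostartSnapshot
$baseline | ConvertTo-Json -Depth 4 | Set-Content -Path 'autostart-baseline.json'
```

Review the IFEO, Winlogon and Run sections first: in a clean system the IFEO list is usually empty and Winlogon contains only explorer.exe and userinit.exe.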

The improved Dr.Web ShellGuard technology, part of the non-signature (behavioral) blocking of Dr.Web Process Heuristic in the Dr.Web Preventive Protection system, protects against attacks that use zero-day vulnerabilities.

  • Dr.Web HyperVisor – a component that improved the system for detecting and curing threats and strengthened Dr.Web self-protection by using the capabilities of modern processors. It starts and runs below the operating system level, which gives it control over all programs, processes and the operation of the OS itself, and makes it impossible for malware to seize control of the Dr.Web protection system.

  • SpIDer Guard – an anti-virus monitor that resides permanently in RAM, checks files and memory on the fly, and detects signs of virus activity.

  • SpIDer Mail – a mail anti-virus monitor that intercepts requests from any mail client on the computer to mail servers over the POP3/SMTP/IMAP4/NNTP protocols (IMAP4 means IMAPv4rev1) and detects and neutralizes mail viruses before the mail client receives messages from the server or before a message is sent to the server. The mail monitor can also check correspondence for spam using Dr.Web Antispam.

  • Dr.Web Firewall – a personal firewall of Dr.Web Anti-virus designed to protect your computer from unauthorized access from outside and to prevent leakage of important data over the network.

  • Update module – lets registered users receive updates of the virus databases and other files of the suite and installs them automatically; lets unregistered users register or obtain a demo key.

  • SpIDer Agent – a module used to configure and manage the operation of Dr.Web Anti-virus components.

Dr.Web CureIt! is a free anti-virus scanner based on the core of the Dr.Web anti-virus program, which will quickly and efficiently scan and cure your computer without installing the Dr.Web anti-virus itself.

Dr.Web CureIt! detects and removes mail and network worms, file viruses, Trojans, stealth viruses, polymorphic, fileless and macro viruses, viruses that infect MS Office documents, script viruses, spyware, password stealers, dialers, adware, hack tools, potentially dangerous software and any other unwanted code.

The utility can also check the computer's BIOS for infection by "BIOS kits" (malware that infects the PC's BIOS), and a new rootkit search subsystem detects complex hidden threats.

Limitations of the free version:

1. Does not provide real-time protection.

2. The program has no module for automatically updating the anti-virus databases, so to scan your computer next time with the latest database updates you will need to download Dr.Web CureIt! again.

Installation and use rights

  • Use of the special free version of the software is legal only on your personal computer. If you use the special free version, you are fully subject to the terms of the License Agreement, with the exception of paragraphs 6.1-6.3.

Dr.Web also has one wonderful utility, Dr.Web CureIt! (which does not need to be installed). The portable utility can be run even from a flash drive; it is absolutely free and does not require any activation. It detects everything the paid versions of Dr.Web do, and often helps find threats already present on a computer.

But be careful before treatment: read carefully through the threats Dr.Web CureIt! has detected. The utility flags as unsafe all programs that monitor the computer in real time, such as CCleaner or Advanced SystemCare Ultimate. During treatment such software is not removed completely, only some of its files, but afterwards the program no longer starts and cannot be uninstalled in the standard way; you will have to clean it up manually.

360 Total Security is a modern free antivirus from Qihoo with full real-time protection against all types of threats, a Sandbox virtual environment, and additional optimization and system cleaning functions.

Qihoo introduced 360 Total Security to replace its earlier comprehensive antivirus, 360 Internet Security, which also used several antivirus engines to protect the computer, including Qihoo's own well-established cloud engine. In the new product the number of engines has grown to five, all of them reliable, powerful and time-tested: QVM II (proactive protection), 360 Cloud (cloud protection), System Repair (analysis of system vulnerabilities and recovery), BitDefender and Avira AntiVir; the last two can be enabled and disabled at will (by default they are disabled after installation). The load on the system has been optimized so that the antivirus's work can be almost ignored.

The pleasant, friendly interface of 360 Total Security is done in the style of Windows 8. There should be no difficulty in using or maintaining it: everything is intuitive. The set of available settings is quite sufficient to tailor the antivirus to your own needs. Everything is in its place and easy to find.


The level of protection is easily configured in the "Protection" menu, opened by clicking the large icon (where it says "protection: on") and then "Settings". The user can choose a level from ready-made sets of rules or define their own by enabling or disabling individual protection modules: whether to use the BitDefender and Avira AntiVir engines, the conditions for scanning files (on save, or also every time they are opened), whether to use behavioral analysis, whether to scan files downloaded from the Internet, whether to enable banking protection, and other functions. By default the balanced mode is set, which provides the optimal balance of load and protection.


From the settings menu you can optionally install the 360 Web Threat Protection plugin, which detects malicious links and sites using the cloud link database of the 360 Cloud Security Center. The plugin is very good at protecting against malicious, phishing (fake) and fraudulent sites. In the Tools menu you can additionally install the GlassWire firewall, which is reliable and has easy-to-configure rules, unlike other firewalls that assume a well-trained user. There you can also add a system file compression module and a web browser protection plugin, set up the sandbox, and fix system vulnerabilities.


It has its own isolated virtual environment, Sandbox, in which you can safely run any program (Windows 8.1 is supported, by the way). You can configure certain programs to launch automatically in the Sandbox, so that at any time you can remove all traces of a dangerous program as if it had never started: Sandbox is an isolated environment that works separately from the main system and makes no changes to it.


You can selectively launch programs in the sandbox from the Explorer context menu. You can also remove programs and all data from their sandbox manually or according to the rules in the Sandbox settings, for example, automatically clear the sandbox on reboot.

One of the key changes in 360 Total Security is the addition of system cleaning and optimization, at least to the extent needed to improve the computer's protection. The cleaning and speed-up function can be run in one click with the largest button in the main window, or the operations can be carried out separately in the corresponding sections. For example, system speed-up and optimization:


Finding and solving problems with system vulnerabilities:


With such actions, it is advisable to carefully look at what is being deleted or corrected there, so as not to delete anything necessary.

You can also manage the antivirus through the context menu in the system tray (the icon on the panel at the bottom next to the clock).

360 Total Security is first and foremost a great computer protection tool, a powerful antivirus with a high level of protection, based on several antivirus engines and web protection extensions, as well as a built-in Sandbox secure virtual sandbox environment. With all this, it is very easy to use and pleasant to work with.

Qihoo has begun additionally releasing a light version of the antivirus without optimization and acceleration elements - . This product contains only anti-virus components, that is, all anti-virus engines, including BitDefender and Avira, as well as a sandbox. The Russian-language interface is also supported. Many people like the light version more.

You don't have to look far for a free antivirus to use as an alternative to paid products for protecting your computer from viruses, spyware and other threats. Microsoft's operating system has its own antivirus, a standard application that provides a basic level of protection. Many do not take it seriously for various reasons, but it is reasonable to speak of Windows Defender's insufficient effectiveness only on the basis of independent tests, where the system's standard antivirus shows, alas, far from perfect results. Fortunately, the software market today offers an abundance of free, and quite sensible, solutions for protecting your computer from malware. An overview of them follows. In this article we look at the features of seven free antiviruses for the Windows operating system.

Participants of the review (a link is provided for downloading programs from their official sites):

  1. Nano Antivirus (http://www.nanoav.ru/index.php?option=com_content&view=article&id=23391&Itemid=74&lang=ru);
  2. Avira Free Antivirus (http://www.avira.com/ru/avira-free-antivirus);
  3. Zillya! Antivirus (http://zillya.ua/ru);
  4. Panda Free Antivirus (http://www.pandasecurity.com/russia/homeusers/solutions/free-antivirus);
  5. Kaspersky 365 (http://www.kaspersky.ru/free-antivirus);
  6. 360 Total Security (http://www.360totalsecurity.com/en);
  7. Comodo Internet Security (http://www.comodorus.ru/free_versions/detal/comodo_free/8).

1. Nano Antivirus

Let's start the review with a domestic product. Nano Antivirus is a full-fledged software product from Russian developers, based on its own antivirus engine. It has a standard set of functions for a basic level of computer protection: customizable scan types (including scheduled scans), real-time protection against all types of threats, and web protection. In addition to the standard set of features, Nano Antivirus offers a file protection function, which can be enabled or disabled, similar to the standard Windows SmartScreen filter. Nano Antivirus is undemanding of the computer's system resources and has a simple, unprepossessing but user-friendly interface.

More features are available in the more functional Nano Antivirus Pro. True, of the Pro version's extras (various interface themes, a game mode, the ability to create more than 3 tasks in the scheduler, and technical support from the developer through personal communication channels), only the technical support is really worthwhile.

As befits a serious antivirus project, Nano Antivirus has its own so-called cloud scanner: a free online scan of individual files for threats. The cloud scanner is available on the antivirus's official website, Nanoav.Ru, and also as the Nano Antivirus Sky Scan metro-style application for Windows 8.1 and 10, which can be installed for free from the Windows Store.

2. Avira Free Antivirus

The brainchild of German developers, Avira Free Antivirus is an old-timer on the Windows security software market. A few years ago it was very popular, when there were fewer worthwhile free offerings. The basic level of protection in Avira Free Antivirus is provided by a virus scanner that can target different areas of the computer, real-time protection, and a built-in firewall. In addition to the various scanning areas, a scan can be run to search for one particular type of threat: rootkits.

The free version of this antivirus lacks mail and web protection modules, but the latter can be added by installing the Avira extensions in Internet Explorer, Google Chrome, Mozilla Firefox, and clone browsers that support those extensions. Such extensions duplicate the browsers' built-in protection against malicious code on the Internet and fraudulent sites.

In the paid version, Avira Antivirus Pro, we get improved web protection, real-time cloud checking of individual files, a game mode, mail protection, protection against malware disabling the antivirus, and technical support.

At the moment, Avira Free Antivirus is not the best solution for low-end computers. The free antivirus market has solutions that are more economical with system resources, in particular the Nano Antivirus discussed above or, for example, the next participant in the review, Zillya! Antivirus.

3. Zillya! Antivirus

Zillya! Antivirus is the Ukrainian developers' answer to the Russians and Germans: a security product for Windows based on its own antivirus engine. Like the previous participants in the review, the free version of the Ukrainian antivirus provides a basic level of computer protection. This antivirus is ideal for novice users, because Zillya! Antivirus has a nice, intuitive interface. Plus, the large controls make it a convenient solution for small-screen touch devices. The basic level of protection is traditionally provided by scanning selected areas of the computer (including the ability to assign tasks in the scheduler) and real-time protection (the "Watchdog" function). On top of that, we also get an e-mail threat scanning module and a USB filter for checking connected USB drives, both of which are active by default.

The free Zillya! Antivirus also offers a choice of computer protection mode: economical, optimal or maximum. To gain access to the advanced settings, the antivirus must be registered by logging in with an e-mail address or through an account on a popular social network.

The paid continuation of Zillya! Antivirus is the comprehensive protection package Zillya! Internet Security, which adds a web filter, parental control, a file shredder (wiping files on the hard drive) and other functions that the average user does not need.

4. Panda Free Antivirus

Panda Free Antivirus is the free edition among the numerous PC protection products from the Spanish developer Panda Security SL. A feature of this antivirus is its cloud protection technology: the anti-virus databases live on the Internet, on the servers of the antivirus's creator, where they are updated in real time, while only the client part of the product is present on users' computers. The client part, the antivirus interface installed in the system, uses a minimum of the computer's resources, since all the work is carried out not locally on the user's computer but on remote Panda Security SL servers.

The client side of Panda Free Antivirus has a nice intuitive interface with large controls. You can move the program module tiles in the main window to customize the interface to your preferences.

Panda Free Antivirus, in comparison with the other participants in this review, provides perhaps the most non-standard set of protection modules for a free antivirus product. Of the standard modules, we find only scanning for threats in various areas of the computer (with a scan scheduler).

What are the non-standard protection modules? The antivirus is installed with the option to start scanning when USB devices are connected enabled by default. If necessary, USB media can even be "vaccinated": when Panda Free Antivirus's USB vaccination function is activated, autorun is disabled for all media connected via the USB port. Seeing a process monitor in a free antivirus is a fairly rare occurrence, and we get one by choosing Panda Free Antivirus to protect the computer. The process monitor window shows a table of running system processes that use the network, each displayed with an assigned security classification. Suspicious processes can be blocked from the full report window.

Panda Free Antivirus will try to help even in a critical situation where its operation on the computer is blocked by malware. To do this, however, you will need to install the antivirus on another computer and create an emergency USB drive with it, or prepare one in advance.

5. Kaspersky Free

Kaspersky Free, formerly known as Kaspersky 365, is the free edition of the antivirus product from Kaspersky Lab. Kaspersky Free is based on the same anti-virus engine as the developer's paid products and, accordingly, is just as effective at protecting against threats. True, free use of the antivirus has a limit, and it is a time limit: the free license is activated when the program is installed and is valid for one year only.

Kaspersky Free has an optimal list of modules for protecting the computer of an ordinary user. Such well-rounded functionality is a rarity among free products: we get a full-fledged anti-virus scanner with a task scheduler, real-time protection, web protection, e-mail scanning, and even monitoring of the messenger programs installed in the system for malicious links in incoming messages.

Both in the paid solutions and in the free Kaspersky Free edition, we can count on a solution to the long-known problem of Kaspersky Lab products consuming a lot of system resources. In the antivirus settings, in addition to the preset option of yielding resources while Windows is loading, we can also enable giving priority to other programs' use of computer resources during normal system operation.

6. 360 Total Security

360 Total Security is a free, feature-rich software package for protecting your computer and improving its performance, with an anti-virus module on board, from the Chinese developer Qihoo. It has many functions, some of which other security suites offer only in paid versions, and some of which are otherwise provided only as separate software. These include, in particular, the "Sandbox" mode (a virtual environment for the isolated launch of executable files), system cleaning and optimization functions, disk space compression, browser settings protection, and even management of Windows system updates. If necessary, you can also activate the third-party free GlassWire firewall, as well as use the 360 Connect function, through which computer protection can be controlled from a mobile application for iOS and Android devices.

The developers have not held back on the anti-virus module either. There are five anti-virus engines in 360 Total Security; however, two of them, the engines of the well-known antiviruses Avira and BitDefender, are initially inactive and can be activated at the user's request. What are the three engines active by default? One is the 360 Cloud scanner, another is an engine for fixing problems in the operating system, and the third is designed to provide real-time protection.

To the standard set of real-time protection, scanning of various areas of the computer and web protection, you can also add, if desired, extensions for Google Chrome, Mozilla Firefox, Opera and Yandex Browser that block web threats.

The interface of 360 Total Security can be decorated with a different theme every day if you like. The program is undemanding of the computer's system resources.

7. Comodo Internet Security

Comodo Internet Security is a no-nonsense software product from the American developer Comodo Group Inc. Like the previous participant in the review, Comodo Internet Security is a rare free product with advanced functionality. But, unlike 360 Total Security, all of the Comodo product's functionality is, so to speak, strictly business: Comodo Internet Security works to protect your computer from threats, not to clean and optimize the system. On board we find an anti-virus module with real-time protection, web protection, a set of scanning areas (including a scheduler), and so-called reputational scanning. The latter is a cloud-based scan of the areas of the computer most often affected by malware, which obtains a security rating for the scanned files.

Comodo Internet Security also includes a firewall, a Sandbox mode, and a unique feature not found in any of the antiviruses in this review (nor, indeed, in a host of other security software): a virtual desktop. The virtual desktop is an isolated, sandbox-type space where you can visit any Internet site and run dubious applications. In the virtual desktop's tablet mode, we also get the opportunity to work with web applications, as in Chrome OS. The list of pre-installed web applications can be extended with any others from the Google Chrome store.

But these will run not in Google Chrome itself but in its "tuned" clone, the Chromodo browser: essentially the same Chrome, but with pre-installed Comodo extensions for safe web surfing. The Chromodo browser is installed by default with Comodo Internet Security.

The interface of Comodo Internet Security is simple and only superficially intuitive. If you want to delve into the settings, you will find them somewhat inconveniently organized, and in the abundance of options many will not immediately understand what is what. Comodo Internet Security is flexible and customizable, so much so that the settings can be exported and imported in case the program is reinstalled.

With the installation of Comodo Internet Security, you can experiment on weak PCs and laptops. It's not the lightest product we've reviewed so far, but it will be lighter than Avira Free Antivirus and Kaspersky Free.

Have a great day!

One of the main parts of any antivirus is the so-called antivirus "engine" - a module responsible for scanning objects and detecting malware. The quality of malware detection and, as a result, the level of protection provided by the antivirus depends on the antivirus engine, how it is developed, what detection methods and heuristics it uses.

This article describes in detail the standard technologies and some original approaches of various anti-virus developers implemented in the anti-virus "engine". Along the way, some related technical issues will be considered that are necessary to assess the quality of the anti-virus "engine" and clarify the technologies used in it.

Good or bad engine?

Unfortunately, anti-virus software developers very rarely reveal the details of the implementation of their "engines". However, by indirect signs, you can determine whether the "engine" is good or not. Here are the main criteria by which you can determine the quality of the anti-virus "engine":

Detection quality. How well the antivirus detects viruses. This criterion can be evaluated by the results of various tests that are conducted by several organizations and are usually presented on the developer's web resources.

Level of detection by heuristic analyzers. Unfortunately, without testing against a collection of viruses it is impossible to determine this parameter, but you can quite easily determine the level of false positives for a particular "engine".

False positive rate. If, on files that are 100% uninfected, the antivirus reports that it has found a possibly infected file, that is a false positive. Is it worth trusting a heuristic analyzer that worries the user with false alarms? Indeed, because of a large number of false positives, a user can miss a really new virus.

Support for a large number of packers and archivers. This is a very important factor, since the creators of malicious programs often, after writing a virus, package it with several executable-module packing utilities and, having obtained several different-looking viruses, release them to the public. Essentially, all of these viruses are instances of the same variant. For an anti-virus "engine" that supports all or almost all popular packing utilities, it will not be difficult to identify all these instances of the same virus and name them with the same name, while other "engines" will need an update of the anti-virus database (as well as the time for analysis of the virus instance by antivirus experts).

Frequency and size of anti-virus database updates. These parameters are indirect signs of the quality of the "engine": frequent release of updates ensures that the user is always protected against viruses that have just appeared, and the size of an update (and the number of viruses detected by it) says a lot about the quality of the design of the anti-virus database and, to some extent, of the "engine".

The ability to update the "engine" without updating the anti-virus program itself. Sometimes, in order to detect a virus, it is necessary to update not only the anti-virus database, but also the "engine" itself. If the antivirus does not support this feature, then the user may be left without protection in the face of a new virus. In addition, this feature allows you to quickly improve the "engine" and fix errors in it.

Antivirus "engine": existing technologies

With the advent of the first computer viruses, programmers quickly figured out the principles of their work and created the first anti-virus programs. Quite a lot of time has passed since then, and a modern antivirus differs from those first antiviruses, just as a personal computer differs from a calculator.

In the first paragraph of this article, a somewhat "naive" definition of an anti-virus "engine" was given. Next, a number of precise definitions and technological descriptions will be given, which, ultimately, will make it possible to fully understand the structure and algorithms of the anti-virus "engine".

The Anti-Virus Engine is a software module that is designed to detect malicious software. "Engine" is the main component of any anti-virus program, regardless of its purpose. The engine is used both in personal products - a personal scanner or monitor, and in server solutions - a scanner for a mail or file server, a firewall or a proxy server. As a rule, for the detection of malicious programs, most of the "engines" implement the following technologies:

Search by "signatures" (a unique sequence of bytes);
Search by checksums or CRC (checksum from a unique sequence of bytes);
Using a reduced mask;
Cryptanalysis;
Statistical analysis;
Heuristic analysis;
Emulation.

Let's consider each of these methods in more detail.

Search by "signatures"


A signature is a unique "string" of bytes that uniquely characterizes a particular malicious program. Signature search, in one form or another, has been used to detect viruses and other malware from the earliest anti-virus programs to the present day. The indisputable advantage of signature search is the speed of work (when using specially developed algorithms, of course) and the ability to detect several viruses with one signature. The disadvantage is that the signature size for reliable detection should be quite large, at least 8-12 bytes (usually much longer signatures, up to 64 bytes, are used for accurate detection), therefore, the size of the anti-virus database will be quite large. In addition, recently, malware written in high-level languages ​​(C++, Delphi, Visual Basic) has become more widespread, and such programs have separate parts of the code that practically do not change (the so-called Run Time Library). An incorrectly chosen signature will inevitably lead to a false positive - detection of a "clean", uninfected file as infected with a virus. As a solution to this problem, it is proposed to use either very large signatures or use detection in some data areas, for example, relocation tables or text strings, which is not always good.

Checksum search (CRC)


Checksum search (CRC, cyclic redundancy check) is in fact a modification of signature search. The method was developed to avoid the main disadvantages of signature search, the size of the database, and to reduce the likelihood of false positives. The essence of the method is that, to search for malicious code, not the "reference" string (the signature) itself is stored but rather its checksum, together with the location of the signature in the body of the malicious program. The location is used so that checksums need not be calculated over the entire file. Thus, instead of 10-12 bytes of signature (minimum), 4 bytes are used to store the checksum and another 4 bytes for the location. However, the checksum search method is somewhat slower than the signature search.
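
An added example (not from the article) contrasting the two methods just described on constructed data: a plain byte-string signature search, the false positive that a too-short signature produces on common compiler-generated code, and a checksum record (CRC32 plus location) that detects the same constructed body while storing 8 bytes instead of the signature string.

```python
import zlib

# Constructed sample data (not real malware): a 32-byte 'virus body' placed at
# offset 64 inside an otherwise neutral host file.
VIRUS_BODY = bytes(range(0xA0, 0xC0))
INFECTED_FILE = bytes([0x90]) * 64 + VIRUS_BODY + bytes([0x00]) * 16

# A common compiler-generated prologue (push ebp; mov ebp, esp) appears in
# practically every compiled program, infected or not: run-time-library code.
COMMON_PROLOGUE = bytes.fromhex("558bec")
CLEAN_FILE = COMMON_PROLOGUE + bytes([0x33, 0xC0, 0x5D, 0xC3]) + bytes([0x00]) * 100

# Signature databases: name -> byte string.
GOOD_SIGNATURES = {"Constructed.Virus": VIRUS_BODY[4:20]}   # 16-byte signature
BAD_SIGNATURES = {"Constructed.TooShort": COMMON_PROLOGUE}  # 3 bytes: far too short


def signature_scan(data: bytes, signatures: dict) -> list:
    """Plain signature search: report every signature found anywhere in data."""
    return [name for name, sig in signatures.items() if sig in data]


def make_crc_record(sample: bytes, offset: int, length: int) -> tuple:
    """Build a checksum record (offset, length, crc32) from a known sample."""
    return (offset, length, zlib.crc32(sample[offset:offset + length]))


def crc_scan(data: bytes, records: dict) -> list:
    """Checksum search: only the bytes at the recorded location are checksummed,
    so no checksum is computed over the whole file."""
    hits = []
    for name, (offset, length, expected) in records.items():
        chunk = data[offset:offset + length]
        if len(chunk) == length and zlib.crc32(chunk) == expected:
            hits.append(name)
    return hits


CRC_RECORDS = {"Constructed.Virus": make_crc_record(INFECTED_FILE, 64, 32)}


def database_size(signatures: dict, records: dict) -> tuple:
    """Bytes needed to store the detections as signature strings vs. as
    checksum records (4 bytes CRC + 4 bytes location each, as in the text)."""
    return (sum(len(s) for s in signatures.values()), 8 * len(records))


if __name__ == "__main__":
    print(signature_scan(INFECTED_FILE, GOOD_SIGNATURES))   # ['Constructed.Virus']
    print(signature_scan(CLEAN_FILE, BAD_SIGNATURES))       # false positive on clean code
    print(crc_scan(INFECTED_FILE, CRC_RECORDS), crc_scan(CLEAN_FILE, CRC_RECORDS))
    print(database_size(GOOD_SIGNATURES, CRC_RECORDS))      # (16, 8)
```
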
The use of masks to detect malicious code is quite often complicated by the presence of encrypted code (the so-called polymorphic viruses), since either it is impossible to choose a mask, or a mask of the maximum size does not satisfy the condition of uniquely identifying the virus without false positives.

The impossibility of choosing a mask of sufficient size in the case of a polymorphic virus is easily explained. By encrypting its body, the virus ensures that most of its code in the affected object is variable and therefore cannot be chosen as a mask. (For more details on self-encrypting and polymorphic viruses, see the appendix at the end of the article.)

The following methods are used to detect such viruses: the use of a reduced mask, cryptanalysis, and statistical analysis. Let's consider these methods in more detail.

Using the Reduced Mask


When infecting objects, a virus that uses encryption converts its code into an encrypted data sequence:

S = F(T), where

T is the base code of the virus;
S is the encrypted virus code;
F is the virus encryption function, randomly selected from a set of transformations {F}.

The reduced mask method consists in choosing a transformation R of the encrypted virus code S such that the result of the transformation (some data sequence S') does not depend on the keys of the transformation F, i.e.

S = F(T)
S' = R(S) = R(F(T)) = R'(T).

When the transformation R is applied to all possible variants of the encrypted code S, the result S' is constant for a constant T. Thus, affected objects are identified by choosing S' as the reduced mask and applying the transformation R to the objects being scanned.

Cryptanalysis


This method works as follows: using the known base code of the virus and the known encrypted code (or a "suspicious" code resembling the encrypted body of the virus), the keys and the algorithm of the decryptor are recovered. This algorithm is then applied to the encrypted section, yielding the decrypted body of the virus. Solving this problem means dealing with a system of equations.

As a rule, this method is much faster and needs much less memory than emulating the virus's instructions. However, solving such systems is often a task of high complexity.

The main problem is the mathematical analysis of the resulting equation or system of equations. In many ways, solving a system of equations to recover the encrypted body of a virus resembles the classical cryptographic problem of recovering a ciphertext with unknown keys. Here, however, the problem is posed somewhat differently: it is necessary to find out whether the given encrypted code is the result of applying some function that is known up to its keys. Much of the data for solving this problem is known in advance: a section of encrypted code, a section of unencrypted code, and the possible variants of the transformation function; moreover, the algorithm of the transformation and the keys are themselves present in the code being analysed. There is, however, a significant limitation: the problem must be solved within specific bounds on RAM, and the solution procedure must not take much time.
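
An added example (not from the article) of the reduced-mask method and the cryptanalysis method applied to the same constructed base code T, for two one-byte key families {F}: byte-wise XOR and addition modulo 256. For each family, R is the reduction that cancels the key, so S' = R(F(T)) is the same for every key; cryptanalyse() instead solves the equations F_key(T[i]) = S[i] for the key and checks that all of them hold.

```python
import random

# Constructed 'base virus code' T: arbitrary bytes standing in for the
# unencrypted body the analyst already has (not real malware).
T = bytes.fromhex("1f8a03d4772cb94065e20b9d51af38c67219e84ba60df35e")


# Two families of encryption transformations {F}, each with a one-byte key.
def f_xor(t: bytes, key: int) -> bytes:
    return bytes(b ^ key for b in t)


def f_add(t: bytes, key: int) -> bytes:
    return bytes((b + key) & 0xFF for b in t)


# Reductions R chosen so that R(F(T)) does not depend on the key.
def r_xor(s: bytes) -> bytes:
    # (T[i] ^ k) ^ (T[i+1] ^ k) == T[i] ^ T[i+1]: the key cancels out.
    return bytes(s[i] ^ s[i + 1] for i in range(len(s) - 1))


def r_add(s: bytes) -> bytes:
    # (T[i+1] + k) - (T[i] + k) == T[i+1] - T[i] (mod 256): the key cancels out.
    return bytes((s[i + 1] - s[i]) & 0xFF for i in range(len(s) - 1))


FAMILIES = {"xor": (f_xor, r_xor), "add": (f_add, r_add)}


def reduced_mask(family: str) -> bytes:
    """S' = R'(T): computed once from the base code and stored in the database."""
    return FAMILIES[family][1](T)


def detect_by_mask(obj: bytes, family: str) -> bool:
    """Apply R to the whole scanned object and search for S'. R only combines
    neighbouring bytes, so R(obj) contains R(S) wherever S = F(T) is
    embedded, whatever key F used."""
    r = FAMILIES[family][1]
    return reduced_mask(family) in r(obj)


def cryptanalyse(obj: bytes):
    """Recover family, key and position of an encrypted copy of T in obj.
    For a window W at offset off the equations are F_key(T[i]) == W[i]; the
    first equation yields the only key candidate, and the remaining
    len(T) - 1 equations must all confirm it."""
    n = len(T)
    for off in range(len(obj) - n + 1):
        w = obj[off:off + n]
        for family, (f, _) in FAMILIES.items():
            key = (w[0] ^ T[0]) if family == "xor" else ((w[0] - T[0]) & 0xFF)
            if f(T, key) == w:  # every equation of the system holds
                return {"family": family, "key": key, "offset": off}
    return None


def infected_object(key: int, family: str, seed: int = 0) -> bytes:
    """Constructed host object: random padding around F_key(T)."""
    rng = random.Random(seed)
    pad = lambda n: bytes(rng.randrange(256) for _ in range(n))
    return pad(40) + FAMILIES[family][0](T, key) + pad(40)


def clean_object(seed: int = 1) -> bytes:
    """Constructed object containing no copy of T under either family."""
    rng = random.Random(seed)
    return bytes(rng.randrange(256) for _ in range(120))


if __name__ == "__main__":
    # The key is invisible after reduction: every encrypted variant is caught.
    print(all(detect_by_mask(infected_object(k, "xor"), "xor") for k in range(256)))
    print(all(detect_by_mask(infected_object(k, "add"), "add") for k in range(256)))
    print(detect_by_mask(clean_object(), "xor"))           # False
    print(cryptanalyse(infected_object(0x5A, "xor")))      # xor, key 90, offset 40
    print(cryptanalyse(infected_object(0x07, "add")))      # add, key 7, offset 40
```
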

Statistical analysis


This method is also used to detect polymorphic viruses. During its operation, the scanner analyses the frequency of use of processor commands, builds a table of the processor commands (opcodes) encountered and, based on this information, concludes whether the file is infected with a virus. This method is effective for finding some polymorphic viruses, since those viruses use a limited set of commands in the decryptor, while "clean" files use completely different commands with a different frequency. For example, all programs for MS-DOS often use interrupt 21h (opcode CDh 21h), but this command is almost never found in the decryptor of polymorphic DOS viruses.

The main disadvantage of this method is that there are a number of complex polymorphic viruses that use almost all processor commands, and the set of commands used varies greatly from copy to copy, so it is not possible to detect such a virus from the constructed frequency table.

Heuristic analysis


When the number of viruses exceeded several hundred, anti-virus experts thought about the idea of ​​detecting malicious programs that the anti-virus program does not yet know about (there are no corresponding signatures). As a result, so-called heuristic analyzers were created. A heuristic analyzer is a set of routines that analyze the code of executable files, macros, scripts, memory or boot sectors to detect different types of malicious computer programs in it. There are two principles of analyzer operation.

Static method. Searching for common short signatures that are present in most viruses (the so-called "suspicious" commands). For example, a large number of viruses search for files using the *.EXE mask, open the found file, and write to the opened file. The task of the heuristics in this case is to find signatures that reflect these actions. The signatures found are then analysed, and if a certain number of necessary and sufficient "suspicious commands" are found, the file is judged to be infected. A big plus of this method is the ease of implementation and good speed, but the level of detection of new malware is quite low.

Dynamic method. This method appeared together with the introduction of processor command emulation into anti-virus programs (the emulator is described in more detail below). The essence of the method is to emulate the execution of the program and log all of its "suspicious" actions. Based on this log, a decision is made about whether the program may be infected with a virus. Unlike the static method, the dynamic method is more demanding on computer resources; however, its detection level is much higher.

Emulation


Program code emulation technology (or Sandboxing) was a response to the emergence of a large number of polymorphic viruses. The idea of ​​this method is to emulate the execution of a program (both infected with a virus and "clean") in a special "environment", also called an emulation buffer or "sandbox". If a file infected with a polymorphic virus enters the emulator, then after emulation the decrypted virus body is in the buffer, ready for detection by standard methods (signature or CRC search).
Modern emulators emulate not only processor instructions, but also operating system calls. The task of writing a full-fledged emulator is quite laborious, not to mention the fact that when using the emulator, you have to constantly monitor the actions of each command. This is necessary in order not to accidentally execute the destructive components of the virus algorithm.
It should be specially noted that it is necessary to emulate the operation of the instructions of the virus, and not trace them, since when tracing the virus, the probability of calling destructive instructions or codes responsible for the spread of the virus is too high.
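
An added example (not the article's or any product's code) of the dynamic heuristic and the emulator described above: a constructed toy instruction set, a constructed sample whose decryptor loop XOR-decrypts its body in place, and a scanner that emulates the sample under an instruction budget, logs OS calls instead of performing them, then signature-scans the emulation buffer and judges the logged actions.

```python
# Toy processor for a sandbox emulator: a constructed instruction set, not any
# real CPU and not any real engine's emulator. Registers: 0 = A (accumulator),
# 1 = I (index), 2 = C (counter). Memory is a 256-byte emulation buffer.
SYSCALL_NAMES = {0x10: "find-first-exe", 0x11: "open-file",
                 0x12: "write-file", 0x30: "print"}
# Dynamic heuristic rule: the logged sequence the text describes for a
# file-infecting virus (find a file, open it, write to it).
SUSPICIOUS_SEQUENCE = ["find-first-exe", "open-file", "write-file"]


def emulate(program: bytes, max_steps: int = 10_000) -> dict:
    """Interpret the program inside the buffer. OS calls are logged, never
    performed; memory writes land only in the buffer; an instruction budget
    stops endless loops. Nothing here touches the real system."""
    mem = bytearray(256)
    mem[:len(program)] = program
    regs = [0, 0, 0]
    pc, log, steps = 0, [], 0
    rd = lambda addr: mem[addr & 0xFF]          # wrap-around fetch
    while steps < max_steps:
        steps += 1
        pc &= 0xFF
        op = mem[pc]
        if op == 0x01:                          # LDI reg, imm8
            regs[rd(pc + 1) % 3] = rd(pc + 2); pc += 3
        elif op == 0x02:                        # LDM: A = mem[I]
            regs[0] = mem[regs[1]]; pc += 1
        elif op == 0x03:                        # STM: mem[I] = A
            mem[regs[1]] = regs[0]; pc += 1
        elif op == 0x04:                        # XORI imm8: A ^= imm
            regs[0] ^= rd(pc + 1); pc += 2
        elif op == 0x05:                        # INC I
            regs[1] = (regs[1] + 1) & 0xFF; pc += 1
        elif op == 0x06:                        # DEC C
            regs[2] = (regs[2] - 1) & 0xFF; pc += 1
        elif op == 0x07:                        # JNZ rel8: signed, from next pc
            rel = rd(pc + 1); pc += 2
            if regs[2]:
                pc += rel - 256 if rel > 127 else rel
        elif op == 0x08:                        # SYS imm8: OS call, only recorded
            log.append(SYSCALL_NAMES.get(rd(pc + 1), "unknown")); pc += 2
        elif op == 0x09:                        # JMP addr8
            pc = rd(pc + 1)
        elif op == 0xFF:                        # HLT
            break
        else:
            log.append("invalid-opcode"); break
    return {"memory": bytes(mem), "log": log, "steps": steps}


# Constructed sample (not real malware): the plaintext body is what the
# signature database knows; on disk it is stored XOR-encrypted.
PLAIN_BODY = bytes.fromhex("010000" "0810" "0811" "0812" "ff")  # LDI A,0; 3x SYS; HLT
BODY_START = 16


def polymorphic_sample(key: int) -> bytes:
    """Decryptor loop followed by the encrypted body. Each key gives a different
    byte image, so no static signature matches the file as stored."""
    decryptor = bytes([
        0x01, 0x01, BODY_START,        # LDI I, BODY_START
        0x01, 0x02, len(PLAIN_BODY),   # LDI C, body length
        0x02,                          # loop: LDM
        0x04, key,                     #       XORI key
        0x03,                          #       STM (decrypt in place)
        0x05,                          #       INC I
        0x06,                          #       DEC C
        0x07, 0xF8,                    #       JNZ loop (-8)
        0x09, BODY_START,              # JMP BODY_START: run the decrypted body
    ])
    assert len(decryptor) == BODY_START
    return decryptor + bytes(b ^ key for b in PLAIN_BODY)


CLEAN_PROGRAM = bytes([0x01, 0x00, 0x05, 0x08, 0x30, 0xFF])  # LDI A,5; SYS print; HLT


def scan(sample: bytes) -> dict:
    """Emulate, then apply the standard methods to the buffer: signature search
    on the decrypted body, and the dynamic heuristic over the logged actions."""
    result = emulate(sample)
    return {
        "static_signature": PLAIN_BODY in sample,              # file as stored
        "signature_after_emulation": PLAIN_BODY in result["memory"],
        "heuristic": all(s in result["log"] for s in SUSPICIOUS_SEQUENCE),
        "log": result["log"],
        "steps": result["steps"],
    }


if __name__ == "__main__":
    print(scan(polymorphic_sample(0x5A)))   # static miss, hits after emulation
    print(scan(CLEAN_PROGRAM))              # log ['print'], no hits
    print(emulate(bytes([0x09, 0x00]), max_steps=500)["steps"])   # 500: loop cut off
```
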

Database of anti-virus "engine"


The database is an integral part of the anti-virus "engine". Moreover, if we assume that a well-designed "engine" changes not so often, then the anti-virus database changes constantly, because it is in the anti-virus database that signatures, checksums and special software modules for detecting malicious programs are located. As you know, new viruses, network worms and other malicious programs appear with an enviable frequency, and therefore it is very important that the anti-virus database be updated as often as possible. If five years ago weekly updates were sufficient, today it is simply necessary to receive at least daily updates of the anti-virus database.
It is also very important what exactly is in the anti-virus database: whether it is only entries about viruses or also additional program procedures. In the second case, it is much easier to update the functionality of the anti-virus "engine" by simply updating the databases.

Support for "complex", nested objects


Over the past few years, antivirus "engines" have changed a lot. If, for the first antiviruses, checking system memory, executable files and boot sectors was enough to be considered a first-class program, then a few years later, with the growing popularity of special utilities for packing executable modules, developers faced the task of unpacking a packed file before scanning it.

Then came a new problem: viruses learned to infect archive files (and users themselves often sent infected files in archives), so antiviruses were forced to learn how to process archive files as well. In 1995, the first macro virus infecting Microsoft Word documents appeared. It is worth noting that the document format used by Microsoft Word is proprietary and very complex, and a number of anti-virus companies still do not know how to fully process such files.

Today, due to the huge popularity of e-mail, anti-virus "engines" also process both mail message databases and the messages themselves.

Detection methods


A typical anti-virus "engine", as implemented in every anti-virus program, uses all the technologies needed to detect malware: an efficient heuristic analyzer, a high-performance emulator and, most importantly, a competent and flexible architecture of the malware detection subsystem that makes it possible to use all the detection methods listed above.

In almost every anti-virus "engine", the base method is checksum detection. This method was chosen based on the requirement to minimize the size of the anti-virus databases. However, the architecture of the "engine" is often flexible enough to allow any of the detection methods listed above to be used, which is done for some particularly complex viruses. This makes a high level of virus detection achievable. The architecture of the anti-virus "engine" is presented in more detail in the diagram further in the text.

The practical application of the methods for detecting polymorphic viruses (cryptanalysis and statistical analysis, the use of a reduced mask, and emulation) comes down to choosing the method that is optimal in terms of speed and the amount of memory required. The code of most self-encrypting viruses is quite easily restored by the emulation procedure. If using an emulator is not the optimal solution, the virus code is restored using a subroutine that implements the inverse transformation, i.e. cryptanalysis. To detect viruses that cannot be emulated, and viruses for which an inverse transformation cannot be constructed, the method of constructing reduced masks is used.

In some of the most difficult cases, a combination of the above methods is used. Part of the decryptor's code is emulated, and the commands actually responsible for the decryption algorithm are extracted from the decryptor. Then, based on the information obtained, a system of equations is constructed and solved to recover the virus code and detect it.

A combination of methods is also used for multiple encryption, when the virus encrypts its body several times using different encryption algorithms. The combined method of information recovery, or "pure" emulation of the decryptor code, is often used because each new virus must be analysed and added to the anti-virus database in the shortest possible time, which does not always allow for the necessary mathematical analysis. As a result, more cumbersome methods of detecting a virus have to be used, even though the methods of mathematical analysis of the decryptor algorithm are quite applicable.

Working with "complex" objects


Anti-virus "engines" support a huge number of packaging and archiving formats. Developers rarely publish a complete (or at least fairly detailed) list of supported formats. Below is the officially published information about the support of "complex" formats in Kaspersky Anti-Virus. In other antivirus products, the list of supported formats should be approximately the same.
The "engine" of Kaspersky Anti-Virus supports more than 400 different utilities for packaging executable files, installers and archivers (more than 900 modifications in total, as of May 2003). Among them:

Executable packers and encryption systems. The most popular ones are: Diet, AVPACK, COMPACK, Epack, ExeLock, ExePack, Expert, HackStop, Jam, LzExe, LzCom, PaquetBuilder, PGMPAK, PkLite, PackWin, Pksmart, Protect, ProtEXE, RelPack, Rerp, Rjcrush, Rucc, Scramb , SCRNCH, Shrink, Six-2-Four, Syspack, Trap, UCEXE, Univac, UPD, UPX (multiple versions), WWPACK, ASPack (multiple versions), ASProtect (multiple versions), Astrum, BitArts, BJFnt, Cexe, Cheaters , Dialect, DXPack, Gleam, CodeSafe, ELFCrypt, JDPack, JDProtect, INFTool, Krypton, Neolite, ExeLock, NFO, NoodleCrypt, OptLink, PCPEC, PEBundle, PECompact (several versions), PCShrink, PE-Crypt, PE-Diminisher, PELock , PEncrypt, PE-Pack (several versions), PE-Protect, PE-Shield, Petite, Pex, PKLite32, SuperCede, TeLock, VBox, WWPack32, XLok, Yoda.
Support for so many packers and archivers makes it possible to reduce the time needed to analyze new viruses, which speeds up the response to the appearance of a new virus, and to achieve a high level of detection of already known viruses.

Archivers and installers (more than 60 in total). The most popular ones are: CAB, ARJ, ZIP, GZIP, Tar, AIN, HA, LHA, RAR, ACE, BZIP2, WiseSFX (several versions), CreateInstall, Inno Installer, StarDust Installer, MS Expand, GKWare Setup, SetupFactory, SetupSpecialist, NSIS, Astrum, PCInstall, Effect Office.
Support for a large number of types of archivers is especially important for scanning mail systems, since the vast majority of viruses are sent by mail in archived form. Unpacking of objects occurs regardless of the level of nesting of archives. For example, if an infected file is packaged with the UPX utility, and then the file is packaged in a ZIP archive, which is packaged in a CAB archive, etc., then the anti-virus "engine" should still be able to retrieve the original file and detect the virus.
It should be noted that such reasoning is by no means theoretical. For example, the Backdoor.Rbot Trojan program is widely known, which was distributed packaged by many different programs (Ezip, Exe32Pack, ExeStealth, PecBundle, PECompact, FSG, UPX, Morphine, ASPack, Petite, PE-Pack, PE-Diminisher, PELock, PESpin, TeLock, Molebox, Yoda, Ezip, Krypton, etc.).
The algorithm for extracting archives is usually smart enough not to unpack all sorts of "archive bombs" - small archives that pack huge files (with a very high compression ratio) or several identical files. It usually takes a long time to check such an archive, but modern anti-virus "engines" often recognize such "bombs".
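As an added illustration of the nesting and "archive bomb" points above (example code written for this article, not taken from any anti-virus product), the Python below walks nested ZIP archives and refuses members whose declared-to-stored size ratio, nesting depth or total inflated size exceeds a limit. The marker string, the limits and the sample archives are constructed for the example.

```python
import io
import zipfile
from typing import List, Optional

MAX_DEPTH = 3                          # archive layers we are willing to open
MAX_RATIO = 100                        # declared/stored size above this is treated as a bomb
MAX_TOTAL_BYTES = 64 * 1024 * 1024     # budget for everything inflated during one scan

# Constructed stand-in for a virus mask; a real engine matches its signatures here.
MARKER = b"CONSTRUCTED-TEST-MARKER"


def scan_bytes(data: bytes, name: str, depth: int = 0,
               budget: Optional[List[int]] = None) -> List[str]:
    """Return findings ("name: reason") for a blob, descending into nested ZIP archives."""
    if budget is None:
        budget = [MAX_TOTAL_BYTES]      # one mutable budget shared across the recursion
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return [f"{name}: marker found"] if MARKER in data else []
    if depth >= MAX_DEPTH:
        return [f"{name}: nested deeper than {MAX_DEPTH} levels, not unpacked"]
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            member = f"{name}/{info.filename}"
            # Bomb guards use the central-directory sizes, so nothing has been inflated yet.
            stored = max(info.compress_size, 1)
            if info.file_size / stored > MAX_RATIO:
                findings.append(f"{member}: ratio {info.file_size // stored}:1, treated as archive bomb")
                continue
            if info.file_size > budget[0]:
                findings.append(f"{member}: exceeds decompression budget, skipped")
                continue
            budget[0] -= info.file_size
            with zf.open(info) as fh:
                blob = fh.read(info.file_size + 1)   # never trust the declared size alone
            if len(blob) > info.file_size:
                findings.append(f"{member}: inflates beyond declared size, treated as archive bomb")
                continue
            findings.extend(scan_bytes(blob, member, depth + 1, budget))
    return findings


def make_zip(members: dict) -> bytes:
    """Build an in-memory deflated ZIP from {name: bytes} (constructed test data only)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED, compresslevel=9) as zf:
        for fname, blob in members.items():
            zf.writestr(fname, blob)
    return buf.getvalue()


def build_samples() -> dict:
    """Constructed archives: a file packed three layers deep (ZIP in ZIP in ZIP, as the text
    describes), the same archive one layer too deep, and a small archive declaring a huge
    all-zero member that inflates at roughly 1000:1."""
    nested = make_zip({"outer.zip": make_zip({"inner.zip": make_zip({"sample.bin": b"hdr" + MARKER})})})
    return {
        "nested": nested,
        "too_deep": make_zip({"l1.zip": nested}),
        "bomb": make_zip({"zeros.bin": bytes(4 * 1024 * 1024)}),
    }
```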

Mechanism for updating anti-virus databases and their size


Anti-virus databases are usually updated several times a day. Some are able to release updates once an hour, some - every two hours. In any case, with today's high level of danger on the Internet, such frequent updating of anti-virus databases is quite justified.
The size of the updates indicates the thoughtfulness of the architecture of the anti-virus "engine". Thus, the size of regular updates of leading companies in the industry, as a rule, does not exceed 30 KB. At the same time, anti-virus databases usually contain about 70% of the functionality of the entire anti-virus "engine". Any update of the anti-virus database may add support for a new packer or archiver. Thus, by updating anti-virus databases daily, the user receives not only new procedures for detecting new malicious programs, but also an update of the entire anti-virus. This allows a very flexible reaction to the situation and guarantees the user maximum protection.

Heuristic analyzer


The heuristic analyzer, which is part of almost every antivirus, uses both of the analysis methods described above - cryptanalysis and statistical analysis. A modern heuristic analyzer is designed from the outset to be extensible (unlike most first-generation heuristic analyzers, which were designed to detect malware only in executable modules).
Currently, the heuristic analyzer can detect malicious codes in executable files, sectors, and memory, as well as new script viruses and malware for Microsoft Office (and other programs that use VBA), and, finally, malicious code written in high-level languages, such as Microsoft Visual Basic.
A flexible architecture and a combination of different methods make it possible to achieve a sufficiently high level of detection of new malware. At the same time, developers are making every effort to minimize the number of false alarms. Products presented by the leaders of the anti-virus industry extremely rarely make mistakes in detecting malicious codes.

Scheme of the anti-virus "engine"


The diagram below describes an exemplary algorithm for the operation of an anti-virus "engine". It should be noted that emulation and the search for known and unknown malware occur simultaneously.


Scheme of operation of a typical anti-virus "engine" using the example of Kaspersky Anti-Virus


As mentioned above, during the update of the anti-virus database, the modules for unpacking packed files and archives, the heuristic analyzer and other modules of the anti-virus "engine" are also updated and added.

Original technologies in anti-virus "engines"


Almost every developer of anti-virus products implements some of their own technologies to make the program work more efficiently and productively. Some of these technologies are directly related to the design of the "engine", since the performance of the entire solution often depends on its operation. Next, we will consider a number of technologies that can significantly speed up the scanning of objects and at the same time guarantee high-quality detection, as well as improve the detection and treatment of malicious software in archive files.
You should start with iChecker technology. This technology and its analogues are implemented in almost every modern antivirus. It should be noted that iChecker is the name proposed by Kaspersky Lab specialists; Panda Software, for example, calls it UltraFast. This technology makes it possible to achieve a reasonable balance between the reliability of protection of workstations (and especially servers) and the use of system resources of the protected computer. Thanks to this technology, operating system boot time (by up to 30-40% compared to traditional anti-virus protection) and application launch time with active anti-virus protection are significantly reduced, while it is still guaranteed that all files on the computer's disks have been scanned and are not infected. The main idea of this technology is that there is no need to check what has already been checked and has not changed since. The anti-virus "engine" maintains a special database that stores the checksums of all scanned (and not infected) files. Before submitting a file for scanning, the "engine" calculates its checksum and compares it with the data stored in the database. If the data matches, the file has already been checked and re-checking is not required. It is worth noting that the time spent calculating the checksum of a file is much less than the time of an anti-virus scan.
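An added example of the iChecker idea described above, in Python; this is not Kaspersky's code. It caches the checksum of every file found clean and also keys each record on the database version, so that a database update forces a rescan (that keying is my assumption, since the real record layout is not published); the marker string and the sample file are constructed.

```python
import hashlib
import os
import tempfile
from typing import Callable, Dict, List, Tuple

# Constructed stand-in for a virus mask (not a real signature).
MARKER = b"CONSTRUCTED-TEST-MARKER"


def sha256_of(path: str) -> str:
    """Checksum of the whole file; reading and hashing is far cheaper than a full engine pass."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def expensive_scan(path: str) -> bool:
    """Stand-in for the engine's unpack-and-match work: True if the file looks infected."""
    with open(path, "rb") as fh:
        return MARKER in fh.read()


class ScanCache:
    """Skips files whose checksum was already found clean under the current database version.
    Keying on the database version is this example's choice, so that new detection
    procedures delivered by an update are applied to files that were clean under the old ones."""

    def __init__(self, db_version: str):
        self.db_version = db_version
        self._clean: Dict[str, Tuple[str, str]] = {}   # path -> (db_version, sha256)

    def scan(self, path: str, engine: Callable[[str], bool] = expensive_scan) -> str:
        digest = sha256_of(path)
        if self._clean.get(path) == (self.db_version, digest):
            return "skipped: unchanged since last clean scan"
        if engine(path):
            self._clean.pop(path, None)     # an infected verdict is never cached
            return "infected"
        self._clean[path] = (self.db_version, digest)
        return "scanned: clean"

    def update_databases(self, new_version: str) -> None:
        self.db_version = new_version      # every cached verdict is now stale


def demo() -> List[str]:
    """Walk one constructed file through the states worth checking; returns the verdict sequence."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "report.doc")
        with open(path, "wb") as fh:
            fh.write(b"quarterly figures")              # constructed clean content
        cache = ScanCache("db-2003-05-01")
        out = [cache.scan(path), cache.scan(path)]       # full scan, then cache hit
        with open(path, "ab") as fh:
            fh.write(MARKER)                              # file changed and now "infected"
        out += [cache.scan(path), cache.scan(path)]       # rescanned both times, nothing cached
        with open(path, "wb") as fh:
            fh.write(b"quarterly figures")                # cleaned up again
        out.append(cache.scan(path))                      # full scan, verdict cached
        cache.update_databases("db-2003-05-02")
        out += [cache.scan(path), cache.scan(path)]       # update forces one rescan, then a hit
    return out
```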
A special place in the work of the antivirus is occupied by the treatment of archived infected objects. This is what will be discussed next. iCure is a technology for curing infected files in archives. Thanks to this technology, infected objects inside archive files will be successfully disinfected (or deleted, depending on the antivirus settings) without the use of external archiving utilities. To date, most antiviruses support the following types of archives: ARJ, CAB, RAR, ZIP. Thanks to the modular architecture and technologies for updating the anti-virus "engine", the user, as a rule, can easily update and expand the list of supported types of archivers without restarting the anti-virus.
iArc is another technology for working with archive files. This technology is necessary for working with multi-volume archives. iArc allows you to scan multi-volume archives and detect viruses even if they are packed into a multi-volume archive, which, in turn, will also be packed into a multi-volume archive.
Multithreading. The anti-virus "engine" is a multi-threaded module and can simultaneously process (check for malicious codes) several objects (files, sectors, scripts, etc.).
Most of the technologies listed above are implemented in one form or another in every modern anti-virus product.

Polymorphic viruses


Throughout the article, the terms "polymorphic" and "self-encrypting" viruses have often been used. As should have become clear from the previous discussion, it was this type of malicious code that had a strong influence on the development of anti-virus technologies. The following is information about polymorphic viruses provided by Kaspersky Lab experts.

Basic definitions: self-encryption and polymorphism. They are used by almost all types of viruses in order to complicate the virus detection procedure as much as possible. Polymorphic viruses are rather difficult-to-detect viruses that do not have signatures, that is, they do not contain a single permanent code section. In most cases, two samples of the same polymorphic virus will not have a single match. This is achieved by encrypting the main body of the virus and modifying the decryptor. Polymorphic viruses include those whose detection is impossible (or extremely difficult) using so-called virus masks: sections of permanent code specific to a particular virus. This is achieved in two main ways: by encrypting the main virus code with a non-permanent key and a random set of decryptor commands, or by changing the actual virus code being executed. There are also other rather exotic examples of polymorphism: the DOS virus "Bomber", for example, is not encrypted, but the sequence of commands that transfers control to the virus code is completely polymorphic.
Polymorphism of varying degrees of complexity is found in viruses of all types - from boot and file DOS viruses to Windows viruses and even macro viruses.

Polymorphic decryptors


The simplest example of a partially polymorphic decryptor is the following set of commands, as a result of which not a single byte of the code of the virus itself and its decryptor is constant when infecting different files:

MOV reg_1, count            ; reg_1, reg_2, reg_3 are selected from
MOV reg_2, key              ; AX, BX, CX, DX, SI, DI, BP
MOV reg_3, _offset          ; count, key, _offset can also change
_loop:
xxx byte ptr [reg_3], reg_2 ; xor, add or sub
DEC reg_1
Jxx _loop                   ; ja or jnc
; followed by the encrypted code and data of the virus

Complex polymorphic viruses use much more complex algorithms to generate the code of their decryptors: the above instructions (or their equivalents) are rearranged from infection to infection, diluted with commands that do not change anything like NOP, STI, CLI, STC, CLC, etc.
Full-fledged polymorphic viruses use even more complex algorithms, as a result of which the virus decryptor may contain the operations SUB, ADD, XOR, ROR, ROL, and others in an arbitrary number and order. Loading and changing keys and other encryption parameters is also performed by an arbitrary set of operations, in which almost all Intel processor instructions can occur (ADD, SUB, TEST, XOR, OR, SHR, SHL, ROR, MOV, XCHG, JNZ, PUSH, POP, ...) with all possible addressing modes. Polymorphic viruses have also appeared whose decryptor uses instructions up to Intel386, and in the summer of 1997 a 32-bit polymorphic virus was discovered that infects Windows 95 EXE files.
As a result, at the beginning of a file infected with such a virus there is a set of seemingly meaningless instructions. Interestingly, some perfectly valid combinations are not handled by commercial disassemblers (for example, the combination CS:CS: or CS:NOP). And among this "porridge" of commands and data, MOV, XOR, LOOP, JMP occasionally slip through: the instructions that are really "working".

Levels of polymorphism


There is a division of polymorphic viruses into levels depending on the complexity of the code that is found in the decryptors of these viruses. Such a division was first proposed by Dr. Alan Solomon and later expanded by Vesselin Bontchev:

Level 1: Viruses that have some set of decryptors with permanent code and, when infecting, choose one of them. Such viruses are "semi-polymorphic" and are also called "oligomorphic". Examples: "Cheeba", "Slovakia", "Whale".

Level 2: The virus decoder contains one or more permanent instructions, but the main part of it is not permanent.

Level 3: The decoder contains unused instructions - "garbage" like NOP, CLI, STI, etc.

Level 4: The decryptor uses interchangeable instructions and reordering (shuffling) instructions. The decryption algorithm does not change.

Level 5: All of the above techniques are used, the decryption algorithm is unstable, it is possible to re-encrypt the virus code and even partially encrypt the decryptor code itself.

Level 6: Permutating viruses. The main code of the virus is subject to change - it is divided into blocks, which are rearranged in an arbitrary order during infection. The virus remains active. Such viruses may be unencrypted.

The above classification has its drawbacks, since it is made according to a single criterion - the ability to detect a virus by the decryptor code using the standard virus mask technique:

Level 1: to detect the virus, it is enough to have several masks;
Level 2: mask detection using "wildcards";
Level 3: detection by mask after removal of "garbage" instructions;
Level 4: the mask contains several variants of possible code, that is, it becomes algorithmic;
Level 5: the inability to detect the virus by mask.
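As an added example of what levels 1 to 4 mean for the mask technique (written for this article, not taken from any product), the Python below matches a mask for the decryptor template shown earlier against a constructed instruction listing: regex wildcards stand in for the level-2 variable operands, level-3 "garbage" instructions are stripped before matching, and alternation plus any-order groups cover the level-4 interchangeable and reordered instructions. The listing is constructed sample input, not a real virus.

```python
import itertools
import re
from typing import List, Optional, Sequence, Tuple

# Instructions the article lists as level-3 "garbage": they change nothing the decryptor relies on.
GARBAGE = {"NOP", "CLI", "STI", "STC", "CLC"}

REG16 = r"(AX|BX|CX|DX|SI|DI|BP)"

# A mask is a sequence of groups; each group is a tuple of regexes that must match the next
# len(group) instructions in any order (a 1-tuple is a fixed position).
Mask = Sequence[Tuple[str, ...]]

# Constructed mask for the article's decryptor template: three register loads in any order,
# then the XOR/ADD/SUB step, the counter decrement and the conditional jump back.
DECRYPTOR_MASK: Mask = [
    (rf"MOV {REG16}, \S+", rf"MOV {REG16}, \S+", rf"MOV {REG16}, \S+"),
    (r"(XOR|ADD|SUB) BYTE PTR \[\S+\], \S+",),
    (rf"DEC {REG16}",),
    (r"J(A|NC|NZ) \S+",),
]


def normalize(line: str) -> str:
    """Upper-case, drop labels and comments, collapse spacing: 'mov  si,0123h ; x' -> 'MOV SI, 0123H'."""
    line = line.split(";", 1)[0]
    if ":" in line:
        line = line.split(":", 1)[1]
    return " ".join(line.upper().replace(",", ", ").split())


def strip_garbage(listing: List[str]) -> List[str]:
    return [ins for ins in listing if ins.split()[0] not in GARBAGE]


def find_mask(mask: Mask, raw_listing: List[str], strip: bool = True) -> Optional[int]:
    """Index of the first instruction matched by the mask in the (optionally de-garbaged) listing."""
    listing = [n for n in map(normalize, raw_listing) if n]
    if strip:
        listing = strip_garbage(listing)
    width = sum(len(g) for g in mask)
    for start in range(len(listing) - width + 1):
        pos, ok = start, True
        for group in mask:
            window = listing[pos:pos + len(group)]
            if not any(all(re.fullmatch(p, ins) for p, ins in zip(perm, window))
                       for perm in itertools.permutations(group)):
                ok = False
                break
            pos += len(group)
        if ok:
            return start
    return None


# Constructed listing shaped like the template, with garbage inserted and the loads reordered.
SAMPLE_LISTING = [
    "push ds",
    "sti",
    "mov si, 0123h",
    "nop",
    "mov cx, 0200h",
    "clc",
    "mov bx, 00A5h",
    "_loop:",
    "add byte ptr [si], bl",
    "nop",
    "dec cx",
    "jnz _loop",
]
BENIGN_LISTING = ["mov ax, 4C00h", "int 21h"]   # constructed: an ordinary program exit
```

Without garbage stripping the same mask fails on the sample listing, which is exactly the level-3 effect the classification describes.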

The insufficiency of such a division is demonstrated in the virus of the 3rd level of polymorphism, which is called "Level3". This virus, being one of the most complex polymorphic viruses, falls into Level 3 according to the above division, since it has a constant decryption algorithm, which is preceded by a large number of "garbage" commands. However, in this virus, the "garbage" generation algorithm has been brought to perfection: almost all i8086 processor instructions can be found in the decryptor code.
If we divide into levels in terms of antiviruses that use systems for automatic decryption of the virus code (emulators), then the division into levels will depend on the complexity of emulating the virus code. It is also possible to detect a virus by other methods, for example, decryption using elementary mathematical laws, etc.
A classification will be more objective, in which, in addition to the criterion of virus masks, other parameters also participate, for example:

The degree of complexity of the polymorphic code (the percentage of all processor instructions that can be found in the decoder code);
The use of special techniques that hinder emulation by anti-virus programs;
The constancy of the decryptor algorithm;
Decoder length constancy.


Changing the executable code


Most often, such a method of polymorphism is used by macro viruses that, when creating new copies of themselves, randomly change the names of their variables, insert empty lines, or change their code in some other way. Thus, the algorithm of the virus remains unchanged, but the code of the virus almost completely changes from infection to infection.
Less commonly, this method is used by complex boot viruses. Such viruses inject into the boot sectors only a fairly short procedure that reads the main code of the virus from the disk and transfers control to it. The code for this procedure is selected from several different options (which can also be diluted with "empty" commands), the commands are rearranged among themselves, and so on.
This technique is even rarer for file viruses, because they have to completely change their code, and this requires rather complex algorithms. To date, only two such viruses are known, one of which ("Ply") randomly moves its commands around its body and replaces them with JMP or CALL commands. Another virus ("TMC") uses a more complex method - every time it infects, the virus swaps blocks of its code and data, inserts "garbage", sets new offset values for data in its assembler instructions, changes constants, etc. As a result, although the virus does not encrypt its code, it is a polymorphic virus - the code does not contain a permanent set of commands. Moreover, when creating new copies of itself, the virus changes its length.
Nowadays a huge number of new viruses appear every day, and they are more harmful and cunning than their counterparts of previous generations.
Viruses are malicious codes which are able to read information from your computer. If your PC is infected, then you cannot be sure that your personal data is safe.

Without an antivirus, a computer is absolutely defenseless. It only takes one visit to the Internet for a virus to end up on your computer. Viruses can replicate and spread their copies to other computers.

Viruses are the product of human hands. Many viruses are created by hackers, teenagers just for fun, but it happens that viruses are created to steal information from a particular computer. Malicious software developers don't care that not just one computer, but millions can be affected.

To protect against viruses, you need to install real-time protection on your computer, since computer viruses interfere with the normal operation of Windows.

Installing free antiviruses does not incur any financial costs. The anti-virus will update itself, scan disks and removable media (CDs and DVDs, flash drives), scan emails and do a lot of things, and most importantly, completely free.

The best free antivirus programs that you can download and install on your computer.
- Superantivirus running on five engines. This software provides highly reliable computer protection, and also has options for restoring and optimizing Windows. It is the #1 choice for many advanced users.

One of the most reliable free antiviruses. The latest version is equipped with a unique Home Network Security technology - to secure your home Wi-Fi network and devices connected to it.

A worthy answer to paid counterparts. It has all the necessary tools for reliable computer protection. Conducts constant monitoring of the system, downloaded files and emails. Updates virus databases around the clock.

Norton AntiVirus is a powerful antivirus that keeps your computer safe and protects your system from various types of malware: Internet viruses, copying Trojans from removable media, and so on.

Norton Internet Security is a multifunctional program for maximum protection of your computer from viruses. This utility has a high malware detection rate.

A package of tools that provides an ultra-secure environment for the user's computer and mobile gadgets. You can install protection not only for a Windows desktop, but also for a MacBook Pro laptop or Android tablet.

The latest generation antivirus that works without signatures. It is designed to prevent new and unknown threats. With it, you will not be afraid of either zero-day vulnerabilities or targeted attempts to penetrate your system.

Avira Free Antivirus is a reliable antivirus that is most effective with an active Internet connection, as thanks to cloud technology it blocks 99.99% of viruses. It has the "Parental Control" function.

A package of anti-virus applications designed for high-level protection of licensed versions of Windows. During the deletion of dangerous files, it creates restore points for the backup.

Dr.Web CureIt is a free program from the well-known anti-virus brand Dr.Web, which allows you to cure an infected computer of viruses.

A tool to determine the level of computer protection. Checks the defenses of anti-virus software and firewall, and also searches for threats in running applications.

ESET NOD32 Antivirus is a popular antivirus for reliable protection of your computer against various types of virus threats. It allows you to scan the system and ensure safe browsing on the Internet.

AVZ is a free antivirus utility that allows you to perform a deep scan and then treat your computer for viruses and other malware infections.

A tool for emergency system recovery from a disk or flash drive. It helps to start a computer that has been "covered" as a result of a virus attack, get rid of malicious components and cure infected files.

Kaspersky Anti-Virus 2016 is a world-famous anti-virus program developed by Kaspersky Lab to protect your personal computer from viruses and malware.

ESET NOD32 Smart Security is a powerful antivirus system that provides comprehensive computer protection against various types of malware. It has a built-in firewall for secure Internet browsing.

Avast! Internet Security is an anti-virus system that combines the ability to detect and neutralize various types of viruses, trojans, spyware, rootkits and worms.

One of the most popular antiviruses. Includes scanner, real-time monitoring, anti-spyware, download and mail check. Updates the database several times a day.

Kaspersky Internet Security 2016 is a powerful anti-virus program from the well-known company Kaspersky Lab, which will help keep your system stable and secure.

Avast! Pro Antivirus is a powerful antivirus tool to protect your system from virus threats. Unlike avast! Internet Security, it does not have a built-in firewall or anti-spam function.

DrWeb LiveUSB is a free program for creating a rescue disk on a flash drive.

Kaspersky PURE is a program for protecting home network computers from all types of virus threats, malware and fraud.

Comodo Antivirus is a free antivirus application that allows you to browse the Internet safely, block online threats, and scan your computer for virus threats.

AVG Internet Security is a set of programs with which you can ensure the safe operation of your computer. These programs provide protection against viruses, worms, banner ads, spam and more.

Kaspersky Virus Removal Tool is a free program for Windows, a well-known anti-virus product from Kaspersky Lab, which ensures the removal of viruses from your computer.

Bitdefender Antivirus Free Edition is a free program for Windows, a lightweight version of a well-known antivirus that will keep your computer safe from external and internal threats.

Norman Malware Cleaner is an easy-to-use utility that helps you remove malicious files from your computer. It does not require installation and can stop infected programs from running.

Panda Cloud Antivirus is a free version of antivirus from The Cloud Security Company, which specializes in cloud security technologies.

Spyware Doctor is an antivirus utility that protects the system from spyware, viruses, trojans and other misfortunes. In addition, the antivirus has several types of system scans and a task scheduler.
