How to set up smartphones and PCs. Informational portal

Types of antivirus programs. Computer viruses and antiviruses

Classification.

Antivirus products can be classified according to several criteria at once, such as: anti-virus protection technologies used, product functionality, target platforms.

By the anti-virus protection technologies used:

  • Classic antivirus products (products that use only the signature detection method);
  • Proactive anti-virus protection products (products that use only proactive anti-virus protection technologies);
  • Combined products (products using both classic, signature-based protection methods and proactive ones).

By product functionality:

  • Antivirus products (products that provide only antivirus protection)
  • Combined products (products that provide not only protection against malware but also spam filtering, encryption, data backup and other functions)

By target platforms:

  • Antivirus products for Windows operating systems
  • Antivirus products for the *NIX family of operating systems (this family includes BSD, Linux, etc.)
  • Antivirus products for macOS
  • Antivirus products for mobile platforms (Windows Mobile, Symbian, iOS, BlackBerry, Android, Windows Phone 7, etc.)

Antivirus products for corporate users can also be classified according to their objects of protection:

  • Antivirus products for protecting workstations
  • Antivirus products for protecting file and terminal servers
  • Antivirus products for protecting mail and Internet gateways
  • Antivirus products for protecting virtualization servers
  • etc.

Characteristics of antivirus software.

Antivirus programs are divided into detector programs, doctor programs, auditor programs, filter programs and vaccine programs.

Detector programs search for viruses in random access memory and on external media and issue a corresponding message when one is found. Detectors are divided into universal and specialized.

Universal detectors check that files are unchanged by computing a checksum and comparing it with a reference value. Their disadvantage is that they cannot determine the cause of file corruption.

Specialized detectors search for known viruses by their signature (a repeated piece of code). The disadvantage of such detectors is that they are unable to detect all known viruses.

A detector that detects multiple viruses is called a polydetector.

The disadvantage of such antivirus programs is that they can only find viruses that are known to the developers of such programs.
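The signature search a polydetector performs can be sketched as follows. This is an added example, not code from any product named on this page; the two "signatures" are constructed, harmless byte patterns, and the function names are hypothetical. It reads the input in chunks and keeps an overlap so that a signature split across two chunks is still found.

```python
import io

# Constructed, harmless byte patterns standing in for virus signatures.
# A real product ships thousands of these in its anti-virus database.
SIGNATURES = {
    "Demo.A": bytes.fromhex("deadbeef0badf00d"),
    "Demo.B": b"CONSTRUCTED-SIGNATURE-B",
}


def scan_stream(stream, signatures=SIGNATURES, chunk_size=64 * 1024):
    """Return a sorted list of (signature_name, absolute_offset) hits."""
    longest = max(len(sig) for sig in signatures.values())
    overlap = longest - 1      # bytes carried over between chunks
    hits = set()               # a set, because the overlap can repeat a hit
    tail = b""
    base = 0                   # absolute offset of window[0]
    while True:
        chunk = stream.read(chunk_size)
        if not chunk:
            break
        window = tail + chunk
        for name, sig in signatures.items():
            pos = window.find(sig)
            while pos != -1:
                hits.add((name, base + pos))
                pos = window.find(sig, pos + 1)
        # Keep the last `overlap` bytes so a signature that straddles
        # the chunk boundary is complete in the next window.
        tail = window[-overlap:] if overlap else b""
        base += len(window) - len(tail)
    return sorted(hits, key=lambda hit: (hit[1], hit[0]))


def scan_file(path, signatures=SIGNATURES):
    """Scan one file on disk with the same chunked search."""
    with open(path, "rb") as handle:
        return scan_stream(handle, signatures)


if __name__ == "__main__":
    # Constructed sample: filler bytes with both patterns embedded.
    sample = (b"A" * 10 + SIGNATURES["Demo.A"] + b"B" * 5
              + SIGNATURES["Demo.B"] + b"C" * 3)
    print(scan_stream(io.BytesIO(sample), chunk_size=7))

    # One changed byte inside the pattern defeats the match: the detector
    # only finds what is already in its signature set.
    mutated = bytearray(sample)
    mutated[12] ^= 0xFF
    print(scan_stream(io.BytesIO(bytes(mutated)), chunk_size=7))
```
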

Doctor programs (phages) not only find files infected with viruses, but also "cure" them, i.e. remove the body of the virus program from the file, returning the files to their original state. At the beginning of their work, phages look for viruses in RAM and destroy them, and only then proceed to "cure" files. Among the phages, polyphages are distinguished, i.e. doctor programs designed to search for and destroy a large number of viruses.

Considering that new viruses are constantly appearing, detector programs and doctor programs quickly become outdated, and their versions need to be regularly updated.

Auditor programs are among the most reliable means of protection against viruses. Auditors remember the initial state of programs, directories and system areas of the disk when the computer is not infected with a virus, and then periodically, or at the user's request, compare the current state with the initial one. The detected changes are displayed on the monitor screen. As a rule, states are compared immediately after the operating system is loaded. When comparing, the file length, the cyclic control code (file checksum), the date and time of modification and other parameters are checked.

Auditor programs have quite advanced algorithms, detect stealth viruses and can even distinguish changes in the version of the program being scanned from changes made by a virus.
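The baseline-and-compare cycle of an auditor program, which is also the immutability check that universal detectors rely on, can be sketched like this. It is an added example, not code from any product on this page: the function names and the sample files are constructed, and SHA-256 is swapped in for the cyclic checksum the text mentions. The demo includes a file whose content changes while its length and modification time stay the same, which only the hash comparison catches.

```python
import hashlib
import os
import tempfile
from pathlib import Path

FIELDS = ("size", "mtime_ns", "sha256")   # attributes the auditor compares
FIXED_TIME_NS = 1_600_000_000 * 10**9     # constructed timestamp for the demo


def file_record(path):
    """Length, modification time and content hash of one file."""
    st = path.stat()
    digest = hashlib.sha256()
    with path.open("rb") as handle:
        for block in iter(lambda: handle.read(65536), b""):
            digest.update(block)
    return {"size": st.st_size, "mtime_ns": st.st_mtime_ns,
            "sha256": digest.hexdigest()}


def snapshot(root):
    """Record the state of every file under root (the 'initial state')."""
    root = Path(root)
    return {str(p.relative_to(root)): file_record(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def compare(baseline, current):
    """Return (name, status, changed_fields) for every difference."""
    findings = []
    for name in sorted(set(baseline) | set(current)):
        old, new = baseline.get(name), current.get(name)
        if old is None:
            findings.append((name, "added", []))
        elif new is None:
            findings.append((name, "removed", []))
        else:
            changed = [f for f in FIELDS if old[f] != new[f]]
            if changed:
                findings.append((name, "modified", changed))
    return findings


def demo():
    """Build a constructed directory, change it, and audit the changes."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for name, body in [("app.com", b"original program body"),
                           ("tool.exe", b"another program"),
                           ("notes.txt", b"plain text")]:
            (root / name).write_bytes(body)
            # Pin the modification time so later changes are unambiguous.
            os.utime(root / name, ns=(FIXED_TIME_NS, FIXED_TIME_NS))
        baseline = snapshot(root)

        # Same length, timestamp put back: only the hash reveals the change.
        (root / "app.com").write_bytes(b"patched  program body")
        os.utime(root / "app.com", ns=(FIXED_TIME_NS, FIXED_TIME_NS))
        # Appended bytes: length, timestamp and hash all change.
        with (root / "tool.exe").open("ab") as handle:
            handle.write(b" + appended bytes")
        (root / "dropped.com").write_bytes(b"new executable")
        (root / "notes.txt").unlink()

        return compare(baseline, snapshot(root))


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```
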

Filters (watchdogs) are small resident programs designed to detect suspicious actions during computer operation that are typical of viruses. Such actions can be:

  • attempts to modify files with COM and EXE extensions;
  • changes of file attributes;
  • direct writes to disk at an absolute address.

When a program tries to perform the specified actions, the "watchman" sends a message to the user and offers to prohibit or allow the corresponding action. Filter programs are very useful as they can detect a virus at a very early stage of its existence, before it multiplies. However, they do not "cure" files and disks. To destroy viruses, you need to use other programs, such as phages. The disadvantages of watchdog programs include their "intrusiveness" (for example, they constantly issue a warning about any attempt to copy an executable file), as well as possible conflicts with other software.

Vaccines (immunizers) are memory-resident programs that prevent files from being infected. Vaccines are used if there are no doctor programs that "cure" a given virus. Vaccination is possible only against known viruses. The vaccine modifies the program or disk in such a way that their operation is not affected, while the virus perceives them as already infected and therefore does not infect them. Vaccine programs are currently of limited use.

A significant drawback of such programs is their limited ability to prevent infection from a wide variety of viruses.

Examples of antivirus programs

When choosing an antivirus program, it is necessary to take into account not only the percentage of virus detection, but also the ability to detect new viruses, the number of viruses in the anti-virus database, the frequency of its updates and the availability of additional functions.

Currently, a serious antivirus must be able to recognize at least 25,000 viruses. This does not mean that they are all "in the wild". In fact, most of them either have already ceased to exist or are in laboratories and are not distributed. In reality, you can encounter 200-300 viruses, and only a few dozen of them are dangerous.

There are many antivirus programs available. Let's consider the most famous of them.

Norton AntiVirus 4.0 and 5.0 (vendor: Symantec).

One of the most famous and popular antiviruses. The virus detection rate is very high (close to 100%). The program uses a mechanism that allows it to recognize new unknown viruses.

The Norton AntiVirus interface has a LiveUpdate feature that lets you update both the program and the set of virus signatures via the Web with the click of a single button. The Anti-Virus Wizard provides detailed information about the detected virus, and also gives you the choice of removing the virus either automatically or more carefully, through a step-by-step procedure that allows you to see each of the actions performed during the removal process.

The anti-virus databases are updated very often (sometimes updates appear several times a week). There is a resident monitor.

The disadvantage of this program is the complexity of the setup (although changing the basic settings is practically never required).

Dr Solomon's AntiVirus (vendor: Dr Solomon's Software).

It is considered one of the best antiviruses (Evgeny Kaspersky once said that this is the only competitor to his AVP). Detects almost 100% of known and new viruses. A large number of functions, a scanner, a monitor, heuristics and everything you need to successfully resist viruses.

McAfee VirusScan (manufacturer: McAfee Associates).

This is one of the most famous antivirus packages. It is very good at removing viruses, but VirusScan is worse than other packages at detecting new varieties of file viruses. It's quick and easy to install using the default settings, but you can customize it as you see fit. You can scan all files or only program files, and extend or not extend scanning to compressed files. It has many functions for working with the Internet.

Dr.Web (vendor: "Dialogue Science")

A popular domestic antivirus. It recognizes viruses well, but there are far fewer of them in its database than in those of other antivirus programs.

Antiviral Toolkit Pro (manufacturer: Kaspersky Lab).

This antivirus is recognized worldwide as one of the most reliable. Despite being easy to use, it has the whole arsenal you need to fight viruses. The heuristic mechanism, redundant scanning, scanning of archives and packed files: this is not a complete list of its capabilities.

Kaspersky Lab closely monitors the emergence of new viruses and releases anti-virus database updates in a timely manner. There is a resident monitor for monitoring executable files.

The abundance of threats ("infected" flash drives, the Internet, local networks, incorrectly configured OS) led to the need to use antivirus programs. Most users prefer a universal all-inclusive solution that combines a full range of routines to scan potential sources of threats (mail, websites, external media, and so on). But there are also specific solutions tailored only for certain threats.

There are the following types of antivirus programs:

Antispyware. Spyware is a popular type of threat today. Today, the overwhelming majority of anti-virus packages do not classify such software as malicious, since it is "borderline". This led to the emergence of a whole class of utilities for cleaning spyware from the system. In addition, some professional antivirus software (e.g. AVZ) does contain spyware detection modules. Examples of anti-spyware packages: Search & Destroy, Pestpatrol, Ad-aware.

Online scanner. There are services that allow you to check a computer connected to the Internet for viruses. They work through ActiveX technologies (in which case they work only in Internet Explorer) or Java. Their main advantage is the ability to search for (and, for the most advanced ones, to cure) infected files without installing an anti-virus package. The main disadvantage of this type of service is that it has no means of preventing infection. The most famous online scanners are ESET Online Scanner, Trend Micro HouseCall and Comodo AV Scanner.

Online "single file" scanner. Analyzes files that you suspect of being malicious. You simply upload the selected file system object to the server of the anti-virus laboratory and the answer comes almost instantly. The waiting time also depends on the number of heuristic programs used for the check and the load on the server. This solution is ideal for those PCs where an antivirus is not installed, but you need to check files brought in, say, from a neighboring machine. Among the most famous are Dr.Web online check, avast! Online Scanner, VirusTotal and Online malware scan.

Antivirus scanners without a monitor. They scan and clean local and external media from malware. Unlike "all-in-one" suites containing a whole set of firewalls and heuristics, they do not have a built-in monitor module. This results in good performance. The most popular are Cure it, Clam AntiVirus, Norton Security Scan and Microworld.

Firewall. The program can also be classified as a type of antivirus, as it repels automated attempts to penetrate the system. Mechanism - blocking network traffic and ensuring the invisibility of PCs on the network (by blocking ping and other services). It can also be useful in cases of an infection that has already occurred (blocks outgoing connection attempts). Outpost Firewall is the most popular one today.

1) detector programs: designed to find files infected by one of the known viruses. Some detector programs can also cure files of viruses or destroy infected files. There are specialized detectors, designed to fight one virus, and polyphages, which can fight many viruses;

2) healer programs: designed to cure infected drives and programs. Treatment of a program consists in removing the body of the virus from the infected program. They can also be both polyphages and specialized;

3) auditor programs: designed to detect virus infection of files, as well as to find damaged files. These programs remember data about the state of programs and the system areas of disks in the normal state (before infection) and compare these data while the computer is running. In case of data inconsistency, a message about the possibility of infection is displayed;

4) healers-auditors: designed to detect changes in files and system areas of disks and, in case of changes, return them to their initial state;

5) filter programs: designed to intercept calls to the operating system that are used by viruses to propagate and to inform the user about them. The user can allow or prohibit the corresponding operation. Such programs are resident, that is, they are located in the computer's RAM;

6) vaccine programs: used to process files and boot sectors in order to prevent infection by known viruses (lately this method is being used more and more).

It should be noted that the choice of one "best" antivirus is an extremely erroneous decision. It is recommended to use several different anti-virus packages at the same time. When choosing an anti-virus program, you should pay attention to such a parameter as the number of recognized signatures (a signature is a sequence of characters that is guaranteed to recognize a virus). The second parameter is the presence of a heuristic analyzer for unknown viruses; its presence is very useful, but it significantly slows down the program. Today there is a wide variety of anti-virus programs. Let us briefly consider those common in the CIS countries.

Lecture 9.

Topic: "Architecture of modern computing technology."

There are two main classes of computers:

- digital computers that process data in the form of numerical binary codes;

- analog computers that process continuously changing physical quantities (electric voltage, time, etc.), which are analogous to calculated quantities.

Any computer program is a sequence of separate commands.

The result of a command is generated according to rules that are precisely defined for the given command and incorporated into the design of the computer.

Computer architecture is understood as the computer's logical organization, structure and resources, i.e. the means of the computing system that can be allocated to the data processing process for a certain time interval.

Most computers are based on the principles formulated in 1945 by John von Neumann:

1. The principle of programmed control (the program consists of a set of commands that are executed by the processor automatically one after the other in a certain sequence).

2. The principle of memory homogeneity (programs and data are stored in the same memory; instructions can be operated on in the same way as data).

3. The principle of addressing (main memory structurally consists of numbered cells).

Computers built on these principles have a classical architecture (von Neumann architecture).

The architecture of the PC determines the principle of operation, information links and the interconnection of the main logical nodes of the computer:

The main electronic components that determine the architecture of the processor are located on the main board of the computer, which is called the system board or motherboard. Controllers and adapters of additional devices, or these devices themselves, are made in the form of expansion boards (daughterboards) and are connected to the bus using expansion connectors, also called expansion slots (slot: a slit or groove).

Functional and structural organization.

Basic PC blocks and their meaning

Computer architecture is usually determined by a set of its properties that are essential to the user. The main focus is on the structure and functionality of the machine, which can be divided into basic and additional.

The main functions determine the purpose of the computer: processing and storage of information, exchange of information with external objects. Additional functions increase the efficiency of the main functions: provide effective modes of its operation, dialogue with the user, high reliability, etc. The named computer functions are implemented using its components: hardware and software.

Computer structure is a model that establishes the composition, order and principles of interaction of its components.

A personal computer is a desktop or portable computer that meets the requirements of general availability and versatility of use.

The advantages of PCs are:

  • low cost, within reach of the individual buyer;
  • autonomy of operation without special requirements for environmental conditions;
  • flexibility of architecture, ensuring its adaptability to a variety of applications in management, science, education and everyday life;
  • the "friendliness" of the operating system and other software, which makes it possible for the user to work with it without special professional training;
  • high operational reliability (more than 5 thousand hours of MTBF).

The structure of a personal computer

Consider the composition and purpose of the main PC blocks.

The block diagram of the PC is shown in Fig. 1.

Microprocessor (MP). This is the central unit of the PC, designed to control the operation of all units of the machine and to perform arithmetic and logical operations on information.

The microprocessor includes:

control device (UU): generates and delivers to all blocks of the machine, at the right moments in time, certain control signals (control pulses) determined by the specifics of the operation being performed and the results of previous operations; generates the addresses of memory cells used by the operation being performed, and transfers these addresses to the corresponding computer blocks; the control device receives the reference sequence of pulses from the clock pulse generator;

arithmetic logic unit (ALU): designed to perform all arithmetic and logical operations on numerical and symbolic information (in some PC models an additional math coprocessor is used to speed up the execution of operations);

microprocessor memory (MPP): serves for short-term storage, recording and output of information directly used in calculations in the next clock cycles of the machine, because the main memory (OP) does not always provide the speed of writing, searching and reading information necessary for the efficient operation of a high-speed microprocessor. Registers are high-speed memory cells of various lengths (as opposed to OP cells, which have a standard length of 1 byte and lower performance);

microprocessor interface system: implements pairing and communication with other PC devices; includes the internal interface of the MP, buffer storage registers and control circuits for input-output (I/O) ports and the system bus. An interface is a set of means of interfacing and communication between computer devices, ensuring their effective interaction. An I/O port (Input/Output port) is interface equipment that allows another PC device to be connected to the microprocessor.

Clock pulse generator. It generates a sequence of electrical impulses; the frequency of the generated pulses determines the clock frequency of the machine.

The time interval between adjacent pulses determines the time of one cycle of the machine operation, or simply the cycle of the machine.

The frequency of the clock pulse generator is one of the main characteristics of a personal computer and largely determines the speed of its operation, since each operation in the machine is performed in a certain number of cycles.

System bus. This is the main interface system of a computer, which provides interfacing and communication of all its devices with each other.

The system bus includes:

data code bus (KShD), containing wires and interface circuits for parallel transmission of all bits of the numeric code (machine word) of the operand;

address code bus (CSA), including wires and interface circuits for parallel transmission of all bits of the code of the address of the main memory cell or the input-output port of an external device;

instruction code bus (KSHI), containing wires and interface circuits for transmitting instructions (control signals, pulses) to all blocks of the machine;

power bus, which has wires and interface circuits for connecting PC units to the power supply system.

The system bus provides three directions of information transfer:

Between microprocessor and main memory;

Between the microprocessor and the I / O ports of external devices;

Between the main memory and the I/O ports of external devices (in direct memory access mode).

Not the blocks themselves but rather their input-output ports are connected to the bus uniformly through the corresponding unified connectors (joints): directly or through controllers (adapters). The system bus is controlled by the microprocessor either directly or, more often, through an additional microcircuit, the bus controller, which generates the main control signals.

Main memory (OP). It is designed to store and quickly exchange information with other units of the machine. OP contains two types of storage devices: read-only memory (ROM) and random access memory (RAM).

ROM serves to store unchangeable (permanent) program and reference information, allows you to quickly read the information stored in it (you cannot change the information in the ROM).

RAM is intended for operational recording, storage and reading of information (programs and data) directly involved in the information and computing process performed by the PC in the current period of time. The main advantages of RAM are its high performance and the ability to access each memory cell separately (direct address access to the cell). As a disadvantage of RAM, it should be noted that information cannot be preserved in it after the power of the machine is turned off (volatility).

External memory. It belongs to the external devices of the PC and is used for long-term storage of any information that may ever be required to solve problems. In particular, all computer software is stored in external memory. External memory contains a wide variety of storage devices, but the most common storage devices found on virtually any computer are hard disk drives (HDD) and floppy disk drives (HD).

Power supply. This is a block containing autonomous and network power supply systems for a PC.

Timer. This is an in-machine electronic clock that, if necessary, provides automatic reading of the current moment in time (year, month, hours, minutes, seconds and fractions of seconds). The timer is connected to an autonomous power source, the battery, and continues to work when the machine is disconnected from the network.

External devices (VU). These are a most important component of any computing complex. Suffice it to say that in terms of cost, VUs sometimes account for 50-80% of the total cost of the PC. The possibility and efficiency of using a PC largely depend on the composition and characteristics of its VUs.

The VUs of a PC provide interaction of the machine with its environment: users, control objects and other computers. VUs are very diverse and can be classified according to a number of characteristics. So, according to their purpose, the following types of VU can be distinguished:

  • external storage devices (OVC), or external PC memory;
  • user dialogue means;
  • information input devices;
  • information output devices;
  • communication and telecommunication facilities.

User dialogue means include video monitors (displays), less often console typewriters (printers with keyboards) and speech input-output devices.

Video monitor (display): a device for displaying information input to and output from a PC.

Voice input-output devices belong to multimedia tools. Speech input devices are various microphone acoustic systems, "sound mice", for example, with sophisticated software that makes it possible to recognize letters and words spoken by a person, identify them and encode them.

Voice output devices are various sound synthesizers that convert digital codes into letters and words, which are played through loudspeakers or speakers connected to a computer.

Input devices include:

keyboard: a device for manual input of numerical, textual and control information into the PC;

graphic tablets (digitizers): for manual input of graphic information and images by moving a special pointer (pen) on the tablet; when you move the pen, the coordinates of its location are automatically read and entered into the PC;

scanners: for automatic reading from paper media and entering typewritten texts, graphs, pictures and drawings into a PC; in text mode, the scanner's encoder converts the read characters, after comparison with reference contours by special programs, into ASCII codes, and in graphic mode the read graphs and drawings are converted into a sequence of two-dimensional coordinates;

manipulators (pointing devices): joystick (lever), mouse, trackball (ball in a frame), light pen, etc.; used to enter graphic information on the display screen by controlling the movement of the cursor across the screen, followed by coding of the cursor coordinates and entering them into the PC;

touch screens: for entering individual image elements, programs or commands from the split-screen display into a PC.

Output devices include:

printers: printing devices for recording information on paper;

plotters: for outputting graphic information (graphs, drawings, figures) from a PC to a paper medium; plotters are either vector (drawing the image with a pen) or raster: thermographic, electrostatic, inkjet and laser. By design, plotters are divided into flatbed and drum plotters. The main characteristics of all plotters are approximately the same: the drawing speed is 100-1000 mm/s, and the best models are capable of color images and halftone reproduction; laser plotters have the highest resolution and image clarity, but they are the most expensive.

Communication and telecommunication devices are used for communication with instruments and other automation equipment (interface adapters, adapters, digital-to-analog and analog-to-digital converters, etc.) and for connecting a PC to communication channels, to other computers and to computer networks (network interface cards, "joints", data transmission multiplexers, modems).

In particular, a network adapter is an external interface of the PC and serves to connect it to a communication channel for the exchange of information with other computers and to work as part of a computer network. In global networks, the functions of a network adapter are performed by a modulator-demodulator.

Many of the devices named above belong to a conventionally allocated group - multimedia tools.

Multimedia tools are a complex of hardware and software that allows a person to communicate with a computer using a variety of natural media: sound, video, graphics, texts, animation, etc.

Multimedia tools include devices for speech input and output of information; scanners, which are already widespread (since they allow you to automatically enter printed texts and drawings into a computer); high-quality video and sound cards; video capture cards (videograbbers), which take an image from a VCR or camcorder and enter it into a PC; and high-quality acoustic and video reproducing systems with amplifiers, sound speakers and large video screens. But, perhaps with even more reason, large-capacity external storage devices on optical disks, often used for recording audio and video information, are referred to as multimedia.

Interrupt: a temporary suspension of the execution of one program in order to promptly execute another program that is more important (higher priority) at the moment.

Interrupts occur all the time while a computer is running. Suffice it to say that all information input-output procedures are executed by interrupts; for example, timer interrupts occur and are serviced by the interrupt controller 18 times per second (of course, the user does not notice them).

Intra-machine system interface: a system of communication and interfacing of computer nodes and units with each other; it is a set of electrical communication lines (wires), circuits for interfacing with computer components, and protocols (algorithms) for the transmission and conversion of signals.

There are two options for organizing the in-machine interface.

1. Multiply linked interface: each PC unit is linked to other units by its own local wires; this interface is used, as a rule, only in the simplest household computers.

2. Singly linked interface: all PC units are connected to each other via a common or system bus.

In the overwhelming majority of modern PCs, a system bus is used as the system interface.

PC functional devices

The main characteristics of a PC are:

1. Speed, performance, clock frequency.

The units of performance are:

MIPS (Mega Instructions Per Second): one million operations per second on fixed-point numbers;

MFLOPS (Mega Floating-point Operations Per Second): one million operations per second on floating-point numbers;

KOPS (Kilo Operations Per Second), for low-performance computers: a thousand of some averaged operations on numbers per second;

GFLOPS (Giga Floating-point Operations Per Second): a billion operations per second on floating-point numbers.

Evaluation of the performance of a computer is always approximate, because it is based on some averaged or, conversely, specific types of operations. In reality, different problems use different sets of operations. Therefore, to characterize a PC, the clock frequency is usually indicated instead of performance, since it determines the speed of the machine more objectively: each operation requires a very specific number of clock cycles for its execution, so knowing the clock frequency, you can fairly accurately determine the execution time of any machine operation.

2. The bit depth of the machine and of the interface code buses.

Bit depth is the maximum number of bits of a binary number on which a machine operation, including the operation of transferring information, can be performed simultaneously; the greater the bit depth, the higher the performance of the PC, all other things being equal.

3. System and local interface types.

Different types of interfaces provide different terms for transferring information between machine nodes, allow you to connect a different number of external devices and their different types.

4. The capacity of the RAM.

Memory capacity is most commonly measured in megabytes (MB). As a reminder: 1 MB = 1024 KB = 1024 bytes.

Many modern application programs simply do not work with a RAM capacity of less than 32 Mb, or they work, but very slowly.

5. The capacity of the hard disk drive (hard drive).

Hard drive capacity is usually measured in megabytes or gigabytes (1 GB = 1024 MB).

6. The type and capacity of floppy disk drives and laser CDs.

Nowadays, floppy disk drives are used that take floppy disks of 3.5 and 5.25 inches (the latter are practically not used anymore) (1 inch = 25.4 mm). The former have a standard capacity of 1.44 MB, the latter 1.2 MB. Compact disc drives are also used because of their low cost and large capacity, 650 and 700 Mb; rewritable laser CD-RW discs with a capacity of 650 - 700 Mb are used as well. DVD drives are also used: they are high-technology and expensive, but have a large capacity of up to 24 Gb.

7. Types and capacity of cache memory.

Cache memory is a buffer memory that is inaccessible to users and is automatically used by a computer to speed up operations with information stored in slower memory devices. For example, to speed up operations with the main memory, register cache memory is organized inside the microprocessor (cache memory of the first level) or outside the microprocessor on the motherboard (cache memory of the second level); to speed up operations with disk memory, cache memory is organized on electronic memory cells.

It should be borne in mind that the presence of cache memory with a capacity of 256 KB increases PC performance by about 20%. There is also cache memory with a capacity of 512 KB.

8. Type of video monitor (display) and video adapter.

9. Printer type.

10. The presence of a mathematical coprocessor.

The math coprocessor makes it possible to speed up operations on binary floating-point numbers and on binary-coded decimal numbers.

11. Available software and type of operating system.

12. Hardware and software compatibility with other types of computers.

Hardware and software compatibility with other types of computers means the ability to use the same technical elements and software on a computer as on other types of machines.

13. Ability to work in a computer network.

14. Ability to work in multitasking mode.

Multitasking mode allows you to perform calculations simultaneously for several programs (multi-program mode) or for several users (multi-user mode). The combination in time of operation of several machine devices, which is possible in this mode, makes it possible to significantly increase the effective speed of the computer.

15. Reliability.

Reliability is the ability of the system to fully and correctly perform all the functions assigned to it. The reliability of a PC is usually measured by the mean time between failures.

16. Price.

17. Dimensions and weight

Arithmetic logic unit

The arithmetic logic unit is intended for performing arithmetic and logical operations that transform information.

Functionally, the ALU (Fig. 2) usually consists of two registers, an adder and control circuits (local control device).

Adder - a computational circuit that performs the procedure for adding binary codes arriving at its input; the adder has a double word length.

Registers are high-speed memory cells of various lengths: register 1 (Pr1) has a double word width, and register 2 (Pr2) has a word length.

When an operation is performed, the first number participating in the operation is placed in Pr1 and, after the operation is completed, the result; the second number participating in the operation is placed in Pr2 (after the operation is completed, the information in it does not change). Register 1 can receive information from the data code lines, and output information from these buses.

The control circuits receive control signals from the control device via the instruction code buses and convert them into signals to control the operation of the ALU registers and adder.

ALU performs arithmetic operations (+, -, *, :) only on binary information with a comma fixed after the last digit, i.e. only over binary integers.

Operations on binary floating-point numbers and on binary-coded decimal numbers are carried out either with the assistance of a mathematical coprocessor, or according to specially compiled programs.

Microprocessor memory

Microprocessor memory - memory of small capacity, but extremely high speed (the time of access to the MPP, i.e. the time required to search, write or read information from this memory, is measured in nanoseconds).

It is intended for the short-term storage, recording and output of information that takes part in calculations in the machine's immediately following clock cycles; MPP is used to ensure high speed of the machine, because main memory does not always provide the writing, searching and reading speed needed for the efficient operation of a high-speed microprocessor.

Microprocessor memory consists of high-speed registers with a capacity of at least a machine word. The number and length of registers in different microprocessors are different.

Microprocessor registers are divided into general-purpose and special-purpose registers.

Special registers are used to store various addresses (command addresses, for example), signs of the results of operations and PC operating modes (flags register, for example), etc.

General purpose registers are universal and can be used to store any information, but some of them must also be necessarily involved when performing a number of procedures.

Microprocessor interface

The interface part of the MP is intended for communication and coordination of the MP with the PC system bus, as well as for receiving, preliminary analysis of the commands of the program being executed and the formation of full addresses of operands and commands.

The interface part includes the MPP address registers, the address formation unit, the command register block, which is the command buffer in the MP, the MP internal interface bus and control circuits for the bus and I / O ports.

I/O ports are the points of the PC system interface through which the MP exchanges information with other devices. In total, the MP can have 65536 ports. Each port has an address - a port number corresponding to the address of a memory cell that is part of the I/O device using this port, and not part of the main computer memory.

The device port contains the interface equipment and two memory registers: one for data exchange and one for exchange control information. Some external devices also use main memory to store large amounts of information to be exchanged. Many standard devices (HDD, floppy disk drive, keyboard, printer, coprocessor, etc.) have I/O ports permanently assigned to them.

The bus and port control circuitry performs the following functions:

Formation of the port address and control information for it (switching the port to receive or transmit, etc.);

Reception of control information from the port, information about the readiness of the port and its state;

Organization of an end-to-end channel in the system interface for data between the port of the I / O device and the MP.

The bus and port control circuitry uses the instruction, address and data code buses of the system bus to communicate with the ports: when accessing a port, the MP sends a signal via the KSHI that notifies all I/O devices that the address on the KSA is a port address, and then sends the port address itself. The device whose port address matches gives a readiness response, after which data is exchanged via the KShD.

PC storage devices.

Computer memory is built from binary storage elements - bits, grouped into groups of 8 bits called bytes. (The units of memory are the same as the units of information.) All bytes are numbered. The byte number is called its address.

Bytes can be combined into cells, which are also called words. Each computer has a specific word length - two, four, or eight bytes. This does not preclude the use of memory cells of other lengths (e.g. half-word, double-word).

As a rule, one machine word can represent either one integer or one instruction. However, variable presentation formats are allowed.

Larger derived units of memory size are also widely used: Kilobyte, Megabyte, Gigabyte and, lately, Terabyte and Petabyte.

Modern computers have many different storage devices, which differ greatly in their purpose, timing, amount of stored information and the cost of storing the same amount of information.

There are two main types of memory - internal and external.

Internal memory includes RAM, cache and special memory.

RAM.

RAM is used only for temporary storage of data and programs, because when the machine is turned off, everything that was in RAM is lost. Access to the elements of random access memory is by address: each byte of memory has its own individual address.

The amount of RAM is usually 32 - 512 MB, and for efficient operation of modern software, it is desirable to have at least 256 MB of RAM. RAM is usually built from DRAM (Dynamic RAM) integrated circuits. DRAM chips are slower than other types of memory, but they are cheaper.

Cache memory.

The cache is managed by a special device - the controller, which, analyzing the executable program, tries to foresee what data and instructions the processor is most likely to need in the near future, and pumps them into the cache memory. In this case, both "hits" and "misses" are possible. In the event of a hit, that is, if the necessary data has been pumped into the cache, it is retrieved from memory without delay. If the required information is not in the cache, then the processor reads it directly from the RAM. The ratio of hits to misses determines the effectiveness of caching.

Special memory.

Special memory devices include read-only memory (ROM), programmable read-only memory (Flash Memory), battery-powered CMOS RAM, video memory and some other types of memory.

Flash memory is non-volatile memory that can be repeatedly overwritten from a floppy disk.

First of all, a program for controlling the operation of the processor itself is written into the permanent memory. The ROM contains programs for controlling the display, keyboard, printer, external memory, programs for starting and stopping the computer, and testing devices.

The most important chip of permanent or Flash memory is the BIOS module.

The role of BIOS is twofold: on the one hand, it is an integral part of the hardware (Hardware), and on the other hand, it is an important module of any operating system (Software).

A kind of permanent memory - CMOS RAM.

The CMOS content is changed by a special Setup program located in the BIOS (from the English "set up" - to set; pronounced "setup").

Video memory is used to store graphic information.

External memory.

External memory (OVC) is designed for long-term storage of programs and data, and the integrity of its contents does not depend on whether the computer is turned on or off. Unlike RAM, external memory has no direct connection to the processor.

Floppy disk drives

Compact disc drives

The CD-ROM consists of a transparent polymer base with a diameter of 12 cm and a thickness of 1.2 mm. One side is covered with a thin aluminum layer, protected from damage by a layer of varnish. Binary information is represented by a sequential alternation of pits (pits) and the base layer (land).

One inch (2.54 cm) along the radius of the disk contains 16 thousand tracks with information. For comparison, there are only 96 tracks per inch along the radius of a floppy disk. CD capacity up to 780 MB. The information is recorded on the disc at the factory and cannot be changed.

Advantages of CD-ROM:

With small physical dimensions, CD-ROMs have a high information capacity, which allows them to be used in help systems and in educational complexes with rich illustrative material; one CD, about the size of a floppy disk, is equal in information volume to almost 500 such floppy disks;

Reading information from CD occurs at a high speed, comparable to the speed of a hard drive;

CDs are simple and easy to use, practically do not wear out;

CDs cannot be infected with viruses;

You cannot accidentally erase information on a CD-ROM;

The cost of data storage (per MB) is low.

Unlike magnetic disks, compact disks do not have many circular tracks, but one spiral, like gramophone records. In this regard, the angular speed of rotation of the disk is not constant. It decreases linearly as the reading head moves towards the center of the disk.

There are CD-RW for recording on special CD-R discs from 650 - 700 Mb and CD-RW for repeated recording with a capacity of 650 - 700 Mb.

Tape drives (tape drives) and removable disk drives

Lecture 10.11.

Topic: "Text editor MS Word"

A text editor is a word processing program that is used to create new documents (letters, reports, newsletters) or modify existing ones. Modern text editors (including the Word editor) are sometimes called word processors because they contain a very large number of word processing functions.

Microsoft Word allows you to enter, edit and format text and correctly place it on the page. With this program, you can insert graphics, tables and diagrams into your document, as well as automatically correct spelling and grammatical errors.

Graph, Equation, WordArt - thanks to this group of programs it is possible to insert various diagrams (Graph), mathematical formulas (Equation - formula editor) and text effects (WordArt) into the document.

Checking tools are programs designed to check spelling, correct typos and find synonyms.

Envelopes, filters - used for documents created in other text editors, whose file formats differ from the format used by the Word editor.

Help and Examples - Word Help System. It contains information about each command and describes the steps you need to follow to get the desired result.

Wizards, templates and letters - wizards and templates save time when preparing standard documents. With Word templates, you can quickly create letters, faxes and lettering on envelopes.

Tools - this group includes the installer that allows you to change the configuration of MS Word.

Graphics (Clip Art) - the graphics library contains more than 50 drawings that can be used to design documents.

Interface of the Microsoft Word word processor

The Microsoft Word word processor can be launched with the command Start \ Programs \ Microsoft Word. After the word processor starts, the application window is displayed on the screen; it may contain the following elements: title bar; main menu bar; toolbars; rulers; scroll bars; working area of the document window; status bar.

The title bar contains the system menu button, the name of the application (Microsoft Word) and the name of the document being processed.

The main menu bar starts with the File button and ends with the Help button. The menu items are organized according to a multi-level scheme: selecting an item brings up a list of commands (a menu):

FILE - contains commands for working with documents at the level of file operations. Using the commands of this menu, new documents are created, existing documents are opened and edited documents are saved. The menu contains commands for preparing documents for printing and for finishing work with a Word document. At the bottom of the menu, there is a list of documents that the user has worked with recently;

EDIT - provides processing (editing) of the active document. This menu contains commands for undoing and redoing previously entered commands, performing actions on selected text fragments using the clipboard, searching and replacing text, and moving to a specified page by its number;

VIEW - serves to select different modes of viewing the document on the screen. The commands of this menu allow you to change the appearance of the window, set the rulers and the status bar, change the scale, etc.;

INSERT - contains commands that allow you to include various objects in the text (page numbers, footnotes, notes, fragments, figures, etc.);

FORMAT - offers document design options: changing fonts, line spacing, paragraph indents, changing case (uppercase and lowercase), setting different styles, the background color of the document, etc.;

SERVICE - contains commands with which the document is checked for spelling errors, the auto-correction mode is turned on to correct typical errors, macros are launched and macro recording in the VBA language is started, and the parameters that determine the mode of operation and state of the word processor are set;

TABLE - used to create and process tables;

WINDOW - contains commands that allow you to organize and create document windows, as well as switch from one document to another;

REFERENCE - serves to obtain reference information about working with the application.

Toolbar buttons duplicate the most frequently used menu commands. When a button is pressed, a specific word processor command is executed. Word has a number of toolbars for performing different groups of commands. The user can hide or show the desired panel or a separate button by selecting the command View \ Toolbars. The displayed panel is marked with a check mark. The check mark is set or cleared by left-clicking on the selected panel. Typically, when working with text, the STANDARD and FORMATTING panels are used.

The horizontal ruler is located above the document window and allows you to change the size of paragraph indents and the width of table columns, as well as set tab stops. The vertical ruler is used to set the top and bottom margins of the page and the height of the table rows.

Scroll bars (horizontal and vertical) are used to view the document if the text does not fit completely on the screen.

In the work area of the document window, text is entered and formatted, figures are embedded and tables are created.

The status bar is located at the bottom of the Word window and displays information about the current position of the input cursor in the document, the editing mode, etc.

Editing and formatting a text document

The created document can be viewed in various modes, which are set using the commands of the VIEW menu. For example, the command View \ Normal displays a simplified version of the document (only text and tables), while View \ Page Layout is intended for viewing the document in WYSIWYG mode. To create and change the structure of the document (the hierarchy of headings and sections of text), use the command View \ Structure.

Oftentimes, generated documents cannot be fully viewed on the screen. In this case, if you want to place the input cursor at a certain position, you need to scroll the text in the document window. Positioning the input cursor to the desired position can be done in two ways:

with the mouse- scroll the text using the scroll bars, set the mouse pointer to the desired location and left-click;

using the keyboard- use the cursor keys and their combinations with the key ... For example, the keyboard shortcut + allows you to move the insertion point to the end of the document, and + - to the beginning of the document.

Editing a text document is carried out both when typing and after creating it. When typing, you can perform actions such as deleting a mistakenly entered character or adding a new one. To delete the character to the left of the input cursor, use the key , and to delete a character to the right of the input cursor, use the key ... Adding text can be done in two modes: in insert mode and in character replacement mode. In insert mode, the text is shifted to the right when new characters are added, and in replacement mode the entered character is inserted in place of the existing one. These modes are switched by double-clicking on the ZAM indicator on the status bar.

Any Word text contains so-called non-printable characters, i.e. characters that are displayed on the screen but cannot be printed. These are symbols for paragraphs, spaces, tabs, etc. To display them on the screen, use the command Service \ Options (VIEW tab) or the toolbar button Non-printable characters. Using non-printable characters, you can, for example, delete extra spaces or lines created by the pressed key .

After the text has already been typed, you can perform various actions on its fragments. The text fragment in which you want to make changes must be selected. To select, place the mouse pointer at the beginning of the fragment, then, while holding down the left button, "drag" the pointer to the end of the fragment. You can also use the cursor keys to select at the same time as the pressed key. ... To deselect a text fragment, just click anywhere in the document.

The following actions can be performed on the selected text fragment:

deletion - the selected fragment is removed from the text by pressing the key or with the command Edit \ Clear;

moving - fragments of text are moved from one place to another. To move the text, the clipboard can be used, in which the selected fragment is placed with the command Edit \ Cut (this removes the fragment from the document). The contents of the clipboard can be pasted several times to any place in the document with the command Edit \ Paste. If the move is carried out within visible text, it is preferable to use Drag-and-Drop: position the mouse pointer over the selected fragment and, while holding down the left mouse button, move it to the desired location;

copying - a copy of the text fragment is created. For copying, the clipboard is also used, in which the selected fragment is placed with the command Edit \ Copy. Inserting a fragment is performed in the same way as when moving text. If Drag-and-Drop is used, then dragging the text with the mouse is performed while the key is pressed;

creating an autotext item - used for the subsequent insertion of a frequently used fragment into the text. To create a new AutoText element, the fragment to be repeated is highlighted, then the command Insert \ Autotext \ New is selected. After the command is executed, a window appears in which you need to specify a name for the new autotext element and click the OK button. To insert an element into the text, place the cursor at the insertion point, select the command Insert \ Autotext \ Autotext and, on the AUTOTEXT tab of the dialog box that appears, select the name of the autotext element and click the Insert button;

change font - setting other font types, style, color, etc. for the selected fragment. To change the font, use the command Format \ Font;

change case - changing uppercase letters to lowercase and vice versa. Changing the case for the selected fragment is carried out with the command Format \ Case;

changing paragraph parameters - setting new paragraph parameters for several selected adjacent paragraphs. The command Format \ Paragraph or the horizontal ruler is used.

To reduce document preparation time, you can use Word features such as finding and replacing text, formatting and special characters. The search is carried out with the command Edit \ Find. In the FIND AND REPLACE dialog box that appears, enter the text you are looking for (up to 255 characters) in the Find field. Pressing the Find Next button highlights the first of the occurrences found. To continue the search, press the Find Next button again.

For contextual replacement, use the command Edit \ Replace, which searches for the specified text and at the same time allows you to replace the found fragment with another. After selecting the command, in the dialog box that appears enter the search text in the Find field and the replacement text in the Replace field. After pressing the Find Next button, you can replace the found text by clicking the Replace button. If replacement is not required, you can continue your search. The Replace all button replaces all occurrences of the desired text. It is also possible to search and replace with additional parameters: whole word search, case sensitive search, setting the search direction, and specifying the desired format or special character. These parameters are set in the FIND AND REPLACE dialog box after pressing the More button.

Drawing tools.

The Word drawing tools allow the user to create various logos, business cards and other elements that make the document more attractive. To create a picture in the text, use the PAINTING panel (Fig. 4.6), which is displayed on the screen with the command View \ Toolbar \ Drawing. This panel offers features such as drawing lines, arrows, rectangles, ovals, labels, and more. With its help, you can set the color and type of lines and the background (fill) color of objects. To draw an object, click the corresponding button on the PAINTING panel, then place the mouse pointer where the object should be (the mouse pointer will take the form of a cross) and, holding down the left mouse button, stretch the object to the required size. To change the parameters of an object, select it by clicking on it with the left mouse button, and then select the required formatting parameters (for example, color, fill, etc.) in the PAINTING panel.

The PAINTING panel also allows you to group individual drawing objects into a single object. Afterwards, the group can be handled as a single object. To group, you must first select a group of objects: click the Object selection button, then set the mouse pointer to any point outside the objects to be selected, press the left mouse button and "drag" the mouse pointer, creating a dotted border around the group of objects. Selected objects are grouped with the Group command from the drop-down list of the Actions button. The reverse action is performed by the Ungroup command of the same drop-down list.

If the user needs to insert a ready-made picture into the text, place the insertion cursor at the insertion point and select one of the commands: Insert \ Picture \ Pictures or Insert \ Picture \ From File. The command Insert \ Picture \ Pictures opens the MICROSOFT CLIP GALLERY 3.0 dialog box, in which you should select the GRAPHICS tab, highlight the image and press the Insert button.

The command Insert \ Picture \ From File opens the ADD PICTURE dialog box, in which you should select the folder containing the picture file to be inserted, then select the file and press the Add button.

In addition to drawings, you can insert into a Word document objects created in other applications: artistic text from Microsoft Word Art, complex mathematical formulas created in Microsoft Equation, diagrams from Microsoft Graph, etc. To insert these objects, use the command Insert \ Object, which opens the INSERTING OBJECT dialog box. On the CREATE tab of this window, you can select the application in which the user needs to create the object of interest. The object can then be created using the given application without leaving Word 97. To return to the previous mode of operation, click with the mouse outside the object. On the CREATE FROM FILE tab of the INSERTING OBJECT dialog box, it is possible to insert a file created earlier in another application. To search for the required file, use the Overview button of this window.

If necessary, you can resize graphic objects and move them within the document window. To do this, the object must first be selected. To change the size, use the handles located on the boundaries of the object, which appear after it is selected. Place the mouse pointer on a handle and, with the left button pressed, drag the handle in the desired direction. Inserted graphics can be positioned in a document in a variety of ways. Selected objects can be left-aligned, right-aligned, or centered. You can also position the object within the text of the document. To do this, you can set how text flows around the object on the WRAPPING tab, for example, in the OBJECT FORMAT dialog box called by the command Format \ Object (depending on the type of object, these can also be the commands Format \ AutoShape, Format \ Inscription, Format \ Object WordArt, Format \ Picture).

Creation and design of tables.

Tables are used to present information in a structured manner and improve its perception.

To add a table to the document, use the command Table \ Add Table. In the INSERT TABLE dialog box that opens, set the required number of rows and columns and press the OK button.

The text is entered into the cell of the table where the cursor is positioned. To move to another cell, use both the cursor keys and the key (one cell to the right) or + (one cell to the left). Highlighting and formatting text in a table can be performed in the same way as in the text of a document.

Before you can insert or delete a cell, row or column, you must select it. To select the row or column where the cursor is located, or to select an entire table, use the corresponding commands of the TABLE menu. Then the commands of this menu that perform the required action on the selection are executed: for adding - Add Rows, Add Columns, Add Cells; for removing - Delete Rows, Delete Columns, Delete Cells.

Keyboard shortcuts

Help key

Keyboard shortcuts for document management:

- open a new document

- open an existing document

- document printing

Keyboard shortcuts for working with a document:

- cut a block of text

- copy a block of text

- insert a block of text

Keyboard shortcuts for formatting text:

- highlighting in bold

- italicized

- highlighting

- normal font

Keyboard shortcuts for formatting paragraphs:

Select a paragraph into a block, and then apply one of the following commands to it:

- align to the left

- align right

- center

- align on both edges

Lecture 12.

Topic: "Tabular Processor MS Excel"

Basic concepts. Entering, editing and formatting data.

Microsoft Excel is part of the Microsoft Office software package and is designed for creating spreadsheets, performing calculations in them and creating charts. As in Microsoft Word, in Excel you can create ordinary text documents, forms and price lists, sort, select and group data, analyze it, etc.

An antivirus program is specialized computer software that prevents the operating system from being infected by dangerous files, in other words, viruses. A computer virus is malicious software that creates copies of itself and injects them into various channels in order to cause harm to, or completely destroy, the computer's hardware complex. Each virus carries an individual code - it is this code that is contained in the anti-virus database. Using these codes, the antivirus finds infected files.

How does antivirus work?

Modern antivirus programs are developed mostly for Microsoft's Windows operating system, which is due to the prevalence and popularity of this platform.

An antivirus program on a Microsoft system works according to a simple scheme. First, the computer's data is scanned and virus signatures are searched for. If a file with malicious code is found, the process is blocked and the file is sent to "quarantine". Next, the antivirus program neutralizes or destroys the virus. To work correctly, the antivirus needs timely database updates. The database itself is a collection of all information about dangerous files. Accurate information makes them easy to find and destroy.

Viruses are constantly being written, and there are special networks for their detection that collect all the necessary information. After collecting information, an analysis of the harmfulness of the virus and its behavior is carried out, on the basis of which a way is found to destroy it.

Types of antivirus

The most common are two types of antivirus programs:

scanner - this type performs on-demand scanning of all files contained on the hard disk. You can run such a check at any convenient time.

monitor - this type constantly checks all running programs (scanned, copied, transferred, deleted files). It starts along with the operating system and controls all processes in RAM.

Antivirus products are also classified according to such characteristics as:
- technologies used;
- target platform;
- objects of protection.

Of course, to work more successfully the anti-virus program must have auxiliary modules - modules for updating, scheduling, management and "quarantine". However, the constant creation of new viruses means that these modules cannot guarantee 100% protection of the operating system.

Anything above is nonsense for hamsters.

In fact, no antivirus is needed. It only eats up computer resources. If you always download software from official and/or trusted sites, you will never have any viruses. I guarantee it. I have been working on a computer for 10 years without antivirus software. I reinstall the OS only when a new version comes out and/or when changing computers.

Which is what I wish for you.

Modern Windows PC security products are complex applications. The number of specialized features offered can be confusing to the end user. Each software vendor strives to use its own name for a feature that may appear in other products under a different name. The confusion is heightened when it becomes clear that two different features quite often have the same name in products from different vendors.

This series of articles is intended to clarify the basics and actual functionality of the most common features of modern security suites for Windows. We're going to describe what you can expect from a particular solution, whether it's a toolkit for protecting against malware, surfing the web safely, or preventing unwanted intrusion. By using the information gathered in the articles, you can compare the feature sets offered by products from different vendors and get a better understanding of how security suites work.

In the first part of this article series, we will discuss the most basic components: the antivirus engine and the firewall.

Anti-virus Engine

Also called: real-time antivirus protection, real-time protection, file monitoring, anti-malware

The antivirus engine is a core component included in most of the security packages on the market. The main role of the engine is to scan the data stored on the computer and the data entering it in order to detect and remove malware. Malicious code can be stored in files on hard drives, on portable USB drives, in the computer's RAM, in network drivers, in the boot sector of a disk, or arrive as part of network traffic.

Detection methods

The antivirus engine uses a large number of methods for detecting malware. Antivirus programs contain an extensive database of virus samples that must be detected during a scan. Each sample can either identify one unique piece of malicious code or, more commonly, describe an entire family of viruses. The main limitation of detecting viruses by comparison with samples is that the antivirus program can only detect well-known viruses, while new threats may go undetected.

Heuristic analysis (heuristic-based detection) is used to detect even those viruses for which there are no samples in the anti-virus program database. There are many different methods of heuristic analysis. The basic principle is to identify program code that is highly undesirable in safe software products. However, this method is imprecise and can cause many false alarms. Good heuristic analysis is well balanced and produces a minimum of false alarms with a high rate of malware detection. The sensitivity of the heuristic can be customized.
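
The difference between the two methods above, as an added sketch that is not part of the original article or of any antivirus product: a signature lookup that misses a modified variant, and a weighted heuristic whose sensitivity setting trades detection against false alarms. The signature bytes, trait strings, weights and thresholds are all constructed for illustration.

```python
# Constructed signature database: one byte pattern may describe a whole family.
SIGNATURES = {"Demo.Family.A": b"\xde\xad\xbe\xef\x13\x37"}

# Constructed heuristic traits: (byte string, weight, what it suggests).
TRAITS = [
    (b"CreateRemoteThread", 40, "runs code inside another process"),
    (b"\\CurrentVersion\\Run", 30, "registers itself to start with Windows"),
    (b"UPX!", 30, "executable is packed"),
]

# Sensitivity setting -> minimum score reported as suspicious (assumed values).
THRESHOLDS = {"low": 80, "medium": 50, "high": 30}


def signature_scan(data):
    """Return the name of the first matching sample, or None."""
    for name, pattern in SIGNATURES.items():
        if pattern in data:
            return name
    return None


def heuristic_score(data):
    """Sum the weights of every trait present in the data."""
    return sum(weight for marker, weight, _ in TRAITS if marker in data)


def classify(data, sensitivity="medium"):
    """Signature match first; fall back to the heuristic score."""
    name = signature_scan(data)
    if name:
        return "infected:" + name
    if heuristic_score(data) >= THRESHOLDS[sensitivity]:
        return "suspicious"
    return "clean"


# Constructed samples: a known sample, a variant with two signature bytes
# changed, and a harmless packed installer.
KNOWN = b"MZ" + SIGNATURES["Demo.Family.A"] + b"CreateRemoteThread"
VARIANT = (b"MZ" + b"\xde\xad\x00\x00\x13\x37"
           + b"CreateRemoteThread" + b"\\CurrentVersion\\Run")
PACKED_INSTALLER = b"MZ UPX! setup payload"

if __name__ == "__main__":
    for label, sample in (("known", KNOWN), ("variant", VARIANT),
                          ("installer", PACKED_INSTALLER)):
        print(label, [classify(sample, s) for s in ("low", "medium", "high")])
```

At high sensitivity the harmless installer is reported as suspicious, which is the false-alarm cost the paragraph describes.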

Virtualization (creating a virtual environment) or sandboxing are more advanced methods of identifying threats. For a certain time, code samples are executed in a virtual machine or other safe environment, from which the scanned samples cannot escape and harm the operating system. The behavior of the sample in the sandbox is monitored and analyzed. This method is useful when malware is packed with an unknown algorithm (a common way of evading the virus detection system) and the antivirus system cannot unpack it. Inside the virtual environment, the virus unpacks itself as if it were running on a real system, and the anti-virus engine can scan the unpacked code and data.

One of the newest advances in the antivirus toolkit is cloud scanning (scanning in the cloud). This method is based on the fact that PCs are limited in their computing power, while anti-virus vendors are able to build large systems with enormous performance. Computing power is required to perform sophisticated heuristic analysis as well as analysis using virtual machines. Vendor servers can handle much larger databases of virus samples than PCs can in real time. The only requirement for cloud scanning is a fast and stable internet connection. When the client machine needs to scan a file, the file is sent to the vendor's server over the network connection and a response is awaited. In the meantime, the client machine can perform its own scan.

Scan types and settings

From the user's point of view, there are several types of antivirus scanning, which depend on the events that triggered the scanning process:

- On-access scan - a scan that occurs when a resource is accessed, for example when a file is copied to the hard drive or when an executable file is launched (the scan in the latter case is sometimes referred to as a scan at startup). Only the resource being accessed is scanned in this case.

- On-demand scan - a scan triggered by the end user, for example when the user invokes scanning with the corresponding menu command in Windows Explorer. This scan is also called a manual scan. Only the selected folders and files are scanned with this method.

- Scheduled scan - a regularly repeated action that checks the system for malware. The user can customize the scan time and frequency. This scan is usually used for a complete scan of the system.

- Scan at boot (startup scan) - a scan initiated by the antivirus program when the OS starts up. This scan is fast and covers the startup folder, running processes, system memory, system services and the boot sector.

Most products allow users to configure each scan separately. Some of the most basic antivirus scanning parameters are summarized below:

- File extensions for scanning - scan all files or only executable ones (.exe, .dll, .vbs, .cmd and others);
- Maximum file size - files larger than this parameter are not scanned;
- Scanning files in archives - whether to scan files in archives such as .zip, .rar, .7z and others;
- Using heuristic analysis - whether to use heuristics and, optionally, how sensitive they are;
- Types of programs to report as alarms - there are many programs that can be imprecisely identified as malware. Typically vendors use terms such as Potentially Unwanted Software or a program with some risk of a threat;
- Media types to scan - whether to scan files on network storage or portable storage devices;
- Action to take when a threat is detected - try to cure the sample if possible, remove the sample, quarantine it (a special folder from which malicious code cannot be executed, but can be sent directly to the vendor for further investigation), block access, or ask the user what to do.

Many of these parameters can affect the scan speed. A set of automatic scanning rules for fast but still effective scanning is called a Smart Scan (Intelligent Scan) or Quick Scan. Otherwise, the scan is called a Full Scan or Deep Scan. There may also be a scan of portable devices, which is used to check optical discs, floppy disks, USB drives, flash cards and similar devices. A Custom Scan is also available and is fully customizable by the end user.
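
How the extension, size and archive parameters listed above decide what actually gets examined, as an added sketch that is not part of the original article or of any product. The ScanConfig fields, the marker string and the in-memory file set are constructed; the scanner reports skipped files along with detections so that the coverage given up for speed is visible.

```python
import io
import zipfile
from dataclasses import dataclass

SIGNATURE = b"CONSTRUCTED-TEST-SIGNATURE"  # constructed marker, not real malware


@dataclass
class ScanConfig:
    extensions: tuple = (".exe", ".dll", ".vbs", ".cmd")  # () means all files
    max_size: int = 1024        # bytes; larger files are not scanned
    scan_archives: bool = False


def scan(files, cfg):
    """Scan {name: bytes}; return (detections, skipped-with-reason)."""
    detections, skipped = [], []
    for name, data in files.items():
        lowered = name.lower()
        if lowered.endswith(".zip"):
            if not cfg.scan_archives:
                skipped.append((name, "archive scanning disabled"))
                continue
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                inner = {name + "!" + m: zf.read(m) for m in zf.namelist()}
            found, missed = scan(inner, cfg)   # members obey the same rules
            detections += found
            skipped += missed
        elif cfg.extensions and not lowered.endswith(cfg.extensions):
            skipped.append((name, "extension not selected"))
        elif len(data) > cfg.max_size:
            skipped.append((name, "over maximum file size"))
        elif SIGNATURE in data:
            detections.append(name)
    return detections, skipped


def make_zip(members):
    """Build a zip archive in memory from {member name: bytes}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for member, content in members.items():
            zf.writestr(member, content)
    return buf.getvalue()


# Constructed file set: every entry carries the marker.
SAMPLE_FILES = {
    "tool.exe": b"MZ" + SIGNATURE,
    "notes.txt": b"hello " + SIGNATURE,
    "big.exe": b"MZ" + b"\x00" * 2000 + SIGNATURE,
    "bundle.zip": make_zip({"inner.dll": b"MZ" + SIGNATURE}),
}

QUICK = ScanConfig()
FULL = ScanConfig(extensions=(), max_size=10**6, scan_archives=True)

if __name__ == "__main__":
    print("quick:", scan(SAMPLE_FILES, QUICK))
    print("full: ", scan(SAMPLE_FILES, FULL))
```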

Specialized scanners

Rootkit scanning (or anti-rootkit scanning) is an option offered by some anti-virus vendors in their products. Rootkits have become extremely common over the past decade. A rootkit is a special type of malware that uses cunning techniques to remain invisible to the user and to the main methods of virus detection. It uses the internal mechanisms of the OS to put itself out of reach. Fighting rootkits requires antivirus software developers to create special detection methods. Rootkit scans try to find discrepancies in the operating system that may serve as evidence of a rootkit in the system. Some implementations of rootkit checks rely on constant monitoring of the system, while other anti-rootkit tools can be run on demand.

Microsoft Office file scanning (or scanning for macro viruses) is an option that protects the user from malicious code inside office documents. The internal scanning principles are similar to the general scanning methods; they simply specialize in looking for viruses inside macros. The scan option can be provided as a plugin for Microsoft Office.

Additional related options

The antivirus engine is usually tightly coupled with the rest of the security suite. Some products provide additional functionality as part of the antivirus engine, others present it separately. Web control is an option that is a typical representative of the second group. We will discuss this option separately.

Firewall

Also called: personal firewall, firewall, advanced firewall, two-way firewall.

The main role of the firewall is to control access to the PC from the external network, i.e. incoming traffic, and, conversely, to control access from the PC to the network, i.e. outgoing traffic.

Network traffic filtering can occur at several levels. Most of the firewalls included in PC security suites have a set of rules for at least two layers: the lower Internet layer, controlled by IP rules, and the upper application layer. At the upper level, the firewall contains a set of rules that allow or deny a specific application access to the network. Terms like Network Rules, Expert Rules or IP Rule Setting are used for the lower level of rules. At the upper level, we meet the terms Application Control (Program Control) or Application Rules.

Networks

Many modern products allow the user to set the level of trust for each network connected to the computer. Even if there is only one physical connection, a PC can be connected to multiple networks, for example when a PC is connected to a local network that has gateways to the Internet. The anti-virus suite will manage local and Internet traffic separately. Each of the networks found can be either trusted or untrusted, and various system services, such as file or printer sharing, can be allowed or denied. By default, only computers from trusted networks can access the protected computer. Connections from untrusted networks are usually blocked unless the corresponding option allows access. This is why the internet connection is usually marked as untrusted. However, some products do not distinguish between networks on the same interface, and the trusted / untrusted setting can be specified separately for each interface. The term Network Zone, or simply Zone, is usually used instead of logical network.

For untrusted networks, it is possible to configure stealth mode. This mode changes the behavior of the system so that it appears as if its address is not present on the network. This measure can mislead hackers, who first look for targets to attack. The default behavior of the system is to reply to all messages, even those sent to closed ports. Stealth mode (also known as stealth ports) prevents the PC from being detected during port scans.

Intrusion Detection / Prevention

Also called: Attack detection, Intrusion detection system, IP blocking, malicious ports.

While not all of the above terms are equivalent, they refer to a set of features that can prevent or detect particular types of attacks from remote computers. These include options such as port scan detection, IP spoofing detection, and blocking access to well-known ports used by malware such as remote administration programs, Trojan horses and botnet clients. Some of these terms also cover mechanisms for protecting against ARP (Address Resolution Protocol) spoofing attacks; this option may be called ARP protection, ARP cache protection, etc. The main ability of this type of defense is to automatically block the attacking machine. This option can be directly linked to the following function.

IP Blacklist

This simple option consists of maintaining, in the anti-virus product, a database of network addresses with which the protected computer should not communicate. This database can be replenished both by the user, upon detection of viruses (see Intrusion Detection / Prevention), and automatically from the anti-virus vendor's extensive list of dangerous systems and networks.

Block All Traffic

In the event of a sudden infection of the system, some antivirus solutions offer to "press the emergency brake button", i.e. block all incoming and outgoing traffic. This option can appear as a big red button, as part of the firewall's security policy settings, or as an icon in the system menu. It is intended for use when the user learns that the PC is infected and wants to prevent unwanted use of the computer by malware: theft of personal data and the download of additional viruses from the Internet. Blocking network traffic can be combined with terminating all unknown system processes. This option should be used with care.

Program Control

Also called: app control, app inspector

Per-program filtering of network traffic allows security software to control network access separately for each application on a PC. The antivirus product contains a database of application properties, which determines whether the network is available to the application or not. These properties differ between client programs, which initiate connections from the local machine to remote servers (outbound direction), and server programs, which listen on a network port and accept connections from remote computers (inbound direction). Modern antivirus solutions allow the user to define detailed rules for each specific application.

In general, the behavior of Application Control depends on the Firewall Policy selected in the firewall and can include the following behavior modes:

- Quiet mode (automatic mode) works without user intervention. All decisions are made automatically using the anti-virus product database. If there is no explicit rule for a program that wants to gain access to the network, this access can be either always allowed (Allow All mode) or always blocked (Block All mode), or a special heuristic analysis is used to determine the further action. The decision-making algorithm can be very complex and can depend on additional conditions such as the recommendations of the online community. However, some products use the terms full allow / full block mode for modes that bypass the existing rulesets in the database and simply allow or block access for any application on the system.

- Custom mode (advanced mode) is intended for advanced users who want to control every action. In this mode, the product automatically handles only those situations for which there are explicit rules in the database. For any other action, the user is prompted to make a decision. Some antivirus solutions let you define a policy for when it is impossible to ask the user, for example when the computer is starting up or shutting down, when the program's graphical interface is unavailable, or under special conditions such as a game running in full screen when the user does not want to be distracted (sometimes called Game Mode). Usually only two options are available in these cases: full allow mode and full block mode.

- Normal mode (safe mode) allows the antivirus product to handle most situations on its own. Even when there are no explicit rules in the database, the program's action is allowed if the program is considered safe. As in automatic mode, the decision can be made based on heuristic analysis. When the security program cannot determine whether the application is safe or not, it displays an alert, as in custom mode.

- Learning mode (training mode, installation mode) is mainly used immediately after installing the anti-virus product or when the user installs new software on the computer. In this mode, the antivirus product allows all actions for which there are no entries in the ruleset database and adds new rules that will allow the corresponding actions in the future, after a change of security mode. Using the learning mode reduces the number of alerts after installing new software.

Application Control usually contains settings that can help the product resolve ambiguous cases, regardless of which operating mode is enabled. This feature is known as Automatic rule creation. A typical option in this case allows any action by digitally signed applications from trusted vendors, even if there is no corresponding entry in the database. This option can be extended with another one that allows any action by applications that have no digital signature but are known to the antivirus product. Program control is usually closely related to other features that we will cover later, in particular the behavioral control option.
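
The four operating modes and the automatic rule for signed applications, written out as a decision function. This is an added sketch, not the logic of any particular product; the class and field names, the vendor name and the paths are constructed, and storing the user's answer as a rule is an assumption. It also shows that a rule recorded in learning mode keeps applying after the mode is switched.

```python
from dataclasses import dataclass, field
from typing import Optional

TRUSTED_VENDORS = {"Example Vendor Ltd"}  # constructed list of trusted signers


@dataclass
class App:
    path: str
    signer: Optional[str] = None  # vendor from a verified digital signature
    known_safe: bool = False      # listed as safe in the product's database


@dataclass
class AppControl:
    mode: str                         # "quiet", "custom", "normal" or "learning"
    quiet_default: str = "block"      # quiet mode without a rule: allow/block
    no_prompt_default: str = "block"  # used when the user cannot be asked
    trust_signed: bool = True         # automatic rule creation for signed apps
    rules: dict = field(default_factory=dict)  # path -> "allow" / "block"

    def decide(self, app, ask=None):
        """ask prompts the user; None means no prompt can be shown."""
        if app.path in self.rules:               # an explicit rule always wins
            return self.rules[app.path]
        if self.trust_signed and app.signer in TRUSTED_VENDORS:
            return self._remember(app, "allow")
        if self.mode == "learning":              # allow and record a new rule
            return self._remember(app, "allow")
        if self.mode == "quiet":                 # never prompts
            return self.quiet_default
        if self.mode == "normal" and app.known_safe:
            return "allow"
        if ask is None:                          # custom, or normal + unknown
            return self.no_prompt_default
        return self._remember(app, ask(app))     # assumption: answers are kept

    def _remember(self, app, verdict):
        self.rules[app.path] = verdict
        return verdict


def demo():
    """Run constructed applications through each mode; return the verdicts."""
    unknown = App("C:/Temp/unknown.exe")
    signed = App("C:/Apps/editor.exe", signer="Example Vendor Ltd")
    out = {
        "custom_no_prompt": AppControl("custom").decide(unknown),
        "custom_signed": AppControl("custom").decide(signed),
        "quiet_allow_all": AppControl("quiet", quiet_default="allow").decide(unknown),
        "normal_known_safe": AppControl("normal").decide(App("C:/a.exe", known_safe=True)),
    }
    learner = AppControl("learning")
    learner.decide(unknown)           # learning mode records an allow rule
    learner.mode = "custom"           # the learned rule survives the switch
    out["after_learning"] = learner.decide(unknown)
    return out
```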
