How to Prevent Your PC from Catching Cold

During my time in the computer industry I have had a number of jobs, one of which was to be the company Computer Virus Expert. [Strictly speaking it should have been the Anti-Virus Expert, but that's job titles for you. :-)]. At the time computer viruses were a new concept and very few people understood them. These days everyone knows about viruses but it appears that most people still do not understand them.

To give you an example, the other day I received an e-mail warning me about a new virus which was so dangerous it would, at the very least, wipe out my hard disk and probably do a lot worse. As usual with this type of warning, all I had to do was open an e-mail and that would be it - no more PC.

The message had been forwarded on to me by someone who was worried about it and wanted me to tell him how to stop it attacking his system.

There were a number of pointers in the original message which made it obvious it was a hoax message. Now, I get a fair number of such messages and my standard response in such a situation is to send email back pointing out that it is a hoax and not to worry about it. What made this particular email different was the person who sent it. He was a support analyst and one of his specific jobs was to deal with computer viruses.

It turned out that all this analyst had been trained to do was use a specific anti-virus package to clean up any infection found. He actually knew very little about how viruses work, or even how to protect computers from them. Now, I don't know about you, but that worried me. After all, if computer support professionals don't understand computer viruses, how can the ordinary user hope to? And, more importantly, how can the ordinary user protect his/her computer from viruses?

OK, I know you can get an anti-virus program and install it on your PC. But how can you tell if it's any good? After all, if you get no warning messages, is it because you have not had a virus, or is it because you have but your anti-virus package did not detect it?

Now you could rely on informed articles in the computer magazines, advice from friends, the bloke in the shop you bought your computer from, or even online articles like this one. The trouble is, how do you know that the person you are getting the advice from knows what she is talking about?

This is, of course, a problem with getting advice about anything.

The only real solution I can think of is to know a bit about the subject you want advice on. You do not need a lot of knowledge, which is just as well since then you would not need advice, but would be giving it instead. Hopefully in this article I will give you just enough knowledge that you will be able to know if the advice you are getting is good or bad.

OK, the first thing is: what actually is a Computer Virus?

This is one of those simple questions with a very complicated answer. It's a bit like asking "What is a car?" At first glance the answer is obvious, but how do you describe a car without also describing a van, or a lorry, or a quad bike, or even a tractor? The problem with a computer virus is exactly the same. You can have a very simple definition, but if you do it might well describe other things too. Fortunately, for our purposes we can get away with the following simple definition:-

A computer virus is a program that replicates without the user's knowledge.

Now this is a very simple definition which basically classes all programs that copy themselves without telling you as viruses. This is not strictly true, since it could include installation and setup programs, but it will do for us.

The other thing to note is that I have not said anything about damage. With my definition a virus does not have to do any 'harm' to your machine, such as deleting data, to be classed as a virus. Personally I think a virus by its very presence is doing harm to my system. However, there have been many discussions about whether a virus can be 'good' or not, and I do not want to get into that area in this article.

One of the problems with the simple definition above is that it does not describe the various types of virus. The most obvious type and, these days, the most common, is the so-called e-mail virus. However, that is a relatively new type of virus and there are many other types, such as:-

E-mail Viruses: Viruses that use e-mail to spread. It should be noted that most e-mail viruses are actually one of the other types which has been attached to an e-mail.
Boot Sector Viruses: At one time this was the most common type of virus. It makes use of the fact that all disks, including floppy diskettes, can be used to start a computer.
File Viruses: A File Virus is one which attaches itself to another program so that when you run the program the virus runs first.
Companion Viruses: This type of virus renames a program, then calls itself by the program's name. Thus when you run the program you are running the virus.
Trojan Horses: A virus which pretends to be a program.
Stealth Viruses: A virus that attempts to hide from anti-virus programs.
Polymorphic Viruses: A virus which changes each time it copies itself. This is an attempt to hide from virus scanners.
Macro Viruses: Viruses written in an application's macro language, for example Word viruses.
Worms: Technically worms are not viruses; they are programs that copy themselves without the need for a 'host' program. They are only viable in a network environment, such as the internet.
HTML Viruses: As far as I know there are no actual HTML viruses. It is, however, theoretically possible to use HTML and associated bits and pieces to write a virus.
Hoaxes: Hoaxes are technically not viruses, but the actual hoax message can cause as many problems as a virus.

So how do you detect a virus?

Well, there are four main ways:-

Scanners,
Heuristics,
Behaviour Blockers, and
Integrity Checkers.

Scanners

A computer program is simply a series of instructions to the computer to do something. If we know which instructions a specific program uses we can examine all programs to see if that set of instructions exists. If it does then we know we have found the program. Since a virus is a program we can use this method to find the virus.

This is a very effective method of identifying viruses, and these days is by far the most common method of virus detection. However, it does have one major problem: you can't find a virus unless you know what instructions it uses. In other words it is wonderful for detecting known viruses but not much use for new ones.

The current solution is to update the scanner at frequent intervals, often daily and sometimes hourly.

Scanners come in two flavours:-

On Access scanners, which check files when you use them.
On Demand scanners, which check files only when you ask them to.
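As an added example (not code from the original article), here is a minimal on-demand scanner in Python that does exactly what the text describes: it searches every file for byte sequences it already knows. The signature database and the 'infected' files it scans are constructed for the demo and are not real virus signatures.

```python
from __future__ import annotations
import tempfile
from pathlib import Path

# Constructed signature database (name -> byte sequence). These are made-up byte
# strings for illustration only, not the signature of any real virus.
SIGNATURES: dict[str, bytes] = {
    "Demo.Virus.A": b"\x90\x90\xeb\x05\xe8\x00\x00\x00\x00\x58",
    "Demo.Virus.B": b"INFECTED-BY-DEMO-B",
}
# Bytes carried over between chunks so a signature split across a chunk boundary is still seen.
OVERLAP = max(len(s) for s in SIGNATURES.values()) - 1

def scan_bytes(data: bytes) -> list[str]:
    """Names of every signature that occurs anywhere in data."""
    return sorted(name for name, sig in SIGNATURES.items() if sig in data)

def scan_file(path: Path, chunk_size: int = 1 << 20) -> list[str]:
    """On-demand scan of one file, read in chunks so large files fit in memory."""
    hits: set[str] = set()
    tail = b""
    with open(path, "rb") as f:
        while chunk := f.read(chunk_size):
            hits.update(scan_bytes(tail + chunk))
            tail = (tail + chunk)[-OVERLAP:]
    return sorted(hits)

def scan_tree(root: Path, chunk_size: int = 1 << 20) -> dict[str, list[str]]:
    """Scan every regular file under root; return {relative path: [matches]} for files
    with at least one hit. An on-access scanner would instead call scan_file on each
    file at the moment it is opened, rather than walking the tree on request."""
    report: dict[str, list[str]] = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            hits = scan_file(p, chunk_size)
            if hits:
                report[str(p.relative_to(root))] = hits
    return report

def demo(chunk_size: int = 1 << 20) -> dict[str, list[str]]:
    """Build a constructed directory with one clean and two 'infected' files and scan it."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "clean.exe").write_bytes(b"MZ" + b"\x00" * 100)
        (root / "game.exe").write_bytes(b"MZ" + b"\x00" * 50 + SIGNATURES["Demo.Virus.A"] + b"\x00" * 10)
        (root / "notes.txt").write_bytes(b"hello " + SIGNATURES["Demo.Virus.B"])
        return scan_tree(root, chunk_size)
```

Note that the scanner reports only what is in its database: a file carrying a virus whose bytes are not in SIGNATURES is reported as clean, which is the limitation the text describes.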

Heuristics

It is fairly intuitive to assume that a virus will do something that a legitimate program will not do, for example attach itself to another program. It follows from this that all virus programs will contain instructions for doing virus-like activity which 'proper' programs will not. Thus if you scan for such instructions you will find viruses, even ones you have not seen previously.

In practice it is not quite as simple as it appears. Take the example above of appending to another program. You might think that this is only done by viruses, but in fact many programs do it. For example, when you apply a patch it will often modify an existing program. If you use a download manager to download files a bit at a time, it will append to the download file each time it is run, until the whole file has been downloaded.

Heuristics, while being a nice idea, are very difficult to implement without a lot of false alarms. That having been said most scanners these days do have some form of heuristic capability.

Behaviour Blockers

Behaviour Blockers are similar to heuristics in that they look for virus-like behaviour. The difference is that rather than scanning programs for the instructions, they prevent the computer from actually carrying out the instruction.

Again this can work very well. But it can also interfere with the normal working of the machine. As far as I know no-one has yet produced a behaviour blocker that is actually usable.

Integrity Checkers

One thing that all viruses do is change something. Given that why not check your system each day and see if anything has changed? If it has you might have a virus.

In the early days of viruses this was an excellent approach. When you started up your machine in the morning you ran a small program which checked to see if any program had changed. If one or more had, it shouted and you could investigate further. It worked because programs rarely changed, and viruses only infected programs.

Then macro viruses came along and the whole idea became useless. Macro viruses infect data, and data changes constantly.
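As an added example (not from the original article), a small integrity checker in Python in the spirit described above: it records a baseline of hashes for program files and later reports anything modified, missing or new. It deliberately ignores data files, which is exactly the blind spot that macro viruses exploited. The file names and the simulated day's changes are constructed.

```python
from __future__ import annotations
import hashlib
import tempfile
from pathlib import Path

# Only "program" files are baselined. Data files (documents, spreadsheets) change
# constantly, so they are excluded, and a macro virus living in them goes unnoticed.
PROGRAM_SUFFIXES = {".exe", ".com", ".dll", ".sys"}

def file_digest(path: Path) -> str:
    """SHA-256 of a file's contents, read in chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()

def build_baseline(root: Path) -> dict[str, str]:
    """Record the digest of every program file under root (run once on a known-clean system)."""
    return {str(p.relative_to(root)): file_digest(p)
            for p in sorted(root.rglob("*"))
            if p.is_file() and p.suffix.lower() in PROGRAM_SUFFIXES}

def check_integrity(root: Path, baseline: dict[str, str]) -> dict[str, list[str]]:
    """Compare the current state of root with the baseline and report what changed."""
    current = build_baseline(root)
    return {
        "modified": sorted(k for k in baseline if k in current and current[k] != baseline[k]),
        "missing": sorted(k for k in baseline if k not in current),
        "new": sorted(k for k in current if k not in baseline),
    }

def demo() -> dict[str, list[str]]:
    """Constructed scenario: baseline a clean directory, then simulate a day's activity."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "word.exe").write_bytes(b"MZ" + b"\x00" * 64)
        (root / "game.exe").write_bytes(b"MZ" + b"\x01" * 64)
        (root / "letter.doc").write_bytes(b"Dear Sir")
        baseline = build_baseline(root)
        # A file virus appends itself to game.exe, a document is edited (normal use,
        # and also where a macro virus would hide), and a new program appears.
        with open(root / "game.exe", "ab") as f:
            f.write(b"DEMO-VIRUS-BODY")
        (root / "letter.doc").write_bytes(b"Dear Madam")
        (root / "dropper.com").write_bytes(b"\xeb\xfe")
        return check_integrity(root, baseline)
```

The report flags game.exe and dropper.com but says nothing about letter.doc: the change to the document is invisible to a checker that only watches programs.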

Prevention is Better than Cure

To be honest, it is not possible to totally prevent a virus from attacking your system, just like you cannot prevent yourself from catching a cold. You can, however, take steps to minimise the risk and ensure that the worst that can happen is a loss of your time.

The first thing to do is get, install, and keep up to date a good virus scanner. To find one, try looking in the computer magazines for reviews. On the web try the Virus Bulletin web site and the University of Hamburg site; both places review anti-virus products on a fairly regular basis. In general any of the top names will do the job, but if you must have a recommendation, I personally use Sophos anti-virus, though it is a bit expensive.

The second thing to do is set up your e-mail reader so that it will not read HTML messages. Yes, I know that HTML messages look nice, but most of the time a simple text message will not only give you the same information but also download quicker. And with some e-mail readers, just looking at an HTML message could infect your machine.

The next thing to do is NEVER, and I mean never, run an e-mail attachment. The majority of viruses these days spread via e-mail, but in general you will have to choose to run the virus for it to infect you.

If you get e-mail with an attachment from someone you do not know it is probably a virus.

If you get e-mail with an attachment from someone you know, and you are not expecting it, it is probably a virus.

In fact, if you get e-mail with an attachment from someone you know, and you are expecting it, it still might contain a virus.

If you simply must have an attachment sent to you insist that it is 'zipped' up and sent. That way you can be fairly sure you are getting what you expect.

Finally keep good backups. That way if a virus does get in and trash your system you can rebuild your system.