Chapter 15: Protecting Your Computer with Windows Defender and Windows Firewall
the infected host computer, but they always replicate themselves to other computers. They act in much the same way as a virus acts in the human body, which is how they got their name. The good news is that, since the Internet became popular, many viruses have been permanently eradicated, because the code needed to remove them can be distributed to infected computers.
Introducing Antivirus Programs
The intent of an antivirus program is to identify, inoculate, disinfect, or clean a virus or other malware program from a computer. Antivirus programs usually work in one of two ways. Most scan the computer in its entirety, looking for known viruses based on a database of known virus listings, and then delete, inoculate, remove, or quarantine any infected file. Other antivirus programs watch file behavior on the computer; if the program detects unusual behavior, it usually captures the file, scans it, and then either asks the user how to handle the issue or quarantines the file for further inspection and possible deletion.
Most current commercial antivirus programs use both methods to detect and eradicate viruses. Combining them helps eliminate the threat of infection, because it covers both known viruses and the ways in which viruses most consistently try to infiltrate computers.
The most common element of virus removal is repair of the infected file itself: the antivirus program tries to remove the offending code from the file. If the removal does not work, the program usually quarantines the file and prompts you for further instructions on how to handle it. When you log on to the computer after the quarantine process, you must decide whether to try to repair the file again or delete it.
Before deleting a file, always try to repair it with more than one antivirus program if the file is of a sensitive nature or is used by the operating system. If a file you want to keep is infected, run it through multiple antivirus engines before giving up on repair. The same holds for operating system files: an infected operating system file may render the computer incapable of operating correctly, sometimes to the point where it will not boot into the operating system. Infections of this type require a boot disk with an antivirus program to remove the virus from the computer. McAfee Stinger is one example of this type of antivirus program.
Antivirus programs detect viruses via dictionary scans, behavior analysis, and other methods. Each detection technique follows its own logic to find, repair, remove, or delete an infected file. Most antivirus engines employ at least two of these types of analysis to identify viruses; the third category is usually used only when specific types of viruses are encountered. Understanding each approach helps us identify the methods virus writers use to launch their code, so that we can begin eradicating viruses from our environment.
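As an added illustration of the dictionary scan and the repair-then-quarantine flow described above (example code written for this page, not from the book or any antivirus product), the toy scanner below matches files against a signature table, cuts an appended infection off the host file, re-scans to confirm the repair, and quarantines files it cannot repair. The signature names, byte markers and the `demo()` sample files are all constructed for the example and are not real malware patterns.

```python
import hashlib
import shutil
import tempfile
from pathlib import Path

# Constructed signature database for this demo (not real malware patterns):
# name -> (byte pattern, True if the host file survives and its tail can be cut off)
SIGNATURES = {
    "Demo.Appender": (b"DEMO-APPENDED-CODE", True),
    "Demo.Overwriter": (b"DEMO-OVERWRITE-CODE", False),
}

def scan(path: Path):
    """Dictionary scan: name of the first matching signature, or None if clean."""
    data = path.read_bytes()
    return next((n for n, (pat, _) in SIGNATURES.items() if pat in data), None)

def try_repair(path: Path, name: str) -> bool:
    """Cut appended code off at the marker; give up if the host was overwritten."""
    pattern, repairable = SIGNATURES[name]
    if not repairable:
        return False
    data = path.read_bytes()
    path.write_bytes(data[: data.index(pattern)])
    return scan(path) is None  # a re-scan confirms the repair actually worked

def quarantine(path: Path, qdir: Path, name: str) -> None:
    """Move the file under its hash into the quarantine dir and log its origin."""
    qdir.mkdir(parents=True, exist_ok=True)
    digest = hashlib.sha256(path.read_bytes()).hexdigest()
    (qdir / f"{digest}.meta").write_text(f"{name}\n{path.resolve()}\n")
    shutil.move(str(path), str(qdir / f"{digest}.quarantined"))

def handle(path: Path, qdir: Path) -> str:
    """Scan -> repair -> quarantine; returns 'clean', 'repaired' or 'quarantined'."""
    name = scan(path)
    if name is None:
        return "clean"
    if try_repair(path, name):
        return "repaired"
    quarantine(path, qdir, name)
    return "quarantined"

def demo() -> dict:
    """Run the flow over constructed sample files in a fresh temp dir."""
    root = Path(tempfile.mkdtemp())
    samples = {"app.bin": b"HOST-PROGRAM" + b"DEMO-APPENDED-CODE",
               "doc.bin": b"DEMO-OVERWRITE-CODE", "ok.bin": b"harmless"}
    for fname, content in samples.items():
        (root / fname).write_bytes(content)
    return {f: handle(root / f, root / "quarantine") for f in samples}
```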
