Antivirus & Firewalls - IT magazine

Antivirus & Firewalls

Antivirus
Antivirus is a software utility used to prevent, detect and remove viruses, worms and other malware from a computer. It generally scans the hard drive and any external media attached to the computer, and it is an important defence against viruses. Good antivirus software performs the following tasks:
»      Scans your drives, looking for viruses
»      Checks every executable file as it is opened to make sure that no virus is attached to it
»      Checks your e-mail for viruses as messages are brought into your inbox
»      Removes any virus code it finds (or deletes the file if it cannot remove the virus)
E.g.: Norton Antivirus, PC-Cillin, McAfee VirusScan


Antivirus software has two main components:
  • Antivirus Engine.
  • Virus Information Data files.

Antivirus engine:  The antivirus engine, or the program itself, has the following parts:
»      The on-access component, which runs all the time and automatically checks files as they are received or opened
»      The scanning component, which checks all the files on your computer when you initiate a scan. The scanning process involves the following steps:
1.    Matching the contents of the file against the information in the virus data files. The software looks for a known signature, called a marker, which is a string of characters or bytes found in every instance of a specific virus.
2.    Looking for unusual file attributes, such as unexpected changes in the size of existing executable files.
3.    Looking for suspicious behaviour in order to identify suspicious code.
Virus Information Data files: These files hold the information about known viruses that makes it possible for the software to spot an infected file. New viruses appear all the time. Usually the cures are found and put into the virus data files, which can be downloaded from the antivirus vendor's website. Alternatively, the antivirus can be configured to check for virus data file updates on a regular basis, or you can manually check for updates every day.
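The first two scanning steps above (marker matching against a virus data file, and spotting unexpected size changes in executables) can be shown in a few dozen lines. This is an added example written for this page, not code from any antivirus product; the marker strings, file names and baseline sizes are constructed for the demonstration.

```python
import os
import tempfile
# Constructed toy "virus data file": marker name -> bytes present in every instance
# of that fictional sample (real markers are longer and vendor-specific).
SIGNATURES = {
    "Demo.Marker.A": b"DEMO-MARKER-A-0x5A",
    "Demo.Marker.B": b"DEMO-MARKER-B-0x5B",
}

def scan_file(path, signatures=SIGNATURES):
    """Step 1: return the names of every known marker found in the file."""
    with open(path, "rb") as f:
        data = f.read()
    return [name for name, marker in signatures.items() if marker in data]

def check_size_changes(paths, baseline):
    """Step 2: return (path, old_size, new_size) for files whose size no longer
    matches the baseline recorded when they were known to be clean."""
    changed = []
    for path in paths:
        size = os.path.getsize(path)
        if path in baseline and baseline[path] != size:
            changed.append((path, baseline[path], size))
    return changed

def scan_directory(directory, baseline=None):
    """Scan every file under `directory`: ({infected path: markers}, [size changes])."""
    infected, paths = {}, []
    for root, _dirs, files in os.walk(directory):
        for name in files:
            path = os.path.join(root, name)
            paths.append(path)
            hits = scan_file(path)
            if hits:
                infected[path] = hits
    return infected, check_size_changes(paths, baseline or {})

def demo():
    """Build a constructed sample tree (one clean file, one executable with a marker
    appended) and scan it; returns (results, bad_path, clean_path)."""
    d = tempfile.mkdtemp()
    clean, bad = os.path.join(d, "notes.txt"), os.path.join(d, "tool.exe")
    with open(clean, "wb") as f:
        f.write(b"quarterly report draft\n")
    with open(bad, "wb") as f:
        f.write(b"MZ\x90\x00 original program bytes DEMO-MARKER-A-0x5A")
    # Baseline as it would have been recorded before the 18-byte marker was appended.
    baseline = {bad: os.path.getsize(bad) - len(SIGNATURES["Demo.Marker.A"]),
                clean: os.path.getsize(clean)}
    return scan_directory(d, baseline), bad, clean
```

Note that a pure byte-string match is exactly what step 3 (behavioural checks) exists to complement: a sample whose marker bytes are changed or encoded is missed by step 1 but may still show up as a size change or as suspicious behaviour.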

Firewalls:
A firewall is a software program or a piece of hardware that protects a computer from users on other networks, generally the Internet. A firewall can in fact protect a computer from any other computer, but if you have a local network you usually don't want to isolate your computer from the other computers on that network.

Generally, firewalls are of two types:
»      Hardware Firewall: Hardware firewalls are available as a standalone product or as routers with a built-in firewall. The hardware firewall is placed between the modem and the network, separating the Internet and the network into two independent, unconnected networks. The only device that is seen from the Internet is the router, which has the firewall; all the computers on the network are invisible to the Internet. Popular manufacturers of hardware firewall devices include Linksys, D-Link, NetGear…
»      Software Firewall:  A software firewall is an individual program which protects the computer from outside attempts to gain access to or control of the computer. Some firewalls even provide protection against common threats like Trojans and e-mail worms. Most operating systems include a software firewall. E.g. ZoneAlarm, Windows Firewall ….
Need for a Firewall – Significance:
Whenever a computer is connected to the Internet, an Internet Protocol (IP) address is needed to communicate with other computers on the Internet. A malicious hacker can access your computer through that IP address. Hackers select an IP address and then try to connect to it. They use software that selects an IP address at random and then tries to access the computer using that address. If the attempt fails, the software picks another IP address. If the attempt succeeds, the intruders have access to the computer and its contents. The user won't know anything, because everything happens in the background. Here are some of the common actions performed by intruders:
»      Sending executable files that contain viruses to your computer
»      Renaming or deleting the files that run at start-up or that are needed to run software
»      Copying documents in order to find personal and sensitive information
»      Sending enormous files or a massive number of small files

Working of Firewalls:
A firewall blocks communication in both directions, i.e., to and from the Internet. The software used to access the Internet, such as the browser and e-mail client, must have permission to do its job. Any computer that tries to access your computer is either stopped permanently or stopped temporarily until the user gives it permission to access the computer.
In general, computers send and receive data via ports. Ports can be of two types:
»      Physical ports, e.g. parallel port, serial port, USB port...
»      Virtual ports
Both kinds of port are used to send or receive data. A virtual port is a software service rather than a physical one, and a computer can use thousands of virtual ports for communication. They are generally numbered from 0 to 65536 (e.g. HTTP uses port 80). Every port is used for a specific service. Internet hackers use these ports to move data between their computers and the user's computer. They use certain ports by pretending to send data of the type supported by that port.
A firewall uses a process called “Stateful Inspection”, which examines whether the type of data is appropriate for the port that is being used, and also checks the data that is passing through the port. Stateful Inspection can catch data that identifies itself as appropriate for the port by recognizing that the actual data stream contains a false data type, since the data does not match the type it pretends to be.
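The check described in the paragraph above, reduced to its two parts (was this connection actually opened first, and does the payload look like the service that port is for), as an added example written for this page rather than code from any firewall product. The format tests cover only HTTP on port 80 and TLS on port 443, the packet sequence is constructed, and the addresses are documentation-range placeholders.

```python
import re

def looks_like_http(data):
    """HTTP request line: METHOD SP target SP HTTP/1.x CRLF."""
    return re.match(rb"^(GET|POST|HEAD|PUT|DELETE|OPTIONS) \S+ HTTP/1\.[01]\r\n", data) is not None

def looks_like_tls(data):
    """TLS record header: content type 0x16 (handshake), version 3.x, 2-byte length."""
    return len(data) >= 5 and data[0] == 0x16 and data[1] == 0x03 and data[2] <= 0x04

# Port -> check that the payload really is the kind of data that port is used for.
EXPECTED_FORMAT = {80: looks_like_http, 443: looks_like_tls}

class Inspector:
    """Simplified stateful inspection: remember which connections were opened, and
    accept data only on an opened connection whose payload matches the port's format."""
    def __init__(self):
        self.open = set()   # (source_ip, dst_port) pairs for which a SYN was seen

    def packet(self, src, dst_port, flags="", payload=b""):
        key = (src, dst_port)
        if dst_port not in EXPECTED_FORMAT:
            return f"block: no permitted service on port {dst_port}"
        if "S" in flags and not payload:
            self.open.add(key)
            return "allow"   # connection setup; no data to inspect yet
        if key not in self.open:
            return "block: data without an established connection"
        if not EXPECTED_FORMAT[dst_port](payload):
            return f"block: payload does not match the service expected on port {dst_port}"
        return "allow"

def demo():
    """Constructed packet sequence: a legitimate web request, then data sent without
    opening a connection, then a TLS record pretending to be web traffic on port 80."""
    insp = Inspector()
    http = b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n"
    tls = b"\x16\x03\x01\x00\x05"
    return [
        insp.packet("198.51.100.9", 80, flags="S"),
        insp.packet("198.51.100.9", 80, payload=http),
        insp.packet("198.51.100.9", 443, payload=tls),   # no SYN seen for port 443
        insp.packet("198.51.100.9", 80, payload=tls),    # wrong data type for port 80
    ]
```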

Configuring a Firewall:  By default, the firewall is enabled and permits exceptions. These are the normal settings for a computer running in a network environment, because the exceptions permit the exchange of data between this computer and the other computers on the network. The firewall allows us to create exceptions for programs and ports which need to be opened for common communications. Most of the time the firewall knows which port to open when you add an exception for a program; otherwise the port has to be defined manually. An exception can be edited, which involves changing the scope of a port (or ports). Generally the following scopes are available:
»      Any computer (including those on the Internet): This is enabled by default and means that data is allowed into the computer through this port from any computer anywhere. This is dangerous and must be disabled. The only reason to choose this level of traffic is to maintain a Web site, and any computer with a firewall opened this wide should be configured with every other available security measure.
»      My network (subnet) only: If the computer is part of a network, this is the appropriate setting; it means that traffic is allowed only from IP addresses that match the local network segment (subnet). E.g. if the network connection has an IP address of 192.168.0.03 and a subnet mask of 255.255.0.0, excepted traffic is allowed only from IP addresses in the range 192.168.0.1 to 192.168.255.254. In order to share an Internet connection, the IP addresses assigned to computers on the network must fall within the range defined.
»      Custom list: This option is used to specify allowed traffic from one or more IP addresses or address ranges. For example, if the computers on your network have fixed IP addresses, you can determine which computers can or cannot send data to this computer. Don't use this option if your network computers obtain IP addresses automatically, since the addresses change dynamically.
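The three scopes above, worked through on the article's subnet example (host 192.168.0.3 with mask 255.255.0.0), as an added example that is not part of the original page or of any firewall product. The scope labels "any", "subnet" and "custom", the exception table and the connection attempts are constructed for the demonstration.

```python
import ipaddress

def usable_range(local_ip, netmask):
    """First and last host address of the local subnet, as the firewall computes it."""
    net = ipaddress.ip_network(f"{local_ip}/{netmask}", strict=False)
    return str(net.network_address + 1), str(net.broadcast_address - 1)

def scope_allows(scope, source_ip, local_ip=None, netmask=None, custom=()):
    """Decide whether traffic from `source_ip` is allowed by an exception's scope.
    scope is "any", "subnet" or "custom" (labels chosen here for the three options)."""
    src = ipaddress.ip_address(source_ip)
    if scope == "any":
        return True   # the default: any computer anywhere may reach this port
    if scope == "subnet":
        return src in ipaddress.ip_network(f"{local_ip}/{netmask}", strict=False)
    if scope == "custom":
        # entries may be single addresses ("192.168.0.10") or ranges ("10.0.0.0/24")
        return any(src in ipaddress.ip_network(e, strict=False) for e in custom)
    raise ValueError(f"unknown scope {scope!r}")

def evaluate(exceptions, attempts, local_ip, netmask):
    """exceptions: {port: (scope, custom_entries)}; attempts: [(source_ip, port)].
    A port with no exception stays closed; otherwise the exception's scope decides."""
    decisions = []
    for src, port in attempts:
        if port not in exceptions:
            decisions.append((src, port, "block"))
            continue
        scope, custom = exceptions[port]
        ok = scope_allows(scope, src, local_ip, netmask, custom)
        decisions.append((src, port, "allow" if ok else "block"))
    return decisions

# Constructed configuration: the article's host (192.168.0.3 / 255.255.0.0) with
# one exception per scope, plus constructed connection attempts to evaluate.
LOCAL_IP, NETMASK = "192.168.0.3", "255.255.0.0"
EXCEPTIONS = {
    80:   ("any", ()),                    # web server: reachable from anywhere
    445:  ("subnet", ()),                 # file sharing: local subnet only
    3389: ("custom", ("192.168.0.10",)),  # remote desktop: one admin workstation
}
ATTEMPTS = [("203.0.113.7", 80), ("203.0.113.7", 445), ("192.168.20.5", 445),
            ("192.168.0.10", 3389), ("192.168.0.11", 3389), ("192.168.0.10", 22)]

if __name__ == "__main__":
    print(usable_range(LOCAL_IP, NETMASK))
    for decision in evaluate(EXCEPTIONS, ATTEMPTS, LOCAL_IP, NETMASK):
        print(decision)
```

Running it reproduces the range 192.168.0.1 to 192.168.255.254 quoted in the text, and shows why the "any computer" scope on port 80 is the only entry that an Internet address can reach.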
