
INDEX

Introduction ............ 2
History ............ 2
  1949-1980 (pre-antivirus days) ............ 2
  1980-1990 period (early days) ............ 3
  1990-2000 period (boom of the antivirus industry) ............ 5
  2000-2005 period ............ 6
  2005 to present ............ 6
The Components In The System Unit ............ 7
The Four Steps To Process Data ............ 7
Bit and data representation ............ 8
The Various Types Of Memory ............ 9
Types Of Expansion Slots And Cards In The System Unit ............ 9
Difference among Serial, Parallel, and USB Port ............ 10
Buses Contribution ............ 10


ANTIVIRUS

INTRODUCTION

Antivirus or anti-virus software (often abbreviated as AV), sometimes known as anti-malware software, is computer software used to prevent, detect and remove malicious software.

Antivirus software was originally developed to detect and remove computer viruses, hence the name. However, with the proliferation of other kinds of malware, antivirus software started to provide protection from other computer threats as well. In particular, modern antivirus software can protect from malicious Browser Helper Objects (BHOs), browser hijackers, ransomware, keyloggers, backdoors, rootkits, Trojan horses, worms, malicious LSPs, dialers, fraud tools, adware and spyware. Some products also include protection from other computer threats, such as infected and malicious URLs, spam, scam and phishing attacks, online identity (privacy), online banking attacks, social engineering techniques, Advanced Persistent Threats (APT), botnets and DDoS attacks.

HISTORY

1949-1980 PERIOD (PRE-ANTIVIRUS DAYS)

Although the first idea of a computer virus can be dated to 1949, when the Hungarian scientist John von Neumann published the "Theory of self-reproducing automata", the first known computer virus appeared in 1971 and was dubbed the "Creeper virus". This computer virus infected Digital Equipment Corporation's (DEC) PDP-10 mainframe computers running the TENEX operating system.

The Creeper virus was eventually deleted by a program created by Ray Tomlinson and known as "The Reaper". Some people consider "The Reaper" the first antivirus software ever written. That may be the case, but it is important to note that the Reaper was actually a virus itself, specifically designed to remove the Creeper virus.

The Creeper virus was followed by several other viruses. The first known computer virus that appeared "in the wild" was "Elk Cloner", in 1981, which infected Apple II computers.


In 1983, the term "computer virus" was coined by Fred Cohen in one of the first ever published academic papers on computer viruses. Cohen used the term "computer virus" to describe a program that can "affect other computer programs by modifying them in such a way as to include a (possibly evolved) copy of itself." Note that a more recent, and more precise, definition of computer virus has been given by the Hungarian security researcher Péter Szőr: "a code that recursively replicates a possibly evolved copy of itself".

The first IBM PC-compatible "in the wild" computer virus, and one of the first real widespread infections, was "Brain" in 1986. From then, the number of viruses has grown exponentially. Most of the computer viruses written in the early and mid-1980s were limited to self-reproduction and had no specific damage routine built into the code. That changed when more and more programmers became acquainted with computer virus programming and created viruses that manipulated or even destroyed data on infected computers.

Before internet connectivity was widespread, computer viruses were typically spread by infected floppy disks. Antivirus software came into use, but was updated relatively infrequently. During this time, virus checkers essentially had to check executable files and the boot sectors of floppy disks and hard disks. However, as internet usage became common, viruses began to spread online.

1980-1990 PERIOD (EARLY DAYS)

There are competing claims for the innovator of the first antivirus product. Possibly, the first publicly documented removal of an "in the wild" computer virus (i.e. the "Vienna virus") was performed by Bernd Fix in 1987.

• In 1987, Andreas Lüning and Kai Figge founded G Data Software and released their first antivirus product for the Atari ST platform. Later in the same year, the Ultimate Virus Killer (UVK) 2000 antivirus was also released.
• In 1987, in the USA, John McAfee founded the McAfee company (now part of Intel Security) and, at the end of that year, he released the first version of VirusScan. In the meantime, in Slovakia, Peter Paško and Miroslav Trnka created the first version of the NOD32 antivirus (although they established ESET only in 1992).
• In 1987, Fred Cohen wrote that there is no algorithm that can perfectly detect all possible computer viruses.

The first antivirus signatures were simply hashes of the entire files or sequences of bytes that represented the particular malware.


Finally, at the end of 1987, the first two heuristic antivirus utilities were released: FluShot Plus by Ross Greenberg and Anti4us by Erwin Lanting. However, the kind of heuristic they used was totally different from the one used today by many antivirus products. The first antivirus product with a heuristic engine resembling those used nowadays was F-PROT in 1991. The early heuristic engines were based on dividing the binary into its different sections: the data section and the code section (which, in a legitimate binary, usually starts from the same location). The initial viruses re-organized the layout of the sections, or overwrote the initial portion of a section, in order to jump to the very end of the file where the malicious code was located and then, later on, return to resume the execution of the original code. This was a very specific pattern, not used at the time by any legitimate software, that initially made a very good heuristic for telling whether something was suspicious or not. Over time, other kinds of more advanced heuristics have been added, such as suspicious section names, incorrect header size, wildcards and regular expressions, and partial pattern in-memory matching.
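The two early signature styles (whole-file hash and byte sequence with wildcards) and the section-layout heuristics described above, as an added Python example that is not code from the page or from any antivirus vendor: it parses a PE section table with struct, flags an entry point that lands in the last section or in a non-code section, checks section names and optional-header size, and matches a wildcard byte pattern. The PE images, the pattern and the hash database are constructed for the demo and are not real malware indicators.

```python
import hashlib
import re
import struct

# PE section header: Name, VSize, VAddr, RawSize, RawPtr, RelocPtr, LinePtr, NReloc, NLine, Chars
SECTION_HDR = struct.Struct("<8sIIIIIIHHI")

def compile_pattern(hex_pattern):
    """'DE AD .. BE EF' -> regex over raw bytes; '..' is a one-byte wildcard."""
    toks = [b"." if t == ".." else re.escape(bytes([int(t, 16)])) for t in hex_pattern.split()]
    return re.compile(b"".join(toks), re.DOTALL)

def file_hash(data):
    """Whole-file SHA-256, the earliest form of signature."""
    return hashlib.sha256(data).hexdigest()

def scan_signatures(data, hash_db, pattern_db):
    """Early-style detection: whole-file hash match, then byte-sequence match."""
    digest = file_hash(data)
    hits = [hash_db[digest]] if digest in hash_db else []
    hits += [name for name, pat in pattern_db.items() if compile_pattern(pat).search(data)]
    return hits

def parse_pe(data):
    """Return (entry_rva, optional_header_size, [(name, vaddr, vsize), ...])."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    pe_off, = struct.unpack_from("<I", data, 0x3C)          # e_lfanew
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = pe_off + 4
    n_sections, = struct.unpack_from("<H", data, coff + 2)
    opt_size, = struct.unpack_from("<H", data, coff + 16)
    opt = coff + 20
    entry, = struct.unpack_from("<I", data, opt + 16)       # AddressOfEntryPoint
    sections = []
    for i in range(n_sections):
        name, vsize, vaddr, *_ = SECTION_HDR.unpack_from(data, opt + opt_size + 40 * i)
        sections.append((name.rstrip(b"\0").decode("latin-1"), vaddr, vsize))
    return entry, opt_size, sections

def heuristic_flags(data):
    """Layout heuristics in the spirit of the early engines described above."""
    entry, opt_size, sections = parse_pe(data)
    flags = []
    if opt_size not in (0xE0, 0xF0):                        # PE32 / PE32+ sizes
        flags.append("incorrect header size")
    for idx, (name, vaddr, vsize) in enumerate(sections):
        if vaddr <= entry < vaddr + vsize:
            if idx == len(sections) - 1 and len(sections) > 1:
                flags.append("entry point in last section")  # code appended at file end
            if not name.startswith((".text", "CODE")):
                flags.append(f"entry point outside code section ({name})")
            break
    else:
        flags.append("entry point outside any section")
    flags += [f"suspicious section name {n!r}" for n, _, _ in sections
              if not re.fullmatch(r"\.?[A-Za-z0-9_$]+", n)]
    return flags

def build_sample_pe(entry_rva, section_names, tail=b""):
    """Constructed header-only PE32 image for the demo; it is not a runnable program."""
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)
    coff = struct.pack("<HHIIIHH", 0x14C, len(section_names), 0, 0, 0, 0xE0, 0x102)
    opt = struct.pack("<HBBIIII", 0x10B, 0, 0, 0, 0, 0, entry_rva).ljust(0xE0, b"\0")
    secs = b"".join(SECTION_HDR.pack(n.encode("latin-1").ljust(8, b"\0"), 0x1000,
                                     0x1000 * (i + 1), 0x200, 0x400 + 0x200 * i, 0, 0, 0, 0, 0x60000020)
                    for i, n in enumerate(section_names))
    return dos + b"PE\0\0" + coff + opt + secs + tail
```

A clean image with its entry point in .text raises no flag, while an image whose entry point lands in the final section reproduces the "jump to the end of the file" pattern the early engines looked for.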

In 1988, the growth of antivirus companies continued. In Germany, Tjark Auerbach founded Avira (H+BEDV at the time) and released the first version of AntiVir (named "Luke Filewalker" at the time). In Bulgaria, Dr. Vesselin Bontchev released his first freeware antivirus program (he later joined FRISK Software). Frans Veldman also released the first version of ThunderByte Antivirus, also known as TBAV (he sold his company to Norman Safeground in 1998). In the Czech Republic, Pavel Baudiš and Eduard Kučera started avast! (at the time ALWIL Software) and released their first version of the avast! antivirus. In June 1988, in South Korea, Dr. Ahn Cheol-Soo released his first antivirus software, called V1 (he founded AhnLab later, in 1995). Finally, in the autumn of 1988, Alan Solomon founded S&S International and created his Dr. Solomon's Anti-Virus Toolkit (although he launched it commercially only in 1991; in 1998 Dr. Solomon's company was acquired by McAfee). At the end of the year, in the USA, Ross M. Greenberg released his second antivirus program, called VirexPC.

Also in 1988, a mailing list named VIRUS-L was started on the BITNET/EARN network, where new viruses and the possibilities of detecting and eliminating viruses were discussed. Some members of this mailing list were: Alan Solomon (S&S International), Friðrik Skúlason (FRISK Software), John McAfee (McAfee), Luis Corrons, Mikko Hyppönen (F-Secure), Péter Szőr, Tjark Auerbach (Avira) and Dr. Vesselin Bontchev (FRISK Software).

In 1989, in Iceland, Friðrik Skúlason created the first version of F-PROT Anti-Virus (he founded FRISK Software only in 1993). In the meantime, in the USA, Symantec (founded by Gary Hendrix in 1982) launched its first Symantec antivirus for Macintosh (SAM). SAM 2.0, released in March 1990, incorporated technology allowing users to easily update SAM to intercept and eliminate new viruses, including many that didn't exist at the time of the program's release.


At the end of the 1980s, in the United Kingdom, Jan Hruska and Peter Lammer founded their security firm and began producing their first antivirus and encryption products. In the same period, in Hungary, VirusBuster was also founded (it has since been incorporated into Sophos).

1990-2000 PERIOD (BOOM OF THE ANTIVIRUS INDUSTRY)

In 1990, in Spain, Mikel Urizarbarrena founded Panda Security (Panda Software at the time). In Hungary, the security researcher Péter Szőr released the first version of the Pasteur antivirus. In Italy, Gianfranco Tonello created the first version of the VirIT eXplorer antivirus (he founded TG Soft one year later). Finally, at the end of the year, the first version of the antivirus software named PC-Cillin was released.

In 1990, the Computer Antivirus Research Organization (CARO) was founded. In 1991, CARO released the "Virus Naming Scheme", originally written by Friðrik Skúlason and Vesselin Bontchev. Although this naming scheme is now outdated, it remains the only existing standard that most companies and researchers ever attempted to adopt. CARO members include: Alan Solomon, Costin Raiu, Dmitry Gryaznov, Eugene Kaspersky, Friðrik Skúlason, Igor Muttik, Mikko Hyppönen, Morton Swimmer, Nick FitzGerald, Padgett Peterson, Peter Ferrie, Righard Zwienenberg and Dr. Vesselin Bontchev.

In 1991, in the USA, Symantec released the first version of Norton Anti-Virus. In the same year, in Czechoslovakia, Jan Gritzbach and Tomáš Hofer founded AVG Technologies (Grisoft at the time), although they released the first version of their Anti-Virus Guard (AVG) only in 1992. Meanwhile, in Finland, F-Secure (founded in 1988 by Petri Allas and Risto Siilasmaa under the name Data Fellows) released the first version of their antivirus product. F-Secure claims to be the first antivirus firm to establish a presence on the World Wide Web.

• In 1991, the European Institute for Computer Antivirus Research (EICAR) was founded to further antivirus research and improve the development of antivirus software.
• In 1992, Igor Danilov released the first version of SpiderWeb, which later became Dr. Web.
• In 1994, AV-TEST reported that there were 28,613 unique malware samples (based on MD5) in their database.

Over time, other companies were founded. In 1996, in Romania, the first version of Anti-Virus eXpert (AVX) was released by a newly founded company. In 1997, in Russia, Eugene Kaspersky and Natalia Kaspersky co-founded the security firm Kaspersky Lab.

In 1996, there was also the first "in the wild" virus, known as "Staog".


In 1999, AV-TEST reported that there were 98,428 unique malware samples (based on MD5) in their database.

2000-2005 PERIOD

• In 2000, Rainer Link and Howard Fuhs started the first open source antivirus engine, called the OpenAntivirus Project.
• In 2001, Tomasz Kojm released the first version of ClamAV, the first ever open source antivirus engine to be commercialised. In 2007, ClamAV was bought by a company which was in turn acquired in 2013.
• In 2002, in the United Kingdom, Morten Lund and Theis Søndergaard co-founded the antivirus firm BullGuard.
• In 2005, AV-TEST reported that there were 333,425 unique malware samples (based on MD5) in their database.

2005 TO PRESENT

As always-on broadband connections became the norm, and more and more viruses were released, it became essential to update antivirus more and more frequently. Even then, a new zero-day or next-generation malware could become widespread before antivirus firms released an update to protect against it.

In 2007, AV-TEST reported 5,490,960 new unique malware samples (based on MD5) for that year alone. In 2012 and 2013, antivirus firms reported between 300,000 and over 500,000 new malware samples per day.

In order to keep up with malware production, antivirus firms have gradually moved to more and more complex algorithms.

Over the years it has become necessary for antivirus software to use several different strategies (e.g. specific email and network protection or low-level modules) and detection algorithms, as well as to check an increasing variety of files, rather than just executables, for several reasons:

Powerful macros used in word processor applications, such as Word, presented a risk. Virus writers could use the macros to write viruses embedded within documents. This meant that computers could now also be at risk from infection by opening documents with hidden attached macros.

The possibility of embedding executable objects inside otherwise non-executable file formats can make opening those files a risk.


Later email programs, in particular Microsoft's Outlook Express and Outlook, were vulnerable to viruses embedded in the email body itself. A user's computer could be infected by just opening or previewing a message.

In 2005, F-Secure was the first security firm to develop an anti-rootkit technology, called BlackLight.

Given that most people are nowadays connected to the Internet round-the-clock, in 2008 Jon Oberheide first proposed a cloud-based antivirus design.

In November 2009, Panda Security unveiled its first cloud-based antivirus technology, the first commercial CloudAV ever released. A year later, Sophos also added a cloud-based component to its host-based antivirus product. In the following years, many other antivirus firms have added a CloudAV to their security products (see Comparison of antivirus software for a complete overview).

THE COMPONENTS IN THE SYSTEM UNIT

The system unit, sometimes called the chassis, is a box-like case housing the electronic components of a computer that are used to process data. System unit components include the processor, memory modules, cards, ports, and connectors. Many of the system unit's components reside on a circuit board called the motherboard. The motherboard contains many different types of chips, or small pieces of semiconducting material, on which one or more integrated circuits (IC) are etched. An integrated circuit is a microscopic pathway capable of carrying electronic current. Each IC can contain millions of transistors, which act as switches for electronic signals.

THE FOUR STEPS TO PROCESS DATA

The central processing unit (CPU), also called a processor, significantly impacts overall computing power and manages most of a computer's operations. The CPU contains the control unit and the arithmetic/logic unit. The control unit directs and coordinates most of the operations in the computer. For every instruction, the control unit repeats a set of four basic operations called the machine cycle: (1) fetching the instruction or data item from memory, (2) decoding the instruction into commands the computer understands, (3) executing the commands, and, if necessary, (4) storing, or writing, the result to memory. The arithmetic/logic unit (ALU) performs the execution part of the machine cycle. Specifically, the ALU carries out three operations:


• Arithmetic operations – performing calculations, which include addition, subtraction, multiplication, and division
• Comparison operations – comparing data items to determine if the first item is greater than, equal to, or less than the other item
• Logical operations – working with conditions and logical operators such as AND, OR, and NOT

Compare and contrast various personal computer processors on the market today

A personal computer's CPU usually is contained on a single chip, which some call a microprocessor. Intel is a leading manufacturer of personal computer processors. Most high-performance PCs use a processor from Intel called the Pentium® processor. A second Intel brand, called the Celeron™, is designed for less expensive PCs. Two more brands, called the Xeon™ and Itanium™ processors, are ideal for workstations and low-end servers. Intel-compatible processors have the same internal design as Intel processors and perform the same functions, but are made by other companies and often are less expensive. An alternative design to the Intel-style processor, the Motorola processor, is found in Apple Macintosh and Power Macintosh systems. A new type of processor designed for lower-cost personal computers and Internet appliances, called an integrated CPU, combines the functions of a processor, memory, and a video card on a single chip. Today's processors are equipped with MMX™ technology, a built-in set of instructions that manipulates and processes multimedia data more efficiently. Intel's SSE instructions and AMD's 3DNow!™ are two other technologies that improve a processor's performance for multimedia, the Web, and 3-D graphics. To optimize and extend battery life for notebook computers, Intel® mobile processors use SpeedStep™ technology and AMD processors use PowerNow!™ technology.

BIT AND DATA REPRESENTATION

Most computers are digital , meaning they understand only two discrete states: on and off. These states are represented using two digits, 0 (off) and 1 (on). Each on or off value is called a bit (short for binary digit), the smallest unit of data a computer can handle. Eight bits grouped together as a unit form a byte. A byte provides enough different combinations of 0s and 1s to represent 256 individual characters including numbers, letters of the alphabet, punctuation marks, and other characters.

The combinations of 0s and 1s used to represent data are defined by patterns called coding schemes. Popular coding schemes are ASCII, EBCDIC, and Unicode. Coding schemes make it possible for humans to interact with a digital computer that recognizes only bits. Every character you type on a keyboard is converted into a corresponding byte, a series of on/off electrical states the computer can process.


THE VARIOUS TYPES OF MEMORY

Memory is a temporary storage place for data, instructions, and information. Memory stores the operating system, application programs, and the data processed by application programs. A byte is the basic storage unit in memory. Memory size is measured by the number of bytes available for use. A kilobyte (KB or K) of memory is approximately one thousand bytes, a megabyte (MB) is approximately one million bytes, and a gigabyte (GB) is approximately one billion bytes. The system unit contains several types of memory.

RAM (random access memory) consists of memory chips that the processor can read from and write to. Most RAM is volatile memory, meaning that its contents are lost when the computer's power is turned off. Two basic types of RAM chips are dynamic RAM and static RAM. Dynamic RAM (DRAM) must be re-energized constantly or it loses its contents. Static RAM (SRAM) is faster and more reliable than DRAM and has to be re-energized less often, but it is much more expensive.

Memory cache, also called a cache store or RAM cache, improves processing time by storing frequently used instructions and data. ROM (read-only memory) refers to memory chips that can only be read and used; that is, they cannot be modified. ROM is nonvolatile memory (NVM), meaning that its contents are not lost when the computer's power is turned off. A variation of the ROM chip, called programmable read-only memory (PROM), is a blank chip on which you can place items permanently.

Flash memory, also known as flash ROM or flash RAM, is nonvolatile memory that can be erased electronically and reprogrammed. Complementary metal-oxide semiconductor (CMOS) memory, another type of memory chip, stores configuration information about the computer and uses battery power to retain that information when the power to the computer is off.

TYPES OF EXPANSION SLOTS AND CARDS IN THE SYSTEM UNIT

An expansion slot is an opening, or socket, where you can insert a circuit board into the motherboard. These circuit boards (called cards, expansion cards, boards, expansion boards, adapters, adapter cards, interface cards, add-ins, or add-ons) add new devices or capabilities to the computer. Four types of expansion cards found in most computers are a video card, a sound card, a network interface card, and a modem card.

A video card converts computer output into a video signal that is sent through a cable to the monitor, which displays an image. A sound card enhances the sound-generating capabilities of a personal computer by allowing sound to be input through a microphone and output through speakers.


A network interface card (NIC) is a communications device that allows the computer to communicate via a network. A modem card is a communications device that enables computers to communicate via telephone lines or other means. Many of today’s computers support Plug and Play, a capability with which the computer automatically can configure expansion boards and other devices as you install them.

Notebook and other portable computers have a special type of expansion slot used for installing a PC Card, which is a thin credit card-sized device that adds memory, disk drives, sound, fax/modem, and communications capabilities to a mobile computer.

DIFFERENCE AMONG SERIAL, PARALLEL, AND USB PORT

A cable often attaches external devices to the system unit. A port is the interface, or point of attachment, to the system unit. Ports have different types of connectors, which are used to join a cable to a device. Male connectors have one or more exposed pins, while female connectors have matching holes to accept the pins. Most computers have three types of ports: serial, parallel, and USB. A serial port is a type of interface that connects a device to the system unit by transmitting data only one bit at a time. Serial ports usually connect devices that do not require fast data transmission rates, such as a mouse, keyboard, or modem. A parallel port is an interface that connects devices by transferring more than one bit at a time. Many printers connect to the system unit using a parallel port. A universal serial bus (USB) port can connect up to 127 different peripheral devices with a single connector type, greatly simplifying the process of attaching devices to a personal computer.

BUSES CONTRIBUTION

Bits are transferred internally within the circuitry of the computer along electrical channels. Each channel, called a bus, allows various devices inside and attached to the system unit to communicate with each other. The bus width, or size of the bus, determines the number of bits that can be transferred at one time. The larger the bus width, the fewer transfer steps are required and the faster the transfer of data. In most computers the word size (the number of bits the CPU can process at a given time) is the same as the bus width. Every bus also has a clock speed. The higher the bus clock speed, the faster the transmission of data, which results in applications running faster. A computer has two basic types of buses. A system bus connects the CPU to main memory. An expansion bus allows the CPU to communicate with peripheral devices.
