One effective way of building a proactive antivirus solution is to execute the suspicious file in a safe environment and watch what it does. In other words: simply let the virus execute its game.
In this way an unknown or suspicious file that is trying to enter the computer is isolated and prevented from infecting the system while it is analysed. As the virus unfolds, the proactive solution monitors and assesses the behaviour of the suspicious file.
Based on this analysis, the system decides whether to quarantine the file or to allow it onto the computer. Doing this on a real system is hardly feasible.
Many operating system settings may have to be altered before a potential virus will spread: its payload may depend on the date, the time, the Windows build number, security settings, the location of the system directory, and so on. Using a real system would require many adjustments and, most likely, several reboots. In short: it would be very time-consuming and very inefficient.
To do this within an acceptable time frame and with a modest use of system resources, a separate module (the SandBox) with its own simulated operating system is needed. Norman SandBox functions as part of the Norman antivirus scanner engine and provides emulated implementations of Windows API modules such as Winsock, Kernel and MPR (the Multiple Provider Router). It also supports network and Internet protocols such as HTTP, FTP, SMTP, DNS, IRC and P2P.
In other words: we are talking about a fully simulated computer, isolated inside the real computer as part of the Norman antivirus scanner engine. No extra hardware is needed to accomplish this.
The simulator provides a simulated ROM BIOS, simulated hardware, simulated hard drives and so on. It emulates the entire bootstrap of a regular system, starting by loading the operating system files and the command shell from the simulated drive. This drive contains the directories and files that are necessary parts of the system, mirroring the system files found on a physical hard drive.
The suspicious file is placed on the simulated hard disk and started in the simulated environment. The suspicious file is unaware that it is operating in a simulated world...
Inside the simulated environment the file may do whatever it wants. It can infect files. It can delete files. It can copy itself over networks. It can connect to an IRC server. It can send e-mails. It can set up listening ports. Every action it takes is registered by the antivirus program, because it is the emulator that actually performs the actions, interpreting the code in the file. No code from the file is ever executed on the real CPU; only the antivirus emulator engine runs there, and even the hardware of the simulated PC is emulated.
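To make the mechanism concrete, here is a toy behavioural sandbox in Python. It is an added illustration, not Norman's code, and it is far simpler than a full PC emulator: the "program" is a list of high-level pseudo-instructions rather than x86 machine code, the simulated hard disk is a dictionary, and the verdict policy (two or more distinct suspicious behaviour classes means quarantine) is an assumed rule for the example. The sample program, its file names, ports and hosts are all constructed. The sweep over simulated dates shows why the environment must be controllable, as discussed above: the sample only installs itself after a trigger date, so a single run with the wrong clock would record nothing.

```python
"""Toy behavioural sandbox (added illustration, not Norman's code).
The interpreter performs every action itself, on simulated state, and records
what the program *would* have done; nothing touches the host's disk or network."""
from dataclasses import dataclass, field
from datetime import date

SAMPLE_NAME = "suspect.exe"          # hypothetical file name for the sample
TRIGGER_DATE = date(2004, 1, 1)      # constructed trigger date for the example
BEFORE_TRIGGER = date(2003, 6, 1)    # simulated clock values the analyst sweeps
AFTER_TRIGGER = date(2004, 6, 1)
CLOCK_SWEEP = [BEFORE_TRIGGER, AFTER_TRIGGER]

# Constructed sample: benign unless the simulated date is past the trigger; then
# it installs a copy of itself, adds an autorun entry, opens a backdoor port,
# contacts an IRC server and mails itself onwards.
SAMPLE = [
    ("IF_DATE_AFTER", TRIGGER_DATE, 2),                    # 0: jump to 2 if triggered
    ("EXIT",),                                             # 1: otherwise do nothing
    ("COPY_SELF", r"C:\WINDOWS\SYSTEM32\svhost.exe"),      # 2
    ("WRITE", r"C:\WINDOWS\win.ini", b"run=svhost.exe"),   # 3
    ("LISTEN", 31337),                                     # 4
    ("CONNECT", "irc.example.test", 6667),                 # 5
    ("SMTP_SEND", "someone@example.test"),                 # 6
    ("EXIT",),                                             # 7
]


@dataclass
class SimulatedSystem:
    clock: date
    files: dict = field(default_factory=dict)    # path -> bytes, the "hard disk"
    actions: list = field(default_factory=list)  # behaviour log

    def record(self, kind, *detail):
        self.actions.append((kind,) + detail)


def fresh_system(clock):
    """A clean simulated machine with only the sample on its disk."""
    return SimulatedSystem(clock=clock, files={SAMPLE_NAME: b"<sample bytes>"})


def run(program, system, max_steps=10_000):
    """Interpret `program` on `system`. The step budget means a sample that
    loops forever still yields a (partial) behaviour log."""
    pc = 0
    for _ in range(max_steps):
        if pc >= len(program):
            break
        op, *args = program[pc]
        pc += 1
        if op == "IF_DATE_AFTER":           # payload gated on the simulated clock
            if system.clock > args[0]:
                pc = args[1]
        elif op == "JMP":
            pc = args[0]
        elif op == "WRITE":
            system.files[args[0]] = args[1]
            system.record("write", args[0])
        elif op == "COPY_SELF":
            system.files[args[0]] = system.files[SAMPLE_NAME]
            system.record("copy_self", args[0])
        elif op == "DELETE":
            system.files.pop(args[0], None)
            system.record("delete", args[0])
        elif op == "LISTEN":
            system.record("listen", args[0])
        elif op == "CONNECT":
            system.record("connect", args[0], args[1])
        elif op == "SMTP_SEND":
            system.record("smtp", args[0])
        elif op == "EXIT":
            break
        else:
            raise ValueError(f"unknown instruction {op!r}")
    return system.actions


# Assumed policy for the example: which behaviour classes count as suspicious.
SUSPICIOUS = {
    "copy_self": "copies itself to another location",
    "delete": "deletes files",
    "listen": "opens a listening port",
    "connect": "initiates an outbound network connection",
    "smtp": "sends e-mail directly",
}


def verdict(actions):
    """Assumed rule: two or more distinct suspicious behaviour classes -> quarantine."""
    reasons = sorted({SUSPICIOUS[a[0]] for a in actions if a[0] in SUSPICIOUS})
    return ("quarantine" if len(reasons) >= 2 else "allow"), reasons


def run_sample(clock):
    return run(SAMPLE, fresh_system(clock))


def analyse(program, clocks):
    """Run the program once per simulated clock value (fast-forwarding the
    simulated date) and judge the union of the observed behaviour."""
    observed = []
    for clock in clocks:
        observed.extend(run(program, fresh_system(clock)))
    return verdict(observed)


if __name__ == "__main__":
    print("single run, clock before trigger:", verdict(run_sample(BEFORE_TRIGGER)))
    print("clock sweep:", analyse(SAMPLE, CLOCK_SWEEP))
```

With the simulated clock set before the trigger date the sample exits immediately and the log is empty, so a single run would let it through; sweeping the clock records the installation, the listening port, the IRC connection and the outgoing mail, and the policy quarantines it. The copy of the sample lands in the simulated `files` dictionary, never on the host.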
The point is not to monitor and stop potentially harmful actions at runtime; the point is to find out what the program would have done had it been allowed to run wild on an unprotected machine in an unprotected network. Because the environment is simulated, this works regardless of the platform the scanner itself runs on, whether a NetWare server, Linux, OS/2 or DOS.
Norman’s solution: Let the virus execute its game. Then control the game!