¾}sS< eU/ Institution Name ¾Ê¡S”ƒ lØ`/ Document No.

KPC/OF/EDU/041
ኮምቦልቻ ፖሊቴክኒክ ኮሌጅ
KOMBOLCHA POLYTECHNIC COLLEGE
ርዕስ/Title Issue No. Page No.
Information Sheet 3 Page 1 of 38

KOMBOLCHA POLYTECHNIC COLLEGE

DEPARTMENT OF INFORMATION
TECHNOLOGY

WEB DEVELOPMENT AND DATABASE

ADMINISTRATION
LEVEL – I
LEARNING GUIDE # 1
Unit of Competence : Protecting Application or System software

Module Title : Protecting Application or System software

TTLM Code : EIS WDDBA1 M05 0322

1
TTLM Development Manual Date: May 2011
 ¾}sS< eU/ Institution Name ¾Ê¡S”ƒ lØ`/ Document No.
KPC/OF/EDU/041
ኮምቦልቻ ፖሊቴክኒክ ኮሌጅ
KOMBOLCHA POLYTECHNIC COLLEGE
ርዕስ/Title Issue No. Page No.
Information Sheet 3 Page 2 of 38

LO1-
Ensure
user
accounts

2
TTLM Development Manual Date: May 2011
 ¾}sS< eU/ Institution Name ¾Ê¡S”ƒ lØ`/ Document No.
KPC/OF/EDU/041
ኮምቦልቻ ፖሊቴክኒክ ኮሌጅ
KOMBOLCHA POLYTECHNIC COLLEGE
ርዕስ/Title Issue No. Page No.
Information Sheet 3 Page 3 of 38

are
controlled Introduction
LO1- Ensure user accounts are
controlled

This learning guide is developed to provide you the necessary information regarding the

following content coverage and topics –

 User Account Control/ Security Considerations in Computer Support and Operations

This guide will also assist you to attain the learning outcome stated in the cover page.

Specifically, upon completion of this Learning Guide, you will be able to –

 Modifying default user settings to ensure that they conform to security policy
 Modifying previously created user settings to ensure they conform to updated security
policy.
 Ensuring legal notices displayed at logon are appropriate.
 Checking the appropriate utilities for strength passwords and consider tightening rules
for password complexity.
 Monitoring emails uncover breaches in compliance with legislation.
 Accessing information services to identify security gaps and take appropriate action
using hardware and software or patches

Learning Activities:

*Your teacher will evaluate your output either satisfactory or unsatisfactory. If

unsatisfactory, your teacher shall advice you on additional work. But if satisfactory
3
TTLM Development Manual Date: May 2011
 ¾}sS< eU/ Institution Name ¾Ê¡S”ƒ lØ`/ Document No.
KPC/OF/EDU/041
ኮምቦልቻ ፖሊቴክኒክ ኮሌጅ
KOMBOLCHA POLYTECHNIC COLLEGE
ርዕስ/Title Issue No. Page No.
Information Sheet 3 Page 4 of 38

you can proceed to the next topic.

User Account Control/ Security Considerations in

Information Sheet – 1 Computer Support and Operations

User Account Control (UAC) is a security component that allows an administrator to enter
credentials during a non-administrator's user session to perform occasional administrative tasks.
This is intended for the following audiences:

 IT planners and analysts who are evaluating the product

 Security architects who are responsible for implementing trustworthy computing

 Administrators who need to control the behavior of UAC

What is User Account Control?

User Account Control (UAC) is a security component that enables users to perform common
tasks as non-administrators (called standard users in Windows Vista), and as administrators
without having to switch users, log off, or use Run As. User accounts that are members of the
local Administrators group run most applications as a standard user. By separating user and
administrator functions, UAC helps users move toward using standard user rights by default.

When an administrator logs on to a computer that is running Windows 7 or Windows Vista, the

user is assigned two separate access tokens. Access tokens, which contain a user's group
membership and authorization and access control data, are used by the Windows operating
system to control what resources and tasks the user can access. The access control model in
earlier Windows operating systems did not include any failsafe checks to ensure that users truly
wanted to perform a task that required their administrative access token. As a result, malicious
software could install on users' computers without notifying the users. (This is sometimes
referred to as a "silent" installation.)

Even more damaging, because the user is an administrator, the malicious software could use the
administrator's access control data to infect core operating system files, and in some instances,
become nearly impossible to remove.

The primary difference between a standard user and an administrator is the level of access that
the user has over core, protected areas of the computer. Administrators can change the system
state, turn off the firewall, configure security policies, install a service or a driver that affects

4
TTLM Development Manual Date: May 2011
 ¾}sS< eU/ Institution Name ¾Ê¡S”ƒ lØ`/ Document No.
KPC/OF/EDU/041
ኮምቦልቻ ፖሊቴክኒክ ኮሌጅ
KOMBOLCHA POLYTECHNIC COLLEGE
ርዕስ/Title Issue No. Page No.
Information Sheet 3 Page 5 of 38

every user on the computer, and install software for the entire computer. Standard users cannot
perform these tasks, and they can only install per-user software.

Unlike earlier versions of Windows, when an administrator logs on to a computer running

Windows 7 or Windows Vista, the user’s full administrator access token is split into two access
tokens: a full administrator access token and a standard user access token. During the logon
process, authorization and access control components that identify an administrator are removed,
resulting in a standard user access token. The standard user access token is then used to start the
desktop, the Explorer.exe process. Because all applications inherit their access control data from
the initial launch of the desktop, they all run as a standard user.

After an administrator logs on, the full administrator access token is not invoked until the user
attempts to perform an administrative task. When a standard user logs on, only a standard user
access token is created. This standard user access token is then used to start the desktop.

SECURITY CONSIDERATIONS IN COMPUTER SUPPORT AND OPERATIONS

Computer support and operations refers to everything done to run a computersystem. This
includes both system administration and tasks external to the system that support its operation
(e.g., maintaining documentation). It does not in clude system planning or design. Support and
operations are routine activities that enable computer systems to function correctly. These
include fixing software or hardware problems, loading and maintaining software, and helping
users resolve problems.

The support and operation of any computer system, from a three-person local area network to a
worldwide application serving thousands of users, is critical to maintaining the security of a
system. This bulletin discusses security issues in computer support and operations activities.

The failure to consider security as part of the support and operations of computer systems is, for
many organizations, their Achilles heel. Computer security system literature includes many
examples of how organizations undermined their often expensive security measures because of
poor documentation, old user accounts, conflicting software, or poor control of maintenance
accounts. Also, an organization's policies and procedures often fail to address many of these
important issues. The important security considerations within some of the major categories of
support and
operations are:
-user support,
-software support,
-configuration management,
-backups,
-media controls,

5
TTLM Development Manual Date: May 2011
 ¾}sS< eU/ Institution Name ¾Ê¡S”ƒ lØ`/ Document No.
KPC/OF/EDU/041
ኮምቦልቻ ፖሊቴክኒክ ኮሌጅ
KOMBOLCHA POLYTECHNIC COLLEGE
ርዕስ/Title Issue No. Page No.
Information Sheet 3 Page 6 of 38

-documentation, and maintenance.

Some special considerations are noted for larger or smaller systems. In general, larger systems
include mainframes, large minicomputers, and WANs.
Smaller systems include PCs and LANs.

USER SUPPORT
In many organizations, user support takes place through a Help Desk. Help Desks can support
an entire organization, a subunit, a specific system, or a combination of these. For smaller
systems, the system administrator normally provides direct user support. Experienced users
provide informal user support on most systems. User support should be closely linked to the
organization's incident handling capability. In many cases, the same personnel perform these
functions.

An important security consideration for user support personnel is being able to recognize which
problems (brought to their attention by users) are security- related. For example, users' inability
to log onto a computer system may result from the disabling of their accounts due to too many
failed access attempts. This could indicate the presence of hackers trying to guess users'
passwords.

In general, system support and operations staff need to be able to identify security problems,
respond appropriately, and inform appropriate individuals. A wide range of possible security
problems exist. Some will be internal to custom applications, while others apply to off-the-shelf
products. Additionally, problems can be software- or hardware-based. Small systems are
especially susceptible to viruses, while networks are particularly susceptible to hacker attacks,
which can be targeted at multiple systems. System support personnel should be able to recognize
attacks and know how to respond.

The more responsive and knowledgeable system support and operation staff personnel are, the
less user support will be provided informally. The support other users provide is important, but
they may not be aware of the
"whole picture."

SOFTWARE SUPPORT
Software is the heart of an organization's computer operations, whatever the size and complexity
of the system. Therefore, it is essential that software function correctly and be protected from
corruption. There are many elements of software support.

One is controlling what software is used on a system. If users or systems personnel can load and
execute any software on a system, the system is more vulnerable to viruses, to unexpected
software interactions, and to software that may subvert or bypass security controls. One method
6
TTLM Development Manual Date: May 2011
 ¾}sS< eU/ Institution Name ¾Ê¡S”ƒ lØ`/ Document No.
KPC/OF/EDU/041
ኮምቦልቻ ፖሊቴክኒክ ኮሌጅ
KOMBOLCHA POLYTECHNIC COLLEGE
ርዕስ/Title Issue No. Page No.
Information Sheet 3 Page 7 of 38

of controlling software is to inspect or test software before it is loaded (e.g., to determine

compatibility with custom applications or identify other unforeseen interactions). This can apply
to new software packages, to upgrades, to off-the-shelf products, or to custom software, as
deemed
appropriate. In addition to controlling the loading and execution of new software, organizations
should also give care to the configuration and use of powerful system utilities. System utilities
can compromise the integrity of operating systems and logical access controls.

Viruses take advantage of the weak software controls in personal computers. Also, there are
powerful utilities available for PCs that can restore deleted files, find hidden files, and interface
directly with PC hardware, bypassing the operating system. Some organizations use personal
computers without floppy drives in order to have better control over the system. There are
several widely available utilities that look for security
problems in both networks and the systems attached to them. Some utilities look for and try to
exploit security vulnerabilities.

A second element in software support can be to ensure that software has not been modified
without proper authorization. This involves the protection of software and backup copies. This
can be done with a combination of logical and physical access controls.

Many organizations also include a program to ensure that software is properly licensed, as
required. For example, an organization may audit systems for illegal copies of copyrighted
software. This problem is primarily associated with PCs and LANs, but can apply to any type of
system.

CONFIGURATION MANAGEMENT
Closely related to software support is configuration management – the process of keeping track
of changes to the system and, if needed, approving them. Configuration management normally
addresses hardware, software, networking, and other changes; it can be formal or informal. The
primary security goal of configuration management is ensuring that changes to the system do not
unintentionally or unknowingly diminish security. Some of the methods discussed under
software support, such as inspecting and testing software changes, can be used.

For networked systems, configuration management should include external connections. Is the
computer system connected? To what other systems? In
turn, to what systems are these systems and organizations connected? Note that the security
goal is to know what changes occur, not to prevent security from being changed. There may be
circumstances when security will be reduced. However, the decrease in security should be the
result of a decision based on all appropriate factors.

7
TTLM Development Manual Date: May 2011
 ¾}sS< eU/ Institution Name ¾Ê¡S”ƒ lØ`/ Document No.
KPC/OF/EDU/041
ኮምቦልቻ ፖሊቴክኒክ ኮሌጅ
KOMBOLCHA POLYTECHNIC COLLEGE
ርዕስ/Title Issue No. Page No.
Information Sheet 3 Page 8 of 38

A second security goal of configuration management is ensuring that changes to the system are
reflected in other documentation, such as the contingency plan. If the change is major, it may be
necessary to reanalyze some or all of the security of the system.

BACKUPS
Support and operations personnel and sometimes users back up software and
data. This function is critical to contingency planning. Frequency of
backups will depend upon how often data changes and how important those changes are.
Program managers should be consulted to determine what backup schedule is appropriate. Also,
as a safety measure, it is useful to test that backup copies are actually usable. Finally, backups
should be stored securely, as appropriate.

Users of smaller systems are often responsible for their own backups. However, in reality, they
do not always perform backups regularly. Some organizations, therefore, task support personnel
with making backups periodically for smaller systems, either automatically (through server
software) or manually (by visiting each machine).

MEDIA CONTROLS
Media controls include a variety of measures to provide physical and environmental protection
and accountability for tapes, diskettes, printouts, and other media. From a security perspective,
media controls should be designed to prevent the loss of confidentiality, integrity, or availability
of information, including data or software, when stored outside the system. This can include
storage of information before it is
input to the system and after it is output.

The extent of media control depends upon many factors, including the type of data, the quantity
of media, and the nature of the user environment. Physical and environmental protection is used
to prevent unauthorized individuals from accessing the media. It also protects against such
factors as heat, cold, or harmful magnetic fields. When necessary, logging the use of individual
media (e.g., a tape cartridge) provides detailed
accountability -- to hold authorized people responsible for their actions.

Marking
Controlling media may require some form of physical labeling. The labels can be used to
identify media with special handling instructions, to locate needed information, or to log media
(e.g., with serial/control numbers or bar codes) to support accountability. Identification is often
by colored labels on diskettes or tapes or banner pages on printouts.

8
TTLM Development Manual Date: May 2011
 ¾}sS< eU/ Institution Name ¾Ê¡S”ƒ lØ`/ Document No.
KPC/OF/EDU/041
ኮምቦልቻ ፖሊቴክኒክ ኮሌጅ
KOMBOLCHA POLYTECHNIC COLLEGE
ርዕስ/Title Issue No. Page No.
Information Sheet 3 Page 9 of 38

If labeling is used for special handling instructions, it is critical that people be appropriately
trained. The marking of PC input and output is generally the responsibility of the user, not the
system support staff. Marking backup diskettes can help prevent them from being accidentally
overwritten.

Logging
The logging of media is used to support accountability. Logs can include control numbers (or
other tracking data), the times and dates of transfers, names and signatures of individuals
involved, and other relevant information. Periodic spot checks or audits may be conducted to
determine that no controlled items have been lost and that all are in the custody of individuals
named in control logs. Automated media tracking systems may be
helpful for maintaining inventories of tape and disk libraries.

Integrity Verification
When electronically stored information is read into a computer system, it may be necessary to
determine whether it has been read correctly or subject to any modification. The integrity of
electronic information can be verified using error detection and correction or, if intentional
modifications are a threat, cryptographic-based technologies.

Physical Access Protection

Media can be stolen, destroyed, replaced with a look-alike copy, or lost. Physical access controls
which can limit these problems include locked doors, desks, file cabinets, or safes. If the media
requires protection at all times, it may be necessary to actually output data to the media in a
secure location (e.g., printing to a printer in a locked room instead of to a general-purpose printer
in a common area).

Physical protection of media should be extended to backup copies stored offsite. They generally
should be accorded an equivalent level of protection to media containing the same information
stored onsite. (Equivalent protection does not mean that the security measures need to be exactly
the same. The controls at the off-site location are quite likely to be different from the controls at
the regular site.)

Environmental Protection
Magnetic media, such as diskettes or magnetic tape, require environmental protection, since they
are sensitive to temperature, liquids, magnetism, smoke, and dust. Other media (e.g., paper and
optical storage) may have different sensitivities to environmental factors.

Transmittal
Media control may be transferred both within the organization and to outside elements.
Possibilities for securing such transmittal include sealed and marked envelopes, authorized
messenger or courier, or U.S. certified or registered mail.
9
TTLM Development Manual Date: May 2011
 ¾}sS< eU/ Institution Name ¾Ê¡S”ƒ lØ`/ Document No.
KPC/OF/EDU/041
ኮምቦልቻ ፖሊቴክኒክ ኮሌጅ
KOMBOLCHA POLYTECHNIC COLLEGE
ርዕስ/Title Issue No. Page No.
Information Sheet 3 Page 10 of 38

Disposition
When media is disposed of, it may be important to ensure that information is not improperly
disclosed. This applies both to media that is external to a computer system (such as a diskette)
and to media inside a computer system, such as a hard disk. The process of removing
information from media is called sanitization.

Three techniques are commonly used for media sanitization: overwriting, degaussing, and
destruction. Overwriting is an effective method for clearing data from magnetic media. As the
name implies, overwriting uses a program to write (1s, 0s, or a combination) onto the media.
Common practice is to overwrite the media three times. Overwriting should not be confused
with merely deleting the pointer to a file (which typically
happens when a delete command is used). Overwriting requires that the media be in working
order. Degaussing is a method to magnetically erase data from magnetic media. Two types of
degausser exist: strong permanent magnets and electric degaussers. The final method of
sanitization is destruction of the media by shredding or burning.

Many people throw away old diskettes, believing that erasing the files on the diskette has made
the data unretrievable. In reality, however, erasing a file simply removes the pointer to that file.
The pointer tells the computer where the file is physically stored. Without this pointer, the files
will not appear on a directory listing. This does not mean that the file was removed. Commonly
available utility programs can often retrieve
information that is presumed deleted.

DOCUMENTATION
Documentation of all aspects of computer support and operations is important to ensure
continuity and consistency. Formalizing operational practices and procedures with sufficient
detail helps to eliminate security lapses and oversights, gives new personnel sufficiently detailed
instructions, and provides a quality assurance function to help ensure that operations will be
performed correctly and efficiently.

The security of a system also needs to be documented. This includes many types of
documentation, such as security plans, contingency plans, risk analyses, and security policies and
procedures. Much of this information, particularly risk and threat analyses, has to be protected
against unauthorized disclosure. Security documentation also needs to be both current and
accessible. Accessibility should take special factors into
account (such as the need to find the contingency plan during a disaster).

Security documentation should be designed to fulfill the needs of the different types of people
who use it. For this reason, many organizations separate documentation into policy and
procedures. A security procedures manual should be written to inform various system users how
10
TTLM Development Manual Date: May 2011
 ¾}sS< eU/ Institution Name ¾Ê¡S”ƒ lØ`/ Document No.
KPC/OF/EDU/041
ኮምቦልቻ ፖሊቴክኒክ ኮሌጅ
KOMBOLCHA POLYTECHNIC COLLEGE
ርዕስ/Title Issue No. Page No.
Information Sheet 3 Page 11 of 38

to do their jobs securely. A security procedures manual for systems operations and support staff
may address a wide variety of technical and operational concerns in considerable detail.

MAINTENANCE
System maintenance requires either physical or logical access to the system. Support and
operations staff, hardware or software vendors, or third-party service providers may maintain a
system. Maintenance may be performed on site, or it may be necessary to move equipment to a
repair site. Maintenance may also be performed remotely via communications connections. If
someone who does not normally have access to the system performs maintenance, then a security
vulnerability is introduced.

In some circumstances, it may be necessary to take additional precautions, such as conducting

background investigations of service personnel. Supervision of maintenance personnel may
prevent some problems, such as "snooping around" the physical area. However, once someone
has access to the system, it is very difficult for supervision to prevent damage done through the
maintenance process.

Many computer systems provide maintenance accounts. These special log-in accounts are
normally preconfigured at the factory with pre-set, widely known passwords. One of the most
common methods hackers use to break into systems is through maintenance accounts that still
have factory-set or easily guessed passwords. It is critical to change these passwords or
otherwise disable the accounts until they are needed. Procedures should be developed to ensure
that only authorized maintenance personnel can use
these accounts. If the account is to be used remotely, authentication of the maintenance provider
can be performed using call-back confirmation. This helps ensure that remote diagnostic
activities actually originate from an established telephone number at the vendor's site. Other
techniques can also help, including encryption and decryption of diagnostic communications;
strong identification and authentication techniques, such as tokens; and remote disconnect
verification.
Larger systems may have diagnostic ports. In addition, manufacturers of
larger systems and third-party providers may offer more diagnostic and support services. It is
critical to ensure that these ports are only used by authorized personnel and cannot be accessed
by hackers.

INTERDEPENDENCIES
Support and operations components coexist in most computer security controls.

Personnel. Most support and operations staff have special access to the system. Some
organizations conduct background checks on individuals filling these positions to screen out
possibly untrustworthy individuals.

11
TTLM Development Manual Date: May 2011
 ¾}sS< eU/ Institution Name ¾Ê¡S”ƒ lØ`/ Document No.
KPC/OF/EDU/041
ኮምቦልቻ ፖሊቴክኒክ ኮሌጅ
KOMBOLCHA POLYTECHNIC COLLEGE
ርዕስ/Title Issue No. Page No.
Information Sheet 3 Page 12 of 38

Incident Handling. Support and operations may include an organization's incident handling
staff. Even if they are separate organizations, they need to work together to recognize and
respond to incidents.
Contingency Planning. Support and operations normally provides technical input to
contingency planning and carries out the activities of making backups, updating documentation,
and practicing responding to contingencies.
Security Awareness, Training, and Education. Support and operations staff should be trained
in security procedures and should be aware of the importance of security. In addition, they
provide technical expertise needed to teach users how to secure their systems.
Physical and Environmental. Support and operations staff often control the immediate
physical area around the computer system.
Technical Controls. The technical controls are installed, maintained, and used by support and
operations staff. They create the user accounts, add users to access control lists, review audit
logs for unusual activity control bulk encryption over telecommunications links, and perform the
countless operational tasks needed to use technical controls effectively. In addition, support and
operations staff provide needed input to the selection of controls based on their knowledge of
system capabilities and
operational constraints.
Assurance. Support and operations staff ensure that changes to a system do not introduce
security vulnerabilities by using assurance methods to evaluate or test the changes and their
effect on the system. Operational assurance is normally performed by support and operations
staff.

COST CONSIDERATIONS
The cost of ensuring adequate security in day-to-day support and operations is largely dependent
upon the size and characteristics of the operating environment and the nature of the processing
being performed. If sufficient support personnel are already available, it is important thatthey be
trained in the security aspects of their assigned jobs; it isusually not necessary to hire additional
support and operations security
specialists. Training, both initial and ongoing, is a cost of successfullyincorporating security
measures into support and operations activities.

12
TTLM Development Manual Date: May 2011
 ¾}sS< eU/ Institution Name ¾Ê¡S”ƒ lØ`/ Document No.
KPC/OF/EDU/041
ኮምቦልቻ ፖሊቴክኒክ ኮሌጅ
KOMBOLCHA POLYTECHNIC COLLEGE
ርዕስ/Title Issue No. Page No.
Information Sheet 3 Page 13 of 38

Self Check 1 Written Test

Name:____________________ Date:_________________

Directions: Answer all the questions listed below. Illustrations may be necessary to aid
some explanations/answers.

 Identify the following:

1. User Support

2. Documentation

3. Maintenance

4. Transmittal

13
TTLM Development Manual Date: May 2011
 ¾}sS< eU/ Institution Name ¾Ê¡S”ƒ lØ`/ Document No.
KPC/OF/EDU/041
ኮምቦልቻ ፖሊቴክኒክ ኮሌጅ
KOMBOLCHA POLYTECHNIC COLLEGE
ርዕስ/Title Issue No. Page No.
Information Sheet 3 Page 14 of 38

5. Disposition

6. Back Up

7. Software Support

8. User Support

9. User Account Control

10. Environmental Protection

11. Integrity Verification

12. Marking

13. Media Controls

14. Logging

15. Configuation Management

Note: Satisfactory rating – 10 points above / Unsatisfactory - below 10 points

You can ask you teacher for the copy of the correct answers

LO2- Detect and Removed Destructive

Introduction
Software
This learning guide is developed to provide you the necessary information regarding the

following content coverage and topics –

This guide will also assist you to attain the learning outcome stated in the cover page.

Specifically, upon completion of this Learning Guide, you will be able to –

 Defining and identifying the common types of destructive software

 Selecting and installing the virus protection compatible with the operating system.
 Describing advanced system of protection in order to understand further options.
 Installing software updates on regular basis.
 Configuring the software security setting to prevent destructive software from
infecting computer.
 Scheduling virus protection software are run on a regular basis.

14
TTLM Development Manual Date: May 2011
 ¾}sS< eU/ Institution Name ¾Ê¡S”ƒ lØ`/ Document No.
KPC/OF/EDU/041
ኮምቦልቻ ፖሊቴክኒክ ኮሌጅ
KOMBOLCHA POLYTECHNIC COLLEGE
ርዕስ/Title Issue No. Page No.
Information Sheet 3 Page 15 of 38

 Reporting detected destructive software to appropriate person and removing the

destructive software.
Learning Activities

*Your teacher will evaluate your output either satisfactory or unsatisfactory. If

unsatisfactory, your teacher shall advice you on additional work. But if satisfactory
you can proceed to the next topic.

Information Sheet – 1 Computer Virus

Virus can spell doom for your computer.

Strange as it may sound, the computer virus is something of an Information Age marvel. On one
hand, viruses show us how vulnerable we are -- a properly engineered virus can have a
devastating effect, disrupting productivity and doing billions of dollars in damages. On the other
hand, they show us how sophisticated and interconnected human beings have become.
For example, experts estimate that the Mydoom worm infected approximately a quarter-million
computers in a single day in January 2004. Back in March 1999, theMelissa virus was so
powerful that it forced Microsoft and a number of other very large companies to completely turn
off their e-mail systems until the virus could be contained. The ILOVEYOU virus in 2000 had a
similarly devastating effect. In January 2007, a worm called Storm appeared -- by October,
experts believed up to 50 million computers were infected. That's pretty impressive when you
consider that many viruses are incredibly simple.

15
TTLM Development Manual Date: May 2011
 ¾}sS< eU/ Institution Name ¾Ê¡S”ƒ lØ`/ Document No.
KPC/OF/EDU/041
ኮምቦልቻ ፖሊቴክኒክ ኮሌጅ
KOMBOLCHA POLYTECHNIC COLLEGE
ርዕስ/Title Issue No. Page No.
Information Sheet 3 Page 16 of 38

When you listen to the news, you hear about many different forms of electronic infection. The
most common are:

 Viruses - A virus is a small piece of software that piggybacks on real programs. For
example, a virus might attach itself to a program such as a spreadsheet program. Each
time the spreadsheet program runs, the virus runs, too, and it has the chance to
reproduce (by attaching to other programs) or wreak havoc.
 E-mail viruses - An e-mail virus travels as an attachment to e-mail messages, and
usually replicates itself by automatically mailing itself to dozens of people in the
victim's e-mail address book. Some e-mail viruses don't even require a double-click --
they launch when you view the infected message in the preview pane of your e-mail
software [source: Johnson].
 Trojan horses - A Trojan horse is simply a computer program. The program claims to
do one thing (it may claim to be a game) but instead does damage when you run it (it
may erase your hard disk). Trojan horses have no way to replicate automatically.
 Worms - A worm is a small piece of software that uses computer networks and
security holes to replicate itself. A copy of the worm scans the network for another
machine that has a specific security hole. It copies itself to the new machine using the
security hole, and then starts replicating from there, as well.

Virus Origins
Computer viruses are called viruses because they share some of the traits of biological viruses. A
computer virus passes from computer to computer like a biological virus passes from person to
person.
Unlike a cell, a virus has no way to reproduce by itself. Instead, a biological virus must inject its
DNA into a cell. The viral DNA then uses the cell's existing machinery to reproduce itself. In
some cases, the cell fills with new viral particles until it bursts, releasing the virus. In other cases,
the new virus particles bud off the cell one at a time, and the cell remains alive.
A computer virus shares some of these traits. A computer virus must piggyback on top of some
other program or document in order to launch. Once it is running, it can infect other programs or
documents. Obviously, the analogy between computer and biological viruses stretches things a
bit, but there are enough similarities that the name sticks.

People write computer viruses. A person has to write the code, test it to make sure it spreads
properly and then release it. A person also designs the virus's attack phase, whether it's a silly
message or the destruction of a hard disk. Why do they do it?

There are at least three reasons. The first is the same psychology that drives vandals
and arsonists. Why would someone want to break a window on someone's car, paint signs on
16
TTLM Development Manual Date: May 2011
 ¾}sS< eU/ Institution Name ¾Ê¡S”ƒ lØ`/ Document No.
KPC/OF/EDU/041
ኮምቦልቻ ፖሊቴክኒክ ኮሌጅ
KOMBOLCHA POLYTECHNIC COLLEGE
ርዕስ/Title Issue No. Page No.
Information Sheet 3 Page 17 of 38

buildings or burn down a beautiful forest? For some people, that seems to be a thrill. If that sort
of person knows computer programming, then he or she may funnel energy into the creation of
destructive viruses.
The second reason has to do with the thrill of watching things blow up. Some people have a
fascination with things like explosions and car wrecks. When you were growing up, there might
have been a kid in your neighborhood who learned how to make gunpowder. And that kid
probably built bigger and bigger bombs until he either got bored or did some serious damage to
himself. Creating a virus is a little like that -- it creates a bomb inside a computer, and the more
computers that get infected the more "fun" the explosion.
The third reason involves bragging rights, or the thrill of doing it. Sort of like Mount Everest --
the mountain is there, so someone is compelled to climb it. If you are a certain type of
programmer who sees a security hole that could be exploited, you might simply be compelled to
exploit the hole yourself before someone else beats you to it.
Of course, most virus creators seem to miss the point that they cause real damage to real people
with their creations. Destroying everything on a person's hard disk is real damage. Forcing a
large company to waste thousands of hours cleaning up after a virus is real damage. Even a silly
message is real damage because someone has to waste time getting rid of it. For this reason, the
legal system is getting much harsher in punishing the people who create viruses.
Virus History
Traditional computer viruses were first widely seen in the late 1980s, and they came about
because of several factors. The first factor was the spread of personal computers (PCs). Prior to
the 1980s, home computers were nearly non-existent or they were toys. Real computers were
rare, and they were locked away for use by "experts." During the 1980s, real computers started to
spread to businesses and homes because of the popularity of the IBM PC (released in 1982) and
the Apple Macintosh (released in 1984). By the late 1980s, PCs were widespread in businesses,
homes and college campuses.
The second factor was the use of computer bulletin boards. People could dial up a bulletin
board with a modemand download programs of all types. Games were extremely popular, and so
were simple word processors, spreadsheets and other productivity software. Bulletin boards led
to the precursor of the virus known as the Trojan horse. A Trojan horse is a program with a
cool-sounding name and description. So you download it. When you run the program, however,
it does something uncool like erasing your disk. You think you are getting a neat game, but it
wipes out your system. Trojan horses only hit a small number of people because they are quickly
discovered, the infected programs are removed and word of the danger spreads among users.

17
TTLM Development Manual Date: May 2011
 ¾}sS< eU/ Institution Name ¾Ê¡S”ƒ lØ`/ Document No.
KPC/OF/EDU/041
ኮምቦልቻ ፖሊቴክኒክ ኮሌጅ
KOMBOLCHA POLYTECHNIC COLLEGE
ርዕስ/Title Issue No. Page No.
Information Sheet 3 Page 18 of 38

Floppy disks were factors in the spread of computer viruses.

The third factor that led to the creation of viruses was the floppy disk. In the 1980s, programs
were small, and you could fit the entire operating system, a few programs and some documents
onto a floppy disk or two. Many computers did not have hard disks, so when you turned on your
machine it would load the operating system and everything else from the floppy disk. Virus
authors took advantage of this to create the first self-replicating programs.

Early viruses were pieces of code attached to a common program like a popular game or a
popular word processor. A person might download an infected game from a bulletin board and
run it. A virus like this is a small piece of code embedded in a larger, legitimate program. When
the user runs the legitimate program, the virus loads itself into memory and looks around to see if
it can find any other programs on the disk. If it can find one, it modifies the program to add the
virus's code into the program. Then the virus launches the "real program." The user really has no
way to know that the virus ever ran. Unfortunately, the virus has now reproduced itself, so two
programs are infected. The next time the user launches either of those programs, they infect other
programs, and the cycle continues.
If one of the infected programs is given to another person on a floppy disk, or if it is uploaded to
a bulletin board, then other programs get infected. This is how the virus spreads.
The spreading part is the infection phase of the virus. Viruses wouldn't be so violently despised
if all they did was replicate themselves. Most viruses also have a destructive attack phase where
they do damage. Some sort of trigger will activate the attack phase, and the virus will then do
something -- anything from printing a silly message on the screen to erasing all of your data. The
trigger might be a specific date, the number of times the virus has been replicated or something
similar.
In the next section, we will look at how viruses have evolved over the years.

Virus Evolution
Other Threats
Viruses and worms get a lot of publicity, but they aren't the only threats to your computer's
health. Malware is just another name for software that has an evil intent. Here are some

18
TTLM Development Manual Date: May 2011
 ¾}sS< eU/ Institution Name ¾Ê¡S”ƒ lØ`/ Document No.
KPC/OF/EDU/041
ኮምቦልቻ ፖሊቴክኒክ ኮሌጅ
KOMBOLCHA POLYTECHNIC COLLEGE
ርዕስ/Title Issue No. Page No.
Information Sheet 3 Page 19 of 38

common types of malware and what they might do to your infected computer:
 Adware puts ads up on your screen.
 Spyware collects personal information about you, like your passwords or other
information you type into your computer.
 Hijackers turn your machine into azombie computer.
 Dialers force your computer to make phone calls. For example, one might call toll
900-numbers and run up your phone bill, while boosting revenue for the owners of the
900-numbers. [source:Baratz and McLaughlin]
As virus creators became more sophisticated, they learned new tricks. One important trick was
the ability to load viruses into memory so they could keep running in the background as long as
the computer remained on. This gave viruses a much more effective way to replicate themselves.
Another trick was the ability to infect the boot sector on floppy disks and hard disks. The boot
sector is a small program that is the first part of the operating system that the computer loads. It
contains a tiny program that tells the computer how to load the rest of the operating system. By
putting its code in the boot sector, a virus can guarantee it is executed. It can load itself into
memory immediately and run whenever the computer is on. Boot sector viruses can infect the
boot sector of any floppy disk inserted in the machine, and on college campuses, where lots of
people share machines, they could spread like wildfire.
In general, neither executable nor boot sector viruses are very threatening any longer. The first
reason for the decline has been the huge size of today's programs. Nearly every program you buy
today comes on a compact disc. Compact discs (CDs) cannot be modified, and that makes viral
infection of a CD unlikely, unless the manufacturer permits a virus to be burned onto the CD
during production. The programs are so big that the only easy way to move them around is to
buy the CD. People certainly can't carry applications around on floppy disks like they did in the
1980s, when floppies full of programs were traded like baseball cards. Boot sector viruses have
also declined because operating systems now protect the boot sector.
Infection from boot sector viruses and executable viruses is still possible. Even so, it is a lot
harder, and these viruses don't spread nearly as quickly as they once did. Call it "shrinking
habitat," if you want to use a biological analogy. The environment of floppy disks, small
programs and weak operating systems made these viruses possible in the 1980s, but that
environmental niche has been largely eliminated by huge executables, unchangeable CDs and
better operating system safeguards.
E-mail viruses are probably the most familiar to you. We'll look at some in the next section.
E-mail Viruses
Virus authors adapted to the changing computing environment by creating the e-mail virus. For
example, theMelissa virus in March 1999 was spectacular. Melissa spread in Microsoft Word
documents sent via e-mail, and it worked like this:

19
TTLM Development Manual Date: May 2011
 ¾}sS< eU/ Institution Name ¾Ê¡S”ƒ lØ`/ Document No.
KPC/OF/EDU/041
ኮምቦልቻ ፖሊቴክኒክ ኮሌጅ
KOMBOLCHA POLYTECHNIC COLLEGE
ርዕስ/Title Issue No. Page No.
Information Sheet 3 Page 20 of 38

Someone created the virus as a Word document and uploaded it to an Internet newsgroup.
Anyone who downloaded the document and opened it would trigger the virus. The virus would
then send the document (and therefore itself) in an e-mail message to the first 50 people in the
person's address book. The e-mail message contained a friendly note that included the person's
name, so the recipient would open the document, thinking it was harmless. The virus would then
create 50 new messages from the recipient's machine. At that rate, the Melissa virus quickly
became the fastest-spreading virus anyone had seen at the time. As mentioned earlier, it forced a
number of large companies to shut down their e-mail systems.
The ILOVEYOU virus, which appeared on May 4, 200
Worms
A worm is a computer program that has the ability to copy itself from machine to machine.
Worms use up computer time and network bandwidth when they replicate, and often carry
payloads that do considerable damage. A worm called Code Red made huge headlines in 2001.
Experts predicted that this worm could clog the Internet so effectively that things would
completely grind to a halt.
A worm usually exploits some sort of security hole in a piece of software or the operating
system. For example, the Slammer worm (which caused mayhem in January 2003) exploited a
hole in Microsoft's SQL server. "Wired" magazine took a fascinating look inside Slammer's tiny
(376 byte) program.
Worms normally move around and infect other machines through computer networks. Using a
network, a worm can expand from a single copy incredibly quickly. The Code Red worm
replicated itself more than 250,000 times in approximately nine hours on July 19, 2001
[Source: Rhodes].
The Code Red worm slowed down Internet traffic when it began to replicate itself, but not nearly
as badly as predicted. Each copy of the worm scanned the Internet for Windows NT or Windows
2000 servers that did not have the Microsoft security patch installed. Each time it found an
unsecured server, the worm copied itself to that server. The new copy then scanned for other
servers to infect. Depending on the number of unsecured servers, a worm could conceivably
create hundreds of thousands of copies.
The Code Red worm had instructions to do three things:
 Replicate itself for the first 20 days of each month
 Replace Web pages on infected servers with a page featuring the message "Hacked by
Chinese"
 Launch a concerted attack on the White House Web site in an attempt to overwhelm it
[Source: eEye Digital Security]

20
TTLM Development Manual Date: May 2011
 ¾}sS< eU/ Institution Name ¾Ê¡S”ƒ lØ`/ Document No.
KPC/OF/EDU/041
ኮምቦልቻ ፖሊቴክኒክ ኮሌጅ
KOMBOLCHA POLYTECHNIC COLLEGE
ርዕስ/Title Issue No. Page No.
Information Sheet 3 Page 21 of 38

Upon successful infection, Code Red would wait for the appointed hour and connect to
the www.whitehouse.govdomain. This attack would consist of the infected systems
simultaneously sending 100 connections to port 80 of www.whitehouse.gov (198.137.240.91).
The U.S. government changed the IP address of www.whitehouse.gov to circumvent that
particular threat from the worm and issued a general warning about the worm, advising users of
Windows NT or Windows 2000 Web servers to make sure they installed the security patch. .
A worm called Storm, which showed up in 2007, immediately started making a name for itself.
Storm uses social engineering techniques to trick users into loading the worm on their
computers. So far, it's working -- experts believe between one million and 50 million computers
have been infected [source: Schneier].
When the worm is launched, it opens a back door into the computer, adds the infected machine
to a botnet and installs code that hides itself. The botnets are smallpeer-to-peer groups rather than
a larger, more easily identified network. Experts think the people controlling Storm rent out their
micro-botnets to deliver spam or adware, or for denial-of-service attacks on Web sites.
In the next section, we'll look at patching your system and other things you can do to protect
your computer

How to Protect Your Computer from Viruses

An Anti-virus Virus?
As we've discussed, worms attack known vulnerabilities in computer operating systems. Someone
came up with the idea of turning worm tech around and created a variation of the MSBlast worm that
would automatically patch the hole in the operating system and send itself out to other computers to do
the same. Sounds like a good idea, right? Not so fast. MSBlast.D, Nachi or Welchia, as it was known,
turned out to be more trouble than good. As it multiplied and scanned corporate networks for the
vulnerability, it clogged network traffic[source: Lemos].

You can protect yourself against viruses with a few simple steps:
 If you are truly worried about traditional (as opposed to e-mail) viruses, you should be
running a more secure operating system likeUNIX. You never hear about viruses on
these operating systems because the security features keep viruses (and unwanted
human visitors) away from your hard disk.
 If you are using an unsecured operating system, then buying virus protection
software is a nice safeguard.
 If you simply avoid programs from unknown sources (like the Internet), and instead
stick withcommercial software purchased on CDs, you eliminate almost all of the risk
from traditional viruses.

21
TTLM Development Manual Date: May 2011
 ¾}sS< eU/ Institution Name ¾Ê¡S”ƒ lØ`/ Document No.
KPC/OF/EDU/041
ኮምቦልቻ ፖሊቴክኒክ ኮሌጅ
KOMBOLCHA POLYTECHNIC COLLEGE
ርዕስ/Title Issue No. Page No.
Information Sheet 3 Page 22 of 38

 You should make sure that Macro Virus Protection is enabled in all Microsoft
applications, and you should NEVER run macros in a document unless you know what
they do. There is seldom a good reason to add macros to a document, so avoiding all
macros is a great policy.
 You should never double-click on an e-mail attachment that contains an
executable. Attachments that come in as Word files (.DOC), spreadsheets (.XLS), images
(.GIF), etc., are data files and they can do no damage (noting the macro virus problem in Word
and Excel documents mentioned above). However, some viruses can now come in
through .JPG graphic file attachments. A file with an extension like EXE, COM or VBS is an
executable, and an executable can do any sort of damage it wants. Once you run it, you have
given it permission to do anything on your machine. The only defense is never to run
executables that arrive via e-mail.

 
Open the Options dialog from the Tools menu in 
Microsoft Word and make sure that Macro Virus Protection is enabled. Newer versions of
Word allow you to customize 
the level of macro protection you use.

Information Sheet – 2 Anti Virus Software

22
TTLM Development Manual Date: May 2011
 ¾}sS< eU/ Institution Name ¾Ê¡S”ƒ lØ`/ Document No.
KPC/OF/EDU/041
ኮምቦልቻ ፖሊቴክኒክ ኮሌጅ
KOMBOLCHA POLYTECHNIC COLLEGE
ርዕስ/Title Issue No. Page No.
Information Sheet 3 Page 23 of 38

Antivirus software
Antivirus or anti-virus software is used to prevent, detect, and remove malware, including but
not limited to computer viruses, computer worm, trojan horses, spyware and adware. This page
talks about the software used for the prevention and removal of such threats, rather
than computer security implemented by software methods.

A variety of strategies are typically employed. Signature-based detection involves searching for
known patterns of data within executable code. However, it is possible for a computer to be
infected with new malware for which no signature is yet known. To counter such so-called zero-
day threats, heuristics can be used. One type of heuristic approach, generic signatures, can
identify new viruses or variants of existing viruses by looking for known malicious code, or
slight variations of such code, in files. Some antivirus software can also predict what a file will
do by running it in a sandbox and analyzing what it does to see if it performs any malicious
actions.

No matter how useful antivirus software can be, it can sometimes have drawbacks. Antivirus
software can impair a computer's performance. Inexperienced users may also have trouble
understanding the prompts and decisions that antivirus software presents them with. An incorrect
decision may lead to a security breach. If the antivirus software employs heuristic detection,
success depends on achieving the right balance between false positives and false negatives. False
positives can be as destructive as false negatives [citation needed]. Finally, antivirus software generally
runs at the highly trusted kernel level of the operating system, creating a potential avenue
of attack.[1]

An example of free antivirus software:ClamTk 3.08.

23
TTLM Development Manual Date: May 2011
 ¾}sS< eU/ Institution Name ¾Ê¡S”ƒ lØ`/ Document No.
KPC/OF/EDU/041
ኮምቦልቻ ፖሊቴክኒክ ኮሌጅ
KOMBOLCHA POLYTECHNIC COLLEGE
ርዕስ/Title Issue No. Page No.
Information Sheet 3 Page 24 of 38

Most of the computer viruses written in the early and mid 1980s were limited to self-
reproduction and had no specific damage routine built into the code.[2] That changed when more
and more programmers became acquainted with virus programming and created viruses that
manipulated or even destroyed data on infected computers.

There are competing claims for the innovator of the first antivirus product. Possibly the first
publicly documented removal of a computer virus in the wild was performed byBernd Fix in
1987.[3][4]

Fred Cohen, who published one of the first academic papers on computer viruses in 1984,
[5]
 began to develop strategies for antivirus software in 1988 [6] that were picked up and continued
by later antivirus software developers.

Also in 1988 a mailing list named VIRUS-L [7] was started on the BITNET/EARN network where
new viruses and the possibilities of detecting and eliminating viruses were discussed. Some
members of this mailing list like John McAfee or Eugene Kaspersky later founded software
companies that developed and sold commercial antivirus software.

Before internet connectivity was widespread, viruses were typically spread by infected floppy

disks. Antivirus software came into use, but was updated relatively infrequently. During this
time, virus checkers essentially had to check executable files and the boot sectors of floppy disks
and hard disks. However, as internet usage became common, viruses began to spread online.[8]

Over the years it has become necessary for antivirus software to check an increasing variety of
files, rather than just executables, for several reasons:


Powerful macros used in word processor applications, such as Microsoft Word, presented
a risk. Virus writers could use the macros to write viruses embedded within documents. This
meant that computers could now also be at risk from infection by opening documents with
hidden attached macros.[9]

Later email programs, in particular Microsoft's Outlook Express and Outlook,
were vulnerable to viruses embedded in the email body itself. A user's computer could be
infected by just opening or previewing a message.[10]

24
TTLM Development Manual Date: May 2011
 ¾}sS< eU/ Institution Name ¾Ê¡S”ƒ lØ`/ Document No.
KPC/OF/EDU/041
ኮምቦልቻ ፖሊቴክኒክ ኮሌጅ
KOMBOLCHA POLYTECHNIC COLLEGE
ርዕስ/Title Issue No. Page No.
Information Sheet 3 Page 25 of 38

As always-on broadband connections became the norm, and more and more viruses were
released, it became essential to update virus checkers more and more frequently. Even then, a
new zero-day virus could become widespread before antivirus companies released an update to
protect against it.

Malwarebytes' Anti-Malware version 1.46 - a proprietary freeware antimalware product

There are several methods which antivirus software can use to identify malware.

Signature based detection is the most common method. To identify viruses and other malware,
antivirus software compares the contents of a file to a dictionary of virus signatures. Because
viruses can embed themselves in existing files, the entire file is searched, not just as a whole, but
also in pieces.[11]

Heuristic-based detection, like malicious activity detection, can be used to identify unknown
viruses.

File emulation is another heuristic approach. File emulation involves executing a program in
a virtual environment and logging what actions the program performs. Depending on the actions
logged, the antivirus software can determine if the program is malicious or not and then carry out
the appropriate disinfection actions.[12]

Signature-based detection
Traditionally, antivirus software heavily relied upon signatures to identify malware. This can be
very effective, but cannot defend against malware unless samples have already been obtained
and signatures created. Because of this, signature-based approaches are not effective against
new, unknown viruses.

As new viruses are being created each day, the signature-based detection approach requires
frequent updates of the virus signature dictionary. To assist the antivirus software companies, the
25
TTLM Development Manual Date: May 2011
 ¾}sS< eU/ Institution Name ¾Ê¡S”ƒ lØ`/ Document No.
KPC/OF/EDU/041
ኮምቦልቻ ፖሊቴክኒክ ኮሌጅ
KOMBOLCHA POLYTECHNIC COLLEGE
ርዕስ/Title Issue No. Page No.
Information Sheet 3 Page 26 of 38

software may allow the user to upload new viruses or variants to the company, allowing the virus
to be analyzed and the signature added to the dictionary.[11]

Although the signature-based approach can effectively contain virus outbreaks, virus authors
have tried to stay a step ahead of such software by writing "oligomorphic", "polymorphic" and,
more recently, "metamorphic" viruses, which encrypt parts of themselves or otherwise modify
themselves as a method of disguise, so as to not match virus signatures in the dictionary.[13]

Heuristics
Some more sophisticated antivirus software uses heuristic analysis to identify new malware or
variants of known malware.

Many viruses start as a single infection and through either mutation or refinements by other
attackers, can grow into dozens of slightly different strains, called variants. Generic detection
refers to the detection and removal of multiple threats using a single virus definition.[14]

For example, the Vundo trojan has several family members, depending on the antivirus vendor's
classification. Symantec classifies members of the Vundo family into two distinct
categories, Trojan.Vundo andTrojan.Vundo.B.[15][16]

While it may be advantageous to identify a specific virus, it can be quicker to detect a virus
family through a generic signature or through an inexact match to an existing signature. Virus
researchers find common areas that all viruses in a family share uniquely and can thus create a
single generic signature. These signatures often contain non-contiguous code, using wildcard
characters where differences lie. These wildcards allow the scanner to detect viruses even if they
are padded with extra, meaningless code.[17] A detection that uses this method is said to be
"heuristic detection."

Rootkit detection
Anti-virus software can also scan for rootkits; a rootkit is a type of malware that is designed to
gain administrative-level control over a computer system without being detected. Rootkits can
change how theoperating system functions and in some cases can tamper with the anti-virus
program and render it ineffective. Rootkits are also difficult to remove, in some cases requiring a
complete re-installation of the operating system.[18][19]

26
TTLM Development Manual Date: May 2011
 ¾}sS< eU/ Institution Name ¾Ê¡S”ƒ lØ`/ Document No.
KPC/OF/EDU/041
ኮምቦልቻ ፖሊቴክኒክ ኮሌጅ
KOMBOLCHA POLYTECHNIC COLLEGE
ርዕስ/Title Issue No. Page No.
Information Sheet 3 Page 27 of 38

Unexpected renewal costs

Some commercial antivirus software end-user license agreements include a clause that
the subscription will be automatically renewed, and the purchaser's credit card automatically
billed, at the renewal time without explicit approval. For example, McAfee requires users to
unsubscribe at least 60 days before the expiration of the present
subscription  while BitDefender sends notifications to unsubscribe 30 days before the renewal.
[20]

[21]
 Norton Antivirus also renews subscriptions automatically by default.[22]
Rogue security applications
Some apparent antivirus programs are actually malware masquerading as legitimate software,
such as WinFixer and MS Antivirus.[23]

Problems caused by false positives

A "false positive" is when antivirus software identifies a non-malicious file as a virus. When this
happens, it can cause serious problems. For example, if an antivirus program is configured to
immediately delete or quarantine infected files, a false positive in an essential file can render
the operating system or some applications unusable.[24] In May 2007, a faulty virus signature
issued by Symantec mistakenly removed essential operating system files, leaving thousands of
PCs unable to boot.[25] Also in May 2007, the executable file required by Pegasus Mail was
falsely detected by Norton AntiVirus as being a Trojan and it was automatically removed,
preventing Pegasus Mail from running. Norton anti-virus had falsely identified three releases of
Pegasus Mail as malware, and would delete the Pegasus Mail installer file when that happened.
[26]
 In response to this Pegasus Mail stated:

“ On the basis that Norton/Symantec has done this for every one of the last three releases
of Pegasus Mail, we can only condemn this product as too flawed to use, and
recommend in the strongest terms that our users cease using it in favour of alternative,
less buggy anti-virus packages.[26] ”

In April 2010, McAfee VirusScan detected svchost.exe, a normal Windows binary, as a virus on

machines running Windows XP with Service Pack 3, causing a reboot loop and loss of all
network access.[27][28]

27
TTLM Development Manual Date: May 2011
 ¾}sS< eU/ Institution Name ¾Ê¡S”ƒ lØ`/ Document No.
KPC/OF/EDU/041
ኮምቦልቻ ፖሊቴክኒክ ኮሌጅ
KOMBOLCHA POLYTECHNIC COLLEGE
ርዕስ/Title Issue No. Page No.
Information Sheet 3 Page 28 of 38

In December 2010, a faulty update on the AVG anti-virus suite damaged 64-bit versions of

Windows 7, rendering it unable to boot, due to an endless boot loop created.[29]

When Microsoft Windows becomes damaged by faulty anti-virus products, fixing the damage to
Microsoft Windows incurs technical support costs and businesses can be forced to close whilst
remedial action is undertaken.[30][31]

System and interoperability related issues

Running multiple antivirus programs concurrently can degrade performance and create conflicts.
[32]
 However, using a concept called multiscanning, several companies (including G
Data[33] and Microsoft[34]) have created applications which can run multiple engines concurrently.

It is sometimes necessary to temporarily disable virus protection when installing major updates
such as Windows Service Packs or updating graphics card drivers. [35] Active antivirus protection
may partially or completely prevent the installation of a major update.

A minority of software programs are not compatible with anti-virus software. For example,
the TrueCrypt troubleshooting page reports that anti-virus programs can conflict with TrueCrypt
and cause it to malfunction.[36]

Support issues also exist around antivirus application interoperability with common solutions
like SSL VPN remote access and network access control products.[37] These technology solutions
often have policy assessment applications which require that an up to date antivirus is installed
and running. If the antivirus application is not recognized by the policy assessment, whether
because the antivirus application has been updated or because it is not part of the policy
assessment library, the user will be unable to connect.

Effectiveness
Studies in December 2007 showed that the effectiveness of antivirus software had decreased in
the previous year, particularly against unknown or zero day attacks. The computer
magazine c't found that detection rates for these threats had dropped from 40-50% in 2006 to 20-
30% in 2007. At that time, the only exception was the NOD32 antivirus, which managed a
detection rate of 68 percent.[38]

28
TTLM Development Manual Date: May 2011
 ¾}sS< eU/ Institution Name ¾Ê¡S”ƒ lØ`/ Document No.
KPC/OF/EDU/041
ኮምቦልቻ ፖሊቴክኒክ ኮሌጅ
KOMBOLCHA POLYTECHNIC COLLEGE
ርዕስ/Title Issue No. Page No.
Information Sheet 3 Page 29 of 38

The problem is magnified by the changing intent of virus authors. Some years ago it was obvious
when a virus infection was present. The viruses of the day, written by amateurs, exhibited
destructive behavior orpop-ups. Modern viruses are often written by professionals, financed
by criminal organizations.[39]

Independent testing on all the major virus scanners consistently shows that none provide 100%
virus detection. The best ones provided as high as 99.6% detection, while the lowest provided
only 81.8% in tests conducted in February 2010. All virus scanners produce false positive results
as well, identifying benign files as malware.[40]

Although methodologies may differ, some notable independent quality testing agencies include
AV-Comparatives, ICSA Labs, West Coast Labs, VB100 and other members of the Anti-
Malware Testing Standards Organization.[41]

New viruses
Anti-virus programs are not always effective against new viruses, even those that use non-
signature-based methods that should detect new viruses. The reason for this is that the virus
designers test their new viruses on the major anti-virus applications to make sure that they are
not detected before releasing them into the wild.[42]

Some new viruses, particularly ransomware, use polymorphic code to avoid detection by virus

scanners. Jerome Segura, a security analyst with ParetoLogic, explained:[43]

“ It's something that they miss a lot of the time because this type of [ransomware virus]
comes from sites that use a polymorphism, which means they basically randomize the
file they send you and it gets by well-known antivirus products very easily. I've seen
people firsthand getting infected, having all the pop-ups and yet they have antivirus
software running and it's not detecting anything. It actually can be pretty hard to get rid
of, as well, and you're never really sure if it's really gone. When we see something like
that usually we advise to reinstall the operating system or reinstall backups.[43] ”

A proof of concept virus has used the Graphics Processing Unit (GPU) to avoid detection from
anti-virus software. The potential success of this involves bypassing the CPU in order to make it
much harder for security researchers to analyse the inner workings of such malware.[44]

29
TTLM Development Manual Date: May 2011
 ¾}sS< eU/ Institution Name ¾Ê¡S”ƒ lØ`/ Document No.
KPC/OF/EDU/041
ኮምቦልቻ ፖሊቴክኒክ ኮሌጅ
KOMBOLCHA POLYTECHNIC COLLEGE
ርዕስ/Title Issue No. Page No.
Information Sheet 3 Page 30 of 38

Rootkits
Detecting rootkits is a major challenge for anti-virus programs. Rootkits have full administrative
access to the computer and are invisible to users and hidden from the list of running processes in
the task manager. Rootkits can modify the inner workings of the operating system[45] and tamper
with antivirus programs.[18]

Damaged files
Files which have been damaged by computer viruses are normally damaged beyond recovery.
Anti-virus software removes the virus code from the file during disinfection, but this does not
always restore the file to its undamaged state. In such circumstances, damaged files can only be
restored from existing backups; installed software that is damaged requires re-installation.[46]

Firmware issues
Active anti-virus software can interfere with a firmware update process.[47] Any writeable
firmware in the computer can be infected by malicious code. [48] This is a major concern, as an
infected BIOS could require the actual BIOS chip to be replaced to ensure the malicious code is
completely removed.[49] Anti-virus software is not effective at protecting firmware and
the motherboard BIOS from infection.[50]

A command-line virus scanner, Clam AV 0.95.2, running a virus signature definition update,

scanning a file and identifying a Trojan

Installed antivirus software running on an individual computer is only one method of guarding
against viruses. Other methods are also used, including cloud-based antivirus, firewalls and on-
line scanners.

30
TTLM Development Manual Date: May 2011
 ¾}sS< eU/ Institution Name ¾Ê¡S”ƒ lØ`/ Document No.
KPC/OF/EDU/041
ኮምቦልቻ ፖሊቴክኒክ ኮሌጅ
KOMBOLCHA POLYTECHNIC COLLEGE
ርዕስ/Title Issue No. Page No.
Information Sheet 3 Page 31 of 38

Cloud antivirus
Cloud antivirus is a technology that uses lightweight agent software on the protected computer,
while offloading the majority of data analysis to the provider's infrastructure.[51]

One approach to implementing cloud antivirus involves scanning suspicious files using multiple
antivirus engines. This approach was proposed by an early implementation of the cloud antivirus
concept called CloudAV. CloudAV was designed to send programs or documents to a network
cloud where multiple antivirus and behavioral detection programs are used simultaneously in
order to improve detection rates. Parallel scanning of files using potentially incompatible
antivirus scanners is achieved by spawning a virtual machine per detection engine and therefore
eliminating any possible issues. CloudAV can also perform "retrospective detection," whereby
the cloud detection engine rescans all files in its file access history when a new threat is
identified thus improving new threat detection speed. Finally, CloudAV is a solution for
effective virus scanning on devices that lack the computing power to perform the scans
themselves.[52]

Network firewall
Network firewalls prevent unknown programs and processes from accessing the system.
However, they are not antivirus systems and make no attempt to identify or remove anything.
They may protect against infection from outside the protected computer or network, and limit the
activity of any malicious software which is present by blocking incoming or outgoing requests
on certain TCP/IP ports. A firewall is designed to deal with broader system threats that come
from network connections into the system and is not an alternative to a virus protection system.

Online scanning
Some antivirus vendors maintain websites with free online scanning capability of the entire
computer, critical areas only, local disks, folders or files. Periodic online scanning is a good idea
for those that run antivirus applications on their computers because those applications are
frequently slow to catch threats. One of the first things that malicious software does in an attack
is disable any existing antivirus software and sometimes the only way to know of an attack is by
turning to an online resource that isn't already installed on the infected computer.[53]

31
TTLM Development Manual Date: May 2011
 ¾}sS< eU/ Institution Name ¾Ê¡S”ƒ lØ`/ Document No.
KPC/OF/EDU/041
ኮምቦልቻ ፖሊቴክኒክ ኮሌጅ
KOMBOLCHA POLYTECHNIC COLLEGE
ርዕስ/Title Issue No. Page No.
Information Sheet 3 Page 32 of 38

[edit]Specialist tools

Using rkhunter to scan for rootkits on anUbuntu Linux computer.

Virus removal tools are available to help remove stubborn infections or certain types of
infection. Examples include Trend Micro's Rootkit Buster,[54] and rkhunter for the detection
of rootkits, Avira's AntiVir Removal Tool,[55] PCTools Threat Removal Tool,[56] and AVG's Anti-
Virus Free 2011.[57]

A rescue disk that is bootable, such as a CD or USB storage device, can be used to run antivirus
software outside of the installed operating system, in order to remove infections while they are
dormant. A bootable antivirus disk can be useful when, for example, the installed operating
system is no longer bootable or has malware that is resisting all attempts to be removed by the
installed antivirus software. Examples of some of these bootable disks include the Avira AntiVir
Rescue System,[55] PCToolsAlternate Operating System Scanner,[58] and AVG Rescue CD.[59] The
AVG Rescue CD software can also be installed onto a USB storage device, that is bootable on
newer computers.[59]

A survey by Symantec in 2009 found that a third of small to medium sized business did not use
antivirus protection at that time, whereas more than 80% of home users had some kind of
antivirus installed.[60]

32
TTLM Development Manual Date: May 2011
 ¾}sS< eU/ Institution Name ¾Ê¡S”ƒ lØ`/ Document No.
KPC/OF/EDU/041
ኮምቦልቻ ፖሊቴክኒክ ኮሌጅ
KOMBOLCHA POLYTECHNIC COLLEGE
ርዕስ/Title Issue No. Page No.
Information Sheet 3 Page 33 of 38

Self Check Written Test

Name:____________________ Date:_________________

Directions: Answer all the questions listed below. Illustrations may be necessary to aid
some explanations/answers.

 Identify the following:

1. Trojan Horse

2. Worm

3. Spyware

4. File Emulation

5. Diallers

6. Adware

7. Antivirus

8. Heuristics

9. Code Red

10. Signature based Detection

Note: Satisfactory rating – 10 points above / Unsatisfactory - below 10 points

33
TTLM Development Manual Date: May 2011
 ¾}sS< eU/ Institution Name ¾Ê¡S”ƒ lØ`/ Document No.
KPC/OF/EDU/041
ኮምቦልቻ ፖሊቴክኒክ ኮሌጅ
KOMBOLCHA POLYTECHNIC COLLEGE
ርዕስ/Title Issue No. Page No.
Information Sheet 3 Page 34 of 38

You can ask you teacher for the copy of the correct answers

Introduction LO3- Identify and take action to stop spam

This learning guide is developed to provide you the necessary information regarding the

following content coverage and topics –

This guide will also assist you to attain the learning outcome stated in the cover page.

Specifically, upon completion of this Learning Guide, you will be able to –

 Defining and identifying common types of spam.

 Taking Appropriate action in order to protect unauthorized
access of spammers.

 Configuring and using spam filters.

 Reporting and documenting spams to identify the security threats and be able to
perform recommended action
Learning Activities

*Your teacher will evaluate your output either satisfactory or unsatisfactory. If

unsatisfactory, your teacher shall advice you on additional work. But if satisfactory
you can proceed to the next topic

34
TTLM Development Manual Date: May 2011
 ¾}sS< eU/ Institution Name ¾Ê¡S”ƒ lØ`/ Document No.
KPC/OF/EDU/041
ኮምቦልቻ ፖሊቴክኒክ ኮሌጅ
KOMBOLCHA POLYTECHNIC COLLEGE
ርዕስ/Title Issue No. Page No.
Information Sheet 3 Page 35 of 38

Information Sheet – 1 Analysing, Determining Client Requirments

Definitions of Spam - SEO Tips

Through the course of optimisation of a website you will come across bright ideas of how to
optimse your own site. Firstly not to be rude, but they are probably lame idesa such as making
the text the same colour as the background - that one used to work in 1998. If you can think it up
it has probably been done and the search engines are aware of it. If they are aware of it they
probably have a filter in place to sift through the results in order to push the sites lower in the
results that use such tactics. I plan to outline some of more common and not so common
techniques people are using in order to get rankings.

 hidden text & links

The act of making the text the same colour as the background, people seem to think that the
search engines are dim enough to over look white text on a white back ground. This one is as
old as they come and the search engines are aware of it. Sites may rank using these methods for
a while as it can take a little while for the engines to catch up with them. The same goes for
white text links on a white back ground! People have now taken to hiding text and links behind
invisable CSS divs and even using the Z index to hide the text off the page

 Double tags
Duplicate title tags, duplicate Meta tags are an old trick that again do not give any real boosts in
the search engines.

 Cloaking
The art of delivering the search engine one page and giving the user a different page. For the
best effect the server will scan the IP address of the incoming connection to the web server. If it
matches an IP address that is known to belong to a search engine it will get a text rich page
with heavily descriptive title tags, Meta tags and text copy. If the next IP address is not
recognised it must belong to a user, if so the server will deliver it a normal page - with graphics
etc... If cloaking is done correctly it is undetectable, the search engines will continue to get the
text heavy pages while the normal visitors get the nice looking graphics site. 

Poor mans cloaking is looking for the user agent string and then delivering content based on
that alone, this is really easy to detect as it is simple to spoof your user agent and then detect
the cloaking.

35
TTLM Development Manual Date: May 2011
 ¾}sS< eU/ Institution Name ¾Ê¡S”ƒ lØ`/ Document No.
KPC/OF/EDU/041
ኮምቦልቻ ፖሊቴክኒክ ኮሌጅ
KOMBOLCHA POLYTECHNIC COLLEGE
ርዕስ/Title Issue No. Page No.
Information Sheet 3 Page 36 of 38

 Blog & Wiki spamming

As you know search engines place great importance on links (if not where have you been for
the last 18 months) that point to your website, so much so that people will place their text links
anywhere just to increase their backlink count. Blogs are sites enable site owners to easily post
their thoughts to as it is all done with a content management system. One of the unique selling
points of a blog is that it lets any person comment to the site, it enables you to have a full and
open discussion about any topic in such a way that has never been seen before. With the
openness of a blog you may leave yourself wide open to blog spammers, people who run
automated crawlers who hunt out blogs and then post keyworded text links, these guys dont
just hit a few a day - we are talking hundreds of thousands maybe even millions. 

These sorts of tactics are live fast die young, as the search engines can close down the benefits
of the links maybe with in a few months and then eventually knock out the domain the links are
pointing to. There are a few things that are out there to stop the blog spammers but all seem to
be falling short - spammers hit the blogs that are old and not updated any more and hit
thousands at a time.

Wiki's are sites that will let anyone add or update the content of any page on the site, great for
adding links to! Some people say the knew choice of blog spammers.

 Hijacking/pagejacking
The latest and nastiest of spamming there currently is. The way that Google currently reads 302
redirects has a slight fault in it, if a page that has a 302 redirect to another site of a lower PR
there is every chance that the page doing the redirecting will start to rank for the other pages
keyphrases dependant on several other factors. I dont want to go into to much detail on this
one, dont want any more hijackers out there than there already are ;o)Webmasterworld
pagejacking thread

Information Sheet – 2 Different Types of Spam

36
TTLM Development Manual Date: May 2011
 ¾}sS< eU/ Institution Name ¾Ê¡S”ƒ lØ`/ Document No.
KPC/OF/EDU/041
ኮምቦልቻ ፖሊቴክኒክ ኮሌጅ
KOMBOLCHA POLYTECHNIC COLLEGE
ርዕስ/Title Issue No. Page No.
Information Sheet 3 Page 37 of 38

6 Different Types of Spam and How to Avoid Them

We try to cover all aspects of spam here such as new developments on the phishing and malware front,
technical know-how, preventive measures, and maybe even a dash of humour too.  Beyond the email
spam that we are all-too-familiar with however, administrators and IT managers are often tasked to tackle
other forms of digital trash as well.

With that in mind, let’s take a look at some other forms of spam out there including tips on how to avoid
them.

Email Spam
As noted earlier, email spam is something that we are very familiar with.  In fact, in my blog post Why
You Should Invest in Spam Protection I explain the importance of not allowing spam free reign in your
business.  There are many techniques that can be deployed, ranging from advanced Bayesian Spam
Filtering that can be implemented on your own email server, or a hosted spam filtering service.  The
battle is never-ending though, so do check back often for new developments on this blog!

Comment Spam
Corporate blogs have quickly become an indispensible means of spreading the word on new products and
services, as well as a means to obtain timely feedback from customers.  As you might expect, spammers
have been quick to subvert the ability to post comments for their nefarious purpose.

Fortunately, there is a plethora of tools with which to battle comment spam.  Cloud-based web services
like Akismet exists to sieve out comment spam and trackback spam, for which plug-ins have already been
developed for most blog or CMS implementations. Enabling the use of CAPTCHAS is also reasonably
effective against automated postings.

Other tips for popular sites would be to automatically close comments on articles after a reasonable
number of days and holding a comment in moderation until approved – at least for the first time.  Of
course, more advanced techniques like Bayesian filtering, blacklisting of IPs and comment throttling can
also be employed at heavily trafficked sites.

Instant Messenger Spam

While not as prevalent as in the past, the occasional instant messaging (IM) spam run continue to take
place periodically. The easiest way to stay on top of the situation would be to ignore any invites from
unknown persons, and to consider links from strangers to be outright hostile, or a phishing attempt.  Even
when offered a URL from existing friends, one important precaution to take (especially if it’s a shortened
URL) would be to first verify that your pal’s account has not fallen victim to a successful phishing
attempt and commandeered by a mindless script.

37
TTLM Development Manual Date: May 2011
 ¾}sS< eU/ Institution Name ¾Ê¡S”ƒ lØ`/ Document No.
KPC/OF/EDU/041
ኮምቦልቻ ፖሊቴክኒክ ኮሌጅ
KOMBOLCHA POLYTECHNIC COLLEGE
ርዕስ/Title Issue No. Page No.
Information Sheet 3 Page 38 of 38

Also, a lesser known fact is that practically every IM service has some sort of profile page or directory
listing from which spammers might harvest your contact details.  As such, it makes sense to take the
effort to configure your configuration accordingly.  Privacy options vary, but AIM allows you to disable
determining your screen name by using your e-mail address (Default: Linked), while Yahoo! Messenger
allows you to hide your profile from others (Default: Visible to everyone).

Junk Fax
The fax machine is certainly not used as much as it was in its heyday, though many businesses still find
themselves forced to rely on it occasionally.  The presence of the odd fax does mean that some businesses
become the unwitting recipient of junk fax transmissions, however.

Thankfully, there are many ways to combat junk fax, assuming businesses are aware of them. For
example, most fax machines these days come with the ability to store incoming fax transmissions in
memory, giving users a chance to preview them prior to printing; more advanced models could even be
configured to forward them as a PDF attachment to specified e-mail accounts.  Yet another alternative
involves subscribing to an electronic fax service, foregoing any hardware investment altogether.

Unsolicited Text Messages

Unsolicited text messages (SMS) is one of those vectors that is hard to filter against.  As a preventive
measure, it’s always good not to give out one’s contact details by filling up “lucky draw” forms or
surveys.  On the positive front, the costs of sending text messages means spamming can become
expensive quickly, and it is (comparatively) easy to trace the source of text messages and file a complaint
with your provider.  What is critical here is that users are trained not to click on any proffered links, given
the popularity of smartphones that might be prone to malware spread using it.

Social Networking Spam

As with practically every new medium, spammers have started to flood social networking sites with spam
and phishing attempts.  Efforts for now are limited to messages or wall posts, though this will certainly
evolve over time.  For now, Twitter offers a great number of tools to protect its users, and it is possible to
block or un-join accounts used to spam without notifying them about it.  Where Facebook is concerned,
my advice would be to impose a policy of only befriending those that you know explicitly.  Ultimately,
users need to be wary of clicking on URLs, given the widespread use of shortened URLs on most social
networking media.

38
TTLM Development Manual Date: May 2011