Kingscliff & Murwillumbah IT… · Web view: How does anti-virus software work? 6. Scanning...

Unit Notes ICASAS301A Run standard diagnostic tests Topic 3


Post on 09-Aug-2020



© Copyright, 2023 by TAFE NSW - North Coast Institute

Date last saved: 28 May 2013 by Tracy Norris Version: 1.2 # of Pages = 4

Copyright of this material is reserved to the Crown in the right of the State of New South Wales. Reproduction or transmittal in whole, or in part, other than in accordance with the provisions of the Copyright Act, is prohibited without written authority of TAFE NSW - North Coast Institute.

Disclaimer: In compiling the information contained within, and accessed through, this document ("Information") DET has used its best endeavours to ensure that the Information is correct and current at the time of publication but takes no responsibility for any error, omission or defect therein. To the extent permitted by law, DET and its employees, agents and consultants exclude all liability for any loss or damage (including indirect, special or consequential loss or damage) arising from the use of, or reliance on, the Information whether or not caused by any negligent act or omission. If any law prohibits the exclusion of such liability, DET limits its liability to the extent permitted by law, to the re-supply of the Information.

Third party sites/links disclaimer: This document may contain links to third party sites. DET is not responsible for the condition or the content of those sites as they are not under DET's control. The link(s) are provided solely for your convenience and do not indicate, expressly or impliedly, any endorsement of the site(s) or the products or services provided there. You access those sites and use their products and services solely at your own risk.

Acknowledgements:

Graphic Design: Mark Keevers (Template design)


Table of Contents

Getting Started
    Using these notes

Detect and remove viruses
    Before you start
    What is a virus?
    Types of viruses
        Hard disk based viruses
        Executable file based viruses
        Document file-based viruses
        Web-based viruses
        Email-based viruses
    Detecting and removing a virus
    How does anti-virus software work?
        Scanning for viruses
        Reporting the virus infection
        Removing viruses
    Data mining software
    Summary

Check your progress - Questions
    Activity 1: Prepare a new computer for the workplace
    Activity 2: Detect a virus
    Activity 3: Check anti-virus support
    Activity 4: Create an anti-virus resource

Check your progress - Answers
    Activity 1: Prepare a new computer for the workplace
    Activity 2: Detect a virus
    Activity 3: Check anti-virus support
    Activity 4: Create an anti-virus resource

Research

Terms

Check your understanding - Questions

Check your understanding - Answers


Getting Started

These unit notes have been developed to provide a learning pathway to competence in ICASAS301A Run standard diagnostic tests. The notes contain all the skills and knowledge required to achieve competence.

Using these notes

Icons and symbols are used throughout this guide to provide quick visual references. They indicate the following:

ACTIVITY: An activity is listed to be completed

ACTIVITY: A learning activity requiring some physical action

WWW: A web link is listed

REFLECTION: A point is to be considered and thought about more deeply

IMPORTANT: A pivotal point is detailed

SEARCH: A particular item / book etc needs to be found and applied


Detect and remove viruses

Viruses are one of the fastest growing problems or issues affecting the Information Technology industry. The main problem for you, as an IT worker, is the fact that the virus threat is always changing. As computer systems change, so do the weaknesses that a virus may attempt to exploit. In terms of viruses, your job will be to help manage the threats to your employer’s computer systems.

After completing this topic you will be able to:

Scan a system to check and maintain virus protection.

Report identified viruses to an appropriate person.

Remove virus infections found by the scan using software tools and/or procedures by restoring back-ups.

Before you start

You should already be able to use an operating system, install software and access the Internet before you start this topic.

What is a virus?

A virus is basically a computer program that has been written to perform a specific set of tasks. Unfortunately, those tasks are often not the sort of things we would allow if we had a choice. A virus may do any of the following:

install itself on a computer in a way that makes it difficult to detect and remove

replicate itself from the infected computer to other computers

perform routine system file management processes such as file deletion and boot record modification

copy information across a network link

carry out its activities without any regard for the system or network resources it is utilizing.

Types of viruses

There are many types of viruses found in the IT workplace. They are divided into different categories related to how they infect a computer.

Hard disk based viruses

These viruses infect the boot or partition sectors of a hard disk drive. They can be particularly damaging, as they are capable of changing information about the logical drive structure of your computer. They become active before your operating system as they form part of the first area read on a drive when a computer is booted. Boot sector viruses are based upon the weaknesses of a particular drive format such as FAT, HFS, EXT2, or NTFS.

Executable file based viruses

A virus can also attach itself to an executable file. An executable file is a program that is designed to have instructions for the computer to follow. By adding itself to the code of such files, a virus is easily activated every time that particular program is run. Executable files in the Microsoft world normally have a ‘.exe’ file extension. A common target for a virus designed to infect an executable file is the anti-virus software itself.

Document file-based viruses

Normally a computer does not execute a data file. Rather, it is read and the contents of that file are opened by another program for editing. However, a number of data files, such as those made by word processors or spreadsheets, do have executable code in the form of macros as part of their standard format. Macros are executed by the host program when the data file is read. By attaching itself to a data file, in the form of a macro, the virus is then executed every time the infected data file is opened.

Web-based viruses

The increased access to the Internet combined with the increasing complexity of website scripting has allowed many new areas for viruses. An Internet browser is designed to read and execute scripts saved on websites. These scripts provide the content of web pages. However, if a website script includes a virus script as part of the page, infections can occur. This type of script is often in the form of a JavaScript, VBScript or even an applet. Simply visiting a site using a browser with low security settings will lead to virus infections.

Email-based viruses

Email viruses often appear in the form of an attachment. The simple act of opening an attachment or even viewing an infected email may be sufficient to execute the virus code. Email is quickly growing as one of the fastest transmission methods of viruses. When installed on a computer, one of the first targets of an email-based virus is the address book of the email client software. Viruses are capable of emailing themselves to every contact in the address book of the computer.

Detecting and removing a virus

Unfortunately, the most common way of detecting the presence of a virus is through its effects on an infected computer. While computers can never be completely protected from viruses, most infections occur on computers that either have no anti-virus software or anti-virus software which has not been kept up-to-date.

The use of anti-virus software, and the procedures to be followed if a virus is discovered, will usually be covered by policies and procedures developed by your organisation. It is important to become familiar with these procedures so that you will know what to do, and what not to do, in the event of a virus attack.

How does anti-virus software work?

The three basic ways in which anti-virus software works are:

1. scans for viruses

2. removes viruses

3. offers limited protection against the installation of new viruses.

All of these tasks depend on the anti-virus software having been programmed to identify the virus. The latest virus will always be ahead of the anti-virus software. Anti-virus software requires the user to download updates that list known viruses. This information is stored in a data file, sometimes known as the Virus Definition File. This file contains a list of known virus signatures.


Figure 1: AntiVirus software

Anti-virus packages provide information about the version or date of the Virus Definition File. It is vital that anti-virus software be kept up-to-date to maximise the computer’s protection against a virus threat.

Scanning for viruses

Typically, an anti-virus program checks a number of items when it does a scan for new viruses. It checks that the software itself has not been altered by a virus. It will also check the computer’s Random Access Memory (RAM), hard disk drive (HDD) boot sector and each file on the drive.

Figure 2: Scanning for viruses in Windows

When your anti-virus program scans for viruses, it is looking for signs that a file has become infected. Symptoms may be that a file has changed size unexpectedly or that the date may have changed without user intervention. The anti-virus program will also scan for patterns of bits, called signatures, which are known to match the program code of a virus.


These ‘bit patterns’ are stored in a database called a Virus Definition File. Since new viruses are detected each day, it is important to keep your anti-virus program up-to-date by obtaining the latest versions of these definitions.
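The signature scan and definition-file date check described above, as an added example that is not part of the original unit notes. The definition file format, signature names and byte patterns, sample files and the 30-day staleness threshold are all constructed assumptions; the block also keeps a size and SHA-256 baseline of each clean file to show that an altered file with no matching signature is missed by the signature scan but still flagged by the baseline comparison.

```python
"""Minimal signature scanner: definition file, byte-pattern search, baseline check."""
import hashlib
from datetime import date

# Constructed definition file (hypothetical format): a date header,
# then one NAME=hex-pattern entry per line.
SAMPLE_DEFINITIONS = """\
# definitions-date: 2013-05-01
Demo.Marker.A=deadbeef4d41524b
Demo.Marker.B=0badf00d
"""


def load_definitions(text):
    """Parse definition text into (release_date, {name: byte pattern})."""
    released, signatures = None, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):
            if "definitions-date:" in line:
                released = date.fromisoformat(line.split(":", 1)[1].strip())
            continue
        name, sep, hex_pattern = line.partition("=")
        if not sep:
            raise ValueError(f"malformed definition line: {raw!r}")
        signatures[name.strip()] = bytes.fromhex(hex_pattern.strip())
    if released is None:
        raise ValueError("definition file has no date header")
    return released, signatures


def scan_bytes(data, signatures):
    """Return the names of all signatures whose byte pattern occurs in data."""
    return sorted(name for name, pattern in signatures.items() if pattern in data)


def fingerprint(data):
    """Record what a clean file looked like: its size and SHA-256 digest."""
    return {"size": len(data), "sha256": hashlib.sha256(data).hexdigest()}


def scan_system(files, baselines, definitions_text, today, max_age_days=30):
    """Scan every file; also report how old the definitions are."""
    released, signatures = load_definitions(definitions_text)
    age = (today - released).days
    report = {"definitions_age_days": age,
              "definitions_stale": age > max_age_days,  # threshold is an assumption
              "findings": {}}
    for name, data in sorted(files.items()):
        notes = [f"signature:{hit}" for hit in scan_bytes(data, signatures)]
        baseline = baselines.get(name)
        if baseline is not None:
            current = fingerprint(data)
            if current["size"] != baseline["size"]:
                notes.append("size-changed")
            elif current["sha256"] != baseline["sha256"]:
                notes.append("content-changed")
        if notes:
            report["findings"][name] = notes
    return report


def demo():
    """Run the scanner over three constructed in-memory 'files'."""
    clean = {"report.doc": b"quarterly figures",
             "tool.exe": b"MZ original program body",
             "notes.txt": b"meeting notes"}
    baselines = {name: fingerprint(data) for name, data in clean.items()}
    current = dict(clean)
    # Altered file that contains a pattern listed in the definitions.
    current["tool.exe"] = clean["tool.exe"] + bytes.fromhex("deadbeef4d41524b")
    # Altered file with bytes that match no signature: only the baseline notices.
    current["notes.txt"] = clean["notes.txt"] + b"\x00" * 16
    return scan_system(current, baselines, SAMPLE_DEFINITIONS, today=date(2013, 7, 1))


if __name__ == "__main__":
    print(demo())
```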

Some anti-virus software will check for viruses as you work. This means that when a file or document is accessed, the anti-virus program will automatically scan it.

It is important for you to become familiar with the virus scanning software available on your computer or used in your organisation.

Reporting the virus infection

Your organisation will usually have procedures in place to control what actions are to be taken in the event of a virus being discovered.

The first action will normally be to report the results of the virus scan to the appropriate person, usually a Systems Administrator or member of the Information Technology Support section. This person will initiate the appropriate response to the virus, which may include quarantining the machine by disconnecting it from the network, as well as attempting to remove the virus, or at least stopping it from spreading.

The job of removing the virus may come back to you, but by following procedures and reporting the virus you will assist in maintaining the organisation’s virus protection.

The Administrator may also log the virus details, and conduct an investigation into the likely source of the virus and the method of infection. This is particularly important if the organisation has anti-virus protection systems installed, as it may indicate that either the anti-virus systems are faulty, or that some member of staff is doing something that breaches the security of the organisation and allows a virus to bypass the anti-virus systems. In either case, the Administrator may be able to identify the cause of the infection and take action to stop it happening again.

Removing viruses

Methods for removing viruses vary greatly. Many anti-virus programs come equipped with procedures to remove common viruses from the system. If they cannot remove a virus, the next step taken by the anti-virus software is to quarantine the infected file for action at a later date.

The support site of the anti-virus software company will also provide tools, such as documents detailing virus cleaning procedures, or utility programs that can be downloaded to the infected computer to clean it.

The type of actions required to remove a virus is different for each version of a virus. There are too many variations of viruses to even start to describe every removal procedure here. However, the most common methods of virus removal are:

1. removal by the anti-virus program that detected it

2. removal by a software utility from the anti-virus software support site

3. manual removal following a written procedure.

The support site should be your first point of contact if the anti-virus software on the computer fails to clean the identified virus.


However, when all else fails and a virus damages the computer there is no substitute for accurate backups. Any system installed should have a backup of the original state of the computer system as well as backups of data.

Data mining software

Viruses represent one of the most immediate and dangerous threats to your computer system. There are, however, other threats to computer systems that are connected to the Internet or commonly have ‘shareware’ programs installed on them.

Data mining programs are not commonly recognised as viruses. Many types of anti-virus software will not detect them. Data mining software is often installed on a computer without the user’s consent as part of another action, such as visiting a website. Such software remains on a computer undetected and transmits information about the computer over the Internet to a pre-configured network address.

Information gathered by data mining software may be harmless, but it may also contain confidential information that has been gathered from data files on the computer.

Products such as ‘Ad-Aware’ and ‘Spyware’ are programs that can be purchased to detect the presence of data mining software. They work in a similar way to anti-virus software. They scan the computer, detect the presence of suspect software and will attempt to remove it. They also have identification updates that should be downloaded on a regular basis.

Summary

As an IT Support person, it is important that you should understand the threat posed by viruses and the range of anti-virus software and virus prevention measures available to you.

In particular, you should be able to:

Scan a device for the presence of viruses.

Follow organisational procedures regarding virus attacks, including reporting the virus information to an appropriate person for action.

Visit the support site for the anti-virus software installed on your computer.

Download updates from the anti-virus software support site.

Download virus removal tools from the anti-virus software support site.


Check your progress - Questions

Activity 1: Prepare a new computer for the workplace

You have been provided with a new computer for your business. Your job is to complete a series of tasks that will prepare it for the workplace.

Number the following tasks in correct order:

Partition and format the hard disk drive.

Install and configure the operating system.

Install the company’s preferred anti-virus software.

Update the anti-virus software with the latest virus identification files.

Install application software.

Test the system.

Backup the system.

Install the computer into the office environment.

Activity 2: Detect a virus

You have been called to a computer that has recently shown symptoms of a possible virus infection. However, the anti-virus software does not detect any viruses on the computer. The main screen of the installed anti-virus software is shown below:


The items following are problems with the anti-virus software installation as shown above. Which of the following is most likely to have led to an infection occurring?

A. There are no automatic startup scans.

B. There are no scheduled system scans.

C. The date of the virus definition file.

D. The version of the scan engine.

Activity 3: Check anti-virus support

1. Using the anti-virus software installed on your computer, find the date or version of the virus definition file. Record this information.

2. Then, using the Internet, go to the website that supports your anti-virus software and identify the latest virus definition file available for it. Download and install the file if possible.

3. Finally, run a system scan using your anti-virus software.

Activity 4: Create an anti-virus resource

Complete these steps related to the maintenance of stand-alone computers:

1. Create a list of files which you would place on a CD as an anti-virus resource. These tools should include the latest set of virus update files for your anti-virus software, cleaning utilities for common viruses and procedures for the manual removal of viruses.

2. To accompany the files, produce a text file called README.TXT which describes each of the files you have collected, the target operating system, the anti-virus software the files are intended for and the websites that each file was downloaded from.

To limit the scope of this exercise include a maximum of 10 files in total.


Check your progress - Answers

Activity 1: Prepare a new computer for the workplace

The steps in the correct order are:

1 Partition and format the hard disk drive.

2 Install and configure the operating system.

3 Install the company’s preferred anti-virus software.

4 Update the anti-virus software with the latest virus identification files.

5 Install application software.

6 Test the system.

7 Backup the system.

8 Install the computer into the office environment.

Activity 2: Detect a virus

C: The date of the virus definition file is crucial. It is old and out of date, allowing newer viruses to infect the computer.

Activity 3: Check anti-virus support

The purpose of this exercise is to ensure you are able to access the support website for the anti-virus software you are using. It is very important to check that you have identified the latest virus definition files for your anti-virus software and applied the update. Finally, you should be able to complete a system scan.

Activity 4: Create an anti-virus resource

The purpose of this exercise is to ensure you are able to access the support website for the anti-virus software you are using. It is very important to check that you have identified the latest virus definition files, identified appropriate virus cleaning utilities and written procedures for removing common viruses.


Research

There are many websites that provide information, tools and updates for the prevention of virus infections. They can be divided into three categories. These are:

1. Vendor anti-virus software support sites such as http://www.symantec.com.au/, http://www.vet.com.au/, http://www.macafee.com/ are locations where the latest patches and tools for their software are found. These tools include removal utilities, virus definition update files and removal procedures.

2. Virus information centres such as the European Institute for Computer Anti Virus research http://www.eicar.com/, and the Computer Associates Security Advisor section of their support website at http://www3.ca.com/support. These sites contain information about virus threats and commonly available removal tools.

3. Operating system vendor sites which also contain information about patches and updates for their software that may assist in the prevention of virus infections.

It is always useful to have a link to a good PC dictionary, such as http://www.webopedia.com or http://www.techweb.com/encyclopedia

Terms

Antivirus software: software used to detect and eliminate computer viruses

Boot sector: a sector of a hard disk that contains a loader program for starting an operating system

Backup: a copy of a computer program or file stored separately from the original

Background scanning: automatic scanning of files and documents as they are created, opened, closed, or executed

Data file: a file consisting of data in the form of text, numbers, or graphics, as distinct from a program file containing commands and instructions

Executable (EXE) file: programs or self-extracting files with an .exe filename extension. Clicking on an executable file will start the program running

Infection (by virus): entry of a virus into a computer

Macro: an instruction (usually a keystroke or keystroke combination) that signals the computer to perform a predefined sequence of instructions

Macro virus: a macro containing virus code that a user may execute unknowingly, which replicates and may cause damage on the affected system

Operating system: program, such as Windows or Unix, that manages all other programs in a computer

Replication (of virus): viruses spread by making copies of themselves

Trojan horse: a destructive program that pretends to be a harmless one

Virus: program that is very damaging to your computer should it infect your system

Virus signature: a unique string of binary digits of a virus (like a fingerprint)

Worm: a program that replicates from machine to machine across network connections often clogging networks and information systems as it spreads


Check your understanding - Questions

This topic applies to a range of study areas as well as previous IT experience, and you may already have the skills required to deal with the virus threat at this level. Try to answer the following questions to check what you may already know.

Question 1

What is a computer virus? Is it:

A. A biological infection?

B. Software that affects all computers regardless of type?

C. Software that uses normal computer functions without your consent?

D. Software that makes the computer perform abnormal functions?

Question 2

Which of the following are not types of viruses?

A. Boot sector viruses

B. Word data file viruses

C. Web based viruses

D. JPEG file viruses

Question 3

Answer true or false for the following statement.

Viruses can be transmitted through the Internet?

Question 4

Answer true or false for the following statement.

Viruses can be transmitted by sharing an electrical power point with an infected computer.

Question 5

Here is a list of computer hardware and software items:

partition sector of a hard disk drive

boot sector of a floppy disk drive

an executable file on a CDROM

a data file which includes macros stored on a USB memory stick

a USB optical, cordless mouse

a hard disk with no partition information on it.

From the list above identify which components can commonly carry a virus from one computer to another.


Question 6

Answer true or false for the following statement.

All virus software should have its virus recognition files updated every month.

Question 7

The manufacturers of anti-virus software have Internet sites that provide:

A. Virus updates for their programs

B. Utility tools to assist in the removal of certain viruses

C. Written procedures for the manual removal of certain viruses

D. All of the above

Question 8

Answer true or false for the following statement.

A computer with up-to-date anti-virus software is totally protected.


Check your understanding - Answers

Question 1

C: Correct. A virus is simply a computer program that uses the normal range of computer functions. The problem occurs because the user has not requested that these tasks be done – the virus does them without consent.

Question 2

D: Correct. Viruses contain computer code that needs to be executed. Straight data files do not normally contain viruses.

Question 3

True. The Internet is currently the largest source of virus infections in the IT industry.

Question 4

False. This is a false statement. Information transfer must occur for a virus to be shared. Commonly this happens through a network or through storage devices.

Question 5

Common methods for virus transfer can occur through a network or through shared storage devices. For example:

partition sector of a hard disk drive

boot sector of a floppy disk drive

an executable file on a CDROM

a data file which includes macros stored on a USB memory stick.

Question 6

True. An anti-virus program is most effective when kept up to date with its virus recognition files.

Question 7

D: Correct. Manufacturers of anti-virus software provide a range of support tools including updates, virus removal utility tools and manual procedures for virus removal.

Question 8

False. This is a false statement. A computer is never totally protected. A recent virus may infect a computer before a suitable update is available for the anti-virus software.
