Next: Other Tools Up: Research Efforts Previous: Heuristic Binary Analysis

Precise Identification Tools

Precise identification tools are a means by which viruses are named with a much higher degree of assurance. These tools are intended to augment detection tools. Once a virus has been detected, a precise identification tool would be invoked in order to more accurately identify the virus.

Functionality

Virus scanners, currently the most common virus detection method, generally employ signature scanning to detect and identify viruses. This method, however, can lead to misidentifications: the signature that the scanner matched could appear in more than one variant of the virus. To avoid misidentification the whole virus must match, not just a subset of the virus (i.e., the signature). It is neither feasible nor desirable for identification software to be distributed containing the code of every virus it can detect. Therefore, prototype precise identification tools use a "virus map" to represent the contents of the virus. The virus map contains checksum values for all constant parts of the virus code. The map skips over sections of the virus that contain variable information such as text or system-dependent data values.

If the checksums computed over the corresponding portions of the program match those recorded in the map, the program is almost certainly infected by the virus corresponding to that map. If none of the maps in the database correspond, the program is either infected by a new virus or uninfected.
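The following is an added illustration of the virus-map scheme described above; it is not code from the original report. It uses constructed byte strings standing in for a viral body, SHA-256 as the per-region checksum (the report does not specify a checksum algorithm), and map offsets relative to the start of the suspected viral body, which a separate detection pass is assumed to have located. It also contrasts the map with a plain signature scanner to show the misidentification the text warns about: a variant that shares the signature but differs elsewhere is named by the scanner, yet correctly reported as unknown by the map.

```python
import hashlib

# Constructed sample bytes (not real virus code): a constant "head" region,
# a variable text region that differs between infections, and a constant "tail".
CODE_HEAD = b"\x55\x8b\xec\x83\xec\x10\x33\xc0"      # 8 bytes, constant
TEXT_1 = b"Hi from sample 1"                         # 16 bytes, variable
TEXT_2 = b"Hi from sample 2"                         # 16 bytes, variable
CODE_TAIL_A = b"\x8b\x45\x08\x5d\xc3\x90\x90\x90"    # 8 bytes, constant in A
CODE_TAIL_B = b"\x8b\x45\x08\xc9\xc3\xcc\xcc\xcc"    # 8 bytes, constant in variant B

SAMPLE_A = CODE_HEAD + TEXT_1 + CODE_TAIL_A          # reference sample used to build map A
SAMPLE_B = CODE_HEAD + TEXT_1 + CODE_TAIL_B          # reference sample used to build map B
INFECTED_A2 = CODE_HEAD + TEXT_2 + CODE_TAIL_A       # same virus A, different variable text
VARIANT_B = CODE_HEAD + TEXT_2 + CODE_TAIL_B         # variant B, shares A's signature bytes


def region_checksum(data, offset, length):
    """Checksum of one constant region (SHA-256 chosen here; an assumption)."""
    return hashlib.sha256(data[offset:offset + length]).hexdigest()


def build_map(name, sample, constant_regions):
    """Build a virus map: checksums over the constant regions only.
    Gaps between regions (text, system-dependent values) are skipped."""
    regions = [(off, ln, region_checksum(sample, off, ln))
               for off, ln in constant_regions]
    return {"name": name, "regions": regions}


def matches_map(program, vmap, base=0):
    """True only if EVERY constant region of the map matches the program.
    `base` is where the suspected viral body starts inside the program."""
    for off, ln, digest in vmap["regions"]:
        start = base + off
        if start + ln > len(program):
            return False                 # program too short to hold this region
        if region_checksum(program, start, ln) != digest:
            return False                 # a constant region differs: not this virus
    return True


def identify(program, database, base=0):
    """Precise identification: name of the first map whose constant regions all
    match, otherwise 'unknown' (new virus, or not infected at all)."""
    for vmap in database:
        if matches_map(program, vmap, base):
            return vmap["name"]
    return "unknown"


def signature_scan(program, signatures):
    """Plain signature scanner for contrast: names the first virus whose
    signature substring occurs anywhere in the program."""
    for name, sig in signatures.items():
        if sig in program:
            return name
    return "unknown"


# Maps cover the head (offset 0, 8 bytes) and tail (offset 24, 8 bytes),
# skipping the 16 variable text bytes in between.
CONSTANT_REGIONS = [(0, 8), (24, 8)]
MAP_A = build_map("A", SAMPLE_A, CONSTANT_REGIONS)
MAP_B = build_map("B", SAMPLE_B, CONSTANT_REGIONS)
DATABASE = [MAP_A, MAP_B]
SIGNATURES = {"A": CODE_HEAD}             # a signature chosen from virus A


if __name__ == "__main__":
    print("A with different text :", identify(INFECTED_A2, [MAP_A]))    # A
    print("variant B, signature  :", signature_scan(VARIANT_B, SIGNATURES))  # A (misidentified)
    print("variant B, map A only :", identify(VARIANT_B, [MAP_A]))      # unknown
    print("variant B, full DB    :", identify(VARIANT_B, DATABASE))     # B
```

A map matches only when every constant region matches, so a variable text region is ignored while a single differing constant byte anywhere else yields "unknown", which is the intended behaviour for a virus with no database entry.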

Selection Factors

The quality of the results produced by a precise identification tool depends on the quality of the virus map database. If the database has been built carefully and kept current, these tools are extremely accurate and precise when identifying known viruses. Conversely, if the virus is new or has no corresponding entry in the database, the precise identification tool should always "fail" to identify the virus.

This type of tool is easy to use. The user simply specifies an executable, and the tool returns a name, if known. The results are unambiguous: it is virus "X," or it is unknown.

Precise identification tools are slow because of the intensive computation involved. They may be used to perform an identification pass after a more efficient detection tool has flagged a file. Such a plan provides the user with the benefits of precise identification without great overhead: once a virus has been detected, the user wants to know exactly which virus is present, and time is not a significant factor.

Summary

Users want to know more about the virus infecting their systems. Precise identification will help them obtain more complete information and can also facilitate automated removal.

Researchers will also wish to use this type of tool. It will allow them to separate samples of known viruses from new ones without performing analysis.





konczal@csrc.ncsl.nist.gov
Fri Mar 11 21:26:02 EST 1994