Tuesday, May 1, 2007

Detecting Macro Viruses - A TRIZ Based Analysis

Author: Umakant Mishra
Abstract:
Macro viruses are easy to create but difficult to detect. Even for a virus scanner it is difficult to decide which macro is a virus and which is not, because a legitimate user macro may also create files, send emails and perform all the other activities that a macro virus can. Genuine macros and virus macros are hard to tell apart because both do similar kinds of jobs, and suspecting a macro of being a virus just because it is “writing to a file” may result in false positives. It is therefore necessary to improve on the emulation method, for example by statically analyzing the macro operations within a document, in order to save system resources and detect macro viruses more effectively.

Signature scanning can detect macro viruses, but the method is not very effective because plenty of new macro viruses are created every day whose signatures are yet to be added to the signature database. Integrity checking does not work for detecting macro viruses, because comparing checksums is not feasible for document files, which users modify on a regular basis. Heuristic scanning is the most effective way to detect macro viruses of all types, old and new. The heuristic technique does not require exact signatures of known viruses; it simply examines a target program and analyzes its code to determine whether the code appears virus-like.
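The heuristic idea in the abstract, scoring a macro on a combination of virus-like operations rather than on a lone "writes to a file", is illustrated below with an added example that is not from the paper. The rule set, weights, threshold and the two sample macros are constructed for illustration; the Word/VBA names inside the patterns (AutoOpen, NormalTemplate, VBProject, CodeModule.AddFromString, OrganizerCopy, VirusProtection) are real, and the second sample carries indicator tokens only and is not working code.

```python
import re

# Constructed heuristic rule set for static analysis of VBA macro source:
# (name, pattern, weight). The Word/VBA names in the patterns are real;
# the weights and the threshold below are illustrative, not from the paper.
RULES = [
    ("auto_exec", r"\bSub\s+(AutoOpen|AutoClose|AutoExec|Document_Open|Document_Close)\b", 2),
    ("file_write", r"\bOpen\b.+\bFor\s+(Output|Append|Binary)\b|\b(Print|Write)\s*#", 1),
    ("template_write", r"\bNormalTemplate\b.*\bVBProject\b|\bOrganizerCopy\b", 3),
    ("code_copy", r"\bCodeModule\.(InsertLines|AddFromString)\b", 3),
    ("disable_security", r"\bDisableAutoMacros\b|\bVirusProtection\s*=\s*False\b", 3),
    ("shell_exec", r"\bShell\s*\(|\bWScript\.Shell\b", 2),
    ("send_mail", r"\"Outlook\.Application\"|\.Send\b", 1),
]
REPLICATION = {"template_write", "code_copy"}  # rules that indicate self-copying


def scan_macro(source: str) -> tuple[int, list[str]]:
    """Return (score, names of triggered rules) for one macro's source text."""
    hits = [name for name, pat, _ in RULES if re.search(pat, source, re.I)]
    score = sum(w for name, _, w in RULES if name in hits)
    return score, hits


def classify(source: str, threshold: int = 4) -> str:
    """Flag a macro only on a combination of indicators, never on a lone file write."""
    score, hits = scan_macro(source)
    if "auto_exec" in hits and REPLICATION & set(hits):
        return "virus-like"   # runs automatically and copies code into a template
    if score >= threshold:
        return "suspicious"   # enough accumulated weight to warrant a closer look
    return "benign"


# Constructed samples: a legitimate report-writing macro, and a macro that carries
# the indicator tokens of a replicating macro (tokens only, not working code).
USER_MACRO = '''Sub SaveReport()
    Open "C:\\reports\\summary.txt" For Output As #1
    Print #1, ActiveDocument.Name
    Close #1
End Sub'''

REPLICATING_MACRO = '''Sub AutoOpen()
    Options.VirusProtection = False
    NormalTemplate.VBProject ... CodeModule.AddFromString ...
End Sub'''

if __name__ == "__main__":
    for label, src in (("user macro", USER_MACRO), ("replicating macro", REPLICATING_MACRO)):
        print(label, "->", classify(src), scan_macro(src))
```

The user macro triggers only `file_write` and stays benign, while the second sample is flagged because an automatic trigger coincides with template-writing and code-copying indicators.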

Keywords: computer virus, anti-virus, anti-virus software, computer security, anti-virus design, anti-virus development, inoculation, virus scanning, virus detection, signature scanning, integrity checking, heuristic scanning, emulation, activity monitoring, generic scanning, behavior monitoring, resident scanning, virus database, macro virus, word macro


Mishra, Umakant, Detecting Macro Viruses - A TRIZ Based Analysis (January 9, 2012). Available at SSRN: http://ssrn.com/abstract=1981892 or http://dx.doi.org/10.2139/ssrn.1981892
