A question about viruses and AV software

Once a virus enters circulation, do AV software makers have a time period where they’ll consider it a threat and then no longer include it in libraries, or is it pretty much considered a virus forever?

I got to thinking about this the other day, and it strikes me as quite a wonder that as much as AV software slows down a machine, there’s quite a bit being done. Each file in the scan, I presume, has to be checked against all known virus signatures, and as time goes on that collection of signatures has got to get quite scary.

I’ve wondered the same thing. I know that at least some AV software downloads new files every day, sometimes more often.

One answer, I suppose, is that speed and memory capacity tend to grow over time, but I’d doubt that it’s fast enough to keep up with the constant growth in viruses. I’m sure that the algorithms have improved over time also but again it doesn’t seem like it could keep up and there’s a limit to how far that can go without trading off too much accuracy.
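
To put some substance behind the "checked against all known virus signatures" worry and the "algorithms have improved" guess in the two posts above, here is an added example (written for this page; it is not code from any antivirus product or from anyone in this thread). It builds an Aho-Corasick automaton from a set of byte signatures and scans a buffer in a single pass whose cost is bounded by the file size, not by the number of signatures, and compares that against the naive one-pass-per-signature loop. The signature names and byte patterns, and the two sample "files", are constructed for the demonstration and are not real malware signatures.

```python
"""Multi-pattern signature scanning: one pass per file, however many signatures
are loaded. Added illustration, not taken from any AV engine. All signatures
and sample buffers below are constructed test data, not real malware."""
from collections import deque

# Constructed toy signature set (hypothetical names and bytes).
# "fake-substring-D" is deliberately a suffix of "fake-dropper-B" so that the
# scan shows overlapping matches being reported from one automaton state.
SIGNATURES = {
    "fake-boot-sector-A": b"\xeb\x3c\x90FAKEBOOT",
    "fake-dropper-B": b"cmd.exe /c del",
    "fake-poc-C": b"POC-ONLY-NEVER-ITW",
    "fake-substring-D": b"del",
}

# Constructed sample buffers standing in for files on disk.
SAMPLE_FILE = (b"MZ\x90\x00 padding " + b"cmd.exe /c del C:\\foo"
               + b" more " + b"\xeb\x3c\x90FAKEBOOT")
CLEAN_FILE = b"MZ\x90\x00 " + b"A" * 200


class SignatureAutomaton:
    """Aho-Corasick automaton over raw bytes: a trie of all signatures plus
    failure links, so the scan never re-reads input when a partial match dies."""

    def __init__(self, signatures):
        self.goto = [{}]    # state -> {byte: next state}
        self.fail = [0]     # state -> longest proper-suffix state
        self.out = [[]]     # state -> [(signature name, pattern length)]
        for name, pattern in signatures.items():
            self._insert(name, pattern)
        self._link_failures()

    def _insert(self, name, pattern):
        state = 0
        for byte in pattern:
            nxt = self.goto[state].get(byte)
            if nxt is None:
                nxt = len(self.goto)
                self.goto.append({})
                self.fail.append(0)
                self.out.append([])
                self.goto[state][byte] = nxt
            state = nxt
        self.out[state].append((name, len(pattern)))

    def _link_failures(self):
        # Breadth-first so every state's failure target is already linked.
        queue = deque(self.goto[0].values())
        while queue:
            r = queue.popleft()
            for byte, s in self.goto[r].items():
                queue.append(s)
                f = self.fail[r]
                while f and byte not in self.goto[f]:
                    f = self.fail[f]
                self.fail[s] = self.goto[f].get(byte, 0)
                # A state also reports every signature that ends at its fail state.
                self.out[s] = self.out[s] + self.out[self.fail[s]]

    def scan(self, data):
        """Return ([(name, offset)], work) where work counts automaton steps.
        Each byte advances the state once and fail links are followed at most
        as often as the state has advanced, so work <= 2 * len(data)."""
        hits, work, state = [], 0, 0
        for i, byte in enumerate(data):
            while state and byte not in self.goto[state]:
                state = self.fail[state]
                work += 1
            state = self.goto[state].get(byte, 0)
            work += 1
            for name, length in self.out[state]:
                hits.append((name, i - length + 1))
        return hits, work


def naive_scan(data, signatures):
    """The approach the post assumes: one full pass over the file per signature."""
    hits, work = [], 0
    for name, pattern in signatures.items():
        work += len(data)          # cost grows linearly with the signature count
        pos = data.find(pattern)
        while pos != -1:
            hits.append((name, pos))
            pos = data.find(pattern, pos + 1)
    return sorted(hits, key=lambda h: h[1]), work


if __name__ == "__main__":
    engine = SignatureAutomaton(SIGNATURES)
    for label, blob in (("sample", SAMPLE_FILE), ("clean", CLEAN_FILE)):
        hits, work = engine.scan(blob)
        _, naive_work = naive_scan(blob, SIGNATURES)
        print(f"{label}: {len(blob)} bytes, automaton steps={work}, "
              f"naive steps={naive_work}, hits={hits}")
```

The point for the thread: with an automaton (or the hashed/indexed variants real engines use) adding a signature costs memory and build time, not a further pass over every file, which is why a database with hundreds of thousands of entries does not make each scan hundreds of thousands of times slower. The naive loop's `work` figure is what the scaling worry in the posts above would look like if engines really did compare each file against each signature one at a time.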

It used to be that all threats were kept in the virus definition file, but I’m seeing that older viruses are culled. We actually had a couple of computers infected this year with the NYB virus, which hadn’t been prevalent since Windows 95 replaced Windows 3.1. Our antivirus couldn’t clean it.

I’m still trying to figure out how it got infected – it required that someone boot from an infected floppy drive, and the computers infected were set so that they would boot from the hard drive before looking at the floppy (they did have them, though).

Is another source of culling the database OS patches and updates? If Windows closes a security hole (hey, stop laughing), there is no need to worry about that particular virus. I imagine, given the dollars at stake in the security world, that performance tweaks are a factor. What would it take to keep an internal table of viruses and the holes they exploit? How much processing time/power could be shaved by keeping the database free of extraneous viri?

This assumes they’re assuming a patched computer, of course. Maybe patched to two generations ago?

I’ve scanned disks from 10 years ago and more and found viruses with my current software (I was such a bad boy). So no, it’s like herpes - it never goes away, just into remission.

Alas, some computers haven’t been patched in years.

However, they may cull old viruses that have never been seen “in the wild.” There often are “proof of concept” viruses, or ones that never have been seen outside of test computers. I’d say that after several years, they can safely be removed from the database.