Heuristic analysis of viruses. What is a heuristic analyzer? Search for viruses on floppy disks

An antivirus program searches for viruses and malicious objects by comparing the program under investigation against its database of virus descriptions. If a match is found, the antivirus can cure the detected virus; the rules and cure methods are usually stored in the same database.

However, this database is also a weak point of the antivirus: it can only detect viruses that are described in it. This problem can be partially eliminated with a heuristic analyzer, a special antivirus subsystem that tries to detect new types of viruses that are not described in the database. In addition to viruses, the AVZ heuristic analyzer tries to detect spyware, hijackers and Trojans.

The heuristic analyzer works by searching for features characteristic of viruses and spyware (fragments of program code, specific registry keys, files and processes). In addition, the heuristic analyzer tries to assess the degree of similarity of the object under investigation to known viruses.

When searching for spyware, rootkits and hijackers, heuristic analysis is most effective when it is applied not to individual files on the disk but to the entire system as a whole. It analyzes the totality of data in the registry, files on disk, processes and libraries in memory, listening TCP and UDP ports, active services and loaded drivers.

A characteristic of heuristic analysis is a fairly high percentage of errors: the heuristic can report the detection of suspicious objects, but this information needs to be checked by virologists. As a result of that check, the object is either recognized as malicious and included in the databases, or a false alarm is recorded and a correction is made to the heuristic analyzer's algorithms.

Most antiviruses (including AVZ) have the ability to adjust the sensitivity of the heuristic analyzer. In this case, a contradiction always arises - the higher the sensitivity, the higher the probability of detecting an unknown malicious object by the heuristic. But with increasing sensitivity, the likelihood of false alarms increases, so you need to look for some kind of "golden mean".

The heuristic analyzer has several sensitivity levels and two special modes:

  • blocking the heuristic analyzer. In this case, the analyzer is completely shut down. In AVZ, in addition to adjusting the sensitivity level of the heuristic analyzer, it is possible to enable and disable heuristic system analysis;

  • "paranoid" mode - in this mode, the maximum possible sensitivity is turned on and warnings are displayed at the slightest suspicion. This mode is naturally unacceptable due to the very high number of false positives, but it is sometimes useful.

The main messages of the AVZ heuristic analyzer are shown in the following list:

"File name >>> suspicion of virus_name (brief information about the object)" - a message like this is issued when an object is detected that, according to AVZ, is similar to a known malicious object. The data in brackets allows the developer to find the entry in the anti-virus database that led to the issuance of this message;

"File name >>> PE file with non-standard extension" - this means that the file is a program (PE) file, but instead of the typical EXE, DLL or SYS extension it has a different, non-standard extension. It is not dangerous in itself, but many viruses mask their PE files by giving them PIF or COM extensions. This message is displayed at any heuristic level for PE files with the PIF and COM extensions, and for the rest only at the maximum heuristic level;

"File name >>> File name contains more than 5 spaces" - many spaces in a file name are rare, but many viruses use spaces to mask the real extension, creating files with names like "photo.jpeg .exe";

"Filename >>> Extension Masking Detected" - similar to the previous message, but issued when more than 15 spaces are found in the name;

"Filename >>> file has no visible name" - issued for files that do not have a name (that is, the file name has the form ".exe" or ".pif");

"Process Filename can work with network" - displayed for processes that use libraries such as wininet.dll, rasapi32.dll, ws2_32.dll, that is, system libraries containing functions for working with the network or controlling the dialing and connection process. This check is performed only at the maximum heuristic level. The use of network libraries is naturally not a sign that a program is malware, but it is worth paying attention to unfamiliar processes in this list.

After the message, a number can be displayed that represents the degree of danger in percent. You should pay special attention to files for which a severity level of more than 30 is issued.
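The file-name and extension checks from the list above can be expressed as a small scanner. This is an added example, not AVZ's own code: the function names, the numeric `MAX_LEVEL` scale, counting all spaces in the name (rather than consecutive ones) and letting the 15-space message replace the 5-space one are assumptions made for illustration.

```python
import ntpath
import struct

# Typical PE extensions named in the text; anything else is "non-standard".
STANDARD_PE_EXTENSIONS = {"exe", "dll", "sys"}
# Extensions the text says are reported at any heuristic level.
ALWAYS_REPORTED = {"pif", "com"}
# Assumption: heuristic levels are modelled as integers 1..MAX_LEVEL.
MAX_LEVEL = 3


def is_pe(data: bytes) -> bool:
    """Return True if the buffer starts with a DOS header that points to a PE signature."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    # e_lfanew (offset 0x3C) holds the file offset of the "PE\0\0" signature.
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    return data[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def split_name(path: str):
    """Split a Windows path into (file name, stem, lower-cased extension)."""
    name = ntpath.basename(path)
    stem, dot, ext = name.rpartition(".")
    if not dot:                      # no dot at all: the whole name is the stem
        return name, name, ""
    return name, stem, ext.lower()


def check_file(path: str, header: bytes, level: int = MAX_LEVEL):
    """Return the list of heuristic messages that apply to one file."""
    name, stem, ext = split_name(path)
    findings = []

    # PE content behind an extension other than EXE/DLL/SYS.
    if is_pe(header) and ext not in STANDARD_PE_EXTENSIONS:
        if ext in ALWAYS_REPORTED or level >= MAX_LEVEL:
            findings.append("PE file with non-standard extension")

    # Padding with spaces hides the real extension in narrow file listings.
    spaces = name.count(" ")
    if spaces > 15:
        findings.append("Extension Masking Detected")
    elif spaces > 5:
        findings.append("File name contains more than 5 spaces")

    # Names of the form ".exe" or ".pif": an extension with nothing before it.
    if ext and stem == "":
        findings.append("file has no visible name")

    return findings


def make_sample_pe_header() -> bytes:
    """Constructed sample: a minimal DOS header followed by the PE signature."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)
    return bytes(dos) + b"PE\0\0"


if __name__ == "__main__":
    pe = make_sample_pe_header()
    # Constructed sample inputs (path, first bytes of the file).
    samples = [
        (r"C:\Users\demo\invoice.pif", pe),
        ("photo.jpeg" + " " * 20 + ".exe", pe),
        (".exe", pe),
        ("notes.txt", b"plain text"),
    ]
    for path, header in samples:
        for message in check_file(path, header, level=1):
            print(f"{ntpath.basename(path)} >>> {message}")
```
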

Changes in the conditions and tasks of development of business entities, determined by modern economic situations and challenges of the time, have a fundamental impact on the methods of substantiating management decisions, the organization of management processes and methods of assessing the effectiveness of decisions.

Considering that "the method of economic analysis is understood as a dialectical approach to the study of economic processes in their formation and development", changes in product life cycles, technological structures, types of business and the depth of ongoing transformations require significant reform of the methods of economic analysis.

Taking into account the need to clearly define their competitive advantages and their consolidation for a long period, organizations pay special attention to development strategies, putting forward strategic guidelines (for example: mastering leadership positions in the market, ensuring customer loyalty, increasing the social significance of the organization), which have clear qualitative characteristics. Their quantitative parameters are often rather arbitrary and cannot be directly estimated.

Analysis and substantiation of trends in these groups of indicators require a significant change even in such traditional methods of analysis as comparison, detailing, grouping, etc., but more often involve the use of other methods of analysis, often purely logical.

The development of methods of economic analysis was especially influenced by the possibility of multivariate solutions, each of which is irrational and sometimes impossible to calculate in detail. This determined the accelerated use of new accounting methods. So, for example, for perspective, strategic analysis it is much more efficient to use the marginal method of calculating costs, which, with all its conventionality, allows you to form an optimal range of products. Accounting and analysis of the full cost of individual types of products are carried out only for the assortment items included in the production plan.

Since in the conditions of innovative development all stages of the reproduction cycle are significantly intensified, it is often necessary to ensure the parallel implementation of its individual stages. Many authors focus on assessing the behavior of individual indicators at different stages of the reproductive cycle, highlighting leading indicators. This is typical, first of all, for managerial work in the formation of development indicator panels. However, this approach to the classification of indicators is becoming more common.

To objectify the assessment of the development opportunities of an organization and determine its production, economic and financial potential, it is important that the indicators change according to the stages of the reproduction cycle: growth - during the period of recovery; decrease or increase - during a recession; stability - during stagnation, etc. In this regard, procyclical, countercyclical and acyclic indicators are distinguished, the dynamics of which is practically not associated with the reproductive cycle.

The increasing complexity of classifications of the indicator system presupposes the logical development and refinement of traditional methods of analysis.

So, when using the comparison method, it becomes increasingly important to compare the main financial and economic characteristics over a long period, since this allows you to identify cyclical fluctuations characteristic of different types of business processes. In horizontal analysis, a qualitative comparison of the sources of attracted funds with changes in individual groups of the organization's assets is used, along with a combination of horizontal and vertical analysis.

With the further development of economic analysis, it is important to classify indicators according to their role in making and justifying decisions of different classes and levels. In this regard, for each decision, a target indicator is allocated, the factors that determine its level, and, which is especially important for the objectivity of the decisions made, the limitations in which decisions are made.

Deterministic methods of analysis, including factorial, still prevail, but at the same time they are actively supplemented by methods of lengthening and expanding characteristics, which is associated with the detailing of factor indicators, taking into account their significance.

In factor analysis, it is necessary to identify the links between the change in the factor indicators and the need to make better use of existing resources or to introduce new resources, which requires additional funding. For this purpose, this group of indicators is divided into factors of extensive and intensive growth, which is especially important for assessing the financial strength of an organization and its economic potential.

Thus, in modern conditions, the professional judgment of an analyst is increasingly important when setting tasks and choosing methods of economic analysis.

The methods of logical heuristic analysis based on professional judgment, experience and intuition of specialists, and their individual or collective conclusions are gradually being used more and more. Among them, one can single out evaluative and evaluative-search methods of analysis (Fig. 2.2).

Figure: 2.2.

Heuristic methods are widely used in personnel management, management organization and selection of organizational behavior.

Conditions that predetermine the need to use heuristic methods:

  • the qualitative nature of the initial information, described using economic and social parameters, the lack of sufficiently representative and reliable information on the characteristics of the research object;
  • large uncertainty of the initial data for analysis;
  • lack of a clear subject description and mathematical formalization of the subject of assessment;
  • inexpediency and lack of time and funds for research using formal models at the first stages of substantiating management decisions;
  • lack of technical means with appropriate characteristics for analytical modeling;
  • extremeness of the analyzed situation.

Heuristic methods of analysis represent a special group of methods for collecting and processing information based on the professional judgment of a group of specialists. They are often called creative.

The basis for the application of heuristic methods are expert assessments of the processes, operations, and results under consideration.

Expert analysis methods are methods of organizing work with expert specialists and processing their opinions. Many analytical tasks require an independent opinion(s), i.e. the involvement of experts. Information received from experts cannot be considered ready for use; it must be processed and only then used for making management decisions.

When organizing the work of experts, it is necessary:

  • to select qualified experts;
  • to interview experts and get information of interest to analysts;
  • to define methods of processing and interpretation of information received from experts.

When selecting experts, one should take into account their competence and professional skills in the field of activity to be studied, the ability to think creatively, and the ability to work in a group (if several experts are involved).

When recruiting experts, it is advisable to be guided by such requirements as:

  • a high level of general erudition;
  • possession of special knowledge in the analyzed area;
  • the presence of certain practical and (or) research experience on the problem under consideration;
  • the ability to adequately assess the development trends of the object under study;
  • lack of bias, interest in a specific result of the assessment.

In this case, the members of the group can be equal or have a different rank, taken into account when deriving the results of the examination.

The method of the expert commission is based on the development of a single collective opinion by specially selected experts when discussing the problem posed and the alternatives for its solution as a result of certain compromises.

When using the method of the expert commission, not only the statistical processing of the results of the individual scoring of all experts is carried out, but also the exchange of views on the results of the examination, the refinement of the estimates. The disadvantage is the strong influence of authorities on the opinion of the majority of participants in the examination.

The conclusions obtained in the analysis based on heuristic methods have a logical basis and can take the form of: direct assessment (useful, harmful, acceptable, unacceptable); defining assumptions, i.e. the choice of the first-priority or the most successful decisions (this can be revealed through the ranking of assumptions, their scoring, etc.); selection of specific events for competitive study. Quite often, the group of experts includes professional consultants - professionals in the analyzed area.

Depending on the goals and focus, the expert group can be homogeneous or include representatives of different groups of specialists, and sometimes just interested persons. For example, when developing a technical solution at the first stage, only specialists of the corresponding profile are included in the expert group. When forming a group of experts to analyze technological developments, it includes: technologists who can professionally assess the technical novelty of a solution; economists evaluating the effectiveness of a solution; mechanics who can assess the feasibility of new technology on the existing production base; workers - performers of new technology.

When assessing the quality of products and the demand for them, the group of experts includes not only commodity experts, but also manufacturers and consumers of products.

In practice, quite complex ways of forming a group of experts have developed:

  • according to formal criteria - the specialty, work experience, length of stay in one team, as well as psychological assessments of the individual according to the sociological service of the organization (if any) are taken into account, for example, the ability to think creatively, constructive thinking, etc.;
  • on the basis of the self-assessment of the individual obtained during the questionnaire - the future expert himself assesses his capabilities, including qualifications, analytical and constructive thinking, the ability to adapt to certain situations, etc. Supplemented by a special psychological selection of experts to determine the level of their self-esteem - underestimated, overestimated or adequate;
  • based on the assessment of persons associated with the applicant - the professional and personal qualities of a specialist are assessed by specialists of a similar profile, consumers of services, employees who implement the expert's decisions;
  • by random selection (sampling), if many persons (for example, consumers of products and services) can act as experts.

Quite often, when analyzing the activities of an economic entity, managers of different levels and employees are included in the expert group. For example, this is how a group of experts is formed when choosing a production development strategy, changing the incentive system, reforming accounting and reporting, and restructuring organizational structures.

Thus, both formal and psychological methods are widely used in the selection of experts, and heuristic methods are often called psychological.

When interviewing experts, individualized and group methods can be used. In the case of an individual survey, work with each expert is carried out separately, which allows the expert to express his opinion independently of others. In a group survey, experts work in groups, agree on their opinions and develop a common expert conclusion based on a common position. Group methods are preferable from the point of view of increasing the reliability of examination, but more complex.

The information obtained in the process of an expert survey should be processed by special or traditional methods of analysis, after which it can be used to make management decisions.

There are many ways to obtain expert assessments: Delphi methods, control questions, risk assessment, scenarios, business games, SWOT analysis, functional value analysis (FSA), etc.

The Delphi method is an absentee and anonymous survey of an expert group (5-10 people) in several rounds with the agreement of experts' opinions. Each expert is assigned a specific task, for example, to determine the direction of the enterprise's development. Experts fill out questionnaires on the problem under study. The results of each intermediate round of the survey are communicated to the participants in the examination in the form of averaged statistical values. When receiving answers from experts, different situations may arise:

  • a) all experts have come to the same opinion;
  • b) the opinion of the experts was divided.

In the first case, the experts' opinion is taken as a result of solving the problem, in the second, the examination process will continue.

The test question method is the search for an analytical solution using a specially prepared list of leading questions. The advantage of this method is its simplicity and versatility. Test questions are drawn up on the basis of the experience of already solved problems, which ensures the effectiveness of the method.

The use of the test questions method is implemented in several stages:

  • 1) a task is formulated, in the solution of which control questions will be used;
  • 2) a list of control questions is drawn up that most correspond to the nature of the problem being solved, and each of them is considered in order to use the information contained in it to solve the problem;
  • 3) all the ideas that can be used to solve the problem are considered;
  • 4) ideas are selected with the help of which the task can be solved, and a program of events is developed.

Typically, analysts use a table containing in each row a question (parameter) and answer options (parameter values) for a specific aspect of the analysis. Answering the questions posed, the analyst makes a note in the column corresponding to his conclusion. The table, as a rule, is structured in such a way that the marks in the columns on the left show the weak points of the research object, and on the right - strengths or special features. Regular use of such tables allows you to determine trends in the change in the subject of analysis over time and compare its position in relation to other objects of analysis.

Questionnaires significantly reduce the time required for the analysis, reduce the dependence of its results on the level of the analyst's qualifications. When using this method, more correct results are obtained than with a point assessment, which is explained by the following circumstances. Instead of assigning points, the expert chooses the statement that most clearly characterizes the object of assessment. The answers can be presented with quantitative data, for example, reflecting the age of the employee, or characterize the tendency of changes in any parameter (growth, decline), give an assessment ("excellent", "satisfactory", etc.).

Selection by comparison, as a rule, is more accurate than direct measurement, when in a particular situation each expert has his own concept of the optimal state of the estimated parameters.

Experience has shown that effective questionnaires cannot be created at the first attempt. Analysts need to be prepared for the fact that only after repeated interviews and a thorough analysis of the assessment results and analytical documents is it possible to create methods containing not only universal initial lists-dictionaries, but also highly specialized questionnaires for certain categories of workers with similar tasks, reflecting the essence of the relations and activities of people.

Scenario method - a set of techniques and procedures for the preparation and implementation of any business decisions. The method is used primarily for expert forecasting. It is useful in choosing the goals of the organization and forecasting when the organization is not satisfied with the current situation and there is a need to expand the business.

The scenario is developed by a group of specialists in the organization and contains a description of the sequence of steps leading to the predicted state of the organization, as well as the factors and events that have a decisive influence on this process. The starting point for developing a scenario is an accurate assessment of the organization's current situation, based on a retrospective analysis of activities. Such an assessment leads to an understanding of the dynamics of the influence of factors on production processes and what factors ensure the rise in activity, and which - its decline. For uncontrollable development factors, special assessments should be made.

Stages of script development:

  • 1) determination of the system of indicators, on the basis of which the scenario for the development of the organization will be formed;
  • 2) highlighting the factors that determine the development of the organization;
  • 3) identification of development trends;
  • 4) development of alternative development scenarios and selection of the main development option.

Business games. The most common form of a business game is modeling the analyzed processes and the future development of the predicted phenomenon in different versions and considering the data obtained. Business games are used both in the educational process and in production. Games that are held in groups of organizations are called organizational-activity games. In a certain form, they include the ideology of the Delphi and scenario methods.

All participants in the game are divided into groups, and each group is invited to write a scenario for the development of events in the organization. The team is led by an expert whose task is to ensure that team members do not deviate from the assigned task. The next day, a conference is held at which a representative of each group makes a presentation that reflects the group's vision of the development of events in the organization. Members of other groups actively participate in the discussion of the report and try to convince others that their perspective is more concrete and convincing. At the end of the day, the game leader and experts summarize the results of the conference and draw the team's attention to the lack of consensus on the issues discussed. The groups disperse and prepare a new scenario. The next day, a conference is held again, at which new reports are heard. Experts should lead the participants to ensure that they achieve their goals together. When this shows at the conferences, i.e. most of the reports express unanimity of opinion, the participants in the game stop working in groups and work out a common scenario as a single team. As a result of the game, the team rallies, which can serve as the basis for successful activity.

To ensure the accuracy of the risk assessment, the maximum spread of their assessment is allowed, i.e. a tighter approach to expert consistency is provided.

One of the most common heuristic methods is the analogy method, when a group of experts considers a possible method for solving a problem or looks for the cause of the current situation, relying on the past experience of their own or similar business entities. In this case, experts think over their experience and the situations that they had to face, and, based on it, suggest ways to solve the problem, finding out the reasons for the current situation and ways to eliminate them.

Naturally, in this case, the use of materials describing similar situations in different periods and at different objects is of great help. They can be obtained from periodicals, scientific literature, as well as from minutes of meetings of founders, boards of directors, and meetings of departments and specialized groups working in the organization. From this point of view, the bank of situations analyzed and generalized by specialized consulting firms is of considerable interest. Such data banks have been created in many consulting firms around the world. It should be noted that the first steps to create similar materials were made in the 1980s at consulting firms of the USSR. Currently, this work continues in the Association of Scientific Consultants of Russia and consulting firms.

In the case when the experts receive materials of situations that develop in other objects, their task is to select those that are similar in principle to the one being solved, i.e. the similarity of the object, situation, goals pursued by the analysis is assessed. After such a selection, the possibility of using experience to resolve the problem and the readiness of the facility to implement specific measures are determined: the state of the production and technical base, the qualifications of personnel, the availability of financial resources and the possibility of attracting them, the period for solving the problem, etc.

The analogy method allows only to determine the main directions of economic analysis and at the next stages it needs a deeper analysis using quantitative methods. However, the preliminary use of such a method prevents an unjustifiably detailed analysis in the direction that does not reveal the main reasons for the current situation. The analogy method is often called synectic.

The group of methods that use assessment criteria includes target assessment, "spider web", typology and repertoire grids.

Target assessment - assessment of objects of analysis by certain criteria (components of the target system). When using it:

  • criteria (components of the target system) for evaluating alternatives are selected;
  • all decision options for each criterion are assigned a preference rank (ordinal number of acceptability);
  • for each alternative, the total rank is calculated for all criteria;
  • the options are ranked according to the total rank.

The method of multi-criteria comparison of alternatives is the graphical quantitative-qualitative method "web". It can be used in all cases when it is advisable to evaluate the objects of analysis based on a variety of quantitative and qualitative characteristics. The main advantage of the method is the visualization of the analysis results, which is especially valuable when presenting research materials not to narrow specialists, but to managers.

Heuristic methods of analysis that provide for both the generation of options for analytical solutions and their assessment include: brainstorming, commissions and conferences, a bank of ideas, a collective notebook, active sociological tested analysis and control, functional-value analysis, business games, etc.

The brainstorming method can be very effective for analyzing especially difficult situations. Brainstorming is the free generation of ideas expressed in a group of interested experts. Typically, an effective brainstorming session is short enough (no more than an hour). It can be attended not only by highly qualified specialists, but also by young people who are able to make unexpected extraordinary proposals. However, for the results of the brainstorming to be realizable, the participation of decision-makers is important. In this case, having systematized the proposals of the participants, you can immediately discard some of them as ideal, and discuss the rest in more detail with specialists of the corresponding profile.

The selection of ideas is carried out gradually. At the first stage, none of them is discarded and, as a rule, no assessments are expressed at all. Then the ideas are assessed according to the level of elaboration, timing and cost of implementation, efficiency, etc. At the second stage of the analysis, one or more of the previously discussed methods for assessing and choosing decisions can be used. Brainstorming can be an integral part of analytical work, especially in perspective analysis.

Brainstorming is a way to find new solutions to a problem situation. It is based on the separation in time of the process of finding ideas and their evaluation. It is a relatively quick and cost-effective method of analysis designed to resolve difficulties and contradictions that management personnel have encountered or are likely to face in the near future, as well as to remove bottlenecks that hold back the development of the management system. The method is effective in solving non-traditional strategic search problems. Brainstorming should be organized when the problem defies traditional solutions. First of all, we are talking about structural policies, improving existing ways of working.

The method of commissions and conferences is the most common form of group work, in the process of which ideas are freely put forward and criticized. It is based mainly on the habit of critically evaluating new and insufficiently substantiated ideas, acquired in the course of numerous meetings and discussions. The disadvantage of this method is that analysts in their judgments are initially focused on compromise, which increases the risk of obtaining distorted analysis results.

The collective notebook method ensures that the members of the collective put forward independent ideas with the subsequent evaluation of proposals. To this end, each member of the team receives a notebook, which outlines the essence of the issue being analyzed, provides the necessary auxiliary and reference materials (for example, workflow schemes, job descriptions, etc.).

During a predetermined time, they write down the results of the analysis and proposals in their notebooks, and in the end they evaluate their ideas, highlighting the best ones. Notepads are handed over to the coordinator to prepare a summary note. Assessment of group analytical alternatives is carried out by any of the previously considered assessment methods.

The collective notepad method is convenient in cases where it is impossible to organize a long joint work, attract experienced consultants. To use the method, it is necessary to have creatively thinking, experienced specialists in the team of the organization.

Such a method of work as a bank of ideas involves referring to a card index or an automated database created in the course of practical activities. These repositories collect and organize the most interesting examples of solving problems. This includes both original and typical versions with an assessment of their applicability. The method can be useful when solving search problems of current (more often) and strategic (less often) analysis.

The method of active sociological tested analysis and control (MASTAK) consists in the development and application of a manual containing specific recommendations for improving the activities of users of this material. The game-based team method of developing a manual involves several steps:

  1) the organizer announces a topic for making recommendations based on the analysis results, for example: "The organizational structure of the enterprise";
  2) each member of the expert group, within a predetermined time, formulates recommendations on the specified topic, trying to word them accurately and clearly;
  3) each expert in turn calls out the number of his recommendation (first, second, etc.) and reads it aloud. The rest of the team members give this recommendation a score. The points system can be arbitrary - from 7 to 10, but pre-established by the organizer. If the evaluating group members find the recommendation extremely useful, they give it one of the highest scores; if it is absurd, they give it zero points. The next developer then reads their recommendation, and so on until all the differing recommendations have been announced and scored. The organizer makes sure that everyone calls out the numbers and that the order is observed;
  4) the coordinator collects all the proposals of the group members, calculates the total score of each recommendation, and distributes the proposals by headings, placing them inside the headings in descending order of the scores received. Recommendations that received an insignificant number of points in comparison with other proposals are excluded from consideration.

SWOT analysis takes a special place among heuristic methods. The name of the analysis is formed from the first letters of the words strength, weakness, opportunity and threats (risks and restrictions).

This method, which is a special kind of expert methods, has shown high efficiency in the development of solutions in systems that are characterized by dynamism, controllability, dependence on internal and external factors, cyclicity, etc.

SWOT analysis is the definition of the strengths and weaknesses of an organization, as well as the opportunities and threats emanating from its market environment (external factors). These components mean:

  • strengths - advantages of the organization;
  • weaknesses - weak points of the organization;
  • opportunities - environmental factors, the use of which will create advantages for the organization in the market;
  • threats - factors that can potentially worsen the position of the organization in the market.

Conducting a SWOT analysis is reduced to filling out a matrix, in the corresponding cells of which the strengths and weaknesses of the organization, as well as market opportunities and threats are reflected (Fig. 2.3).

Stages of SWOT analysis:

  • 1) a group of enterprise specialists is selected, who will act as experts in the SWOT analysis, and a team leader is appointed;
  • 2) at the meeting of the group, a system of indicators is determined by which each component of the analysis will be evaluated;
  • 3) questionnaires are prepared to assess the selected indicators for each component of the analysis;
  • 4) a survey of experts is conducted and an assessment of each indicator is displayed;
  • 5) ranking of estimates for each component of the analysis is performed;
  • 6) based on the ranking, the development strategy of the organization is developed.

Figure: 2.3.

Filling in the matrix is a difficult process requiring highly qualified experts. This is because the same measure of an organization's performance can be both a threat and an opportunity. But when the matrix is filled in and a consensus of experts is expressed, the organization has sufficient information about the situation in which it is located to determine its prospects.

To make the matrix more objective, when filling it out, it is necessary to characterize all aspects of the organization's activities, including production, financial, marketing, organizational, and investment. With this approach, SWOT analysis will allow you to choose the optimal path for the organization's development, avoid dangers and make the most efficient use of available resources.

As noted, in recent years considerable attention has been paid to the use of functional cost analysis (FSA) as a method of systematic study of the functions of an object (product, process, structure), aimed at minimizing costs at all stages of the life cycle while maintaining (or improving) the quality and usefulness of the object for consumers.

FSA gives the greatest results at the stage of product development. But this type of analysis can also be applied when the product has already been introduced to the market. This is due to the need to support the competitiveness of products, and at this stage the use of FSA contributes to the improvement of its cost characteristics.

FSA aims to detect, prevent, reduce or eliminate unnecessary costs. This is achieved through a comprehensive study of the functions performed by the object, and the costs required to carry them out. In this case, it is customary to highlight:

  • main functions - ensure the performance of the object;
  • auxiliary functions - contribute to the implementation of the main functions or supplement them;
  • unnecessary functions - do not contribute to the performance of the main functions but, on the contrary, worsen the technical specifications or the economic indicators of the object.

Revealing functions requires high professional training of experts, knowledge of the essence of the object under study and analysis techniques.

The work of experts is built, as a rule, on the basis of a checklist.

When conducting FSA, it is customary to distinguish several stages: preparatory, informational, analytical, creative, research, recommendation and implementation.

At the first two stages, general preparation for the FSA is carried out: the object of analysis is specified; a group of competent specialists is selected to solve the task; data on the object under study is collected and generalized.

At the next three stages, the studied object is detailed into functions, their classification and the cost of each of them; the tasks of combining functions, eliminating unnecessary functions, reducing the cost of object elements and selecting the most realistic options in terms of their implementation are being solved.

At the final two stages, all the necessary documentation for the selected version of the improved facility is prepared, its economic effect is determined and a report on the results of the FSA is drawn up.

The main thing in conducting FSA is the analytical stage, at which the functions of the object (product) are studied in detail and the possibilities of reducing the costs of their implementation are analyzed by eliminating or regrouping (if possible) secondary and unnecessary functions.

Reducing costs as a result of FSA can have a significant impact on profits at all stages of an organization's development. If we assume that as a result of the FSA the costs of the product were reduced at the stage of its development, then it will enter the market at a lower cost.

Thus, the use of heuristic methods of analysis makes it possible to effectively carry out both current and strategic analysis in an unstable environment of functioning and high innovation in the development of organizations; give a balanced assessment of the property, financial condition of the organization and justify the prospects for its development.

Before considering the concept of "heuristic analysis", it is necessary to understand what the word "heuristic" itself means. For this we need to return to history, namely to Ancient Greece. The word "heuristic" comes from the Greek word meaning "to find". The main point is that, according to these methods, all solutions to any problems are based on assumptions that are perhaps true.

They do not use hard facts or premises.

The above sounds rather vague and probably incomprehensible. Therefore, we will try to understand what heuristic analysis is using specific examples.

There are a large number of viruses on the Internet that have very similar properties. Modern antivirus programs therefore look for files whose signatures closely resemble the code of known malware. This can significantly reduce the volume of the databases used for virus scanning. By using heuristic analysis, anti-virus vendors significantly save the resources of the computers on which their software is installed. It also becomes possible to find new viruses even before the signatures are updated.

The next example is also related to the fight against viruses. Its logic lies in the very name "malware". With this approach, the assumption is made that all viruses cause harm in one way or another, so there is an approximate list of actions that the heuristic analysis checks before making a decision. These are writing to files, deleting files, writing to the system registry, reading keystrokes, opening ports and sending spam. Naturally, a single such action is not a reason for panic, but when they take place simultaneously and at a particularly fast pace, there are reasons to be suspicious. The main advantage of this process is the ability to identify viruses even if they are not similar to the signatures already in the database.

Another industry where heuristic analysis is applied is economics. Moreover, its application is very wide. Economic analysis is one of the many subsectors where these techniques are of great help. At its core, it is a detailed and comprehensive study. It is based on information from various sources that are available. Many internal aspects of the functioning of a particular organization are also evaluated. Carrying out these actions is aimed at improving the work, which is achieved by introducing and developing new optimal management decisions.

The widespread use of heuristic methods can significantly simplify decision-making processes, as well as eliminate a variety of problems that can be removed by using statistical data. This allows significant savings in resources and time. The experience gained earlier can be safely used in the daily activities of the organization.

Scanning

Antivirus protection.

Antivirus programs have been and remain the main means of fighting viruses. You can use antivirus programs (antiviruses) without knowing how they work. However, without understanding the principles on which antivirus programs work, and without knowing the types of viruses and the methods of their distribution, it is impossible to organize reliable computer protection. As a result, the computer can be infected even if antivirus software is installed on it.

Several fundamental methods of virus detection and protection are used today:

· Scanning;

· Heuristic analysis;

· Use of anti-virus monitors;

· Detection of changes;

· Use of antiviruses built into the computer BIOS.

In addition, almost all anti-virus programs provide automatic recovery of infected programs and boot sectors. Of course, if possible.

The simplest method of scanning for viruses is for the antivirus program to sequentially check the files being scanned in search of the signatures of known viruses. A signature is understood as a unique sequence of bytes belonging to a virus and not found in other programs.

Antivirus scanners can only find viruses already known and studied for which a signature has been defined. Using simple scanners does not protect your computer from new viruses.

For encrypted and polymorphic viruses, which are capable of completely changing their code when they infect a new program or boot sector, a signature cannot be extracted. Therefore, simple antivirus scanners cannot detect polymorphic viruses.

Heuristic analysis allows detecting previously unknown viruses, and for this you do not need to collect data on the file system first, as required, for example, by the change detection method discussed below.

Antivirus programs that implement the heuristic analysis method check programs and the boot sectors of disks and floppy disks, trying to detect in them code typical of viruses. The heuristic analyzer can detect, for example, that the program being scanned installs a resident module in memory or writes data to the executable file of a program.

Almost all modern anti-virus programs implement their own methods of heuristic analysis. Fig. 1 shows one such program, the McAfee VirusScan scanner, launched manually to scan a disk for viruses.

When an antivirus detects an infected file, it usually displays a message on the monitor screen and makes an entry in its own or the system log. Depending on the settings, the antivirus can also send a message about the detected virus to the network administrator.

If possible, the antivirus disinfects the file, restoring its contents. Otherwise, only one option is offered - delete the infected file and then restore it from a backup (if, of course, you have one).

Search for viruses similar to known

Heuristic means "find". This kind of heuristic analysis is based on the (very plausible) assumption that new viruses often turn out to be similar to those already known. For this reason, the anti-virus databases contain signatures for detecting not one, but several viruses at once. The heuristic method, then, is to search for files that do not completely, but very closely match the signatures of known viruses.

Advantages: the ability to detect new viruses even before signatures are allocated for them.

Disadvantages:

  • The probability of mistakenly detecting the presence of a virus in a file when in fact the file is clean - such events are called false positives;
  • Impossibility of treatment - both because of possible false positives and because the type of virus may be determined inaccurately, an attempt at treatment can lead to a greater loss of information than the virus itself, and this is unacceptable;
  • Low efficiency - against truly innovative viruses that cause the largest epidemics, this type of heuristic analysis is of little use.
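The near-match search and its false-positive trade-off, as an added example (not code from any antivirus product): a sliding-window similarity score replaces the exact byte-for-byte comparison of a simple scanner. The signature, the sample buffers and the thresholds are all constructed for illustration and contain no real malware bytes.

```python
"""Exact vs. near-match signature scanning on constructed, harmless bytes."""

# Constructed stand-in for a database signature (not from any real malware).
SIGNATURE = bytes.fromhex("a1b2c3d4e5f60718293a4b5c6d7e8f90")


def best_similarity(data, signature=SIGNATURE):
    """Slide the signature over data; return the best fraction of equal bytes."""
    n = len(signature)
    best = 0
    for off in range(len(data) - n + 1):
        window = data[off:off + n]
        best = max(best, sum(a == b for a, b in zip(window, signature)))
    return best / n


def exact_scan(data, signature=SIGNATURE):
    """Simple scanner: the signature must be present byte for byte."""
    return signature in data


def heuristic_scan(data, threshold, signature=SIGNATURE):
    """Heuristic scanner: flag data when some window is similar enough."""
    return best_similarity(data, signature) >= threshold


def mutate(sig, positions):
    """Return a copy of sig with the bytes at the given positions flipped."""
    out = bytearray(sig)
    for p in positions:
        out[p] ^= 0xFF
    return bytes(out)


# Constructed samples: a known file, a modified variant, and a clean file
# that happens to share the first half of the pattern.
PAD = b"\x00" * 8
KNOWN = PAD + SIGNATURE + PAD
VARIANT = PAD + mutate(SIGNATURE, [3, 10]) + PAD
CLEAN = PAD + SIGNATURE[:8] + b"\x11" * 8 + PAD

if __name__ == "__main__":
    for name, sample in (("known", KNOWN), ("variant", VARIANT), ("clean", CLEAN)):
        print(name, exact_scan(sample), best_similarity(sample),
              heuristic_scan(sample, 0.8), heuristic_scan(sample, 0.5))
```

With a threshold of 0.8 the variant is caught although the exact scan misses it, and the clean file passes; lowering the threshold to 0.5 also flags the clean file, which is the false positive named in the first bullet.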

Scanning for viruses that perform suspicious actions

Another heuristic-based method assumes that malware is trying to harm the computer in one way or another, and is based on highlighting the main malicious actions.

For instance:

  • Deleting a file;
  • Writing to a file;
  • Writing to specific areas of the system registry;
  • Opening a port for listening;
  • Interception of data entered from the keyboard;
  • Sending e-mail.

Performing each such action separately does not constitute a reason to consider the program malicious. However, when a program performs several such actions in succession, for example, it writes itself to the startup key of the system registry, intercepts data entered from the keyboard and, with a certain frequency, sends this data to some address on the Internet, this program is, at the very least, suspicious. Based on this principle, the heuristic analyzer constantly monitors the actions performed by programs.
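One way to express this principle as detection logic, as an added example (not the algorithm of any particular antivirus): each process is scored by the distinct action types it performs within a short time span, and a sensitivity threshold decides what is reported. The event names, weights, window length and the event log are assumptions constructed for illustration.

```python
"""Behaviour-based heuristic: score combinations of actions per process."""
from collections import defaultdict

# Assumed weights for the action types listed above (illustrative values).
WEIGHTS = {
    "file_delete": 1, "file_write": 1, "registry_autorun_write": 3,
    "port_listen": 2, "keyboard_hook": 4, "mail_send": 2,
}


def score_processes(events, window=60):
    """Return {process: best score}; a score is the sum of the weights of the
    distinct action types seen inside any span of `window` seconds."""
    by_proc = defaultdict(list)
    for ts, proc, action in events:
        by_proc[proc].append((ts, action))
    scores = {}
    for proc, evs in by_proc.items():
        evs.sort()
        best = 0
        for i, (start, _) in enumerate(evs):
            kinds = {a for ts, a in evs[i:] if ts - start <= window}
            best = max(best, sum(WEIGHTS.get(k, 0) for k in kinds))
        scores[proc] = best
    return scores


def suspicious(events, threshold, window=60):
    """Processes whose best windowed score reaches the sensitivity threshold."""
    scores = score_processes(events, window)
    return sorted(p for p, s in scores.items() if s >= threshold)


# Constructed event log: (seconds, process, action).
EVENTS = [
    (0, "backup.exe", "file_write"), (5, "backup.exe", "file_write"),
    (9, "backup.exe", "file_delete"),
    (10, "setup.exe", "file_write"), (12, "setup.exe", "registry_autorun_write"),
    (20, "unknown.exe", "registry_autorun_write"),
    (25, "unknown.exe", "keyboard_hook"),
    (40, "unknown.exe", "mail_send"), (70, "unknown.exe", "mail_send"),
]

if __name__ == "__main__":
    print(score_processes(EVENTS))
    print("threshold 8:", suspicious(EVENTS, 8))
    print("threshold 4:", suspicious(EVENTS, 4))
```

At threshold 8 only the process combining autorun, keyboard interception and mailing is reported; at threshold 4 the installer is reported as well, a false positive produced by the higher sensitivity.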

Advantages: the ability to detect previously unknown malicious programs, even if they are not very similar to the already known ones (using a new vulnerability to penetrate a computer, and then performing the already familiar malicious actions). Such a program can be missed by a heuristic analyzer of the first type, but it may well be detected by an analyzer of the second type.

Disadvantages:

  • False positives;
  • Impossibility of treatment;
  • Low efficiency.