Page 1463 - (ISC)² CISSP Certified Information Systems Security Professional Official Study Guide
and alter unrelated or operating system files. This approach was not widely used in the past but has now become the mainstay of the advanced endpoint protection solutions used by many organizations. A common strategy is for systems to quarantine suspicious files and send them to a malware analysis tool where they are executed in an isolated but monitored environment. If the software behaves suspiciously in that environment, it is added to blacklists throughout the organization, rapidly updating antivirus signatures to meet new threats.

Modern antivirus software products are able to detect and remove a wide variety of types of malicious code and then clean the system. In other words, antivirus solutions are rarely limited to viruses. These tools are often able to provide protection against worms, Trojan horses, logic bombs, rootkits, spyware, and various other forms of email- or web-borne code. In the event that you suspect new malicious code is sweeping the internet, your best course of action is to contact your antivirus software vendor to inquire about your state of protection against the new threat. Don’t wait until the next scheduled or automated signature dictionary update. Furthermore, never accept the word of any third party about protection status offered by an antivirus solution. Always contact the vendor directly. Most responsible antivirus vendors will send alerts to their customers as soon as new, substantial threats are identified, so be sure to register for such notifications as well.

Other security packages, such as the popular Tripwire data integrity assurance package, also provide a secondary antivirus functionality. Tripwire is designed to alert administrators to unauthorized file modifications. It’s often used to detect web server defacements and similar attacks, but it also may provide some warning of virus infections if critical system executable files, such as command.com, are modified unexpectedly. These systems work by maintaining a database of hash values for all files stored on the system (see Chapter 6, “Cryptography and Symmetric Key Algorithms,” for a full discussion of the hash functions used to create these values). These archived hash values are then compared to current computed values to detect any files that were modified between the two periods. At the most basic
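The hash-database approach described for Tripwire, as an added example that is not code from the study guide or from the Tripwire product: a minimal file integrity check in Python that records a baseline of SHA-256 digests for every regular file under a directory, rescans later, and reports which files were modified, added, or removed. The directory tree, the file names, and the "tampering" in the demo are all constructed for the illustration; the baseline is held in memory here only to keep the example self-contained.

```python
"""
Added example (not code from the CISSP study guide or from Tripwire):
a minimal host-based file integrity check. It records a baseline of
SHA-256 digests for every regular file under a directory, then compares
a fresh scan against that baseline and reports files that were modified,
added, or removed. The directory contents in demo() are constructed.
"""
import hashlib
import os
import tempfile
from pathlib import Path


def hash_file(path: Path, chunk_size: int = 1 << 16) -> str:
    """Return the hex SHA-256 digest of a file, read in chunks so large
    binaries do not have to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(root: Path) -> dict:
    """Walk `root` and map each regular file's path (relative to root,
    POSIX separators) to its digest. Symlinks are skipped so a link
    cannot be pointed at a benign file to mask a change."""
    baseline = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            full = Path(dirpath) / name
            if full.is_symlink() or not full.is_file():
                continue
            rel = full.relative_to(root).as_posix()
            baseline[rel] = hash_file(full)
    return baseline


def compare(baseline: dict, current: dict) -> dict:
    """Diff two snapshots. Lists are sorted so reports are stable."""
    base_keys, cur_keys = set(baseline), set(current)
    return {
        "modified": sorted(p for p in base_keys & cur_keys
                           if baseline[p] != current[p]),
        "added": sorted(cur_keys - base_keys),
        "removed": sorted(base_keys - cur_keys),
    }


def demo() -> dict:
    """Constructed scenario: baseline a small tree, then change it the way
    a defacement or an infection might, and report the drift."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        (root / "bin" / "command.com").write_bytes(b"original executable bytes")
        (root / "www").mkdir()
        (root / "www" / "index.html").write_text("<h1>Welcome</h1>")
        (root / "etc.conf").write_text("setting=1\n")

        baseline = build_baseline(root)

        # Simulated unauthorized changes after the baseline was recorded.
        (root / "bin" / "command.com").write_bytes(b"original executable bytes + extra")
        (root / "www" / "index.html").write_text("<h1>Defaced</h1>")
        (root / "www" / "dropper.exe").write_bytes(b"new unexpected file")
        (root / "etc.conf").unlink()

        return compare(baseline, build_baseline(root))


if __name__ == "__main__":
    for category, paths in demo().items():
        print(f"{category}: {paths}")
```

In a real deployment the baseline database is the thing an intruder most wants to rewrite, so it belongs on read-only or offline storage (or is itself signed, as Tripwire does) rather than in a dictionary next to the files it protects; the comparison logic above does not change.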