Does Your Antivirus Software Do This?

Category: Anti-Virus

Antivirus software’s first job is to detect viruses and other types of malware before they do their damage. There are three ways to identify malware, and a number of variations on these basic strategies. Here's a plain-English description of how antivirus software gets the job done...

Three Different Types of Antivirus Software

Have you ever wondered how antivirus software works? In a nutshell, traditional computer security software hooks into your operating system and inspects every file or program before it is allowed to be opened or run. Some anti-malware technology keeps an eye out for unexpected system changes. Others maintain a "whitelist" of known-good programs. A combination of these methods provides the best security. Let's crack open the nut, and look at these techniques in a bit more detail.

The first malware detection method is commonly called “signature-based detection.” Any program contains unique blocks of code that identify it as surely as passages from a book identify what book you’re holding. The patterns of code which uniquely identify a malware program are called its “signature.”

Antivirus vendors compile databases of malware signatures and distribute copies to their users regularly. The antivirus program scans files on a user’s system looking for matches between each file’s code and those in the signature database. Matches are flagged as malware and are blocked from opening.

How Does Antivirus Software Work?

There are a few problems with signature-based malware detection. First, only known malware is included in the signature database. New malware is created all the time, and there is a lag between its creation and its inclusion in signature databases. Second, malware authors create self-modifying (polymorphic) malware that alters its own signature every time it runs, so a pattern captured from one copy may not match the next. Signature-based detection is a basic but dangerously incomplete form of protection.

Your Behavior is Unacceptable!

The second malware detection method looks at what a program does rather than what it is. This “behavior-based” method assumes that certain actions indicate harmful intentions. A program that scans for other executable files on your hard drive is presumed to be looking for files it can infect, for instance. All sorts of “suspect behavior” may be deemed reasons to flag a program as potential malware. Some examples are programs that modify the Windows registry, or make changes to system settings.

“Heuristic analysis” is a fancy term for behavior-based detection. Heuristic programs may have many complex behavioral rules and run a suspect program in a virtual machine or sandbox, simulating what the program might do without allowing it access to the actual resources on your system. This sort of testing consumes a lot of computer resources, so it is typically reserved for user-initiated “on-demand” tests of suspect files.

On the plus side, behavior-based detection can stop even the newest or best disguised malware. On the other hand, it may have a high rate of “false positives,” frequently flagging innocuous programs that are behaving in suspect ways for legitimate reasons. The user has to look at a flagged file and decide whether to tag it as “OK” to run or “banned” as malware. These interruptions can be inconvenient, and often the user isn’t qualified to make that decision correctly.

Have We Met Before?

A third malware prevention method is the whitelist approach. Because of the potential for the signature-based and heuristic approaches to fail at detecting new or evolving malware, something else is needed to fill the gap. Whitelisting is the strategy of permitting a finite list of known “good” programs to run, and blocking anything that is not on the list. The trick lies in building a reasonable whitelist of allowed programs. All legitimate Windows components would be on that list, as well as hundreds of popular apps that are proven to be virus-free. That whitelist is dynamically updated over time, and users may add new programs they deem to be safe.
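To make the three strategies described above concrete (signature, behavior and whitelist), here is a small added example, not code from the article or from any antivirus vendor. The "files", byte patterns, action names and weights are all constructed for illustration; a real product uses far larger databases and rule sets.

```python
import hashlib

# Constructed sample "files": name -> (file bytes, actions observed in a sandbox run).
# dropper_v2 is dropper with one byte changed, standing in for self-modifying malware.
SAMPLES = {
    "notepad.exe":    (b"MZ\x90\x00known-good-editor", ["open_file", "write_file"]),
    "setup.exe":      (b"MZ\x90\x00vendor-installer", ["modify_registry", "change_system_settings"]),
    "oldgame.exe":    (b"MZ\x90\x00dos-era-game", ["open_file"]),
    "dropper.exe":    (b"MZ\x90\x00EVILCORE\x00", ["enumerate_executables", "modify_registry"]),
    "dropper_v2.exe": (b"MZ\x90\x00EV1LCORE\x00", ["enumerate_executables", "modify_registry"]),
}

# 1. Signature database: a byte pattern that identifies a known family (constructed).
SIGNATURES = {"Dropper.A": b"EVILCORE"}

# 2. Behavior rules: weights for the kinds of "suspect behavior" the article lists.
SUSPECT_ACTIONS = {"enumerate_executables": 2, "modify_registry": 1, "change_system_settings": 1}
HEURISTIC_THRESHOLD = 2

def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

# 3. Whitelist: hashes of programs already proven good; users may add their own later.
WHITELIST = {sha256(SAMPLES["notepad.exe"][0]), sha256(SAMPLES["setup.exe"][0])}

def signature_scan(data: bytes) -> list[str]:
    """Names of every signature whose byte pattern occurs in the file."""
    return [name for name, pattern in SIGNATURES.items() if pattern in data]

def heuristic_score(actions: list[str]) -> int:
    """Sum of the weights of suspect actions seen during the sandbox run."""
    return sum(SUSPECT_ACTIONS.get(action, 0) for action in actions)

def classify(name: str) -> str:
    """Combine the three methods the way the article describes them working together."""
    data, actions = SAMPLES[name]
    if sha256(data) in WHITELIST:          # known good: skip the other checks
        return "allow: on whitelist"
    hits = signature_scan(data)
    if hits:                                # known bad: exact match on the database
        return f"block: signature {hits[0]}"
    if heuristic_score(actions) >= HEURISTIC_THRESHOLD:
        return "block: suspect behavior"    # catches the mutated copy the signature missed
    # Unknown and not obviously bad: whitelisting hands the decision to the user.
    return "prompt: unknown program, ask user"

if __name__ == "__main__":
    for sample in SAMPLES:
        print(f"{sample:16} -> {classify(sample)}")
```

Note that setup.exe would be a heuristic false positive on its own (registry and settings changes score 2), and only its whitelist entry lets it run; that is the trade-off between the behavior-based and whitelist sections above.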

PC Matic is an example of a security tool that uses the whitelist approach, in conjunction with signature scanning and heuristics. PC Matic blocks polymorphic (evolving) threats and also catches emerging threats such as fileless malware and ransomware.

One criticism of the whitelist approach is that it may generate "false positives" when it encounters new software. I've been using PC Matic for over a year, and even though I download and test a lot of programs, I've only seen that happen once, when I tried to run a very old program that I've had since the DOS days. PC Matic flagged it, and gave me the choice to block it, or add it to my personal whitelist. One click and I was over that hurdle.

Got something to say about anti-virus software? Post your comment or question below...


This article was posted by Bob Rankin on 5 Dec 2019


Most recent comments on "Does Your Antivirus Software Do This?"

(See all 22 comments for this article.)

Posted by:

05 Dec 2019

For an all-in-one for especially older computers, PCMATIC may be a solution for you. You would have to weigh whether it is worth $50 a year. That may be a lot for some, especially those who find free programs are currently doing the job well.

Posted by:

Stuart Berg
05 Dec 2019

I've been using a different whitelist antivirus for several years called VoodooShield while at the same time running my "regular" antivirus (which happens to be Kaspersky). It seems to work exactly like PCMatic except it's FREE! There is a paid version which gives you more flexibility in the settings, but the FREE version is fine for the average user.

Posted by:

Beverly Chapin
06 Dec 2019

I've been using PC Pitstop over a year now and so far no problems. I am a paid subscriber and feel shielding multiple computers for $50 yearly is very reasonable, especially compared to cost of losing data or money if infected.

Posted by:

Larry Ray Etheridge
06 Dec 2019

are the only one of all my geek newsletters that endorses PC Matic.

Posted by:

stuart Ben
06 Dec 2019

This sure sounds like a paid advertisement to me. Perhaps if you had mentioned even ONE of the other well established antivirus suites in your review it would not be quite so transparent.

Posted by:

06 Dec 2019

Thank you, Bob, for this very informative article! Even those of us that are geeks are still learning more.

Thank you, Stuart, for the VoodooShield information. This is also helpful information.

Posted by:

06 Dec 2019

I have tried nearly a dozen "Free" and "Paid" antivirus programs, including one mentioned in this thread. Not one of them has worked as well as PC Matic. It shields two desktops and my Android smartphone. Yes, it sometimes blocks my legitimate downloads, but it has a feature that gives you a 10-minute or an hour timeframe to download data without interference. For the record: I am a non-geek Senior who relies on Bob for information and direction. In this instance, cut him a little slack. PC Matic is a good product for me.

Posted by:

06 Dec 2019

I have to agree with the sentiments of commentator Stuart Ben (06 Dec 2019). I was convinced that this latest edict from "Dr Bob" was a spoof - I can't remember the last time I read such a biased report about a product from Bob, as he is normally so impartial. If PC Matic is as good as we are being asked to accept, why doesn't the product feature prominently in the independent antivirus laboratory quarterly reviews that are undertaken and published in reputable computer magazines on both sides of the Atlantic? For years I have been, and remain, a committed user of Kaspersky's paid-for versions (despite what I feel is the unwarranted hysteria emanating from the U.S. because of its origins) but I am always willing to consider an alternative, if it can be independently verified to be better than what I currently use.

Posted by:

Pat Hagar
06 Dec 2019

I have used P.C.Matic for several years (after some others) and I cannot imagine a better product or company !

Posted by:

Norman Rosen
06 Dec 2019

I have been using PC Matic for over 10 years and have an Evergreen license. Best deal I ever made. This is a wonderful program. Mark, you ask why it is not better known if it is so good: excellent question. As far as I am concerned, this product is excellent.

Posted by:

Bobby New
06 Dec 2019

I used PC Matic for almost one year and while it stopped unwanted and dangerous invasions, it made my ASUS UX510 PC experience stoppages for several seconds at a time, up to 2-4 minute pauses where I could not use my computer at all. I have 8 GB RAM and a 256 GB SSD. Once I deleted it and installed other virus/malware/firewall software, the problem went away.

Posted by:

Bruce Fraser
07 Dec 2019

PCMatic has been tested by the Anti-Virus review agencies. And it fails miserably. Quoted from one test result:
"PC Matic didn't fail the VB100 test by just 'one false positive.' In many cases, it blocked hundreds of valid programs. The same held true in a test by AV-Comparatives that PC Pitstop commissioned. While PC Matic achieved a perfect malware-blocking score, it also blocked over 800 valid programs. To put that in perspective, the second-highest number of false positives was just 12, by Webroot SecureAnywhere AntiVirus. Most of the tested products didn't exhibit any false positive detections at all."

Posted by:

07 Dec 2019

Got PC Pitstop for 1 year free from a vendor back in 2000, been using it ever since. Never had a false positive. Only problem I had, was a Grandson that locked things up.

Posted by:

Bob K
07 Dec 2019

PC Matic is a prominent advertiser on Bob's site, hence Bob is lining his pocket by promoting PC Matic. I cannot say that I blame him; however, I certainly don't have to believe him, and I don't. I've seen many reviews, and most do not rave about it. It's good, but not great, with way too many false positives.
The obvious is just too obvious here.

Posted by:

07 Dec 2019

I currently use PC Matic. It constantly tells me that MBAM is an exploit that is blocked. I do not get a choice to add it to the whitelist. I have manually added it, but it hasn't stopped the false positive.

Posted by:

Dennis English
07 Dec 2019

I bought the PCMatic for my HP Pavilion running XP when MS stopped supporting XP. PCMatic failed to load a file on my computer until after I had a virus. When I queried them about it they sent me the file, but it was too late. I can't trust them now, and I paid for lifetime support.

Posted by:

07 Dec 2019

I have been a loyal ESET Smart Security user for over 7 years, and won't consider using anything else. I can purchase a fresh one year 3 computer subscription for less than $30 by shopping around online after every January. A great investment!

ESET offers lean code for low resource usage, as well as excellent signature update frequency and versatile customization options. The software itself automatically upgrades to the latest version. Try it and you will like it!

Posted by:

Dave White
08 Dec 2019

While I have a great deal of respect for your knowledge of the computing scene, I do not believe that this article is to be taken seriously. Given that you are paid for presenting advertising by PC-Matic, I hardly think your recommendation is to be taken seriously. You have an interest in promoting PC-Matic, and I for one would not accept such clearly biased advice.

Posted by:

09 Dec 2019

@Bruce Fraser: Regarding false positives, that's a red herring in my opinion. The programs on the "false positive" list are edge cases that you won't find on most consumer computers.

Here's a quote from the PCMatic support forum: "In our case, Virus Bulletin had about one million good files, and PC Matic incorrectly identified about a thousand. This represents a .1% error rate or 99.9% white list accuracy rate. 99.9% accuracy is rather good, but the false positive rate our customers experience is better. When PC Matic blocks a potentially good file, the sample goes to our research team, and it is re-categorized in less than 24 hours. So in the unlikely event of a false positive, it affects one and only one customer."

Posted by:

15 Dec 2019

I read with interest a host of positive comments re PCMatic from users who say they have been well protected by it. However, I suspect any of us using a halfway decent AV program would say the same. I have used the free version of Avira for many years without experiencing any probs, but also do occasional checks with MBAM. I maybe have had one false positive in that time on Avira and have run into the known MBAM rejection of Advanced System Care as a PUP, which I have ignored, but otherwise all has been fine.

Copyright © 2005 - Bob Rankin - All Rights Reserved

Article information: AskBobRankin -- Does Your Antivirus Software Do This? (Posted: 5 Dec 2019)