How Does Antivirus Software Work?

Category: Anti-Virus

Antivirus software’s first job is to detect viruses and other types of malware before they do their damage. There are two ways to identify malware, and a number of variations on these basic strategies. Here's a plain-English description of how antivirus software gets the job done...

Different Types of Antivirus Software

Have you ever wondered how antivirus software works? In a nutshell, traditional computer security software hooks into your operating system and inspects every file or program before it is allowed to be opened or run. Newer anti-malware technology keeps an eye out for unexpected system changes. Combining both methods provides the best security. Let's crack open the nut and look at these techniques in a bit more detail.

The first malware detection method is commonly called “signature-based detection.” Any program contains unique blocks of code that identify it as surely as passages from a book identify what book you’re holding. The patterns of code which uniquely identify a malware program are called its “signature.”

Antivirus vendors compile databases of malware signatures and distribute copies to their users regularly. The antivirus program scans files on a user’s system looking for matches between each file’s code and those in the signature database. Matches are flagged as malware.


There are several problems with signature-based malware detection. First, only known malware is included in the signature database. New malware is created all the time, and there is a lag between its creation and its inclusion in signature databases. Second, malware authors create self-modifying malware that alters its own signature every time it runs. Third, encryption can disguise the signature of a malware program. Signature-based detection is a basic but dangerously incomplete form of protection.
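To make the matching concrete, here is a small signature scanner written for this page (added example, not code from the article or from any antivirus vendor). The signature database, the sample "file" and the signature names are all constructed; it also shows the two gaps just described, a whole-file hash signature failing on a one-byte change and a byte-pattern signature failing when the file is re-encoded.

```python
import hashlib

# Constructed signature database (not real malware signatures): a name mapped
# to a distinctive byte sequence that identifies the sample.
PATTERN_SIGNATURES = {
    "Demo.Dropper.A": b"DROPPER_MARKER_v1",
    "Demo.Worm.B": b"\x90\x90\x90WORMSTUB",
}

# Constructed sample "file" content: an MZ executable header prefix, filler
# bytes, and the marker the pattern signature looks for.
SAMPLE = b"MZ\x90\x00" + b"\x00" * 16 + b"DROPPER_MARKER_v1" + b"\x00" * 16

# A second kind of signature: the SHA-256 hash of one complete known-bad file.
HASH_SIGNATURES = {hashlib.sha256(SAMPLE).hexdigest(): "Demo.Dropper.A"}

def scan_bytes(data: bytes) -> list:
    """Return the names of all signatures matching data (pattern or hash)."""
    hits = [name for name, pat in PATTERN_SIGNATURES.items() if pat in data]
    digest = hashlib.sha256(data).hexdigest()
    if digest in HASH_SIGNATURES and HASH_SIGNATURES[digest] not in hits:
        hits.append(HASH_SIGNATURES[digest])
    return hits

def scan_file(path: str) -> list:
    """Scan a file on disk the same way; real products also hook file opens."""
    with open(path, "rb") as fh:
        return scan_bytes(fh.read())

def demo() -> dict:
    """Run the scanner over three variants of the constructed sample."""
    # 1. The exact known file: both the hash and the pattern match.
    exact = scan_bytes(SAMPLE)
    # 2. One filler byte changed: the hash no longer matches, the pattern does.
    tweaked = SAMPLE[:-1] + b"\x01"
    # 3. The file re-encoded with a fixed XOR byte, the article's point that an
    #    encrypted copy hides its signature: neither signature type matches,
    #    which is the case that needs behavior-based coverage.
    encoded = bytes(b ^ 0x5A for b in SAMPLE)
    return {"exact": exact, "tweaked": scan_bytes(tweaked),
            "encoded": scan_bytes(encoded)}

if __name__ == "__main__":
    for label, hits in demo().items():
        print(f"{label:8s} -> {hits or 'clean (no signature matched)'}")
```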

Your Behavior is Unacceptable!

The second malware detection method looks at what a program does rather than what it is. This “behavior-based” method assumes that certain actions indicate harmful intentions. A program that scans for other executable files on your hard drive is presumed to be looking for files it can infect, for instance. All sorts of “suspect behavior” may be deemed reasons to flag a program as potential malware. Some examples are programs that modify the Windows registry, or make changes to system settings.

“Heuristic analysis” is a fancy term for behavior-based detection. Heuristic programs may have many complex behavioral rules and run a suspect program in a virtual machine or sandbox, simulating what the program might do without allowing it access to the actual resources on your system. This sort of testing consumes a lot of computer resources, so it is typically reserved for user-initiated “on-demand” tests of suspect files.

On the plus side, behavior-based detection can stop even the newest or best disguised malware. On the other hand, it may have a high rate of “false positives,” frequently flagging innocuous programs that are behaving in suspect ways for legitimate reasons. The user has to look at a flagged file and decide whether to tag it as “OK” to run or “banned” as malware. These interruptions can be inconvenient, and often the user isn’t qualified to make that decision correctly.
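The rule-and-threshold idea behind behavior-based detection, including the false-positive case and the user's "OK" decision, can be shown with a toy detector (added example, not from the article or any product). The rule names, weights, threshold and event traces are all constructed; a real engine records such events from a sandbox run or from hooks in the operating system.

```python
# Suspect behaviors named in the article, each with an assumed weight.
RULES = {
    "enumerate_executables": 3,   # scanning the disk for .exe files to infect
    "write_registry_run_key": 4,  # persistence via a Windows registry autorun key
    "modify_system_setting": 2,   # changing system settings
    "write_executable": 3,        # dropping or modifying another executable
}
THRESHOLD = 6  # assumed: total weight at which a program gets flagged

# Constructed traces of observed actions, as a sandbox might record them.
TRACES = {
    # Text editor: reads and writes documents, touches nothing suspect.
    "editor": ["open_file", "write_file", "open_file"],
    # Worm-like sample: looks for executables, modifies them, adds autorun.
    "worm_sample": ["enumerate_executables", "write_executable",
                    "write_registry_run_key"],
    # Legitimate installer: also writes executables and an autorun key, so
    # the heuristic flags it too; this is the false-positive case.
    "installer": ["write_executable", "write_registry_run_key",
                  "modify_system_setting"],
}

def score_trace(events: list) -> int:
    """Sum the rule weights of every distinct suspect action in the trace."""
    seen = set(events)
    return sum(weight for action, weight in RULES.items() if action in seen)

def classify(name: str, events: list, user_ok: frozenset = frozenset()) -> dict:
    """Score one program; programs the user already tagged OK are never flagged."""
    score = score_trace(events)
    reasons = [action for action in RULES if action in set(events)]
    flagged = score >= THRESHOLD and name not in user_ok
    return {"score": score, "flagged": flagged, "reasons": reasons}

def run_all(user_ok: frozenset = frozenset()) -> dict:
    """Classify every constructed trace with the given set of user approvals."""
    return {name: classify(name, trace, user_ok) for name, trace in TRACES.items()}

if __name__ == "__main__":
    # First pass: the installer is a false positive and interrupts the user.
    for name, verdict in run_all().items():
        print(name, verdict)
    # After the user tags the installer as OK, only the worm stays flagged.
    print(run_all(frozenset({"installer"}))["installer"]["flagged"])
```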

The Cloud and the Crowd

The “always connected” culture has enabled techniques that improve both signature-based and behavior-based detection. Cloud-based signature databases are updated constantly, eliminating the delay between an addition to the database and the download of that update to users’ computers. Cloud-based antivirus engines run on the vendor’s servers, reducing the drain on users’ computer resources and ensuring that the latest version of the engine is always used.

Collaboration between antivirus programs running on many different computers is also enabled by the Internet. When my behavior-based antivirus program flags a new potential malware program, that new “threat” is communicated to the antivirus vendor. Someone there determines whether this new threat is really a threat or a false positive, and that “wisdom of the crowd” is added to the antivirus product. Suspect files can also be uploaded to a vendor for analysis and inclusion in signature databases.

Some readers have asked why they need antivirus software if they already have a firewall. To put it simply, a firewall is a doorman while antivirus software is a bouncer. A doorman keeps unauthorized people out. A bouncer monitors people who are already in, kicking out known miscreants who slipped in, and anyone who starts behaving inappropriately. A well-secured nightclub has both doorman and bouncer. A well-secured computer has both a firewall and antivirus software.

To learn more about firewalls or find links to free anti-virus software, see my articles Do I Really Need a Firewall? and Free Anti-Virus Programs.

Got something to say about anti-virus software? Post your comment or question below...


This article was posted by on 23 May 2013


Most recent comments on "How Does Antivirus Software Work?"

Posted by:

23 May 2013

Thank you for a great article re virus protection.

Posted by:

23 May 2013

Mr. Bob, What's your opinion of Panda Cloud Antivirus on a 1 - 10 scale?

Posted by:

Jim Komasinski
24 May 2013

Bob, After 40+ years in the IT field, this article of yours is one of the finest tech articles I've ever read: informative, direct, plain explanations of both how and what. You're a wonderfully refreshing technical writer.

Posted by:

24 May 2013

Love the "Doorman and Bouncer" analogy. Other analogies I often use are:
- "Butler" for firewall
- "Two cops arguing over jurisdiction" for two AV programs running at a time
- "Independent investigator" for second opinion scanners like Malware Bytes
- "Steam cleaning your engine" for registry cleaners
- "Seatbelt" for minimally invasive AV programs (gotta have one when driving the information superhighway!)
- "Firesuit and Helmet" for overly intrusive security suites
- "Corrupted Government Officials" for root-kit infections; when you can't trust your OS to give straight answers
- "Desktop Size" for RAM, the bigger the desktop the more things you can work on at one time.
What are your favorite computer analogies?

Posted by:

31 May 2013

Yup, I completely agree with this tutorial!
But using good security software is very important, and it is also a must to go with antivirus software that suits our PC configuration and the functions of the system. Recently I have gone through an article about the AV test of the best security software; Comodo, the leading security provider, provides the perfect protection.
Here is the link for reference:

Copyright © 2005 - Bob Rankin - All Rights Reserved
Article information: AskBobRankin -- How Does Antivirus Software Work? (Posted: 23 May 2013)