How Does Antivirus Software Work?
Antivirus software’s first job is to detect viruses and other types of malware before they do their damage. There are two ways to identify malware, and a number of variations on these basic strategies. Here's a plain-English description of how antivirus software gets the job done...
Different Types of Antivirus Software
Have you ever wondered how antivirus software works? In a nutshell, traditional computer security software hooks into your operating system, and inspects every file or program before it is allowed to be open or run. Newer anti-malware technology keeps an eye out for unexpected system changes. Combining both methods will provide the best security. Let's crack open the nut, and look at these techniques in a bit more detail.
The first malware detection method is commonly called “signature-based detection.” Any program contains unique blocks of code that identify it as surely as passages from a book identify what book you’re holding. The patterns of code which uniquely identify a malware program are called its “signature.”
Antivirus vendors compile databases of malware signatures and distribute copies to their users regularly. The antivirus program scans files on a user’s system looking for matches between each file’s code and those in the signature database. Matches are flagged as malware.
There are several problems with signature-based malware detection. First, only known malware is included in the signature database. New malware is created all the time, and there is a lag between its creation and its inclusion in signature databases. Second, malware authors create self-modifying malware that alters its own signature every time it runs. Third, encryption can disguise the signature of a malware program. Signature-based detection is a basic but dangerously incomplete form of protection.
Your Behavior is Unacceptable!
The second malware detection method looks at what a program does rather than what it is. This “behavior-based” method assumes that certain actions indicate harmful intentions. A program that scans for other executable files on your hard drive is presumed to be looking for files it can infect, for instance. All sorts of “suspect behavior” may be deemed reasons to flag a program as potential malware. Some examples are programs that modify the Windows registry, or make changes to system settings.
“Heuristic analysis” is a fancy term for behavior-based detection. Heuristic programs may have many complex behavioral rules and run a suspect program in a virtual machine or sandbox, simulating what the program might do without allowing it access to the actual resources on your system. This sort of testing consumes a lot of computer resources, so it is typically reserved for user-initiated “on-demand” tests of suspect files.
On the plus side, behavior-based detection can stop even the newest or best disguised malware. On the other hand, it may have a high rate of “false positives,” frequently flagging innocuous programs that are behaving in suspect ways for legitimate reasons. The user has to look at a flagged file and decide whether to tag it as “OK” to run or “banned” as malware. These interruptions can be inconvenient, and often the user isn’t qualified to make that decision correctly.
The Cloud and the Crowd
The “always connected” culture has enabled techniques that improve signature and behavior based detection methods. Cloud-based signature databases are updated constantly, eliminating delays between additions to the database and the downloading of updates to users’ computers. Cloud-based antivirus engines run on the vendor’s servers, reducing the drain of users’ computer resources and ensuring that the latest version of the engine is always used.
Collaboration between antivirus programs running on many different computers is also enabled by the Internet. When my behavior-based antivirus program flags a new potential malware program, that new “threat” is communicated to the antivirus vendor. Someone there determines whether this new threat is really a threat or a false positive, and that “wisdom of the crowd” is added to the antivirus product. Suspect files can also be uploaded to a vendor for analysis and inclusion in signature databases.
Some readers have asked why they need antivirus software if they already have a firewall. To put it simply, a firewall is a doorman while antivirus software is a bouncer. A doorman keeps unauthorized people out. A bouncer monitors people who are already in, kicking out known miscreants who slipped in, and anyone who starts behaving inappropriately. A well-secured nightclub has both doorman and bouncer. A well-secured computer has both a firewall and antivirus software.
Got something to say about anti-virus software? Post your comment or question below...
This article was posted by Bob Rankin on 23 May 2013
|For Fun: Buy Bob a Snickers.|
Geekly Update - 22 May 2013
The Top Twenty
Computer Security: The Missing Link
Post your Comments, Questions or Suggestions
Free Tech Support -- Ask Bob Rankin
Subscribe to AskBobRankin Updates: Free Newsletter
Copyright © 2005 - Bob Rankin - All Rights Reserved
Article information: AskBobRankin -- How Does Antivirus Software Work? (Posted: 23 May 2013)
Copyright © 2005 - Bob Rankin - All Rights Reserved