Monday, 3 December 2012 (B.E. 2555)

How Antivirus works

Antivirus software typically uses a variety of strategies to identify and remove viruses, worms and other malicious programs. The following are the two most widely used methods of identification:

1. Signature-based detection approach (Dictionary)

This is the most commonly used method, and it involves searching a given file for known patterns of virus code. Every antivirus product has a dictionary of sample malware code, called signatures, in its database. Whenever a file is examined, the antivirus consults the dictionary of sample code in its database and compares it with the current file. If a piece of code within the file matches an entry in the dictionary, the file is identified as infected and action is taken immediately to prevent the virus from replicating further. The antivirus may choose to repair the file, quarantine it or delete it permanently, depending on its potential risk.

Since new viruses and malware are created and released every day, this method of detection cannot defend against new malware until samples are collected and signatures are released by the antivirus vendor. Some vendors also encourage users to upload new viruses or variants so that the virus can be analyzed and its signature added to the dictionary.

Signature-based detection can be very effective, but it requires frequent updates of the virus signature dictionary. Users therefore have to update the antivirus software on a regular basis in order to defend against the new threats that are released daily.
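The dictionary lookup described above, as an added example that is not part of the original post: a minimal signature scanner that keeps a small dictionary of signatures (either a whole-file SHA-256 hash or a byte pattern), scans a directory, and picks an action (repair, quarantine or delete) from the signature's risk level. All signatures and sample files here are constructed for illustration, except the EICAR string, which is the public, harmless industry test pattern.

```python
"""Toy signature-based (dictionary) scanner. Added example, not code from
the original post; signature names, risk levels and sample files are
constructed, except the EICAR test string, which is the public test pattern."""
import hashlib
from dataclasses import dataclass
from pathlib import Path
from typing import Optional

# EICAR standard antivirus test string: a public, harmless test pattern.
EICAR = b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"


@dataclass(frozen=True)
class Signature:
    name: str
    risk: str              # "low", "medium" or "high"
    pattern: bytes = b""   # byte substring to search for, if any
    sha256: str = ""       # whole-file SHA-256 hex digest to compare, if any


# Constructed signature dictionary. The hash entry is the SHA-256 of the
# constructed "dropper" body used in the demo below; the stub bytes are made up.
DICTIONARY = [
    Signature("EICAR-Test-File", "low", pattern=EICAR),
    Signature("Example.Dropper.A", "high",
              sha256=hashlib.sha256(b"constructed dropper body").hexdigest()),
    Signature("Example.Stub.B", "medium", pattern=b"\x90\x90\xeb\x10CONSTRUCTED-STUB"),
]

# The action taken on a match depends on the signature's risk level.
ACTION_BY_RISK = {"low": "repair", "medium": "quarantine", "high": "delete"}


def scan_bytes(data: bytes) -> Optional[Signature]:
    """Return the first matching signature, or None if the dictionary has no entry."""
    digest = hashlib.sha256(data).hexdigest()
    for sig in DICTIONARY:
        if sig.sha256 and sig.sha256 == digest:
            return sig
        if sig.pattern and sig.pattern in data:
            return sig
    return None


def scan_file(path: Path) -> dict:
    """Scan one file and report status plus the action chosen for its risk level."""
    sig = scan_bytes(path.read_bytes())
    if sig is None:
        return {"path": str(path), "status": "clean", "action": "none"}
    return {"path": str(path), "status": "infected",
            "signature": sig.name, "action": ACTION_BY_RISK[sig.risk]}


def scan_directory(root: Path) -> list:
    """Scan every regular file below root, in a stable order."""
    return [scan_file(p) for p in sorted(root.rglob("*")) if p.is_file()]


if __name__ == "__main__":
    import tempfile
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "eicar.com").write_bytes(EICAR)               # matches by pattern
        (root / "notes.txt").write_bytes(b"just a text file")  # no entry: passes
        (root / "dropper.bin").write_bytes(b"constructed dropper body")  # matches by hash
        for result in scan_directory(root):
            print(result)
```

Two points the block makes concrete: a file the dictionary has never seen (`notes.txt`) passes as clean, which is exactly the gap the paragraph describes for newly released malware, and a hash signature breaks as soon as a single byte of the sample changes, which is why vendors pair hashes with byte patterns. Note that writing the EICAR string to disk is expected to trigger any real antivirus running on the host; that is what the test pattern is for.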

2. Heuristic-based detection approach (suspicious behavior)

Heuristic-based detection involves identifying suspicious behavior in a given program that might indicate a potential risk. This approach is used by some of the more sophisticated antivirus software to identify new malware and variants of known malware. Unlike the signature-based approach, here the antivirus does not attempt to identify known viruses but instead monitors the behavior of all programs.

For example, harmful behavior such as a program attempting to write data to an executable file is flagged and the user is notified of this action. This detection method provides an additional level of protection against unidentified threats.

File emulation: This is another type of heuristic approach, in which the program is run in a virtual environment and the actions it performs are logged. Based on the logged actions, the antivirus software can determine whether the program is malicious and take the necessary action to remove the infection.

Most commercial antivirus software uses a combination of both approaches, signature-based and heuristic-based, to combat malware.
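The behavior-based and emulation approaches in the two sections above, as an added example that is not part of the original post: a toy classifier that takes the action log an emulator would produce while running a sample, applies weighted rules such as "writes to an executable file" and "executes a file it wrote earlier", and reports a verdict with the rules that fired. The log format, rule names, weights, thresholds and the three sample logs are all constructed here.

```python
"""Toy behavior-based (heuristic) classifier over an emulation action log.
Added example, not code from the original post; rules, weights, thresholds
and the sample logs are constructed for illustration."""
from dataclasses import dataclass
from typing import Callable, List


@dataclass(frozen=True)
class Action:
    op: str      # "file_read", "file_write", "reg_set", "net_connect", "proc_create"
    target: str  # file path, registry key, host:port or executable path


@dataclass(frozen=True)
class Rule:
    name: str
    weight: int
    matches: Callable[[List[Action]], bool]


EXEC_SUFFIXES = (".exe", ".dll", ".sys", ".scr")


def writes_executable(log: List[Action]) -> bool:
    """The example from the post: writing data into an executable file."""
    return any(a.op == "file_write" and a.target.lower().endswith(EXEC_SUFFIXES)
               for a in log)


def sets_autorun(log: List[Action]) -> bool:
    """Registers itself to start with the user session."""
    return any(a.op == "reg_set" and "\\currentversion\\run\\" in a.target.lower()
               for a in log)


def writes_then_runs(log: List[Action]) -> bool:
    """Order-dependent rule: executes a file it wrote earlier in the same run."""
    written = set()
    for a in log:
        if a.op == "file_write":
            written.add(a.target.lower())
        elif a.op == "proc_create" and a.target.lower() in written:
            return True
    return False


RULES = [
    Rule("writes-to-executable", 40, writes_executable),
    Rule("sets-autorun-key", 30, sets_autorun),
    Rule("writes-then-executes", 30, writes_then_runs),
]


def classify(log: List[Action]) -> dict:
    """Sum the weights of the rules that fire and map the score to a verdict."""
    fired = [r.name for r in RULES if r.matches(log)]
    score = sum(r.weight for r in RULES if r.name in fired)
    if score >= 60:
        verdict = "malicious"
    elif score >= 30:
        verdict = "suspicious"
    else:
        verdict = "clean"
    return {"score": score, "verdict": verdict, "rules": fired}


# Constructed emulation logs (paths and hosts are made up).
BENIGN_TOOL = [
    Action("file_read", r"C:\Users\demo\setup.cfg"),
    Action("file_write", r"C:\Users\demo\Documents\report.txt"),
    Action("net_connect", "update.example.test:443"),
]
LEGIT_INSTALLER = [
    Action("file_write", r"C:\Program Files\Tool\tool.exe"),
    Action("file_write", r"C:\Program Files\Tool\readme.txt"),
]
SUSPECT_SAMPLE = [
    Action("file_read", r"C:\Windows\System32\notepad.exe"),
    Action("file_write", r"C:\Windows\System32\notepad.exe"),
    Action("reg_set", r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater"),
    Action("file_write", r"C:\Users\demo\AppData\Local\Temp\upd.exe"),
    Action("proc_create", r"C:\Users\demo\AppData\Local\Temp\upd.exe"),
]

if __name__ == "__main__":
    for name, log in [("benign tool", BENIGN_TOOL), ("legit installer", LEGIT_INSTALLER),
                      ("suspect sample", SUSPECT_SAMPLE)]:
        print(name, classify(log))
```

Nothing here depends on a signature, so a sample nobody has seen before can still be flagged, which is the protection the section claims. The trade-off is visible in the `LEGIT_INSTALLER` log: a genuine installer also writes executables and lands in "suspicious", so real products tune weights and whitelist known installers to keep false positives down, and the order-dependent `writes_then_runs` rule shows why a logged sequence of actions (file emulation) carries more information than any single action on its own.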

Issues of interest

Zero-day threats: A zero-day (zero-hour) threat or attack is one in which malware exploits vulnerabilities in computer applications that have not yet been identified by the antivirus vendor. These attacks can damage your computer before they are identified. Since no patches have been released for such new threats, they can easily bypass the antivirus software and perform malicious actions. Most threats are identified within a day or two of their release, but the damage they cause before they are first identified is largely unavoidable.

Daily Updates: Since new viruses and threats are released every day, it is essential to update your antivirus software to keep your virus definitions up-to-date. Most software will have an automatic update feature so that the virus definitions are updated every time the computer is connected to the Internet.

Effectiveness: Although antivirus software can catch almost all malware, it is not yet 100% safe against all kinds of threats. As explained above, a zero-day threat can easily bypass the protective shield of the antivirus software. Virus authors have also tried to stay a step ahead by writing "oligomorphic", "polymorphic" and, more recently, "metamorphic" virus code, which encrypts parts of itself or otherwise modifies itself as a method of disguise so that it does not match the virus signatures in the dictionary.

Thus user education is as important as antivirus software: users must be trained to practice safe surfing habits, such as downloading files only from trusted sites and not blindly executing a program that is unknown or obtained from an untrusted source.
