How Antivirus Software Works

Due to the ever increasing threat from viruses and other malicious programs, almost every computer today comes with antivirus software pre-installed. In fact, antivirus has become one of the most essential software packages for every computer.

Even though almost all of us have antivirus software installed on our computers, only a few really bother to understand how it actually works. If you are one of those few who would like to understand how antivirus works, then this article is for you.

How Antivirus Works:

Antivirus software typically uses a variety of strategies for detecting and removing viruses, worms and other malware. The following are the two most widely employed identification methods:

1. Signature-based detection (dictionary approach)

This is the most commonly employed method. It involves searching a given file for known patterns of virus code. Every antivirus product keeps a dictionary of sample malware code fragments, called signatures, in its database. Whenever a file is examined, the antivirus compares the file's contents against the signatures in its dictionary. If a piece of code within the file matches one in the dictionary, the file is flagged and action is taken immediately to stop the virus from replicating further. Based on the potential risk, the antivirus may repair the file, quarantine it, or delete it permanently.

As new viruses and other malware are created and released every day, this method cannot defend against new malware until samples have been collected and signatures released by the antivirus vendor. Some vendors also encourage users to upload new viruses or variants so that they can be analyzed and their signatures added to the dictionary.

Signature-based detection can be very effective, but it requires frequent updates of the signature dictionary. Hence users must update their antivirus software regularly to defend against the new threats released daily.

2. Heuristic-based detection (suspicious behaviour approach)

Heuristic-based detection involves identifying suspicious behaviour in a given program that might indicate a potential risk. Some of the more sophisticated antivirus products use this approach to identify new malware and variants of known malware.

Unlike the signature-based approach, here the antivirus does not attempt to identify known viruses; instead it monitors the behaviour of all programs.

For example, a malicious behaviour such as a program trying to write data to an executable is flagged and the user is alerted to the action. This method of detection gives an additional level of security against unidentified threats.

File emulation: This is another heuristic-based approach in which a given program is executed in a virtual environment and the actions it performs are logged. Based on the logged actions, the antivirus software can determine whether the program is malicious and carry out the actions necessary to clean the infection.

Most commercial antivirus software uses a combination of signature-based and heuristic-based approaches to combat malware.
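Both strategies side by side, as an added example that is not part of the original article: a toy Python scanner with a constructed signature dictionary and constructed emulation log lines. The signature names, byte patterns, rule regexes, weights and threshold are all assumptions made for the demo.

```python
# Toy scanner combining the two approaches the article describes (added example,
# not the article's code): signatures, samples and action log are all constructed.
import hashlib
import re
from dataclasses import dataclass, field

# 1. Signature dictionary: byte patterns and whole-file hashes (constructed values).
BYTE_SIGNATURES = {"Demo.Dropper.A": rb"DEMO-MALWARE-MARKER-\d{4}"}  # regex over raw bytes
HASH_SIGNATURES = {
    hashlib.sha256(b"known bad sample (constructed)").hexdigest(): "Demo.Trojan.B",
}

# 2. Heuristic rules: suspicious actions recorded while the file runs in an emulator.
#    Each rule is (regex over one log line, weight); a total >= THRESHOLD is flagged.
HEURISTIC_RULES = [
    (re.compile(r"^WRITE .*\.exe$", re.I), 40),     # writing into an executable
    (re.compile(r"^REG_SET .*\\Run\\", re.I), 30),  # adding an autorun entry
    (re.compile(r"^COPY_SELF ", re.I), 30),         # self-replication
]
THRESHOLD = 50

@dataclass
class Verdict:
    malicious: bool
    reasons: list = field(default_factory=list)
    score: int = 0

def signature_scan(data: bytes) -> Verdict:
    """Dictionary approach: flag only when a known hash or byte pattern matches."""
    v = Verdict(False)
    name = HASH_SIGNATURES.get(hashlib.sha256(data).hexdigest())
    if name:
        v.malicious, v.reasons = True, [f"hash match: {name}"]
    for name, pattern in BYTE_SIGNATURES.items():
        if re.search(pattern, data):
            v.malicious = True
            v.reasons.append(f"byte signature match: {name}")
    return v

def heuristic_scan(action_log: list) -> Verdict:
    """Behaviour approach: score the logged actions against the rules."""
    v = Verdict(False)
    for line in action_log:
        for rule, weight in HEURISTIC_RULES:
            if rule.search(line):
                v.score += weight
                v.reasons.append(f"{line!r} (+{weight})")
    v.malicious = v.score >= THRESHOLD
    return v
```

A sample whose marker differs by one byte is missed by the signature scan but still scored by the behavioural rules, which is exactly the gap that makes frequent dictionary updates and heuristics complementary.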

Issues of Concern:

Zero-day threats: A zero-day (zero-hour) threat or attack is one where malware exploits application vulnerabilities that are not yet known to the antivirus vendors. Such attacks cause damage to the computer before they are identified. Since patches have not yet been released for these new threats, they can bypass the antivirus software and carry out malicious actions. Most such threats are identified within a day or two of their release, but the damage they cause before identification is largely unavoidable.

Daily updates: Since new viruses and threats are released every day, it is essential to update the antivirus software so that its virus definitions are kept up to date. Most products have an auto-update feature that refreshes the virus definitions whenever the computer is connected to the Internet.

Effectiveness: Even though antivirus software can catch almost every malware sample, it is still not 100% foolproof against all kinds of threats. As explained earlier, a zero-day threat can bypass the protective shield of the antivirus software. Virus authors have also tried to stay a step ahead by writing "oligomorphic", "polymorphic" and, more recently, "metamorphic" virus code, which encrypts parts of itself or otherwise modifies itself as a disguise so as not to match the signatures in the dictionary.

Thus user awareness is as important as antivirus software: users must be trained to practice safe surfing habits, such as downloading files only from trusted websites and not blindly executing a program that is unknown or obtained from an untrusted source. I hope this article has helped you understand how antivirus software works.

30 Comments

  1. Muralimohan.A.R
    January 18, 2011 at 9:55 PM

    Nice Post..

    Keep posting ..waiting for your next post…


  2. Alice
    January 19, 2011 at 7:17 AM

    Good article

    Keep it up, waiting for the next post.


  3. Sunny
    January 19, 2011 at 12:51 PM

    Dear Srikanth,

    I need some information from you. Which certification is globally recognized and carries weight in the field of hacking?

    This info. is very important for me. And I’ll be waiting for your reply.

    Thank You.


  4. Pankii
    January 19, 2011 at 2:46 PM

    Good…
    try to post some more new


  5. MORPHINE
    January 21, 2011 at 2:37 PM

    YOU CAN BYPASS ANTIVIRUS BY DIFFERENT METHODS…..
    THE BEST OF THEM ARE PROTECTORS, CRYPTING, BINDING OR HEXING(LITTLE BIT TOUGH)
    CRYPTERS HELP TO PROTECT THE VIRUS FILE BY PROVIDING FALSE CODE OR TRASH CODE TO THE ANTIVIRUS……..
    SO AS THE SAME FOR PROTECTORS.
    BINDERS HELP IN BINDING THE VIRUS WITH ANOTHER FILE…
    AND LAST BUT NOT THE LEAST IS HEXING using a aplit detect method. ANY ONE HAVING A GOOD KNOWLEDGE IN HEXING CAN EASILY BYPASS ANY ANTIVIRUS. BECAUSE ANTIVIRUS LOOKS FOR A SPECIFIC SIGNATURE IN THE VIRUS.. IF SOMEONE EDIT IT THEN ITS ALMOST IMPOSSIBLE TO DETECT..

    BUT AGAIN THERE ARE VARIOUS WAYS TO DETECT THEM…. :)


  6. Brad
    January 22, 2011 at 10:48 PM

    Hello sir, I am a great fan of yours. I just wanted to know about these GPRS tricks and how we can get them. I am an Aircel user from UP, so I would prefer a trick for free internet for Aircel.


  7. rida
    January 22, 2011 at 11:04 PM

    thank you !!!
    but please post a detailed description of "protector", "crypting", "binding" and "hexing"

    please
    thank in advance


  8. Mars M
    January 23, 2011 at 7:18 PM

    Very nice post.
    Thanks for your post.

    Mars M


  9. Apsara Khan
    January 28, 2011 at 5:12 PM

    What a great post well Srikanth i have learned a lot of things from your website and i hope that many people loves you.I want to share a newly born hacking blog here and that is http://www.ehacking.net This is also a great website.

    Regards


  10. Satyajit@SecurityHunk
    January 29, 2011 at 9:26 PM

    You have written nicely…i really liked the post..could have added more.. :)


  11. COOL
    February 9, 2011 at 6:55 PM

    NICE POST. THANKS FOR POSTING


  12. husam
    February 19, 2011 at 7:11 PM

    hi, thanks for this article

    i'm wondering what is the best anti-virus on the internet?


  13. naresh twanabasu
    February 23, 2011 at 8:56 AM

    very nice article
    it would be better if the working techniques were given in a more advanced form with details


  14. atul
    March 1, 2011 at 2:10 PM

    good posting thanks !!!


  15. Manish
    March 12, 2011 at 1:13 PM

    Avast rokzz……


  16. Mayuresh
    March 18, 2011 at 8:02 AM

    good! keep it up!


  17. shoonya
    March 24, 2011 at 10:41 AM

    Nice article. But, I just have one small thing to say. When you mention every computer, please be specific and mention it as “every windows pc/computer”. I think that will be more appropriate.


  18. sri
    April 27, 2011 at 11:25 AM

    dude is there any software that makes a CD or DVD uncopyable? plz reply me plzz


  19. siva_phd9
    May 30, 2011 at 3:29 PM

    A very good article. Your presentation is in a nutshell.


  20. pj
    July 2, 2011 at 7:30 PM

    good information…thanks


  21. Kubler
    July 14, 2011 at 12:41 AM

    Hello. Can you tell me about some similar antivirus tests that are used on Linux and other Unix-like systems?
    Thank you


  22. The Nev
    July 14, 2011 at 2:14 AM

    Hey, cool; good information to know.


  23. Manish Kumar
    March 29, 2012 at 9:45 PM

    Yaha…Mr Srikanth..You are a very dedicated man…..I have learned many things and to do something well……I want to share a website similar to yours……
    http://www.dailyhackingtips.com/


  24. Bholi@ unlocked cell phones
    April 5, 2012 at 4:33 AM

    Good Article….)


  25. saad saleem
    September 9, 2012 at 3:53 PM

    thanks for sharing this information……..


  26. sudee
    September 16, 2012 at 10:38 PM

    sir please give me ur email address, i have many doubts, i hope u will clear my doubts, thanks in advance


  27. sudee
    September 17, 2012 at 11:30 AM

    sir can u tell me how to install turbo c for windows 7


  28. arun
    December 7, 2012 at 9:41 AM

    hello friends … pls help me and let me know from where i can get source code for making antivirus software..


  29. Sac
    March 27, 2013 at 5:36 PM

    Hi Srikant,

    thanks for such a nice article.

    Also, if you can tell about hexing, as the encoders or encrypters available publicly are easily detectable by AV. Could you please help.


  30. naveen rs
    February 12, 2014 at 9:48 PM

    thank you

