How Does Antivirus Software Work?


A critical component of cybersecurity is antivirus software, and most people generally understand why antivirus software is necessary. But not many people are actually aware of how antivirus software works, and how it fights threats to keep users protected.

Here at AV-Best, we compare many of the top antivirus software to inform consumers which products offer the best protection and security tools for your money. The landscape of malware threats has changed considerably over the years, and so antivirus products have evolved as well.

Many companies offer additional security features such as VPNs, password vaults, sandbox environments, and other ways of keeping a user safe. But in the end, the main defense is strong antivirus protection, and in this article we are going to explain exactly how antivirus software works.

This information will be relevant to most companies, as not all antivirus products use a traditional approach to virus scanning, but we will explain the most popular methods antivirus software use to combat threats.

Signature-based detection

Generally speaking, antivirus software uses two primary forms of threat detection. The first is signature-based detection, which basically means the antivirus will check files and apps for known virus behavior. When you launch files and apps, the antivirus quickly scans the instructions being sent to the computer, to see if the file is trying to run any code that is a signature of known viruses.

Signature databases are usually stored locally, but many antivirus companies are beginning to store their virus signature databases in the cloud. This is because people do not always keep their signature definitions up to date, and the cloud offers a much faster, more convenient way of delivering the latest virus definitions to the end-user.

It also allows the end-user to send virus information back to the company to be disseminated to the rest of the user-base much faster, but we’ll touch on that later.

Heuristic analysis

The second form of protection is known as heuristic analysis. What this basically means is that when a file or application is launched, the antivirus software scans it for virus-type behavior. So even if an application does not contain any known virus signatures, the antivirus software will still flag it if the app performs behavior similar to a virus.

For example, if an app tries to launch a background command prompt and run commands that alter critical system files, this is obviously a huge red flag. This is how the virus signature database is updated often, especially cloud-based signature databases. With so many new malware being released every day, companies rely on heuristic scanning results from the end-user to discover these new threats, and add them to the database.

This is a powerful form of keeping all users safe. For example, if someone in South Korea downloads a previously unknown malware, which is caught by the antivirus software’s heuristic analysis, pretty much everyone around the world is now protected from that same malware threat, as it gets added to the signature database.

Other forms of protection

Signature databases and heuristic analysis are the most immediate methods of antivirus protection, but modern antivirus software is using many other approaches to protecting the end-user. This is because in the modern age, malware infection methods have evolved. In the early days of the internet, many viruses were spread via malicious software downloads, or email attachments. That hasn’t changed, as you can still find many websites serving up infected downloads, especially websites that offer illegally pirated software.

However, manually launching infected files is no longer the primary threat. Nowadays, many malware threats can actually come through just the mere act of visiting infected websites, typically through scripts and plug-ins that exploit security holes in the browser, or common browser plug-ins such as JavaScript and Flash.

For example, imagine you’re surfing the web without any form of antivirus protection. You visit a website for pirated software, but do not actually download anything. Yet somehow, your computer still becomes infected with malware. This is because malware can be delivered through malicious scripts, and even banner advertisements, running on the website. Yes, malware can absolutely be embedded in banner advertisements, a practice known as malvertising.

This is why most antivirus companies are offering additional forms of protection beyond traditional local scanning. Ad blocking, VPNs, and live site scanning all serve to protect the user while surfing the web. In some cases, this has a very slight impact on the speed of loading webpages. You might have a 50Mbps fibre connection, yet websites don’t immediately load.

This is because the antivirus software is scanning the website for hidden scripts being executed, and loads the website fully only after it has passed the check. To give you a common example, cryptojackers became extremely popular in recent years. Cryptojackers are website scripts that attempt to hijack your computer’s resources, notably the CPU, to mine cryptocurrency.

So if you visit a shady website and notice your CPU usage suddenly spikes extremely high for no apparent reason, it’s a good sign the website is running some kind of cryptojacker script.

Why false flags happen in antivirus software

False flags or false positives in antivirus software is when a file or application is detected by the antivirus as being a threat, when it really isn’t. Some antivirus products put out a lot more false flags than others, and we’re going to explain why. It generally boils down to the antivirus software’s security settings, and overall sensitivity to what the company considers “virus type behavior”.

So for example, let’s say you download software for the express purpose of modifying key Windows files, for theming the entire Windows GUI. Not just new mouse cursors and wallpaper, there are softwares that allows you to completely change the look of task bars, the Start menu, etc.

When you run these programs that attempt to modify or alter important Windows files, the antivirus software immediately detects this as a threat, and quarantines (or completely removes) the offending software, to the chagrin of the end-user.  As we said, this is because some antivirus software is configured to have very strict security out-of-the-box.

The user, of course, typically always has control over the security settings, and can even add files and folders to the antivirus’ Whitelist, which basically instructs the antivirus software to ignore those files and folders during scans.

Advertiser Disclaimer: We are a professional review site that receives compensation from the companies whose products we review. We test each product thoroughly and give high marks to only the very best. We are independently owned and the opinions expressed here are our own. We are not responsible for direct, indirect, incidental or consequential damages resulting from use of any antivirus software and/or this website.