How Antivirus Works
If you own a Windows computer, it’s likely that you know how essential antivirus programs are. These powerful pieces of software detect viruses and perform a number of essential functions on your computer, but can sometimes be confusing to master. If you’ve ever wondered just how they detect those viruses, what they’re doing on your computer, or whether you need to manually run system scans yourself to make sure your software is working properly, read on!
Antivirus software performs on-access scanning (also called background scanning, real-time protection, resident scanning, etc., depending on the product you’re using), which scans every file you open to make sure it’s safe. Your software runs in the background, and while it seems as though every .EXE file opens instantly, what really happens is that your antivirus software checks the program first, comparing it to known viruses, worms, and other types of malware.
In addition to scanning the files you open, your antivirus software also performs “heuristic” checking – essentially, it checks your programs for “bad behavior” that could indicate a new virus it hasn’t seen yet.
Antivirus programs also have your back by scanning files that can contain viruses, like a .zip archive file (which could potentially have compressed viruses) or a Word document (which could contain a malicious macro). They’re scanned when they’re downloaded, and potentially scanned again when you try to use them, depending on the type of software you have.
While it’s possible to use your antivirus without enabling on-access scanning, we don’t recommend it. Viruses that exploit security holes in programs you use every day wouldn’t be caught by the scanner – and after a virus has infected your system it’s much harder to remove (and even harder to be sure that it’s been removed completely).
Because most antivirus software offers on-access scanning, it isn’t usually necessary to run full-system scans. As a general rule, your antivirus program should immediately notice any virus downloaded to your computer without you having to manually initiate a scan.
However, full-system scans can still be useful; they’re helpful when you’ve just installed a new antivirus program, ensuring that no viruses are lying dormant on your computer. Plus, many antivirus programs set up full-system scans on a regular schedule, usually once a week, which ensures that the latest virus definition files are used to scan your system for dormant viruses.
Full-system scans can also be helpful if you’re trying to repair a computer; if your computer is infected, you can connect its hard drive to another computer and perform a full-system scan from there to hopefully fix the problem. But as a general rule, you don’t usually have to run full-system scans yourself when your antivirus program is protecting you; it’s scanning in the background all the time, as well as doing its own regular full-system scans.
Your antivirus software relies on virus definitions to detect malware, which is why it will automatically download new, updated definition files, often at least once a day – and sometimes more.
These definition files contain signatures for viruses and other malware that have been encountered “in the wild” – in other words, online. When your antivirus program scans a file and notices it matches a known piece of malware, it will stop the file from running and put it into “quarantine.” Depending on your program’s settings, your antivirus may either automatically delete the file – or, if you’re confident that it’s been flagged incorrectly, you may be able to allow the file to run normally.
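The definition-file matching and the quarantine decision described above, as an added example that is not code from the original article or from any antivirus vendor. Everything in it is constructed: the signature names, the byte patterns, the hash entry and the sample files are all invented for the example, and real definition files are far larger and use richer pattern formats. It also shows the user-side override mentioned above: a file the user has decided was flagged incorrectly is allowlisted by its hash, so the next scan lets it run.

```python
"""Toy signature-based scanner with quarantine and a user allowlist.

Constructed example (not any vendor's engine): real definition files hold
millions of entries in richer formats, but the matching and the quarantine
decision work along these lines.
"""
import hashlib
from dataclasses import dataclass
from typing import Dict, Optional

# Constructed "definition file": byte-pattern signatures. Real patterns are
# chosen from the malware's own code so that benign files rarely contain them.
PATTERN_SIGNATURES: Dict[str, bytes] = {
    "Test.Worm.Alpha": b"ALPHA-PAYLOAD-v1",     # constructed pattern
    "Test.Macro.Beta": b"AutoOpen\x00Shell(",  # constructed pattern
}

# Constructed full-file hash signature: SHA-256 of one known-bad sample.
KNOWN_BAD_SAMPLE = b"\x4d\x5a constructed known-bad sample gamma"
HASH_SIGNATURES: Dict[str, str] = {
    hashlib.sha256(KNOWN_BAD_SAMPLE).hexdigest(): "Test.Trojan.Gamma",
}


@dataclass
class ScanResult:
    path: str
    verdict: str               # "clean", "quarantined" or "allowed"
    match: Optional[str] = None


class Scanner:
    def __init__(self, patterns, hashes, allowlist=()):
        self.patterns = patterns
        self.hashes = hashes
        # Hashes the user explicitly allowed after deciding a detection was a
        # false positive; keyed by hash so a changed file is checked again.
        self.allowlist = set(allowlist)
        self.quarantine: Dict[str, bytes] = {}

    def scan(self, path: str, data: bytes) -> ScanResult:
        digest = hashlib.sha256(data).hexdigest()
        match = self.hashes.get(digest)
        if match is None:
            # Byte-pattern match: a substring search over the file contents.
            match = next((name for name, pat in self.patterns.items() if pat in data), None)
        if match is None:
            return ScanResult(path, "clean")
        if digest in self.allowlist:
            return ScanResult(path, "allowed", match)
        # Default action: stop the file from running by moving it to quarantine.
        self.quarantine[path] = data
        return ScanResult(path, "quarantined", match)


# Constructed files to scan (contents embedded so the example runs offline).
SAMPLE_FILES = {
    "notes.txt": b"quarterly notes, nothing unusual here",
    "worm.exe": b"\x4d\x5a\x90\x00" + b"\x00" * 8 + b"ALPHA-PAYLOAD-v1",
    "report.docm": b"PK\x03\x04vbaProject.bin AutoOpen\x00Shell(\"cmd\")",
    "gamma.exe": KNOWN_BAD_SAMPLE,
    # A tool that happens to contain the Beta pattern but that the user trusts.
    "macro_tool.exe": b"\x4d\x5a documentation: AutoOpen\x00Shell( is a macro entry point",
}


def run_demo() -> Dict[str, str]:
    """Scan the constructed files; returns path -> verdict."""
    allowed = hashlib.sha256(SAMPLE_FILES["macro_tool.exe"]).hexdigest()
    scanner = Scanner(PATTERN_SIGNATURES, HASH_SIGNATURES, allowlist=[allowed])
    results = {path: scanner.scan(path, data) for path, data in SAMPLE_FILES.items()}
    for r in results.values():
        print(f"{r.path:16} {r.verdict:12} {r.match or ''}")
    return {p: r.verdict for p, r in results.items()}


if __name__ == "__main__":
    run_demo()
```

Hash signatures are exact and cheap but miss any file that differs by a single byte, which is why definition files also carry byte patterns taken from the malware's own code; the allowlist is keyed by hash for the opposite reason, so that an edited copy of a trusted file does not inherit the exemption.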
Antivirus companies keep up-to-date with the latest pieces of malware, releasing definition updates to ensure that their programs can catch all the latest viruses. Their labs use a variety of tools to disassemble the viruses, run them in sandboxes, and release timely updates to keep you protected.
In addition to their virus definitions, antivirus programs also use heuristics, which allow them to identify new or modified types of malware even without virus definition files. For example, if your antivirus program notices that a program running on your system is trying to open every .EXE file you have and infect it by writing a copy of the original program onto it, your antivirus program can identify the original program as a new, unknown type of virus.
However, no antivirus program is perfect, and heuristics can’t be too aggressive – otherwise, they’d constantly flag legitimate software as viruses.
Because there’s a truly huge amount of different files and software available online, it’s entirely possible that your antivirus program may occasionally flag a file as a virus when it’s actually completely safe. This is known as a “false positive,” and can even be caused by the antivirus companies themselves, when they flag Windows system files, popular third-party programs, or even their own antivirus program files as viruses.
Unfortunately, these false positives can damage users’ systems, and such mistakes generally end up in the news – like when Microsoft Security Essentials identified Google Chrome as a virus, Sophos identified itself as malware, or AVG damaged 64-bit versions of Windows 7. And, while heuristics are used to increase your protection, they can also increase the rate of false positives; your antivirus may notice a program is behaving similarly to a malicious program and identify it as a virus.
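The behavioral heuristic sketched above (a program opening existing .EXE files and writing copies of itself over them) and the false-positive trade-off of the last two paragraphs, as one added example that is not code from the original article or from any antivirus product. The event log, the indicator names, the weights and the two thresholds are all constructed for the example; a real engine takes its events from file-system and registry monitoring and tunes its weights against large sample sets. The point it shows is that the same scoring catches the file infector at either threshold, but the aggressive threshold also flags an ordinary installer.

```python
"""Toy behavioral heuristic with a detection threshold.

Constructed example (not any vendor's engine): it scores each process on a
few behaviors a file infector shows, then shows how the threshold trades
detection against false positives.
"""
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed event log: (process, action, target). A real engine gets these
# from file-system and registry monitoring hooks rather than a static list.
EVENTS: List[Tuple[str, str, str]] = [
    ("photo_viewer.exe", "open", r"C:\Users\me\Pictures\beach.jpg"),
    ("photo_viewer.exe", "write", r"C:\Users\me\Pictures\beach_edited.jpg"),
    # File-infector pattern: open existing programs, then write over them.
    ("infector.exe", "open", r"C:\Program Files\App1\app1.exe"),
    ("infector.exe", "write", r"C:\Program Files\App1\app1.exe"),
    ("infector.exe", "open", r"C:\Program Files\App2\app2.exe"),
    ("infector.exe", "write", r"C:\Program Files\App2\app2.exe"),
    ("infector.exe", "open", r"C:\Program Files\App3\app3.exe"),
    ("infector.exe", "write", r"C:\Program Files\App3\app3.exe"),
    # Legitimate installer: creates new executables and an autorun entry.
    ("setup.exe", "write", r"C:\Program Files\NewApp\newapp.exe"),
    ("setup.exe", "write", r"C:\Program Files\NewApp\updater.exe"),
    ("setup.exe", "registry", r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\NewApp"),
]

# Constructed weights: overwriting programs that already existed is the
# strongest indicator; writing executables or autorun keys is weaker because
# installers do it too.
WEIGHTS = {
    "writes_executable": 2,
    "overwrites_existing_executable": 5,
    "many_executable_targets": 3,
    "adds_autorun_entry": 2,
}


def score_processes(events) -> Dict[str, Dict[str, int]]:
    """Return {process: {indicator: weight}} for the indicators each process triggered."""
    opened = defaultdict(set)
    written_exe = defaultdict(set)
    overwrote = defaultdict(bool)
    autorun = defaultdict(bool)
    for proc, action, target in events:
        low = target.lower()
        if action == "open":
            opened[proc].add(low)
        elif action == "write" and low.endswith(".exe"):
            written_exe[proc].add(low)
            if low in opened[proc]:        # read an existing program, then wrote it back
                overwrote[proc] = True
        elif action == "registry" and "\\currentversion\\run\\" in low:
            autorun[proc] = True
    scores = {}
    for proc in {e[0] for e in events}:
        hit = {}
        if written_exe[proc]:
            hit["writes_executable"] = WEIGHTS["writes_executable"]
        if overwrote[proc]:
            hit["overwrites_existing_executable"] = WEIGHTS["overwrites_existing_executable"]
        if len(written_exe[proc]) >= 3:
            hit["many_executable_targets"] = WEIGHTS["many_executable_targets"]
        if autorun[proc]:
            hit["adds_autorun_entry"] = WEIGHTS["adds_autorun_entry"]
        scores[proc] = hit
    return scores


def flagged(events, threshold: int) -> List[str]:
    """Processes whose total score reaches the threshold, sorted by name."""
    return sorted(p for p, hit in score_processes(events).items() if sum(hit.values()) >= threshold)


if __name__ == "__main__":
    for proc, hit in score_processes(EVENTS).items():
        print(f"{proc:18} score={sum(hit.values()):2}  {', '.join(hit) or '-'}")
    print("aggressive (>=3):  ", flagged(EVENTS, 3))
    print("conservative (>=8):", flagged(EVENTS, 8))
```

With these weights the infector scores 10 and the installer 4, so a threshold of 3 produces the false positive and a threshold of 8 does not; lowering the threshold far enough to catch a weaker variant of the infector would start flagging installers again, which is the tension the text describes.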
Despite these details, false positives are generally fairly rare in normal use, and you should usually believe your antivirus if it says a file is malicious (unless you are absolutely certain it isn’t). If you’re not sure whether or not a file is actually a virus, you can try uploading it to VirusTotal – which is owned by Google – and allow it to scan the file with different antivirus products and tell you what each one says.
Different antivirus programs have different detection rates, which depend on both their virus definitions and their heuristics. Some companies have more effective heuristics and release more virus definition updates than their competitors, which results in higher overall detection rates.
There are several organizations that regularly test antivirus programs against each other, monitoring their detection rates in real-world use. AV-Comparatives is a site that regularly releases studies comparing the current state of antivirus detection rates. Detection rates tend to fluctuate over time, so there’s no one best product that’s consistently on top; if you really want to see exactly how effective your antivirus program is, or which are the best out there, detection rate studies are the place to go.
Cloud-based detection, another way antivirus software can protect you, identifies malware by collecting data from protected computers and analyzing it on the provider’s infrastructure instead of performing the analysis locally. This is usually done by capturing the relevant details about the file and the context of its execution on the endpoint and sending them to the cloud engine for processing, so the local antivirus only has to perform minimal processing.
In addition, the vendor’s cloud engine can derive patterns related to malware characteristics and behavior by correlating data from multiple systems, in contrast to other antivirus components, which base their decisions on locally observed attributes and behaviors. In essence, a cloud-based engine allows individual users of the antivirus to benefit from the experiences of other members in the community.
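The endpoint-to-cloud exchange and the cross-system correlation described in the two paragraphs above, as an added example that is not code from the original article or from any vendor’s cloud service. The endpoint sends only a file hash plus the behaviors it observed; the cloud side counts on how many endpoints the hash has been seen and on how many of them suspicious behavior was reported. The behavior labels, the prevalence threshold of 50 endpoints and the requirement for two corroborating reports are constructed assumptions for the example.

```python
"""Toy cloud reputation engine with endpoints that report and query.

Constructed example (not any vendor's service): endpoints send only a hash
and a little execution context; the cloud side correlates reports across
endpoints and hands back a verdict the local engine would otherwise have
to reach on its own.
"""
import hashlib
from collections import defaultdict
from typing import Dict, Iterable, Set

# Constructed behavior labels an endpoint might attach to a report.
SUSPICIOUS = {"overwrites_existing_executable", "disables_security_tools"}


class CloudEngine:
    def __init__(self, known_good_prevalence: int = 50, corroborating_endpoints: int = 2):
        self.seen_on: Dict[str, Set[str]] = defaultdict(set)      # hash -> endpoint ids
        self.bad_reports: Dict[str, Set[str]] = defaultdict(set)  # hash -> endpoints reporting bad behavior
        self.known_good_prevalence = known_good_prevalence
        self.corroborating_endpoints = corroborating_endpoints

    def report(self, endpoint_id: str, file_hash: str, behaviors: Iterable[str] = ()) -> str:
        """Record one endpoint's sighting (plus observed behaviors) and return a verdict."""
        self.seen_on[file_hash].add(endpoint_id)
        if SUSPICIOUS.intersection(behaviors):
            self.bad_reports[file_hash].add(endpoint_id)
        return self.verdict(file_hash)

    def verdict(self, file_hash: str) -> str:
        # Require corroboration from more than one endpoint so a single
        # mistaken report cannot block a file for the whole community.
        if len(self.bad_reports[file_hash]) >= self.corroborating_endpoints:
            return "malicious"
        if len(self.seen_on[file_hash]) >= self.known_good_prevalence and not self.bad_reports[file_hash]:
            return "known-good"
        return "unknown"  # local engine falls back to signatures, heuristics or a sandbox


class Endpoint:
    """Minimal local side: hash the file, ship hash plus context, act on the answer."""

    def __init__(self, endpoint_id: str, cloud: CloudEngine):
        self.id = endpoint_id
        self.cloud = cloud

    def check(self, data: bytes, observed_behaviors: Iterable[str] = ()) -> str:
        file_hash = hashlib.sha256(data).hexdigest()   # only the hash leaves the machine
        return self.cloud.report(self.id, file_hash, observed_behaviors)


def run_demo() -> Dict[str, str]:
    """Walk through the community effect; returns the verdict at each step."""
    cloud = CloudEngine()
    popular_tool = b"constructed widely installed utility"     # constructed sample
    new_sample = b"constructed sample nobody has seen before"  # constructed sample
    out = {}
    # 60 endpoints run the popular tool without incident: prevalence builds up.
    for i in range(60):
        out["popular_tool"] = Endpoint(f"ep-{i}", cloud).check(popular_tool)
    # The new sample appears on one endpoint; nothing is known about it yet.
    out["new_sample_first_sighting"] = Endpoint("ep-a", cloud).check(new_sample)
    # Two endpoints watch it overwrite existing programs and report that.
    Endpoint("ep-a", cloud).check(new_sample, {"overwrites_existing_executable"})
    out["after_one_bad_report"] = cloud.verdict(hashlib.sha256(new_sample).hexdigest())
    Endpoint("ep-b", cloud).check(new_sample, {"overwrites_existing_executable"})
    # A third endpoint that has observed nothing itself now gets the community verdict.
    out["new_sample_on_fresh_endpoint"] = Endpoint("ep-c", cloud).check(new_sample)
    for step, verdict in out.items():
        print(f"{step:30} {verdict}")
    return out


if __name__ == "__main__":
    run_demo()
```

The "unknown" verdict is the important one: the cloud engine does not replace the local components, it only answers quickly when the community already knows the file, and everything else still goes through the local signature, heuristic and sandbox checks.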
Sandbox detection functions similarly to behavior-based detection methods. In this detection mode, your antivirus software runs any potentially dangerous application it detects in a virtual environment, tracking how it behaves without giving it the ability to affect your computer. By doing this, your antivirus software can identify whether or not the program is malicious and react accordingly.
Data mining techniques
One of the latest trends in detecting malware, data mining uses a set of program features to help discover whether or not a program is malicious.
Though the approaches above are listed under individual headings, the distinctions between them are often blurred; for example, the terms “heuristics-based” and “behavioral detection” are often used interchangeably. These methods, along with signature detection, play an active role when your software tool incorporates cloud-based capabilities as well. To keep up with the ever-expanding flow of malware samples, antivirus vendors are required to incorporate multiple layers of protection into their tools – relying on a single approach is simply not a viable option any more.
Testing an antivirus program
If you’re not sure whether or not your antivirus software is working properly and you want to test it, you can use the EICAR test file. This is a standard way to test antivirus programs; while not actually dangerous, antivirus programs act like it is and treat it as they would an actual virus. This lets you make sure your antivirus program is working properly without having to risk using a live virus.
Do antivirus vendors write viruses?
There’s a conspiracy theory that antiviruses write viruses – it’s old, silly, and completely unfounded, the same as claiming that doctors create diseases or that police rob banks to make sure they still have job security.
There are literally millions of different types of malware, with tens of thousands of new threats discovered daily. If antivirus vendors were the only ones creating the malware, there’d be far less of it – none of the people in the antivirus industry is a glutton for punishment! It’s criminals and attackers who write and distribute malware and viruses, and antivirus vendor employees work long and hard to make sure you and your computer are kept safe from the onslaught.