What is Antivirus Software and How does it Work?


Antivirus is the main line of defense between your computer and malware infections. Most people simply let antivirus run quietly in the background, self-update when necessary, and perform scheduled scans. That’s all well and good. But you can get much more out of your antivirus protection by knowing how it actually works. There’s certainly nothing wrong with letting antivirus software do its own thing. However, when you know how and why antivirus software works, you’ll be able to fine-tune its settings much better to your particular needs.

You’ll also be able to determine if there are certain functions or features of antivirus software you don’t actually need. While many people can be tempted to subscribe to the highest tier plan an antivirus software offers, or perhaps just go for the most basic protection available, you’ll be able to narrow your choices down a lot better once you have an understanding of what particular features actually do for you.

Once you are more familiar with basic antivirus functions, you can more easily follow along with some of the antivirus reviews at AV-Best, which compares some of the most popular antivirus products and what they offer the consumer. With all of that said, let’s get into how antivirus software actually works. There are two main methods antivirus software uses to protect the user from malware.

    • Signature-based detection
    • Heuristic analysis


We’ll explore both of these deeper, but the gist is, signature-based detection scans files for known threats. It’s like a trespass ban list at a theme park, where specific names of people are recorded for denial of entry. Heuristic analysis scans files for known virus behavior.

Going on the theme park analogy, heuristic analysis is like searching for people on the banned list, even if they’re wearing a fake mustache and eyeglasses. Those are vast simplifications of signature-based detection and heuristic analysis, just to give you a basic idea, so now we’ll jump into describing them in more expansive terms.

What is signature-based detection?

As we said, signature-based detection compares files against the antivirus software’s signature database. If a match is found, the file will immediately be quarantined (in most cases – it depends on your software settings). Of course, it’s not actually the “files” themselves that are looked up in the antivirus database.

It’s not like the antivirus database is a big list of filenames, so that anything named “BigScaryVirus.exe” is automatically quarantined. What signature-based detection actually looks for is the code a file attempts to execute. Because viruses are simply strings of code (instructions) sent to the computer, the antivirus software tries to determine what actions a file would perform when it is launched.

This can range from things such as trying to run administrative commands in the background, to contacting known malicious web servers, and trying to run scripts to install unwanted programs.

What is heuristic analysis?

As we said earlier in this article, if signature-based detection is the banned list at a theme park, heuristic analysis is detecting the banned people who try to sneak in wearing a fake mustache. How this actually works in antivirus software is that, when a file is scanned, it may not contain any “known” virus code patterns.

It is not an immediately recognizable threat. However, it may contain suspicious code patterns, such as a script that attempts to alter critical Windows files, in typical virus fashion. Heuristic analysis thus opens the file in a sandbox scenario, to see what would happen if it actually allowed the program to run.

Because the program is not allowed to escape the virtual sandbox, any potentially malicious code is not allowed to actually run on the system itself. Aside from the sandbox, a more recent approach to heuristic analysis utilizes machine learning and data mining. In this method, algorithms can be applied to classify the behavior of a file, by extracting certain file features from the file itself.

Configuring antivirus security is tricky business

While we’re making the process sound rather simple, antivirus software developers must actually take special care to balance the sensitivity of their heuristic analysis. If it’s too weak, it will obviously let viruses pass through. But if it’s too strong, it will raise false positives on files that don’t actually contain any viruses.

Some companies take the approach of stronger security is better, and thus some antivirus software may have a tendency to give more false positives. Other companies don’t want to inconvenience the user, and may have more relaxed security settings. It’s truly a difficult balancing act.

As a specific example, imagine you download a program for completely altering the appearance of the Windows Start menu. This program allows you to add custom graphics to the Windows GUI, creating a completely unique user experience. Now, because this tool will alter and modify Windows system files, some antivirus software will actually detect it as a threat, and possibly quarantine (or automatically delete) the program.

I personally use one such program, for modifying my entire Windows system with a black theme. So as we said, it’s difficult for antivirus software developers to fine-tune and balance their heuristic analysis, without inconveniencing the user and giving too many false positives. Of course, the user can always manually adjust the overall security settings of their antivirus software, and even add specific files and folders to the antivirus software’s whitelist, so that the antivirus will completely ignore those files and folders.
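To make the three ideas above concrete (a signature lookup, a heuristic score with a sensitivity threshold, and a user whitelist), here is an added toy scanner; it is illustration code written for this page, not code from any antivirus product, and every signature, feature weight and sample file in it is constructed.

```python
# Added illustration (not from the original article): a toy scanner contrasting
# signature matching with heuristic scoring, a threshold, and a user whitelist.
import hashlib

# Constructed "signature database": SHA-256 hashes of known-bad file contents.
KNOWN_BAD = {hashlib.sha256(b"drop_malicious_payload()").hexdigest()}

# Constructed heuristic features and weights (higher = more suspicious).
FEATURE_WEIGHTS = {
    b"modify_system_file": 3,
    b"contact_remote_host": 2,
    b"run_as_admin": 2,
    b"install_program": 1,
}

def signature_match(data: bytes) -> bool:
    """Exact lookup in the signature database; nothing about behaviour."""
    return hashlib.sha256(data).hexdigest() in KNOWN_BAD

def heuristic_score(data: bytes) -> int:
    """Sum the weights of suspicious features present in the file contents."""
    return sum(w for feat, w in FEATURE_WEIGHTS.items() if feat in data)

def scan(name, data, threshold, whitelist=frozenset()):
    """Return 'allowed', 'quarantined:signature' or 'quarantined:heuristic'."""
    if name in whitelist:          # user-approved files are skipped entirely
        return "allowed"
    if signature_match(data):      # known threat: no behaviour check needed
        return "quarantined:signature"
    if heuristic_score(data) >= threshold:   # sensitivity knob lives here
        return "quarantined:heuristic"
    return "allowed"

# Constructed samples: a known-bad file, a variant the signature misses, and
# the legitimate Start-menu theming tool from the article (both score 4).
KNOWN_VIRUS = b"drop_malicious_payload()"
VARIANT = b"contact_remote_host; run_as_admin"      # "fake mustache" variant
THEME_TOOL = b"modify_system_file; install_program"  # legitimate tool

def demo(threshold, whitelist=frozenset()):
    """Scan all three samples at one heuristic sensitivity setting."""
    samples = [("virus.exe", KNOWN_VIRUS), ("variant.exe", VARIANT),
               ("theme.exe", THEME_TOOL)]
    return {n: scan(n, d, threshold, whitelist) for n, d in samples}

if __name__ == "__main__":
    print("strict  :", demo(4))                   # theme tool: false positive
    print("relaxed :", demo(5))                   # variant now slips through
    print("strict + whitelist:", demo(4, {"theme.exe"}))   # both resolved
```

Note that lowering the threshold flags the theme tool while raising it lets the variant through; whitelisting the one trusted file keeps the strict setting without the false positive, which is the trade-off the section describes.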

Real-time and Web Protection

While traditional malware typically came from infected files a user intentionally downloaded, such as an infected email attachment, the web has certainly evolved beyond that. In the modern age, a user can become infected in many different ways. Plugging an infected flash drive into your computer is a common one, as malware can automatically detect when flash drives are plugged into the computer, and copy itself between drives.

Users can also become infected simply by surfing the web without adequate real-time protection. Cybercriminals have become sophisticated enough to embed malicious scripts in website code, and even banner ads, that can take advantage of security holes in the user’s browser software. 2016 saw the rise of cryptominer scripts, where simply visiting a website hosting one of these scripts could hijack your CPU power for mining cryptocurrency.

Nowadays, many malware threats can actually come through just the mere act of visiting infected websites, typically through scripts and plug-ins that exploit security holes in the browser, or common browser plug-ins such as JavaScript and Flash. There’s also been a large increase in social-media based malware, which are similar to the email-chain viruses of the early days of the internet.

You might receive a Facebook message from a friend (who is infected, and didn’t actually send you a message) containing a fake video. When you download the video, your computer becomes infected, and the malware forwards the video to everyone on your friends list. So modern antivirus software no longer relies on just local file scanning to protect the user, but also employs real-time web scanning, inspecting websites for malicious scripts and advertisements.

Advertiser Disclaimer: We are a professional review site that receives compensation from the companies whose products we review. We test each product thoroughly and give high marks to only the very best. We are independently owned and the opinions expressed here are our own. We are not responsible for direct, indirect, incidental or consequential damages resulting from use of any antivirus software and/or this website.