https://www.malwarefox.com/how-antivirus-works/
It stands to reason, then, that antivirus programs are some of the most advanced security software available these days. Most of these offer advanced features to stop viruses and worms from getting into your system and causing harm.
Here’s a detailed look at how antivirus software works, and how it stands guard to protect your PC or mobile device from these malicious and menacing threats.
What Exactly is Antivirus Made of?
Think of antivirus software as the penicillin of the Computer world.
These applications may look lightweight, and function in the background, but are built on some of the most advanced computing and security technologies available. They have to be, considering the continually evolving threats of advanced malware these days.
Viruses and worms exhibit powerful combinations of infection techniques. Tackling them doesn't only require a better understanding of these threats, but also a layered approach to security.
The diversity of malware and the inventiveness of its authors means that a specimen occasionally finds its their way around antivirus programs.
Almost all good antivirus programs employ several protective measures to reliably block malware attacks — even if one mechanism is bypassed, the other ones still have a chance to stop the infection.
The applications themselves range in ability. Some are designed to protect a single computer at a time, while others are designed for servers. There are even antivirus programs specifically designed to take on enterprise class networks.
But regardless of the scope of coverage, the underlying mechanisms of an antivirus package remain mostly the same. It actively scans files that are introduced to a system, relying on a method to identify potentially hazardous files. This is called signature detection.
Basically, antivirus applications maintain a database of known viruses and compare the scanned files to that database in order to find out whether the characteristics match. If they do, the file is quarantined, which is to say that it is moved to a new, safe location and renamed, so that it does not affect other files on the system.
In addition to signature detection, antivirus programs also attempt to identify suspicious behavior on a system. This ranges from making suspicious registry entries, or adding items to a list that executes automatically upon system startup.
This approach is what helps protect against encrypted viruses, or viruses that are yet to be identified.
That’s the long and short of it, a basic overview of how this type of software works. But as noted above, these security solutions also come with a bunch more advanced detection capabilities and clean up techniques that help them protect against more advanced and stealthier threats.
How an Antivirus Program detects Infection?
In an attempt to protect itself, modern malware threats employ several techniques to avoid detection and elimination.
It is these self-preservation methods that antivirus programs need to guard against, in order to protect a system or a network.
Malicious software can also mutate, making it difficult to create a signature. And worse yet, there is malware that also actively attacks antivirus software and personal firewalls to terminate their processes, and prevent their launch.
All of this, ultimately, makes detection extremely important. Timely detection, at that, in order to prevent the spread of viruses and worms, and limit their destruction before it begins. This is where the advanced complexity of modern antivirus comes into play.
That simple antivirus program you see? It may not look like it, but the program comes with some serious magic on the backend, that allows it to quickly and accurately detect any type of malware before things get out of hands.
It can protect your devices from threats like viruses and worms, trojan horses and dialers, adware and spare, ransomware, browser helper objects, keyloggers, backdoors, rootkits. And not just that, some solutions also bring along protection against spam, scam and phishing attacks, online identity and malicious and infected URLs.
These are some really next generation technologies that are very well equipped against all manner of modern malware and threats. And they do this by using different layers of defense in order to detect possible viruses, which include everything from the tried and tested virus definitions and heuristics to newer technologies like sandbox detection, behavior detection, artificial intelligence, machine learning, and cloud based file detonation.
Though the approaches below are listed under individual headings, the distinctions between many of these are often blurred, as antivirus programs combine different techniques to actively protect against the different types of threats.
1. Virus Definitions
This is practically the first method traditional antivirus software employ to identify malware.
The programs rely upon signatures to detect new malware. Provided the company has already analyzed and extracted a proper signature of the file that is then kept in a database. Threats are compared to this database, and devices are then protected in case the signatures match.
But while this approach does prevent malware outbreaks, cybercriminals try to stay one step ahead by writing viruses that either encrypt themselves or modify their code in order to disguise and not match virus definitions.
2. Heuristics
While identifying a specific virus is well and good, most antivirus programs come with advanced heuristics that allows them to quickly detect a virus family, even by an inexact match to an existing signature.
This helps protect against viruses that start as a single infection, but grow into dozens or even hundreds of slightly different variants.
A heuristic detection allows a scanner to detect viruses even when they are padded with extra or meaningless code, using what are called wildcard characters.
Heuristics is vitally important for modern antivirus solutions, but it usually not too aggressive, so as not to flag legitimate software as malware.
3. Behavioral Blocking
Behavior detection is a signatureless approach to detection that helps the program build a full context around every process execution path in real time, and identify the stealthier, more advanced malware threats.
Suspicious behavior includes unpacking of malicious code, modifying the host files, or observing key strokes. Noticing actions like these allows an antivirus program to detect previously unseen malware on a system.
4. Sandbox Detection
This is a behavioral based detection technique that executes the programs in a virtual environment, as opposed to detecting its fingerprint at run time.
Antivirus software that come with this type of detection capabilities execute programs in a separate, virtual environment, and log the actions it performs to determine whether the programs are malicious or not. If found safe, a given program is then executed in the real environment.
As you can imagine, this technique is both heavy and slow, and its resource intensive nature means that it is rarely used in consumer antivirus solutions. End users may not always have the need for sandbox detection, but enterprises do, and antivirus solutions designed for corporate and network use offer this.
5. Data Mining
This is one of the latest approaches in malware detection that security vendors now provide with their antivirus and antimalware products.
A series of features of files are extracted from files, and then data mining and machine learning algorithms are used to classify the behavior of a file and detect whether it has malicious intent or not. This is particularly helpful in detecting and defeating the newest forms of malware in the wild.
Types of Scans
All these varying types of detection capabilities are fine, but another, equally important, measure of how successful an antivirus is in protecting a system is the types of scans it offers.
Originally, antivirus programs just offered a regular scanner that searched through the hard drive, looking for known viruses. But modern security solutions offer a whole range of scanning options. These include both conventional and behavior based scans.
1. On-Demand Scanning
A conventional scan is either run when the user requests it, or at a scheduled instance that the antivirus sets up. This type of scan searches the contents of the disks, directories and files, as well as boot sectors and system components. Conventional disk scans are used either as a preventive maintenance activity, or when a virus is suspected.
2. Real-Time Protection
Also known as memory-resident scanning or background guard.
This type of scanning refers to the automatic protection that almost all modern antivirus programs offer. It basically monitors the system for any suspicious activity in real time, while data is loaded into the active memory.
For example, when a USB drive is inserted, a browser is opened, or a downloaded file is executed.
The price of this type of scanning is performance, but it offers increased protection, and more chances of catching malware before it does damage.
3. Smart Scans
These refer to an approach where an antivirus only scans selected files, that are more suspicious to be altered or infected. Smart scanning lowers the need of system resources, while protecting against the more common types of viruses, threats and risks.
4. Startup Scanning
Antivirus software often come with a special program that is designed to run every time the PC is booted up. It does a quick scan of the boot sectors and critical system files, instead of a full disk scan that takes a long time to finish. This comes in particularly handy to catch boot sector viruses, before they get a chance to spread.
Detection Rate
And now, time for some bad news. Recent tests have shown that antivirus detection rates have dramatically dropped since the start of 2017.
This has got to do with the continually evolving threats, where cybercriminals and malware authors device stealthier techniques that help their malware go undetected.
And while this decline is a bit scary, detection rate is still a very important metric for antivirus and security software, as it assesses the ability of these programs to detect malicious files on a system.
Dedicated tests are run by independent organizations like AV-Comparatives and AV-Test to determine the file detection capabilities of the antivirus programs available on the market.
Typically, more than 100,000 samples are used for testing, and a detection rate is then determined, which is obviously different for different antivirus programs. In particular, antivirus companies that have more efficient heuristics and release more virus definitions than their competitors, usually see higher detection rates.
The detection rates fluctuate over time, with no best product constantly on top. Then again, this goes to show just how dynamic and constantly changing the computing security landscape is these days.