How does an antivirus work?

Updated: 11/13/2018 by Computer Hope

When a computer virus infects a computer, it must make changes to files on your computer, to critical areas like the Registry, or to sections of memory in order to spread or damage the computer. An antivirus program protects a computer by monitoring all file changes and the memory for specific virus activity patterns. When a known or suspicious pattern is detected, the antivirus warns the user about the action before it is performed. Below is a list of the different forms of virus detection an antivirus can use to protect your computer.

Heuristic-based detection

The most common form of detection is heuristic-based detection, which uses an algorithm to compare the signatures of known viruses against a potential threat. Heuristic-based detection can detect viruses that have not yet been discovered. It may also detect known viruses that have been modified or disguised and released into the wild again.

Heuristic-based scanning is the best-known method for detecting new viruses. However, it can also generate false positive matches, which means an antivirus scanner may report a file as infected when it is not. These false positives are rare, but not unheard of.

Signature-based or virus dictionary detection

Every antivirus scanner has a virus definition file, database, or dictionary that contains thousands of known virus signatures. These signatures allow an antivirus program to identify past viruses that have been analyzed by security professionals. Today, there are well over 100,000 different known virus signatures that can be used for comparison.

Signature-based detection is an excellent way to prevent past known viruses and is the detection method least likely to create a false warning. However, signature-based detection cannot detect new viruses until the definition file is updated with the new virus information.
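The following is an added illustration (not Computer Hope's code) of the difference between the signature dictionary described here and the heuristic matching described above: an exact hash or fixed byte string only catches the sample it was written for, while a wildcard pattern for the same family also catches a variant with one byte changed. All "files" are constructed byte strings, not real malware, and the rule names are made up.

```python
import hashlib
import re

# Constructed sample "files" (byte strings). None of this is real malware.
KNOWN_SAMPLE = (b"MZ\x90\x00" + b"payload:\xde\xad\xbe\xef"
                + b"\x00" * 8 + b"copy-self-to-startup")
# Same "virus" with a single byte modified (\xef -> \xee), as in a re-released variant.
MODIFIED_SAMPLE = (b"MZ\x90\x00" + b"payload:\xde\xad\xbe\xee"
                   + b"\x00" * 8 + b"copy-self-to-startup")
CLEAN_FILE = b"MZ\x90\x00" + b"hello world, this is a normal program"

# Virus dictionary: one exact SHA-256 entry and one fixed byte-string entry.
SIGNATURE_DB = {
    "sample-A (sha256)": ("sha256", hashlib.sha256(KNOWN_SAMPLE).hexdigest()),
    "sample-A (bytes)": ("bytes", b"payload:\xde\xad\xbe\xef"),
}

# Heuristic rule: the varying byte is a wildcard, so the whole family matches.
HEURISTIC_RULES = {
    "sample-A family (wildcard)": re.compile(
        rb"payload:\xde\xad\xbe.\x00{8}copy-self-to-startup", re.DOTALL),
}


def signature_scan(data: bytes) -> list[str]:
    """Return the names of dictionary entries that match exactly."""
    hits = []
    digest = hashlib.sha256(data).hexdigest()
    for name, (kind, value) in SIGNATURE_DB.items():
        if kind == "sha256" and digest == value:
            hits.append(name)
        elif kind == "bytes" and value in data:
            hits.append(name)
    return hits


def heuristic_scan(data: bytes) -> list[str]:
    """Return the names of wildcard rules whose pattern occurs in the data."""
    return [name for name, pat in HEURISTIC_RULES.items() if pat.search(data)]


def scan(data: bytes) -> dict[str, list[str]]:
    """Run both detection forms and report the hits for each."""
    return {"signature": signature_scan(data), "heuristic": heuristic_scan(data)}


if __name__ == "__main__":
    for label, sample in [("known", KNOWN_SAMPLE), ("modified", MODIFIED_SAMPLE),
                          ("clean", CLEAN_FILE)]:
        print(label, scan(sample))
```

The modified sample is missed by both dictionary entries until the definition file gains a new entry, which is the limitation the paragraph above describes; the wildcard rule catches it at the cost of a wider net and therefore a higher false-positive risk.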

Behavior-based detection

If a virus has made it past the above detections, the antivirus analyzes the behavior of programs running on the computer. If a program begins to perform strange actions, the antivirus may trigger a warning. Some of the strange actions, or behaviors, the antivirus watches for are listed below.

  • Changing settings of other programs.
  • Modifying or deleting dozens of files.
  • Monitoring keystrokes.
  • Remotely connecting to computers.

Behavior-based detection is a useful method of finding viruses or other malware that attempt to steal or log information. However, many programs today need to report to an online server or log keystrokes to prevent online cheating, sometimes causing this type of detection to create false warnings.

Sandbox detection

If a program is suspicious, some antivirus programs can also use sandbox detection, which creates an emulated environment in which the program is run and its behavior analyzed. If the program performs destructive or abnormal actions when executed in the emulated environment, the antivirus alerts the user before running it on the real computer.

Cloud antivirus detection

Cloud antivirus detection uses a client on the computer that collects information, which is then uploaded to, and processed by, a server in the cloud. By running all detection on the server, your computer is spared additional processing. Cloud antivirus requires an Internet connection.

Full system scan

Finally, a full system scan or individual file scan is a manual action that can be taken by a user to scan all of the files on their computer. To run this type of scan, you must open the antivirus program and select the option to do a full system scan or right-click a file you want to scan and choose the option to scan the file.

A full scan should not be necessary if an antivirus program is running on your computer and monitoring for changes. However, if your computer is acting suspiciously or a new antivirus scanner has been installed, it is not a bad idea to run a full scan. Keep in mind that because almost all files are examined during a full system scan, these scans can take anywhere from 20 minutes to several hours to complete.