How does an antivirus work?

Updated: 12/30/2019 by Computer Hope

When a computer virus infects a computer, it must make changes to files, critical areas like the registry, or sections of memory to spread or damage the computer. An antivirus program protects a computer by monitoring all file changes and the memory for specific virus activity patterns. When these known or suspicious patterns are detected, the antivirus warns the user about the action before it is performed. Below is a list of the different forms of virus detection an antivirus can use to protect your computer.

Heuristic-based detection

The most common form of detection is heuristic-based detection, which uses an algorithm to compare the signatures of known viruses against a potential threat. Heuristic-based detection can detect viruses that have not yet been discovered. It may also detect known viruses that were modified or disguised and released into the wild again.

Heuristic-based scanning is the best-known method for detecting new viruses. However, it can also generate false positive matches, which means an antivirus scanner may report a file as being infected that is not infected. These "false positives" are minimal, but not uncommon.

Signature-based or virus dictionary detection

Every antivirus scanner has a virus definition file, database, or dictionary containing thousands of known virus signatures. These signatures allow an antivirus program to identify past viruses that were analyzed by security professionals. Today, there are well over 100,000 different known virus signatures that can be used for comparison.

Signature-based detection is an excellent way to stop previously known viruses and is the best method of detection for avoiding false warnings. However, signature-based detection cannot detect new viruses until the definition file is updated with new virus information.
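
The dictionary lookup described above, as an added example that is not from the original page or from any antivirus product. The sample bytes, detection names, and the split into whole-file hashes and byte-pattern signatures are constructed assumptions used to show why a scanner misses a new or altered file until its definitions are updated.

```python
import hashlib

# Constructed, harmless byte strings standing in for file contents.
KNOWN = b"HDR" + b"DEMO-PAYLOAD-ALPHA" + b"\x00" * 8
MODIFIED = KNOWN + b"\x01"   # same body, one byte appended
NEW = b"HDR" + b"DEMO-PAYLOAD-BETA" + b"\x00" * 8
CLEAN = b"plain text document"
FILES = (KNOWN, MODIFIED, NEW, CLEAN)


class DefinitionFile:
    """Toy virus dictionary: whole-file hashes plus byte-pattern signatures."""

    def __init__(self):
        self.hashes = {}    # SHA-256 hex digest -> detection name
        self.patterns = {}  # byte sequence -> detection name

    def add_hash(self, name, sample):
        self.hashes[hashlib.sha256(sample).hexdigest()] = name

    def add_pattern(self, name, pattern):
        self.patterns[pattern] = name

    def scan(self, data):
        """Return the detection name, or None when no signature matches."""
        digest = hashlib.sha256(data).hexdigest()
        if digest in self.hashes:
            return self.hashes[digest]
        for pattern, name in self.patterns.items():
            if pattern in data:
                return name
        return None


def run_demo():
    """Scan the same four files as the definition file grows."""
    defs = DefinitionFile()
    defs.add_hash("Demo.Alpha", KNOWN)
    hash_only = [defs.scan(f) for f in FILES]
    # A pattern signature on the shared body also catches the modified copy.
    defs.add_pattern("Demo.Alpha.variant", b"DEMO-PAYLOAD-ALPHA")
    with_pattern = [defs.scan(f) for f in FILES]
    # The new sample is detected only after a definition update adds it.
    defs.add_pattern("Demo.Beta", b"DEMO-PAYLOAD-BETA")
    after_update = [defs.scan(f) for f in FILES]
    return hash_only, with_pattern, after_update


if __name__ == "__main__":
    for stage in run_demo():
        print(stage)
```

The clean file is never flagged at any stage, which matches the low false-warning rate the section attributes to signature matching.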

Behavior-based detection

If a virus has made it past the above detections, the antivirus analyzes the behavior of programs running on the computer. If a program begins to perform strange actions, the antivirus may trigger a warning. Below are examples of the types of actions and behaviors that may trigger a warning.

  • Changing settings of other programs.
  • Modifying or deleting multiple files.
  • Monitoring keystrokes.
  • Remotely connecting to computers.

Behavior-based detection is a useful method of finding viruses or other malware that attempt to steal or log information. However, many programs today need to report to an online server or log keystrokes to prevent online cheating, sometimes causing this type of detection to create false warnings.

Sandbox detection

If a program is suspicious, some antivirus programs can also use sandbox detection, which creates an emulated environment in which the program is run and its behavior analyzed. When executed in the emulated environment, if the program appears to perform destructive or abnormal behavior, the antivirus alerts the user before running it.

Cloud antivirus detection

Cloud antivirus detection uses a computer program that collects information, which is then uploaded and processed by a server in the cloud. By running all detection on the server, your computer is spared additional processing. Cloud antivirus requires an Internet connection.

Full system scan

Finally, a full system scan or individual file scan is a manual action taken by a user to scan all computer files. To run this type of scan, open the antivirus program and select the full system scan option, or right-click a file and select the option to have it scanned.

A full scan should not be necessary if an antivirus program is running on your computer and actively monitoring for changes. However, if your computer is acting suspiciously or a new antivirus scanner is installed, it is not a bad idea to run a full scan. Almost all files are looked at during a full system scan, so it may take a long time to complete.


If you have many files to scan, start the scan before you leave for work or go to bed.