
How-To Geek

HTG Explains: How Antivirus Software Works


Antivirus programs are powerful pieces of software that are essential on Windows computers. If you’ve ever wondered how antivirus programs detect viruses, what they’re doing on your computer, and whether you need to perform regular system scans yourself, read on.

An antivirus program is an essential part of a multi-layered security strategy – even if you’re a smart computer user, the constant stream of vulnerabilities for browsers, plug-ins, and the Windows operating system itself make antivirus protection important.

On-Access Scanning

Antivirus software runs in the background on your computer, checking every file you open. This is generally known as on-access scanning, background scanning, resident scanning or real-time protection; the exact name depends on your antivirus program.

When you double-click an EXE file, it may seem like the program launches immediately – but it doesn’t. Your antivirus software checks the program first, comparing it against the signatures of known viruses, worms, and other types of malware. Your antivirus software also does “heuristic” checking, looking for the kinds of suspicious code or behaviour that may indicate a new, unknown virus.

Antivirus programs also scan other types of files that can contain viruses. For example, a .zip archive may contain compressed malware, and a Word document can contain a malicious macro. Files are scanned whenever they’re used – for example, when you download an EXE file, it is scanned as soon as it is written to disk, before you even open it.

It’s possible to use an antivirus without on-access scanning, but this generally isn’t a good idea – malware delivered through a security hole in your browser or a plug-in would run before any manual scan could catch it. Once malware has infected your system, it’s much harder to remove, and it’s hard to be sure that it has ever been completely removed.


Full System Scans

Because of on-access scanning, it usually isn’t necessary to run full-system scans yourself. If you download a virus to your computer, your antivirus program checks the file as soon as it arrives – you don’t have to initiate a scan manually first.

Full-system scans can be useful for some things, however. A full system scan is helpful when you’ve just installed an antivirus program – it checks for malware that was already on the computer before the on-access scanner was in place. Most antivirus programs also set up scheduled full system scans, often once a week. This re-checks the files already on your disk with the latest virus definitions, catching anything that arrived before a definition existed for it.

These full disk scans can also be helpful when repairing a computer. If you want to clean an already-infected computer (rather than doing a complete reinstall of Windows), attaching its hard drive to a clean computer and running a full scan from there is useful, because the malware isn’t running while it’s being scanned. However, you don’t usually have to run full system scans yourself when an antivirus program is already protecting you – it’s always scanning in the background and doing its own regular full-system scans.


Virus Definitions

Your antivirus software relies on virus definitions to detect malware. That’s why it automatically downloads new, updated definition files – once a day or even more often. The definition files contain signatures – typically file hashes and distinctive byte patterns – for viruses and other malware that have been encountered in the wild. When an antivirus program scans a file and finds that it matches a known piece of malware, the antivirus program stops the file from running and moves it into “quarantine.” Depending on your antivirus program’s settings, it may automatically delete the file, or you may be able to restore it and allow it to run anyway if you’re confident that it’s a false positive.

Antivirus companies have to continually keep up-to-date with the latest pieces of malware, releasing definition updates that ensure the malware is caught by their programs. Antivirus labs use a variety of tools to disassemble viruses, run them in sandboxes, and release timely updates that ensure users are protected from the new piece of malware.
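To make the definitions-and-quarantine flow concrete, here is a toy scanner written for this article as an added example; it is not code from any antivirus product and nothing in it is taken from the page above. It loads two constructed kinds of signature (a whole-file SHA-256 and a distinctive byte pattern), walks a directory tree the way a full scan does, recurses into .zip archives (including an archive nested inside another, the case the on-access section mentions), and moves each detected file into a quarantine directory. The sample files, the signature names and the hash and pattern signatures are all constructed for the demonstration.

```python
"""Toy definitions-driven scanner: hash and byte-pattern signatures, archive
recursion and quarantine. Added example, not a real AV engine; every sample
and signature below is constructed for the demonstration."""
import hashlib
import io
import os
import shutil
import tempfile
import zipfile

# Stand-in for a definition file (a real one is far larger and updated daily).
HASH_SIGNATURES = {
    # exact whole-file match: sha256 of the constructed sample written below
    hashlib.sha256(b"CONSTRUCTED-SAMPLE-WORM-BODY-0001").hexdigest(): "Worm.Example.A",
}
PATTERN_SIGNATURES = [
    # distinctive byte sequence shared by a (constructed) family of droppers
    (b"\x4d\x5a" + b"DROP-AND-EXEC-LOADER", "Trojan.Example.B"),
]
MAX_ARCHIVE_DEPTH = 3  # never recurse forever into nested archives


def match_bytes(data):
    """Return the name of the first signature this blob matches, or None."""
    sig = HASH_SIGNATURES.get(hashlib.sha256(data).hexdigest())
    if sig:
        return sig
    for pattern, sig in PATTERN_SIGNATURES:
        if pattern in data:
            return sig
    return None


def scan_bytes(data, label, depth=0):
    """Scan one blob and, if it is a zip archive, every member inside it.
    Returns a list of (label, signature_name) hits."""
    hits = []
    sig = match_bytes(data)
    if sig:
        hits.append((label, sig))
    if depth < MAX_ARCHIVE_DEPTH and zipfile.is_zipfile(io.BytesIO(data)):
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                if not info.is_dir():
                    member = zf.read(info)  # a real engine also caps member size
                    hits.extend(scan_bytes(member, f"{label}!{info.filename}", depth + 1))
    return hits


def quarantine(path, quarantine_dir):
    """Move a detected file aside under a name nothing will double-click."""
    os.makedirs(quarantine_dir, exist_ok=True)
    dest = os.path.join(quarantine_dir, os.path.basename(path) + ".quarantined")
    shutil.move(path, dest)
    return dest


def scan_tree(root, quarantine_dir):
    """Walk a directory like a full-system scan and quarantine every hit.
    Returns {relative_path: {"hits": [...], "quarantined_to": path}}."""
    report = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if os.path.join(dirpath, d) != quarantine_dir]
        for fn in filenames:
            path = os.path.join(dirpath, fn)
            rel = os.path.relpath(path, root)
            with open(path, "rb") as fh:
                hits = scan_bytes(fh.read(), rel)
            if hits:
                report[rel] = {"hits": hits, "quarantined_to": quarantine(path, quarantine_dir)}
    return report


def build_demo_tree():
    """Constructed sample tree: a clean text file, a known-hash sample, and a
    pattern-matching sample two archives deep (deflated, so the pattern is not
    visible in the outer zip's raw bytes)."""
    root = tempfile.mkdtemp(prefix="av-demo-")
    with open(os.path.join(root, "readme.txt"), "wb") as fh:
        fh.write(b"just a text file")
    with open(os.path.join(root, "setup.exe"), "wb") as fh:
        fh.write(b"CONSTRUCTED-SAMPLE-WORM-BODY-0001")
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w", compression=zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("loader.exe", b"\x4d\x5aDROP-AND-EXEC-LOADER\x00\x00")
    with zipfile.ZipFile(os.path.join(root, "invoice.zip"), "w",
                         compression=zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("attachments.zip", inner.getvalue())
    return root


def run_demo():
    """Build the tree, scan it into a separate quarantine dir, return the report."""
    return scan_tree(build_demo_tree(), tempfile.mkdtemp(prefix="av-quarantine-"))


if __name__ == "__main__":
    for rel, entry in run_demo().items():
        print(f"{rel}: {entry['hits']} -> {entry['quarantined_to']}")
```

The clean text file is left alone, the hash signature catches the first sample, and the pattern signature only fires once the scanner has unpacked both archive layers; a scanner that only looked at the raw bytes of invoice.zip would miss it, which is why real engines unpack archives and cap how deep they go.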


Heuristics

Antivirus programs also employ heuristics. Heuristics allow an antivirus program to identify new or modified types of malware even when no definition exists for them yet. For example, if an antivirus program notices that a program running on your system is trying to open every EXE file on your system and write a copy of itself into each one, the antivirus program can flag it as a new, unknown type of virus.

No antivirus program is perfect. Heuristics can’t be too aggressive or they’ll flag legitimate software as viruses.

False Positives

Because of the large amount of software out there, it’s possible that antivirus programs may occasionally say a file is a virus when it’s actually a completely safe file. This is known as a “false positive.” Occasionally, antivirus companies even make mistakes such as identifying Windows system files, popular third-party programs, or their own antivirus program files as viruses. These false positives can damage users’ systems – such mistakes generally end up in the news, as when Microsoft Security Essentials identified Google Chrome as a virus, AVG damaged 64-bit versions of Windows 7, or Sophos identified itself as malware.

Heuristics can also increase the rate of false positives. An antivirus may notice that a program is behaving similarly to a malicious program and identify it as a virus.

Despite this, false positives are fairly rare in normal use. If your antivirus says a file is malicious, you should generally believe it. If you’re not sure whether a file is actually a virus, you can try uploading it to VirusTotal (which is now owned by Google). VirusTotal scans the file with a variety of different antivirus products and tells you what each one says about it.

Detection Rates

Different antivirus programs have different detection rates, which depend on both their virus definitions and their heuristics. Some antivirus companies may have more effective heuristics and release more virus definitions than their competitors, resulting in a higher detection rate.

Some organizations regularly test antivirus programs against each other, comparing their detection rates in real-world use. AV-Comparatives regularly releases studies that compare the current state of antivirus detection rates. The detection rates tend to fluctuate over time – there’s no one best product that’s consistently on top. If you’re really looking to see just how effective an antivirus program is and which are the best out there, detection rate studies are the place to look; check the false-positive results those reports publish alongside the detection rates, since a product that flags everything would score well on detection alone.
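The trade-off described in the Heuristics, False Positives and Detection Rates sections can be shown with a toy heuristic and a small labelled corpus. This is an added example for this article, not any vendor’s engine or AV-Comparatives’ methodology; the two traits it scores (byte entropy near 8 bits/byte as a sign of a packed or encrypted body, and strings naming APIs a file infector or persistence routine would use), the weights, the thresholds and the six constructed samples are all assumptions. Lowering the threshold raises the detection rate and, just as the text warns, flags a legitimate installer carrying compressed resources and a backup tool that enumerates *.exe files; a fully packed sample with no readable strings is missed by the heuristic at the balanced threshold, which is where definitions come in.

```python
"""Toy static heuristic plus a detection-rate / false-positive measurement.
Added example, not any vendor's engine. The traits, weights, thresholds and
corpus below are constructed assumptions for the demonstration."""
import math
import random

# Two cheap static traits (assumed for this example):
#  - entropy near 8 bits/byte: the body looks packed or encrypted
#  - strings naming APIs a file infector or persistence routine would use
SUSPICIOUS_STRINGS = [b"FindFirstFileA", b"*.exe", b"WriteProcessMemory",
                      b"CurrentVersion\\Run"]
ENTROPY_LIMIT = 7.2  # bits per byte; plain code and text sit far below this


def shannon_entropy(data):
    """Entropy in bits per byte of the empirical byte distribution (0..8)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def heuristic_score(data):
    """Score a file body; higher is more malware-like. Returns (score, reasons)."""
    score, reasons = 0, []
    ent = shannon_entropy(data)
    if ent > ENTROPY_LIMIT:
        score += 2
        reasons.append(f"high entropy ({ent:.2f} bits/byte)")
    for s in SUSPICIOUS_STRINGS:
        if s in data:
            score += 1
            reasons.append(f"suspicious string {s!r}")
    return score, reasons


def evaluate(corpus, threshold):
    """Flag everything scoring >= threshold and return the two numbers a
    comparative test reports. corpus: list of (bytes, is_malicious)."""
    tp = fp = fn = tn = 0
    for data, malicious in corpus:
        flagged = heuristic_score(data)[0] >= threshold
        if malicious and flagged:
            tp += 1
        elif malicious:
            fn += 1
        elif flagged:
            fp += 1
        else:
            tn += 1
    return {"detection_rate": tp / (tp + fn), "false_positive_rate": fp / (fp + tn)}


def build_corpus():
    """Constructed corpus: three clean bodies and three malicious ones."""
    rng = random.Random(2012)  # seeded so the corpus is reproducible

    def blob(n):  # stands in for packed or encrypted data
        return bytes(rng.randrange(256) for _ in range(n))

    clean = [
        b"usage: frobnicate [options] FILE\n" * 40,                 # plain program text
        blob(3000),                                                 # legit installer: compressed resources
        b"backup tool: scans for *.exe with FindFirstFileA" + b"\x00" * 300,  # benign enumeration
    ]
    malicious = [
        b"MZ" + b"FindFirstFileA *.exe WriteProcessMemory CurrentVersion\\Run" + blob(60),  # infector
        blob(2000) + b"CurrentVersion\\Run",                        # packed payload plus persistence
        blob(4096),                                                 # fully packed, no readable strings
    ]
    return [(d, False) for d in clean] + [(d, True) for d in malicious]


if __name__ == "__main__":
    corpus = build_corpus()
    for threshold in (2, 3, 4):
        print(threshold, evaluate(corpus, threshold))
```

At threshold 3 the heuristic detects two of the three malicious samples with no false positives; at threshold 2 it detects all three but also flags two of the three clean files. That is the tuning decision every vendor makes, and it is why the detection-rate and false-positive columns in a comparative test have to be read together.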

[Figure: AV-Comparatives detection rates graph]

Testing an Antivirus Program

If you ever want to test whether an antivirus program is working properly, you can use the EICAR test file. The EICAR file is a standard way to test antivirus programs – it’s a harmless 68-byte text file, but antivirus vendors have agreed to detect it as if it were a virus. This lets you test how an antivirus program responds without using a live sample.
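The following added example writes the EICAR test file, once bare and once inside a .zip (to check that the scanner looks inside archives, as discussed above), and reports whether each copy survives; it also checks a file against EICAR’s published rules (the 68-byte string, optionally followed by whitespace, up to 128 bytes in total). The test string, its SHA-256 and those rules are EICAR’s; the rest is this example’s own code and is not part of the original article.

```python
"""Write the EICAR test file (bare and zipped) and validate EICAR files.
Added example; the test string, its hash and the length rules are EICAR's
published standard, everything else here is this example's own code."""
import hashlib
import os
import tempfile
import zipfile

# The standard 68-byte test string, kept in two literals so the bare string is
# not sitting in this source file in one piece (some on-access scanners would
# otherwise quarantine the script itself).
EICAR = b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$" + b"EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"
EICAR_SHA256 = "275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f"
TRAILING = b" \t\r\n\x1a"  # whitespace EICAR allows after the string (incl. CTRL-Z)
MAX_LEN = 128             # EICAR: total file length must not exceed 128 bytes


def is_eicar(data):
    """True if data is a valid EICAR test file under the published rules."""
    if len(data) > MAX_LEN or not data.startswith(EICAR):
        return False
    return all(b in TRAILING for b in data[len(EICAR):])


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def write_test_files(directory=None):
    """Drop eicar.com (bare) and eicar.zip (archived) and return both paths."""
    directory = directory or tempfile.mkdtemp(prefix="eicar-")
    plain = os.path.join(directory, "eicar.com")
    with open(plain, "wb") as fh:
        fh.write(EICAR)
    archived = os.path.join(directory, "eicar.zip")
    with zipfile.ZipFile(archived, "w", compression=zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("eicar.com", EICAR)
    return plain, archived


def probe_scanner(directory=None):
    """Write the files, then report what happened to each. A working on-access
    scanner removes or quarantines them at once; a file that is still present
    and unchanged means nothing reacted, and a manual scan of the directory
    (which should then catch it) is the next thing to try."""
    report = {}
    for path in write_test_files(directory):
        name = os.path.basename(path)
        if not os.path.exists(path):
            report[name] = "removed: on-access scanner reacted"
        elif name == "eicar.com" and sha256_hex(open(path, "rb").read()) != EICAR_SHA256:
            report[name] = "present but altered: scanner disinfected or truncated it"
        else:
            report[name] = "present and unchanged: no reaction"
    return report


if __name__ == "__main__":
    for name, outcome in probe_scanner().items():
        print(f"{name}: {outcome}")
```

If eicar.com disappears but eicar.zip stays, the scanner is working on plain files but is not configured to look inside archives, which is worth knowing before you trust it with e-mail attachments.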



Antivirus programs are complicated pieces of software, and thick books could be written about this subject – but hopefully this article brought you up to speed with the basics.

Chris Hoffman is a technology writer and all-around computer geek. He's as at home using the Linux terminal as he is digging into the Windows registry. Connect with him on Google+.

  • Published 10/1/12

Comments (29)

  1. toucan

    When I had Norton (the PC came with a free trial!) I would never see any virus warnings. Until about a week before the licence ran out, and then it would ‘find’ about 5 a day! (It was just trying to prove its worth by scaring the user into thinking that it was needed.)

  2. Jim

    Chris,
    Thanks for another great article!

  3. dabull

    Isn’t there a difference between virus and malware? I noticed the article mentions both these types of files as if they were the same…

    I’m just mentioning this because I had a discussion with my co-worker about this very topic last week. Anti-virus programs seem to only look for virus-defined files. Malware always seems to slip through for some reason… I usually have to use a malware detector to get rid of malware, while my anti-virus program does nothing but take up I/O from the hard drive. If anyone can clarify this, it would be greatly appreciated.

  4. r

    At work I manage domain workstations using Kaspersky Enterprise; it has its issues but seems to do an overall good job when managed correctly. Personally, I have most success using Avast Internet Security. Even with any type of AV it’s always good to have a working knowledge of reading Win processes, start-up programs, and common places where viruses plant themselves and infect systems.

  5. Kit Lueder

    “A full system scan is helpful when you’ve just installed an antivirus program – it ensures there are no viruses lying dormant on your computer. ”
    What? You think scanners are 100%? Dream on. No, the full-system scan is essential because there is a delay between when a virus appears and when the signature-files are updated, so the full-system scan detects new infections once the new viruses are defined, after-the-fact on an ongoing basis.

  6. spike

    @dabull: Malware is “mal” (bad, malicious) software. Viruses are malware, worms are malware, trojan horses are malware, etc.

  7. T. Childs

    Thanks Geeks. The How Anti-virus Programs Operate piece was great, very informative as usual. You always do a good job!
    Terry

  8. rhabdomantist

    Nice to see MSE being used as an example. Unfortunately the AV-Comparatives graph doesn’t include it.

  9. KB Prez

    Great article Chris! Thank you!

  10. Richard Post

    I am under the impression that the windows operating system,
    when it added in its windows ‘defender’ stuff,
    said it fought ‘malware’, because it would put antivirus companies out of business,
    if it admitted that the windows operating system was also checking for viruses.

  11. boopar

    MSE is indeed putting all anti virus companies out of business if original windows SW is installed!

  12. dabull

    @spike

    Thanks for the breakdown. I was just under the impression that malware and viruses are considered different types. Notably, malware when broken down is malicious software, meaning almost anything can be malicious software when created for malicious purposes, i.e. virus, worm, etc.

    But most basic certificate training courses distinctly separate malware from viruses (I could be wrong). Also, anti-virus suites tend to skip over software labeled “malware”. For example, we run Kaspersky Enterprise at my job, but sometimes users catch trojans and “malware” from sites they visit. Kaspersky is usually (I’d say 90% of the time) bypassed. I usually have to install Malwarebytes to get rid of those pests.

    In Kaspersky’s defense, it does pick up malware when I run full scans from safe mode. I’ve just noticed it’s not as active in defense against malware as another program like Malwarebytes or Spybot…

  13. Scott

    I have used AVG Free for many years and never had any viruses. True, I do use OpenDNS on my home network to protect against malware, but my parents had an email they received blocked by AVG Free, so I was impressed.
    Great article, I just wonder if the AVG rank on that graph is for the paid or free one.

  14. Dave

    Having been around awhile, viruses were originally bits of code that self-propagated and did things like display a message, reformat your hard drive, or some other such bit of mischief. Hackers liked to create these exploits as proof of their skills, or just for a laugh.

    Malware came later, and was first termed “spyware”. It hid on your computer and spied on what you were doing, sending information back to the mothership. Over time the main intent of such code became capturing your banking information, credit card numbers, logins, etc, or turning your PC into a “zombie” which could be used as a spambot, to run denial-of-service attacks, etc. Therefore it was rechristened “malware”.

    At this point in time, the lines have blurred between the two, and “malware” (malicious software) works well as a catch-all term for both.

  15. Keith

    Over at http://www.eicar.org/85-0-Download.html

    they use words like this

    quarantaine

    and this

    ARCHIVEe

    Sometimes, I get really irritated and I wish these people would get their English straight and do some proofreading. The question comes up: If they **ck up their grammar and spelling, what *else* do they get wrong?

  16. Ed Armitage

    We use Kaspersky Enterprise and, coupled with their reporting, we find it to be a great tool. If we find a virus, or one is reported through their reporting tools, we then run a full scan with Kaspersky, Malwarebytes and Microsoft Security Essentials. We also run a full scan with Kaspersky once a week. We realize that no one piece of software can find all viruses, but we have had quite a bit of success using the methodology described.

  17. Randall

    The information provided seems to be fine as far as it goes but, as someone else mentioned, it would have been nice to mention if the AV chart was comparing free or fee programs. I guess I could access the AV site mentioned but it would have been nice to mention it in this article. Also, the article makes no mention of whether installing more than one program on a computer at a time is useful. If one is good, are two or more better? As I read many of your articles, I often find myself perturbed that a bit more information is not provided. I know you cannot hit everything but answering as many questions as possible would seem preferable to leaving many (some) of us hanging. I admit I am not as computer savvy as many of the folks in the comments section. I learn as much from them, many times, as I do from your article. Thanks for the info! It is useful and appreciated.

  18. gc

    Yes, a good (basic) article. Like the writer mentioned, there’s a lot more to be learned, and a lot of it’s online. It’s been said there is no one greatest AV. On this I agree, as I go back to the earliest days of ZoneAlarm vs Norton vs McAfee. In my experience, Norton (Symantec) was the most advanced, but the downside was the amount of resources it devoured, until it eventually became a problem for me, rather than a solution. It virtually took over my machine, embedding itself in what seemed like almost all the operating system file folders, and was almost impossible to uninstall completely. (They even have their own downloadable Norton-remover tool, which still failed to remove everything Norton, as some application folder files are still listed, as well as common files.)

    I also noticed that graph doesn’t show Vipre? It’s one of the newest generation of AV products.
    I use it because it rarely freezes my PC, even when it’s updating. After a year of using it, I’d say the jury is still out on its effectiveness at detecting and blocking viruses, as I’ve had two incidents this year. Virus removal is time-consuming, and for the uninitiated, it could become very expensive as well.
    The most reliable help I found as far as paid services was Microsoft… they stayed with me till it was fixed, and left a trouble ticket open for a week for follow-up issues. I learned a lot after that, and the next time it happened, I fixed it all by myself, yaay!! Final note: I’ve read that there is a new malware practice out there in cyberspace, one which AV software cannot help with. (Unfortunately I found out first-hand: it’s downloaded without your knowledge, a malicious script written on viewed webpages, and ends up right in your start folder, your registry, and your system32 files. You will need a root-kit remover to get rid of it, so consider yourself warned, and be very careful where you surf.)

  19. KMFDMKid2000

    Excellent read. Very well written. This is why I love HTG.

    I may have already known the information, but it’s still worth reading as a skill review and knowledge confirmation. Plus I can point those less in the know to the article so they can learn.

  20. Judy Drysdale

    Very informative – thank you. I have Comodo Anti Virus installed – I don’t see it on the graph – is it no good? Does anybody else know?

  21. garry

    Great reading and comments. I use AVG and have had no problem; a few months ago a magazine that I subscribe to (PC AND TECH AUTHORITY) did a test and report on all anti-virus paid and free systems, and from the data analysed AVG came out just as good as any other. Just remember that not all anti-virus systems work the same. (LOVE THE HOW-TO GEEK ARTICLES.) No, I’m not a geek, just an average guy trying to understand how to operate and enjoy my computer and search the web.

  22. Rhoni

    Your article said it cannot detect an antivirus program on my computer. I paid 60.00 to have McAfee; they do regular scans. I have a one-year subscription to them. Does this mean I am not protected against viruses? I know I have pop-ups that I have blocked against and receive regularly.

  23. geekhillbilly

    I use Comodo Internet Security x64 on my Windows 7 machines because Microsoft Security Essentials was completely ineffective in preventing a drive-by trojan. AVG has proved to be worse than useless and the rest of the free ones only partially effective. I like the sandbox feature on Comodo, as it isolates any spurious infections. With a combo of firewall, antivirus and anti-malware, I haven’t found anything more effective on an x64 machine.

    My main machine runs Linux Mint, so I’m good there.

  24. stan

    Great work there, really got informed with that piece.
    tnx.

  25. qwertyyy

    I am a real fan of MSE now, I used to have Norman… 3-4 years ago…

  26. Rick Hake

    How about an article on what’s being done to catch the perps writing virus & malware programs, and neuter them with a butter knife in public? Don’t tell me it cannot be done or that it’s too hard to identify them. I have 23 years in law enforcement and security, and a few years as a newspaper editor. My background tells me to look for motive. The motive has to be money. There can’t be that many sick demented nerds out there who would spend the time required to do the damage with no real gratification in return. The ones making big money from anti-viral programs have a perfect motive.
    Could it be nobody is looking? With the technology we have today we should be making inroads in slowing the development and proliferation of viruses and malware. The anti-virus companies are not doing much more than lip service towards catching these idiots. Of course, we would be asking them to risk cutting into their bottom line. If they were interested they would post a tempting amount of money as a reward for the capture and conviction of these maggots. If an anti-viral company ever does make an honest attempt to bring these creeps to justice, I will purchase that one.
    If we can track down and catch terrorists, we should be able to do this. The science of back-tracking data packets needs to have a lot more effort applied to it.

  27. >:)

    lol I use Windows XP >:( I need Windows Vista

  28. Reginal

    Can you run Windows Security Essentials and another anti-virus at the same time? I was told you should not run more than one at the same time. And how does it affect your computer?

  29. Reginal

    By the way ,I find Avast to be pretty darn good.
