How Antivirus Software Works

By Chris Hoffman on October 1st, 2012


Antivirus programs are powerful pieces of software that are essential on Windows computers. If you’ve ever wondered how antivirus programs detect viruses, what they’re doing on your computer, and whether you need to perform regular system scans yourself, read on.

An antivirus program is an essential part of a multi-layered security strategy – even if you’re a smart computer user, the constant stream of vulnerabilities for browsers, plug-ins, and the Windows operating system itself makes antivirus protection important.

On-Access Scanning

Antivirus software runs in the background on your computer, checking every file you open. This is generally known as on-access scanning, background scanning, resident scanning, real-time protection, or something else, depending on your antivirus program.

When you double-click an EXE file, it may seem like the program launches immediately – but it doesn’t. Your antivirus software checks the program first, comparing it to known viruses, worms, and other types of malware. Your antivirus software also does “heuristic” checking, checking programs for types of bad behavior that may indicate a new, unknown virus.

Antivirus programs also scan other types of files that can contain viruses. For example, a .zip archive file may contain compressed viruses, or a Word document can contain a malicious macro. Files are scanned whenever they’re used – for example, if you download an EXE file, it will be scanned immediately, before you even open it.

It’s possible to use an antivirus without on-access scanning, but this generally isn’t a good idea – viruses that exploit security holes in programs wouldn’t be caught by the scanner. After a virus has infected your system, it’s much harder to remove. (It’s also hard to be sure that the malware has ever been completely removed.)


Full System Scans

Because of the on-access scanning, it isn’t usually necessary to run full-system scans. If you download a virus to your computer, your antivirus program will notice immediately – you don’t have to manually initiate a scan first.

Full-system scans can be useful for some things, however. A full system scan is helpful when you’ve just installed an antivirus program – it ensures there are no viruses lying dormant on your computer. Most antivirus programs set up scheduled full system scans, often once a week. This ensures that the latest virus definition files are used to scan your system for dormant viruses.

These full disk scans can also be helpful when repairing a computer. If you want to repair an already-infected computer without doing a complete reinstall of Windows, it’s useful to insert its hard drive in another computer and perform a full-system scan from there. However, you don’t usually have to run full system scans yourself when an antivirus program is already protecting you – it’s always scanning in the background and doing its own, regular, full-system scans.


Virus Definitions

Your antivirus software relies on virus definitions to detect malware. That’s why it automatically downloads new, updated definition files – once a day or even more often. The definition files contain signatures for viruses and other malware that have been encountered in the wild. When an antivirus program scans a file and notices that the file matches a known piece of malware, the antivirus program stops the file from running, putting it into “quarantine.” Depending on your antivirus program’s settings, the antivirus program may automatically delete the file or you may be able to allow the file to run anyway, if you’re confident that it’s a false-positive.

Antivirus companies have to continually keep up-to-date with the latest pieces of malware, releasing definition updates that ensure the malware is caught by their programs. Antivirus labs use a variety of tools to disassemble viruses, run them in sandboxes, and release timely updates that ensure users are protected from the new piece of malware.


Heuristics

Antivirus programs also employ heuristics. Heuristics allow an antivirus program to identify new or modified types of malware, even without virus definition files. For example, if an antivirus program notices that a program running on your system is trying to open every EXE file on your system, infecting it by writing a copy of the original program into it, the antivirus program can detect this program as a new, unknown type of virus.

No antivirus program is perfect. Heuristics can’t be too aggressive or they’ll flag legitimate software as viruses.
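As an added example (not code from the original article or from any antivirus product), here is a small behavioural heuristic of the kind just described, run over constructed file-system events: it counts how many distinct .exe files, and how many different directories, each process opens for writing. The event format, process names and paths are assumptions; the second threshold shows how a stricter rule keeps a legitimate installer from being flagged as the file infector.

```python
from collections import defaultdict

# Constructed file-system events in a hypothetical monitor format:
# (process name, operation, path).  "photo.exe" behaves like the file
# infector described above; "setup.exe" is a legitimate installer
# writing its own executables into a single directory.
EVENTS = [
    ("photo.exe", "open_write", r"C:\Program Files\App\app.exe"),
    ("photo.exe", "open_write", r"C:\Program Files\App\updater.exe"),
    ("photo.exe", "open_write", r"C:\Windows\notepad.exe"),
    ("photo.exe", "open_write", r"C:\Users\Bob\game.exe"),
    ("photo.exe", "open_write", r"C:\Users\Bob\tool.exe"),
    ("setup.exe", "open_write", r"C:\Program Files\Vendor\vendor.exe"),
    ("setup.exe", "open_write", r"C:\Program Files\Vendor\helper.exe"),
    ("word.exe", "open_read", r"C:\Users\Bob\report.docx"),
]


def exe_write_profile(events):
    """Per process: (distinct .exe files written, distinct directories
    those files live in)."""
    written = defaultdict(set)
    for proc, op, path in events:
        if op == "open_write" and path.lower().endswith(".exe"):
            written[proc].add(path.lower())
    return {
        proc: (len(paths), len({p.rsplit("\\", 1)[0] for p in paths}))
        for proc, paths in written.items()
    }


def flag_suspicious(events, min_files, min_dirs=1):
    """Names of processes whose .exe writes reach both thresholds.

    A self-replicating infector writes into many executables spread over
    many directories; an installer writes a few into one directory, so
    raising min_dirs removes that false positive."""
    profile = exe_write_profile(events)
    return sorted(p for p, (files, dirs) in profile.items()
                  if files >= min_files and dirs >= min_dirs)


if __name__ == "__main__":
    print("loose rule :", flag_suspicious(EVENTS, min_files=2))
    print("strict rule:", flag_suspicious(EVENTS, min_files=2, min_dirs=2))
```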

False Positives

Because of the large amount of software out there, it’s possible that antivirus programs may occasionally say a file is a virus when it’s actually a completely safe file. This is known as a “false positive.” Occasionally, antivirus companies even make mistakes such as identifying Windows system files, popular third-party programs, or their own antivirus program files as viruses. These false positives can damage users’ systems – such mistakes generally end up in the news, as when Microsoft Security Essentials identified Google Chrome as a virus, AVG damaged 64-bit versions of Windows 7, or Sophos identified itself as malware.

Heuristics can also increase the rate of false positives. An antivirus may notice that a program is behaving similarly to a malicious program and identify it as a virus.

Despite this, false positives are fairly rare in normal use. If your antivirus says a file is malicious, you should generally believe it. If you’re not sure whether a file is actually a virus, you can try uploading it to VirusTotal (which is now owned by Google). VirusTotal scans the file with a variety of different antivirus products and tells you what each one says about it.

Detection Rates

Different antivirus programs have different detection rates, and both virus definitions and heuristics contribute to them. Some antivirus companies may have more effective heuristics and release more virus definitions than their competitors, resulting in a higher detection rate.

Some organizations do regular tests of antivirus programs in comparison to each other, comparing their detection rates in real-world use. AV-Comparatives regularly releases studies that compare the current state of antivirus detection rates. The detection rates tend to fluctuate over time – there’s no one best product that’s consistently on top. If you’re really looking to see just how effective an antivirus program is and which are the best out there, detection rate studies are the place to look.

[Figure: AV-Comparatives detection rates graph]

Testing an Antivirus Program

If you ever want to test whether an antivirus program is working properly, you can use the EICAR test file. The EICAR file is a standard way to test antivirus programs – it isn’t actually dangerous, but antivirus programs behave as if it’s dangerous, identifying it as a virus. This allows you to test antivirus program responses without using a live virus.
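To make the definition matching, quarantine decision and EICAR test concrete, here is a toy on-access scanner written for this page (not code from the original article or from any antivirus product); it serves both the Virus Definitions section and this one. Its only real definition is the standard 68-byte EICAR test string; the hash entry, file paths and allow-list are constructed placeholders, and it matches the pattern anywhere in the file rather than only at the start as real scanners do.

```python
import hashlib

# Constructed "definition file".  Each entry carries either the SHA-256 of a
# known sample or a byte pattern.  The EICAR string is the real, harmless
# test string; "Constructed.Sample" is a made-up entry, not a real indicator.
EICAR = b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"

DEFINITIONS = {
    "EICAR-Test-File": {"pattern": EICAR},
    "Constructed.Sample": {
        "sha256": hashlib.sha256(b"constructed malware sample v1").hexdigest()
    },
}


def scan(data):
    """Return the name of the first definition that matches, else None."""
    digest = hashlib.sha256(data).hexdigest()
    for name, sig in DEFINITIONS.items():
        if sig.get("sha256") == digest:
            return name
        if "pattern" in sig and sig["pattern"] in data:
            return name
    return None


def on_access(path, data, allow_list=frozenset()):
    """What an on-access scanner decides before a file is allowed to execute.

    Returns ("run", verdict) or ("quarantine", verdict).  A path on the
    allow_list models the user overriding a suspected false positive."""
    verdict = scan(data)
    if verdict is None or path in allow_list:
        return ("run", verdict)
    return ("quarantine", verdict)


if __name__ == "__main__":
    # A download that begins with the EICAR string is held back; a sample
    # changed by one byte slips past a hash-only definition, which is one
    # reason scanners also carry byte patterns and heuristics.
    print(on_access("C:/Downloads/eicar.com", EICAR + b"\r\n"))
    print(scan(b"constructed malware sample v1"))
    print(scan(b"constructed malware sample v2"))
```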

Antivirus programs are complicated pieces of software, and thick books could be written about this subject – but hopefully this article brought you up to speed with the basics.

Chris Hoffman is a technology writer and all-around computer geek. He's as at home using the Linux terminal as he is digging into the Windows registry. Connect with him on Google+.
