How does an antivirus work?

When a computer virus infects a computer, it must make changes to files on your computer, critical areas like the Registry, or sections of memory to spread or damage the computer. An antivirus program protects a computer by monitoring all file changes and the memory for specific virus activity patterns. When these known or suspicious patterns are detected, the antivirus warns the user about the action before it is performed. Below is a list of the different forms of virus detection an antivirus can use to protect your computer.
Heuristic-based detection

The most common form of detection is heuristic-based detection, which uses an algorithm to compare the signatures of known viruses against a potential threat.

Heuristic-based detection allows an antivirus to detect viruses that have not yet been discovered, or previous viruses that have been modified or disguised and released as a new virus. Heuristic-based scanning is the best-known method for detecting new viruses, but it can also generate false positive matches, which means an antivirus scanner may report a file as infected when it is not.
Signature-based or virus dictionary detection

Every antivirus scanner has a virus definition file, database, or dictionary that contains thousands of known virus signatures. These signatures allow an antivirus program to identify past viruses that have been analyzed by security professionals.

Today, there are well over 100,000 different known virus signatures that can be used for comparison. Signature-based detection is an excellent way to prevent past known viruses and is the best method of detection without creating a false warning. However, signature-based detection cannot detect new viruses until the definition file is updated with new virus information.
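To make the difference between the two sections above concrete, here is a toy scanner (an added example, not code from the original article or from any antivirus product) that first checks a constructed "definition file" of exact byte signatures and then falls back to a wildcard heuristic rule. The signature names, byte patterns and sample "files" are all constructed for illustration; the point is that the exact signature catches only the known sample, the heuristic also catches a modified variant, and the heuristic can misfire on a harmless file with the same byte layout.

```python
"""Toy signature vs. heuristic scanner. All patterns and samples are constructed."""
from typing import Optional

# Constructed "definition file": exact byte signatures of known samples.
# A real definition file holds well over 100,000 such entries.
SIGNATURES = {
    "Sample.A": b"\x90\x90\xe8\x00\x00\x00\x00\x5b\x81\xeb",
}

# Constructed heuristic rule: the same layout, but the four bytes after 0xE8
# are wildcards (None), so a variant that only changed those bytes still matches.
HEURISTIC_NAME = "Sample.gen"
HEURISTIC_PATTERN = [0x90, 0x90, 0xE8, None, None, None, None, 0x5B, 0x81, 0xEB]

# Constructed sample files.
KNOWN_SAMPLE = b"MZ" + SIGNATURES["Sample.A"] + b"\x00" * 8        # exact known virus
VARIANT_SAMPLE = b"MZ\x90\x90\xe8\x10\x00\x00\x00\x5b\x81\xeb" + b"\x00" * 8  # modified variant
BENIGN_LOOKALIKE = b"RIFF\x90\x90\xe8ABCD\x5b\x81\xeb"             # harmless, same layout
CLEAN_SAMPLE = b"Hello, world!"


def signature_match(data: bytes) -> Optional[str]:
    """Return the name of the first exact signature found in data, else None."""
    for name, sig in SIGNATURES.items():
        if sig in data:
            return name
    return None


def heuristic_match(data: bytes) -> Optional[str]:
    """Return the heuristic rule name if the wildcard pattern occurs in data, else None."""
    n = len(HEURISTIC_PATTERN)
    for i in range(len(data) - n + 1):
        if all(p is None or data[i + k] == p for k, p in enumerate(HEURISTIC_PATTERN)):
            return HEURISTIC_NAME
    return None


def scan(data: bytes) -> str:
    """Signature check first (no false warnings), then the heuristic (may misfire)."""
    hit = signature_match(data)
    if hit:
        return f"infected ({hit}, signature)"
    hit = heuristic_match(data)
    if hit:
        return f"suspicious ({hit}, heuristic)"
    return "clean"
```

Running `scan` over the four samples shows the known sample flagged by signature, the variant flagged only by the heuristic, the benign look-alike flagged as a false positive, and the clean file passing.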
Behavior-based detection

If a virus has made it past the above detections, the antivirus analyzes the behavior of programs running on the computer. If a program begins to perform strange actions, the antivirus may trigger a warning.

Some of the strange actions, or behaviors, the antivirus watches for are listed below.

  • Changing settings of other programs
  • Modifying or deleting dozens of files
  • Monitoring keystrokes
  • Remotely connecting to computers

Behavior-based detection is a useful method of finding viruses or other malware that attempt to steal or log information. However, many programs today need to report to an online server or log keystrokes to prevent online cheating, sometimes causing this type of detection to create false warnings.

Sandbox detection

If a program is suspicious, some antivirus programs can also use sandbox detection, which creates an emulated environment in which the program is run and its behavior analyzed. If, when executed in the emulated environment, the program appears to perform destructive or abnormal behavior, the antivirus alerts the user before running it on the computer.
Cloud antivirus detection

Cloud antivirus detection is a type of antivirus protection that uses a small client on the computer that collects information and processes all of the forms of virus detection mentioned above in the cloud. By running all detection in the cloud, the computer requires little processing compared to a full antivirus program running on the computer, but it always needs an Internet connection.

