Saturday, 1 September 2012

How Antivirus Software Detects Viruses and Other Malware

Earlier we discussed what viruses and worms are. Most users have some antivirus software installed on their systems to protect them from such malware.
But have you ever wondered how this software tells a harmless file from a harmful one? In this post we'll take a look at how an antivirus decides which file is infected.
There are two main approaches that antivirus software uses to detect malware today:


  • Virus Signature Approach:
    In this approach the antivirus scans the file and compares it against a dictionary of known virus signatures. If any part of the code matches a signature, the user is alerted and asked to choose an action.
    The problem with this method is that when a new virus is created (many are created every day), its signature is not yet in the dictionary, so the antivirus may pass the file as safe. The antivirus must therefore be updated regularly to include definitions for new viruses.
  • Suspicious Behaviour Approach:
    In this approach, instead of checking the file's signature, the antivirus looks for suspicious behaviour that may be dangerous. For example, a program written to format a hard disk may be deemed dangerous, so any program that shows such behaviour is flagged as a 'virus'.
    This approach also has its share of cons. Imagine a new application written to format a system on demand. According to the antivirus this is a dangerous activity, so it will be flagged as a virus in spite of not being one. This method therefore generates a lot of false alarms.

Modern Antivirus Programs:

Most modern antivirus programs use a combination of these approaches to detect both known and new viruses.
But these approaches alone are not sufficient, as there are methods to encrypt a virus's signature that make it undetectable (UD). So apart from using an antivirus program, the user should still take precautions such as not clicking on malicious links and not running programs from unknown sources to keep their system safe.
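To make the two approaches and their combination concrete, here is a toy scanner added to this post (it is not code from any real antivirus product). The signature dictionary, risk weights and sample files are all constructed for the illustration: one sample carries a known signature, a variant with one changed byte slips past the signature check but is caught by its behaviour, and a legitimate disk utility produces the false alarm described above.

```python
# Toy illustration of signature-based and behaviour-based detection.
# All signatures, risk weights and samples below are constructed for this
# example; they are not real malware signatures or real antivirus logic.

# Dictionary approach: known byte patterns mapped to a detection name.
SIGNATURES = {
    "Demo.Trojan.A": bytes.fromhex("deadbeef1337c0de"),
    "Demo.Worm.B": b"INFECT_NEXT_HOST",
}

# Behaviour approach: each observed action carries a constructed risk weight.
RISK_WEIGHTS = {
    "format_disk": 5,
    "modify_boot_sector": 5,
    "disable_antivirus": 4,
    "write_system_file": 2,
    "open_network_socket": 1,
}
ALERT_THRESHOLD = 5


def signature_scan(data: bytes) -> list[str]:
    """Report every known signature that appears anywhere in the file bytes."""
    return [name for name, pattern in SIGNATURES.items() if pattern in data]


def behaviour_scan(actions: list[str]) -> tuple[int, list[str]]:
    """Score the actions a program performs, without looking at its bytes."""
    flagged = [a for a in actions if a in RISK_WEIGHTS]
    return sum(RISK_WEIGHTS[a] for a in flagged), flagged


def classify(data: bytes, actions: list[str]) -> str:
    """Combine both approaches: a signature hit is definitive, behaviour is a heuristic."""
    hits = signature_scan(data)
    if hits:
        return "infected: " + ", ".join(hits)
    score, flagged = behaviour_scan(actions)
    if score >= ALERT_THRESHOLD:
        return "suspicious: " + ", ".join(flagged)
    return "clean"


# Constructed samples: (file bytes, actions observed when the program runs).
KNOWN_SAMPLE = (b"MZ..." + SIGNATURES["Demo.Trojan.A"] + b"...", ["write_system_file"])
VARIANT_SAMPLE = (b"MZ..." + bytes.fromhex("deadbeef1337c0df") + b"...",  # last byte differs
                  ["write_system_file", "disable_antivirus"])
DISK_TOOL = (b"MZ...diskutil...", ["format_disk"])  # legitimate tool, false alarm
BENIGN = (b"MZ...notepad...", ["open_network_socket"])

if __name__ == "__main__":
    for label, (data, actions) in [("known", KNOWN_SAMPLE), ("variant", VARIANT_SAMPLE),
                                   ("disktool", DISK_TOOL), ("benign", BENIGN)]:
        print(f"{label:8} -> {classify(data, actions)}")
```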

Thanks for reading. I hope this article covered the basics of the antivirus detection process well. You can add your views in the comments and let me know if you feel I missed something.


TechRaaz Copyright © 2012 | Template created by O Pregador