How Antivirus Software Detects Computer Viruses

August 4, 2016

Computer viruses are almost as old as computers, and certainly as old as personal computers. Why a person would decide to write such a malicious piece of code is a matter for another debate, an ethical or legal one perhaps; here we are concerned with antivirus programs and how they are able to detect and neutralize a virus.

We are still in the early days of computer technology, and one consequence is that the security side of it leaves much to be desired. When it comes to viruses and other malware, the people who compromise our security are usually one step ahead of those who provide it.


At present, no algorithm can be built that detects every virus. That being said, a multi-tiered, multi-faceted approach can give any computer system a rather respectable level of protection.

The Purpose Of Antivirus Software

A computer virus is a piece of code that is able to copy itself, much like a “natural” virus replicates and spreads, infecting and corrupting files, directories and entire systems. Antivirus programs were created as a response to this intrusion. Today they don’t just work against viruses; they also fight other kinds of malware, such as worms, Trojan horses, adware, spyware and others. There are many different antivirus products on the market, but pretty much all of them use one or more of the identification methods listed below.

Signature-Based Detection

Signature-based detection is the most common and the most widely used method of virus identification. It works from a database of virus signatures: byte sequences found in known viruses and not in normal programs. The method is very reliable for viruses that have already been identified and placed in the database, but it is basically worthless against brand new viruses that have just been created.

The main issue with this type of detection is that it is purely reactive. Only after a piece of code has been observed in the wild, and often only after it has already wreaked havoc, can it be identified as a virus and a signature written for it.

Additionally, people who create viruses often bypass this method by mutating their viruses so that their nature stays the same but their signature changes. Because of this, signature-based detection is still an important part of antivirus programs, but it is no longer as important as it once was and is progressively being replaced or complemented by other identification methods.

Heuristics-Based Detection

Heuristics-based detection works similarly to signature-based detection; in fact, the two share the basic principle of searching for signatures. The difference is that while signature-based methods look for a specific signature, heuristics-based methods look for a generic one. This works because when a virus mutates and slightly changes itself, its signature changes but does not change completely: it remains similar, producing families of viruses that share a generic signature.

Antivirus programs based on heuristics look for files with suspicious traits that do not necessarily match any specific signature, or emulate running a suspicious file to see how it will behave. Basically, instead of looking for specific pieces of code that can be directly compared to already known malicious code, heuristics looks for hints that a piece of code might be malicious.

For example, if a piece of code appears to be written to perform an action usually associated with viruses, such as replicating itself or hiding its existence, chances are that we are dealing with malicious code. Heuristics can also involve comparing the code of a suspicious program with the code of already familiar viruses; if a certain percentage of it matches previously identified viruses, the new code is flagged as potentially malicious.

Heuristics-based detection is very effective, but it has one significant downside: it sometimes flags normal, healthy files as malicious (false positives).
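To make the difference between the two methods concrete, here is an added example (not code from the original article or from any antivirus product) covering both the signature-based section above and the heuristics section. It uses three constructed byte strings standing in for a known sample, a mutated variant of it and a benign program; the signatures, the generic pattern and the 80% similarity threshold are all assumptions made for the illustration, not real vendor data.

```python
"""Exact (signature) matching versus generic (heuristic) matching.

The samples and signatures below are constructed for illustration; they are
not real malware and not real antivirus signatures.
"""
import re
from difflib import SequenceMatcher

# Constructed "files": a known sample, a mutated variant of it, and a benign program.
KNOWN_SAMPLE = b"HDR0INIT;READ-SELF;COPY-SELF-TO-STARTUP;HIDE-WINDOW;SLEEP;EXIT"
VARIANT      = b"HDR0INIT;READ-SELF;COPY-SELF-TO-AUTORUN;HIDE-WINDOW;SLEEP;EXIT"
BENIGN       = b"HDR0INIT;LOAD-CONFIG;OPEN-DOCUMENT;RENDER;SAVE;EXIT"

# Signature database: exact byte strings taken from known samples.
EXACT_SIGNATURES = {
    "Example.A": b"COPY-SELF-TO-STARTUP",
}

# Generic signature: the part of the family that stays stable, with a
# wildcard where variants are known to differ.
GENERIC_SIGNATURES = {
    "Example.gen": re.compile(rb"COPY-SELF-TO-[A-Z]{5,8}"),
}

# Known samples for the "percentage of matching code" heuristic (assumed threshold).
KNOWN_SAMPLES = {"Example.A": KNOWN_SAMPLE}
SIMILARITY_THRESHOLD = 0.8


def scan_exact(data: bytes) -> list:
    """Signature-based detection: flag only on a byte-for-byte match."""
    return [name for name, sig in EXACT_SIGNATURES.items() if sig in data]


def scan_generic(data: bytes) -> list:
    """Heuristic generic signature: match the family pattern, not one variant."""
    return [name for name, pat in GENERIC_SIGNATURES.items() if pat.search(data)]


def similarity(data: bytes) -> tuple:
    """Heuristic similarity: best ratio of matching bytes against known samples."""
    best_name, best_ratio = None, 0.0
    for name, sample in KNOWN_SAMPLES.items():
        ratio = SequenceMatcher(None, sample, data).ratio()
        if ratio > best_ratio:
            best_name, best_ratio = name, ratio
    return best_name, best_ratio


def classify(data: bytes) -> dict:
    """Combine the checks into one verdict, recording which method fired."""
    exact = scan_exact(data)
    generic = scan_generic(data)
    name, ratio = similarity(data)
    similar = ratio >= SIMILARITY_THRESHOLD
    return {
        "exact": exact,
        "generic": generic,
        "similar_to": name if similar else None,
        "ratio": round(ratio, 2),
        "malicious": bool(exact or generic or similar),
    }


if __name__ == "__main__":
    for label, blob in (("known", KNOWN_SAMPLE), ("variant", VARIANT), ("benign", BENIGN)):
        print(label, classify(blob))
```

Running it shows the point of the two sections: the exact signature catches only the original sample, while the generic pattern and the similarity ratio both catch the variant, and the benign file passes all three checks. The similarity threshold is where the false-positive trade-off lives; lowering it catches more variants but starts to match unrelated programs.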

Behavioral-Based Detection

Behavioral detection, as its name suggests, observes how a piece of software actually behaves when it is executed. If the antivirus software notices any of the red-flag behaviors usually associated with viruses, it raises an alarm. These red-flag behaviors include replication, masking of the code, communication with remote servers, and so on.

The problem with this method is that it can label code as malicious simply because its behavior resembles that of malicious software. An example would be instant messaging clients, which often have to communicate with remote servers that seemingly have nothing to do with the end user. Since this is the type of behavior usually associated with malware, a perfectly ordinary piece of software can easily end up labeled as malicious.

Thanks to advances in behavioral detection and the proliferation of whitelists, however, modern antivirus solutions are quite good at keeping such false positives to a minimum.
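The following is an added example, not the article's own code and not any product's engine, of the behavioral approach just described: it runs the three red-flag rules named above over a constructed process event log and applies a whitelist so that a known-good program showing one of those behaviors (the instant messaging client case) does not trigger an alarm. The log format, the process names, the "local network" ranges and the whitelist are all assumptions for the illustration.

```python
"""Behavior-based detection over a constructed process event log, with a
whitelist that suppresses alarms for known-good programs."""
import ipaddress
import re
from collections import defaultdict

# Constructed sample events (not a real agent's log format). Each line is a
# set of key=value fields describing one action taken by a process.
EVENT_LOG = r"""
ts=1 proc=dropper.exe image=C:\Temp\dropper.exe action=file_copy src=C:\Temp\dropper.exe dst=C:\Users\u\AppData\Roaming\svc.exe
ts=2 proc=dropper.exe image=C:\Temp\dropper.exe action=set_attribute target=C:\Users\u\AppData\Roaming\svc.exe attr=hidden
ts=3 proc=dropper.exe image=C:\Temp\dropper.exe action=net_connect dst=203.0.113.5:443
ts=4 proc=imclient.exe image=C:\Apps\IM\imclient.exe action=net_connect dst=198.51.100.20:5222
ts=5 proc=notepad.exe image=C:\Windows\notepad.exe action=file_write dst=C:\Users\u\notes.txt
ts=6 proc=notepad.exe image=C:\Windows\notepad.exe action=net_connect dst=192.168.1.10:445
"""

# Networks treated as "local" for the remote-server rule (assumed site layout).
LOCAL_NETWORKS = [ipaddress.ip_network(n) for n in ("127.0.0.0/8", "10.0.0.0/8", "192.168.0.0/16")]

# Known-good programs that legitimately show a red-flag behavior (the IM client
# from the text). Real products key whitelists on file hashes or signers, not names.
WHITELIST = {"imclient.exe"}

FIELD = re.compile(r"(\w+)=(\S+)")


def parse_events(log: str) -> list:
    """Turn each log line into a dict of its key=value fields."""
    return [dict(FIELD.findall(line)) for line in log.strip().splitlines()]


def is_remote(endpoint: str) -> bool:
    """True when the destination host lies outside the local networks."""
    host = endpoint.rsplit(":", 1)[0]
    ip = ipaddress.ip_address(host)
    return not any(ip in net for net in LOCAL_NETWORKS)


def red_flags(event: dict) -> set:
    """Map one event to the red-flag behaviors it exhibits."""
    flags = set()
    action = event.get("action")
    if action == "file_copy" and event.get("src") == event.get("image"):
        flags.add("replication")      # the process copies its own executable
    if action == "set_attribute" and event.get("attr") == "hidden":
        flags.add("masking")          # it hides a file from the user
    if action == "net_connect" and is_remote(event["dst"]):
        flags.add("remote_comm")      # it talks to a server outside the LAN
    return flags


def analyze(log: str) -> dict:
    """Collect the distinct red flags per process; any flag raises an alarm
    unless the program is whitelisted."""
    seen = defaultdict(set)
    for ev in parse_events(log):
        seen[ev["proc"]] |= red_flags(ev)
    verdicts = {}
    for proc, flags in seen.items():
        verdicts[proc] = {
            "flags": sorted(flags),
            "whitelisted": proc in WHITELIST,
            "alarm": bool(flags) and proc not in WHITELIST,
        }
    return verdicts


if __name__ == "__main__":
    for proc, verdict in analyze(EVENT_LOG).items():
        print(proc, verdict)
```

In the output, dropper.exe shows all three behaviors and is alarmed on; imclient.exe shows only the remote connection, which would have been a false positive but is suppressed by the whitelist; notepad.exe writes a document and talks to a local host, which matches no rule at all.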

Cloud-Based Detection

Instead of doing the analysis locally, cloud-based detection collects data from protected computers and examines it on the provider’s infrastructure. A program that uses cloud-based detection gathers specific details about a suspicious file and sends them to the cloud engine, which processes the information. Very little processing is done by the local antivirus agent itself.

The cloud engine compares the data from your computer with data collected from many other systems and can therefore reach more reliable conclusions, whereas the other methods base their decisions on behaviors and traits observed on your computer alone.
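As an added example (not the article's code and not any provider's actual service or wire format), the exchange below shows both sides of cloud-based detection: a local agent that sends only a small report about a file, and a cloud engine that correlates reports from many endpoints before returning a verdict. The file contents, the JSON report layout, the prevalence thresholds and the "known bad" hash list are constructed for the illustration.

```python
"""A simplified cloud-based detection exchange: small reports from agents,
verdicts based on what many endpoints have reported about the same hash."""
import hashlib
import json
from collections import defaultdict

# Constructed file contents standing in for programs seen on endpoints.
EDITOR = b"HDR0INIT;LOAD-CONFIG;OPEN-DOCUMENT;RENDER;SAVE;EXIT"
NEW_TOOL = b"HDR0INIT;READ-SELF;PACK;COPY-SELF-TO-AUTORUN;SLEEP;EXIT"
KNOWN_BAD = b"HDR0INIT;READ-SELF;COPY-SELF-TO-STARTUP;HIDE-WINDOW;SLEEP;EXIT"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def agent_report(endpoint_id: str, name: str, content: bytes, local_flags: list) -> str:
    """Local agent side: hash and summarize the file. This JSON is all that
    leaves the host; the file itself is not uploaded."""
    return json.dumps({
        "endpoint": endpoint_id,
        "name": name,
        "sha256": sha256_hex(content),
        "size": len(content),
        "local_flags": local_flags,   # whatever local heuristics noticed, if anything
    })


class CloudEngine:
    """Cloud side: keeps every report per hash and judges on the aggregate."""

    COMMON_PREVALENCE = 50   # assumed: this many endpoints makes a file "widespread"
    RARE_PREVALENCE = 5      # assumed: at most this many makes it "rare"

    def __init__(self, known_bad_hashes):
        self.known_bad = set(known_bad_hashes)
        self.reports = defaultdict(dict)   # sha256 -> {endpoint: local_flags}

    def submit(self, report_json: str) -> dict:
        r = json.loads(report_json)
        self.reports[r["sha256"]][r["endpoint"]] = r["local_flags"]
        return self.verdict(r["sha256"])

    def verdict(self, sha256: str) -> dict:
        seen = self.reports[sha256]
        prevalence = len(seen)                              # distinct endpoints
        flagged = sum(1 for flags in seen.values() if flags)  # endpoints that flagged it
        if sha256 in self.known_bad:
            label = "malicious"
        elif prevalence >= self.COMMON_PREVALENCE and flagged == 0:
            label = "benign"        # widespread and never flagged anywhere
        elif prevalence <= self.RARE_PREVALENCE and flagged:
            label = "suspicious"    # rare and flagged by at least one host
        else:
            label = "unknown"       # not enough evidence either way
        return {"label": label, "prevalence": prevalence, "flagged_endpoints": flagged}


def demo() -> dict:
    """Replay a small fleet against one engine and return the final verdicts."""
    engine = CloudEngine(known_bad_hashes={sha256_hex(KNOWN_BAD)})
    results = {}
    # 60 endpoints all see the same editor binary and nothing suspicious about it.
    for i in range(60):
        results["editor"] = engine.submit(agent_report(f"host-{i}", "editor.bin", EDITOR, []))
    # One endpoint sees a brand-new tool that its local heuristics flagged.
    results["new_tool"] = engine.submit(agent_report("host-7", "tool.bin", NEW_TOOL, ["replication"]))
    # Another endpoint sees a hash the cloud already knows to be bad.
    results["known_bad"] = engine.submit(agent_report("host-8", "svc.exe", KNOWN_BAD, []))
    return results


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(name, verdict)
```

The point the section makes is visible in the first case: no single endpoint could call the editor binary benign on its own, but the engine can, because it has seen the same hash on 60 machines with nothing flagged on any of them. Conversely, the new tool is judged suspicious partly because almost nobody else has it, a signal the local agent alone never has.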

These are the most commonly used virus identification methods, but bear in mind that most antivirus products use two or more of them at the same time, since no single method can ward off all viruses.

One thing is for sure, though. Even with all the weaknesses of the various detection methods, antivirus software still manages to find the majority of malicious code and protect our systems against such attacks.