Computer Help Blog

A blog on computer issues and help topics…

How Antivirus Software Detects Viruses: Signature Based Detection


A number of detection techniques are used in antivirus software to detect viruses and other malicious programs. Signature based detection is the most widely used method. This method is fast and effective in detecting many viruses. However, it is not very effective against newer and emerging threats.

When antivirus software scans a file, it compares the file's content with a database of virus signatures. If a virus signature is found, it means that the file is infected. The antivirus software then performs operations on the file to remove the threat. Usually the file is deleted or quarantined. Quarantining makes the file inaccessible to other applications by encrypting it.

Antivirus software can also repair infected files. Some viruses inject malicious code into normal, useful files. Such a file can be repaired by removing the malicious code that has been injected into it. If the entire file is infected, it cannot be effectively repaired and has to be deleted. Many virus programs corrupt the files that they infect. For this reason, infected files cannot be repaired in a large number of cases.

Deleting the infected files is very effective in removing virus programs. Some antivirus programs delete infected files securely, which means the file cannot be recovered. Secure deletion involves overwriting the infected file to prevent it from being recovered.

Newer and more potent virus programs emerge every day. For this reason, antivirus programs need to be updated regularly to provide complete protection. The companies that develop antivirus software are on the lookout for new viruses; they add the new signatures to the database and make them available as update files. Users can also submit suspected files for analysis. Many antivirus programs offer real-time protection. This means the software continuously monitors files and emails when they are accessed. If these files are infected, the software stops them from being executed. Antivirus scans can also be scheduled at regular intervals to detect viruses.

Signature based scanning is not so effective against viruses that disguise themselves. These viruses, called "polymorphic" viruses, modify the file signatures by encryption when they infect files. Thus files infected with these viruses do not match the virus signatures in the database and cannot be easily detected. They can only be detected by employing other detection techniques like heuristic scanning.
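The following sketch is an added example, not code from any antivirus product. It shows the database lookup described earlier and why an encrypted copy of the same code no longer matches. The signature names, the byte pattern and the sample files are all constructed and harmless, and single-byte XOR is an assumption that stands in for the encryption a polymorphic virus applies.

```python
import hashlib

# Constructed, harmless byte pattern standing in for a real virus signature.
DEMO_PATTERN = b"\xde\xad\xbe\xefDEMO-SIGNATURE\x90\x90"

# Signature database: byte patterns (matched anywhere in a file) and
# SHA-256 digests of whole files already known to be malicious.
PATTERN_SIGNATURES = {"Demo.Injected.A": DEMO_PATTERN}
HASH_SIGNATURES = {
    hashlib.sha256(b"constructed standalone sample").hexdigest(): "Demo.Standalone.B",
}


def scan(data: bytes) -> list[str]:
    """Return the names of all signatures that match the given file content."""
    hits = []
    digest = hashlib.sha256(data).hexdigest()
    if digest in HASH_SIGNATURES:
        hits.append(HASH_SIGNATURES[digest])
    for name, pattern in PATTERN_SIGNATURES.items():
        if pattern in data:
            hits.append(name)
    return hits


def xor_encode(data: bytes, key: int) -> bytes:
    """Single-byte XOR, a stand-in for per-infection encryption (assumption)."""
    return bytes(b ^ key for b in data)


# Constructed sample files.
clean_file = b"MZ" + b"ordinary program bytes " * 4
infected_file = clean_file + DEMO_PATTERN           # pattern injected into a normal file
standalone_file = b"constructed standalone sample"  # the whole file is the known sample
# The same injected body, stored under a different key in each copy.
variant_1 = clean_file + xor_encode(DEMO_PATTERN, 0x5A)
variant_2 = clean_file + xor_encode(DEMO_PATTERN, 0xC3)

if __name__ == "__main__":
    samples = [("clean", clean_file), ("infected", infected_file),
               ("standalone", standalone_file),
               ("variant_1", variant_1), ("variant_2", variant_2)]
    for label, content in samples:
        print(f"{label:11} -> {scan(content) or 'no match'}")
```

Both variants carry the same body once decoded, yet neither matches the database, which is the gap that techniques like heuristic scanning are meant to cover.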

A new technique that is gaining popularity is "whitelisting". Instead of scanning for malicious code, this method allows only trustworthy files to be executed. This method completely eliminates the need for signature based protection. However, it also has one major drawback: useful files not on the whitelist cannot be accessed. To use these files, they have to be added to the whitelist manually.

Most antivirus software available these days employs a combination of techniques for effective protection. It also comes with other protective measures, like a firewall, for added protection.

Written by Admin

June 27th, 2009 at 5:24 pm

Posted in Antivirus Software
