How Anti-Virus Software Works

Anti-virus software today is fairly sophisticated, but virus writers are often a step ahead of the software, and new viruses are constantly being released that current anti-virus software cannot recognize.

The key to anti-virus software is detection. Once an infected file has been detected, it can sometimes be repaired. If not, the file can at least be quarantined so that the viral code will not be executed.

The difficulty here is that generic virus detection is inadequate for current and new viruses, so anti-virus software must be constantly updated with new lists of viruses. Currently, when a new virus is discovered (unfortunately, only after it has executed), samples are sent to virus analysis centers. These centers analyze the virus and extract a unique string that will identify it. This and other information about the virus is added to a database that users can then download. Should generic virus detection ever become 100% effective, however, the other steps (removal/repair) would be greatly simplified.

Virus Detection Methods

There are four major methods of virus detection in use today: scanning, integrity checking, interception, and heuristic detection. Of these, scanning and interception are very common, with the other two only common in less widely-used anti-virus packages. Unfortunately, while scanning is very effective against known viruses, it is completely incapable of dealing with new viruses, forcing anti-virus analysis centers into a reactive stance.

Scanning
Definition: A scanner will search all files in memory, in the boot sector (the sector on disk that specifies where boot information is), and on disk for code snippets that will uniquely identify a file as a virus. Obviously, this requires a list of unique signatures that will be found in viruses and not in benign programs. To prevent false alarms, most scanners will also check the code of a suspected file against either the virus code itself or a checksum of it. (A checksum is a method frequently used to determine whether data has been changed, and involves summing all of the bits in a file.)

This is the most common method of virus detection available, and is implemented in all major anti-virus software packages. There are two types of scanning: on-access and on-demand. On-access scanning scans files when they are loaded into memory prior to execution. On-demand scanning scans all of main memory, the boot sector, and the disk as well, and is started by the user on request. On-access scanning has become more aggressive recently, with scans occurring even when files are merely selected, not loaded.

Advantages: Scanners can find viruses that haven't executed yet; this is critical for e-mail worms, which can spread themselves rapidly if not stopped. Also, false alarms have become extremely rare with the software available today. Finally, scanners are very good at detecting viruses they have the signatures for.
Disadvantages: There are two major disadvantages to scanning-based techniques. First, if the software is using a signature string to detect the virus, all a virus writer would have to do is modify the signature string to develop a new virus. This is seen in polymorphic viruses.

The second, and far greater, disadvantage is the limitation that a scanner can only scan for something it has the signature of. The Maltese Amoeba virus was a very destructive virus that activated on November 11, 1991, and was able to spread rapidly before its activation without being detected. According to the 1991 Virus Bulletin: "Prior to November 2nd, 1991, no commercial or shareware scanner (of which VB has copies) detected the Maltese Amoeba virus. Tests showed that not ONE of the major commercial scanners in use ... detected this virus." Although virus updates occur more frequently today because of the Internet, viruses still cannot be detected until one has executed.
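The signature-plus-checksum cross-check described above, as an added example written for this page (not code from the article or from any anti-virus product): a short byte string is the "unique string", and a CRC32 of the wider code body is the confirmation step that keeps a chance match on the short string from raising an alarm. The sample body, the family name and the choice of CRC32 are constructed assumptions.

```python
import zlib

# Constructed sample "viral" code body, used only to derive the demo
# signature below. It is an arbitrary byte string, not real malware.
SAMPLE_VIRUS_BODY = bytes.fromhex(
    "deadbeef0badf00dcafebabe1234567890abcdeffeedface0102030405060708"
)

# A signature pairs a short distinctive byte string (the "unique string" an
# analysis center extracts) with a checksum of the wider code block it came
# from, so a hit on the short string is cross-checked before an alarm is
# raised. The family name and all values here are constructed.
SIGNATURES = [
    {
        "name": "Demo.Sample.A",
        "pattern": SAMPLE_VIRUS_BODY[:11],
        "body_len": len(SAMPLE_VIRUS_BODY),
        "body_crc": zlib.crc32(SAMPLE_VIRUS_BODY),
    },
]


def scan(data: bytes) -> list:
    """Return (signature name, offset, confirmed) for every pattern hit.
    confirmed is True only when the CRC32 of the block starting at the hit
    equals the recorded checksum of the known viral body."""
    hits = []
    for sig in SIGNATURES:
        start = 0
        while (off := data.find(sig["pattern"], start)) != -1:
            block = data[off:off + sig["body_len"]]
            confirmed = (len(block) == sig["body_len"]
                         and zlib.crc32(block) == sig["body_crc"])
            hits.append((sig["name"], off, confirmed))
            start = off + 1
    return hits


def verdict(data: bytes) -> str:
    """Collapse scan() results into the decision a scanner would report:
    a checksum-confirmed hit is an infection, a bare pattern hit is only
    suspicious (possible false alarm), and no hit at all is clean, even
    when the file is an unknown variant whose bytes differ from the
    signature string (the limitation the text describes)."""
    hits = scan(data)
    if any(confirmed for _, _, confirmed in hits):
        return "infected"
    return "suspicious" if hits else "clean"
```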

Integrity Checking

Definition: An integrity checker records integrity information about important files on disk, usually by checksumming. Should a file change due to virus activity or corruption, the file will no longer match the recorded integrity information. The user is prompted, and can usually be given the option to restore the file to its pre-corrupted/infected state. This is an extensive process, and few virus checkers today utilize it. Norman Virus Control is one that does.

Advantages: Integrity checking is the only way to determine whether a virus has damaged a file, and it's fairly foolproof. Most integrity checkers today also have the benefit of detecting other damage to data, such as corruption, and can restore that as well.
Disadvantages: The major problem with integrity checking is that not enough companies offer comprehensive integrity checking software. Most anti-virus suites that do offer it don't protect enough files, and the files they do protect may not be the ones newer viruses damage. Simpler integrity checkers won't be able to differentiate between damage done via corruption and damage done via a virus, thus giving the user unclear information as to what's going on. Finally, this process is simply rather cumbersome: in today's computers, many important files are changed by as little as booting up and shutting down, so integrity checkers need to be coupled with scanners for maximum efficacy in detecting viruses.
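A minimal integrity checker of the kind described above, as an added example written for this page (not code from the article or from Norman Virus Control): it records a SHA-256 per file, keeps a pristine copy so a changed file can be restored, and reports changes without claiming to know whether they are viral, corruption or legitimate. The directory layout, the hash-named backup store and the status names are assumptions.

```python
import hashlib
import shutil
from pathlib import Path

def sha256_of(path: Path) -> str:
    """Hash a file in chunks so large files do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def build_baseline(root: Path, backup_dir: Path) -> dict:
    """Record a checksum for every file under root and keep a pristine copy
    (stored under its hash in backup_dir) so a changed file can be restored."""
    backup_dir.mkdir(parents=True, exist_ok=True)
    baseline = {}
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        digest = sha256_of(path)
        baseline[str(path.relative_to(root))] = digest
        if not (backup_dir / digest).exists():
            shutil.copy2(path, backup_dir / digest)
    return baseline

def check(root: Path, baseline: dict) -> dict:
    """Return {relpath: 'ok' | 'modified' | 'missing' | 'new'}.
    A checksum mismatch says only that the file changed; whether that was a
    virus, corruption or a legitimate update is not knowable from the hash."""
    report, seen = {}, set()
    for path in (p for p in root.rglob("*") if p.is_file()):
        rel = str(path.relative_to(root))
        seen.add(rel)
        if rel not in baseline:
            report[rel] = "new"
        else:
            report[rel] = "ok" if sha256_of(path) == baseline[rel] else "modified"
    for rel in baseline.keys() - seen:
        report[rel] = "missing"
    return report

def restore(root: Path, backup_dir: Path, baseline: dict, rel: str) -> bool:
    """Copy the recorded pristine version back; True once it verifies."""
    src = backup_dir / baseline[rel]
    if not src.exists():
        return False
    (root / rel).parent.mkdir(parents=True, exist_ok=True)
    shutil.copy2(src, root / rel)
    return sha256_of(root / rel) == baseline[rel]
```

Keep the backup store and the baseline on media the checked system cannot write to; otherwise whatever altered the files can alter the record of them too.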

Heuristic Virus Checking

Definition: This is a generic method of virus detection. Anti-virus software makers develop a set of rules to distinguish viruses from non-viruses. Should a program or code segment match these rules, it is marked as a virus and dealt with accordingly. This allows detection of any virus and, theoretically, should be sufficient to deal with any new virus attacks. F-Secure virus software uses this method in addition to scanning, although not very many software packages available today utilize heuristic virus checking.

Advantages: Generic virus protection would make all other virus scanners obsolete and would be sufficient to stop any virus. The user wouldn't need to download weekly virus updates anymore, because the software could detect all viruses.
Disadvantages: Although these would be huge benefits of heuristic virus checking, the technology today is not sufficient. Virus writers can easily write viruses that don't obey the rules, making the current set of virus detection rules obsolete. Changes to these rules must be downloaded, so these virus checkers must still be updated and won't stop many new viruses, which gives them similar characteristics to scanners. In addition, the potential for false alarms, and for failing to detect a known virus, is greater with heuristic checkers than with scanners.

Interception
Definition: Interception software detects virus-like behavior and warns the user about it. How is virus-like behavior detected? With heuristics again. Many viruses will perform some suspicious action, like relocating themselves in memory and installing themselves as resident programs. Many software packages have this as an option, although most people usually disable it.

Advantages: Interception is a good generic method to stop logic bombs and Trojan horses. Logic bombs will trigger a (usually destructive) sequence given an event, such as the system date reaching a certain date. When these are not detected by scanners, interception software will usually detect the destructive and unusual sequences of events caused by logic bombs and Trojan horses.
Disadvantages: Unfortunately, interceptors aren't very good at detecting anything else. Interceptors also have all the drawbacks of heuristic systems: difficulty differentiating virus from non-virus, and being easy to program around. Also, most interceptors are very easy to disable, and so many viruses disable them before launching. Due to the nature of an interceptor, this software is unable to detect viruses before they launch, by which point a lot of damage could already have been done. Lastly, interceptors are a nuisance and frequently prompt the user to allow or disallow activity during software installations and system upgrades, making those tasks very tedious. Combined with their limited usefulness, this is why most software packages disable or strongly limit interception by default.

Comments (4)

Kaspersky could create a sandbox to execute the suspicious file and evaluate the behavior before permitting execution on the system itself. All of this in a few milliseconds.
Rich Rumble, Security Samurai, Top Expert 2006

Most AVs run binaries in a sandbox now; even M$'s MSE does it. That is where most heuristics are taking place: the watching and waiting to see what happens in the sandbox. Good article for beginners though!
Arman Khodabande, Freelance Developer

It should be mentioned that the only companies benefiting from new viruses are antivirus companies.
They make viruses and release the update a few days after.
An AV company also has the trouble of adding other viruses from other companies to the database :D
Rich Rumble, Security Samurai, Top Expert 2006

They must have the people who do the alien cover-ups in charge of virus writing too; they are the only ones who can go this long without anyone finding out (for sure). I loved that rumor in the 90s too.
