Understanding How Anti-Virus Software Works

A computer virus is a self-replicating program which installs itself on your computer without your consent. It does so by inserting itself into other programs, data files, or the boot sector of your hard drive. Once this happens, the affected areas are said to be ‘infected’.

The vast majority of viruses perform some sort of harmful activity on their hosts. A virus may access your confidential information (such as your banking details), corrupt data or steal hard disk space or processing power, log your key-strokes and spam your contacts. If you are extra lucky, however, it might only display humorous, scatological or political messages on your screen.

Anti-virus software is used to detect and remove computer viruses. It consists of two basic types: signature scanners and heuristic detectors. Signature scanning is used to identify known threats, while heuristics are used to find unknown viruses.

Infected files

In the old days… less than a decade ago… most viruses were contained in executable (or program) files, ie files with extensions such as .exe or .com, so anti-virus software only had to check these kinds of files. Nowadays anti-virus software has to check a greater variety of files, including Microsoft Word documents and other non-executable (and seemingly harmless) files.

In MS Word, a macro is a set of instructions you record and associate with a shortcut or name. You can use a macro, for example, to save the text of a legal disclaimer. You can then add the text to any document you are writing (without having to retype the disclaimer) by just pressing the particular shortcut key combination or clicking the macro name.

Despite the time they can save, macros present a risk. Rogue programmers can use them to hide viruses within documents which they send as email attachments to unsuspecting victims. Once they open the attachments, the victim’s computer is infected.

Nasty little programs can also be embedded in other non-executable files, so that opening these files can result in infections.

Some email programs, such as MS Outlook Express and Outlook in particular, are vulnerable to viruses embedded in the body of an email. You can infect your computer just by opening or previewing a message.

Identifying viruses

There are several methods which antivirus software can use to identify files containing viruses: signature scanning, heuristic detection, and file emulation.

Signature scanners

Signature-based detection is the most common method of identifying viruses. It involves searching the contents of a computer’s boot record, programs, and macros for known patterns of code that match known viruses. Because viruses can embed themselves anywhere in existing files, the files have to be searched in their entirety.

The creators of the anti-virus software maintain the characteristics of known viruses in tables called dictionaries of virus signatures. Because thousands of new viruses are being created every day, the tables of virus signatures have to be updated regularly if the anti-virus software is to be effective when it checks files against these lists.

To avoid detection, rogue programmers can create viruses that encrypt parts of themselves or that modify themselves so that they do not match the virus signatures in the dictionary.

In practice, the signature-based approach has proved very effective against most viruses. However it cannot be used to find unknown viruses, or viruses that have been modified. To counter these threats, heuristics need to be used.

Heuristic detectors

Heuristic-based detection involves trial-and-error guided by past experience. Heuristic detectors will, for example, look for sections of code that are characteristic of viruses, such as being programmed to launch on a particular date.

The use of generic signatures is a type of heuristic approach that can identify variants of known viruses by looking for slight variations of known malicious code in files. This makes it possible to detect known viruses that have been modified.

File emulation

File emulation is another heuristic approach. It involves running a file in a sandbox, an isolated part of a computer in which untrusted programs can be run safely, to see what it does.

The actions the program performs are logged and if any of these are deemed to be malicious, the anti-virus software can carry out appropriate actions to disinfect the computer.

Memory-resident anti-virus software

Memory-resident anti-virus software installs programs in RAM that continue to operate in the background while other applications are running.

A computer’s hard disk is where computer programs and files are stored, while RAM (random access memory) is the memory that programs use when they are running. When starting, a program is first loaded into RAM. Once programs have finished running they exit RAM. In addition, RAM is volatile, ie when the power is turned off everything in RAM is wiped out. By contrast, the programs and files on your hard disk remain when your computer is powered off.

Memory-resident anti-virus programs monitor a computer’s operations for any action associated with viruses, such as downloading files, running programs directly from an internet site, copying or unzipping files, or attempting to modify program code. It will also be on the look out for programs that try to remain in memory after they’ve been executed.

When they detect suspicious activity, memory-resident programs halt operations, display a warning message, and wait for the user’s OK before allowing operations to resume.


Despite its undoubted benefits, antivirus software has a few drawbacks. Because it uses computer resources, it may slow your computer down a bit, though this is not usually very significant.

No anti-virus software can provide full protection against all viruses, known and unknown. Once installed, however, it can lull you into a false sense of security. You may also find it difficult to comprehend the prompts and decisions the software throws up on your screen now and then. An incorrect decision may result in an infection.

Most anti-virus software uses heuristic detection. This must be fine-tuned in order to minimise false positives, ie the misidentification of non-malicious files as a viruses.

False positives can cause serious problems. If an antivirus program is configured to immediately delete or quarantine infected files, a false positive on an essential file can render the operating system or some applications unusable. This has happened several times in recent years, even with major anti-virus service providers such as Symantec, Norton AntiVirus, McAfee, AVG and Microsoft.

Anti-virus software can also pose its own threat, because it usually runs at the highly trusted kernel level of the operating system, thus creating a potential avenue of attack. It needs to do this in order to have access to all potential malicious process and files. There have been cases where anti-virus software has itself been infected with a virus.

Finally, it’s best to remember that not all heuristic methods can detect new viruses. This is because the rogue programmers, before booting their new viruses into cyberspace, will test them on the major anti-virus applications to make sure that they are not detectable!

Source by Paul D Kennedy

Related Posts

About The Author

Add Comment