How Does an Antivirus Work?

Just as we humans can get infected and fall ill, our computers can also get infected while they are connected to the Internet. Viruses get into a computer through things we bring in from the Internet, such as email attachments or files we download. A virus can destroy our data by wiping it out or making it unusable, and it can also hurt the computer's performance by slowing it down dramatically. A virus can also transmit our confidential data to someone else, or let someone take control of our computer remotely and use it for their own purposes.
Antivirus software is the most essential program to have on a Windows computer to protect it from viruses. If you've ever wondered how these antivirus programs detect viruses (just like me :p), read on!

How Does an Antivirus Detect Viruses?

Signature detection is the method by which an antivirus scans the files brought into a system and picks out those most likely to be hazardous.

In essence, antivirus applications ship with a database of already analysed viruses and match the code and patterns in files and web pages against the unique byte sequences and patterns that make up the code of each known virus. If they match, the file is quarantined, meaning it is moved to a new, isolated location so that it cannot infect any other files on the system.
Antivirus programs also check for malicious behavior on a system, such as suspicious registry entries or an unknown program being set to execute automatically at system startup, which protects the computer against encrypted viruses or viruses that have not yet been identified.
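
The signature matching and quarantine step just described, as an added Python example that is not part of the original article: the signature database, the sample files and the quarantine folder are all constructed for the demonstration, and the chunked read keeps an overlap so a pattern that straddles two chunks is still found.

```python
import os
import shutil
import tempfile

# Constructed signature database (name -> byte pattern); in a real product
# the vendor extracts these from analysed samples. These are made up.
SIGNATURES = {
    "Demo.Dropper.A": bytes.fromhex("4d5a900003000000deadbeef00c0ffee"),
    "Demo.Marker.B": b"$DEMO-SIGNATURE-TEST-STRING$",
}
OVERLAP = max(len(p) for p in SIGNATURES.values()) - 1

def scan_bytes(data: bytes) -> list:
    """Return the names of every signature whose pattern occurs in data."""
    return sorted(name for name, pat in SIGNATURES.items() if pat in data)

def scan_file(path: str, chunk: int = 1 << 20) -> list:
    """Scan chunk by chunk, carrying an overlap so a pattern that straddles
    two chunks is still matched."""
    hits, tail = set(), b""
    with open(path, "rb") as fh:
        while block := fh.read(chunk):
            hits.update(scan_bytes(tail + block))
            tail = (tail + block)[-OVERLAP:]
    return sorted(hits)

def quarantine(path: str, qdir: str) -> str:
    """Move a detection into qdir under a neutral name so nothing opens or
    executes it from its original location."""
    os.makedirs(qdir, exist_ok=True)
    dest = os.path.join(qdir, os.path.basename(path) + ".quarantined")
    shutil.move(path, dest)
    return dest

def demo() -> dict:
    """Write two constructed files, scan them with 64-byte chunks (so the
    pattern straddles a chunk boundary) and quarantine any detection."""
    root = tempfile.mkdtemp()
    qdir = os.path.join(root, "quarantine")
    with open(os.path.join(root, "clean.txt"), "wb") as fh:
        fh.write(b"just a plain text file\n")
    with open(os.path.join(root, "sample.bin"), "wb") as fh:
        fh.write(b"\x00" * 60 + SIGNATURES["Demo.Dropper.A"] + b"\x00" * 60)
    result = {}
    for name in ("clean.txt", "sample.bin"):
        path = os.path.join(root, name)
        hits = scan_file(path, chunk=64)
        result[name] = (hits, quarantine(path, qdir) if hits else None)
    return result
```
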
The following is a list of the different virus detection methods an antivirus can use to protect our computer.

  1. Virus Definitions: This is essentially the first method conventional antivirus software uses to identify a virus.
    The programs look for signatures to detect new malware. The antivirus companies analyze a malicious file, extract an exact signature from it and keep these signatures in a database; incoming threats are compared against this database, and the device is protected whenever a signature matches.
  2. Heuristic-based detection: This is the most common form of detection; it uses an algorithm to compare the signatures of known viruses against a potential threat. An antivirus equipped with this type of detection can also catch viruses that have not yet been discovered and catalogued as a new virus, but it can also generate false positives, meaning that the scanner may report an uninfected file as infected.
  3. Behavior-based detection: If a virus gets past the above detection methods, the antivirus then observes the behavior of programs running on the computer. The antivirus raises a warning if a program begins to perform unusual actions such as those listed below:
    • Changing the settings of other programs
    • Modifying or deleting dozens of files
    • Connecting remotely to other computers

    This is a useful method for finding viruses or any other type of malware that attempts to steal or log information.

  4. Sandbox Detection: In this detection method, the antivirus software runs a program in a virtual environment and records the actions it performs to determine whether the program is malicious. If the program is found to be safe, it is then executed in the real environment.

    This technique is rarely used in consumer antivirus solutions, as it is both resource-heavy and slow, but antivirus solutions designed for corporate and network use do offer it.

  5. Data Mining: Data mining is the most recent development in malware detection that security companies now provide with their antivirus products to detect and eliminate forms of malware that have only just been released. First, a set of features is extracted from each file; then data mining and machine learning algorithms are applied to those features to characterize the file's behavior and decide whether it is malicious.
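
The three behaviour rules listed under item 3 above, as an added Python example that is not taken from the article: it replays a constructed event log (time, process, event type, detail) and records the matching alert per process; the "dozens of files" threshold, the time window and the own-settings rule of thumb are assumed values chosen for the demonstration.

```python
from collections import defaultdict, deque

MASS_CHANGE_THRESHOLD = 30   # "dozens of files" touched...
MASS_CHANGE_WINDOW = 10.0    # ...within this many seconds (assumed values)

# Constructed event log: (time in seconds, process, event type, detail).
# Made-up data for this example, not the output of any real product.
EVENTS = [
    (0.0, "editor.exe", "file_write", "C:\\Users\\alice\\notes.txt"),
    (0.5, "editor.exe", "registry_write", "HKCU\\Software\\Editor\\Recent"),
    (1.0, "updater.exe", "registry_write", "HKCU\\Software\\OtherApp\\Settings"),
    (1.5, "updater.exe", "net_connect", "203.0.113.7:8443"),
] + [(2.0 + i * 0.01, "updater.exe", "file_delete",
      "C:\\Users\\alice\\docs\\" + str(i) + ".docx") for i in range(40)]

def touches_own_settings(process: str, key: str) -> bool:
    """Assumed rule of thumb: a process may write registry keys that carry
    its own name (editor.exe -> ...\\Editor\\...); anything else is foreign."""
    stem = process.rsplit(".", 1)[0].lower()
    return stem in key.lower()

def is_remote(endpoint: str) -> bool:
    """Treat any endpoint that is not loopback as a remote computer."""
    return not endpoint.startswith(("127.", "localhost", "::1"))

def analyze(events) -> dict:
    """Replay events in time order; return {process: sorted alert names}
    for every process that tripped at least one behaviour rule."""
    alerts = defaultdict(set)
    recent = defaultdict(deque)   # process -> timestamps of recent file changes
    for ts, proc, kind, detail in sorted(events):
        if kind == "registry_write" and not touches_own_settings(proc, detail):
            alerts[proc].add("settings_of_other_program")
        elif kind in ("file_write", "file_delete"):
            window = recent[proc]
            window.append(ts)
            while ts - window[0] > MASS_CHANGE_WINDOW:   # drop old entries
                window.popleft()
            if len(window) >= MASS_CHANGE_THRESHOLD:
                alerts[proc].add("mass_file_change")
        elif kind == "net_connect" and is_remote(detail):
            alerts[proc].add("remote_connection")
    return {proc: sorted(names) for proc, names in alerts.items()}
```
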

Types of Scans

Apart from the detection methods explained above, the types of scans an antivirus offers are an equal measure of how successful it is.

  1. On-Demand Scan: As the name suggests, this scan runs either when the user wants to scan the computer after noticing abnormal behavior, or at a time the user has scheduled. It searches the contents of disks, directories and files, as well as boot sectors and system components. Such scans are used either as preventive maintenance or when a virus is suspected.
  2. Real-Time Protection: Almost all modern antivirus programs offer this type of automatic protection, which runs in the background and thereby increases the chance of catching malware before it does damage. For this reason, these scans are also known as a ‘background guard’. Real-time protection monitors the system for suspicious activity as data is loaded into active memory, for example when a USB drive is inserted or a downloaded file is executed.
  3. Smart Scans: Under a smart scan, the antivirus only scans selected files that are more likely to be infected. This type of scan lowers the demand on system resources while still protecting against the more common types of viruses, threats and risks.
