How does Antivirus Software Work?

Most antivirus software (AV) defends your computer not only from viruses but also from other malicious programs such as keyloggers, Trojans and browser hijackers.

A keylogger is keyboard-capturing software that furtively records your keystrokes (passwords, card numbers, private messages) and then sends the log to a remote adversary.  The entire operation is covert, and some AV suites don't detect it, which makes it that much harder to control.

Trojans are equally insidious because they masquerade as benign software and, once you run them, surreptitiously give an intruder privileged access to the operating system.  IT professionals call that hidden entry point a backdoor, because it often goes undetected in the same way a thief might go unnoticed if he entered your home through the back door.

Trojans often grant hackers remote access to the target machine, which gives them virtually carte blanche over your entire file system, and over anything else the logged-in user can reach. Very bad.

Hijackers are also problematic.

When someone hijacks your car, he or she forcibly seizes it without your consent.  Similarly, browser hijacking means someone has modified your browser without your consent so that your home page (and often your default search engine) appears to be permanently changed, typically by altering browser settings, registry keys or installed extensions.  Hackers usually do this to goose web traffic hits, and the ad or affiliate revenue that comes with them, or just to be asinine.  Browser hijacking is a real pain, and sometimes even good AV suites have an arduous time removing it, because the hijacker reapplies its changes every time the browser starts.

And here's the thing: without antivirus software, I suspect a large share of the world's systems would be unusable.  Antivirus is an essential layer of any protection plan (a layer, not the whole plan) because it shields your system from most commodity digital threats with only a modest impact on system performance.

AV programs are typically divided into two camps, signature-based and heuristics-based, although modern products use a hybrid of both.

Signature Based

Antivirus software that subscribes to the signature model examines files and searches for matches in a virus dictionary: a database of byte patterns, file hashes and other fingerprints extracted from known malware.  Think of this like a doctor who consults a reference tome before diagnosing you.  Seem ineffective?  It isn't, as long as you realize that its efficacy is contingent on a current virus database, also known as the virus signature base.  As the makers of your AV program discover new viruses in the wild, they release new signatures, which your AV software downloads and uses to detect the latest threats.

One problem with this approach is that viruses are becoming increasingly sophisticated.  Virus authors now circumvent signature matching by encrypting the parts that identify them, and a polymorphic virus goes one step further: it re-encrypts its body with a different key on every infection and mutates the small decryption stub that unpacks it, so no two copies share the same byte pattern.  These are a particularly painful breed to deal with; scanners answer by emulating the decryption stub in a sandbox and matching signatures against the unpacked body instead of the file on disk.

Another problem with the signature approach is that it is reactive.  By the time a new threat has been analyzed and its signature added to the signature file, you're probably already infected and the damage is already done.
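To make the signature model and the polymorphism problem concrete, here is a small added example in Python (it is not code from the original post or from any real AV product).  It implements a toy signature scanner with both hash and byte-pattern signatures, then wraps a constructed "dropper" in a toy polymorphic layer to show that the static scan misses it while a scan of the emulated, unpacked body still catches it.  The EICAR string is the industry-standard harmless test file that every real scanner detects; the "Demo.*" signatures, the stub format and the file contents are made up for this example.

```python
import hashlib
import os
from typing import Dict, List

# Constructed toy signature database. The EICAR string is the industry-standard
# harmless test file that every real scanner detects; the "Demo.*" entries and
# the file contents below are made up for this example.
EICAR = b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"

# Byte-pattern signatures: a substring that appears in every copy of the family.
PATTERN_SIGNATURES: Dict[str, bytes] = {
    "EICAR-Test-File": EICAR,
    "Demo.Dropper": b"MZ\x90\x00DEMO_DROPPER_MARKER",
}

# Hash signatures: match one exact file and nothing else (one changed byte escapes).
EXACT_COPY = b"MZ" + b"\x00" * 32 + b"exact-copy-only"
HASH_SIGNATURES: Dict[str, str] = {
    hashlib.sha256(EXACT_COPY).hexdigest(): "Demo.ExactCopy",
}


def scan_bytes(data: bytes) -> List[str]:
    """Return the names of all signatures that match `data` (empty list = clean)."""
    hits = []
    digest = hashlib.sha256(data).hexdigest()
    if digest in HASH_SIGNATURES:
        hits.append(HASH_SIGNATURES[digest])
    for name, pattern in PATTERN_SIGNATURES.items():
        if pattern in data:
            hits.append(name)
    return hits


def scan_tree(root: str) -> Dict[str, List[str]]:
    """Walk a directory tree and return {path: [signature names]} for infected files."""
    findings = {}
    for dirpath, _, filenames in os.walk(root):
        for fn in filenames:
            path = os.path.join(dirpath, fn)
            try:
                with open(path, "rb") as fh:
                    hits = scan_bytes(fh.read())
            except OSError:
                continue  # unreadable file: skip it rather than abort the scan
            if hits:
                findings[path] = hits
    return findings


# --- why polymorphism defeats byte-pattern signatures ---------------------------

def polymorphic_encode(payload: bytes, key: int) -> bytes:
    """Toy polymorphic wrapper: a decryptor stub followed by the XOR-encoded body.

    A real polymorphic engine also rewrites the stub itself each generation;
    here only the key (and therefore every byte of the body) changes.
    """
    if not 1 <= key <= 255:
        raise ValueError("key must be a non-zero byte, or the body is left unencoded")
    stub = b"STUB:" + bytes([key])  # constructed stub format: marker + 1-byte key
    body = bytes(b ^ key for b in payload)
    return stub + body


def emulate_stub(sample: bytes) -> bytes:
    """What a scanner's emulator does: run the decryptor stub to recover the body."""
    if sample.startswith(b"STUB:") and len(sample) > 6:
        key = sample[5]
        return bytes(b ^ key for b in sample[6:])
    return sample  # not wrapped; scan as-is


def scan_with_emulation(data: bytes) -> List[str]:
    """Signature scan of both the raw bytes and the unpacked body."""
    hits = scan_bytes(data)
    for name in scan_bytes(emulate_stub(data)):
        if name not in hits:
            hits.append(name)
    return hits


if __name__ == "__main__":
    dropper = PATTERN_SIGNATURES["Demo.Dropper"] + b"\x00" * 16
    print("plain dropper        :", scan_bytes(dropper))
    for key in (0x41, 0x5A):
        mutated = polymorphic_encode(dropper, key)
        print(f"mutated with key {key:#x}: static={scan_bytes(mutated)} "
              f"emulated={scan_with_emulation(mutated)}")
```

The hash signature shows the brittle end of the spectrum (append a single byte and it no longer matches), the byte pattern is what most people mean by a "virus definition", and the two encodings of the same dropper show why a pattern alone is not enough once the author re-keys the body on every infection.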

That’s where the heuristics based approach comes in.

Heuristics Based

Heuristics means judging by characteristics and behavior rather than by exact matches.   It's like a doctor who examines your symptoms and behavior before diagnosing and treating you; he doesn't need a reference manual.  In practice that covers two things: static heuristics, which flag suspicious traits of the file itself (packed or encrypted code, an odd entry point), and behavioral heuristics, which watch what the program actually does when it runs.

In the computer world, if one program tries to write data into another executable program, that is considered suspicious and would be strictly proscribed by your AV suite.  The heuristics engine detects the behavior as odd and doesn't permit the write, usually weighing it together with other signals (running from a temp folder, installing a keyboard hook, adding itself to the startup list) before it decides.

Contrary to the signature-based approach, heuristics gives your AV software a certain measure of intelligence, because it can protect against new threats before their signatures exist.  On the flip side, pure heuristics AV solutions are rare, because the rate at which they correctly identify real malware is not as high as it should be, and they make mistakes called false positives: legitimate software (an installer patching its own executable, say) gets flagged as malicious.  Those require user intervention to manually approve activities that the antivirus software doesn't realize are valid.

How it works

Usually the AV software lurks quietly in the background, like a shark waiting to attack its prey.  Every time you open, copy or execute a file, the antivirus program intercepts the operation for an instant, scanning the file and checking for anomalies while you blithely go on checking your latest @mentions on Twitter.

Some vendors call this on-access scanning, real-time protection or resident scanning, but the result is the same:  you have a virtual bodyguard always working to protect your system.

I highly recommend scheduling weekly, overnight, full-system scans, because on-access scans only look at files as they are touched: a dormant file that slipped past when it arrived can still be caught once the signatures have been updated.  It's a wise move to schedule these scans as part of your general maintenance routine.

Most antivirus programs rely on a hybrid of signature- and heuristics-based analysis.  And since there's a signature element, the AV program will download new virus definitions so it can stay ahead of the latest threats.  When a virus is detected, the AV software quarantines it, which means it moves the file to a protected location on the hard drive, typically encoded so it can't be executed or re-detected by accident, along with a record of where it came from and why it was caught.  Once quarantined, a virus is rendered useless.  The AV software doesn't immediately expunge the file, because sometimes it tags valid files as malicious.  So the quarantine is like a hermetically sealed glass jar: nothing can enter or escape, but you can look inside to see whether the thing really is a virus, and then either delete it for good or restore it to where it was.
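The "sealed glass jar" is easy to show in code.  The following added Python example (not code from the original post or any real AV product) implements a minimal quarantine: it masks the file so it can no longer execute or trip the on-access scanner, writes a metadata sidecar recording the original path, hash and detection name, lets you peek at the contents without restoring, and restores a false positive only after verifying the stored hash.  The masking scheme, the `.qtn`/`.json` file names and the sample file are constructed for the example; a real product uses a per-installation secret rather than a fixed XOR byte.

```python
import hashlib
import json
import os
import tempfile
import time
from pathlib import Path
from typing import Optional

# Constructed masking byte; a real product uses a per-installation secret so a
# quarantined file cannot be trivially un-masked by another program.
MASK_KEY = 0xA5


def _mask(data: bytes) -> bytes:
    """XOR every byte. Not encryption: it just stops the file executing or being
    re-detected by the on-access scanner, while staying reversible for inspection."""
    return bytes(b ^ MASK_KEY for b in data)


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def quarantine(path: Path, qdir: Path, detection: str) -> Path:
    """Move `path` into the quarantine directory, masked, with a metadata sidecar."""
    data = path.read_bytes()
    sha = sha256_hex(data)
    qdir.mkdir(parents=True, exist_ok=True)
    qfile = qdir / f"{sha}.qtn"
    qfile.write_bytes(_mask(data))
    os.chmod(qfile, 0o600)  # owner read/write only, no execute bit
    meta = {
        "original_path": str(path.resolve()),
        "sha256": sha,
        "size": len(data),
        "detection": detection,
        "quarantined_at": time.time(),
    }
    (qdir / f"{sha}.json").write_text(json.dumps(meta, indent=2))
    path.unlink()  # only after the quarantined copy is safely on disk
    return qfile


def inspect(qdir: Path, sha: str) -> dict:
    """Read the sidecar: what it was, where it lived, why it was caught."""
    return json.loads((qdir / f"{sha}.json").read_text())


def peek(qdir: Path, sha: str) -> bytes:
    """Look inside the jar: the original bytes, for analysis, without restoring."""
    return _mask((qdir / f"{sha}.qtn").read_bytes())


def restore(qdir: Path, sha: str) -> Path:
    """Put a false positive back where it came from, verifying integrity first."""
    meta = inspect(qdir, sha)
    data = peek(qdir, sha)
    if sha256_hex(data) != meta["sha256"]:
        raise ValueError("quarantine entry is corrupted; refusing to restore")
    dest = Path(meta["original_path"])
    dest.parent.mkdir(parents=True, exist_ok=True)
    dest.write_bytes(data)
    (qdir / f"{sha}.qtn").unlink()
    (qdir / f"{sha}.json").unlink()
    return dest


def delete(qdir: Path, sha: str) -> None:
    """Confirmed malicious: expunge the entry for good."""
    (qdir / f"{sha}.qtn").unlink()
    (qdir / f"{sha}.json").unlink()


def demo_roundtrip(root: Optional[Path] = None) -> dict:
    """Quarantine a constructed harmless file, inspect it, then restore it."""
    root = root or Path(tempfile.mkdtemp())
    sample = b"MZ\x90\x00DEMO_DROPPER_MARKER" + b"\x00" * 16  # constructed, harmless
    victim = root / "dropper.exe"
    victim.write_bytes(sample)
    qdir = root / "quarantine"
    qfile = quarantine(victim, qdir, "Demo.Dropper")
    sha = sha256_hex(sample)
    result = {
        "original_removed": not victim.exists(),
        "stored_masked": qfile.read_bytes() != sample,
        "peek_matches": peek(qdir, sha) == sample,
        "detection": inspect(qdir, sha)["detection"],
    }
    restored = restore(qdir, sha)
    result["restored_matches"] = restored.read_bytes() == sample
    result["entry_cleared"] = not qfile.exists()
    return result


if __name__ == "__main__":
    for k, v in demo_roundtrip().items():
        print(f"{k}: {v}")
```

Two details matter in practice and are reflected above: the original is deleted only after the masked copy has been written, so a crash mid-way never loses the evidence, and `restore` refuses to write back anything whose hash no longer matches the sidecar, so a tampered quarantine entry cannot be used to smuggle a different file onto the disk.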

What antivirus software do you recommend?

I like free.  If your computer isn't so sick that it can't access the internet, the best online scanner is Bitdefender Quickscan.

Bitdefender Quickscan Online Scanner

The nice thing about Quickscan is that it works in all major browsers and gives you a quick report on any viruses it found.  The negative is that it won't scan your entire hard drive, but then again, if it did, it wouldn't be quick, so that doesn't really bother me.  It's not meant to be an AV replacement; just think of it as another tool in your antivirus arsenal.

Malwarebytes is the best free antivirus tool

The best free antivirus program is categorically Malwarebytes Anti-Malware.  It beats commercial antivirus suites in the benchmark tests I've seen, is super easy to install and correctly remediates malicious changes to Windows settings.  You can download it right now from http://www.malwarebytes.org/

The Bottom Line

As long as there are computers and nefarious hackers bent on making a name for themselves by committing digital atrocities, there will be a need for antivirus software.  Fortunately, as hackers adopt more advanced attack vectors, antivirus makers keep pace and are right there to fight back.  The key to protecting your system is using the right tools and learning about online safety, especially on public networks.

Have you had success with any other free AV solutions?  Let me know in the comments!


Connect with Vonnie on Twitter

Posted in How To, Security, What Is