How Anti-virus works

Anyone who has a PC has used, or at least heard of, anti-virus. The war on viruses has gotten hot and heavy in the last two years or so. Anti-virus manufacturers have really got to be on their toes if they want to keep us protected. It takes a lot more than scanning emails and downloads to keep the nasties out anymore. Today I’d like to take a moment to help explain what anti-virus actually does when it’s scanning your system, and what it’s looking for.

First off, we’ll start with the basics. Anti-virus scans your email and downloads—but what is it looking for? There are two main types of scanning: “Specific” and “Generic”.

Your first line of defense is all those virus definitions, signatures, and updates that your anti-virus software is always downloading. They provide identifiable characteristics, or fingerprints, for malicious code. This is what is meant by “Specific” scanning—your anti-virus program takes all these updates and stores them in an internal database. The anti-virus then matches any new file introduced to your system via email or file download against that database to spot known threats.

Using virus definitions is great for known viruses, but the number of new viruses is growing exponentially every year, and it is possible that no definition exists in time to properly diagnose a dangerous piece of code. Heuristics and sandboxing are “Generic” scanning methods. They are not perfected yet and can bring up some strange issues, including system slowdown and incorrect diagnoses. Generic scanning is really in its infant stage and is used more in larger networks where a server can do all the scanning (not individual PCs). Antivirus companies use Generic scanning to construct new virus signatures, and I feel that these methods will be more widely used by single users in the future.

Heuristic scanning is a type of generic scanning that looks through the lines of code, not for exact matches to virus definitions, but for suspicious code. The anti-virus makes intelligent assumptions based on the scrutinized code. Basically, this means that the anti-virus can try to determine whether or not a file has a virus in it by looking at how the file or program is constructed and acts. This isn’t a perfect system, however, and can bring up some strange results. This is why some programs tell you to turn off your anti-virus before installing. This type of scanning isn’t a perfected science, but on the bright side it is better to be safe than sorry.
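To make the “Specific” versus “Generic” distinction concrete, here is a toy scanner I’ve added for this post (it is not code from any anti-virus product). The definition database holds one real entry, the harmless EICAR test string that every anti-virus is meant to detect, and one constructed hash; the heuristic side scores two construction traits, high byte entropy (packed or encrypted content) and references to Windows process-injection APIs.

```python
import hashlib
import math
from typing import Optional

# "Specific" scanning: a tiny definition database standing in for the signature
# updates an anti-virus downloads. EICAR is the industry's harmless test file;
# the hash entry is a constructed sample, not a real indicator.
EICAR = b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"
BYTE_SIGNATURES = {"EICAR-Test-File": EICAR}
HASH_SIGNATURES = {hashlib.sha256(b"constructed-known-bad-file").hexdigest(): "Sample.Constructed.A"}

def specific_scan(data: bytes) -> Optional[str]:
    """Exact-match the file against the definition database (hash first, then byte pattern)."""
    name = HASH_SIGNATURES.get(hashlib.sha256(data).hexdigest())
    if name:
        return name
    for name, pattern in BYTE_SIGNATURES.items():
        if pattern in data:
            return name
    return None

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: packed or encrypted content sits near 8.0, ordinary text near 4-5."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in (data.count(b) for b in set(data)))

# "Generic" scanning: traits of how a file is built, not what it matches exactly.
INJECTION_APIS = [b"VirtualAlloc", b"WriteProcessMemory", b"CreateRemoteThread"]

def heuristic_score(data: bytes) -> int:
    """Add up suspicious construction traits; higher means more likely malicious."""
    score = 2 if shannon_entropy(data) > 7.0 else 0          # looks packed or encrypted
    score += sum(1 for api in INJECTION_APIS if api in data)  # names injection APIs
    return score

def scan(data: bytes, threshold: int = 3) -> str:
    """Run specific scanning first, then fall back to the heuristic verdict."""
    hit = specific_scan(data)
    if hit:
        return f"infected:{hit}"
    return "suspicious" if heuristic_score(data) >= threshold else "clean"

if __name__ == "__main__":
    # Constructed sample: uniform bytes (entropy 8.0) plus two API names.
    packed = bytes(range(256)) * 16 + b"VirtualAlloc" + b"CreateRemoteThread"
    for label, blob in [("eicar", EICAR), ("text", b"hello world"), ("packed", packed)]:
        print(label, scan(blob))
```

Note how the heuristic side produces the “strange results” mentioned above: a legitimate compressed installer scores 2 for entropy alone, and a debugger that calls those same APIs can cross the threshold without being malicious, which is exactly why installers sometimes ask you to pause your anti-virus.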

Sandboxing is where an anti-virus program will take suspicious code and run it in a virtual machine (isolated from the rest of the system) in order to see exactly how the code works and what its purpose is.

Well, that’s a quick overview of how anti-virus works to protect our systems from infection. Hopefully, with the introduction of new technologies and methods, the threat of infection will become remote, and it might just discourage the writers of this malicious code. As usual, I emphasize that anyone who has a PC should have anti-virus software installed to keep their system virus free.

Stay safe out there,

~ Chad