Understanding Antivirus Software

Antivirus software protects your computer from viruses, right? Well, yes and no. Most antivirus software packages these days work in two very different ways:

Signature matching:

The antivirus software looks inside files to see whether any portion of the file matches a big database of known "bad" snippets of data. When a new virus or worm is discovered, characteristic parts of the infecting program are added to the signature database. Signature matching still forms the backbone of the antivirus industry, but the black-hat cretins are getting better at writing malware that modifies itself, rendering signatures useless.

Some industry pundits observe that a steady flow of updated signature files drives revenue for the antivirus industry: If you drop your subscription, you don't get any new signatures. The antivirus software industry has one of the few software products that becomes nearly obsolete every few days. Powerful economic incentives exist to stick with the signature-matching model - which, by its very nature, only works after a new virus has been identified.

Heuristic analysis:

The antivirus software relies on the behavior (or the expected behavior) of a program to catch the destructive software before it has a chance to run. Although an enormous amount of research has gone into heuristic analysis, a black box that takes a file and determines whether it's going to mess up a PC is still a long way off. In fact, there are sound theoretical reasons why a perfect black box of that ilk can never exist.

When a bad piece of software is identified, the antivirus program (AV) offers to remove the infection. When viruses are attached to other files, in most cases, the offensive program can be removed without destroying the "host" file. Some AV packages have the ability to shut down a PC's links to the outside world if a particularly virulent worm is detected.

Antivirus software typically watches for infections (through signature matching or heuristic analysis) in one of three ways, and each of the ways hooks into Windows in a different manner:

A complete scan:

Typically, you schedule full scans of all your files in the middle of the night or shortly after you download a new signature file. The antivirus program runs a full scan as soon as it's up to date.

On the fly:

When you open a file or run a program, Windows alerts your antivirus software, and the AV software kicks in to scan the file before it gets run or opened. Similarly, if you download a program from the Internet, or run a program on a Web page, Windows has your AV software check before you have a chance to shoot yourself in the foot.
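The signature-matching model described above, together with the "complete scan" and "on the fly" hooks, as an added toy example (not code from the article or from any real AV product). The signature database, file contents and paths are constructed for illustration; the last file shows why a sample that changes even one byte of itself slips past a byte-for-byte signature.

```python
"""Toy model of a signature-matching antivirus scanner (added example)."""
from __future__ import annotations

# Constructed signature database: name -> characteristic byte snippet.
# The snippets are invented for this example; they are not real signatures.
SIGNATURES: dict[str, bytes] = {
    "Demo.Worm.A": b"\x4d\x5a\x90\x00DEMO-WORM-MARKER\x00",
    "Demo.Dropper.B": b"echo demo dropper > %TEMP%\\d.bat",
}


def scan_bytes(data: bytes, signatures: dict[str, bytes] = SIGNATURES) -> list[str]:
    """Signature matching: report every snippet found anywhere inside the file."""
    return [name for name, snippet in signatures.items() if snippet in data]


def full_scan(files: dict[str, bytes]) -> dict[str, list[str]]:
    """'Complete scan': check every file (path -> contents) in one pass."""
    return {path: scan_bytes(data) for path, data in files.items()}


def open_checked(path: str, files: dict[str, bytes]) -> bytes:
    """'On the fly': scan a file before handing its contents to the caller."""
    hits = scan_bytes(files[path])
    if hits:
        raise PermissionError(f"{path} blocked: matched {', '.join(hits)}")
    return files[path]


def flip_one_byte(data: bytes, index: int) -> bytes:
    """Model a self-modifying sample: one byte of the stored copy differs."""
    out = bytearray(data)
    out[index] ^= 0x01
    return bytes(out)


# Constructed sample files for a demonstration run (not real malware).
FILES: dict[str, bytes] = {
    "C:/Docs/report.txt": b"Quarterly numbers look fine.",
    "C:/Downloads/setup.exe": b"header" + SIGNATURES["Demo.Worm.A"] + b"trailer",
}
# Same worm, but one byte inside the signature region was altered (index 12 = 'M').
FILES["C:/Downloads/setup2.exe"] = flip_one_byte(FILES["C:/Downloads/setup.exe"], 12)

if __name__ == "__main__":
    for path, hits in full_scan(FILES).items():
        print(path, "->", hits or "clean")
```

Running it reports setup.exe as Demo.Worm.A while setup2.exe comes back clean, which is the gap the article says heuristic analysis tries to close.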

Lurking:

Good antivirus software runs in the background, looking for specific events that may be indicative of an infection. Some AV packages include firewalls, spam blockers, and other components that take lurking to a higher level, but almost all AV software watches while you work, running as a separate Windows task in the background.

In addition, all AV software scans email messages and attachments for infected files. Some scan before the mail gets to the email program; others scan as attachments are opened.