

Working principle of Antivirus


Category: Antivirus    Rating: 2 out of 5
Author: Member Level: Gold    Points: 18


This resource explains the working principle of antivirus software.


How does an Antivirus work?



Antivirus software is the first line of defense that detects and removes malware. Simply put, an antivirus scans our system to detect and eliminate malware. It checks not only the files already on the system but also any new file, before it is downloaded onto our system, in case it is suspicious. An antivirus works on the following major approaches:

• Dictionary based approach

• Suspicious behavior approach

• Emulation approach

• Sandbox approach


Dictionary based approach


A dictionary is a book where we look up the meanings and definitions of words. Similarly, an antivirus dictionary is a file that contains virus definitions (signatures). During a system scan, the antivirus compares the code of files on the system against the virus definitions in the dictionary to find out whether a file is infected. If the file contains code matching a virus definition, the user is notified and then has to decide whether the file should be deleted, quarantined or repaired.

This is a fairly fast approach to finding viruses, as the check can be done whenever a file is opened, executed or closed by the operating system. But the prime requirement of this approach is daily updates. Thousands of new viruses appear every day, and an outdated dictionary cannot detect or eliminate a new virus it encounters if it has no definition for it. This is why we are asked to update our antivirus software regularly.


Although this is considered a very effective method, it still fails against oligomorphic, metamorphic and polymorphic viruses, which change their code from copy to copy so that it no longer matches the definition the software holds.
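The dictionary approach described above, as an added example that is not part of the original article: a small in-memory "virus dictionary" of whole-file hashes and byte patterns is matched against constructed sample files, and a sample whose malicious bytes have merely been re-encoded shows why the dictionary needs updating before it can catch the variant. All names, patterns and files here are made up for the example.

```python
import hashlib

# Constructed virus dictionary: each definition is a name plus a byte pattern
# taken from the malicious code. Real definitions come from the vendor's daily
# updates; these are invented for the example.
SIGNATURE_DICTIONARY = [
    {"name": "Example.DictTest.A", "pattern": b"\x90\x90\xeb\x05INFECT"},
    {"name": "Example.DictTest.B", "pattern": b"INFECT\x00ME\x00PLEASE"},
]

# Constructed sample "files" held in memory so the example runs offline.
CLEAN_FILE = b"MZ\x90\x00" + b"\x00" * 64 + b"hello, world"
INFECTED_FILE = b"MZ\x90\x00" + b"\x00" * 32 + b"\x90\x90\xeb\x05INFECT" + b"\x00" * 32
# Same payload as INFECTED_FILE, but the pattern bytes are XOR-encoded with 0x41
# (a stand-in for a polymorphic variant): the stored signature no longer matches.
MORPHED_PATTERN = bytes(b ^ 0x41 for b in b"\x90\x90\xeb\x05INFECT")
MORPHED_FILE = b"MZ\x90\x00" + b"\x00" * 32 + MORPHED_PATTERN + b"\x00" * 32

# Whole-file hashes are the most rigid kind of definition: any single byte
# change in the file defeats them.
HASH_DICTIONARY = {hashlib.sha256(INFECTED_FILE).hexdigest(): "Example.DictTest.A"}


def scan_file(data, signatures=SIGNATURE_DICTIONARY, hashes=HASH_DICTIONARY):
    """Return the names of all dictionary entries that match this file's bytes."""
    names = []
    digest = hashlib.sha256(data).hexdigest()
    if digest in hashes:
        names.append(hashes[digest])
    for sig in signatures:
        # Exact byte-pattern match, the classic "virus definition" check.
        if sig["pattern"] in data and sig["name"] not in names:
            names.append(sig["name"])
    return names


def updated_dictionary(signatures, name, pattern):
    """Simulate a definition update: return a new dictionary with one more entry."""
    return signatures + [{"name": name, "pattern": pattern}]


if __name__ == "__main__":
    print("clean:   ", scan_file(CLEAN_FILE))
    print("infected:", scan_file(INFECTED_FILE))
    print("morphed: ", scan_file(MORPHED_FILE))          # missed until updated
    newer = updated_dictionary(SIGNATURE_DICTIONARY, "Example.DictTest.A.var", MORPHED_PATTERN)
    print("morphed after update:", scan_file(MORPHED_FILE, signatures=newer))
```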

Suspicious Behavior approach


As the name suggests, this method is based on watching for suspicious behavior. For example, say an unknown process running on our system tries to modify the FAT or writes data into some executable. That definitely triggers suspicion. This method can therefore provide protection against new viruses, whereas with the dictionary approach the virus has to be listed in the dictionary first.
But the major problem with this approach is the number of false positives. With more and more warnings the user tends to ignore them, and thereby occasionally allows viruses to damage our systems.

Today's antivirus software uses the dictionary and suspicious behavior approaches in combination to detect, remove and prevent malware.
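The suspicious behavior approach, as an added example that is not part of the original article: a few constructed process-activity events (process, operation, target) are scored by heuristic rules for writing into executables and raw disk writes, and a legitimate updater that also writes an executable shows where the false positives the text warns about come from. Process names, paths, scores and the threshold are all invented for the example.

```python
from collections import defaultdict

# Constructed process-activity events of the kind a behaviour monitor hooks:
# (process name, operation, target). Invented for this example.
EVENTS = [
    ("notepad.exe", "read", r"C:\Users\me\notes.txt"),
    ("notepad.exe", "write", r"C:\Users\me\notes.txt"),
    ("unknown123.exe", "write", r"C:\Windows\System32\calc.exe"),   # writes into an executable
    ("unknown123.exe", "write", r"\\.\PhysicalDrive0"),             # raw disk / file-system structures
    ("unknown123.exe", "read", r"C:\Program Files\Foo\foo.exe"),
    ("updater.exe", "write", r"C:\Program Files\Foo\foo.exe"),      # legitimate update of an .exe
]

# Processes whose executable-writing is expected (a vendor's updater).
# Constructed allowlist; real products key this on signer identity, not name.
TRUSTED_PROCESSES = {"updater.exe"}
ALERT_THRESHOLD = 3


def score_event(operation, target):
    """Heuristic score for one operation: higher means more virus-like."""
    score = 0
    lowered = target.lower()
    if operation == "write" and lowered.endswith((".exe", ".dll", ".sys")):
        score += 3   # writing into another executable: classic infection step
    if operation == "write" and lowered.startswith(r"\\.\physicaldrive"):
        score += 5   # raw disk write, e.g. to the FAT or boot sector
    return score


def analyse(events, trusted=TRUSTED_PROCESSES, threshold=ALERT_THRESHOLD):
    """Sum scores per process and return those at or above the alert threshold."""
    scores = defaultdict(int)
    for proc, op, target in events:
        if proc in trusted:
            continue          # allowlisted: its executable writes are expected
        scores[proc] += score_event(op, target)
    return {proc: s for proc, s in scores.items() if s >= threshold}


if __name__ == "__main__":
    print("alerts with allowlist:   ", analyse(EVENTS))
    # Without the allowlist the updater is flagged too: a false positive.
    print("alerts without allowlist:", analyse(EVENTS, trusted=set()))
```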


Emulation approach


Some antivirus programs emulate the beginning of the code of each new executable that is about to run before transferring control to the executable itself. If the program contains self-modifying or self-replicating code, or tries to locate other executables, we can say that the executable is infected. But even this method produces a lot of false positives.

Sandbox approach


In computer security, a sandbox is a security mechanism for isolating running programs.

It is used to test an untested piece of code, which may be an untrusted program, by tightly controlling the resources made available to that program while it runs. In other words, the sandbox behaves like our operating system and runs the untrusted guest program in isolation. After the program has run, the sandbox is examined for any changes of the kind a virus would make. This method has a high performance overhead, which limits its use to on-demand scans.

No method is 100 percent accurate and protective. Antivirus products therefore use combinations of the above methods to protect the system. The more security fixes are brought into a system or OS, the lower the chance of intrusion. Experts say that Linux is a secure OS because of its complex file systems and complex access mechanisms. If Microsoft made similar security fixes in Windows, there would be more protection.




Responses to "Working principle of Antivirus "
Author: Aamir Shahzad    17 May 2011    Member Level: Gold    Points: 1
Working principle of antivirus is a great effort in security. It is a great article about antivirus.

Regards

Aamir khan


