  • How does antivirus detect the virus?


    Have you ever given a thought to how antivirus software detects viruses? Ask our technical experts if you are curious.

    We normally talk about antivirus software and its capabilities when a PC, tablet or smartphone is infected with a virus. I want to know how antivirus software detects the virus and how it identifies whether a file is infected with a virus or not. What is the algorithm behind it? How do antivirus software companies prepare updates daily?
  • Answers

    3 Answers found.
    The antivirus programme works in the background. It keeps scanning each of the files you open or execute. This is called real-time protection. Different antivirus manufacturers have assigned different names to this process. It may be called on-access scanning, background scanning or resident scanning. All those names mean the same thing.

    Real time protection

    The antivirus programme keeps updating its database of the viruses that have been found to affect the PCs worldwide. Whenever you open a programme or a file, it is scanned to check the presence of any known virus by comparing it to the ones that the programme has in its database.

    Heuristic scan

    Antivirus programmes also do their task by performing what is known as a heuristic scan. It is the process wherein the file is scanned for any kind of abnormal behaviour. Such behaviour could be an indication of a new, hitherto unknown virus. It will also scan other types of files, like a macro in a Word or Excel file or a zip file in an application. Zip archives can contain viruses in a compressed form.



    Apart from the real time scan, you can set your antivirus programme to run scheduled full scans. This will scan the entire system to check for the viral behaviour of any sort.

    It should be noted that the virus database on your system should be up to date. Numerous viruses are detected almost on a daily basis. Your antivirus programme is completely dependent on the virus definitions that it has in its database. Antivirus program firms use a variety of tools to identify and segregate the viruses and compile the up to date databases. Make it a point to keep your virus database always updated to be secure.

    There are different methods employed by antivirus programs in identifying the viruses. Some of them are:

    1. Signature based
    It involves scanning and checking all executable files and programs and then comparing them to the existing database list. All your files, programs and apps are scanned as and when you put them to use.

    2. Heuristic based
    This scan is used along with the signature-based technique. It identifies suspicious code in the program. Thus a strange behaviour can be quarantined even when it does not have a definition in the virus database. It checks the code that is vulnerable to a virus attack.

    3. Behavioural based
    It checks the behaviour of a malware when it is being executed. What it means is that the antivirus program will detect the virus only when it sees the malware in action.

    Sandbox detection

    It is quite similar to behavioural-based detection. It runs the suspected program in a virtual environment. Thereby the program can track the functions performed by the suspect.

    Data Mining
    This is one of the latest trends used in detecting the virus. The file features are extracted from the file itself. These features are classified as malicious or not using specific algorithms.

    Live....and Let Live!
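As an added example (not code from the answer above or from any antivirus product), here is a minimal Python scanner for the signature-based and archive points made in this answer: it matches whole-file hashes and byte patterns against a small constructed definition set, and descends into zip archives with depth and size limits so that a compressed copy is still found. The EICAR string is the industry's standard harmless test file; the hash entry is computed from a constructed sample, and the detection names, limits and file names are all made up for this example.

```python
# Added example: signature scanning with hash and byte-pattern definitions,
# descending into zip archives. Definitions and samples are constructed here.
import hashlib
import io
import zipfile

# EICAR is the standard harmless antivirus test string; SAMPLE_BAD is a
# constructed stand-in for a file whose hash sits in the definition set.
EICAR = b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"
SAMPLE_BAD = b"MZ\x90\x00" + b"\x00" * 16 + b"constructed sample body"

PATTERN_SIGNATURES = {"EICAR-Test-File": EICAR}  # detection name -> byte pattern
HASH_SIGNATURES = {                               # sha256 hex -> detection name
    hashlib.sha256(SAMPLE_BAD).hexdigest(): "Constructed.Sample.A",
}

MAX_DEPTH = 3               # nested archives deeper than this are not opened
MAX_MEMBER_BYTES = 1 << 20  # members declaring a larger size are not extracted


def scan_bytes(data, path="<memory>", depth=0):
    """Return a list of (path, detection_name) for data and any zip members."""
    hits = []
    digest = hashlib.sha256(data).hexdigest()
    if digest in HASH_SIGNATURES:
        hits.append((path, HASH_SIGNATURES[digest]))
    for name, pattern in PATTERN_SIGNATURES.items():
        if pattern in data:
            hits.append((path, name))
    # A compressed copy does not match the raw pattern, so open the archive
    # and scan each member; the depth and size limits guard against zip bombs.
    if depth < MAX_DEPTH and zipfile.is_zipfile(io.BytesIO(data)):
        with zipfile.ZipFile(io.BytesIO(data)) as archive:
            for info in archive.infolist():
                if info.is_dir() or info.file_size > MAX_MEMBER_BYTES:
                    continue
                member_path = f"{path}/{info.filename}"
                hits.extend(scan_bytes(archive.read(info), member_path, depth + 1))
    return hits


def build_sample_archive():
    """Constructed archive: a clean text file, EICAR, and a nested zip."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("payload.bin", SAMPLE_BAD)
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("readme.txt", "harmless text")
        z.writestr("eicar.com", EICAR)
        z.writestr("nested.zip", inner.getvalue())
    return outer.getvalue()


if __name__ == "__main__":
    for found in scan_bytes(build_sample_archive(), "sample.zip"):
        print(found)
```

Two details worth noticing: a hash signature only matches an identical file, so a single changed byte defeats it, which is why real definition sets also carry byte patterns; and the archive member size check reads the declared size from the zip header, which a crafted archive can misstate, so a production scanner bounds the bytes actually decompressed as well.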

  • Here are some of the answers to your questions.

    1. How antivirus detects virus?

    Antivirus products are installed alongside the kernel in order to remove viruses from the operating system. They stay on top of every service and program being run by the kernel. This allows them to identify the patterns with which viruses run. From there they can either patch the virus or remove the infected file to prevent further corruption.

    It makes use of multiple scanning algorithms to identify common security threats; some of these algorithms include heuristic scanning, on-access scanning, system scanning, pattern detection and definition matching. Apart from that, there are also sandbox detection and data mining methods being employed in each algorithm.

    Heuristics and on-access scanning consume a lot of system resources, and they take control of the entire system's resources before removing the common threats in the system. System scanning checks files and folders for infection, including the operating system drivers and files.

    Pattern detection and definition matching both make use of a central repository of patterns of common virus definitions. Pattern detection actively checks for such patterns before executing any file on the system. In definition matching, the definitions from the repository are downloaded to identify the security threat.

    2. How it identifies if the system is infected with virus or not?

    Depending on the type of algorithm being used for the scanning, the virus definitions are matched against the scanned file, and in this way the file is checked for infection. If the file is confirmed to match the infection pattern, it is either cleaned, deleted or kept in the antivirus's quarantine region.

    3. What is the algorithm behind it?

    Each company makes use of its own algorithm for virus detection. The algorithm also depends on the type of detection method in use. So none of these algorithms are released in public for study. However, the specific names of such algorithms may be released if an antivirus company has applied for a patent.

    4. How antivirus companies prepare update daily?

    Prior to 2000, each antivirus company used to maintain its virus definitions proprietarily. Today, antivirus companies release data for virus and security threat definitions to a common open repository accessible to each antivirus company, using samples from CARO and EICAR. This way each company gets the virus definition patterns on which it can update its virus detection algorithm. You can read about how open sample definitions are updated on the openantivirus project website.

    Anti-virus software programs are programs made to scan files and to identify and at the same time eliminate viruses and other malicious software, also known as malware.

    Anti-virus software programs are usually based on two different techniques that help the program perform the above-mentioned tasks: the virus dictionary approach and the suspicious behavior approach. There is another approach or method which is quite often used to detect a virus. This is known as the sandbox method.

    Firstly, they start by examining files to search for known types of viruses with the help of a virus dictionary. They search for programs that display suspicious behavior and can indicate signs of the computer getting infected. In most cases the commercial anti-virus software available on the internet uses two approaches, though the primary method is generally seen to be the virus dictionary approach.

    Virus dictionary approach
    The virus dictionary approach is where the anti-virus software examines a file while referring to a dictionary of known viruses, a list of viruses previously identified by the developer of that particular anti-virus software. When the software identifies a piece of code in the file matching any of the viruses listed in the dictionary, the anti-virus program will either be instructed to automatically delete the file, or quarantine it to make the file inaccessible for other programs to interact with and stop the virus from spreading. It might also try to repair the file by deleting the virus itself from the system.

    Suspicious behavior approach
    The suspicious behavior approach, on the contrary, monitors the behavior of all programs instead of trying to identify known viruses. It starts working if it finds any program trying to write data to an executable program.

    The Sandbox Method
    Another popular detection method is the sandbox. A sandbox emulates the operating system and runs the executable in a simulated situation. Once the program is terminated, the sandbox analyses the changes that are indicative of the presence of a virus.
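The "program trying to write data to an executable program" rule from this answer, and the behavioural-based detection described in the first answer, as an added Python example that is not part of any answer on this page: a monitor replays a constructed log of process events, records which executable files each process wrote to, and grades the process, with a threshold so that an installer touching one executable is only flagged while a process overwriting several is blocked. The event format, process names, paths, suffix list and threshold are all constructed for this example.

```python
# Added example: a suspicious-behaviour monitor replayed over a constructed
# event log. Event format, process names, paths and threshold are constructed.
from collections import defaultdict

EXECUTABLE_SUFFIXES = (".exe", ".dll", ".com", ".scr")

# Constructed events: (pid, process name, action, target path).
EVENTS = [
    (100, "editor.exe", "open", r"C:\Users\a\notes.txt"),
    (100, "editor.exe", "write", r"C:\Users\a\notes.txt"),
    (200, "setup.exe", "write", r"C:\Program Files\App\app.exe"),
    (300, "photo.scr", "open", r"C:\Windows\notepad.exe"),
    (300, "photo.scr", "write", r"C:\Windows\notepad.exe"),
    (300, "photo.scr", "write", r"C:\Windows\calc.exe"),
    (300, "photo.scr", "write", r"C:\Program Files\App\app.exe"),
    (300, "photo.scr", "write", r"C:\Program Files\App\app.exe"),  # repeat write
]


def is_executable(path):
    """Constructed rule: classify a target by its file suffix."""
    return path.lower().endswith(EXECUTABLE_SUFFIXES)


def analyse(events, block_threshold=3):
    """Grade each process by the distinct executables it wrote to.

    Returns {pid: {"process": name, "verdict": ..., "targets": [...]}} for
    processes that wrote to at least one executable. A single write is graded
    "suspicious" (installers and updaters do this legitimately); writes to
    block_threshold or more distinct executables are graded "block", which is
    the pattern of a file infector spreading itself into other programs.
    """
    names = {}
    targets = defaultdict(set)
    for pid, name, action, target in events:
        names[pid] = name
        if action == "write" and is_executable(target):
            targets[pid].add(target.lower())
    report = {}
    for pid, written in targets.items():
        verdict = "block" if len(written) >= block_threshold else "suspicious"
        report[pid] = {"process": names[pid], "verdict": verdict,
                       "targets": sorted(written)}
    return report


if __name__ == "__main__":
    for pid, info in analyse(EVENTS).items():
        print(pid, info["process"], info["verdict"], info["targets"])
```

The threshold is where the trade-off in behaviour-based detection lives: set it to 1 and every installer is blocked, set it too high and an infector that touches only a couple of files gets through, which is why products combine this signal with signatures rather than relying on it alone.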

