
How does Antivirus Software Work?


Information security is a never-ending game of cat and mouse. No two days look the same in the constantly evolving world of technology and digital security, with new threats coming and going all the time. Old and unsupported tech routinely gets targeted by cybercriminals, while new and unproven tech also introduces unique risks of its own. Moreover, every business and individual is a potential target, and cybercriminals are constantly stepping up their attacks against poorly prepared victims. 

The first computer viruses started appearing in the 1980s, quickly driving the development of specialized software designed to counter them. While today’s antivirus solutions are far more sophisticated than their predecessors, their primary function and purpose remain the same – to prevent, detect, and remove the common types of malicious software. Antivirus software works by scanning your computer and incoming network traffic for malicious code, with the goal of quarantining potential threats before they can do any damage.

In this guide, we’ll explore the various ways antivirus software works to keep you safe.

What Sort of Threats does Antivirus Software Stop?

As the name suggests, antivirus software was originally developed to protect against computer viruses. Computer viruses are characterized by their ability to attach themselves to files of certain types and replicate, much like biological viruses. However, viruses are just one of many types of malware, and they’re not nearly the most common.

Fortunately, most antivirus software now provides comprehensive protection against all types of malicious software. This includes things like browser hijackers, malicious browser plugins, keyloggers, ransomware, and trojan horses. If any known malicious code is detected on your computer or network, the antivirus software should intervene.

That said, it’s important to remember that many cyberattacks don’t involve malicious software at all. Hence, it’s vital to protect against things like online identity theft, spam email, and social engineering attacks. Another increasingly common threat is fileless attacks, which can often evade most antivirus software because they exclusively exploit legitimate files in your operating system, effectively turning it against itself.

Many paid antivirus solutions offer some protection against these sorts of threats, but this shouldn’t be taken for granted. The best antivirus software should protect against most threats in the following categories:

  •   Viruses: To the layman, a computer virus typically refers to any kind of malware. Pure computer viruses, which work by attaching themselves to legitimate files, only account for around 10% of all malware.
  •   Worms: Worms are the earliest form of malware, and, like viruses, they self-replicate to spread quickly. Worms are usually intended to disrupt by overloading the network and hogging bandwidth.
  •   Trojans: Trojans consist of two components – a server on the attacker’s computer and a client on the victim’s computer. This allows the attacker to control and access the victim’s device remotely.
  •   Keyloggers: Keyloggers are an especially dangerous form of malware designed to record every keystroke to steal things like typed usernames and passwords and track websites visited. Keyloggers are one of the most common forms of spyware.
  •   Ransomware: So-called cyberextortion has been increasing in recent years. This type of malware encrypts your data to make it inaccessible unless you pay a ransom to obtain the decryption key.
  •   Cryptojacking malware: An increasingly common form of malware, cryptojacking is the process of hijacking a target computer to mine cryptocurrency like Bitcoin. While it doesn’t involve the theft of data, it consumes computing resources and causes disruption.
  •   Rogue software: Rogue software comprises a large group of malware masquerading as legitimate software, like fake antivirus programs and bogus computer optimization utilities.
  •   Browser hijackers: These malicious browser plugins attach themselves to your web browser, typically to keep rerouting you to malicious websites. While not as common as they were a few years ago, they are often used in identity theft.

Manual Scanning – the Most Basic Antivirus Function

While proactive, real-time protection is essential for defending your computer and network, it may sometimes be necessary to run a manual scan or schedule one to run later. A manual scan should pick up any malicious code that was missed earlier because the virus definition database had not yet been updated. It’s also a good idea to launch a manual scan if you have just updated your antivirus software or installed a new antivirus product for the first time.

There are various types of manual scans. The quickest ones only scan certain filetypes, such as executable (.EXE) files, which are more likely to contain malicious code. Others might only scan files that are currently open or those that have recently been modified. However, the most comprehensive method is a full system scan, which can be especially useful if there is already an infection on the computer. Full system scans can take a long time though, so it’s usually best to schedule them to run when you’re not using the computer.

Real-time Protection – the Key to Staying Safe Online

Real-time protection is the pillar of any comprehensive antivirus software since it aims to prevent your computer from becoming infected in the first place. The best antivirus solutions constantly scan all incoming traffic in the background to detect potentially malicious programs or lines of code. If something is detected, the software quarantines the threat and sends you an alert. For example, if you’re visiting a website that tries to install a malicious browser plugin, the antivirus software should prevent it from happening. Real-time protection should also kick in when you attempt to download a file or email attachment or connect an external storage device.

Heuristic Analysis – Protection Against Unknown Threats

Both manual scanning and real-time protection rely on something called a malware definition database. This is a comprehensive library of known malware signatures that effectively tells the antivirus software what to look out for when scanning your computer or network activity. Most internet security systems automatically update these databases daily or even every hour.

That said, regardless of how quickly definition updates arrive, new malware that hasn’t been seen before appears all the time. In other words, conventional signature-based antivirus works somewhat like a vaccine in that it doesn’t work until someone has already been infected or a cybersecurity professional has discovered the threat first.

This is also why any comprehensive antivirus suite supports heuristic scanning, which looks for suspicious behavior rather than known malware signatures alone. This allows it to catch threats that haven’t yet made it into the virus definition databases. For example, suppose your antivirus notices a program running on your system trying to open an unrelated executable file on your computer. In that case, it might detect the offending file as a new potential virus.

Proactive Care – Quarantining Suspicious Files

Any decent antivirus software will act if it detects any suspicious files or code. This should happen before the malware ends up on your device. This is particularly important since some malware is designed to deliberately disable your defenses and proliferate very quickly. For example, ransomware must be stopped immediately before it causes severe damage to your computer.

A common way to neutralize any detected threats is to ruthlessly delete the offending files so that there’s no trace of them anywhere on your device. However, there is no such thing as a perfect antivirus solution, and even the best programs may yield occasional false positives. This is especially likely to be the case with heuristic scanning.

Antivirus quarantine typically comes into play in these cases. Rather than being deleted, a quarantined file is placed in a special folder where it cannot interact with anything else on your computer. This gives you a chance to review the file in question manually and, if no infection is discovered, put it back into service. Some software automatically deletes quarantined files after a certain amount of time has passed.
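The three mechanisms described above (signature matching against a definition database, heuristic scanning, and quarantine instead of deletion) as one added Python example that is not from the original article or from any vendor's product. The definition database is a constructed one holding only the harmless EICAR test string, the 7.2-bit entropy threshold and the function names scan_file, quarantine and restore are assumptions, and the heuristic deliberately fires on a random-byte "executable" to show why a quarantined false positive must be restorable.

```python
import hashlib, json, math, os, shutil, tempfile
from pathlib import Path

# Constructed signature database, a hypothetical stand-in for a vendor's definitions;
# EICAR is the industry-standard harmless test string that every scanner must flag.
SIGNATURES = {"eicar_test": b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"}
ENTROPY_THRESHOLD = 7.2  # bits per byte; packed or encrypted code approaches 8.0

def entropy(data: bytes) -> float:  # Shannon entropy, a classic static heuristic
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in (data.count(bytes([b])) for b in set(data))) if n else 0.0

def scan_file(path: Path):  # exact signature match first, then the fuzzier heuristic
    data = path.read_bytes()
    for name, pattern in SIGNATURES.items():
        if pattern in data:
            return {"verdict": "signature", "detail": name}
    if data[:2] == b"MZ" and entropy(data) > ENTROPY_THRESHOLD:
        return {"verdict": "heuristic", "detail": "high-entropy executable, possibly packed"}
    return None

def quarantine(path: Path, qdir: Path, finding: dict) -> Path:  # isolate, don't delete
    qdir.mkdir(parents=True, exist_ok=True)
    qfile = qdir / hashlib.sha256(path.read_bytes()).hexdigest()
    shutil.move(str(path), str(qfile))
    os.chmod(qfile, 0o400)  # owner read-only, never executable, while quarantined
    qfile.with_suffix(".json").write_text(json.dumps({"origin": str(path), **finding}))
    return qfile

def restore(qfile: Path) -> Path:  # manual review concluded it was a false positive
    origin = Path(json.loads(qfile.with_suffix(".json").read_text())["origin"])
    shutil.move(str(qfile), str(origin))
    os.chmod(origin, 0o644)
    qfile.with_suffix(".json").unlink()
    return origin

def demo() -> dict:  # scan three constructed files; returns {name: verdict or None}
    work = Path(tempfile.mkdtemp())
    samples = {"eicar.com": SIGNATURES["eicar_test"], "notes.txt": b"plain text, nothing odd",
               "packed.exe": b"MZ" + os.urandom(4096)}  # random bytes look packed: heuristic
    results = {}
    for name, content in samples.items():
        (work / name).write_bytes(content)
        finding = scan_file(work / name)
        results[name] = finding["verdict"] if finding else None
        if finding:
            q = quarantine(work / name, work / "quarantine", finding)
            if finding["verdict"] == "heuristic":  # the reviewer clears the false positive
                results[name + "_restored"] = restore(q).exists()
    return results
```

Running demo() flags eicar.com by signature, leaves notes.txt alone, and quarantines packed.exe on the entropy heuristic before the simulated review puts it back, which is exactly the false-positive path that deletion would have made irreversible.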

Is Antivirus Software Enough to Protect You?

Different antivirus programs offer different levels of detection and prevention, but none of them protect against every possible malware threat out there. The most effective solutions provide multiple layers of defense – specifically real-time protection and heuristic scanning.

Every computer should have antivirus software installed. While the basic offering included in Windows is good enough for most casual users, opting for a paid platform can offer much better protection. For example, Bitdefender, Kaspersky, and Norton all scored 100% in recent tests by the Independent IT-Security Institute.

Even then, none of these solutions are bullet-proof. After all, most cybercriminals rely on social engineering tactics to manipulate their targets into taking the desired action. Ironically, this might even involve compelling a would-be victim to disable their antivirus software to receive a malicious payload.

Because of the overwhelming human element to information security, the most important thing is staying vigilant and not taking technical defense measures for granted.