What is Antivirus?
An antivirus program is a computer security and protection tool created to scan for, detect, prevent and remove computer viruses, Trojan horses, worms, spyware, adware, rootkits, and many other types of malware. The program can be standalone or included in a protection suite. Once installed, an antivirus program monitors system activity, including files that are accessed, transferred, or stored to or from hard disks, external or removable drives, or the Internet. If suspicious or malicious activity is detected, the antivirus will automatically remove the file or stop the processes that pose a risk to your system, your contacts, or other computers or devices in your home or office.
Features and Availability of Antivirus Programs
Antivirus programs are often distributed in two versions, 32-bit and 64-bit, and are available for the Windows, Linux, and Macintosh operating systems, so that all types of users and systems can be protected from known malicious software or files targeting them. Antivirus programs with limited features usually use little memory, while programs that offer extra features or complete protection use more. The extra protection includes web protection and content control, network scanning, e-mail scanning, sandboxing, and more.
A personal antivirus program offers automatic real-time (on-access) protection and on-demand (manual) scanning. Most antivirus programs also include a removal engine. Independent antivirus testing laboratories such as AV-Comparatives and VB100, among others, and certification systems such as West Coast Labs’ Checkmark, ICSA Labs and CheckVir, rate the various antivirus products and give yearly awards to the most effective. Most ratings are based on how well the antivirus detects and removes a specific set of malware samples. Testing is done at two levels: a detection test and a removal test. Some antivirus programs pass the detection test but fail the removal test, or vice versa, and some pass both. End users and business users often decide what to use or buy by tracking the performance of antivirus programs, in addition to recommendations or personal experience with the product.
An antivirus program also features scheduled scans, automatic and manual malware signature updates, and e-mail and instant messaging protection. An effective antivirus program uses signature-based and heuristic analysis on any file in the system and provides fast detection updates to keep up with the growing number of malware currently in the wild. Some antivirus programs only detect malware when the file is executed or opened, or when the malicious process is actively running. This type of anti-malware program should not be used unless it complements another antivirus program that catches and blocks known malware in real time, before it is even executed. Other antivirus programs ask end users to automatically submit suspicious and detected files so that the vendor's malware research team can analyze them, update their detection signatures, and quickly provide protection to their customers.
Antivirus License Types - Subscription and Freeware
Subscription-based (Paid) Antivirus Program - How a personal antivirus program may be used depends on the End-User License Agreement (EULA). An antivirus program can be licensed for personal use on one or more than 2 computers. Many antivirus vendors now offer a home user license, so you don’t need to purchase another antivirus solution or spend money on more than one license. For small businesses, the antivirus program is usually purchased together with an administrator kit, which lets administrators install a lightweight but controlled antivirus client, while the administrator's computer uses a console to remotely update, configure or monitor the status of the antivirus on the network. The license also depends on the number of computers, and buying in quantity often saves money. “Paid” does not mean 100% protection, because no single antivirus achieves 100% detection or prevention.
Freeware Personal Antivirus Program - Free antivirus software is offered with limitations on features, options, and protection. For example, the free edition of AntiVir does not have Web Guard, an e-mail scanner, or protection against drive-by downloads, and there is no access to faster update servers. Other examples are the free editions of AVG and Avast. AVG does not offer advanced anti-rootkit protection, protection when sharing files through messaging applications, or access to faster update servers. Avast’s real-time protection does not have malicious script blocking or push updates. Microsoft also offers basic antivirus protection, Microsoft Security Essentials. The advantage of using free antivirus is that you can create your own suite – see Security Suites vs. Standalone Products: Which is the Best Option?
Antivirus Detection Methods and Antivirus Scanners
The most common detection method for real-time and manual scanning is signature-based. The program connects to the antivirus vendor's server to download the latest or updated detection signatures. The signatures are snippets of known virus files, or templates that represent their shapes in memory. The antivirus tries to detect malware by checking files and processes against the virus signatures installed as a normal part of the program’s updates.
Heuristic analysis is also available in antivirus programs to protect against zero-day malware and malware that behaves like threats already known to the antivirus detection database. Heuristic analysis is an attempt to detect malware that is not yet included in the virus signatures because it is new or is a variant of previously known malware that is in the wild. Zero-day malware means many computer users are reporting the infection or there are people who are seeing the attack, but not every antivirus will detect it unless its heuristic detection is very effective.
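The two methods above can be compared side by side in a small scanner. This is an added example, not code from the article or from any antivirus product; the signature names, byte snippets, trait list, weights and thresholds are all constructed for illustration.

```python
import math
from collections import Counter

# Constructed signature database: detection name -> byte snippet of a "known" sample.
SIGNATURES = {
    "Demo.Dropper.A": bytes.fromhex("deadbeef4d5a9000"),
    "Demo.Macro.B": b"AutoOpen_demo_payload",
}
# Constructed heuristic traits: strings whose combination is unusual in benign files.
SUSPICIOUS_TRAITS = [b"CreateRemoteThread", b"VirtualAllocEx", b"WriteProcessMemory"]

def entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte; packed or encrypted data approaches 8.0."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def signature_scan(data: bytes) -> list:
    """Names of all signatures whose snippet occurs verbatim in the data."""
    return [name for name, snippet in SIGNATURES.items() if snippet in data]

def heuristic_score(data: bytes) -> int:
    """Add 2 per suspicious trait present and 3 for very high entropy."""
    score = sum(2 for trait in SUSPICIOUS_TRAITS if trait in data)
    if entropy(data) > 7.2:
        score += 3
    return score

def scan(data: bytes, threshold: int = 4):
    """Signature match first; fall back to the heuristic score for unknown files."""
    hits = signature_scan(data)
    if hits:
        return ("signature", hits)
    score = heuristic_score(data)
    if score >= threshold:
        return ("heuristic", score)
    return ("clean", None)

# Constructed inputs: a known sample, a variant with one signature byte changed,
# and an ordinary text file.
TAIL = b" CreateRemoteThread VirtualAllocEx"
KNOWN = b"hdr" + SIGNATURES["Demo.Dropper.A"] + TAIL
VARIANT = b"hdr" + bytes.fromhex("deadbeef4d5a9001") + TAIL
BENIGN = b"Quarterly report: revenue up 4 percent."

if __name__ == "__main__":
    for label, sample in [("known", KNOWN), ("variant", VARIANT), ("benign", BENIGN)]:
        print(label, scan(sample))
```

The one-byte variant no longer matches any signature and is flagged only because two traits together reach the threshold; a single signal, such as high entropy on its own, stays below it, which is how heuristic engines limit false positives.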
Another detection method is cloud-based detection or scanning. The scanning is done not on the user’s machine but on a remote server, which means that to be protected from new malware, the PC must be connected to the internet. If the end user’s machine is not online, the scanner will use only its cached definitions or detection signatures.
An online virus scan is a popular type of virus scan offered by antivirus vendors themselves or by another company or group that collects malware samples with the goal of distributing them to several antivirus vendors. An online virus scan is not part of the installed antivirus program.
Note: Running two antivirus programs is not recommended, because they will conflict or interfere with one another, not to mention the performance issues on a computer when more than one antivirus program is installed. Understanding what your personal antivirus program can do is important before installing another protection tool that could be redundant. Adding extra layers of protection is a must, but make sure they are compatible with, and do not interfere with, the on-access protection of your antivirus program.
In the next article, the second part of “Understanding Antivirus Programs,” we will discuss how antivirus programs work.
Understanding Antivirus Programs - About Antivirus Programs
What is a personal antivirus program? How do antivirus programs work? An antivirus program is your first defense against malware, and it works by scanning and monitoring the system. These articles will help you understand your antivirus programs.