How do Antivirus Programs Work? Understanding Antivirus Programs


How do Antivirus Programs Work?

An antivirus program is an essential tool to install on your computer. How it works depends on its features and available options, and on how you have configured it: whether it runs its tasks with your preferred settings or with the defaults. Below are the common tasks antivirus programs perform and how they work to safeguard your computer.

Protection and Detection Used by Antivirus Programs

Antivirus Protection: Real-time Shield against Malware

The first and most important task of an antivirus program is to protect against, prevent, or block any malicious activity on your computer or home and office network in real time. Real-time protection should trigger an alert or take automatic action whenever suspected or positively identified malware activity is detected. By default, most antivirus programs quarantine a possibly infected file before removing it. Once a copy has been quarantined, the antivirus program begins disinfecting or removing the malware. Most antivirus programs monitor only certain critical areas of your computer. However, it is recommended to configure the antivirus program to monitor all files, file extensions, and file formats, because there have already been incidents in which malware spread while disguised under a file extension that malware scanners do not usually monitor.

Cloud Protection

Many AV programs use cloud protection; examples include F-Secure’s browser protection, PrevX, Norton, ThreatFire, and Panda. Even web browsers with fraud and malware protection use cloud-based detection to prevent downloads of unsafe files and keep known malware URLs from loading. Cloud protection in an antivirus program is the process of checking a URL or file against the database on the antivirus vendor’s server. If the URL or file is known on that server as unwanted or unsafe, the user is protected automatically and warned that the URL has been blocked, even though no detection signature for it exists on the user’s system yet.

Antivirus Detection: Manual Malware Scanner

Another component of an AV program is the detection of malware during a manual or scheduled scan. The on-demand scan engine of an antivirus program works differently from its on-access engine: the manual malware scanner scans every single area, including files, folders, and running processes.

Threat Level Determination by Antivirus Programs

How do antivirus programs rate possible risk? They use a threat level index to determine what type of action to take. If the program is adware only, most antivirus programs display a dialog box informing the user why the adware program or one of its related files was detected. If the detected object poses security and privacy risks, the threat level is medium, high, or severe. Threat level ratings differ between antivirus programs because each uses its own risk rating. Some antivirus programs do not detect, or even scan for, tracking cookies. Some of these are installed when legitimate software downloaded from a third-party website is bundled with another installer from a company known to have a spyware or adware business. For example, Microsoft Security Essentials and VIPRE anti-malware detect a risk in Unlocker, but other malware scanners do not. Similarly, the Ask Toolbar in Nero is detected by NOD32, but some antivirus programs do not flag it as a security risk.

Antivirus Identification Methods and Malware Removal

Antivirus programs offer several detection methods to identify malware, but the most common are traditional signature-based virus detection and more sophisticated heuristic analysis:

  • Signature-based detection compares activity on a system, by monitoring files or processes, against the detection signatures downloaded to the user’s machine. An example is checking a cryptographic hash value (MD5, SHA), a CLSID (a unique identifier), or a related application ID against the virus database, in addition to identifying the activity of the object being scanned.
  • If malware is not identified, the antivirus does not yet have a detection signature for it. To help protect the computer against unknown malware (also called zero-day threats), antivirus programs with heuristic detection should be able to identify the malicious activity even though there is no threat or virus name for it yet. This is why some antivirus programs display a malware alert with “Trojan.Generic”, “Suspicious”, “Heuristic”, or a similar label as the threat name: the heuristic engine found malicious activity or an unwanted object or code in a particular process or file, so it was reported as a generic suspicious object.
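The two detection methods described in the list above, as an added example that is not from the article or from any antivirus vendor: a toy on-demand scanner that first looks up the file’s SHA-256 hash in a signature database and, if nothing matches, scores structural oddities (a Windows executable header under a non-executable extension, a double extension, near-random content) and reports a generic “Heuristic.Suspicious” verdict above a threshold. The sample content, the single-entry signature database (its hash is computed at load time), the heuristic rules and the threshold are all constructed for this example.

```python
"""Toy on-demand scanner: signature lookup first, heuristics second."""
import hashlib
import math
from dataclasses import dataclass
from typing import Optional

# Constructed sample content standing in for a known-bad file. A real vendor
# database holds millions of hashes; this one holds a single entry whose hash
# is computed here so the example stays self-contained.
KNOWN_BAD_SAMPLE = b"constructed sample payload for the signature database"
SIGNATURE_DB = {hashlib.sha256(KNOWN_BAD_SAMPLE).hexdigest(): "Test.KnownSample"}

EXECUTABLE_EXTENSIONS = {"exe", "dll", "scr", "com", "sys"}
HEURISTIC_THRESHOLD = 5  # constructed: scores at or above this are reported


@dataclass
class Verdict:
    threat_name: str
    method: str  # "signature" or "heuristic"
    score: int = 0


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; 8.0 means every byte value is equally common."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def heuristic_score(filename: str, data: bytes) -> int:
    """Score structural oddities that need no signature (constructed rules)."""
    score = 0
    parts = filename.lower().split(".")
    ext = parts[-1] if len(parts) > 1 else ""
    # Windows executable header on a file whose extension says otherwise:
    # the "disguised extension" case the article warns about.
    if data[:2] == b"MZ" and ext not in EXECUTABLE_EXTENSIONS:
        score += 4
    # Double extension such as "report.pdf.exe".
    if len(parts) > 2 and parts[-2] in {"pdf", "doc", "jpg", "txt"} and ext in EXECUTABLE_EXTENSIONS:
        score += 3
    # Near-random content on a file of meaningful size suggests packing/encryption.
    if len(data) >= 1024 and shannon_entropy(data) > 7.5:
        score += 2
    return score


def scan(filename: str, data: bytes) -> Optional[Verdict]:
    """Return a Verdict for a detected object, or None when the file looks clean."""
    digest = hashlib.sha256(data).hexdigest()
    if digest in SIGNATURE_DB:  # exact signature match wins and carries a real name
        return Verdict(SIGNATURE_DB[digest], "signature")
    score = heuristic_score(filename, data)
    if score >= HEURISTIC_THRESHOLD:  # no signature: generic name, as in the article
        return Verdict("Heuristic.Suspicious", "heuristic", score)
    return None


if __name__ == "__main__":
    samples = {
        "anything.bin": KNOWN_BAD_SAMPLE,
        "holiday.jpg": b"MZ" + bytes(range(256)) * 8,  # constructed: MZ header + high entropy
        "invoice.pdf.exe": b"MZ" + b"\x00" * 100,      # constructed: below threshold
        "notes.txt": b"hello world",
    }
    for name, content in samples.items():
        print(name, "->", scan(name, content))
```

The order matters: a signature hit yields a specific threat name, while a heuristic hit only ever yields the generic label, which is exactly why alerts such as “Trojan.Generic” or “Suspicious” carry less information about what was found. The double-extension sample scores 3 and stays below the threshold, showing how a heuristic engine trades some misses for fewer false positives.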

Malware Removal: Antivirus programs do not only detect malware; they have another important function: successfully wiping out a malware infection. Most antivirus programs perform well at detecting malware but fail to eradicate it completely. AV-Comparatives.org, West Coast Labs, and ICSA Labs are examples of certification bodies that rate antivirus programs not only on detection performance but also on removal performance.

Quarantine and False Positives in Antivirus Programs

Antivirus programs also work by quarantining suspect and malware files. This prevents the offending objects from doing any damage to the system and allows the end user to restore a quarantined object to its original location if it is found to be a false positive.

A false positive is when a malware signature matches an uninfected file or process. In some cases, a false positive can cause a system to fail to boot or run properly. If another program is affected by the false detection, the system runs normally, but the program that the AV falsely identified and removed does not.
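The quarantine-and-restore cycle from the two paragraphs above, as an added example that is not from the article or from any antivirus product: the detected file is copied into a quarantine store in a transformed form (so the stored copy cannot run and does not re-trigger a scanner), a metadata record keeps its original path, hash and threat name, and only then is the original removed; `restore` reverses the process for a false positive and refuses to restore if the stored copy no longer matches the recorded hash. The XOR transform, the file layout and the sample file are constructed assumptions standing in for a vendor’s own quarantine format.

```python
"""Toy quarantine store: isolate a detected file, keep enough metadata to put it back."""
import hashlib
import json
import tempfile
import time
from pathlib import Path

# Quarantined bytes are stored transformed (here a trivial XOR with 0xFF) so the
# stored copy is not executable and does not re-trigger on-access scanning. This
# is an assumption standing in for a vendor's proprietary quarantine encoding.
XOR_KEY = 0xFF


def _transform(data: bytes) -> bytes:
    return bytes(b ^ XOR_KEY for b in data)


def quarantine(path: Path, qdir: Path, threat_name: str) -> Path:
    """Move `path` into `qdir`; return the metadata record describing it."""
    qdir.mkdir(parents=True, exist_ok=True)
    data = path.read_bytes()
    digest = hashlib.sha256(data).hexdigest()
    stored = qdir / f"{digest}.quar"
    record = qdir / f"{digest}.json"
    stored.write_bytes(_transform(data))  # copy into quarantine first...
    record.write_text(json.dumps({
        "original_path": str(path.absolute()),
        "threat_name": threat_name,
        "sha256": digest,
        "quarantined_at": time.time(),
    }))
    path.unlink()  # ...then remove the original, as the article describes
    return record


def restore(record: Path) -> Path:
    """Put a quarantined file back, e.g. after it is judged a false positive."""
    meta = json.loads(record.read_text())
    stored = record.with_suffix(".quar")
    data = _transform(stored.read_bytes())
    if hashlib.sha256(data).hexdigest() != meta["sha256"]:
        raise ValueError("quarantine store corrupted; refusing to restore")
    dest = Path(meta["original_path"])
    dest.write_bytes(data)
    stored.unlink()
    record.unlink()
    return dest


def demo_roundtrip() -> dict:
    """Quarantine a constructed benign file, then restore it; report what happened."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        target = root / "docs" / "report.txt"
        target.parent.mkdir()
        content = b"constructed benign content that a signature wrongly matched"
        target.write_bytes(content)
        record = quarantine(target, root / "quarantine", "Test.FalsePositive")
        removed = not target.exists()
        meta = json.loads(record.read_text())
        restored = restore(record)
        return {
            "removed_after_quarantine": removed,
            "threat_name": meta["threat_name"],
            "restored_path_matches": restored == target,
            "content_intact": restored.read_bytes() == content,
            "store_empty": not any((root / "quarantine").iterdir()),
        }


if __name__ == "__main__":
    print(demo_roundtrip())
```

Copying before deleting is the property that makes a false positive recoverable: if the copy fails, the original is untouched, and the hash check on the way back guards against restoring a file that was altered while in quarantine.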

Antivirus Tasks and Self-Defense

An antivirus program also works by providing self-protection. Some malware targets the antivirus program itself by shutting it down or disabling access to it. If an antivirus program has no self-defense, or lacks protection against current viruses and other malware that target antivirus software, it cannot protect the computer or itself. To help your antivirus against such attacks, add extra protection by installing an additional anti-malware program from another vendor that has no compatibility issues with your current antivirus. Some antivirus programs have multiple tasks for keeping the system protected and updated, such as scheduled scans, email protection, activity logging, IM and browser protection, network protection, and many more. Some free personal antivirus products limit how you can use or create tasks, while paid solutions have no such limitations.

Limitations of Antivirus Programs

In any system or organization there is always policy. By default, antivirus programs are designed to scan and detect only in areas they are allowed to scan. System Restore in Windows XP, Vista, and Windows 7 can be scanned for malware, but antivirus programs are not allowed to delete items from System Restore. This is why some people and antivirus vendors recommend turning off System Restore in order to delete an infected restore point. Do that only if you are positive that your restore point includes an infection, and/or once you have finished cleaning the system of any type of infection.

Another limitation of antivirus programs depends on what type of antivirus you use. See To Pay or Not To Pay for Anti-virus protection.

Depending on which file system is in use, an antivirus program may also be unable to install all of its components, and therefore unable to use all of its options or features. If you are using a 64-bit edition of Windows, some features of the antivirus program will not run. For example, Kaspersky’s “Safe Run Mode” does not work at all with the 64-bit edition of Windows XP and runs only with limited function in 64-bit editions of Vista and Windows 7. Check the vendor’s website or product manual for any limitations of your antivirus program.

Compatibility of Antivirus Programs

Antivirus programs should work in conjunction with other security measures, but should not be used with another antivirus program that offers the same ability or feature. What you can use in addition to an antivirus program is a firewall application and an anti-malware scanner with real-time protection that does not interfere with the antivirus program (e.g. Malwarebytes, A-squared, SUPERAntiSpyware, and Ad-Aware).

These products work together with your antivirus program and detect active malware processes that your antivirus may miss. If the antivirus program and the real-time protection of another anti-malware scanner conflict because they found the malware at the same time, you have to decide which of them to let handle the removal. It is important to run a scan with these programs afterwards to ensure nothing slipped in or was left behind during the detection and removal tasks.

Some anti-malware vendors recommend workarounds to prevent an antivirus from interfering with the anti-malware program’s tasks:

  • Add the executable, processes, and installation directory of the anti-malware program to the exclusion or allowed list in the antivirus program.
  • If the antivirus installer detects anti-malware software during installation, the installation may quit or refuse to proceed. To work around this, re-install the anti-malware program after installing your preferred antivirus program.

To enjoy the protection of an antivirus program, you must maintain it: install the latest detection updates, configure it to use the maximum protection it can offer, and enable the features you want it to provide. If you are in doubt about changing any setting, check the program’s documentation or help file to understand what the setting is for. You can also seek advice in the antivirus vendor’s free support forums or in any security discussion forum.

In the next article, the last part of “Understanding Antivirus Programs,” we will discuss the Top 10 antivirus programs that you should look into or consider.

This post is part of the series: Understanding AntiVirus Programs

What is a personal antivirus program? How do antivirus programs work? An antivirus program is your first defense against malware; it works by scanning and monitoring the system. These articles will help you understand your antivirus programs.

  1. Understanding Antivirus Programs - About Antivirus Programs
  2. Understanding Antivirus Programs - How Does AntiVirus Software Work?
  3. Understanding Antivirus Programs - The Most Popular Antivirus Programs