You know you need an antivirus program on your computer, and by now, you should probably have one on your smartphone, too. Yet, for all the time that “tech experts” spend telling you to beef up your device security, they almost never explain what that software is actually doing to keep your device safe.
If you’ve always wondered how antivirus software works, now is your chance to learn. Here’s a guide to how the most common antivirus systems track and thwart viruses — and how they’ll likely continue to do so in the future.
The most common type of antivirus protection — and the one that exists in virtually all antivirus software — is signature detection. This method of malware prevention works through the identification of unique patterns, or signatures, within discrete pieces of malware. Most often, a signature is a string of code that is exclusive to a certain kind of malware, but signatures can also consist of atypical application behaviors that are known to be associated with specific malware attacks.
Security companies have amassed huge libraries of malware signatures that their antivirus programs can rely on to keep users safe. Whenever a device is confronted with data — such as an unrecognized file from a USB drive or a downloaded email attachment — the antivirus software installed should perform a scan, comparing the data against its signature database. If a match is found, the program should quarantine the file and notify the user before the malware can do any harm.
The problem with signature detection is that it requires antivirus program developers to know and understand malware before the software can provide any sort of protection. This means that users typically aren’t secure against the latest, greatest threats until they receive updates from their antivirus providers. Fortunately, high-quality antivirus software offers additional layers of protection through other detection methods.
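To make the scan-compare-quarantine flow concrete, here is a toy signature scanner. It is an added example written for this article, not code from any antivirus product; the signature database is constructed (the one real entry is the industry-standard EICAR test string, which is harmless and exists precisely so scanners can be tested), and the quarantine step simply moves the file aside and strips its permissions so it cannot be launched by accident.

```python
"""Minimal signature-based scanner (added illustration, not the article's code)."""
import hashlib
import os
import shutil

# Constructed signature database. Each entry maps a detection name to a byte
# pattern assumed to be unique to that sample. Real engines hold millions of
# such patterns plus whole-file hashes, and ship updates to add new ones.
BYTE_SIGNATURES = {
    # Industry-standard harmless test string that every engine is expected to flag.
    "EICAR-Test-File": b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*",
    # Constructed placeholder pattern for this example; not a real malware string.
    "Example.Dropper.A": b"DROPPER-MARKER-EXAMPLE-ONLY",
}

# Whole-file hash signatures: cheapest to check, but one changed byte breaks
# them, which is why byte patterns and further detection layers are needed.
HASH_SIGNATURES = {
    hashlib.sha256(b"constructed sample body for Example.Sample.B").hexdigest(): "Example.Sample.B",
}


def scan_bytes(data: bytes) -> list:
    """Return the names of every signature that matches the given bytes."""
    hits = []
    file_hash = hashlib.sha256(data).hexdigest()
    if file_hash in HASH_SIGNATURES:
        hits.append(HASH_SIGNATURES[file_hash])
    for name, pattern in BYTE_SIGNATURES.items():
        if pattern in data:
            hits.append(name)
    return hits


def quarantine(path: str, quarantine_dir: str) -> str:
    """Move a detected file into the quarantine directory and drop its execute
    bits so it cannot be run by mistake. Returns the new path."""
    os.makedirs(quarantine_dir, exist_ok=True)
    dest = os.path.join(quarantine_dir, os.path.basename(path) + ".quarantined")
    shutil.move(path, dest)
    os.chmod(dest, 0o600)
    return dest


def scan_file(path: str, quarantine_dir: str) -> dict:
    """Scan one file; on a match, quarantine it and report what happened.
    This mirrors the scan -> quarantine -> notify-the-user sequence."""
    with open(path, "rb") as fh:
        data = fh.read()
    hits = scan_bytes(data)
    result = {"path": path, "detections": hits, "quarantined_to": None}
    if hits:
        result["quarantined_to"] = quarantine(path, quarantine_dir)
        print(f"ALERT: {path} matched {', '.join(hits)}; moved to quarantine")
    return result


if __name__ == "__main__":
    import tempfile
    workdir = tempfile.mkdtemp()
    sample = os.path.join(workdir, "download.bin")
    with open(sample, "wb") as fh:
        fh.write(BYTE_SIGNATURES["EICAR-Test-File"])
    print(scan_file(sample, os.path.join(workdir, "quarantine")))
```

Note the weakness the article describes: a file whose bytes differ from every entry in `BYTE_SIGNATURES` and `HASH_SIGNATURES` passes silently, however malicious it is, until a database update adds a matching entry.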
As malware has grown and evolved, different types of malware have developed. These days, there are more than nine varieties:
- Trojan horses
- Grayware (spyware and adware)
- Fileless malware
Using these categories, security firms can classify different types of attacks — and more importantly, they can develop antivirus software that can distinguish between the types and respond appropriately for each case. This is called generic detection, and it is becoming more common in antivirus tools.
This is faster and more effective than signature detection for a handful of reasons. First, antivirus programs can quickly compare features of an unknown file against generic patterns known for different types of malware, which takes less time than searching through a large database of signatures. Second, antivirus programs can launch targeted responses that more successfully counter the expected behaviors of each malware type, so the program isn’t wasting time or processing power on responses that won’t work.
Unfortunately, generic detection is a victim of the same major weakness as signature detection. Though most new malware falls into a known category, generic detection won’t help protect devices against totally novel malware attacks. To do that, users need another layer of antivirus defense.
Only the most advanced antivirus solutions offer heuristic detection. That’s because this is a relatively complex antivirus feature that works to thwart unknown types of malware before they reach users’ devices. Like signature and generic detection, heuristic detection relies somewhat on a database of known malware code and behaviors — but because it is often looking for unidentified malware, it must apply this knowledge to unfamiliar programs.
To do this, heuristic detection services emulate new files in a virtual environment. By doing this, the antivirus program can watch what a suspicious file will attempt to do. If it performs any red-flag behaviors, the antivirus software will quarantine the file and request the user’s permission to erase it. Then, the program might send information about this malicious file to its developers, who can perform further research on the new malware to benefit other antivirus efforts.
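The following added example ties together the generic-detection idea (assigning an unknown file to a malware category from its general behavior) and the heuristic step just described (scoring what a file does while emulated). It is not code from the article or from any vendor; the trace format, the rules, their weights and the verdict threshold are all constructed for illustration, and the two traces are made up. In a real engine the events would come from the emulator or from API hooks rather than from a string.

```python
"""Heuristic behaviour scoring over an emulation trace (added example)."""
import re

# Constructed trace of what a suspicious file did inside the emulator:
# it rewrote several user documents under a new extension, deleted the
# originals, registered itself to start at logon, and deleted its own file.
SAMPLE_TRACE = r"""
CreateFile C:\Users\alice\Documents\report.docx.locked WRITE
DeleteFile C:\Users\alice\Documents\report.docx
CreateFile C:\Users\alice\Documents\budget.xlsx.locked WRITE
DeleteFile C:\Users\alice\Documents\budget.xlsx
CreateFile C:\Users\alice\Documents\notes.txt.locked WRITE
DeleteFile C:\Users\alice\Documents\notes.txt
RegSetValue HKCU\Software\Microsoft\Windows\CurrentVersion\Run updater
DeleteFile C:\Users\alice\Downloads\invoice.exe
"""

# Constructed trace of an ordinary editor: it writes one document and
# cleans up its own temporary file. Nothing here should score.
BENIGN_TRACE = r"""
CreateFile C:\Users\alice\Documents\report.docx WRITE
CreateFile C:\Users\alice\AppData\Local\Temp\autosave.tmp WRITE
DeleteFile C:\Users\alice\AppData\Local\Temp\autosave.tmp
"""

# Per-line heuristic rules: (regex over one trace line, weight, generic category).
# The category is the "generic detection" label; the weight feeds the heuristic score.
RULES = [
    (r"^RegSetValue HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run ", 4, "persistence"),
    (r"^CreateFile .*\\Start Menu\\Programs\\Startup\\.* WRITE$", 4, "persistence"),
]
MASS_REWRITE_THRESHOLD = 3  # distinct user documents replaced in one run
VERDICT_THRESHOLD = 6       # constructed cut-off for calling the file malicious


def evaluate_trace(trace: str, sample_path: str) -> dict:
    """Score a trace and return the score, the categories it matched, a verdict
    and the reasons, so the user can be told why a file was quarantined."""
    score = 0
    categories = set()
    reasons = []
    lines = [line for line in trace.splitlines() if line.strip()]

    for line in lines:
        for pattern, weight, category in RULES:
            if re.match(pattern, line):
                score += weight
                categories.add(category)
                reasons.append(f"{category}: {line}")

    # Aggregate rule: many documents overwritten under a new extension with the
    # originals deleted looks like bulk encryption, whatever code produced it.
    written = set(re.findall(r"^CreateFile (.*\\Documents\\.*)\.locked WRITE$", trace, re.M))
    deleted = set(re.findall(r"^DeleteFile (.*\\Documents\\.*)$", trace, re.M))
    replaced = written & deleted
    if len(replaced) >= MASS_REWRITE_THRESHOLD:
        score += 5
        categories.add("ransomware")
        reasons.append(f"ransomware: {len(replaced)} user documents replaced")

    # A file that deletes itself after running is hiding its tracks.
    if f"DeleteFile {sample_path}" in lines:
        score += 3
        categories.add("evasion")
        reasons.append("evasion: sample deleted its own file")

    return {
        "score": score,
        "categories": sorted(categories),
        "malicious": score >= VERDICT_THRESHOLD,
        "reasons": reasons,
    }


if __name__ == "__main__":
    print(evaluate_trace(SAMPLE_TRACE, r"C:\Users\alice\Downloads\invoice.exe"))
    print(evaluate_trace(BENIGN_TRACE, r"C:\Users\alice\Downloads\editor.exe"))
```

Because the verdict rests on behavior rather than on any particular byte sequence, a sample the signature database has never seen still scores, which is the point of this layer; the trade-off is that weights and thresholds like the constructed ones here must be tuned against benign software to keep false positives down.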
Already, a new style of antivirus protection is emerging — and it relies heavily on artificial intelligence. Cybercriminals are beginning to adopt AI in their malware attacks, which means security providers need to use the same tactics in defense. Like heuristic detection methods, artificial intelligence will be able to identify unknown malware, and it might be able to predict malware trends and develop security solutions well in advance. This will keep users and devices safe into the future.