CyberSecurity FAQ - What is anti-virus software and how does it work?

Anti-virus software, a.k.a. anti-malware software, is computer software used to scan files to identify and eliminate malicious software (malware). Although anti-virus software was originally developed to detect and remove computer viruses (hence its name), it has been broadened in scope to detect other malware, such as worms, Trojan horses, adware, spyware, ransomware, etc.

How does anti-virus software work?

Anti-virus software typically uses two different techniques to identify and eliminate malware:

• Virus dictionary approach: The anti-virus software scans a file while referring to a dictionary of known virus signatures that have been previously identified. If a code segment in the file matches any virus signature in the virus dictionary, then the anti-virus software performs one or more of the following operations: deletes the file; quarantines the file so that it is unable to spread; or attempts to repair the file by removing the virus from the file.

• Suspicious behavior approach: The anti-virus software monitors the behavior of all programs, flagging suspicious behavior, such as one executing program attempting to write data to another executable program. The user is alerted to all suspicious behavior, and is queried regarding how the suspicious behavior should be handled.

An advantage of the suspicious behavior approach over the virus dictionary approach is that the former can provide protection against new viruses whose signatures have not yet been incorporated into the latter’s virus dictionary. The two approaches are complementary and can be synergistically combined.
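The two approaches described above, shown working together as an added example that is not part of the original FAQ or any real anti-virus product. The signature names, byte patterns, file paths and event format are all constructed for illustration.

```python
from dataclasses import dataclass

# Constructed "virus dictionary": name -> byte signature (not real malware signatures).
VIRUS_DICTIONARY = {
    "Example.Alpha": b"\xde\xad\xbe\xef\x13\x37",
    "Example.Beta": b"EXAMPLE-BETA-MARKER",
}
EXECUTABLE_SUFFIXES = (".exe", ".dll", ".com")  # assumed notion of "executable program"

def scan_file(data: bytes) -> list[str]:
    """Dictionary approach: names of all known signatures found in the file."""
    return sorted(name for name, sig in VIRUS_DICTIONARY.items() if sig in data)

@dataclass
class Event:
    process: str  # path of the running program
    action: str   # "read", "write", ...
    target: str   # path being acted on

def is_suspicious(ev: Event) -> bool:
    """Behavior approach: a running program writes to a different executable."""
    return (ev.action == "write"
            and ev.target.lower().endswith(EXECUTABLE_SUFFIXES)
            and ev.target.lower() != ev.process.lower())

def assess(data: bytes, events: list[Event]) -> dict:
    """Combine both: a signature hit quarantines, a behavior hit alerts the user."""
    hits = scan_file(data)
    alerts = [ev for ev in events if is_suspicious(ev)]
    if hits:
        verdict = "quarantine"
    elif alerts:
        verdict = "alert-user"
    else:
        verdict = "clean"
    return {"verdict": verdict, "signatures": hits, "alerts": alerts}

# Constructed samples: the variant differs from Example.Alpha by a single byte.
KNOWN_SAMPLE = b"MZ\x90\x00" + b"\x00" * 16 + b"\xde\xad\xbe\xef\x13\x37" + b"tail"
NEW_VARIANT = b"MZ\x90\x00" + b"\x00" * 16 + b"\xde\xad\xbe\xee\x13\x37" + b"tail"
VARIANT_EVENTS = [
    Event(r"C:\Temp\new.exe", "read", r"C:\Users\a\notes.txt"),
    Event(r"C:\Temp\new.exe", "write", r"C:\Windows\calc.exe"),
]

if __name__ == "__main__":
    print(assess(KNOWN_SAMPLE, [])["verdict"])              # dictionary hit
    print(assess(NEW_VARIANT, [])["verdict"])               # dictionary alone misses it
    print(assess(NEW_VARIANT, VARIANT_EVENTS)["verdict"])   # behavior rule catches it
```

The one-byte variant passes the dictionary scan but is flagged once its write to another executable is observed, which is the complementarity the text describes.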

CYBERSECURITY FORUM and CyberSecurityForum.com are trademarks of PivotPoint Technology Corporation. All other product and service names mentioned are the trademarks of their respective companies.