Techniques Used by Anti-virus Programs
There are many anti-virus programs available to the public. Some are free-of-charge downloads, and others can be purchased from an anti-virus software publishing company. Regardless of the source of the program, they all detect viruses using one of several techniques, and many of them use more than one of the techniques described below. This section provides an introduction to these techniques for people who want to understand how anti-virus programs work.
Programs utilizing virus scanners are the most common type of anti-virus program. Scanners search the computer for known virus code, looking for code patterns that are not found in normal program files. Scanners can be general, where they search for all kinds and classes of viruses, or specialized, where they are written to detect and clean only a small number of viruses of one class.
There are two errors that anti-virus software can make: it fails to find a virus that is there, or it reports that there is a virus when there is not (referred to as a false alarm). A scanner can make either of these errors. It might report a virus pattern, a false alarm, when there is no virus, because the virus pattern code just happens to also match part of a normal file's code. On the other hand, if the scanner has not been updated to search for the specific code of a new virus, it cannot detect that virus. For this reason, scanners need to be updated on a regular basis, at least quarterly; monthly is better yet. In the case of large companies or highly susceptible situations, updates can be done daily. Most anti-virus vendors offer subscriptions to monthly upgrades for their software.
Change detection (or CRC scanners) is another technique, where the software detects changes made to files. When checking executable files, there should be little change unless the software has been updated. Since this kind of anti-virus program looks for changes, it does not depend on knowing about new viruses and so does not need to be updated. It should be noted that for change detectors to work, they must first record what is on the computer. This makes it difficult for them to detect viruses that were already present before they first ran on the machine. A further disadvantage is that the user needs enough knowledge to know how to respond when the software reports a change: the user has to determine whether the file change is normal or not. It is also possible that the user has made a purposeful change and therefore assumes the changed file is okay, when in reality a virus was programmed to infect the file during the user's change, so the virus escapes detection by the anti-virus software.
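The baseline-and-compare logic of a change detector, including the blind spot described above, as an added example that is not part of this article; the file contents and the "extra code" tag are constructed stand-ins, not real programs:

```python
from __future__ import annotations
import hashlib
import zlib

# Constructed sample "executables" (name -> bytes) used instead of real files on disk
SAMPLE_FILES = {
    "editor.exe": b"MZ\x90\x00editor program v1",
    "viewer.exe": b"MZ\x90\x00viewer program v1",
}


def fingerprint(data: bytes) -> tuple[int, str]:
    """CRC32 (what classic 'CRC scanners' used) plus SHA-256 (collision resistant)."""
    return zlib.crc32(data) & 0xFFFFFFFF, hashlib.sha256(data).hexdigest()


def build_baseline(files: dict[str, bytes]) -> dict[str, tuple[int, str]]:
    """Record what is on the machine now; only changes made after this point are detectable."""
    return {name: fingerprint(data) for name, data in files.items()}


def check_changes(baseline: dict[str, tuple[int, str]], files: dict[str, bytes]) -> dict[str, str]:
    """Classify each file as unchanged, changed, new or missing relative to the baseline."""
    report = {}
    for name in sorted(set(baseline) | set(files)):
        if name not in baseline:
            report[name] = "new"
        elif name not in files:
            report[name] = "missing"
        elif fingerprint(files[name]) != baseline[name]:
            report[name] = "changed"
        else:
            report[name] = "unchanged"
    return report


def demo() -> tuple[dict[str, str], dict[str, str]]:
    baseline = build_baseline(SAMPLE_FILES)
    current = dict(SAMPLE_FILES)
    # A legitimate update changes the file; the user must decide whether that is expected.
    current["viewer.exe"] = b"MZ\x90\x00viewer program v2"
    # Constructed stand-in for code added by an infection at the same time as the update.
    current["viewer.exe"] += b"<extra code>"
    first = check_changes(baseline, current)      # viewer.exe is reported as changed
    # If the user accepts the change and re-baselines, the combined change becomes the new normal.
    second = check_changes(build_baseline(current), current)  # nothing is reported any more
    return first, second
```

The second report shows why a change detector cannot tell a purposeful change from an infection that rode along with it; the user's judgement at re-baseline time is the only control.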
When an anti-virus program detects viruses by looking for their characteristic behaviors, it is using a technique called heuristic analysis. It is interesting to know that some heuristic scanners use the computer's RAM (random access memory) to set up a virtual computer. The scanner actually tests the computer's programs by running them in this virtual environment and observing what they do.
Many software programs use a verifier. Verifiers identify the specific virus that has been detected by the software. Writing the verifier program requires an in-depth analysis of the virus code.