Virus & Malware Detection Methods
There are several techniques which antivirus software uses to identify viruses & malware:
Anti-virus Signature-based identification
Traditionally, antivirus software has relied heavily upon signatures to identify malware. Essentially, when a malware sample reaches an antivirus firm, it is analysed by malware researchers or by the firm's dynamic analysis systems & engines. Once the file is confirmed to be malicious, a signature is extracted from it and added to the signature database of the antivirus product, which is in turn distributed to the product's users across the globe at the time of their periodic update. When a particular file must be scanned, the antivirus engine compares the contents of the file against the malware signatures in its database. If the file matches any of the signatures, the engine knows which malware it is and performs a predefined procedure to remove that infection.
Signature-based detection can be very effective. However, this type of detection cannot defend against a piece of malware until a sample of it has already been obtained, a signature generated, and the antivirus product updated with the related malware information and its counter-measures. Signature-based detection relies on the idea that the more widespread a piece of malware is, the faster it arrives in the hands of security researchers. Thus, even though it does not guarantee perfect defence, it protects against the most widespread threats. This approach is not effective against new, previously unseen malware, i.e., malware that has not yet been encountered or analysed by the antivirus vendor; and where the signature is an exact one (for example a hash of the whole file), a trivial modification of a known sample such as re-packing, padding or changing a few bytes is enough to defeat it.
Heuristic Analysis Method
Unlike signature-based identification, heuristic analysis lets advanced antivirus software identify new malware or variants of known malware. Many viruses start as a single infection and, through either mutation or improvements by other attackers, grow into dozens of slightly different strains, called variants. Generic virus detection refers to the detection and removal of multiple threats using a single virus definition.
While it may be advantageous to identify a specific virus, it can be faster to detect a virus family through a generic signature or through an inexact match to an existing signature. Virus researchers developing antivirus software look for common areas that all viruses in a family share distinctively and can thus create a single generic signature. These signatures often describe non-contiguous code, using wildcard characters where differences between family members exist. The wildcards allow the scanner to detect a virus even if it has been padded with extra, meaningless code. Detection that uses this method is referred to as heuristic detection or heuristic analysis.
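To make the contrast between the two signature styles concrete, the following is an added example written for this page (it is not code from the original article or from any antivirus vendor). It builds a tiny signature database with one exact SHA-256 signature and one generic wildcard signature, then scans three constructed byte strings: the sample the "researchers" received, a padded variant of it, and a benign file. The byte strings are invented for illustration and are not real malware; the hex notation with `??` (any one byte) and `*` (any run of bytes) is an assumption chosen for the example, in the spirit of ClamAV-style body signatures.

```python
"""Added example: exact (hash) signatures vs. generic wildcard signatures.
Illustrative code only, not any antivirus vendor's engine; the sample 'files'
below are constructed byte strings, not real malware."""
import hashlib
import re
from typing import Optional

# --- Constructed samples (invented for illustration; not real malware) ------
# A family of samples shares two distinctive fragments: a marker string and a
# 4-byte constant, separated by material that differs between family members.
ORIGINAL = (b"MZ\x90\x00" + b"BAD_ROUTINE:" + b"\xde\xad\xbe\xef"
            + b"\x00" * 16 + b"\xca\xfe")
# A variant: last byte of the constant changed and 40 bytes of NOP-like
# padding inserted. A trivial change, but the SHA-256 no longer matches.
VARIANT = (b"MZ\x90\x00" + b"BAD_ROUTINE:" + b"\xde\xad\xbe\x00"
           + b"\x90" * 40 + b"\xca\xfe")
BENIGN = b"MZ\x90\x00" + b"hello world" + b"\x00" * 32

# --- Signature database ---------------------------------------------------
# Exact signature: the hash of the one sample the researchers received.
EXACT_SIGNATURES = {hashlib.sha256(ORIGINAL).hexdigest(): "Trojan.Example.A"}

# Generic signature in a hex notation assumed for this example: '??' matches
# any single byte and '*' matches any run of bytes, so one definition covers
# every member of the family regardless of padding or small byte changes.
GENERIC_SIGNATURES = {
    b"BAD_ROUTINE:".hex() + "deadbe??*cafe": "Trojan.Example.Gen",
}


def compile_signature(sig: str) -> re.Pattern:
    """Translate a hex signature with '??' and '*' wildcards into a bytes regex."""
    parts = []
    i = 0
    while i < len(sig):
        if sig[i] == "*":
            parts.append(b".*?")            # any number of bytes (non-greedy)
            i += 1
        elif sig[i:i + 2] == "??":
            parts.append(b".")              # exactly one arbitrary byte
            i += 2
        else:
            parts.append(re.escape(bytes.fromhex(sig[i:i + 2])))  # literal byte
            i += 2
    return re.compile(b"".join(parts), re.DOTALL)


COMPILED_GENERIC = {compile_signature(s): name
                    for s, name in GENERIC_SIGNATURES.items()}


def scan_exact(data: bytes) -> Optional[str]:
    """Signature-based lookup: hash the whole file and look it up in the database."""
    return EXACT_SIGNATURES.get(hashlib.sha256(data).hexdigest())


def scan_generic(data: bytes) -> Optional[str]:
    """Generic lookup: search for the wildcard pattern anywhere in the file."""
    for pattern, name in COMPILED_GENERIC.items():
        if pattern.search(data):
            return name
    return None


def scan(data: bytes) -> dict:
    """Run both methods and report which one (if any) produced the verdict."""
    exact = scan_exact(data)
    if exact:
        return {"verdict": exact, "method": "exact"}
    generic = scan_generic(data)
    if generic:
        return {"verdict": generic, "method": "generic"}
    return {"verdict": None, "method": None}


if __name__ == "__main__":
    for label, sample in (("original", ORIGINAL), ("variant", VARIANT),
                          ("benign", BENIGN)):
        print(f"{label:9s} exact={scan_exact(sample)!s:18s} "
              f"generic={scan_generic(sample)}")
```

Running the block shows the point of both paragraphs: the original sample is caught by its exact hash, the padded variant slips past the exact signature but is still caught by the generic one, and the benign file matches neither. Real engines use far more expressive signature languages and pair pattern matching with emulation, but the trade-off is the same: the narrower the signature, the easier it is for an attacker to step around it.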
Rootkit Detection Method
Modern antivirus software also scans for rootkits. A rootkit is a type of malware designed to gain administrator-level control over a computer system without being detected. Rootkits can change how the operating system functions and, in some cases, can tamper with the installed antivirus program and render it useless. Because a rootkit may run with the same or higher privileges than the scanner and may hide its own files and processes from it, rootkits are also more difficult to remove; in some cases a complete format and re-installation of the OS is required.
Real-time virus protection
Live shield, real-time protection, on-access scanning, background guard, resident shield, auto-protect, and other synonyms refer to the automatic protection provided by most antivirus, anti-spyware, and other anti-malware programs. This component monitors the computer system continuously for suspicious activity such as computer viruses, spyware, adware, and other malicious objects in real time, for example when inserting a CD or removable media, browsing the web, downloading email, or when a file already saved on the computer is opened or executed.