Virus & Malware Detection Methods
Antivirus engines use several techniques to identify viruses and malware:
Signature-based Detection Method
Traditional antivirus software relies heavily on signatures to identify malware. Essentially, when a malware sample reaches an antivirus vendor, it is analyzed by malware researchers or by dynamic analysis systems. Once it is confirmed to be malicious, a signature of the file is extracted and added to the signature database of the antivirus product, which is then delivered to users at the time of their periodic update. When a particular file has to be scanned, the antivirus engine compares the contents of the file with all the malware signatures in its database. If the file matches a signature, the engine knows which malware it is and performs a predefined procedure to remove the infection.
The signature-based method can be very effective but, clearly, cannot defend against a piece of malware until samples of it have been obtained, a signature generated, and the antivirus product updated with the related information and its countermeasures. Signature-based systems rely on the idea that the more infectious a piece of malware is, the faster it reaches the hands of security researchers. Thus, even though it does not guarantee perfect defense, it protects against the most widespread threats. However, this approach is not effective against next-generation malware, i.e. malware that has not yet been encountered or analyzed by the antivirus provider.
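The lifecycle just described, as an added example that is not part of the original article: a toy signature engine in Python where the vendor side extracts a whole-file SHA-256 "signature" from each confirmed sample, the client side merges a periodic update into its database, and a scan is an exact lookup. The sample names, the FAKE_DROPPER bytes and the function names are constructed for this illustration; the only real value is the harmless EICAR test string. The last step shows the method's limitation from the paragraph above: a one-byte change to a known sample defeats the exact signature.

```python
import hashlib
from typing import Dict, Optional

# Constructed lab samples standing in for files that reached the vendor and
# were confirmed malicious by analysts. EICAR is the harmless industry-standard
# test string that every scanner is expected to flag; FAKE_DROPPER is made-up
# bytes for this example and is not a real malware sample.
EICAR = b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"
FAKE_DROPPER = b"MZ\x90\x00" + b"\x00" * 60 + b"example.dropper.payload.v1"


def file_signature(data: bytes) -> str:
    """The signature this toy engine uses: SHA-256 of the whole file."""
    return hashlib.sha256(data).hexdigest()


def build_signature_db(confirmed: Dict[str, bytes]) -> Dict[str, str]:
    """Vendor side: extract one signature per confirmed sample.
    Returns a map of signature -> malware family name."""
    return {file_signature(data): name for name, data in confirmed.items()}


def apply_update(db: Dict[str, str], published: Dict[str, str]) -> Dict[str, str]:
    """Client side: merge the signatures published in a periodic update."""
    merged = dict(db)
    merged.update(published)
    return merged


def scan(data: bytes, db: Dict[str, str]) -> Optional[str]:
    """Client side: return the family name on an exact signature hit, else None."""
    return db.get(file_signature(data))


def demo() -> Dict[str, Optional[str]]:
    """Walk through the signature lifecycle and return each verdict."""
    db = build_signature_db({"EICAR-Test-File": EICAR})
    # Until the vendor has analysed FAKE_DROPPER, the engine cannot see it.
    before_update = scan(FAKE_DROPPER, db)
    db = apply_update(db, build_signature_db({"Example.Dropper": FAKE_DROPPER}))
    after_update = scan(FAKE_DROPPER, db)
    # Appending a single padding byte changes the hash, so the exact signature
    # no longer matches: this is the gap that generic/heuristic detection fills.
    variant = scan(FAKE_DROPPER + b"\x00", db)
    return {
        "eicar": scan(EICAR, db),
        "before_update": before_update,
        "after_update": after_update,
        "variant": variant,
    }


if __name__ == "__main__":
    for step, verdict in demo().items():
        print(f"{step:>14}: {verdict or 'clean'}")
```

Real products hash or fingerprint sections and code regions rather than whole files, but the contract is the same: no sample, no signature, no detection.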
Heuristics Analysis Method
Unlike signature-based identification, advanced antivirus software uses heuristic analysis to identify new malware or variants of known malware. Many viruses start as a single infection and, through either mutation or improvements by other attackers, can grow into dozens of slightly different strains, called variants. Generic detection refers to the detection and removal of multiple threats using a single virus definition.
While it may be advantageous to identify a specific virus, it can be faster to detect a virus family through a generic signature or through an inexact match to an existing signature. Virus researchers find common areas that all viruses in a family share distinctively and can thus create a single generic signature. These signatures often contain non-contiguous code, using wildcard characters where differences exist. The wildcards allow the scanner to detect viruses even if they are padded with extra, meaningless code. Detection that uses this method is referred to as "heuristic detection" or the "heuristic analysis method".
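A generic wildcard signature of the kind described above, as an added example that is not from the original article: a small Python matcher for hex patterns in the style used by ClamAV and YARA, where `??` stands for any single byte and `[n-m]` for a variable-length gap. The "family" of variants, the benign sample and the signature text are all constructed for this illustration; the variants share a prologue and an epilogue but differ in the junk bytes between them, which is exactly what defeats the exact-hash approach and what the wildcards absorb.

```python
import re
from typing import List, Optional, Tuple, Union

# A parsed token is a fixed byte value, None for a single-byte wildcard,
# or a (lo, hi) tuple for a variable-length gap of lo..hi bytes.
Token = Union[int, None, Tuple[int, int]]


def parse_signature(sig: str) -> List[Token]:
    """Parse 'E8 ?? ?? ?? ?? [2-8] 5F C3'-style hex patterns into tokens."""
    tokens: List[Token] = []
    for part in sig.split():
        if part == "??":
            tokens.append(None)
        elif part.startswith("["):
            m = re.fullmatch(r"\[(\d+)-(\d+)\]", part)
            if not m:
                raise ValueError(f"bad gap token {part!r}")
            tokens.append((int(m.group(1)), int(m.group(2))))
        else:
            tokens.append(int(part, 16))
    return tokens


def _match_at(data: bytes, pos: int, tokens: List[Token], ti: int) -> bool:
    """Backtracking matcher: does tokens[ti:] match data starting at pos?"""
    while ti < len(tokens):
        tok = tokens[ti]
        if isinstance(tok, tuple):
            lo, hi = tok
            # Try every permitted gap length; the first that lets the rest match wins.
            return any(
                _match_at(data, pos + gap, tokens, ti + 1)
                for gap in range(lo, hi + 1)
                if pos + gap <= len(data)
            )
        if pos >= len(data):
            return False
        if tok is not None and data[pos] != tok:
            return False
        pos += 1
        ti += 1
    return True


def find_signature(data: bytes, sig: str) -> Optional[int]:
    """Return the offset of the first match of sig in data, or None."""
    tokens = parse_signature(sig)
    for start in range(len(data) + 1):
        if _match_at(data, start, tokens, 0):
            return start
    return None


def scan_generic(data: bytes, db: dict) -> Optional[str]:
    """Return the family name of the first generic signature that hits, else None."""
    for name, sig in db.items():
        if find_signature(data, sig) is not None:
            return name
    return None


# Constructed family: the same routine (x86 prologue, call rel32, pop edi, ret)
# with differing junk inserted between prologue and call to defeat exact hashing.
COMMON_HEAD = bytes.fromhex("558BEC83EC10")
VARIANT_A = COMMON_HEAD + bytes.fromhex("9090") + bytes.fromhex("E811223344") + bytes.fromhex("5FC3")
VARIANT_B = COMMON_HEAD + bytes.fromhex("90909090909090") + bytes.fromhex("E8AABBCCDD") + bytes.fromhex("5FC3")
# Benign sample that shares only the common prologue; it must not be flagged.
BENIGN = COMMON_HEAD + bytes.fromhex("8B45085FC3")

# One generic definition covers every member of the family (constructed name).
GENERIC_DB = {"Example.Family.Generic": "55 8B EC 83 EC 10 [0-16] E8 ?? ?? ?? ?? 5F C3"}


if __name__ == "__main__":
    for label, sample in (("A", VARIANT_A), ("B", VARIANT_B), ("benign", BENIGN)):
        print(label, scan_generic(sample, GENERIC_DB) or "clean")
```

The price of the wildcards is a wider net: a generic signature that is too loose produces false positives, which is why researchers anchor it on code the whole family shares distinctively rather than on common compiler boilerplate alone.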
Rootkit Detection Method
Modern antivirus software also attempts to scan for rootkits. A rootkit is a type of malware designed to gain administrator-level control over a computer system without being detected. Rootkits can change how the operating system functions and in some cases can tamper with the installed antivirus program and render it useless. Rootkits are also more difficult to remove, in some cases requiring a complete format and reinstallation of the operating system.
Real-time Protection
Live shield, real-time protection, on-access scanning, background guard, resident shield, auto-protect, and other synonyms refer to the automatic protection provided by most antivirus, anti-spyware, and other anti-malware programs. It monitors the computer system for suspicious activity such as computer viruses, spyware, adware, and other malicious objects in real time, for example when inserting a CD, browsing the web, opening an email, or when a file already saved on the computer is opened or executed.