How Does Antivirus Software Work?
The concept of malicious software code intended to harm computers first rose to prominence in 1981, when a virus was created which targeted Apple computers. By the mid-1980s, less wholesome members of the computing industry were launching wholesale assaults on mainframe computers and the MS-DOS operating system – the Windows of its time. In response, companies like Atari and Microsoft began developing antivirus software. And so began a cat-and-mouse game which continues to this day, albeit with much higher stakes and a far more diverse cast of characters…
An expanding brief
Despite retaining its original title, antivirus software is now expected to tackle more than just corrupting computer code. It has to identify worms – self-replicating programs which use network connectivity to target other computers. It needs to prevent spyware and adware – respectively designed to monitor user activity and bombard them with advertising. Antivirus software has to weed out Trojan horse files, tackle the pernicious threat of rootkits, and far more besides. In other words, it’s expected to form an impenetrable shield against every known threat in existence. It even has to gauge whether a newly-launched threat (known as zero-day malware) exhibits the characteristics of malicious software.
Clearly, a high level of sophistication is required to make such judgments. Antivirus packages have never been as well-engineered as they are today, or indeed as resource-hungry. Users are increasingly dialing down software settings and disabling key functionalities in an attempt to balance safety with performance. It’s particularly frustrating when a regularly-used file or application is repeatedly scanned, yet unprecedented levels of malware mean caution is vital.
So how does it work?
Every piece of malware has been engineered by a computer programmer or mutated from an existing piece of code. As such, it’ll bear certain characteristics which distinguish it from legitimate software. For instance, a Microsoft Office document will almost certainly contain a macro, ready to launch when the file is opened. A Word or Excel file without a macro should be safe for use, whereas a macro file will raise the hackles of any decent antivirus package.
Antivirus tools use a number of techniques to identify and block malicious software:
- Generic detection. This involves looking for worms and other genetically identifiable sequences, featuring a recognizable code signature.
- Specific detection. Some malware poses a particular risk, so these specific signatures will be proactively hunted.
- Heuristic detection. This is the more nebulous process of using machine learning to try and spot suspicious files or unreasonable behavior.
Heuristic detection is the most challenging aspect since it involves making considered judgments about whether the behavior is suspicious or not. A newly installed program which tries to access every file on a computer should attract attention, as will a newly downloaded file that immediately attempts to replicate itself. However, heuristic detection is fallible – it’s been known for antivirus tools to identify themselves as behaving suspiciously, before trying to delete their own code. Other false positives have centered on Google Chrome, and even Windows itself.
Staying up to date
Ultimately, the process of identifying and deleting (or quarantining) rogue agents relies on an up-to-date list of code signatures, plus an ever-lengthening database of known threats. This is why antivirus tools require constant updating. Zero-day attacks regularly create chaos within hours of being unleashed, meaning they could easily slip through the net of any antivirus software which hasn’t been updated for a while. Mutations in existing malware also need to be fed through to antivirus databases on individual devices; known as server-side polymorphism, some code uses encryption and self-revision to avoid being matched with known threats.
A few myths have evolved around malware, none of which stand up to scrutiny. For instance, Apple devices aren’t immune to attack – macOS malware almost trebled last year, while iOS is under increasing assault from a spectrum of adware apps and vulnerabilities. It’s equally untrue that an infected device is easily identified: while some malware causes hardware to run slowly or display numerous pop-up windows, Trojans, and spyware discreetly record sensitive information before passing it onto crooks. Finally, don’t assume you’re only at risk if your hard drive contains important or sensitive data. Distributed Denial of Service attacks (designed to crash websites) corral millions of computers into slave networks, under the control of a remote mastermind.
To ensure your chosen antivirus package performs optimally, grant permission for it to run in the background – known as on-access scanning or real-time protection. Perform full scans periodically (ideally overnight) to identify dormant or historic threats. Finally, ensure the package is allowed to update whenever necessary, giving it the best chance of quarantining new malware and correctly identifying rogue code. Malware takes many forms, so antivirus tools must remain eternally vigilant.