Here’s what goes on when your antivirus software spots a malicious threat.
Antiviruses – they’re known but at the same time unknown. While we’re all aware of them and the need to use them, we don’t necessarily understand what they do or how they work. That can be a problem, because understanding how they work is key to getting the best out of them.

About antiviruses
Even if you’re a cautious computer user, the number of threats you face is multiplying. As cyber criminals become smarter and more devious it’s increasingly difficult to be safe online, which is why you need protection. Everyone should implement a multi-layered defence which includes a good antivirus programme.
The programme should fire up on start-up and sit in the background of your computer checking it for issues. Some only perform a scan when you get started or at certain times, but the best are those which will offer real-time scanning – constantly checking for problems and checking any file you open for malicious software.
Those which don’t offer this will leave a gaping hole in your defences. A common line of attack for malware is to exploit vulnerabilities in your popular programmes. Word documents, for example, can carry viruses. A programme should check a document for a virus every time you open it.
An antivirus programme can also perform a full system scan. This is when it searches every nook and cranny of your computer’s hard drive for a threat. Generally speaking, you should not need to perform a full system scan if you have real-time scanning: your computer should detect threats as and when they get onto the system. However, it can be useful if you’ve purchased a new piece of software or if it has been updated. Running a scan will identify any problems.
How they detect threats
Antivirus programmes rely on a set of definitions and rules to identify suspicious files. This information provides them with signatures for viruses. When a programme spots a file matching one of these signatures, it will stop it from running and place it in quarantine.
What happens next depends on the settings of your antivirus programme. Some will simply place the infected file in quarantine, meaning it will still be on your computer but unable to do any damage. The programme will then notify you and ask if you want to delete the file. Others will delete the file automatically.
Both options have their advantages. Quarantining puts the decision in your hands. If you know a file can be trusted, you can choose to allow it to run. This can be useful in cases of false positives, in which an antivirus flags up safe files.
On the other hand, this can be inconvenient and often leads to infected files staying on a system for much longer than they should. You assume a file has been removed, when in fact it is simply lying there dormant.
A key to the performance of a programme is the definitions it uses to flag a suspected file. Antivirus companies compile databases of definitions which they continually update. To remain effective, an antivirus system should update itself at least once a day – sometimes more – to ensure it can cope with the very latest threats.
These definitions can also make an antivirus too sensitive. This can be a particular problem with some of the cheaper options. They produce a number of false positives, which can be time consuming and frustrating for you as the owner. False positive rates are one of the main ways in which antiviruses are rated for performance.
Beyond definitions
The better-quality antivirus programmes, though, do more than just use definitions. Cyber criminals are smart, and viruses are constantly evolving new ways around defences. To keep up with evolving threats, these programmes rely on something called heuristics. The principle is simple. A virus may not be listed in the definitions, but it might exhibit behaviours which set alarm bells ringing. How? Well, imagine a file comes onto a computer. It is not flagged by the definitions, but once on the system it starts trying to access multiple files.
The antivirus software will spot this suspicious activity, in much the same way a store detective might notice a shopper stuffing his coat with produce and eyeing the exits. He hasn’t done anything bad yet, but you get the feeling he’s planning to.
This approach is useful for detecting files which get around the definitions defence, but it can be too aggressive and increase the number of false positives.
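The two detection stages just described (definitions, then heuristics) and the quarantine-or-delete decision, as an added toy example that is not code from any antivirus product. The definition hashes, byte pattern, file-count threshold and the “user override” flag are all constructed for illustration.

```python
import hashlib

# Constructed definitions, not a real vendor database: the SHA-256 of a
# known sample plus a raw byte pattern. Both values are made up here.
KNOWN_BAD_HASHES = {
    hashlib.sha256(b"constructed malicious sample").hexdigest(): "Test.Sample.A",
}
KNOWN_BAD_PATTERNS = {b"CONSTRUCTED-MALWARE-MARKER": "Test.Marker.B"}

# Heuristic threshold (illustrative): a process touching more than this many
# distinct files in one observation window is treated as suspicious.
HEURISTIC_FILE_LIMIT = 20


def match_signature(data: bytes):
    """Definitions stage: return the matching definition name, or None."""
    name = KNOWN_BAD_HASHES.get(hashlib.sha256(data).hexdigest())
    if name:
        return name
    for pattern, pname in KNOWN_BAD_PATTERNS.items():
        if pattern in data:
            return pname
    return None


def heuristic_flag(events):
    """Heuristics stage: `events` are (action, path) tuples observed for one
    process. Flags it when it opens or writes many distinct files, the
    'alarm bells' behaviour described above. Returns True or False."""
    touched = {path for action, path in events if action in ("open", "write")}
    return len(touched) > HEURISTIC_FILE_LIMIT


def scan(data: bytes, events=(), trusted=False, auto_delete=False):
    """Run both stages, then apply the quarantine/delete policy.
    `trusted` models the user having vouched for a false positive, so the
    file is allowed to run even though a stage flagged it."""
    reason = match_signature(data)
    if reason is None and heuristic_flag(events):
        reason = "Heuristic.MassFileAccess"
    if reason is None:
        return {"action": "allow", "reason": None}
    if trusted:
        return {"action": "allow", "reason": f"user override of {reason}"}
    return {"action": "delete" if auto_delete else "quarantine", "reason": reason}
```

Note that a benign file is only ever flagged by the heuristic stage here, which is exactly where the false positives the text warns about come from; the `trusted` override is the quarantine-side safety valve for that case.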
Deciding on the best
So, that’s how most antivirus programmes work, but that doesn’t mean they all perform the same. Far from it. Different programmes boast different detection rates. It all depends on how effective the company is at drawing up its definitions and designing its heuristics. Those which are continually updating and testing their software tend to have a better detection rate.
You can find out about these by looking at reviews and seeing how these systems perform in the real world. That will give you everything you need to make an informed and accurate buying decision.
