Tuesday, April 25, 2017

How Do Antivirus Systems Detect Malware?

I started this project by researching antivirus systems and how they detect malware. In order to accomplish this, I read through several online articles, forums, and blog posts. Many modern antivirus systems run multiple layers of defense against malware.

These layers each attempt to detect malware, but usually at different points. One of the most common points at which antivirus systems detect malware is known as on-access scanning. This occurs when the antivirus system waits until the code in question attempts to run. The antivirus will then scan the code in order to determine whether the program is malicious or not. Some on-access scanning systems also extend to scanning files as they are being downloaded to a system, not just upon execution. Many antivirus systems also include an option to perform system scans. These scans will look at programs and files that already exist on the computer's hard drive. This is commonly used when an antivirus system is first installed, on systems where it is already known that malware exists, and on a semi-regular basis in an attempt to catch dormant viruses. While these examples show when viruses and other malware are detected, they don't show how exactly antivirus systems detect malicious software.

The first primary method that antivirus systems use to detect malware is signature-based detection. With this method, the antivirus system scans a file and compares it to known viruses that have already been catalogued. However, this method is ineffective against new types of malware that have not yet been detected. In order to combat new malware, many antivirus systems also implement heuristic-based detection in conjunction with signature-based detection. Heuristic-based detection scans files in order to determine whether they are similar to an existing piece of malware. This is used because malware is often created from a previous piece of malware, resulting in it acting and looking extremely similar to already known malware. This allows antivirus systems to detect new types of malware and update existing definitions to improve signature-based detection in the future. The next major tool that antivirus systems use to detect malware is known as behavior-based detection. Using this method, the antivirus system examines what the code attempts to do at run time. The malware may attempt to unpack itself or download other malicious code. It could attempt to read keystrokes from the user or install other software. None of these behaviors on their own definitively means the code is malware, but they can raise red flags that indicate the possibility. Finally, some antivirus systems also implement what is known as sandbox testing. This is when the antivirus system runs the software entirely within a virtual environment and checks what results from the code's execution. It checks whether any malicious result stems from the actions of the code in order to determine if the code is malicious or not. While these are not the only methods used to detect malware, they are the most common ones. This is a field that continues to improve itself in order to protect people from malware.
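To make the signature-versus-heuristic distinction concrete, here is a small added example (not code from the original post) that models both layers over constructed byte strings: an exact-hash signature catalogue, and a heuristic that measures byte n-gram similarity to known samples. The sample "files", the family name `TestFamily.A`, and the 0.6 similarity threshold are all assumptions made for the illustration; the point is that a lightly modified variant slips past the exact signature but is still flagged by the heuristic, while an unrelated file is not.

```python
import hashlib
from typing import Dict, Optional, Set, Tuple

# Constructed stand-ins for files (ordinary bytes, not real malware):
# a catalogued sample, a lightly modified variant of it, and an unrelated benign file.
KNOWN_SAMPLE = b"MZ" + bytes(range(64)) * 4 + b"CreateRemoteThread"
VARIANT = (KNOWN_SAMPLE.replace(b"\x10\x11\x12", b"\x10\x99\x12")
                       .replace(b"\x30\x31", b"\x31\x30"))
BENIGN = b"MZ" + b"hello world, nothing to see here " * 12


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Signature catalogue: hash of a known sample -> family name (exact match only).
SIGNATURES: Dict[str, str] = {sha256(KNOWN_SAMPLE): "TestFamily.A"}
# Reference bodies kept for heuristic comparison against new files.
REFERENCE_SAMPLES: Dict[bytes, str] = {KNOWN_SAMPLE: "TestFamily.A"}


def signature_match(data: bytes) -> Optional[str]:
    """Signature-based detection: look the file's hash up in the catalogue."""
    return SIGNATURES.get(sha256(data))


def ngrams(data: bytes, n: int = 4) -> Set[bytes]:
    """All overlapping n-byte substrings of the file."""
    return {data[i:i + n] for i in range(len(data) - n + 1)}


def similarity(a: bytes, b: bytes, n: int = 4) -> float:
    """Jaccard similarity of byte n-gram sets: 1.0 means identical content."""
    ga, gb = ngrams(a, n), ngrams(b, n)
    return len(ga & gb) / len(ga | gb) if (ga or gb) else 0.0


def heuristic_match(data: bytes, threshold: float = 0.6) -> Optional[Tuple[str, float]]:
    """Heuristic detection: report the closest known family if it is similar enough."""
    score, family = max((similarity(data, ref), name) for ref, name in REFERENCE_SAMPLES.items())
    return (family, round(score, 3)) if score >= threshold else None


def scan(data: bytes) -> Dict[str, object]:
    """Run both layers, as a layered antivirus would, and report each verdict."""
    return {"signature": signature_match(data), "heuristic": heuristic_match(data)}


if __name__ == "__main__":
    for label, blob in (("known", KNOWN_SAMPLE), ("variant", VARIANT), ("benign", BENIGN)):
        print(label, scan(blob))
```

Real products use far richer features (disassembly, imports, packer signatures) and tuned thresholds; the n-gram Jaccard score here only illustrates why "looks like known malware" catches what "is byte-for-byte known malware" misses.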

1 comment:

  1. Great article. You provide very nice information on how antivirus systems detect malware. I was amazed after reading this blog post. Thanks for sharing.