How antivirus works

Scanning techniques

To understand how an antivirus works, you first need to know the components that characterize it, that is, the scanning modules that make up its "defensive shield".

Real-time scanning

Real-time scanning (also called on-access scanning) is the component of the antivirus that starts together with the operating system, resides in RAM and analyzes in real time every action performed on the computer. Every time a file is executed, moved, created or modified (even "invisibly", for example when simply opening a program), the real-time module analyzes each file used in the process (binaries, DLLs, etc.), looking for malicious or suspicious content. When the "alarm is triggered", the module blocks every action of the file and "neutralizes" it, moving it to a protected area located within the antivirus folders (this protected area is generally called Quarantine or Trash).



This module is therefore a fundamental component of the antivirus: not surprisingly, it is present in most programs designed for this purpose. Thanks to the on-access scan it is possible to nip an infection in the bud, preventing viruses from changing the behavior of the system and damaging personal files.

Obviously, this module is not infallible: if the virus is well hidden inside legitimate files, or is not present in the special "list" held by the antivirus (which we will return to later), it could escape this control and remain almost completely invisible. Many viruses, in fact, can be activated remotely or after a certain period of time, thus escaping the control of real-time scanning and consequently generating a larger infection.


A real-time scanning module must be lightweight and unobtrusive in its action: otherwise, the computer's performance would decrease significantly after any operation initiated by the user (even the simple opening of a file or folder, for example).


On-demand scanning

On-demand scanning is the component of the antivirus that analyzes, one at a time, all the files present in the system or in the indicated folder. Compared with the real-time scanning module it adopts a much more precise and effective approach, and requires a greater amount of resources: in the past, it was not uncommon to have to interrupt your work when starting an on-demand scan, as the hard drive and CPU were completely busy with this task.

Due to this high demand for resources, this module can be started only on request, by clicking on a specific button in the antivirus interface, or by calling the related functionality from the context menu of the files saved in the system.

On-demand scanning can also be scheduled, so you can make it happen when your computer isn't going to be used for other tasks.

Personally, I recommend scheduling a full system scan at least once a month, choosing a day and / or time when you are sure not to be at the PC (better to leave the computer on for the purpose, so as not to have to postpone it to the next start).

Cloud scanning


Recently, a new module has been added alongside the on-access and on-demand components: cloud-based scanning. When this component is active, the data on files scanned by the antivirus is sent over the Internet to a network of interconnected servers, so as to benefit from much higher computing power: the servers can scan the data on the file (or the entire file, if it is relatively small) and provide an immediate response to the antivirus, which can then delete it (in the case of a virus) or "let it pass" (in the case of a legitimate file).


This approach has two major advantages: first of all, the analysis takes place on several engines at the same time, which drastically reduces the risk of false negatives (or false positives); secondly, the resources of your computer are not committed to the scan, which is done entirely over the Internet.

However, the cloud scanning system requires constant internet access, as the analytics servers must always be available. In order to avoid the saturation of the Internet bandwidth (a very common problem especially if you have a connection that is not very fast), this component usually comes into action only for scans on demand and / or for files classified as "suspicious". In the absence of an Internet connection, the cloud component does not work, so the antivirus must use the tools made available "offline" in order to block potential threats.
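The exchange described in this section, written as an added example (it is not code from the article or from any antivirus vendor). It assumes a hypothetical cloud service that answers hash queries and runs several engines on uploaded content; the "engines", the sample files, the 4 KB upload limit and the local hash list are all constructed for the demo. It shows the three behaviours the text describes: a hash is sent first so that bandwidth is spent only on small unknown files, the server combines several engines, and without a connection the client has to rely on its offline tools.

```python
import hashlib

MAX_UPLOAD_BYTES = 4096          # "relatively small" files are sent whole (constructed limit)

# Constructed sample files (no real malware): plain markers stand in for content.
CLEAN_FILE = b"MZ" + b"\x00" * 100 + b"hello world"
BAD_SMALL = b"MZ" + b"\x00" * 50 + b"CONSTRUCTED-BAD-MARKER"
BAD_LARGE = b"MZ" + b"\x00" * 8000 + b"CONSTRUCTED-BAD-MARKER"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


class CloudService:
    """Hypothetical server side: a hash reputation cache plus several scan engines."""

    def __init__(self):
        self.reputation = {}          # sha256 -> "malicious" | "clean"
        self.log = []                 # what the client sent, kept for the demo

    def query_hash(self, digest: str):
        self.log.append(("hash", digest[:8]))
        return self.reputation.get(digest)       # None means "never seen"

    def scan_upload(self, data: bytes) -> str:
        self.log.append(("upload", len(data)))
        # Constructed engines: each looks for the marker in a different way.
        votes = [
            b"CONSTRUCTED-BAD-MARKER" in data,
            data.endswith(b"MARKER") and data.startswith(b"MZ"),
            len(data) > 20 and b"BAD" in data,
        ]
        # A majority across engines lowers the weight of any single engine's mistake.
        verdict = "malicious" if sum(votes) >= 2 else "clean"
        self.reputation[sha256_hex(data)] = verdict   # next client asks by hash only
        return verdict


class Client:
    """The antivirus on the user's machine."""

    def __init__(self, cloud: CloudService, local_hashes: set, online: bool = True):
        self.cloud = cloud
        self.local_hashes = local_hashes   # offline signature list (hashes of known bad files)
        self.online = online

    def scan(self, data: bytes):
        """Return (verdict, source), where source says which component decided."""
        digest = sha256_hex(data)
        # Offline tools run first: they cost no bandwidth.
        if digest in self.local_hashes:
            return "malicious", "local-signature"
        if not self.online:
            return "unknown", "offline-no-cloud"
        verdict = self.cloud.query_hash(digest)
        if verdict is not None:
            return verdict, "cloud-hash"
        if len(data) <= MAX_UPLOAD_BYTES:
            return self.cloud.scan_upload(data), "cloud-upload"
        # Large and unknown: do not saturate the link; leave it to local heuristics.
        return "unknown", "too-large-for-upload"


def demo():
    cloud = CloudService()
    local = {sha256_hex(BAD_LARGE)}          # the big sample is already in the local list
    av = Client(cloud, local, online=True)
    results = {
        "clean": av.scan(CLEAN_FILE),         # uploaded, judged clean, cached server-side
        "clean_again": av.scan(CLEAN_FILE),   # answered from the hash cache, no upload
        "bad_small": av.scan(BAD_SMALL),
        "bad_large": av.scan(BAD_LARGE),
    }
    offline = Client(cloud, local, online=False)
    results["bad_small_offline"] = offline.scan(BAD_SMALL)   # the cloud cannot help here
    return results, cloud.log


if __name__ == "__main__":
    verdicts, log = demo()
    for name, (verdict, source) in verdicts.items():
        print(f"{name:18} {verdict:10} via {source}")
    print("traffic:", log)
```

Running the demo shows only two uploads across five scans: the second look at the clean file is answered from the hash cache, the large file never leaves the machine, and the offline client is left with an "unknown" verdict for the small sample, which is exactly the gap the text says the offline tools must cover.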

Methods of analysis

After analyzing the scanning modules characteristic of modern antivirus software, it is time to understand which tools this software uses to determine whether a file is harmful or not.


To understand this difference, imagine a roadblock: the scanning techniques are the cops, while the methods of analysis are the tools used for detecting infringements, such as speed cameras, breathalysers and so on.

Method based on signatures

The simplest and fastest method used by antivirus software to find threats involves a series of "special lists" containing the signatures or definitions of known viruses: these are specific characteristics of cyber threats, such as known behaviors, precise bit sequences inside infected files, or hash codes. These archives are queried each time a file is scanned by the on-demand and on-access scanning modules.


The signature / definition lists are updated regularly by all antivirus manufacturers, so as to "catch" (in the shortest possible time) any newly recognized threats. Unfortunately, however, this method is ineffective against viruses put into circulation only a few days or hours ago: since there is no known signature, the antivirus could let a threat pass without triggering the alarm (0-day threats).

Going back to our example on authorities, you can consider signatures / definitions as mug shots used by cops to be able to identify wanted offenders right away. If a criminal has changed his characteristics, or has not yet been caught red-handed (so he has no mugshot associated with his identity), he can easily escape the control of even the most attentive patrol.
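An added example (not the article's code, and not any product's real signature format) of the two kinds of definitions named above, plus the quarantine step from the real-time scanning section: a hash signature that matches one exact file, byte-sequence signatures that match a pattern anywhere inside a file, a scan over a directory, and a move into a quarantine folder under a neutral name with a small record of where the file came from. The signature names, patterns and sample files are all constructed; the last line of the demo shows the 0-day problem in miniature, since one extra byte is enough to defeat the hash signature.

```python
import hashlib
import json
import os
import shutil
import tempfile
import time

# Constructed definitions (no real malware). A real list is far larger and updated daily.
BYTE_SIGNATURES = {
    "Constructed.Dropper.A": b"DROPPER-SAMPLE-PATTERN",
    "Constructed.Macro.B": b"AutoOpen() Shell(",
}

# Constructed sample files that the demo writes to a temporary directory.
SAMPLE_FILES = {
    "known.bin": b"MZ\x90\x00known constructed sample",
    "variant.bin": b"XX" + b"DROPPER-SAMPLE-PATTERN" + b" wrapped in new code",
    "zero_day.bin": b"nothing in our lists matches this content",
    "readme.txt": b"just a text file",
}
# A hash signature matches one exact file; here, the whole of known.bin.
HASH_SIGNATURES = {
    hashlib.sha256(SAMPLE_FILES["known.bin"]).hexdigest(): "Constructed.Known.C",
}


def match_signatures(data: bytes):
    """Return the name of the first matching signature, or None."""
    digest = hashlib.sha256(data).hexdigest()
    if digest in HASH_SIGNATURES:            # exact-file match: cheapest check first
        return HASH_SIGNATURES[digest]
    for name, pattern in BYTE_SIGNATURES.items():
        if pattern in data:                  # byte sequence anywhere inside the file
            return name
    return None


def quarantine(path: str, quarantine_dir: str, signature: str) -> str:
    """Move a detection into the quarantine folder and record where it came from."""
    os.makedirs(quarantine_dir, exist_ok=True)
    # The stored copy gets a neutral extension so nothing executes it by accident.
    dest = os.path.join(quarantine_dir,
                        f"{int(time.time())}_{os.path.basename(path)}.quarantined")
    shutil.move(path, dest)
    with open(dest + ".json", "w") as meta:   # enough to restore a false positive
        json.dump({"original_path": path, "signature": signature}, meta)
    return dest


def scan_directory(root: str, quarantine_dir: str):
    """Scan every file under root, quarantine the matches, list what passed."""
    report = {"detected": {}, "clean": []}
    for dirpath, _, filenames in os.walk(root):
        if os.path.abspath(dirpath).startswith(os.path.abspath(quarantine_dir)):
            continue                          # never rescan the quarantine itself
        for name in filenames:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as f:
                data = f.read()
            sig = match_signatures(data)
            if sig:
                report["detected"][name] = (sig, quarantine(path, quarantine_dir, sig))
            else:
                report["clean"].append(name)
    return report


def demo():
    root = tempfile.mkdtemp(prefix="av-demo-")
    for name, content in SAMPLE_FILES.items():
        with open(os.path.join(root, name), "wb") as f:
            f.write(content)
    report = scan_directory(root, os.path.join(root, "quarantine"))
    remaining = sorted(os.listdir(root))      # clean files plus the quarantine folder
    # The 0-day problem in one line: a single changed byte defeats the hash signature.
    report["hash_evaded"] = match_signatures(SAMPLE_FILES["known.bin"] + b"\x00") is None
    shutil.rmtree(root)
    return report, remaining


if __name__ == "__main__":
    result, left = demo()
    print("detected:", result["detected"])
    print("passed:  ", result["clean"], "| still in folder:", left)
    print("hash signature evaded by a one-byte change:", result["hash_evaded"])
```

In the run, known.bin is caught by its hash and variant.bin by the byte pattern even though it is wrapped in new content, while zero_day.bin passes untouched: nothing in the lists describes it, which is the case the heuristic module in the next section exists for.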

Method based on heuristics

If the signature of a virus is not present in the appropriate archive, it could still be blocked by a particular component of the antivirus, namely the heuristic module. That module stops suspicious files (not blocked by signatures) and monitors their behavior: if the files follow patterns recognized as highly suspicious or dangerous, they are immediately blocked and placed in quarantine, pending further investigation (i.e. the arrival of signatures confirming the malicious nature of the file).

Thanks to this module, the computer can defend itself against new threats. On the other hand, however, the heuristic sensitivity plays a key role in its success: a module that is too strict can block even perfectly legitimate files, while a module that is too permissive can let viruses pass without intervening at all.

Going back to the authority example, you can compare heuristics to the full check that cops perform when a suspicious car passes by during a roadblock. Even if the stopped person is not wanted, but seems restless, agitated, fears checks in the car or on his person, it is easy to assume that he is hiding something!
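An added example (not the article's code, and not any product's real rule set) of behaviour-based heuristics as a weighted score with a threshold, run over constructed behaviour logs to make the sensitivity trade-off from the paragraph above concrete. The action names, weights, program names and their "true" nature are all constructed; a real engine has hundreds of rules and far more nuance, but the shape of the problem is the same: a strict threshold flags a legitimate installer that adds itself to startup, a permissive one lets the ransomware-like sample through.

```python
# Constructed weights for observed actions; a real engine has hundreds of such rules.
WEIGHTS = {
    "creates_new_files": 1,
    "reads_user_documents": 1,
    "contacts_unknown_host": 2,
    "writes_to_startup_folder": 3,
    "modifies_run_registry_key": 3,
    "deletes_own_executable": 4,
    "injects_into_other_process": 5,
    "disables_security_tool": 6,
    "encrypts_many_user_files": 8,
}

# Constructed behaviour logs, as a real-time monitor might record them.
BEHAVIOUR_LOGS = {
    # a legitimate installer: adds itself to startup and phones home for updates
    "photo_editor_setup.exe": ["creates_new_files", "writes_to_startup_folder",
                               "modifies_run_registry_key", "contacts_unknown_host"],
    # ransomware-like sample: reads documents, encrypts them, removes itself
    "invoice.pdf.exe": ["reads_user_documents", "encrypts_many_user_files",
                        "deletes_own_executable", "contacts_unknown_host"],
    # a plain note-taking program
    "notes.exe": ["creates_new_files", "reads_user_documents"],
}
# What each program really is (True = malicious); used only to grade the heuristic.
GROUND_TRUTH = {"photo_editor_setup.exe": False, "invoice.pdf.exe": True, "notes.exe": False}


def heuristic_score(events):
    """Add up the weight of every suspicious action seen in the log."""
    return sum(WEIGHTS.get(e, 0) for e in events)


def is_suspicious(events, threshold):
    """Block (quarantine pending a signature) once the score reaches the threshold."""
    return heuristic_score(events) >= threshold


def evaluate(threshold):
    """Count false positives and false negatives at one sensitivity setting."""
    false_positives = false_negatives = 0
    verdicts = {}
    for name, events in BEHAVIOUR_LOGS.items():
        flagged = is_suspicious(events, threshold)
        verdicts[name] = flagged
        if flagged and not GROUND_TRUTH[name]:
            false_positives += 1
        if not flagged and GROUND_TRUTH[name]:
            false_negatives += 1
    return {"threshold": threshold, "false_positives": false_positives,
            "false_negatives": false_negatives, "verdicts": verdicts}


def sweep(thresholds=(4, 10, 20)):
    """Strict, balanced and permissive settings side by side."""
    return [evaluate(t) for t in thresholds]


if __name__ == "__main__":
    for name, events in BEHAVIOUR_LOGS.items():
        print(f"{name:24} score {heuristic_score(events):2}")
    for row in sweep():
        print(f"threshold {row['threshold']:2}: "
              f"{row['false_positives']} false positive(s), "
              f"{row['false_negatives']} false negative(s)")
```

With these constructed weights the installer scores 9, the ransomware-like sample 15 and the editor 2, so a threshold of 4 produces a false positive, 20 produces a false negative, and only the middle setting gets all three right; tuning that number is the whole art of heuristic sensitivity.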

Cloud-based methods

Many modern tools involve the use of the Internet to block viruses: techniques such as telemetry analysis, "swarm" heuristics (based on the behaviors recorded by other users who use the same antivirus and encounter the same file) and data mining help to stop even the most dangerous threats, those carried out by polymorphic viruses, i.e. viruses able to change identity (thus appearing clean on every infected PC), and by ransomware (able to hide in unsuspected files).

You can compare cloud-based analysis methods to the "outside" support offered to cops during a great manhunt: helicopters, radio communications, and tracking dogs.

Sandbox

Another popular tool available in modern antivirus software is the so-called sandbox: it creates an isolated space, not communicating with the outside, in which all the system files required to start a suspicious program or executable are virtualized.

If the executable turns out to be a virus, it can infect only the virtualized system part within the sandbox, without damaging the actual operating system.

Thanks to the sandbox you can avoid a large number of infections: if the solution of your choice has one, take care to run in it all newly downloaded programs, or those that may represent important threat vectors (e.g. browser and e-mail client).
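An added example (not the article's code, and not how any real antivirus implements its sandbox) of the idea in this section as a toy copy-on-write file layer: the suspicious program only ever sees a virtualised view of the files, every write lands in an overlay, and after the run the overlay is inspected while the real files are checked to be untouched. The host files, paths and the "suspicious program" are constructed for the demo; the program is a handful of dictionary operations standing in for the behaviour a real sample would show (tampering with a system file, encrypting a document, dropping a persistence file), and the point is that all of it stays inside the sandbox.

```python
import copy


class SandboxedFS:
    """Virtualised file view: reads fall through to the real files, writes stay in an overlay."""

    def __init__(self, real_files: dict):
        self._real = real_files      # the "host" files; the sandbox never writes here
        self._overlay = {}           # copy-on-write layer the program actually modifies
        self._deleted = set()
        self.actions = []            # audit trail of everything the program attempted

    def read(self, path: str) -> bytes:
        self.actions.append(("read", path))
        if path in self._deleted:
            raise FileNotFoundError(path)
        if path in self._overlay:
            return self._overlay[path]
        if path in self._real:
            return self._real[path]
        raise FileNotFoundError(path)

    def write(self, path: str, data: bytes) -> None:
        self.actions.append(("write", path))
        self._deleted.discard(path)
        self._overlay[path] = data

    def delete(self, path: str) -> None:
        self.actions.append(("delete", path))
        self._overlay.pop(path, None)
        self._deleted.add(path)

    def changes(self) -> dict:
        """What the program changed, as seen from inside the sandbox."""
        return {
            "modified": {p: d for p, d in self._overlay.items() if p in self._real},
            "created": {p: d for p, d in self._overlay.items() if p not in self._real},
            "deleted": sorted(self._deleted),
        }


def run_in_sandbox(program, real_files: dict):
    """Run program against a virtualised view of real_files; return (changes, actions)."""
    fs = SandboxedFS(real_files)
    before = copy.deepcopy(real_files)
    try:
        program(fs)
    except Exception as exc:           # a crashing sample is still contained
        fs.actions.append(("crashed", repr(exc)))
    if real_files != before:           # must never happen: the host side is read-only
        raise RuntimeError("sandbox leaked a write to the real file system")
    return fs.changes(), fs.actions


# Constructed "host" files for the demo (the hosts path is the usual Windows location).
HOST_FILES = {
    "C:/Windows/System32/drivers/etc/hosts": b"127.0.0.1 localhost\n",
    "C:/Users/me/Documents/report.docx": b"quarterly report",
}


def suspicious_program(fs: SandboxedFS) -> None:
    """Constructed sample doing what a monitor would flag: tamper, encrypt, persist."""
    hosts = fs.read("C:/Windows/System32/drivers/etc/hosts")
    fs.write("C:/Windows/System32/drivers/etc/hosts",
             hosts + b"0.0.0.0 updates.av-vendor.invalid\n")   # constructed, reserved TLD
    doc = fs.read("C:/Users/me/Documents/report.docx")
    fs.write("C:/Users/me/Documents/report.docx.locked", bytes(b ^ 0x5A for b in doc))
    fs.delete("C:/Users/me/Documents/report.docx")
    fs.write("C:/Users/me/AppData/Roaming/updater.exe", b"MZ constructed stub")


def demo():
    return run_in_sandbox(suspicious_program, HOST_FILES)


if __name__ == "__main__":
    changes, actions = demo()
    print("inside the sandbox:", changes)
    print("real files afterwards:", HOST_FILES)
```

After the run the overlay shows one modified system file, one deleted document, and two created files, while HOST_FILES is byte-for-byte what it was before; the action log is the same kind of record a heuristic module scores, which is why sandboxes and heuristics are usually used together.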

Importance of Updates

As you can easily guess at this point, constantly updating the antivirus is the only way to keep the security barrier offered by the software high. Updates, in fact, often include the download of new signatures and improvements to the modules integrated into the antivirus.

To date, almost all antivirus products are programmed to download updates as soon as they become available: for those based mainly on the cloud, the update is instead constant and in real time, since the databases are synchronized as soon as a single signature is added. You may not believe it, but this can happen several times in a minute!

The lack of updates, on the other hand, could make the protection features integrated in the antivirus software completely useless: the most recent malicious files, in this case, could act undisturbed and damage the operating system and the data stored in it. In fact, it would be just like having no protection!

Typically, you can adjust the frequency of automatic updates from the antivirus settings panel: first make sure that they are active, then set the check / download interval to a very short time (one hour or less).

For solutions built into operating systems, such as Windows Defender, you can manually download updates from within the system settings: on Windows 10, for example, you have to open the Start menu and click on the gear-shaped button, located on the left, to open the Settings window.

Afterwards, you have to click on the button Update and security, go to the section dedicated to Windows Update and click the button Check for updates.

The best antivirus

Let me guess: now that you understand how antivirus work and that you have clear ideas about your needs, would you like to take a look at what the computer scene offers to choose the one that best suits your case? No problem, I really think I can help you.

There are many security programs of this type, each with its own characteristics: free, paid, equipped with real-time scanning modules, ready for on-demand scans only, cloud-based and so on. If you use the Windows operating system, for example, I suggest you read my guide to the best antivirus for Windows 10, also valid for all other versions of the operating system, in which I explained how to compare the various free products and how to choose the one that's right for you.

If, on the other hand, you need a solution that is efficient, customizable and equipped with a large number of modules, I recommend you move towards a paid antivirus.

As for the security solutions designed for smartphones and tablets with an operating system Android, you can take a look at my guide to the best antivirus for Android, in which I have listed the best apps designed to preserve the integrity of devices.

For macOS and iOS, however, I don't have much to tell you: these operating systems have extremely efficient built-in security protections, therefore, as a rule, they do not require the presence of a specific antivirus solution.

If, however, you have bypassed these protections for one reason or another or you still consider it essential to have an antivirus available, you can consult my tutorials dedicated to antivirus for Mac and virus removal from iPhone, in which I have dealt with the topic "security" with a wealth of details.
