Antivirus software

From Saferpedia

Antivirus software is used to prevent, detect and remove malware such as computer viruses, worms and Trojans. Such software may also stop other threats: adware, spyware and other forms of malware.

There are many strategies for detecting a virus; the two most common ones are presented here:

  1. Signature-based detection, which searches executable code for known malware patterns. However, a user may be infected with a new kind of malware that does not yet have a signature.
  2. Identifying new viruses, or variants of existing viruses, through generic signatures, by searching for malicious code inside files.

However, regardless of how useful an antivirus can be, it also has disadvantages. Antivirus software may reduce the computer's performance if it is not designed efficiently. Inexperienced users may have trouble understanding the software's prompts and the decisions they have to make, and an incorrect decision may lead to a security breach.
It is not known for certain who invented the first antivirus software. The first documented removal of a computer virus may have been performed by Bernt Fix in 1987.

Before internet connectivity became widespread, viruses spread through infected floppy disks. Antivirus software appeared to disinfect them, but it was rarely updated. As the internet spread, viruses began to be distributed online.

Early on, a major risk was the use of macros in word-processing applications such as Microsoft Word. Virus writers started using macros to write viruses embedded in documents, which meant that computers could be infected by hidden macros attached to documents.

Later, e-mail software such as Microsoft Outlook Express and Outlook became vulnerable to viruses, so a user's computer could be infected just by opening an e-mail.

Identification methods

Antivirus software identifies malicious software through several methods:

  • The most widely used method is signature-based identification. To identify viruses and other infections, the antivirus compares a file's contents against a dictionary of virus signatures. The file is scanned both as a whole and in pieces, because viruses may embed themselves inside the file.
  • Unknown viruses may be identified by heuristic detection, which looks for malicious activity rather than a known pattern.
  • Another heuristic approach is file emulation: the program is executed in a virtual environment (sandbox) and its actions are recorded. Based on the recorded actions, the program is judged to be malicious or not.

Signature based detection

Traditionally, antivirus software relies heavily on signatures to identify malware. This can be very effective, but it cannot protect against malware for which no signature exists yet. That is why signature-based approaches are not effective against new, unknown viruses.

Because new viruses are created every day, signature-based detection requires frequent updates of the virus signature dictionary. To help the vendors, antivirus software allows users to submit new viruses for inclusion in the dictionary.

Virus authors try to stay one step ahead of antivirus software by writing oligomorphic, polymorphic and even metamorphic viruses that encrypt parts of themselves or modify themselves as a disguise, so that they no longer match the signatures in the dictionary.
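As an added illustration of the signature-based method described in the list above and in this section (not code from the Saferpedia article), the following Python scanner matches a file against a constructed dictionary of byte patterns, scanning in overlapping pieces, and then shows why a variant that merely re-encodes the same payload escapes the dictionary until a crude emulation step recovers the original bytes. The signature names, patterns and the "ENC:" file layout are all made up for this example.

```python
# Added example, not code from the Saferpedia article: a minimal signature
# scanner that matches files against a dictionary of known byte patterns,
# scanning in overlapping pieces, and shows why a variant that re-encodes
# the same payload escapes that dictionary until it is decoded.

# Constructed test strings standing in for real signatures (none are real malware).
SIGNATURES = {
    "Test.Sample.A": b"CONSTRUCTED-SAMPLE-PAYLOAD-A",
    "Test.Sample.B": b"\xde\xad\xbe\xef\x00\x01",
}

def scan_bytes(data, signatures=SIGNATURES, chunk=64):
    """Return the sorted names of all signatures found in data.

    The data is read chunk by chunk; the last (longest signature - 1) bytes
    of each window are carried into the next one so a pattern straddling a
    chunk boundary is still found (the 'scanned in pieces' behaviour above).
    """
    longest = max(len(p) for p in signatures.values())
    hits, tail = set(), b""
    for offset in range(0, len(data), chunk):
        window = tail + data[offset:offset + chunk]
        hits.update(n for n, p in signatures.items() if p in window)
        tail = window[-(longest - 1):] if longest > 1 else b""
    return sorted(hits)

def xor_encode(payload, key):
    """Byte-wise XOR, standing in for the self-encryption the article describes."""
    return bytes(b ^ key for b in payload)

def make_variant(payload, key):
    """Constructed 'encrypted' file layout: 4-byte header, 1-byte key, encoded body."""
    return b"ENC:" + bytes([key]) + xor_encode(payload, key)

def scan_with_decoding(data, signatures=SIGNATURES):
    """Crude stand-in for file emulation: if the constructed header is present,
    recover the body the way the file would at run time, then scan that."""
    if data.startswith(b"ENC:"):
        data = xor_encode(data[5:], data[4])
    return scan_bytes(data, signatures)

# Constructed sample file: padding on both sides so the pattern sits across
# the first chunk boundary (bytes 40..67 when chunk=64).
SAMPLE = b"\x00" * 40 + b"CONSTRUCTED-SAMPLE-PAYLOAD-A" + b"\x00" * 40
VARIANT = make_variant(SAMPLE, 0x5A)

if __name__ == "__main__":
    print(scan_bytes(SAMPLE))            # ['Test.Sample.A']
    print(scan_bytes(VARIANT))           # []  (same code, no signature match)
    print(scan_with_decoding(VARIANT))   # ['Test.Sample.A']
```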

Heuristic methods

Some advanced antivirus software uses heuristic analysis to identify new kinds of malware, or modified versions of malware that is already known.

Many viruses start as a single infection, but through mutation or other changes they may multiply into dozens of strains, in different variants.

For example, the Vundo Trojan has several family members according to the classification used by antivirus vendors. Symantec classifies the Vundo family into 2 distinct members: Vundo Trojan and Vundo.B Trojan.

Issues of concern

Unexpected renewal costs

Some commercial antivirus products include clauses under which the subscription is renewed automatically and the user is charged for it. For example, McAfee requires users to unsubscribe at least 60 days before the current subscription expires, while BitDefender sends notifications at least 30 days in advance. Norton Antivirus also renews the subscription automatically.

Free and open-source software such as ClamAV offers the scanning application and its updates for free, so there is no subscription to renew.

Rogue security software

Some programs presented as antivirus software are in fact malware disguised as an antivirus, such as WinFixer and MSAntivirus.

False alarms

A false alarm occurs when a file is identified as infected when it is not. If antivirus software is set to immediately delete or quarantine infected files, false alarms may render applications, or even the operating system, unusable.

Other issues

Running several antivirus programs at the same time may reduce the computer's performance and create conflicts between them.

Sometimes it is necessary to temporarily disable antivirus protection in order to install major applications or updates, such as Windows Service Packs, or to update video card drivers.
Studies conducted in December 2007 showed that the effectiveness of antivirus software has dropped in recent years, especially against zero-day viruses. Analysts from the German magazine c't found that the detection rate of threats dropped from 40-50% in 2006 to 20-30% in 2007. In 2007 the only exception was the NOD32 antivirus, which achieved a detection rate of 68%.
